WSUS via Round Robin??

I had an idea today.

Im setting up 5 definite WSUS servers, which many end up being more like 8-10. All of which are downstream replicas of the main WSUS server.

Instead of setting up certain machines to point to a certain WSUS server, could I achieve some "failover" by using DNS round robin to point to the group of WSUS servers?

For instance if WSUS2 went down, the clients would just continue on to WSUS3 and so on during the round robin lookup.

Has anyone done this? Can anyone think of caveats of doing it this way?

i figured I could use the alias updates.company.ad, or something similar.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Claymoore

WSUS can be deployed in a Network Load Balance cluster, which would be even better.

Appendix C: Configure WSUS for Network Load Balancing

Jordus

I glanced over that page and if SQL clustering is a requirement then that will exclude NLB from my list of options.

astorrs

Jordus wrote: »

I glanced over that page and if SQL clustering is a requirement then that will exclude NLB from my list of options.

It's not a requirement for implementing NLB on WSUS.

They mention it because if you were deploying NLB for high-availability reasons you'd usually want to make sure the back-end SQL environment was HA as well.

HeroPsycho

And one has to wonder at what point should you be considering SCCM, too...

blargoe

A WSUS server can support approximately 15,000 clients. You must be working for a HUGE copmany to have a need to LB or RR up to 10 servers for WSUS.

But it's certainly valid to do it either way.

Jordus

HeroPsycho wrote: »

And one has to wonder at what point should you be considering SCCM, too...

SCCM isnt very cost effective when every machine needs a connector license. (at least I think so)

Jordus

blargoe wrote: »

A WSUS server can support approximately 15,000 clients. You must be working for a HUGE copmany to have a need to LB or RR up to 10 servers for WSUS.

But it's certainly valid to do it either way.

Well, we are putting multiples out there to alleviate data crossing sites as much as possible.

around 90 sites and ~13000 windows machines.

blargoe

OK I get it now. You probably have like 5 hub sites and want a server for each hub and their connected sites or something like that, with your bigger sites having the multiple servers using round robin or nlb.

Here's how I set up my WSUS (given, currently I'm down to just 6 sites)

1 server in 5 of the sites (sixth gets its updates from the hub site)

DNS Alias for each WSUS server (update.company.com; asiaupdate.company.com for example)

Site-level GPO that gets attached to every site in AD. Only setting configured is the update server URL/Statistics URL for that site. Doing a site GPO catches all the workstations and servers for that site but also anyone from the main office that roams from site to site and forces them to get updates locally.

Domain GPO with our "standard" WSUS settings (auto-download and schedule install, etc)

OU GPO's to override the standard settings (don't auto-install on Servers OU, etc)

I've found that to be the easiest way with the least GPO's required. For computers not in the domain there is a registry file I import that gives them the same settings as the GPO.

Finally, for our roaming Internet road-warriors, I put a WSUS in the DMZ that is set to connect to our upstream WSUS on 443 for policy and directs roaming laptops to download the update files from microsoft.com. Since they got the WSUS URL from our GPO, I had to put aliases in our Internet DNS for all of those alias WSUS hostnames so they can seamlessly continue to get our update policy. If you're using an DNS Domain that isn't valid for the Internet, that wouldn't work for you though.

HeroPsycho

Jordus wrote: »

SCCM isnt very cost effective when every machine needs a connector license. (at least I think so)

Agreed, but it sounded like you were wanting something with exceptionally high resiliency, etc. WSUS isn't the answer if that's what you wanted. Doesn't sound like you do though...