
Group:  English: Windows Server » microsoft.public.windows.server.update_services
Thread: Group Policy for WSUS Distributed Management

Group Policy for WSUS Distributed Management
KKVP 12/9/2008 1:30:00 AM
Hi All,

We have around 20+ WSUS Servers out of which only one updates with MU
through internet and rest updates from the parent.

Also we have 20+ Servers (all are DC) which are setup in Distributed
Management, such that
* Autonomous mode
* Local administrators can control content and computer groups.

Each Server has different hostnames and we are using GPO for Client Side
targeting, and have 20+ GPO (since hostnames of the WSUS Servers are
different)

My query is

* Is this as per best practice?
* Is there any way to consolidate in 2 or 3 GPO?
* Currently we don't have any performance issue in the Servers, will
there be an impact due to this?

Note: This implementation was completed just 2 months back and so far
running fine!

Thanks in advance!

--
Regards,
KKVP
Re: Group Policy for WSUS Distributed Management
"Augusto Alvarez" <augustoalvarez[ at ]noesmimail.com> 12/9/2008 11:23:30 AM
The only thing to be concerned about the scenario you described could be
about 20+ GPOs, sounds like too many.

Common best practices on WSUS GPOs depends on each scenario and the quantity
of different users/computers that you may have. For example: You may require
that mobile users will have a different policy than workstation users for
their updates, and will differ also from servers policy. You can apply this
by organizing those types on different OU, and then apply each GPO.

The one thing that you can sure apply to your current environment is a
common GPO to the entire domain, applying all the values that all the GPOs
will have in common. This way you can set particular GPOs for each case with
only the values that you require for that type of computer.

Hope it helps.

Cheers

--
augusto alvarez | it pro | southworks
MCP - MCTS - MCITP DBA
http://blogs.southworks.net/aalvarez


"KKVP" <KKVP[ at ]discussions.microsoft.com> wrote in message
news:D6F5CC63-AE8C-4F5F-A838-729A978AAF5A[ at ]microsoft.com...
> Hi All,
>
> We have around 20+ WSUS Servers out of which only one updates with MU
> through internet and rest updates from the parent.
>
> Also we have 20+ Servers (all are DC) which are setup in Distributed
> Management, such that
> * Autonomous mode
> * Local administrators can control content and computer groups.
>
> Each Server has different hostnames and we are using GPO for Client Side
> targeting, and have 20+ GPO (since hostnames of the WSUS Servers are
> different)
>
> My query is
>
> * Is this as per best practice?
> * Is there any way to consolidate in 2 or 3 GPO?
> * Currently we don't have any performance issue in the Servers, will
> there be an impact due to this?
>
> Note: This implementation was completed just 2 months back and so far
> running fine!
>
> Thanks in advance!
>
> --
> Regards,
> KKVP

Re: Group Policy for WSUS Distributed Management
DaveMills <DaveMills[ at ]newsgroup.nospam> 12/9/2008 10:58:51 PM
On Tue, 9 Dec 2008 09:23:30 -0200, "Augusto Alvarez"
<augustoalvarez[ at ]noesmimail.com> wrote:

>The only thing to be concerned about the scenario you described could be
>about 20+ GPOs, sounds like too many.
>
>Common best practices on WSUS GPOs depends on each scenario and the quantity
>of different users/computers that you may have. For example: You may require
>that mobile users will have a different policy than workstation users for
>their updates, and will differ also from servers policy. You can apply this
>by organizing those types on different OU, and then apply each GPO.
>
>The one thing that you can sure apply to your current environment is a
>common GPO to the entire domain, applying all the values that all the GPOs
>will have in common. This way you can set particular GPOs for each case with
>only the values that you require for that type of computer.
>
>Hope it helps.
>
>Cheers

I thought similar. If the only thing different is the name of the WSUS server
then only that setting needs to be made in the GPO for each site. It should be
"enforced" so the Domain and OU policy does not change it. Then you do not need
an OU for each site. Of course if you already have an OU for each site's
computers then it makes little difference if you apply at the OU or "enforce" at
the site.

Another approach discussed a few weeks ago would be to rely on "DNS Netmask
ordering" to send the same hostname to a different IP depending upon the IP
address. This avoids the need for different GPOs but the poster was having
trouble with the netmask ordering not always resolving to the desired server IP.
Search for it and have a read.
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
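
Added example, not part of any post in this thread: a PowerShell sketch of the layout the replies describe, with one domain-wide baseline GPO for the shared Windows Update values and one small, enforced, site-linked GPO per location that carries only the WSUS server URL. The GPO names, site names, URLs, domain DN and the chosen schedule values are placeholders; it assumes the GroupPolicy module (GPMC/RSAT), a single-domain forest, and rights to link GPOs to AD sites.

```powershell
# Added example. All names, URLs and the domain DN are placeholders.
Import-Module GroupPolicy

$DomainDn = 'DC=example,DC=com'   # assumed single-domain forest
$WuKey    = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey    = "$WuKey\AU"

# Constructed map: AD site name -> WSUS server that site's clients should use.
$SiteWsus = @{
    'Site-A' = 'http://wsus-a.example.com'
    'Site-B' = 'http://wsus-b.example.com'
}

# Values every client shares, set once in the baseline GPO.
$Common = @{
    'UseWUServer'          = 1   # use the intranet update service
    'NoAutoUpdate'         = 0   # automatic updates enabled
    'AUOptions'            = 4   # download and schedule the install
    'ScheduledInstallDay'  = 0   # every day
    'ScheduledInstallTime' = 3   # 03:00 local time
}

# 1. Baseline GPO linked at the domain, not enforced.
$baseline = New-GPO -Name 'WSUS-Baseline'
foreach ($name in $Common.Keys) {
    Set-GPRegistryValue -Guid $baseline.Id -Key $AuKey -ValueName $name `
        -Type DWord -Value $Common[$name] | Out-Null
}
New-GPLink -Guid $baseline.Id -Target $DomainDn | Out-Null

# 2. One GPO per site holding only the server URL, linked to the AD site and
#    enforced so domain- or OU-level policy cannot override the server name.
foreach ($site in $SiteWsus.Keys) {
    $gpo = New-GPO -Name "WSUS-Server-$site"
    foreach ($name in 'WUServer', 'WUStatusServer') {
        Set-GPRegistryValue -Guid $gpo.Id -Key $WuKey -ValueName $name `
            -Type String -Value $SiteWsus[$site] | Out-Null
    }
    $siteDn = "CN=$site,CN=Sites,CN=Configuration,$DomainDn"
    New-GPLink -Guid $gpo.Id -Target $siteDn -Enforced Yes | Out-Null
}

# 3. Review what each per-site GPO will actually deliver.
foreach ($site in $SiteWsus.Keys) {
    Get-GPRegistryValue -Name "WSUS-Server-$site" -Key $WuKey |
        Select-Object @{n = 'Site'; e = { $site }}, ValueName, Value
}
```

On a client, `gpresult /r` shows which of these GPOs applied, and the `WUServer` value under the same policy key shows which server it was pointed at.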
