Home
.. About WSUS Wiki

WSUS
.. WSUS FAQ
.. WSUS on SBS
.. WSUS Troubleshooting
.. WSUS News Groups
.. Known WSUS Issues
.. WSUS Links
.. WSUS Wish List

WSUS Documents
.. WSUS Deployment Guide
.. WSUS Installation Guide
.. WSUS Release Notes
.. WSUS Best Practice

SUS
.. SUS FAQ
.. What Is SUS
.. SUS Troubleshooting
.. SUS Links
.. SUS Known Issues
.. SUS FAQ
.. What Is SUS
.. SUS Troubleshooting
.. SUS Links
.. SUS Known Issues

Wiki Community
.. Wiki Contributors
.. I Love WSUS
.. WSUS Wiki Diary
.. Wiki Statistics
.. To Do Page

Miscellaneous Stuff
.. Other Resources
.. Do You Know?

Clients Managing WSUS3.0 Servers must reside on the same Active Directory domain as the server.

WSUS3.0 uses a console instead of a web interface as in WSUS 2.0. The console connects to an API Virtual Directory instance (in IIS) on the WSUS Server named "ApiRemoting30." This connection happens over the web ports as configured on the server. (Usually 80, 443, etc.)

This creates limitations in some environments, specifically in situations where a single WSUS server is servicing multiple Active Directory domains. WSUS will communicate with clients in other domains for patching correctly, however, if you wish to manage the WSUS server from the clients using the WSUS3.0 console- the client must reside on the same domain as the WSUS Server.

The behavior is experienced due to the default configuration in IIS for the "ApiRemoting30", and limitations in the MMC architecture. The ApiRemoting30 Virtual Directory uses Integrated Authentication and Digest Authentication which will pass the credentials used to log onto the client directly to the WSUS server- which should fail since they reside on different domains.

There are several potential work arounds. Information on work arounds will be forthcoming.