WSUS Integration With AD

At present, with WSUS, you have to define machine groups manually on the WSUS server. It might have been better to have properly made WSUS AD-integrated. This would have enabled WSUS to make more use of OUs in the Active Directory for automatic create target groups, and for determining which computers exist in AD but which have not yet checked in with WSUS. This would allow better co-ordination of AD and WSUS - without it, validating that all computers in a domain are up to date becomes a manual process.

Naturally, this should be optional - that is, you should be able to use OU targeting if you want and where this makes sense. It may not suit all organisations.

Thomas Lee

Resolution for WSUS RTM

This feature is not included in WSUS Version 1, but is under consideration for future versions.

Comments:

From Jemimus - 12/6/06 6:42 AM

We chose to go the route of creating at least a seperate GPO for every target group. We also make sure that we keep the client update behaviour uniform within a single group, just to make it a little clearer when administrating.

The downside is that you have, depenmding on your requirements, a whole collection of GPO's ( = more GPO processing overhead) that you only use for Windows Update targetting. In our case we even created seperate OU's just for for this purpose, though you should ideally avoid having your OU design be led by such a single specific requirement.

We initally had a lot of problems with computers not showing up in WSUS. This case down to the self-update of the Windows Update ckient not working correctly.

What I did was, I added a software installatie policy to the WSUS Target GPO's, that installs the latest version of the Windows Update Agent. Reinstalling the agent cured 99% of all other problems we had.

To check if I really got em all, I made a vbscript that checks the Windows update client executable version, and the targeted group registry entry. . If its the new version, then I know the server either talked to the WSUS server itself at some point, or at least properly installed the latest version of the client. That covers most of any issues.

There is always the odd server that refuses to talk to the WSUS server, usually cured with a manual reinstallation of the client if needed. What I did notice though, is that the Windows Update client service sometimes doesnt exit properly, in which case you need to kill the process beforehand.

From clarv02 - 12/5/06 4:09 PM

I think this may be related to AD integration. I would like some way to reconcile the computers in WSUS to all computers on my network. Maybe AD integration is the way. Basically, if there are computers that haven't taken the GPO, or for some other reason, have not checked in to WSUS, I have no way of knowing who they are. I've done manual reconciliations against AD computers, but there should be a more automated way.

From LordMycal - 8/24/06 10:14 AM

It sucks that this doesn't exist. While you can create a GPO for your OU's that point them to the WSUS server and configure settings that way, it's still not quite an integration because several problems still exist:

1) If you delete a computer out of active directory, it doesn't remove the computer from your WSUS database. You have to manually go in and remove it.

2) If a computer just decides, "I'm not going to talk to WSUS" but doesn't generate errors, it simply doesn't show up in WSUS at all. It makes it difficult to reconsile the computers in AD and the computers in WSUS. Sure you can run an SQL query against your database and then compare that list against a list you've exported out of AD, but that is rather cumbersome.

Ideally, I'd like to be able to quickly and easily generate reports that tell me what computers are in WSUS but not AD, and what computers are in AD but not WSUS, so that I can quickly identify problems and/or yell at people that replaced a computer but never removed the old computer out of AD...

From christianw - 4/13/06 11:18 PM

Yes, you can do this already. In the WSUSAdmin tool, go to Options and Computers Options. Then specify to use Group Policy for groups. Then in ADU&C (or GPMC) create a new Group Policy in each OU with a different Windows Updates "Target Name", and this will put all the computers from that OU (who have that GPO) into a computer group in WSUS. Then you can choose to authorise updates in WSUSadmin based on those computer groups.

From krulewit - 5/20/05 8:50 AM

Couldn't you do this from the AD side by having specific GPOs are each OU that control the computer targeting?

From Skatterbrain - 2/1/05 8:42 PM

Definitely consider it as an option.� SMS 2003 allows for that sort of flexibility (not that I'm comparing the two products).� Even if it could do a one-time import it would save me a TON of time and mess setting things up quickly.� Regardless, I can use GPO's to target OU computers to set the group-name for WUS to pick them up, so if that feature isn't in RTM I can make do with the workaround.

From tdwilli - 12/3/04 4:47 AM

I agree that it would be very beneficial to have WUS a bit more tightly AD-integrated.� However, in our particular case, we don't use OU's in our AD environment so any automatic AD OU integration might be extremely annoying.� Perhaps it can be provided as a configuration option to enable or disable from the Admin console.��WUS�should be capable of�auto-detecting (using LDAP) the network AD structure and providing the admin an interface to select existing OU's, individual user/computer accounts, or entire domains for targeted group patch management.

Last Modified 7/14/05 3:02 PM

Hide Tools

Site
Changes
Index
Search

User
Log In
Register