WSUS and Domain Controllers

[Zipster]

Hi,

I seemed to of installed WSUS OK and all seems to be great.
I have just one problem.

In the Computers section I can see all of our windows XP/2000 clients and member servers but I cannot see any Domain Controller's ?!?!?

Is this meant to be or have I overlooked something?!?

Thanks.

http://www.k.abbott.btinternet.co.uk/

 

[minxca]

Do you use GPO? if yes, do you appy it to DC OU too?

 

[Davetoo]

Your DC's will show up in the Domain Controller container, not in your Computer container. That is by design.

I'm Certifiable, not certified.
It just means my answers are from experience, not a book.

 

[markdmac]

The advice above is all correct, I would just like to add to it.

You will want to make sure that you have configured a seperate policy for your Domain Controllers that specifies not to allow the auto reboot after hotfix installation. Having DCs reboot themselves is NEVER a good idea.

I hope you find this post helpful.

Regards,

Mark

 

[monsterjta]

Great advice...I would also like to add my 2 cents. In WSUS, create 2 groups and add 1/2 of your DC's to each. Now, you may release updates to your DC's at different times or days and you may automatically reboot them via policy.

To take it a step further, create an evaluation group in WSUS and add only one DC and split the remainder between the two other WSUS groups. Now you can test your patches without compromising all your DC's and you don't have to go the extra distance to manually reboot each DC when you release your patches.

Good Luck!

 

[Zipster]

Hi all,

Thanks for your comments.

I have made sure that not to allow the auto reboot after installation on the servers.

I have one GPO that applies to servers (inc. the DC) in each site (three sites).

The weird thing is that the updates are applying but when I click the computers button I can't see any DC's (DC's only - all other machines are showing).

Also I can seem to find a Domain Controller container when I click the computers button, here's the groups (with one's I have created myself):

Groups
All Computers: 39
Unassigned Computers: 2
Clients UK: 24
Clients US: 5
Servers UK: 7
Servers US: 1

Unassigned Computers don't contain any DC's!!

http://www.k.abbott.btinternet.co.uk/

 

[markdmac]

But have you applied a policy on the Domain Controllers container in AD Users & Computers?

I hope you find this post helpful.

Regards,

Mark

 

[Zipster]

Yes:

"I have one GPO that applies to servers (inc. the DC) in each site (three sites)."

http://www.k.abbott.btinternet.co.uk/

 

[monsterjta]

You may need to manually apply BITS 2.0 and WinHTTP 5.1. These are necessary to communicate with WSUS. Then, issue the WUAUCLT /DETECTNOW command and GPUPDATE /FORCE.

Also, don't forget about the Default Domain Controller policy, which is linked to the Domain Controllers OU by default. However, I would suggest modifying it.

 

[rolo1968]

You may want to check the Windows Update log for any clues.
c:\windows\WindowsUpdate.log

 

[monsterjta]

Correction...I stated earlier:

"Also, don't forget about the Default Domain Controller policy, which is linked to the Domain Controllers OU by default. However, I would suggest modifying it."

I meant to say: I would NOT suggest modifying it.

Kudos!