2 Replies Latest reply on Aug 1, 2014 1:51 PM by ibraheems

    Using Client Side and Server Side Targeting together

    ibraheems

      Hello guys,

      I work for an organization that pretty extensively uses Active Directory to manage the workstations and most of the servers. However, there are a few servers which must remain isolated from the domains and, for various reasons, cannot locally modify the client-side targeting registry keys used in WSUS. For this reason, our current WSUS setup uses server-side targeting and we must manually add workstations and servers as they report in (quite annoying).

      We are migrating to a new 2012 WSUS server and were wondering if the following configuration scheme would work:

      1) Configure WSUS server to use client-side targeting and modify the GPOs accordingly so that the few hundred managed workstations add themselves properly.

      2) Temporarily switch to server-side targeting on the WSUS console and have the isolated servers connect to the WSUS server. Manually put them in the appropriate groups.

      3) Switch back to client-side targeting so that any future workstations/servers automatically add to the appropriate groups.

      Has anybody tried this/know about any issues we might run into if we try this?

      Thanks!

        • Re: Using Client Side and Server Side Targeting together
          Lawrence Garvin
          2) Temporarily switch to server-side targeting on the WSUS console and have the isolated servers connect to the WSUS server. Manually put them in the appropriate groups.

          In general, those who have tried to change group memberships using this methodology have met with issues, but that may well be because the clients were enabled for client-side targeting.

          Effectively, when Client-Side Targeting is set, the WUA is authoritative for the group memberships of the client, and will not query the WSUS server for group assignments. It expressly queries for only those groups assigned. One of the side effects of setting Options->Computers to "Use Group Policy..." is that it disables the ability to assign computers to groups using the console; however, it may also be that this also disables the ability of the WSUS server to respond to a WUA query for the client's assigned group(s). I have never tested the behavior at this level of detail, so you'd have to test this to see what actually happens. Also note, though, it would be (from Microsoft's perspective) an "unsupported" configuration.

          However, a much more reliable way to achieve this objective, and it would be fully supported, is to simply deploy a replica server for those systems which need to use server-side targeting. The Options->Computers setting is a PER-WSUS-SERVER setting, and does not have to be the same on downstream servers as it is on upstream servers.

          This would also give you the added protection of a console (the replica server) where ONLY the machines that should be server-side managed can be. With ALL of your clients in a single console, you'll always run the risk that somebody puts a client-side managed system in the wrong group, and that will definitely complicate things. There's also the risk that somebody forgets to switch Options->Computers back, and that can also complicate things. In effect, the additional server completely eliminates all of the risks that will naturally associate with the idea of flipping an option to end-run the non-existent policy settings. :-)

          Enable Reporting Rollup on the upstream server and you can still do enterprise-wide monitoring and reporting from the upstream server.
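
Added example, not part of either post above: a PowerShell check for the upstream/replica layout described in the reply, reporting each server's Options->Computers targeting mode against the intended one and listing machines still sitting in "Unassigned Computers". The host names, port and expected-mode table are assumptions; it uses the UpdateServices module and WSUS administration API that ship with the WSUS 2012 console.

```powershell
# Added example, not from the thread. Host names, port and the expected-mode
# table are hypothetical; run where the WSUS admin console
# (UpdateServices module) is installed.
$expected = [ordered]@{
    'wsus-upstream.example.local' = 'Client'  # domain clients: groups come from GPO
    'wsus-replica.example.local'  = 'Server'  # isolated servers: groups set in the console
}

$report = foreach ($name in $expected.Keys) {
    # 8530 is the default non-SSL WSUS port on Server 2012
    $wsus = Get-WsusServer -Name $name -PortNumber 8530
    # Options->Computers setting of this server: 'Client' or 'Server'
    $mode = $wsus.GetConfiguration().TargetingMode.ToString()

    # Machines that have reported in but were never placed in a group
    $unassigned = $wsus.GetComputerTargetGroups() |
        Where-Object { $_.Name -eq 'Unassigned Computers' } |
        ForEach-Object { $_.GetComputerTargets() }

    [pscustomobject]@{
        Server        = $name
        TargetingMode = $mode
        ExpectedMode  = $expected[$name]
        ModeDrift     = ($mode -ne $expected[$name])
        Unassigned    = @($unassigned | ForEach-Object { $_.FullDomainName })
    }
}

$report | Format-Table Server, TargetingMode, ExpectedMode, ModeDrift,
    @{ Name = 'Unassigned'; Expression = { $_.Unassigned -join ', ' } } -AutoSize

# Non-zero exit lets a scheduled task or monitoring job alert on drift,
# e.g. when Options->Computers was flipped and never switched back.
if ($report | Where-Object ModeDrift) { exit 1 }
```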