What exactly did you set in your group policy?
J ________________________________ From: listsad...@lists.myitforum.com <listsad...@lists.myitforum.com> on behalf of Beardsley, James <james.beards...@dhgllp.com> Sent: Thursday, March 6, 2014 9:18 AM To: mssms@lists.myitforum.com Subject: RE: [mssms] Clients incorrectly looking to DMZ SUP So I set up a GPP to do a WMI query to see if it could ping the internal SUP and if it can, it changes the WUServer and WUStatusServer regkeys to the internal SUP. That part is working correctly. However, now in the logs, I get these messages. Group policy settings were overwritten by a higher authority (Domain Controller) to: Server https://wsus03.corp.local:8531 and Policy ENABLED Failed to Add Update Source for WUAgent of type (2) and id ({56BF6422-9A17-4B0F-BC39-8BD3C053FA9C}). Error = 0x87d00692. So it seems that setting it with GPP is going to cause this group policy conflict. Any suggestions? From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Beardsley, James Sent: Tuesday, March 04, 2014 5:22 PM To: mssms@lists.myitforum.com Subject: RE: [mssms] Clients incorrectly looking to DMZ SUP Ah I see. I was thinking that by default, clients in “Intranet” mode would point to the internal SUP and “Internet” mode would go for the DMZ SUP. Thanks, I’ll look into doing something with GPP’s From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys Sent: Tuesday, March 04, 2014 4:03 PM To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com> Subject: RE: [mssms] Clients incorrectly looking to DMZ SUP OK, well then, there’s no way to control which SUP client will use then. SUP use, like MP use within a single primary site is not controlled by location at all. The main use of multiple SUPs (and MPs) is availability. The process for SUPs failing over from an inaccessible one to an accessible one is different than that of MPs however and thus in this case, you need to use group policy to manipulate the process. These two blog posts discuss this details: http://blogs.technet.com/b/configmgrteam/archive/2013/03/27/software-update-points-in-cm2012sp1.aspx http://blogs.technet.com/b/configmgrteam/archive/2013/03/27/group-policy-preferences-and-software-updates-in-cm2012sp1.aspx J From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of Beardsley, James Sent: Tuesday, March 4, 2014 2:27 PM To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com> Subject: RE: [mssms] Clients incorrectly looking to DMZ SUP Both From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys Sent: Tuesday, March 04, 2014 3:18 PM To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com> Subject: RE: [mssms] Clients incorrectly looking to DMZ SUP Are both of your SUPs using HTTPS or just the one in the DMZ? J From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of Beardsley, James Sent: Tuesday, March 4, 2014 1:56 PM To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com> Subject: RE: [mssms] Clients incorrectly looking to DMZ SUP That’s what is odd. I used the same command line to install all clients. That’s why I don’t understand the variation in configs ccmsetup.exe /UsePKICert SMSSITECODE=DHG SMSMP=https://<Site Server FQDN> CCMHOSTNAME=externalsccm.example.com FSP=sccmfsp.example.com RESETKEYINFORMATION=TRUE CCMFIRSTCERT=1 From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of Trevor Sullivan Sent: Tuesday, March 04, 2014 2:47 PM To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com> Subject: RE: [mssms] Clients incorrectly looking to DMZ SUP James, You don’t want to use a GPO to configure the SUP at all on 2007 or 2012. The ConfigMgr client uses local Group Policy to set this. If the internal clients were not installed as Internet clients, then they should not be receiving the address for the Internet-based Software Update Point. What command line did you use to install the internal (intranet) clients? http://technet.microsoft.com/en-us/library/gg712696.aspx#BKMK_InternetSUP Cheers, Trevor Sullivan Internet-Based Software Update Point The Internet-based software update point accepts communication from client computers on the Internet. You can create the Internet-based software update point only when the active software update point is not configured to accept communication from client computers on the Internet. You must install the Internet-based software update point on a site system that is remote from the site server, located in a perimeter network, and accessible to Internet-based client computers. The Internet-based software update point synchronizes with the active software update point at the same site by default. When the Internet-based software update point is disconnected from the active software update point, you can manually synchronize software updates by using the export and import process. For more information, see the Synchronize Software Updates from a Disconnected Software Update Point<http://technet.microsoft.com/en-us/library/912bfec1-fd19-4f56-a840-4ecd643c541b#SyncDisconnected> section in this topic. From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of Beardsley, James Sent: Tuesday, March 4, 2014 1:29 PM To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com> Subject: [mssms] Clients incorrectly looking to DMZ SUP I have a SUP internally and then a DMZ SUP that is configured to use the internal SUP as its sync source. I’m coming across PC’s that are on the internal network where both the WUServer regkey and the WUAHandler log are pointing to the DMZ SUP (and failing) instead of the internal SUP. What could be causing that? In CM07, I had a GPO that configured the server but when I migrated to 2012, I was under the impression that a GPO wasn’t required any longer. I thought about putting the GPO back in place but by forcing all clients to look to the internal SUP, the external clients wouldn’t be able to access it for software updates. So I’m trying to figure out where the mix-up is happening that is causing some clients on internal subnets to look to the DMZ SUP for its SU’s. Is it based on boundaries? Do I have a boundary configuration issue? Thanks, James ________________________________ IRS Compliance: Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties imposed under the Internal Revenue Code or applicable state or local tax law or (ii) promoting, marketing, or recommending to another party any transaction or matter addressed herein. ________________________________ Confidentiality Notice: This e-mail is intended only for the addressee named above. It contains information that is privileged, confidential or otherwise protected from use and disclosure. If you are not the intended recipient, you are hereby notified that any review, disclosure, copying, or dissemination of this transmission, or taking of any action in reliance on its contents, or other use is strictly prohibited. If you have received this transmission in error, please reply to the sender listed above immediately and permanently delete this message from your inbox. Thank you for your cooperation. ________________________________ IRS Compliance: Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties imposed under the Internal Revenue Code or applicable state or local tax law or (ii) promoting, marketing, or recommending to another party any transaction or matter addressed herein. ________________________________ Confidentiality Notice: This e-mail is intended only for the addressee named above. It contains information that is privileged, confidential or otherwise protected from use and disclosure. If you are not the intended recipient, you are hereby notified that any review, disclosure, copying, or dissemination of this transmission, or taking of any action in reliance on its contents, or other use is strictly prohibited. If you have received this transmission in error, please reply to the sender listed above immediately and permanently delete this message from your inbox. Thank you for your cooperation. ________________________________ IRS Compliance: Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties imposed under the Internal Revenue Code or applicable state or local tax law or (ii) promoting, marketing, or recommending to another party any transaction or matter addressed herein. ________________________________ Confidentiality Notice: This e-mail is intended only for the addressee named above. It contains information that is privileged, confidential or otherwise protected from use and disclosure. If you are not the intended recipient, you are hereby notified that any review, disclosure, copying, or dissemination of this transmission, or taking of any action in reliance on its contents, or other use is strictly prohibited. If you have received this transmission in error, please reply to the sender listed above immediately and permanently delete this message from your inbox. Thank you for your cooperation. ________________________________ IRS Compliance: Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties imposed under the Internal Revenue Code or applicable state or local tax law or (ii) promoting, marketing, or recommending to another party any transaction or matter addressed herein. ________________________________ Confidentiality Notice: This e-mail is intended only for the addressee named above. It contains information that is privileged, confidential or otherwise protected from use and disclosure. If you are not the intended recipient, you are hereby notified that any review, disclosure, copying, or dissemination of this transmission, or taking of any action in reliance on its contents, or other use is strictly prohibited. If you have received this transmission in error, please reply to the sender listed above immediately and permanently delete this message from your inbox. Thank you for your cooperation. ________________________________ IRS Compliance: Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties imposed under the Internal Revenue Code or applicable state or local tax law or (ii) promoting, marketing, or recommending to another party any transaction or matter addressed herein. ________________________________ Confidentiality Notice: This e-mail is intended only for the addressee named above. It contains information that is privileged, confidential or otherwise protected from use and disclosure. If you are not the intended recipient, you are hereby notified that any review, disclosure, copying, or dissemination of this transmission, or taking of any action in reliance on its contents, or other use is strictly prohibited. If you have received this transmission in error, please reply to the sender listed above immediately and permanently delete this message from your inbox. Thank you for your cooperation.
