Thread: Guidelines for GPOs and WSUS

  1. #1
    brentlea

    I am currently working on deploying WSUS in our organization. The short story is that it's been pressed on me and I'm deploying without nearly enough research and planning. I was going to skip WSUS and go straight to SMS, but due to budgeting problems, we are going to use WSUS for now.

    Our organization has locations spread throughout 46 states. For the most part, I have an OU in our Active Directory for each location. Most of these remote locations have a local server for AD, DNS, DHCP, and file/print sharing. I want to use computer-based targeting so that I don't have the manual process of adding systems to computer groups. I am creating a new GPO for each OU (location). This GPO contains only the settings for WSUS. This should allow me to approve updates by location, or for all locations at once.

    My fear with this plan is that I am going to kill AD with a large number of GPOs. Currently I have over 50, and the number is climbing. Is this the best approach, or is there a better way?

    Thanks in advance.

  2. #2
    AdamV

    If these 50 GPOs apply to users/machines all at once, this is starting to be a big load.
    If only a handful apply to any given situation, this is less of a problem.
    As long as they don't change too often they don't generate replication traffic so no really big shakes there.

    Number of settings per GPO will be a bigger factor in speed issues and load on both server delivering the GP and on workstations processing them. Inheritance complexity (blocking / overriding) will increase this effort as well.

    One thing you don't mention is your domain model - is this a single domain with many sites or are there several here? If more than one, you need to ensure that policies are applied correctly so that a site will get policies from a local DC - avoid cross-domain links if at all possible.

  3. #3
    brentlea

    We have a single AD 2000 domain with many sites. The GPOs in question only apply to machines, as I have disabled the user section. The only settings in the GPO are for WSUS, so they are pretty small. Also, aside from the default domain policy, the WSUS policies are the only policies affecting the workstations in those OUs.

  4. #4
    AdamV

    So just to clarify, is this one GPO per site (roughly) or are all 50 applied to all workstations? (I think you implied the answer because they are only WSUS settings and they vary between sites, I'm just checking so you don't get bad advice. It seems to me this would be fine if I understand your intentions correctly.)

    You could (if you wanted) split out the policy which forces WSUS to be used rather than WU, and determine when it updates etc., then just have site or OU-based policies to determine the path.

    If you have several sites which will use the same settings (ie you are happy that updates tested and approved for one will apply to several others) then you could apply the same policy to them and point to a DFS path which uses an FRS-replicated local filestore for the files. This might simplify your GPs a lot - let DFS do the clever part of working out where to get updates from.

    If you go with OU-based policies rather than sites, think about mobile workers. DFS would help here too, but generally I would suggest sites would be the easiest way to avoid problems here. Conversely, if userA takes laptopA to siteB - should they get updated according to siteB policy and approved updates, or to siteA (and pull the updates across the WAN)? Something to think about.

  5. #5
    brentlea

    Yes, that is correct, one GPO per site.

    Thanks for the insight. I'm going to look into using DFS as you indicated below.

    Since I've been under the gun on this, I finished creating the GPOs today. Now I can effectively target my update approvals to various sites.

    Thanks again!
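
With one WSUS GPO per location, it helps to confirm on a workstation which update server path and target group the policy actually delivered. The following is an added example, not code from any poster in this thread; it reads the standard Windows Update policy registry values, and the function name and the `Site-Example` group name are assumptions made for illustration.

```powershell
# Added example: report the WSUS settings this computer received from Group Policy
# and flag the cases where a per-location WSUS GPO did not take effect.
function Get-WsusClientPolicy {
    param(
        # Hypothetical: the computer group this location's GPO is meant to set.
        [string]$ExpectedTargetGroup
    )

    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = Join-Path $wuKey 'AU'

    # A missing key means no WSUS policy has reached this machine at all.
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    $findings = @()
    if (-not $wu.WUServer) {
        $findings += 'No WUServer value: no update server path delivered by policy.'
    }
    if ($au.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the client is not forced to use WSUS.'
    }
    if ($wu.TargetGroupEnabled -ne 1 -or -not $wu.TargetGroup) {
        $findings += 'Client-side targeting is not in effect on this computer.'
    }
    elseif ($ExpectedTargetGroup -and $wu.TargetGroup -ne $ExpectedTargetGroup) {
        $findings += "TargetGroup is '$($wu.TargetGroup)', expected '$ExpectedTargetGroup'."
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        WUServer           = $wu.WUServer
        WUStatusServer     = $wu.WUStatusServer
        UseWUServer        = $au.UseWUServer
        TargetGroupEnabled = $wu.TargetGroupEnabled
        TargetGroup        = $wu.TargetGroup
        Findings           = $findings
    }
}

# 'Site-Example' is a constructed placeholder for a location's computer group.
Get-WsusClientPolicy -ExpectedTargetGroup 'Site-Example' | Format-List
```

The target group value is only honoured when the WSUS server's Computers option is set to use Group Policy or registry settings for group assignment; otherwise the client reports in but stays in Unassigned Computers.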
