Hello guys! I know that the question in the "title" of the thread is a bit vague, so let me explain my issue :)
First of all grab a pencil and a sheet of paper, I am gonna introduce some concepts of our infrastructure which are necessary in order to understand my problem.
So let's say I have 4 different network zones (1, 2, 3, 4) where different windows domains are hosted (A, B, C, etc.).
Without giving too much information about our infrastructure, the final drawing is as follows:
Primary site (with SUP) in network zone 1, Domain A
And I have
1 MP/DP/SUP in the network zone 2, Domain A, managing untrusted domains in zone 2
1 MP/DP/SUP in the network zone 3, Domain A, managing untrusted domains in zone 3
1 MP/DP/SUP in the network zone 4, Domain A, managing untrusted domains in zone 4
So in abstract, all SUPs are in the same Windows domain, share the same DB, and manage different untrusted Windows domains.
Everyone still here? :)
So, all SUP roles installed, all my clients in the untrusted domains receive the 4 SUPs (locationservice.log). I've read a lot of documentation and topics and I understood that since 2012 SP1 (my version is 2012 R2 CU3, if my memory is still fine), SCCM supports multiple SUPs.
My problem in fact is that, for example, a client in a domain in network zone 2 takes the SUP of network zone 1, which is not allowed by our security policy; it should take the SUP from the same network zone (i.e. zone 2). But as I understood it, that shouldn't be a big deal, since after 4 unsuccessful attempts at 30-minute intervals (in other words 2 hours) it should roll the SUPs and try to connect to another one, except that after a few days it doesn't, and the client is still trying to reach my primary site in network zone 1 ...
Then I came across the following article, which describes exactly my issue: http://blogs.technet.com/b/umairkhan/archive/2014/10/03/configmgr-2012-r2-multiple-sup-scenario-clients-not-failing-over-to-the-other-sup.aspx
Error 0x80072ee2 in WindowsUpdate.log etc.
So I applied the workaround by adding the error code to the "WSUS Scan Retry Error Codes", but unfortunately it doesn't do the trick ... And my client continues to try to contact the primary site and not the SUP it's supposed to.
Is it clear enough?
So my questions are quite simple ...
1. Am I doing it right?
2. Is there a way to force the SUP through a registry hack, such as for the MP (AllowedMPs)?
Any other suggestion is welcome !
Thank you :)
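As an added example (not from the original post), here is a PowerShell check to run on a client to see which SUP it is actually pointed at, whether that SUP belongs to the client's network zone, and how many 0x80072ee2 scan errors WindowsUpdate.log contains. The zone-to-SUP mapping, the expected zone and the hostnames are placeholders; the WUServer/WUStatusServer registry values and the log path are the standard ones the Windows Update Agent uses on 2012 R2-era clients.

```powershell
# Added example, not from the original post: verify which SUP this client uses
# and whether it is the SUP of the client's own network zone.
# Assumptions: SUP hostnames and zone mapping are placeholders to replace;
# the log path is the pre-Windows 10 default WindowsUpdate.log location.

# Placeholder mapping: network zone -> SUP FQDN (replace with your own).
$SupByZone = @{
    1 = 'sup-zone1.domainA.example'
    2 = 'sup-zone2.domainA.example'
    3 = 'sup-zone3.domainA.example'
    4 = 'sup-zone4.domainA.example'
}
$ExpectedZone = 2   # the network zone this client lives in (assumption)

# The ConfigMgr client writes the SUP it selected into the WUA policy keys.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $wuPolicy -ErrorAction Stop
if (-not $wu.WUServer) {
    Write-Warning "No WUServer set under $wuPolicy; the client has not selected a SUP yet."
    return
}
$assigned = ([System.Uri]$wu.WUServer).Host

Write-Host "WUServer       : $($wu.WUServer)"
Write-Host "WUStatusServer : $($wu.WUStatusServer)"

if ($assigned -ieq $SupByZone[$ExpectedZone]) {
    Write-Host "OK: client uses the zone $ExpectedZone SUP ($assigned)"
} else {
    # Find which zone the assigned SUP actually belongs to, if any.
    $match = $SupByZone.GetEnumerator() | Where-Object { $_.Value -ieq $assigned }
    $foundZone = if ($match) { $match.Key } else { 'unknown' }
    Write-Warning "Policy violation: client uses SUP $assigned (zone $foundZone), expected zone $ExpectedZone"
}

# Count scan failures with the error code from the thread (0x80072ee2), to see
# whether the retry counter (4 failures at 30-minute intervals) should already
# have caused a failover to another SUP.
$log = Join-Path $env:windir 'WindowsUpdate.log'
if (Test-Path $log) {
    $failures = Select-String -Path $log -Pattern '0x80072ee2' -SimpleMatch
    Write-Host ("0x80072ee2 occurrences in WindowsUpdate.log: {0}" -f $failures.Count)
    # Show the most recent four, which is the number of attempts before a rollover.
    $failures | Select-Object -Last 4 | ForEach-Object { Write-Host "  $($_.Line.Trim())" }
} else {
    Write-Host "WindowsUpdate.log not found at $log"
}
```

Run it in an elevated PowerShell on the affected client; a warning means the client is pointed at a SUP outside its own zone.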