Hello there,

We have an issue with SCCM and his agents by change our firewall rules.

We have 3 Domains; in Domain A1 is our Primary Site Server with the MP A1 WSUS A1 Role.

In Domain B2 is a MP B2 with WSUS B2 and in Domain C3 is a MP C3 with WSUS C3. There is no Secondary Site in both domains.

In the Past all Agents can communicate with all WSUS Server and all is running fine but our Security Rules are changed. The idea is that only client/agents communicate with the own WSUS and MP.

Now I have agents in domain B2 that would like communicate with the MP B2 and with WSUS B3 whats is not running fine, they becomes no updates and have problems in the WUAHANDLER:

OnSearchComplete - Failed to end search job. Error = 0x80072ee2.       WUAHandler     18.05.2015 09:01:03        5908 (0x1714) Scan failed with error = 0x80072ee2.     WUAHandler     18.05.2015 09:01:03        5908 (0x1714) Its a WSUS Update Source type ({7A250DB5-2AE5-4062-A594-7C56744DB6C3}), adding it.          WUAHandler     18.05.2015 09:01:03               6360 (0x18D8) Existing WUA Managed server was already set (http://domainB3:8530), skipping Group Policy registration.     WUAHandler                18.05.2015 09:01:03        6360 (0x18D8)

So the idea was to work with GPO and WSUS Setting but this not the right solution, on a test gpo I changed the server to WSUS B2 for a client in domain B2, make a gpupdate restart the WUAUSERV and the CCMEXEC but now I have other errors:

Enabling WUA Managed server policy to use server: http://DOMAINC3:8530   WUAHandler     18.05.2015 13:31:12        2476 (0x09AC) Waiting for 2 mins for Group Policy to notify of WUA policy change...   WUAHandler     18.05.2015 13:31:12        2476 (0x09AC) Group policy settings were overwritten by a higher authority (Domain Controller) to: Server http://DOMAINB2:8530 and Policy ENABLED                WUAHandler     18.05.2015 13:31:16        2476 (0x09AC) Failed to Add Update Source for WUAgent of type (2) and id ({7A250DB5-2AE5-4062-A594-7C56744DB6C3}). Error = 0x87d00692.      WUAHandler     18.05.2015 13:31:16        2476 (0x09AC)

I know that the agents should be change the server himself when its someone not reachable but thats doesnt helps really.

For the MP we forced them with a Policy but is it possible to force the WSUS Update Server as MP?

With best regards

Andr

• Edited by mr. AAJ Monday, May 18, 2015 12:44 PM

Hi,

Have you tried to change the server manually, not GP? Does it work?

Best Regards,

Joyce

Hi,

It is not currently possible to force the Clients to use a specific SUP, you can do it with MP after R2 CU3 but not for the SUP.

Regards,

Jrgen

No, that doesnt work too but it is so the same thing i can do. :)

Yes, that with the MP i know but my hope that there is a workaround for SUP too.

The best thing i can do is that we change back the firewall rule and let him for the moment free but it is only the port 8530 we need. 

Or is there some other idea how i can fix that problem? 

I dont understand why the WSUS rotation not really run?

In Domain B2 and Domain C3 you could try adding a CNAME for WSUS A1 which directs to WSUS B2 and WSUS C3 respectively

I don't have a lab to validate that myself so its more a suggestion than a proven recommendation.