Not Monitored
Tag not monitored by Microsoft.
35,811 questions
Check your boundaries and boundary groups configuration for the selection of the SUP?
MECM Software Updates / WSUS Config Untrusted Domain
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 17%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Johno
106
Reputation points
Hi All,
I've now got my untrusted domain child site system configured and communicating with the primary site server, clients are registering and applications can be deployed, but I've hit a snag with Software Updates. I've followed the below blog post, but the clients are trying to use WSUS on the primary site server.
https://www.systemcenterdudes.com/installing-sccm-dp-mp-sup-untrusted-domain
The WUAHandler logs and the Registry keys on the client, HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, point to the primary site server rather than the child WSUS site system.
Do I need to override these settings with a group policy or should the client detect the site its in and that the WSUS is installed and configured then set them to the appropriate site system?
Cheers,
Johno
3 answers
Sort by: Most helpful
-
-
Jason Sandys 31,151 Reputation points Microsoft Employee2020-09-08T00:24:20.4+00:00 but the clients are trying to use WSUS on the primary site server.
Why is this an issue? Are you actually accounting for network restrictions (which have nothing to do with AD or AD trusts)?
Do I need to override these settings with a group policy
No, that won't work and the client will disable software updates.
As Eswar notes, clients locate and use SUPs based on boundaries and boundary groups; however, once they get assigned to a SUP, they won't automatically change unless they fail to communicate with the assigned SUP three times. Also, in this case, failure does not include the typical failure/error cause by a firewall blocking traffic.
-
Johno 106 Reputation points
2020-09-08T03:03:37.32+00:00 Why is this an issue? Are you actually accounting for network restrictions (which have nothing to do with AD or AD trusts)?
The clients don't have (aren't allowed) direct access to the Primary Site Server. I understand this is a network restriction and has nothing to do with AD or AD trusts, but felt it's worth giving that information to indicate the network restrictions in place. We are attempting to utilize ConfigMgr to manage the computers in a segregated network.
The primary site server is fully functional for the general network, across multiple subnets and sites.
The segregated network currently consists of a single network, there is an MECM boundary configured with the appropriate IP Address range, and a single boundary group containing that boundary group and a single site system with DP, MP, and WSUS installed and assigned to that boundary group.
-
Johno 106 Reputation points
2020-09-08T03:04:39.473+00:00 failure does not include the typical failure/error cause by a firewall blocking traffic.
The clients have never been able to directly contact the primary site server. Is there a way force this to update or reset ? Even on a brand new VM configured on the segregated network, i'm still unable to see Windows Update scan results or required updates etc for these machines.
-
Jason Sandys 31,151 Reputation points Microsoft Employee
2020-09-08T11:32:59.37+00:00 but felt it's worth giving that information to indicate the network restrictions in place.
But a separate AD forest, untrusted or not, in no way means there are network restrictions in place; the two are completely independent.
-
Jason Sandys 31,151 Reputation points Microsoft Employee
2020-09-08T11:36:08.213+00:00 Does the site for this segregated network also host the SUP role? You called out WSUS, but that doesn't strictly imply a SUP.
If so, is that SUP healthy?
What kind of boundaries are you using?
What version of ConfigMgr is the site running?
-
Johno 106 Reputation points
2020-09-09T02:20:50.297+00:00 Yes, SUP is installed on the remote site system, according to the MECM console, it's healthy, if there's somewhere else to check the state of this component other than the Component Status and Status Messages I'm all ears.
Boundary is a single IP address range 192.168.200.1-192.168.200.254
Version is currently MECM 2002 5.00.8968.1042
-
Jason Sandys 31,151 Reputation points Microsoft Employee
2020-09-09T14:58:38.773+00:00 To clarify, this isn't a secondary site server, correct? It's a site system that is part of the primary site?
-
Johno 106 Reputation points
2020-09-09T23:29:18.663+00:00 Correct, single site (C01), Primary server managing the servers and workstations on the corporate network, and a single site system to manage the servers and workstations in the segregated network.
-
Jason Sandys 31,151 Reputation points Microsoft Employee
2020-09-10T03:03:32.9+00:00 Did the clients exist in any way before the SUP or site system?
-
Johno 106 Reputation points
2020-09-11T03:29:34.293+00:00 I've just imaged up a new Windows 10 VM in the segregated network and installed the client with ccmsetup.exe /mp:siteSystem.abc.local SMSMP=siteSystem.abc.local SMSSITECODE=C01
Same results.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 57.00000000000001%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Jason Sandys 76 Reputation points2020-09-11T14:01:08.253+00:00 Is the site system in a different domain or forest from the clients?
-
Johno 106 Reputation points
2020-09-14T01:15:02.597+00:00 No, the clients and site system are in the same forest and domain, on the same network/subnet.
-
Jason Sandys 31,151 Reputation points Microsoft Employee
2020-09-14T01:40:22.703+00:00 Then the only possibility here is that your boundaries and boundary groups are misconfigured.
What kind of boundaries are you using?
-
Johno 106 Reputation points
2020-09-15T03:15:25.033+00:00 Site System IP Addresses (UTSiteSystem.ut.local)
- Segregated network = 192.168.198.2/24
- Link to Primary Site Server = 192.168.197.2/24
Client IP address
- Segregated network = 192.168.198.20/24
Primary Site Server IP Addresses
- Enterprise network = 10.0.0.1/24
- Link to Site System = 192.168.197.1/24
Boundary
Description: UT_IPR
Type: IP Address range
Starting IP address: 192.168.198.1
Ending IP address: 192.168.198.254
Site systems: UTSiteSystem.ut.local
Boundary Group: CMBG_UTBoundary Group
Name: CMBG_UT
Boundaries: 192.168.198.1-192.168.198.254, UT_IPR
Site system servers: UTSiteSystem.ut.local, C01
Fallback Boundary Group Name: <none>
Option: Allow peer downloads in this boundary group: True -
Johno 106 Reputation points
2020-09-15T03:28:17.037+00:00 Client is NOT able to resolve the name of the primary site server (CMPrimSvr.domain.com), but can resolve the site system name (UTSiteSystem.ut.local) via DNS configured on segregated networks Domain controller.
Site System (UTSiteSystem.ut.local) is able to resolve primary site server (CMPrimSvr.domain.com) via an entry in the hosts file
-
Jason Sandys 31,151 Reputation points Microsoft Employee
2020-09-15T13:31:35.207+00:00 Without seeing all of your boundaries and boundary groups, nothing definitive can be said.
-
Jason Sandys 31,151 Reputation points Microsoft Employee
2020-09-15T13:34:12.49+00:00 Just to validate, the site system in the segregated network hosts the DP, MP, and SUP roles, correct?
-
Johno 106 Reputation points
2020-09-15T22:55:41.733+00:00 Correct.
Application deployment works fine in the segregated network, so DP is working
Client is registering and sending hardware and software inventory, so MP is working.
Only thing I cant see is, the required updates from the console for the machines in the segregated network, nor are they installing the advertise/deployed software updates.
Sign in to comment -
-
Amandayou-MSFT 11,046 Reputation points2020-09-08T03:25:34.873+00:00 Hi @Johno
We could assign software update points which are in untrusted domain child site system to the boundary group so that clients can find and use them.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.-
Johno 106 Reputation points
2020-09-08T04:17:14.547+00:00 Thanks @Amandayou-MSFT , but that's already configured with the child site system.
Sign in to comment -