Solved

Clients not getting Windows update Policy from GPO

Posted on 2004-04-04
31
1,242 Views
Last Modified: 2007-12-19
Hi all,

Trying to get clients to receive Windows Update policy for SUS from Windows 2003 and Windows 2000 server but it doesn't seem to work.

With 2003 server, the windows update template is  there by default but in 2000 server I had to manually add it.  Anyway, all other policies that are set up in the GPO are working fine.  All clients can get them off the servers no problems but not the windows update policy.

Anyone know how to fix this?

ps: SUS is good when you can get it working :-(

thanks in advance
Question by:cooljam23
31 Comments
 
LVL 20

Expert Comment

by:What90
ID: 10754107
Hi cooljam23,


Get the latest admin tools for Windows 2003 or get the latest update for the Windows Update ADM file.
These will allow you to have the full options for Windows Update.

Then make sure the clients have had a 90 minute wait after you've made the change or you've used secedit /refreshpolicy user_policy or machine_policy

PS: Have the client machines got SP3 or better?

0
 
LVL 20

Expert Comment

by:What90
ID: 10754121
cooljam23,

Here are some further links that may help:
http://www.microsoft.com/windowsserversystem/sus/default.mspx

And here's the troubleshooting page for it:
http://www.susserver.com/
0
 

Author Comment

by:cooljam23
ID: 10754304
Thanks for a quick reply.

I have created a test group so that we don't interrupt all users during business hours.  The policy on this group was set and Windows update ADM file was loaded correctly.  All is working and set up, eg type of update, time, server name, etc.  The only problem is clients that we put into this group do not get the policy off the server.  They have had also more than 90 min wait time.  we're talking days here.  I also tried to put this policy on to other groups but they do not seem to be getting the policy at all.  

If I manually create the Windows update policy on local, it will find the SUS server and receive the updates with problem.  I just need the clients to get the policy off the server.
0
 

Author Comment

by:cooljam23
ID: 10754310
/edit last post, last sentence.  Clients can find SUS server and receive the updates with no problem.
0
 
LVL 20

Expert Comment

by:What90
ID: 10754336
What's the server name you are using? Have you tried putting in the SUS ip address or have you used the fully qualified domain name?
The default is http://isaserver but I've had to put in the full http://isaserver.mydomain.com to get it to behave correctly on certain sites.

Check that the clients can ping or resolve the SUS server name and IP address.

Are you sure that the policies are going to the client (check with RoSP tool) or change the background screen colour to confirm.

0
 

Author Comment

by:cooljam23
ID: 10754415
All clients can ping server name and/or ip address fine.  I'll try to use fully qualified domain name anyway.

What's RoSP tool and where can I get it from?

thanks
0
 
LVL 20

Expert Comment

by:What90
ID: 10755315
0
 

Author Comment

by:cooljam23
ID: 10755589
Yeah sorry, I've just realised that the tool is called rsop.msc

I got the policy thingy working now.  I was real dumb.  I was supposed to apply the policy on computers instead of users.  I'm just waiting to see if the test PC will be getting updates tonight.  But I'm afraid that it might not work as I've tried this a few months ago and decided to give up on it.  Will keep you posted.

thanks
0
 
LVL 20

Expert Comment

by:What90
ID: 10762364
Happens to the best of us!

When I was testing SUS, I used two machines in their own OU (2000 and XP) and just ran GPupdate/secedit to speed up the updates for testing purposes, rather than wait for a nightly update. Speeds things up a lot. Remember to check the client machine's event logs to see what's happening.

Keep in there with the updates - it makes life so much easier. As I mentioned before, this link is a good troubleshooting page for it:
http://www.susserver.com/
0
 

Author Comment

by:cooljam23
ID: 10763014
Ok here's the update.

2004-04-06 13:51:12  03:51:12   Success   CDM            Starting
2004-04-06 13:51:14  03:51:14   Success   IUCTL          Starting
2004-04-06 13:51:27  03:51:27   Success   IUCTL          Downloaded iuident.cab from http://susserver to C:\Program Files\WindowsUpdate\V4
2004-04-06 13:51:31  03:51:31   Success   IUENGINE       Starting
2004-04-06 13:51:50  03:51:50   Success   IUENGINE       Querying software update catalog from https://a248.e.akamai.net/v4.windowsupdate.microsoft.com/consumerdrivers/getmanifest.asp
2004-04-06 13:51:50  03:51:50   Success   IUENGINE       Didn't find matching driver for ROOT\LEGACY_HPECP\0000
2004-04-06 13:52:48  03:52:48   Success   IUENGINE       Shutting down
2004-04-06 13:52:48  03:52:48   Success   IUCTL          Shutting down
2004-04-06 13:52:48  03:52:48   Success   CDM            Shutting down

I'm not too sure what this means as I have not seen this before.  Last time I got the error message was something different.  Hopefully you could help me with it.  I have had a search around google and www.susserver.com but came up empty.

I guess I should skip the option 4 update for now as it takes each hour for client to update.  

Thanks
0
 
LVL 20

Expert Comment

by:What90
ID: 10763191
Looks like that machine is up to date for patches. Have you:
Pulled down the latest patches on the SUS server by syncing it on the admin page?
Got any machines which have only got the service pack and no updates running on them for testing purposes?
Is anything in the machine event logs?

0
 

Author Comment

by:cooljam23
ID: 10763262
You're right, the current approved patches are all installed on this test PC.  What I found though was 1 patch that wasn't installed. I have approved it and here's a different error:

2004-04-06 14:46:11  04:46:11   Success   IUCTL          Starting
2004-04-06 14:46:11  04:46:11   Success   IUCTL          Downloaded iuident.cab from http://susserver to C:\Program Files\WindowsUpdate\V4
2004-04-06 14:46:11  04:46:11   Success   IUENGINE       Starting
2004-04-06 14:46:12  04:46:12   Success   IUENGINE       Determining machine configuration
2004-04-06 14:46:12  04:46:12   Success   IUENGINE       Querying software update catalog from http://susserver/autoupdate/getmanifest.asp
2004-04-06 14:46:12  04:46:12   Success   IUENGINE       Determining machine configuration
2004-04-06 14:46:13  04:46:13   Success   IUENGINE       Querying software update catalog from http://susserver/autoupdate/getmanifest.asp
2004-04-06 14:46:13  04:46:13   Success   IUENGINE       Determining machine configuration
2004-04-06 14:46:13  04:46:13   Success   IUENGINE       Querying software update catalog from http://susserver/autoupdate/getmanifest.asp
2004-04-06 14:46:17  04:46:17   Success   IUENGINE       Determining machine configuration
2004-04-06 14:46:17  04:46:17   Success   IUENGINE       Querying software update catalog from http://susserver/autoupdate/getmanifest.asp
2004-04-06 14:46:18  04:46:18   Success   IUENGINE       Determining machine configuration
2004-04-06 14:46:18  04:46:18   Error     IUENGINE       Querying software update catalog from http://susserver/autoupdatedrivers/getmanifest.asp (Error 0x80190194)
2004-04-06 14:46:18  04:46:18   Success   IUENGINE       Shutting down
2004-04-06 14:46:18  04:46:18   Success   IUCTL          Shutting down

This looks pretty straightforward but because I'm new to this I wouldn't have much clue.

In Event viewer, there's quite a few errors

Source: EventSystem
EventID: 4356

Description: The COM+ Event System Failed to create an instance of the subscriber parition(numbers,etc)

Any idea?

Thanks
0
 
LVL 20

Expert Comment

by:What90
ID: 10763291
I don't think the EventID: 4356 has much to do with SUS. Was this on the client workstation or the SUS server?

For Error 0x80190194: basically it can't find a file:
http://support.microsoft.com/?kbid=326596

It looks like if you put an unpatched client in that OU it should work.
0
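The decoding behind "it can't find a file", as an added example that is not part of the original thread: 0x80190194 is an HRESULT whose facility is HTTP (25) and whose low word, 0x194, is HTTP status 404, so the client asked the SUS server for a URL the server does not serve. The sample lines are constructed in the format of the log excerpts quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: lines in the format of the "Windows Update.log"
# excerpts quoted in this thread (date, time, second time, status, component, message).
SAMPLE_LOG = """\
2004-04-06 14:46:17  04:46:17   Success   IUENGINE       Querying software update catalog from http://susserver/autoupdate/getmanifest.asp
2004-04-06 14:46:18  04:46:18   Success   IUENGINE       Determining machine configuration
2004-04-06 14:46:18  04:46:18   Error     IUENGINE       Querying software update catalog from http://susserver/autoupdatedrivers/getmanifest.asp (Error 0x80190194)
2004-04-06 14:46:18  04:46:18   Success   IUCTL          Shutting down
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"(?P<status>Success|Error)\s+(?P<component>\S+)\s+(?P<message>.*)$"
)
HRESULT_RE = re.compile(r"\(Error (0x[0-9A-Fa-f]{8})\)")
URL_RE = re.compile(r"https?://\S+")
FACILITY_HTTP = 25  # 0x19: HRESULT facility used for HTTP status codes


def decode_hresult(value):
    """Split an HRESULT into failure bit, facility and code (same masks as winerror.h)."""
    return {
        "failed": bool(value & 0x80000000),
        "facility": (value >> 16) & 0x1FFF,
        "code": value & 0xFFFF,
    }


def find_errors(log_text):
    """Return one dict per Error line, with the HTTP status when the HRESULT carries one."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["status"] != "Error":
            continue
        entry = {"when": f"{m['date']} {m['time']}", "component": m["component"],
                 "url": None, "hresult": None, "http_status": None}
        url = URL_RE.search(m["message"])
        if url:
            entry["url"] = url.group(0)
        hr = HRESULT_RE.search(m["message"])
        if hr:
            entry["hresult"] = hr.group(1)
            parts = decode_hresult(int(hr.group(1), 16))
            if parts["failed"] and parts["facility"] == FACILITY_HTTP:
                entry["http_status"] = parts["code"]
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for finding in find_errors(SAMPLE_LOG):
        print(finding)
```

Run over a real client log, the same function lists every failed request with the URL and status, which separates a missing path on the server (404) from name resolution or policy problems that never produce an HTTP status at all.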
 

Author Comment

by:cooljam23
ID: 10763366
That's on client workstation.

I guess this version of SUS is not perfect is it?  I know that the new version is coming out real soon so maybe I'll just have to live with this one.

I will completely blow this PC out and reinstall XP with no patches and see if it works.
I'll let you know tomorrow.

thanks
0
 
LVL 20

Expert Comment

by:What90
ID: 10763375
Are you using V1.1?
V2 is out soon (I love those marketing folks time scales ...) and is supposed to be a great leap forward.

You could just uninstall some patches in control panel and save yourself some work?
0

 

Author Comment

by:cooljam23
ID: 10763451
Yes it's 1.1

We talked to some of the IT gurus in L.A. and they said V2 is very good and told us that we should have a look at it.  But because these new worms come out almost like hourly we really have to get everyone here patched.  So I decided to get back into SUS 1.1

There are some workstations that have not been sp1 patched so I'd thought it's better to test it on xp stand alone with no sp1, etc.

I don't know how good you are with SMS2003 but if you can help me out with this small problem it would be much appreciated.  I'll up the points of course.

We got SMS2003 with SQL2000 and SUS1.1 installed on Windows 2003 server.  Recently I've managed to get SMS2003 running, pushing out software just the way we wanted.  When I installed SUS, the reporting page for SMS2003 seems to have disappeared.  Is this something to do with IIS?  I'm sure there's a conflict somewhere along web based reporting.

Thanks
0
 
LVL 20

Expert Comment

by:What90
ID: 10763463
What's the URL you were accessing to get to the SMS reporting page?

If you installed SUS after, then it's most likely been redirected to another URL, i.e. \\localhost\smsreport
0
 

Author Comment

by:cooljam23
ID: 10763502
http://localhost/smsreporting_123  (123 = SMS site code)

Was working fine until SUS was installed.

Had a look on IIS manager and that page does exist, along with //localhost/susadmin

I've also changed the permission on smsreporting page access just for the heck of it and it's still no go.
0
 

Author Comment

by:cooljam23
ID: 10771981
Been waiting for SUS client to get the updates for hours now but nothing is happening.  

I was getting something at least yesterday but today the log is empty.  I've used all options 2-4 and nothing is happening.  

The pc had fresh install of xp + windows update feature.  It didn't work so I thought i'd install sp1 and it still did not work.

Client can ping the SUS server fine and is getting the policy.

This is my understanding.  Option 4, machine has to be logged out?  Option 2-3, doesn't matter whether machine is logged out or not? But I've tried all the combinations nothing has worked today. aarhhh.  I thought SMS2003 was harder to set up than SUS.  

I've still got 2 hours at work, I'll keep trying.

thanks
0
 

Author Comment

by:cooljam23
ID: 10772002
Oh one more thing.  What log files should I be looking at?

I know on client there's one in c:\windows\windows update.log

I'm not sure about the server though.

thanks
0
 
LVL 20

Expert Comment

by:What90
ID: 10772004
Option 4 the user can be logged in or out - it shouldn't matter.


The only thing I can think of is that you have tied in SUS to SMS to push the updates. We're (that means me - what a great project group I am!) going to be trialing that feature in a couple of weeks time.

If I could suggest that you put SUS on another server and point the GPO to the new server, things may start working.

Once you have made the updates to the GPO (set it to the nearest hour), run gpupdate on the XP box.
0
 

Author Comment

by:cooljam23
ID: 10772152
Hum that would mean we'll have to put SUS on hold for a few days.  We're getting a new server for this.  Hopefully you won't mind waiting.  The point will be yours but I wanna keep this thread open.  

We'll be pushing out SP1 and a few patches via SMS2003 tomorrow so hopefully things will go smoothly "fingers crossed".  Should be alright as I've done 2-week testing on SMS2003.

I'll keep you posted if I come up with any problems.

thanks
0
 
LVL 20

Expert Comment

by:What90
ID: 10772164
No problem, no hurry either. Anyway I may have to ask you about SMS2003! ;-)
0
 

Author Comment

by:cooljam23
ID: 10772247
Ok here we go, another problem.  Not sure if it's solvable

On AD, I've discovered that some of the computers that are not on AD anymore are still showing in Users and computers.  SMS2003 scans all computers off AD, therefore the computers that do not exist anymore are being shown in SMS2003.

Is there a way of cleaning up the computers/users on AD?  I can manually delete them of course but imagine the time that I'm gonna be spending on that :-(

thanks
0
 
LVL 20

Expert Comment

by:What90
ID: 10772280
You could use an LDAP script to strip out the computers if you know their names and have them in electronic format.

Personally, unless it's a big number (100+) I'd simply Ctrl and click on the computer name and group delete them.

If it's more than 100+ then create a new thread and post it up. I'm sure someone else may have an answer!
0
 

Author Comment

by:cooljam23
ID: 10809936
Hi, hope you've had a good Easter (or is it still Easter over there?)

Here's an update.  We got it working now but there's still a few more questions I'd like to ask.

I've approved quite a lot of fixes on the SUS server but for some reason the client only pulled out a few of the fixes.  Now I thought that client probably had those fixes installed already but when I went to the Windows Update website it came up with 12 fixes.  Those 12 fixes were included in the approved list but for some reason client didn't pull all the fixes off the server.

So my question would be: is there some kind of scanning process on the client end in regards to what fixes have already been applied, etc.?

Also, following the instructions on susserver.com, I've enabled the "remove access to windows update" option for "local power users" and "domain power users".  If I'm correct, they should be seen as non-admin users to SUS, therefore there should be no pop-ups at all when the user is logged in?  I've also enabled the "no restart for scheduled updates" option in GPO but the client still seems to be getting the notification for the restart.

I've got to do some more testing I guess. I'll let you know.

Thanks
0
 
LVL 20

Accepted Solution

by:
What90 earned 150 total points
ID: 10810010
The machines should check against the SUS server's master patch list and see what it doesn't have, then pull down the updates. Click on approve changes in the SUS interface (you don't have to retick all the boxes!) and the master list should be updated.


Sounds like you also need to run gpupdate on the client machines first to get the latest update info for the GPO.

Good luck!
0
 

Author Comment

by:cooljam23
ID: 10818617
Man this SUS thing is pissing me off a bit.  It worked for the first time yesterday (scheduled install) but it didn't pull out all the updates.

Since then I've been pushing the hours back but the client doesn't seem to be picking up the updates at all.  I ran gpupdate of course.  I also uninstalled the updates.  I've also pushed the update back to option 3 and logged in as domain admin and still the machine doesn't seem to be picking up the updates.  There's nothing at all in the log file.

Seems like SUS server was working for once and it died?  Nothing was changed apart from the hour of scheduled update.

I'll try to remove all approved updates and reapprove them.
0
 

Author Comment

by:cooljam23
ID: 10819753
Ok I think I'm gonna give up on SUS.  It's not working with scheduled update.  I have not done anything to it apart from changing the time in GPO.  What I did this morning was change the time of the update, then ran gpupdate on client and logged off.  30 mins later client was getting updates.  Not all but a lot so I'm not going to complain.  I think I'll leave it as is because I've come to the conclusion that this version is not that reliable.  I'll have to wait till the new version.

We've pushed out sp1 for xp last night using sms2003 and it went real smooth.  We'll be pushing out updates from SUS server tomorrow night and hopefully things will work.

Thanks again for your help.
0
 

Author Comment

by:cooljam23
ID: 10994564
Hey sorry to bug in again.

Just an update.  SUS is working fine now with WOL as well.  I've also set up the reporting tools and some other nice features.  Been running it for 2 weeks with no problems.  

Thanks again.
0
 
LVL 20

Expert Comment

by:What90
ID: 10994759
So what did you do to get it all smoothed out?

Would be really interested to know!
0
