Solved

Clients not getting Windows update Policy from GPO

Posted on 2004-04-04
31
1,250 Views
Last Modified: 2007-12-19
Hi all,

Trying to get clients to receive Windows Update policy for SUS from Windows 2003 and Windows 2000 server but it doesn't seem to work.

With 2003 server, the Windows Update template is there by default but in 2000 server I had to manually add it. Anyway, all other policies that are set up in the GPO are working fine. All clients can get them off the servers no problems but not the Windows Update policy.

Does anyone know how to fix this?

ps: SUS is good when you can get it working :-(

thanks in advance
Question by:cooljam23
31 Comments
 
LVL 20

Expert Comment

by:What90
ID: 10754107
Hi cooljam23,


Get the latest admin tools for Windows 2003 or get the latest update for the Windows Update ADM file.
These will allow you to have the full options for Windows Update.

Then make sure the clients have had a 90 minute wait after you've made the change or you've used secedit /refreshpolicy user_policy or machine_policy

PS: Have the client machines got SP3 or better?

0
 
LVL 20

Expert Comment

by:What90
ID: 10754121
cooljam23,

Here's some further links that may help:
http://www.microsoft.com/windowsserversystem/sus/default.mspx

And here's the troubleshooting page for it:
http://www.susserver.com/
0
 

Author Comment

by:cooljam23
ID: 10754304
Thanks for a quick reply.

I have created a test group so that we don't interrupt all users during business hours. The policy on this group was set and Windows Update ADM file was loaded correctly. All is working and set up, e.g. type of update, time, server name, etc. The only problem is clients that we put into this group do not get the policy off the server. They have also had more than 90 min wait time. We're talking days here. I also tried to put this policy on to other groups but they do not seem to be getting the policy at all.

If I manually create the Windows update policy on local, it will find the SUS server and receive the updates with problem.  I just need the clients to get the policy off the server.
0

 

Author Comment

by:cooljam23
ID: 10754310
/edit last post, last sentence. Clients can find SUS server and receive the updates with no problem.
0
 
LVL 20

Expert Comment

by:What90
ID: 10754336
What's the server name you are using? Have you tried putting in the SUS IP address or have you used the fully qualified domain name?
The default is http://isaserver but I've had to put in the full http://isaserver.mydomain.com to get it to behave correctly on certain sites.

Check that the clients can ping or resolve the SUS server name and IP address.

Are you sure that the policies are going to the client (check with RoSP tool) or change the background screen colour to confirm.

0
 

Author Comment

by:cooljam23
ID: 10754415
All clients can ping server name and/or ip address fine.  I'll try to use fully qualified domain name anyway.

What's RoSP tool and where can I get it from?

thanks
0
 
LVL 20

Expert Comment

by:What90
ID: 10755315
0
 

Author Comment

by:cooljam23
ID: 10755589
Yeah sorry, I've just realised that the tool is called rsop.msc

I got the policy thingy working now. I was real dumb. I was supposed to apply the policy on computers instead of users. I'm just waiting to see if the test PC will be getting updates tonight. But I'm afraid that it might not work as I've tried this a few months ago and decided to give up on it. Will keep you posted.

thanks
0
 
LVL 20

Expert Comment

by:What90
ID: 10762364
Happens to the best of us!

When I was testing SUS, I used two machines in their own OU (2000 and XP) and just ran GPupdate/secedit to speed up the updates and testing purposes, rather than wait for a nightly update. Speeds things up a lot. Remember to check the client machine's event logs to see what's happening.

Keep in there with the updates - it makes life so much easier. As I mentioned before, this link is a good troubleshooting page for it:
http://www.susserver.com/
0
 

Author Comment

by:cooljam23
ID: 10763014
Ok here's the update.

2004-04-06 13:51:12  03:51:12   Success   CDM            Starting
2004-04-06 13:51:14  03:51:14   Success   IUCTL          Starting
2004-04-06 13:51:27  03:51:27   Success   IUCTL          Downloaded iuident.cab from http://susserver to C:\Program Files\WindowsUpdate\V4
2004-04-06 13:51:31  03:51:31   Success   IUENGINE       Starting
2004-04-06 13:51:50  03:51:50   Success   IUENGINE       Querying software update catalog from https://a248.e.akamai.net/v4.windowsupdate.microsoft.com/consumerdrivers/getmanifest.asp
2004-04-06 13:51:50  03:51:50   Success   IUENGINE       Didn't find matching driver for ROOT\LEGACY_HPECP\0000
2004-04-06 13:52:48  03:52:48   Success   IUENGINE       Shutting down
2004-04-06 13:52:48  03:52:48   Success   IUCTL          Shutting down
2004-04-06 13:52:48  03:52:48   Success   CDM            Shutting down

I'm not too sure what this means as I have not seen this before.  Last time I got the error message was something different.  Hopefully you could help me with it.  I have had a search around google and www.susserver.com but came up empty.

I guess I should skip the option 4 update for now as it takes each hour for client to update.  

Thanks
0
 
LVL 20

Expert Comment

by:What90
ID: 10763191
Looks like that machine is up to date for patches. Have you:
Pulled down the latest patches on the SUS server by syncing it on the admin page?
Got any machines which have only got the service pack and no updates running on them for testing purposes?
Is there anything in the machine event logs?

0
 

Author Comment

by:cooljam23
ID: 10763262
You're right, the current approved patches are all installed on this test PC. What I found, though, was 1 patch that wasn't installed. I have approved it and here's a different error:

2004-04-06 14:46:11  04:46:11   Success   IUCTL          Starting
2004-04-06 14:46:11  04:46:11   Success   IUCTL          Downloaded iuident.cab from http://susserver to C:\Program Files\WindowsUpdate\V4
2004-04-06 14:46:11  04:46:11   Success   IUENGINE       Starting
2004-04-06 14:46:12  04:46:12   Success   IUENGINE       Determining machine configuration
2004-04-06 14:46:12  04:46:12   Success   IUENGINE       Querying software update catalog from http://susserver/autoupdate/getmanifest.asp
2004-04-06 14:46:12  04:46:12   Success   IUENGINE       Determining machine configuration
2004-04-06 14:46:13  04:46:13   Success   IUENGINE       Querying software update catalog from http://susserver/autoupdate/getmanifest.asp
2004-04-06 14:46:13  04:46:13   Success   IUENGINE       Determining machine configuration
2004-04-06 14:46:13  04:46:13   Success   IUENGINE       Querying software update catalog from http://susserver/autoupdate/getmanifest.asp
2004-04-06 14:46:17  04:46:17   Success   IUENGINE       Determining machine configuration
2004-04-06 14:46:17  04:46:17   Success   IUENGINE       Querying software update catalog from http://susserver/autoupdate/getmanifest.asp
2004-04-06 14:46:18  04:46:18   Success   IUENGINE       Determining machine configuration
2004-04-06 14:46:18  04:46:18   Error     IUENGINE       Querying software update catalog from http://susserver/autoupdatedrivers/getmanifest.asp (Error 0x80190194)
2004-04-06 14:46:18  04:46:18   Success   IUENGINE       Shutting down
2004-04-06 14:46:18  04:46:18   Success   IUCTL          Shutting down

This looks pretty straightforward but because I'm new to this I wouldn't have much clue.

In Event viewer, there's quite a few errors

Source: EventSystem
EventID: 4356

Description: The COM+ Event System failed to create an instance of the subscriber partition(numbers,etc)

Any idea?

Thanks
0
 
LVL 20

Expert Comment

by:What90
ID: 10763291
I don't think the EventID: 4356 has much to do with SUS. Was this on the client workstation or the SUS server?

For Error 0x80190194, basically it can't find a file:
http://support.microsoft.com/?kbid=326596

It looks like if you put an unpatched client in that OU, it should work.
0
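Added example, not part of the original thread: a small parser for the Windows Update client log format posted above. It decodes the HRESULT in Error lines (0x80190194 carries HTTP status 404, which matches "it can't find a file") and lists catalog queries that went to a host other than the internal SUS server. The function names are hypothetical, the column layout is inferred from the posted lines, and `susserver` is the host name that appears in those logs.

```python
import re
from urllib.parse import urlparse

# Lines copied from the client log posted in the thread
SAMPLE_LOG = """\
2004-04-06 13:51:27  03:51:27   Success   IUCTL          Downloaded iuident.cab from http://susserver to C:\\Program Files\\WindowsUpdate\\V4
2004-04-06 13:51:50  03:51:50   Success   IUENGINE       Querying software update catalog from https://a248.e.akamai.net/v4.windowsupdate.microsoft.com/consumerdrivers/getmanifest.asp
2004-04-06 14:46:17  04:46:17   Success   IUENGINE       Querying software update catalog from http://susserver/autoupdate/getmanifest.asp
2004-04-06 14:46:18  04:46:18   Error     IUENGINE       Querying software update catalog from http://susserver/autoupdatedrivers/getmanifest.asp (Error 0x80190194)
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<local>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<utc>\d{2}:\d{2}:\d{2})\s+(?P<status>\w+)\s+(?P<component>\w+)\s+(?P<msg>.*)$"
)
URL_RE = re.compile(r"https?://\S+")
HRESULT_RE = re.compile(r"\(Error (0x[0-9A-Fa-f]{8})\)")
FACILITY_HTTP = 0x19  # HRESULT facility whose code field is an HTTP status


def decode_hresult(text):
    """Split an HRESULT into (facility, code) using the 11-bit facility field."""
    value = int(text, 16)
    return (value >> 16) & 0x7FF, value & 0xFFFF


def analyse(log_text, expected_host):
    """Return (errors, off_server) for a Windows Update client log."""
    errors, off_server = [], []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        msg = m["msg"]
        url = URL_RE.search(msg)
        host = urlparse(url.group()).hostname if url else None
        if host and host.lower() != expected_host.lower():
            off_server.append((m["date"], m["local"], host))
        hr = HRESULT_RE.search(msg)
        if m["status"] == "Error" and hr:
            facility, code = decode_hresult(hr.group(1))
            http = code if facility == FACILITY_HTTP else None
            errors.append({"url": url.group() if url else None,
                           "hresult": hr.group(1), "http_status": http})
    return errors, off_server


if __name__ == "__main__":
    errs, off = analyse(SAMPLE_LOG, "susserver")
    for e in errs:
        print(f"{e['hresult']} -> HTTP {e['http_status']} for {e['url']}")
    for date, time, host in off:
        print(f"{date} {time}: catalog query left the SUS server -> {host}")
```

On the posted lines this reports the 404 for the `autoupdatedrivers` catalog and the one driver-catalog query that went to an external host instead of the SUS server.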
 

Author Comment

by:cooljam23
ID: 10763366
That's on client workstation.

I guess this version of SUS is not perfect is it?  I know that the new version is coming out real soon so maybe I'll just have to live with this one.

I will completely blow this PC out and reinstall XP with no patches and see if it works.
I'll let you know tomorrow.

thanks
0
 
LVL 20

Expert Comment

by:What90
ID: 10763375
Are you using V1.1?
V2 is out soon (I love those marketing folks time scales ...) and is supposed to be a great leap forward.

You could just uninstall some patches in control panel and save yourself some work?
0
 

Author Comment

by:cooljam23
ID: 10763451
Yes it's 1.1

We talked to some of the IT gurus in L.A. and they said V2 is very good and told us that we should have a look at it.  But because these new worms come out almost like hourly we really have to get everyone here patched.  So I decided to get back into SUS 1.1

There are some workstations that have not been sp1 patched so I'd thought it's better to test it on xp stand alone with no sp1, etc.

I don't know how good you are with SMS2003 but if you can help me out with this small problem it would be much appreciated. I'll up the points of course.

We got SMS2003 with SQL2000 and SUS1.1 installed on Windows 2003 server. Recently I've managed to get SMS2003 running, pushing out software just the way we wanted. When I installed SUS, the reporting page for SMS2003 seems to have disappeared. Is this something to do with IIS? I'm sure there's a conflict somewhere along web based reporting.

Thanks
0
 
LVL 20

Expert Comment

by:What90
ID: 10763463
What's the URL you were accessing to get to the SMS reporting page?

If you installed SUS after then it's most likely been redirected to another URL, i.e. \\localhost\smsreport
0
 

Author Comment

by:cooljam23
ID: 10763502
http://localhost/smsreporting_123  (123 = SMS site code)

Was working fine until SUS was installed.

Had a look on IIS manager and that page does exist, along with //localhost/susadmin

I've also changed the permission on smsreporting page access just for the heck of it and it's still no go.
0
 

Author Comment

by:cooljam23
ID: 10771981
Been waiting for SUS client to get the updates for hours now but nothing is happening.  

I was getting something at least yesterday but today the log is empty.  I've used all options 2-4 and nothing is happening.  

The PC had a fresh install of XP + Windows Update feature. It didn't work so I thought I'd install SP1 and it still did not work.

Client can ping the SUS server fine and is getting the policy.

This is my understanding.  Option 4, machine has to be logged out?  Option 2-3, doesn't matter whether machine is logged out or not? But I've tried all the combinations nothing has worked today. aarhhh.  I thought SMS2003 was harder to set up than SUS.  

I've still got 2 hours at work, I'll keep trying.

thanks
0
 

Author Comment

by:cooljam23
ID: 10772002
Oh one more thing.  What log files should I be looking at?

I know on client there's one in c:\windows\windows update.log

I'm not sure about the server though.

thanks
0
 
LVL 20

Expert Comment

by:What90
ID: 10772004
Option 4 the user can be logged in or out - it shouldn't matter.


The only thing I can think of is that you have tied in SUS to SMS to push the updates. We're (that means me - what a great project group I am!) going to be trialing that feature in a couple of weeks time.

If I could suggest that you put SUS on another server and point the GPO to the new server, things may start working.

Once you have made the updates to the GPO (set it to the nearest hour), run gpupdate on the XP box.
0
 

Author Comment

by:cooljam23
ID: 10772152
Hum that would mean we'll have to put SUS on hold for a few days.  We're getting a new server for this.  Hopefully you won't mind waiting.  The point will be yours but I wanna keep this thread open.  

We'll be pushing out SP1 and a few patches via SMS2003 tomorrow so hopefully things will go smoothly "fingers crossed". Should be alright as I've done 2-week testing on SMS2003.

I'll keep you posted if I come up with any problems.

thanks
0
 
LVL 20

Expert Comment

by:What90
ID: 10772164
No problem, no hurry either. Anyway I may have to ask you about SMS2003! ;-)
0
 

Author Comment

by:cooljam23
ID: 10772247
Ok here we go, another problem.  Not sure if it's solvable

On AD, I've discovered that some of the computers that are not on AD anymore are still showing in Users and computers.  SMS2003 scans all computers off AD, therefore the computers that do not exist anymore are being shown in SMS2003.

Is there a way of cleaning up the computers/users on AD? I can manually delete them of course but imagine the time that I'm gonna be spending on that :-(

thanks
0
 
LVL 20

Expert Comment

by:What90
ID: 10772280
You could use an LDAP script to strip out the computers if you know their names and have them in electronic format.

Personally, unless it's a big number (100+) I'd simply Ctrl and click on the computer name and group delete them.

If it's more than 100+ then create a new thread and post it up. I'm sure someone else may have an answer!
0
 

Author Comment

by:cooljam23
ID: 10809936
Hi, hope you've had a good Easter (or is it still Easter over there?)

Here's an update. We got it working now but there's still a few more questions I'd like to ask.

I've approved quite a lot of fixes on the SUS server but for some reason the client only pulled out a few of the fixes. Now I thought that client probably had those fixes installed already but when I went to the Windows Update website it came up with 12 fixes. Those 12 fixes were included in the approved list but for some reason client didn't pull all the fixes off the server.

So my question would be: is there some kind of scanning process on the client end in regards to which fixes have already been applied, etc.?

Also following the instructions on susserver.com I've enabled the "remove access to windows update" option for "local power users" and "domain power users". If I'm correct, they should be seen as non-admin users to SUS, therefore there should be no pop-ups at all when the user is logged in? I've also enabled the "no restart for scheduled updates" option in GPO but the client still seems to be getting the notification for the restart.

I've got to do some more testing I guess. I'll let you know.

Thanks
0
 
LVL 20

Accepted Solution

by:
What90 earned 150 total points
ID: 10810010
The machines should check against the SUS server's master patch list and see what it doesn't have, then pull down the updates. Click on approve changes in the SUS interface (you don't have to retick all the boxes!) and the master list should be updated.


Sounds like you also need to run gpupdate on the client machines first to get the latest update info for the GPO.

Good luck!
0
 

Author Comment

by:cooljam23
ID: 10818617
Man this SUS thing is pissing me off a bit.  It worked for the first time yesterday (scheduled install) but it didn't pull out all the updates.

Since then I've been pushing the hours back but the client doesn't seem to be picking up the updates at all. I ran gpupdate of course. I also uninstalled the updates. I've also pushed the update back to option 3 and logged in as domain admin and still the machine doesn't seem to be picking the updates. There's nothing at all in the log file.

Seems like SUS server was working for once and it died? Nothing was changed apart from the hour of scheduled update.

I'll try to remove all approved updates and reapprove them.
0
 

Author Comment

by:cooljam23
ID: 10819753
Ok I think I'm gonna give up on SUS. It's not working with scheduled update. I have not done anything to it apart from changing the time in GPO. What I did this morning was changed the time of the update then ran gpupdate on client and logged off. 30 mins later client was getting updates. Not all but a lot so I'm not going to complain. I think I'll leave it as is because I've come to a conclusion that it's not that reliable this version. I'll have to wait till the new version.

We've pushed out sp1 for xp last night using sms2003 and it went real smooth.  We'll be pushing out updates from SUS server tomorrow night and hopefully things will work.

Thanks again for your help.
0
 

Author Comment

by:cooljam23
ID: 10994564
Hey sorry to bug in again.

Just an update.  SUS is working fine now with WOL as well.  I've also set up the reporting tools and some other nice features.  Been running it for 2 weeks with no problems.  

Thanks again.
0
 
LVL 20

Expert Comment

by:What90
ID: 10994759
So what did you do to get it all smoothed out?

Would be really interested to know!
0
