HarryNorman1 asked:

WSUS Server not detecting client computers

This is my first question, so please bear with me as I learn the proper syntax to ask these questions.  I will give as much information as I can, but I'm sure that I will need some coaching to give you what you need to know.

I currently am administering an organization of about 1500 users and have been charged with the task of installing and configuring a WSUS server.  

Topography
Our central location:
Win2k3 PDC for the organization, only the other DCs report to this DC, no client computers connect directly to it for AD validation.
Win2k3 DC for the location
50 Client Computers (mix of winxp and win2k)

19 Branch locations:
Win2k DC for each location
10 - 30 Client Computers (mix of winxp and win2k)

WSUS Installation:
I installed WSUS on a Win2k3Sp1 machine.  
It is set on port 8530.
I have set the group policy configurations correctly (to my knowledge).
I have client-side targeting set in group policy, as well as 2 group policies that are blanket for the organization, but do not overlap.  All computers in the organization are members of one of these 3 (one of which is only domain controllers).
I have created these groups in WSUS so that the computers will add themselves to the groups as they retrieve the next computer policy update.

I set the group policy on the local DC for the main location.  Initially it added itself to the "All Computers" group, as I made the GP changes before I created the group for the DCs.  After that, I created the group, and the DC for the central location added itself within 24 hours (I didn't stalk it with the refresh button, so I don't know exactly how long it took).  A couple of days later, I looked and one of the other DCs had added to the list.  I thought, perhaps it is just taking a long time for this group policy to propagate, but I just came back from a long weekend and we still only have the 2 DCs showing up in the WSUS list, and no client computers are showing up at all.

I have gone through every tutorial and walkthrough and question / answer session that I could find online and I don't see anything like this.  So at this point, I am at the mercy of the experts and I sincerely hope that you can help me.

Thanks much.
HN1


ASKER CERTIFIED SOLUTION
CDCOP

This solution is only available to members.
nodisco
A few things I would check into on this:

Which wuau.adm file are you using for the group policy - there is an updated one (it's 43k as opposed to the older 24k one)
Are you using different group policies for the DCs as opposed to the client computers?
Is the WSUS server fully updated - manually do this from windowsupdate.com if not, as this can fix a lot of WSUS operational issues.
As per CDCOP - your GPO settings will be helpful in diagnosing.
HarryNorman1 (ASKER)

Ok, here is my GPO setup for one of the two client computer groups (none of which are showing up)

(wuau.adm is 42kb, last modified 5/26/2005)

Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update:

Setting
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box -> Not configured
Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box -> Not configured
Configure Automatic Updates -> Enabled (Configure automatic updating: 4 - Auto download and schedule the install, Scheduled install day: 0 - Every day, Scheduled install time: 02:00)
Specify intranet Microsoft update service location -> Enabled (http://newupdateserver:8530, http://newupdateserver:8530)
Enable client-side targeting -> Enabled (Target group name for this computer: ComputerGroup1)
Reschedule Automatic Updates scheduled installations -> Disabled
No auto-restart for scheduled Automatic Updates installations -> Not configured
Automatic Updates detection frequency -> Enabled (Check for updates at the following interval (hours): 6)
Allow Automatic Updates immediate installation -> Enabled
Delay Restart for scheduled installations -> Not configured
Re-prompt for restart with scheduled installations -> Not configured
Allow non-administrators to receive update notifications -> Not configured

User Configuration -> Administrative Templates -> Windows Components -> Windows Update
Setting
Remove Access to all Windows Update features -> Enabled


All three policies that I have are running the same group policy for this type of setup.



I think I might have found an interesting tidbit with the tool that CDCOP posted, here is the log from it:

This is one of the computers that has not added to the computers groups (one of the branch DCs actually)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
WSUS Client Diagnostics Tool

Checking Machine State
        Checking for admin rights to run tool . . . . . . . . . PASS
        Automatic Updates Service is running. . . . . . . . . . PASS
        Background Intelligent Transfer Service is running. . . PASS
        Wuaueng.dll version 5.4.3630.2554 . . . . . . . . . . . PASS
                This version is SUS 1.0

Checking AU Settings
        AU Option is 4: Scheduled Install . . . . . . . . . . . PASS
                Option is from Policy settings

Checking Proxy Configuration
        Checking for winhttp local machine Proxy settings . . . PASS
                Winhttp local machine access type
                        <Direct Connection>
                Winhttp local machine Proxy. . . . . . . . . .  NONE
                Winhttp local machine ProxyBypass. . . . . . .  NONE
        Checking User IE Proxy settings . . . . . . . . . . . . PASS
                User IE Proxy. . . . . . . . . . . . . . . . .  NONE
                User IE ProxyByPass. . . . . . . . . . . . . .  NONE
                User IE AutoConfig URL Proxy . . . . . . . . .  NONE
                User IE AutoDetect
                AutoDetect not in use

Checking Connection to WSUS/SUS Server
                WUServer = http://newupdateserver:8530
                WUStatusServer = http://newupdateserver:8530
        UseWuServer is enabled. . . . . . . . . . . . . . . . . PASS

VerifyWUServerURL() failed with hr=0x80072efd

A connection with the server could not be established


Press Enter to Complete

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

For one of the local DCs in the central location (which has been added to the Domain Controllers group on the WSUS server), everything is the same except for the red text at the bottom:

WinHttpDownloadFileToMemory(szURLDest, NULL, 0, NULL, NULL, NULL, &downloadBuffer) failed with hr=0x80072efd

A connection with the server could not be established

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Hope this helps.



CDCOP

This is @ a remote site huh? Do your switches block NetBIOS names? Try to specify the DNS name or an IP address for the WSUS server in the GPO and recheck the client for a connection.

I actually just got off the phone with one of the guys that I inherited the network from and found out that as far as the branch offices are concerned we have an ACL on our central router that will prevent them from accessing this server until we change that.

So I guess my issue now is with the central site (which shouldn't be going through the router).  I will run the diag tool on some of the local client computers that are located not adding themselves to the WSUS server.
Ok, I think I figured that mystery out.  I just looked and apparently the old SUS server was configured at the individual branch office OU level as well as at the blanket GP level.  So I changed the blanket, but didn't see that it had been configured at the individual level.  I just adjusted this and will give it some time to propagate.

I also realized that the two DCs that were updating, one was on the same subnet with the WSUS server, and the other was on a VLAN.  So the router ACLs are blocking the branch office Domain Controllers, and the individual client computers were configured at the OU GP level, so after I change the ACLs on the router, we should be in business.

Cool. Let me know how it goes.

Yep, that fixed it.  I didn't know that the WSUS client tool existed.  Thanks a ton for your help CDCOP!

No problem. Thanks for the points.
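
The two causes found in this thread (an OU-level GPO still pointing clients at the old SUS server, and a router ACL blocking the WSUS port) can both be checked from a client in one pass. The script below is an added example, not something posted in the thread; it assumes Windows PowerShell is available on the client, uses the server URL from the GPO listing above as its default, and the timeout value is an arbitrary choice.

```powershell
# Added example (not from the thread): check the Windows Update policy this client received.
param(
    [string]$ExpectedServer = 'http://newupdateserver:8530',  # value from the GPO in the thread
    [int]$TimeoutMs = 3000                                     # assumed connect timeout
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

if (-not $wu -or -not $wu.WUServer) {
    Write-Output 'FAIL: no WUServer policy value; the GPO has not applied to this machine.'
    return
}

Write-Output "WUServer       = $($wu.WUServer)"
Write-Output "WUStatusServer = $($wu.WUStatusServer)"
Write-Output "TargetGroup    = $($wu.TargetGroup) (enabled: $($wu.TargetGroupEnabled))"

# A GPO linked closer to the computer (for example at the OU) overrides a
# domain-wide one, so a stale link can still point clients at an old server.
if ($wu.WUServer.TrimEnd('/') -ne $ExpectedServer.TrimEnd('/')) {
    Write-Output "WARN: expected $ExpectedServer; another GPO is setting WUServer. Run 'gpresult' to find it."
}
if (-not $au -or $au.UseWUServer -ne 1) {
    Write-Output 'WARN: UseWUServer is not 1; the client ignores WUServer.'
}

# Plain TCP connect to the policy's host and port. A failure here is the
# condition ClientDiag reports as hr=0x80072efd.
$uri = [Uri]$wu.WUServer
$client = New-Object System.Net.Sockets.TcpClient
try {
    $pending = $client.BeginConnect($uri.Host, $uri.Port, $null, $null)
    if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) {
        $client.EndConnect($pending)
        Write-Output "OK: TCP connect to $($uri.Host):$($uri.Port) succeeded."
    } else {
        Write-Output "FAIL: cannot reach $($uri.Host):$($uri.Port); check DNS, router ACLs and firewalls on the path."
    }
} catch {
    Write-Output "FAIL: $($_.Exception.Message)"
} finally {
    $client.Close()
}
```

Run it on one machine per subnet or site: a WARN about the server value points at Group Policy precedence, while a FAIL on the connect with the correct value points at the network path.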