  • Status: Solved

WSUS client issue

We have configured WSUS on a new server and we are using the "move computers task in WSUS" instead of using group policy for updating clients. The problem is that the WSUS console is not showing the client in the computers list. We have tried using client-side targeting, changing domains, etc., but no luck. I have also changed the client machine and configured it for WSUS, but it also didn't work.

There should be no WSUS configuration issues, as far as I think, as we are already using WSUS on other servers.

Anyone shed some light plz.

Thanks.
0
KidsTrainingTeam
Asked:
KidsTrainingTeam
1 Solution
 
prashsax Commented:
You need to make sure that the clients have been configured to contact the new WSUS server.

To check, go to one of the machines.
Open regedit and locate these keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://YOUR-WSUS-SERVER"
"WUStatusServer"="http://YOUR-WSUS-SERVER"
"TargetGroupEnabled"=dword:00000001
"TargetGroup"="IT Department"
"ElevateNonAdmins"=dword:00000000

Most likely, your clients are not configured properly.
0
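An added example, not part of the original answer: a Python check that reads a .reg export of the policy key listed above and flags inconsistent values. The server names and the sample export are constructed for illustration; the check that WUServer and WUStatusServer hold the same value follows Microsoft's guidance for these two settings.

```python
import re
from urllib.parse import urlparse

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=(?:"(?P<text>.*)"|dword:(?P<dword>[0-9a-fA-F]{8}))$')

# Constructed export: hypothetical server names, with a deliberate mismatch
# between the two server values and no TargetGroup.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://wsus01.example.test"
"WUStatusServer"="http://wsus-old.example.test"
"TargetGroupEnabled"=dword:00000001
"ElevateNonAdmins"=dword:00000000
'''


def read_policy(reg_text, key=POLICY_KEY):
    """Return {name: value} for one key of a .reg export (strings and dwords only)."""
    values, inside = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            inside = line.strip("[]").lower() == key.lower()
        elif inside and (m := VALUE_RE.match(line)):
            values[m["name"]] = m["text"] if m["dword"] is None else int(m["dword"], 16)
    return values


def check_policy(values):
    """Flag inconsistencies in the WSUS client policy values."""
    problems = []
    for name in ("WUServer", "WUStatusServer"):
        url = urlparse(str(values.get(name, "")))
        if url.scheme not in ("http", "https") or not url.hostname:
            problems.append(f"{name} is missing or not an http(s) URL")
    if not problems and (values["WUServer"].rstrip("/").lower()
                         != values["WUStatusServer"].rstrip("/").lower()):
        problems.append("WUServer and WUStatusServer point to different servers")
    if values.get("TargetGroupEnabled") == 1 and not values.get("TargetGroup"):
        problems.append("TargetGroupEnabled is 1 but TargetGroup is not set")
    return problems


if __name__ == "__main__":
    for problem in check_policy(read_policy(SAMPLE_REG)):
        print("PROBLEM:", problem)
```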
 
AJThomas Commented:
Hi, I assume you have used GPO to point all the PCs at the server WSUS is on - when you set up the new server did you adjust the GPO to reflect the new server name and/or port?

Cheers

AJ
0
 
Ron Malmstead (Information Services Manager) Commented:
prashsax is right on the reg keys.  Those have to be listed in the client registry.  Either manually enter them or group policy....

However....clients can still fail to update or fail to even show up in the list... if they don't have BITS updated from the original version. (Background intelligent transfer service)

On some clients, you may have to bring them up to date a bit before they will start syncing up with the WSUS server.

Go to windows update and install that BITS update.  I think you can download it for network install as well.

Also....you should specify the WSUS server in group policy.  This will save you from having to make registry changes on every machine.

Additionally...you should have separate groups in WSUS web for servers and clients.

When client first makes contact with WSUS server, it will appear in the "unassigned" group.  You then have to move it into another group.

For client PCs I would set updates to "install approval" for "All Computers".  This will allow newly created machines to update immediately upon joining to your network.  Otherwise they will not update until you put them into the group.

PS: you shouldn't have WSUS server installed on every server, you only need one WSUS server in your domain...and every machine gets updates from it.
0

 
KidsTrainingTeam (Author) Commented:
We don't need to set any option on clients if we are using the second option, which is other than the one which requires group policy or registry settings to be modified on clients. Although I have tested that option too and it is also not working.

Thanks
0
 
prashsax Commented:
You need to either set up the Group Policy or update each machine manually so that they point to the WSUS server.

Once you have done either of above, Client will then request for update as per the timing schedule you have specified.

Sometimes, clients will contact WSUS server 2-3 hrs after their scheduled timing.
0
 
Krompton Commented:
KidsTrainingTeam,

Open regedit>navigate to
HKLM\software\microsoft\windows\currentversion\windowsupdate
rename or delete values may be two or three (AccountDomainSid, SusClientId and maybe PingID)
Restart machine
From run box execute "wuauclt /detectnow" (no quotes)

Many times (but not always) this will allow the client to reconnect to the server

Good luck,
Krompton
0
 
KidsTrainingTeam (Author) Commented:
Problem: WSUS is not detecting client / Client not connecting to WSUS

Sorry, we didn’t post our problem clearly before. Here’s some more information about the problem.

We have installed & configured WSUS on a server having Windows 2003 Operating System and we are using server side targeting to deploy the updates. We have configured the Group Policy through Active Directory. We are using ‘Use the Move computers tasks in Windows Server Update Services’ under Computer Options in WSUS console (We didn’t do any changes in the client side). But, it’s not detecting the clients. It’s been more than a week now. (This server previously had SUS and then we upgraded to WSUS; but, it didn’t work properly. So, we uninstalled WSUS and then re-installed it again)

But, where as when we change the same client to point to another domain, which also has Win 2003 server, WSUS (Server side targeting, Group Policy configured through Active Directory), it detects the client. So, I feel that there is something wrong in the server side. We double checked the settings and configurations but, don’t know where we made a mistake. Any help is highly appreciated!

Thanks,
KidsTraining Team
0
 
Krompton Commented:
What is the domain structure? Two separate domains, or is one a child domain of the other?
0
 
KidsTrainingTeam (Author) Commented:
They are two separate domains!
0
 
KidsTrainingTeam (Author) Commented:
Still unresolved... any suggestions?
0
 
prashsax Commented:
I assume you have already checked the registry settings I've already mentioned on the client machine.

What does the Windows Update log say on the client computers?

Could you post it?

You can locate it under c:\windows\windowsupdate.log
0
 
KidsTrainingTeam (Author) Commented:
Hi Prashsax,

There are only two entries under this key [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate], which are ‘WUServer’ & ‘WUStatusServer’ and there are no entries like ‘TargetGroupEnabled’, ‘TargetGroup’ or ‘ElevateNonAdmins’

Also, when I checked the log file on client computers, I found that one of the machines has two log files under the names ‘Windows Update.log’ (white space between Windows and Update) and ‘WindowsUpdate.log’. The latter is the recent file. But, my question is, the same client connects to another WSUS server or a WSUS server in another domain detects this client when I change the DNS entries. Anyway, included the last few lines of the log file of one of the clients. Let me know if i should provide you more details.

Client's Log File:
-------------------

2006-06-09      12:35:00       808       c4      AU      #############
2006-06-09      12:35:00       808       c4      AU      ## START ##  AU: Search for updates
2006-06-09      12:35:00       808       c4      AU      #########
2006-06-09      12:35:00       808       c4      AU      <<## SUBMITTED ## AU: Search for updates [CallId = {DB349CD0-C643-4F88-BD57-9F98304CB5B5}]
2006-06-09      12:35:00       808      338      Agent      *************
2006-06-09      12:35:00       808      338      Agent      ** START **  Agent: Finding updates [CallerId = AutomaticUpdates]
2006-06-09      12:35:00       808      338      Agent      *********
2006-06-09      12:35:00       808      338      Misc      WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80190191
2006-06-09      12:35:00       808      338      Misc      WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80190191
2006-06-09      12:35:00       808      338      Misc      WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80190191
2006-06-09      12:35:00       808      338      Misc      WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80190191
2006-06-09      12:35:00       808      338      Misc      WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80190191
2006-06-09      12:35:00       808      338      Misc      WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80190191
2006-06-09      12:35:00       808      338      Misc      WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80190191
2006-06-09      12:35:00       808      338      Misc      WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80190191
2006-06-09      12:35:00       808      338      Misc      WARNING: DownloadFileInternal failed for http://156.26.162.236/WSUSAdmin//selfupdate/wuident.cab: error 0x80190191
2006-06-09      12:35:00       808      338      Setup      FATAL: IsUpdateRequired failed with error 0x80244017
2006-06-09      12:35:00       808      338      Setup      WARNING: SelfUpdate: Default Service: IsUpdateRequired failed: 0x80244017
2006-06-09      12:35:00       808      338      Setup      WARNING: SelfUpdate: Default Service: IsUpdateRequired failed, error = 0x80244017
2006-06-09      12:35:00       808      338      Agent        * WARNING: Skipping scan, self-update check returned 0x80244017
2006-06-09      12:35:01       808      338      Agent        * WARNING: Exit code = 0x80244017
2006-06-09      12:35:01       808      338      Agent      *********
2006-06-09      12:35:01       808      338      Agent      **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
2006-06-09      12:35:01       808      338      Agent      *************
2006-06-09      12:35:01       808      338      Agent      WARNING: WU client failed Searching for update with error 0x80244017
2006-06-09      12:35:01       808      338      AU      >>##  RESUMED  ## AU: Search for updates [CallId = {DB349CD0-C643-4F88-BD57-9F98304CB5B5}]
2006-06-09      12:35:01       808      338      AU        # WARNING: Search callback failed, result = 0x80244017
2006-06-09      12:35:01       808      338      AU      #########
2006-06-09      12:35:01       808      338      AU      ##  END  ##  AU: Search for updates [CallId = {DB349CD0-C643-4F88-BD57-9F98304CB5B5}]
2006-06-09      12:35:01       808      338      AU      #############
2006-06-09      12:35:01       808      338      AU      AU setting next detection timeout to 2006-06-09 22:35:01
2006-06-09      12:35:05       808      338      Report      REPORT EVENT: {F4284F4F-FEA5-4722-A5BA-A2B1D1ABA585}      2006-06-09 12:35:00-0500      1      148      101      {D67661EB-2423-451D-BF5D-13199E37DF28}      0      80244017      SelfUpdate      Failure      Software Synchronization      Error: Agent failed detecting with reason: 0x80244017

0
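An added example, not part of the original thread: a Python parser that pulls the failure codes out of WindowsUpdate.log lines like those posted above and decodes them by HRESULT facility. The sample lines are copied from that log; only the one agent code seen in this thread is named, and any other code is reported undecoded.

```python
import re
from collections import Counter

FACILITY_HTTP = 25           # HRESULT facility whose low word is an HTTP status
FACILITY_WINDOWSUPDATE = 36  # Windows Update Agent error codes
# Only the agent code seen in this thread is named; others stay undecoded.
WUA_CODES = {0x80244017: "WU_E_PT_HTTP_STATUS_DENIED"}

HRESULT_RE = re.compile(r"\b0x([0-9A-Fa-f]{8})\b")
URL_RE = re.compile(r"https?://\S+")

# Four lines copied from the client log posted above.
SAMPLE_LOG = """\
2006-06-09      12:35:00       808      338      Misc      WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80190191
2006-06-09      12:35:00       808      338      Misc      WARNING: DownloadFileInternal failed for http://156.26.162.236/WSUSAdmin//selfupdate/wuident.cab: error 0x80190191
2006-06-09      12:35:00       808      338      Setup      FATAL: IsUpdateRequired failed with error 0x80244017
2006-06-09      12:35:00       808      338      Agent        * WARNING: Skipping scan, self-update check returned 0x80244017
"""


def decode_hresult(value):
    """Split an HRESULT into facility and code and name the ones relevant here."""
    facility, code = (value >> 16) & 0x7FF, value & 0xFFFF
    if facility == FACILITY_HTTP:
        return f"HTTP status {code}"
    if facility == FACILITY_WINDOWSUPDATE:
        return WUA_CODES.get(value, f"Windows Update code 0x{code:04X}")
    return f"facility {facility} code 0x{code:04X}"


def summarize(log_text):
    """Count failure codes on WARNING/FATAL lines and collect the URLs that failed."""
    codes, urls = Counter(), set()
    for line in log_text.splitlines():
        fields = line.split(None, 5)  # date, time, pid, tid, component, message
        if len(fields) < 6 or not re.search(r"WARNING|FATAL", fields[5]):
            continue
        for digits in HRESULT_RE.findall(fields[5]):
            codes["0x" + digits.upper()] += 1
        urls.update(u.rstrip(":") for u in URL_RE.findall(fields[5]))
    decoded = {c: (n, decode_hresult(int(c, 16))) for c, n in codes.items()}
    return {
        "codes": decoded,
        "failed_urls": sorted(urls),
        "auth_required": any(d == "HTTP status 401" for _, d in decoded.values()),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

The failing URL in the summary shows which IIS path answered with the 401, which is the path whose authentication settings need checking on the server.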
 
prashsax Commented:
Ok.

Please add your WSUS server name in exception list in proxy settings.

IE->Tools-> Internet Options->Connections->Lan Settings->Advanced->Exceptions.

Add your WSUS server's complete name (FQDN),
e.g. servername.domainname.com

This should tell the machine not to use the proxy for WSUS.

Now run these commands at the DOS prompt:

net stop wuauserv

net start wuauserv

Wait for some time, this PC should be detected by WSUS server.
0
 
prashsax Commented:
This tool checks all the settings on the client machine.
Should there be any problem for clients to connect to the server, it will report to you.


http://download.microsoft.com/download/9/7/6/976d1084-d2fd-45a1-8c27-a467c768d8ef/WSUS%20Client%20Diagnostic%20Tool.EXE
0
 
KidsTrainingTeam (Author) Commented:
Well, we don't have a proxy server. Also, the Advanced button is disabled. I can enable it only if I check the box 'Use a proxy server for your LAN'. Anyway, should I go ahead and try this on the client machine?

Thanks for your time!
0
 
prashsax Commented:
No, if you do not use a proxy then it's not required.

Did you try that WSUS Client Test tool?

See if it could find any errors.
0
 
KidsTrainingTeam (Author) Commented:
Yes. I did use that tool. At the end of the test, it says, " Verify WUServerURL() faliled with hr=0x80190191. The requested resource requires user authentication."
0
 
prashsax Commented:
Your IIS requires Integrated authentication.

Configure it for anonymous access.

0
 
KidsTrainingTeam (Author) Commented:
U mean, SelfUpdate folder under Default web site of IIS? If that's the case, I already have it enabled for anonymous access.
0
 
KidsTrainingTeam (Author) Commented:
Any other suggestions / workarounds?
0
 
Krompton Commented:
KidsTrainingTeam,

Can you access the WSUSAdmin Web interface from any of the problem clients? (http://yourwsusservername/wsusadmin/)

0
 
prashsax Commented:
Enable anonymous access on default web site as well.

Right Click Default Web site.
Properties.
Directory Security
Anonymous Access and Authentication Control.
Click Edit button.
Check Allow Anonymous Access and username is written as IUSR_XXXXXXXXXXXXX.  (XXXX being machine name.)
Also make sure "Allow IIS to control Password" is checked.

No other check box should be checked other than this.


0
 
KidsTrainingTeam (Author) Commented:
Hi Krompton,

Thanks for your reply. Yes, I can access WSUS console from the client in question.




0
 
KidsTrainingTeam (Author) Commented:
Hi Prashsax,

Yes, Anonymous access has been enabled with the username, and password was also entered in there. Also, under Authenticated Access, 'Integrated Windows Authentication' has been checked and I don't know where to check for 'Allow IIS to control password'. Thanks for ur support.
0
 
prashsax Commented:
> Also, under Authenticated Access, 'Integrated Windows Authentication' has been checked

Uncheck the "Integrated Windows Authentication".

This is what is causing the problems.

Then restart the server.



0
 
Krompton Commented:
I believe prashsax is correct.

Though in IIS Manager, Under the website, "wsusadmin" should have Integrated Windows Authentication checked and Anonymous Access unchecked. You don't want everyone to be able to access that part.
0
 
KidsTrainingTeam (Author) Commented:
Prashsax, I was kinda excited after seeing this hint. I unchecked that, rebooted the server.... yet no luck. It's just still driving me crazy. I know it may take some time to appear in the console, but it's close to 45 mins since I rebooted the machine. Again, thanks!
0
 
prashsax Commented:
What is the schedule which you have defined?

Wait for some more time.

Then look for the same logs on the clients.

0
 
KidsTrainingTeam (Author) Commented:
Awesome! Yes, now both the Server name and client names appear in the console. Thankssssssss a lot. As you know, it was driving me crazy for about 2 weeks now since I didn't notice that option. Also, did a few changes in group policy and it seems to be working fine. (But an update icon appears in the system tray saying, 'click here to install the updates'. Shouldn't those updates be detected by WSUS? Shall I go ahead and install 'em or wait for WSUS to detect them?)

Also, i need ur expertise with another server.  Would you look in to this when you find some time ? http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21885528.html 

Thanks again !
0
 
prashsax Commented:
Good that it's working now.

Computer has already downloaded the updates.

Go ahead and install them. After installation their report can be seen in WSUS logs.
0
 
KidsTrainingTeam (Author) Commented:
Yes, I'm gonna install all of the updates except one, which is WSUS Service Pack 1, and you would understand why I'm worried about applying SP1 when you see the above mentioned link. Thanks!
0
