bklyngy
asked on
Computers not checking in with WSUS
I am running a centralized WSUS network over a Windows 2000 Server environment. I have a master WSUS server and six WSUS acting as replicas. Six of the seven servers were previously running SUS; I installed MSDE plus the security patch and then decomissioned SUS and put WSUS on port 80. All computers in the specific GPO I set up started reporting in within 2 days. However, I have a dilemma with the seventh replica server. This server was running SUS but it was uninstalled before WSUS was installed. WSUS set up successfully, it syncs successfully, but out of 40 or so computers, only two reported in over a span of two months. During that time, I checked certain computers to make sure they were getting the GPO (Win Update screen is grayed out with my GPO settings shown underneath but grayed out), i forced the GPO using secedit, and I put a script in the computer OU's startup to register related dlls and reauthorize or redirect old SUS clients to the new WSUS server ( i got it from this site), i ran wuauclt.exe commands on certain computers but all with no effect. I disabled the Software Update Services service thinking that was interfering with something (Windows Software Update Services is running on Auto, MSSQLWSUS$ instance is running), but the other servers were running this unneccessary service without issue. The GPO is exactly the same for each site.
Again, 2 computers checked in successfully, but I'm missing a good 30 computers. About 5% of the PCs may be cloned and I know about the SUS IDs causing issues, but the rest should be checking in. I think I read something recently about uninstalling an instance of SQL screwing something up but I dont know if it applies here. The only errors recorded in the Event Viewer are related to the WUSync Service not finding a SUS Server (this is the now useless Software Update Server service from SUS) but this service has been disabled on each server with no ill effect on any.
What am i missing?
Again, 2 computers checked in successfully, but I'm missing a good 30 computers. About 5% of the PCs may be cloned and I know about the SUS IDs causing issues, but the rest should be checking in. I think I read something recently about uninstalling an instance of SQL screwing something up but I dont know if it applies here. The only errors recorded in the Event Viewer are related to the WUSync Service not finding a SUS Server (this is the now useless Software Update Server service from SUS) but this service has been disabled on each server with no ill effect on any.
What am i missing?
Mohammed Hamada
Can you post the event viewer error..!
ASKER
There are no event viewer errors anymore (the logs were cleared) since i stoppped the old SUS sync service. The only items regarding this in the event viewer are Information entries that the WSUS sync starts and completes successfully.
Can you make sure that port 80 is enabled on all of the win2000 computers?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Port 80 is enabled on every wsus server.
Can the remote ping the host at all?
What OS are these machines running?
Any event logged on the remote machines?
What OS are these machines running?
Any event logged on the remote machines?
ASKER
The wsus servers are domain controllers; every client can successfully ping and connect to their prospective wsus server. Each replica is successfully synching with the master every night. These are XP SP2 clients. The client machines have no errors in their event viewers (I have not checked all 30-50 machines, but the users I have tapped into remotely have no errors recorded).
If you provide me with an email address, i can send you over a little tool that acn be used to tell you the settings on these remote PC
I guess the problem here is that the client computers can not apply WSUS group policy to get updates.
Please check the following setting on the client computers:
1. Right click "My Computer" to choose Properties item to open System Properties page.
2. Under "Automatic Updates" tab, please check if you can change automatic updates settings. If yes, that indicates the group policy does not apply to the client computer. If not, indicates the policy has been applied to the client computer. We need check the WSUS server settings to find cause.
Can you first try to see the IP report, Try to type on one of the clients the below command and see if it's pointing to the IP address of the WSUS server's internal NIC for DNS..!!
Start ---> run --> type cmd and enter
type ipconfig /all and enter
Reset your client Configurations... the following link can be helpful..
http://wsus.editme.com/ClientFAQ
Try to rejoin the clients to the Domain ...
1. Quit the workstation from the domain. To do so, see:
Locate in Client Computers in Server Management console and choose the computer has in right panel. Click Remove from network link to delete the computer from domain.
2. Setup the client computer by running "Setup Client Computer" wizard to setup computer account.
3. In the client computer, try to join it to domain by running http://servername/connectcomputer. And assign the appropriate user accounts to the computer.
Run command "gpupdate /force" Without quotation marks to update group policy.
Logoff then logon the computer with domain user account to see if the group policy has been applied.
Check these links for Wsus AU Settings
http://www.microsoft.com/technet/community/columns/sectip/st0506.mspx
http://groups.google.com.ly/group/microsoft.public.windows.server.update_services/browse_thread/thread/a27906c8dd33f50d/7d73a6f85a3337db?lnk=st&q=client+not+check+in+with+wsus+server&rnum=5&hl=en#7d73a6f85a3337db
the above link contains a diagnostic link for the WSUS..
Hope this helps..
Please check the following setting on the client computers:
1. Right click "My Computer" to choose Properties item to open System Properties page.
2. Under "Automatic Updates" tab, please check if you can change automatic updates settings. If yes, that indicates the group policy does not apply to the client computer. If not, indicates the policy has been applied to the client computer. We need check the WSUS server settings to find cause.
Can you first try to see the IP report, Try to type on one of the clients the below command and see if it's pointing to the IP address of the WSUS server's internal NIC for DNS..!!
Start ---> run --> type cmd and enter
type ipconfig /all and enter
Reset your client Configurations... the following link can be helpful..
http://wsus.editme.com/ClientFAQ
Try to rejoin the clients to the Domain ...
1. Quit the workstation from the domain. To do so, see:
Locate in Client Computers in Server Management console and choose the computer has in right panel. Click Remove from network link to delete the computer from domain.
2. Setup the client computer by running "Setup Client Computer" wizard to setup computer account.
3. In the client computer, try to join it to domain by running http://servername/connectcomputer. And assign the appropriate user accounts to the computer.
Run command "gpupdate /force" Without quotation marks to update group policy.
Logoff then logon the computer with domain user account to see if the group policy has been applied.
Check these links for Wsus AU Settings
http://www.microsoft.com/technet/community/columns/sectip/st0506.mspx
http://groups.google.com.ly/group/microsoft.public.windows.server.update_services/browse_thread/thread/a27906c8dd33f50d/7d73a6f85a3337db?lnk=st&q=client+not+check+in+with+wsus+server&rnum=5&hl=en#7d73a6f85a3337db
the above link contains a diagnostic link for the WSUS..
Hope this helps..
ASKER
The clients are all getting the GPO and they are absolutely seeing the DCs. Disjoining the domain is not an option.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I sent you my email address at your posted AOL acct. Thanks.
ASKER
The app never made it to me.
ASKER
Microsoft just releasd sp1 for wsus that supposedly fixes this issue. Im giving it a shot tonight..
http://support.microsoft.com/?scid=kb;en-us;919004&spid=2097&sid=global
http://support.microsoft.com/?scid=kb;en-us;919004&spid=2097&sid=global
ASKER
I ran the client diagnostic tool and the clients are aimed at the old sus server even though the gpo is being applied and the new server is in the gpo. How do i refresh or clear that cached setting from the clients so they can rediscover the new wsus server?
Goto Start --> run --> cmd and enter
Gpupdate /force
Gpupdate /force
ASKER
unfortunately that command only works for win2003; what I did find however is that for some reason, there was a replication issue and my gpo did not make it across; the settings were grayed out because they were still under a gpo that pointed them to a now non-wsus server. That was resolved today and immediately the missing clients started checking in with WSUS.
Thanks for the help, but the Microsoft WSUS Client Diagnostic Tool was the key: http://www.microsoft.com/windowsserversystem/updateservices/downloads/default.mspx
Thanks for the help, but the Microsoft WSUS Client Diagnostic Tool was the key: http://www.microsoft.com/windowsserversystem/updateservices/downloads/default.mspx
Good Job bklyngy, Now you can close the question by awarding points to the helpful comment/expert or/and refund points by directing this Q's link to community support with a new question asking for refund.
Regards.
Regards.