Solved

WSUS Server not pushing updates.

Posted on 2006-11-20
Last Modified: 2008-02-01
Morning All,

I've got WSUS installed on a Windows Server 2003 Standard.  This server is a member server machine.  Our Domain Controller is a 2000 Server.  

I have linked a GPO to an OU containing only 4 machines to test the update process before I open it up to the whole domain.  

Upon reviewing the WSUSAdmin page the WSUS server sees all 4 machines, knows what updates all 4 machines need.  But will not update them.  The GPO settings are for installation of updates automatically.  

In the event log for the WSUS Server I see the following
1053 - Userenv - Cannot determine user or computer name
1030 - Userenv - Windows can't query the list of GPO's.  - This one occurs every time I reboot the machine.  
364 - Synchronization - This isn't going to happen because this server resides on a network that has no internet connectivity.  I don't know why this one showed up either as I have synchronization set to manual anyway.  

Thanks in advance for any help you can provide.  
Question by:jonmori
19 Comments
 
LVL 23

Expert Comment

by:TheCleaner
ID: 17979511
From here: http://www.eventid.net/display.asp?eventid=1053&eventno=1584&source=Userenv&phase=1
-------------------------------------
In our case, an apparently corrupt OU caused the servers in it to create the event ID 1000 (Userenv) with message: "Windows cannot determine the user or computer name. Return value (1317)", on Windows 2000 servers, and event ID 1053 (Userenv) with message "Windows cannot determine the user or computer name. (The specified user does not exist). Group Policy processing aborted", on Windows 2003 servers. In each case, the event appeared every 60 to 120 minutes (the machine’s policy update interval). Moving the servers back to “Computers” stopped the event. The OU looked and behaved normal otherwise. Deleting and creating the OU again (even with the same name) solved the problem.
--------------------------------------

That "could" be the issues with the Userenv errors.  All of the errors you are listing don't necessarily mean anything to WSUS...they are more along general errors for the server itself.  Is the server actually on the network ok (communicating with the DC, other servers, etc.)?



As far as actually updating the clients with the WSUS updates...see here first and confirm that all is set correctly: http://technet2.microsoft.com/WindowsServer/en/library/51c8a814-6665-4d50-a0d8-2ae27e69ca7c1033.mspx?mfr=true

Can you explain/elaborate on the GPO settings you have set?
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 17979516
Oops...forgot...also on the WSUS server have you actually approved the updates for install and not just "Detect"?
0
 

Author Comment

by:jonmori
ID: 17979714
Thanks for the quick response.  

I stumbled across the above on eventid as well.  I created a second OU with the same GPO linked to it with one of the 4 machines, so far as I can tell the GPO is affecting both OU's the same.  

All updates that I have gone through are approved for Install and show up on the Admin page when I query for Install approval.  

The WSUS server is on the network, has connectivity, can ping all over the place etc (working on it here at my desk until I get it running correctly, then it's off to the server room).  

I followed the linked article in setting up my GPO.  But here are the settings:

The latest administrative WSUS template was loaded from the WSUS Server.  (Done via my locally installed ADUC tool, not on the DC).  
Configure Automatic Updates - Enabled - 4 Auto download and schedule the install.  (Scheduled for 10:00 AM Daily while testing this process)
Specify Intranet Update location - Enabled - http://{WSUS Server name} for both detection and statistics
Client Side Targeting is not configured
Reschedule Automatic Updates - Enabled - 1 minute
No Auto Restart - Enabled
Automatic Updates Detection frequency - Enabled - 22 hours
Allow Automatic Updates Immediate Installation - Enabled
Delay restart for Scheduled Installations - Enabled - 5 minutes
Re-prompt for restart - Enabled - 20 minutes
Receive Update notifications for non-admins - Enabled
Remove access to all windows update features - Enabled
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 17981562
OK, looks good.  Do you also have a setting in the GPO under "Windows Components/Windows Installer" (I think) that says "Always install using elevated privileges"?

I believe that needs to be set if the workstations are to install on their own.

Also, have you done a GPRESULT from the workstation to verify they are getting the GPO settings actually sent to them from the domain controller that you've set up?
0
 

Author Comment

by:jonmori
ID: 17981700
Let's see

For the WSUS GPO I have (now) enabled the "Always install using elevated privileges" setting for the Computer Configuration section.  I left the User Configuration section alone.  

When I run a GPRESULT from a workstation in the OU I see the WSUS GPO listed under the Computer received "Registry" settings from these GPO's
0
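The GPO settings listed earlier in the thread reach a client as registry values under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`, so reading them on the client shows what GPRESULT only summarizes. The script below is an added example, not code from the thread: it compares those values with the posted settings and reports `AlwaysInstallElevated`, which lets any user run MSI installs with elevated rights once it is set in both the machine and user hives. Assumptions: PowerShell 3.0 or later on the client being checked, and `http://wsus01` as a placeholder for `http://{WSUS Server name}`.

```powershell
# Added example (not from the thread): compare this client's Windows Update
# policy values with the GPO settings listed in the thread.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"
$wsusUrl = 'http://wsus01'   # placeholder for http://{WSUS Server name}

# Registry value that each posted GPO setting is expected to write.
$expected = @(
    @{ Path = $wu; Name = 'WUServer';                      Want = $wsusUrl }
    @{ Path = $wu; Name = 'WUStatusServer';                Want = $wsusUrl }
    @{ Path = $wu; Name = 'ElevateNonAdmins';              Want = 1 }
    @{ Path = $au; Name = 'UseWUServer';                   Want = 1 }
    @{ Path = $au; Name = 'AUOptions';                     Want = 4 }   # download and schedule
    @{ Path = $au; Name = 'ScheduledInstallDay';           Want = 0 }   # 0 = every day
    @{ Path = $au; Name = 'ScheduledInstallTime';          Want = 10 }  # 10:00
    @{ Path = $au; Name = 'RescheduleWaitTime';            Want = 1 }   # minutes
    @{ Path = $au; Name = 'NoAutoRebootWithLoggedOnUsers'; Want = 1 }
    @{ Path = $au; Name = 'DetectionFrequency';            Want = 22 }  # hours
    @{ Path = $au; Name = 'AutoInstallMinorUpdates';       Want = 1 }
    @{ Path = $au; Name = 'RebootWarningTimeout';          Want = 5 }   # minutes
    @{ Path = $au; Name = 'RebootRelaunchTimeout';         Want = 20 }  # minutes
)

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy not applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$report = foreach ($e in $expected) {
    $actual = Get-PolicyValue $e.Path $e.Name
    [pscustomobject]@{
        Name   = $e.Name
        Want   = $e.Want
        Actual = if ($null -eq $actual) { '<missing>' } else { $actual }
        Match  = ($null -ne $actual) -and ("$actual" -eq "$($e.Want)")
    }
}
$report | Format-Table -AutoSize

# AlwaysInstallElevated only takes effect when it is 1 in BOTH hives;
# HKCU here is the hive of the user running the script.
$msi  = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
$hklm = Get-PolicyValue "HKLM:\$msi" 'AlwaysInstallElevated'
$hkcu = Get-PolicyValue "HKCU:\$msi" 'AlwaysInstallElevated'
"AlwaysInstallElevated HKLM=$hklm HKCU=$hkcu effective=$(($hklm -eq 1) -and ($hkcu -eq 1))"
```

A row showing `<missing>` means the policy value never reached the client, which points at Group Policy processing rather than at WSUS itself.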
 
LVL 23

Expert Comment

by:TheCleaner
ID: 17981977
OK...so since you have updates set for 10am daily, it's hard to test in the afternoon...lol.  Maybe you should set your test GPO up for "install immediately" and then run a gpupdate /force from a test workstation after about 15 minutes and see if it gets the WSUS updates.
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 17981979
Also, I should've asked before, but I'm assuming that Automatic Updates service is running on the workstations?
0
 

Author Comment

by:jonmori
ID: 17982320
Alright,

I have verified that the Automatic Updates service is running on all workstations.  I turned BITS on as well, but I don't know if that's necessary for this version of WSUS or not until the next one.  

Unfortunately I don't see any install immediately option, these are 2000 clients I'm dealing with here.  If only we could get to XP soon...

Thanks!
0

 
LVL 23

Expert Comment

by:TheCleaner
ID: 17983287
The workstations are 2000?

What about the LAN?  Is there a firewall in the mix anywhere between clients and WSUS server?

Have you run the client diagnostics tool for WSUS on one of the clients?  http://www.microsoft.com/windowsserversystem/updateservices/downloads/default.mspx

0
 

Author Comment

by:jonmori
ID: 17988901
Alright,

I had a busy morning with meetings so now I can get back to the real work.  

I downloaded the diagnostic tools for both the server and client.  I also downloaded and installed the BITS 2.0 Client and installed it on one of the test machines.  

After installing the new BITS 2.0 I installed and ran the Client Diagnostic utility on this machine.  Everything comes up PASS where configured; since we don't have any proxy servers anywhere along the line, all those tests were skipped.

All these machines are in the same room so no firewalls or anything between here and there.  
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 17989018
So everything came up pass but you still don't get the updates themselves?  What about on the server...if you go into the admin tool, under the computer tab, and then choose a computer...does it show that it tried to push the updates to the computer?

Are you using the default ports of 80 and 8530?  Any virus scanning program or IPSEC policies that block 8530 outbound from the workstations perhaps?
0
 

Author Comment

by:jonmori
ID: 17990688
Here's where I'm at now.  

When I look at a given machine in the WSUSAdmin page I can see what updates are installed or needed.  I can also see that there was a status report from each machine within the last 24 hours.  What I can't see is when an update that shows as installed in WSUSAdmin was installed.  

As for the TCP/IP stuff I did not change any configuration ports.  No IPSEC policies in place that would block 8530 as far as I know.  

I reviewed all approved updates and these had no deadline assigned previously.  I'm wondering if WSUS was just taking its time in deploying approved updates?  I've since assigned a 2 PM deadline for tomorrow for all of these approved updates.  

I'll keep you posted.  

Thanks again for your help!
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 17991671
One thing is to make sure that they are approved for install in the "Unassigned Computers" group, just in case.

If all else fails, you can always uninstall WSUS and reinstall and start over...sucks but I've done it a few times myself during setup.
0
 

Author Comment

by:jonmori
ID: 17995277
Believe me the thought of nuking and starting over is starting to become pretty appealing in this case.  

All the updates are approved for install for computers in the "Unassigned Computers" group.  

If nothing happens this afternoon or over the weekend I think I'll be taking that approach first thing Monday Morning.  
0
 

Author Comment

by:jonmori
ID: 18020535
Well, I left everything be over the long weekend.  

However, not everything is up to date.  Even after I set a deadline for these updates.  The Status of Downloads did creep up from about 160 to 174 or so out of 5GB though.  How long should it take for the WSUS server to push out the updates to client machines?  Why is it that the status of downloads creeps up so slowly?  

I'm taking the Exchange Server 2003 Bootcamp for the rest of the week, so no work.  But I'll have access to the Internet and plenty of time to debate the nuke & start over option.  

Thanks!
0
 
LVL 23

Accepted Solution

by:TheCleaner (earned 500 total points)
ID: 18027909
Well, not sure what your download rate is, but it shouldn't take very long to update 5GB of updates on the WSUS server.

As far as "how long to push out the updates", that I'm not positive of...I can say that from the event logs it seems like a standard weekly push of 3-4 updates tends to only take a few minutes tops.

I'm thinking you may need to start from scratch.  Maybe something isn't quite right or something.
0
