jonmori

WSUS Server not pushing updates.

Morning All,

I've got WSUS installed on a Windows Server 2003 Standard.  This server is a member server machine.  Our Domain Controller is a 2000 Server.  

I have linked a GPO to an OU containing only 4 machines to test the update process before I open it up to the whole domain.  

Upon reviewing the WSUSAdmin page the WSUS server sees all 4 machines, knows what updates all 4 machines need.  But will not update them.  The GPO settings are for installation of updates automatically.  

In the event log for the WSUS Server I see the following
1053 - Userenv - Cannot determine user or computer name
1030 - Userenv - Windows can't query the list of GPO's.  - This one occurs every time I reboot the machine.  
364 - Synchronization - This isn't going to happen because this server resides on a network that has no internet connectivity.  I don't know why this one showed up either as I have synchronization set to manual anyway.  

Thanks in advance for any help you can provide.  

TheCleaner

From here: http://www.eventid.net/display.asp?eventid=1053&eventno=1584&source=Userenv&phase=1
-------------------------------------
In our case, an apparently corrupt OU caused the servers in it to create the event ID 1000 (Userenv) with message: "Windows cannot determine the user or computer name. Return value (1317)", on Windows 2000 servers, and event ID 1053 (Userenv) with message "Windows cannot determine the user or computer name. (The specified user does not exist). Group Policy processing aborted", on Windows 2003 servers. In each case, the event appeared every 60 to 120 minutes (the machine’s policy update interval). Moving the servers back to “Computers” stopped the event. The OU looked and behaved normal otherwise. Deleting and creating the OU again (even with the same name) solved the problem.
--------------------------------------

That "could" be the issues with the Userenv errors.  All of the errors you are listing don't necessarily mean anything to WSUS...they are more along general errors for the server itself.  Is the server actually on the network ok (communicating with the DC, other servers, etc.)?



As far as actually updating the clients with the WSUS updates...see here first and confirm that all is set correctly: http://technet2.microsoft.com/WindowsServer/en/library/51c8a814-6665-4d50-a0d8-2ae27e69ca7c1033.mspx?mfr=true

Can you explain/elaborate on the GPO settings you have set?
Oops...forgot...also on the WSUS server have you actually approved the updates for install and not just "Detect"?
jonmori

ASKER

Thanks for the quick response.  

I stumbled across the above on eventid as well.  I created a second OU with the same GPO linked to it with one of the 4 machines, so far as I can tell the GPO is affecting both OU's the same.  

All updates that I have gone through are approved for Install and show up on the Admin page when I query for Install approval.  

The WSUS server is on the network, has connectivity, can ping all over the place etc (working on it here at my desk until I get it running correctly, then it's off to the server room).  

I followed the linked article in setting up my GPO.  But here are the settings:

The latest administrative WSUS template was loaded from the WSUS Server.  (Done via my locally installed ADUC tool, not on the DC).  
Configure Automatic Updates - Enabled - 4 Auto download and schedule the install.  (Scheduled for 10:00 AM Daily while testing this process)
Specify Intranet Update location - Enabled - http://{WSUS Server name} for both detection and statistics
Client Side Targeting is not configured
Reschedule Automatic Updates - Enabled - 1 minute
No Auto Restart - Enabled
Automatic Updates Detection frequency - Enabled - 22 hours
Allow Automatic Updates Immediate Installation - Enabled
Delay restart for Scheduled Installations - Enabled - 5 minutes
Re-prompt for restart - Enabled - 20 minutes
Receive Update notifications for non-admins - Enabled
Remove access to all windows update features - Enabled

OK, looks good.  Do you also have a setting in the GPO under "Windows Components/Windows Installer" (I think) that says "Always install using elevated privileges"?

I believe that needs to be set if the workstations are to install on their own.

Also, have you done a GPRESULT from the workstation to verify they are getting the GPO settings actually sent to them from the domain controller that you've set up?
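
Added example, not part of the thread: GPRESULT only shows that the GPO was applied, so a second check is to compare the Windows Update policy values on a client with the settings listed above. The sketch parses saved `reg query "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /s` output; the server name `wsus01`, the sample text and the output layout (that of newer `reg.exe` versions) are assumptions.

```python
import re

# Expected values taken from the GPO settings listed in the thread.
# The names are the standard Windows Update policy registry values.
EXPECTED_AU = {
    "UseWUServer": 1,            # "Specify intranet update location" enabled
    "AUOptions": 4,              # 4 = auto download and schedule the install
    "ScheduledInstallDay": 0,    # 0 = every day
    "ScheduledInstallTime": 10,  # 10:00
    "DetectionFrequency": 22,    # hours
}

# Constructed sample of `reg query ... /s` output (hypothetical server name).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
    WUServer    REG_SZ    http://wsus01
    WUStatusServer    REG_SZ    http://wsus01

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
    UseWUServer    REG_DWORD    0x1
    AUOptions    REG_DWORD    0x3
    ScheduledInstallDay    REG_DWORD    0x0
    ScheduledInstallTime    REG_DWORD    0xa
"""

VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

def parse_reg_query(text):
    """Return {value_name: value}; DWORDs become ints, strings stay strings."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue  # key header or blank line
        name, kind, data = m.groups()
        values[name] = int(data, 16) if kind == "REG_DWORD" else data.strip()
    return values

def check_client_policy(text, wsus_url):
    """List mismatches between the applied policy and the GPO in the thread."""
    got = parse_reg_query(text)
    problems = []
    for name in ("WUServer", "WUStatusServer"):
        if got.get(name, "").rstrip("/").lower() != wsus_url.rstrip("/").lower():
            problems.append(f"{name}: expected {wsus_url}, got {got.get(name)}")
    for name, want in EXPECTED_AU.items():
        if got.get(name) != want:
            problems.append(f"{name}: expected {want}, got {got.get(name)}")
    return problems
```

On the constructed sample, `check_client_policy(SAMPLE, "http://wsus01")` reports the `AUOptions` mismatch and the missing `DetectionFrequency` value.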

jonmori

ASKER

Let's see

For the WSUS GPO I have (now) enabled the "Always install using elevated privileges" setting for the Computer Configuration section.  I left the User Configuration section alone.  

When I run a GPRESULT from a workstation in the OU I see the WSUS GPO listed under the Computer received "Registry" settings from these GPO's

OK...so since you have updates set for 10am daily, it's hard to test in the afternoon...lol.  Maybe you should set your test GPO up for "install immediately" and then run a gpupdate /force from a test workstation after about 15 minutes and see if it gets the WSUS updates.
Also, I should've asked before, but I'm assuming that Automatic Updates service is running on the workstations?

jonmori

ASKER

Alright,

I have verified that the Automatic Updates service is running on all workstations.  I turned BITS on as well, but I don't know if that's necessary for this version of WSUS or not until the next one.  

Unfortunately I don't see any install immediately option, these are 2000 clients I'm dealing with here.  If only we could get to XP soon...

Thanks!

The workstations are 2000?

What about the LAN?  Is there a firewall in the mix anywhere between clients and WSUS server?

Have you run the client diagnostics tool for WSUS on one of the clients?  http://www.microsoft.com/windowsserversystem/updateservices/downloads/default.mspx

jonmori

ASKER

Alright,

I had a busy morning with meetings so now I can get back to the real work.  

I downloaded the diagnostic tools for both the server and client.  I also downloaded and installed the BITS 2.0 Client and installed it on one of the test machines.  

After installing the new BITS 2.0 I installed and ran the Client Diagnostic utility on this machine.  Everything comes up PASS where configured; since we don't have any proxy servers anywhere along the line, all those tests were skipped.

All these machines are in the same room so no firewalls or anything between here and there.  

So everything came up pass but you still don't get the updates themselves?  What about on the server...if you go into the admin tool, under the computer tab, and then choose a computer...does it show that it tried to push the updates to the computer?

Are you using the default ports of 80 and 8530?  Any virus scanning program or IPSEC policies that block 8530 outbound from the workstations perhaps?

jonmori

ASKER

Here's where I'm at now.  

When I look at a given machine in the WSUSAdmin page I can see what updates are installed or needed.  I can also see that there was a status report from each machine within the last 24 hours.  What I can't see is when an update that shows as installed in WSUSAdmin was installed.  

As for the TCP/IP stuff I did not change any configuration ports.  No IPSEC policies in place that would block 8530 as far as I know.  

I reviewed all approved updates and these had no deadline assigned previously.  I'm wondering if WSUS was just taking its time in deploying approved updates?  I've since assigned a 2 PM deadline for tomorrow for all of these approved updates.  

I'll keep you posted.  

Thanks again for your help!

One thing is to make sure that they are approved for install in the "Unassigned Computers" group, just in case.

If all else fails, you can always uninstall WSUS and reinstall and start over...sucks but I've done it a few times myself during setup.

jonmori

ASKER

Believe me the thought of nuking and starting over is starting to become pretty appealing in this case.  

All the updates are approved for install for computers in the "Unassigned Computers" group.  

If nothing happens this afternoon or over the weekend I think I'll be taking that approach first thing Monday Morning.  

jonmori

ASKER

Well, I left everything be over the long weekend.  

However, not everything is up to date.  Even after I set a deadline for these updates.  The Status of Downloads did creep up from about 160 to 174 or so out of 5GB though.  How long should it take for the WSUS server to push out the updates to client machines?  Why is it that the status of downloads creeps up so slowly?  

I'm taking the Exchange Server 2003 Bootcamp for the rest of the week, so no work.  But I'll have access to the Internet and plenty of time to debate the nuke & start over option.  

Thanks!

ASKER CERTIFIED SOLUTION
TheCleaner