TSI-WLV

WSUS client questions

We have WSUS running on Windows 2000 Server with 2000 Pro and XP Pro clients.

On a couple of the 2000 clients there are no settings in the registry relating to using WSUS. Normally there are 2 settings I look for:

Under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate there are 2 keys for WUServer and WUStatusServer

and

Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate there are 2 keys for AccountDomainSid and SusClient Id

These 2 computers don't have the WindowsUpdate folders from either registry location.


My second question is that there are a couple of the XP clients that will download the updates but not install them unless it's done manually. I am using Group Policy on the DC to have it download and install the updates automatically.
trippleO7

For the Registry question.  Are those 2000 clients reporting to the WSUS server?  Are they cloned PCs?  Imaged without Sysprep?

On those XP machines, depends on your GP Settings, etc, but generally, if the users are administrators of those computers, they get prompted to install the updates rather than it being done in the background.  Can you verify what permissions those users have?

Also, could you post what your GPO looks like for the Windows update section?
meant which GPO settings do you have applied, etc...
TSI-WLV

ASKER

They are not reporting to the WSUS server. They most likely are cloned and Sysprep was not used. What I've been doing is checking those registry settings on the cloned computers and making sure that they are pointing to the WSUS server and then deleting the AccountDomainSid and SusClient Id and having it recreated using a script I got from someone else. It's worked fine on the other cloned computers but they had the registry settings to begin with and these 2 don't.

For the XP machines one has local admin (mine) and that's why I figured it was prompting me but I just found out another one does it too. His account is a Power User.

For the GPO settings, they are set on the DC and point to our WSUS server and have it set to automatically download and install updates daily. Any settings in particular you want to know about?
That was the main setting I was concerned about.  But would like to see the other settings as well to determine the issue with the power user.  Are you using GPMC to manage the settings?  If so, highlight your GPO, click the settings tab, then copy and paste the "Windows Components/Windows Update" section.



On those win2000 clients, what Service Pack is on them?

Also, download the client diagnostic tool and run it on the problem workstations:

http://www.microsoft.com/windowsserversystem/updateservices/downloads/default.mspx
 
answers to your questions:

make sure the windows 2000 clients have the latest service pack installed, also make sure that windows xp clients have sp1 installed - this should fix both your problems...
TSI-WLV

ASKER

I installed the GPMC and here is the section for WSUS

Windows Components/Windows Update

Policy                                                          Setting
Allow non-administrators to receive update notifications        Enabled
Automatic Updates detection frequency                           Enabled
    Check for updates at the following interval (hours):        22

Policy                                                          Setting
Configure Automatic Updates                                     Enabled
    Configure automatic updating:                               4 - Auto download and schedule the install
    The following settings are only required and applicable if 4 is selected.
    Scheduled install day:                                      0 - Every day
    Scheduled install time:                                     09:00

Policy                                                          Setting
No auto-restart for scheduled Automatic Updates installations   Enabled
Specify intranet Microsoft update service location              Enabled
    Set the intranet update service for detecting updates:      http://qdc1
    Set the intranet statistics server:                         http://qdc1
    (example: http://IntranetUpd01)

The 2000 Clients have SP4.

I can't run the tool until they are off of the computers and I don't know when that will be.
ASKER CERTIFIED SOLUTION
trippleO7

This solution is only available to members.

To make the 2000 box receive and install the updates make sure they have the latest service pack..
trippleO7 is on track with NewSID tool. Any time you duplicate a system drive (unless it was prepared with sysprep) I would run NewSID. This will save you many headaches down the road.
TSI-WLV

ASKER

The 2000 and XP clients have the latest service packs.

Are you sure the NewSid will do the trick if there is no area for the SID to be there in the first place? Normally I would run my script that would delete and recreate the SID and restart the update service etc but there is no section in the registry for this information to go. Therefore there is no old SID info.
You were trying to delete and update the SID in the Windows update part of the registry....this is for Security and SAM accounts, which in turn, will uniquely identify those computers so communication between them and the WSUS server can occur.


From http://www.microsoft.com/technet/sysinternals/Utilities/NewSid.mspx:

How it Works
NewSID starts by reading the existing computer SID. A computer's SID is stored in the Registry's SECURITY hive under SECURITY\SAM\Domains\Account. This key has a value named F and a value named V. The V value is a binary value that has the computer SID embedded within it at the end of its data. NewSID ensures that this SID is in a standard format (3 32-bit subauthorities preceded by three 32-bit authority fields).

Next, NewSID generates a new random SID for the computer. NewSID's generation takes great pains to create a truly random 96-bit value, which replaces the 96-bits of the 3 subauthority values that make up a computer SID.

Three phases to the computer SID replacement follow. In the first phase, the SECURITY and SAM Registry hives are scanned for occurrences of the old computer SID in key values, as well as the names of the keys. When the SID is found in a value it is replaced with the new computer SID, and when the SID is found in a name, the key and its subkeys are copied to a new subkey that has the same name except with the new SID replacing the old.

The final two phases involve updating security descriptors. Registry keys and NTFS files have security associated with them. Security descriptors consist of an entry that identifies which account owns the resource, which group is the primary group owner, an optional list of entries that specify actions permitted by users or groups (known as the Discretionary Access Control List - DACL), and an optional list of entries that specify which actions performed by certain users or groups will generate entries in the system Event Log (System Access Control List - SACL). A user or a group is identified in these security descriptors with their SIDs, and as I stated earlier, local user accounts (other than the built-in accounts such as Administrator, Guest, and so on) have their SIDs made up of the computer SID plus a RID.

The first part of security descriptor updates occurs on all NTFS file system files on the computer. Every security descriptor is scanned for occurrences of the computer SID. When NewSID finds one, it replaces it with the new computer SID.

The second part of security descriptor updates is performed on the Registry. First, NewSID must make sure that it scans all hives, not just those that are loaded. Every user account has a Registry hive that is loaded as HKEY_CURRENT_USER when the user is logged in, but remains on disk in the user's profile directory when they are not. NewSID identifies the locations of all user hive locations by enumerating the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList key, which points at the directories in which they are stored. It then loads them into the Registry using RegLoadKey under HKEY_LOCAL_MACHINE and scans the entire Registry, examining each security descriptor in search of the old computer SID. Updates are performed the same as for files, and when it's done NewSID unloads the user hives it loaded. As a final step NewSID scans the HKEY_USERS key, which contains the hive of the currently logged-in user as well as the .Default hive. This is necessary because a hive can't be loaded twice, so the logged-in user hive won't be loaded into HKEY_LOCAL_MACHINE when NewSID is loading other user hives.

Finally, NewSID must update the ProfileList subkeys to refer to the new account SIDs. This step is necessary to have Windows NT correctly associate profiles with the user accounts after the account SIDs are changed to reflect the new computer SID.

NewSID ensures that it can access and modify every file and Registry key in the system by giving itself the following privileges: System, Backup, Restore and Take Ownership.
TSI-WLV

ASKER

So will this add the Windows Update keys that were missing on these computers?

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate there are 2 keys for WUServer and WUStatusServer

and

Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate there are 2 keys for AccountDomainSid and SusClient Id

SOLUTION
This solution is only available to members.

SOLUTION
This solution is only available to members.

TSI-WLV

ASKER

Ok, I'm going to be able to run all of these checks in a couple of hours so I will report back what I find.
the batch script below is also a combo of registering drivers needed by WSUS. This script also deleted cloned WSUS Sids



rem ***** Fixes problem with client machines not showing up on the server due to imaging method *****

reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f

regsvr32 /s wuapi.dll
regsvr32 /s wups.dll
regsvr32 /s wuaueng.dll
regsvr32 /s wucltui.dll
regsvr32 /s msxml3.dll
regsvr32 /s Mssip32.dll
regsvr32 /s Initpki.dll

rem ***** Stop Automatic Updates and BITS before re-registering their DLLs *****
NET STOP WUAUSERV
NET STOP BITS
regsvr32 /s cdm.dll
regsvr32 /s bitsprx2.dll
regsvr32 /s bitsprx3.dll
regsvr32 /s iuengine.dll
regsvr32 /s qmgr.dll
regsvr32 /s qmgrprxy.dll
regsvr32 /s msxml.dll
regsvr32 /s msxml2.dll
regsvr32 /s msxml3.dll
regsvr32 /s urlmon.dll
regsvr32 /s wuapi.dll
regsvr32 /s wuaueng.dll
regsvr32 /s wuaueng1.dll
regsvr32 /s wuauserv.dll
regsvr32 /s wucltui.dll
regsvr32 /s wups.dll
regsvr32 /s wuweb.dll

NET START BITS
NET START WUAUSERV
regsvr32 /s softpub.dll
regsvr32 /s initpki.dll
regsvr32 /s mssip32.dll
regsvr32 /s wintrust.dll
regsvr32 /s dssenh.dll
regsvr32 /s rsaenh.dll
regsvr32 /s gpkcsp.dll
regsvr32 /s sccbase.dll
regsvr32 /s slbcsp.dll
regsvr32 /s cryptdlg.dll
regsvr32 /s jscript.dll

rem ***** Discard the cached WSUS authorization cookie and start a detection cycle *****
wuauclt /resetauthorization /detectnow
TSI-WLV

ASKER

bigjimbo813, I use that script and may have got it from you to begin with.

------------------------------------------------------------------------------------
Here is the result from the WSUS Client Diagnostics Tool

Checking Machine State
        Checking for admin rights to run tool . . . . . . . . . PASS
        Automatic Updates Service is running. . . . . . . . . . PASS
        Background Intelligent Transfer Service is running. . . PASS
        Wuaueng.dll version 5.8.0.2469. . . . . . . . . . . . . PASS
                This version is WSUS 2.0

Checking AU Settings
        AU Option is 3 : Notify Prior to Install. . . . . . . . PASS
                Option is from Control Panel

Checking Proxy Configuration
        Checking for winhttp local machine Proxy settings . . . PASS
                Winhttp local machine access type
                        <Direct Connection>
                Winhttp local machine Proxy. . . . . . . . . .  NONE
                Winhttp local machine ProxyBypass. . . . . . .  NONE
        Checking User IE Proxy settings . . . . . . . . . . . . PASS
                User IE Proxy. . . . . . . . . . . . . . . . .  NONE
                User IE ProxyByPass. . . . . . . . . . . . . .  NONE
                User IE AutoConfig URL Proxy . . . . . . . . .  NONE
                User IE AutoDetect
                AutoDetect not in use

Checking Connection to WSUS/SUS Server
AU does not have Policy Set
AU does not have Policy Set
        UseWuServer is disabled . . . . . . . . . . . . . . . . FAIL
------------------------------------------------------------------------------

I ran NewSid as well but it didn't help. I did have to rejoin the computer to the domain though which I wasn't expecting!
TSI-WLV

ASKER

Here is the result from gpresult /s before running NewSid

 KeyName:    Software\Policies\Microsoft\SystemCertificates\EFS\Certi
ficates\6F05ECED792553B71EE9D834DBD1D28628773DDC
            ValueName:  Blob
            ValueType:  REG_BINARY
            Value:

                 

            KeyName:    Software\Policies\Microsoft\SystemCertificates\EFS\CRLs
            ValueName:
            ValueType:  REG_NONE
            Value:      This key contains no values

            KeyName:    Software\Policies\Microsoft\SystemCertificates\EFS\CTLs
            ValueName:
            ValueType:  REG_NONE
            Value:      This key contains no values

            KeyName:    Software\Policies\Microsoft\Windows\WindowsUpdate
            ValueName:  ElevateNonAdmins
            ValueType:  REG_DWORD
            Value:      0x00000001

            KeyName:    Software\Policies\Microsoft\Windows\WindowsUpdate
            ValueName:  WUServer
            ValueType:  REG_SZ
            Value:      http://qdc1

            KeyName:    Software\Policies\Microsoft\Windows\WindowsUpdate
            ValueName:  WUStatusServer
            ValueType:  REG_SZ
            Value:      http://qdc1

            KeyName:    Software\Policies\Microsoft\Windows\WindowsUpdate\AU
            ValueName:  NoAutoRebootWithLoggedOnUsers
            ValueType:  REG_DWORD
            Value:      0x00000001

            KeyName:    Software\Policies\Microsoft\Windows\WindowsUpdate\AU
            ValueName:  UseWUServer
            ValueType:  REG_DWORD
            Value:      0x00000001

            KeyName:    Software\Policies\Microsoft\Windows\WindowsUpdate\AU
            ValueName:  DetectionFrequencyEnabled
            ValueType:  REG_DWORD
            Value:      0x00000001

            KeyName:    Software\Policies\Microsoft\Windows\WindowsUpdate\AU
            ValueName:  DetectionFrequency
            ValueType:  REG_DWORD
            Value:      0x00000016

            KeyName:    Software\Policies\Microsoft\Windows\WindowsUpdate\AU
            ValueName:  NoAutoUpdate
            ValueType:  REG_DWORD
            Value:      0x00000000

            KeyName:    Software\Policies\Microsoft\Windows\WindowsUpdate\AU
            ValueName:  AUOptions
            ValueType:  REG_DWORD
            Value:      0x00000004

            KeyName:    Software\Policies\Microsoft\Windows\WindowsUpdate\AU
            ValueName:  ScheduledInstallDay
            ValueType:  REG_DWORD
            Value:      0x00000000

            KeyName:    Software\Policies\Microsoft\Windows\WindowsUpdate\AU
            ValueName:  ScheduledInstallTime
            ValueType:  REG_DWORD
            Value:      0x0000000d


===============================================================
The computer received "Security" settings from these GPOs:

        Local Group Policy
            Revision Number:    7 (Active Directory) 7 (Sysvol)
            Unique Name:        Local Group Policy
            Domain Name:
            Linked to:          Local computer

        Default Domain Policy
            Revision Number:    28 (Active Directory) 28 (Sysvol)
            Unique Name:        {31B2F340-016D-11D2-945F-00C04FB984F9}
            Domain Name:        EFS-NLSC.COM
            Linked to:          Domain (DC=efs-nlsc,DC=com)


        Run the Security Configuration Editor for more information.


===============================================================
The computer received "EFS recovery" settings from these GPOs:

        Local Group Policy
            Revision Number:    7 (Active Directory) 7 (Sysvol)
            Unique Name:        Local Group Policy
            Domain Name:
            Linked to:          Local computer

        Default Domain Policy
            Revision Number:    28 (Active Directory) 28 (Sysvol)
            Unique Name:        {31B2F340-016D-11D2-945F-00C04FB984F9}
            Domain Name:        efs-nlsc.com
            Linked to:          Domain (DC=efs-nlsc,DC=com)


        Additional information is not available for this type of policy setting.
TSI-WLV

ASKER

Here is the result from gpresult /s after NewSid and after forcing a policy update on the DC.

Create global objects


###############################################################

Last time Group Policy was applied: Wednesday, November 29, 2006 at 12:14:43 PM
Group Policy was applied from: qdc1.efs-nlsc.com


===============================================================
The user received "Internet Explorer Branding" settings from these GPOs:

        Default Domain Policy
            Revision Number:    9 (Active Directory) 9 (Sysvol)
            Unique Name:        {31B2F340-016D-11D2-945F-00C04FB984F9}
            Domain Name:        efs-nlsc.com
            Linked to:          Domain (DC=efs-nlsc,DC=com)


        Additional information is not available for this type of policy setting.




###############################################################

  Computer Group Policy results for:



  Domain Name:          EFS-NLSC
  Domain Type:          Windows 2000
  Site Name:            Default-First-Site-Name


  The computer is a member of the following security groups:

        BUILTIN\Administrators
        \Everyone
        NT AUTHORITY\Authenticated Users

###############################################################

Last time Group Policy was applied: Wednesday, November 29, 2006 at 12:04:48 PM
Group Policy was applied from: qdc1.efs-nlsc.com


===============================================================


The computer received "Registry" settings from these GPOs:

        Local Group Policy
            Revision Number:    7 (Active Directory) 7 (Sysvol)
            Unique Name:        Local Group Policy
            Domain Name:
            Linked to:          Local computer




        The following settings were applied from: Local Group Policy

            KeyName:    Software\Policies\Microsoft\SystemCertificates\EFS
            ValueName:  EFSBlob
            ValueType:  REG_BINARY
            Value:



            KeyName:    Software\Policies\Microsoft\SystemCertificates\EFS\Certi
ficates\1B0C91C85D800038B9F6E1301BCDED1096653BF3
            ValueName:  Blob
            ValueType:  REG_BINARY
            Value:



            KeyName:    Software\Policies\Microsoft\SystemCertificates\EFS\CRLs
            ValueName:
            ValueType:  REG_NONE
            Value:      This key contains no values

            KeyName:    Software\Policies\Microsoft\SystemCertificates\EFS\CTLs
            ValueName:
            ValueType:  REG_NONE
            Value:      This key contains no values


===============================================================
The computer received "Security" settings from these GPOs:

        Local Group Policy
            Revision Number:    7 (Active Directory) 7 (Sysvol)
            Unique Name:        Local Group Policy
            Domain Name:
            Linked to:          Local computer


        Run the Security Configuration Editor for more information.


===============================================================
The computer received "EFS recovery" settings from these GPOs:

        Local Group Policy
            Revision Number:    7 (Active Directory) 7 (Sysvol)
            Unique Name:        Local Group Policy
            Domain Name:
            Linked to:          Local computer


        Additional information is not available for this type of policy setting.
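
The difference between the two gpresult listings above (WSUS values delivered before, only Local Group Policy values after) can be checked mechanically. The following is an added example, not part of the original posts: the function names are hypothetical, the expected values are the ones shown in the thread, and both samples are constructed and abridged from the listings.

```python
import re

WU_KEY = r"Software\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = WU_KEY + r"\AU"
FIELD = re.compile(r"^\s*(KeyName|ValueName|ValueType|Value):\s*(.*)$")

def parse_gpresult_registry(text):
    """Map (keyname, valuename), lower-cased, to (ValueType, Value)."""
    settings, rec, last = {}, {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last, val = m.group(1), m.group(2).strip()
            rec = {} if last == "KeyName" else rec  # KeyName starts a new record
            rec[last] = val
            if last == "Value":
                key = (rec.get("KeyName", "").lower(), rec.get("ValueName", "").lower())
                settings[key] = (rec.get("ValueType", ""), val)
        elif line.strip() and last == "KeyName":
            rec["KeyName"] += line.strip()  # console wrapped a long key path
        else:
            last = None
    return settings

def audit_wsus_policy(text, expected_server):
    """Return findings; an empty list means the WSUS policy reached the client."""
    got = parse_gpresult_registry(text)
    server = expected_server.rstrip("/").lower()
    want = [(WU_KEY, "WUServer", server), (WU_KEY, "WUStatusServer", server),
            (AU_KEY, "UseWUServer", 1), (AU_KEY, "AUOptions", 4)]
    findings = []
    for key, name, expected in want:
        entry = got.get((key.lower(), name.lower()))
        if entry is None:
            findings.append(f"{name}: not delivered by policy")
            continue
        actual = int(entry[1], 16) if entry[0] == "REG_DWORD" else entry[1].rstrip("/").lower()
        if actual != expected:
            findings.append(f"{name}: {entry[1]} (expected {expected})")
    return findings

# Constructed samples, abridged from the two gpresult listings in the thread.
BEFORE = r"""
    KeyName:    Software\Policies\Microsoft\Windows\WindowsUpdate
    ValueName:  WUServer
    ValueType:  REG_SZ
    Value:      http://qdc1
    KeyName:    Software\Policies\Microsoft\Windows\WindowsUpdate
    ValueName:  WUStatusServer
    ValueType:  REG_SZ
    Value:      http://qdc1
    KeyName:    Software\Policies\Microsoft\Windows\WindowsUpdate\AU
    ValueName:  UseWUServer
    ValueType:  REG_DWORD
    Value:      0x00000001
    KeyName:    Software\Policies\Microsoft\Windows\WindowsUpdate\AU
    ValueName:  AUOptions
    ValueType:  REG_DWORD
    Value:      0x00000004
"""
AFTER = r"""
    KeyName:    Software\Policies\Microsoft\SystemCertificates\EFS\Certi
ficates\0123456789ABCDEF0123456789ABCDEF01234567
    ValueName:  Blob
    ValueType:  REG_BINARY
    Value:
"""
if __name__ == "__main__":
    print(audit_wsus_policy(BEFORE, "http://qdc1"), audit_wsus_policy(AFTER, "http://qdc1"))
```

The parser rejoins key paths that the console wrapped across two lines, as happens with the EFS certificate key in both listings.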
TSI-WLV

ASKER

For the registry edit from DenisCooper I put the text into a file and saved it with .reg and tried to import it and here is what I got.

Cannot import XXXX.reg -- The specified file is not a registry script. You can only import registry files.

I was hoping this was the thing that would fix it too!

The only thing I changed in the text was the server name. Should I have changed anything else?

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="qdc1"
"WUStatusServer"="qdc1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"RescheduleWaitTime"=dword:00000005
"NoAutoRebootWithLoggedOnUsers"=dword:00000000
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000004
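
Regedit only treats a file as a registry script when its first line is a recognised header, and the policy-delivered WUServer value shown earlier in the thread is a URL (http://qdc1), not a bare host name. The following added example, which is not part of the original post, lints the text above for both points; the function name and the DWORD range table are assumptions made for illustration, and the corrected sample is constructed.

```python
import re

# First-line headers regedit recognises in a .reg file.
REG_HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
AU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
# Assumed valid ranges for the Automatic Updates DWORD values used in the thread.
DWORD_RANGES = {"UseWUServer": (0, 1), "NoAutoUpdate": (0, 1), "AUOptions": (2, 5),
                "ScheduledInstallDay": (0, 7), "ScheduledInstallTime": (0, 23)}

def lint_wsus_reg(text):
    """Return a list of problems found in a WSUS client .reg file."""
    lines = [ln.strip() for ln in text.lstrip("\ufeff").splitlines()]
    problems = []
    if not lines or lines[0] not in REG_HEADERS:
        problems.append("header: first line is not a registry file header")
    section = None
    for ln in lines:
        if ln.startswith("[") and ln.endswith("]"):
            section = ln[1:-1]
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', ln)
        if not m or section is None:
            continue
        name, data = m.groups()
        if name in ("WUServer", "WUStatusServer"):
            url = data.strip('"')
            if not re.match(r"https?://", url, re.IGNORECASE):
                problems.append(f"{name}: '{url}' has no http:// or https:// scheme")
        elif section.lower() == AU_KEY.lower() and name in DWORD_RANGES:
            value = re.fullmatch(r"dword:([0-9a-fA-F]{8})", data)
            lo, hi = DWORD_RANGES[name]
            if not value or not lo <= int(value.group(1), 16) <= hi:
                problems.append(f"{name}: '{data}' is not a dword in {lo}..{hi}")
    return problems

# The text from the post above, unchanged.
AS_POSTED = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="qdc1"
"WUStatusServer"="qdc1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"RescheduleWaitTime"=dword:00000005
"NoAutoRebootWithLoggedOnUsers"=dword:00000000
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000004
"""
# Constructed corrected form: header added, server given as a URL.
CORRECTED = ("Windows Registry Editor Version 5.00\n\n"
             + AS_POSTED.replace('"qdc1"', '"http://qdc1"'))

if __name__ == "__main__":
    for label, sample in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label, lint_wsus_reg(sample) or "no problems found")
```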
TSI-WLV

ASKER

I just looked at my WSUS server and the computer is there! I wonder what happened?
younghv
TSI-WLV,
I believe the technical explanation is "FM".
The "M" stands for magic and you can fill in the rest.

This has been a great string of posts and I've already 'cut and pasted' a bunch of it.

Thanks all.

Vic
Glad it's working,

another good source of information can be obtained from -> c:\windows\WindowsUpdate.log  (hence no space).

Usually that file will contain all the errors which WSUS is experiencing. If you haven't deleted it you could revert to the log times before the system appeared for an explanation.

Vic,

This site is wonderful isn't it?

SOLUTION
This solution is only available to members.

you just need to double click the .reg file, it should put it in itself, don't need to import it through regedit....

glad it's all working for you now...
This is a great site!

TSI-WLV,
Sorry about the re-adding to the Domain. I typically run the tool prior to the machine having been added to a domain and haven't needed to use it in a loooong time but it is a great tool.
Didn't you say there were a couple machines having this problem? Have they both been cleared up? If the other has not, try just removing it from the Domain and re-joining to see if the problem was just GPO application. If not, run NewSid on it as well and see what happens.

Cheers,
Krompton
The simple fix I use is to drop the box into a Workgroup (NO RE-BOOT),
Re-add to the domain (RE-BOOT).
Then run a time synch.

Create a batch command out of the following lines:

cd\
w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time


Vic
Good posts people!  Nice to see it's working for you TSI-WLV.
TSI-WLV

ASKER

Someone moved a bunch of computers around so I will have to find the other one and see what happens.

Thanks for all the ideas and tips and I'll dish out some points when I have a chance to figure out how I'm going to do it!