Pugglewuggle

WSUS permissions/403/IIS error

I just installed WSUS (Windows Server Update Services) 3.0 on our Windows Server 2003 Standard R2 machine (x86) and performed the initial sync. I then tried to access the client update site (http://servername/selfupdate) on a client machine and I got a 403 error. After searching the net for 30 minutes and not finding much, I decided to set NTFS permissions to all directories installed into IIS by the WSUS setup to give the IUSER_machinename account read access. This didn't work and I then tried giving the Everyone group read access, but this still didn't work so I tried giving everyone full permissions, which also didn't work. I made sure all necessary ports were open in the firewall (and they were), so I'm completely at a loss as to what is going on. I just uninstalled WSUS and reinstalled it so I would have a fresh start. The machine is also a DC using AD, but I don't think that has anything to do with this since I'm trying to use the IIS site.

Please help!
Bastiaan

403 is indeed an access denied because of rights. Take a look at http://support.microsoft.com/kb/920654 for a known issue about this.
Pugglewuggle

ASKER

That didn't work. I had already tried that but I tried it again anyway. I still get the 403. Nothing has changed.

You can't attach to that site directly.

What are you trying to do?

After installing WSUS, you simply have to create and link a GPO high enough in the AD tree to collect all your workstations that sets the following:

Computer Config>Admin Templates>Windows Components>Windows Update

Configure Automatic Updates = Enabled
     Choose Option 4
     Choose Option 0 for Everyday
     Pick the time option that suits you.

Specify intranet Microsoft update service location = Enabled
     Enter your server (http://servername) in both boxes for Update server and reporting server.

Automatic Updates detection frequency = Enabled.
    Leave it at 22 hours.

You can Enable and set any other options there that might appeal to you also.

If Windows Update isn't under the location above, then it will be necessary to add a Template by right-clicking the Administrative Templates container and selecting Add New Template. Click the Add button and scroll down until you find the Windows Update template - select it and close out. You should now have the options available.

Once you set your schedule, enable the update client and point it to your server then the client-side agent will do the rest. To force a quicker scan simply type (at the client from a CMD window) wuauclt /detectnow. If all is working properly then your client should show up in the WSUS console shortly and start looking for updates.

kamalgopi

Maybe you can check your server to see if those computers are detected by the WSUS server. If listed, then you need to go to the client PC and then go to the windowsupdate.log, which is located in c:/windows, and see what error is listed there. Or you might look at the event viewer to see the errors.

Hope this helps
Cheers:)
Kamal

Oh..... I see... You are talking about using WSUS in an AD environment where clients are our workstations. What this server is actually intended for is to distribute updates in a mass deployment environment where client PCs are not members of our AD domain and will be distributed to our customers. We manufacture PCs and read in the Windows OPK that we could integrate WSUS into our production environment. We have been using bat scripts to deploy updates until now and wish to move forward a step. Do you have any idea how to go about doing this?
ASKER CERTIFIED SOLUTION
Netman66

We are, but MS releases so many updates that we would have to rebuild our images every two weeks and you know how much trouble that can be with over 20 production images. We can do this fine with Vista's WIM format, but for XP (which business customers still love) we have to use a different imaging solution. Also, some of the updates on Windows Update cannot be found on their website (or at least the correct version) since they have a tendency to name 15 different updates or a series of updates under the same KB. Heck, some can't even be found on the Windows Update site for admins! The bottom line is that even if we integrate all of the updates we can get, there are still a few (i.e., 5 or 6) that are only available on Windows Update and that can only be downloaded and installed once the customer activates and validates their PC (or unless we do so for them in the factory, which just happens to violate the EULA we accept as a system builder).

Do you know of another way to do this other than editing the registry? This is almost as time consuming as running WU. If there are no other options, can write up a script to do this automatically.

The .REG files are a script of sorts.

Once you have the original value in a REG file it's a matter of double clicking my file to make them clients, when finished double click yours - it's really that simple.

The only other way is to use a GPO - which means the image must be a domain-joined pc.  I can't see this being necessary when you only need to run 2 reg files for this to work, then be removed.

Honestly, I would slipstream as much as you can - since SP2 there have been over 100 patches.  It's still time consuming with WSUS so you want to try to cut down that time as much as possible.

Yes, I suppose you're right about the two clicks.

We do and have slipstreamed all of them we can get... I guess we'll then use WSUS for the ones we can't get any other way.

Thank you for your help, netman66.

Is there any way to initiate WSUS server updates from the clients without having to install the admin utility on the clients or being logged into the server and use the admin snap in?

Yes, after running the Reg file it should happen fairly quickly on its own, but you can speed it up a little by running this from a CMD prompt or Run box on the client:

wuauclt /detectnow

This tells the client-side agent to look now.

Okay, just one question though --

I thought that the wuauclt /detectnow was for use on the server to detect new clients once the GPO has been defined. Does the wuauclt /detectnow function act differently on the client and server or was that just a typo?

That command is for the Windows Update agent. It exists on both server and workstation, but unless your server is taking updates from your server it won't produce any visible results.

The client must initiate the connection and subsequent scan to detect what is missing.  The server plays a fairly passive role with respect to the client.
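
The GPO settings listed earlier in the thread, written as the Windows Update policy registry values they set, for non-domain machines like the factory builds discussed above. This is an added example, not code from the thread or from the members-only solution; the script name, backup path and 03:00 install time are assumptions, and http://servername is the placeholder used in the thread.

```bat
@echo off
rem Added example (not from the thread). Usage: wsus-client.cmd apply ^| remove
rem Assumed: script name, backup path, 03:00 install time. Run as Administrator.
setlocal
set "WSUS=http://servername"
set "WU=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
set "BACKUP=%SystemDrive%\wu-policy-original.reg"

if /i "%~1"=="apply"  goto apply
if /i "%~1"=="remove" goto remove
echo Usage: %~nx0 apply ^| remove
exit /b 2

:apply
rem Save the image's original policy (if any) once, so "remove" can restore it.
if not exist "%BACKUP%" reg export "%WU%" "%BACKUP%" >nul 2>&1
rem Specify intranet Microsoft update service location (both boxes).
reg add "%WU%" /v WUServer /t REG_SZ /d "%WSUS%" /f
reg add "%WU%" /v WUStatusServer /t REG_SZ /d "%WSUS%" /f
reg add "%WU%\AU" /v UseWUServer /t REG_DWORD /d 1 /f
rem Configure Automatic Updates: option 4, day 0 (every day), 03:00.
reg add "%WU%\AU" /v NoAutoUpdate /t REG_DWORD /d 0 /f
reg add "%WU%\AU" /v AUOptions /t REG_DWORD /d 4 /f
reg add "%WU%\AU" /v ScheduledInstallDay /t REG_DWORD /d 0 /f
reg add "%WU%\AU" /v ScheduledInstallTime /t REG_DWORD /d 3 /f
rem Automatic Updates detection frequency: 22 hours.
reg add "%WU%\AU" /v DetectionFrequencyEnabled /t REG_DWORD /d 1 /f
reg add "%WU%\AU" /v DetectionFrequency /t REG_DWORD /d 22 /f
rem Restart the agent so it reads the new policy, then scan immediately.
net stop wuauserv
net start wuauserv
wuauclt /detectnow
exit /b 0

:remove
rem Drop the factory policy, then put back whatever was there before.
reg delete "%WU%" /f >nul 2>&1
if exist "%BACKUP%" (reg import "%BACKUP%" & del "%BACKUP%")
net stop wuauserv
net start wuauserv
rem Fail loudly if the image would still ship pointing at an intranet server.
reg query "%WU%" /v WUServer >nul 2>&1
if not errorlevel 1 (
  echo WARNING: WUServer is still set under %WU%
  exit /b 1
)
echo Windows Update policy removed.
exit /b 0
```

Run the remove step before the image is sealed: a machine that ships with WUServer still set keeps looking for the factory server and never reaches Windows Update.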