Solved

WSUS 3 - Clients having problems hitting the URL of WSUS but can ping and telnet to server

Posted on 2007-12-06
Last Modified: 2013-12-05
Hi Guys,

I've installed a new WSUS 3 server today after our old one was decommissioned a while back.

The problem we are having is that the clients won't connect to the WSUS server, so the server doesn't detect the computers. We can ping the server from a failing client as well as telnet. We have run the MS Client Diagnostics and here are the results.

WSUS Client Diagnostics Tool

Checking Machine State
        Checking for admin rights to run tool . . . . . . . . . PASS
        Automatic Updates Service is running. . . . . . . . . . PASS
        Background Intelligent Transfer Service is running. . . PASS
        Wuaueng.dll version 7.0.6000.381. . . . . . . . . . . . PASS
                This version is WSUS 2.0

Checking AU Settings
        AU Option is 4: Scheduled Install . . . . . . . . . . . PASS
                Option is from Policy settings

Checking Proxy Configuration
        Checking for winhttp local machine Proxy settings . . . PASS
                Winhttp local machine access type
                        <Direct Connection>
                Winhttp local machine Proxy. . . . . . . . . .  NONE
                Winhttp local machine ProxyBypass. . . . . . .  NONE
        Checking User IE Proxy settings . . . . . . . . . . . . PASS
                User IE Proxy
                proxy.lafarge.com:8090
                User IE ProxyByPass
                *.gb.aggregates.lafarge.com;10.172.*;*.lafargecement.co.uk;*.laf
arge.com;<local>
                User IE AutoConfig URL Proxy . . . . . . . . .  NONE
                User IE AutoDetect
                AutoDetect not in use

Checking Connection to WSUS/SUS Server
                WUServer = http://sysgbcwus01
                WUStatusServer = http://sysgbcwus01
        UseWuServer is enabled. . . . . . . . . . . . . . . . . PASS

VerifyWUServerURL() failed with hr=0x801901f7

No Error description could be found



I originally thought the problem was old settings still lingering in the system, so I have created and run the following script, but this still doesn't help the problem.

rem Set WinHTTP to direct access (no proxy)
proxycfg -d
rem Stop the Automatic Updates service before editing its registry state
net stop wuauserv
rem Clear the cached detection schedule
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f
rem Remove the stored client identity so a new SusClientId is generated
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
rem Restart the service, reset the authorization cookie and force detection
net start wuauserv
wuauclt /resetauthorization /detectnow

Does anyone have any ideas on why this problem is occurring and what I can do to fix it?

Question by: Aeropars

Expert Comment by: biztopia
On the clients, try:

- stop wuauserv
- renaming C:\Windows\SoftwareDistribution to something like C:\Windows\SD.old
- start wuauserv

I've found this fixes a variety of problems relating to updates on client PCs.

Cheers
D.

Expert Comment by: ChiefIT
Your URL needs to be http://servername:8530, not http://servername. Also make sure your firewall isn't blocking port 8350 on either client or server side.

The incorrect URL is a common mistake.

Author Comment by: Aeropars
Thanks for the responses guys.

I'll give them both a try, although I'm not too convinced by the URL containing a port, as we have another WSUS server for a separate division of the company which works fine but has no server port in the URL?

Author Comment by: Aeropars
I've tried both suggestions but nothing has changed I'm afraid. Any other ideas??

Expert Comment by: biztopia
Are you configuring the clients for the WSUS server via Group Policy?

If so I'd go through and check all the GPO settings as per the WSUS doco.  

Also, have you checked the log "C:\Windows\SoftwareDistribution\ReportingEvents.log" ?

Check this link on MS website re clients not reporting.
http://technet2.microsoft.com/WindowsServer/en/library/fbe4fd59-5ff3-4e8d-8ec1-733a4f904ab21033.mspx

Failing that, and this is a long shot, you could try running Process Monitor (http://www.microsoft.com/technet/sysinternals/Utilities/ProcessMonitor.mspx) on the client, then force an update check by running "wuauclt /detectnow".

Author Comment by: Aeropars
I've just tried doing a telnet into the IIS server but I can only telnet in on port 80. According to MS the 8530 port is a custom port, but I haven't specified a custom port during the install. I selected for it to run on port 80. With this configuration I have had 2 computers contact the WSUS server and register, although 12 of them have not reported status. Are you certain I need to be using port 8530?

The ReportingEvents.log has "Windows Update Client failed to detect with error 0x80244022"

On advice from another site, I have also run the VB script for the client self update.

Author Comment by: Aeropars
Also, forgot to add that I am configuring via group policy, but the settings are identical to the working version we have for the other company we support.

Expert Comment by: ChiefIT
You are correct:

Port 8350 is an alternative port. The reason for selecting port 8350 is that port 80 is the http port. Of course you know that WSUS is a webpage based system and it sounds like you already have IIS running. WSUS also populates the list of computers from the web page. But, since 80 is the default http port for contacting the WWW, antivirus and firewalls security are tight on those ports and can cause problems on port 80. So, it is recommended you pick the alternative port. It sounds like you have the ammo to do so.

The GPO should include the port number for a more defined path. Also using the fully qualified domain name instead of the computer name or IP address for that GPO is recommended.

I also know that computers will not show up if they don't have any updates ready for them. When there are updates ready for them, it may take about 20 hours to populate the list of clients in WSUS. I don't know why it takes up to 24 hours, there are probably fixes to this. You will probably start seeing the list populated as you download updates for them. So, try and download an update that you know a missing client needs and wait 24 hours.

There is one other thing I would check. There is a minimum base of updates needed to work with WSUS. For XP boxes, you need service pack 2. For 200 boxes, you need service pack 4.

With that said, here is some information on your error report in event viewer. This information was found in technet. This is a binary error and the last four digits come up with the error.

http://technet2.microsoft.com/windowsserver/en/library/0700bf14-01b0-4d47-abae-e77345ca974f1033.mspx?mfr=true

0x80244022
 WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL
 Http status 503 - temporarily overloaded.
 
I don't quite know why you are getting these errors. I will continue to research it.
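
Added example, not part of the original thread or any poster's code: a Python sketch that splits the two error codes quoted so far into severity, facility and code, showing that both carry HTTP status 503. The sample lines are the two messages quoted in the thread; the function names and the small lookup table are assumptions made for illustration.

```python
import re

# HRESULT layout: bit 31 = severity, bits 16-26 = facility, bits 0-15 = code.
FACILITY_NAMES = {
    0x19: "FACILITY_HTTP",           # code is the HTTP status itself
    0x24: "FACILITY_WINDOWSUPDATE",  # code is a Windows Update Agent error
}

# Windows Update Agent codes that wrap an HTTP status. 0x4022 is the one the
# thread quotes from TechNet; the other two are listed for comparison.
WU_HTTP_CODES = {
    0x4018: ("WU_E_PT_HTTP_STATUS_FORBIDDEN", 403),
    0x4019: ("WU_E_PT_HTTP_STATUS_NOT_FOUND", 404),
    0x4022: ("WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL", 503),
}

HRESULT_RE = re.compile(r"\b0x([0-9a-fA-F]{8})\b")


def decode_hresult(value):
    """Split a 32-bit HRESULT into its fields and any HTTP status it carries."""
    facility = (value >> 16) & 0x7FF
    code = value & 0xFFFF
    result = {
        "failure": bool((value >> 31) & 1),
        "facility": FACILITY_NAMES.get(facility, "0x%02x" % facility),
        "code": code,
        "name": None,
        "http_status": None,
    }
    if facility == 0x19:
        # FACILITY_HTTP: the low word is the status the HTTP endpoint returned.
        result["http_status"] = code
    elif facility == 0x24 and code in WU_HTTP_CODES:
        result["name"], result["http_status"] = WU_HTTP_CODES[code]
    return result


def http_statuses(lines):
    """Return {hresult_string: http_status} for every code found in lines."""
    found = {}
    for line in lines:
        for match in HRESULT_RE.finditer(line):
            decoded = decode_hresult(int(match.group(1), 16))
            found["0x" + match.group(1).lower()] = decoded["http_status"]
    return found


# The two messages quoted in the thread (diagnostic tool and ReportingEvents.log).
SAMPLE_LINES = [
    "VerifyWUServerURL() failed with hr=0x801901f7",
    "Windows Update Client failed to detect with error 0x80244022",
]

if __name__ == "__main__":
    for hr, status in http_statuses(SAMPLE_LINES).items():
        print(hr, "-> HTTP", status)
```

A 503 in both codes means an HTTP endpoint answered the client's request, which is consistent with ping and telnet to the server succeeding.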
 

Author Comment

by:Aeropars
Comment Utility
Hi and thanks for the reply.

I've done as you suggested and reinstalled WSUS on port 8530 by telling the install to use its own website within IIS. I've also used the FQDN in the GPO with the correct port number.

I've set up a fresh VMware XP machine to test this on and this has nothing on but XP and SP2. This client still fails with the above error when running the client diag tool.

Http status 503 - temporarily overloaded - I noticed this error message as well and the only explanation I could come up with was that the server is actually a VMware server which is shared with about 8 other servers. I know this shouldn't be a problem but given the shared nature of the single gigabit network card, could this be a problem perhaps? I know it's a long shot but I'm out of ideas!

Expert Comment by: ChiefIT
Have a look at this link to see if this resolves your problem:

http://support.microsoft.com/kb/903262/en-us

Nice work on the alternative port. Thought that would fix the problem.

Author Comment by: Aeropars
I did already try that on advice from another forum but to no avail. I thought this might fix the problem as we did use imaged machines, but the one I'm testing from is built from scratch by the normal Windows CD.

Expert Comment by: ChiefIT
of the single gigabit network card

You are running a Gig NIC? Do you have a Gig router and Gig switch? You may be trying to run a Gig NIC on a 100Mb network.

The error you are getting isn't the usual error you get when WSUS can't be found. You may be requesting information from the server and overloading the router or switch with your Gig NIC and a 100Mb switch and/or router.

Author Comment by: Aeropars
All servers are connected together via a gig fiber network. All PCs run 100Mb.
PCs are pinging the server in less than 1ms on the local network and network card utilisation on the physical server is not even half. The network as a whole is running perfectly, so that's why I'm so baffled by the client error code. The VMware box was just a stab in the dark really, hoping it might give one of you guys the answer.

Is there anything I can check for in IIS? Is there a chance this is a wrong error code for what's happening? We all know what Microsoft are like for error messages!

Expert Comment by: ChiefIT

Author Comment by: Aeropars
I'm not really sure that's relevant to my problem. Yes, we use a proxy server but there is no firewall blocking internal traffic. The proxy is a basic ISA server box with no redirection enabled.

Expert Comment by: ChiefIT
I am not sure if ISA would knock you down:
If an ISA box, maybe you need to set a rule to allow access on the Newly created port of 8350. Maybe ISA is blocking WSUS.

Author Comment by: Aeropars
That can't be the case as the clients are all on the inside of that firewall. The requests would not be trying to pass through the firewall.

Expert Comment by: ChiefIT
Are you using a form of load balancing?

Author Comment by: Aeropars
For WSUS? If so then no. Just a single server that's a member of the domain.

Expert Comment by: ChiefIT
I once helped a person with the wrong DNS suffix on the client that had the problem.

This is odd that only one client is having issues.

Maybe an IPconfig /all of the client can shed some light on the subject. Maybe this client is going to a DNS server that doesn't point the way to the Netbios name of the server or resolving the URL.

Author Comment by: Aeropars
It's not just one client that has the problem. There are masses of clients that are not being discovered yet are all in the same domain.

Expert Comment by: ChiefIT
I told you I was going to research this issue:

I found this information at http://www.wsus.info/forums/lofivers...php?t5308.html
"Check your registry (on the client machine) for a Binary value in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
that is called WinHttpSettings. If it exists, delete it."

Expert Comment by: ChiefIT
link didn't copy correctly, try this for additional information.

http://www.wsus.info/forums/index.php?showtopic=5308

Author Comment by: Aeropars
Thanks for your help so far.

Just gave it a go but to no avail I'm afraid. The client diag tool is giving the exact same message :(

Expert Comment by: ChiefIT
There seems to be a lot of people having problems synchronizing clients to the WSUS server. So, I have been developing a combined fix as a checklist to make sure things are in order before doing some deep troubleshooting. We have covered many of these discrepancies. Let's go through the checklist to make sure we haven't forgotten anything.
_________________________________________________________________________________
1) Overloaded NICS on the clients:
I have been working with another post where only a couple clients showed up. When running a WSUS client diagnostic tool, they came up with the 503 error on the client (overloaded NIC). The WSUS client diag tool will show a line in the text that says something like:

VerifyWUServerURL() failed with hr=0x801901f7

The proposed fix to this is:
"Check your registry (on the client machine) for a Binary value in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
that is called WinHttpSettings. If it exists, delete it."

and I found that fix on this site:
http://www.wsus.info/forums/index.php?showtopic=5308

If you have no clients showing up, then you may wish to consider a fault in the GPO created to point your clients to the WSUS server.
________________________________________________________________________________
2) A common error with a GPO or group policy is how it is applied to the LAN. Some folks put the GPO on the Users or Computers group. Users and Computers are CN folders. Group policy will not work on CN folders. Instead, you will probably want WSUS to handle updates for the entire domain. So, it is probably easiest to create a default domain policy instead of a group policy. If you wish to apply this to the group policy, you will have to create a new folder that is a "OU" (Organizational Unit) Folder and apply that policy to the OU.
_______________________________________________________________________________
3) ISA is a prolific Software firewall. You have to create rules for services Like DHCP, Telnet, printing and pinging. WSUS, by default uses port 80 as the default web page for synchronizing with the WSUS server. Some have WSUS on an alternative port. If so, ISA and some other firewalls may need to allow communications on the port of preference for WSUS. Firewall blockage is pretty common with WSUS, especially on an alternative port.
_________________________________________________________________________________
4) Also, before a list of clients will populate in WSUS, you will need to synchronize your server, I have yet to understand why. But the first time a client gets updates with the server is when the client appears in a populated list for updates. You have to use the console to select the updates you wish download, then synchronize your server to an outside server. Once you download the updates, the GPO you created will point the clients to the WSUS server for updates. Once these updates are delivered, your client will be included into a list of clients that are receiving updates. Then, you can create your update groups. So, synchronizing with the server is an important step to populate your list of clients in WSUS.
________________________________________________________________________________

5) Problems with the proxy:
http://www.eggheadcafe.com/forumarchives/windowsupdate/Aug2005/post23974553.asp

I haven't looked into the explanation of this. So the details will be provided on the link.
________________________________________________________________________________

6) Network load balancing over a switched network, or other Dual NIC conflicts resulting in Overloaded NICS:
Load balancing over a switched network with two NICS on the server can shut down a NIC. In fact, two NICS on a server can always conflict. The difference between a hub and a switch is that the switch provides a single path to a computer. If you have two NICS, then you have two paths to the same machine. The NICS therefore confuse the system and one NIC shuts down. Usually when this happens, your DHCP, if provided by the server, will shut down. There are a number of configurations that can cause a dual NIC conflict on a switched network. If you feel you have this error, please advise and we can troubleshoot your particular configuration.

______________________________________________________________________________
7) Problems with Imaged machines:
http://support.microsoft.com/kb/903262/en-us

Much like dual NICS you have two MAC addresses to what appears to be the same computer. So, WSUS has problems with imaged machines.
_______________________________________________________________________________
8) Wrong port configurations for the WSUS website:
default port is port 80 and an alternative port is port 8350.

Some folks use Port 80 for a different website. If you have multiple websites on the same computer as the WSUS server, you have to provide an alternative port for WSUS. Otherwise, your clients will use the GPO to go to the default web page on the server. That default web page is under the C:\inetpub\wwwroot\ of the server.
________________________________________________________________________________
9) Netframework:
There is a list of prerequisites for WSUS. The best place to find the prereq's is to google search WSUS white papers. The white papers gives you a step by step list of installation procedures. The reason for the search is because 2003 server standard and 2003 SBS has a little different methods to the setup procedures. For 2003 server standard, review the following link for prereq's.

http://technet2.microsoft.com/windowsserver/en/library/f593532c-e92e-47f3-914a-38a6c2519e941033.mspx?mfr=true
________________________________________________________________________________
11) prereqs for clients:
The clients also need prereq's to be completed:
for xp clients, you need Service Pack 2
for 2000 clients, you need Service Pack 4

______________________________________________________________________________
NOTE:
WSUS is a web based application that manages updates for clients and servers. It doesn't require Netbios or DNS to populate the list of computers in WSUS. Instead the list of clients populates using IIS. If you have problems and all else above fails, you may wish to update IIS on your server and see if that fixes your issue.


I hope this information helps you. If not, let me know and I will try to further assist.

Author Comment by: Aeropars
Thanks for the list. I've read through it and we have already covered everything apart from one part on there.

The dual NIC part is interesting. We have (I think, and will need to check) teamed network cards, so although there are two NICs they perform as one. I don't see this as a problem though, as it's successfully working with teamed network cards on our sister company's servers.

Thanks for your help so far.

Accepted Solution by: ChiefIT
There are a number of problems with misconfigured NICS. Load sharing between two NICS can cause a number of issues.

Disabling one NIC will work well for most LANs. Multiple NICs really isn't needed on most LANs. As the defined path over a switched network is causing common problems with many administrators who use two NICS for NLB, I am trying to design a fix. Your question caught me in the first stages of discovery to this fix.

The settings I am concentrating on for proper NLB over a switched network are:
Spanning tree portfast, Proper configuration of dual NICS, NLB over a switched network, Multicast/Unicast modes,

Any one of these settings misconfigured can cause an overloaded NIC.

NLB over a switched network, Microsoft Fix:
http://support.microsoft.com/kb/261957

Technet article on Network load balancing on a switched network:
http://technet.microsoft.com/en-us/library/bb742455.aspx

A little explanation of spanning tree and portfast.
http://itt.theintegrity.net/pmwiki.php?n=ITT.Spanning-TreeAndPortfast
(NOTE: Portfast is necessary for XP clients. XP clients will time out otherwise.)

The differences between Unicast and Multicast modes:
http://support.microsoft.com/kb/291786
(The server requires Multicast mode to work with dual NICS)

Event ID 5719, spanning tree portfast:
http://support.microsoft.com/kb/247922

Preventing NIC flooding caused by NLB:
http://technet2.microsoft.com/windowsserver/en/library/bf3a1c95-f960-4ed3-b154-3586631fb0061033.mspx?mfr=true

Network connectivity between clients and servers may fail. This failure occurs after the installation of either security update MS05-019 or Microsoft Windows Server 2003 Service Pack 1 (SP1).
http://support.microsoft.com/default.aspx?scid=kb;en-us;898060

Putting the load balancing in perspective:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23037760.html

NIC flooding is a common problem. When a NIC is flooded it will shut down services on the NIC and cause various errors. One error I see a lot is Event 1030 for WSUS. Since this error is a known problem that is not well documented, many administrators may suggest updating NIC drivers as a fix to the problem. Periodically that works. Most of the time, this problem goes unresolved until One NIC is deemed bad and disabled, as in this case.  I hope this additional information helps.


Expert Comment by: Mr_Wrong
Dollars to Donuts he has the number of concurrent connections in IIS throttled too low.