Solved

Clients Computers are not showing up within WSUS

Posted on 2008-06-20
24
1,148 Views
Last Modified: 2011-10-19
Hello,
I freshly installed WSUS 3.0 on a domain member server.  All computers in my domain are members of the same domain.  Server OS in use Server 2003 Enterprise, Clients are running Windows XP Pro
Question:  From within WSUS I noticed that there is a section on how you can specify how to assign computers to groups.
Options are:
Use the update services console
Use group policy or registry settings on computers.

Problem:
Im not sure which one to select.  If I select either of the two my computers do not show up in WSUS.

I specified the WSUS server location as
http://servername:80

When I run an RSOP on a client machine the information specified in my group policy is being applied, however the cleints are not checking in with WSUS.  How can someone help me get this up and running?
0
Comment
Question by:stressedout2004
  • 10
  • 7
  • 6
  • +1
24 Comments
 
LVL 2

Expert Comment

by:thor_08
Comment Utility
You will agree to allocate policies.

has performed a GPUpdate / force from customers?
0
 
LVL 5

Expert Comment

by:kollenh
Comment Utility
To answer your first question, I would suggest that you use Group Policy since they're in a domain and youv'e created a Policy.  Regarding why the clients are not checking in, couple of things to check on the Policy itself:
-That you enabled "Specify intranet Microsoft update service location".  Also define the statistics server for reporting purposes.  I've had trouble with this in the past.
-Ensure that "Configure Automatic Updates" is Enabled.
-What is the 'Automatic Updates detection frequency' set to?  As I recall, that value is a little high by default.  Or is it low?  I just remember changing it.

One last thing to check is that the Policy settings are actually being applied on a client machine.  I know you checked via RSOP but just for fun, check 'HKLM\Software\Software\policies\Microsoft\Windows\WindowsUpdate' and see what you have.

HTH
0
 
LVL 38

Expert Comment

by:ChiefIT
Comment Utility
Any hint in event viewer that the group policies have not been applied.

0
 
LVL 38

Expert Comment

by:ChiefIT
Comment Utility
Try removing :80 from your GPO. If I remember right, some folks had problems with that.
0
 
LVL 9

Author Comment

by:stressedout2004
Comment Utility
Im going to remove the port number in the GPO so that it reads
Http://servername  

My statistics server and Windows Update Server are defined in group policy and point to the location of the WSUS server.  Does it make a difference if the statistics server points to the same location as the update server.  
http://servername
0
 
LVL 9

Author Comment

by:stressedout2004
Comment Utility
Here is the latest news of my progress.  
Changing the update location without the port http://servername did not seem to work.  The group policy applied locally and is set as follows.  I can prove GPO's are being applied because they are seen using RSOP.

I have included two screenshots fro my latest WSUS settings and errors. Please be sure to remove the txt extension because it is nativly and RTF file format.  
This is a brand new installation of WSUS on a new server.  Why do I keep getting these errors on ever one of my WSUS instalattions?
The DSS Authentication Web Service is not working.
The SimpleAuth Web Service is not working.
The Client Web Service is not working.
The Server Synchronization Web Service is not working.
The Reporting Web Service is not working.
No client computers have ever contacted the server.
Self-update is not working.
WSUS-Settings.rtf.txt
0
 
LVL 38

Expert Comment

by:ChiefIT
Comment Utility
Does it make a difference if the statistics server points to the same location as the update server? Absolutely:
Different web pages have to be defined with their own IP addresses. You can't have all the default web pages on one server pointing to the default port 80. Otherwise this would confuse IIS.

I have an article that I might be able to dig up on an creating an alternative Port, port 8530.
http://technet2.microsoft.com/windowsserver/en/library/e0934a67-f0ed-41a3-bf57-78fd9ac949431033.mspx?mfr=true

By default, if WSUS sees a web site on port 80, it will confiugure your port to be 8530. Now, on your GPO, add http:\\servername:8530.
http://www.wsus.info/forums/lofiversion/index.php?t4555.html

An example of your problem:
http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Microsoft_IIS/Q_23104233.html

Your problems are striclty IIS configurations, and since you have room for one more zone, I might suggest you add IIS to the zone on this page. configuring ports and stuff like that for websites is not my strongest point.
0
 
LVL 5

Expert Comment

by:kollenh
Comment Utility
Q: "Does it make a difference if the statistics server points to the same location as the update server?"
A:  Yes, depending on how your WSUS server is configured.  On mine, it's the same and it works fine.  That being said, I had to do some tweaking after doing a default install.  

I agree with ChiefIT, I think the issues you're having are related to IIS configuration or rather a mis-match between the IIS settings and the client settings you're pushing.  You can try running 'netstat -a' from a command prompt on your WSUS server to see what ports are open. TCP servername:http will be the default port 80.  If you see "servername:8530" then you know you'll need to change the Policy to match.
0
 
LVL 38

Expert Comment

by:ChiefIT
Comment Utility
Cool info Kollenh:

I didn't know you could use netstat like that.
0
 
LVL 9

Author Comment

by:stressedout2004
Comment Utility
I do not see port 8530 listening using netstat.

So what server anmes names do I use for the update server and statistics server?
0
 
LVL 5

Expert Comment

by:kollenh
Comment Utility
If you don't see 8530 as a listening port then chances are it's still setup on the default port 80.  If you did a default install of WSUS then whatever server you installed it upon should be the name you will use (for both update server and statistics).

Open up IIS manager, connect to that server, and see what Web Sites are listed.  If you don't see WSUS Administration as a separate site, look under the Default Web Site.  If you're not sure what settings to look for, let me know.  Basically at this point, just make sure you see the requisite sites running.  Have you pulled any of the WindowsUpdate logs from a client computer to see where the error may be?  'C:\Windows\WindowsUpdate.log'
0
 
LVL 38

Expert Comment

by:ChiefIT
Comment Utility
It doesn't hurt anything to change the port to 8530. Change that in your GPO and try a GPUdated. See if clients start saying, "HOWDY".
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 9

Author Comment

by:stressedout2004
Comment Utility
I have three screenshots of IIS and one file of windowsupdate.txt attached.  
The windows update log file was taken from a client computer.  There are lots of failure indications in the log file that I cannot make sense out of.

Please rename 3screenshots.txt to 3screenshots.rtf
If you look in the the file 3screenshots.rtf yo will see my comments for each item.
 


WindowsUpdate.txt
0
 
LVL 9

Author Comment

by:stressedout2004
Comment Utility
I forgot to add the screenshots file because it was to large.  

3screenshot.zip
0
 
LVL 9

Author Comment

by:stressedout2004
Comment Utility
I followed the instruction in a this link
http://www.wsus.info/forums/index.php?showtopic=5928&hl

Here is my status:  
However a few services are still not working but computers are checking in now.
The DSS Authentication Web Service is not working.
The Server Synchronization Web Service is not working.
The DSS Authentication Web Service is not working.
The SimpleAuth Web Service is working correctly.
The Client Web Service is working correctly.
The Server Synchronization Web Service is not working.
The Reporting Web Service is working correctly.
22 client computers have contacted the server.
Self-update is working.

When I click on a computer, it shows that the computer has not reported its status yet. ??? Almost there but not quite.  Any one make any sense of the windows update log file?
0
 
LVL 5

Expert Comment

by:kollenh
Comment Utility
Did you edit the contents of the file at all?  Your log differs drastically from what my systems have, with a lot of data "missing" from yours.  Granted I'm running the newer version but I don't recall there being that much difference in the client log.  However, this entry from the log leads me to believe that your clients are not actually configured to point to your WSUS server:
DnldMgr      Regulation server path: http://www.update.microsoft.com/v6/UpdateRegulationService/UpdateRegulation.asmx.

On my clients logs, the DnldMgr path is 'http://myWSUSserver:8530/Content/etc./etc."

No, you shouldn't need to allow any of the extensions that are currently marked 'prohibited' to make WSUS work; the .NET Framework is the important piece and that's allowed.
Yes, the username should be the 'IUSR_<Servername>' service of the IIS/WSUS server.
0
 
LVL 9

Author Comment

by:stressedout2004
Comment Utility

kollenh: stated
Yes, the username should be the 'IUSR_<Servername>' service of the IIS/WSUS server.

I have to enter a password when i select the IUSR 'IUSR_<Servername> account, what password should i use because im being prompted for a password?  I actuall created an account that is a member of domain users and added that account to each service.  Is that incorrect?  does the anomymous account need administrative rights to work?
0
 
LVL 5

Accepted Solution

by:
kollenh earned 500 total points
Comment Utility
No, the anonymous account should NOT have administrative rights.  If you don't know the IUSR_ password (and I don't on mine) then here is a good article on how to find and/or change it: http://support.microsoft.com/kb/297989
(Please note you'll need to edit the adsutil.vbs file to get the password in clear text)

I'm not sure I follow what you mean when you say "added that account to each service".  To which services do you refer and where/how did you change the account?  It sounds like you may be striving for more security than you need with this product.  I'd leave the default settings in place, if possible.
0
 
LVL 38

Expert Comment

by:ChiefIT
Comment Utility
Download the latest MMC for the server.
0
 
LVL 9

Author Comment

by:stressedout2004
Comment Utility
Im not sure what the difference is between the accounts below.
IWAM account
IUSR account
I have changed the password for both accounts and also set each Virtual Directory in IIS under the default web sites where WSUS is located to use the  IUSR account for anymous autnentication.

I have a screen shot (Access.rtf)of all the virtual directories that use the  IUSR_machine account for authentication. Sicne pictures are worth a thousand words i have included the screenshot which demonstrates this.
Is my configuration now corect?

I just ran the command wsusutil checkhealth and in the application log, I receive the message
Event ID 10000   WSUS is working correctly.  
What do you think?





Access.txt
0
 
LVL 5

Expert Comment

by:kollenh
Comment Utility
I think that's a good sign and it matches my configuration.  Question now is what happens when the clients try to update?  I'm still a little concerned about the WindowsUpdate log you attached previously; it was missing a lot of content/information that I'm used to seeing.

Pick a client at random and check it's settings in the registry, found here:
'HKLM\Software\Software\policies\Microsoft\Windows\WindowsUpdate' and post the contents, please.
0
 
LVL 9

Author Comment

by:stressedout2004
Comment Utility
Hello,

Here is a screenshot of a random registry key (regedit.xtx) and also a copy of WSUS log file (Windows.txt).  The log file looks different but still does nto point to the server.  weird.
regedit.txt
WindowsUpdate.txt
0
 
LVL 5

Expert Comment

by:kollenh
Comment Utility
From what I'm seeing, it looks like things should be working.  If you haven't yet, try running "clientdiag" on one of the systems and see what results you get.
0
 
LVL 9

Author Closing Comment

by:stressedout2004
Comment Utility
Thank You for all of your help.
0

Featured Post

Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

Join & Write a Comment

Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now