Solved

client side targeting WSUS and GPO

Posted on 2008-11-12
Last Modified: 2012-05-05
I have WSUS SP1 set up on our SBS 2003 SP2 DC.
No computers are appearing and I notice in the GPO that client side targeting is not enabled.
I'm a little baffled by GPOs, so bear with me.
I've created a group under 'Computers' in WSUS.
Client side targeting asks you to specify the group name.
Is this the group you created under 'Computers' in WSUS, or the name of the group in GPO, i.e. SBSComputers?
All our PCs except servers are in a group called SBSComputers under MYBusiness in GPO management.
If this is a simple answer, then maybe I've awarded too many points, but I need to sort this and the thread might grow!
Cheers
0
Question by:jasonbournecia
48 Comments
 
LVL 13

Expert Comment

by:leegclystvale
ID: 22938413
It's the group name you created on the WSUS server and specify in the client-side targeting. You'll get there :o)
group name SBSComputers
Client side targeting SBSComputers
0
 
LVL 23

Expert Comment

by:Malli Boppe
ID: 22938416
In the group name you need to specify computers.
http://www.wsuswiki.com/WSUSCreateTargetGroups 
0
 

Author Comment

by:jasonbournecia
ID: 22938572
Hi Guys,
I created a group called EYC in the WSUS update console and this is the name I put in client side targeting.
I did a gpupdate and still nothing has appeared.
Should it be the name of the group in AD i.e. SBScomputers instead?
0
 
LVL 13

Expert Comment

by:leegclystvale
ID: 22938655
NO, it should be like you've done.
I assume you've created a GPO, set up the Windows update section, and then applied the GPO to an OU that contains your workstations?
If so, it can take a while to populate. You can accelerate things a bit from the client: run wuauclt /detectnow from the Run command.
See how that goes
0
 

Author Comment

by:jasonbournecia
ID: 22938777
Bear with me.
I didn't create the GPO.
I changed the settings in the default domain policy.
I'm a little confused, as the default domain policy already contains the settings as they were i.e. Allow updates to install at 1:00 pm, but it was not pointing at our server, so I enabled it to specify our server.
I did a couple of tests in IE which did find the server.
I'm baffled by GPO generally.
In our default domain policy we have our password policy, but this policy is also under SBS domain password policy.
I assume our default domain policy is being used. I ran rsop.msc as someone suggested and default domain policy is mentioned.
Do I need to create a specific GPO just for WSUS? If I did, exactly where would it go?
Updates already exist under default domain policy though.
I've attached an image of our GPO.
untitled.JPG
0
 
LVL 13

Expert Comment

by:leegclystvale
ID: 22938917
No, you should do changes like that to the default domain policy. Always create a new GPO and test it on an OU. Any settings that are domain wide will filter down unless you specify otherwise. THIS IS GOOD ADVICE as it will affect all your active directory structure!
Back to your problem...challenge :o) Let's get this sorted out.
1) Remove settings from the default domain policy for Windows updates and select not configured.
2) Right click Group Policy objects and create new GPO. Call it WSUS.
3) In the GPO you've just created WSUS (it will be visible in Group Policy Objects - right click-edit) navigate to the Windows updates settings you've been doing and input all the necessary settings for your updates, http://servername etc, client side name which is the Group you created in WSUS (SBSComputers).
4) In Group policy management (where the Group Policy Objects container can be found) scroll up and expand your mybusiness>Computers containers/OU's and right click the SBSComputers OU and select Link an Existing GPO
5) A dialogue box will appear and you need to select the GPO you created (WSUS)
You can actually drag GPO to OUs, but the above is a good method.
Also, you will notice in the Group Policy Management console that when you click on an OU it will show you what GPO is applied to that OU. Also if you click a GPO from the Group Policy Objects, it will show you what OUs that GPO is applied to.
6) Run gpupdate /force and you're done.
7) Go to a client and run wuauclt /detectnow from the command prompt.
Let me know how you get on.
0
 
LVL 13

Expert Comment

by:leegclystvale
ID: 22938923
That should read, No you should NOT do changes like this in the default domain policy :o)
0
 
LVL 13

Expert Comment

by:leegclystvale
ID: 22938974
Your settings in the default domain policy should not be there. Now you are creating GPOs specifically for updates on specific machines, remove the settings. I have different settings for my servers and manually do updates as I don't trust auto updates for servers as they should be tested before they go onto the system.
Also good policy for you to make another OU called TestOUforWSUS and put a machine in it and then apply all updates you want to test, test them on that one machine, and then if fine, Apply the updates to the SBSComputers OU.
If you want any more help, just shout!
0
 

Author Comment

by:jasonbournecia
ID: 22939160
Quick question.
You say "Right click Group Policy objects"
In group policy Management, do I right click on my domain name and choose "Create and link a GPO here"
Thank you for the clarity
0
 
LVL 13

Expert Comment

by:leegclystvale
ID: 22939182
No, expand the domain name and at the bottom, you will see a container called Group Policy Objects. R/click on that.
You can see it on your diagram you posted. second from the bottom.
0
 

Author Comment

by:jasonbournecia
ID: 22939486
Just let me know when you want me to take a hike!
I did as you say, even rebooted server after gpupdate /force.
Nothing happened.
Just to clarify, the group is called EYC in update services and in client side targeting.
Should it be SBSComputers?
or what else could I look at?
Sorry this is dragging on.
0
 
LVL 13

Expert Comment

by:leegclystvale
ID: 22939584
It doesn't matter on the name. As long as you have created a group in WSUS and called the client side the same, it will work.
I've been assuming you're running XP from the clients. Is this right? Should have asked first! Are they running SP2 firewall enabled?
Have you run the detectnow on the clients? Try a reboot.
Also are these cloned/imaged machines in the OU that you're applying the GPO to? (SBSComputers)
0
 

Author Comment

by:jasonbournecia
ID: 22940175
Virtually all machines are XP Pro SP3; or at least SP2.
Just went and turned on a client machine and have just checked the server; still no PCs showing under computers in Update services.
Most of these machines were installed from XP CDs, a few are new and so had XP pre installed.
Attached pic; is there somewhere else I could be missing something obvious?
wsus.JPG
0
 
LVL 13

Expert Comment

by:leegclystvale
ID: 22940264
On your diagram, under Enable client side targeting, the target group name should be "EYC" NOT "WSUS". In WSUS console you should have a group called EYC too. The computers will go in there.
Change the WSUS to EYC and then gpupdate /force etc and then do the bit on the client wuauclt /detectnow.
Any problems after that, screenshot your computers page on the WSUS console
0
 

Author Comment

by:jasonbournecia
ID: 22940445
A slight whoops, I did notice that and changed it, but obviously did not do a gpupdate; still no change though.
I've attached screen shot.
computers.JPG
0
 
LVL 13

Expert Comment

by:leegclystvale
ID: 22940599
Expand the All computers bit and post a shot. Also post a shot of the revised GPO settings you did previously.
Also when you right click on the GPO itself in Group Policy management, does it have a tick next to enabled? It should have by default. Please check.
0
 

Author Comment

by:jasonbournecia
ID: 22940707
There is a tick next to link enabled
gpm.JPG
updateservices.JPG
0
 
LVL 13

Expert Comment

by:leegclystvale
ID: 22940998
Are you sure your wsus server address is right? Test it.
You should be able to ping it using its IP as well.
Also can you post the log from a client it's in C:\windows\Windowsupdate.log
0
 

Author Comment

by:jasonbournecia
ID: 22941341
I can ping the server name
WindowsUpdate.log
0
 

Author Comment

by:jasonbournecia
ID: 22941535
I might need to leave soon and continue this tomorrow if you're okay, I'm sorting out someone's hardware problem; much easier!
FYI Under Options in the Update services interface, under Computers, it is set to use group policy, which I assume is correct if I want computers to populate automatically.
0
 
LVL 13

Expert Comment

by:leegclystvale
ID: 22941593
Are you sure the client you're trying is in that SBSComputer OU in grouppolicy?
On the client, type gpresult from a command prompt and post findings
Also have a look at these registry settings to see if they have a value

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\AccountDomainSid
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\PingID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\SusClientId
Post back your findings
 
0
 
LVL 13

Expert Comment

by:leegclystvale
ID: 22941634
Don't use Group policy setting and see how that goes.
0
 

Author Comment

by:jasonbournecia
ID: 22948186
Morning.
All clients are in SBSComputer, see file
Attached gpresult
Can't see those reg settings, see attached

You say don't use group policy, in the Options section of Update Services, under Computers, I change it to say Use Update Services Console, Still no computers appear and there is no option to search AD.
ADUC.JPG
reg.JPG
gpresult.txt
0
 

Author Comment

by:jasonbournecia
ID: 22948275
Just out of interest, you mentioned:
"Also, you will notice in the Group Policy Management console that when you click on an OU it will show you what GPO is applied to that OU. Also if you click a GPO from the Group Policy Objects, it will show you what OUs that GPO is applied to."
In group Policy Management, when I click on eyc.local, just beneath 'Domain' it lists the GPOs on the right.
WSUS is not listed there, but is listed against sbscomputers further down.
Is this normal behaviour, see attached
gpos.JPG
0
 
LVL 13

Expert Comment

by:leegclystvale
ID: 22948352
Yeah that is normal behaviour. When you click the EYC domain, the GPOs on the right as per your diagram are the GPOs that are applied to the domain, i.e. and any sub OUs. When you click on an OU, any GPOs listed there will only apply to that OU and any sub OUs, and will also have the domain GPOs applying to it. Hope that makes sense.
Is your server firewalled? Your clients seem to be getting a WSUS SID so that is good.
I would delete the bottom 2 registry values (not default at the top), and then run wuauclt /detectnow on the client.
Keep the settings as you have them on the WSUS console.
0
 

Author Comment

by:jasonbournecia
ID: 22948513
ISA 2000 is running on the SBS server
I deleted the bottom two entries and ran wuauclt /detectnow
I changed computers back to use Group policy in WSUS console options section.
Still no change

0
 
LVL 13

Expert Comment

by:leegclystvale
ID: 22948557
Is the nic firewalled on the server?
There is something not right.
Can you double check using this short document that you are using Client side targetting on the server.
http://technet.microsoft.com/en-us/updatemanagement/bb245868.aspx
0
 
LVL 13

Expert Comment

by:leegclystvale
ID: 22948739
oh ok. When you click on your domain EYC in the Group policy management and all those GPOs appear on the right as per your diagram, you need to go all through those GPOs and set any Windows Update settings to not configured. It may be that at a higher level, something has been set that is confusing things.
You also NEED to look at the firewall GPO at domain level (Small Business server Firewall GPO ) as that may be stopping things as it seems to be applying firewall settings at domain level!
0
 

Author Comment

by:jasonbournecia
ID: 22949000
Thanks for persevering.
The NIC is controlled by ISA, but everything else works.
I went through that document and its links and all fine.
I went through all the GPOs on the right, all not configured.
But, under Domain Controllers, the Default Domain Controllers Policy does have some settings in Windows Update.
Even though this is a separate group, shall I wipe them?
0
 

Author Comment

by:jasonbournecia
ID: 22949014
Is it anything to do with 'Wuau.adm' I read about on the technet site?
How do I know if I have the latest?
Does it matter?
Cheers
0
 
LVL 13

Expert Comment

by:leegclystvale
ID: 22949179
Yes wipe them! You don't need a policy like this at domain level. Run GPupdate /force, reboot your client and run wuauclt /detectnow.
Wuau.adm should be fine if you have SP2 or later which you said you have on your clients.
0
 
LVL 13

Expert Comment

by:leegclystvale
ID: 22949190
Oops. Just realised your GPO with settings is in the Domain controllers OU. Leave them there.
0
 
LVL 13

Expert Comment

by:leegclystvale
ID: 22949204
I assume you installed WSUS using the default port 80 and you didn't change the port?
0
 
LVL 13

Expert Comment

by:leegclystvale
ID: 22949294
OK, to ensure it's out the equation, copy the wuau.adm from the WSUS server itself (your SBS 2003 server) Copy the file wuau.adm which is on your server c:\windows\inf and copy it to that location on the client.
Add the adm file on the client. You may need to remove previous adm file first or overwrite. Then re-input all your settings again in the GPO. Run the wuauclt /detectnow
0
 

Author Comment

by:jasonbournecia
ID: 22949449
Whoops back at you, I wiped the Update section from the DC
I didn't install WSUS, but under IIS, the default web site is 80 and WSUS admin is showing as 8530
I copied wuau.adm from server to local machine. I ran wuauclt /detectnow on local machine; nothing.
You mentioned inputting GPO back in; are you talking about the server GPO or WSUS gpo, it is already populated.
0
 

Author Comment

by:jasonbournecia
ID: 22949481
I notice under Update source under options in Update services, it shows port number 8080 under use a proxy server? Should use proxy server even be there?
0
 
LVL 13

Expert Comment

by:leegclystvale
ID: 22949937
Does the new adm file show any extra settings at the top that you didn't have before? Like Do not display "Install updates and shutdown"?
Surprised the ADM is already populated. Might be worth removing it. Then adding it again. Go to the WSUS GPO and edit it. Expand Computer config>Right click administrative templates>Add/remove templates>Click wuau>click remove>close. Close it all down. Run gpupdate /force.
Go back to WSUS GPO and add it again. Expand Computer config>Right click administrative templates>Add/remove templates>Click Add>close. Close it all down. Run gpupdate /force again.
The proxy server setting should go to the internet to get its updates from the MS site so if the server needs to go through the proxy server to get to the internet as usual, then that should be fine. Nothing to do with your clients seeing WSUS.
 Also look at this:
Default Web site on Windows SBS 2003 must be modified to enable some WSUS client computers to self-update.
The WSUS server setup process installs two IIS v-roots on the server: SelfUpdate and ClientWebService. Setup also places some files under the home directory of the default Web site (on port 80) that enables client computers to self-update through the default Web site. By default, the default Web site is configured to deny access to any IP address other than localhost or specific subnets attached to the server. This means that client computers that are not on localhost or on those specific subnets cannot self-update. To grant access to these client computers, complete the following steps on the default Web sites SelfUpdate and ClientWebService virtual directory.
To grant access to the client computers to self-update:
 
1.   In Server Management, expand Advanced Management, expand Internet Information Services, expand Web Sites, expand Default Web Site, right-click the Selfupdate virtual directory, and then select Properties.
2.   Click Directory Security.
3.   Under IP address and domain name restrictions, click Edit, and then click Granted Access.
4.   Click OK, right-click the ClientWebService virtual directory, and then select Properties.
5.   Click Directory Security.
6.   Under IP address and domain name restrictions, click Edit, and then click Granted Access.
found above info here http://www.wsuswiki.com/WSUSonSBS#1

download and run the wsus diagnostic tool for the client
http://download.microsoft.com/download/9/7/6/976d1084-d2fd-45a1-8c27-a467c768d8ef/WSUS%20Client%20Diagnostic%20Tool.EXE
AND - you will need to add an allow inbound rule for port 80 and port 8530 on ISA 2000.
Post back the diagnostic tool from the client
0
 

Author Comment

by:jasonbournecia
ID: 22950650
As far as I can tell, the adm's are pretty similar.
Removed and re added wuau.
Did a gpupdate force, but decided not to reboot the server at this time; not sure if that's an issue, did do it yesterday though.
Attached diag tool.
Granted access on the other two; I hope that doesn't affect our security.
Hesitant about allowing port 80 inbound, as that might open up the default web server?
You can probably tell, I'm rapidly climbing out of my depth.
0
 
LVL 13

Expert Comment

by:leegclystvale
ID: 22950693
Where's the diag results?
0
 

Author Comment

by:jasonbournecia
ID: 22950810
0
 

Author Comment

by:jasonbournecia
ID: 22950898
I've added these rules to ISA.
I hope they're right, because I'm out of my depth
isa.JPG
0
 
LVL 13

Accepted Solution

by:
leegclystvale earned 2000 total points
ID: 22951053
Looks good. I reckon it's an ISA issue, port blocking.
In the GPO, where you specify the Intranet update server, type http://yourwsusServerName:8530
gpupdate /force on the server and then gpupdate /force on the client and the wuauclt /detectnow commands.
We'll look at the ISA bits in a minute
0
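The client-side checks this thread worked through (policy values, target group, and the WSUS port from the accepted answer), gathered into one read-only script. This is an added example, not part of the original posts; it assumes PowerShell is available on the client, and the function names and `$expectedGroup` are illustrative.

```powershell
# Added example, not from the thread. Read-only: it changes nothing on the client.
$expectedGroup = 'EYC'   # target group name used in the thread; replace with yours
$wuKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$clientKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-WsusClientFindings {
    param([string]$ExpectedGroup)
    $findings = @()
    $server  = Get-RegValue $wuKey 'WUServer'
    $useWsus = Get-RegValue (Join-Path $wuKey 'AU') 'UseWUServer'
    $enabled = Get-RegValue $wuKey 'TargetGroupEnabled'
    $group   = Get-RegValue $wuKey 'TargetGroup'

    if (-not $server) {
        $findings += 'No WUServer value: the WSUS GPO is not reaching this computer (check gpresult and the OU link).'
    } else {
        $uri = $null
        if (-not [System.Uri]::TryCreate($server, [System.UriKind]::Absolute, [ref]$uri)) {
            $findings += "WUServer '$server' is not a full URL such as http://servername:8530."
        } elseif (-not (Test-TcpPort $uri.Host $uri.Port)) {
            $findings += "Cannot connect to $($uri.Host) on TCP $($uri.Port). Check that the URL carries the WSUS site port and that the firewall allows it."
        }
    }
    if ($useWsus -ne 1) {
        $findings += 'UseWUServer is not 1: Automatic Updates is not set to use the intranet server.'
    }
    if ($enabled -ne 1 -or $group -ne $ExpectedGroup) {
        $findings += "Client-side targeting: enabled='$enabled', group='$group', expected '$ExpectedGroup'."
    }
    return $findings
}

$findings = @(Get-WsusClientFindings -ExpectedGroup $expectedGroup)
"SusClientId: $(Get-RegValue $clientKey 'SusClientId')"   # should differ per machine
if ($findings.Count -eq 0) {
    'Policy and connectivity look consistent; run wuauclt /detectnow and check the WSUS console.'
} else {
    $findings
}
```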
 

Author Comment

by:jasonbournecia
ID: 22951680
Hey! We virtually could be there.
I did as above, but did not reboot server; did log off though.
Rebooted my machine, ran detectnow.
In Update services, in the EYC group two PCs of 3 show; neither is mine though.
I'm going to give it a little while and see what happens; I'll let you know their status.
0
 
LVL 13

Expert Comment

by:leegclystvale
ID: 22951760
Cool! It can take a couple of days to populate the database and even then you may have some clients not appearing. It would just be a case of deleting their wsus SIDS as you did earlier in the registry and then running detectnow.
You will be there if some can get through. it's when none are appearing you need to look at it more closely.
cheers
0
 
LVL 13

Expert Comment

by:leegclystvale
ID: 22951782
You've done well as a few searches I've made on SBS being used for ISA 2000 and WSUS3, most people have given up and upgraded to ISA 2004 or moved the WSUS to a dedicated server! Time will tell
0
 

Author Comment

by:jasonbournecia
ID: 22957993
We are there leegclystvale, there are 12 PCs showing in EYC :) :) :)
I've added this comment to increase the points.

0
 

Author Closing Comment

by:jasonbournecia
ID: 31515895
Absolutely brilliant!
Sometimes leegclystvale, thanks is just not enough.
You were like a dog with a bone, you wouldn't let go; I really appreciate that.
You taught me more about GPOs than I knew, you were patient, clear and informative.
You took me out of my comfort zone with ISA; it is somewhere I needed to go anyway; another 18 months before we change servers.
I can't thank you enough.
Now, about those updates....... :)
I know I'll be asking a new question about those.
0
 
LVL 13

Expert Comment

by:leegclystvale
ID: 22958105
Good man! Glad you're sorted. Nothing worse than trying everything and things still not working. Yes and now the updates :o) Thanks
0
