J.R. Sitman
asked on
Windows can not check for updates Code 800710DD
I have one workstation that is getting this message. Windows can not check for updates Code 800710DD. I couldn't find the solution.
http://social.technet.microsoft.com/Forums/en/winserverwsus/thread/82672a1d-0b8c-4ec2-8019-c3433ee043b7
Run the following command to set the security descriptor. (Please run the command properly.)
sc sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;
If Group Policy is present, follow the path below (or ask the client to give access).
Start -> Administrative Tools -> Active Directory Users and Computers -> Right-click on the domain -> Select Properties -> Select Group Policy
In the Group Policy snap-in, open the following:
Computer Configuration -> Windows Settings -> Security Settings -> System Services
Select the service named Automatic Updates and click Properties.
Click Edit Security and just add Authenticated Users with read permissions to Group or user names.
Don't forget to run gpupdate on your target computer
ASKER
I'm logged on as the user who is a local Admin and the AD Users and Computers is not in the Admin Tools.
follow this blog to repair permission errors on .NET
http://blogs.msdn.com/astebner/archive/2006/09/04/739820.aspx
ASKER
attached is the update log
WindowsUpdate.log
see ID:26159090 in case you missed it(above)
Another thing that works very well is use the Microsoft Fix it for me here
http://support.microsoft.com/kb/971058
ASKER
Did you see anything in my log
yes, did you try the microsoft fix it?
ASKER
Also I just tried to access the microsoft.net folder permissions on a computer that is not having the update problem and the permissions are exactly the same. Administrator (none) users Read & execute, list and read. So I think I was on the wrong track. I don't think security is the issue.
ASKER
I'll try the fix now and post results
ASKER
Fix didn't solve it. Any other help would be GREATLY appreciated
did you reboot and check the latest entries in the log?
ASKER
did you run the aggressive mode of the fix?
Your log is now also reporting that 56 updates are found
ASKER
Ran the default fix. Updates it needs or updates it did?
updates needed, run the aggressive mode
ASKER
ok. I'll get back to you as soon as it completes and I reboot
If that doesn't work, update/reinstall the latest Windows Update Agent
http://support.microsoft.com/kb/949104
Install from the command line
WindowsUpdateAgent30-<platform>.exe /quiet /norestart /wuforce
ASKER
Didn't work. I'll try the agent
ASKER
what goes in the command line <platform>
ASKER
ignore question about platform
ASKER
I ran the command line and it flashed quickly, no message. I tried the Windows update, still not working. I'll reboot just in case
ASKER
FYI there is one other Vista computer on our network with the exact same problem. I've been doing your fixes on it also with the same negative results
ASKER
Reboot didn't help. It shows the last update was 9/2009. What about a system restore back that far?
ASKER
I just checked and you can't do a restore that far back.
are you using wsus?
ASKER
yes
post your clientdiag results
http://download.microsoft.com/download/9/7/6/976d1084-d2fd-45a1-8c27-a467c768d8ef/WSUS%20Client%20Diagnostic%20Tool.EXE
and the result of (command line)
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /s
Also remove the ":80" from your WSUS GPO, it is not required if on port 80
ASKER
Run the clientdiag on the workstation or server
workstation, hence the name clientdiag ;^)
ASKER
attached screen shot of diag
clientdiag.png
clientdiag.png
ok now we narrowed it to the wsus server
first remove the ":80" from the GPO and gpupdate /force (on client) and check again
ASKER
You should verify your permissions/settings on your WSUS server
http://technet.microsoft.com/en-us/library/cc708545%28WS.10%29.aspx
also verify the existence of the selfupdate virtual folder on port 80
ASKER
I can't remember where the GPO is located? Admin Templates or ?
Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update
ASKER
found it
ASKER
I had to add Network Services to the security. Also see attached. I'm not sure if I'm doing this correctly, but I was trying to check the permissions for the regkey as per the article. Is the highlighted portion correct?
reg2.png
reg2.png
That looks the same as mine
ASKER
I appreciate you not giving up. What now? it's still not working?
Ok, you verified all your WSUS settings?
You changed the GPO ?
Did a gpupdate on client machine and checked clientdiag again?
Also found this comment:
The 0x800710dd error, when occurring on all desktops, can be caused if the NT
AUTHORITY\Network Service account is not a member of the Users local group on
the WSUS server.
It can also occur if the /clientwebservice virtual directory does not have
anonymous access permissions enabled.
ASKER
I verified the permissions, but I didn't verify every registry setting listed in the article.
Yes changed the GPO
Yes did gpupdate
clientdiag gives same error
ASKER
sorry, just saw your last two posts. I thought you were gone. I'll check into these
nope, still here
hopefully we'll get it for ya
ASKER
Thanks for hanging in there. I couldn't figure out how to verify or add the NT Authority/Network Service to Domain Users Account. Can you give details.
Also I checked WSUS and every computer in our network stopped reporting in in Sept. Maybe this will help you identify the problem.
Click Start, click Programs, click Administrative Tools, and then click Computer Management to open the Computer Management console.
In the left pane, expand Local Users and Groups, and then click the Groups folder.
In the right pane, right-click the Users group, and then click Properties.
Click Add.
In the Select Users or Groups dialog box, locate the Look in drop-down box, and then select the local computer.
Select Authenticated Users, and then click Add.
Select INTERACTIVE, and then click Add.
Click OK, click Apply, and then click Close to close the properties for the Users group.
In the left pane, expand Services and Applications, and then click Services.
In the right pane, right-click IIS Admin Service, and then click Restart.
In the Restart Other Services confirmation dialog box, click Yes.
Do you have your wsus gpo applied to "authenticated users" ?
ASKER
don't see local users. see attachment
local.png
sorry, you should go into dsa.msc (copy pasted the steps above)
ASKER
yes Authenticated users is in the filters
Lets start over a little bit, go over all the steps here
http://blogs.technet.com/sus/archive/2009/02/19/troubleshooting-guide-for-issues-where-wsus-clients-are-not-reporting-in.aspx
ASKER
Auth users and interactive were already there. How much longer you going to be working? Are you working tomorrow. I'm getting Frustrated and need a break
ASKER
I was wondering if I remove the WSUS GPO do you think I can update the workstation then?
I'm at home and will stick with you till we get it.
What version wsus are you running? open console click help and then about
ASKER
3.2.7600
I highly suggest resolving your wsus issue, I've helped many get thru this. The error you were getting is one of the less common ones. If it were me I would uninstall IIS and ASP.NET uninstall WSUS and reinstall all.
ASKER
OK. I'll uninstall all, reinstall and get back to you tomorrow. Again, thanks for hanging with me.
Night.
good luck
Here are 2 links that should be very useful
How to manually remove all of WSUS
Then also (this step was missing from the above link)
Go to command prompt and type in:
msiexec /x {CEB5780F-1A70-44A9-850F-DE6C4F6AA8FB} callerid=ocsetup.exe
Install WSUS 3.0 - Step-By-Step
ASKER
the new install and synchronization just completed. How long before it starts adding computers?
Run wuauclt /resetauthorization /detectnow on them
ASKER
I did it on one. Hasn't show up yet. Shouldn't it detect them itself?
It's based on your detection cycle determined in group policy. How do your clientdiags look?
ASKER
Unbelievable the diags are exactly the same
ASKER
One thing that I didn't mention is after I followed the removal instructions and then tried to reinstall WSUS SP1 it said I had a newer version already installed. So I installed SP2. So I guess the instructions left something behind.
What's puzzling is that WSUS has worked for 2 years without a problem. I think the upgrade to SP2 might have caused the current issues.
Most likely, since you say machines hadn't reported since sept. Which I believe is when sp2 was released.
ASKER
Can u help with a Complete uninstall
ASKER
Should I post another question of how to completely uninstall WSUS SP2 or do you want to continue with this one.
Let's continue, will be home shortly. Did you follow the link I provided early on completely removing?
ASKER
ok. Yes I did and I'm doing it again. However, this time I uninstalled SP2 from add/remove.
ASKER
Good news, it's letting me install SP1 this time. I'll keep you posted.
ASKER
I tried to install WSUS no SP and get this attachment.
sp1a.png
It's not necessary to install earlier versions. Use sp2
ASKER
I did that this morning and it got the same clientdiag error, remember?
ASKER
waiting for your reply if I should try SP2 again
Try deleting
HKLM\Software\Microsoft\Update Services\Server\Setup key and try again so we can make sure all remnants of wsus are removed
Did you run the command....
msiexec /x {CEB5780F-1A70-44A9-850F-DE6C4F6AA8FB} callerid=ocsetup.exe
ASKER
just to confirm see attachment. this is all that remains. let me know to continue
server.png
ASKER
Just ran it and it says the action is only valid for products installed
that's correct
try setup again and post wsussetup.log if it fails
ASKER
SP2 or SP1
should have asked earlier is the server 64 bit?
if so the correct command was...
msiexec /x {BDD79957-5801-4A2D-B09E-852E7FA64D01} callerid=ocsetup.exe
sp2, and do you have Microsoft Report Viewer Redistributable 2008 installed?
ASKER
OK. Yes it's installed
ASKER
synchronizing. it took several hours the first time. I'll keep you posted
you should be able to do a clientdiag, but let's change your wsus gpo to use the server IP address (rule out dns problem)
ASKER
so instead of http://servername, put 172.16.1.6 (server ip) in the intranet locations in the GPO
yes, also go over this paying special attention to IUSR and IWAM
http://support.microsoft.com/?id=271071
ASKER
ok
Do you see the IUSR and IWAM accounts in the builtin\users group ?
Has the IP of the server recently changed?
Has the servername recently changed ?
ASKER
no and no
no IUSER or IWAM in users group?
ASKER
Sorry answered the wrong part of your question. See attached
iusr.png
that's ok, what type of errors are in the eventvwr?
ASKER
still synchronizing
let's do this
1. Check the membership of the guests group. Remove the IUSR account from the members if it shows up under the guests group.
2. Reset the IUSR account password:
a. Open the AD Users and Computers console and select the container that holds the IUSR_<Server_Name>. This account is located under the Users container by default.
b. Right click the IUSR account, select the option to change the password, and provide a new password for the account.
c. Open a command prompt window and change directories so that the prompt is on C:\inetpub\adminscripts.
d. Then run:
cscript adsutil.vbs set w3svc/anonymoususerpass <new password>
Note: <new password> is the password provided in step 2b.
e. Open the IIS management console and go into the properties for the website you are working with. Choose the directory security tab, click edit for Authentication and Access Control. Make sure enable anonymous access is checked. If it is, the IUSR account will be selected. Reselect this account and specify the new password when setting the account. Specifically do this on the Default Website and the WSUS website.
NOTE: If you have upgraded from WSS 2.0 to WSS 3.0 you should have a website named Sharepoint-80 in the IIS console. Please follow step 5 for the Sharepoint-80 website, because the WSUS selfupdate directory is hosted under the website listening on port 80.
f. Try restarting the update service or run wsusutil checkhealth.
g. Under the default website, the SELFUPDATE and CONTENT virtual directories should be configured to use Integrated Windows Authentication. Make sure that they don't have anonymous access enabled.
h. Make sure SSL is not enabled on the SELFUPDATE virtual directory.
i. Restart IIS.
ASKER
ok. Will later. Family just arrived. Going to dinner. Sorry. Don't bail on me. I appreciate the help
Okie Dokie
ASKER
The article 271071 specifically warns to do use it unless you are doing it on a Web Server.
ASKER
When I check "Guest" properties it doesn't list IUSR as a member, but IUSR does list Guest as a member. Should I remove Guest from the IUSR properties?
ASKER
I did everything in the steps you sent. I didn't complete the steps in 271071 until I get confirmation it is necessary. I don't like changing all the permissions on my DC. FYI clientdiag is still showing the error.
I hope you're checking mail today. Love to get this solved before they return to work on Monday.
on the server run from cmd
wsusutil /checkhealth
then post any errors/warnings from the eventvwr under application(only wsus specific)
ASKER
Error. Windows cannot find "wsusutil
sorry about that, should have told you WSUSutil.exe is located in the %drive%\Program Files\Update Services\Tools folder
ASKER
self update is not working
no client computers have contacted the server
the reporting web service is not working
the client web service is not working
the simpleauth web service is not working
I need the event ids, these sound like in the range of 13042 and so on
ASKER
in the same order
13042
13051
12002
12022
12042
ASKER
I'm beginning to think this is a life long project. You're very nice for sticking with it. I guess that's why you're a Guru
i enjoy it and am very confident we can resolve this
ASKER
FYI I just installed WSUS SP1 on our DC at another location and it's already discovering computers. Don't know if this helps.
i would then scrap this and have your gpo point to that server
ASKER
Sorry. they are not connected. One in Long Beach (problem) one in Los Angeles (working)
where is the WSUSinstalldir
C:\Program Files\Update Services\setup\installselfupdateonport80.vbs
ASKER
I figured it out, but when I run the command I get "there is no file extension in "C"\program" I tried twice
ASKER
meant C:\program
use quotes because of the space between update and services
"C:\Program Files\Update Services\setup\installselfupdateonport80.vbs"
ASKER
that worked moving to next step
ASKER
on the next step I typed cacls but it didn't work. see attachment
cacls.png
cacls.png
Try
cacls "C:\Program Files\Update Services\selfupdate"
ASKER
did cacls display everything as it should:
BUILTIN\Users:(OI)(CI)R
BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
adsutil.vbs
http://technet.microsoft.com/en-us/library/cc720489%28WS.10%29.aspx
ASKER
Yes it did
ASKER
when I run it I get This script does not work with Wscript. I'm about to give up. What do you think about me installing WSUS SP1 on a different server?
ASKER
I got a message if I wanted to register cscript. I did and then it worked. attached are results
script.png
ASKER
sorry. here are the correct results
ASKER
forgot to attach
script2.png
goto the section
HTTP 401.1: DENIED BY INVALID USER CREDENTIALS:
http://blogs.technet.com/sus/archive/2009/02/19/troubleshooting-guide-for-issues-where-wsus-clients-are-not-reporting-in.aspx
also how does wsusutil /checkhealth look now?
ASKER
This may be helpful. When I logged on to another server and tried to browse the network, the DC spcala08 does not show up
ASKER
checkhealth is the same
ASKER
I'm trying another server. I'll get back to you tomorrow. Thanks for sticking with it.
Nite
alright, last hurrah
let's uninstall/reinstall everything again except this time .NET as well<<<removal tool here
ASKER
The new server installation is working and the clientdiag is perfect. So you are correct it was a DNS problem. How do you suggest I award points?
Glad to see we figured it out, did you also resolve your dns issue?
ID:26168386 would be the answer then
ASKER
Need your help on what I should accept to close this
ASKER
The DNS issue was causing the problems. I need to resolve that.
I like to use this tool to diagnose problems
pbbergs.com/windows/downloads/ad_diag.hta
make sure you have dcdiag and netdiag installed
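
The client-side checks this thread worked through (the WSUS policy value in the registry, name resolution of the WSUS server, and the self-update, client, SimpleAuth and reporting web services), collected into one script. This is an added example, not part of the original thread: the function name and output fields are hypothetical, and the URL paths are assumed to be the standard WSUS 3.0 ones.

```powershell
# Added example (not from the thread). Run on a client that is failing to report in.
function Test-WsusClientPath {
    param(
        # Policy key the thread queried with "reg query".
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
        # Optional override, e.g. http://<server-ip>, to compare against the DNS name.
        [string]$ServerUrl
    )

    if (-not $ServerUrl) {
        $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
        if (-not $policy -or -not $policy.WUServer) {
            throw "No WUServer value under $PolicyKey; the WSUS GPO is not applied here."
        }
        $ServerUrl = $policy.WUServer
    }
    $uri = [Uri]$ServerUrl

    # Step 1: name resolution. A failure here is the DNS case this thread ended on.
    $addresses = @()
    $parsed = $null
    if ([System.Net.IPAddress]::TryParse($uri.Host, [ref]$parsed)) {
        $dns = 'skipped (IP literal)'
    } else {
        try {
            $addresses = [System.Net.Dns]::GetHostAddresses($uri.Host)
            $dns = 'ok'
        } catch {
            $dns = 'FAILED: ' + $_.Exception.GetBaseException().Message
        }
    }

    # Step 2: request each endpoint the client depends on and record the HTTP status.
    $base  = $uri.GetLeftPart([System.UriPartial]::Authority)
    $paths = '/selfupdate/wuident.cab',
             '/ClientWebService/client.asmx',
             '/SimpleAuthWebService/SimpleAuth.asmx',
             '/ReportingWebService/ReportingWebService.asmx'

    foreach ($path in $paths) {
        $request = [System.Net.WebRequest]::Create($base + $path)
        $request.Timeout = 10000
        $request.UseDefaultCredentials = $true
        try {
            $response = $request.GetResponse()
            $status = [int]$response.StatusCode
            $response.Close()
        } catch {
            $ex = $_.Exception.GetBaseException()
            if ($ex -is [System.Net.WebException] -and $ex.Response) {
                $status = [int]$ex.Response.StatusCode   # e.g. 401 or 404 from IIS
            } else {
                $status = $ex.Message                    # no HTTP answer at all
            }
        }
        New-Object PSObject -Property @{
            Server    = $uri.Host
            Dns       = $dns
            Addresses = ($addresses -join ', ')
            Url       = $base + $path
            Status    = $status
        }
    }
}

# Test-WsusClientPath | Format-Table Url, Dns, Status -AutoSize
# Test-WsusClientPath -ServerUrl 'http://<server-ip>' | Format-Table Url, Status -AutoSize
```

If the run against the server name fails at the DNS step while the run against the IP address returns 200 for every URL, the fault is name resolution rather than IIS permissions or the WSUS installation.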