Windows can not check for updates Code 800710DD

http://social.technet.microsoft.com/Forums/en/winserverwsus/thread/82672a1d-0b8c-4ec2-8019-c3433ee043b7

Run Following command to set security descriptor.(PLS run commandProperly).
 
sc sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
 
IF Grroup policy is present follow this below path (Or ask Client to give access).
 
Start->Administrative Tools->Active Directory Users and Computers->Right Click on domain -> Select Properties-> Select Group Policy
 
In Group Policy Snap-in open folowing
Computer Configuration -> Windows Settings -> Security Settings -> System Services
 
Select Service named Authomatic Updates and click properties.
 
Click Edit Security and Just add Authenticated Users with read permissions to Group or user names.
 
Don't forget run gpupdate on your target computer

I'm logged on as the user who is a local Admin and the AD Users and Computers is not in the Admin Tools.

WSUS: Clients get HTTP 401 errors - 0x800710DD errors generated in WindowsUpdate.log

follow this blog to repair permission errors on .NET


http://blogs.msdn.com/astebner/archive/2006/09/04/739820.aspx

attached is the update log
WindowsUpdate.log

see ID:26159090 in case you missed it(above)

Another thing that works very well is use the Microsoft Fix it for me here


http://support.microsoft.com/kb/971058

Did you see anything in my log

yes, did you try the microsoft fix it?

Also I just tried to access the microsoft.net folder permissions on a computer that is not having the update problem and the permissions are exactly the same.  Administrator (none) users Read & execute, list and read.  So I think I was on the wrong track.  I don't think security is the issue.

I'll try the fix now and post results

Fix didn't solve it.  Any other help would be GREATLY appreciated

did you reboot and check the latest entries in the log?

Yes did a reboot.  Attached is the latest log.

WindowsUpdate.log

did you run the aggressive mode of the fix?

Your log is is now also reporting that 56 updates are found

Ran the default fix.  Updates it needs or updates it did?

updates needed, run the aggressive mode

ok.  I'll get back to you as soon as it completes and I reboot

If that dont work, update/reinstall the latest windows update agent

http://support.microsoft.com/kb/949104


Install from the command line

WindowsUpdateAgent30-<platform>.exe /quiet /norestart /wuforce

Didn't work.  I'll try the agent

what goes in the command line <platform>

ignore question about platform

I ran the command line and it flashed quickly, no message.  I tried the Windows update, still not working.  I'll reboot just in case

FYI there is one other Vista computer on our network with the exact same problem.  I've been doing your fixes on it also with the same negative results

Reboot didn't help.  It shows the last update was 9/2009.  What about a system restore back that far?

I just checked and you can't do a restore that far back.

are you using wsus?

yes

post your clientdiag results


http://download.microsoft.com/download/9/7/6/976d1084-d2fd-45a1-8c27-a467c768d8ef/WSUS%20Client%20Diagnostic%20Tool.EXE


and the result of (command line)

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /s

Also remove the ":80" from your WSUS GPO, it is not required if on port 80

Run the clientdiag on the workstation or server

workstation, hence the name clientdiag ;^)

attached screen shot of diag
clientdiag.png

ok now we narrowed it to the wsus server

first remove the ":80" from the GPO and gpupdate /force(on client) and check again

Screen shot of cmd line

regkey.png

You should verify your permissions/settings on your WSUS server

http://technet.microsoft.com/en-us/library/cc708545%28WS.10%29.aspx

also verify the existence of the selfupdate virtual folder on port 80

I can't remember where the GPO is located?  Admin Templates or ?

Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update

found it

I had to add Network Services to the security.  Also see attached. I'm not sure if I'm doing this correctly, but I was trying to check the permissions for the regkey as per the artiicle.  Is the highlighted portion correct?
reg2.png

That looks the same as mine

I appreciate you not giving up.  What now?  it's still not working?

Ok, you verified all your WSUS settings?

You changed the GPO ?

Did a gpupdate on client machine and checked clientdiag again?

Is your  " IUSR_ComputerName" still part of your users group?


http://support.microsoft.com/kb/920659

Also found this comment:



The 0x800710dd error, when occuring on all desktops, can be caused if the NT
AUTHORITY\Network Service account is not a member of the Users local group on
the WSUS server.

It can also occur if the /clientwebservice virtual directory does not have
anonymous access permissions enabled.

I verified the permissions, but I didn't verify every registry setting listed in the article.
Yes changed the GPO
Yes did gpudate
clientdiag give same error

sorry, just saw your last two posts.  I thought you were gone.  I'll check into these

nope, still here

hopefully we'll get it for ya

Thanks for hanging in there.  I couldn't figure out how to verify or add the NT Authority/Network Service to Domain Users Account.  Can you give details.
Also I checked WSUS and every computer in our network stopped reporting in in Sept.  Maybe this will help you identify the problem.

Click Start, click Programs, click Administrative Tools, and then click Computer Management to open the Computer Management console.  
In the left pane, expand Local Users and Groups, and then click the Groups folder.  
In the right pane, right-click the Users group, and then click Properties.  
Click Add.  
In the Select Users or Groups dialog box, locate the Look in drop-down box, and then select the local computer.  
Select Authenticated Users, and then click Add.  
Select INTERACTIVE, and then click Add.  
Click OK, click Apply, and then click Close to close the properties for the Users group.  
In the left pane, expand Services and Applications, and then click Services.  
In the right pane, right-click IIS Admin Service, and then click Restart.  
In the Restart Other Services confirmation dialog box, click Yes.

Do you have your wsus gpo applied to "authenticated users" ?

don't see local users.  see attachmenrt
local.png

sorry, you should go into dsa.msc (copy pasted the steps above)

yes Authenticated users is in the filters

Lets start over a little bit, go over all the steps here


http://blogs.technet.com/sus/archive/2009/02/19/troubleshooting-guide-for-issues-where-wsus-clients-are-not-reporting-in.aspx

Auth users and interactive were already there.  How much longer you going to be working?  Are you working tomorrow.  I'm getting Frustrated and need a break

I was wondering if I remove the WSUS GPO do you think I can update the workstation then?

I'm at home and will stick with you till we get it.

What version wsus are you running? open console click help and then about

3.2.7600

I highly suggest resolving your wsus issue, I've helped many get thru this. The error you were getting is one of the less common ones. If it were me I would uninstall IIS and ASP.NET uninstall WSUS and reinstall all.

OK.  I'll uninstall all, reinstall and get back to you tomorrow.  Again, thanks for hanging with me.

Night.

good luck

Here are 2 links that should be very useful

How to manually remove all of WSUS

Then also( this step was missing from above link)
Go to command prompt and type in:
msiexec /x {CEB5780F-1A70-44A9-850F-DE6C4F6AA8FB} callerid=ocsetup.exe

Install WSUS 3.0 - Step-By-Step

the new install and syncronization just completed.  How long before it stats adding computers?

Run wuauclt /resetauthorization /detectnow on them

I did it on one.  Hasn't show up yet.  Shouldn't it detect them itself?

Its based on your detection cycle determined in group policy. How do your clientdiags look?

Unbelievable the diags are exactly the same

Onr thing that I didn't mention is after I followed the removal instructions and then tried to reinstall WSUS SP1 it said I had a newer version already installed.  So I installed SP2.  So I guess the intructions left something behind.

What's puzzling it that WSUS has worked for 2 years with out a problem.  I think the upgrade to SP2 might have caused the current issues.

Most likely, since you say machines hadn't reported since sept. Which I believe is when sp2 was released.

Can u help with a Complete uninstall

Should I post anothe rquestion of how to completely uninstall WSUS SP2 or do you want to continue with this one.

Let's continue, will be home shortly. Did you follow the link I provided early on completely removing?

ok.  Yes I did and I'm doing it again.  However, this time I uninstalled SP2 from add/remove.

Good news, it's letting me install SP1 this time.  I'll keep you posted.

I spoke too soon.  
See attachment
sp1.png

I tried to install WSUS no SP and get this attachment.
sp1a.png

Its not necessary to install earlier versions. Use sp2

I did that this morning and it got the same clientdiag error, remember?

waiting for your reply if I should try SP2 again

Try deleting

HKLM\Software\Microsoft\Update Services\Server\Setup key and try again so we can make sure all remnants of wsus are removed

Did you run the command....


msiexec /x {CEB5780F-1A70-44A9-850F-DE6C4F6AA8FB} callerid=ocsetup.exe

just to confirm see attachment.  this is all that remains.  let me know to continue
server.png

Just ran it and it say the action is only valid for products installed

that's correct

try setup again and post wsussetup.log if it fails

SP2 or SP1

should have asked earlier is the server 64 bit?

if so the correct command was...

msiexec /x {BDD79957-5801-4A2D-B09E-852E7FA64D01} callerid=ocsetup.exe

sp2, and do you have Microsoft Report Viewer Redistributable 2008 installed?

OK.  Yes it's installed

synchronizing.  it took several hours the first time.  I'll keep you posted

you should be able to do a clientdiag, but lets change your wsus gpo to use the server IP Address(rule out dns problem)

so instead of http://servername, put 172.16.1.6 (server ip) in the intranet locations in the GPO

yes, also go over this paying special attention to IUSR and IWAM


http://support.microsoft.com/?id=271071

ok

Do you see the IUSR and IWAM accounts in the builtin\users group ?


Has the IP of the server recently changed?

Has the servername recently changed ?

no and no

no IUSER or IWAM in users group?

Sorry answered the wrong part of your question.  See attached
iusr.png

thats ok, what type of errors are in the eventvwr?

still synchronizing

lets do this

1. Check the membership of the guests group. Remove the IUSR account from the members if it shows up under the guests group.  
2. Reset the IUSR account password:  
a. Open the AD Users and Computers console and select the container that holds the IUSR_<Server_Name>. This account is located under the Users container by default.  
b. Right click the IUSR account, select the option to change the password, and provide a new password for the account.  
c. Open a command prompt window run and change directories so that the prompt is on C:\inetpub\adminscripts.  
d. Then run:  
cscript adsutil.vbs set w3svc/anonymoususerpass <new password>  
Note: <new password> is the password provided in step 2b.  
e. Open the IIS management console and go into the properties for the website you are working with. Choose the directory security tab, click edit for Authentication and
Access Control. Make sure enable anonymous access is checked. If it is, the IUSR account will be selected. Reselect this account and specify the new password when setting the account. Specifically do this on the Default Website and the WSUS website .  
NOTE: If you have upgraded from WSS 2.0 to WSS 3.0 you should have a website named Sharepoint-80 in the IIS console. Please follow step 5 for the Sharepoint-80 website, because the WSUS selfupdate directory is hosted under the website listening on port 80.  
f. Try restarting the update service or run wsusutil checkhealth.  
g. Under the default website, the SELFUPDATE and CONTENT virtual directories should be configured to use Integrated Windows Authentication. Make sure that they dont have anonymous access enabled.  
h. Make sure SSL is not enabled on the SELFUPDATE virtual directory.  
i. Restart IIS.

ok.  Will later.  Family just arrived.  Going to dinner.  Sorry.  Don't bail on me.  I appreciate the help

Okie Dokie

The article 271071 specifically warns to do use it unless you are doing it on a Web Server.

When  I check "Guest" proerties it doesn't list IUSR as a member, but IUSR does list Guest as a member.  Should I remove Guest from the IUSR properties?

I did everything in the steps you sent.  I didn't complete the steps in 271071 until I get confirmation it is necessary.  I don't like changing all the permissions on my DC.  FYI clientdiag is still showing the error.
I hope you're checking mail today.  Love to get this solved before they return to work on Monday.

on the server run from cmd

wsusutil /checkhealth


then post any errors/warnings from the eventvwr under application(only wsus specific)

Error.  Windows cannot find "wsusutil

sorry about that, should have told you  WSUSutil.exe is located in the %drive%\Program Files\Update Services\Tools folder

self update is not working
no client computers have contacted the server
the reporting web service is not working
the client web service is not working
the simpleauth web service is not working

I need the event ids, these sound like in the range of 13042 and so on

in the same order
13042
13051
12002
12022
12042

start here with 13042

http://www.microsoft.com/products/ee/transform.aspx?ProdName=.NET%20Framework&ProdVer=2.0.50727.42&EvtID=13042&EvtSrc=Windows%20Server%20Update%20Services&FileVer=2.0.50727.42&FileName=EventLogMessages.dll&EvtType=%E9%94%99%E8%AF%AF&LCID=

http://blogs.technet.com/asksbs/archive/2008/06/02/troubleshooting-multiple-errors-on-wsus-13042-13051-and-12032.aspx

I'm begging to think this is a life long project.  You're very nice for sticking with it.  I guess that's why you're a Guru

i enjoy it and am very confident we can resolve this

FYI I just installed WSUS SP1 on our DC at another location and it's already discovering computers.  Don't know if this helps.

i would then scrap this and have your gpo point to that server

Sorry. they are not connected.  One in Long Beach (problem) one in Los Angeles (working)

where is the WSUSinstalldir

C:\Program Files\Update Services\setup\installselfupdateonport80.vbs

I figured it out, but when I run the command I get "there is no file extension in "C"\program"  I tried twice

meant C:\program

use quotes because of the space between update and services


"C:\Program Files\Update Services\setup\installselfupdateonport80.vbs"

that worked moving to next step

on the next step I typed cacls but it didn't work.  see attachment
cacls.png

Try

cacls "C:\Program Files\Update Services\selfupdate"

worked.  so far everything is correct.  See attachment.  where is this?

iis.png

did cacls display everything as it should:

BUILTIN\Users:(OI)(CI)R
 
BUILTIN\Administrators:(OI)(CI)F
 
NT AUTHORITY\SYSTEM:(OI)(CI)F



adsutil.vbs
http://technet.microsoft.com/en-us/library/cc720489%28WS.10%29.aspx

Yes it did

when I run it I get This script does not work with Wscript.  I'm about ot give up.  What do you think about me instlling WSUS SP1 on a different server?

I got a message if I wanted to register csript.  I did and then it worked.  attached are results
script.png

sorry. here are the correct results

forgot to attach
script2.png

goto the section

HTTP 401.1: DENIED BY INVALID USER CREDENTIALS:

http://blogs.technet.com/sus/archive/2009/02/19/troubleshooting-guide-for-issues-where-wsus-clients-are-not-reporting-in.aspx

also how does wsusutil /checkhealth look now?

This may be helpful.  When I logged on to another server and tried to browse the network, the DC spcala08 does not show up

checkhealth is the same

I'm trying another server.  I'll get back to you tomorrow.  Thanks for sticking with it.

Nite

alright, last hurrah  

lets uninstall/reinstall everything again except this time .NET as well<<<removal tool here

The new server installational is working and the clientdiag is perfect.  So you are correct it was a DSN problem.  How do you suggest I award points?

Glad to see we figured it out, did you also resolve your dns issue?

ID:26168386 would be the answer then

Need your help on what I should accept to close this

not sure what you are missing
ID:26168386

was the comment mentioning DNS

The DNS issue was causing the problems.  I need to resolve that.

I like to use this tool to diagnose problems

pbbergs.com/windows/downloads/ad_diag.hta

make sure you have dcdiag and netdiag installed