J.R. Sitman
asked on
All computers not reporting in to WSUS
All computers have stopped reporting in to WSUS. How do I trouble shoot this? I used to have WSUS on a 2003 server but now it's on a 2008.
WSUS Reporting Rollup Sample Tool
http://download.microsoft.com/download/3/3/9/339ac5ee-ae9a-44a4-b09c-483736294433/WSUSRollupSample.EXE
This tool uses the WSUS application programming interface (API) to demonstrate centralized monitoring and reporting for WSUS. It creates a single report of update and computer status from the WSUS servers into your WSUS environment. The sample package also contains sample source files to customize or extend the tool functionality of the tool to meet specific needs. The WSUS Reporting Rollup Sample Tool and files are provided AS IS. No product support is available for this tool or sample files.
http://technet.microsoft.com/en-us/wsus/bb466192.aspx
Carpe Diem
http://download.microsoft.com/download/3/3/9/339ac5ee-ae9a-44a4-b09c-483736294433/WSUSRollupSample.EXE
This tool uses the WSUS application programming interface (API) to demonstrate centralized monitoring and reporting for WSUS. It creates a single report of update and computer status from the WSUS servers into your WSUS environment. The sample package also contains sample source files to customize or extend the tool functionality of the tool to meet specific needs. The WSUS Reporting Rollup Sample Tool and files are provided AS IS. No product support is available for this tool or sample files.
http://technet.microsoft.com/en-us/wsus/bb466192.aspx
Carpe Diem
Client Diagnostics Tool
Download this tool, which has been designed to aid the WSUS administrator in troubleshooting client machines that are failing to report back to the WSUS Server. The tool will conduct preliminary checks and test the communication between the WSUS Server and the client machine. Once the tool has completed the tests it will display the results in the console window. The Windows Server Update Services Client Diagnostic tool is provided AS IS. No product support is available for this tool. For more information, read the readme file.
http://download.microsoft.com/download/9/7/6/976d1084-d2fd-45a1-8c27-a467c768d8ef/WSUS%20Client%20Diagnostic%20Tool.EXE
Carpe Diem
Download this tool, which has been designed to aid the WSUS administrator in troubleshooting client machines that are failing to report back to the WSUS Server. The tool will conduct preliminary checks and test the communication between the WSUS Server and the client machine. Once the tool has completed the tests it will display the results in the console window. The Windows Server Update Services Client Diagnostic tool is provided AS IS. No product support is available for this tool. For more information, read the readme file.
http://download.microsoft.com/download/9/7/6/976d1084-d2fd-45a1-8c27-a467c768d8ef/WSUS%20Client%20Diagnostic%20Tool.EXE
Carpe Diem
also see where your workstations are pointing to under the following reg key
HKEY_LOCAL_MACHINE\SOFTWAR E\Policies \Microsoft \Windows\W indowsUpda te\AU
your WSUS server should be mentioned in there
Carpe Diem
HKEY_LOCAL_MACHINE\SOFTWAR
your WSUS server should be mentioned in there
Carpe Diem
ASKER
I'm testing the Windows update from two computers. They both required that I allow the install of an ActiveX add on. However, I don't think that would affect it?
did you check the registry Key ?
carpe Diem
carpe Diem
also run a gpresults on those PC's to see if your Group Policy takes
ASKER
The registry states UseWUServer
ASKER
gpresult shows WSUS is being applied. Both computers I'm testing have 25 security updates needed. I'll run the Client diagnostic tool now
ASKER
attached are the results. How do I fix this.
wsustest.png
wsustest.png
are you applying the GPO to users or Computers?
Carpe Diem
Carpe Diem
ASKER
computers
thats the right way
maby you have a defect GPO
try creating anew one with only thet policy and disabeling the other (just to see)
Carpe Diem
maby you have a defect GPO
try creating anew one with only thet policy and disabeling the other (just to see)
Carpe Diem
ASKER
I'm reading the article and was checking permissions on the folders. I'm new to Server 2008 and I don't see how to add an account to the security. i.e. NT Authority is not listed as having permissions to the Microsoft.net folder. How do I add it?
What is the results from command prompt
reg query "HKLM\SOFTWARE\Policies\Mi crosoft\Wi ndows\Wind owsUpdate"
Post your windowsupdate.log
reg query "HKLM\SOFTWARE\Policies\Mi
Post your windowsupdate.log
Verifying WSUS Server Settings
http://technet.microsoft.com/en-us/library/cc708545%28WS.10%29.aspx
Install WSUS 3.0 - Step-By-Step with screen shots
http://blogs.microsoft.co.il/blogs/yanivf/archive/2007/09/23/install-wsus-3-0-step-by-step.aspx
ASKER
log attached
WindowsUpdate.log
WindowsUpdate.log
"I used to have WSUS on a 2003 server but now it's on a 2008."
did you change the "Specify intranet Microsoft update service location" ?
Computer Configuration -> Administrative Templates -> Windows Update->"Specify intranet Microsoft update service location"
wsus-specify-intranet-microsoft-.gif
did you change the "Specify intranet Microsoft update service location" ?
Computer Configuration -> Administrative Templates -> Windows Update->"Specify intranet Microsoft update service location"
wsus-specify-intranet-microsoft-.gif
ASKER
yes it was changed to the new server
Run the following . bat on the client
net stop bits
net stop wuauserv
Ipconfig /flushdns
cd "Documents and Settings\All Users\Application Data\Microsoft\Network\Dow nloader"
del qmgr0.dat
del qmgr1.dat
net start bits
net start wuauserv
wuauclt.exe /resetauthorization /detectnow
net stop bits
net stop wuauserv
Ipconfig /flushdns
cd "Documents and Settings\All Users\Application Data\Microsoft\Network\Dow
del qmgr0.dat
del qmgr1.dat
net start bits
net start wuauserv
wuauclt.exe /resetauthorization /detectnow
ASKER
I did all of the above. Now what?
After waiting a few moments has the client reported in?
Save below as reportnow.bat and run on clients that havent reported
%Windir%\system32\net.exe stop bits
%Windir%\system32\net.exe stop wuauserv
%Windir%\system32\net.exe stop cryptsvc
del %WINDIR%\WindowsUpdate.log /S /Q
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f
rd /s /q %windir%\softwareDistribution
%Windir%\system32\net.exe start cryptsvc
%Windir%\system32\net.exe start bits
%Windir%\system32\net.exe start wuauserv
sc sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
sc sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
wuauclt /resetauthorization /detectnow
wuauclt /reportnow
exit /B 0
ASKER
been 5 minutes nothing yet. I'll keep checking. Should I delete the original GPO and create another?
Also I never got an answer about add a service to the permissions that are listed in the WSUS set up article
Also I never got an answer about add a service to the permissions that are listed in the WSUS set up article
"been 5 minutes nothing yet. I'll keep checking. Should I delete the original GPO and create another?"
Did you try the latest .bat I posted? No your GPO is fine as long as you get results when you run reg query "HKLM\SOFTWARE\Policies\Mi crosoft\Wi ndows\Wind owsUpdate" from command prompt
"Also I never got an answer about add a service to the permissions that are listed in the WSUS set up article"
go over the verify wsus settings link I posted, although I dont think that is your issue.
Did you try the latest .bat I posted? No your GPO is fine as long as you get results when you run reg query "HKLM\SOFTWARE\Policies\Mi
"Also I never got an answer about add a service to the permissions that are listed in the WSUS set up article"
go over the verify wsus settings link I posted, although I dont think that is your issue.
are the computers in the container that the GPO is applied to ?
ASKER
Yes i ran your bat a few minutes ago. No I haven't done the verifying steps. I will now. As fas as I can tell the problem started when I installed WSUS on the 2008 server, because it's been 75 days since they reported in. I'm the only Admin so sometimes I negelect to check everything due to time limits.
Double check that the "Specify intranet Microsoft update service location" points to the correct server IP or Servername
http://servername
FQDN is not recommended
http://servername
FQDN is not recommended
ASKER
yep set to http://spcala11
ASKER
in the registry is this correct SQLServerName %computername%\Microsoft## SSEE? or should it have the server name?
%computername%\Microsoft## SSEE is correct
ASKER
ok. awaiting your next suggestion
What are the results of ?
reg query "HKLM\SOFTWARE\Policies\Mi crosoft\Wi ndows\Wind owsUpdate" from command prompt
reg query "HKLM\SOFTWARE\Policies\Mi
ASKER
both results show the correct server. http://spcala11
should be reporting then, post latest windowsupdate.log from a client that you ran the earlier .bat on
ASKER
workstation log attached
WindowsUpdate.log
WindowsUpdate.log
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Which folder is the problem?
sorry, no way to tell from logs.
ASKER
I'm in IIS mgr but don't know how to enable Windows integrated authentication. Can you detail it.
ASKER
Cancel last post. I found the authenication setting
ASKER
here is the workstation current log after I changed the Authentication
WindowsUpdate.log
WindowsUpdate.log
I appears to be a success
"This computer is currently scheduled to install these updates on Monday, April 26, 2010 at 3:00 AM: - Update for Microsoft Office Outlook 2007 Junk Email Filter (KB981433)..........."
"This computer is currently scheduled to install these updates on Monday, April 26, 2010 at 3:00 AM: - Update for Microsoft Office Outlook 2007 Junk Email Filter (KB981433)..........."
should have read , It appears
ASKER
When will WSUS update the last time the computer checked in?
Thats random based on a default period of 22 hours. The .Bat I provided above deletes these keys and the wuauclt /resetauthorization /detectnow
wuauclt /reportnow
reapplies them
wuauclt /reportnow
reapplies them
ASKER
ok. So it looks like it's fixed, "correct"
yup, are they now starting to report? The .bat will speed it up.
ASKER
I ran your bat and yes the workstation reported in. Thanks for hanging in there.. is 32063781, the answer I should award points to?
That's the one that got rid of your 0x800710DD errors :)
ASKER
Thanks for your patience
Carpe Diem