WSUS not working

Hi,
A standalone SBS 2008 SP2 64 bit server acts as DC on a small domain with about a dozen clients. Windows Server Update Services is setup with all of the settings according to instructions from the Microsoft Website. But in recent weeks the updates are not installing. In the SBS console, under Security on the Updates tab, the status of the updates shows as In Progress. There is no indication why the installation of a particular update has not completed. I manually restarted on of the computers but that did not affect the status of the updates.
All of the computers are affected in the same way. I have been through the setup configuration 3 times checking the settings, and and once started completely from scratch setting up WSUS, and it's the same result all the time.
This is my only experience with SBS 2008 or WSUS, so don't assume anything has been checked or done no matter how trivial. Thanks for the help.
Bill
westoneAsked:
Who is Participating?
 
Shane32EECommented:
I have the same configuration in my office.  Try opening the WSUS via the Administrative Tools menu.  Go to All Updates, and then filter by 'approved' and 'failed'.  Hit refresh and see what comes up.  You can then double click on an entry and go to page 2 of the status report to see which computers it failed on.  Finally, sometimes you can click the word 'failed' and see if an event log entry comes up.

I would suggest checking the client computers to be sure they are communicating with the WSUS server properly.  Did you configure the clients to use WSUS via a group policy?  The correct group policy settings to set is in the 'Default Domain Policy' under 'Computer Configuration' > 'Administrative Templates' > 'Windows Update'.  Policy 'Specify intranet Microsoft update service location'.  Enable the policy and set it to http://myservername:8530.  You may need to open TCP port 8530 through the firewall, but I think it's automatic.  After saving the group policy, update the policy on the client (via command line 'gpupdate /force') and if you check for updates, it should reflect that on the server.

Does that help?

Shane
0
 
westoneAuthor Commented:
Okay, I made the change you suggested. Do I just wait or is there a way to force the client to check for updates?
The instructions I found at MS detailed the setup of 3 different Policies related to WSUS, but none of them specified the policy you just pointed out.
0
 
westoneAuthor Commented:
After editing this policy on the DC, I ran gpupdate /force on one of the clients. It said computer policy was updated. However, after logging into the client, I checked the local computer policy, and the same policy showed as not configured. So it seems the computer would not know to look at the DC for updates. Is that correct?
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
Shane32EECommented:
Are the computers domain-joined?  Do you log on to the client PCs using users that are members of the domain?  If so, it will apply any GP settings on the DC.
0
 
Shane32EECommented:
We can run a report in the GP admin tool to check what settings are applied to any given computer and user.  Go to the Group Policy Reports section at the bottom and right click it to create a new report.  Try it and ask if you have any questions about how to use the tool.  This will verify that the policy is configured properly and that the DC is trying to apply the policy to the client.
0
 
Shane32EECommented:
Once you have the policy applied, open Windows Update and try checking for updates.  Windows Update will return an error if it cannot contact your WSUS server.  If it still doesn't work, I'll check my IIS settings, as I may have had to configure something in there to get it going, but I can't remember.

There are other Windows Update-related group policy settings, but the only other one set up in my office (I'm using SBS 2008 as well, very simple with only two dozen clients) is in the same section and is called 'Configure Automatic Updates'.  With that setting, you can force clients to automatically download and install updates when desired.  But it is unrelated to enabling WSUS on your network.
0
 
westoneAuthor Commented:
Oh yeah, all of the computers and users are domain members. I just recently made a change to another policy, for folder redirection, and it rolled out to the clients as expected. So far I have run gpudate /force twice, logged in twice and rebooted this computer once and the policy still shows as not configured.
0
 
Shane32EECommented:
I'd create the report and see if it shows up in there.  If not, we need to check the policy to see exactly how it is applied.  For example, right-click the policy, and make sure that under GPO Status, computer policies are enabled.  If the WSUS setting shows up in the report, then we'll diagnose from the client.
0
 
Shane32EECommented:
What operating system is the client?  On my Windows 7 client, I don't see the same policies listed in the Local Security Policy tool.  However, another way to check if the policy is getting to the client is to open regedit on the client and check this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

You should see two entries: WUServer and WUStatusServer  -- both set to  http://myservername:8530

I have to leave in a couple minutes, but I will reply later if you have not got it going by then.

Thanks,
Shane
0
 
westoneAuthor Commented:
Both the report you suggested and the reg key on the client show the policy is being applied. It just doesn't show if I use gpedit.msc on the client. I have to go as well, and pick this up later, but at least this gives me something to go on. Thanks for the help and I will be back in communication tomorrow.
0
 
Shane32EECommented:
Same here -- my clients also do not show the setting on the clients via the 'gpedit.msc' tool on the client.  But if the keys are in the registry, then the policy has been applied.  (Group policy settings are simply registry entries, actually.)

You also can, on the client, check exactly which policies are being applied by executing (from an admin command prompt):

gpresult /scope computer /h output-computer.htm
gpresult /scope user /h output-user.htm

This will save the results to a html file.  To view in the console window, use /v instead.

Shane
0
 
DonNetwork AdministratorCommented:
What are the results from a clientdiag?


http://download.microsoft.com/download/9/7/6/976d1084-d2fd-45a1-8c27-a467c768d8ef/WSUS%20Client%20Diagnostic%20Tool.EXE


What errors are in windowsupdate.log from a problem client?<<<<Please post this log
0
 
westoneAuthor Commented:
I will run the diag when I am onsite later today. Thanks for the suggestion.
0
 
DonNetwork AdministratorCommented:
Ok will await the results.
0
 
westoneAuthor Commented:
The results are pasted below. One FAIL: WSUS Server and Status server do not match. In the policy, the server name is entered in both settings, without the port, and they do match. Perhaps the port should be included on both in the settings. Or do you think that is even the issue?
0
 
westoneAuthor Commented:
Oops. Here are the results:

WSUS Client Diagnostics Tool

Checking Machine State
      Checking for admin rights to run tool . . . . . . . . . PASS
      Automatic Updates Service is running. . . . . . . . . . PASS
      Background Intelligent Transfer Service is running. . . PASS
      Wuaueng.dll version 7.4.7600.226. . . . . . . . . . . . PASS
            This version is WSUS 2.0

Checking AU Settings
      AU Option is 4: Scheduled Install . . . . . . . . . . . PASS
            Option is from Policy settings

Checking Proxy Configuration
      Checking for winhttp local machine Proxy settings . . . PASS
            Winhttp local machine access type
                  <Direct Connection>
            Winhttp local machine Proxy. . . . . . . . . .  PASS
            Winhttp local machine ProxyBypass. . . . . . .  PASS
      Checking User IE Proxy settings . . . . . . . . . . . . PASS
            User IE Proxy. . . . . . . . . . . . . . . . .  PASS
            User IE ProxyByPass. . . . . . . . . . . . . .  PASS
            User IE AutoConfig URL Proxy . . . . . . . . .  PASS
            User IE AutoDetect
            AutoDetect not in use

Checking Connection to WSUS/SUS Server
            WUServer = http://ESC-SERVER:8530
            WUStatusServer = http://ESC-SERVER
      UseWuServer is enabled. . . . . . . . . . . . . . . . . PASS
      WUServer & WUStatusServer do not Match. . . . . . . . . FAIL
      Connection to server. . . . . . . . . . . . . . . . . . PASS
      SelfUpdate folder is present. . . . . . . . . . . . . . PASS
0
 
DonNetwork AdministratorCommented:
Yes you should add the port, should be as follows

http://servername:8530
0
 
DonNetwork AdministratorCommented:
correct the port in your GPO, run "gpudate /force" on the client and then run "wuauclt /resetauthorization /detectnow" on the client <<<Both commands without quotes
0
 
westoneAuthor Commented:
Okay, the policies setting the WU server location and the Status server are now both set to the http://server_name:8530. I rebooted the workstation and ran gpupdate /force, however the clientdiag still show the same failure, that the names do not match. I rechecked the policy on the server to be sure it had stuck, and it was correct.
I manually edited the registry settings on the local workstation affected by the GP so that they match, and the ClientDiag utility succeeded with no failures. Now I just wait to see if it updates tonight?
0
 
DonNetwork AdministratorCommented:
Did you run wuauclt /resetauthorization /detectnow ?

post the windowsupdate.log , wait a few minutes after running the command before posting the log.
0
 
westoneAuthor Commented:
I only ran the second command after your last post, I think we were cross posting there for a few minutes. The update log is attached here. I have to leave for the day, and will return in the morning. thanks for sticking with me on this, I am really out of my element here.
 WindowsUpdate.log
0
 
DonNetwork AdministratorCommented:
The line

Found 0 updates and 55 categories in search;

and this

Reporter successfully uploaded 2 events.

confirm that this particular client is updating from WSUS just fine.
0
 
westoneAuthor Commented:
The Update Services UI on the SBS 2008 server show this computer with a yellow !, and states there is one update needed, KB976002. The report was updated after the update log attached to my previous post.
0
 
DonNetwork AdministratorCommented:
Is the update approved?
0
 
westoneAuthor Commented:
The approval status for this update is "Install".
0
 
DonNetwork AdministratorCommented:
Try resetting windows update components

http://support.microsoft.com/kb/971058
0
 
westoneAuthor Commented:
Thanks for that link. I have reset everything, but it may be this evening before I can restart the server. So it may be a day or two before we know if it is working.

Also, I did not do the aggressive steps listed in the procedures. If this doesn't resolve the issue, later this week-end I will redo the reset and perform those steps as well.
0
 
DonNetwork AdministratorCommented:
You only needed to run on the client you suspected having troubles with, no need on the WSUS server
0
 
westoneAuthor Commented:
Okay, I mentioned before that I am not familiar with WSUS. I have found the issue with this update is that the files for the update failed to download, according to the UI. It can be approved, but it is necessary to go in the UI and click Retry Download to get the files on the server. I have just done that and am waiting to see the results. If there is a problem with downloading the files I will post another question for that.
Thanks for all the help.
0
 
DonNetwork AdministratorCommented:
On the WSUS server run the command

wsusutil reset

http://technet.microsoft.com/en-us/library/cc720466(WS.10).aspx


This Checks that every update metadata row in the database has corresponding update files stored in the file system. If update files are missing or have been corrupted, WSUS downloads the update files again.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.