Solved

WSUS not working

Posted on 2010-11-21
Last Modified: 2012-05-10
Hi,
A standalone SBS 2008 SP2 64 bit server acts as DC on a small domain with about a dozen clients. Windows Server Update Services is set up with all of the settings according to instructions from the Microsoft Website. But in recent weeks the updates are not installing. In the SBS console, under Security on the Updates tab, the status of the updates shows as In Progress. There is no indication why the installation of a particular update has not completed. I manually restarted one of the computers but that did not affect the status of the updates.
All of the computers are affected in the same way. I have been through the setup configuration 3 times checking the settings, and once started completely from scratch setting up WSUS, and it's the same result all the time.
This is my only experience with SBS 2008 or WSUS, so don't assume anything has been checked or done no matter how trivial. Thanks for the help.
Bill
0
Question by:westone
30 Comments
 
LVL 3

Accepted Solution

by:
Shane32EE earned 250 total points
ID: 34184041
I have the same configuration in my office.  Try opening the WSUS via the Administrative Tools menu.  Go to All Updates, and then filter by 'approved' and 'failed'.  Hit refresh and see what comes up.  You can then double click on an entry and go to page 2 of the status report to see which computers it failed on.  Finally, sometimes you can click the word 'failed' and see if an event log entry comes up.

I would suggest checking the client computers to be sure they are communicating with the WSUS server properly.  Did you configure the clients to use WSUS via a group policy?  The correct group policy setting to set is in the 'Default Domain Policy' under 'Computer Configuration' > 'Administrative Templates' > 'Windows Update'.  Policy 'Specify intranet Microsoft update service location'.  Enable the policy and set it to http://myservername:8530.  You may need to open TCP port 8530 through the firewall, but I think it's automatic.  After saving the group policy, update the policy on the client (via command line 'gpupdate /force') and if you check for updates, it should reflect that on the server.

Does that help?

Shane
0
 

Author Comment

by:westone
ID: 34184089
Okay, I made the change you suggested. Do I just wait or is there a way to force the client to check for updates?
The instructions I found at MS detailed the setup of 3 different Policies related to WSUS, but none of them specified the policy you just pointed out.
0
 

Author Comment

by:westone
ID: 34184104
After editing this policy on the DC, I ran gpupdate /force on one of the clients. It said computer policy was updated. However, after logging into the client, I checked the local computer policy, and the same policy showed as not configured. So it seems the computer would not know to look at the DC for updates. Is that correct?
0
 
LVL 3

Expert Comment

by:Shane32EE
ID: 34184116
Are the computers domain-joined?  Do you log on to the client PCs using users that are members of the domain?  If so, it will apply any GP settings on the DC.
0
 
LVL 3

Expert Comment

by:Shane32EE
ID: 34184123
We can run a report in the GP admin tool to check what settings are applied to any given computer and user.  Go to the Group Policy Reports section at the bottom and right click it to create a new report.  Try it and ask if you have any questions about how to use the tool.  This will verify that the policy is configured properly and that the DC is trying to apply the policy to the client.
0
 
LVL 3

Expert Comment

by:Shane32EE
ID: 34184125
Once you have the policy applied, open Windows Update and try checking for updates.  Windows Update will return an error if it cannot contact your WSUS server.  If it still doesn't work, I'll check my IIS settings, as I may have had to configure something in there to get it going, but I can't remember.

There are other Windows Update-related group policy settings, but the only other one set up in my office (I'm using SBS 2008 as well, very simple with only two dozen clients) is in the same section and is called 'Configure Automatic Updates'.  With that setting, you can force clients to automatically download and install updates when desired.  But it is unrelated to enabling WSUS on your network.
0
 

Author Comment

by:westone
ID: 34184129
Oh yeah, all of the computers and users are domain members. I just recently made a change to another policy, for folder redirection, and it rolled out to the clients as expected. So far I have run gpupdate /force twice, logged in twice and rebooted this computer once and the policy still shows as not configured.
0
 
LVL 3

Expert Comment

by:Shane32EE
ID: 34184142
I'd create the report and see if it shows up in there.  If not, we need to check the policy to see exactly how it is applied.  For example, right-click the policy, and make sure that under GPO Status, computer policies are enabled.  If the WSUS setting shows up in the report, then we'll diagnose from the client.
0
 
LVL 3

Expert Comment

by:Shane32EE
ID: 34184175
What operating system is the client?  On my Windows 7 client, I don't see the same policies listed in the Local Security Policy tool.  However, another way to check if the policy is getting to the client is to open regedit on the client and check this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

You should see two entries: WUServer and WUStatusServer  -- both set to  http://myservername:8530

I have to leave in a couple minutes, but I will reply later if you have not got it going by then.

Thanks,
Shane
0
 

Author Comment

by:westone
ID: 34184192
Both the report you suggested and the reg key on the client show the policy is being applied. It just doesn't show if I use gpedit.msc on the client. I have to go as well, and pick this up later, but at least this gives me something to go on. Thanks for the help and I will be back in communication tomorrow.
0
 
LVL 3

Expert Comment

by:Shane32EE
ID: 34184497
Same here -- my clients also do not show the setting on the clients via the 'gpedit.msc' tool on the client.  But if the keys are in the registry, then the policy has been applied.  (Group policy settings are simply registry entries, actually.)

You also can, on the client, check exactly which policies are being applied by executing (from an admin command prompt):

gpresult /scope computer /h output-computer.htm
gpresult /scope user /h output-user.htm

This will save the results to an HTML file.  To view in the console window, use /v instead.

Shane
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 34185227
What are the results from a clientdiag?


http://download.microsoft.com/download/9/7/6/976d1084-d2fd-45a1-8c27-a467c768d8ef/WSUS%20Client%20Diagnostic%20Tool.EXE


What errors are in windowsupdate.log from a problem client?<<<<Please post this log
0
 

Author Comment

by:westone
ID: 34292119
I will run the diag when I am onsite later today. Thanks for the suggestion.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 34292370
Ok will await the results.
0
 

Author Comment

by:westone
ID: 34313009
The results are pasted below. One FAIL: WSUS Server and Status server do not match. In the policy, the server name is entered in both settings, without the port, and they do match. Perhaps the port should be included on both in the settings. Or do you think that is even the issue?
0

 

Author Comment

by:westone
ID: 34313164
Oops. Here are the results:

WSUS Client Diagnostics Tool

Checking Machine State
      Checking for admin rights to run tool . . . . . . . . . PASS
      Automatic Updates Service is running. . . . . . . . . . PASS
      Background Intelligent Transfer Service is running. . . PASS
      Wuaueng.dll version 7.4.7600.226. . . . . . . . . . . . PASS
            This version is WSUS 2.0

Checking AU Settings
      AU Option is 4: Scheduled Install . . . . . . . . . . . PASS
            Option is from Policy settings

Checking Proxy Configuration
      Checking for winhttp local machine Proxy settings . . . PASS
            Winhttp local machine access type
                  <Direct Connection>
            Winhttp local machine Proxy. . . . . . . . . .  PASS
            Winhttp local machine ProxyBypass. . . . . . .  PASS
      Checking User IE Proxy settings . . . . . . . . . . . . PASS
            User IE Proxy. . . . . . . . . . . . . . . . .  PASS
            User IE ProxyByPass. . . . . . . . . . . . . .  PASS
            User IE AutoConfig URL Proxy . . . . . . . . .  PASS
            User IE AutoDetect
            AutoDetect not in use

Checking Connection to WSUS/SUS Server
            WUServer = http://ESC-SERVER:8530
            WUStatusServer = http://ESC-SERVER
      UseWuServer is enabled. . . . . . . . . . . . . . . . . PASS
      WUServer & WUStatusServer do not Match. . . . . . . . . FAIL
      Connection to server. . . . . . . . . . . . . . . . . . PASS
      SelfUpdate folder is present. . . . . . . . . . . . . . PASS
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 34313166
Yes you should add the port, should be as follows

http://servername:8530
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 34313200
Correct the port in your GPO, run "gpupdate /force" on the client and then run "wuauclt /resetauthorization /detectnow" on the client <<<Both commands without quotes
0
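The ClientDiag failure in this thread came from WUServer and WUStatusServer under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate holding different URLs. The PowerShell below is an added example, not part of any post in this thread, that checks the same two values for a mismatch and for a missing port; the function name Test-WsusPolicyUrls, its ExpectedPort parameter and the location of UseWUServer in the AU subkey are assumptions not taken from the thread.

```powershell
# Added example. Function and parameter names are hypothetical.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Test-WsusPolicyUrls {
    param(
        [string]$WUServer,
        [string]$WUStatusServer,
        [int]$ExpectedPort = 8530    # port used in this thread
    )
    foreach ($pair in @(@('WUServer', $WUServer), @('WUStatusServer', $WUStatusServer))) {
        $name, $value = $pair
        if ([string]::IsNullOrEmpty($value)) {
            "$name is not set"
            continue
        }
        $uri = $null
        if (-not [System.Uri]::TryCreate($value, [System.UriKind]::Absolute, [ref]$uri)) {
            "$name is not an absolute URL: $value"
            continue
        }
        # A URL without an explicit port parses as the scheme default (80 for http).
        if ($uri.Port -ne $ExpectedPort) {
            "$name uses port $($uri.Port), expected ${ExpectedPort}: $value"
        }
    }
    # String comparison with -ne is case-insensitive, so host-name case is ignored.
    if ($WUServer.TrimEnd('/') -ne $WUStatusServer.TrimEnd('/')) {
        "WUServer and WUStatusServer do not match"
    }
}

# Constructed input: the two values from the ClientDiag output in this thread.
Test-WsusPolicyUrls -WUServer 'http://ESC-SERVER:8530' -WUStatusServer 'http://ESC-SERVER'

# On a real client, read what Group Policy actually wrote to the registry.
if (Test-Path $PolicyKey) {
    $policy = Get-ItemProperty -Path $PolicyKey
    Test-WsusPolicyUrls -WUServer $policy.WUServer -WUStatusServer $policy.WUStatusServer
    # Assumption (not stated in the thread): UseWUServer lives in the AU subkey.
    $au = Get-ItemProperty -Path "$PolicyKey\AU" -ErrorAction SilentlyContinue
    if ($au.UseWUServer -ne 1) { "UseWUServer is not enabled" }
} else {
    "No Windows Update policy key found; the GPO has not been applied"
}
```

No output from the registry branch means both values match and carry the expected port.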
 

Author Comment

by:westone
ID: 34313402
Okay, the policies setting the WU server location and the Status server are now both set to http://server_name:8530. I rebooted the workstation and ran gpupdate /force, however the clientdiag still shows the same failure, that the names do not match. I rechecked the policy on the server to be sure it had stuck, and it was correct.
I manually edited the registry settings on the local workstation affected by the GP so that they match, and the ClientDiag utility succeeded with no failures. Now I just wait to see if it updates tonight?
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 34313465
Did you run wuauclt /resetauthorization /detectnow ?

Post the windowsupdate.log; wait a few minutes after running the command before posting the log.
0
 

Author Comment

by:westone
ID: 34313862
I only ran the second command after your last post, I think we were cross posting there for a few minutes. The update log is attached here. I have to leave for the day, and will return in the morning. Thanks for sticking with me on this, I am really out of my element here.
 WindowsUpdate.log
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 34314126
The line

Found 0 updates and 55 categories in search;

and this

Reporter successfully uploaded 2 events.

confirm that this particular client is updating from WSUS just fine.
0
 

Author Comment

by:westone
ID: 34314719
The Update Services UI on the SBS 2008 server shows this computer with a yellow !, and states there is one update needed, KB976002. The report was updated after the update log attached to my previous post.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 34314753
Is the update approved?
0
 

Author Comment

by:westone
ID: 34314781
The approval status for this update is "Install".
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 34314852
Try resetting windows update components

http://support.microsoft.com/kb/971058
0
 

Author Comment

by:westone
ID: 34318175
Thanks for that link. I have reset everything, but it may be this evening before I can restart the server. So it may be a day or two before we know if it is working.

Also, I did not do the aggressive steps listed in the procedures. If this doesn't resolve the issue, later this weekend I will redo the reset and perform those steps as well.
0
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 250 total points
ID: 34320218
You only needed to run on the client you suspected having troubles with, no need on the WSUS server
0
 

Author Comment

by:westone
ID: 34334432
Okay, I mentioned before that I am not familiar with WSUS. I have found the issue with this update is that the files for the update failed to download, according to the UI. It can be approved, but it is necessary to go in the UI and click Retry Download to get the files on the server. I have just done that and am waiting to see the results. If there is a problem with downloading the files I will post another question for that.
Thanks for all the help.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 34334654
On the WSUS server run the command

wsusutil reset

http://technet.microsoft.com/en-us/library/cc720466(WS.10).aspx


This checks that every update metadata row in the database has corresponding update files stored in the file system. If update files are missing or have been corrupted, WSUS downloads the update files again.
0
