Solved

WSUS 3.0 Update issues

Posted on 2011-03-02
Last Modified: 2012-05-11
I have a WSUS 3.0 server that has several groups of clients where I have approved several updates.  All clients have reported status back to the wsus server today.

For some reason, when I run a "wuauclt /detectnow" the client reports that there are 0 updates needed even when the WSUS server shows several approved updates that are ready to install.

I have verified there are no firewalls running
I can telnet from the client to the wsus server on port 8530
rsop.msc reports no errors applying my wsus gpo
the registry key at HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate has keys pointing to my wsus server

Below are the results from running the MS WSUS clientdiag tool on the client as well as the contents of the windows update log after running a
wuauclt /resetauthorization /detectnow

WSUS Client Diagnostics Tool

Checking Machine State
        Checking for admin rights to run tool . . . . . . . . . PASS
        Automatic Updates Service is running. . . . . . . . . . PASS
        Background Intelligent Transfer Service is running. . . PASS
        Wuaueng.dll version 7.4.7600.226. . . . . . . . . . . . PASS
                This version is WSUS 2.0

Checking AU Settings
        AU Option is 4: Scheduled Install . . . . . . . . . . . PASS
                Option is from Policy settings

Checking Proxy Configuration
        Checking for winhttp local machine Proxy settings . . . PASS
                Winhttp local machine access type
                        <Direct Connection>
                Winhttp local machine Proxy. . . . . . . . . .  NONE
                Winhttp local machine ProxyBypass. . . . . . .  NONE
        Checking User IE Proxy settings . . . . . . . . . . . . PASS
                User IE Proxy. . . . . . . . . . . . . . . . .  NONE
                User IE ProxyByPass. . . . . . . . . . . . . .  NONE
                User IE AutoConfig URL Proxy . . . . . . . . .  NONE
                User IE AutoDetect
                AutoDetect not in use

Checking Connection to WSUS/SUS Server
                WUServer = http://manage2.xxx.com:8530
                WUStatusServer = http://manage2.xxx.com:8530
        UseWuServer is enabled. . . . . . . . . . . . . . . . . PASS
        Connection to server. . . . . . . . . . . . . . . . . . PASS
        SelfUpdate folder is present. . . . . . . . . . . . . . PASS


ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://manage2.xxx.com:8530/ClientWebService/client.asmx
Initializing simple targeting cookie, clientId = 3e4327c6-03c1-4f8a-a3ba-398d342e5bca, target group = , DNS name = xxxx.xxxx.xxxx.com
Server URL = http://xxx.xxx.com:8530/SimpleAuthWebService/SimpleAuth.asmx
WARNING: Failed to evaluate Installed rule, updateId = {6DE1BCC5-79E0-43F7-9146-BA4D3BA5D790}.52, hr = 80041017
WARNING: Failed to evaluate Installed rule, updateId = {9B765177-CAD2-4901-8BEA-AD58ED8CF289}.51, hr = 80041017
WARNING: Failed to evaluate Installed rule, updateId = {2ADE0371-D580-4B7A-8740-E3B48292A4A6}.52, hr = 80041017
WARNING: Failed to evaluate Installed rule, updateId = {B97F3C64-3B2B-4DB9-927C-6CD68EDB98C1}.51, hr = 80041017
WARNING: Failed to evaluate Installed rule, updateId = {7C1C2C32-30E5-44CD-8A74-ECCB75C77BA0}.52, hr = 80041017
WARNING: Failed to evaluate Installed rule, updateId = {962A4718-740F-45BB-85AE-187E0008B823}.52, hr = 80041017
WARNING: Failed to evaluate Installed rule, updateId = {65DA1810-3EA2-4AFE-B394-DFD66B588B73}.51, hr = 80041017
* Found 0 updates and 53 categories in search; evaluated appl. rules of 522 out of 1261 deployed entities
*********
**  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
*************
>>##  RESUMED  ## AU: Search for updates [CallId = {1C8D0B28-1087-4EC5-A2B0-B7826F4F2C22}]
 # 0 updates detected
#########
##  END  ##  AU: Search for updates [CallId = {1C8D0B28-1087-4EC5-A2B0-B7826F4F2C22}]
#############
Featured notifications is disabled.
Setting AU scheduled install time to 2011-03-03 06:00:00
REPORT EVENT: {94CFFDE6-7683-4EA3-8696-169DC5362CBB}      2011-03-02 23:13:09:541-0000      1      147      101      {00000000-0000-0000-0000-000000000000}      0      0      AutomaticUpdates      Success      Software Synchronization      Windows Update Client successfully detected 0 updates.
      REPORT EVENT: {E0B75A3D-2C2A-4510-A99E-ABEF0AA3ECB2}      2011-03-02 23:13:09:541-0000      1      156      101      {00000000-0000-0000-0000-000000000000}      0      0      AutomaticUpdates      Success      Pre-Deployment Check      Reporting client status.
Question by:tferro999
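
An added example, not part of the original thread: a small Python parser that pulls the facts read off these log excerpts by eye (server URL, target group, rule-evaluation warnings per `hr` code, the search summary and the report upload) out of `WindowsUpdate.log`-style text. The sample log is constructed, modelled on the question and the follow-up comment, with placeholder host names and GUIDs; `summarize` and `client_side_ok` are hypothetical names.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample modelled on the excerpts in this thread; hosts and GUIDs are placeholders.
SAMPLE_LOG = "\n".join([
    "2011-03-03\t03:01:08:680\t2024\te48\tPT\tInitializing simple targeting cookie, "
    "clientId = 00000000-0000-0000-0000-000000000001, target group = , "
    "DNS name = client01.example.test",
    "2011-03-03\t03:01:08:680\t2024\te48\tPT\t  Server URL = "
    "http://wsus.example.test:8530/SimpleAuthWebService/SimpleAuth.asmx",
    "WARNING: Failed to evaluate Installed rule, "
    "updateId = {00000000-0000-0000-0000-0000000000AA}.52, hr = 80041017",
    "WARNING: Failed to evaluate Installed rule, "
    "updateId = {00000000-0000-0000-0000-0000000000BB}.51, hr = 80041017",
    "* Found 0 updates and 53 categories in search; "
    "evaluated appl. rules of 522 out of 1261 deployed entities",
    "Reporter successfully uploaded 2 events.",
])

PATTERNS = {
    "target": re.compile(r"target group = (.*?), DNS name = (\S+)"),
    "server": re.compile(r"Server URL = (\S+)"),
    "rule_fail": re.compile(r"Failed to evaluate Installed rule, "
                            r"updateId = \S+, hr = ([0-9A-Fa-f]{8})"),
    "found": re.compile(r"Found (\d+) updates and \d+ categories in search; "
                        r"evaluated appl\. rules of (\d+) out of (\d+) deployed entities"),
    "uploaded": re.compile(r"Reporter successfully uploaded (\d+) events"),
}

def summarize(log_text):
    """Collect per-detection-cycle facts; works with or without the timestamp columns."""
    s = {"servers": set(), "target_group": None, "rule_failures": Counter(),
         "found": None, "evaluated": None, "deployed": None, "uploaded": 0}
    for line in log_text.splitlines():
        if m := PATTERNS["target"].search(line):
            s["target_group"] = m.group(1).strip()  # "" when the field is blank, as in the thread
        if m := PATTERNS["server"].search(line):
            s["servers"].add(urlsplit(m.group(1)).netloc)
        if m := PATTERNS["rule_fail"].search(line):
            s["rule_failures"][m.group(1).upper()] += 1
        if m := PATTERNS["found"].search(line):
            s["found"], s["evaluated"], s["deployed"] = map(int, m.groups())
        if m := PATTERNS["uploaded"].search(line):
            s["uploaded"] += int(m.group(1))
    return s

def client_side_ok(s):
    """True when the client reached WSUS, finished a search and reported, yet found nothing."""
    return bool(s["servers"]) and s["found"] == 0 and s["uploaded"] > 0
```

A true result from `client_side_ok` means the client contacted the server, completed a search and uploaded its report, which points the investigation at the server side rather than the client.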
24 Comments
 

Expert Comment

by:dstewartjr
ID: 35023744
You say that "I have a WSUS 3.0 server that has several groups of clients"

and in your log your target group is missing

target group = , DNS name

Target groups need to match in both group policy and in the WSUS console.

During setup, did you select "use group policy or registry settings"?

http://technet.microsoft.com/en-us/library/cc720450%28WS.10%29.aspx
 

Author Comment

by:tferro999
ID: 35023938
Under options I currently have it set to use the update services console.  The clients are present in their respective groups.

What would cause the target group to be missing?  If I remove them from the group and re-add will it help?

I forgot to mention that this WSUS server had been working perfectly for months.  Recently the machine was in a weird state and had to be bounced; afterwards the updating issues started.
 

Author Comment

by:tferro999
ID: 35023960
I must not have copied enough of the log, I do see the target group

2011-03-03      03:01:08:680      2024      e48      PT      WARNING: Cached cookie has expired or new PID is available
2011-03-03      03:01:08:680      2024      e48      PT      Initializing simple targeting cookie, clientId = 3e4327c6-03c1-4f8a-a3ba-398d342e5bca, target group = , DNS name = site01.staging.xxx.com
2011-03-03      03:01:08:680      2024      e48      PT        Server URL = http://manage2.xxx.com:8530/SimpleAuthWebService/SimpleAuth.asmx
2011-03-03      03:01:08:727      2024      e48      Report      Uploading 2 events using cached cookie, reporting URL = http://manage2.xxx.com:8530/ReportingWebService/ReportingWebService.asmx
2011-03-03      03:01:08:727      2024      e48      Report      Reporter successfully uploaded 2 events.

Accepted Solution

by:
dstewartjr earned 500 total points
ID: 35023988
No, you confirmed for me "Under options I currently have it set to use the update services console."

so you won't see the target group in your logs.

I wanted to first make sure that target groups weren't the issue.

Have the approved updates finished downloading to the WSUS server?

Have you tried running wsusutil reset?

Expert Comment

by:dstewartjr
ID: 35024013
Do you have client side targeting enabled in group policy? <<< you shouldn't since you are using the console for grouping.

Expert Comment

by:dstewartjr
ID: 35024026
Are there any WSUS related errors in the eventvwr application log?
 

Author Comment

by:tferro999
ID: 35024548
I have confirmed that client side targeting is not enabled in my WSUS GPO, just the standard update location and time/frequency settings under:

computer config >> policies >> windows settings >> admin templates >> windows components >> windows updates

Nothing WSUS related in the logs of the client or server.

I have not run wsusutil reset.  I read that it can cause other problems.  One suggestion was to try
BITSADMIN /ALLUSERS /RESET

Expert Comment

by:dstewartjr
ID: 35027780
"I have not run wsusutil reset.  I read that it can cause other problems."

???

I have never seen or heard of that command causing any issues.

wsusutil reset checks that every update metadata row in the database has corresponding update files stored in the file system. If update files are missing or have been corrupted, WSUS downloads the update files again.

Clearing out the BITS cache can't hurt.
 

Author Comment

by:tferro999
ID: 35027839
I think I have identified the issue.  Although the updates had been approved, they had never finished downloading.

After looking at some other forums, it appears that the "network service" account did not have full access permissions to my local wsuscontent folder.  I'm applying these permissions now and will let you know if downloads resume after a reboot.

Expert Comment

by:dstewartjr
ID: 35027894
Did you miss?

http:#a35023988

"Have the approved updates finished downloading to the WSUS server?"

 

Author Comment

by:tferro999
ID: 35028015
Yes

Expert Comment

by:dstewartjr
ID: 35028066
:^)  
 

Author Comment

by:tferro999
ID: 35028370
It's taking forever to apply the file permissions but I'll give it a chance to finish.

Expert Comment

by:dstewartjr
ID: 35028500
Here's an article to compare your settings with

http://technet.microsoft.com/en-us/library/cc708545(WS.10).aspx
 

Author Comment

by:tferro999
ID: 35028721
I've looked at the registry and IIS permissions and it looks correct.

I added network service to the wsuscontent root folder.

Still no joy downloading updates.  The machine does have external access.

If I do a manual synchronization it should start the download process, right?
 

Author Comment

by:tferro999
ID: 35028813
http://blogs.technet.com/b/sus/archive/2008/07/09/troubleshooting-wsus-downloads.aspx

Read some info here, can't see any errors in my event viewer or the softwaredistribution.log

Expert Comment

by:dstewartjr
ID: 35028815
wsusutil reset
 

Author Comment

by:tferro999
ID: 35029246
The WSUS admin console is having intermittent issues loading and I'm seeing some disk I/O errors in event viewer.

The drive with the wsus content is on our SAN and it looks like this may be due to some issues with the HBA or switch.

Expert Comment

by:dstewartjr
ID: 35029305
Is this drive local to your WSUS server?

Expert Comment

by:dstewartjr
ID: 35029341
It is not a supported configuration.

The reason is that all file content is downloaded/written to the filesystem
via the BITS service, which is properly configured to run in the Local
System context.

The "Local System" account will not have write permissions to NAS, in most
cases.


http://www.eggheadcafe.com/software/aspnet/29402819/storing-wsus-content-on-nas.aspx

Any comment concerning WSUS made by Lawrence Garvin should be taken to heart
 

Author Comment

by:tferro999
ID: 35029501
The SAN presents the LUN to the server as if it was a local resource.  I read a few posts about people trying to store the wsus content on a NAS file share.

This was working for months prior to this.  The only recent change was moving to a new fiber switch.  I'll let you know what I find.

Expert Comment

by:dstewartjr
ID: 35029526
You would be better off adding drive space to the existing WSUS server (if space is needed) and moving the content there.

Expert Comment

by:dstewartjr
ID: 35029567
Yeah, I see that it's doable...but have you read the warning?


Warning
By storing content on a network attached drive, network traffic will be doubled (since the data must be transferred from the iSCSI target host to the WSUS host, before being distributed to the client). This may degrade network performance, so consider your situation. Additional resource demands on the fileserver must also be considered, as the iSCSI commands must be interpreted at both ends, in addition to the data transfer.

This is a completely unsupported configuration, and you will probably not receive any assistance from Microsoft if you configure your server in this manner.



http://www.wsuswiki.com/ContentOnNetworkDrive
 

Author Comment

by:tferro999
ID: 35030168
I think we are good, this is on a Fiber based SAN, not iSCSI.