Solved

WSUS 3.0 Update issues

Posted on 2011-03-02
24
1,684 Views
Last Modified: 2012-05-11
I have a WSUS 3.0 server that has several groups of clients where I have approved several updates.  All clients have reported status back to the wsus server today.

For some reason, when I run a "wuauclt /detectnow" the client reports that there are 0 updates needed even when the WSUS server shows several approved updates that are ready to install.

I have verified there are no firewalls running
I can telnet from the client to the wsus server on port 8530
rsop.msc reports no errors applying my wsus gpo
the registry key at HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate has keys pointing to my wsus server

Below are the results from running the MS WSUS clientdiag tool on the client as well as the contents of the windows update log after running a
wuauclt /resetauthorization /detectnow

WSUS Client Diagnostics Tool

Checking Machine State
        Checking for admin rights to run tool . . . . . . . . . PASS
        Automatic Updates Service is running. . . . . . . . . . PASS
        Background Intelligent Transfer Service is running. . . PASS
        Wuaueng.dll version 7.4.7600.226. . . . . . . . . . . . PASS
                This version is WSUS 2.0

Checking AU Settings
        AU Option is 4: Scheduled Install . . . . . . . . . . . PASS
                Option is from Policy settings

Checking Proxy Configuration
        Checking for winhttp local machine Proxy settings . . . PASS
                Winhttp local machine access type
                        <Direct Connection>
                Winhttp local machine Proxy. . . . . . . . . .  NONE
                Winhttp local machine ProxyBypass. . . . . . .  NONE
        Checking User IE Proxy settings . . . . . . . . . . . . PASS
                User IE Proxy. . . . . . . . . . . . . . . . .  NONE
                User IE ProxyByPass. . . . . . . . . . . . . .  NONE
                User IE AutoConfig URL Proxy . . . . . . . . .  NONE
                User IE AutoDetect
                AutoDetect not in use

Checking Connection to WSUS/SUS Server
                WUServer = http://manage2.xxx.com:8530
                WUStatusServer = http://manage2.xxx.com:8530
        UseWuServer is enabled. . . . . . . . . . . . . . . . . PASS
        Connection to server. . . . . . . . . . . . . . . . . . PASS
        SelfUpdate folder is present. . . . . . . . . . . . . . PASS


ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://manage2.xxx.com:8530/ClientWebService/client.asmx
Initializing simple targeting cookie, clientId = 3e4327c6-03c1-4f8a-a3ba-398d342e5bca, target group = , DNS name = xxxx.xxxx.xxxx.com
Server URL = http://xxx.xxx.com:8530/SimpleAuthWebService/SimpleAuth.asmx
WARNING: Failed to evaluate Installed rule, updateId = {6DE1BCC5-79E0-43F7-9146-BA4D3BA5D790}.52, hr = 80041017
WARNING: Failed to evaluate Installed rule, updateId = {9B765177-CAD2-4901-8BEA-AD58ED8CF289}.51, hr = 80041017
WARNING: Failed to evaluate Installed rule, updateId = {2ADE0371-D580-4B7A-8740-E3B48292A4A6}.52, hr = 80041017
WARNING: Failed to evaluate Installed rule, updateId = {B97F3C64-3B2B-4DB9-927C-6CD68EDB98C1}.51, hr = 80041017
WARNING: Failed to evaluate Installed rule, updateId = {7C1C2C32-30E5-44CD-8A74-ECCB75C77BA0}.52, hr = 80041017
WARNING: Failed to evaluate Installed rule, updateId = {962A4718-740F-45BB-85AE-187E0008B823}.52, hr = 80041017
WARNING: Failed to evaluate Installed rule, updateId = {65DA1810-3EA2-4AFE-B394-DFD66B588B73}.51, hr = 80041017
* Found 0 updates and 53 categories in search; evaluated appl. rules of 522 out of 1261 deployed entities
*********
**  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
*************
>>##  RESUMED  ## AU: Search for updates [CallId = {1C8D0B28-1087-4EC5-A2B0-B7826F4F2C22}]
 # 0 updates detected
#########
##  END  ##  AU: Search for updates [CallId = {1C8D0B28-1087-4EC5-A2B0-B7826F4F2C22}]
#############
Featured notifications is disabled.
Setting AU scheduled install time to 2011-03-03 06:00:00
REPORT EVENT: {94CFFDE6-7683-4EA3-8696-169DC5362CBB}      2011-03-02 23:13:09:541-0000      1      147      101      {00000000-0000-0000-0000-000000000000}      0      0      AutomaticUpdates      Success      Software Synchronization      Windows Update Client successfully detected 0 updates.
      REPORT EVENT: {E0B75A3D-2C2A-4510-A99E-ABEF0AA3ECB2}      2011-03-02 23:13:09:541-0000      1      156      101      {00000000-0000-0000-0000-000000000000}      0      0      AutomaticUpdates      Success      Pre-Deployment Check      Reporting client status.
0
Comment
Question by:tferro999
  • 13
  • 11
24 Comments
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35023744
You say that " I have a WSUS 3.0 server that has several groups of clients "



and in your log your target group is missing

target group = , DNS name

Target groups need to match in both group policy and in the WSUS console.

During setup, did you select "use group policy or registry settings"?

http://technet.microsoft.com/en-us/library/cc720450%28WS.10%29.aspx
0
 

Author Comment

by:tferro999
ID: 35023938
Under options I currently have it set to use the update services console.  The clients are present in their respective groups.

What would cause the target group to be missing?  If I remove them from the group and re-add will it help?

I forgot to mention that this WSUS server had been working perfectly for months.  Recently the machine was in a weird state and had to be bounced, afterwards the updating issues started.
0
 

Author Comment

by:tferro999
ID: 35023960
I must not have copied enough of the log, I do see the target group

2011-03-03      03:01:08:680      2024      e48      PT      WARNING: Cached cookie has expired or new PID is available
2011-03-03      03:01:08:680      2024      e48      PT      Initializing simple targeting cookie, clientId = 3e4327c6-03c1-4f8a-a3ba-398d342e5bca, target group = , DNS name = site01.staging.xxx.com
2011-03-03      03:01:08:680      2024      e48      PT        Server URL = http://manage2.xxx.com:8530/SimpleAuthWebService/SimpleAuth.asmx
2011-03-03      03:01:08:727      2024      e48      Report      Uploading 2 events using cached cookie, reporting URL = http://manage2.xxx.com:8530/ReportingWebService/ReportingWebService.asmx
2011-03-03      03:01:08:727      2024      e48      Report      Reporter successfully uploaded 2 events.
0
 
LVL 47

Accepted Solution

by:
Donald Stewart earned 500 total points
ID: 35023988
No, you confirmed for me "Under options I currently have it set to use the update services console."

so you wont see the target group in your logs.

I wanted to first make sure that target groups wasnt the issue.

Have the approved updates finished downloading to the WSUS server?

Have you tried running wsusutil reset ?
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35024013
Do you have client side targeting enabled in group policy? <<< you shouldnt since you are using the console for grouping.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35024026
Are there any WSUS related errors in the eventvwr application log?
0
 

Author Comment

by:tferro999
ID: 35024548
I have confirmed that client side targeting is not enabled in my WSUS GPO, just the standard update location and time/frequency settings under.

computer config >> policies >> windows settings >> admin templates >> windows components >> windows updates

nothing wsus related in the logs of the client or server

I have not run wsustil reset.  I read that it can cause other problems.  One suggestion was to try
BITSADMIN /ALLUSERS /RESET
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35027780
"I have not run wsustil reset.  I read that it can cause other problems."

???

I have never seen or heard of that command causing any issues.

wsustil reset checks that every update metadata row in the database has corresponding update files stored in the file system. If update files are missing or have been corrupted, WSUS downloads the update files again.

Clearing out the BITs cache cant hurt.
0
 

Author Comment

by:tferro999
ID: 35027839
I think I have identified the issue.  Although the updates had been approved, they had never finished downloading.

After looking at some other forums, it appears that the "network service" account did not have full access permissions to my local wsuscontent folder.  I'm applying these permissions now and will let you know if downloads resume after a reboot.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35027894
Did you miss ?

http:#a35023988

"Have the approved updates finished downloading to the WSUS server?"

0
 

Author Comment

by:tferro999
ID: 35028015
Yes
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35028066
:^)  
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:tferro999
ID: 35028370
its taking forever to apply the file permissions but i'll give it a chance to finish.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35028500
Here's an article to compare your settings with

http://technet.microsoft.com/en-us/library/cc708545(WS.10).aspx
0
 

Author Comment

by:tferro999
ID: 35028721
I've looked at the registry and IIS permissions and it looks correct.

I added network service to the wsuscontent root folder.

Still no joy downloading updates.  The machine does have external access.

If I do a manual synchronization it should start the download process right?
0
 

Author Comment

by:tferro999
ID: 35028813
http://blogs.technet.com/b/sus/archive/2008/07/09/troubleshooting-wsus-downloads.aspx

Read some info here, cant see any errors in my event viewer or the softwaredistribution.log
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35028815
wsusutil reset
0
 

Author Comment

by:tferro999
ID: 35029246
wsus admin console is having intermittent issues loading and i'm seeing some disk i/o errors in event viewer.

The drive with the wsus content is on our SAN and it looks like this may be due to some issues with the HBA or switch.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35029305
Is this drive local to your WSUS server ?
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35029341
It is not a supported configuration.

The reason is that all file content is downloaded/written to the filesystem
via the BITS service, which is properly configured to run in the Local
System context.

The "Local System" account will not have write permissions to NAS, in most
cases.


http://www.eggheadcafe.com/software/aspnet/29402819/storing-wsus-content-on-nas.aspx

Any comment concerning WSUS made by Lawrence Garvin should be taken to heart
0
 

Author Comment

by:tferro999
ID: 35029501
The SAN presents the LUN to the server as if it was a local resource.  I read a few posts about people trying to store the wsus content on a NAS file share.

This was working for months prior to this.  The only recent change was moving to a new fiber switch.  I'll let you know what I find.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35029526
You would be better off adding drive space to existing WSUS server(If space is needed) and moving the content there.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35029567
Yeah, I see that it's doable...but have you read the warning ?


Warning
By storing content on a network attached drive, network traffic will be doubled (since the data must be transfered from the iSCSI target host to the WSUS host, before being distributed to the client). This may degrade network performance, so consider your situation. Additional resource demands on the fileserver must also be considered, as the iSCSI commands must be interpreted at both ends, in addition to the data transfer.

This is a completely unsupported configuration, and you will probably not recieve any assistance from Microsoft if you configure your server in this manner.



http://www.wsuswiki.com/ContentOnNetworkDrive
0
 

Author Comment

by:tferro999
ID: 35030168
I think we are good, this is on a Fiber based SAN, not iSCSI.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…

943 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now