Off Line WSUS-Files For Updates Not Downloaded but actually have been succesfuly imported

I have an issue I need help with.  This is a disconnected network.  I first copied over the update files.  I then imported the metadata.  The size of the update files on the connected server is 10.97GB and the size of the update files on the disconnected WSUS is 10.97GB.  The size of the metadata folder is also the same.  The NT Service has full control of the WSUS and the WSUS Content folders and files.
- When I first imported everything the dashboard stated 0 files needed downloaded.
- I did a test push of updates to a test server.  I pushed about 55 out of 100 patches.  No errors.  I did same for a test workstation and pushed about 48 out of 100 patches with no errors.  Not really sure whey it didn't push all the 100 patches though.  Could it be they weren't needed?
- I then did a second round of patch pushes and then started getting the notification in the Patch window stating Files not downloaded.  It was approved and needed. See attached:
WSUS Dashboard
Also on Friday 28 June the dashboard stated 213 needing updates and downloaded 10.90MB out of 1112MB.  On Monday 1 July the dashboard states 206 updates need downloaded and its downloaded 21MB of 1112MB.  I'm attaching windows update logs for test server, test workstation and the WSUS sever itself.  Also attaching error event from WSUS event viewer (event 10032 and error 364).  Saw no errors in the test server and workstation event logs relating to updates.  Just to make sure my WSUS continues to work I pushed 1 patch this morning to the WSUS itself.  The patch I pushed stated the WSUS need it and it was approved last week ande succesffuly deployed to the TestServer.  

Please any ideas would be most appreciated.  If you need any other info please just ask me.
Who is Participating?
Mike TConnect With a Mentor Leading EngineerCommented:

A few examples of wsusutil will clear any confusion:
cab file from source wsus:

Won't work - no need to specify where the import goes
wsusutil import wsus.log D:\updateservicedbfiles

This will work only if you copy the cab to the path where wsusutil is. This works but is not necessary,
e.g. C:\program files\update services\tools\wsusutil import wsus.log

Better command line:
C:\program files\update services\tools\wsusutil import

where E: is a USB or DVD that you copied the cab file to. June is the month of the export and is optional but probably useful if you want a history to drop back to.

cd C:\program files\update services\tools
wsusutil import E:\

if you rename the cab files, you can use the month there instead. Note this is just a suggestion not a requirement. The default name is I just found this confusing when repeating the exercise regularly.

wsusutil import E:\ E:\Logs\junepatches.log
will create a log file called junepatches in E:\Log. Your command will create the log in the tools directory. Better to create a central place for it for auditing.

 wsusutil reset
(note there's no forward slash) reset will download all the missing updates on your source wsus. It runs instantly, but triggers a fresh synchronise so you have to wait until the missing patches appear on the *online* server.

I'm not sure about the update status as I was using SCCM which doesn't care, so it doesn't display any approvals to see.

The file sizes sound about right. My content was 50GBish and the cab file was 8MB. I have not included drivers or extra languages which might explain which the cab is smaller.

Finally the import for me, took 2 hours; 15 minutes sounds far too quick. I expect I may have to do one last export/import cycle thanks to patch Tuesday so will take a few extra notes.

Checking the log file (WindowsUpdate.log) is absolutely key so tracking where things fail. Check for any error codes.


were the update approved on the source server ?
Did clients already successfully install missing patch from source server ?

Conrad_BelAuthor Commented:
Yes they were approved on the internet facing server.  No clients are connected to the internet facing server.

Do you know exactly what permissions should be on the D:  D:\WSUS  D:\WSUS Content folders and the D:WSUS\updateservicedbfiles (metadata)?

Also the exact permissions needed on the IIS default website?

Do you think my problem may be that I did a simple copy and past of the update files to the D:\wsus\wsus content folder?  I did do the export and import of the metadata as required.
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Did you check the status of "Security Update for Windows 7 for x64-based System (KB2579686)" (for example) on the internet facing server to be sure it has been downloaded ?
Conrad_BelAuthor Commented:
No, unfortunately I do not control the internet facing WSUS.  Is this KB something we should check for?  Or is this an example?  According to my partner, he approved all updates and waited for them to finish updating.  What is the best way to ensure they did in fact finish updating?

As I stated in my post, he downloaed 10.97GB of updates and thats exactly what I have now on my offline wsus.
Conrad_BelAuthor Commented:
I will see if he can build a test server on his side and then apply all patches to it to see if he runs into the same issue.
I've just picked the oulined KB in your screenshot... 10 Gb does not seem a huge amount of data.
If you do not have access to the source server, you will have some difficulty to debug.

Good luck.
Conrad_BelAuthor Commented:
He only got updates for server 2008 and windows 7 and office products.
Yes, I agree without access to the source server this is going to be difficult.
Mike TConnect With a Mentor Leading EngineerCommented:

From recent painful experience, if the internet facing WSUS does NOT finish its synch or the files in the WSUSContent folder are deleted (yes, I know) the offline WSUS will not work.

From your log:
WARNING: Sync of Updates: 0x8024000b
2013-06-27      12:21:22:921       856      1f4      PT      WARNING: SyncServerUpdatesInternal failed: 0x8024000b
2013-06-27      12:21:22:921       856      1f4      Agent        * WARNING: Failed to synchronize, error = 0x8024000B
2013-06-27      12:21:22:921       856      1f4      Agent        * WARNING: Exit code = 0x8024000B

which looks like WSUS cannot find the files from the WSUScontent (rather than the internet). In my case I had similar error but complication of files were provided by SCCM.

My issue was fixed by running the following:

wsusutil reset

Try that first. If it doesn't work look at this article.

The key steps are

     1. Approve all the updates that you need to copy.
      2. export the metadata : command prompt:
            "%programfiles%\update services\tools\wsusutil.exe export   c:\YourBackupDirectory\   c:\YourBackupDirectory\metadata.log
      3. "MergeCopy" all of the content files from your original server (typically c:\WSUS\wsuscontent\) to the same directory on the new server.
      4. Copy the metadata (YourBackupDirectory) to the downstream server.
      5.   Import the metadata on the downstream server:
            "%programfiles%\update services\tools\wsusutil.exe"  import c:\YourBackupDirectory\ c:\YourBackupDirectory\metadata.log
            (It can take from 3 to 4 hours for the database to validate content that has just been imported)
      6. reset the metabase/local downloaded updates
            wsustil.exe reset  reset the metabase/local downloaded updates

and note the comment from Lawrence:

>our Export server wasn't able to download all the updates that I approved due to company proxy/firewall blocking some of the updates from
> downloading, therefore generating some errors in the metadata I assume.

Well THAT will definitely MESS THINGS UP!.... I thought the Deployment Guide documentation was pretty clear on this. The Export Server must have downloaded *ALL* approved content before you can perform the export/import steps.

As an aside the Microsoft have two documents to read for the complete picture on WSUS.

WSUS deployment guide
WSUS step by step for permissions (on page 7)

Both are worth reading!

Conrad_BelAuthor Commented:
thanks for all your assistance.  It actually seems like the updates may have not all been downloaded from the source server to begin with. My fellow engineer originally handed me a disk with 10.7 GB of data for about 3000 updates.  After redoing the synce and doing a control A to highlight all the updates and then doing the approve for install the size of the data has grown to about 20GB.  I think this makes a lot of sense.  Anyway, i will be trying to complete the Import of the metadata and the robocopy of the update files today.  Will keep you informed.
Conrad_BelAuthor Commented:
I have done a robocopy /mir of my wsus content.  I imported my metadata.  After I brought in my wsus content files and did the import of metadata I then started my WSUS service.

I copied the metadata cab file to the C:\program files\update services\tools folder then ran the import as:
c:\program files\update services\tools> wsusutil import wsus.log

Do I need to specify where to import it to?  ie.
wsusutil import wsus.log D:\updateservicedbfiles

How do I get the WSUS Admin console to reset?  It is still showing files approved but not downloaded with red x from my initial problem.  If I run the wsusutil /reset will this help restore some sanity to my WSUS Admin console?

Shouldn't all the updates be showing unapproved on my offline wsus?

Also, I brought in about 20GB of update files and my metadata file is about 10 MB.  Does that sound correct?  Also, the wsusutil import wsus.log job only took about 15 minutes?  Does that sound correct?

I keep reading it should take about 3 hours for this to import?
Conrad_BelAuthor Commented:
mike,  i am up and running.  the issue the whole time was the source wsus never got all the updates to begin with.  

my next question is  when i do my next import, does wsus remember all the patches i have already pushed?
How do you manage that?

What do you do with the superceded updates?  I have read some people just deny them others approve and install them?  What about you?
Mike TLeading EngineerCommented:
Hi. Glad it's all working now.
The machines know what patches they have so WSUS only pushes what's missing, effectively remembering.

With superseded updates I use SCCM so it's slightly different. I would not approve them and ideally run a script to delete them on some schedule.

Conrad_BelAuthor Commented:
Thanks Mike, you've been a blessing.  I am going to decline the superceded.  I will only be running 2008 R2 and win 7 X64 so i will never bring any older systems online.  This is a dev net.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.