[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now


Off Line WSUS-Files For Updates Not Downloaded but actually have been succesfuly imported

Posted on 2013-07-01
Medium Priority
Last Modified: 2013-07-12
I have an issue I need help with.  This is a disconnected network.  I first copied over the update files.  I then imported the metadata.  The size of the update files on the connected server is 10.97GB and the size of the update files on the disconnected WSUS is 10.97GB.  The size of the metadata folder is also the same.  The NT Service has full control of the WSUS and the WSUS Content folders and files.
- When I first imported everything the dashboard stated 0 files needed downloaded.
- I did a test push of updates to a test server.  I pushed about 55 out of 100 patches.  No errors.  I did same for a test workstation and pushed about 48 out of 100 patches with no errors.  Not really sure whey it didn't push all the 100 patches though.  Could it be they weren't needed?
- I then did a second round of patch pushes and then started getting the notification in the Patch window stating Files not downloaded.  It was approved and needed. See attached:
WSUS Dashboard
Also on Friday 28 June the dashboard stated 213 needing updates and downloaded 10.90MB out of 1112MB.  On Monday 1 July the dashboard states 206 updates need downloaded and its downloaded 21MB of 1112MB.  I'm attaching windows update logs for test server, test workstation and the WSUS sever itself.  Also attaching error event from WSUS event viewer (event 10032 and error 364).  Saw no errors in the test server and workstation event logs relating to updates.  Just to make sure my WSUS continues to work I pushed 1 patch this morning to the WSUS itself.  The patch I pushed stated the WSUS need it and it was approved last week ande succesffuly deployed to the TestServer.  

Please any ideas would be most appreciated.  If you need any other info please just ask me.
Question by:Conrad_Bel
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 3
  • 3

Expert Comment

ID: 39293276

were the update approved on the source server ?
Did clients already successfully install missing patch from source server ?


Author Comment

ID: 39293556
Yes they were approved on the internet facing server.  No clients are connected to the internet facing server.

Do you know exactly what permissions should be on the D:  D:\WSUS  D:\WSUS Content folders and the D:WSUS\updateservicedbfiles (metadata)?

Also the exact permissions needed on the IIS default website?

Do you think my problem may be that I did a simple copy and past of the update files to the D:\wsus\wsus content folder?  I did do the export and import of the metadata as required.

Expert Comment

ID: 39293664
Did you check the status of "Security Update for Windows 7 for x64-based System (KB2579686)" (for example) on the internet facing server to be sure it has been downloaded ?
Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal


Author Comment

ID: 39293853
No, unfortunately I do not control the internet facing WSUS.  Is this KB something we should check for?  Or is this an example?  According to my partner, he approved all updates and waited for them to finish updating.  What is the best way to ensure they did in fact finish updating?

As I stated in my post, he downloaed 10.97GB of updates and thats exactly what I have now on my offline wsus.

Author Comment

ID: 39293855
I will see if he can build a test server on his side and then apply all patches to it to see if he runs into the same issue.

Expert Comment

ID: 39293877
I've just picked the oulined KB in your screenshot... 10 Gb does not seem a huge amount of data.
If you do not have access to the source server, you will have some difficulty to debug.

Good luck.

Author Comment

ID: 39294150
He only got updates for server 2008 and windows 7 and office products.
Yes, I agree without access to the source server this is going to be difficult.
LVL 18

Assisted Solution

by:Mike T
Mike T earned 2000 total points
ID: 39294839

From recent painful experience, if the internet facing WSUS does NOT finish its synch or the files in the WSUSContent folder are deleted (yes, I know) the offline WSUS will not work.

From your log:
WARNING: Sync of Updates: 0x8024000b
2013-06-27      12:21:22:921       856      1f4      PT      WARNING: SyncServerUpdatesInternal failed: 0x8024000b
2013-06-27      12:21:22:921       856      1f4      Agent        * WARNING: Failed to synchronize, error = 0x8024000B
2013-06-27      12:21:22:921       856      1f4      Agent        * WARNING: Exit code = 0x8024000B

which looks like WSUS cannot find the files from the WSUScontent (rather than the internet). In my case I had similar error but complication of files were provided by SCCM.

My issue was fixed by running the following:

wsusutil reset

Try that first. If it doesn't work look at this article.

The key steps are

     1. Approve all the updates that you need to copy.
      2. export the metadata : command prompt:
            "%programfiles%\update services\tools\wsusutil.exe export   c:\YourBackupDirectory\metadata.cab   c:\YourBackupDirectory\metadata.log
      3. "MergeCopy" all of the content files from your original server (typically c:\WSUS\wsuscontent\) to the same directory on the new server.
      4. Copy the metadata (YourBackupDirectory) to the downstream server.
      5.   Import the metadata on the downstream server:
            "%programfiles%\update services\tools\wsusutil.exe"  import c:\YourBackupDirectory\metadata.cab c:\YourBackupDirectory\metadata.log
            (It can take from 3 to 4 hours for the database to validate content that has just been imported)
      6. reset the metabase/local downloaded updates
            wsustil.exe reset  reset the metabase/local downloaded updates

and note the comment from Lawrence:

>our Export server wasn't able to download all the updates that I approved due to company proxy/firewall blocking some of the updates from
> downloading, therefore generating some errors in the metadata I assume.

Well THAT will definitely MESS THINGS UP!.... I thought the Deployment Guide documentation was pretty clear on this. The Export Server must have downloaded *ALL* approved content before you can perform the export/import steps.

As an aside the Microsoft have two documents to read for the complete picture on WSUS.

WSUS deployment guide
WSUS step by step for permissions (on page 7)

Both are worth reading!


Author Comment

ID: 39310239
thanks for all your assistance.  It actually seems like the updates may have not all been downloaded from the source server to begin with. My fellow engineer originally handed me a disk with 10.7 GB of data for about 3000 updates.  After redoing the synce and doing a control A to highlight all the updates and then doing the approve for install the size of the data has grown to about 20GB.  I think this makes a lot of sense.  Anyway, i will be trying to complete the Import of the metadata and the robocopy of the update files today.  Will keep you informed.

Author Comment

ID: 39310990
I have done a robocopy /mir of my wsus content.  I imported my metadata.  After I brought in my wsus content files and did the import of metadata I then started my WSUS service.

I copied the metadata cab file to the C:\program files\update services\tools folder then ran the import as:
c:\program files\update services\tools> wsusutil import wsus.cab wsus.log

Do I need to specify where to import it to?  ie.
wsusutil import wsus.cab wsus.log D:\updateservicedbfiles

How do I get the WSUS Admin console to reset?  It is still showing files approved but not downloaded with red x from my initial problem.  If I run the wsusutil /reset will this help restore some sanity to my WSUS Admin console?

Shouldn't all the updates be showing unapproved on my offline wsus?

Also, I brought in about 20GB of update files and my metadata file is about 10 MB.  Does that sound correct?  Also, the wsusutil import wsus.cab wsus.log job only took about 15 minutes?  Does that sound correct?

I keep reading it should take about 3 hours for this to import?
LVL 18

Accepted Solution

Mike T earned 2000 total points
ID: 39316132

A few examples of wsusutil will clear any confusion:
cab file from source wsus: wsus.cab

Won't work - no need to specify where the import goes
wsusutil import wsus.cab wsus.log D:\updateservicedbfiles

This will work only if you copy the cab to the path where wsusutil is. This works but is not necessary,
e.g. C:\program files\update services\tools\wsusutil import wsus.cab wsus.log

Better command line:
C:\program files\update services\tools\wsusutil import wsus.cab

where E: is a USB or DVD that you copied the cab file to. June is the month of the export and is optional but probably useful if you want a history to drop back to.

cd C:\program files\update services\tools
wsusutil import E:\wsus-june.cab

if you rename the cab files, you can use the month there instead. Note this is just a suggestion not a requirement. The default name is export.cab. I just found this confusing when repeating the exercise regularly.

wsusutil import E:\wsus-june.cab E:\Logs\junepatches.log
will create a log file called junepatches in E:\Log. Your command will create the log in the tools directory. Better to create a central place for it for auditing.

 wsusutil reset
(note there's no forward slash) reset will download all the missing updates on your source wsus. It runs instantly, but triggers a fresh synchronise so you have to wait until the missing patches appear on the *online* server.

I'm not sure about the update status as I was using SCCM which doesn't care, so it doesn't display any approvals to see.

The file sizes sound about right. My content was 50GBish and the cab file was 8MB. I have not included drivers or extra languages which might explain which the cab is smaller.

Finally the import for me, took 2 hours; 15 minutes sounds far too quick. I expect I may have to do one last export/import cycle thanks to patch Tuesday so will take a few extra notes.

Checking the log file (WindowsUpdate.log) is absolutely key so tracking where things fail. Check for any error codes.


Author Comment

ID: 39319431
mike,  i am up and running.  the issue the whole time was the source wsus never got all the updates to begin with.  

my next question is  when i do my next import, does wsus remember all the patches i have already pushed?
How do you manage that?

What do you do with the superceded updates?  I have read some people just deny them others approve and install them?  What about you?
LVL 18

Expert Comment

by:Mike T
ID: 39321280
Hi. Glad it's all working now.
The machines know what patches they have so WSUS only pushes what's missing, effectively remembering.

With superseded updates I use SCCM so it's slightly different. I would not approve them and ideally run a script to delete them on some schedule.


Author Comment

ID: 39321419
Thanks Mike, you've been a blessing.  I am going to decline the superceded.  I will only be running 2008 R2 and win 7 X64 so i will never bring any older systems online.  This is a dev net.

Featured Post

Will your db performance match your db growth?

In Percona’s white paper “Performance at Scale: Keeping Your Database on Its Toes,” we take a high-level approach to what you need to think about when planning for database scalability.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A safe way to clean winsxs folder from your windows server 2008 R2 editions
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question