Off Line WSUS-Files For Updates Not Downloaded but actually have been succesfuly imported

Posted on 2013-07-01
Last Modified: 2013-07-12
I have an issue I need help with.  This is a disconnected network.  I first copied over the update files.  I then imported the metadata.  The size of the update files on the connected server is 10.97GB and the size of the update files on the disconnected WSUS is 10.97GB.  The size of the metadata folder is also the same.  The NT Service has full control of the WSUS and the WSUS Content folders and files.
- When I first imported everything the dashboard stated 0 files needed downloaded.
- I did a test push of updates to a test server.  I pushed about 55 out of 100 patches.  No errors.  I did same for a test workstation and pushed about 48 out of 100 patches with no errors.  Not really sure whey it didn't push all the 100 patches though.  Could it be they weren't needed?
- I then did a second round of patch pushes and then started getting the notification in the Patch window stating Files not downloaded.  It was approved and needed. See attached:
WSUS Dashboard
Also on Friday 28 June the dashboard stated 213 needing updates and downloaded 10.90MB out of 1112MB.  On Monday 1 July the dashboard states 206 updates need downloaded and its downloaded 21MB of 1112MB.  I'm attaching windows update logs for test server, test workstation and the WSUS sever itself.  Also attaching error event from WSUS event viewer (event 10032 and error 364).  Saw no errors in the test server and workstation event logs relating to updates.  Just to make sure my WSUS continues to work I pushed 1 patch this morning to the WSUS itself.  The patch I pushed stated the WSUS need it and it was approved last week ande succesffuly deployed to the TestServer.  

Please any ideas would be most appreciated.  If you need any other info please just ask me.
Question by:Conrad_Bel
  • 8
  • 3
  • 3

Expert Comment

ID: 39293276

were the update approved on the source server ?
Did clients already successfully install missing patch from source server ?


Author Comment

ID: 39293556
Yes they were approved on the internet facing server.  No clients are connected to the internet facing server.

Do you know exactly what permissions should be on the D:  D:\WSUS  D:\WSUS Content folders and the D:WSUS\updateservicedbfiles (metadata)?

Also the exact permissions needed on the IIS default website?

Do you think my problem may be that I did a simple copy and past of the update files to the D:\wsus\wsus content folder?  I did do the export and import of the metadata as required.

Expert Comment

ID: 39293664
Did you check the status of "Security Update for Windows 7 for x64-based System (KB2579686)" (for example) on the internet facing server to be sure it has been downloaded ?

Author Comment

ID: 39293853
No, unfortunately I do not control the internet facing WSUS.  Is this KB something we should check for?  Or is this an example?  According to my partner, he approved all updates and waited for them to finish updating.  What is the best way to ensure they did in fact finish updating?

As I stated in my post, he downloaed 10.97GB of updates and thats exactly what I have now on my offline wsus.

Author Comment

ID: 39293855
I will see if he can build a test server on his side and then apply all patches to it to see if he runs into the same issue.

Expert Comment

ID: 39293877
I've just picked the oulined KB in your screenshot... 10 Gb does not seem a huge amount of data.
If you do not have access to the source server, you will have some difficulty to debug.

Good luck.

Author Comment

ID: 39294150
He only got updates for server 2008 and windows 7 and office products.
Yes, I agree without access to the source server this is going to be difficult.
Make managing Office 365 email signatures a breeze

Are you using Office 365? Having trouble trying to set up email signatures for your users? Getting stressed out managing multiple signatures? Need an easier way to manage? We have a solution for you, try the most-user friendly and powerful signature management tool on the market.

LVL 17

Assisted Solution

by:Mike T
Mike T earned 500 total points
ID: 39294839

From recent painful experience, if the internet facing WSUS does NOT finish its synch or the files in the WSUSContent folder are deleted (yes, I know) the offline WSUS will not work.

From your log:
WARNING: Sync of Updates: 0x8024000b
2013-06-27      12:21:22:921       856      1f4      PT      WARNING: SyncServerUpdatesInternal failed: 0x8024000b
2013-06-27      12:21:22:921       856      1f4      Agent        * WARNING: Failed to synchronize, error = 0x8024000B
2013-06-27      12:21:22:921       856      1f4      Agent        * WARNING: Exit code = 0x8024000B

which looks like WSUS cannot find the files from the WSUScontent (rather than the internet). In my case I had similar error but complication of files were provided by SCCM.

My issue was fixed by running the following:

wsusutil reset

Try that first. If it doesn't work look at this article.

The key steps are

     1. Approve all the updates that you need to copy.
      2. export the metadata : command prompt:
            "%programfiles%\update services\tools\wsusutil.exe export   c:\YourBackupDirectory\   c:\YourBackupDirectory\metadata.log
      3. "MergeCopy" all of the content files from your original server (typically c:\WSUS\wsuscontent\) to the same directory on the new server.
      4. Copy the metadata (YourBackupDirectory) to the downstream server.
      5.   Import the metadata on the downstream server:
            "%programfiles%\update services\tools\wsusutil.exe"  import c:\YourBackupDirectory\ c:\YourBackupDirectory\metadata.log
            (It can take from 3 to 4 hours for the database to validate content that has just been imported)
      6. reset the metabase/local downloaded updates
            wsustil.exe reset  reset the metabase/local downloaded updates

and note the comment from Lawrence:

>our Export server wasn't able to download all the updates that I approved due to company proxy/firewall blocking some of the updates from
> downloading, therefore generating some errors in the metadata I assume.

Well THAT will definitely MESS THINGS UP!.... I thought the Deployment Guide documentation was pretty clear on this. The Export Server must have downloaded *ALL* approved content before you can perform the export/import steps.

As an aside the Microsoft have two documents to read for the complete picture on WSUS.

WSUS deployment guide
WSUS step by step for permissions (on page 7)

Both are worth reading!


Author Comment

ID: 39310239
thanks for all your assistance.  It actually seems like the updates may have not all been downloaded from the source server to begin with. My fellow engineer originally handed me a disk with 10.7 GB of data for about 3000 updates.  After redoing the synce and doing a control A to highlight all the updates and then doing the approve for install the size of the data has grown to about 20GB.  I think this makes a lot of sense.  Anyway, i will be trying to complete the Import of the metadata and the robocopy of the update files today.  Will keep you informed.

Author Comment

ID: 39310990
I have done a robocopy /mir of my wsus content.  I imported my metadata.  After I brought in my wsus content files and did the import of metadata I then started my WSUS service.

I copied the metadata cab file to the C:\program files\update services\tools folder then ran the import as:
c:\program files\update services\tools> wsusutil import wsus.log

Do I need to specify where to import it to?  ie.
wsusutil import wsus.log D:\updateservicedbfiles

How do I get the WSUS Admin console to reset?  It is still showing files approved but not downloaded with red x from my initial problem.  If I run the wsusutil /reset will this help restore some sanity to my WSUS Admin console?

Shouldn't all the updates be showing unapproved on my offline wsus?

Also, I brought in about 20GB of update files and my metadata file is about 10 MB.  Does that sound correct?  Also, the wsusutil import wsus.log job only took about 15 minutes?  Does that sound correct?

I keep reading it should take about 3 hours for this to import?
LVL 17

Accepted Solution

Mike T earned 500 total points
ID: 39316132

A few examples of wsusutil will clear any confusion:
cab file from source wsus:

Won't work - no need to specify where the import goes
wsusutil import wsus.log D:\updateservicedbfiles

This will work only if you copy the cab to the path where wsusutil is. This works but is not necessary,
e.g. C:\program files\update services\tools\wsusutil import wsus.log

Better command line:
C:\program files\update services\tools\wsusutil import

where E: is a USB or DVD that you copied the cab file to. June is the month of the export and is optional but probably useful if you want a history to drop back to.

cd C:\program files\update services\tools
wsusutil import E:\

if you rename the cab files, you can use the month there instead. Note this is just a suggestion not a requirement. The default name is I just found this confusing when repeating the exercise regularly.

wsusutil import E:\ E:\Logs\junepatches.log
will create a log file called junepatches in E:\Log. Your command will create the log in the tools directory. Better to create a central place for it for auditing.

 wsusutil reset
(note there's no forward slash) reset will download all the missing updates on your source wsus. It runs instantly, but triggers a fresh synchronise so you have to wait until the missing patches appear on the *online* server.

I'm not sure about the update status as I was using SCCM which doesn't care, so it doesn't display any approvals to see.

The file sizes sound about right. My content was 50GBish and the cab file was 8MB. I have not included drivers or extra languages which might explain which the cab is smaller.

Finally the import for me, took 2 hours; 15 minutes sounds far too quick. I expect I may have to do one last export/import cycle thanks to patch Tuesday so will take a few extra notes.

Checking the log file (WindowsUpdate.log) is absolutely key so tracking where things fail. Check for any error codes.


Author Comment

ID: 39319431
mike,  i am up and running.  the issue the whole time was the source wsus never got all the updates to begin with.  

my next question is  when i do my next import, does wsus remember all the patches i have already pushed?
How do you manage that?

What do you do with the superceded updates?  I have read some people just deny them others approve and install them?  What about you?
LVL 17

Expert Comment

by:Mike T
ID: 39321280
Hi. Glad it's all working now.
The machines know what patches they have so WSUS only pushes what's missing, effectively remembering.

With superseded updates I use SCCM so it's slightly different. I would not approve them and ideally run a script to delete them on some schedule.


Author Comment

ID: 39321419
Thanks Mike, you've been a blessing.  I am going to decline the superceded.  I will only be running 2008 R2 and win 7 X64 so i will never bring any older systems online.  This is a dev net.

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A procedure for exporting installed hotfix details of remote computers using powershell
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
The viewer will learn how to use a discrete random variable to simulate the return on an investment over a period of years, create a Monte Carlo simulation using the discrete random variable, and create a graph to represent the possible returns over…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now