Solved

WSUS Server, Clients not consistently reporting

Posted on 2013-11-01
Last Modified: 2013-11-05
We have an environment set up with WSUS configured for our machines on a Windows 2003 Server.  We can see our machines as Clients to the server however there is a large portion of them that do not consistently report.  Some may be machines that are no longer part of the domain which I believe I need to just delete however there are many that I can connect to and when I run the wuauclt /reportnow command it does not seem to provide any results.  The machines can ping the WSUS server however when I run the client diagnostic tool it reports that the server is not set through Policy, "UseWuServer value is missing".  What is the best way to resolve this as it seems to have no problem on some machines and this machine has reported and updated in the past.

Screen Shot of Diag Tool
Question by:lpadmin1
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 39616998
On the same client that you ran clientdiag on, what is the result of the following from a cmd prompt?

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 39617004
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 39617012
0
 

Author Comment

by:lpadmin1
ID: 39617026
See result for query below.  There are some machines that are imaged however most of them are not.  query result
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 39617229
Based on your results above, your problem is with your WSUS GPO settings
0
 

Author Comment

by:lpadmin1
ID: 39617381
I just double checked GPO settings on the DC.  Everything appears to be correct.  If it was GPO why would some work and others suddenly stop working?  There is only one OU for our machines.
0
 

Author Comment

by:lpadmin1
ID: 39617441
The only thing I would add is that for the intranet update location we used a specific port in the location. So it looks like http://WSUSserver:8530 but on the server you can see the connection port is 8530.
0
 

Author Comment

by:lpadmin1
ID: 39617447
Windows firewall is off as well due to our SonicWall SSO configuration.  So I know it's not a firewall issue between the server and client.
0
 

Author Comment

by:lpadmin1
ID: 39617457
Just did a gpupdate /force and logged out and in and the results are the same for the query.
0
 

Author Comment

by:lpadmin1
ID: 39617467
Ran query on another XP machine in the same OU and results look good.  Purposely ran on a machine I knew was reporting.
results good
0
 

Author Comment

by:lpadmin1
ID: 39617504
To only add to the confusion, it appears like the GPO is being applied to the machine.  However the registry does not reflect this GPO.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 39617620
Have you ensured that the PCs not reporting have the correct membership ??

I.E. in ADUC in the properties>>"Member of" tab of any PC not reporting correct GP settings
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 39617623
Also, have you looked at RSOP.msc to rule out another GPO overwriting ??
0
 

Author Comment

by:lpadmin1
ID: 39617795
Thank you for sticking with us here.  We have confirmed the machine does have the correct membership.  It is associated to the domain, in the same container, permissions are the same as well.  When I use RSoP and compare the machines, the machine that does not report is missing 12 out of the 16 items we have configured in the Windows Update GP.  I don't think there would be any other GP overwriting information though.  The only other GP we have for this computer OU is for setting the firewall for the SonicWall configuration.

On a side note though I would agree that it could be a group policy overwriting this.  Is there anywhere else that a GP would be hiding for the container that I wouldn't obviously see from the Group Policy Management Console?

I do see other policies such as the Default Domain Controller Policy but when you go into Windows Updates it just doesn't have anything configured for these items.  Would that overwrite it?
0

 
LVL 47

Expert Comment

by:Donald Stewart
ID: 39617814
The results of your rsop.msc should tell which GPO is applying which setting. Maximize the RSOP window if you haven't already.
0
 

Author Comment

by:lpadmin1
ID: 39617830
It says WSUS computers is applying just like the machine that gets the other additional 12 settings.  I just can't comprehend why the other settings are not coming with it.
RSop
0
 
LVL 47

Accepted Solution

by:
Donald Stewart earned 500 total points
ID: 39617845
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 39617853
What errors are there in eventvwr ??
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 39617864
Are these XP computers on SP3 yet ???

http://support.microsoft.com/kb/840669
0
 

Author Comment

by:lpadmin1
ID: 39617868
We'll be back Monday if you are still willing to give it a go with us.  We will check all the items with the GP settings from the article and see what we can find.  We have inherited this domain with no information so it is often a process to see what the other admins have overlooked here in the past.  Thank you again for sticking with us today.  I hope to get back to you with good results on Monday.  Have a good weekend otherwise.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 39617876
I'll be here, I'd check what service pack the XP machines are on first.
0
 

Author Comment

by:lpadmin1
ID: 39621814
The XP machines are all on SP3.  We are still looking at some of the DNS settings but they seem okay so far with the exception that there were some old servers hosting the role that we weren't really using.  Most of the records seem up to date but we are looking into setting up dns scavenging once I fully understand it.  We do seem to have some more details into the error that the machines that do not receive the GPO are getting.  We pulled that from a Windows 7 machine.  We have two DNS servers, one on server 2008R2 and another on server 2003.  

- System
    - Provider
        [ Name]       Microsoft-Windows-GroupPolicy
        [ Guid]       {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
    EventID      1058
    Version      0
    Level      2
    Task      0
    Opcode      1
    Keywords      0x8000000000000000
    - TimeCreated
        [ SystemTime]       2013-11-04T15:54:17.400643700Z
    EventRecordID      65580
    - Correlation
        [ ActivityID]       {48AA81AC-9D2F-48BF-9125-46D30F1427A3}
    - Execution
        [ ProcessID]       1208
        [ ThreadID]       3840
    Channel      System
    Computer      LPCIT4.domain.com
    - Security
        [ UserID]       S-1-5-21-515967899-1682526488-725345543-7269
- EventData
    SupportInfo1      4
    SupportInfo2      816
    ProcessingMode      0
    ProcessingTimeInMilliseconds      546
    ErrorCode      1396
    ErrorDescription      Logon Failure: The target account name is incorrect.
    DCName      \\LPCC-DC.domain.com
    GPOCNName      cn={A90A2B0C-8B93-4021-BE92-E14562FC33C2},cn=policies,cn=system,DC=domain,DC=com
    FilePath      \\domain.com\SysVol\domain.com\Policies\{A90A2B0C-8B93-4021-BE92-E14562FC33C2}\gpt.ini
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 39621868
0
 

Author Comment

by:lpadmin1
ID: 39622114
I am not sure that is the answer.  This is happening to a lot of machines, about 100 out of 175.  And some of those out of 100 I just reformatted and joined them to the domain.  I did run dcdiag though just on a hunch and I see this error.  We have a secondary domain controller that I have no clue what kind of shape it is in.  When DCDIAG was run on the new server I noticed these:

 Starting test: FrsEvent
    There are warning or error events within the last 24 hours after the
    SYSVOL has been shared.  Failing SYSVOL replication problems may cause
    Group Policy problems.

and

      Starting test: KccEvent
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 11/04/2013   12:54:46
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 11/04/2013   12:54:46
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 11/04/2013   12:54:46
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 11/04/2013   12:54:46
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 11/04/2013   12:54:46
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         ......................... LPCC-DC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... LPCC-DC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... LPCC-DC passed test MachineAccount
      Starting test: NCSecDesc
         ......................... LPCC-DC passed test NCSecDesc
      Starting test: NetLogons
         ......................... LPCC-DC passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... LPCC-DC passed test ObjectsReplicated
      Starting test: Replications
         [LPSRV01] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         ......................... LPCC-DC failed test Replications



Looking into these now.  Do you have any suggestions while I am on my hunt to see if I can resolve these and see if I have any success?
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 39622162
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 39622166
0
 

Author Comment

by:lpadmin1
ID: 39622539
Okay, so we found a DC that was never properly removed from the domain and we were able to remove it from the domain by using Metadata Cleanup.  While we are still looking into this should DC1 and DC2 have DFS installed, both the DFS Namespacing and DFS Replication?  We are looking for a copy of Windows Server 2003 R2 for the install on DC2.  If we don't need that for this then I will not install it on the DCs.  We use VBScripting for mapping any network shares and they are all hosted on one server that is not a DC.  I assume that's why DFS is not installed anywhere.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 39622712
If you cleared up the DCdiag errors I wouldn't worry about DFS. When you reboot clients now do they successfully get your WSUS GPO settings ??
0
 

Author Comment

by:lpadmin1
ID: 39624236
Okay so after working on removing the old DC and looking at the DNS after that was done we noticed that we had two DNS servers acting as primary DNS servers along with other remains of old DCs in the DNS that were probably DNS servers at some time.  I am still not sure if we have them set up right with the two that we have as primary and secondary as it seems that we had a couple of hiccups where they thought their files were corrupt and reverted to previous instances for DNS.  I think now it is all settled out but I will still have to take a look to make sure they are properly configured.  HOWEVER, once we got the DNS cleaned out it seemed like all of the computers began to report and update on WSUS.  It was DNS all along, just incredibly cumbersome to find all the issues.  Still haven't run DCDIAG to see if all errors are resolved but we are getting there.  I am sure we will be back with more questions creating a new thread.
0
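
The failure chain in this thread (event 1058 with error 1396 while reading gpt.ini from \\domain.com\SysVol, finally traced to leftover DC records in DNS) can be checked from an affected client with the script below. It is an added example, not something posted by either participant; the function name Test-TcpPort, the parameter names and the output columns are assumptions, and it expects a domain-joined machine, a domain user session and PowerShell 2.0 or later.

```powershell
# Added example (not from the thread): compare the addresses the bare domain name
# resolves to with the DCs Active Directory currently lists, then test SYSVOL per DC.
param(
    [string]$Domain  = $env:USERDNSDOMAIN,
    # GPO GUID copied from the FilePath field of the event 1058 posted in the thread
    [string]$GpoGuid = '{A90A2B0C-8B93-4021-BE92-E14562FC33C2}'
)

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# Domain controllers that Active Directory itself currently knows about.
$adDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs      = @($adDomain.DomainControllers)
$dcIps    = @($dcs | ForEach-Object { $_.IPAddress })

# Every IPv4 address behind the bare domain name. \\domain\SysVol can land on any
# of them, so an address that is not a current DC is a stale-record candidate.
$domainIps = @([System.Net.Dns]::GetHostAddresses($Domain) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString })

foreach ($ip in $domainIps) {
    New-Object PSObject -Property @{
        Check  = 'DomainARecord'
        Target = $ip
        Ok     = ($dcIps -contains $ip) -and (Test-TcpPort $ip 445)
        Detail = if ($dcIps -contains $ip) { 'current DC' } else { 'not a current DC' }
    }
}

# Read the same gpt.ini through each DC by name, bypassing the domain alias.
foreach ($dc in $dcs) {
    $gpt = "\\$($dc.Name)\SysVol\$Domain\Policies\$GpoGuid\gpt.ini"
    New-Object PSObject -Property @{
        Check  = 'GptIniViaDC'
        Target = $dc.Name
        Ok     = (Test-Path -LiteralPath $gpt)
        Detail = $gpt
    }
}
```

A DomainARecord row with Ok = False points at a record to clean up in DNS; a GptIniViaDC row with Ok = False points at SYSVOL replication or that DC itself.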

Question has a verified solution.