  • Status: Solved

WSUS Server, Clients not consistently reporting

We have an environment set up with WSUS configured for our machines on a Windows 2003 Server.  We can see our machines as clients to the server; however, there is a large portion of them that do not consistently report.  Some may be machines that are no longer part of the domain, which I believe I need to just delete; however, there are many that I can connect to, and when I run the wuauclt /reportnow command it does not seem to provide any results.  The machines can ping the WSUS server; however, when I run the client diagnostic tool it reports that the server is not set through Policy, "UseWuServer value is missing".  What is the best way to resolve this, as it seems to have no problem on some machines and this machine has reported and updated in the past?

Screen Shot of Diag Tool
Asked by: lpadmin1
1 Solution
 
Donald Stewart (Network Administrator) Commented:
On the same client that you ran clientdiag on, what is the result of the following from a cmd prompt?

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
 
Donald Stewart (Network Administrator) Commented:
 
lpadmin1 (Author) Commented:
See result for query below.  There are some machines that are imaged; however, most of them are not.
query result
 
Donald Stewart (Network Administrator) Commented:
Based on your results above, your problem is with your WSUS GPO settings.
 
lpadmin1 (Author) Commented:
I just double checked GPO settings on the DC.  Everything appears to be correct.  If it was GPO why would some work and others suddenly stop working?  There is only one OU for our machines.
 
lpadmin1 (Author) Commented:
The only thing I would add is that for the intranet update location we used a specific port in the location. So it looks like http://WSUSserver:8530 but on the server you can see the connection port is 8530.
 
lpadmin1 (Author) Commented:
Windows firewall is off as well due to our SonicWall SSO configuration.  So I know it's not a firewall issue between the server and client.
 
lpadmin1 (Author) Commented:
Just did a gpupdate /force and logged out and in and the results are the same for the query.
 
lpadmin1 (Author) Commented:
Ran query on another XP machine in the same OU and results look good.  Purposely ran on a machine I knew was reporting.
results good
 
lpadmin1 (Author) Commented:
To only add to the confusion, it appears like the GPO is being applied to the machine.  However, the registry does not reflect this GPO.
 
Donald Stewart (Network Administrator) Commented:
Have you ensured that the PCs not reporting have the correct membership?

I.e. in ADUC, in the properties >> "Member of" tab of any PC not reporting correct GP settings.
 
Donald Stewart (Network Administrator) Commented:
Also, have you looked at RSOP.msc to rule out another GPO overwriting?
 
lpadmin1 (Author) Commented:
Thank you for sticking with us here.  We have confirmed the machine does have the correct membership.  It is associated to the domain, in the same container, permissions are the same as well.  When I use RSoP and compare the machines, the machine that does not report is missing 12 out of the 16 items we have configured in the Windows Update GP.  I don't think there would be any other GP overwriting information though.  The only other GP we have for this computer OU is for setting the firewall for the SonicWall configuration.

On a side note though I would agree that it could be a group policy overwriting this.  Is there anywhere else that a GP would be hiding for the container that I wouldn't obviously see from the Group Policy Management Console?

I do see other policies such as the Default Domain Controller Policy but when you go into Windows Updates it just doesn't have anything configured for these items.  Would that overwrite it?
 
Donald Stewart (Network Administrator) Commented:
The results of your rsop.msc should tell which GPO is applying which setting. Maximize the RSOP window if you haven't already.
 
lpadmin1 (Author) Commented:
It says WSUS computers is applying just like the machine that gets the other additional 12 settings.  I just can't comprehend why the other settings are not coming with it.
RSop
 
Donald Stewart (Network Administrator) Commented:
What errors are there in eventvwr?
 
Donald Stewart (Network Administrator) Commented:
Are these XP computers on SP3 yet?

http://support.microsoft.com/kb/840669
 
lpadmin1 (Author) Commented:
We'll be back Monday if you are still willing to give it a go with us.  We will check all the items with the GP settings from the article and see what we can find.  We have inherited this domain with no information so it is often a process to see what the other admins have overlooked here in the past.  Thank you again for sticking with us today.  I hope to get back to you with good results on Monday.  Have a good weekend otherwise.
 
Donald Stewart (Network Administrator) Commented:
I'll be here, I'd check what service pack the XP machines are on first.
 
lpadmin1 (Author) Commented:
The XP machines are all on SP3.  We are still looking at some of the DNS settings but they seem okay so far with the exception that there were some old servers hosting the role that we weren't really using.  Most of the records seem up to date but we are looking into setting up DNS scavenging once I fully understand it.  We do seem to have some more details into the error that the machines that do not receive the GPO are getting.  We pulled that from a Windows 7 machine.  We have two DNS servers, one on server 2008R2 and another on server 2003.

- System
    - Provider
        [ Name]  Microsoft-Windows-GroupPolicy
        [ Guid]  {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
    EventID  1058
    Version  0
    Level  2
    Task  0
    Opcode  1
    Keywords  0x8000000000000000
    - TimeCreated
        [ SystemTime]  2013-11-04T15:54:17.400643700Z
    EventRecordID  65580
    - Correlation
        [ ActivityID]  {48AA81AC-9D2F-48BF-9125-46D30F1427A3}
    - Execution
        [ ProcessID]  1208
        [ ThreadID]  3840
    Channel  System
    Computer  LPCIT4.domain.com
    - Security
        [ UserID]  S-1-5-21-515967899-1682526488-725345543-7269
- EventData
    SupportInfo1  4
    SupportInfo2  816
    ProcessingMode  0
    ProcessingTimeInMilliseconds  546
    ErrorCode  1396
    ErrorDescription  Logon Failure: The target account name is incorrect.
    DCName  \\LPCC-DC.domain.com
    GPOCNName  cn={A90A2B0C-8B93-4021-BE92-E14562FC33C2},cn=policies,cn=system,DC=domain,DC=com
    FilePath  \\domain.com\SysVol\domain.com\Policies\{A90A2B0C-8B93-4021-BE92-E14562FC33C2}\gpt.ini
 
Donald Stewart (Network Administrator) Commented:
 
lpadmin1 (Author) Commented:
I am not sure that is the answer.  This is happening to a lot of machines, about 100 out of 175.  And some of those out of the 100 I just reformatted and joined to the domain.  I did run dcdiag though just on a hunch and I see this error.  We have a secondary domain controller that I have no clue what kind of shape it is in.  When DCDIAG was run on the new server I noticed these:

 Starting test: FrsEvent
    There are warning or error events within the last 24 hours after the
    SYSVOL has been shared.  Failing SYSVOL replication problems may cause
    Group Policy problems.

and

      Starting test: KccEvent
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 11/04/2013   12:54:46
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 11/04/2013   12:54:46
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 11/04/2013   12:54:46
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 11/04/2013   12:54:46
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 11/04/2013   12:54:46
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         ......................... LPCC-DC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... LPCC-DC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... LPCC-DC passed test MachineAccount
      Starting test: NCSecDesc
         ......................... LPCC-DC passed test NCSecDesc
      Starting test: NetLogons
         ......................... LPCC-DC passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... LPCC-DC passed test ObjectsReplicated
      Starting test: Replications
         [LPSRV01] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         ......................... LPCC-DC failed test Replications



Looking into these now.  Do you have any suggestions while I am on my hunt to see if I can resolve these and see if I have any success?
 
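An added example (not part of the original thread): a small Python parser for dcdiag text output in the format pasted in the post above. It flags tests that failed, tests with no verdict line, and tests that "passed" while still logging warnings, as KccEvent does here. The sample is an excerpt trimmed from the post, and the function names are illustrative.

```python
import re

# Excerpt trimmed from the dcdiag output in the post above (sample input).
SAMPLE = """\
   Starting test: FrsEvent
      There are warning or error events within the last 24 hours after the
      SYSVOL has been shared.  Failing SYSVOL replication problems may cause
      Group Policy problems.
   Starting test: KccEvent
      A warning event occurred.  EventID: 0x80000785
      A warning event occurred.  EventID: 0x80000785
      ......................... LPCC-DC passed test KccEvent
   Starting test: NetLogons
      ......................... LPCC-DC passed test NetLogons
   Starting test: Replications
      [LPSRV01] DsBindWithSpnEx() failed with error 1722,
      The RPC server is unavailable..
      ......................... LPCC-DC failed test Replications
"""

START = re.compile(r"^\s*Starting test:\s*(\S+)")
RESULT = re.compile(r"^\s*\.{5,}\s*\S+ (passed|failed) test \S+")
WARN = re.compile(r"warning event occurred|warning or error events", re.I)
ERROR = re.compile(r"failed with error (\d+)")

def parse_dcdiag(text):
    """Map each test name to its verdict, warning count and error codes."""
    tests, cur = {}, None
    for line in text.splitlines():
        m = START.match(line)
        if m:  # a new test block begins
            cur = tests.setdefault(
                m.group(1), {"status": "unknown", "warnings": 0, "errors": []})
            continue
        if cur is None:
            continue
        m = RESULT.match(line)
        if m:  # the dotted verdict line closes the block
            cur["status"] = m.group(1)
            cur = None
            continue
        if WARN.search(line):
            cur["warnings"] += 1
        cur["errors"] += ERROR.findall(line)
    return tests

def needs_attention(tests):
    """Tests that failed, lack a verdict, or passed with warnings or errors."""
    return sorted(name for name, t in tests.items()
                  if t["status"] != "passed" or t["warnings"] or t["errors"])

if __name__ == "__main__":
    print(needs_attention(parse_dcdiag(SAMPLE)))
```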
Donald Stewart (Network Administrator) Commented:
 
lpadmin1 (Author) Commented:
Okay, so we found a DC that was never properly removed from the domain and we were able to remove it from the domain by using Metadata Cleanup.  While we are still looking into this, should DC1 and DC2 have DFS installed, both the DFS Namespacing and DFS Replication?  We are looking for a copy of Windows Server 2003 R2 for the install on DC2.  If we don't need that for this then I will not install it on the DCs.  We use VBScripting for mapping any network shares and they are all hosted on one server that is not a DC.  I assume that's why DFS is not installed anywhere.
 
Donald Stewart (Network Administrator) Commented:
If you cleared up the DCdiag errors I wouldn't worry about DFS. When you reboot clients now do they successfully get your WSUS GPO settings?
 
lpadmin1 (Author) Commented:
Okay so after working on removing the old DC and looking at the DNS after that was done we noticed that we had two DNS servers acting as primary DNS servers along with other remains of old DCs in the DNS that were probably DNS servers at some time.  I am still not sure if we have them set up right with the two that we have as primary and secondary as it seems that we had a couple of hiccups where they thought their files were corrupt and reverted to previous instances for DNS.  I think now it is all settled out but I will still have to take a look to make sure they are properly configured.  HOWEVER, once we got the DNS cleaned out it seemed like all of the computers began to report and update on WSUS.  It was DNS all along, just incredibly cumbersome to find all the issues.  Still haven't run DCDIAG to see if all errors are resolved but we are getting there.  I am sure we will be back with more questions creating a new thread.