Solved

WSUS Server, Clients not consistantly reporting

Posted on 2013-11-01
29
328 Views
Last Modified: 2013-11-05
We have an environment setup with WSUS configured for our machines on a Window 2003 Server.  We can see our machines as Clients to the server however there is a large portion of them that do not consistently report.  Some may be machines that are no longer part of the domain which I believe I need to just delete however there are many that I can connect to and when I run the wuauclt /reportnow command it does not seem to provide any results.  The machines can ping the WSUS server however when I run the client diagnotic tool it reports that the server is not set through Policy, "UseWuServer value is missing".  What is the best way to resolve this as it seems to have no problem on some machines and this machine has reported and updated in the past.

Screen Shot of Diag Tool
0
Comment
Question by:lpadmin1
  • 15
  • 14
29 Comments
 
LVL 47

Expert Comment

by:dstewartjr
ID: 39616998
On same client that you ran clientdiag on, what is the result of from cmd prompt?

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 39617004
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 39617012
0
 

Author Comment

by:lpadmin1
ID: 39617026
See result for query below.  There are some machines that are imaged however most of them are not.  query result
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 39617229
Based on your results above, your problem is with your WSUS GPO settings
0
 

Author Comment

by:lpadmin1
ID: 39617381
I just double checked GPO settings on the DC.  Everything appears to be correct.  If it was GPO why would some work and others suddenly stop working?  There is only one OU for our machines.
0
 

Author Comment

by:lpadmin1
ID: 39617441
The only thing I would add is the for the intranet update location we used a specific port in the location. So it looks like http://WSUSserver:8530 but on the server you can see the connection port is 8530.
0
 

Author Comment

by:lpadmin1
ID: 39617447
Windows firewall is off as well due to our SonicWall SSO configuration.  So I know its not a firewall issue between the server and client.
0
 

Author Comment

by:lpadmin1
ID: 39617457
Just did a gpupdate /force and logged out and in and the results are the same for the query.
0
 

Author Comment

by:lpadmin1
ID: 39617467
Ran query on another XP machine in the same OU and results look good.  Purposely ran on a machine I knew was reporting.results good
0
 

Author Comment

by:lpadmin1
ID: 39617504
To only add to the confusion, it appears like the GPO is being applied to the machine.  However the registry does not reflect thisGPO.
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 39617620
Have you ensured that the PC's not reporting have the correct membership ??

I.E. in ADUC in the properties>>"Member of" tab of any PC not reporting correct GP settings
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 39617623
Also, have you looked at RSOP.msc to rule out another GPO overwriting ??
0
 

Author Comment

by:lpadmin1
ID: 39617795
Thank you for sticking with us here.  We have confirmed the machine does have the correct membership.  It is associated to the domain, in the same container, permissions are the same as well.  When I use RSoP and compare the machines, the machine that does not report is missing 12 out of the 16 items we have configured in the Windows Update GP.  I don't think there would be any other GP overwriting information though.  The only other GP we have for this computer OU is for setting the firewall for the SonicWall configuration.

On a side note though I would agree that it could be a group policy overwriting this.  Is there anywhere else that a GP would be hiding for the container that I wouldn't obviously see from the Group Policy Management Console?

I do see other policies such as the Default Domain Controller Policy but when you go into Windows Updates it just doesn't have anything configured for these items.  Would that overwrite it?
0
Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

 
LVL 47

Expert Comment

by:dstewartjr
ID: 39617814
The results of your rsop.msc should tell which GPO is applying which setting. Maximize the RSOP window if you havent already.
0
 

Author Comment

by:lpadmin1
ID: 39617830
It says WSUS computers is applying just like the machine that gets the other additional 12 settings.  I just can't comprehend why the other settings are not coming with it.
RSop
0
 
LVL 47

Accepted Solution

by:
dstewartjr earned 500 total points
ID: 39617845
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 39617853
What errors are there in eventvwr ??
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 39617864
Are these XP computers on SP3 yet ???

http://support.microsoft.com/kb/840669
0
 

Author Comment

by:lpadmin1
ID: 39617868
We'll be back Monday if you are still willing to give it a go with us.  We will check all the items with the GP settings from the article and see what we can find.  We have inherited this domain with no information so it is often a process to see what the other admins have overlooked here in the past.  Thank you again for sticking with us today.  I hope to get back to you with good results on Monday.  Have a good weekend otherwise.
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 39617876
I'll be here, I'd check what service pack the XP machines are on first.
0
 

Author Comment

by:lpadmin1
ID: 39621814
The XP machines are all on SP3.  We are still looking at some of the DNS settings but they seem okay so far with the exception that there were some old servers hosting the role that we weren't really using.  Most of the records seem up to date but we are looking into setting up dns scavenging once I fully understand it.  We do seem to have some more details into the error that the machines that do not receive the GPO are getting.  We pulled that from a Windows 7 machine.  We have two DNS servers, one on server 2008R2 and another on server 2003.  

-      System
 
            -      Provider
 
                  [ Name]       Microsoft-Windows-GroupPolicy
 
                  [ Guid]       {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}

 
                  EventID      1058

 
                  Version      0

 
                  Level      2

 
                  Task      0

 
                  Opcode      1

 
                  Keywords      0x8000000000000000

 
            -      TimeCreated
 
                  [ SystemTime]       2013-11-04T15:54:17.400643700Z

 
                  EventRecordID      65580

 
            -      Correlation
 
                  [ ActivityID]       {48AA81AC-9D2F-48BF-9125-46D30F1427A3}

 
            -      Execution
 
                  [ ProcessID]       1208
 
                  [ ThreadID]       3840

 
                  Channel      System

 
                  Computer      LPCIT4.domain.com

 
                   -      Security
 
                  [ UserID]       S-1-5-21-515967899-1682526488-725345543-7269

-      EventData
                  
 
            SupportInfo1      4
 
            SupportInfo2      816
 
            ProcessingMode      0
 
            ProcessingTimeInMilliseconds      546
 
            ErrorCode      1396
 
            ErrorDescription      Logon Failure: The target account name is incorrect.
 
            DCName      \\LPCC-DC.domain.com

 
            GPOCNName      cn={A90A2B0C-8B93-4021-BE92-E14562FC33C2},cn=policies,cn=system,DC=domain,DC=com
 
            FilePath      \\domain.com\SysVol\domain.com\Policies\{A90A2B0C-8B93-4021-BE92-E14562FC33C2}\gpt.ini
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 39621868
0
 

Author Comment

by:lpadmin1
ID: 39622114
I am not sure that is the answer.  This is happening to a lot of machine and about 100 out of 175.  And some of those out of 100 I just reformatted and joined them to the domain.  I did run dcdiag though just on a hunch and I see this error.  We have a secondary domain controller that I have no clue what kind of shape it is in.  When DCDIAG was ran on the new server I noticed these:

 Starting test: FrsEvent
    There are warning or error events within the last 24 hours after the
    SYSVOL has been shared.  Failing SYSVOL replication problems may cause
    Group Policy problems.

and

      Starting test: KccEvent
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 11/04/2013   12:54:46
            Event String:
            The attempt to establish a replication link for the following writab
le directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 11/04/2013   12:54:46
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 11/04/2013   12:54:46
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 11/04/2013   12:54:46
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 11/04/2013   12:54:46
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         ......................... LPCC-DC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... LPCC-DC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... LPCC-DC passed test MachineAccount
      Starting test: NCSecDesc
         ......................... LPCC-DC passed test NCSecDesc
      Starting test: NetLogons
         ......................... LPCC-DC passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... LPCC-DC passed test ObjectsReplicated
      Starting test: Replications
         [LPSRV01] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         ......................... LPCC-DC failed test Replications



Looking into these now.  Do you have any suggestions while I am on my hunt to see if I can resolve these and see if I have any success?
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 39622162
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 39622166
0
 

Author Comment

by:lpadmin1
ID: 39622539
Okay, so we found a DC that was never properly removed from the domain and we were able to remove it from the domain by using Metadata Cleanup.  While we are still looking into this should DC1 and DC2 have DFS installed, both the DFS Namespacing and DFS Replication?  We are looking for a copy of Windows Server 2003 R2 for the install on DC2.  If we don't need that for this then I will not install it on the DCs.  We use VBScripting for mapping any network shares and they are all hosted on one server that is not a DC.  I assume thats why DFS is not installed anywhere.
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 39622712
If you cleared up the DCdiag errors I wouldnt worry about DFS. When you reboot clients now do they successfully get your WSUS GPO settings ??
0
 

Author Comment

by:lpadmin1
ID: 39624236
Okay so after working on removing the old DC and looking at the DNS after that was done we noticed that we had two DNS servers acting as primary DNS servers along with other remains of old DCs in the DNS that were probably DNS servers at some time.  I am still not sure if we have them setup right with the two that we have as primary and secondary as it seems that we had a couple of hiccups where they thought their files were corrupt and reverted to previous instances for DNS.  I think now it is all settled out but I will still have to take a look to make sure they are properly configures.  HOWEVER, once we got the DNS cleaned out it seemed like all of the computers began to report and update on WSUS.  It was DNS all along just incredible cumbersome to find all the issues.  Still haven't run DCDIAG to see if all errors are resolved but we are getting there.  I am sure we will be back with more questions creating a new thread.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
SCCM cant add drivers to driver package 11 158
Use System DSN 6 70
Access Convert Columns into Rows 5 48
encryption on machine 7 66
I have put this article together as i needed to get all the information that might be available already into one general document that could be referenced once without searching the Internet for the different pieces. I have had a few issues where…
This is a fairly complicated script that will install the required prerequisites to install SCCM 2012 R2 on a server.  It was designed under the functional model in order to compartmentalize each step required, reducing the overall complexity.  The …
Viewers will learn how to maximize accessibility options in an Excel workbook for users with accessibility issues.
The viewer will learn how to use a discrete random variable to simulate the return on an investment over a period of years, create a Monte Carlo simulation using the discrete random variable, and create a graph to represent the possible returns over…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now