Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Private
  • Views: 54
  • Last Modified:

WSUS Server Not Conencting to Clients Correctly

Hello:

I have a project to setup a WSUS server.  For setup, I have used notes and suggestions from http://www.youtube.com/watch?v=f4_UoxXJ9Cg .  This projects includes:

1. 64-bit Windows 2008 R2 Standard Server Sp1.

2. 2 Test Windows 7 professional Computers.
      a.  1 PC is a 64-bit PC.
      b.  1 PC is a 32-bit PC.


This project was actually already started by another administrator that has since left the company; but, the finishing touches were never applied.  

As I was realizing how everything was already installed/configured everthing seemed to be in place.  I did make some minor changes in the GPO, for client side targeting.  I moved the clients (in Active Directory) to the 'WSUS Test' OU and then linked the WSUS GPO to the respected OU.  

The designated Clients show up in the WSUS computer groups; but, I cannot get the approved updates to get installed.

The version of the WSUS software on our WSUS Server is 3.27600.226

version.PNG
I can see the respected clients show up in the WSUS Computer groups; but, they do not give back any status.  Please see the picture below:

notReportedStatusyet.PNG
I can tell on the client that the Windows Update Settings are controlled by the WSUS Server; but, I cannot get the approved updates to actually install on the selected computers.

client-Settings-show.PNG
GPO-WinUpdates.PNG
I thought about un-linking the GPO and un-installing the WSUS software from the Server so I can start from scratch.  You now how it is a little confusing when you are working with another person's project.  But, I honestly feel that if I do that, the problem will not go away.  

I fear that the problem is tied to the fact that I cannot get a status update on the WSUS clients, from the WSUS Server.  Very weird, I can see the clients, the clients are linked to the WSUS Server; but, I cannnot get the Approved updates to become installed on the WSUS client PC's.

My question is, how can I get the Approved updates to be insatlled on the WSUS clients?
0
Pkafkas
Asked:
Pkafkas
  • 32
  • 18
8 Solutions
 
PkafkasNetwork EngineerAuthor Commented:
Equally important, I do get emails from the WSUS Server that new updates have been synchronized on the WSUS server.
0
 
DonNetwork AdministratorCommented:
On a client are there errors in the windowsupdate.log?  <<reading from the bottom up.
0
 
DonNetwork AdministratorCommented:
Also you check your WSUS version on the homepage of the console

wsus
0
Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

 
PkafkasNetwork EngineerAuthor Commented:
Ok

1.  I have uploaded the a .txt file with some log inforamtion from today.
   

2.  I am note sure how to see the WSUS home page.
ConfigLog.txt
0
 
DonNetwork AdministratorCommented:
From the errors I see in that log look over

http://kaustubhghanekar.blogspot.com/2011/05/advanced-wsus-troubleshooting-for-error.html

You may also be missing the port # in your WSUS gpo config

check that it is  http://mogl-util1:8530
0
 
PkafkasNetwork EngineerAuthor Commented:
http://mogl-util1:8530 does not come up with anything.  WSUS is not configured to be used with a special port.  

If I put http://mogl-util1

500 - Internal server error.
There is a problem with the resource you are looking for, and it cannot be displayed.

There are no additional errors after the above sentence.
0
 
PkafkasNetwork EngineerAuthor Commented:
When I try to run the web page on the actual Server, http://mogl-utl1

I get the below web page.

error
0
 
PkafkasNetwork EngineerAuthor Commented:
How am I supposed to now if I should put port 8530 in the GPO.  Everything that I have seen in the WSUS config is referencing port 80.

Maybe I should just start over from scratch instead of trying to use someone else's configurations.

Any ideas?
0
 
PkafkasNetwork EngineerAuthor Commented:
The primary question is how to get the windows updates to be installed on the WSUS computer clients.

Does it have something to do with the WSUS Computer Clients not reporting their status yet?
0
 
SandeshdubeySenior Server EngineerCommented:
Try this on client computer which is not pulling the update from WSUS.
net stop bits
net stop wuauserv
From windows explorer:

Clear the contents of C:\Windows\SoftwareDistribution
Rename C:\Windows\WindowsUpdate.log to WindowsUpdate.log.old
From the registry delete the follwing keys

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\AccountDomainSid
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\PingID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\SusClientId
 
From the command prompt again:

net start bits
net start wuauserv
wuauclt /detectnow /resetauthorization

Also run wsus diagnosis tool and check.http://technet.microsoft.com/en-us/windowsserver/bb466192.aspx
0
 
PkafkasNetwork EngineerAuthor Commented:
I have only approved updates for 2 computers so Far.  Both computers are not able to install updates.

There are a total of 4 computers that are WSUS clients.  All 4 computers are not able to report their status yet; but, all 4 computers Show up in the WSUS Client group.

I will try the above suggestions; but, if I have to do the above for all of the new clients, that are added to the WSUS computer group, Then it seems like something else is wrong.
0
 
PkafkasNetwork EngineerAuthor Commented:
Its not like some of the clients are working and some are not working.  All of the WSUS clients are not working.
0
 
PkafkasNetwork EngineerAuthor Commented:
The WSUS Diagnostic tools seem promising:

http://technet.microsoft.com/en-us/windowsserver/bb466192.aspx
0
 
DonNetwork AdministratorCommented:
@Sandeshdubey

This *NOT!!!* a duplicate SID issue. That will not fix  0x8024401f error.

@Pkafkas

FYI, the clientdiag tool will not work on 64 bit systems.

Did you go over http://kaustubhghanekar.blogspot.com/2011/05/advanced-wsus-troubleshooting-for-error.html ???

Where it mentions MIME types in IIS.


When you are in the WSUS console and on the left hand side under "Update Services" you click on your server name, this is the home page where you can see both the version and the port # being used
0
 
DonNetwork AdministratorCommented:
If not the MIME look over this

http://support.myeasyprojects.net/KB/a104/http-error-50019-error-code-0x8007007e.aspx

Where you may need to disable compression
0
 
PkafkasNetwork EngineerAuthor Commented:
it appears that we are using port 80 and the version is 3.2.7600.251

homepage
0
 
PkafkasNetwork EngineerAuthor Commented:
The above screen shot also shows taht wer have 4 computers connected adn 7 updates approved.

The last synchronization was successfull; but did the updates actually download?
0
 
PkafkasNetwork EngineerAuthor Commented:
I still am not aware why the computers are not reporting the status back to the WSUS server.
0
 
DonNetwork AdministratorCommented:
Lets first get your WSUS updated

http://support.microsoft.com/kb/2734608
0
 
DonNetwork AdministratorCommented:
The "Download Status" from your screencap is where you check if the files have been downloaded
0
 
DonNetwork AdministratorCommented:
Also from your screenshot I see that you have "Approved 7 updates"

unless these are "Needed" updates by your clients, they wont download/detect anything.

Click on "Updates">>"All Updates" >>>set approval to "Any Except Declined" and the "Status" to "Needed" and refresh>>>now you can approve updates that your clients will detect.

Have you setup automatic approval rules ???
0
 
PkafkasNetwork EngineerAuthor Commented:
Ok,

I clicked on "Updates">>"All Updates"
>>>set approval to "Any Except Declined"  
"Status" to "Needed"

and then clicked the refresh button.

No updates were shown.  See the screen shot.

Needed
0
 
PkafkasNetwork EngineerAuthor Commented:
Hello dstewartjr,

I did go to the web site that you mentioned and MIME types are not an issue here.  There were no duplicates.
0
 
PkafkasNetwork EngineerAuthor Commented:
So the clients are showing up in WSUS.

The approved updates do download to the WSUS server.  I was watching it as it was downloading, from the home page.

I cannot get any of the clients to show any status.  

Perhaps that is why the above query 'Show any updates except declined' shows not updates.  Probably because it cannot get the status from the Computers.
0
 
PkafkasNetwork EngineerAuthor Commented:
I will try to update the WSUS Server.

http://support.microsoft.com/kb/2734608

It appears that I will have to apply this update on the client computers as well.  Or did I not understand the article correctly?
0
 
DonNetwork AdministratorCommented:
Only to the WSUS server, your clients most likely have a newer version of the wuaclt.exe than the WSUS server...This is what that update addresses.
0
 
PkafkasNetwork EngineerAuthor Commented:
Ok, dstewartjr

Well 1 thing is fixed, you mentioend befor to disabbel compression on the WSUS Server (64-bit).

http://support.myeasyprojects.net/KB/a104/http-error-50019-error-code-0x8007007e.aspx

Specificall the web site to run the command:

"%windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/httpCompression /-[name='xpress']"  <enter>  

I did do that and the http://servername looks better now; but, I do not think that has fixed the issue.

after diabled.
0
 
DonNetwork AdministratorCommented:
That is what you should see. Are you prompted for a download when you use


http://mogl-utl1/iuident.cab

Now on a client run wuauclt /detectnow

What errors are in the windowsupdate.log (last 50 lines)

may also want to look over

http://technet.microsoft.com/en-us/magazine/gg153542.aspx
0
 
PkafkasNetwork EngineerAuthor Commented:
Ok,

1.  On the server, I do get a prmpt to download or open the iuident.cab file.
         a.  Should I open or save that file?

2.  I do not get prompted if I try to go to taht web link ( http://mogl-utl1/iuident.cab ) from a client pc,


3.  I did run wuauclt /detectnow from 2 client WSUS compuers but nothing has changed from the WSUS server.
         a.  I still see no status reply yet from the Clients.
         b.  I have not restarted eitehr of them yet.  I will do that 9restart and ten see what happens).

4.   I have not updates to WSUS Service pack to yet either.
0
 
PkafkasNetwork EngineerAuthor Commented:
I think we are on to something here:

1.  According to http://technet.microsoft.com/en-us/magazine/gg153542.aspx 
        a.  if I cannot access http://mogl-utl1/iuident.cab from aclient then tehre si something wrong.


2.  Additioanlly, in Server manager I see some errors assocaited with the start-up for WSUS.

self-update stopped

3.  For the suggest comand, I actually did a seach and found that .vbs file in

C:\program files\update services\setup\InstallSelfupdateOnPort80.vbs

Should or can I just execute that .vbs from the windwos explorer folder?  Or must I use the command prompt?
0
 
PkafkasNetwork EngineerAuthor Commented:
hey finally some progress, after I submitted my above post I wanted to see if one of the clients were showing after teh restert.  Now both clients that I ran wuauclt /detectnow on are reporting in.

getting status back

Should I still run that InstallSelfupdateOnPort80.vbs file?  I have not triggered tath .vbs yet.  I still cannot access http://mogl-utl1/iuident.cab from a client PC.
0
 
DonNetwork AdministratorCommented:
Should I still run that InstallSelfupdateOnPort80.vbs file?


It can only fix things, it wont break anything.

so yes
0
 
DonNetwork AdministratorCommented:
You should use the command line to run the script
0
 
PkafkasNetwork EngineerAuthor Commented:
Hey I "think" some updates did install on my 2 test computers last night.  

Now how can I verify that?  Is there a report that I can run?  To see which were installed form WSUS on any computer group from last night?

How can I verify if WSUS is installing updates on designated computers?
0
 
DonNetwork AdministratorCommented:
You can look at the last 50 or so lines of the windowsupdate.log
0
 
PkafkasNetwork EngineerAuthor Commented:
It does not appear that anything got isntalled according to the WindowsUpdate.log, located on the \\mogl-util1\C$\Windows\WindowsUpdate.log
log-11212013.txt
0
 
PkafkasNetwork EngineerAuthor Commented:
Is that is the case and the remaining updates that I have approved will nto get installed tonight.

I will check to morrow to see.  Please see the attached screen shot below.

check1
Is there a way to run a report on a specific computer, from the reports module?  I winder what else must I do?
0
 
DonNetwork AdministratorCommented:
It does not appear that anything got isntalled according to the WindowsUpdate.log, located on the \\mogl-util1\C$\Windows\WindowsUpdate.log

No, you need to look at the windowsupdate.log on client....not server

This client is not getting the WSUS GPO

2013-11-20      15:25:45:327       904      e38      Agent        * WSUS server: <NULL>
2013-11-20      15:25:45:327       904      e38      Agent        * WSUS status server: <NULL>

Yes, you can run reports...just double click on a highlighted update
0
 
PkafkasNetwork EngineerAuthor Commented:
Ok,

I just added 6 updates to be downlaoded and installed, from WSUS.

check compare on Friday
I just noticed that a windows update prompt is available on 1 of my test computers.

start-wu
That was not there before.

I guess we will wait and see for tonight.  Perhaps the updates that i seelcted in the past were nto needed and with no status showing there was no way to tell.  And perhaps if any updates did install last night, tehy did not require a reboot.

I do not see anything from this morniong at 4:00 am (11/21/2013 - See attached:  Around_4Oclock_11212013.txt

I also attached the client Windows Update Log file.  Log_Client_11212013.txt  I see a lot of:

2013-11-21      11:05:39:708       436      11c4      DnldMgr        * Regulation call complete. 0x00000000
2013-11-21      11:05:39:708       436      11c4      DnldMgr      ***********  DnldMgr: New download job [UpdateId = {C15A4671-66BE-41B0-84E7-9E697FC3E4DA}.200]  ***********
2013-11-21      11:05:39:708       436      11c4      DnldMgr      Regulation: {7971F918-A847-4430-9279-4A52D1EFE18D} - Update C15A4671-66BE-41B0-84E7-9E697FC3E4DA is "PerUpdate" regulated and can NOT download. Sequence 9306 vs AcceptRate 5000.
2013-11-21      11:05:39:708       436      11c4      DnldMgr        * Update is not allowed to download due to regulation.
Around-4Oclock-11212013.txt
Log-Client-11212013.txt
0
 
PkafkasNetwork EngineerAuthor Commented:
This client I am woring on can see teh WSUS server:

2013-11-20      18:10:36:114       436      2d4      AU        # WSUS server: http://mogl-util1
2013-11-20      18:10:36:114       436      2d4      AU        # Detection frequency: 22

So that is a good thing at least.  Lets see what happens tonight.
0
 
DonNetwork AdministratorCommented:
From one of your earlier posts

As I was realizing how everything was already installed/configured everthing seemed to be in place.  I did make some minor changes in the GPO, for client side targeting.  I moved the clients (in Active Directory) to the 'WSUS Test' OU

And then from your log

 
target group = , DNS name = mogl00005d0710.w8521domain.com

The client is not picking up the target group

which setting did you select in WSUS

reg
0
 
PkafkasNetwork EngineerAuthor Commented:
Good call,

I just changed this to select the Group Policy or registry settings.

computers
Should I run a wuauclt /detectnow again on teh 2 test PC's?

I suppose it could not hurt.  And then check the logs.
0
 
DonNetwork AdministratorCommented:
No, it wont hurt
0
 
PkafkasNetwork EngineerAuthor Commented:
I see some good and not so good notes, after I ran "wuauclt /detectnow" again.  And did a restart of the PC.

I see windows updates waiting to be installed.

I see some settings stating to instal at 4:00 am.

But I still see "target group = , DNS name = mogl00005d0710.w8521domain.com"

Please se teh attachment.  Maybe it just needs a little imt to ckick in?

I see the other test PC has a prompt tiinstall updates by the start button as well.

wupromptAfer-Restart-and-manual-update.txt
0
 
PkafkasNetwork EngineerAuthor Commented:
It appears that someof the updates got installed; but, not all of them

But it is progress.

Please see the 'approved' & 'needed' updates screen/query.

 compare_after
0
 
PkafkasNetwork EngineerAuthor Commented:
Hello dstewartjr,

From one of your comments above:
 
which setting did you select in WSUS

computer_group_assiciations
which selection should I have set?

The top or the bottom option?

- Use Update Service Console.
- Use Group Policy or Group Settings on Computer?

It appears that the WSUS server did install the udpates anyway; but, I would prefer to delegate specific Computers to a specific WSUS Group as indicated below.  


- Windows_7_prof
- Windows_7_prof64
- Windows_2008R264

Perhaps having the previous setting (update from the Services Console) is better for what I want.  As long as it works, with teh updates I am fine with seperating the coputers into WSUS groups.
0
 
PkafkasNetwork EngineerAuthor Commented:
Right now all of the computers are in the unnassigned group.

unassigned
I will probably have to change the setting from tehj above pic and then do a "wuauclt /detectnow" on the clients and then restart.

Then see if I can delegate the computers to the groups.  Do you concur?
0
 
DonNetwork AdministratorCommented:
I prefer the bottom selection. Also I have found that it's only necessary to separate workstations from servers with ClientSide Targeting. The workstations so they can be set to option 4 "Schedule and install the updates" and the Servers to Option "3 = Automatically download and notify of installation." <<Then on servers I can manually choose when and what updates to install"

You should also configure automatic approval rules.

http://technet.microsoft.com/en-us/library/cc708458%28v=ws.10%29.aspx

Best Practices

http://technet.microsoft.com/en-us/library/cc720525%28v=ws.10%29.aspx
0
 
PkafkasNetwork EngineerAuthor Commented:
Oh, so  you are suggesting to have seperate WSUS Group Policies:

1. One GPO designed for workstations.  

2.  One GPO designed for Servers.

that makes sence becasue one may have the same GPO linked to different OU's.  Is that correct?
0
 
DonNetwork AdministratorCommented:
Yes, you need a separate GPO for each instance of client side targeting(workstations, servers..etc)
0
 
PkafkasNetwork EngineerAuthor Commented:
i Iill look at these best practices items over and thanks for everything.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

  • 32
  • 18
Tackle projects and never again get stuck behind a technical roadblock.
Join Now