Solved

windows 2012 security update from wsus

Posted on 2014-09-30
25
230 Views
Last Modified: 2016-02-20
i have a windows 2012 domain controller and wsus server. Our group gpo says only local administrator can install updates on servers.
But domain controller none local admin.
How can i make all security updates on domain controller server
0
Comment
Question by:apollo-13
  • 13
  • 6
  • 5
  • +1
25 Comments
 
LVL 17

Assisted Solution

by:LesterClayton
LesterClayton earned 250 total points
ID: 40351847
Domain controllers indeed don't have local administrators - you have to be a member of the Administrators group of the Domain itself.

Administrators group in Domain
Begin a member of this group will give you administrator access over all Domain Controllers.  Domain Admins are also a memver of this group, so if you are a Domain Admin, then you already have sufficient rights.
0
 

Author Comment

by:apollo-13
ID: 40351855
i am in administartors group, but still cant server wsus update .if i log the DC with domain\superuser  (superuser=DOMAIN ADMIN) windows update cant and says windows updates systemadmistrator.
0
 
LVL 5

Assisted Solution

by:Abdul Khadja Alaoudine
Abdul Khadja Alaoudine earned 50 total points
ID: 40351860
Domains admins are local administrator on Domain Controllers. Therefore, you don't have to make any further changes. Have you tried installing updates on DC?
0
 
LVL 17

Assisted Solution

by:LesterClayton
LesterClayton earned 250 total points
ID: 40351865
This actually sounds like a UAC issue (User Account Control), but this is pretty much clutching at straws.

Try log in as DOMAIN\Administrator (i.e. the actual Administrator).  This account is not UAC limited by default.  If it works logged in Administrator, then it will confirm if this is a UAC issue or not.  The resolution to that would be to change the default domain controller policy to disable "User Account Control: Run all administrators in admin approval mode"

Turn off UAC for All Administrators
0
 

Author Comment

by:apollo-13
ID: 40351869
Have you tried installing updates on DC?---YES
0
 

Author Comment

by:apollo-13
ID: 40351876
i logged to Domain controller domain\administrator .Thats mean is i have like local admin isnt.

But windows updates says me . some configurations make configure from systemadministrator(Yellow).
0
 

Author Comment

by:apollo-13
ID: 40351877
UAC ist disabled before.
0
 

Author Comment

by:apollo-13
ID: 40351883
can be some where WSUS makes problem .when i need to windows update on the other server then i log local admin and make updates
0
 
LVL 17

Assisted Solution

by:LesterClayton
LesterClayton earned 250 total points
ID: 40351975
It's hard to think that WSUS would be the cause of the issue - all it does is present a list of updates to your WSUS Client.

Can you post some screenshots showing the error messages?
0
 

Author Comment

by:apollo-13
ID: 40351981
hi clayton

I think my problem ,Domain controller local admin ,because i dont any problem with other servers.

example. i log on my other win2012 terminal server like ts1\administrator then i can make all updateson this server.

But how i do on DC ,because there is no local admin ,i mean i cant log in DC1\administrator  for updates.
0
 
LVL 17

Assisted Solution

by:LesterClayton
LesterClayton earned 250 total points
ID: 40351984
There is no local administrator - you cannot log on as a local administrator.

Please post some screenshots showing the errors  you are getting.
0
 

Author Comment

by:apollo-13
ID: 40351986
also comes out UPDATES INSTALL screen sometimes ,i click install but comes other (yellow) screen and says some configurations make configure from systemadministrator

even i loged domain admin on dc
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 

Author Comment

by:apollo-13
ID: 40351989
errors you mean wsus logs on dc?
0
 

Author Comment

by:apollo-13
ID: 40351994
2014-09-30      12:07:40:983       928      1210      AU      ###########  AU: Initializing Automatic Updates  ###########
2014-09-30      12:07:40:983       928      1210      AU      AIR Mode is disabled
2014-09-30      12:07:40:983       928      1210      AU        # Policy Driven Provider: http://wsusserver:8530
2014-09-30      12:07:40:983       928      1210      AU        # Detection frequency: 22
2014-09-30      12:07:40:983       928      1210      AU        # Approval type: Pre-install notify (Policy)
2014-09-30      12:07:40:983       928      1210      AU        # Auto-install minor updates: No (User preference)
2014-09-30      12:07:40:983       928      1210      AU        # Will interact with non-admins (Non-admins are elevated (User preference))
2014-09-30      12:07:41:076       928      1210      AU      WARNING: Failed to get Wu Exemption info from NLM, assuming not exempt, error = 0x80240037
2014-09-30      12:07:41:076       928      1210      AU      AU finished delayed initialization
2014-09-30      12:07:41:092      1500      dac      Misc      ===========  Logging initialized (build: 7.8.9200.16693, tz: +0200)  ===========
2014-09-30      12:07:41:092      1500      dac      Misc        = Process: C:\Windows\Explorer.EXE
2014-09-30      12:07:41:092      1500      dac      Misc        = Module: C:\Windows\system32\wucltux.dll
2014-09-30      12:07:41:092      1500      dac      CltUI      FATAL: CNetworkCostChangeHandler::RegisterForCostChangeNotifications: CoCreateInstance failed with error 80004002
2014-09-30      12:07:41:092      1500      dac      CltUI      WARNING: RegisterNetworkCostChangeNotification: Error 80004002
2014-09-30      12:18:18:361       928      1210      AU      ###########  AU: Uninitializing Automatic Updates  ###########
2014-09-30      12:18:18:408       928      1210      WuTask      Uninit WU Task Manager
2014-09-30      12:18:18:439       928      1210      Service      *********
2014-09-30      12:18:18:439       928      1210      Service      **  END  **  Service: Service exit [Exit code = 0x240001]
2014-09-30      12:18:18:439       928      1210      Service      *************
0
 
LVL 17

Assisted Solution

by:LesterClayton
LesterClayton earned 250 total points
ID: 40352010
Here is your error code:

FATAL: CNetworkCostChangeHandler::RegisterForCostChangeNotifications: CoCreateInstance failed with error 80004002

From the looks of things, you have had this issue already:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2012/Q_28404012.html

You accepted multiple peoples answers as solutions.

Unfortunately, I have no first hand experience with this error code, so I am unsubscribing from this topic.  Hopefully, others can help.
0
 
LVL 47

Assisted Solution

by:dstewartjr
dstewartjr earned 200 total points
ID: 40352426
Try reinstalling the Windows Update Agent on this server

http://windows.microsoft.com/en-us/windows7/windows-update-error-80004002

You should install from command line using  /quiet /norestart /wuforce

so  windowsupdateagent30-x64.exe /quiet /norestart /wuforce
0
 
LVL 47

Assisted Solution

by:dstewartjr
dstewartjr earned 200 total points
ID: 40352446
You also will need to update your WSUS to support 2012

http://blogs.technet.com/b/sus/archive/2012/09/05/additional-note-on-kb-2734608-regarding-wsu-windows-8-and-windows-server-2012.aspx

Make sure you install this latest update on your WSUS server, which includes KB 2734608

http://support2.microsoft.com/kb/2828185
0
 

Author Comment

by:apollo-13
ID: 40353944
this server is main Domain controller which we want agent uninstall, do i need to consider something before agent uninstall?
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 40354579
uninstall ???

The agent *MUST* be installed in order for windows update to work.
0
 

Author Comment

by:apollo-13
ID: 40356603
Try reinstalling the Windows Update Agent on this server ---  no sucess ,reinstalled but still cant updates.


2014-10-02      11:31:26:596       916       44      Agent        * Found 58 updates and 69 categories in search; evaluated appl. rules of 488 out of 964 deployed entities
2014-10-02      11:31:26:596       916       44      Agent      *********
2014-10-02      11:31:26:596       916       44      Agent      **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
2014-10-02      11:31:26:596       916       44      Agent      *************
2014-10-02      11:31:26:596       916      f94      AU      >>##  RESUMED  ## AU: Search for updates [CallId = {BE4A6117-88AC-4B89-AE58-AC9D3FA4A6FB} ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}]
2014-10-02      11:31:26:596       916      f94      AU        # 58 updates detected
2014-10-02      11:31:26:596       916      f94      AU      #########
2014-10-02      11:31:26:596       916      f94      AU      ##  END  ##  AU: Search for updates  [CallId = {BE4A6117-88AC-4B89-AE58-AC9D3FA4A6FB} ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}]
2014-10-02      11:31:26:596       916      f94      AU      #############
2014-10-02      11:31:26:596       916      f94      AU      All AU searches complete.
0
 
LVL 47

Assisted Solution

by:dstewartjr
dstewartjr earned 200 total points
ID: 40357004
Really??

# 58 updates detected

Did you update your WSUS also ???
0
 

Author Comment

by:apollo-13
ID: 40363490
wsus log says:
IsSessionRemote: WinStationQueryInformationW(WTSIsRemoteSession) failed for session 2, GetLastError
0
 
LVL 47

Accepted Solution

by:
dstewartjr earned 200 total points
ID: 40363635
Again, have you installed http://support2.microsoft.com/kb/2828185  ?????
0
 

Author Closing Comment

by:apollo-13
ID: 40363665
thanks
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 40363760
What comment actually helped you solve your problem??? Accepting multiple answers is of no help to the database.
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

My GPO's made for 2008 R2 servers were not allowing me to RDP into a new 2012 server by default.  That’s why I tried to allow RDP via Powershell, because I could log into a remote shell without further configuration. Below I will describe how I wen…
Understanding the various editions available is vital when you decide to purchase Windows Server 2012. You need to have a basic understanding of the features and limitations in each edition in order to make a well-informed decision that best suits y…
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now