?
Solved

windows 2012 security update from wsus

Posted on 2014-09-30
25
Medium Priority
?
281 Views
Last Modified: 2016-02-20
i have a windows 2012 domain controller and wsus server. Our group gpo says only local administrator can install updates on servers.
But domain controller none local admin.
How can i make all security updates on domain controller server
0
Comment
Question by:apollo-13
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 13
  • 6
  • 5
  • +1
25 Comments
 
LVL 18

Assisted Solution

by:LesterClayton
LesterClayton earned 1000 total points
ID: 40351847
Domain controllers indeed don't have local administrators - you have to be a member of the Administrators group of the Domain itself.

Administrators group in Domain
Begin a member of this group will give you administrator access over all Domain Controllers.  Domain Admins are also a memver of this group, so if you are a Domain Admin, then you already have sufficient rights.
0
 

Author Comment

by:apollo-13
ID: 40351855
i am in administartors group, but still cant server wsus update .if i log the DC with domain\superuser  (superuser=DOMAIN ADMIN) windows update cant and says windows updates systemadmistrator.
0
 
LVL 5

Assisted Solution

by:Abdul Khadja Alaoudine
Abdul Khadja Alaoudine earned 200 total points
ID: 40351860
Domains admins are local administrator on Domain Controllers. Therefore, you don't have to make any further changes. Have you tried installing updates on DC?
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 18

Assisted Solution

by:LesterClayton
LesterClayton earned 1000 total points
ID: 40351865
This actually sounds like a UAC issue (User Account Control), but this is pretty much clutching at straws.

Try log in as DOMAIN\Administrator (i.e. the actual Administrator).  This account is not UAC limited by default.  If it works logged in Administrator, then it will confirm if this is a UAC issue or not.  The resolution to that would be to change the default domain controller policy to disable "User Account Control: Run all administrators in admin approval mode"

Turn off UAC for All Administrators
0
 

Author Comment

by:apollo-13
ID: 40351869
Have you tried installing updates on DC?---YES
0
 

Author Comment

by:apollo-13
ID: 40351876
i logged to Domain controller domain\administrator .Thats mean is i have like local admin isnt.

But windows updates says me . some configurations make configure from systemadministrator(Yellow).
0
 

Author Comment

by:apollo-13
ID: 40351877
UAC ist disabled before.
0
 

Author Comment

by:apollo-13
ID: 40351883
can be some where WSUS makes problem .when i need to windows update on the other server then i log local admin and make updates
0
 
LVL 18

Assisted Solution

by:LesterClayton
LesterClayton earned 1000 total points
ID: 40351975
It's hard to think that WSUS would be the cause of the issue - all it does is present a list of updates to your WSUS Client.

Can you post some screenshots showing the error messages?
0
 

Author Comment

by:apollo-13
ID: 40351981
hi clayton

I think my problem ,Domain controller local admin ,because i dont any problem with other servers.

example. i log on my other win2012 terminal server like ts1\administrator then i can make all updateson this server.

But how i do on DC ,because there is no local admin ,i mean i cant log in DC1\administrator  for updates.
0
 
LVL 18

Assisted Solution

by:LesterClayton
LesterClayton earned 1000 total points
ID: 40351984
There is no local administrator - you cannot log on as a local administrator.

Please post some screenshots showing the errors  you are getting.
0
 

Author Comment

by:apollo-13
ID: 40351986
also comes out UPDATES INSTALL screen sometimes ,i click install but comes other (yellow) screen and says some configurations make configure from systemadministrator

even i loged domain admin on dc
0
 

Author Comment

by:apollo-13
ID: 40351989
errors you mean wsus logs on dc?
0
 

Author Comment

by:apollo-13
ID: 40351994
2014-09-30      12:07:40:983       928      1210      AU      ###########  AU: Initializing Automatic Updates  ###########
2014-09-30      12:07:40:983       928      1210      AU      AIR Mode is disabled
2014-09-30      12:07:40:983       928      1210      AU        # Policy Driven Provider: http://wsusserver:8530
2014-09-30      12:07:40:983       928      1210      AU        # Detection frequency: 22
2014-09-30      12:07:40:983       928      1210      AU        # Approval type: Pre-install notify (Policy)
2014-09-30      12:07:40:983       928      1210      AU        # Auto-install minor updates: No (User preference)
2014-09-30      12:07:40:983       928      1210      AU        # Will interact with non-admins (Non-admins are elevated (User preference))
2014-09-30      12:07:41:076       928      1210      AU      WARNING: Failed to get Wu Exemption info from NLM, assuming not exempt, error = 0x80240037
2014-09-30      12:07:41:076       928      1210      AU      AU finished delayed initialization
2014-09-30      12:07:41:092      1500      dac      Misc      ===========  Logging initialized (build: 7.8.9200.16693, tz: +0200)  ===========
2014-09-30      12:07:41:092      1500      dac      Misc        = Process: C:\Windows\Explorer.EXE
2014-09-30      12:07:41:092      1500      dac      Misc        = Module: C:\Windows\system32\wucltux.dll
2014-09-30      12:07:41:092      1500      dac      CltUI      FATAL: CNetworkCostChangeHandler::RegisterForCostChangeNotifications: CoCreateInstance failed with error 80004002
2014-09-30      12:07:41:092      1500      dac      CltUI      WARNING: RegisterNetworkCostChangeNotification: Error 80004002
2014-09-30      12:18:18:361       928      1210      AU      ###########  AU: Uninitializing Automatic Updates  ###########
2014-09-30      12:18:18:408       928      1210      WuTask      Uninit WU Task Manager
2014-09-30      12:18:18:439       928      1210      Service      *********
2014-09-30      12:18:18:439       928      1210      Service      **  END  **  Service: Service exit [Exit code = 0x240001]
2014-09-30      12:18:18:439       928      1210      Service      *************
0
 
LVL 18

Assisted Solution

by:LesterClayton
LesterClayton earned 1000 total points
ID: 40352010
Here is your error code:

FATAL: CNetworkCostChangeHandler::RegisterForCostChangeNotifications: CoCreateInstance failed with error 80004002

From the looks of things, you have had this issue already:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2012/Q_28404012.html

You accepted multiple peoples answers as solutions.

Unfortunately, I have no first hand experience with this error code, so I am unsubscribing from this topic.  Hopefully, others can help.
0
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 800 total points
ID: 40352426
Try reinstalling the Windows Update Agent on this server

http://windows.microsoft.com/en-us/windows7/windows-update-error-80004002

You should install from command line using  /quiet /norestart /wuforce

so  windowsupdateagent30-x64.exe /quiet /norestart /wuforce
0
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 800 total points
ID: 40352446
You also will need to update your WSUS to support 2012

http://blogs.technet.com/b/sus/archive/2012/09/05/additional-note-on-kb-2734608-regarding-wsu-windows-8-and-windows-server-2012.aspx

Make sure you install this latest update on your WSUS server, which includes KB 2734608

http://support2.microsoft.com/kb/2828185
0
 

Author Comment

by:apollo-13
ID: 40353944
this server is main Domain controller which we want agent uninstall, do i need to consider something before agent uninstall?
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 40354579
uninstall ???

The agent *MUST* be installed in order for windows update to work.
0
 

Author Comment

by:apollo-13
ID: 40356603
Try reinstalling the Windows Update Agent on this server ---  no sucess ,reinstalled but still cant updates.


2014-10-02      11:31:26:596       916       44      Agent        * Found 58 updates and 69 categories in search; evaluated appl. rules of 488 out of 964 deployed entities
2014-10-02      11:31:26:596       916       44      Agent      *********
2014-10-02      11:31:26:596       916       44      Agent      **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
2014-10-02      11:31:26:596       916       44      Agent      *************
2014-10-02      11:31:26:596       916      f94      AU      >>##  RESUMED  ## AU: Search for updates [CallId = {BE4A6117-88AC-4B89-AE58-AC9D3FA4A6FB} ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}]
2014-10-02      11:31:26:596       916      f94      AU        # 58 updates detected
2014-10-02      11:31:26:596       916      f94      AU      #########
2014-10-02      11:31:26:596       916      f94      AU      ##  END  ##  AU: Search for updates  [CallId = {BE4A6117-88AC-4B89-AE58-AC9D3FA4A6FB} ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}]
2014-10-02      11:31:26:596       916      f94      AU      #############
2014-10-02      11:31:26:596       916      f94      AU      All AU searches complete.
0
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 800 total points
ID: 40357004
Really??

# 58 updates detected

Did you update your WSUS also ???
0
 

Author Comment

by:apollo-13
ID: 40363490
wsus log says:
IsSessionRemote: WinStationQueryInformationW(WTSIsRemoteSession) failed for session 2, GetLastError
0
 
LVL 47

Accepted Solution

by:
Donald Stewart earned 800 total points
ID: 40363635
Again, have you installed http://support2.microsoft.com/kb/2828185  ?????
0
 

Author Closing Comment

by:apollo-13
ID: 40363665
thanks
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 40363760
What comment actually helped you solve your problem??? Accepting multiple answers is of no help to the database.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will review the basic installation and configuration for Windows Software Update Services (WSUS) in a Windows 2012 R2 environment.  WSUS is a Microsoft tool that allows administrators to manage and control updates to be approved and ins…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question