unable to deploy updates to clients using WSUS

Hello Experts,

I have a client that recently migrated and reverted changes to their WSUS infrastructure. After that, the client is unable to push all updates to all computers. After further investigation, I discovered that the GPO is properly applied to all workstations using port 8530, but somehow the computers still make a reference to an old, different port number used in the past.

I was able to identify that the policy is properly applied to computers; however, for some reason, there is a registry key in all computers that makes reference to an old port number server. Please see details below, and let me know if I have to reinstall WSUS and choose port 80, or if I can modify the existing IIS binding settings to use the same port that is being used by the GPO.

Background:

I would like to summarize all troubleshooting steps taken today regarding the existing WSUS infrastructure at CompanyAcme.

Telnet from testing machines to your WSUS server on port 80 and 8530 passed successfully. Link http://technet.microsoft.com/en-us/magazine/gg153542.aspx

Opened a Web browser on the client and went to http://<WSUSServerName>/iuident.cab

Manually deleted the existing WSUS GPO policies in AD.

Forced replication among all DCs.

The following settings were applied to the WSUS console: Synchronization Schedule, Automatic Approvals, and Computer container to use Group Policy or registry settings on Computers.

Deployed a new GPO named WSUS Update policy; only two settings were configured [Configure Automatic updates and specify intranet Microsoft Update service location to locate your current WSUS server on port 8530].

Linked the GPO to a testing OU. The policy is link enabled and forced. We did block inheritance over the test OU to prevent any issues with other policies, and computers lost RDP access. Block inheritance was disabled to roll back changes.

Forced replication in AD.

From two test computers, we ran gpupdate /force and each computer was rebooted.

The new GPO was correctly applied to computers; however, all computers still make a reference to a different port used on a previous WSUS upgrade/deploy server [port 8xxxx].

Once your machines are able to look at the current WSUS server and the correct port, patches will be deployed properly.

You mentioned earlier that WSUS for Windows 2012 server was deployed in the past, then realized System Center Essentials is not compatible with Windows 2012 R2 server and SCCM is required; all changes were reverted and you did the upgrade from Windows 2003 to Windows 2008.

Please see articles below, and see if that might help

http://www.wsus.info/index.php?showtopic=10906

http://technet.microsoft.com/en-us/library/cc708602%28v=ws.10%29.aspx

http://technet.microsoft.com/en-us/library/bb632477.aspx

Your thoughts?
Jerry Seinfield Asked:

McKnife Commented:
"for some reason, there is a registry key in all computers that makes reference to a old port number server" - what regkey? Name it, please.
Rename that regkey, reapply the policy using gpupdate /force at the client and restart your update service at the client and search for updates.
0
Jerry Seinfield (Author) Commented:
Any other suggestions?
0
SreRaj Commented:
Hi,

Please generate Resultant Set of Policies for a client machine using Group Policy Results Wizard in Group Policy Management Console. In RSOP, verify that the correct settings for port number are getting applied to client machine and see if there is any other GPO which is overriding expected settings.
0

Don (Network Administrator) Commented:
Firstly, WSUS does *NOT* do any pushing of updates; it is a pull technology (clients query WSUS for the updates that are approved/needed).

From a command prompt type:

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

Does this return the correct port number and server name?

If not, you most likely have a duplicate GPO that is taking precedence.
0

compdigit44 Commented:
I remember reading an article a while ago about "Group Policy Tattooing" where if a setting is set outside of the policy key in the registry it remains even after the policy is removed. The only way to undo this is to create a policy to negate the old policy or create a reg.exe script to remove the old settings.
0
Jerry Seinfield (Author) Commented:
Can you please indicate step-by-step instructions to set up that policy about Tattooing and negate the old policy?

Everyone,

Would it be possible that we have the wrong configuration in IIS with all the migrations done in the past?

If so, what should be modified in IIS to look at the correct port?
0
McKnife Commented:
Your feedback to the rsop suggestion is missing. It could all be very simple.
0
Jerry Seinfield (Author) Commented:
RSOP shows that we are using the wrong port 8531 instead of 8530; the other policies apparently do not make any reference to WSUS. In fact, I deleted all WSUS policies and created a new GPO for WSUS, and that is the one that is being applied to all machines; however, somehow the port used by machines is the wrong one, and not the one specified in the new GPO.
0
McKnife Commented:
dstewartjr asked you to do
--
From a command prompt type:

 reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
does this return the correct port number and server name ??
--
You gave no feedback yet.
0
Jerry Seinfield (Author) Commented:
That command returned the wrong port number but correct server name.
0
McKnife Commented:
Then delete that regkey, do a gpupdate and restart your update service.
0
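The check and fix discussed in this thread (query the WindowsUpdate policy key, compare the port, then delete the key, run gpupdate and restart the update service), as an added example that is not part of any participant's post. It assumes PowerShell 3.0 or later in an elevated session; the script parameters and the function name are illustrative, and `<WSUSServerName>` is a placeholder for your own server.

```powershell
# Added example, not code from the thread. Assumptions: the expected URL below
# (placeholder server name, port 8530 from the asker's GPO) and an elevated prompt.
param(
    [string]$ExpectedUrl = 'http://<WSUSServerName>:8530',
    [switch]$Remediate   # without this switch the script only reports
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Test-WsusPolicy {
    param([string]$KeyPath, [string]$Expected)
    # WUServer and WUStatusServer are the two URLs the
    # "Specify intranet Microsoft update service location" setting writes.
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $actual = (Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Value    = $name
            Actual   = $actual
            Expected = $Expected
            Match    = ($null -ne $actual) -and
                       ($actual.TrimEnd('/') -ieq $Expected.TrimEnd('/'))
        }
    }
}

$check = @(Test-WsusPolicy -KeyPath $policyKey -Expected $ExpectedUrl)
$check | Format-Table -AutoSize

$mismatch = @($check | Where-Object { -not $_.Match })
if ($mismatch.Count -gt 0 -and $Remediate) {
    # Steps suggested in the thread: remove the stale key, reapply policy,
    # restart the Windows Update service.
    Remove-Item -Path $policyKey -Recurse -Force -ErrorAction SilentlyContinue
    gpupdate /target:computer /force | Out-Null
    Restart-Service -Name wuauserv

    # If the wrong port is back after this, a GPO is still writing it;
    # look at the GPO name reported in RSoP for that setting.
    Test-WsusPolicy -KeyPath $policyKey -Expected $ExpectedUrl | Format-Table -AutoSize
}
```

Run it without `-Remediate` first to see what each client currently has; a mismatch that returns after remediation points at the policy source rather than at the client.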
Jerry Seinfield (Author) Commented:
Do I have to repeat the same for all computers? Like I mentioned earlier, this was an upgrade, and none of my computers are getting the updates
0
Don (Network Administrator) Commented:
"that command returned the wrong port number but correct server name. "

Then you are not locating the GPO that is applying. Look closer at your RSOP.msc where it says "GPO NAME"
0
compdigit44 Commented:
You could post the RSOP and block out your server names so everyone can help you review them
0