Solved

unable to deploy updates to clients using WSUS

Posted on 2014-12-23
Last Modified: 2016-02-20
Hello Experts,

I have a client that recently migrated and reverted changes to their WSUS infrastructure. After that, the client is unable to push all updates to all computers. After further investigation, I discovered that the GPO is properly applied to all workstations using port 8530, but somehow the computers still make reference to an old, different port number used in the past.

I was able to identify that the policy is properly applied to computers; however, for some reason, there is a registry key on all computers that makes reference to an old port number server. Please see details below, and let me know if I have to reinstall WSUS and choose port 80, or if I can modify the existing IIS binding settings to use the same port that is being used by the GPO.

Background:

I would like to summarize all troubleshooting steps taken today regarding the existing WSUS infrastructure at CompanyAcme.

Telnet from testing machines to your WSUS server on port 80 and 8530 passed successfully. Link http://technet.microsoft.com/en-us/magazine/gg153542.aspx

Opened a Web browser on the client and went to http://<WSUSServerName>/iuident.cab

Manually deleted the existing WSUS GPO policies in AD.

Forced replication among all DCs.

The following settings were applied to the WSUS console: Synchronization Schedule, Automatic Approvals, and Computer container to use Group Policy or registry settings on Computers.

Deployed a new GPO named WSUS Update policy; only two settings were configured [Configure Automatic updates and specify intranet Microsoft Update service location to locate your current WSUS server on port 8530].

Linked the GPO to a testing OU. Policy is Link enabled and force. We did block inheritance over the test OU to prevent any issues with other policies, and computers lost RDP access. Block inheritance was disabled to roll back changes.

Forced replication in AD.

From two test computers, we ran gpupdate /force and each computer was rebooted.

The new GPO was correctly applied to computers; however, all computers still make a reference to a different port used on a previous WSUS upgrade/deploy server [port 8xxxx].

Once your machines are able to look at the current WSUS server and the correct port, patches will be deployed properly.

You mentioned earlier that WSUS for Windows 2012 server was deployed in the past, then realized System Center Essentials is not compatible with Windows 2012 R2 server and SCCM is required; all changes were reverted and did the upgrade from Windows 2003 to Windows 2008.

Please see articles below, and see if that might help

http://www.wsus.info/index.php?showtopic=10906

http://technet.microsoft.com/en-us/library/cc708602%28v=ws.10%29.aspx

http://technet.microsoft.com/en-us/library/bb632477.aspx

Your thoughts?
Question by:Jerry Seinfield
15 Comments
 
LVL 53

Expert Comment

by:McKnife
ID: 40515931
"for some reason, there is a registry key in all computers that makes reference to a old port number server" - what regkey? Name it, please.
Rename that regkey, reapply the policy using gpupdate /force at the client and restart your update service at the client and search for updates.
0
 

Author Comment

by:Jerry Seinfield
ID: 40516005
Any other suggestions?
0
 
LVL 12

Assisted Solution

by:SreRaj
SreRaj earned 167 total points
ID: 40516072
Hi,

Please generate Resultant Set of Policies for a client machine using Group Policy Results Wizard in Group Policy Management Console. In RSOP, verify that the correct settings for port number are getting applied to client machine and see if there is any other GPO which is overriding expected settings.
0
 
LVL 47

Accepted Solution

by:Donald Stewart
Donald Stewart earned 167 total points
ID: 40516503
Firstly, WSUS does *NOT* do any pushing of updates; it is a pull technology (clients query WSUS for the updates that are approved/needed).

From a command prompt type:

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

Does this return the correct port number and server name?

If not, you most likely have a duplicate GPO that is taking precedence.
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 40517920
I remember reading an article a while ago about "Group Policy Tattooing" where if a setting is set outside of the policy key in the registry it remains even after the policy is removed. The only way to undo this is to create a policy to negate the old policy or create a reg.exe script to remove the old settings.
0
 

Author Comment

by:Jerry Seinfield
ID: 40517940
Can you please indicate step-by-step instructions to set up that policy about Tattooing and negate the old policy?

Everyone,

Would it be possible that we have the wrong configuration in IIS with all migrations done in the past?

If so, what should be modified in IIS to look at the correct port?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40518022
Your feedback to the rsop suggestion is missing. It could all be very simple.
0
 

Author Comment

by:Jerry Seinfield
ID: 40518074
RSOP shows that we are using wrong port 8531 instead of 8530; the other policies apparently do not make any reference to WSUS. In fact, I deleted all WSUS policies, created a new GPO for WSUS, and that is the one that is being applied to all machines; however, somehow the port used by machines is the wrong one, and not the one specified in the new GPO.
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 166 total points
ID: 40518328
dstewartjr asked you to do
--
From a command prompt type:

 reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
does this return the correct port number and server name ??
--
You gave no feedback yet.
0
 

Author Comment

by:Jerry Seinfield
ID: 40518497
That command returned the wrong port number but correct server name.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40518525
Then delete that regkey, do a gpupdate and restart your update service.
0
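
The check and reset suggested in the answers above (query the Windows Update policy key, delete it, run gpupdate, restart the update service), written as one PowerShell script. This is an added example, not part of the original thread; `$ExpectedUrl` is a placeholder for the WSUS URL set in the GPO, and the script assumes it is run elevated on an affected client.

```powershell
# Added example (not from the thread). $ExpectedUrl is a placeholder: set it to
# the WSUS URL configured in your GPO. Run elevated on the affected client.
param(
    [string]$ExpectedUrl = 'http://wsus.example.local:8530',  # placeholder value
    [switch]$Remediate
)

$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusPolicy {
    # Reads the two URL values the Windows Update client takes from policy.
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $p.WUServer
        WUStatusServer = $p.WUStatusServer
    }
}

function Test-WsusPolicy($policy) {
    # Both values must equal the expected URL, port included.
    $want = $ExpectedUrl.TrimEnd('/')
    ("$($policy.WUServer)".TrimEnd('/') -eq $want) -and
    ("$($policy.WUStatusServer)".TrimEnd('/') -eq $want)
}

$before = Get-WsusPolicy
"Before: WUServer=$($before.WUServer) WUStatusServer=$($before.WUStatusServer)"
if (Test-WsusPolicy $before) { 'Policy values match the expected URL.'; return }

# Save the computer RSOP report so the GPO delivering the value can be identified.
$report = Join-Path $env:TEMP 'wsus-rsop.html'
gpresult /scope computer /h $report /f

if (-not $Remediate) { "Mismatch. Review $report, or re-run with -Remediate."; return }

# Back up the key, remove it, and let the currently applied GPOs repopulate it.
reg export 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' (Join-Path $env:TEMP 'wu-policy-backup.reg') /y
Remove-Item -Path $key -Recurse -Force
gpupdate /target:computer /force
Restart-Service -Name wuauserv

$after = Get-WsusPolicy
if (Test-WsusPolicy $after) {
    'Fixed: the client now points at the expected URL.'
} else {
    "Still wrong ($($after.WUServer)): a GPO is still writing this value. See $report"
}
```

If the wrong port comes back after the reset, the value is being delivered by a GPO that still applies to the computer, and the saved report lists the applied GPOs to check.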
 

Author Comment

by:Jerry Seinfield
ID: 40518572
Do I have to repeat the same for all computers? Like I mentioned earlier, this was an upgrade, and none of my computers are getting the updates
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 40518575
"that command returned the wrong port number but correct server name. "

Then you are not locating the GPO that is applying. Look closer at your RSOP.msc where it says "GPO NAME"
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 40518802
You could post the RSOP and block out your server names so everyone can help you review them
0
