Solved

Problem with WSUS 3.0 SP2 Synchronization

Posted on 2015-01-09
634 Views
Last Modified: 2016-02-20
I recently had to do some updating to my IIS7.5 server that runs WSUS and Exchange 2010 Web Services.  After finally getting autodiscover to work, I can no longer synchronize WSUS to the Microsoft site.  When I try to do so, I get the following message.

The error type is unknown.

TypeInitializationException: The type initializer for 'Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy' threw an exception. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
   at Microsoft.UpdateServices.Internal.ClassFactory.CreateInstance(Type type, Object[] args)
   at Microsoft.UpdateServices.ServerSync.ServerSyncLib.GetWebServiceProxyInternal(UpdateServerConfiguration serverConfig, WebServiceCommunicationHelper webServiceHelper, Boolean useCompressionProxy)
   at Microsoft.UpdateServices.ServerSync.ServerSyncLib.GetWebServiceCompressionProxy(UpdateServerConfiguration serverConfig, WebServiceCommunicationHelper webServiceHelper)
   at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.RetrieveSubscriptionData()
   at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ExecuteSyncProtocol(Boolean allowRedirect)

It appears to be related to SSL/TLS negotiation.  There are also the following errors in the Application Log

Error Windows Server Update Services, Event ID 13042 Task Category 6, Self-update is not working.
Error Windows Server Update Services, Event ID 10022 Task Category 7, The last catalog synchronization attempt was unsuccessful.
Error Windows Server Update Services, Event ID 12002, Task Category 9, The Reporting Web Service is not working.
Error Windows Server Update Services, Event ID 12012, Task Category 9, The API Remoting Web Service is not working.
Error Windows Server Update Services, Event ID 12022, Task Category 9, The Client Web Service is not working.
Error Windows Server Update Services, Event ID 12042, Task Category 9, The SimpleAuth Web Service is not working.
Error Windows Server Update Services, Event ID 12052, Task Category 9, The DSS Authentication Web Service is not working.

All of the client computers are able to connect to WSUS, and are reporting their status, the only issue is with the server not being able to synchronize.

The history...

Set up Server 2008 R2 and MS Exchange 2010 using domain.local.
Obtained GoDaddy UCC Certificate that listed both domain.com and domain.local for mail., autodiscover., etc...
Installed WSUS 2.0 (have since moved to latest version).

Everything worked fine.

When the certificate expired, I had to purchase a new UCC certificate.  GoDaddy took away the ability to have .local as an alt subject.  Still things were working OK.

I ran into some problems over the past weekend trying to make a configuration change (web redirect for domain.com to go to our www site hosted on another server (compliance reasons)).  Broke a lot of things, but got everything running OK for Exchange (no more certificate errors, autodiscover, which never worked correctly in the past now fixed, etc...).  I did this by changing the local server for a number of the services in IIS7.5 to the domain.com or mail.domain.com instead of domain.local or mail.domain.local.

After all was fixed, tried to open the MMC for WSUS.  It wouldn't connect to the computer, which in the past was connected to simply by entering the computer name MAILSERVER1.   Was able to connect using MAIL.DOMAIN.COM or DOMAIN.COM instead.  However, now I can't get synchronizations to work.  I have checked to make sure the locally generated certificate was in the trusted store, it is.  I have also double, triple and quadruple checked all IIS security and authentication settings.  All appear to be OK.

Does anyone know what would be causing the error above?  I am at my wits end, and about to either move WSUS to a different server (really don't want to screw up Exchange again), or abandon it (which I hate to do because a number of our users don't install updates when prompted, or don't tell me if they have an error installing an update...very nice to be able to monitor from WSUS).

Thanks in advance to the wizard who can help me solve this problem.
Question by:CATMAN1966
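The stack trace above fails inside ServerSyncProxy, i.e. while the WSUS server opens its own outbound TLS session to the sync endpoint, which is independent of the inbound bindings the clients use. The script below is an added diagnostic, not code from this thread or from Microsoft; it assumes an elevated PowerShell session on the WSUS 3.x server itself (where the Microsoft.UpdateServices.Administration assembly is present), and the function names are its own. It reads where the server actually syncs from, performs the same kind of certificate-validated handshake to that host and records the chain verdict instead of hiding it, then pulls the Application-log event IDs quoted in the question.

```powershell
# Added diagnostic script (not from the thread). Assumes an elevated session on the
# WSUS 3.x server; Get-WsusSyncTarget, Test-TlsTrust and Get-WsusServiceErrors are
# names chosen here. If WSUS is configured to use a proxy, the direct probe below
# does not go through it, so compare UseProxy/Proxy in the first output.

function Get-WsusSyncTarget {
    # Where does this server synchronize from: Microsoft Update or an upstream WSUS?
    [void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
    $wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $config = $wsus.GetConfiguration()
    $last   = $wsus.GetSubscription().GetLastSynchronizationInfo()
    if ($config.SyncFromMicrosoftUpdate) {
        $uri = New-Object System.Uri($config.MUUrl)
        $hostName = $uri.Host; $port = $uri.Port; $useSsl = ($uri.Scheme -eq 'https')
    } else {
        $hostName = $config.UpstreamWsusServerName
        $port     = $config.UpstreamWsusServerPortNumber
        $useSsl   = $config.UpstreamWsusServerUseSsl
    }
    New-Object PSObject -Property @{
        HostName = $hostName; Port = $port; UseSsl = $useSsl
        UseProxy = $config.UseProxy
        Proxy    = ('{0}:{1}' -f $config.ProxyName, $config.ProxyServerPort)
        LastSyncResult = $last.Result; LastSyncEnd = $last.EndTime
    }
}

function Test-TlsTrust {
    # Full TLS handshake with normal validation. The callback only records what the
    # peer presented and why the chain failed; it returns the real verdict, so a bad
    # chain still fails here exactly as it fails for ServerSyncProxy.
    param([Parameter(Mandatory=$true)][string]$HostName, [int]$Port = 443)
    $report = New-Object PSObject -Property @{
        HostName = $HostName; Port = $Port; Trusted = $false; Error = $null
        Subject = $null; Issuer = $null; NotAfter = $null; PolicyErrors = $null; ChainStatus = @()
    }
    $script:tlsProbe = $null
    $callback = {
        param($sender, $cert, $chain, $policyErrors)
        $copy = $null
        if ($cert) { $copy = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert) }
        $status = @()
        if ($chain) { $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) }
        $script:tlsProbe = @{ Cert = $copy; ChainStatus = $status; Errors = $policyErrors.ToString() }
        return ($policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    }
    $client = $null; $ssl = $null
    try {
        $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false, [System.Net.Security.RemoteCertificateValidationCallback]$callback)
        $ssl.AuthenticateAsClient($HostName)
        $report.Trusted = $true
    } catch {
        $report.Error = $_.Exception.Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($client) { $client.Close() }
    }
    if ($script:tlsProbe) {
        if ($script:tlsProbe.Cert) {
            $report.Subject  = $script:tlsProbe.Cert.Subject
            $report.Issuer   = $script:tlsProbe.Cert.Issuer
            $report.NotAfter = $script:tlsProbe.Cert.NotAfter
        }
        $report.PolicyErrors = $script:tlsProbe.Errors      # e.g. RemoteCertificateChainErrors
        $report.ChainStatus  = $script:tlsProbe.ChainStatus # e.g. UntrustedRoot, PartialChain, NotTimeValid
    }
    $report
}

function Get-WsusServiceErrors {
    # The Application-log event IDs quoted in the question.
    param([int[]]$EventIds = @(13042, 10022, 12002, 12012, 12022, 12042, 12052), [int]$Newest = 200)
    Get-EventLog -LogName Application -Source 'Windows Server Update Services' -Newest $Newest -ErrorAction SilentlyContinue |
        Where-Object { $EventIds -contains $_.EventID } |
        Select-Object TimeGenerated, EventID, Message
}

$target = Get-WsusSyncTarget
$target | Format-List
if ($target.UseSsl) {
    Test-TlsTrust -HostName $target.HostName -Port $target.Port | Format-List
}
Get-WsusServiceErrors | Format-Table -AutoSize
```

A chain status of UntrustedRoot or PartialChain points at the machine's certificate stores (the "root certificates up to date?" question below), NotTimeValid at clock or expiry, and RemoteCertificateNameMismatch at the configured host name; a Trusted = True result while WSUS still fails suggests the proxy or the WSUS configuration rather than certificate trust.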
9 Comments
LVL 19

Expert Comment

by:compdigit44
ID: 40542185
Are you getting any crypt32 errors in your event logs? Are the root certificates up to date on your server?

On a side note, you stated your web server host both wsus and Exchange web services. I hope you have other servers if not this is a single point of failure for you.

Author Comment

by:CATMAN1966
ID: 40542235
No crypt32 errors in any of the logs.

My environment is relatively simple.  2 Win 2008 R2 servers.  Server 1 is file server/SQL server.  Server 2 is Exchange 2010/WSUS server.  About 40 clients.

I am using the Windows Internal Database with WSUS, not SQL.

When I set up originally, I wanted to keep the file server set up without web services for security, so I used the Exchange Server (that does not host our company web site, that is hosted elsewhere) when I set up WSUS.  It has worked pretty well for the most part over the past 4 years.  

I think I can get it to work if I set up bindings for 8530 and 8531, but both Exchange and WSUS are running under the Default Web Site and this causes autodiscover to fail.

I am far from being an IIS 7.5 expert, and am not sure what applications/virtual directories need to be moved or copied (how do you copy, or can you) from the Default Site to a new web site on IIS using the bindings above.  I think that would be one solution.  The other solution that might be easier is to move WSUS to the file/SQL server where there are no other web apps.

Of course, I would prefer to leave as-is and correct the problem, but I have searched everywhere for advice on this issue, and can't find anything that will work.

What course of action would you choose?
LVL 19

Expert Comment

by:compdigit44
ID: 40542462
While this is not an ideal setup .... it did work before you made changes to autodiscovery.  Is the server itself able to access the Windows Update site? Control Panel => Windows Update?

Is the server a VM by any chance?

Author Comment

by:CATMAN1966
ID: 40542578
The server CAN reach the server, as can all of the clients.  It is only a problem with the server trying to reach the external Windows Update Server.  No virtual machines...yet, I am toying with the idea when I upgrade late this year or mid 2016.

Just checked registry...there were a number of values pointing to the local domain relating to WSUS.  Changed to the public domain, rebooted, no difference.  Everything still works the same, still get the error trying to synchronize.

Thanks
LVL 19

Expert Comment

by:compdigit44
ID: 40543134
In IIS what ports are in use by your web sites?
If WSUS is going right to MS it would be using port 80 or 443?  Did you set WSUS up to use https?

Accepted Solution

by:
CATMAN1966 earned 0 total points
ID: 40543300
Ports 80, 443 are only open.  If I bind 8530 and 8531 (as http, https respectively), it causes an issue with autodiscover (documented, but I don't have the link handy).  Both ports redirect to the outside server our web site is hosted on.  Users can access the site at mail.domain.com/owa, and all other apps and virtual directories are redirected to the owa app.

I did set up WSUS to use https.

I am pretty sure I have two options.  

1. Move WSUS to a different site on the web server and bind to 8530 and 8531 then reconfigure WSUS.  I don't have a strong background in IIS7 configuration so this worries me since it is our production E-mail and backup server both of which are working exactly as intended.

2. Install WSUS on the other server.  Opens IIS services up to our LAN, but shouldn't cause a huge security risk.  

I am doing the second.  I will have to reapprove all updates, but it is a lot less time consuming than trying to mess with the e-mail server and potentially causing a mess.  The whole issue started when a client noticed that domain.com was redirected to our OWA site.  Times are changing and a lot more users don't type www at the beginning of an URL so I made changes to DNS and IIS.  In the process I ran into a couple of issues with autodiscover and OOF settings.  It took me two days to get them working again (with certificate errors to users and other issues along the way).  I didn't realize I had created the current issue until the other day when I went to manually check for updates in WSUS.  Given my last encounter with making changes to IIS, I am nervous to do anything else since it is working fine and only has a couple of minor potential security issues that I will resolve in the near future (I regularly scan externally and internally with Nexpose).  

At the moment, it is working...failed on the first install.  Uninstalled, reinstalled, installed correctly.  It is synchronizing, but since it is the first time, it is doing so very slowly (about 51% in an hour).  I haven't changed GP to point to the new WSUS server yet, but know how to negotiate the registry very well to resolve client connection errors (have dealt with these for years on various clients).

I'm not going to uninstall WSUS from the mail/backup server as it will be decommissioned next year as it is near the end of its life cycle. I'm not having performance issues so just will make sure all machines are checking in with the new and not checking in with the old.

I'll let you know how it goes.  Thanks for the ideas.
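Option 1 above hinges on a fact that is easy to lose track of on a shared IIS box: which site owns the port WSUS was installed on, and whether Exchange applications live under that same site. The check below is an added example, not code from this thread; it assumes it runs on the IIS 7.5 server with the WebAdministration module (shipped with IIS 7.5), that WSUS 3.x setup values are under HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup (PortNumber, UsingSSL, TargetDir), and the function name is its own. It reports, per site bound to the WSUS port, which applications belong to WSUS and which do not, so you can see before touching bindings whether WSUS shares a site with production mail.

```powershell
# Added check (not from the thread). Assumes IIS 7.5 with WebAdministration and the
# WSUS 3.x setup registry key named below; Get-WsusSitePlacement is a name chosen here.
Import-Module WebAdministration

function Get-WsusSitePlacement {
    $setup    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
    $wsusPort = [int]$setup.PortNumber
    $wsusDir  = $setup.TargetDir.TrimEnd('\')
    $usingSsl = ([int]$setup.UsingSSL -eq 1)

    foreach ($site in Get-Website) {
        # bindingInformation is "ip:port:hostheader", e.g. "*:80:" or "*:8530:"; the
        # regex takes the port field so IPv6 literals with colons do not break it.
        $ports = @(Get-WebBinding -Name $site.Name | ForEach-Object {
            if ($_.bindingInformation -match ':(\d+):[^:]*$') { [int]$matches[1] }
        })
        if ($ports -notcontains $wsusPort) { continue }

        # WSUS apps resolve to paths under TargetDir; Exchange (owa, Autodiscover, EWS, ...) does not.
        $apps      = @(Get-WebApplication -Site $site.Name)
        $wsusApps  = @($apps | Where-Object { $_.PhysicalPath -like "$wsusDir*" }    | ForEach-Object { $_.path })
        $otherApps = @($apps | Where-Object { $_.PhysicalPath -notlike "$wsusDir*" } | ForEach-Object { $_.path })

        New-Object PSObject -Property @{
            Site              = $site.Name
            Ports             = ($ports | Sort-Object -Unique)
            WsusPort          = $wsusPort
            WsusUsingSSL      = $usingSsl
            WsusApps          = $wsusApps
            OtherApps         = $otherApps
            # True is the situation described in this thread: WSUS and Exchange under
            # one site, so a binding change for one affects the other.
            SharedWithNonWsus = (($wsusApps.Count -gt 0) -and ($otherApps.Count -gt 0))
        }
    }
}

Get-WsusSitePlacement | Format-List
```

If SharedWithNonWsus is True and WsusUsingSSL is True, the WSUS virtual directories also inherit the site's certificate and SSL settings, which is why a certificate or host-name change made for Exchange silently changed what WSUS presented to its clients and to the console.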
LVL 19

Assisted Solution

by:compdigit44
compdigit44 earned 500 total points
ID: 40543412
Reinstall WSUS was going to be one of my next suggestions to you. This is why I asked if the server was a VM so you could take a snapshot...

Nice work..

Author Comment

by:CATMAN1966
ID: 40545253
Thanks...the synchronization finished on the new server, and machines are starting to check in, so this ended up being the easiest solution without doing anything that would cause me additional headaches on our Exchange Server.  I imagine I will have to do a wuauclt /detectnow /resetauthorization on a couple, but so far that doesn't seem to be an issue.
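Since the old WSUS instance is staying up until decommissioning, the remaining risk is clients that never pick up the new policy and keep reporting to a server nobody is approving updates on. The script below is an added example, not from this thread; it assumes it is run as administrator on a domain client, reads the standard Windows Update policy keys, and takes the expected server URL as a placeholder parameter (the function names are its own). It confirms the policy points at the new server, that the client-side port is reachable, and prints the same re-registration commands mentioned above only when the check fails.

```powershell
# Added client-side check (not from the thread). The default URL is a placeholder;
# pass the real new WSUS URL. Test-WsusClientPolicy and Test-TcpPort are names chosen here.
param([string]$ExpectedServer = 'https://NEW-WSUS-SERVER:8531')

function Normalize-Url {
    param([string]$Url)
    if ($Url) { return $Url.TrimEnd('/').ToLowerInvariant() } else { return '' }
}

function Test-TcpPort {
    # Plain TCP connect to the WSUS client port; no data is sent.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-WsusClientPolicy {
    param([Parameter(Mandatory=$true)][string]$ExpectedServer)
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$policy\AU" -ErrorAction SilentlyContinue
    $id = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate' -ErrorAction SilentlyContinue

    $expected = Normalize-Url $ExpectedServer
    $uri = New-Object System.Uri($ExpectedServer)
    $pointsAtExpected = ((Normalize-Url $wu.WUServer) -eq $expected) -and
                        ((Normalize-Url $wu.WUStatusServer) -eq $expected) -and
                        ($au.UseWUServer -eq 1)

    New-Object PSObject -Property @{
        WUServer         = $wu.WUServer
        WUStatusServer   = $wu.WUStatusServer
        UseWUServer      = ($au.UseWUServer -eq 1)
        SusClientId      = $id.SusClientId        # duplicated IDs across imaged clients are a classic check-in problem
        PointsAtExpected = $pointsAtExpected
        ExpectedReachable = (Test-TcpPort -HostName $uri.Host -Port $uri.Port)
    }
}

$result = Test-WsusClientPolicy -ExpectedServer $ExpectedServer
$result | Format-List
if (-not $result.PointsAtExpected) {
    Write-Warning 'Policy still names another server or is not applied. Refresh and re-register:'
    Write-Warning '  gpupdate /target:computer /force'
    Write-Warning '  wuauclt /resetauthorization /detectnow'
}
```

Run it on a few clients from each OU after the GPO change; a PointsAtExpected = False with ExpectedReachable = True is a policy problem, while the reverse means the new server's binding or firewall is the thing to look at.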

Author Closing Comment

by:CATMAN1966
ID: 40554958
Expert helped me think through the issue with the above comments, but my idea to move to a different server was the final resolution that worked with the least amount of headaches.
