New WSUS server not seeing any computers

J.R. Sitman
J.R. Sitman used Ask the Experts™
on
I built a new WSUS server two days ago and it has not added any of our computers.  I changed the existing GPO to point to the new server.  I also rebooted all the computers.  It's 2012 R2 VM server on Hyper-V
I'm guessing I've missed a step in the installation.

What should I check?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Commented:
Check the Windows Update frequency of the client PCs.  
Even though you've rebooted, run "gpupdate /force" from a client.
Run "wuauclt /ShowWUAutoScan" on a client and watch for errors.
Run "wuauclt /r" on a client and then check the WSUS server
Thomas GrassiSystems Administrator
Commented:
You can check this registry

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.

See if the changes applied
Seth SimmonsSr. Systems Administrator
Commented:
did you put the correct port?
by default, WSUS on 2012 listens on port 8530; 8531 if using SSL
the location URL would thus look like this:

http://wsus-server:8530 or if you use SSL, https://wsus-server:8531
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

J.R. SitmanIT Director

Author

Commented:
did gpupdate /force

When I ran wuauclt /ShowWUAutoscan it open the "check for updates"  When I ran wuauclt /r it did not show up on the WSUS server.

On WSUS server if I do a search for a computer, it doesn't find it.

I didn't see and setting to enter a port #.

Registry on one computer still shows the previous WSUS server.  I double checked the GPO and it has the new server.
J.R. SitmanIT Director

Author

Commented:
Under the settings for Computers, it has "Use the Update Services console"  is that correct?
Thomas GrassiSystems Administrator

Commented:
Post your gpo info for wsus

Also take a look at the log file on the local computers

%systemroot%\windowsupdate.log

Check for errors
Post results
DonNetwork Administrator

Commented:
"Registry on one computer still shows the previous WSUS server.  I double checked the GPO and it has the new server. "

Did you create a new GPO for this new WSUS server, or did you edit the old ??
Seth SimmonsSr. Systems Administrator

Commented:
I didn't see and setting to enter a port #.

it's part of the URL
i provided the example above
you put the port number there the same way you port a port number the URL bar of a browser when it's other than 80 or 443

Commented:
Not sure on the "use the update services console"  I can't recall seeing that.

Check all of the applied GP to your client by running "gpresult /r" on your client and see if you've possibly got the WSUS configured in two separate GPO.    

Once you've ID'd the correct GPO, just run "gpupdate /force" instead of rebooting to save some time.
DonNetwork Administrator

Commented:
You can also speed up clients reporting by running the following .bat on them

%Windir%\system32\gpupdate

%Windir%\system32\net.exe stop bits
%Windir%\system32\net.exe stop wuauserv
%Windir%\system32\net.exe stop cryptsvc
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f
del %WINDIR%\WindowsUpdate.log /S /Q
rd /s /q %windir%\softwareDistribution
%Windir%\system32\net.exe start cryptsvc
%Windir%\system32\net.exe start bits
%Windir%\system32\net.exe start wuauserv


sc sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)


sc sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

wuauclt /resetauthorization /detectnow
wuauclt /reportnow

exit /B 0
J.R. SitmanIT Director

Author

Commented:
J.R. SitmanIT Director

Author

Commented:
when I enter either of the ports I get page cannot be displayed.

Also I don't believe running the bat file will fix anything because the computer settings are still pointed to the previous server.
J.R. SitmanIT Director

Author

Commented:
I verified only one WSUS GPO is being deployed to the computer
Seth SimmonsSr. Systems Administrator

Commented:
so when you installed WSUS, you changed the default port to 80 with wsusutil?
J.R. SitmanIT Director

Author

Commented:
I don't recall what port I used.  How do I verify and or change?
J.R. SitmanIT Director

Author

Commented:
I think I may have found the problem.  I made a new GPO, removed the OU from the old GPO.  From a computer I did gpupdate /force.  It states it was successful, however then it states computer policy could not be updated.  
See attached.   I'll be away from the computer for an hour.
wsus-command.jpg
Seth SimmonsSr. Systems Administrator

Commented:
How do I verify and or change?

it's in the wsus2.jpg screenshot you posted earlier (update service and statistics server location)
based on what you are providing, might also be something else going on
check your domain controller replication for any issues
Commented:
Attached are some screen shots.   The WSUS here is on port 8530 so in the GPO the address is:  http://10.100.0.19:8530 as you'll see.
WSUS console.   Server set to port 8530.GPO WSUS server location specificationWSUS settings that are touched in GPO.
J.R. SitmanIT Director

Author

Commented:
I fixed the problem in post 40914470.  I had a brain fart and the // were backward in the GPO.  
However, I still can't get the the wsus server using http://wsusVM_LA:8530 or it's ip address, http://172.16.1.78:8530

I did verify the port is 8530 based on Lukemo screen shot.  
In the GPO I have only the server name http://WSUSVM_LA.  Also the old server still has WSUS installed.

Additional help is appreciated.
Thomas GrassiSystems Administrator

Commented:
that's why I setup a DNS record for WSUS then the GPO using the DNS record so if you ever change the server you will not need to remember to change any thing


Just food for thought
J.R. SitmanIT Director

Author

Commented:
Thanks, but still need help on this.
Thomas GrassiSystems Administrator

Commented:
Lets try this from your computer not the server running WSUS

Start MMC

File >  Add/Remove snap in >  scroll down Available Snap-ins > Select Update Services > OK

Highlight "Update Services"  in right most panel click on Connect to Server

Enter server name  WSUSVM_LA  PORT default is 80 if you setup WSUS as default try 8530

Lets see if you can connect to the WSUS Server  remotely
J.R. SitmanIT Director

Author

Commented:
I tried it from my workstation, a DC and a member server.  None of them had "update servces" as a Snap-in
Thomas GrassiSystems Administrator

Commented:
Another thought

Did we ever figure out if the computers are getting the GPO updates correctly?
J.R. SitmanIT Director

Author

Commented:
I deleted the new GPO because it was causing an error when I did gpupdate /force.  I activated the old GPO.  So all computers are getting it.  In the old GPO I changes the server to the new server.
Thomas GrassiSystems Administrator

Commented:
Ok now we are back to the original question correct.?

I see in your posting above http://www.experts-exchange.com/questions/28702870/New-WSUS-server-not-seeing-any-computers.html#a40914786

That you have 8 computers that have not yet reported.

Is that still true?

Where are the computers in WSUS? Do you manually add them to the Group Pc or Server?

Can we see a screen shot of the groups expanded or are they all unassigned?

also try running this if the GPO is correct now.

wuauclt.exe /resetauthorization /detectnow


HTH
J.R. SitmanIT Director

Author

Commented:
correct, we are back at the beginning.  the new WSUSVM_LA server has no computers.  I ran the wuauclt.exe on my workstation and nothing displayed.  I'm running it from the run box.  Should I be running it from a command prompt?
Thomas GrassiSystems Administrator
Commented:
yes on each machine not the wsus server

open elevated command prompt run as administrator

wuauclt.exe /resetauthorization /detectnow

If the registry entries are pointing to the correct wsus server the above command will reregister the computer with wsus

Give it a few minutes then from the server in the WSUS console you will find a computer listed under the unassigned computers group

We can talk about how to automate that later if you want
DonNetwork Administrator

Commented:
According to your log, your computers are pointing to http://spcala189
J.R. SitmanIT Director

Author

Commented:
I ran the command and also checked the registry.  The correct WSUS server is there, but so far, the server hasn't displayed any computers.  It's been 12 minutes.  I'll be away from computer for an hour or so.  Let me know what you want me to do.
I also checked another computer without running the command and the correct server is there
Thomas GrassiSystems Administrator

Commented:
When you are checking the WSUs Console make sure you do a refresh the console does not update automatically
J.R. SitmanIT Director

Author

Commented:
yep, I've done it several times.  It's been an hour now and no computers.

Commented:
In my 2nd attachment I showed the address for the WSUS server with http://HOST:8530 
Is your GPO set like that?  
Did WSUS work with the previous server?

Try this URL from your client's web browser:
http://HOST:8530/SimpleAuthWebService/SimpleAuth.asmx
This should be the response:
Client view to WSUS serverReplace HOST with either your DNS name or your IP address.   You could even have a DNS issue where the clients are looking for HOST and it's not resolving, so maybe try the FQDN - HOST.DOMAIN.
J.R. SitmanIT Director

Author

Commented:
this is how the GPO is set.  http://WSUSVM_LA.  I can try and change it to the ip.  Would it look like this, http://172.16.1.78:8530
Thomas GrassiSystems Administrator

Commented:
What happens if you ping by the DNS name does that work from the computer?

Ipconfig /all post results
Seth SimmonsSr. Systems Administrator

Commented:
Would it look like this,

yes, that is the example i gave in the beginning
if you did not change the default port, then it runs on port 8530 in 2012
J.R. SitmanIT Director

Author

Commented:
I can ping it from my workstation with FQDN, ip or just dns name.  All resolve
J.R. SitmanIT Director

Author

Commented:
@Seth, I didn't bother to change it because the information previously in the GPO used just the DNS name.  With that said, "thank you"  they have started to report in to the WSUS server.  I will go through all the help and accept the best answers.

Thanks VERY much to all.

Commented:
can you post the last few hundred lines of a client's windowsupdate.log file again?
Thomas GrassiSystems Administrator

Commented:
Glad they are now reporting sometimes it takes time

Hope we all helped
J.R. SitmanIT Director

Author

Commented:
you all definitely helped
J.R. SitmanIT Director

Author

Commented:
Thanks to all for sticking with me.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial