evollic
asked on
Client PCs denied access to Windows Updates using WSUS on Windows Server 2012 R2.
TL;DR: Migrating to new WSUS server. Old WSUS works fine, just decommissioning. Client PCs can talk to WSUS to see what updates they need. When they go to download them they get an error and can't download. The WSUS server logs show denied access even though they have access.
Long Version:
Migrating to new WSUS server. Old server is Server 2003 running WSUS 3.2.7600.274 and WID. New WSUS server is a fresh Windows Server 2012 R2 Std. build. Installed DHCP, DNS, File and Storage Services, IIS, and WSUS roles (and all other features needed to run the roles). New server has all Windows Updates installed. Only other software installed is McAfee EndPoint Security (no firewall activated or turned on, only threat protection). WSUS ver. 6.3.9600.18324 Port 8530.
Ran WSUS wizard on new server. Pointed WSUS content store locally, to D:\WSUS. Using WID. Configured new server as a downstream server to grab all approved/disapproved updates and computer group from old server. (This helps to not have to transfer all the update files and database, 120+GB worth...)
Once Synced to old server, I changed options to sync to Microsoft. Went through other settings to copy the Products and Classifications, Update Files and Languages, Computer Assignments, and Email notifications. Basically mirrored all the old server settings.
Followed the MS guide for WSUS install/permissions.
Gave permission on D:\WSUS:
Network Service - Full Control
Domain Users - Read, List, Execute, Special Permissions (Create files/write data, Create folders/append data)
Domain Admins - Full Control
WSUS Administrators - Full Control
Had to add permissions for those accounts to the root of D: as well.
IIS setup on the new server:
I checked the WSUS Administration content folder and can open it from the IIS console and see the proper listing of folders/files. New server is on port 8530, old site is port 80. Permissions mirror the content folder.
Made a test GPO to point computers to new server and computer group. Test computer (Windows 7 Pro, all computers in network will be the same build of OS) gets the correct server and group settings so it does call the new server (registry key shows this). Computer sees an update it needs (I went ahead and approved only one new update on the new server to prove that it needs an update). When you click install it fails with error code 80244017 on the computer, details of the two errors:
Source: Windows Error Reporting
Event ID: 1001
Level: Information
Fault bucket 2406445264, type 29
Event Name: WindowsUpdateFailure3
Response: Not available
Cab Id: 0
Problem signature:
P1: 7.6.7601.23453
P2: 80244017
P3: EE671A7B-282D-4035-910A-23804968C082
P4: Download
P5: 200
P6: 0
P7: 0
P8: AutomaticUpdatesWuApp
P9: {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}
P10: 0
Attached files:
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_7.6.7601.23453_0e128b2db63a7f5cae44971399cf6d3afbfc6_05b42282
Analysis symbol:
Rechecking for solution: 0
Report Id: 7a6349d1-707b-11e6-b023-185e0f40af64
Fault bucket , type 0
Event Name: WindowsUpdateFailure3
Response: Not available
Cab Id: 0
Problem signature:
P1: 7.6.7601.23453
P2: 80244017
P3: EE671A7B-282D-4035-910A-23804968C082
P4: Download
P5: 200
P6: 0
P7: 0
P8: AutomaticUpdatesWuApp
P9: {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}
P10: 0
Attached files:
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_7.6.7601.23453_0e128b2db63a7f5cae44971399cf6d3afbfc6_cab_00501e8c
Analysis symbol:
Rechecking for solution: 0
Report Id: 7a6349d1-707b-11e6-b023-185e0f40af64
Looking on the new WSUS server you see this error:
Log Name: Application
Source: Windows Server Update Services
Event ID: 12072
Task Category: 9
Level: Error
Keywords: Classic
The WSUS content directory is not accessible.
System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.UpdateServices.Internal.HealthMonitoring.HmtWebServices.CheckContentDirWebAccess(EventLoggingType type, HealthEventLogger logger)
Now to troubleshoot this. From the user computer I can manually browse to \\NEWSERVER\WSUSContent. I can see all the folders and open/execute them from Explorer so user permissions seem to be set properly.
Ran Procmon on New Server and found these errors:
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:29:34.7771538 PM","WsusService.exe","11468","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters","ACCESS DENIED","Desired Access: All Access"
"3:29:34.7849925 PM","WsusService.exe","11468","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters","ACCESS DENIED","Desired Access: All Access"
"3:29:38.6010850 PM","w3wp.exe","15128","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters","ACCESS DENIED","Desired Access: All Access"
"3:29:38.6084621 PM","w3wp.exe","15128","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters","ACCESS DENIED","Desired Access: All Access"
"3:29:43.5853384 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, No Buffering, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:43.6074142 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:43.6216802 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:44.0428396 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:44.0812699 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:44.0941561 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:49.3002955 PM","w3wp.exe","15128","CreateFile","C:\Windows\System32\config\systemprofile\AppData\Roaming","ACCESS DENIED","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
"3:29:50.1045416 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\anonymousCheckFile.txt","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, No Buffering, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:30:10.4605213 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:30:10.4638890 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:30:10.4832755 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
From what I can see I have the proper permissions in place but obviously I don't somewhere. Any ideas where else to look?
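One way to triage a Procmon CSV export like the one above, as an added example that is not part of the original post: it groups ACCESS DENIED rows by the identity the process was impersonating, which separates denials under a service's own token from denials under the IIS anonymous identity. The sample rows are constructed (file names shortened), and the function names are hypothetical.

```python
import csv
import io
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample in Procmon's CSV export layout (file names shortened).
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:29:34.7771538 PM","WsusService.exe","11468","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters","ACCESS DENIED","Desired Access: All Access"
"3:29:43.5853384 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Impersonating: NT AUTHORITY\IUSR"
"3:29:43.6074142 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Impersonating: NT AUTHORITY\IUSR"
"3:29:45.0000000 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF","SUCCESS","Desired Access: Read Attributes"
"3:29:50.1045416 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\anonymousCheckFile.txt","ACCESS DENIED","Desired Access: Generic Read, Impersonating: NT AUTHORITY\IUSR"
'''

IMPERSONATING = re.compile(r"Impersonating:\s*([^,]+)")
OWN_TOKEN = "(process token)"

def denied_by_identity(csv_text):
    """Count ACCESS DENIED rows per (process, identity, kind, location)."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))):
        if row["Result"].strip().upper() != "ACCESS DENIED":
            continue
        match = IMPERSONATING.search(row["Detail"])
        # No Impersonating field: the call ran under the process's own token.
        identity = match.group(1).strip() if match else OWN_TOKEN
        if row["Operation"].startswith("Reg"):
            kind, location = "registry", row["Path"]
        else:  # collapse files to their directory so repeats group together
            kind, location = "file", str(PureWindowsPath(row["Path"]).parent)
        counts[(row["Process Name"], identity, kind, location)] += 1
    return counts

def impersonated_file_denials(csv_text):
    """Map each impersonated identity to the directories that refused it."""
    out = {}
    for (_, identity, kind, location), n in denied_by_identity(csv_text).items():
        if kind == "file" and identity != OWN_TOKEN:
            dirs = out.setdefault(identity, Counter())
            dirs[location] += n
    return out

if __name__ == "__main__":
    for key, n in denied_by_identity(SAMPLE).most_common():
        print(n, *key, sep=" | ")
```

An identity that appears here with file denials is the account whose NTFS rights and group memberships need checking on the listed directories, rather than the domain users who can browse the share.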
ASKER
The server is DHCP for a smaller network, secondary DNS, some file storage and WSUS of course. It's got the hardware/disk specs to easily handle what we're going to throw at it. I've read WSUS shouldn't exist on a domain controller and would totally agree with that one though.
Edit: Computers on network, 150 give or take. Servers, 10. So nothing crazy.
WSUS is OK on a virtual server, Hyper-V or VMware; you might consider that. WSUS data drive should be fairly big, 400GB even.
ASKER
WSUS Data drive is 1TB. Other drives are 5+TB. The server was spec'd to be a WSUS server with some file storage and small roles.
I get what you're saying, but I have a permission issue. I've spec'd the server to work for its role and at the moment this has to be our new WSUS. Also, the server will not be a Domain Controller or have any of those roles.
ASKER CERTIFIED SOLUTION
ASKER
Thank you sir! It ended up being:
"2. Is IUSR account is a member of the local Users group on the server?"
The IUSR account was not a member of the local Users group. As soon as I applied that, my test clients were able to download the updates and install them. Sometimes it's the small things we overlook... Thanks again!
Heavy downloads will kill your other processes.