Client PC's denied access to Windows Updates using WSUS on Windows Server 2012 R2.

TL,DR: Migrating to new WSUS server, Old WSUS works fine, just decommissioning. Client PC's can talk to WSUS to see what updates they need. When they go to download them they get an error and can't download. The WSUS server logs show denied access even though they have access.

Long Version:
Migrating to new WSUS server. Old server is Server 2003 running WSUS 3.2.7600.274 and WID. New WSUS server is a fresh Windows Server 2012 R2 Std. build. Installed DHCP, DNS, File and Storage Services, IIS, and WSUS roles (and all other features needed to run the roles). New server has all Windows Updates installed. Only other software installed is McAfee EndPoint Security (no firewall activated or turned on, only threat protection). WSUS ver. 6.3.9600.18324 Port 8530.

Ran WSUS wizard on new server. Pointed WSUS content store locally, to D:\WSUS. Using WID. Configured new server as a downstream server to grab all approved/disapproved updates and computer group from old server. (This helps to not have to transfer all the update files and database, 120+GB worth...)

Once Synced to old server, I changed options to sync to Microsoft. Went through other settings to copy the Products and Classifications, Update Files and Languages, Computer Assignments, and Email notifications. Basically mirrored all the old server settings.

Followed the MS guide for WSUS install/permissions.
Gave permission on D:\WSUS: Network Service - Full control
Domain Users - Read, List, Execute, Special Permissions Create files/write data Create folders/append data
Domain Admins - Full Control
WSUS Administrators - Full Control
Had to add permissions for those accounts to the root of D: as well.

IIS setup on the new server:
I checked the WSUS Administration content folder and can open it from the IIS console and see the proper listing of folder/files. New server is on port 8530, old site is port 80. Permissions mirrors the content folder.

Made a test GPO to point computers to new server and computer group. Test computer (Windows 7 Pro, all computers in network will be the same build of OS) gets the correct server and group settings so it does call the new server (registry key shows this). Computer sees an update it needs (I went ahead and approved only one new update on the new server to prove that it needs an update). When you click install it fails with error code 80244017 on the computer, details of the two errors:

Source: Windows Error Reporting
EvenID: 1001
Level: Information

Fault bucket 2406445264, type 29
Event Name: WindowsUpdateFailure3
Response: Not available
Cab Id: 0

Problem signature:
P1: 7.6.7601.23453
P2: 80244017
P3: EE671A7B-282D-4035-910A-23804968C082
P4: Download
P5: 200
P6: 0
P7: 0
P8: AutomaticUpdatesWuApp
P9: {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}
P10: 0

Attached files:

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_7.6.7601.23453_0e128b2db63a7f5cae44971399cf6d3afbfc6_05b42282

Analysis symbol:
Rechecking for solution: 0
Report Id: 7a6349d1-707b-11e6-b023-185e0f40af64


Fault bucket , type 0
Event Name: WindowsUpdateFailure3
Response: Not available
Cab Id: 0

Problem signature:
P1: 7.6.7601.23453
P2: 80244017
P3: EE671A7B-282D-4035-910A-23804968C082
P4: Download
P5: 200
P6: 0
P7: 0
P8: AutomaticUpdatesWuApp
P9: {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}
P10: 0

Attached files:

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_7.6.7601.23453_0e128b2db63a7f5cae44971399cf6d3afbfc6_cab_00501e8c

Analysis symbol:
Rechecking for solution: 0
Report Id: 7a6349d1-707b-11e6-b023-185e0f40af64


Looking on the new WSUS server you see this error:

Log Name: Application
Source: Windows Server Update Services
Event ID: 12072
Task Category: 9
Level: Error
Keywords: Classic

The WSUS content directory is not accessible.
System.Net.WebException: The remote server returned an error: (401) Unauthorized.
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.UpdateServices.Internal.HealthMonitoring.HmtWebServices.CheckContentDirWebAccess(EventLoggingType type, HealthEventLogger logger)

Now to troubleshoot this. From the user computer I can manually browse to \\NEWSERVER\WSUSContent. I can see all the folders and open/execute them from Explorer so user permissions seem to be set properly.

Ran Procmon on New Server and found these errors:
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:29:34.7771538 PM","WsusService.exe","11468","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters","ACCESS DENIED","Desired Access: All Access"
"3:29:34.7849925 PM","WsusService.exe","11468","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters","ACCESS DENIED","Desired Access: All Access"
"3:29:38.6010850 PM","w3wp.exe","15128","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters","ACCESS DENIED","Desired Access: All Access"
"3:29:38.6084621 PM","w3wp.exe","15128","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters","ACCESS DENIED","Desired Access: All Access"
"3:29:43.5853384 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, No Buffering, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:43.6074142 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:43.6216802 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:44.0428396 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:44.0812699 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:44.0941561 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:49.3002955 PM","w3wp.exe","15128","CreateFile","C:\Windows\System32\config\systemprofile\AppData\Roaming","ACCESS DENIED","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
"3:29:50.1045416 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\anonymousCheckFile.txt","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, No Buffering, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:30:10.4605213 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:30:10.4638890 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:30:10.4832755 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"


From what I can see I have the proper permissions in place but obviously I don't somewhere. Any ideas where else to look?
evollicAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

pjamCommented:
My first thought would be WSUS should not be on that server.
Heavy downloads will kill your other processes.
0
evollicAuthor Commented:
The server is DHCP for a smaller network, secondary DNS, some file storage and WSUS of course. It's got the hardware/disk specs to easily handle what we're going to throw at it. I've read WSUS shouldn't exist on a domain controller and would totally agree with that one though.

Edit: Computers on network, 150 give or take. Servers, 10. So nothing crazy.
0
pjamCommented:
WSUS is OK on a virtual server hyper-v or vmware, you might consider that.  WSUS data drive should be fairly big 400GB even
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

evollicAuthor Commented:
WSUS Data drive is 1TB. Other drives are 5+TB. The server was spec'd to be a WSUS server with some file storage and small roles.

I get what your saying, but I have a permission issue. I've spec'd the server to work for it's role and at the moment this has to be our new WSUS. Also, the server will not be a Domain Controller or have any of those roles.
0
Peter HutchisonSenior Network Systems SpecialistCommented:
A few things to check:
1. Do Users or Domain Users or  have read access to the WsusContent folder?
2. Is IUSR account is a member of the local Users group on the server?
3. If using a service name, use a CNAME record rather than a host A record, so that it resolves to the WSUS's server name.
1

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
evollicAuthor Commented:
Thank you sir! It ended up being:

"2. Is IUSR account is a member of the local Users group on the server?"

The IUSR account was not a member in the local Users group. As soon as I applied that my test clients were able to download the updates and install them. Sometimes its the small things we over look... Thanks again!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.