Solved

Client PC's denied access to Windows Updates using WSUS on Windows Server 2012 R2.

Posted on 2016-09-01
7
143 Views
Last Modified: 2016-09-09
TL,DR: Migrating to new WSUS server, Old WSUS works fine, just decommissioning. Client PC's can talk to WSUS to see what updates they need. When they go to download them they get an error and can't download. The WSUS server logs show denied access even though they have access.

Long Version:
Migrating to new WSUS server. Old server is Server 2003 running WSUS 3.2.7600.274 and WID. New WSUS server is a fresh Windows Server 2012 R2 Std. build. Installed DHCP, DNS, File and Storage Services, IIS, and WSUS roles (and all other features needed to run the roles). New server has all Windows Updates installed. Only other software installed is McAfee EndPoint Security (no firewall activated or turned on, only threat protection). WSUS ver. 6.3.9600.18324 Port 8530.

Ran WSUS wizard on new server. Pointed WSUS content store locally, to D:\WSUS. Using WID. Configured new server as a downstream server to grab all approved/disapproved updates and computer group from old server. (This helps to not have to transfer all the update files and database, 120+GB worth...)

Once Synced to old server, I changed options to sync to Microsoft. Went through other settings to copy the Products and Classifications, Update Files and Languages, Computer Assignments, and Email notifications. Basically mirrored all the old server settings.

Followed the MS guide for WSUS install/permissions.
Gave permission on D:\WSUS: Network Service - Full control
Domain Users - Read, List, Execute, Special Permissions Create files/write data Create folders/append data
Domain Admins - Full Control
WSUS Administrators - Full Control
Had to add permissions for those accounts to the root of D: as well.

IIS setup on the new server:
I checked the WSUS Administration content folder and can open it from the IIS console and see the proper listing of folder/files. New server is on port 8530, old site is port 80. Permissions mirrors the content folder.

Made a test GPO to point computers to new server and computer group. Test computer (Windows 7 Pro, all computers in network will be the same build of OS) gets the correct server and group settings so it does call the new server (registry key shows this). Computer sees an update it needs (I went ahead and approved only one new update on the new server to prove that it needs an update). When you click install it fails with error code 80244017 on the computer, details of the two errors:

Source: Windows Error Reporting
EvenID: 1001
Level: Information

Fault bucket 2406445264, type 29
Event Name: WindowsUpdateFailure3
Response: Not available
Cab Id: 0

Problem signature:
P1: 7.6.7601.23453
P2: 80244017
P3: EE671A7B-282D-4035-910A-23804968C082
P4: Download
P5: 200
P6: 0
P7: 0
P8: AutomaticUpdatesWuApp
P9: {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}
P10: 0

Attached files:

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_7.6.7601.23453_0e128b2db63a7f5cae44971399cf6d3afbfc6_05b42282

Analysis symbol:
Rechecking for solution: 0
Report Id: 7a6349d1-707b-11e6-b023-185e0f40af64


Fault bucket , type 0
Event Name: WindowsUpdateFailure3
Response: Not available
Cab Id: 0

Problem signature:
P1: 7.6.7601.23453
P2: 80244017
P3: EE671A7B-282D-4035-910A-23804968C082
P4: Download
P5: 200
P6: 0
P7: 0
P8: AutomaticUpdatesWuApp
P9: {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}
P10: 0

Attached files:

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_7.6.7601.23453_0e128b2db63a7f5cae44971399cf6d3afbfc6_cab_00501e8c

Analysis symbol:
Rechecking for solution: 0
Report Id: 7a6349d1-707b-11e6-b023-185e0f40af64


Looking on the new WSUS server you see this error:

Log Name: Application
Source: Windows Server Update Services
Event ID: 12072
Task Category: 9
Level: Error
Keywords: Classic

The WSUS content directory is not accessible.
System.Net.WebException: The remote server returned an error: (401) Unauthorized.
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.UpdateServices.Internal.HealthMonitoring.HmtWebServices.CheckContentDirWebAccess(EventLoggingType type, HealthEventLogger logger)

Now to troubleshoot this. From the user computer I can manually browse to \\NEWSERVER\WSUSContent. I can see all the folders and open/execute them from Explorer so user permissions seem to be set properly.

Ran Procmon on New Server and found these errors:
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:29:34.7771538 PM","WsusService.exe","11468","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters","ACCESS DENIED","Desired Access: All Access"
"3:29:34.7849925 PM","WsusService.exe","11468","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters","ACCESS DENIED","Desired Access: All Access"
"3:29:38.6010850 PM","w3wp.exe","15128","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters","ACCESS DENIED","Desired Access: All Access"
"3:29:38.6084621 PM","w3wp.exe","15128","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters","ACCESS DENIED","Desired Access: All Access"
"3:29:43.5853384 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, No Buffering, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:43.6074142 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:43.6216802 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:44.0428396 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:44.0812699 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:44.0941561 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:49.3002955 PM","w3wp.exe","15128","CreateFile","C:\Windows\System32\config\systemprofile\AppData\Roaming","ACCESS DENIED","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
"3:29:50.1045416 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\anonymousCheckFile.txt","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, No Buffering, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:30:10.4605213 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:30:10.4638890 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:30:10.4832755 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"


From what I can see I have the proper permissions in place but obviously I don't somewhere. Any ideas where else to look?
0
Comment
Question by:evollic
  • 3
  • 2
7 Comments
 
LVL 17

Expert Comment

by:pjam
ID: 41780587
My first thought would be WSUS should not be on that server.
Heavy downloads will kill your other processes.
0
 

Author Comment

by:evollic
ID: 41780592
The server is DHCP for a smaller network, secondary DNS, some file storage and WSUS of course. It's got the hardware/disk specs to easily handle what we're going to throw at it. I've read WSUS shouldn't exist on a domain controller and would totally agree with that one though.

Edit: Computers on network, 150 give or take. Servers, 10. So nothing crazy.
0
 
LVL 17

Expert Comment

by:pjam
ID: 41780596
WSUS is OK on a virtual server hyper-v or vmware, you might consider that.  WSUS data drive should be fairly big 400GB even
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 

Author Comment

by:evollic
ID: 41780609
WSUS Data drive is 1TB. Other drives are 5+TB. The server was spec'd to be a WSUS server with some file storage and small roles.

I get what your saying, but I have a permission issue. I've spec'd the server to work for it's role and at the moment this has to be our new WSUS. Also, the server will not be a Domain Controller or have any of those roles.
0
 
LVL 18

Accepted Solution

by:
Peter Hutchison earned 500 total points
ID: 41790840
A few things to check:
1. Do Users or Domain Users or  have read access to the WsusContent folder?
2. Is IUSR account is a member of the local Users group on the server?
3. If using a service name, use a CNAME record rather than a host A record, so that it resolves to the WSUS's server name.
1
 

Author Comment

by:evollic
ID: 41791308
Thank you sir! It ended up being:

"2. Is IUSR account is a member of the local Users group on the server?"

The IUSR account was not a member in the local Users group. As soon as I applied that my test clients were able to download the updates and install them. Sometimes its the small things we over look... Thanks again!
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Join & Write a Comment

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
A procedure for exporting installed hotfix details of remote computers using powershell
In this Micro Tutorial viewers will learn how to restore their server from Bare Metal Backup image created with Windows Server Backup feature. As an example Windows 2012R2 is used.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now