?
Solved

Client PC's denied access to Windows Updates using WSUS on Windows Server 2012 R2.

Posted on 2016-09-01
7
Medium Priority
?
670 Views
Last Modified: 2016-09-09
TL,DR: Migrating to new WSUS server, Old WSUS works fine, just decommissioning. Client PC's can talk to WSUS to see what updates they need. When they go to download them they get an error and can't download. The WSUS server logs show denied access even though they have access.

Long Version:
Migrating to new WSUS server. Old server is Server 2003 running WSUS 3.2.7600.274 and WID. New WSUS server is a fresh Windows Server 2012 R2 Std. build. Installed DHCP, DNS, File and Storage Services, IIS, and WSUS roles (and all other features needed to run the roles). New server has all Windows Updates installed. Only other software installed is McAfee EndPoint Security (no firewall activated or turned on, only threat protection). WSUS ver. 6.3.9600.18324 Port 8530.

Ran WSUS wizard on new server. Pointed WSUS content store locally, to D:\WSUS. Using WID. Configured new server as a downstream server to grab all approved/disapproved updates and computer group from old server. (This helps to not have to transfer all the update files and database, 120+GB worth...)

Once Synced to old server, I changed options to sync to Microsoft. Went through other settings to copy the Products and Classifications, Update Files and Languages, Computer Assignments, and Email notifications. Basically mirrored all the old server settings.

Followed the MS guide for WSUS install/permissions.
Gave permission on D:\WSUS: Network Service - Full control
Domain Users - Read, List, Execute, Special Permissions Create files/write data Create folders/append data
Domain Admins - Full Control
WSUS Administrators - Full Control
Had to add permissions for those accounts to the root of D: as well.

IIS setup on the new server:
I checked the WSUS Administration content folder and can open it from the IIS console and see the proper listing of folder/files. New server is on port 8530, old site is port 80. Permissions mirrors the content folder.

Made a test GPO to point computers to new server and computer group. Test computer (Windows 7 Pro, all computers in network will be the same build of OS) gets the correct server and group settings so it does call the new server (registry key shows this). Computer sees an update it needs (I went ahead and approved only one new update on the new server to prove that it needs an update). When you click install it fails with error code 80244017 on the computer, details of the two errors:

Source: Windows Error Reporting
EvenID: 1001
Level: Information

Fault bucket 2406445264, type 29
Event Name: WindowsUpdateFailure3
Response: Not available
Cab Id: 0

Problem signature:
P1: 7.6.7601.23453
P2: 80244017
P3: EE671A7B-282D-4035-910A-23804968C082
P4: Download
P5: 200
P6: 0
P7: 0
P8: AutomaticUpdatesWuApp
P9: {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}
P10: 0

Attached files:

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_7.6.7601.23453_0e128b2db63a7f5cae44971399cf6d3afbfc6_05b42282

Analysis symbol:
Rechecking for solution: 0
Report Id: 7a6349d1-707b-11e6-b023-185e0f40af64


Fault bucket , type 0
Event Name: WindowsUpdateFailure3
Response: Not available
Cab Id: 0

Problem signature:
P1: 7.6.7601.23453
P2: 80244017
P3: EE671A7B-282D-4035-910A-23804968C082
P4: Download
P5: 200
P6: 0
P7: 0
P8: AutomaticUpdatesWuApp
P9: {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}
P10: 0

Attached files:

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_7.6.7601.23453_0e128b2db63a7f5cae44971399cf6d3afbfc6_cab_00501e8c

Analysis symbol:
Rechecking for solution: 0
Report Id: 7a6349d1-707b-11e6-b023-185e0f40af64


Looking on the new WSUS server you see this error:

Log Name: Application
Source: Windows Server Update Services
Event ID: 12072
Task Category: 9
Level: Error
Keywords: Classic

The WSUS content directory is not accessible.
System.Net.WebException: The remote server returned an error: (401) Unauthorized.
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.UpdateServices.Internal.HealthMonitoring.HmtWebServices.CheckContentDirWebAccess(EventLoggingType type, HealthEventLogger logger)

Now to troubleshoot this. From the user computer I can manually browse to \\NEWSERVER\WSUSContent. I can see all the folders and open/execute them from Explorer so user permissions seem to be set properly.

Ran Procmon on New Server and found these errors:
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:29:34.7771538 PM","WsusService.exe","11468","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters","ACCESS DENIED","Desired Access: All Access"
"3:29:34.7849925 PM","WsusService.exe","11468","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters","ACCESS DENIED","Desired Access: All Access"
"3:29:38.6010850 PM","w3wp.exe","15128","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters","ACCESS DENIED","Desired Access: All Access"
"3:29:38.6084621 PM","w3wp.exe","15128","RegOpenKey","HKLM\System\CurrentControlSet\Services\WinSock2\Parameters","ACCESS DENIED","Desired Access: All Access"
"3:29:43.5853384 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, No Buffering, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:43.6074142 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:43.6216802 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:44.0428396 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:44.0812699 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:44.0941561 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:29:49.3002955 PM","w3wp.exe","15128","CreateFile","C:\Windows\System32\config\systemprofile\AppData\Roaming","ACCESS DENIED","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
"3:29:50.1045416 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\anonymousCheckFile.txt","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, No Buffering, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:30:10.4605213 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:30:10.4638890 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"
"3:30:10.4832755 PM","w3wp.exe","15128","CreateFile","D:\WSUS\WsusContent\AF\0A5C2C66C1D8CF822D0B4B2B8F6940D66CED1FAF.cab","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Attributes: R, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR"


From what I can see I have the proper permissions in place but obviously I don't somewhere. Any ideas where else to look?
0
Comment
Question by:evollic
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
7 Comments
 
LVL 17

Expert Comment

by:pjam
ID: 41780587
My first thought would be WSUS should not be on that server.
Heavy downloads will kill your other processes.
0
 

Author Comment

by:evollic
ID: 41780592
The server is DHCP for a smaller network, secondary DNS, some file storage and WSUS of course. It's got the hardware/disk specs to easily handle what we're going to throw at it. I've read WSUS shouldn't exist on a domain controller and would totally agree with that one though.

Edit: Computers on network, 150 give or take. Servers, 10. So nothing crazy.
0
 
LVL 17

Expert Comment

by:pjam
ID: 41780596
WSUS is OK on a virtual server hyper-v or vmware, you might consider that.  WSUS data drive should be fairly big 400GB even
0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 

Author Comment

by:evollic
ID: 41780609
WSUS Data drive is 1TB. Other drives are 5+TB. The server was spec'd to be a WSUS server with some file storage and small roles.

I get what your saying, but I have a permission issue. I've spec'd the server to work for it's role and at the moment this has to be our new WSUS. Also, the server will not be a Domain Controller or have any of those roles.
0
 
LVL 20

Accepted Solution

by:
Peter Hutchison earned 2000 total points
ID: 41790840
A few things to check:
1. Do Users or Domain Users or  have read access to the WsusContent folder?
2. Is IUSR account is a member of the local Users group on the server?
3. If using a service name, use a CNAME record rather than a host A record, so that it resolves to the WSUS's server name.
1
 

Author Comment

by:evollic
ID: 41791308
Thank you sir! It ended up being:

"2. Is IUSR account is a member of the local Users group on the server?"

The IUSR account was not a member in the local Users group. As soon as I applied that my test clients were able to download the updates and install them. Sometimes its the small things we over look... Thanks again!
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I don't know if many of you have made the great mistake of using the Cisco Thin Client model with the management software VXC. If you have then you are probably more then familiar with the incredibly clunky interface, the numerous work arounds, and …
Microsoft Windows Server Update Service (WSUS) is free for everyone, but it lacks of some desirable features like send an e-mail to the administrator with the status of all computers on the WSUS server. This article is based on my PowerShell script …
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
In this Micro Tutorial viewers will learn how to restore their server from Bare Metal Backup image created with Windows Server Backup feature. As an example Windows 2012R2 is used.
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question