
WSUS Computer Issues


So I have my WSUS setup (at least I believe it's correct) but I can only get my two servers to show up as well as one of the desktop computers.

I have read a few different posts on setting things up and followed the instructions on this page Deploy and Configure WSUS Server 2012 R2.

I was able to get my computer to show up in the computer list for a little while and then it disappeared... Now I am able to get another computer to show up (Win10-Adam) but none of the other computers.

I have manually updated the Group Policy on all of the machines so that they point to the WSUS server on port 8530 as well as opened the firewall ports in SEP Small Business Edition. I have disabled the Windows Firewall on both Servers and the Desktop Windows Firewalls are disabled as well.

 

Some Information

My Primary DC is 08SRV and my Secondary is WS2012

 

Here's some pictures of how my settings are.

 

1: My WSUS Computers that are listed

2: My Group Policy Settings on 08SRV (this is carried over to WS2012 as well)

Both WSUS Servers GPO's are the same for the Domain Controllers as well as the Reichel OU

3: My Group Policy settings on my computer (same on all the desktops) also the "Configure Automatic Updates" setting is Enabled and set to 3.

4: My Firewall Rule for port 8530 in Symantec Endpoint Protection - Small Business Edition Cloud

 

Anyone have any ideas? o.O


Computers need a reboot when you make changes to WSUS GPOs so make sure you have done that. Often when you are getting new computers in to WSUS that have been operational for some time getting updates from the internet it can take a long time for WSUS and the computer to process all the update history information and actually start showing up in WSUS properly, like many many hours.

 

On the computers that should be in WSUS open cmd and run 'gpresult /h C:\tmp\<computername>.htm' then open that file and have a look at the actual GPO settings that have been applied to that computer.


Ok I will do that now. I am going to leave the computers running over the weekend to give them time to update settings. Hopefully that will be enough. Thanks!


Also try not to use enforced GPOs, they are rarely required and break the principle for GPO ordering.


Quote

If you have more than one GPO linked to an OU then the processing order of these GPOs is determined by what is known as the link order. The GPO with the lowest link order will be processed last – in other words the GPO with a link order of 1 has the highest precedence, followed by link order 2, etc.

https://emeneye.wordpress.com/2016/02/16/group-policy-order-of-precedence-faq/

 

Hopefully this is helpful and will allow you to change those GPOs to not enforced. Enforced doesn't actually make them get applied any better to computers; it only affects how GPOs are processed and can produce unintended settings/problems if not carefully used.

 

Edit:

Quote

The Enforce setting is a property of the link between an Active Directory container and a GPO. It is used to force that GPO to all Active Directory objects within a container, no matter how deeply they are nested. The settings within a GPO that is enforced override other settings that would prevail because they are applied later. If there are conflicting settings in GPOs that are enforced at two levels of the hierarchy, the setting enforced furthest from the client prevails. This is a reversal of the usual rule, in which the setting from the nearest-linked GPO would prevail.

Meaning unlike how GPOs are normally applied, settings set at an OU take precedence over the same setting applied higher up, enforced is top down and not bottom up.

 

I realize the guide you followed told you to do that but it's an incorrect and poorly worded step.

Quote

Close out of the Group Policy Management Editor then right click the policy then Enforced to enable it:

Link Enabled enables a GPO, not Enforced.


Awesome piece of information! I have been doing that wrong this whole time... ?

I will be sure to fix that Monday.


I'd also suggest doing a gpresult /h output.htm to verify you're getting the GPO. One I also do sometimes is open up command prompt and do a netstat -n 1 | find "8530" then I just click "check for updates" and watch to see if it tries to connect to my WSUS server. If I see it trying, then I'll hop on the WSUS server and run the same command to see if it hits the WSUS server or not. If I can see at least the connection is doing what it should be, I'll let WSUS sit.


Thanks I did run the gpresult command and it looks like the clients have the GPO setup correctly and the server is good to go.

 

I created a group for the DC's and enabled targeting for them to "Domain Controllers" but they're still showing up as unassigned in WSUS and only one computer is still showing up. I restarted both servers and a couple computers so I'm thinking I will still have to wait a while to see if they show up eventually? Or is there something else I can do to help them be seen?


Did you create the group in WSUS? I only see "Reichel" listed in your first WSUS screenshot.


Yeah I created a group called DC in WSUS and changed the GPO for the Domain Controllers to be DC so they should be matched up just fine.


If you see the network traffic happening, then just give it time. WSUS is certainly not the fastest thing.

Also if you check for updates and no errors, also a good sign.


Yeah I'm definitely getting network traffic on the Server. It's downloading the updates I believe as you can see in the picture this is going to take a while since I'm stuck on a 4.5Mbps on average internet connection. :S

At this rate I should have the updates downloaded by 2050... Lol


mmm not the traffic I was referring to - I meant verifying the clients are talking to the WSUS server as I mentioned earlier (using netstat).


Oh lol sorry. I ran the netstat -an command once after running wuauclt /detectnow command and I saw this

TCP 192.168.1.101:6939 192.168.1.5:8530 ESTABLISHED

Now I just ran the command again to make sure I was entering the information correctly and I don't see that anymore but now I see my IPv6 address with the same ports... Think there's an issue there?


Also I keep looking at WSUS in the computers section and the servers are staying in the unassigned computers and in the computer group that I set up for the clients different computers keep showing up and then disappearing... Lol

Anyone have an idea why that would be happening?


Things will likely start working after that initial sync and download of updates finishes, until that happens WSUS has nothing to give out to clients or really tell them anything.


Got the WSUS update for windows 10 support?

 

Also, double check that the GPO's security filtering and delegation settings are correctly configured (make sure authenticated users can read the GPO, otherwise even though they might be in scope, the computer account might not have read access to the GPO so it can't actually see that that GPO is in scope, so it never applies it).

 

Another thing that you will want to do after the initial sync is to run some maintenance, seriously just get rid of all the superseded updates, you'll find that if you're running WSUS from the internal database it tends to chug unless you maintain it well (if you have a SQL cluster, throw it on that instead).


Well it looks like I'll be waiting on the initial download to finish to see if my computers show up. I left it run overnight and it downloaded about 20 GB's so if I figured my math out right I have about 2.5 days of downloading left to do... O.o Lol

 

Blake:

I just downloaded the update for Windows 2012 R2 (KB3095113) the server is restarting right now.

I will check the GPO security and delegation settings after that.

 

Yeah I definitely plan on running the maintenance after the download is done. I have a 1TB storage setup for WSUS but I'd sure like to remove whatever I don't need.


You won't see any activity on 8530 unless you initiate the connection (check for updates etc...).

 

So the only issue you're having right now is the clients not showing up in the groups which you want them to?


Yeah everything seems to be running smoothly right now. It's downloading the updates with about 66 GB's left. :/

 

I can get my two Servers to stay in WSUS and they're actually in the DC group that I created rather than the Unassigned Computers group but under the group I created for the Windows 10 Computers I can only get my computer to show up. Nothing else...


So I think WSUS is going to put me in a wheelchair by the time I have it setup and figured out... Lol

So I came in to work this morning and after doing some cleaning on the updates yesterday the updates finally downloaded completely! So that's a huge relief.

The issue I'm having now is the WS2012 (WSUS) Server itself has 10 updates which are all .NET Framework 3.5 - Security Updates. I tried to install them and it errors out... I have them all approved for install on my DC group. Am I doing something wrong here by chance?

 

On a plus note I was able to update my Desktop this morning which worked fine even though that's still the only computer that I can get to show up in WSUS... Lol

Thanks,

Ryan


OK I finally figured out the issue with both of the problems I was having! :D

 

PROBLEM #1

Error updating .NET Framework 3.5 on the Server

 

Solution #1

I manually installed the updates from the Microsoft Update Catalog website.

 

PROBLEM #2

I couldn't get more than one of my clients (desktops) to show up in WSUS at a time.

 

SOLUTION #2

The issue was I created a Windows 10 image to load onto the desktop computers. So when it came to setting up WSUS all the computers had the same SID for WSUS. I found a BAT script that I ran to fix the issues. After I ran this I ran Windows Update on all the computers and everything showed up in WSUS.

 

BAT FILE

Make sure that you enter the correct location and port number for your WSUS server in the code below so that the computer can point to WSUS when looking for updates.

REPLACE "WSUSserver:PORT"

EX. http://12srv:8530

 

Run this BAT file on all your client computers that need to connect to WSUS.

:: Remove the cloned WSUS client identity so the Windows Update service generates a new one
REG Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f
REG Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /f

:: Enter WSUS Server details here EX. http://12srv:8530
REG Add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v WUServer /t REG_SZ /d http://WSUSserver:PORT /F
REG Add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v WUStatusServer /t REG_SZ /d http://WSUSserver:PORT /F

:: Refresh Group Policy, then stop the update services and clear the local update cache and log
gpupdate.exe /Force
net stop wuauserv /y
net stop BITS /y
rd C:\WINDOWS\SoftwareDistribution /s /Q
del "c:\windows\windowsupdate.log"

:: Re-register the Windows Update components (/s is silent, so a DLL missing on this Windows version is skipped without a prompt)
regsvr32 WUAPI.DLL /s
regsvr32 WUAUENG.DLL /s
regsvr32 WUAUENG1.DLL /s
regsvr32 ATL.DLL /s
regsvr32 WUCLTUI.DLL /s
regsvr32 WUPS.DLL /s
regsvr32 WUPS2.DLL /s
regsvr32 WUWEB.DLL /s
regsvr32 msxml3.dll /s

:: Restart the update service, then request a new WSUS authorization and an immediate detection cycle
net start wuauserv /y

wuauclt.exe /resetauthorization /detectnow
PAUSE

I know this is well documented elsewhere but I figured it would be good to place it here since this post has so much going on with WSUS.

Hope this can help someone trying to setup WSUS. :)

 

I'd like to say a huge thank you to everyone in this post that helped me to get this setup it was a bit of a nightmare for a while but you guys were truly SO much help and I really appreciate it.

Ryan
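
The duplicate-ID condition described in the post above can be confirmed before resetting anything, by collecting SusClientId from each client and grouping on it. The following PowerShell is an added example, not part of the original post; it assumes PowerShell remoting (WinRM) is enabled on the clients, and the host names and GUIDs in the sample data are constructed.

```powershell
# Added example (not from the thread). Host names and GUIDs below are constructed.

function Get-WsusClientIdentity {
    # Reads the WSUS client ID and the policy-configured WSUS server from each client.
    # Assumes PowerShell remoting (WinRM) is enabled; unreachable hosts are skipped.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        $wu  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate' -ErrorAction SilentlyContinue
        $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            SusClientId = $wu.SusClientId
            WUServer    = $pol.WUServer
        }
    }
}

function Find-DuplicateSusClientId {
    # Returns one row per SusClientId that is held by more than one machine.
    param([Parameter(Mandatory)][object[]]$Identity)
    $Identity |
        Where-Object { $_.SusClientId } |
        Group-Object -Property SusClientId |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                SusClientId = $_.Name
                Computers   = ($_.Group.Computer | Sort-Object) -join ', '
            }
        }
}

# Constructed sample: two desktops deployed from the same image, one with its own ID.
$sample = @(
    [pscustomobject]@{ Computer = 'WIN10-A'; SusClientId = '11111111-2222-3333-4444-555555555555'; WUServer = 'http://12srv:8530' }
    [pscustomobject]@{ Computer = 'WIN10-B'; SusClientId = '11111111-2222-3333-4444-555555555555'; WUServer = 'http://12srv:8530' }
    [pscustomobject]@{ Computer = 'WIN10-C'; SusClientId = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'; WUServer = 'http://12srv:8530' }
)

# Lists the shared ID together with WIN10-A and WIN10-B; WIN10-C is not reported.
Find-DuplicateSusClientId -Identity $sample | Format-Table -AutoSize

# Live use (replace the names with your own clients):
# Find-DuplicateSusClientId -Identity (Get-WsusClientIdentity -ComputerName 'PC1', 'PC2')
```

Machines that share an ID overwrite each other's record in the WSUS console, which matches the appear-and-disappear behaviour reported earlier in the thread.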


If you sysprep oobe the image it'll generate a new SID. Glad you got that figured out, I'm sure it was a head scratcher lol.


Yeah that's why I'm confused I did that. I do have unique SID's for the user and the computer but the susClientId for WSUS carried over to all the machines. Confusing but at least I found a solution. What a relief!!! Lol


Just now, G33kman said:

Yeah that's why I'm confused I did that. I do have unique SID's for the user and the computer but the susClientId for WSUS carried over to all the machines. Confusing but at least I found a solution. What a relief!!! Lol

oh that is weird, all my servers are clones from a template (2012R2) and no issues, good ol' M$, never consistent. (Good job security at least)
