Tuesday, April 5, 2011

Troubleshooting WSUS server

Are you struggling to troubleshoot a WSUS server? If you followed the steps in my previous post, Install and Configure WSUS—Step by Step, but couldn't get it going and still have issues with deployment, you might have a few issues with WSUS. Here are solutions for you.

Client not showing in WSUS Server:

There are several reasons clients don't show up in the WSUS server: a) the GPO and WSUS are misconfigured; b) the prerequisites have not been met for both server and client, as I mentioned in my post.
Log on to the WSUS server as Domain Admin. Open WSUS Console > Options > Computers > select Use Group Policy or registry settings on computers > Apply > OK.
WSUS Console > Server Name > Computers > All Computers > add the proper computer groups, that is, the client target groups you have specified in the GPO.
Are all the computers and servers pointing to the proper client target group specified in the GPO? Did you configure a parent GPO while the computers point to a child GPO? Check the group policy objects using the GPO management console to find any misconfiguration. Make sure the computer you are looking for in the WSUS console is placed under the right GPO. Run gpresult.exe from a command prompt to see the computer and user configuration. Wait until the GPO refresh time and you will see the client in the WSUS console.
Another way to see the client quickly in the WSUS console is to log on to the Windows XP SP2 (must have SP2) client. Run WUAUCLT /DETECTNOW and GPUPDATE /FORCE from a command prompt. Reboot the client. Log back on.
Start menu > Run > type regedit.exe > OK. Now go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate

You are supposed to see:

client target group    REG_SZ       Group name in the GPO, say Desktop, WindowsXP, Windows7, Server, etc.
ClientGroupEnabled     REG_DWORD    0x00000001 (1)
WUServer               REG_SZ       Http://ServerName:8530
WUStatusServer         REG_SZ       Http://ServerName:8530

This means the client is reporting to the WSUS server.
Another critical point to note here: don't use the default port, which is 80. Use port 8530, because an ISA server or corporate firewall might be pointing port 80 to the corporate web site, unless a web publishing rule has been added in ISA.

WSUS database full of BugCheck Dump causing WSUS to stop functioning:

***This file is generated by Microsoft SQL Server version 9.00.4035.00 upon detection of fatal unexpected error. Please return this file,  the query or program that produced the bugcheck, the database and the error log, and any other pertinent information with a Service Request***
***Stack Dump being sent to c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\SQLDump0154.txt***
I am one of the victims of this SQL error. This will occupy the entire disk space in the system partition, causing WSUS to stop working. This error has nothing to do with WSUS. This is purely an SQL problem. It happens when WSUS has been running for a long time and you don't run the cleanup wizard to clean the database and WSUS. I have to be honest here. I am not an SQL expert. I found some clues by searching books and Google: this SQL error occurs when an SQL index is corrupt. I logged on to the SQL server using Management Studio Express, followed this Microsoft link and ran DBCC CHECKDB. But this will not solve this issue. Basically, the SQL database is screwed. You have to back up the database, reinstall WSUS and restore, which will solve this issue. But my best suggestion would be a fresh installation of everything: start from scratch.
You may also try this link if you require re-indexing the database.

Connection Error

“An error occurred trying to connect the WSUS server. This error can happen for a number of reasons. Check connectivity with the server. Please contact your network administrator if the problem persists.
Click Reset Server Node to connect the server again.”

Reason: WSUS-related Web services (IIS) may stop working when you upgrade a Windows Server 2003-based computer to Windows Server 2008.
Solutions:
Verify that the Update Services service, IIS and SQL are running on the server. If the problem persists, try restarting IIS, SQL, and the Update Services service.
Try removing the persisted preferences for the console by deleting the wsus file under C:\Documents and Settings\%username%\Application Data\Microsoft\MMC\
To work around this problem, uninstall the ASP.NET role service in IIS, and then use Server Manager to reinstall the service. To do this, follow these steps:

  1. Click Start, click Administrative Tools, and then click Server Manager.
  2. Expand Roles, and then click Web Server (IIS).
  3. In the Role Services section, click Remove Role Services.
  4. Disable the ASP.NET check box, and then click Next.
  5. Click Remove.
  6. Wait for the removal process to finish, and then click Close.
  7. In the same Role Services section, click Add Role Services.
  8. Enable the ASP.NET check box, and then click Next.
  9. Click Install.
  10. Wait for the installation process to finish, and then click Close.
  11. Restart all WSUS-related services such as IIS, SQL and Update Services (location: Administrative Tools > Services).

WSUS debug tools

Download the WSUS debug tools from the Microsoft WSUS site. Extract clientdiag.exe on the client machine and the WSUS server diagnostic tool on the WSUS server. In both cases extract to the %windir%\system32 location. Open a command prompt and change directory to %windir%\system32. Run clientdiag.exe (client machine) and wsusdebugtool.exe (WSUS server) from the command prompt. You can run both on the WSUS server to test whether the WSUS server is contacting itself for updates or not. If you see checking machine state PASS, that means the client is contacting WSUS.

Install and configure WSUS 3.0 SP2 – Step-By-Step

Microsoft Windows Server Update Services 3.0 SP2 (WSUS 3.0 SP2) enables information technology administrators to deploy the latest Microsoft updates, hotfixes and service packs to computers running Microsoft Windows Server 2003 family, Windows Server 2008, Microsoft Windows Vista family,  Microsoft Windows XP with Service Pack 2 operating systems. By using WSUS, administrators can fully manage and take control of the distribution of updates that are released through Microsoft Update.
Prerequisites for WSUS server
  • Windows Server 2003 SP1 or Windows Server® 2008
  • Microsoft Internet Information Services (IIS) 6.0 or later
  • Windows Installer 3.1 or later
  • Microsoft .NET Framework 2.0
  • Microsoft Report Viewer Redistributable 2005
  • Microsoft Management Console 3.0
  • SQL Server 2005 SP1 or later
Prerequisites for WSUS clients (x86 and x64)
  • Windows XP SP2, Windows Vista, Windows 7
  • Windows Server 2003 or Windows Server 2008
WSUS Deployment Scenarios
WSUS is flexible enough to deploy in anything from a small to an enterprise organisation. You just need to make sure Active Directory, DNS and DHCP are working perfectly. If port 80 is occupied by your company web site, you can use port 8530. I used port 8530 on the WSUS server. I have ISA 2004, so I will also show how to add a WSUS publishing rule in ISA 2004.
Install Prerequisites
1. IIS installation
Go to Add/Remove Windows Components and select Application Server.
Click Next.
You must select ASP.NET and IIS, then check Internet Information Services and click Details.
Check BITS, check IIS Manager and click Details.
Check ASP and WWW and click OK.

2. MMC 3.0 installation
No need to install it if you have installed the service pack on your server.

3. .NET Framework installation
Download .NET Framework 2.0 from the link http://www.microsoft.com/downloads/details.aspx?FamilyID=0856EACB-4362-4B0D-8EDD-AAB15C5E04F5&displaylang=en
Run the installation, click Next, accept the EULA and follow the installation screens.

4. MS Report Viewer installation
Download Report Viewer from the link.
Run the installation, click Next, accept the EULA and follow the installation screens.

5. SQL Server 2005 SP1 installation
Download SQL Server 2005 from the link.
Click Next and click Install, then click Next again.
Follow the installation screens until finished.

You have now fulfilled the prerequisites mentioned above.

WSUS installation
Download WSUS from the http://connect.microsoft.com/directory/ website, signing in with a Hotmail or Live account. Download the x86 or x64 version as you prefer; here I am installing the x86 version.

Click Run.
Click Next.
Select the Full server installation radio button and click Next.
Accept the EULA.
You must have two partitions on your server. I selected D:\WSUS. Click Next.
Select Use existing database. It is required for enterprise deployment; the internal database will not work if you have a large number of desktops and servers. Click Next.
Click Next.
On the next screen, "Web Site Selection", select Create a Microsoft Windows Server Update Services Web Site on port 8530.
DO NOT select the option marked "recommended".
Click Next.
Click Next, then click Next again.
Click Finish. The WSUS configuration wizard starts next.
Click Next.
Click Next.
Provide the proxy server IP and credentials if you have a proxy server. In my case I typed my ISA server IP, port 80 and my domain admin credentials.
Click Start Connecting and wait until it finishes, then click Next and follow the configuration screens to select your languages, products and classifications.
Wait until synchronisation finishes. It might take 30/40 minutes depending on the speed of your internet connection.
Setup IIS Security
Now set permissions in IIS on the WSUS server; you may set anonymous logon. Don't worry, it's inside your firewall.

Configure WSUS
Open the WSUS management console. In the left-hand pane, click Options, then click Change Update File and Language. Check Download update files to the server when updates are approved. Select the appropriate language. Then click Apply and OK.
Click Automatic Approval, create new rules and run the rules. In my case I have two custom rules.
In the left-hand pane, right-click All Computers and click Add Computer Group. For example, I have three computer groups: Desktop, Windows7 and Server.

Group Policy Configuration
This part describes how to use GPO to deliver Automatic Updates.

Open the Group Policy Management Console, right-click the Group Policy Objects container and click New. Create a policy for each computer group, for example WSUS Policy for desktop, WSUS Policy for Windows 7 and WSUS Server policy.

Now right-click the WSUS policy you just created (the desktop policy) and change the following four policy settings.

Configure automatic download and a scheduled installation that fits you.
Enter the WSUS server and port as http://yourserver:8530 in both boxes.
Type the target group in which the desktops/PCs should appear on the WSUS server.
Select Enabled in the following box so that the machine is not rebooted if a user is logged on.

Repeat this process for the WSUS server policy, the Windows 7 policy and so on.
In the GPO management console, right-click the organisational unit that contains the desktops/workstations and link the existing WSUS policy you created in the steps above to this organisational unit.
Link it with the WSUS policy.
Repeat the same steps for all other organisational units in the GPO management console. You may now close the GPO management console.

Important! Do NOT link the WSUS policy to a child OU. Link it directly to the top of the OU hierarchy, otherwise workstations will not populate.

Publish WSUS policy in ISA Server
If you have ISA 2004/2006 or Forefront TMG 2010, you have to set a WSUS policy in the ISA firewall access rules so that ISA doesn't block communication between server and client. You don't need to do this if nothing is blocking communication between client and server and you don't have a firewall.

To publish the WSUS policy, open the ISA management console.
Go to Network Objects and expand Web Listeners, right-click Web Listeners and click New. Type the name of the WSUS server. The name should be the NetBIOS name of the WSUS server.
Click Next, then click Finish.
In the right-hand Tasks pane, click Publish a Web Server and follow the wizard.
On the next screen, select the web listener (WSUS server) you added in the previous steps.

Right-click the WSUS publishing policy, click Properties, click the Bridging tab and check Web server and port 8530.

On the Paths tab, add these paths if they do not already exist.

Uncheck the verify and block option. Apply the changes and click OK.
Troubleshooting
On the client machine, run gpupdate /force if the client is not showing in WSUS.
Run the wuauclt /resetauthorization /detectnow command on the client machine.
Check the registry of the client.
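
The registry check from "Client not showing in WSUS Server" and the "Check the registry of the client" step above, as an added PowerShell example that is not part of the original post. The server URL and group defaults are placeholders (assumptions), and the script reads TargetGroup and TargetGroupEnabled, the value names Windows stores for the entries the post lists as "client target group" and "ClientGroupEnabled".

```powershell
# Added example (not from the original post): validate the WSUS client policy values.
# The $Server and $Group defaults are placeholders (assumptions); pass your own.
param(
    [string]$Server = 'http://ServerName:8530',
    [string]$Group  = 'Desktop'
)

function Test-WsusClientPolicy {
    param([string]$Server, [string]$Group)

    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    if (-not (Test-Path $path)) {
        return @('Policy key is missing: the WSUS GPO has not applied (check gpresult.exe)')
    }
    $policy   = Get-ItemProperty -Path $path
    $findings = @()

    # WUServer and WUStatusServer must both point at the WSUS server and port.
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = $policy.$name
        if (-not $value) { $findings += "$name is not set"; continue }
        if ($value.TrimEnd('/') -ne $Server.TrimEnd('/')) {   # -ne ignores case
            $findings += "$name is '$value', expected '$Server'"
        }
        # A URL without an explicit port resolves to 80, which the post says to avoid.
        $uri = $value -as [uri]
        if ($uri -and $uri.IsAbsoluteUri -and $uri.Port -eq 80) {
            $findings += "$name uses port 80; the post recommends 8530"
        }
    }

    # Client-side targeting: the group typed into the GPO must be enabled and match.
    if ($policy.TargetGroupEnabled -ne 1) {
        $findings += 'TargetGroupEnabled is not 1: client-side targeting is off'
    }
    if ($policy.TargetGroup -ne $Group) {
        $findings += "TargetGroup is '$($policy.TargetGroup)', expected '$Group'"
    }
    return $findings
}

$result = @(Test-WsusClientPolicy -Server $Server -Group $Group)
if ($result.Count -eq 0) { 'OK: client policy points at the WSUS server' }
else { $result | ForEach-Object { "FAIL: $_" } }
```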
