WSUS upgrade from 2.0 - 3.0 and now only some clients reporting

[crazdt]

I have been researching for hours.
Each machine I find that is not in WSUS but is in AD (therefore should be in
WSUS) has the registry settings @
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINDOWSUPDATE and
HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE. The correct WUServer
is present (http://servername:8530) and up until the upgrade all clients were
reporting. I checked to see if it an issue with the susid because many of my
machines are cloned but the susid's are different. I have tried the wuauclt
/resetauthorization /detect now command but still nothing. The domain GPO
appears to be applied according to gpresult on several machines.

There are a couple hundred machines (workstations and servers) that are
reporting, or are at least still present in the adminconsole. reports
indicate they are reporting nightly.

The only thing I saw fishy was while troubleshooting client connectivity. I
can ping the wsus server, i can verify the existence of the selfupdate tree,
but when I try to contact the wsus server via the web
(http://wsusserverbname:8530) instead of getting a 'page under construction'
message, i get a '403 - forbidden' message. I can connect to the same page
using port 80, but my clients have always been configured to 8530. Even the
clients that are still reporting currently get the 403 error is i try to
connect to the webpage. Head scratcher.

Anyone have any ideas or direction for me to go next?

--
crazdt

[crazdt]

Yes, there is a selfupdate under both Default Web Site and WSUS
Administration. Both are pointing to the same place and both have anonymous
access. I tested that the client machines can get to the directory
http://wsusserver:8530/selfupdate/wuident.cab and they can. The window pops
up to save or run the file. But, when trying to get to
http://wsusserver:8530 I get the http 403 forbidden message.
--
crazdt

"Lawrence Garvin" wrote:

> "crazdt" <cra...@discussions.microsoft.com> wrote in message
> news:83A16337-70EA-4ECF...@microsoft.com...

> >I have been researching for hours.
> > Each machine I find that is not in WSUS but is in AD (therefore should be
> > in
> > WSUS) has the registry settings @
> > HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINDOWSUPDATE and
> > HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE. The correct
> > WUServer
> > is present (http://servername:8530) and up until the upgrade
>

> Key Word: UPGRADE.
>
> There is a known issue where the WSUS 3.0 (SP1) installer sometimes doesn't
> recreate the /selfupdate virtual directory.
>
> Please verify that the /selfupdate virtual directory exists in both the
> "Default Web Site" v-root, as well as the "WSUS Administration" v-root.
>
> If it does not (and it probably does not)
>
> 1. Create a new virtual directory called 'selfupdate'.
> 2. Set the path to C:\Program Files\Update Services\selfupdate
> 3. Enable Anonymous Access
>
>
>
> --
> Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP
> Senior Data Architect, APQC, Houston, Texas
> Microsoft MVP - Software Distribution (2005-2008)
>
> MS WSUS Website: http://www.microsoft.com/wsus
> My Websites: http://www.onsitechsolutions.com;
> http://wsusinfo.onsitechsolutions.com
> My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
>

[crazdt]

I looked at the windowsupdate.log of a pc not being reported in wsus this
morning and this is what I saw:
2008-08-07 01:39:03:054 1068 434 AU ########### AU: Initializing Automatic
Updates ###########
2008-08-07 01:39:03:054 1068 434 AU # WSUS server: http://chsvr07:8530
2008-08-07 01:39:03:054 1068 434 AU # Detection frequency: 20
2008-08-07 01:39:03:054 1068 434 AU # Target group: unassigned computers
2008-08-07 01:39:03:054 1068 434 AU # Approval type: Scheduled (Policy)
2008-08-07 01:39:03:054 1068 434 AU # Scheduled install day/time: Every
day at 1:00
2008-08-07 01:39:03:054 1068 434 AU # Auto-install minor updates: Yes
(Policy)
2008-08-07 01:39:03:070 1068 434 AU Setting AU scheduled install time to
2008-08-08 05:00:00
2008-08-07 01:39:03:070 1068 434 Report *********** Report: Initializing
static reporting data ***********
2008-08-07 01:39:03:070 1068 434 Report * OS Version = 5.0.2195.4.0.65536
2008-08-07 01:39:04:117 1068 434 Report * Computer Brand = Hewlett-Packard
2008-08-07 01:39:04:117 1068 434 Report * Computer Model = HP Compaq
dc7100 SFF(PJ359UA)
2008-08-07 01:39:04:132 1068 434 Report * Bios Revision = 786C1 v01.05
2008-08-07 01:39:04:132 1068 434 Report * Bios Name = Default System BIOS
2008-08-07 01:39:04:132 1068 434 Report * Bios Release Date =
2004-06-16T00:00:00
2008-08-07 01:39:04:132 1068 434 Report * Locale ID = 1033
2008-08-07 01:39:04:742 1068 434 AU Obtained Post reboot hr from
Agent:8024000c
2008-08-07 01:39:04:742 1068 434 AU AU setting pending client directive to
'Forced Reboot'
2008-08-07 01:39:04:773 1068 434 AU Triggering Offline detection
(non-interactive)
2008-08-07 01:39:04:773 1068 434 AU AU finished delayed initialization
2008-08-07 01:39:04:773 1068 434 AU #############
2008-08-07 01:39:04:773 1068 434 AU ## START ## AU: Search for updates
2008-08-07 01:39:04:773 1068 434 AU #########
2008-08-07 01:39:04:773 1068 434 AU <<## SUBMITTED ## AU: Search for updates
[CallId = {C48B66DD-33B2-4D9D-97FF-C4DC458AA216}]
2008-08-07 01:39:05:648 1068 4d4 Agent *************
2008-08-07 01:39:05:648 1068 4d4 Agent ** START ** Agent: Finding updates
[CallerId = AutomaticUpdates]
2008-08-07 01:39:05:648 1068 4d4 Agent *********
2008-08-07 01:39:05:648 1068 4d4 Agent * Online = No; Ignore download
priority = No
2008-08-07 01:39:05:648 1068 4d4 Agent * Criteria = "IsHidden=0 and
IsInstalled=0 and DeploymentAction='Installation' and IsAssigned=1 or
IsHidden=0 and IsPresent=1 and DeploymentAction='Uninstallation' and
IsAssigned=1 or IsHidden=0 and IsInstalled=1 and
DeploymentAction='Installation' and IsAssigned=1 and RebootRequired=1 or
IsHidden=0 and IsInstalled=0 and DeploymentAction='Uninstallation' and
IsAssigned=1 and RebootRequired=1"
2008-08-07 01:39:05:648 1068 4d4 Agent * ServiceID =
{3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}
2008-08-07 01:39:19:742 1068 434 AU WARNING: AU found no suitable session to
launch client in
2008-08-07 01:39:26:164 1068 4d4 Agent WARNING: Failed to evaluate Installed
rule, updateId = {03FF1EBE-C1CF-4DBA-ACDA-5C3BFBD9133D}.100, hr = 80041017
2008-08-07 01:39:28:804 1068 4d4 Agent * Found 0 updates and 41 categories
in search; evaluated appl. rules of 492 out of 639 deployed entities
2008-08-07 01:39:28:867 1068 4d4 Agent *********
2008-08-07 01:39:28:867 1068 4d4 Agent ** END ** Agent: Finding updates
[CallerId = AutomaticUpdates]
2008-08-07 01:39:28:867 1068 4d4 Agent *************
2008-08-07 01:39:28:867 1068 4d4 Report REPORT EVENT:
{1CEDFA1D-59C3-42A9-B756-38913732A4DC} 2008-08-07
01:39:03:070-0400 1 202 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Reboot completed.
2008-08-07 01:39:28:867 1068 3f0 AU >>## RESUMED ## AU: Search for updates
[CallId = {C48B66DD-33B2-4D9D-97FF-C4DC458AA216}]
2008-08-07 01:39:28:867 1068 3f0 AU # 0 updates detected
2008-08-07 01:39:28:867 1068 3f0 AU #########
2008-08-07 01:39:28:867 1068 3f0 AU ## END ## AU: Search for updates
[CallId = {C48B66DD-33B2-4D9D-97FF-C4DC458AA216}]
2008-08-07 01:39:28:867 1068 3f0 AU #############
2008-08-07 01:39:28:867 1068 3f0 AU Setting AU scheduled install time to
2008-08-08 05:00:00
2008-08-07 01:47:11:601 1068 4d4 Report Uploading 1 events using cached
cookie, reporting URL =
http://chsvr07:8530/ReportingWebService/ReportingWebService.asmx
2008-08-07 01:47:11:742 1068 4d4 Report Reporter successfully uploaded 1
events.
2008-08-07 09:18:21:085 1068 434 AU Launched new AU client for directive
'Forced Reboot', session id = 0x0
2008-08-07 09:18:21:288 1764 6e0 Misc =========== Logging initialized
(build: 7.1.6001.65, tz: -0400) ===========
2008-08-07 09:18:21:288 1764 6e0 Misc = Process:
C:\WINNT\system32\wuauclt.exe
2008-08-07 09:18:21:288 1764 6e0 AUClnt Launched Client UI process
2008-08-07 09:18:22:335 1764 6e0 Misc =========== Logging initialized
(build: 7.1.6001.65, tz: -0400) ===========
2008-08-07 09:18:22:335 1764 6e0 Misc = Process:
C:\WINNT\system32\wuauclt.exe
2008-08-07 09:18:22:335 1764 6e0 Misc = Module:
C:\WINNT\system32\wucltui.dll
2008-08-07 09:18:22:335 1764 6e0 CltUI AU client got new directive = 'Forced
Reboot', serviceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, return =
0x00000000
2008-08-07 09:18:23:319 1764 6e0 AUClnt WARNING: Shell_NotifyIcon failed
(dwMessage=0x0, uFlags=0x3, hr=0x80070002)
2008-08-07 09:18:23:319 1764 6e0 AUClnt WARNING: Shell_NotifyIcon failed
(dwMessage=0x0, uFlags=0x3, hr=0x80070002)
2008-08-07 09:18:23:319 1764 6e0 AUClnt WARNING: Shell_NotifyIcon failed
(dwMessage=0x0, uFlags=0x3, hr=0x80070002)
2008-08-07 09:18:23:319 1764 6e0 AUClnt WARNING: Shell_NotifyIcon failed
(dwMessage=0x0, uFlags=0x3, hr=0x80070002)
2008-08-07 09:18:23:319 1764 6e0 AUClnt WARNING: Shell_NotifyIcon failed
(dwMessage=0x1, uFlags=0x3, hr=0x80070002)
2008-08-07 09:18:23:319 1764 6e0 AUClnt WARNING: Shell_NotifyIcon failed
(dwMessage=0x1, uFlags=0x3, hr=0x80070002)
2008-08-07 09:18:23:319 1764 6e0 AUClnt WARNING: Shell_NotifyIcon failed
(dwMessage=0x1, uFlags=0x3, hr=0x80070002)
2008-08-07 09:18:23:319 1764 6e0 AUClnt WARNING: Shell_NotifyIcon failed
(dwMessage=0x1, uFlags=0x3, hr=0x80070002)
2008-08-07 09:18:23:319 1764 6e0 CltUI FATAL: Failed to show client UI,
directive=6, hr=80070002
2008-08-07 09:18:23:319 1764 6e0 AUClnt WARNING: Shell_NotifyIcon failed
(dwMessage=0x2, uFlags=0x0, hr=0x80070002)
2008-08-07 09:18:23:319 1764 6e0 AUClnt WARNING: Shell_NotifyIcon failed
(dwMessage=0x2, uFlags=0x0, hr=0x80070002)
2008-08-07 09:18:23:319 1764 6e0 AUClnt WARNING: Shell_NotifyIcon failed
(dwMessage=0x2, uFlags=0x0, hr=0x80070002)
2008-08-07 09:18:23:319 1764 6e0 AUClnt WARNING: Shell_NotifyIcon failed
(dwMessage=0x2, uFlags=0x0, hr=0x80070002)
2008-08-07 09:18:23:335 1068 434 AU AU received handle event

What I though was crazy is that evidently these machines are still working.
A reboot was forced on her pc yet her pc is not in the admin console. So I
wonder what is controlling the downloads and installs at thispoint.
--
crazdt

"Lawrence Garvin" wrote:

> "crazdt" <cra...@discussions.microsoft.com> wrote in message
> news:83A16337-70EA-4ECF...@microsoft.com...

> >I have been researching for hours.
> > Each machine I find that is not in WSUS but is in AD (therefore should be
> > in
> > WSUS) has the registry settings @
> > HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINDOWSUPDATE and
> > HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE. The correct
> > WUServer
> > is present (http://servername:8530) and up until the upgrade
>

[Winfried Sonntag [MVP]]

crazdt schrieb:

> 0x80070002

On the Client: Start > Run > regsvr32 wups2.dll [ENTER].

Winfried
--
http://www.microsoft.com/germany/windowsserver2003/technologien/updateservices/default.mspx
http://www.wsuswiki.com/Home

[crazdt]

The PC's that I am working with right now are all windows 2000. It seems
like this command would affect only pc's not getting updates where my problem
is the updates are still moving but most of my pc's are not listed in WSUS.
They used to be there..... but only about 30% remain.
--
crazdt

[Winfried Sonntag [MVP]]

crazdt schrieb:

> The PC's that I am working with right now are all windows 2000. It seems
> like this command would affect only pc's not getting updates where my problem
> is the updates are still moving but most of my pc's are not listed in WSUS.
> They used to be there..... but only about 30% remain.

Ok, try this solution: http://msmvps.com/blogs/athif/pages/66376.aspx

[crazdt]

I did try that to no avail. The script errored out. I went and checked
several pc's and the susid's were always different.
--
crazdt

[Winfried Sonntag [MVP]]

crazdt schrieb:

> I did try that to no avail. The script errored out. I went and checked
> several pc's and the susid's were always different.

On the client:
net stop wuauserv
rd /s /q %windir%\SoftwareDistribution
net start wuauserv
wuauclt /resetauthorization /detectnow
wuauclt /detectnow
wuauclt /reportnow

Wait 5 Minutes, then post the last 30 lines from
%windir%\WindowsUpdate.log.

[crazdt]

I have found that this is working. I also ran the secedit /refresh
machine_policy /enforce and have had success on the particular machines. I
will have to try adding it into the login script.

Now, I am looking at the synchronizations of the WSUS server and it hasn't
had an update since the BITS update on July 17 and that was the only one. On
July 9th, there were about 37 updates. I need to see if that is normal.
--
crazdt

[Lawrence Garvin]

"crazdt" <cra...@discussions.microsoft.com> wrote in message

news:BE3417DD-DF36-4F87...@microsoft.com...

> Yes, there is a selfupdate under both Default Web Site and WSUS
> Administration. Both are pointing to the same place and both have
> anonymous
> access. I tested that the client machines can get to the directory
> http://wsusserver:8530/selfupdate/wuident.cab and they can. The window
> pops
> up to save or run the file.

Excellent.

> But, when trying to get to
> http://wsusserver:8530 I get the http 403 forbidden message.

That's an expected error; there is no default content at the base URL.

To be sure, test the URL http://wsusserver:8530/iuident.cab, which should
present you with a File Open/Save dialog.

[crazdt]

Expected error? the documentation states it should be a "Page Under
Construction" message - as I get with the port 80 selfudate page
--
crazdt

[Lawrence Garvin]

"crazdt" <cra...@discussions.microsoft.com> wrote in message

news:62B4561E-1DCC-449A...@microsoft.com...

>> > But, when trying to get to
>> > http://wsusserver:8530 I get the http 403 forbidden message.
>>
>> That's an expected error; there is no default content at the base URL.

> Expected error? the documentation states it should be a "Page Under

> Construction" message - as I get with the port 80 selfudate page

The IIS documentation states that because there's actually a page there that
provides that content on a default installation of IIS, which you're seeting
on the por t80 default site. WSUS doesn't "own" the default site, it merely
stores some content there for legacy AU clients to use (which are pretty
much a non-issue these days unless you're still trying to update a fresh
installation of WinXPSP1 or Win2000SP3).

However, on an ASP.NET driven website where there is *NO* content in the
root directory, all your'e going to get is a '403' error because there's no
authorized content to serve up.

[DaveMills]

On Sun, 10 Aug 2008 05:54:00 -0700, crazdt <cra...@discussions.microsoft.com>
wrote:

>Expected error? the documentation states it should be a "Page Under
>Construction" message - as I get with the port 80 selfudate page

Which documentation. None I searched mention "under construction" at all. In any
case that message is the default for IIS on port 80 not on every port, viz:
8530. It is not a WSUS implementation just what you get when there is no default
content on port 80.
--
Dave Mills
There are 10 type of people, those that understand binary and those that don't.

[crazdt]

http://technet.microsoft.com/en-us/library/cc708627.aspx
Perhaps I misread and used the wrong output line. But, It is under the
section labeled To Troubleshoot the Automatic Update Client, Step 3.
--
crazdt

[DaveMills]

On Mon, 11 Aug 2008 08:16:02 -0700, crazdt <cra...@discussions.microsoft.com>
wrote:

>http://technet.microsoft.com/en-us/library/cc708627.aspx
>Perhaps I misread and used the wrong output line. But, It is under the
>section labeled To Troubleshoot the Automatic Update Client, Step 3.

That paragraph does not mention "Under Construction". The key test is step 4. Do
you get a download prompt for http://WSUSServerName/selfupdate/wuident.cab
I think step 3 is simply looking to check for things like cannot resolve DNS
name etc.

[crazdt]

"Open Internet Explorer and in the Address bar type http://WUServerwhere
WUServer stands for the value in the output from step 2.

You should see an "Under Construction" message if the WUServer value is
valid. If it is not, you will get an HTTP error of some kind."

That CLEARLY does mention it. Thanks for all your assistance.
--
crazdt

[DaveMills]

*plonk*

[crazdt]

HAHA!! Deals well with correction. How about *plonk* you. (Taking away no
help is not hurtful).
--
crazdt

[Harry Johnston [MVP]]

DaveMills wrote:

>> http://technet.microsoft.com/en-us/library/cc708627.aspx
>> Perhaps I misread and used the wrong output line. But, It is under the
>> section labeled To Troubleshoot the Automatic Update Client, Step 3.
>
> That paragraph does not mention "Under Construction". The key test is step 4. Do
> you get a download prompt for http://WSUSServerName/selfupdate/wuident.cab
> I think step 3 is simply looking to check for things like cannot resolve DNS
> name etc.

You're looking at "To troubleshoot client connectivity", not "To troubleshoot
the Automatic Update client". The text the OP mentions is indeed there.

Harry.

--
Boycott Beijing 2008 http://www.rsf.org/rubrique.php3?id_rubrique=174

[crazdt]

Very good, Thanks. Turns out, Winfried nailed it. Once I collected a group
of PC's not working, it was identical Sus sid's. I am working the command
into my login scripts to alleviate that issue.

I have learned a LOT from this workgroup.
--
crazdt

[DaveMills]

Thanks Harry.

Apologies to crazdt and *unplonk*. I was having a bad day I guess

[crazdt]

Thanks Dave.
--
crazdt