Re: Windows Server 2008 - Windows Update Failing - Error 8024401F
![Lawrence Garvin [MVP]'s profile photo](https://lh3.googleusercontent.com/a/default-user=s40-c)
Lawrence Garvin [MVP]
news:6DE24CD2-57DF-45C5...@microsoft.com...
>I posted this in the Windows Update group. PA Bear kindly suggested I post
> it here. Any help would be appreciated.
>
> I'm at a total loss here. I simply installed Windows 2008 Server Standard
> and clicked the link to update windows. Just that simple.
>
> None of the other machines on my network have any troubles.
>
> What am I missing?
A lot more *details* on your issue would be a good start:
1. What update is failing?
2. How did you obtain the update?
3. What do you mean by "clicked the link to update windows".
Please post the entire log segment showing your 0x8024401F error.
btw.. unless you're using a WSUS Server in this mix, you were in the right
place to start with.
If you are using a WSUS Server -- some information about your WSUS Server
would be useful, also.
--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)
MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
![Harry Johnston [MVP]'s profile photo](http://lh3.googleusercontent.com/a-/ALV-UjWpkBAPqvc839nzAtvH7xG03OwcxExyoyKpBgg3G7rKJeLEHQ=s40-c)
Harry Johnston [MVP]
> Right now, I have that server torn down. Once I get it back online, I'll
> post that info. As for the link to update windows, it was the link on the
> server manager applet. From your statement about WSUS, it sounds like that
> would be an internal system dedicated to update distribution. If that's the
> case, I am not using WSUS. I'm new to w2k8 so I didn't know if this was an
> older technology renamed, or a new technology.
This suggests the problem is related to ISA. I've already posted to your thread
in the Windows Update group asking if PA Bear has any ideas, so please check
back later today. I've suggested that you try using a different computer name
and IP number on your next rebuild, but I've never used ISA so I'm not sure
whether this is a sensible suggestion or not. :-)
You are of course welcome to also continue posting to this thread. I believe
Lawrence is particularly familiar with corporate Windows Update issues so he
might spot something the rest of us could miss!
Harry.
Lawrence Garvin [MVP]
> Hi Lawrence,
>
> Right now, I have that server torn down. Once I get it back online, I'll
> post that info. As for the link to update windows, it was the link on the
> server manager applet. From your statement about WSUS, it sounds like
> that
> would be an internal system dedicated to update distribution. If that's
> the
> case, I am not using WSUS.
Okay, then truly, your question is more appropriate in the original forum
for WindowsUpdate.
> In any case, the steps to reproduce are: install windows server 2008
> standard, rename the computer, join a domain, and click the windows update
> link from server manager. Just that simple. I would assume the update is
> going to Microsoft for the updates.
Because you're joining a domain, making assumptions can be a bit tricky.
Your assumption holds *if* there are no group policies configured to modify
the behavior of the server once it joins the domain. Such policies are not
just limited to the Windows Update Agent, but also the Windows Firewall
installed on the Win2008 server.
Having that extra information, the 0x8024401F error is an HTTP 500 error,
HTTP 500 - an error internal to the server prevented fulfilling the request.
and as Harry pointed out, the most likely cause, all other things being
equal, is that your proxy/firewall is blocking access to the Windows Update
site -- although, generally, that should have returned an HTTP 403 error,
not an HTTP 500 error.
Another possibility is that a policy has been applied to the server and
contains an invalid URL for a WSUS Server. This might happen if the machine
name of the URL is a valid webserver, but the pathname of the URL contains a
reference that the web server cannot accurately parse.
Another possibility is that simply joining the domain has placed the server
in an OU that isn't authorized to have Internet access, although, again,
this scenario would normally return an HTTP 403 from the proxy/firewall.
Yet another possiblity is that a group policy has configured the Windows
Firewall to disable all outbound access from the server -- yet, this
particular scenario would likely log an 0x80072efd error (CANNOT CONNECT),
rather than an HTTP 4xx or HTTP 5xx code, which implies that a web server
actually answered the fone.
Probably the best place to start diagnostics is to review the
WindowsUpdate.log on the server, and the firewall logs for the time this
error was logged, and see if the firewall generated this error, or passed it
through from Windows Update, or somewhere else. It would also be useful to
run RSOP or GPRESULT on the server and confirm that there aren't any
unexpected (or undesirable) policy configurations.
Greg Wilkerson
Unless windows server 2008 uses different ports/protocols than
XP/Vista/server 2003, it's not an ISA issue. I have no troubles with the
updates on those O/Ss.
And I have not gone to the steps to configure Group Policy. So, unless
something is turned off by default on windows server 2008, I don't think
that's it.
And, I can get to the internet via IE; no troubles there.
I'm having issues with this box so it may be a corrupt install.
I'll keep digging,
Thanks,
Greg
--
Greg Wilkerson
SQL Server DBA
Lawrence Garvin [MVP]
> Thanks for the replies.
>
> Unless windows server 2008 uses different ports/protocols than
> XP/Vista/server 2003, it's not an ISA issue. I have no troubles with the
> updates on those O/Ss.
Assuming there is not a problem with machine 'D', because machines 'A', 'B',
and 'C' work correctly, when machine 'D' is nothing like machines 'A', 'B',
and 'C' is a potentially risky assumption.
I would make no such assumptions until I had proof in hand, based on direct
tests against machine 'D', or another machine just like machine 'D'.
> And I have not gone to the steps to configure Group Policy. So, unless
> something is turned off by default on windows server 2008, I don't think
> that's it.
Assuming that things are on/off by default in Win2008, just because they
were in Win2003, is also a potentially risky assumption.
If you have another Windows Server =2008= system that is not displaying such
symptoms, then we could infer from *that* machine that the issue is not in
the proxy/firewall.
> And, I can get to the internet via IE; no troubles there.
Yes, but IE doesn't use the same proxy channel that the Windows Update Agent
uses. The WUA is all about WinHTTP, so to successfully get through a proxy
server (from any machine), you need to properly configure WinHTTP.
If your IE is working, this could be as simple as proxycfg -d (to remove all
proxy configs) or proxycfg -u (to duplicate the IE configs into WinHTTP) on
a WinXP/2003 machine, but on Vista/Win2008, this methdology has entirely
changed, proxycfg.exe is no longer available, and you need to configure
WinHTTP proxy through NETSH.
But IE working simply tells us that the core networking is functioning. We
sort of already knew that, though, since you did get an HTTP 500 message
back from *something*. (If the core networking was dysfunctional, the WUA
would have logged an 0x80072EFD error.)
> I'm having issues with this box so it may be a corrupt install.
Oh.. you're having *OTHER* issues as well???
Full disclosure is the best way to get reliable and accurate help with an
issue. :-)