Clients Not Detecting Updates on WSUS Server Not Connected to Inte

I have a somewhat unusual situation that I am having difficulty with and hope
that someone can help. I have a LAN that is not connected to the Internet due
to company security policy that I need to keep patched. I have found some
documentation on how to set up this sort of scenario but it is not very
detailed and I have not been able to get it to work properly yet. Here is the
problem in detail.

I installed WSUS on a server that is connected to the internet and
configured it for the updates that I wanted to get. The server connected to
Microsoft and the updates were downloaded. I then ran the wsusutil export
commande to export the metadata .cab and .log files. I copied the .cab, .log,
and WSUScontent files to DVD's.

I then installed another WSUS server on my LAN that is not connected to the
Internet and copied the files from the server that is connected to the
Internet to the one that is not. I then ran the wsusutil import command to
import the metadata to that server.

I then ran the Syncrhonize now command on my server that is not connected to
the Internet, which is set to synchronize with itself, and it succeeded.
Under Download Status I saw the number of update files needed appear and
below that the number of megabytes required for the files and the number of
megabytes downloaded. The downloading begain but only went about halfway and
then stopped.

Meanwhile, the computers on my LAN began reporting back to the WSUS server
and they began to receive updates, but not all of them. Some of them are
showing that many updates are still required. When I check in the WSUS
server, I see that many of the required updates were downloaded and are
availabe for deployment, but the clients don't seem to be getting them for
some reason. In other cases, I am told that the files for the updates have
not yet been downloaded, which would seem plausible since the download seems
to have stalled even though I copied over all the necessary files.

I have tried to verify that the updates were actually on the hard drive of
the WSUS server that is not connected to the Internet but there isn't a clear
correlation between the update name and its file name in the WSUScontent
directory. At least I couldn't find one. Even the File ID doesn't seem to map
to them.

I have been working on this issue for weeks now without much success and I
am beginning to get extremely frustrated with it. There doesn't seem to be a
lot of documentation on how to do what I am doing so most of the things I
have tried don't exactly apply. Any ideas?

"VernCook" <> wrote in message
news:6B359333-2635-4F88-86B3-...

> I have found some documentation on how to set up this sort of
> scenario but it is not very detailed

This is the official documentation for setting up a disconnected network.
http://technet.microsoft.com/en-us/l...73(WS.10).aspx

> I then ran the Syncrhonize now command on my server that is not connected
> to
> the Internet, which is set to synchronize with itself, and it succeeded.

This is the step that is unnecessary.

The disconnected server should be set as an UPSTREAM server and you should
never run Synchronize on this server.

> The downloading begain but only went about halfway and then stopped.

An indication that a file is missing from your *connected* server.


> Meanwhile, the computers on my LAN began reporting back to the WSUS server
> and they began to receive updates, but not all of them. Some of them are
> showing that many updates are still required.

No doubt as a result of the server still trying to "download" the other half
of the files.

> I have tried to verify that the updates were actually on the hard drive of
> the WSUS server that is not connected to the Internet but there isn't a
> clear
> correlation between the update name and its file name in the WSUScontent
> directory. At least I couldn't find one. Even the File ID doesn't seem to
> map
> to them.

An easier way is to simply list the BITS queue of the disconnected server
(bitsadmin /list /allusers /verbose) and see what file is listed at the top
of the queue for download. That's the first file that the disconnected
server could not find in the imported content store. You can get the
bitsadmin.exe v2.0 utility from the \support\tools folder of the service
pack media.

> Any ideas?

1. Resynchronize your connected server. Verify that all download activity
has terminated. Enable the "File Info" column of the All Updates view, and
verify that no update is shown as needing files.

2. Configure your disconnected server as an upstream server, synchronizing
from Microsoft Update, but do Not synchronize it.

3. Reconfigure your policy or unplug the network cable from the disconnected
server to remove the client detections until you've completed the server
import. As noted in the cited documentation, "It can take 3-4 hours for the
database to validate content that has just been imported."

4. Follow the instructions, as provided above, from the WSUS Deployment
Guide to re-export your metadata and content and then import it to the
server. Do not run a Synchronization. The wsusutil import command does
everything that is needed.

5. When the disconnected server has completed the content validation,
re-enable client detections.



--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin