Crazy Set Up Problem

I have a daft problem which driving me nuts!



I have tried the installation twice now on different servers. The first time
I couldn't use the default web site (Sharepoint was installed), but I
continued anyway, but it never worked.

I have now installed to a different server, opted for default web site etc
and it still refuses to see any computers.



I have followed the instructions carefully, creating a group policy Object
called WSUS (loading the correct template for it). Adding all the changes in
under Windows Updates section including http://backup (name of server with
WSUS installed. I noticed someone else had an issue and it was fixed by
adding a port number http://wsus:8530 but I didn't think you need to add a
port if the installation is using default settings. In any case, I tried it
and it still didn't work!



Everything looks good, Synchronisation has finished etc, but computers just
refuse to appear. I have tried adding the WSUS GPO to an OU, rebooted the
machine within the OU, but the machine still goes to MS Web site for
updates.



I know I'm missing something daft, but I've done this twice now!



Any suggestions would be really appreciated.



Thanks.



Windows 2003 AD

All servers are 2003 Standard

Workstations are XP Pro

Domain is in tip top order with no other issues on the network.

On a client try running gpupdate /force, then run gpresult and see if the
WSUS policy was applied.
You can also try running RSOP.
See:
http://support.microsoft.com/kb/323276

hth
DDS


"Phil Angus" <> wrote in message
news:...
>I have a daft problem which driving me nuts!
>
>
>
> I have tried the installation twice now on different servers. The first
> time I couldn't use the default web site (Sharepoint was installed), but I
> continued anyway, but it never worked.
>
> I have now installed to a different server, opted for default web site etc
> and it still refuses to see any computers.
>
>
>
> I have followed the instructions carefully, creating a group policy Object
> called WSUS (loading the correct template for it). Adding all the changes
> in under Windows Updates section including http://backup (name of server
> with WSUS installed. I noticed someone else had an issue and it was fixed
> by adding a port number http://wsus:8530 but I didn't think you need to
> add a port if the installation is using default settings. In any case, I
> tried it and it still didn't work!
>
>
>
> Everything looks good, Synchronisation has finished etc, but computers
> just refuse to appear. I have tried adding the WSUS GPO to an OU, rebooted
> the machine within the OU, but the machine still goes to MS Web site for
> updates.
>
>
>
> I know I'm missing something daft, but I've done this twice now!
>
>
>
> Any suggestions would be really appreciated.
>
>
>
> Thanks.
>
>
>
> Windows 2003 AD
>
> All servers are 2003 Standard
>
> Workstations are XP Pro
>
> Domain is in tip top order with no other issues on the network.
>
>

Can't see any problems there:

COMPUTER SETTINGS
------------------
CN=WEBSERVER,OU=Domain Servers_OU,DC=test,DC=local
Last time Group Policy was applied: 03/12/2009 at 15:49:07
Group Policy was applied from: DCB.test.local
Group Policy slow link threshold: 500 kbps
Domain Name: test
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
WSUS
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The computer is a part of the following security groups
-------------------------------------------------------
"Danny Sanders" <> wrote in message
news:%23i%...
> On a client try running gpupdate /force, then run gpresult and see if the
> WSUS policy was applied.
> You can also try running RSOP.
> See:
> http://support.microsoft.com/kb/323276
>
> hth
> DDS
>
>
> "Phil Angus" <> wrote in message
> news:...
>>I have a daft problem which driving me nuts!
>>
>>
>>
>> I have tried the installation twice now on different servers. The first
>> time I couldn't use the default web site (Sharepoint was installed), but
>> I continued anyway, but it never worked.
>>
>> I have now installed to a different server, opted for default web site
>> etc and it still refuses to see any computers.
>>
>>
>>
>> I have followed the instructions carefully, creating a group policy
>> Object called WSUS (loading the correct template for it). Adding all the
>> changes in under Windows Updates section including http://backup (name of
>> server with WSUS installed. I noticed someone else had an issue and it
>> was fixed by adding a port number http://wsus:8530 but I didn't think you
>> need to add a port if the installation is using default settings. In any
>> case, I tried it and it still didn't work!
>>
>>
>>
>> Everything looks good, Synchronisation has finished etc, but computers
>> just refuse to appear. I have tried adding the WSUS GPO to an OU,
>> rebooted the machine within the OU, but the machine still goes to MS Web
>> site for updates.
>>
>>
>>
>> I know I'm missing something daft, but I've done this twice now!
>>
>>
>>
>> Any suggestions would be really appreciated.
>>
>>
>>
>> Thanks.
>>
>>
>>
>> Windows 2003 AD
>>
>> All servers are 2003 Standard
>>
>> Workstations are XP Pro
>>
>> Domain is in tip top order with no other issues on the network.
>>
>>
>
>

"Phil Angus" <> wrote in message
news:...

> I have tried the installation twice now on different servers. The first
> time I couldn't use the default web site (Sharepoint was installed), but I
> continued anyway, but it never worked.

Installing WSUS on a Sharepoint-enabled server is a bit tricky, but it can
be done. If you'd like to pursue this conversation further, we can chat more
about it.

> Everything looks good, Synchronisation has finished etc, but computers
> just refuse to appear. I have tried adding the WSUS GPO to an OU, rebooted
> the machine within the OU, but the machine still goes to MS Web site for
> updates.

The last sentence is pretty much confirmation that the policy is not being
successfully applied.

The question becomes whether this is a function of Group Policy, or a
function of the specific policy settings.

Your RSOP already shows the policy is being read by the client, so it's
reasonable to assume the policy settings are being applied as configured,
and they're not having the desired effect.

The best next step from here is to run the Client Diagnostic Tool on this
client system and post the results for analysis.

You can obtain the Client Diagnostic Tool from:
http://download.microsoft.com/downlo...tic%20Tool.EXE

--
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

Thanks Lawrence:


WSUS Client Diagnostics Tool

Checking Machine State
Checking for admin rights to run tool . . . . . . . . . PASS
Automatic Updates Service is running. . . . . . . . . . PASS
Background Intelligent Transfer Service is not running. PASS
Wuaueng.dll version 7.4.7600.226. . . . . . . . . . . . PASS
This version is WSUS 2.0

Checking AU Settings
AU Option is 3 : Notify Prior to Install. . . . . . . . PASS
Option is from Policy settings

Checking Proxy Configuration
Checking for winhttp local machine Proxy settings . . . PASS
Winhttp local machine access type
<Direct Connection>
Winhttp local machine Proxy. . . . . . . . . . NONE
Winhttp local machine ProxyBypass. . . . . . . NONE
Checking User IE Proxy settings . . . . . . . . . . . . PASS
User IE Proxy. . . . . . . . . . . . . . . . . NONE
User IE ProxyByPass. . . . . . . . . . . . . . NONE
User IE AutoConfig URL Proxy . . . . . . . . . NONE
User IE AutoDetect
AutoDetect not in use

Checking Connection to WSUS/SUS Server
WUServer = http://192.168.0.103
WUStatusServer = http://192.168.0.103
UseWuServer is enabled. . . . . . . . . . . . . . . . . PASS
Connection to server. . . . . . . . . . . . . . . . . . PASS

WinHttpDownloadFileToMemory(szURLDest, NULL, 0, NULL, NULL, NULL,
&downloadBuffe
r) failed with hr=0x80190193

No Error description could be found

Press Enter to Complete
"Lawrence Garvin [MVP]" <> wrote in message
news:E30C5AE7-BF24-4021-9732-...
> "Phil Angus" <> wrote in message
> news:...
>
>> I have tried the installation twice now on different servers. The first
>> time I couldn't use the default web site (Sharepoint was installed), but
>> I continued anyway, but it never worked.
>
> Installing WSUS on a Sharepoint-enabled server is a bit tricky, but it can
> be done. If you'd like to pursue this conversation further, we can chat
> more about it.
>
>> Everything looks good, Synchronisation has finished etc, but computers
>> just refuse to appear. I have tried adding the WSUS GPO to an OU,
>> rebooted the machine within the OU, but the machine still goes to MS Web
>> site for updates.
>
> The last sentence is pretty much confirmation that the policy is not being
> successfully applied.
>
> The question becomes whether this is a function of Group Policy, or a
> function of the specific policy settings.
>
> Your RSOP already shows the policy is being read by the client, so it's
> reasonable to assume the policy settings are being applied as configured,
> and they're not having the desired effect.
>
> The best next step from here is to run the Client Diagnostic Tool on this
> client system and post the results for analysis.
>
> You can obtain the Client Diagnostic Tool from:
> http://download.microsoft.com/downlo...tic%20Tool.EXE
>
> --
> Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
> Principal/CTO, Onsite Technology Solutions, Houston, Texas
> Microsoft MVP - Software Distribution (2005-2009)
>
> My Blog: http://onsitechsolutions.spaces.live.com
> Microsoft WSUS Website: http://www.microsoft.com/wsus
> My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
>

"Phil Angus" <> wrote in message
news:...

> Checking Connection to WSUS/SUS Server
> WUServer = http://192.168.0.103
> WUStatusServer = http://192.168.0.103
> UseWuServer is enabled. . . . . . . . . . . . . . . . . PASS
> Connection to server. . . . . . . . . . . . . . . . . . PASS
>
> WinHttpDownloadFileToMemory(szURLDest, NULL, 0, NULL, NULL, NULL,
> &downloadBuffer) failed with hr=0x80190193

This is an HTTP '403' error attempting to access the Default Web Site
/selfupdate virtual directory of the WSUS server.

The specific subcode being encountered here can be obtained from the IIS
logs and matched against this subcode listing for HTTP 403 errors. Assuming
this is a fresh install on a fresh server, I'd start by reevaluating things
you =changed= that are not documented in the Step By Step Guide as needing
to be changed (which is, to be honest, *nothing*). If this wasn't a fresh
server installation, then the question goes to what's changed on this server
from a default installation of Win2003 and IIS6. Implementation of a SCW
template is also a typical cause of issues with WSUS involving HTTP 403
errors as a result of ACL modifications on NTFS resources.

In other words, I'm pretty confident that whatever is not the *default* on
this server, is the culprit.

Most likely causes are:
- Host Headers are enabled and they're not matching the client request
- The DWS is restricted to an IP Address that does not match the client
request
- SSL has been enabled on the site and is not configured properly for WSUS.
- Something has modified the ACLs on the NTFS folders supporting IIS or the
%ProgramFiles% folder.


403 Substatus Error Codes for IIS

403.1 - Execute access forbidden.
403.2 - Read access forbidden.
403.3 - Write access forbidden.
403.4 - SSL required.
403.5 - SSL 128 required.
403.6 - IP address rejected.
403.7 - Client certificate required.
403.8 - Site access denied.
403.9 - Too many users.
403.10 - Invalid configuration.
403.11 - Password change.
403.12 - Mapper denied access.
403.13 - Client certificate revoked.
403.14 - Directory listing denied.
403.15 - Client Access Licenses exceeded.
403.16 - Client certificate is untrusted or invalid.
403.17 - Client certificate has expired or is not yet valid.

--
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

Thanks Lawrence.

OK, so after leaving this overnight, I had a look this morning and now I see
some machines under "All Computers" not "Unassigned Computers"

I have tried to move them to another group called Domain Servers, but they
don't appear there afterwards and just sit in "All Computers" The only
server that appears in the group Domain Servers is the WSUS server itself.
That shows a status of 99%

If I go to the WSUS server and run Windows Update, should it still go off to
the http://www.update.microsoft.com site? If not, then this still is not
right.

I don't think I have ever wrestled with a product as much as this one! The
main thing here is, these are all pretty much the same problems I had with
the last server.

I am seriously thinking about starting again from a completely fresh
installation. At the very least, I may try deinstalling WSUS, then
deinstalling IIS and reinstalling.


"Lawrence Garvin [MVP]" <> wrote in message
news:FB875578-216F-4F09-81C7-...
> "Phil Angus" <> wrote in message
> news:...
>
>> Checking Connection to WSUS/SUS Server
>> WUServer = http://192.168.0.103
>> WUStatusServer = http://192.168.0.103
>> UseWuServer is enabled. . . . . . . . . . . . . . . . . PASS
>> Connection to server. . . . . . . . . . . . . . . . . . PASS
>>
>> WinHttpDownloadFileToMemory(szURLDest, NULL, 0, NULL, NULL, NULL,
>> &downloadBuffer) failed with hr=0x80190193
>
> This is an HTTP '403' error attempting to access the Default Web Site
> /selfupdate virtual directory of the WSUS server.
>
> The specific subcode being encountered here can be obtained from the IIS
> logs and matched against this subcode listing for HTTP 403 errors.
> Assuming this is a fresh install on a fresh server, I'd start by
> reevaluating things you =changed= that are not documented in the Step By
> Step Guide as needing to be changed (which is, to be honest, *nothing*).
> If this wasn't a fresh server installation, then the question goes to
> what's changed on this server from a default installation of Win2003 and
> IIS6. Implementation of a SCW template is also a typical cause of issues
> with WSUS involving HTTP 403 errors as a result of ACL modifications on
> NTFS resources.
>
> In other words, I'm pretty confident that whatever is not the *default* on
> this server, is the culprit.
>
> Most likely causes are:
> - Host Headers are enabled and they're not matching the client request
> - The DWS is restricted to an IP Address that does not match the client
> request
> - SSL has been enabled on the site and is not configured properly for
> WSUS.
> - Something has modified the ACLs on the NTFS folders supporting IIS or
> the %ProgramFiles% folder.
>
>
> 403 Substatus Error Codes for IIS
>
> 403.1 - Execute access forbidden.
> 403.2 - Read access forbidden.
> 403.3 - Write access forbidden.
> 403.4 - SSL required.
> 403.5 - SSL 128 required.
> 403.6 - IP address rejected.
> 403.7 - Client certificate required.
> 403.8 - Site access denied.
> 403.9 - Too many users.
> 403.10 - Invalid configuration.
> 403.11 - Password change.
> 403.12 - Mapper denied access.
> 403.13 - Client certificate revoked.
> 403.14 - Directory listing denied.
> 403.15 - Client Access Licenses exceeded.
> 403.16 - Client certificate is untrusted or invalid.
> 403.17 - Client certificate has expired or is not yet valid.
>
> --
> Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
> Principal/CTO, Onsite Technology Solutions, Houston, Texas
> Microsoft MVP - Software Distribution (2005-2009)
>
> My Blog: http://onsitechsolutions.spaces.live.com
> Microsoft WSUS Website: http://www.microsoft.com/wsus
> My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
>

"Phil Angus" <> wrote in message
news:...

> OK, so after leaving this overnight, I had a look this morning and now I
> see some machines under "All Computers" not "Unassigned Computers"
>
> I have tried to move them to another group called Domain Servers,

You cannot move computers in/out of All Computers. "All Computers" is a
pseudo-group built from a rollup of all other computer group members.

> but they don't appear there afterwards and just sit in "All Computers" The
> only server that appears in the group Domain Servers is the WSUS server
> itself.

We should probably clarify how you're trying to make this change:

1. Is the WSUS Server configured to assign groups by [a] policy or [b] the
server console.

2. Have you configured Group Policy with "Client-side Targeting" *enabled*
or *disabled*?


> If I go to the WSUS server and run Windows Update, should it still go off
> to the http://www.update.microsoft.com site?

Yes.

> I don't think I have ever wrestled with a product as much as this one!

I feel your pain. But forgive me for being blunt... the nature of some of
your question suggest to me that perhaps you've not reviewed the product
documentation?
http://technet.microsoft.com/en-us/l...95(WS.10).aspx

> I am seriously thinking about starting again from a completely fresh
> installation. At the very least, I may try deinstalling WSUS, then
> deinstalling IIS and reinstalling.

These seem to be to be configuration, or operational problems, and
reinstalling the server is not likely to magically repair those issues.

And none of the above really even discusses the HTTP 403 errors -- which
aren't going to go away on their own.

--
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

OK, so I have got a lot further now. Just one error, 3rd from bottom.

Checking Machine State
Checking for admin rights to run tool . . . . . . . . . PASS
Automatic Updates Service is running. . . . . . . . . . PASS
Background Intelligent Transfer Service is not running. PASS
Wuaueng.dll version 7.4.7600.226. . . . . . . . . . . . PASS
This version is WSUS 2.0

Checking AU Settings
AU Option is 4: Scheduled Install . . . . . . . . . . . PASS
Option is from Policy settings

Checking Proxy Configuration
Checking for winhttp local machine Proxy settings . . . PASS
Winhttp local machine access type
<Direct Connection>
Winhttp local machine Proxy. . . . . . . . . . NONE
Winhttp local machine ProxyBypass. . . . . . . NONE
Checking User IE Proxy settings . . . . . . . . . . . . PASS
User IE Proxy. . . . . . . . . . . . . . . . . NONE
User IE ProxyByPass. . . . . . . . . . . . . . NONE
User IE AutoConfig URL Proxy . . . . . . . . . NONE
User IE AutoDetect
AutoDetect not in use

Checking Connection to WSUS/SUS Server
WUServer = http://backup
WUStatusServer = http//backup
UseWuServer is enabled. . . . . . . . . . . . . . . . . PASS
WUServer & WUStatusServer do not Match. . . . . . . . . FAIL
Connection to server. . . . . . . . . . . . . . . . . . PASS
SelfUpdate folder is present. . . . . . . . . . . . . . PASS

"Lawrence Garvin [MVP]" <> wrote in message
news:38EB62CD-1690-4739-BCF2-...
> "Phil Angus" <> wrote in message
> news:...
>
>> OK, so after leaving this overnight, I had a look this morning and now I
>> see some machines under "All Computers" not "Unassigned Computers"
>>
>> I have tried to move them to another group called Domain Servers,
>
> You cannot move computers in/out of All Computers. "All Computers" is a
> pseudo-group built from a rollup of all other computer group members.
>
>> but they don't appear there afterwards and just sit in "All Computers"
>> The only server that appears in the group Domain Servers is the WSUS
>> server itself.
>
> We should probably clarify how you're trying to make this change:
>
> 1. Is the WSUS Server configured to assign groups by [a] policy or [b] the
> server console.
>
> 2. Have you configured Group Policy with "Client-side Targeting" *enabled*
> or *disabled*?
>
>
>> If I go to the WSUS server and run Windows Update, should it still go off
>> to the http://www.update.microsoft.com site?
>
> Yes.
>
>> I don't think I have ever wrestled with a product as much as this one!
>
> I feel your pain. But forgive me for being blunt... the nature of some of
> your question suggest to me that perhaps you've not reviewed the product
> documentation?
> http://technet.microsoft.com/en-us/l...95(WS.10).aspx
>
>> I am seriously thinking about starting again from a completely fresh
>> installation. At the very least, I may try deinstalling WSUS, then
>> deinstalling IIS and reinstalling.
>
> These seem to be to be configuration, or operational problems, and
> reinstalling the server is not likely to magically repair those issues.
>
> And none of the above really even discusses the HTTP 403 errors -- which
> aren't going to go away on their own.
>
> --
> Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
> Principal/CTO, Onsite Technology Solutions, Houston, Texas
> Microsoft MVP - Software Distribution (2005-2009)
>
> My Blog: http://onsitechsolutions.spaces.live.com
> Microsoft WSUS Website: http://www.microsoft.com/wsus
> My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
>

On Fri, 4 Dec 2009 18:04:16 -0000, "Phil Angus" <> wrote:

>OK, so I have got a lot further now. Just one error, 3rd from bottom.
>
>
>Checking Connection to WSUS/SUS Server
> WUServer = http://backup
> WUStatusServer = http//backup
http: not http


> UseWuServer is enabled. . . . . . . . . . . . . . . . . PASS
> WUServer & WUStatusServer do not Match. . . . . . . . . FAIL


--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.