Re: Incorrect Server in WSUS Client Diagnostic

"wsus-fool" <wsus-> wrote in message
news:wsus-...

> no computers are showing up there.
> I ran the Client Diagnostics Tool and realize that the WSUS
> server my client is trying to connect to is WRONG. But I can't for the
> life of me find out where my client is getting that server name. I'm
> sure it has to do with the fact that there was a partial WSUS setup done
> about 2 years ago (and that is the server name that would have been used
> then), but it was never completed. I am 100% sure the my GPO is set up
> with the correct server name and I have run gpupdate /force on the
> client. Any ideas on where this incorrect server name may be coming
> from?

Yes, I'd suggest first looking for errant policies containing this
servername. Given the fact that the setup was "partial", and never
completed, I'd also surmise a possibility that existing policies (Default
Domain, Default Domain Controller) were modified, rather than creating
dedicated WSUS policies (the preferred solution) -- so I'd start by
inspecting the appropriate sections of those two (and other existing)
policies.

However, if your policy is linked at the =OU= level, it should be overriding
any =Domain= level policies that might be setting those values. If your
policy is not linked at the OU level, try doing that -- if nothing else it
may help isolate the level of the AD tree where the policy configuration is
coming from.

Another possibility is that your policy is not being applied at all, and the
value is coming from a Local Policy on the machine -- or that the value is
configured in the registry and no policy has ever 'unset' it. This, however,
is not as likely given that this client has the v7.2.6001.788 WUAgent
installed - and it had to have installed that updated WUAgent from somewhere
in the past 13 months.

Running GPRESULT would be recommended on this client to verify that your
specific WSUS GPO is being applied (even if it's being overridden by another
domain-level policy).

--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

"wsus-fool" <wsus-> wrote in message
news:wsus-...

> From looking at other posts, I tried to get to the wsusadmin
> from my client computer's browser as well (http://servername/wsusadmin).

What version of WSUS are you using?

1. If you're using WSUS v2, then based on the output of the Client
Diagnostic Tool, there is NO WSUS Server available at http://servername.

2. If you're using WSUS v3, then you need to be aware there is no web-based
administation tool in WSUS v3, and if you are using WSUS v3, and not aware
of that fundamental point, I'd respectfully suggest you take some time out
and review the Overview, Getting Started Guide, and Deployment Guide --
which, quite likely, will address your various other issues in getting the
server working.


> I received an error that I needed to use https

That's interesting.

> (I did the setup with SSL on port 443) so I tried that to no avail

No great surprise there. :-)

> I went back and changed my WSUS server in the GPO Editor
> to https://servername and still the same result.

Instead of *guessing* at what you should be configuring in your browser,
wouldn't it be more productive to first determine the *actual* URL of the
WSUS Server?


> Checking Connection to WSUS/SUS Server
> WUServer = https://servername
> WUStatusServer = https://servername
> UseWuServer is enabled. . . . . . . . . . . . . . . . . PASS
>
> VerifyWUServerURL() failed with hr=0x80072efd

What this tells us is that there's no WSUS server available at the
configured URL.

But, there's not much more I can tell you. First you have to know what the
server URL is supposed to be, and at this point feeding me fake names is
useless. I cannot help you unless you provide real information.


--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

"wsus-fool" <wsus-> wrote in message
news:wsus-...


> 1. When I installed WSUS, the website to point the clients to said
> http://HERMES. This is also what I have set in the GPO, which is set up
> on an OU called Managed Users.

This could be problematic. The policy configuration is a *computer*
configuration, and should be linked to an OU containing Computers .. not
Users. If you've linked the GPO to a Users OU, that would explain why it's
not being applied.


> 2. I configured WSUS to use the default web site. When I view the
> properties of the Default Web Site in IIS, the IP is 10.101.10.253

The Default Web Site need to be configured to use "All Available" IP
addresses. This is necessary to support 'localhost' connectivity from the
WSUS Health Monitoring Service.


> 3. I am now seeing computers in the WSUS Console, but they are saying
> "Not yet reported". And on the WSUS Client Diagnostic Tool, I receive
> this error:
>
> VerifyWUServerURL() failed with hr=0x80190193

Good stuff. This is an HTTP 403 error. If you can go to the IIS logs on the
WSUS Server and see if IIS has recorded the specific web request that
corresponds to this execution of the Client Diagnostic Tool (It'll be a GET
to a resource in http://hermes/selfupdate/... ) we can get the subcode and
find out exactly what the issue is.

Note: The IIS logs are recorded in GMT so you'll need to do time conversions
to get the correct entries.

Typically HTTP 403 errors are triggered in the WUAgent environment when
WinHTTP is not configured correctly to use a proxy server, or authentication
with the proxy server is failing. If there is no proxy server configured on
the client (which is the case here), it could be a proxy server actually
blocking the request (in which case IIS won't have a log entry for the
request).

It can also be a misconfiguration in IIS. The fact that your IIS has a
specific address configured indicates that somebody has changed the IIS
configuration from the default at some point. This then begs the question of
what else has also been changed. I would recommend validating your IIS
permissions against those documented in the WSUS Operations Guide to ensure
IIS has the proper permissions configured to support WSUS operations.

--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

"Lawrence Garvin [MVP]" wrote:

> "wsus-fool" <wsus-> wrote in message
> news:wsus-...
>
>
> > 1. When I installed WSUS, the website to point the clients to said
> > http://HERMES. This is also what I have set in the GPO, which is set up
> > on an OU called Managed Users.
>
> This could be problematic. The policy configuration is a *computer*
> configuration, and should be linked to an OU containing Computers .. not
> Users. If you've linked the GPO to a Users OU, that would explain why it's
> not being applied.
>
>
> > 2. I configured WSUS to use the default web site. When I view the
> > properties of the Default Web Site in IIS, the IP is 10.101.10.253
>
> The Default Web Site need to be configured to use "All Available" IP
> addresses. This is necessary to support 'localhost' connectivity from the
> WSUS Health Monitoring Service.
>
>
> > 3. I am now seeing computers in the WSUS Console, but they are saying
> > "Not yet reported". And on the WSUS Client Diagnostic Tool, I receive
> > this error:
> >
> > VerifyWUServerURL() failed with hr=0x80190193
>
> Good stuff. This is an HTTP 403 error. If you can go to the IIS logs on the
> WSUS Server and see if IIS has recorded the specific web request that
> corresponds to this execution of the Client Diagnostic Tool (It'll be a GET
> to a resource in http://hermes/selfupdate/... ) we can get the subcode and
> find out exactly what the issue is.
>
> Note: The IIS logs are recorded in GMT so you'll need to do time conversions
> to get the correct entries.
>
> Typically HTTP 403 errors are triggered in the WUAgent environment when
> WinHTTP is not configured correctly to use a proxy server, or authentication
> with the proxy server is failing. If there is no proxy server configured on
> the client (which is the case here), it could be a proxy server actually
> blocking the request (in which case IIS won't have a log entry for the
> request).
>
> It can also be a misconfiguration in IIS. The fact that your IIS has a
> specific address configured indicates that somebody has changed the IIS
> configuration from the default at some point. This then begs the question of
> what else has also been changed. I would recommend validating your IIS
> permissions against those documented in the WSUS Operations Guide to ensure
> IIS has the proper permissions configured to support WSUS operations.
>
> --
> Lawrence Garvin, M.S., MCITP:EA, MCDBA
> Principal/CTO, Onsite Technology Solutions, Houston, Texas
> Microsoft MVP - Software Distribution (2005-2009)
>
> MS WSUS Website: http://www.microsoft.com/wsus
> My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
>