Re: Incorrect Server in WSUS Client Diagnostic

Discussion in 'Update Services' started by Lawrence Garvin [MVP], Aug 21, 2009.

  1. "wsus-fool" <> wrote in message
    news:...

    > no computers are showing up there.
    > I ran the Client Diagnostics Tool and realize that the WSUS
    > server my client is trying to connect to is WRONG. But I can't for the
    > life of me find out where my client is getting that server name. I'm
    > sure it has to do with the fact that there was a partial WSUS setup done
    > about 2 years ago (and that is the server name that would have been used
    > then), but it was never completed. I am 100% sure the my GPO is set up
    > with the correct server name and I have run gpupdate /force on the
    > client. Any ideas on where this incorrect server name may be coming
    > from?


    Yes, I'd suggest first looking for errant policies containing this
    servername. Given the fact that the setup was "partial", and never
    completed, I'd also surmise a possibility that existing policies (Default
    Domain, Default Domain Controller) were modified, rather than creating
    dedicated WSUS policies (the preferred solution) -- so I'd start by
    inspecting the appropriate sections of those two (and other existing)
    policies.

    However, if your policy is linked at the =OU= level, it should be overriding
    any =Domain= level policies that might be setting those values. If your
    policy is not linked at the OU level, try doing that -- if nothing else it
    may help isolate the level of the AD tree where the policy configuration is
    coming from.

    Another possibility is that your policy is not being applied at all, and the
    value is coming from a Local Policy on the machine -- or that the value is
    configured in the registry and no policy has ever 'unset' it. This, however,
    is not as likely given that this client has the v7.2.6001.788 WUAgent
    installed - and it had to have installed that updated WUAgent from somewhere
    in the past 13 months.

    Running GPRESULT would be recommended on this client to verify that your
    specific WSUS GPO is being applied (even if it's being overridden by another
    domain-level policy).

    --
    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)

    MS WSUS Website: http://www.microsoft.com/wsus
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
     
    Lawrence Garvin [MVP], Aug 21, 2009
    #1
    1. Advertising

  2. "wsus-fool" <> wrote in message
    news:...

    > From looking at other posts, I tried to get to the wsusadmin
    > from my client computer's browser as well (http://servername/wsusadmin).


    What version of WSUS are you using?

    1. If you're using WSUS v2, then based on the output of the Client
    Diagnostic Tool, there is NO WSUS Server available at http://servername.

    2. If you're using WSUS v3, then you need to be aware there is no web-based
    administation tool in WSUS v3, and if you are using WSUS v3, and not aware
    of that fundamental point, I'd respectfully suggest you take some time out
    and review the Overview, Getting Started Guide, and Deployment Guide --
    which, quite likely, will address your various other issues in getting the
    server working.


    > I received an error that I needed to use https


    That's interesting.

    > (I did the setup with SSL on port 443) so I tried that to no avail


    No great surprise there. :)

    > I went back and changed my WSUS server in the GPO Editor
    > to https://servername and still the same result.


    Instead of *guessing* at what you should be configuring in your browser,
    wouldn't it be more productive to first determine the *actual* URL of the
    WSUS Server?


    > Checking Connection to WSUS/SUS Server
    > WUServer = https://servername
    > WUStatusServer = https://servername
    > UseWuServer is enabled. . . . . . . . . . . . . . . . . PASS
    >
    > VerifyWUServerURL() failed with hr=0x80072efd


    What this tells us is that there's no WSUS server available at the
    configured URL.

    But, there's not much more I can tell you. First you have to know what the
    server URL is supposed to be, and at this point feeding me fake names is
    useless. I cannot help you unless you provide real information.


    --
    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)

    MS WSUS Website: http://www.microsoft.com/wsus
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
     
    Lawrence Garvin [MVP], Aug 21, 2009
    #2
    1. Advertising

  3. "wsus-fool" <> wrote in message
    news:...


    > 1. When I installed WSUS, the website to point the clients to said
    > http://HERMES. This is also what I have set in the GPO, which is set up
    > on an OU called Managed Users.


    This could be problematic. The policy configuration is a *computer*
    configuration, and should be linked to an OU containing Computers .. not
    Users. If you've linked the GPO to a Users OU, that would explain why it's
    not being applied.


    > 2. I configured WSUS to use the default web site. When I view the
    > properties of the Default Web Site in IIS, the IP is 10.101.10.253


    The Default Web Site need to be configured to use "All Available" IP
    addresses. This is necessary to support 'localhost' connectivity from the
    WSUS Health Monitoring Service.


    > 3. I am now seeing computers in the WSUS Console, but they are saying
    > "Not yet reported". And on the WSUS Client Diagnostic Tool, I receive
    > this error:
    >
    > VerifyWUServerURL() failed with hr=0x80190193


    Good stuff. This is an HTTP 403 error. If you can go to the IIS logs on the
    WSUS Server and see if IIS has recorded the specific web request that
    corresponds to this execution of the Client Diagnostic Tool (It'll be a GET
    to a resource in http://hermes/selfupdate/... ) we can get the subcode and
    find out exactly what the issue is.

    Note: The IIS logs are recorded in GMT so you'll need to do time conversions
    to get the correct entries.

    Typically HTTP 403 errors are triggered in the WUAgent environment when
    WinHTTP is not configured correctly to use a proxy server, or authentication
    with the proxy server is failing. If there is no proxy server configured on
    the client (which is the case here), it could be a proxy server actually
    blocking the request (in which case IIS won't have a log entry for the
    request).

    It can also be a misconfiguration in IIS. The fact that your IIS has a
    specific address configured indicates that somebody has changed the IIS
    configuration from the default at some point. This then begs the question of
    what else has also been changed. I would recommend validating your IIS
    permissions against those documented in the WSUS Operations Guide to ensure
    IIS has the proper permissions configured to support WSUS operations.

    --
    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)

    MS WSUS Website: http://www.microsoft.com/wsus
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
     
    Lawrence Garvin [MVP], Aug 25, 2009
    #3
  4. Lawrence Garvin [MVP]

    Goldie Guest

    "Lawrence Garvin [MVP]" wrote:

    > "wsus-fool" <> wrote in message
    > news:...
    >
    >
    > > 1. When I installed WSUS, the website to point the clients to said
    > > http://HERMES. This is also what I have set in the GPO, which is set up
    > > on an OU called Managed Users.

    >
    > This could be problematic. The policy configuration is a *computer*
    > configuration, and should be linked to an OU containing Computers .. not
    > Users. If you've linked the GPO to a Users OU, that would explain why it's
    > not being applied.
    >
    >
    > > 2. I configured WSUS to use the default web site. When I view the
    > > properties of the Default Web Site in IIS, the IP is 10.101.10.253

    >
    > The Default Web Site need to be configured to use "All Available" IP
    > addresses. This is necessary to support 'localhost' connectivity from the
    > WSUS Health Monitoring Service.
    >
    >
    > > 3. I am now seeing computers in the WSUS Console, but they are saying
    > > "Not yet reported". And on the WSUS Client Diagnostic Tool, I receive
    > > this error:
    > >
    > > VerifyWUServerURL() failed with hr=0x80190193

    >
    > Good stuff. This is an HTTP 403 error. If you can go to the IIS logs on the
    > WSUS Server and see if IIS has recorded the specific web request that
    > corresponds to this execution of the Client Diagnostic Tool (It'll be a GET
    > to a resource in http://hermes/selfupdate/... ) we can get the subcode and
    > find out exactly what the issue is.
    >
    > Note: The IIS logs are recorded in GMT so you'll need to do time conversions
    > to get the correct entries.
    >
    > Typically HTTP 403 errors are triggered in the WUAgent environment when
    > WinHTTP is not configured correctly to use a proxy server, or authentication
    > with the proxy server is failing. If there is no proxy server configured on
    > the client (which is the case here), it could be a proxy server actually
    > blocking the request (in which case IIS won't have a log entry for the
    > request).
    >
    > It can also be a misconfiguration in IIS. The fact that your IIS has a
    > specific address configured indicates that somebody has changed the IIS
    > configuration from the default at some point. This then begs the question of
    > what else has also been changed. I would recommend validating your IIS
    > permissions against those documented in the WSUS Operations Guide to ensure
    > IIS has the proper permissions configured to support WSUS operations.
    >
    > --
    > Lawrence Garvin, M.S., MCITP:EA, MCDBA
    > Principal/CTO, Onsite Technology Solutions, Houston, Texas
    > Microsoft MVP - Software Distribution (2005-2009)
    >
    > MS WSUS Website: http://www.microsoft.com/wsus
    > My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    >
     
    Goldie, Aug 25, 2009
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. mcsepit

    WSUS Client Diagnostic tool

    mcsepit, Jul 23, 2009, in forum: Windows Update
    Replies:
    5
    Views:
    9,518
    mcsepit
    Aug 5, 2009
  2. Edward Ray
    Replies:
    5
    Views:
    1,610
    Lawrence Garvin
    Aug 19, 2005
  3. adc
    Replies:
    3
    Views:
    374
    Lawrence Garvin \(MVP\)
    Jan 29, 2006
  4. Simon
    Replies:
    5
    Views:
    1,047
    Lawrence Garvin [MVP]
    Sep 14, 2009
  5. Gregory Keperling

    WSUS Client Diagnostic Tool

    Gregory Keperling, Sep 12, 2006, in forum: Update Services
    Replies:
    2
    Views:
    354
    Gregory Keperling
    Sep 12, 2006
Loading...

Share This Page