I have 2 WSUS issues with my Windows SBS 2003 R2 server.
1. There are 63 computer(s) that have not registered with Update Services.
2. There are 1 computer(s) that have not contacted Update Services in 7 days.
Where do I start looking into this?
-- Freelance IT Consultant Greenville, SC
Thanks for the reply.
The log file referenced appears to be for windows updates when run from the local machine. I want to connect all PCs to the WSUS on my SBS Server. No help in this log file.
-- Freelance IT Consultant Greenville, SC
How do you have your Group policy set for windows updates?
-- Chris Millette MCP/Network Administrator Community Bank & Trust
"Yosemite Sam" wrote:
> Thanks for the reply.
>
> The log file referenced appears to be for windows updates when run from the
> local machine. I want to connect all PCs to the WSUS on my SBS Server. No
> help in this log file.
> --
> Freelance IT Consultant
> Greenville, SC
>
> "Winfried Sonntag [MVP]" wrote:
>
> > Yosemite Sam wrote:
> >
> > > I have 2 WSUS issues with my Windows SBS 2003 R2 server.
> > >
> > > 1. There are 63 computer(s) that have not registered with Update Services.
> > > 2. There are 1 computer(s) that have not contacted Update Services in 7 days.
> > >
> > > Where do I start looking into this?
> >
> > WindowsUpdate.log on each Client in %windir% Directory.
> >
> > Winfried
> > --
> > http://www.microsoft.com/germany/windowsserver2003/technologien/updateservices/default.mspx
> > http://www.wsuswiki.com/Home
Server is Windows 2003 SBS R2 and policy settings have not been changed from the default at install of the R2.
I keep getting the message:
There are 1 computer(s) that have not contacted Update Services in 7 days
There are 63 computer(s) that have not registered with Update Services.
No computers are being updated.
It may help to know that this domain was formerly on Windows 2003 enterprise server, and SUS.
I moved the domain over to Windows 2003 SBS server and installed WSUS as part of the install. It has not worked since.
-- Freelance IT Consultant Greenville, SC
I ran rsop.msc there is no policy for WSUS. There is policy for Windows Update.
This is Windows 2003 SBS AD environment.
Maybe I could use some help with the GPO for WSUS. I have only the default policies that R2 setup upon install.
-- Freelance IT Consultant Greenville, SC
> Yosemite Sam wrote:
>
>> I ran rsop.msc there is no policy for WSUS.
>> There is policy for Windows Update.
>>
>> This is Windows 2003 SBS AD environment.
>>
>> Maybe I could use some help with the GPO for WSUS.
>> I have only the default policies that R2 setup upon install.
If this is an =R2= installation, and you've installed the R2 technologies, and you're using WSUS v2 from the R2 technologies, then the installation should have created *domain* level policies for Update Services, one for servers, one for workstations. Neither are called "Windows Update", nor have that term in their titles. There are three policies:
Small Business Server Update Services Common Settings Policy
Small Business Server Update Services Client Computers Policy
Small Business Server Update Services Server Computers Policy
The policies are selectively applied via security filtering. The SBS2003 server is explicitly added, by machine name, to the Server Computers Policy. The Common Settings Policy only applies to domain member computers. Without the Common Settings Policy applied, nothing will happen, because this is the policy that contains the URL of the WSUS server.
If the policies are not being applied to the workstations (or SBS server), then troubleshoot this as a group policy issue. Start by running 'gpupdate /force' on the SBS server and each of the workstations to see if the policy updates. Make sure all of your computers have computer accounts.
-- Lawrence Garvin, M.S., MCTS, MCP Independent WSUS Evangelist MVP-Software Distribution (2005-2007) https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at http://wsusinfo.onsitechsolutions.com .....
There is only 1 domain in the forest. As far as I am able to tell the policy is linked in 2 places. SBSComputers and at the domain level. It is not enforced. Should it be?
There are 5 containers that have computers in them. The SBSComputers container has only 4. A total of 64 computers in the domain. None of the computers are registered with WSUS.
-- Freelance IT Consultant Greenville, SC
Yosemite Sam wrote:
> There is only 1 domain in the forest. As far as I am able to tell the
> policy is linked in 2 places.
> SBSComputers and at the domain level. It is not enforced. Should it be?
No.
> There are 5 containers that have computers in them. The SBSComputers
> container has only 4. A total of 64 computers in the domain. None of the
> computers are registered with WSUS.
Move the 64 computers into the OU SBSComputers and restart the clients, or wait one day.
Winfried
--
http://www.microsoft.com/germany/windowsserver2003/technologien/updateservices/default.mspx
http://www.wsuswiki.com/Home
For background : This domain started with a Windows 2003 Enterprise server. Later we added the SBS Server, and demoted the previous DC according to the KB article 884453. Since all of the computers were already domain members they did not need to be added to the domain. I did move 4 computers into the SBScomputers container and run gpupdate /force. But they are still not registered in WSUS. We went to great lengths to prevent users from losing their domain account settings on their PCs, so I am reluctant to disjoin and rejoin the computers.
If I use the SBS “\\<servername>/connectcomputer” should I expect different results?
-- Freelance IT Consultant Greenville, SC
"Yosemite Sam" wrote:
> There is only 1 domain in the forest. As far as I am able to tell the
> policy is linked in 2 places.
> SBSComputers and at the domain level. It is not enforced. Should it be?
>
> There are 5 containers that have computers in them. The SBSComputers
> container has only 4. A total of 64 computers in the domain. None of the
> computers are registered with WSUS.
> --
> Freelance IT Consultant
> Greenville, SC
>
> "Winfried Sonntag [MVP]" wrote:
>
> > Yosemite Sam wrote:
> >
> > > I ran rsop.msc there is no policy for WSUS.
> > > There is policy for Windows Update.
> > >
> > > This is Windows 2003 SBS AD environment.
> > >
> > > Maybe I could use some help with the GPO for WSUS.
> > > I have only the default policies that R2 setup upon install.
> >
> > Have a look in Active Directory User + Computers. Is the Client in the
> > correct OU?
> >
> > Winfried
> > --
> > http://www.microsoft.com/germany/windowsserver2003/technologien/updateservices/default.mspx
> > http://www.wsuswiki.com/Home
"Yosemite Sam" <Yosemite.Sam[ at ]gsaa.com> wrote in message news:160E0637-FF80-4776-9CE4-B99C61771A3F[ at ]microsoft.com...
> For background :
> This domain started with a Windows 2003 Enterprise server. Later we added
> the SBS Server, and demoted the previous DC according to the KB article
> 884453. Since all of the computers were already domain members they did not
> need to be added to the domain. I did move 4 computers into the SBScomputers
> container and run gpupdate /force. But they are still not registered in
> WSUS. We went to great lengths to prevent users from losing their domain
> account settings on their PCs, so I am reluctant to disjoin and rejoin the
> computers.
>
> If I use the SBS "\\<servername>/connectcomputer" should I expect different
> results?
Quite possibly!
None of the expectations, procedures, or configurations developed for SBS2003 are written with the consideration that the SBS2003 "used to be a full blown AD domain". There are gazillions of configuration things set up when a machine/user is first created in an SBS2003 domain that will *never* be done in an Enterprise domain based on Win2003.
Absolutely, you need to follow the instructions, explicitly, for setting up and configuring users and machines in the SBS domain.
I'd suggest deleting all users and machines in the domain, and rebuilding every security principal from scratch, using the SBS System Manager =and= the SBS wizards designed to perform these processes.
and.... btw.. the correct way to access the connect script is http://sbsserver/connectcomputer from IE =AFTER= you've created the computer accounts in AD using the SBS wizards.
-- Lawrence Garvin, M.S., MCTS, MCP Independent WSUS Evangelist MVP-Software Distribution (2005-2007) https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at http://wsusinfo.onsitechsolutions.com .....
3 new discoveries:
1. The names of the computers seem to have been a problem.... HE_DCW was not allowed because of the _ . Changed name and GPUpdate /Force... then I find 2 & 3 below.
2. I now find that WSUS policies are listed as "Denied (Security)". How do I find the security setting blocking the policy?
3. The firewall policy shows "Denied (WMI Filter)". Where do I look?
-- Freelance IT Consultant Greenville, SC
3 new discoveries:
1. I tried to join a computer to the domain with the SBS Setup a computer wizard. I discovered that HE_DCW was not allowed because of the _ . I changed the name to HE-DCW, then GPUpdate /Force… Then discovered 2 & 3 below.
2. SBS WSUS policy is listed as “Denied (Security)”. Where do I look for security to this policy?
3. SBS Firewall policy is listed as “Denied (WMI Filter)”. Where do I look for filters?
Thanks to all who are responding.
-- Freelance IT Consultant Greenville, SC
For background : This domain started with a Windows 2003 Enterprise server. Later we added the SBS Server, and demoted the previous DC according to the KB article 884453. Since all of the computers were already domain members they did not need to be added to the domain. I did move 4 computers into the SBScomputers container and run gpupdate /force. But they are still not registered in WSUS. We went to great lengths to prevent users from losing their domain account settings on their PCs, so I am reluctant to disjoin and rejoin the computers.
If I use the SBS “\\<servername>/connectcomputer” should I expect different results?
3 new discoveries:
1. I tried to join a computer to the domain with the SBS Setup a computer wizard. I discovered that “HE_DCW” was not allowed as computer name because of the _ . I changed the name to HE-DCW, then GPUpdate /Force… Then discovered 2 & 3 below.
2. SBS WSUS policy is listed as “Denied (Security)”. Set security to “Read & Apply Policy” for Authenticated Users on this policy?
3. Windows Update policy is listed as enabled, and Automatic updates allowed. Will it interfere with WSUS? I would think I should disable capability for users to update or setup auto updates.
Thanks to all who are responding.
-- Freelance IT Consultant Greenville, SC
"Yosemite Sam" <Yosemite.Sam[ at ]gsaa.com> wrote in message news:0AD39709-BECD-4792-A2F6-76B8462DB469[ at ]microsoft.com...
> 3 new discoveries:
>
> 1. The names of the computers seem to have been a problem.... HE_DCW was
> not allowed because of the _ . Changed name and GPUpdate /Force... then I
> find 2 & 3 below.
Yep... underscores have been illegal characters since the release of Active Directory and the switch from WINS to DNS.
> 2. I now find that WSUS policies are listed as "Denied (Security)"
> How do I find the security setting blocking the policy?
Go to the policy, open the policy editor, and look to see which, if any, security groups have permissions, or lack thereof, on the policy object.
> 3. The firewall policy shows "Denied (WMI Filter)"
What "firewall policy"? Are we talking about an AD/GPO that's used to configure the firewall? An AD/GPO that's used to configure clients to use the firewall? Or a policy configured *on* the firewall to control its operation?
-- Lawrence Garvin, M.S., MCTS, MCP Independent WSUS Evangelist MVP-Software Distribution (2005-2007) https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at http://wsusinfo.onsitechsolutions.com .....
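The "Denied (Security)" and "Denied (WMI Filter)" states discussed in this thread are what `gpresult` lists per GPO in its computer section. The following is an added example, not code from any poster or from Microsoft: it triages a saved workstation report against the three policy names given earlier in the thread. The sample report, its OU path, the filter name and `Example Firewall Policy` are constructed, and the report layout is assumed to match the verbose text output of `gpresult`.

```python
import re

COMMON = "Small Business Server Update Services Common Settings Policy"
CLIENT = "Small Business Server Update Services Client Computers Policy"
SERVER = "Small Business Server Update Services Server Computers Policy"
HEADINGS = {"Applied Group Policy Objects": "applied",
            "The following GPOs were not applied": "filtered"}
ATTR = re.compile(r"^(Filtering|WMI Filter):\s*(.*)$")

# Constructed sample of a workstation's computer-scope report (not output from
# the thread; the OU path, filter name and "Example Firewall Policy" are made up).
SAMPLE_REPORT = """\
COMPUTER SETTINGS
------------------
    CN=HE-DCW,OU=SBSComputers,DC=example,DC=local

    Applied Group Policy Objects
    -----------------------------
        Small Business Server Update Services Client Computers Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server Update Services Common Settings Policy
            Filtering:  Denied (Security)

        Small Business Server Update Services Server Computers Policy
            Filtering:  Denied (Security)

        Example Firewall Policy
            Filtering:  Denied (WMI Filter)
            WMI Filter:  ExampleFilter

    The computer is a part of the following security groups
    -------------------------------------------------------
        Domain Computers
"""

def _is_rule(line):
    return bool(line.strip()) and set(line.strip()) == {"-"}

def parse_gpresult(text):
    """Return (applied GPO names, {filtered GPO name: filtering reason})."""
    applied, filtered, section, last_gpo = [], {}, None, None
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        if not line or _is_rule(raw):
            continue
        if i + 1 < len(lines) and _is_rule(lines[i + 1]):  # underlined heading
            section = next((v for k, v in HEADINGS.items() if line.startswith(k)), None)
            last_gpo = None
        elif section == "applied":
            applied.append(line)
        elif section == "filtered":
            attr = ATTR.match(line)
            if attr is None:  # a GPO name; its attributes follow on later lines
                last_gpo = line
                filtered[line] = "Filtered (no reason listed)"
            elif attr.group(1) == "Filtering" and last_gpo:
                filtered[last_gpo] = attr.group(2).strip()
    return applied, filtered

def triage_workstation(text):
    """Map each SBS Update Services GPO to (state, verdict) for a workstation."""
    applied, filtered = parse_gpresult(text)
    result = {}
    for gpo in (COMMON, CLIENT, SERVER):
        state = "Applied" if gpo in applied else filtered.get(gpo, "Not in scope")
        if gpo == SERVER:  # thread: only the SBS server is in this GPO's filter
            verdict = "review" if state == "Applied" else "expected"
        else:  # COMMON carries the WSUS URL, CLIENT the workstation settings
            verdict = "ok" if state == "Applied" else "fix"
        result[gpo] = (state, verdict)
    return result
```

On the constructed sample, the Common Settings Policy comes back as "Denied (Security)" with verdict "fix", while the same state on the Server Computers Policy is "expected" for a workstation.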
Sorry for the repeated post. I could not see my post after several hours and assumed they were lost in the bit bucket.
I don't remember reading any warnings about any of these issues in the KB article. If the KB article had mentioned them I would never have attempted sliding the SBS server into the existing domain. Oh well "Spilt milk" and all that stuff.
Would it be possible to save the user settings with the file and settings transfer wizard, delete user and computer accounts, and create them with the SBS wizard, then transfer settings back to the newly created user? I would expect to lose the email accounts and have to move everything into a PST file before the transfer and back from the PST file after the transfer. Can and should I do this a few users at a time as time allows? Or would it need to be a sweep?
-- Freelance IT Consultant Greenville, SC
"Yosemite Sam" <dcw[ at ]gsaa.com> wrote in message news:30E86C56-1061-4DE0-8E02-F39EA7230388[ at ]microsoft.com...
> Sorry for the repeated post. I could not see my post after several hours
> and assumed they were lost in the bit bucket.
>
> I don't remember reading any warnings about any of these issues in the KB
> article. If the KB article had mentioned them I would never have attempted
> sliding the SBS server into the existing domain. Oh well "Spilt milk" and
> all that stuff.
The problem is *not* with converting an existing domain from Win2003 to SBS2003.
The problem is with how you expect the domain members to behave.
The SBS2003 client-side configuration events happen as a function of actively joining a domain where the domain object has been created by SBS2003, and the appropriate configurations applied as triggered by the SBS wizards.
> Would it be possible to save the user settings with the file and settings
> transfer wizard, delete user and computer accounts, and create them with
> the SBS wizard, then transfer settings back to the newly created user?
Yes. However.... try this instead:
[1] Save user settings with file and settings wizard.
[2] Remove *computer* from domain.
[3] Remove user and computer *accounts* from domain.
[4] Create LOCAL account on computer and import F&STW to the LOCAL account.
[5] Recreate computer and user *accounts* using SBS2003 wizard.
[6] Log onto LOCAL account on computer and join domain using http://servername/connectcomputer which will then convert local profile into a domain profile.
> I would expect to lose the email accounts and have to move everything into
> a PST file before the transfer and back from the PST file after the transfer.
You can export all Outlook configuration information prior to separating from the domain, and then reimport it after the machine has rejoined the domain.
Also, make sure the OST (Offline Files Cache) is transferred from the old profile to the new profile, if possible, or it will have to be rebuilt. Depending on the size of the mailbox, this could take some time.
> Can and should I do this a few users at a time as time allows? Or would it
> need to be a sweep?
You can do this one computer at a time, at your convenience.
-- Lawrence Garvin, M.S., MCTS, MCP Independent WSUS Evangelist MVP-Software Distribution (2005-2007) https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at http://wsusinfo.onsitechsolutions.com .....