WSUS not working on VMs

    Question

  • Hi Guys

    My main machine runs Windows 8 with Hyper-V installed.

    On Hyper-V I have two VM DCs set up, DC-01 and DC-03.

    I also have a VM client PC set up called PC-01.

    I've set up and configured the server DC-03 with the ADDS role, DNS role and WSUS role. I can confirm that all servers can communicate with each other and that the WSUS rules are enabled on the DC-03 firewall. I also have the firewall disabled on PC-01.

    I have set the GPO to apply to PC-01 to point to http://dc-03:8530 for its updates. I have checked in the registry and it does point here, so the GPO has applied.

    When trying to get updates from WSUS I receive error 80072EE2; from some reading, this suggests a problem with the connection to the server. If I try and connect to http://dc-03/iuident.cab I do not get a prompt to download a file, nor do I if I go to http://dc-03/selfupdate/wuident.cab.

    The way I have my network set up on the VMs is: DC-01 and DC-03 both have 2 virtual network cards. 1 card points to my router at home to get out to the internet and also receives its IP from my router. The other network card is set to internal and receives its IP from DHCP. This is the same on both servers.

    PC-01 only has one VNIC and is set to internal again, receiving its IP from DHCP.

    I have followed the trainsignal video for setting this up and various instructions / YouTube videos and they all make it look simple; it just seems to work but doesn't for me. If anyone can point out anything obvious that might cause this I would appreciate it.

    Long winded so thank you also for taking time to read

    Anthony


    • Edited by Dunn2010 Thursday, September 12, 2013 11:34 PM
    Thursday, September 12, 2013 11:02 PM

All replies

  • Hi Guys, quick update

    After changing most of the permissions on the site within IIS to use the administrator account, I can now open the /selfupdate/wuident.cab file from the local host but still cannot from PC-01.

    I also cannot telnet from PC-01 to DC-03's IP on port 8530; however, every firewall in my network is disabled, and even when enabled the correct rules are in place to allow these connections.

    Friday, September 13, 2013 6:33 AM
  • After changing most of the permissions on the site within IIS to use the administrator account, I can now open the /selfupdate/wuident.cab file from the local host but still cannot from PC-01.

    Well, that's not good, but it does suggest that the permissions were not correct to begin with. How did the Web Server Role get installed on this server?

    I also cannot telnet from PC-01 to DC-03's IP on port 8530; however, every firewall in my network is disabled, and even when enabled the correct rules are in place to allow these connections.

    This may be meaningless. Did you install/enable the Telnet Server on the target machine?

    If you did, and it still fails, that would be consistent with the TIMEOUT errors you're getting trying to establish a WSUS connection.

    If I try and connect to http://dc-03/iuident.cab I do not get a prompt to download a file, nor do I if I go to http://dc-03/selfupdate/wuident.cab.

    These are meaningless results, as neither resource exists on a native WS2012 WSUS v6 installation.

    The way I have my network set up on the VMs is: DC-01 and DC-03 both have 2 virtual network cards. 1 card points to my router at home to get out to the internet and also receives its IP from my router. The other network card is set to internal and receives its IP from DHCP. This is the same on both servers.

    PC-01 only has one VNIC and is set to internal again, receiving its IP from DHCP.

    My money is on this convoluted NIC setup being the culprit, and causing your internal traffic to be rerouted to the wrong places.

    I suggest you start with ONE virtual NIC per VM, assign them all to the EXTERNAL interface of the host, and get the thing working with a simple networking configuration first. Then if you want to get creative with more complex networking configurations, you'll know when it breaks that it's not the WSUS infrastructure, but rather the network infrastructure, since that's the only variable being changed.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Friday, September 13, 2013 7:28 PM
    Moderator
  • Thanks for the reply

    I found the problem: it was that the site and app pool on IIS was using the network service account, which for some reason didn't have permissions to access the folders within Program Files it needed.

    Made a service account for this with relevant permissions and assigned it to use this instead and all is working. The client can now connect and successfully gets prompted to download a zip when going to dc-03/selfupdate/wuident.cab.

    Can't believe this ended up being the issue. Spoke to a few of my colleagues who have not had this issue before but also haven't tried in a 2012 environment.

    Saturday, September 14, 2013 7:03 AM
  • Made a service account for this with relevant permissions and assigned it to use this instead and all is working.

    You're saying you created a different user-level account for running the AppPool (instead of the NETWORK SERVICE account) and granted that user account permissions to portions of the %ProgramFiles% folder tree?

    It seems to me that a more relevant fix would be to assign the correct ACLs to the WSUS resources, which includes the NETWORK SERVICE account having Read & Execute rights inherited from the %ProgramFiles%\Update Services\WebServices folder, and run the AppPool under the restricted account it is intended to run with.

    And the associated question: Why aren't those ACLs set correctly to begin with?

    The correct ACLs can be found in the WSUS Technical Reference Guide in Permissions on WSUS Directories and Registry Keys.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    • Marked as answer by Dunn2010 Thursday, October 17, 2013 10:36 PM
    Monday, September 16, 2013 1:58 PM
    Moderator
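
The check described in the reply above, as an added example that is not part of the original thread: a read-only audit of which identity the WSUS application pool runs as and whether NETWORK SERVICE holds Read & Execute across the WebServices tree. It assumes the default install path and the default pool name `WsusPool`; the function name `Test-NetworkServiceAccess` is hypothetical.

```powershell
# Added example: read-only audit, run elevated on the WSUS server.
# Nothing here changes configuration or permissions.
Import-Module WebAdministration

$poolName = 'WsusPool'   # assumption: default WSUS application pool name
$webRoot  = Join-Path $env:ProgramFiles 'Update Services\WebServices'
$nsSid    = 'S-1-5-20'   # well-known SID of NT AUTHORITY\NETWORK SERVICE
$needed   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

# 1. Identity the pool runs as; anything other than NetworkService deserves a look.
$pm = (Get-Item "IIS:\AppPools\$poolName").processModel
[pscustomobject]@{
    AppPool      = $poolName
    IdentityType = $pm.identityType
    UserName     = $pm.userName      # only populated for a specific user account
    AsIntended   = ($pm.identityType -eq 'NetworkService')
} | Format-List

# 2. Does an Allow ACE naming NETWORK SERVICE grant Read & Execute on the folder?
#    Only ACEs for that SID are examined; access gained through group
#    membership is not evaluated.
function Test-NetworkServiceAccess {
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $nsSid }
    $allow = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $needed) -eq $needed
    }
    $deny = $rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        ($_.FileSystemRights -band $needed) -ne 0
    }
    [pscustomobject]@{
        Path      = $Path
        Allowed   = [bool]$allow
        Denied    = [bool]$deny
        Inherited = [bool]($allow | Where-Object IsInherited)
    }
}

# 3. Walk the tree and list only the folders where the expected access is missing.
$folders = @(Get-Item -LiteralPath $webRoot) +
           @(Get-ChildItem -LiteralPath $webRoot -Directory -Recurse)
$folders | ForEach-Object { Test-NetworkServiceAccess -Path $_.FullName } |
    Where-Object { -not $_.Allowed -or $_.Denied } |
    Format-Table -AutoSize
```

An empty table from step 3 means every folder carries the expected ACE; any rows listed are the folders to compare against the WSUS Technical Reference Guide.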
  • I have no idea to be perfectly honest.

    And I was so convinced I must have done something wrong somewhere that I deleted my VM and started again. This time everything went through using the network service account without giving me any issues whatsoever. Not sure what I did first time round that may have affected this so much.

    All is well though; I was testing in a lab and I learnt a lot from getting this little issue.

    And when it wasn't working I did do my best to get it working with network service but just couldn't.

    Thanks for taking time to reply and I'll keep that link for WSUS permissions.

    Anthony

    Thursday, October 17, 2013 10:36 PM