WSUS 3.0 SP2 on Server 2008 R2 not working (no console or other access)


  • Tuesday, June 05, 2012 3:47 AM
     
     

    Hi,

    In a brand new network with all 2008 R2 servers I set up WSUS. Initially I could not install the role from the Roles tool in Windows and had to install it from a downloaded file from Microsoft (which I later read is due to 2008 R2).

    This ran fine for about 2 weeks, I had all the clients and workstations in groups, approving updates and installing them.. all tickety boo and then one day the console won't connect and I have not been able to get back into WSUS to do anything. I tried removing and re-installing WSUS (both keeping the local database and then deleting it the second time) but nothing helps. My event log reports the following every 6 hours:

    • Event ID 13042 - Self-update is not working
    • Event ID 12002 - The reporting web service is not working
    • Event ID 12012 - The API Remoting Web Service is not working
    • Event ID 12032 - The Server Synchronization Web Service is not working
    • Event ID 12022 - The Client Web Service is not working
    • Event ID 12042 - The SimpleAuth Web Service is not working
    • Event ID 12052 - The DSS Authentication Web Service is not working

    Some extra points based on what I have read:

    • The server DOES have .net 4.0 installed
    • WSUS has been removed and re-installed
    • All servers are 2008 R2
    • The server also runs Remote Desktop Services.. but aside from this is just a file and print server

    Because this server (and the whole network) are brand new, standard practice is to run WSUS against the Microsoft update site and install all critical and optional updates and patches and etc..

    While it was working, I can't recall installing anything that may have broken it, however typically Windows patches do not cause problems on our machines, so I do not pay too close attention to what gets installed.. Perhaps one of these updates broke WSUS?

    Can anyone offer some suggestions for how to troubleshoot this and try to get things moving again?

    Thanks!

All Replies

  • Tuesday, June 05, 2012 8:03 AM
     
     
    Take a look at the WSUS and IIS services and see if they are running. Scan the server for viruses because they are the ones who disable Windows Updates and other services.

    Adrian Costea - MCP, MCTS, MCSA 2003, MCITP: Windows 7

    My Blog: www.vkernel.ro/blog

  • Tuesday, June 05, 2012 1:20 PM
     
     
    Check the IIS Bindings... (right click on default website and choose bindings) make sure they have the right IP listed for your system. Then do an IISRESET from the command line. Check your host file too and make sure nothing is wrong in there as well. I had the same issue not long ago and it was a binding issue.
  • Tuesday, June 05, 2012 9:48 PM
     
     

    Hi,

    Thanks for your response. The Windows Update and World Wide Web Publishing services are both running on the server. The server also has Kaspersky Endpoint Security running on it to protect from viruses, etc..

    I have also tried disabling Kaspersky and restarting the services to see if this is causing interference, but it did not help.

    Cheers!

  • Tuesday, June 05, 2012 9:51 PM
     
     

    Hi fillerj,

    I had a look in the IIS manager console, right clicked default website and selected Edit bindings. In the window that appears we have HTTP, 80 and the correct LAN IP address of the server (this server only has one IP). The hostname and binding information fields are blank.

    Thanks for taking the time to respond!

  • Wednesday, June 06, 2012 7:28 AM
    Moderator
     
     

    Hi,

    > then one day the console won't connect and I have not been able to get back into WSUS to do anything.

    Any error message when you launch WSUS console?

    You mentioned you have Kaspersky Endpoint Security software installed on WSUS server, have you configured antivirus software to exclude WSUS content directory?

    If you cannot access the WSUS console and a timeout error message appears, the CPU of the WSUS server may be at, or very close to, maximum utilization, which causes the database software to time out. If the database software times out, the WSUS console cannot be displayed.

    One way of inadvertently overtaxing your WSUS server is to have antivirus software monitor the WSUS content directory. During synchronization, the antivirus software can overload the CPU.

    Please ignore WSUS content in your antivirus software and check the result.

    For more information please refer to the following MS articles:

    Issues with the WSUS 3.0 SP2 Administration Console
    http://technet.microsoft.com/en-us/library/dd939877(v=WS.10).aspx
    The DSS Authentication Web Service is not working.
    http://social.technet.microsoft.com/Forums/en-US/configmgrsum/thread/c901eb7b-7c20-4fb8-87dd-93f128ec8703
    WSUS web services not working
    http://social.technet.microsoft.com/Forums/en/winserverwsus/thread/5b443a1c-01eb-4b73-ad06-03700032bec2

    Lawrence

    TechNet Community Support

  • Wednesday, June 06, 2012 10:26 PM
     

    Hi Lawrence,

    Initially yes, I was getting an error similar to one I found in one of your links which was basically:

    The WSUS administration console was unable to connect to the WSUS Server via the remote API. 
    Verify that the Update Services service, IIS, and SQL are running on the server. If the problem persists, try restarting IIS, SQL, and the Update Services Service.
    The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists, try removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC\.
    System.IO.IOException -- The handshake failed due to an unexpected packet format.

    However the only advice I could find at the time was to re-install WSUS, which I did and now there is no connection at all (Cannot connect to SERVER. The Server may be using another port or different Secure Sockets Layer setting). Incidentally the WWW Publishing service did not have permission to interact with the desktop (which I have changed now) but it makes no difference. If I stop IIS then port 80 is no longer open on the server (using netstat -an) so nothing else seems to be interfering with IIS. If you point a browser to the server it brings up the IIS7 welcome page.

    I have added an exclusion to Kaspersky to ignore the entire WSUS folder and run iisreset but this did not improve the situation.

    Other than that, this server is doing nothing at all in terms of disk or CPU activity AT ALL (I mean seriously.. not a thing).

    Thank you for your response.. but it seems this search continues..........


    • Edited by Darrkon Wednesday, June 06, 2012 10:28 PM added details
  • Monday, June 11, 2012 7:19 AM
    Moderator
     
     

    Hi,

    I found a related thread that describes the same issue; the answer has been confirmed by the customer, so you may try that.

    Disable anonymous access on the APIRemoting30 virtual directory and set it to require Integrated Windows Authentication and Digest Authentication, and that should restore connectivity to your console.

    If the issue still exists, we recommend reinstalling the OS on the server, then deploying WSUS and checking the result.

    For more information please refer to the following MS articles:

    WSUS event ID errors 12052, 12042, 12022, 12032, 12002 and 13042
    http://social.technet.microsoft.com/Forums/en/winserverwsus/thread/32d39515-0e71-42ed-aa42-0671e9dd3bf4

    Lawrence

    TechNet Community Support
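
The checks suggested so far in this thread (service state, site bindings, authentication on the ApiRemoting30 virtual directory, and the health-monitoring event IDs from the first post), gathered into one read-only PowerShell script. This is an added example, not part of any post in the thread; the site name `Default Web Site` and the service names `WsusService`, `W3SVC` and `MSSQL*` are assumptions for a default WSUS 3.0 SP2 install.

```powershell
# Added example: read-only WSUS / IIS checks, written for PowerShell 2.0
# (the version shipped with Server 2008 R2). Nothing here changes configuration.
Import-Module WebAdministration

$site = 'Default Web Site'        # assumption: adjust if WSUS has its own site
$vdir = "$site/ApiRemoting30"     # virtual directory named in the thread

# 1. Services named in the console error: Update Services, IIS, SQL.
#    'MSSQL*' is a wildcard so it also matches a Windows Internal Database instance.
Get-Service -Name WsusService, W3SVC, 'MSSQL*' -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status

# 2. Bindings on the site hosting WSUS (protocol and IP:port:hostheader).
Get-WebBinding -Name $site | Select-Object protocol, bindingInformation

# 3. Authentication on ApiRemoting30. The "Expected" column is the state the
#    moderator's reply describes: anonymous off, Windows and Digest on.
$expected = @{
    anonymousAuthentication = $false
    windowsAuthentication   = $true
    digestAuthentication    = $true
}
$base = '/system.webServer/security/authentication'
foreach ($scheme in $expected.Keys) {
    $p = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $vdir `
            -Filter "$base/$scheme" -Name enabled -ErrorAction SilentlyContinue
    # Depending on the module version the result is a bool or an attribute object.
    $enabled = if ($p -is [bool]) { $p } elseif ($p) { $p.Value } else { $null }
    New-Object PSObject -Property @{
        Scheme   = $scheme
        Enabled  = $enabled
        Expected = $expected[$scheme]
        Matches  = ($enabled -eq $expected[$scheme])
    } | Select-Object Scheme, Enabled, Expected, Matches
}

# 4. WSUS health-monitoring events from the last 24 hours (IDs from the first post).
$ids = 12002, 12012, 12022, 12032, 12042, 12052, 13042
Get-EventLog -LogName Application -After (Get-Date).AddDays(-1) |
    Where-Object { $ids -contains $_.EventID } |
    Select-Object TimeGenerated, EventID, Source, Message
```

Run it from an elevated PowerShell prompt on the WSUS server; the WebAdministration module is only present when the IIS management tools are installed.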

  • Wednesday, June 13, 2012 10:14 PM
     
     

    Hi Lawrence,

    Thanks for your response. I have checked to make sure the default website is enabled for Anonymous access and the ApiRemoting30 virtual directory has anonymous access disabled. I also looked at the article you linked to but these were different versions of Windows and WSUS.

    I am trying the WSUSUTIL CHECKHEALTH command but the event log just lists the same errors that appear every 6 hours anyway.

    Re-installing the operating system is a little drastic after being in operation for only a few months...

    So my plan is:

    1. Uninstall Kaspersky Endpoint Security (a linked article from the one you mention indicates that Symantec Endpoint Security can mess with WSUS.. so let's try that)
    2. If that doesn't help, I will remove WSUS and re-install it.
    3. If that doesn't help, I will remove WSUS then remove IIS and re-install them both
    4. If that doesn't help, I will remove WSUS and try the option to install it in its own site (not the default site)

    Let's hope one of these steps fixes the problem because option 5 ain't pretty

  • Monday, June 18, 2012 6:26 AM
     
     

    OK I haven't tried to install WSUS into its own site.. but I did remove and re-install WSUS and IIS but it makes no difference.. I install WSUS from the stand-alone installer of WSUS 3.0 SP2 because when you try and add the role from the roles page it fails to work.. this seems to be a known issue..

    But yeah.. it's still broken.. I am tempted to start a case with MS support because this is ridiculous..

  • Monday, June 18, 2012 6:43 AM
     
     

    Darrkon,

    Perhaps my reply post at http://social.technet.microsoft.com/Forums/en-US/winserverwsus/thread/72f5195a-4c2b-4719-85d7-a8265eaba268 might help.  The KB article to which I refer is only a matter of days old, so it could be easy enough to have missed if you just did an install a couple of weeks ago.

    Good luck

    The Commerce Company

  • Monday, June 18, 2012 11:48 PM
     
     

    Hi CommerceCompany,

    Thanks for taking the time to reply.. it was only a few hours before you posted that I stumbled across the patch mentioned in the article you linked to.. while the symptoms did not describe anything like I was experiencing I threw the patch on there anyway out of desperation..

    Sadly after applying the patch and rebooting the server, the WSUS is still unmanageable and reporting the same errors as before.

    I will post a solution if I ever find one.. or what I did to work around this at any rate..

    Cheers!

  • Saturday, June 30, 2012 3:56 PM
    Moderator
     
     

    > Some extra points based on what I have read:
    >
    > • The server DOES have .net 4.0 installed

    Have you tried removing .NET4 and then uninstalling/reinstalling WSUS?

    Why is .NET4 installed on this machine? WSUS does not use nor need .NET4, in fact, it doesn't even LIKE .NET4! There are documented issues in this forum about co-existence issues with WSUS and .NET4.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

  • Sunday, July 01, 2012 10:16 PM
     
     

    Hi Lawrence,

    Yes I actually did remove .net 4.0 and uninstall IIS and WSUS both, then re-installed them but still no good. I even tried removing and installing WSUS on a separate website during its setup process but again.. no change.

    For the past X years, when I build a server, I run WSUS until there are no critical, important or optional updates left to install from the Microsoft update server. We have never had any other application issues (and most of our software is custom in-house stuff) so I did not even think twice before installing .NET4 on this machine.

    I thought since MS created the whole kit and kaboodle of software, that at least one program would pop up an error and refuse to install (The way you can't install the WSUS component from the list of roles and features in 2008 R2 and have to download it from the MS website).


    • Edited by Darrkon Sunday, July 01, 2012 10:25 PM
  • Monday, July 02, 2012 1:07 AM
    Moderator
     
     

    Some of the issues may be tied to unsuccessful uninstallations and reinstallations, which are just re-manifesting the original problem.

    You said the server was working fine for a couple of weeks and then went sideways. This strongly suggests human impact of some sort. Specifically, when the WSUS Health Management System starts throwing messages that services are not available (when they are), almost always that gets traced back to some sort of manual reconfiguration of the server that adversely affects the WSUS installation.

    I know you've been through this several times, so I appreciate your frustration -- but I would suggest uninstalling WSUS as described in the Sticky Post How to Uninstall WSUS found at the top of this forum list. Uninstall .NET4 if it's still there. Reboot the server. Then, using the guidance provided in the WSUS Deployment Guide, reinstall the Web Server role and the WSUS role.

    If this doesn't produce a working server, then let's do diagnostics from that point.

    One question: Is there anything else installed on the system running WSUS, or is it a dedicated WSUS server?


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

  • Wednesday, July 04, 2012 4:09 AM
     
     

    Hi Lawrence,

    Thanks for your patience and time for replying to my problem!!

    I'll start from the bottom up:

    This server was going to be a file and print server as well as an RDP server, mostly to provide support staff and admins a desktop environment they could log onto (not for general users) since this network is remote to where most of the people who support it are. As a result, this server has Remote Desktop Services installed, Remote Desktop licensing and File Services (File Server) role. It does not however hold any files or printers.

    On the general application level it has very little.. It used to have Kaspersky Endpoint Security (client) but I have removed that. It has the Kaspersky MMC snap in installed to manage the AV server (AV server is installed elsewhere). It has the Backup Exec 2010 management console installed (backup exec server is installed elsewhere). It also has Java, Flash, Acrobat, VNC Enterprise, NetTime (clock sync utility) and WinRAR.

    Then we have Microsoft report viewer redistributable 2005 and 2008 and MSXML 4.0 SP3. This is all stuff we have installed on most of our servers (we have a long batch file and document to follow for building a server) so everything is pretty standard.

    I cannot for the life of me remember if one of these programs caused it to break.. it is possible I guess, but I couldn't point to a single one.

    I will look for the sticky post you mention and follow the instructions to remove WSUS, make sure .NET 4 and IIS is gone, then try and re-install it all from scratch. If that doesn't work I will start removing the 3rd party apps and hopefully HOPEFULLY it will start working!

    Thanks again,

    Luke


    • Edited by Darrkon Wednesday, July 04, 2012 4:32 AM
  • Wednesday, July 04, 2012 6:54 AM
     
     

    Interesting I notice the following:

    > Remote SQL Server installation
    >
    > You can install the WSUS 3.0 SP2 server software on a computer that is separate from the database server computer. In this case, the following additional criteria apply:
    >
    > • The database server cannot be configured as a domain controller.
    > • The WSUS server cannot run Terminal Services.

    We are running RDS.. but the SQL instance is local.. Still, I wonder if this is another undocumented feature?

    I will try removing RDS tomorrow.. Following the uninstall guide and then installing IIS and WSUS did not help.. I made sure that all of the check items from your sticky post were gone from the server (and they were).. so yeah.. let's see what happens tomorrow.

    Cheers

  • Thursday, July 05, 2012 7:08 PM
    Moderator
     
     

    > You can install the WSUS 3.0 SP2 server software on a computer that is separate from the database server computer. In this case, the following additional criteria apply:
    >
    > • The database server cannot be configured as a domain controller.
    > • The WSUS server cannot run Terminal Services.
    >
    > We are running RDS.. but the SQL instance is local.. Still, I wonder if this is another undocumented feature?

    In the above quote, the concern is about a machine that is functioning as an actual Terminal Server, and that doesn't affect just the remote SQL question -- but the entire WSUS server. WSUS is not supported when installed on a Terminal Server. Since your intent here was to initiate outbound Remote Desktop connections, the two are not related.

    However, I suspect you will find that installing RDS is not a necessary action for the intended use you have described, and quite possibly the presence of RDS is contributing to the issues.

    Remote Desktop (the application to connect to other systems) does not require any services, it is just an application, available on all Windows systems.

    Remote Desktop Services is the renamed-for-Win2008R2 Terminal Services, and it is not necessary to make outbound RDC sessions, and it (or its predecessor, Terminal Services) cannot coexist with WSUS.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

  • Thursday, July 05, 2012 10:08 PM
     
     

    Hi Lawrence,

    That is very interesting what you are saying about WSUS not being supported on a terminal server.. I couldn't find anything from Microsoft that definitively stated so.. but right now nothing would surprise me.

    I had envisaged RDS providing a personal desktop environment for all of the support staff who assist users on this network, so they could have their email, support documents and stuff configured under their profile on this machine, and simply RDP in when necessary. There would be multiple users simultaneously logged in to do this.. But the main thing I want working is WSUS.

    So I will give RDS the heave-ho.. and probably remove/add WSUS again (just for fun) and see what happens. (I have left RDLicensing installed though.. I hope that won't cause a problem)

    Fingers crossed and thanks again for your response.


    • Edited by Darrkon Thursday, July 05, 2012 10:26 PM
  • Friday, July 06, 2012 1:16 PM
    Moderator
     
     

    > I had envisaged RDS providing a personal desktop environment for all of the support staff who assist users on this network, so they could have their email, support documents and stuff configured under their profile on this machine, and simply RDP in when necessary. There would be multiple users simultaneously logged in to do this..

    Ahh.. then you do want Remote Desktop Services -- I misunderstood the intent -- but an RDS server should be a dedicated server for that task with no other applications or services running on it.

    > I have left RDLicensing installed though.. I hope that won't cause a problem

    No, it shouldn't. Infrastructure services, like RD Licensing, Windows Deployment Services, DNS, DHCP, will do fine on a WSUS server.

    The reference for WSUS + RDS comes from the WSUS 3.0 SP1 Release Notes (and was likely also in the WSUS 3.0 RTM release notes, but they're no longer online; the note got dropped from the WSUS 3.0 SP2 Release Notes -- but then a LOT of important, but still relevant, stuff was dropped from the SP2 Release Notes).

    > WSUS 3.0 SP1 is not supported on servers running Terminal Services
    >
    > Although WSUS 3.0 SP1 may still run on servers running Terminal Services, doing so is not supported or recommended. WSUS 3.0 SP1 will not run on a server running Terminal Services in configurations using remote SQL Server implementations. Because all remote custom actions (including installation) on a Terminal Services license server will be run as the system account, and the server's system account may not have permissions on the remote SQL Server, the installation may fail.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin


  • Monday, July 09, 2012 11:12 PM
     
     

    Hi again!

    Well I removed RDS components (but left licensing installed), then removed IIS and WSUS then re-installed IIS and WSUS and no surprises.. still doesn't work. Still getting errors to say that all of the services are not working and still can't get the MMC to connect to the server.

    *groan* running out of things to try here :(

  • Thursday, July 26, 2012 2:03 AM
     
     

    Well I have finally given up on this piece of shit server.. Decided we would do away with WSUS and put it somewhere else, so we would use this as a DHCP/file/print server.. but even DHCP won't run, throwing all sorts of errors about can't contact the DC's to authorize itself.. I can ping both DC's from the server but who knows.

    One thing I did notice (not sure how long this has been going on for) is that the NIC was set to the (initially) public location.. so I changed it to private, but it should be domain. Deleted the NIC team and configured a single NIC which initially discovered the domain, but reboot and it goes back to private network.. Tried deleting network profiles and junk but nothing helped.

    We are putting in the request to have the machine formatted and rebuilt.

    What a pisser this has been