Updates between machine and WSUS are inconsistent
-
Monday, November 19, 2012 1:10 AM
I recently I rebuilt our WSUS server. Ever since the rebuild all of our servers say that there is no update but WSUS reports that each server does, 15- 22 updates. Running wuauclt /detectnow /reportnow does not resolve the issue. This goes for all of our 2003 and 2008 servers. Windowsupdate log on each of the servers show no error, just that "0 Updates detected"
My WSUS server is 2008 R2 running WSUS 3.0 SP2
Anyone have any thoughts?
All Replies
-
Monday, November 19, 2012 5:31 PMModerator
I recently I rebuilt our WSUS server. Ever since the rebuild all of our servers say that there is no update but WSUS reports that each server does, 15- 22 updates. Running wuauclt /detectnow /reportnow does not resolve the issue. This goes for all of our 2003 and 2008 servers. Windowsupdate log on each of the servers show no error, just that "0 Updates detected"
My WSUS server is 2008 R2 running WSUS 3.0 SP2
Anyone have any thoughts?
Is this issue related to the other thread?
Or is this an entirely different issue on an entirely different WSUS server.
It will not be helpful to troubleshoot related issues in two different threads -- it will just confuse everybody in the process.
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
SolarWinds Head Geek
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin -
Monday, November 19, 2012 5:54 PMThey are on the same server yes. But the last issue was resolved by doing a system rebuild. I had no choice to rebuild as we were under a tight time constraint. So now things are better, but there are still inconsistencies between what WSUS and each client report.
-
Monday, November 19, 2012 6:16 PMModerator
Okay, so the first thing to understand is that updates "Needed" != updates "Available".
- The WSUS console displays updates that are needed.
- The WindowsUpdate.log reports updates that are available.
In order for an update to get from "needed" to "available" it must be:
- Approved for a target group that the client system is a member of.
- The update file for the update must be successfully downloaded to the WSUS server.
Once an update is approved and downloaded, then it will be available to a client system.
So, the first question -- has the WSUS server downloaded all of the files for the approved updates? (And a related question: How many updates did you approve after installing the WSUS server?)
Side note: wuauclt /detectnow /reportnow is an invalid command. It is functionally equivalent to wuauclt /detectnow. (The second parameter is ignored.)
There are three functional forms of the wuauclt command:
- wuauclt /detectnow - initiates a detection event; may use cached targeting information if it has not expired
- wuauclt /reportnow -- initiates a reporting event **IF** there are reporting events to be uploaded to the WSUS server (this requires that a previous successful event: detection, download, or installation, has occurred within the previous 20 minutes and has not yet been reported. If there are no events to report, this command does nothing!)
- wuauclt /resetauthorization /detectnow -- initiates a detection event; forces the expiration of any cached targeting information. This form of the command is required if group memberships have been changed on the WSUS server within the previous hour. It may also be required if clients are assigned to a new WSUS server (which, by definition, has new groups). The order of these parameters is critical; if the order is reversed, the /resetauthorization is ignored.
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
SolarWinds Head Geek
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin -
Monday, November 19, 2012 6:21 PM
Yes WSUS has downloaded all of the appropriate updates. The WSUS content folder is sitting at 109 GB of used space right now and all 28000+ updates have been approved for all target groups. We have run all functional forms if the wuauclt command with no result.Okay, so the first thing to understand is that updates "Needed" != updates "Available".
- The WSUS console displays updates that are needed.
- The WindowsUpdate.log reports updates that are available.
In order for an update to get from "needed" to "available" it must be:
- Approved for a target group that the client system is a member of.
- The update file for the update must be successfully downloaded to the WSUS server.
Once an update is approved and downloaded, then it will be available to a client system.
So, the first question -- has the WSUS server downloaded all of the files for the approved updates? (And a related question: How many updates did you approve after installing the WSUS server?)
Side note: wuauclt /detectnow /reportnow is an invalid command. It is functionally equivalent to wuauclt /detectnow. (The second parameter is ignored.)
There are three functional forms of the wuauclt command:
- wuauclt /detectnow - initiates a detection event; may use cached targeting information if it has not expired
- wuauclt /reportnow -- initiates a reporting event **IF** there are reporting events to be uploaded to the WSUS server (this requires that a previous successful event: detection, download, or installation, has occurred within the previous 20 minutes and has not yet been reported. If there are no events to report, this command does nothing!)
- wuauclt /resetauthorization /detectnow -- initiates a detection event; forces the expiration of any cached targeting information. This form of the command is required if group memberships have been changed on the WSUS server within the previous hour. It may also be required if clients are assigned to a new WSUS server (which, by definition, has new groups). The order of these parameters is critical; if the order is reversed, the /resetauthorization is ignored.
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
SolarWinds Head Geek
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin -
Tuesday, November 20, 2012 10:04 PMModerator
and all 28000+ updates have been approved for all target groups.
Most curious. All 28000+ update have been approved for ALL target groups -- even the 27,500 updates that will never be needed by any system again for the rest of eternity? And the client sees =0= updates as available. There are a lot of major issues implied by the above information, but none of it is consistent with the clients not downloading any updates that are reported as needed.
- Are you using client-side targeting?
- What is the setting for the Options | Computers dialog?
Quite frankly, I'm surprised the clients aren't throwing timeouts just trying to scan that number of approved updates, and I suspect there's a lot more detailed information in the WindowsUpdate.log than just the fact that =0= updates have been detected.
May I suggest reviewing the Manage Windows Server Update Services 3.0 SP2 chapter of the WSUS Operations Guide, particularly the first two sections on managing clients and groups, and managing updates, as it seems to me that there might be some confusion regarding the purpose of target groups, approvals, and the significance of approvals for updates that are already installed or not applicable.
After that, you'll probably want to -- yet again -- completely uninstall, and reinstall, your WSUS server, making note to not select the "Drivers" update classification (which should reduce the number of updates to around a few thousand), and to only approve the few hundred updates that are actually NEEDED by one or more of your client systems.
Among other things, you'll also find that reduces your download requirements by about a factor of 10, from 100+ GB to ~10GB.
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
SolarWinds Head Geek
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin- Marked As Answer by Clarence ZhangModerator Tuesday, November 27, 2012 3:14 AM
.png)
