WSUS + GPO, Clients not appearing on WSUS
-
Monday, August 13, 2012 16:13
I am running the following
Windows Server 2008 R2 Enterprise <- DC
Windows Server 2008 R2 Enterprise <- WSUS
Group policy is configured on the DC, and Several Groups have been created
Domain Controllers, Servers, Workstations
When Domain Controllers are added, everything works perfectly. The controller is automatically added to the GPO User Group, the WSUS entry is made. (However, the Domain Controller doesn't automatically get added to the "Domain Controllers" WSUS Group, it gets shunted to the Unassigned Computers despite client side targeting configured to "Domain Controllers".)
The bigger problem however, is that Workstations (Despite having the SAME Identical client side targeting and Intranet Microsoft Update Service Location) do not appear at all in the WSUS server. I have tried the (gpupdate /force) etc and have confirmed that the policy is being applied to all the client machines. Other than the Client side targeting, the group policies are completely identical, but only my Domain Controllers are appearing on the WSUS Server.
I have tried turning firewalls off and on again, and this has been tried on machines with and without AV. This does not seem to affect the success for workstations.
Anyone have any suggestions?
Thanks,
Richard
Edit : Added WindowsUpdate.log
I have confirmed that Gpresult /r has the client policy as being enforced, and the other rules in the policy are working. However, the WindowsUpdate.log shows NULL for the WSUS server values.
2012-08-13 12:17:25:163 920 1488 Agent *********** Agent: Initializing global settings cache ***********
2012-08-13 12:17:25:171 920 1488 Agent *********** Agent: Initializing Windows Update Agent ***********
2012-08-13 12:17:25:163 920 1488 Agent * Endpoint Provider: 00000000-0000-0000-0000-000000000000
2012-08-13 12:17:25:163 920 1488 Agent * WSUS server: <NULL>
2012-08-13 12:17:25:163 920 1488 Agent * WSUS status server: <NULL>
2012-08-13 12:17:25:163 920 1488 Agent * Target group: (Unassigned Computers)
2012-08-13 12:17:25:163 920 1488 Agent * Windows Update access disabled: No
2012-08-13 12:17:25:167 920 1488 WuTask WuTaskManager delay initialize completed successfully..
2012-08-13 12:17:25:170 920 1488 Report WARNING: CSerializationHelper:: InitSerialize failed : 0x80070002
2012-08-13 12:17:25:171 920 1488 Report CWERReporter::Init succeeded
2012-08-13 12:17:25:171 920 1488 DnldMgr Download manager restoring 0 downloads
2012-08-13 12:17:25:171 920 1488 AU ########### AU: Initializing Automatic Updates ###########
2012-08-13 12:17:25:171 920 1488 AU Additional Service {117CAB2D-82B1-4B5A-A08C-4D62DBEE7782} with Approval type {Pre-install notify} added to AU services list
2012-08-13 12:17:25:171 920 1488 AU AIR Mode is disabled
2012-08-13 12:17:25:171 920 1488 AU # Approval type: Scheduled (User preference)
2012-08-13 12:17:25:171 920 1488 AU # Auto-install minor updates: Yes (User preference)
2012-08-13 12:17:25:171 920 1488 AU # ServiceTypeDefault: Service 117CAB2D-82B1-4B5A-A08C-4D62DBEE7782 Approval type: (Pre-install notify)
2012-08-13 12:17:25:171 920 1488 AU # Will interact with non-admins (Non-admins are elevated (User preference))
2012-08-13 12:17:25:173 920 1488 AU WARNING: Failed to get Wu Exemption info from NLM, assuming not exempt, error = 0x80070032
2012-08-13 12:17:25:173 920 1488 AU AU finished delayed initialization
2012-08-13 12:17:25:173 920 1488 AU Obtained Post reboot hr from Agent:8024000c
2012-08-13 12:17:25:174 920 1488 AU Additional Service {117CAB2D-82B1-4B5A-A08C-4D62DBEE7782} with Approval type {Pre-install notify} added to AU services list
2012-08-13 12:17:25:174 920 1488 AU Triggering Offline detection (non-interactive)
2012-08-13 12:17:25:176 920 1438 AU Triggering AU detection through DetectNow API
2012-08-13 12:17:25:176 920 1438 AU Additional Service {117CAB2D-82B1-4B5A-A08C-4D62DBEE7782} with Approval type {Pre-install notify} added to AU services list
2012-08-13 12:17:25:176 920 1438 AU Triggering Online detection (non-interactive)
All replies
-
Monday, August 13, 2012 19:34 Moderator
> I have confirmed that Gpresult /r has the client policy as being enforced, and the other rules in the policy are working.
> However, the WindowsUpdate.log shows NULL for the WSUS server values.
> 2012-08-13 12:17:25:163 920 1488 Agent * WSUS server: <NULL>
> 2012-08-13 12:17:25:163 920 1488 Agent * WSUS status server: <NULL>
Those two statements are contradictory. If the GPO is being applied, then the WUAgent would know what they were and display them in the logfile. The fact that they are reported as <NULL> is inconclusive evidence that the GPO with those values was not successfully applied.
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
Product Manager, SolarWinds
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
-
Monday, August 13, 2012 22:35
As you can see, gpresult /r shows that the Client Policy is being applied. And with the below displayed policy, you can see that the WSUS configurations are there.
This ONLY happens with machines that are not in the domain controller OU in AD. All Domain Controllers apply to WSUS without issue. It's only the Workstations that do not (including IT + Administrator Machines). All the other aspects (shown in GP below) such as the mapped drives and printers are working fine, which shows that GP is working correctly and is applied on the machine.
-
Tuesday, August 14, 2012 20:58
Can't seem to figure out why the WSUS properties from the GPO will not take with Windows Update on the Client Machines.
-
Tuesday, August 14, 2012 23:13 Moderator
> As you can see, gpresult /r shows that the Client Policy is being applied. And with the below displayed policy, you can see that the WSUS configurations are there.
And yet, the WindowsUpdate.log totally contradicts those two assertions. :-)
Actually, the truth is I can't see anything that I consider to be authoritative because you've redacted so much information that nothing is authoritatively identifiable. For all I know the GPO you displayed from the GPMC is a totally different GPO in a totally different domain from the client where you ran GPRESULT. I'm not suggesting that you're attempting to deceive us; I'm just saying there's nothing in the information presented that proves anything that can be actionable.
If you're not able to provide sufficient information in this forum such that we can make informed statements, then perhaps it might be better for you to pick up the phone and call Microsoft directly? If you want help here, you're going to have to provide *real* and *complete* information.
> This ONLY happens with machines that are not in the domain controller OU in AD. All Domain Controllers apply to WSUS without issue. It's only the Workstations that do not (including IT + Administrator Machines).
Do you think, perhaps, there might be some significance in this statement?
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
Product Manager, SolarWinds
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
-
Wednesday, August 15, 2012 01:01
I redacted the company name from the logs. I do not want to publish that information.
The Information that was removed, does not bear any relevance to the issue at hand. For the purposes of this post, XXXXX-DC01 (dc) and XXXXX-NMS01 (wsus), XXXXX.ca (domain) will suffice, and as there is only one policy called "XXXXX Client Policy", it is safe to say that the policy is the same correct policy applied. The other aspects of the policy, such as the Mapped Drives + Printers ARE functioning, which demonstrates that the listed policy (the only one listed as applied) is in fact the correct policy.
I do think however that there is great significance to the statement that policies with the WSUS configuration (both client + server (with exception to DCs)) do not seem to set wsus configurations (even though other configurations in the same policy do apply), while the Domain Controllers, on the other hand do. This leads me to believe there is something wrong on the GPO side in regards to configuration.
-
Wednesday, August 15, 2012 05:52 Moderator
Hi,
Domain Controller doesn't automatically get added to the "Domain Controllers" WSUS Group. Please first try to use the server side targeting. Disable the client side targeting in the GPO. Your GP must be incorrectly configured somewhere.
Regards,
-
Wednesday, August 15, 2012 17:52 Moderator
> I redacted the company name from the logs. I do not want to publish that information.
Fine, then you should call Microsoft. My point is that the very issue you're experiencing may be because of something in the information you've redacted, and we would have no way to identify that for you. Getting reliable technical support in a forum requires full disclosure of the relevant information; if you cannot (or choose not) to fully disclose the information -- then seek a help source where you do feel comfortable disclosing that information.
> The Information that was removed, does not bear any relevance to the issue at hand.
How do *you* know that? I certainly don't! You don't even know the cause of the problem yet! Therefore, until the cause of a problem is identified, ALL information is relevant!
> For the purposes of this post, XXXXX-DC01 (dc) and XXXXX-NMS01 (wsus), XXXXX.ca (domain) will suffice
I'm sorry, then I cannot help you. You're trying to find out why portions of a GPO are not being applied to any of the non-DC machines in your domain -- a question, btw, which is, strictly speaking, off-topic for this forum -- and the only way that issue is going to be successfully diagnosed is to have the actual names of every object involved in the process, and their relationships to one another.
> as there is only one policy called "XXXXX Client Policy", it is safe to say that the policy is the same correct policy applied.
And yet, the reality is that the client is *NOT* getting that policy! is it? So obviously there is more to the story, and given your propensity for redaction, it begs the question of what else is being redacted that we don't even know was redacted!?
> The other aspects of the policy, such as the Mapped Drives + Printers ARE functioning
Which is also inconclusive, as those configurations might be coming from someplace else and not this GPO.
> which demonstrates that the listed policy (the only one listed as applied) is in fact the correct policy.
Actually, it doesn't, but that seems somewhat insignificant in light of the larger issues.
> I do think however that there is great significance to the statement that policies with the WSUS configuration (both client + server (with exception to DCs)) do not seem to set wsus configurations (even though other configurations in the same policy do apply), while the Domain Controllers, on the other hand do.
Good, so let's start with the basic point that the Domain Controllers are in a different OU from the rest of creation, and the only place your policy is being successfully applied is the Domain Controllers OU -- which is particularly ironic, because usually it's this OU which is the only OU where a GPO does not get applied. Perhaps, as an aid to trying to assist you, you could describe in exact details (change the names if you must, but identify a consistent pseudo-name to use) how your Active Directory is organized, and where all of these other computers are held, and exactly which of these objects your "WSUS Group Policy" is linked to.
> This leads me to believe there is something wrong on the GPO side in regards to configuration.
That's certainly *one* legitimate possibility. And, having made that conclusion, as noted above, this really isn't a *WSUS* issue anymore -- it's a Group Policy question. :-)
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
Product Manager, SolarWinds
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
-
Wednesday, August 15, 2012 18:31
Hi rboelens
I didn't read all the comments on this, so I hope this isn't a repeat, but I do have one question.
In the screenshot of gpupdate /r you show that the policy is applied under "user settings", but the wsus policy you are applying is a computer policy, not a user policy. Do you see your policy as applied under "COMPUTER SETTINGS" when you run gpresult /r (because this is what matters for that particular policy)?
My next comment is have you looked in the registry to see if the WSUS settings were actually applied? They should be in "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
-
Wednesday, August 15, 2012 20:46
Yes, I thought that part was suspicious as well, but I didn't really think much of it at the time, I do not see any "computer settings" listed when running gpresult /r
I assumed that MS just lumped it together in user policy as well.
After looking in regedit, I was not able to find a WindowsUpdate key under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\
I find this odd, as the other configurations such as Mapped Network Drives + Printers are functioning and they are both written on the same policy.
I created the policies, so I do know for a fact that there are no other policies which add those mappings and printers.
Considering that the policies have both user and computer settings, why would only half apply, and the other half not?
The way my OUs are organized is as follows.
GPO Trunk
- Offices (by geographical location) <- Default Client Policy which contains the WSUS settings in question
- - Departments <- Individual policies which contain policies such as Accounting Printers, HR Mapped drives etc (No WSUS Policies)
- - Domain Controllers <- Domain Controller Policy which contains the WSUS settings that do actually work
- - Servers <- Blank Policy for now (No WSUS Policies)
All the policies are in the same folder as where the default ones are located.
The Offices policy which contains the WSUS policy is applied and enforced throughout Offices and all its sub OUs. Domain Controllers OU has the domain controllers policy enforced as well.
Based on the other parts of the generic policy (mapped drives + printers) that are working, I believe it's safe to assume that the policy enforcement ties to the OUs are working correctly.
Update - It would seem that the Computer Settings will not apply, despite the user settings in the same policy applying. I am now convinced that this is a GPO specific issue, and have sufficiently ruled out WSUS enough to continue this problem on the GPO Technet sections.
-
Thursday, August 16, 2012 19:16
From your screenshot I can see that your mapped drives and printers are user policies (notice they are under "User Configuration" in your group policy screenshot), and since your other gpresult screenshot shows your policy is being applied under "user settings" it makes sense that those particular policies are working.
However, you should also see the policy as applied under "computer settings", since the wsus part of your policy is a computer policy (notice it is under "computer configuration" in the group policy screenshot).
I'm no expert on this stuff, but one reason it may not be applying (which I have run into myself) is loopback processing isn't set up. Are you applying this policy to where your users are stored or where your computers are stored? If you are applying this to users and loopback processing isn't set up properly then you would see only the user policies get applied.
This is what I see for my wsus policy when I do a gpresult
-
Thursday, August 16, 2012 20:35
I am applying these policies to the Office Location's OU. This OU contains OUs for Users, Computers and Domain Controllers.
I do not think I have Loopback processing set up, I vaguely remember seeing something about it not being configured somewhere.
I see the difference with the Computer Settings and the User Settings and I do understand that they are different aspects of the policy, but what I do not understand is why mine is not (though after reading an article about loopback processing, it would seem like this may be the issue at hand).
I will give it a shot and see if this resolves the problem :)
-
Thursday, August 23, 2012 18:32
After making a new + separate GP for Workstations (Computer Policy Only), WSUS is now functioning correctly.
There are still odd inconsistencies such as the lack of "computer settings" when I run GPResult -r and the policy is not listed, but this is only the case when I run the command with a standard user. When running the command with an administrator account, or doing a "run as" under a user profile with an administrator's elevation, the computer settings show up on the results listing. I also noticed that when running it with user credentials (without elevation), the process hangs for a while, then finally spits out only the User Settings.
That being said, the WSUS portion of this is complete, and I would like to mark this as the answer.
Computer Settings and User Settings must be on separate policies, otherwise Loopback Processing option must be configured (found in computer settings).
Thank you for your help ACalcutt :)
- Marked as answer by rboelens Thursday, August 23, 2012 18:32
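
The two client-side checks raised in this thread (the WindowsUpdate policy key under HKEY_LOCAL_MACHINE, and the computer scope of gpresult, which only appeared when run elevated), combined into one PowerShell script. This is an added example, not part of any post. The value names WUServer, WUStatusServer, TargetGroupEnabled, TargetGroup and AU\UseWUServer are the standard Windows Update policy values and do not appear in the thread; the helper name Get-PolicyValue is made up for this example.

```powershell
# Added example (not from the thread). Run on the affected client from an
# ELEVATED prompt: a non-elevated gpresult omits the computer settings.

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

# Hypothetical helper: returns $null when the key or the value is absent.
function Get-PolicyValue([string]$Path, [string]$Name) {
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($p) { $p.$Name } else { $null }
}

# Values written by the computer-side WSUS location and client-side
# targeting policies.
$wuServer     = Get-PolicyValue $wuKey 'WUServer'
$statusServer = Get-PolicyValue $wuKey 'WUStatusServer'
$targeting    = Get-PolicyValue $wuKey 'TargetGroupEnabled'
$targetGroup  = Get-PolicyValue $wuKey 'TargetGroup'
$useWuServer  = Get-PolicyValue $auKey 'UseWUServer'

$findings = @()
if (-not (Test-Path $wuKey)) {
    $findings += 'WindowsUpdate policy key is missing: no computer-side WSUS policy reached this machine.'
} else {
    if (-not $wuServer)     { $findings += 'WUServer is not set (WindowsUpdate.log shows "WSUS server: <NULL>").' }
    if (-not $statusServer) { $findings += 'WUStatusServer is not set.' }
    if ($useWuServer -ne 1) { $findings += 'AU\UseWUServer is not 1, so the agent does not use WUServer.' }
    if ($targeting -eq 1 -and -not $targetGroup) {
        $findings += 'Client-side targeting is enabled but TargetGroup is empty.'
    }
}

"WUServer       : $wuServer"
"WUStatusServer : $statusServer"
"TargetGroup    : $targetGroup (enabled: $targeting)"
"UseWUServer    : $useWuServer"
if ($findings.Count -eq 0) {
    'Registry: WSUS policy values are present.'
} else {
    $findings | ForEach-Object { "Registry: $_" }
}

# Computer-scope result: lists the GPOs applied to the machine account,
# which is where the WSUS settings have to show up.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    gpresult /scope computer /r
} else {
    'Not elevated: gpresult would omit the computer settings. Re-run as administrator.'
}
```

If the key is missing while the same GPO's user settings apply, check whether the GPO is linked to an OU that contains the computer account, not only the user accounts.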

