WSUS - Server refresh

    Question

  • Current scenario

    Production Environment:  (1) Windows 2003 WSUS server configured as replica in Production DMZ (Production clients connect to this server to get patches.)

    Test Environment:  (1) Windows 2003 WSUS server configured as the upstream server in Test DMZ (Test clients connect to this server to get patches.)

    Firewall with NAT (From replica server in production dmz to the upstream server in the test DMZ)

    This scenario works great as we can download, test and approve in the TEST Environment and then synch a few times from the production DMZ and approvals and patches are brought over to the production LAN.

    I am replacing two existing Windows 2003 WSUS servers in the DMZ with Server 2008 R2.  The existing servers will be retired.

    New scenario

    Step 1:  I installed and configured a new WSUS server in the Test DMZ (host name and ip different than the upstream) and configured  this WSUS server as replica and pointed to the existing upstream server and did a synch. 

    “Waited for initial synchronisation to complete. This will synchronise update files, approvals, and computer groups, but not other server settings.  This step saves you having to download your approved updates from the internet again.”


    1st problem:  the synch brought over all of the update files, and brought over the groups but not the computers in the groups.

    Step 2:  Download WSUS API Samples and Tools (from Microsoft)

    Step 3:  Changed the new server from replica to standalone (will be the new upstream server)

    Next steps from tutorial found on web

    Step 4:  Run "wsusmigrationexport.exe settings.xml" to export the settings. This will backup your approvals and target groups to an XML file.
    Step 5:  Copy the XML file to the new server.
    Step 6:  On the new server open a command prompt and navigate to C:\Program Files\Update Services 3.0 API Samples and Tools\WsusMigrate\WsusMigrationImport folder. Run "wsusmigrationimport.exe settings.xml All None".

    Step 7:  Change the GPO in the Test Environment to point to the new Upstream Server.  (Success)

    Step 8:   Changed the NAT on the firewall to point to the new upstream server.

    Step 9:   Ran a synch from the (replica WSUS in the Production DMZ)  traffic passed through firewall no issue.

    Step 10: Turned off the Windows Update services on the existing upstream server which is being removed and replaced.

    NOTE:  The existing WSUS Replica server in the Production DMZ has not been changed at this point.

    2nd problem:

    Downstream replica server does not show up in the downstream section on the console of  upstream server.  Also the computers from the Production LAN do not show up on the upstream server console.

    From the Replica server when attempting to synch to the upstream server, synch fails with the following message:

    WebException: The request failed with HTTP status 400: Bad Request.
       at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetAuthConfig()
       at Microsoft.UpdateServices.ServerSync.ServerSyncLib.InternetGetServerAuthConfig(ServerSyncProxy proxy, WebServiceCommunicationHelper webServiceHelper)
       at Microsoft.UpdateServices.ServerSync.ServerSyncLib.Authenticate(AuthorizationManager authorizationManager, Boolean checkExpiration, ServerSyncProxy proxy, Cookie cookie, WebServiceCommunicationHelper webServiceHelper)
       at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.SyncConfigUpdatesFromUSS()
       at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ExecuteSyncProtocol(Boolean allowRedirect)

    I would like to get the replica and upstream server to communicate before proceeding any further.

    Any ideas on how I can get the replica to synch to upstream?

    Thanks.


    bc

    Thursday, March 27, 2014 3:01 PM

All replies

  • Hi,

    Since WSUS server is on a windows server 2003, KB 2720211 will be required if you want to add a windows 2008r2 server. Is this KB applied?

    An update for Windows Server Update Services 3.0 Service Pack 2 is available

    http://support.microsoft.com/kb/2720211

    Hope this helps.

    Monday, March 31, 2014 2:05 AM
  • 1st problem:  the synch brought over all of the update files, and brought over the groups but not the computers in the groups.

    Correct. The computers must report to the server before they will appear on the server.

    Step 2:  Download WSUS API Samples and Tools (from Microsoft)

    Why?

    Step 3:  Changed the new server from replica to standalone (will be the new upstream server)

    FWIW, this step can be done from the console.

    Step 4:  Run "wsusmigrationexport.exe settings.xml" to export the settings. This will backup your approvals and target groups to an XML file.

    Totally pointless. ALL of the approvals were replicated to the new server already!

    Any ideas on how I can get the replica to synch to upstream?

    Aside from Daniel's advice to properly patch the new servers, which is almost certainly the root cause here -- and those patches should have been installed before replication/synchronization, I would also suggest getting a more current (and correct) procedure to use. The "tutorial" that you "found on the web" has not been current or correct since sometime in 2007 when WSUS v3 was released; this procedure applied to WSUS v2 installations only.

    There are about a hundred threads in this forum over the past six years that discuss the correct procedure to replicate a WSUS v3 server.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Monday, March 31, 2014 2:28 PM
  • Thank you all for your feedback.

    Servers have been patched with KB 2720211

    The WSUS server in TestDMZ is correctly communicating with its clients in the Test LAN.  I am able to synch with Microsoft with no issue.   I do on occasion keep getting Event ID 13042 (Self-update not working) Contrary to this event, my clients in the TEST DMZ are able to get updates.  (The original 2003 WSUS TESTDMZ Server has the Update services shut down)

    The issue is getting the WSUS Server in the ProductionDMZ to replicate to the new Upstream Server in the TESTDMZ. I continue to receive this message:  WebException: The request failed with HTTP status 400: Bad Request

    Would you recommend that I remove WSUS from the new Server in the TEST DMZ and reinstall?  Or should I do a fresh install for the PRODUCTION DMZ and test the replication from the new server?

    Thanks


    bc

    Monday, March 31, 2014 3:10 PM
  • Would you recommend that I remove WSUS from the new Server in the TEST DMZ and reinstall?  Or should I do a fresh install for the PRODUCTION DMZ and test the replication from the new server?

    Personally.... rather than expend a lot of effort in troubleshooting a server that's about to be retired anyway, I would just install the NEW server in the Production network, point it to the NEW server in the Test network, and be done with the project.

    However, I will also note that having used the WSUSMigrationExport and WSUSMigrationImport utilities on a server that had already been built as a replica, plus on both a WSUS v3 server AND one patched with KB2720211, it's entirely possible that using the export/import utility hosed something in the new server. Those utilities were written for WSUS v2 and simply copied forward into the v3 Samples and Tools Kit. Also worthy of note is that this is SAMPLE code, it's not been bugchecked, and others have encountered issues using these utilities on WSUS v3 systems (never mind the changes imposed by KB2720211 or KB2734608). Nonetheless, this is merely a possible cause but not a likely one.

    What is likely is that the HTTP 400 errors encountered during synchronization are being caused by a misconfiguration in the Web Server Role of the new 2008R2 server. So, yeah, rebuilding that server (assuming you still have the original WS2003 server available), might also be worthy of consideration.

    • Was the 2008R2 server fully patched (including all .NET 3.x updates) prior to installing WSUS?
    • How was the Web Server role installed on that server?
    • Was it installed in compliance with the guidance provided in the WSUS Deployment Guide for the required configuration of the Web Server role?


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    • Marked as answer by mcsepit Friday, April 4, 2014 11:49 PM
    Tuesday, April 1, 2014 12:53 PM
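
The patch-level and replica-configuration checks raised in the replies above, as an added example that is not part of any post in this thread. It assumes it is run from a machine with the WSUS 3.0 SP2 administration console installed and rights on both servers; the host names and ports are placeholders, and the build number 3.2.7600.251 for KB2720211 is taken from Microsoft's KB article, not from the thread.

```powershell
# Added example: compare WSUS build and upstream/replica settings on both servers.
# Host names and ports are placeholders (assumptions), not values from the thread.
$servers = @(
    @{ Name = 'wsus-test-upstream.example'; Port = 80; Ssl = $false },
    @{ Name = 'wsus-prod-replica.example';  Port = 80; Ssl = $false }
)

# Build reported by WSUS 3.0 SP2 once KB2720211 is applied (per the KB article).
$minBuild = [version]'3.2.7600.251'

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

$report = foreach ($s in $servers) {
    try {
        $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer(
                    $s.Name, $s.Ssl, $s.Port)
        $cfg  = $wsus.GetConfiguration()
        # Replicas registered with this server (empty on the replica itself).
        $down = @($wsus.GetDownstreamServers() | ForEach-Object { $_.FullDomainName })

        New-Object PSObject -Property @{
            Server       = $s.Name
            Version      = $wsus.Version
            HasKB2720211 = ($wsus.Version -ge $minBuild)
            IsReplica    = $cfg.IsReplicaServer
            Upstream     = $cfg.UpstreamWsusServerName
            UpstreamPort = $cfg.UpstreamWsusServerPortNumber
            Downstream   = ($down -join ', ')
        }
    } catch {
        # A failure here means the admin API itself is unreachable on that host.
        Write-Warning ("{0}: {1}" -f $s.Name, $_.Exception.Message)
    }
}

$report | Format-List Server, Version, HasKB2720211, IsReplica, Upstream, UpstreamPort, Downstream

# Upstream and replica should report the same build before a sync is attempted.
$builds = @($report | ForEach-Object { "$($_.Version)" } | Sort-Object -Unique)
if ($builds.Count -gt 1) {
    Write-Warning ("WSUS builds differ between servers: {0}" -f ($builds -join ' vs '))
}
$report | Where-Object { -not $_.HasKB2720211 } | ForEach-Object {
    Write-Warning ("{0} is below build {1}; KB2720211 is not applied." -f $_.Server, $minBuild)
}
```

With a NAT between the two DMZs, the `Upstream` and `UpstreamPort` values on the replica are the translated address it actually connects to, so they are expected to differ from the upstream server's own host name.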
  • Hi,

    Any updates? Your feedback to Lawrence’s question may help to resolve the issue.

    Did you resolve the issue in another way?

    Thursday, April 3, 2014 1:28 AM
  • Thank you again for your help!

    I tried to reinstall the wsus role and that kept failing.  Luckily, I had imaged the server in the TEST DMZ and placed the image back down on the server.  The WSUS and IIS roles have been installed.

    I have not finished configuring the WSUS server, I ran out of time today.  But will update with the results next week.

    Thanks,

    Barb


    bc

    Friday, April 4, 2014 11:53 PM
  • Update - After reconfiguring and applying patches both dmz servers are communicating.

    I will now be deploying SolarWinds for 3rd party patches.

    Thanks,


    bc

    Monday, April 21, 2014 1:07 PM