Old GPOs referencing old WSUS server stuck on 2008 R2 primary domain controller

    Question

  • We have a new WSUS server, so I changed the server name in the appropriate place in the registry on the domain controller (HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate). In other words I'm hard coding it to WSUS, not using GPO to tell it the name. But it never connected up to the new WSUS server. Suspecting it still had a pointer to the old server, I searched with regedit and found 2 pairs of entries as such:

    MyDomainName {unique long id#1} Machine - has the old WSUS server info

    MyDomainName {unique long id#1} User - is empty

    MyDomainName {unique long id#2} Machine - ALSO has the old WSUS server info

    MyDomainName {unique long id#2} User - is empty

    (Excuse my registry terminology if wrong) So, as you see, each entry actually is a pair with the same name, but the second (User) matching one is empty.

    The first entry of each pair has the following registry folder structure: Software-Policies-Microsoft-Windows-WindowsUpdate

    Under this are the 5 keys relating to WSUS, with one showing the old WSUS server name with some settings related to it. So, at some point I assume we DID have a GPO that pushed this to the DC. We do NOT anymore though.... After reading various forum posts about old GPOs sticking, here's my plan. Let me know if you think it sounds good.

    1. Export each of the 4 entries to the C: drive somewhere.

    2. Delete each of the 4 entries.

    3. Run Wuauclt.exe /detectnow (this makes it go out and look for the WSUS server referenced in the appropriate place in the registry as mentioned above.)

    I'm curious if anyone knows details as to why and how do these old GPOs get stuck on a machine? The only reason I know they're not coming from any CURRENT GPOs in Active Directory is that I checked all current GPOs and none have the old server name. Is there any way to match IDs showing in its registry to IDs of current GPOs in Active Directory, so I can see if there's any more old GPOs other than these? (Although this is optional since I'm not having any issues beyond this one) Deleting entire key structures as some of these forum posts recommend seems risky, especially since I've isolated the two locations of my problem.... I want to do as few steps as possible since this is a critical DC that I don't want to make unstable, or preferably not have to reboot either....

    Tuesday, 08 January 2013 19:58

Answers

  • Well, a simple reboot of the DC made it find the new WSUS server.  Why? Who knows!    No other changes were done.  

    This is likely because the WUAgent runs as a service which starts at system startup (wuauserv).
    When wuauserv starts, it reads the registry keys and operates using those settings. The settings are not read again until wuauserv is restarted.
    To alter the active settings for WUAgent, you need to edit the settings and then issue:
    net stop wuauserv && net start wuauserv
    (this restarts the service)

    Or, you can reboot the machine :)


    Don

    • Marked as answer by lnd2011 Wednesday, 27 February 2013 22:01
    Wednesday, 27 February 2013 20:13
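
The edit-then-restart sequence from the answer above, written as an added example that is not part of the original thread: it checks the policy values before restarting wuauserv, then asks the agent to detect and shows which server it loaded. The server URL is a hypothetical placeholder; WUStatusServer and AU\UseWUServer are the standard companion values to WUServer and are not named in the thread.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
param(
    # Hypothetical URL: replace with your new WSUS server.
    [string]$ExpectedServer = 'http://wsus-new.example.local:8530'
)

$wuKey = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

# Read the values the Windows Update agent picks up when wuauserv starts.
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

$problems = @()
foreach ($name in 'WUServer', 'WUStatusServer') {
    if ($wu.$name -ne $ExpectedServer) {
        $problems += "$name is '$($wu.$name)', expected '$ExpectedServer'"
    }
}
# WUServer is only honoured when AU\UseWUServer is 1.
if ($au.UseWUServer -ne 1) {
    $problems += "AU\UseWUServer is '$($au.UseWUServer)', expected 1"
}

if ($problems.Count -gt 0) {
    foreach ($p in $problems) { Write-Warning $p }
    Write-Warning 'Registry still disagrees with the expected server; not restarting wuauserv.'
    return
}

# The registry is correct, so make the running agent re-read it.
Restart-Service -Name wuauserv
& "$env:SystemRoot\System32\wuauclt.exe" /detectnow

# On Server 2008 R2 the agent logs the server it loaded to WindowsUpdate.log.
$log = Join-Path $env:SystemRoot 'WindowsUpdate.log'
if (Test-Path $log) {
    Start-Sleep -Seconds 15
    Select-String -Path $log -Pattern 'WSUS (status )?server:' |
        Select-Object -Last 2 | ForEach-Object { $_.Line }
}
```

If a domain GPO still sets these values, the next policy refresh writes the old server back, so a mismatch that reappears after this check points to policy rather than the service.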

All replies

  • Hi,

    To verify whether the old GPO is still applied to the server, you can run the gpresult /h report.html command on the server; from the report you can see which GPOs are applying to this server and which GPO contains a setting specifying WSUS server information. After finding it, unlink it and remove the GPO, then run gpupdate /force on the server.

    Your plan sounds ok to me.

    Regards,
    Cicely

    Wednesday, 09 January 2013 5:41
  • Thanks for the gpresult tip, but a couple questions from my post were unanswered, if anyone can answer them.  They are:

     

    I'm curious if anyone knows details as to why and how do these old GPOs get stuck on a machine?

    Is there any way to match IDs showing in its registry to IDs of current GPOs in Active Directory, so I can see if there's any more old GPOs other than these?

    And a new one:  Does the presence of my domain name at the beginning of the keys definitively indicate that they originally came from a GPO in A.D.?  (versus local GPO)      Or is it there just because this is a domain controller....

    Thursday, 24 January 2013 21:23
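
One way to do the ID matching asked about in the post above, as an added example that is not part of the original thread. It assumes the value in braces in each key name is a GPO GUID, which the thread does not confirm; the key names below are constructed samples, and Get-GPO comes from the GroupPolicy module installed with GPMC.

```powershell
# Added example, not from the thread. Requires the GroupPolicy module (GPMC).
Import-Module GroupPolicy

# Constructed sample names in the shape the question describes:
# "<domain> {<id>} Machine" / "<domain> {<id>} User".
# Replace them with the key names found in regedit.
$keyNames = @(
    'example.local {11111111-2222-3333-4444-555555555555} Machine',
    'example.local {11111111-2222-3333-4444-555555555555} User',
    'example.local {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee} Machine',
    'example.local {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee} User'
)

# Pull the GUID out of a key name; emits nothing when no GUID is present.
function Get-GuidFromKeyName([string]$Name) {
    if ($Name -match '\{([0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}') {
        [guid]$Matches[1]
    }
}

# Index every GPO that currently exists in the domain by its GUID.
$gpoById = @{}
foreach ($gpo in Get-GPO -All) { $gpoById[$gpo.Id] = $gpo }

# Each Machine/User pair shares one GUID, so de-duplicate before the lookup.
$ids = $keyNames | ForEach-Object { Get-GuidFromKeyName $_ } | Sort-Object -Unique

foreach ($id in $ids) {
    $gpo = $gpoById[$id]
    $displayName = '(no GPO with this GUID in the domain)'
    if ($gpo) { $displayName = $gpo.DisplayName }

    New-Object PSObject -Property @{
        Guid        = $id
        InDomain    = [bool]$gpo
        DisplayName = $displayName
    }
}
```

Rows with InDomain set to False are entries whose GUID matches no current GPO, which is the "old GPO" case the question is trying to identify.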
  • Well, a simple reboot of the DC made it find the new WSUS server.  Why? Who knows!    No other changes were done.  
    Wednesday, 27 February 2013 19:56