none
Client Servers not updating from WSUS server

    Pertanyaan

  • I am doing something wrong, and have no idea what where the problems are.

    My understanding of how WSUS works:

    1. My master server synchronizes with the Microsoft website and drags in to my WSUS server all the updates that might apply to my client servers. This can be thousands, depending on the amount of time that has passed.

    2. My client servers, once configured to "see" the Master client, has a look at all the updates that the master dragged in, and the client decides which ones are applicable to it, and notifies the Master that the client needs some subset of the overall group that the Master dragged in from Microsoft. This typically happens once per day.

    3. The admin opens up the WSUS Master, and my some magic, approves all or some subset of the updates the client is looking for. This includes "forcing" an update by setting an deadline of the current time or some date in the past. The client then will drag in those updates to the client, when the client next contacts the WSUS Master, which is once a day.

    I am trying to test WSUS before it is rolled out to our production servers. The test bed is 4 VM partitions. One is my WSUS master server, and the 3 other partitions represent the 3 client server OS's we have on our environment: 2008R2, 2003, and 2003R2.

    I have edited the registry on each of the client servers so they are seen by the master server. The client servers all were recognized by the master server with 24 hours, as expected. I do not have Windows Update installed and configured on the client servers, since I want the clients to only get updates from the WSUS Master.

    I have also run multiple manual synchonizations from the master server, and I see a huge list updates that should be applied, with each of the client servers requiring some subset of the overall list. Each of the clients has, as expected, a subset of updates that it "wants" to load.

    I have then went into the WSUS Master, and through the menu "Updates-Critical Updates, Approval - "Any Except Declined', Status = "Needed", hit refresh, and got about 20 updates.

    I then selected all, right clicked on the first one, chose he Approve menu, chose All Computers, and chose Approved for Install. I then went back into through the same menu, chose Deadline, and chose the current time.

    I can't attach a screenshot (something that should be added to this forum), but when I have Approval = Approved", Status = "Needed", and 3 columns selected. Title shows the title of the update.  Installed/Not Applicable shows "33%" or "67%" (remember, I have 3 clients), and the Title= Approval column reads "Install(5/5)"

    But, as far as I can see, none of the updates are being installed by any of the client servers.

    I went into one of the client servers, and at a command prompt, typed " <meta content="text/html; charset=utf-8" http-equiv="Content-Type" /><meta content="Word.Document" name="ProgId" /><meta content="Microsoft Word 12" name="Generator" /><meta content="Microsoft Word 12" name="Originator" /><link href="file:///C:%5CUsers%5Cpbatte%5CAppData%5CLocal%5CTemp%5Cmsohtmlclip1%5C01%5Cclip_filelist.xml" rel="File-List" /><link href="file:///C:%5CUsers%5Cpbatte%5CAppData%5CLocal%5CTemp%5Cmsohtmlclip1%5C01%5Cclip_themedata.thmx" rel="themeData" /><link href="file:///C:%5CUsers%5Cpbatte%5CAppData%5CLocal%5CTemp%5Cmsohtmlclip1%5C01%5Cclip_colorschememapping.xml" rel="colorSchemeMapping" /><style><!-- /* Font Definitions */ @font-face {font-family:SimSun; panose-1:2 1 6 0 3 1 1 1 1 1; mso-font-alt:宋体; mso-font-charset:134; mso-generic-font-family:auto; mso-font-pitch:variable; mso-font-signature:3 680460288 22 0 262145 0;} @font-face {font-family:"Cambria Math"; panose-1:2 4 5 3 5 4 6 3 2 4; mso-font-charset:0; mso-generic-font-family:roman; mso-font-pitch:variable; mso-font-signature:-536870145 1107305727 0 0 415 0;} @font-face {font-family:"\@SimSun"; panose-1:2 1 6 0 3 1 1 1 1 1; mso-font-charset:134; mso-generic-font-family:auto; mso-font-pitch:variable; mso-font-signature:3 680460288 22 0 262145 0;} /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {mso-style-name:"Normal\,Text\,t"; mso-style-unhide:no; mso-style-qformat:yes; mso-style-parent:""; margin-top:3.0pt; margin-right:0in; margin-bottom:3.0pt; margin-left:0in; line-height:14.0pt; mso-line-height-rule:exactly; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Arial","sans-serif"; mso-fareast-font-family:SimSun; mso-bidi-font-family:"Times New Roman"; mso-font-kerning:12.0pt;} span.System {mso-style-name:"System\,sys"; mso-style-unhide:no; mso-style-locked:yes; mso-bidi-font-size:10.0pt; color:windowtext; border:none; font-weight:bold; mso-bidi-font-weight:normal; text-decoration:none; text-underline:none;} .MsoChpDefault {mso-style-type:export-only; mso-default-props:yes; font-size:10.0pt; mso-ansi-font-size:10.0pt; mso-bidi-font-size:10.0pt;} @page WordSection1 {size:8.5in 11.0in; margin:1.0in 1.0in 1.0in 1.0in; mso-header-margin:.5in; mso-footer-margin:.5in; mso-paper-source:0;} div.WordSection1 {page:WordSection1;} --> </style>wuauclt /detectnow ", but that client is still not updating. I checked on the actual computer within the Computers/Windows 2003 Group I had set up, and it is the only computer in there. It still shows 160 of 160 Updates needed, and has been that way for a couple days.

    How many things am I doing wrong?

    29 Juni 2012 15:05

Jawaban

  • Under the File Status Column, for all 20 items the icon says "ready for installation".

    This means the files for these updates are downloaded to the WSUS server from Microsoft.
    Under the Installed/Not Applicable Column, all say 100%.
    That means nothing needs these updates -- either they have already successfully installed ot the clients, or they were never needed.
    Results: Comp 1 = 1 updates have not been installed
    Comp 2 = 30 updates have not been installed
    Comp 3 = 15 updates have not been installed
    Which suggests that there are updates needed by these systems that have not been approved for installation. Go to the All Updates node, filter on Approval="Unapproved" and Status="Needed", identify the updates that are Needed and NotApproved and determine if they should be approved.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    • Ditandai sebagai Jawaban oleh I_Batman 10 Juli 2012 14:04
    05 Juli 2012 20:15
    Moderator

Semua Balasan

  • You're not doing anything wrong. In fact, you have a very solid understanding of how the thing works.

    What I think may be missing here, certainly something not expressly mentioned -- after you approved the updates in the WSUS console, did you confirm that the WSUS server successfully downloaded (from Microsoft) the installation files associated with those updates?

    Enable the File Status icon in your updates view and determine which of three states it might be in.

    Review the main page of the WSUS Admin console and see if the WSUS server reports any updates waiting to be downloaded.

    Until the installation files are successfully downloaded to the WSUS server, the clients cannot install the updates -- and will forever report them as "Needed" but appear to do nothing about that.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    01 Juli 2012 23:55
    Moderator
  • Hi, sorry for the delay.
    We had a network overhaul in the past days that has been quite time-consuming.

    With regards to your question whether I have approved the updates, I HOPE the answer is yes. Bottom line, I don't know if I am reading the results properly. What I see is detailed below.

    I think I am now getting some conflicting results, or I am mis-reading something. When I look under the Updates menu, it appears nothing updated.
    But when I look under the Computers menu, it appears that updates were done.

    Under the Update Services/Updates/Critical Updates:
    I have selected Approved from the Approval menu, and from the Status Menu: Installed/Not Applicable.

    I am seeing 20 items.
    Under the File Status Column, for all 20 items the icon says "ready for installation".
    Under the Installed/Not Applicable Column, all say 100%.
    Under the Approval Column, 19 read "Install (5/5) and one reads Install.

    Now, when I go to the Computers menu, I am looking at all 3 of the test client servers in my environment. (Each test device has one of the 3 OS that exist in our environment).

    I have the Status Rollup column and the Installation Status column enabled. The results for each computer are different (as expected), but the results for each computer are identical when comparing the 2 columns.

    Results: Comp 1 = 1 updates have not been installed, 74 Updates have been installed, 3127 updates not applicable.

    Comp 2 = 30 updates have not been installed, 120 updates have been installed, 3052 updates are not applicable

    Comp 3 = 15 updates have not been installed, 46 updates are waiting for the computer to be restarted to complete installation, 41 updates have been installed, 3100 updates are not applicable.

    05 Juli 2012 16:19
  • Under the File Status Column, for all 20 items the icon says "ready for installation".

    This means the files for these updates are downloaded to the WSUS server from Microsoft.
    Under the Installed/Not Applicable Column, all say 100%.
    That means nothing needs these updates -- either they have already successfully installed ot the clients, or they were never needed.
    Results: Comp 1 = 1 updates have not been installed
    Comp 2 = 30 updates have not been installed
    Comp 3 = 15 updates have not been installed
    Which suggests that there are updates needed by these systems that have not been approved for installation. Go to the All Updates node, filter on Approval="Unapproved" and Status="Needed", identify the updates that are Needed and NotApproved and determine if they should be approved.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    • Ditandai sebagai Jawaban oleh I_Batman 10 Juli 2012 14:04
    05 Juli 2012 20:15
    Moderator
  • Thanks for the detailed explanation.

    It helps a lot.

    I think what I am still having an issue with is trying to figure out the best way to maintain/ roll out the updates.

    I have built a small test bed with 3 groups, ecah representing one of the 3 OS's we have in our environment. The way I interpret the WSUS GUI, there are 2 ways to decide what updates are required and roll them out.

    One way is through the "Updates" section of the WSUS GUI. I first selected all the updates under critical/ approval = unapproved, status = failed or needed. I then approved ALL in there that were not superceded by another. Anything that was superceded, I set approval to "declined". I then went through the same procedure with items under "security updates", "wsus updates", and finally "update rollups".

    However, I can also access the servers on an individual basis, or group basis, using the various groups I have created. This is the location that I will have to use longterm, since we not want to update all computers until we have updated a test group first and evaluated the impact of the updates. But what is the best methodology to use when selecting computers/updates from this menu? It seems quite difficult to approve a lot of updates in one fell swoop when faced with 80 or 90 servers in a group. From what I am seeing, I have to update every update on a one-by-one basis, and only computers within a group on a one-by-one basis?

    Am I missing something? 

    09 Juli 2012 15:17
  • For purposes of approving updates, the method you used is certainly appropriate. (Although I would recommend waiting to decline the superseded updates until you've confirmed that they're absolutely not needed -- by virtue of the newer update being successfully installed on all applicable systems.)

    The computers view is more appropriate for monitoring and managing the status of computers. You cannot manage approvals from the computers view (although you can launch a detailed status report for a computer, and approve updates from within the report for the group(s) that may be missing approvals). You might encounter this process by identifying that a computer is not getting update(s) that it needs because it's not in a group where the update has been approved.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    09 Juli 2012 19:49
    Moderator
  • Thanks for your help Lawrence. It has been a big help. I am having a couple more issues with WSUS, but it might be better if I opened a new thread that more explicitly described the problem.

    10 Juli 2012 14:04