WSUS offline not working

  • Question

  • Hello

    I'm trying to create a WSUS offline for a zone without network (named for the example FRDC.zone).

    I've exported all WSUScontent and metadata from a source WSUS.

    It's all imported to the offline WSUS.

    The configuration of "update files and languages" is the same on the source and destination WSUS.


    My clients (W7 and XP) are connected to the offline WSUS, and are shown on the console. We can see there are updates to install.

    On the client : windows update says "up to date" !


    A log for a W7 client (name for example windows01) :


    2016-03-16    06:07:49:464     964    38c    AU    #############
    2016-03-16    06:07:49:464     964    38c    AU    ## START ##  AU: Search for updates
    2016-03-16    06:07:49:464     964    38c    AU    #########
    2016-03-16    06:07:49:464     964    38c    AU    <<## SUBMITTED ## AU: Search for updates [CallId = {55174188-DDFA-4A9C-829D-0B373AA87818}]
    2016-03-16    06:07:49:464     964    300    Agent    *************
    2016-03-16    06:07:49:464     964    300    Agent    ** START **  Agent: Finding updates [CallerId = AutomaticUpdates]
    2016-03-16    06:07:49:464     964    300    Agent    *********
    2016-03-16    06:07:49:464     964    300    Agent      * Online = Yes; Ignore download priority = No
    2016-03-16    06:07:49:464     964    300    Agent      * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
    2016-03-16    06:07:49:464     964    300    Agent      * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
    2016-03-16    06:07:49:464     964    300    Agent      * Search Scope = {Machine}
    2016-03-16    06:07:49:495     964    300    Setup    Checking for agent SelfUpdate
    2016-03-16    06:07:49:495     964    300    Setup    Client version: Core: 7.6.7600.320  Aux: 7.6.7600.320
    2016-03-16    06:07:51:803     964    300    Misc    Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab with dwProvFlags 0x00000080:
    2016-03-16    06:08:11:848     964    300    Misc     Microsoft signed: NA
    2016-03-16    06:08:11:848     964    300    Misc    Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\TMPAD24.tmp with dwProvFlags 0x00000080:
    2016-03-16    06:08:41:861     964    300    Misc     Microsoft signed: NA
    2016-03-16    06:08:41:861     964    300    Misc    Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab with dwProvFlags 0x00000080:
    2016-03-16    06:08:41:876     964    300    Misc     Microsoft signed: NA
    2016-03-16    06:08:41:876     964    300    Misc    Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab with dwProvFlags 0x00000080:
    2016-03-16    06:08:41:876     964    300    Misc     Microsoft signed: NA
    2016-03-16    06:08:41:907     964    300    Setup    Determining whether a new setup handler needs to be downloaded
    2016-03-16    06:08:41:907     964    300    Misc    Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\Handler\WuSetupV.exe with dwProvFlags 0x00000080:
    2016-03-16    06:08:41:923     964    300    Misc     Microsoft signed: NA
    2016-03-16    06:08:41:923     964    300    Setup    SelfUpdate handler update NOT required: Current version: 7.6.7600.320, required version: 7.6.7600.320
    2016-03-16    06:08:41:923     964    300    Setup    Evaluating applicability of setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.6.7600.320"
    2016-03-16    06:08:42:578     964    300    Setup    Setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.6.7600.320" is already installed.
    2016-03-16    06:08:42:578     964    300    Setup    Evaluating applicability of setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.320"
    2016-03-16    06:08:42:609     964    300    Setup    Setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.320" is already installed.
    2016-03-16    06:08:42:609     964    300    Setup    Evaluating applicability of setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.320"
    2016-03-16    06:08:42:656     964    300    Setup    Setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.320" is already installed.
    2016-03-16    06:08:42:656     964    300    Setup    SelfUpdate check completed.  SelfUpdate is NOT required.
    2016-03-16    06:08:46:447     964    300    PT    +++++++++++  PT: Synchronizing server updates  +++++++++++
    2016-03-16    06:08:46:447     964    300    PT      + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://FRTLSCDZDC.zone.secu:8530/ClientWebService/client.asmx
    2016-03-16    06:08:46:462     964    300    PT    WARNING: Cached cookie has expired or new PID is available
    2016-03-16    06:08:46:462     964    300    PT    Initializing simple targeting cookie, clientId = 3ecfbc03-13db-4cd4-a103-93ed08b90339, target group = Windows7, DNS name = windows01.zone
    2016-03-16    06:08:46:462     964    300    PT      Server URL = http://FRDC.zone:8530/SimpleAuthWebService/SimpleAuth.asmx
    2016-03-16    06:10:01:727     964    300    Agent      * Found 0 updates and 82 categories in search; evaluated appl. rules of 5521 out of 7583 deployed entities
    2016-03-16    06:10:01:727     964    300    Agent    *********
    2016-03-16    06:10:01:727     964    300    Agent    **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
    2016-03-16    06:10:01:727     964    300    Agent    *************
    2016-03-16    06:10:01:883     964    578    AU    >>##  RESUMED  ## AU: Search for updates [CallId = {55174188-DDFA-4A9C-829D-0B373AA87818}]
    2016-03-16    06:10:01:883     964    578    AU      # 0 updates detected
    2016-03-16    06:10:01:883     964    578    AU    #########
    2016-03-16    06:10:01:883     964    578    AU    ##  END  ##  AU: Search for updates [CallId = {55174188-DDFA-4A9C-829D-0B373AA87818}]
    2016-03-16    06:10:01:883     964    578    AU    #############
    2016-03-16    06:10:01:883     964    578    AU    Successfully wrote event for AU health state:0
    2016-03-16    06:10:01:883     964    578    AU    Featured notifications is disabled.
    2016-03-16    06:10:01:883     964    578    AU    AU setting next detection timeout to 2016-03-16 07:04:30
    2016-03-16    06:10:01:883     964    578    AU    Setting AU scheduled install time to 2016-03-17 02:00:00
    2016-03-16    06:10:01:883     964    578    AU    Successfully wrote event for AU health state:0
    2016-03-16    06:10:01:883     964    578    AU    Successfully wrote event for AU health state:0
    2016-03-16    06:10:06:735     964    300    Report    REPORT EVENT: {A803330A-BFC0-4CF1-8D29-1A2EB7618AB1}    2016-03-16 06:10:01:727+0100    1    147    101    {00000000-0000-0000-0000-000000000000}    0    0    AutomaticUpdates    Success    Software Synchronization    Windows Update Client successfully detected 0 updates.
    2016-03-16    06:10:06:735     964    300    Report    REPORT EVENT: {5CA51629-3BFB-43A3-95E2-36A2FA37FF96}    2016-03-16 06:10:01:727+0100    1    156    101    {00000000-0000-0000-0000-000000000000}    0    0    AutomaticUpdates    Success    Pre-Deployment Check    Reporting client status.
    2016-03-16    06:10:06:735     964    300    Report    CWERReporter finishing event handling. (00000000)
    2016-03-16    06:23:43:937     964    300    Report    Uploading 2 events using cached cookie, reporting URL = http://FRDC.zone:8530/ReportingWebService/ReportingWebService.asmx
    2016-03-16    06:23:43:952     964    300    Report    Reporter successfully uploaded 2 events.


    I didn't find any solution.

    Any idea ?



    Tuesday, March 22, 2016 3:37 PM

Answers

  • clients will not perform updating if they cannot receive the update-package-payload.

    Your screenshot shows that your WSUS has not been able to complete the content reconciliation (it thinks it needs to download lots of payload).

    either your import/reconciliation is still running, or has aborted, or never began.


    Don [doesn't work for MSFT, and they're probably glad about that ;]


    Tuesday, March 29, 2016 6:32 AM

All replies

  • Hi ouafnico,

    Do a test by checking for updates online on a client to see if the clients have needed updates, then on the offline WSUS server search for the KB number and check whether the KB has been approved on the WSUS server.

    Also check computers' status, check if they have reported to the WSUS server recently, and check if there are computers needing updates in "All computers overview".

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, March 23, 2016 6:42 AM
  • Hello

    I've checked on the clients; they say "up to date".

    On the WSUS server, I see they have successfully reported (every 2 hours). On the report for each, I saw all the needed updates, already approved.

    Wednesday, March 23, 2016 6:53 AM
  • Hi ouafnico,

    I mean check for updates online, not from the WSUS server; this is used to verify whether the clients are really "up to date".

    Sometimes when we check online, we may see that clients have updates that haven't been installed, while when checking for updates from the WSUS server, the result may show the client as "up to date", if there is some issue with the WSUS server.

    Best Regards,

    Anne





    Wednesday, March 23, 2016 6:57 AM
  • I can't, this is a restricted zone, with no external access for servers and clients.

    But they are not up to date; they are XP SP3 and W7 SP1 installed from DVD, so they miss a lot of updates :)

    On WSUS I saw they miss a lot of updates.

    Wednesday, March 23, 2016 7:05 AM
  • Hi ouafnico,

    >Server URL = http://FRTLSCDZDC.zone.secu:8530/ClientWebService/client.asmx

    >Server URL = http://FRDC.zone:8530/SimpleAuthWebService/SimpleAuth.asmx

    I noticed that the FQDN of the WSUS server is different in the Server URL; what is the server FRTLSCDZDC.zone.secu?

    We may check whether the WSUS GPO settings for the clients are all correct: check the related registry keys on the WSUS client, and check whether WUServer and WUStatusServer are configured with the same value:

    https://technet.microsoft.com/en-us/library/cc708449(v=ws.10).aspx

    Best Regards,

    Anne



    Thursday, March 24, 2016 2:11 AM
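
The comparison described in the reply above can be run over a whole WindowsUpdate.log instead of by eye. This is an added example, not part of the original thread: it lists every WSUS host the client contacted and flags searches that returned 0 updates. The host names and the `triage` helper are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the layout of the WindowsUpdate.log excerpt in the
# question (date, time, PID, TID, component, message). Host names are placeholders.
SAMPLE_LOG = """\
2016-03-16    06:08:46:447     964    300    PT      + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://wsus-a.example.test:8530/ClientWebService/client.asmx
2016-03-16    06:08:46:462     964    300    PT      Server URL = http://wsus-b.example.test:8530/SimpleAuthWebService/SimpleAuth.asmx
2016-03-16    06:10:01:727     964    300    Agent      * Found 0 updates and 82 categories in search; evaluated appl. rules of 5521 out of 7583 deployed entities
2016-03-16    06:23:43:937     964    300    Report    Uploading 2 events using cached cookie, reporting URL = http://wsus-b.example.test:8530/ReportingWebService/ReportingWebService.asmx
"""

LINE = re.compile(r"^\s*(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2}:\d{3})\s+\d+\s+[0-9a-fA-F]+\s+(\w+)\s+(.*)$")
URL = re.compile(r"(?:Server|reporting) URL = (\S+)")
FOUND = re.compile(r"Found (\d+) updates and \d+ categories in search; "
                   r"evaluated appl\. rules of (\d+) out of (\d+) deployed entities")


def triage(log_text):
    """Collect the WSUS endpoints a client contacted and its search results."""
    endpoints = {}  # "host:port" -> set of web services requested there
    searches = []   # one entry per completed Agent search
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank or wrapped lines
        date, time, component, message = m.groups()
        u = URL.search(message)
        if u:
            parts = urlsplit(u.group(1))
            service = parts.path.strip("/").split("/")[0]
            endpoints.setdefault(parts.netloc.lower(), set()).add(service)
        f = FOUND.search(message)
        if f and component == "Agent":
            updates, evaluated, deployed = map(int, f.groups())
            searches.append({"time": f"{date} {time}", "updates": updates,
                             "evaluated": evaluated, "deployed": deployed})
    findings = []
    if len(endpoints) > 1:
        findings.append("client used more than one WSUS host: " + ", ".join(sorted(endpoints)))
    for s in searches:
        if s["updates"] == 0 and s["deployed"] > 0:
            findings.append(f'{s["time"]}: 0 updates offered, {s["evaluated"]} of '
                            f'{s["deployed"]} deployed entities evaluated; compare '
                            "with the needed count and content status on the server")
    return {"endpoints": endpoints, "searches": searches, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print(finding)
```
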
  • Hello

    In fact the server is FRTLSCDZDC.zone.secu, but I changed the name in the first post so as not to post the real name on the web, and I missed it somewhere ;)

    I will check the gpo/registry keys :)

    Thursday, March 24, 2016 6:35 AM
  • About the registry keys :

    on HKEYLM\Software\Policies\Microsoft\Windows\WindowsUpdate

    TargetGroup = Windows7 (the group exist on WSUS)

    TargerGroupEnabled = 1

    WUServer and WUStatusServer are configured to http://FRTLZSCDZDC.zone.secu:8530

    on AU key:

    AUOptions=4

    DetectionFrequency=2

    DetectionFrequencyEnabled=1

    NoAutoUpdate=0

    ScheduledInstallDay=0

    ScheduleInstallTime=3

    UseWUServer=1

    Friday, March 25, 2016 10:32 AM
  • Hi ouafnico,

    The registry keys seem fine.

    Could you provide a screenshot of the WSUS overview?

    Best Regards,

    Anne



    Monday, March 28, 2016 2:00 AM
  • Hello

    The console shows this.

    http://hpics.li/a2aadde

    About the "sync", I don't know what I need to configure, because it's an "offline" WSUS; it shows failed. I've disabled the sync.



    • Edited by ouafnico Tuesday, March 29, 2016 5:35 AM
    Tuesday, March 29, 2016 5:34 AM
  • clients will not perform updating if they cannot receive the update-package-payload.

    Your screenshot shows that your WSUS has not been able to complete the content reconciliation (it thinks it needs to download lots of payload).

    either your import/reconciliation is still running, or has aborted, or never began.


    Don [doesn't work for MSFT, and they're probably glad about that ;]


    Tuesday, March 29, 2016 6:32 AM
  • The error is just because I've configured this :

    http://hpics.li/8a61d4a

    But what do i need to put here because the server is in "offline" network ?

    The import was successfully done.

    If I configure it to "synchronize from another wsus server", like itself, the sync is OK and reports no errors, but the clients still do not get updates.

    Tuesday, March 29, 2016 7:14 AM
  • Sounds like you have imported the catalogue but not the updates.

    * The updates can only be present in the offline WSUS if they are present on the online WSUS, as only the online WSUS can download them.

    * WSUS will only download files if it thinks they are needed.

    Basically if you want the online WSUS to download updates for XP, you need an XP box connected to the online WSUS, if you want updates for Win2008, you need a Win2008 box connected to the online WSUS server...etc. You cannot just fire up a WSUS server as an online server to get exports from if the online server has no similar clients as far as I am aware.

    This also creates other issues, for example if your offline network has a plain Win7 install, and a Win7 SP1 client is connected to the online WSUS, you will not get any Win7 pre-SP1 updates.

    I have had this issue recently and I only got around it by taking a copy of the online WSUS server, and importing that into the offline network. Let your clients update from that the first time so they are up to date now, and then use the normal export/import procedure going forward.

    Tuesday, March 29, 2016 4:18 PM
  • > The error is just because I've configured this :
    >
    > http://hpics.li/8a61d4a

    No, it's not.

    > But what do I need to put here because the server is in "offline" network ?
    >
    > The import was successfully done.
    >
    > If I configure it to "synchronize from another wsus server", like itself, the sync is OK and reports no errors, but the clients still do not get updates.

    Your import/reconciliation was not successful, or, you have performed approvals on the disconnected server, for updates which were not available on the connected server.
    So, the disconnected server wants to download the missing content/payloads (it has an approval but doesn't have the content payload).

    The most common cause of this, is that the content reconciliation has failed.
    Content reconciliation occurs during/after import. The database/metadata is imported into the disconnected server SUSDB, and then the content/payload is reconciled so that updates metadata in the SUSDB has the matching content/payload, to serve to clients.

    If the source WSUS didn't (yet) have the content/payload, or, the content/payload was not successfully reconciled on the disconnected WSUS, you will have this exact problem.

    content/payload reconciliation can take quite some time, especially the first time you do an import (it can take hours).

    Are these indicators changing/moving at all, on the disconnected WSUS? or are they stuck?

    On the connected WSUS, are there any updates waiting-to-download?

    check the logfiles at c:\program files\update services\logs\ (on both servers) - are there errors?


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Tuesday, March 29, 2016 8:23 PM
  • The WSUSContent copy was good, and the import without error.

    I just have this "waiting to content" on the offline WSUS when it is configured as "sync to windows update", and it stays stuck. If I configure it to sync to itself, the waiting content disappears.

    How can I properly reset the WSUS? I can try to reimport it on the offline one, but if I just remove/reinstall the WSUS service it seems it all stays in the Windows Internal Database... how do I reset it? (Warning: the offline WSUS is a DC too.)

    I will get the logs..

    Thursday, March 31, 2016 5:54 AM
  • > The WSUSContent copy was good, and the import without error.
    >
    > I just have this "waiting to content" on the offline WSUS when it is configured as "sync to windows update", and it stays stuck. If I configure it to sync to itself, the waiting content disappears.
    >
    > How can I properly reset the WSUS? I can try to reimport it on the offline one, but if I just remove/reinstall the WSUS service it seems it all stays in the Windows Internal Database... how do I reset it? (Warning: the offline WSUS is a DC too.)
    >
    > I will get the logs..


    You can use the WSUSUTIL.EXE utility to perform a reset (this will force a content reconciliation)

    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Thursday, March 31, 2016 6:57 AM