WSUS Multi-Layer Replication Issue

  • Question

  • I manage WSUS for a set of networks that don't have internet access. Currently, we have one "master" WSUS server (with internet access) that a WSUS on each isolated network connects to as a replica, and this system has worked fine. However, we're in the process of moving to a more secure network design, which requires an additional layer of replication. I'm trying to set up the first server on the new topology, but it's not downloading updates for the clients to install.

    The system details are:

    "Master":  Server 2008 R2, Update Services 3.2.7600.226

    "Relay":  Server 2016, Update Services 10.0.14393.0

    "Segment":  Server 2012 R2, Update Services 6.3.9600.16384

    On both the Relay and Segment servers, the WSUSContent folder is practically empty (only about 10MB of files on the Relay, 0 on the Segment).  On the main screen, the Relay says Updates Needing Files = 0; Segment says needing 5,360 but downloaded 0 of 198GB.

    The Relay was set up by someone else, and is set up as Do Not Store Update Files Locally; both the Master and Segment are set to Store Update Locally On This Server, with Download Update Files To This Server Only When Updates Are Approved.  Is this mismatch the cause of the problem?  I found other forum posts saying this can be done, but it seems counterintuitive to me.

    Thank you in advance.

    Tuesday, July 17, 2018 4:47 PM

All replies

  • Hello NMillerEMN,

     

    Glad to help.

     

    First, let us confirm your topology. "Master" is the upstream server which connects to Microsoft, "Relay" is a replica of "Master", and "Segment" is a replica of "Relay". Is that right? Feel free to let me know if there is any misunderstanding.

     

    If the above information is correct, make sure that you choose the correct Upstream Server and port on "Relay" and "Segment". You could check them in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.

     

    And check the connectivity by opening http://WSUSserver:8530/ClientWebService/client.asmx on "Relay" and "Segment" (please change the WSUSserver name to their upstream server).

     

    If there is no problem and the error persists, it would be helpful if you could provide the windowsupdate.log of "Relay" after it finishes a synchronization.

     

    Look forward to your feedback.

     

    Best Regards,

    Ray Jia


    Please remember to mark the replies as answers if they help.

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, July 18, 2018 5:35 AM
  • Ray,

    The topology is correct.

    There are no upstream server names or ports at the registry location you specified, nor to the best of my knowledge should there be (the registry location you gave is where client settings are kept, not server; please re-confirm this path).

    On Segment, I'm able to access a Client Service page for Relay, which talks about how to create a client to call the service.  However, on Relay, I get a "Server Error in '/ClientWebService' Application" message when trying the Master address.  However, I get the same message from other Segment-level servers that direct-connect to Master, and they're working fine.

    Thursday, July 19, 2018 3:40 PM
  • The relay needs to have the policy changed to store updates on that system (as far as I know) or the segment system can't ever physically get the updates because its upstream (relay) doesn't have them.

    IMO, the second issue is that your OLDEST server system is your master and it has a problem with Windows 10 Upgrades. You should put a 2012+ server as your master (2016 preferably).

    The 3rd issue would be that if you're getting errors visiting the client web service URL, try downloading the iuident.cab file

    http://server.domain.local:8530/selfupdate/iuident.cab
    https://server.domain.local:8531/selfupdate/iuident.cab

    If you can't download that, check your firewall settings. If you can, is there a proxy between the relay and the master?


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Friday, July 20, 2018 4:18 AM
  • Hello NMillerEMN,

      

    Thanks for the feedback.

      

    I am sorry for the wrong registry path. However, you could check the source server in the downstream WSUS console and make sure the entry is correct.

      

    The mismatch of store location should not be the reason for this issue. On the Segment, WSUS would download update files from Microsoft when clients want to get them.

      

    So you should investigate the connectivity between Segment and Microsoft, and check if Segment could download or import updates from the Internet.

      

    Look forward to your feedback.

      

    Best Regards,

    Ray Jia



    Friday, July 20, 2018 7:57 AM
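
The checks discussed in this thread (which upstream server and port a downstream WSUS server is configured to use, whether it stores update files locally, and whether `iuident.cab` can be downloaded from its upstream) can be run in one pass on each tier. This is an added example, not part of any post above; it assumes an elevated PowerShell session on a downstream server that has the UpdateServices module (Server 2012 or later, so the Relay and Segment here), and the output labels are illustrative.

```powershell
# Added example: read the server-side replication settings of the local WSUS
# instance and test the iuident.cab download from its configured upstream.
Import-Module UpdateServices

$wsus = Get-WsusServer                 # local WSUS instance
$cfg  = $wsus.GetConfiguration()       # server configuration (not client policy)

# Settings the console shows under Options > Update Source and Proxy Server
# and Options > Update Files and Languages.
[pscustomobject]@{
    Server                   = $wsus.Name
    SyncFromMicrosoftUpdate  = $cfg.SyncFromMicrosoftUpdate
    IsReplica                = $cfg.IsReplicaServer
    UpstreamServer           = $cfg.UpstreamWsusServerName
    UpstreamPort             = $cfg.UpstreamWsusServerPortNumber
    UpstreamUsesSsl          = $cfg.UpstreamWsusServerUseSsl
    DoNotStoreFilesLocally   = $cfg.HostBinaryFilesOnMicrosoftUpdate
    DownloadOnlyWhenApproved = $cfg.DownloadUpdateBinariesAsNeeded
    ContentPath              = $cfg.LocalContentCachePath
    UsesProxy                = $cfg.UseProxy
} | Format-List

# Connectivity test against the upstream WSUS server, using the scheme and
# port from the configuration rather than a hand-typed URL.
if (-not $cfg.SyncFromMicrosoftUpdate) {
    $scheme = if ($cfg.UpstreamWsusServerUseSsl) { 'https' } else { 'http' }
    $url = '{0}://{1}:{2}/selfupdate/iuident.cab' -f `
        $scheme, $cfg.UpstreamWsusServerName, $cfg.UpstreamWsusServerPortNumber
    $tmp = Join-Path $env:TEMP 'iuident.cab'
    try {
        Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
        "OK: $url ($((Get-Item $tmp).Length) bytes)"
    } catch {
        "FAILED: $url -> $($_.Exception.Message)"
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}
```

Comparing the `DoNotStoreFilesLocally` and `ContentPath` values from the Relay and the Segment side by side shows the storage mismatch the question describes without relying on each console's Options pages.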