WSUS still failing after postinstall for 3159706

  • Question

  • Pulling my hair out over here. Burned most of Friday and now half of Monday when I realized it was still broken.

    Re-read all the bits and pieces, restarted services, restarted server, mmc is still broken, client still not getting updates.

    Triple-checked all the steps in the KB, re-ran postinstall /servicing and found this in the log:

    2016-08-15 16:43:43  Postinstall started
    2016-08-15 16:43:43  Detected role services: Api, UI, WidDatabase, Services
    2016-08-15 16:43:43  Start: LoadSettingsForServicing
    2016-08-15 16:43:43  WID instance name: MICROSOFT##WID
    <snip declaration & sql code>
    2016-08-15 16:44:02  Install type is: Reinstall
    2016-08-15 16:44:02  Install type is Reinstall, but should be Upgrade.  Cannot service the database
    2016-08-15 16:44:02  Swtching DB to multi-user mode......
    2016-08-15 16:44:08  Finished setting multi-user mode
    2016-08-15 16:44:08  Starting service W3SVC
    2016-08-15 16:44:08  Starting service WSUSService
    2016-08-15 16:44:09  Postinstall completed

    What's my next move?

    Monday, August 15, 2016 11:59 PM

Answers

  • I ended up torching the server and reinstalling Windows from scratch, then WSUS, IIS and WID from PowerShell, then KB3159706, manually running the steps in the 3159706 KB and letting it synchronize. https://support.microsoft.com/en-us/kb/3159706

    Once that was all complete and I tried connecting from a Win7 Pro and Win10 Enterprise client, I was still getting errors like I was at the beginning (0x80072ee2 and 0x80244010). http://server.fqdn:port/SimpleAuthWebService/SimpleAuth.asmx worked correctly.

    Ultimately--and this is now a FULL WEEK of screwing around--I found a blog post relating to ConfigMgr 2012 that described the same errors and behavior:

    https://blogs.technet.microsoft.com/configurationmgr/2015/03/23/configmgr-2012-support-tip-wsus-sync-fails-with-http-503-errors/

    I went into IIS and adjusted the amount of memory allocated to the WsusPool up to 2GB (2097152 KB if your math is rusty) and recycled the pool and after that all the clients started reporting "Windows is up to date" (they're not, there's just no approved updates yet) so now I can start going through those and getting things back to where they were last week.


    Friday, August 19, 2016 10:26 PM
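
The change described in the answer above, as an added PowerShell example that is not part of the original post. It assumes the WebAdministration module on the WSUS server and an elevated prompt; the pool name and the 2097152 KB value are the ones given in the post.

```powershell
# Added example, not from the original thread. Run elevated on the WSUS server.
Import-Module WebAdministration

$poolName = 'WsusPool'                  # pool name as given in the post
$poolPath = "IIS:\AppPools\$poolName"
$targetKB = 2097152                     # 2 GB expressed in KB, the value from the post
$attr     = 'recycling.periodicRestart.privateMemory'

# A stopped pool answers clients with HTTP 503, so look at its state first.
$state     = (Get-WebAppPoolState -Name $poolName).Value
$currentKB = (Get-ItemProperty -Path $poolPath -Name $attr).Value
"Pool state: $state; private memory limit: $currentKB KB (0 = no limit)"

# Show what each worker process of the pool is using right now.
Get-ChildItem "$poolPath\WorkerProcesses" | ForEach-Object {
    $p = Get-Process -Id $_.processId
    "w3wp PID {0}: {1:N0} KB private bytes" -f $p.Id, ($p.PrivateMemorySize64 / 1KB)
}

# Raise the limit only when one is set and it is below the target, then recycle.
if ($currentKB -ne 0 -and $currentKB -lt $targetKB) {
    Set-ItemProperty -Path $poolPath -Name $attr -Value $targetKB
    if ($state -eq 'Started') { Restart-WebAppPool -Name $poolName }
    "Limit raised to $targetKB KB"
}
```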

All replies

  • Hi DocJelly,

    If WSUS is still crashing after doing the manual steps in KB3159706, I would reinstall the WSUS role.

    To uninstall WSUS completely:

    1. Remove the role in server manager;

    2. Delete SUSDB and SUSDB_log in C:\windows\WID\Data;

    3. If the SUSDB cannot be deleted completely, we may install SQL Server Management Studio to detach SUSDB;

    4. Delete related WSUS site and content folders.

    Then install the WSUS role again, install the KB with the manual steps, and check if it could work.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, August 16, 2016 6:18 AM
  • Will I have to re-approve everything and set it up from scratch if I do that?
    Tuesday, August 16, 2016 3:54 PM
  • Hi DocJelly,

    Yes, my above reply is about setting up the WSUS server from scratch.

    Since we can't determine whether the WSUS database has crashed, it's hard to say whether using the original database could work.

    A WSUS server is easy to rebuild; do you have worries about rebuilding it?

    Best Regards,

    Anne


    Wednesday, August 17, 2016 2:02 AM
  • Hi Anne, I just was concerned with the amount of re-approving and re-downloading but it doesn't matter now. I burned the whole day yesterday trying to get it installed. The first time I forgot to remove SUSDB.mdf and ldf so when it started back up, the old database was still there.

    The second time I reinstalled it, there was no tools folder, so post-install failed.

    The third time I reinstalled it, the tools were there but it couldn't create a new SUSDB and kept complaining it couldn't find it.

    The fourth time I reinstalled it, I made sure to uncheck WID feature itself, IIS features, removed SUSDB files, content folder, IIS website, rebooted for good measure then ran postinstall from command line instead and it worked.

    When I left work at 7pm last night, it was synchronizing. When I came in this morning it had finished synchronizing 11,000+ updates, but no clients had tried to connect so nothing was "needed" and now I'm faced with no clients able to connect to the WSUS server because of an error 0x80072efe.

    IIS is showing that the site is listening on 8530 for HTTP and 8531 for HTTPS, and GPO specifies https://my.server.name.fqdn:8531 for both detecting updates and for intranet statistics server.

    EDIT: this log is from when I did wuauclt.exe /detectnow
    Last few lines of windowsupdate.log from a Windows 7 client:

    2016-08-17    09:42:21:535    1100    284    Misc    WARNING: Send failed with hr = 80072efe.
    2016-08-17    09:42:21:535    1100    284    Misc    WARNING: SendRequest failed with hr = 80072efe. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
    2016-08-17    09:42:21:535    1100    284    Misc    FATAL: SOAP/WinHttp - SendRequest: SendRequestUsingProxy failed. error 0x80072efe
    2016-08-17    09:42:21:535    1100    284    PT      + Last proxy send request failed with hr = 0x80072EFE, HTTP status code = 0
    2016-08-17    09:42:21:535    1100    284    PT      + Caller provided credentials = No
    2016-08-17    09:42:21:535    1100    284    PT      + Impersonate flags = 0
    2016-08-17    09:42:21:536    1100    284    PT      + Possible authorization schemes used =
    2016-08-17    09:42:21:536    1100    284    PT    WARNING: GetAuthorizationCookie failure, error = 0x80072EFE, soap client error = 5, soap error code = 0, HTTP status code = 200
    2016-08-17    09:42:21:536    1100    284    PT    WARNING: Failed to initialize Simple Targeting Cookie: 0x80072efe
    2016-08-17    09:42:21:536    1100    284    PT    WARNING: PopulateAuthCookies failed: 0x80072efe
    2016-08-17    09:42:21:536    1100    284    PT    WARNING: RefreshCookie failed: 0x80072efe
    2016-08-17    09:42:21:536    1100    284    PT    WARNING: RefreshPTState failed: 0x80072efe
    2016-08-17    09:42:21:536    1100    284    PT    WARNING: PTError: 0x80072efe
    2016-08-17    09:42:21:536    1100    284    Report    WARNING: Reporter failed to upload events with hr = 80072efe.


    • Edited by DocJelly360 Wednesday, August 17, 2016 4:54 PM
    Wednesday, August 17, 2016 4:51 PM
  • Hi DocJelly,

    >https://my.server.name.fqdn:8531

    Did you configure SSL for the WSUS server? HTTPS is for SSL; if you didn't configure SSL for the WSUS server, we need to use HTTP and port 8530.

    If you indeed configured SSL for WSUS, then do the clients trust the certificate used by the WSUS server? We need to store the root certificate on the WSUS clients.

    Best Regards,

    Anne


    Thursday, August 18, 2016 1:59 AM
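
The two checks raised in the reply above (does the configured port really speak SSL, and does the client trust the certificate), as an added PowerShell example that is not part of the original thread. It assumes the WSUS URL was set by Group Policy, so it reads `WUServer` from the Windows Update policy key; the certificate subject is printed so it can be compared with the host name in that URL.

```powershell
# Added example, not from the original thread. Run on a WSUS client.
# Reads the WSUS URL that Group Policy wrote to the registry, then checks that the
# port answers and that the server certificate chains to a root this client trusts.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu  = Get-ItemProperty -Path $policy -ErrorAction Stop
$uri = [Uri]$wu.WUServer
"WUServer: $($wu.WUServer)   WUStatusServer: $($wu.WUStatusServer)"

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($uri.Host, $uri.Port)
    "TCP connect to $($uri.Host):$($uri.Port) succeeded"

    if ($uri.Scheme -eq 'https') {
        # Accept any certificate here so it can be inspected; nothing is sent over this stream.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($uri.Host)   # throws if the port has no SSL binding
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        "Subject: $($cert.Subject)"
        "Issuer : $($cert.Issuer)"
        "Valid  : $($cert.NotBefore) to $($cert.NotAfter)"

        # Build the chain against this machine's certificate stores.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: test trust only, not revocation
        if ($chain.Build($cert)) {
            'Chain builds to a trusted root on this client'
        } else {
            $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status) $($_.StatusInformation)" }
        }
        $ssl.Close()
    }
} catch {
    "Check failed: $($_.Exception.Message)"
} finally {
    $tcp.Close()
}
```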
  • Hi Anne, I DID have SSL set up on my old WSUS server, before this update took it down. My GPO is using HTTPS. I changed the reg keys on one machine to HTTP and port 8530 to test, and got some different error codes, but still error codes and no computers showed up in the WSUS console.

    So I decided to open up IIS Manager and enable SSL on the web services according to this kb: https://technet.microsoft.com/en-ca/library/bb633246.aspx

    When I got to ClientWebService, I got an error when opening SSL settings "There was an error while performing this operation" "filename \\?\C:\Program Files\Update Services\WebServices\ClientWebService\web.config Line number: 4 Error: Configuration file is not well-formed XML" so, naturally I opened it in notepad and the first part of the file is gibberish:

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
        
      <      or SyncPrinterquireDYNAMICeDEBUG COMPILquestLength="4096ScheWUShield"
     d="tr="true"1077enablespoPsed="trgnt a96O
     rwise,e Refres <add   <ser07Length="4096elow
        paths foettings  name="Micr      dd nTypes>
            </web96ScheWUShield"
     d="tr="true"1077nnese ed="trgnt Formb ex (.pdb7nnme="Md"
    )     </web96nnerformeWUShied ke     B>
    e"
       dd c   nedHarelr  r6eiedthe liex>
           <!-- Thnvi    l.Ilf38y  service  Re <add   <ser07r0rue over httpsd="trgnt F) -r07Length="4096elow
     lilol o
     r ings

    essnvi   nnme="Md"
    ,m/en-uperformsystem.web>

    Is there a way I can get the proper web.config file from a cab or the installation files to replace this and see if it fixes it?

    Otherwise, what else am I supposed to do? Burn the whole server down, reinstall Windows from scratch and just try again?

    Thursday, August 18, 2016 4:15 PM
  • Hi DocJelly,

    Glad to hear you figured out the issue finally. And thanks for feeding back the detailed process and solution.

    Best Regards,

    Anne


    Monday, August 22, 2016 8:02 AM