locked
Software Updates ADR Issue: "Failed to download the update from the internet. Error = 5" RRS feed

  • Question

  • "Failed to download the update from internet. Error = 5"

    The above is the error I am getting when running any ADR. The error is quite clear software updates are failing to download and Error = 5 being a permissions error its clear that the downloads are failing due to incorrect permissions applied to the download path. 

    Here is the last bit of my ruleengine.log, everything above is the same except for the update trying to be downloaded of course:
    --------------------------------------------------------------------------------------------------------------------------
    Failed to download the update from internet. Error = 5 SMS_RULE_ENGINE 6/26/2014 9:21:59 AM 5148 (0x141C)
    Failed to download ContentID 16860969 for UpdateID 16857152. Error code = 5 SMS_RULE_ENGINE 6/26/2014 9:21:59 AM 5148 (0x141C)
    Downloading contents (count = 1) for UpdateID 16857255 SMS_RULE_ENGINE 6/26/2014 9:21:59 AM 5148 (0x141C)
    List of update content(s) which match the content rule criteria = {16861141} SMS_RULE_ENGINE 6/26/2014 9:21:59 AM 5148 (0x141C)
    Downloading content with ID 16861141 in the package SMS_RULE_ENGINE 6/26/2014 9:21:59 AM 5148 (0x141C)
    Failed to download the update from internet. Error = 5 SMS_RULE_ENGINE 6/26/2014 9:22:00 AM 5148 (0x141C)
    Failed to download ContentID 16861141 for UpdateID 16857255. Error code = 5 SMS_RULE_ENGINE 6/26/2014 9:22:00 AM 5148 (0x141C)
    Failed to download any update SMS_RULE_ENGINE 6/26/2014 9:22:00 AM 5148 (0x141C)
    Failed to download update contents. SMS_RULE_ENGINE 6/26/2014 9:22:00 AM 5148 (0x141C)
    No new update was added to the package. Package "SCP0008A" would not be updated. SMS_RULE_ENGINE 6/26/2014 9:22:00 AM 5148 (0x141C)
    Failed to run the DownloadAction for the AutoDeployment. SMS_RULE_ENGINE 6/26/2014 9:22:00 AM 5148 (0x141C)
    STATMSG: ID=8706 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_RULE_ENGINE" SYS=SCCM-MPS.DSCICORP.COM SITE=SCP PID=2376 TID=5148 GMTDATE=Thu Jun 26 13:22:00.164 2014 ISTR0="SMS Rule Engine" ISTR1="Failed to download one or more content files" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_RULE_ENGINE 6/26/2014 9:22:00 AM 5148 (0x141C)
    Enforcing Create Deployment Action SMS_RULE_ENGINE 6/26/2014 9:22:00 AM 5148 (0x141C)
      Create Deployment Rule Action XML is: <DeploymentCreationActionXML xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><CollectionId>SCP00055</CollectionId><IncludeSub>true</IncludeSub><Utc>false</Utc><Duration>0</Duration><DurationUnits>Hours</DurationUnits><AvailableDeltaDuration>0</AvailableDeltaDuration><AvailableDeltaDurationUnits>Hours</AvailableDeltaDurationUnits><SuppressServers>Checked</SuppressServers><SuppressWorkstations>Unchecked</SuppressWorkstations><PersistOnWriteFilterDevices>Unchecked</PersistOnWriteFilterDevices><AllowRestart>true</AllowRestart><DisableMomAlert>false</DisableMomAlert><GenerateMomAlert>false</GenerateMomAlert><UseRemoteDP>true</UseRemoteDP><UseUnprotectedDP>true</UseUnprotectedDP><UseBranchCache>true</UseBranchCache><EnableDeployment>true</EnableDeployment><EnableWakeOnLan>true</EnableWakeOnLan><AllowDownloadOutSW>false</AllowDownloadOutSW><AllowInstallOutSW>true</AllowInstallOutSW><EnableAlert>true</EnableAlert><AlertThresholdPercentage>90</AlertThresholdPercentage><AlertDuration>7</AlertDuration><AlertDurationUnits>Days</AlertDurationUnits><EnableNAPEnforcement>false</EnableNAPEnforcement><UserNotificationOption>DisplaySoftwareCenterOnly</UserNotificationOption><LimitStateMessageVerbosity>false</LimitStateMessageVerbosity><StateMessageVerbosity>10</StateMessageVerbosity><AllowWUMU>true</AllowWUMU><AllowUseMeteredNetwork>true</AllowUseMeteredNetwork></DeploymentCreationActionXML> SMS_RULE_ENGINE 6/26/2014 9:22:00 AM 5148 (0x141C)
      Rule XML is: <AutoDeploymentRule xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><DeploymentName>Test ADR</DeploymentName><DeploymentDescription>Test ADR</DeploymentDescription><LocaleId>1033</LocaleId><UseSameDeployment>false</UseSameDeployment><EnableAfterCreate>true</EnableAfterCreate><NoEULAUpdates>false</NoEULAUpdates><AlignWithSyncSchedule>false</AlignWithSyncSchedule><ScopeIDs><ScopeID>SMS00UNA</ScopeID></ScopeIDs></AutoDeploymentRule> SMS_RULE_ENGINE 6/26/2014 9:22:00 AM 5148 (0x141C)
      Criteria Filter Result XML is: <AutoDeploymentRule xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><DeploymentName>Test ADR</DeploymentName><DeploymentDescription>Test ADR</DeploymentDescription><LocaleId>1033</LocaleId><UseSameDeployment>false</UseSameDeployment><EnableAfterCreate>true</EnableAfterCreate><NoEULAUpdates>false</NoEULAUpdates><AlignWithSyncSchedule>false</AlignWithSyncSchedule><ScopeIDs><ScopeID>SMS00UNA</ScopeID></ScopeIDs></AutoDeploymentRule> SMS_RULE_ENGINE 6/26/2014 9:22:00 AM 5148 (0x141C)
        Parsing Deployment Action XML... SMS_RULE_ENGINE 6/26/2014 9:22:00 AM 5148 (0x141C)
        Parsing Rule XML... SMS_RULE_ENGINE 6/26/2014 9:22:00 AM 5148 (0x141C)
    Could not find element DeploymentId SMS_RULE_ENGINE 6/26/2014 9:22:00 AM 5148 (0x141C)
    Could not find element UpdateGroupId SMS_RULE_ENGINE 6/26/2014 9:22:00 AM 5148 (0x141C)
    Could not find element UpdateGroupName SMS_RULE_ENGINE 6/26/2014 9:22:00 AM 5148 (0x141C)
        SQL is: select cis.CI_ID from vCI_ConfigurationItems cis join vProvisionedCIs pci on cis.CI_ID = pci.CI_ID where cis.CI_ID in (16793068, 16793070, 16793441, 16793445, 16793531, 16793686, 16793688, 16794597, 16794600, 16794602, 16794604, 16795443, 16795445, 16795709, 16795711, 16796210, 16796222, 16796292, 16796298, 16799495, 16799503, 16799602, 16799700, 16799703, 16799705, 16799712, 16799718, 16800300, 16800302, 16800367, 16800369, 16800371, 16800375, 16801224, 16801227, 16801237, 16801239, 16801287, 16801289, 16801559, 16801566, 16801996, 16802034, 16802839, 16802841, 16803306, 16803310, 16803420, 16803422, 16806477, 16806479, 16809354, 16809360, 16809393, 16809397, 16809774, 16809786, 16809792, 16813338, 16813348, 16813636, 16813638, 16814948, 16814950, 16815151, 16815153, 16817088, 16817102, 16817108, 16817398, 16817400, 16818677, 16818691, 16825397, 16840448, 16840458, 16840460, 16840462, 16840690, 16840700, 16840702, 16840710, 16840824, 16840826, 16842640, 16842641, 16842802, 16842803, 16842841, 16842870, 16842871, 16842896, 16842917, 16843017, 16843042, 16843049, 16843051, 16845981, 16846404, 16846751, 16846757, 16848017, 16848021, 16848664, 16848687, 16849383, 16849385, 16852506, 16852514, 16852516, 16855484, 16857102, 16857151, 16857152, 16857255) order by cis.CI_ID SMS_RULE_ENGINE 6/26/2014 9:22:00 AM 5148 (0x141C)
          0 of 115 updates are downloaded and will be added to the Deployment. SMS_RULE_ENGINE 6/26/2014 9:22:00 AM 5148 (0x141C)
    The rule resulted in no updates being found. Skip deployment creation or update... SMS_RULE_ENGINE 6/26/2014 9:22:00 AM 5148 (0x141C)
    CRuleHandler: Enforcing Actions for Rule 16777228 failed! SMS_RULE_ENGINE 6/26/2014 9:22:00 AM 5148 (0x141C)
    CRuleHandler: ResetRulesAndCleanUp() SMS_RULE_ENGINE 6/26/2014 9:22:00 AM 5148 (0x141C)
    Updated Failure Information for Rule: 16777228 SMS_RULE_ENGINE 6/26/2014 9:22:00 AM 5148 (0x141C)
    CRuleHandler: Deleting Rule 16777228 SMS_RULE_ENGINE 6/26/2014 9:22:00 AM 5148 (0x141C)
    Found notification file C:\Program Files\Microsoft Configuration Manager\inboxes\RuleEngine.box\16777228.RUL SMS_RULE_ENGINE 6/26/2014 9:22:10 AM 5148 (0x141C)
    RuleSchedulerThred: Change in Rules Object Signalled. SMS_RULE_ENGINE 6/26/2014 9:22:10 AM 5228 (0x146C)
    Refreshed ScheduleList instance for Rule (16777228) from schedule string () with next occurence (12/31/1969 7:00:00 PM) SMS_RULE_ENGINE 6/26/2014 9:22:10 AM 5228 (0x146C)
    FindNextEventTime found next event for RuleID 0 as :1/1/2038 12:00:00 AM SMS_RULE_ENGINE 6/26/2014 9:22:10 AM 5228 (0x146C)
    RuleEngine: Got next rule execution time successfully. Next event is in  12369097 minutes SMS_RULE_ENGINE 6/26/2014 9:22:10 AM 5228 (0x146C)
    Sleeping for 15 minutes SMS_RULE_ENGINE 6/26/2014 9:22:10 AM 5228 (0x146C)
    --------------------------------------------------------------------------------------------------------------------------

    Also, I do not have a patchdownloader.log anywhere, Ive checked all aforementioned locations from various sources and it just simply does not exist on my SCCM server. Here is my setup:

    Server1: Primary server with all roles installed locally except the site database is on its own server. WSUS is installed locally here and DB is stored here. 
    Server2: SQL DB for Primary site DB
    Server3: Secondary remote site running MP, DP, SUP. DB is SQL Express local. 

    So the SUP role was installed successfully on both server1 first and server 2 second with the site servers accounts. The SUP Synchronizes successfully and I can see a large list of updates available for use but not downloaded of course. I have set WSUS option to store updates locally and have plenty of space at the target destination.

    So here is my issue, I have been working on this issue for the better part of a week and understand the error code from the ruleengine.log to be a permissions issue. I have also proved this out but creating a test ADR with minimal updates and applied NTFS perms to the target path for Modify with the everyone group (testing purposes only). The updates downloaded successfully. So this puts me right back to where I was, knowing its a permissions issue but not understanding what permissions are needed. Let me explain further.

    The best way to start is to show what perms I have to the target location for downloads/wsus/sup anything:

    Path: \\Server1\UpdatesAndDefinitions    (permissions being applied to the UpdatesAndDefinitions root folder)
    SCCMAdmin (account used for most SCCM tasks except for NA) / Modify / Share and NTFS
    Server1$ (primary site server) / Modify / NTFS
    Everyone / read and execute / NTFS and Share

    There are other system generated perms but the above three are the important ones. So hence my confusion I know that the SCCMAdmin account or the Server its self has to be accessing the target directory so why is it failing with a permissions issue?

    My next step was to enable Auditing on the target path. Doing so revealed just what I thought and through me into further frustration:

    A network share object was accessed.

    Subject:
    Security ID: SYSTEM
    Account Name: SCCM-MPS$
    Account Domain: DSCI
    Logon ID: 0x3e7

    Network Information:
    Source Address: fe80::306a:8827:8672:3ba5
    Source Port: 50329

    Share Name: \\*\UpdatesAndDefinitions


    -----------------------------------------------------------------------------------

    A handle to an object was requested.

    Subject:
    Security ID: DSCI\sccmadmin
    Account Name: sccmadmin
    Account Domain: DSCI
    Logon ID: 0xad903c

    Object:
    Object Server: Security
    Object Type: File
    Object Name: F:\UpdatesAndDefinitions
    Handle ID: 0xf5c

    Process Information:
    Process ID: 0x10cc
    Process Name: C:\Windows\explorer.exe

    Access Request Information:
    Transaction ID: {00000000-0000-0000-0000-000000000000}
    Accesses: READ_CONTROL
    ReadAttributes

    Access Mask: 0x20080
    Privileges Used for Access Check: -
    Restricted SID Count: 0

    Now I may not be the best I traversing through the mess of audit entry's and translating them, but from what I can see the two accounts that have the proper share and ntsf perms ive listed above are indeed the ones accessing the target location and the audit code is success. I filter for failures and found no audits for failures whatsoever yet my downloads still fail religiously, unless of course I open myself up with the everyone group.

    So next... I tried adding in the Network Service account with proper permissions, the Local Service Account, my user account, and all no go's.
    Next... I remove the SUP roles from SCCM checked the logs for deinstall confirmations, and reinstalled these roles. No Go!

    If anyone can assist I would be in your debt and very grateful. 

    Oh last note, but very important note I'm running SCCM 2012 SP1 CU4

    Thanks,

    Michael

    MichaelSpaulding

    Thursday, June 26, 2014 2:06 PM

Answers

All replies

  • I just tested with the everyone group further; I added everyone with modify for ntfs and just read only for share and downloads failed!

    I then changed the share perms for everyone to change and the ntfs to read/execute and poof downloads complete! Obviously change share perms for everyone leaves me open which Id like to prevent, so finding what account is being used is crucial.

    I have already tried adding all of the SCCM accounts I use and the servers themselves as change perms to share and ntfs and have not had any luck.

     


    MichaelSpaulding

    Thursday, June 26, 2014 3:16 PM
  • Monday, July 7, 2014 1:56 AM
  • I m Also having same issue, how did you fix this issue.
    Sunday, March 13, 2016 8:27 PM