Offline WSUS does not recognize imported updates as downloaded

  • Question

  • I have been running WSUS for over a year and we recently bought new servers. With my new install, WSUS 3.0 SP2 on Windows Server 2003 x64, when I import the downloads WSUS never recognizes that they are there. Right now my WSUS is showing 182 updates with 0.0 MB of 11,510.26 MB downloaded. This is an offline WSUS server so I restore the updates to the WsusContent directory before importing the metadata using the wsusutil import command. I have even attempted to cancel the download requests and then retry the download with no success. I verified the updates I am looking for are in fact downloaded and sitting there waiting. I have added the IUSR account as a User instead of a Guest because our domain disables the guest account. In IIS I have checked the Integrated Windows Logon on both the WSUS Administration web site and the Default web site because our domain also denies Anonymous User access. WSUS is installed on port 8530.

    I have been troubleshooting this problem for 2 weeks now attempting to get it to work but I am at my wits end. Is there something I am missing? Maybe something with the Virtual Directories in IIS? Or a permissions issue I am overlooking? I would really appreciate any help to get this thing online on this new server.

    Thank you!

    Thursday, April 29, 2010 2:29 PM

Answers

  • I have been running WSUS for over a year and we recently bought new servers. With my new install, WSUS 3.0 SP2 on Windows Server 2003 x64, when I import the downloads WSUS never recognizes that they are there. Right now my WSUS is showing 182 updates with 0.0 MB of 11,510.26 MB downloaded. Thank you!

    The most typical cause of this scenario is not properly following the documented procedure for importing into the disconnected server.

    Please see the section Set Up a Disconnected Network in the WSUS Deployment Guide to verify that you are performing the steps in the correct order and manner required. Also note that the import process may take several hours to fully reconcile the imported metadata against the content store; however, if you are getting queued download requests (with BITS), this indicates an issue with the content restore -- either the restore is being performed after the import, or the ACLs on the restore points are being disrupted.

    The requisite permissions for IIS and NTFS are documented in appendices of the WSUS Operations Guide, and you should review them to ensure you are not causing any issues by removing required permissions.

    Another common cause of this scenario is a result of how the restore of the content library is performed. Restoring the \WSUS or \WSUSContent folder quite often results in the destruction of local SIDs in the ACLs for those folders that are necessary to the functioning of WSUS. The preferred backup/restore points are the SUBfolders of ~\WSUSContent, which ensures that the ACLs on the ~\WSUSContent folder are preserved and properly inherited to the restored subfolders ('00' thru 'FF').

     


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Thursday, April 29, 2010 6:25 PM

All replies

  • Hello Lawrence

    I will also need your assistance in this regard.

    I am actually trying to set up an offline WSUS, but I got stuck on setting the "Choose Upstream Server" configuration. Since the Offline WSUS will not connect directly to either "Synchronize from Microsoft Update" or "Synchronize from another WSUS Server", how should this part be configured?

    Thanks.

    Thursday, May 20, 2010 2:03 PM
  • I am actually trying to set up an offline WSUS, but I got stuck on setting the "Choose Upstream Server" configuration. Since the Offline WSUS will not connect directly to either "Synchronize from Microsoft Update" or "Synchronize from another WSUS Server", how should this part be configured?
    A disconnected server should always be configured as an UPSTREAM server, synchronizing from "Microsoft", even though no actual Internet connection exists.
    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Friday, May 21, 2010 4:17 AM
  • Thanks for the response. I am actually having some problems with my configuration and I thought I could continue here rather than starting a new thread.

    I have configured 2 WSUS servers (Online and Offline) and practically all options were with the default configuration. Downloading from the MS site onto the Online and Export from the Online to the Offline also went without any problem. However, I observed the following on both servers:

    1) None of the available updates (All Updates, Critical Updates, Security Updates, WSUS Update) are being listed, so I do not have the possibility to approve anything. Selecting any of them always indicates "0 updates of 200 shown, 1244 total". What should I do to have them shown?

    2) When trying to access the Intranet update site either locally on the WSUS server (http://localhost) or through a client (http://WSUS-Server), it is showing the IIS startup page. Is there any additional configuration required, or is there a subdirectory I need to access?

    Thanks.

    Tuesday, May 25, 2010 1:51 PM
  • 1) None of the available updates (All Updates, Critical Updates, Security Updates, WSUS Update) are being listed, so I do not have the possibility to approve anything. Selecting any of them always indicates "0 updates of 200 shown, 1244 total". What should I do to have them shown?
    It sounds to me like you simply have set the filter options incorrectly on these views. Try setting Approval="Any Except Declined" and Status="Any" and then click on "Refresh Now". 
    2) When trying to access the Intranet update site either locally on the WSUS server (http://localhost) or through a client (http://WSUS-Server), it is showing the IIS startup page.
    And so it should. WSUS is not a browser-based service.
    Is there any additional configuration required, or is there a subdirectory I need to access?
    It occurs to me that you might find some benefit from reviewing the product documentation.

    WSUS Overview
    WSUS Step-By-Step (Installation) Guide

    WSUS Deployment Guide
    WSUS Operations Guide

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Wednesday, May 26, 2010 2:00 AM
  • I have a disconnected WSUS server and a connected one.  I had the same problem.  You have to do three things:

    1) Copy the update files; I use NTBackup and do an incremental backup each time

    2) Dump and restore the update metadata

    3) Dump and restore the "Approval data"

    Here's what I do:

    1) Acquire the "Update" metadata using "wsusutil export somedate.cab somedate.log"

    The somedate.log is just a log for the results of the export, not required for the import.

    2) Acquire the "Approval" metadata using "WSUSMigrationExport" somedate.xml

    3) Acquire the update files using an incremental "ntbackup"

    Then move those three datasets to the High side and:

    1) Restore the update files using the restore option in "ntbackup"

    2) Import the "Approval" metadata with:

    WSUSMigrationImport somedate.xml TargetGroups None

    WSUSMigrationImport somedate.xml Approvals None

    WSUSMigrationImport somedate.xml Approvals DeleteUnmatchedTargetGroups

    3) Import the "Update" metadata with "wsusutil import somedate.cab somedate.log"

    The somedate.log is just a log for the results of the import.

    You will most likely get errors from the above commands. So now you have to do a couple things over again because of a "Catch 22" situation where the importing of the Approvals somewhat depends on the importing of the update metadata and vice versa.

    4) Run: "WSUSMigrationImport somedate.xml Approvals None"

    Run: "wsusutil import somedate.cab somedate.log"

    5) Now do a "wsusutil reset" to get WSUS to check that all the metadata jibes with the file content.

    A requirement of this is both the Low and High side must have the same computer "Groups" or the "Approval" metadata can get messed up. Be very patient during the whole process because it can take hours to complete the third item, importing of the Update metadata. There is a command to verify that the Update metadata and the Approval metadata match the actual file content. This is: wsusutil reset. This should be done in concert with a second dos window monitoring the BITS queue with the following command:

    bitsadmin /monitor /allusers

    This assumes the bitsadmin program is installed of course, and it is on our WSUS servers now. This process will take hours to complete and there is no direct indication the process is finished other than the CPU activity is low. The "wsusutil reset" command returns shortly after it is run, but it just kicks off the verification process which takes hours to complete.

     

    Hope that helps

     

    Doug P



    Thursday, April 14, 2011 5:34 PM
  • Another common cause of this scenario is a result of how the restore of the content library is performed. Restoring the \WSUS or \WSUSContent folder quite often results in the destruction of local SIDs in the ACLs for those folders that are necessary to the functioning of WSUS. The preferred backup/restore points are the SUBfolders of ~\WSUSContent, which ensures that the ACLs on the ~\WSUSContent folder are preserved and properly inherited to the restored subfolders ('00' thru 'FF').


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com

    Hi Lawrence,

    In case of destruction of local SIDs in the ACLs, is there something that can be done to recover these "lost" download files? I'm getting nervous because I can't see a light at the end of the tunnel - in other words, would I have to download 120GB of update files that I had downloaded once???

    Thanks!


    Att,
    lpozatti
    --------
    CompTIA Security+
    CobIT Foundation
    MCP

    Wednesday, March 21, 2012 9:48 AM
  • In case of destruction of local SIDs in the ACLs, is there something that can be done to recover these "lost" download files?

    Yes. Clear the BITS download queue (if it has any pending items), repair the ACL on WSUSContent and all child objects, then run wsusutil reset which will initiate a reconciliation between the approved updates and the content in the folder. With the repaired ACL the WSUS service will now be able to "see" those files and will properly update the status to "Files are downloaded" where appropriate.

    If any files are physically missing on the disconnected server, however, the 'reset' command will generate new BITS download queue requests.

    I must also say.. I'm curious about =120GB= of content! A typical WSUS server has about one-tenth of that space utilization.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Wednesday, March 21, 2012 10:12 PM
  • Hi Lawrence, thanks again for your support! But can you tell me how I can repair the files' ACLs so that, after that, I can run wsusutil reset?

    Best regards!


    Att,
    lpozatti
    --------
    CompTIA Security+
    CobIT Foundation
    MCP


    • Edited by lpozatti Friday, March 23, 2012 12:20 PM
    Thursday, March 22, 2012 10:26 AM
  • how I can repair the files' ACLs

    Set them to what they are supposed to be. Use your connected server as a guide for what should be defined.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Friday, March 23, 2012 12:44 PM
  • I have stepped through checking acls and found the following:

    According to the Ops Guide, permissions on WSUSInstallDir\Inventory are supposed to be:
    NT AUTHORITY\NETWORK SERVICE:(OI)(CI)R
    BUILTIN\Users:(OI)(CI)R
    NT AUTHORITY\Authenticated Users:(OI)(CI)R
    BUILTIN\Administrators:(OI)(CI)F
    NT AUTHORITY\SYSTEM:(OI)(CI)F

    However, on both servers (the one that works and the one that doesn't), the only permissions on \Inventory are:
    BUILTIN\Users:(OI)(CI)R
    BUILTIN\Administrators:(OI)(CI)F
    NT AUTHORITY\SYSTEM:(OI)(CI)F

    I have also found, contrary to the Ops Guide, that both servers do not have Read permission for Network Service on the WSUSContent parent folder  ('Updates' of C:\Updates\WSUSContent).



    • Edited by StevenBaty Thursday, August 21, 2014 7:11 PM
    Thursday, August 21, 2014 6:28 PM
  • I have also found, contrary to the Ops Guide, that both servers do not have Read permission for Network Service on the WSUSContent parent folder  ('Updates' of C:\Updates\WSUSContent).

    The permissions on the ~\WSUSContent folder are the only ones of interest. I'm not sure what "Ops Guide" you're looking in but the available permissions are documented in the Technical Reference Guide in:

    IIS Settings for WSUS 3.0 SP2 Web Services

    but it does not document the permissions for the WSUSContent folder.

    Nonetheless, they are discussed in at least a dozen different threads in this forum in the past year.

    The correct ACL for the WSUSContent folder is:

    • SYSTEM, Network Service, WSUS Administrators, and Administrators - FULL CONTROL, inherited to all downstream objects
    • USERS - Read & Execute, List Folder Contents, Read, inherited to all downstream objects.

    The NETWORK SERVICE account should not have any rights on the parent folder.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Friday, August 22, 2014 1:57 AM
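
The repair sequence described in the replies above (clear the BITS queue, repair the ACL on WSUSContent and its child objects, then run wsusutil reset), written out as an added example that is not part of the original thread and is not Microsoft's or any poster's own script. It assumes the content path C:\Updates\WSUSContent mentioned in the thread, English account names, a local "WSUS Administrators" group, and wsusutil.exe in its default install location; adjust these to the server at hand.

```powershell
# Added example, not from the thread. Run elevated on the disconnected WSUS server.
# ASSUMPTIONS: content path, English account names, default wsusutil location.
param(
    [string]$Content = 'C:\Updates\WSUSContent',
    [switch]$Repair   # without -Repair the script only reports
)

# ACL given in the thread: principal, icacls right, .NET right (all inherited, OI+CI)
$expected = @(
    @('NT AUTHORITY\SYSTEM',                   'F',  'FullControl'),
    @('NT AUTHORITY\NETWORK SERVICE',          'F',  'FullControl'),
    @("$env:COMPUTERNAME\WSUS Administrators", 'F',  'FullControl'),
    @('BUILTIN\Administrators',                'F',  'FullControl'),
    @('BUILTIN\Users',                         'RX', 'ReadAndExecute')
)

$aces = @((Get-Acl -Path $Content).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' })

# ACEs for accounts local to the source machine no longer resolve and show as raw SIDs
$orphans = @($aces | Where-Object { $_.IdentityReference.Value -match '^S-1-5-21-' })

$missing = @()
foreach ($e in $expected) {
    $want = [System.Security.AccessControl.FileSystemRights]$e[2]
    $hit = $aces | Where-Object {
        $_.IdentityReference.Value -eq $e[0] -and
        ($_.FileSystemRights -band $want) -eq $want -and
        ([int]$_.InheritanceFlags -band 3) -eq 3      # ContainerInherit + ObjectInherit
    }
    if (-not $hit) { $missing += $e[0] }
}

$orphans | ForEach-Object { "Unresolved SID: $($_.IdentityReference.Value)" }
$missing | ForEach-Object { "Missing or too weak: $_" }
if (-not $orphans -and -not $missing) { 'WSUSContent ACL matches the expected entries.' }

if ($Repair -and ($orphans -or $missing)) {
    bitsadmin /reset /allusers     # cancels ALL queued BITS jobs on this machine
    foreach ($o in $orphans) { icacls $Content /remove "*$($o.IdentityReference.Value)" /Q }
    foreach ($e in $expected) { icacls $Content /grant:r "$($e[0]):(OI)(CI)$($e[1])" /Q }
    icacls "$Content\*" /reset /T /C /Q   # 00..FF and files inherit from WSUSContent again
    & "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" reset
}
```

Run it once without -Repair and compare the report against the connected server before changing anything. After a repair, reconciliation continues in the background, as the thread notes for wsusutil reset.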