locked
WSUS changed, new Policy, old configurtion RRS feed

  • Question

  • Hello,

    i had an MS Server 2008R2 WSUS. I worked with GPO's, all worked fine. I build a new MS server 2012R2 with the WSUS Server Role, configured it and changed the "internal Path" in the GPO to "newserver:8530".

    When I check the configuration for the GPO it took my changes to "newserver:8530".

    On the clients I carried ot gpupdate /force but rsop.msc shows me the old URL, in the Registry ist the old WSUS and if I try to "windows update", I get an error.

    When i change the Registry-key on this client to the correct, the new URL, I can update. When I do gpupdate /force, I get the old Wsus entry, even if the report of the GPO shows the new URL.

    I deleted the GPO, build it new, gpupdate on client: old URL. I have no other GPO, which kann avoid the correct use.

    Any ideas?

    Thanks in advance, Jens

    Thursday, September 1, 2016 12:39 PM

Answers

  • Hell Anne,

    many thanks for your support. I did all the things, you describe, all tests positive, new Policy. The fault depended on the not working replication. The PDC Emulator had 29 Policies, the others 24. A look in the configuration (GPO MSC, Report, shows correct configuartion, in the Filesystem, sysvol, there was the old information.

    The solution was to do an adprep /rodcprep, really. Therefore we do not use RODC's, I didnt did this (2 years ago!!!).

    After executing the command, immediatley the testfiles in sysvol were replicated, on all 6 DC's t24 Policies, all values were correct, WSUS-Clients began to register.

    Cheers, Jens

    • Marked as answer by R3pSol Tuesday, September 6, 2016 9:10 AM
    Tuesday, September 6, 2016 9:10 AM

All replies

  • Am 01.09.2016 schrieb R3pSol:

    i had an MS Server 2008R2 WSUS. I worked with GPO's, all worked fine. I build a new MS server 2012R2 with the WSUS Server Role, configured it and changed the "internal Path" in the GPO to "newserver:8530".

    When I check the configuration for the GPO it took my changes to "newserver:8530".


    On the clients I carried ot gpupdate /force but rsop.msc shows me the old URL, in the Registry ist the old WSUS and if I try to "windows update", I get an error.

    When i change the Registry-key on this client to the correct, the new URL, I can update. When I do gpupdate /force, I get the old Wsus entry, even if the report of the GPO shows the new URL.

    I deleted the GPO, build it new, gpupdate on client: old URL. I have no other GPO, which kann avoid the correct use.

    There is a second GPO with your old WSUS or the old settings are with
    GPEDIT.MSC applied on your clients.

    If you have more than one Domain Controller, check replication between
    the DCs. Is Replication working correctly? Create a TXT on first DC,
    change to second DC, is the TXT here?

    Or delete the new one, restart the Client and run on the client in a
    admin Commandline: gpresult /H && gpresult.html [ENTER]. Have a look
    in gpresult.html, did you find a second GPO? Are there more then one
    Site in AD?

    Winfried


    WSUS Package Publisher: http://wsuspackagepublisher.codeplex.com/
    http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx
    http://www.wsuswiki.com/Home

    Thursday, September 1, 2016 4:26 PM
  • Hey Winfried,

    thank you for your answer, it is very appreciated

    the surroundings:

    2008R2 domain, 3 Sites with one 2008R2 DC and on 2012R2 dc, domain functional Level 2008R2

    I searched through all policies for the old WSUS server, nothing. I tried to delete an old WSUS-Poliy, 4 years old, no internal path, but I was not able to: access denied.

    I tried this: https://support.microsoft.com/en-us/kb/294257

    this worked: dsacls <var class="sbody-var" style="box-sizing:border-box;font-family:'Segoe UI', 'Segoe UI Web', 'Segoe UI Symbol', 'Helvetica Neue', 'BBAlpha Sans', 'S60 Sans', Arial, sans-serif;font-size:15px;line-height:20px;">distinguished_name</var> /R "<var class="sbody-var" style="box-sizing:border-box;font-family:'Segoe UI', 'Segoe UI Web', 'Segoe UI Symbol', 'Helvetica Neue', 'BBAlpha Sans', 'S60 Sans', Arial, sans-serif;font-size:15px;line-height:20px;">domain_name</var>\domain admins"

    this worked not: dsacls <var class="sbody-var" style="box-sizing:border-box;font-family:'Segoe UI', 'Segoe UI Web', 'Segoe UI Symbol', 'Helvetica Neue', 'BBAlpha Sans', 'S60 Sans', Arial, sans-serif;font-size:15px;line-height:20px;">distinguished_name</var> /G "<var class="sbody-var" style="box-sizing:border-box;font-family:'Segoe UI', 'Segoe UI Web', 'Segoe UI Symbol', 'Helvetica Neue', 'BBAlpha Sans', 'S60 Sans', Arial, sans-serif;font-size:15px;line-height:20px;">domain_name</var>\domain admins":GA, access denied

    I tried to generate a text-file for to test the replication, I was not able to on the whole disk, I am only able to generate a folder. In the Windows Explorer, right click I get only new folder, nothing else. So, there must be a problem with the rights on the C-HDD.

    I copied a text-file in C:\Windows\SYSVOL\sysvol\empolis.local\scripts, started Replication via AD Sites an Services, no Replication to both of the Replication Partners, one in the same site.

    Now I have 4 Problems:

    Non working WSUS in one Site (the other 2 sites aren't upgrades yet)

    Replication Problem, even the diag tool confirmed a full functional replication

    Problems with rights on the HDD c:\ on "First DC"

    Not able to delete a Policy: Deletion denied

    Winfried, I am aware of that this is a big building site, but may be, there is one thing that causes the all problems.

    Any idea ist appreciated, cheers, Jens

    Friday, September 2, 2016 7:44 AM
  • Hi R3pSol,

    1. Did you create the new WSUS policy to the correct OU;

    2. Do you run gpresutl/h report.html on the WSUS clients, what is the result, it's better to provide a screenshot?

    3. Do you logon the DC with domain admin account to do the related configurations, such as delete the old policy;

    4. Does the command dc/diag on the DC completely pass?

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.


    Tuesday, September 6, 2016 8:52 AM
  • Hell Anne,

    many thanks for your support. I did all the things, you describe, all tests positive, new Policy. The fault depended on the not working replication. The PDC Emulator had 29 Policies, the others 24. A look in the configuration (GPO MSC, Report, shows correct configuartion, in the Filesystem, sysvol, there was the old information.

    The solution was to do an adprep /rodcprep, really. Therefore we do not use RODC's, I didnt did this (2 years ago!!!).

    After executing the command, immediatley the testfiles in sysvol were replicated, on all 6 DC's t24 Policies, all values were correct, WSUS-Clients began to register.

    Cheers, Jens

    • Marked as answer by R3pSol Tuesday, September 6, 2016 9:10 AM
    Tuesday, September 6, 2016 9:10 AM
  • Hi R3pSol,

    Glad to hear you have solved the issue and thanking for feeding back, cheers :)

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, September 6, 2016 9:14 AM