Some servers not in the correct group

  • Question

  • Hello.

    I have a 3-node Hyper-V cluster. The 3 nodes are all identical servers, in the same OU in AD, and getting the same Group Policies. RSOP shows the correct WSUS settings on each one, however, in WSUS Server 1 is correctly listed in the Servers Group. Server 2 and Server 3 are only listed in the All Computers Group. Server 1 is 99% compliant, Server 2 is 100% compliant and Server 3 is 0%, having 'not reported'. These servers have been running for months (with the exception of Server 3 which was purchased at the same time, but only recently added to the Hyper-V cluster).

    Adding Server 3 to the cluster seems to have also interfered with CAU, as that now fails as well. Troubleshooting that led me to the WSUS server, which in turn led me to the inconsistent state.

    How do I get all 3 of them in the Servers OU and communicating when GPO seems to be assigning the correct settings already? Could this be a local firewall issue on the new server? Is there a way to 'unregister' the new server from WSUS and 're-register' it?

    Thank you.

    Monday, February 4, 2019 7:25 PM

All replies

  • Check out my blog post that deals with how to fix this and why it happens.

    https://www.ajtek.ca/wsus/client-machines-not-reporting-to-wsus-properly/


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Monday, February 4, 2019 8:36 PM
  • Hello,
     
    In general, the WSUS setting for cluster nodes is no different from a standalone WSUS client, except that we usually select "only automatically download updates" when enabling CAU. In terms of grouping and reporting, there should be no difference.
     
    For the computer group issue, make sure that you select manage computer via group policy in the WSUS setting.
     
     According to your description, only server 1 appears in the correct group, does it appear in the All Computers? And do server 2 and server 3 appear in the unassigned computers? However, we could remove server 2 and 3 from the WSUS console, then run the following script on the server 2 and 3. And then check the results.
     
    net stop bits
    net stop wuauserv
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /f
    rd /s /q "C:\WINDOWS\SoftwareDistribution"
    net start bits
    net start wuauserv
    wuauclt /resetauthorization /detectnow
    usoclient.exe startscan
     
    For the not reporting issue, are they located in the same subnet? However, we could think of it as an issue in a standalone server. That means we should confirm the connectivity first.
     
    Make sure there are no problems with Ping, DNS, firewall, proxy, port, etc.
     
    Browsing the following URL on the server 3, check if there is a prompt for file downloading.
     
    Http://YourWSUSServer:8530/Selfupdate/wuident.cab
     
    Change the bold part to your actual WSUS server.
     
    If everything is OK but the issue persists, are there any error messages in the Windows Update? You could also upload the windowsupdate.log for further troubleshooting.
     
    Hope my answer could help you and look forward to your feedback.
     
    Best Regards,
    Ray

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, February 5, 2019 8:23 AM
  • Thank you for these suggestions. I deleted the servers from WSUS and ran the powershell script that Adam provided. At that point, the WSUS snap-in stopped working. I rebooted the server and the WSUS snap-in was working again.

    I do see an error message in the Event Viewer indicating that the local system account (S-1-5-18) does not have access to run the BrokerService. I found an article on how to manually address that but all options in the BrokerService COM object are grayed out, so I assume that Group Policy is managing this?

    I also ran Adam's powershell script against another server that I saw not registering correctly. That server is currently not listed anywhere that I can find it in WSUS.

    Server 2 and Server 3 are now correctly listed in the Servers group, and Http://YourWSUSServer:8530/Selfupdate/wuident.cab is accessible from Server3 (I immediately get an error message that I am trying to download a file from a non-trusted source).

    Server 3 is still listed as 0% reported. I will give it some time to see if that updates.

    I also noticed that a McAfee scan is currently running on the WSUS server, and the CPU utilization is hovering around 60%. This is a virtual server with 2 vcpu's. Should I increase that?

    To answer your other question, Server 1 was originally listed correctly in the Servers group. Server 2 and Server 3 were listed in the All Computers group (not the Unassigned Computers group). All of the computers in WSUS are now correctly in groups, but with a large number "Not Yet reported".



    • Edited by lavinrc Tuesday, February 5, 2019 1:48 PM
    Tuesday, February 5, 2019 1:43 PM
  • https://www.ajtek.ca/wsus/wsus-system-requirements-what-should-i-plan-for/


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Tuesday, February 5, 2019 1:58 PM
  • Thank you for that confirmation Adam. I am already above those specs so I guess I'll leave the vcpu's alone for a while and just keep an eye on it.
    Tuesday, February 5, 2019 2:05 PM
  • You're welcome :)

    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Tuesday, February 5, 2019 2:08 PM
  • Hello,
     
    I noticed that you have not updated for several days. So has your issue been solved? Or is there any update?
     
    Feel free to feedback.
     
    Best Regards,
    Ray


    Monday, February 11, 2019 2:03 AM
  • Hello.

    Sorry for the delay, but no, these suggestions have not fixed the issue. After running the scripts mentioned above, the servers did list correctly in the Servers Group, but 1 of them was still listed as 0% even days later. In removing them and running the scripts a second time, some other issue arose (the WSUS console on the server would not load, and even rebooting the server would not correct it). I ended up removing the WSUS feature and rebooting, deleting all files on the D:\ (which is where we were storing updates) and then trying to re-install WSUS.

    Now, WSUS is installed, but there is a post-installation task that fails every time, saying "Failed to start and configure the WSUS service". But when I acknowledge that error message and look in services.msc, I can see that the WsusService is running, even if I manually stopped it *before* running the post-installation task.


    • Edited by lavinrc Wednesday, February 13, 2019 2:44 PM
    Wednesday, February 13, 2019 2:43 PM
  • https://www.ajtek.ca/wsus/how-to-remove-wsus-completely-and-reinstall-it/

    Make sure .NET 4.7 is NOT installed - remove the KB update (see the note in the Install section of the guide above).


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Wednesday, February 13, 2019 2:49 PM
  • Thank you Adam!

    I followed the instructions, including manually deleting the WID folder and verifying that the server is only at .NET Framework 4.6.2, then re-installed WSUS again.

    This time, the Server Manager wizard (Add Roles and Features) still failed when I clicked on 'run post installation tasks', but when I launched Windows Server Update Services manually and selected the newly recreated D:\UpdateServicesPackages location, that wizard succeeded.

    I am now going to recreate the Computer Groups that Group Policy is telling workstations to use, and hopefully later today I'll see some activity.

    Wednesday, February 13, 2019 5:05 PM
  • After a few hours, the server still seems to be synchronizing, but workstations are currently listed as either 'Not Yet Reported', or some do have a timestamp and a percentage of compliance, but are not moving into the groups. I moved a few manually, but as new ones report in, they are not moving into the groups that GPO is telling them to use.

    I went through Group Policy this morning and made sure that the new groups in WSUS had the same names as the policy would be looking for.

    Wednesday, February 13, 2019 8:32 PM
  • Are you sure they are 'exact'?

    https://community.spiceworks.com/topic/2192118-computer-not-getting-assigned-to-correct-wsus-group


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Wednesday, February 13, 2019 8:37 PM
  • Yes, I did not use any special characters and I am confident that they are exact. Here is a server that checked in hours ago but is still in 'Unassigned Computers':

    and here is the GPResult file from that same server:

    I'm also a bit confused as to where all of these computer names came from since I uninstalled WSUS and deleted the database. This list was almost *immediately* available under "Unassigned Computers".
    • Edited by lavinrc Wednesday, February 13, 2019 10:24 PM
    Wednesday, February 13, 2019 10:21 PM
  • Please make sure that the 'group' in the GPO does not contain a space either before or after the word Servers.

    Perhaps disable the option, click OK, enable the option and type Servers. If that doesn't fix the problem, turn the option back to use the WSUS MMC console for management, rename the Servers group to "a", re-enable the computer targeting option, and then adjust the GPO to point to "a" for the group.

    The quick addition of systems back in could mean that your GPOs are set to have systems check for updates sooner than the default every 22 hours.


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Thursday, February 14, 2019 6:19 AM
  • This morning there was no change. All of the computers were still in 'Unassigned Computers'. I ran through the steps that you suggested, including disabling the Group assignment in GPO, deleting and creating a new 'Servers' group and then enabling the group assignment again (typing in 'Servers').

    During this process, there were 2 more glitches. First, I selected one of the computers that was 99% compliant and looked at its report. The missing updates were not approved (which made sense because I had not set up automatic approvals yet). I manually approved those 16 updates, then looked at another computer. This time I looked at the *full* report, not just the report for missing updates. When I moved off of that update page (which listed about 4,000 updates total), the whole console closed. I launched WSUS again, and it connected and displayed the main page. I then went into automatic approvals and enabled the Default Automatic Approval Rule, and selected to run it. When it completed running, the console went into an error screen saying that there was an error connecting to the service. I clicked the 'Restore Node' button and it re-connected, correctly displaying computers again (although still in the Unassigned Computers group).

    I looked at the policies and I cannot see where to set the frequency that computers connect with WSUS, and I'd be very surprised if that had been changed anyway. We set the 'download and install' or 'download and schedule' options to be once a week. Is there a setting somewhere else for reporting to the server? I also noticed that there is still only about 30% of the computers that have reported to WSUS. How would 70% of the computers have an 'instant' record in WSUS, but not have reported days later? Should I manually delete them all and wait a day or two to see what gets a record again?

    Thursday, February 14, 2019 1:42 PM
  • "Automatic Updates detection frequency" is the policy you're looking for.

    I'd say delete all of the systems, let them re-connect.

    Did you try the 'a' group or just re-type the original group you created?


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Friday, February 15, 2019 6:21 PM
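
Added example (not part of any post in this thread): a PowerShell check, run locally on each node, of the client-side values discussed above: the target group name the GPO wrote (including stray spaces), the detection frequency, and whether wuident.cab can be fetched. It assumes the standard Windows Update policy registry location and a WUServer value that includes the port; the function name Get-WsusClientAudit is hypothetical.

```powershell
# Added example: audit what Group Policy actually wrote for the WSUS client.
# Run in an elevated PowerShell session on the node being checked.
function Get-WsusClientAudit {
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = Join-Path $wuKey 'AU'
    $idKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    $id = Get-ItemProperty -Path $idKey -ErrorAction SilentlyContinue
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $wu.WUServer)            { $findings.Add('No WUServer policy value on this machine') }
    if ($au.UseWUServer -ne 1)        { $findings.Add('UseWUServer is not 1: client is not pointed at WSUS') }
    if ($wu.TargetGroupEnabled -ne 1) { $findings.Add('Client-side targeting is not enabled in policy') }
    if ($wu.WUServer -and $wu.WUServer -ne $wu.WUStatusServer) {
        $findings.Add('WUServer and WUStatusServer differ: status is reported to another server')
    }

    # The group name must match the WSUS group exactly; a space before or
    # after the name is invisible in the GPO editor but breaks the match.
    $group = [string]$wu.TargetGroup
    if ($group -ne $group.Trim()) { $findings.Add('TargetGroup has leading or trailing whitespace') }

    # Same reachability test as browsing to wuident.cab, using the policy URL.
    $cabOk = $false
    if ($wu.WUServer) {
        $url = $wu.WUServer.TrimEnd('/') + '/selfupdate/wuident.cab'
        try {
            $resp  = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
            $cabOk = ($resp.StatusCode -eq 200)
        } catch {
            $findings.Add("Cannot fetch ${url}: $($_.Exception.Message)")
        }
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        WUServer       = $wu.WUServer
        TargetGroup    = "[$group]"          # brackets make stray spaces visible
        DetectionHours = if ($au.DetectionFrequencyEnabled -eq 1) { $au.DetectionFrequency } else { 'not set (default 22)' }
        SusClientId    = $id.SusClientId     # compare across nodes; it should differ on each
        WuidentCab     = $cabOk
        Findings       = $findings
    }
}

Get-WsusClientAudit | Format-List
```

An empty Findings list on a node that still lands in Unassigned Computers points at the WSUS server side rather than the client policy.
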
  • Hello again.

    I have deleted all of the workstations in WSUS, created a new group named "A", and changed the GPO for the IT department computers to use that group.

    The workstations have all re-registered with WSUS, all reporting 99% compliance, but not a single one is in a group. Not even the IT computers that were told to use the new "A" group. They are all in Unassigned Computers.

    I have also confirmed with GPRESULT that the new group "A" is the one listed in "Target group name for this computer", and that "Automatic Updates detection Frequency" has not been set.

    Monday, February 25, 2019 9:35 PM
  • So that tells me 1 of 2 things. Either WSUS options 'displays' that it's using computer targeting but really behind the scenes it isn't, or WSUS is FUBAR.

    Since you had to switch it to use WSUS groups and then switch back when you created the group A, I'd say the install of WSUS is FUBAR and I'd recommend a reinstall of that server.

    https://www.ajtek.ca/wsus/how-to-remove-wsus-completely-and-reinstall-it/


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    • Marked as answer by lavinrc Thursday, February 28, 2019 9:06 PM
    Tuesday, February 26, 2019 1:31 AM
  • Thank you Adam.

    That was actually a fresh reinstall of that server (the WSUS console kept jamming and we would have to restart the server to get it running again), but I'm up for reinstalling again.

    And since groups worked *before* the re-install, maybe this will correct that.

    It's virtual, so I will just destroy the whole thing and start from scratch.

    Tuesday, February 26, 2019 4:35 PM
  • Success! After destroying the WSUS server and rebuilding it from scratch (and letting it run overnight), clients are finally back in groups.

    Thank you for all of your help on this!

    Thursday, February 28, 2019 9:07 PM
  • You're welcome :)

    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Friday, March 1, 2019 1:07 AM