Troubleshooting files and steps for disconnected network

  • Question

  • I'm kinda at my wits end here.

    I've got a disconnected environment using Windows 2008R2 WSUS servers (WSUS 3.2) which has stopped recognizing new updates.  I've already worked past the metadata export size problem, but now, even though I've copied all the WsusContent and metadata between networks, checked the products and classifications and approval rules, and checked the permissions on WsusContent, the WSUS server continues to show hundreds of gigabytes of updates that are waiting on files.

    My source server shows no updates waiting on files.

    I've spot-checked some files that are showing as file download pending and was able to physically locate the indicated files in the WsusContent structure.

    I don't understand why the system isn't showing the updates as available and I'm not sure what log files, if any, show the system actually performing a validation of files indicated by the metadata.

    I poked around in the database some.  I found some tables that show values that looked to be related to the status of the update files.  Even tried to manually update one of the entries for the known good file, but it didn't seem to change the status of the update in the WSUS Management Console.

    At this point, I've even uninstalled WSUS server, reinstalled, reapplied patches for WSUS and recreated the database.  While systems automatically re-registered with the server and the newest products and classifications are showing in the console, the file download status hasn't changed.  It's currently showing "Downloaded 8 mb of 24X,XXX" (didn't write down the exact number).

    I'm stuck.  Not sure what to try next.

    Tuesday, June 14, 2016 7:44 PM
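
The spot-check described in the question can be run over the whole content tree. The following is an added example, not code from anyone in this thread; it assumes WSUS names each content file after its SHA-1 hash and stores it in a folder named after the last two hex digits of that hash, and the function names and demo path are hypothetical.

```powershell
# Added example. Assumption: WSUS names each content file <SHA-1 hex><ext> and
# files it under a folder named after the last two hex digits of that hash.
function Get-Sha1Hex([string]$Path) {
    # .NET classes are used directly so this also runs on PowerShell 2.0 (2008 R2).
    $sha = [System.Security.Cryptography.SHA1]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close(); $sha.Clear() }
}

function Test-WsusContent([string]$ContentRoot) {
    Get-ChildItem -Path $ContentRoot -Recurse |
      Where-Object { -not $_.PSIsContainer } |
      ForEach-Object {
        $name   = [System.IO.Path]::GetFileNameWithoutExtension($_.Name)
        $status = 'OK'
        if ($name -notmatch '^[0-9A-Fa-f]{40}$') {
            $status = 'NotHashNamed'              # stray file, not WSUS content
        } elseif ((Get-Sha1Hex $_.FullName) -ne $name) {
            $status = 'HashMismatch'              # damaged or truncated in transit
        } elseif ($_.Directory.Name -ne $name.Substring(38)) {
            $status = 'WrongFolder'               # intact, but not where WSUS looks
        }
        New-Object PSObject -Property @{ Status = $status; Length = $_.Length; Path = $_.FullName }
      }
}

# Constructed sample tree (not real update files): two good files, then damage one.
$root = Join-Path $env:TEMP 'WsusContentDemo'
New-Item -ItemType Directory -Path $root -Force | Out-Null
foreach ($text in 'constructed update A', 'constructed update B') {
    $tmp = Join-Path $env:TEMP 'wsus-demo-incoming.tmp'
    [System.IO.File]::WriteAllText($tmp, $text)
    $hash = Get-Sha1Hex $tmp
    $dir  = Join-Path $root $hash.Substring(38)
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $file = Join-Path $dir "$hash.cab"
    Move-Item -Path $tmp -Destination $file -Force
}
Add-Content -Path $file -Value 'x'    # simulate a bad copy of the second file

Test-WsusContent $root | Group-Object Status | Select-Object Name, Count
Test-WsusContent $root | Where-Object { $_.Status -ne 'OK' } | Select-Object Status, Path
```

Pointed at a real content directory, a full pass reads every byte, so it will run for a long time on a store of this size. A clean result rules out damage or misplacement during the transfer between networks; it says nothing about the state WSUS keeps in its own database.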

All replies

  • Windows Event Viewer will show events related to Update Services

    There is also c:\program files\update services\logfiles

    And also c:\windows\windowsupdate.log

    The reconciliation of database/metadata/content, after an import, can take quite a long time.

    You could also consider the use of wsusutil reset


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Tuesday, June 14, 2016 9:25 PM
  • Thanks Don.  I was unsure about using wsusutil reset.  In the references I'd found, they all said this was done on the source server if there were updates that needed downloading.  It was unclear if reset would initiate a check against local files before queuing downloads (that would of course never happen on a disconnected system).

    I'll check the logs.  Currently I'm trying a suggestion I saw to run a wsusutil movecontent in order to basically force the proper permissions to be applied.  I'm again not sure if this also forces a rectification of the metadata against the actual content directory.

    The movecontent process was taking a long time to run, though it looks to me like a few updates may have changed status to "ready to install".  I'll know more tomorrow (or more likely Thursday when I'm in the office again).

    Tuesday, June 14, 2016 9:52 PM
  • Hi dant98,

    What is the detailed version of the WSUS server on 2008R2? If it is not version 3.2.7600.274, please install KB2938066 to upgrade it, then check whether it works.

    After importing, you may also reindex the WSUS database:

    https://technet.microsoft.com/en-us/library/dd939795(v=ws.10).aspx

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, June 15, 2016 5:39 AM
  • Anne,

    Thanks, I'll check my version number and give this a try.

    The content move operation didn't fix the problem.

    -Dan

    Thursday, June 16, 2016 11:44 AM
  • So initially, I thought I was only at 7600.226, but after running the update twice and finding no change, realized I had to look at the server version listed on the status page, not the version in the registry or in the about menu.

    Either way, this wasn't an instant fix.  I'm running a metadata import again to see if that will re-check the files.

    Also ran the db maintenance.

     
    • Edited by dant98 Thursday, June 16, 2016 4:48 PM
    Thursday, June 16, 2016 4:47 PM
  • Hi dant98,

    What is the situation now? Could it work after waiting for a period of time?

    Best Regards,

    Anne




    Monday, June 20, 2016 2:18 AM
  • Hi Dant98,

    Your issue might also occur because updates are approved on the offline server that are not approved on the online server. See the thread below for importing the approvals as well:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/77748904-99a8-4772-946b-5c91ab1af4e5/after-installing-kb2828185-how-to-import-approvals?forum=winserverwsus

    Best regards,

    Andrei


    We could change the world, if God would give us the source code.

    Monday, June 20, 2016 8:43 AM
  • Anne,

    I'm going to check this morning and see if anything has changed in the status over the weekend.

    Andrei,

    Thanks for joining the conversation.  I can follow the process for exporting approvals from the online server to the disconnected server, though I believe I have them matched correctly already.  I say this because I can physically match files listed on the disconnected server to files that actually exist on its \WsusContent folder structure.  This would lead me to believe the system is either not looking in the right place, doesn't think it has access, or isn't actually performing a file check like it should.

    I'll check the SoftwareDistribution log for any information.  Would there be any messages in there indicating that it can't find the update files in the content directory?

    Monday, June 20, 2016 12:44 PM
  • So there has been a change, but it doesn't seem to have actually fixed anything.

    Last week the system was showing like 8 MB of 282,929.29 MB of updates on 13,656 files needing downloaded.

    This morning it is now showing 282,858.50 MB of 282,929.29 MB of updates on 13,656 files needing downloaded.  I would think this means the system now knows it has most of the files for those updates, but hasn't marked the updates as ready?  Is there something I should or could do to force?  Even if I'm missing some updates for some reason, I'd rather it have 99.97% of those updates available to the clients than for it to hold them all because of the other 0.0003% of the missing update files.

    Monday, June 20, 2016 1:05 PM
  • It can take a number of hours after the metadata import for WSUS to catalogue the files in the content folder you copied over and process them for use. If you have not exported / imported approvals then you will now need to approve the imported updates before they will be rolled out.

    You should not need to re-index the database each time you import updates, you just need to give it a little time to sort itself out.

    Monday, June 20, 2016 3:45 PM
  • Giving it time wasn't the answer either.  I was aware that the processing took time, but it was given over the weekend and I was out of the office yesterday and no change today.  I did export a new metadata file and updates and import them again on Tuesday.

    System still showing ~285MB of 290MB downloaded and 13,800 updates needing files (more updates and files than before).  This is better than the first time through where I have 8MB of 290MB, but in the current state, it won't even deploy the updates that it thinks has files.

    Now I was just looking in the SoftwareDistribution log and I can see where the system was trying to download files and failing.  I checked the location for a couple of the files and at least the ones listed in the log don't physically exist on the system.  I'm going to check the source server next to see if the files referenced exist there and maybe I can track this thing back to a difference in approvals.

    FWIW, I'd like to get all critical and security updates and service packs for my current Windows versions, SQL server, SilverLight, VisualStudio, and my current Office versions.  I've selected the appropriate products and classifications in the source server, in fact I also have updates and update rollups selected on the source server. On the source server I have the default automatic approval rule configured to approve all these categories.  On the destination server, I'm only auto-approving Critical, Security, and Service Packs.  

    My understanding is that this should auto-deploy all the Critical, Security, and Service Pack, but make available all the updates and update rollups if I wanted to deploy them on my disconnected network.  In any event, I would think that I'd have more metadata and update files on my disconnected server than I'm actually asking to deploy to clients, not less.  

    Thursday, June 23, 2016 2:01 PM
  • So yesterday I did another major operation to try and get fixed.  I selected ALL my approved updates and set them to "Unapproved."  Then I re-ran my automatic approval rule to approve the updates I really want.  This looks to have reduced the total count of updates needed from 13,8XX to 9,XXX.  But on the negative end as of this morning WSUS was showing that it has 24MB of like 124,000MB or something.  Clearly it needs to rectify the situation.

    The SoftwareDistribution log is showing a lot of timeout messages.  I thought to try updating SQL to possibly help with this.  I went from SQL2008R2SP1 to SP3.  Still getting timeout messages after the reboot and right now the Admin console seems to be having trouble connecting.  I'm actually hoping that this is a good sign that WSUS is in the middle of rectifying its metadata of approved updates against its local cache, but I guess only time will tell.

    Friday, June 24, 2016 2:33 PM
  • Hi dant98,

    >I'm actually hoping that this is a good sign that WSUS is in the middle of rectifying its metadata of approved updates against its local cache, but I guess only time will tell.

    What's going on now?

    Best Regards,

    Anne



    Monday, June 27, 2016 7:44 AM
  • Didn't mean to leave you hanging, Anne.

    As of this morning, I still couldn't get the console to connect to the service.  I rebooted the box and then the console would connect, but it was still showing that it needed a lot of update files.

    I'm going a different direction now... desperate times, desperate measures.  

    I've installed and patched WSUS on a virtual machine I had available.  Fresh Database.  No previous settings.

    I've started by deleting the default auto approval rule and I've only selected Windows 2008R2 product category along with the Critical Updates, Security Updates, and Service Packs in the classifications tab.

    I'm in the process of running the metadata import now.  I'm hoping that when done, I'll see zero files needing updates and I can start moving forward.  I'll have to adjust my GPOs to point clients to a different WSUS server, but otherwise maybe I can get functional again.

    The only weird thing this time is that because I didn't want to make a large virtual disk to host the updates on the ESX cluster, instead I moved the WSUS content over to a network share on a NAS and pointed the WSUS installation there with the movecontent -skipcopy command.  I made sure the computer account for the new WSUS server has full control over the path.  Crossing Fingers...

    Monday, June 27, 2016 4:04 PM
  • Hi dant98,

    If you need further help, feel free to feed back.

    Best Regards,

    Anne



    Thursday, July 7, 2016 9:33 AM