Various issues after migrating to new WSUS server

  • Question

  • Hi,

    To get Windows 10 upgrades working via SUS I've recently built a new WSUS 4.0 server and started moving some clients\servers over (via GPO) from our WSUS 3.0 server. The first couple of test clients reported in OK, did the relevant Windows 10 upgrade and all was fine. I added a couple of 2008 servers, they also worked fine.

    However, I've now started moving a few more clients over and am getting a variety of weird issues such as:

    1. One client, that hasn't been turned on for months, is reporting into WSUS as needing 11 updates (which seems a small number anyway), yet the client itself says it doesn't need any. The client has been left running for several days with no change to this. When I run the update troubleshooter it finds issues and fixes them. Then I reboot and immediately run the troubleshooter again and it shows that it fixes the same problem. I've also tried manually fixing the components (stopping services, deleting relevant files, re-registering DLLs etc.), but no updates appear on the client, even though WSUS shows it reporting in and needing 11 updates.

    2. Another client is reporting as completely up to date, no updates required, yet does need updates (as visible via the Updates on the client). I've tried the same troubleshooting on this client as the one above.

    3. Another client (that has reported in previously and upgraded Windows 10) is now not reporting in to the server. The last status time is from a couple of weeks ago (when it was last turned on) but is not reporting now. When I go to the client and click Check Updates manually it comes back saying 'We couldn't connect to the Update Service......' and running the update PowerShell command doesn't seem to work.

    Please could anyone let me know if they have any ideas as to what I can try next? The fact that some machines are checking and working normally, and that I've only just built the WSUS box means I don't really want to start again!

    Thanks in advance

    EDIT: I've just moved the first client listed above back to its original location in AD, so that it picked up the original WSUS server via GPO and it's suddenly started doing updates from the original SUS server. Do I need to do something specific to clients before migrating them to a new SUS server?
    • Edited by alfie-t Tuesday, November 7, 2017 3:03 PM
    Tuesday, November 7, 2017 11:14 AM

Answers

  • My script takes care of these issues. Remember a new server does not mean that it's clean or optimized!

    Have a peek at my Adamj Clean-WSUS script. It is the last WSUS Script you will ever need!

    http://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus

    What it does:

    1. Add WSUS Index Optimization to the database to increase the speed of many database operations in WSUS by approximately 1000-1500 times faster.
    2. Remove all Drivers from the WSUS Database (Default; Optional).
    3. Shrink your WSUSContent folder's size by declining multiple types of updates including by default any superseded updates, preview updates, expired updates, Itanium updates, and beta updates. Optional extras: Language Packs, IE7, IE8, IE9, IE10, Embedded, NonEnglishUpdates, ComputerUpdates32bit, WinXP.
    4. Remove declined updates from the WSUS Database.
    5. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    6. Compress Update Revisions.
    7. Remove Obsolete Updates.
    8. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    9. Application Pool Memory Configuration to display the current private memory limit and easily set it to any configurable amount including 0 for unlimited. This is a manual execution only.
    10. Checks to see if you have a dirty database, and if you do, fixes it. This is primarily for Server 2012 WSUS, and is a manual execution only.
    11. Run the Recommended SQL database Maintenance script on the actual SQL database.
    12. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to set up and use so don't overthink it. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment (email settings only if you are accepting all the defaults), simply run:

    .\Clean-WSUS.ps1 -FirstRun

    If you wish to view or increase the Application Pool Memory Configuration, or run the Dirty Database Check, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.

    If after running my script, some clients still don't report in properly, use the following script on the affected client machines from an Admin Cmd Prompt:

    net stop bits
    net stop wuauserv
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /f
    rd /s /q "C:\WINDOWS\SoftwareDistribution"
    net start bits
    net start wuauserv
    wuauclt /resetauthorization /detectnow


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    • Marked as answer by alfie-t Wednesday, November 8, 2017 12:58 PM
    Tuesday, November 7, 2017 3:33 PM
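
A read-only check to run on an affected client before and after the reset commands in the answer above, as an added example that is not part of the answer or of the Clean-WSUS script. It shows which WSUS server Group Policy has configured, the current SusClientId, the state of the two services, and whether the server's port is reachable; the policy key and its value names (WUServer, WUStatusServer, UseWUServer) are the standard Windows Update policy locations and do not come from the thread.

```powershell
# Added example (not from the thread). Read-only: changes nothing on the client.
# Test-NetConnection needs Windows 8.1 / Server 2012 R2 or later.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$clientKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# WUServer is the URL the GPO points the client at, e.g. http://server:port
$wuServer = Get-RegValue $policyKey 'WUServer'

$report = [pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    WUServer       = $wuServer
    WUStatusServer = Get-RegValue $policyKey 'WUStatusServer'
    UseWUServer    = Get-RegValue "$policyKey\AU" 'UseWUServer'   # 1 = use the WSUS server
    SusClientId    = Get-RegValue $clientKey 'SusClientId'        # regenerated after the reset
    Services       = (Get-Service -Name bits, wuauserv |
                        ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', '
    WsusReachable  = $null
}

if ($wuServer) {
    # Parse host and port out of the policy URL and test a plain TCP connection.
    $uri = [uri]$wuServer
    $report.WsusReachable = (Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
                                -WarningAction SilentlyContinue).TcpTestSucceeded
}

$report | Format-List
```

After a GPO move, WUServer should name the new server; after the reset commands, SusClientId should differ from the value recorded beforehand.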

All replies

  • Hi Sir,

    Have you tried changing the following settings on the WSUS server:

    Made the following "Advanced Settings" for the WSUS Application Pool in IIS:

    Queue Length: 25000 from 10000
    Limit Interval (minutes): 15 from 5
    "Service Unavailable" Response: TcpLevel from HttpLevel
    Private Memory Limit (KB): 0 from 18342456

    Edit the web.config (C:\Program Files\Update Services\WebServices\ClientWebService\web.config) for WSUS (stop IIS first): replace <httpRuntime maxRequestLength="4096" /> with <httpRuntime maxRequestLength="204800" executionTimeout="7200"/>

    Also, disable IPv6 for the client.

    Best Regards,

    Elton


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, November 8, 2017 7:08 AM
  • Hi Adam,

    I've no idea specifically what's fixed it, but an hour or so after running your script one of the failing clients started working so it's looking good so far. Many thanks for this - the only issue I have with your script at the moment is it failed to send the email, but that's probably a mis-config of the variables.

    Thanks again

    Wednesday, November 8, 2017 1:01 PM
  • Hi Adam,

    I've no idea specifically what's fixed it, but an hour or so after running your script one of the failing clients started working so it's looking good so far. Many thanks for this - the only issue I have with your script at the moment is it failed to send the email, but that's probably a mis-config of the variables.

    Thanks again

    I've made you a believer!!! W00t!!!

    Yes, that would be a mis-config. Lucky for you, I thought of that too for -FirstRun and it outputs a TXT Log in the same folder as the script regardless for instances like this.

    You should fix your variables or switch it to only create a file log (can either be TXT or HTML).


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Wednesday, November 8, 2017 1:29 PM