locked
Manual Synchronization Starts in Console and then Disappears RRS feed

  • Question

  • We have a WSUS 3.0 server running on a 2008 server.  When I go to start a manual synchronization from the console, the entry for the new sync appears for a few moments and then disappears.  There are no new updates in the Updates/All Updates section.  Additionally, all of my custom Update Views have disappeared although the built in ones remain.

    I checked permissions on several folders and had to add the Network Service back to several of them like c:\windows\temp, c:\windows\microsoft .net\framework... and c:\wsus.

    Any assistance you can provide would be greatly appreciated.  Thanks.

     

     

    Sunday, May 23, 2010 4:56 PM

Answers

  • It had been moved to an OU with a set of tighter security GPOs.  Once it was moved back to the appropriate OU and had a "gpupdate /force" run on it, it still behaved badly.  After posting this, I moved the server into an OU with only the Default Domain policy, did a "gpupdate /force" and then ran a secedit with the default security template, but it's still not working properly.

    This really does feel like a permissions issue.  If only I could find out which files and directories the sync process is trying to update...

    If you implemented a tighter secure OU and then simply moved the machine to another OU, those 'security changes' implemented by the tighter OU will not simply be rolled back.

    You're either going to have to reinstall the OS to get it back to the default security configuration, explicitly use the Security Configuration Wizard with a template from a default server installation, or identify the specific changes made by that more secure OU and roll them back individually.

    You have, fundamentally, though, identified the cause of your issues.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Tuesday, May 25, 2010 12:48 AM

All replies

  • Has this server ever been synchronized successfully?

    Was the Setup Wizard completed succesfully at installation?

    Does the server have full access to the Internet on ports 80 and 443?


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Monday, May 24, 2010 4:56 PM
  • This server has been in use for more than a year.  It stopped working properly a few weeks ago. I have found a few different places where the Network Service has been stripped of permissions, like the %windir%\temp\ folder and the %\windir%\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\ folder and the c:\wsus\ folder.  I've managed to get all of the other features working except for the synchronization.

    Our WSUS server doesn't connect to the internet in order to get updates.  Instead, we have an upstream (I hope that's the correct term) server that it downloads patches from.

     

    Monday, May 24, 2010 7:25 PM
  • This server has been in use for more than a year.  It stopped working properly a few weeks ago.
    Then the first question to be considered is this: What CHANGED on this server "a few weeks ago" that caused it to stop working?
    I have found a few different places where the Network Service has been stripped of permissions, like the %windir%\temp\ folder and the %\windir%\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\ folder and the c:\wsus\ folder.  I've managed to get all of the other features working except for the synchronization.
    It sounds to me like somebody implemented the Security Configuration Wizard on this machine? If so, I would suggest UNDOING the implementation of any security template applied to the machine.
    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Monday, May 24, 2010 8:26 PM
  • It had been moved to an OU with a set of tighter security GPOs.  Once it was moved back to the appropriate OU and had a "gpupdate /force" run on it, it still behaved badly.  After posting this, I moved the server into an OU with only the Default Domain policy, did a "gpupdate /force" and then ran a secedit with the default security template, but it's still not working properly.

    This really does feel like a permissions issue.  If only I could find out which files and directories the sync process is trying to update...

    Monday, May 24, 2010 10:08 PM
  • It had been moved to an OU with a set of tighter security GPOs.  Once it was moved back to the appropriate OU and had a "gpupdate /force" run on it, it still behaved badly.  After posting this, I moved the server into an OU with only the Default Domain policy, did a "gpupdate /force" and then ran a secedit with the default security template, but it's still not working properly.

    This really does feel like a permissions issue.  If only I could find out which files and directories the sync process is trying to update...

    If you implemented a tighter secure OU and then simply moved the machine to another OU, those 'security changes' implemented by the tighter OU will not simply be rolled back.

    You're either going to have to reinstall the OS to get it back to the default security configuration, explicitly use the Security Configuration Wizard with a template from a default server installation, or identify the specific changes made by that more secure OU and roll them back individually.

    You have, fundamentally, though, identified the cause of your issues.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Tuesday, May 25, 2010 12:48 AM