none
WSUS and SCCM integration : Message ID 7000 & 7003

    שאלה

  • LEGEND:

    VMWSUS : Our virtualized WSUS server

    SCCMP : Primary SCCM Site Server

     

    So I had the SCCM/WSUS integration working in Beta 2 but it seems that upgrading to SCCM RTM has broken it.

     

    I get the following messages on the primary site server while the WSUS component is loaded:

     

    SMS WSUS Configuration Manager failed to configure proxy settings on WSUS Server "SCCMP".

    Possible cause: WSUS Server version 3.0 and above is not installed or cannot be contacted.
    Solution: Verify that the WSUS Server version 3.0 or greater is installed. Verify that the IIS ports configured in SMS are same as those configured on the WSUS IIS website.You can receive failure because proxy is set but proxy name is not specified or proxy server port is invalid.

     

    [please note i am not using a proxy server for internet access, no proxy server was specified in the setup, and the internet explorer options do not have a proxy server specified and is not set to auto-detect]

     

    and

     

    SMS WSUS Configuration Manager failed to monitor WSUS Server "SCCMP".

    Possible cause: WSUS Server version 3.0 and above is not installed or cannot be contacted.
    Solution: Verify that the WSUS Server version 3.0 or greater is installed. Verify that the IIS ports configured in SMS are same as those configured on the WSUS IIS website.

     

    I also get the following error on the WSUS component error log on the WSUS remote system:

     

    Failures were reported on WSUS Server "VMWSUS" while trying to make WSUS database connection with SQL Exception error code -2146232060.

    Possible cause: SQL Database service is not running or cannot be accessed.
    Solution: Verify that the SQL Server and SQL Server Agent services are running and can be contacted.

     

    The SQL database is of course running and agents are started (otherwise WSUS wouldn't work anyway)

     

    Yes, the WSUS 3.0 Admin Console is on the SCCMP machine and the site server roles are on both machines.

     

    And yes, I can connect to the WSUS console on my WSUS server and see my machines/updates.

     

    (most commonly asked question it looks like from reading Doug's responses)

     

    More info on the WSUS box if it helps you guys come up with an answer.

    Our WSUS server runs in a VM with a SAN network virtually hosting its Content.

    The SQL database lives on a clustered SQL machine.

     

     

    I pretty much get a 7000/7003 error constantly in my logs. Any idea what's wrong?

    יום חמישי 01 נובמבר 2007 18:47

תשובות

  •  

    Whoever is still running into this issue the answer is in Config manager guide, page 15

    ¾  The default ports specified for a custom Web site are port 8530 for HTTP and port 8531 for HTTPS (SSL).  These will need to be specified when designating the active SUP through the console.  If these are not specified, and the default Configuration Manager settings are used (port 80 and port 443), Configuration Manager will not be able to communicate with the SUP, and a failure will be logged under the SMS_WSUS_SYNC_MANAGER component in the site status.  An error 6703, 7000 or 7003 will appear with the message “WSUS server not configured.”

     

     

    I hope this helps.

    emp

    יום שישי 11 אפריל 2008 14:11

כל התגובות

  • If you had it working with beta 2, what version/build of WSUS are you using? We didn't really support the RTM build of WSUS 3.0 with SCCM beta 2 (though very late in the beta 2 we did get to some testing that indicated it worked fine).

     

    יום שישי 02 נובמבר 2007 02:00
  • Hey Wally! Good meeting you at the User's Group in Austin on Wednesday!

    Sorry, I goofed and didn't mention that the SCCM 2007 code was at the RTM level now (upgraded to trial as soon as i could).. but yea in SCCM Beta 2 with the WSUS 3.0 code I got it to work just fine.

    I am using WSUS 3.0 now....
    יום שישי 02 נובמבר 2007 03:54
  •  

    I can supply any log files or supporting information you guys need to solve this.
    יום שישי 02 נובמבר 2007 20:35
  • Please verify you have the WSUS 3.0 RTM installed rather than the pre-release RC version.

     

    These errors are about WSUS ports - are you sure that you have followed this guidance:

     

    "The fully qualified domain name (FQDN) is used by WSUS Synchronization Manager, a component for software updates in Configuration Manager 2007, when connecting to Windows Server Update Services (WSUS) running on the active software update point to initiate software updates synchronization. When the FQDN is not valid, the connection will fail. Use the following procedure to verify the FQDN on the site system where the active software update point is installed.

    To verify the FQDN settings for the software update point site system

    1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site code> - <site name> / Site Settings / Site Systems.

    2. Right-click the site system where the active software update point is installed, and then click New Role.

    3. Verify that the Specify a fully qualified domain name (FQDN) for this site system on the intranet option is selected and the Intranet FQDN value is correct. When the site is in native mode, verify that the Internet FQDN value is correct.

      If the FQDN settings are correct, click Cancel to exit the wizard, and skip the last step of this procedure.

    4. Click Next, click Next again without selecting any new site roles, click Next once more, and then click Close.

     

    When a Configuration Manager 2007 site server is in native mode, or when the active software update point is configured to use Secure Sockets Layer (SSL), there are five virtual roots that must be configured to use a secured channel on the active software update point server and active Internet-based software update point server, if configured. The virtual roots are located under the Web site used by the Windows Server Update Services (WSUS) server, and they are modified by using the Internet Information Services (IIS) Manager. After the virtual roots have been configured, you must run the WSUSUtil tool to let the health monitoring component of WSUS know that it should use SSL.

    Use the following procedure to configure SSL on the WSUS server.

    To configure SSL on the WSUS server

    1. On the WSUS server, open Internet Information Services (IIS) Manager.

    2. Expand Web Sites, and then expand the Web site for the WSUS server. It is recommended that the WSUS Administration custom Web site be used, but the default Web site might have been chosen when installing WSUS.

    3. Perform the following steps on the WSUS Web site or on the APIRemoting30, ClientWebService, DSSAuthWebService, SelfUpdate, ServerSyncWebService, and SimpleAuthWebService virtual directory that reside under the WSUS Web site:

      1. Right-click the Web site or virtual directory, and then click Properties.

      2. Click the Directory Security tab, and then click Edit in the Secure Communications section.

      3. Select Require secure channel (SSL), and then click OK.

      4. Click OK to close the properties for the virtual root.

    4. Close IIS Manager.

    5. Run the following command from <WSUS Installation Folder>\Tools: WSUSUtil.exe configuressl <subject name in the signing certificate>.

    When the Configuration Manager 2007 site server is in native mode or when the active software update point is configured to use Secure Sockets Layer (SSL), and when a custom Web site is used to host the Microsoft Windows Server Update Services (WSUS) 3.0 services, you must configure the WSUS Administration Web site to use a Web server signing certificate. Once configured, the certificate is added to the Trusted Root Certification Authorities store on the local computer. This procedure steps through the process of using the same certificate that is used by the Configuration Manager site systems for authentication and encryption when the site is in native mode, but you can use a different Web server signing certificate as long as the certificate is added to the WSUS Administration Web site and that the certificate resides in the Trusted Root Certification Authorities store on client computers. The Web server certificate can be installed on the Web site by using a script or the Internet Information Services (IIS) Manager console.

    Important

    The WSUS Administration Web site must be assigned a signing certificate where the Subject Name or Subject Alternate Name contains the Internet fully qualified domain name (FQDN).

    Use the following procedure to use IIS to add the Web server signing certificate to the WSUS Web site.

    To add the signing certificate to the WSUS Web site

    1. On the WSUS server, open Internet Information Services (IIS) Manager.

    2. Expand Web Sites, right-click the WSUS Administration Web site, and then click Properties.

    3. Click the Directory Security tab, and then click Server Certificate.

    4. On the Welcome to the Web Server Certificate Wizard page, click Next.

    5. On the Server Certificate page, click Assign an existing certificate, and then click Next.

    6. On the Available Certificates page, select the Web server certificate that was requested when configuring the site for native mode. You can identify the certificate by the Intended Purpose field that has a value of Server Authentication and the Friendly Name that was configured when requesting the certificate. Click Next.

      Note

      The site server will use either the default Web site or a Configuration Manager custom Web site (SMSWeb), depending on how the site was configured. To find the certificate used by the other site systems, view the certificate by going to the Web site properties, and then click View Certificate on the Directory Security tab. Use this certificate when selecting certificates for the WSUS Web page.

    7. On the SSL Port page, configure the port number for SSL (HTTP). When using the WSUS custom Web site, the default SSL port number is 8531. For the step-by-step procedures on how to find the port number, see How to Determine the Port Settings Used by WSUS. Click Next.

    8. On the Certificate Summary page, click Next.

    9. On the Completing the Web Server Certificate Wizard page, click Finish.

    10. Click OK to close the properties for the Web site.

    11. Close IIS Manager."

    יום חמישי 08 נובמבר 2007 18:45
  • Ports are the default for WSUS, nothing was changed there. Not to mention this worked in Beta 2 and only since the upgrade to RTM bits has it stopped working.

    As a test I brought up another VM with WSUS 3.0 (RTM bits, not RC bits) and it gives me the same error messages.

    I can connect to the WSUS console from my SCCMP machine just fine. I see all the updates and clients reporting in.
    יום חמישי 08 נובמבר 2007 19:19
  • Can you post snippets of the log files containing the errors? 

     

    Should be looking at WCM.log, wsyncmgr.log

     

    Also, please look at this from the just-released SCCM docs:

     

    http://technet.microsoft.com/en-us/library/bb932161.aspx

     

    יום שלישי 13 נובמבר 2007 02:18
  • Doug Eby has a copy of the log files above. Don't feel comfortable posting them here.

     

    If you can shoot me an email I can email you the same logs!

     

     

    יום שלישי 13 נובמבר 2007 17:32
  • I had a similar issue. The problem was that I installed WSUS with a custom web site with port of 8530 and when I defined my SUP, I didn't change the default port of 80. For a while I was very confused, what was my problem, because I had the same error message:

    Possible cause: WSUS Server version 3.0 and above is not installed or cannot be contacted.

    So I thought I had some kind of WSUS version problem, before I read the latter part: CANNOT BE CONTACTED!

     

     

     

    • הוצע כתשובה על-ידי spidey24 יום חמישי 16 ספטמבר 2010 13:09
    יום שלישי 20 נובמבר 2007 20:40
    מנחה דיון
  • Marc,

     

    Thanks for the outline.

     

    All these items are configured and checks-out exactly like the documentation says it should, yet our SCCM server is still logging hundreds upon hundreds of 7000 and 7003 errors in both the "SMS_WSUS_CONTROL_MANAGER" and "ConfigMgr Software Update Point" status.

     

    I've read this post and followed the instructions, as well as spend a few days searching the web for similar issues, and running thru each and every TechNet Troubleshooting SUP/WSUS area I could find.

     

    Is there anything else that can be done to resolve these two errors short of formatting the server ???

     

    Thx !

    Marcus

     

    יום חמישי 17 ינואר 2008 20:30
  •  

    I'm guessing in Mixed Mode there is no fix for these errors. I've searched high-n-low, but after following the documentation a dozen times over, these errors continue to flood the SCCM server.

     

    Anyone have any additional input, or is MS building a patch for this ?

     

    Thx guys !

     

    Marcus
    יום שלישי 22 ינואר 2008 17:08
  • I am getting the same errors, but only from the WSUS_Control_Manager.  So if anyone has found anything yet, that would be great.  I am running in mixed mode as well.


    Thanks in advance!

     

    יום שני 28 ינואר 2008 20:40
  • If it is the port issue, then it is NOT an SCCM issue, but an WSUS issue. I've heard that is fixed in SP1 of WSUS 3.0.

     

    יום שני 28 ינואר 2008 21:38
  • If this is the port issue, I have heard that it is fixed in WSUS 3.0 SP1. It is not an SCCM issue but rather WSUS.

     

    יום שני 28 ינואר 2008 21:39
  • Thx again Wally !!!!

     

    This is great news about SP1. I'll visit the WSUS forums to see if anyone has a temp workaround for this.

     

    Marcus

     

    יום שלישי 29 ינואר 2008 20:50
  •  

    יום שלישי 29 ינואר 2008 20:52
  •  

    Are you using SSL? Here's what we did to fix this at our site...

    wsusutil.exe configuressl <fqdn>

     

    ...on the WSUS box.

    יום שישי 01 פברואר 2008 16:47
  • ....in Mixed Mode, so this doesn't work.

    Thx for posting it though.

     

    Considering we've had well over 1000 views on this post alone tells me a lot of people are having this issue.

     

    Marcus

     

    יום שלישי 05 פברואר 2008 21:40
  • We're in SCCM 2007 Mixed Mode as well.

     

    We have, however, selected Enable SSL for this WSUS server from the General tab of the Software Update Point Component Properties.

     

    Additionally, our Reporting Point (which is also our Software Update Point) is using SSL.

    יום רביעי 06 פברואר 2008 15:03
  • OK, I found the issue on our site.  When I installed WSUS I did not use the default website.  So I was given the ports of 8530 and 8531.  At some point I was messing with ports in IIS, I don't know why, I was just fiddling.  Anyway, I changed the ports for WSUS and that is when the problem started.  I tried reinstalling the software update point and that never fixed it.  When I looked through the WSUS Control Manager status log, I noticed it was still trying to point to the original ports

     

    No connection could be made because the target machine actively refused it 10.100.0.150:8530. 

     

    So I changed the ports in IIS again and bingo!

     

    Somewhere in SCCM that entry is fixed from the orginal install of the software update point install.  If there is a way to change it, then you could probably change ports.

     

    Good luck.

     

    יום רביעי 06 פברואר 2008 16:45
  • Same.....

     

    I had to use the non-default web site, for which the ports were listed as the default ports of 8530/8531. In our environment I was forced to change those ports to 2000/2001.

     

    I changed these in IIS, then opened the WSUS console and deleted the old entry and re-connected to WSUS using port 2000.

     

    Is this what you're referring to, or were there extra steps you took to resolve this ? As for SCCM, did you find a place in there where the old default ports are still locked in ???

     

    Thx for the post !!! We're getting closer !

    Marcus

     

    יום חמישי 07 פברואר 2008 22:07
  • I did not find where the ports were locked down in SCCM.  I ended up just changing the ports in IIS so they matched what SCCM was looking for.  I tried to uninstall/install the SUP in SCCM, and use different ports, but that didn't work.

     

    Mark

     

    יום שני 11 פברואר 2008 13:55
  • Well, you have the Software Update Point Component settings under Component Configuration, but my ports match in there too. So, this issue is still unresolved.

     

    M

     

    יום שני 11 פברואר 2008 16:46
  • As stated earlier in this thread, is it possible that SP1 for WSUS has addressed this issue. As you guys apply SP1 for WSUS, please re-post here about your results and whether SP1 has corrected this issue for you.

     

    Thx !!

    Marcus

    יום שלישי 12 פברואר 2008 18:21
  • Marcus -

     

    What I meant by my last post was that I think it is actually hardcoded elsewhere.  I changed the ports in the SUP Component but I was still getting errors looking for the old ports.

     

    Mark

     

    יום רביעי 13 פברואר 2008 17:02
  • Interesting.....

     

    I still get the same 7000/7003 errors with all the settings config'd. Let's hope SP1 for WSUS addresses this. Let us know if you that works for you.

     

    M

     

    יום רביעי 13 פברואר 2008 18:51
  • Hello,

     

    If you are using the WSUS custom Web site and ports 8530 and 8531 try running the following:

     

    wsusutil.exe usecustomwebsite true 

     

    The utility is located at %programfiles%\Update Services\Tools.  If you are using a custom port (not 80/443 or 8530/8531) you can configure this via a registry setting by going to HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup\Port Number.

     

    Let me know if that helps.

     

    Doug

     

     

     

    • הוצע כתשובה על-ידי Kiodos יום רביעי 20 יוני 2018 21:51
    יום רביעי 13 פברואר 2008 22:32
  • I guess what I was getting at was that I am using the custom ports.  I attempted to change the ports in IIS to something different.  I changed the settings in Config Mgr to point to the new ports and received this error No connection could be made because the target machine actively refused it 10.100.0.150:8530 in the WSUSCtrl.log.  I even tried to uninstall the Software Update Point and reinstall it using the new ports, and received the same error.  There is a setting somewhere that remembers the old ports regardless of uninstalling or changing the information in the SUP Component.  When I changed everything back in IIS and SCCM to 8530 and 8531, it worked fine. 

     

     

    Mark

    יום חמישי 14 פברואר 2008 13:30
  • Bizarre !

     

    Although I changed the ports settings in the WSUS Console, IIS and the Component in SCCM for Software Updates, sure enough this reg settings was still hard-coded to 8530 !!!

     

    I changed it in the registry and will re-test to see if this resolved my 7000 and 7003 errors !

     

    Thx Doug !

     

    Marcus

     

    יום שישי 15 פברואר 2008 19:01
  •  

    Whoever is still running into this issue the answer is in Config manager guide, page 15

    ¾  The default ports specified for a custom Web site are port 8530 for HTTP and port 8531 for HTTPS (SSL).  These will need to be specified when designating the active SUP through the console.  If these are not specified, and the default Configuration Manager settings are used (port 80 and port 443), Configuration Manager will not be able to communicate with the SUP, and a failure will be logged under the SMS_WSUS_SYNC_MANAGER component in the site status.  An error 6703, 7000 or 7003 will appear with the message “WSUS server not configured.”

     

     

    I hope this helps.

    emp

    יום שישי 11 אפריל 2008 14:11
  •  

    Thank you,

     

    Yes, we were talking about these documentation originally as well, but the issue came when we were forced to use ports 2000/2001 because 8530/31 was not going to be approved for opening.

     

    I have since been able to convince them that 8530/31 "must" be open and once we moved back to the default ports, everything has been fine.

     

    M

    יום שישי 11 אפריל 2008 15:34
  • Unfortunately for the guide, we're using ports 8530 and 8531 and we're still getting those 7000 and 7003 error messages., So that information isn't really a fix.
     
    יום שלישי 06 מאי 2008 15:08
  • I am also getting the same errors.  My ports are setup correctly between the SUP and SCCM.

     

    יום שישי 09 מאי 2008 15:45
  • For my situation, I was originally forced to use 'open' ports 2000/2001, and although that was changed in IIS, SCCM/SUP, WSUS I still got the errors and non-connectivity.

     

    Once the 8530/8531 ports were approved in-shop, I switched back to the defaults and it began to work like expected.

     

    New development: Higher in this post it was pointed out that a "registry" entry was not being changed/configured properly to reflect my 2000/2001 settings.

     

    For my situation, this explained the reason the 2000/2001 port settings didn't work. The registry was still set to 8530, so once I moved everything back to 8530, it obviously began to work.

     

    Look here for that reg setting:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup]
    @=""
    "PortNumber"=dword:00002152

     

    Marcus
    יום שישי 09 מאי 2008 16:57
  • Our errors were being caused by using an authentication account which wasn't needed at the proxy.
    Once we set up the proxy settings to not use the account, everything was copacetic.
    יום שישי 09 מאי 2008 18:25
  • I'm using port 8530/8531 too and for my case the solution for this problem was:

     

    In Wsus console:

    1. Right click in server and "Remove from console"

    2. Right click in Update Services and "Connect to server" using port 8530 and check to use ssl.

    3. on Options start WSUS Server configuration Wizard and reconfigure the server.

     

    I don't know if the step three is really necessary.

     

    Alex

    יום שלישי 20 מאי 2008 18:58
  • Solution for errors:

    • Source: Windows Server Update, Category: Web Services, Event ID: 12002
    • Source: Windows Server Update, Category: Web Services, Event ID: 12012
    • Source: Windows Server Update, Category: Web Services, Event ID: 12032
    • Source: Windows Server Update, Category: Web Services, Event ID: 12022
    • Source: Windows Server Update, Category: Web Services, Event ID: 12042
    • Source: Windows Server Update, Category: Web Services, Event ID: 12052
    • Source: ASP .NET 2.0.50727.0, Category: Web Event, Event ID: 1310

    Steps:

    1. Find a temporary folder TEMP under %Systemroot%. 
    2. Grant full permissions on the TEMP folder the NETWORK SERVICE user account.
    3. To reset Internet Information Services (IIS), type iisreset on the command prompt.

    For more information about similar problem with Microsoft .NET Framework version 1.1 read: http://support.microsoft.com/kb/825791

     

    J.

     

     

     

    יום שני 09 יוני 2008 12:07
  • I have been banging my head against the wall on this one myself.

    I believe i found the solution (at least it is working in my lab).

    When SCCM is in native mode and WSUS is configured for SSL you may recieve the error MSG ID 7000 & 7003 "SMS_WSUS_COMPONENT_MANAGER failed to monitor WSUS server..."

    "SMS_WSUS_COMPONENT_MANAGER failed to configure the proxy settings for WSUS server..."

     

    Assuming the documentation was followed from Microsoft on installing and configuring SCCM as well WSUS and all other settings have been set properly, go to your SCCM server open IE/Tools/Options/Connections/Lan settings and check "Automatically Detect Settings."

     

    once i made this change on both the SCCM and WSUS servers my errors went away.

     

    hope this helps for those banging their head like i was over this..

    • הוצע כתשובה על-ידי 967jones יום רביעי 16 יוני 2010 14:53
    יום חמישי 04 ספטמבר 2008 17:27
  • I have been searching everywhere for a Solution to the 7000 and 7003 errors. I think I've got it and wanted to share it with you.

    I am in SCCM Mixed mode and am not using certificates currently.
    WSUS is on a separate server installed as default web server using port 80.
    All SCCM accounts are in the WSUS admin group on the WSUS server.
    Also, I do not have an internal proxy server.

    What I found was to go to the Site Settings and on EACH of your site systems setup as the SUP role and change the Proxy settings to enabled and use port 80. Be sure to put your WSUS server into the Proxy Name space. :)


    Magically there are no more 7000 or 7003 errors and my Site is all green. :)

    Hope it helps
    • הוצע כתשובה על-ידי kmartin2264 יום שלישי 20 ינואר 2009 22:34
    • נערך על-ידי kmartin2264 יום שלישי 20 ינואר 2009 22:36 Left out a detail
    יום שלישי 20 ינואר 2009 22:33
  • This worked for me in my virtual test environment.

    Thanks.

    יום חמישי 08 יולי 2010 18:43
  • Hello,

     

    If you are using the WSUS custom Web site and ports 8530 and 8531 try running the following:

     

    wsusutil.exe usecustomwebsite true 

     

    The utility is located at %programfiles%\Update Services\Tools.  If you are using a custom port (not 80/443 or 8530/8531) you can configure this via a registry setting by going to HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup\Port Number.

     

    Let me know if that helps.

     

    Doug

     

     

     

    This was the little bit I was missing. Thanks Doug.

    Thomas Faherty

    יום רביעי 20 יוני 2018 21:50