WSUS not downloading the updates

    Question

  • Hi All,

      I have installed WSUS 3 SP2 on Windows 2003 server. I have created a computer and moved 3 machines for the test purpose. I have approved several updates for XP, 2003 and it seems it is not downloading the updates. C:\WSUS\UpdateServicesPackages drive has been empty since I have installed and accepted the updates.

    When I click on the WSUS server node I have the following info
    Updates needing files : 9
    downloaded 0.0 of 18.97 MB

    What seems to be the problem?





    swamy
    Monday, November 30, 2009 9:25 AM

Answers

  • I have installed WSUS 3 SP2 on Windows 2003 server. I have created a computer and moved 3 machines for the test purpose. I have approved several updates for XP, 2003 and it seems it is not downloading the updates.
    It's not related to your immediate issue, but I note that you've not indicated in the above actions that you configured any policies for the clients.

    C:\WSUS\UpdateServicesPackages drive has been empty since I have installed and accepted the updates.
    This folder has nothing to do with normal WSUS operations. (It's used by Local Publishing.)

    When I click on the WSUS server node I have the following info
    Updates needing files : 9
    downloaded 0.0 of 18.97 MB

    What seems to be the problem?
    Looks to me like the content cannot be downloaded from the Internet (but, then, you pretty much knew that). <g>


    Review the Application Event Log on the WSUS Server to determine the reason(s) for the blocked download. The five most common causes, in order of likelihood, are:

    1. The firewall/proxy/router between the WSUS server and the Internet does not properly support the HTTP v1.1 protocol specification, particularly with respect to the Range Protocol Header, which is required by BITS to facilitate downloads.

    2. The content store is contained on a volume other than the system volume and the NETWORK SERVICE account does not have *READ* permissions on the root of that volume.

    3. Quotas have been implemented on the WSUS server and are blocking the ability of BITS to write to the filestore.

    4. The WSUS server is not properly configured to use a required proxy server (although, typically, this scenario blocks synchronization as well as content downloads).

    5. The firewall is blocking outbound access, or file downloading, on port 80.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Monday, November 30, 2009 6:27 PM
    Moderator
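
Causes 1 and 2 in the list above can be checked directly from the WSUS server. The following is an added example, not part of the original answer; it assumes PowerShell 2.0 is installed, the function names are illustrative, and the test URL and the E:\ paths are placeholders to replace with your own.

```powershell
# Added example. Cause 1: does the path to the Internet honour HTTP Range requests?
function Test-RangeSupport {
    param([string]$Url, [string]$Proxy)
    try {
        $req = [System.Net.HttpWebRequest][System.Net.WebRequest]::Create($Url)
        if ($Proxy) { $req.Proxy = New-Object System.Net.WebProxy($Proxy) }
        $req.AddRange(0, 1023)      # request only the first 1 KB
        $resp = $req.GetResponse()
    } catch {
        return "FAIL: request blocked or errored: $($_.Exception.Message)"
    }
    $code  = [int]$resp.StatusCode
    $range = $resp.Headers['Content-Range']
    $resp.Close()
    # A device that honours Range answers 206 with Content-Range; a 200 with
    # the full body means the Range header was stripped or ignored on the way.
    if ($code -eq 206 -and $range) { return "OK: 206 Partial Content ($range)" }
    return "FAIL: status $code, Content-Range '$range' (Range not honoured)"
}

# Cause 2: is there an Allow ACE granting Read to NETWORK SERVICE (SID S-1-5-20)?
function Test-NetworkServiceRead {
    param([string]$Path)
    $read  = [int][System.Security.AccessControl.FileSystemRights]::Read
    $sid   = [System.Security.Principal.SecurityIdentifier]
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sid)
    $hit = $rules | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-5-20' -and
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $read) -eq $read
    }
    # Only ACEs naming NETWORK SERVICE itself are evaluated; access granted
    # through a group, and Deny ACEs, still need a manual look.
    if ($hit) { "OK: NETWORK SERVICE has Read on $Path" }
    else      { "CHECK: no Allow-Read ACE for NETWORK SERVICE on $Path" }
}

# Placeholders (assumptions): point $TestUrl at any large static file served
# over HTTP, and list the root of the content volume plus the content folder.
$TestUrl = 'http://<host>/<large-static-file>'
Test-RangeSupport -Url $TestUrl
'E:\', 'E:\WSUS\WSUSContent' | ForEach-Object { Test-NetworkServiceRead -Path $_ }
```

Run the Range test once directly and once with `-Proxy` set to the proxy the WSUS server uses; a difference between the two results points at the intermediate device.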

All replies

  • Hi Lawrence,

    Please forgive me for necroposting, especially within a thread that has been marked as an answered question. 

    However I am experiencing a very similar issue to that of the OP and one of your five [5] explanations is most likely the cause.

    I am running WSUS 3.0 SP2 on a Windows Server 2003 SP1 OS and I am not able to successfully download any of the updates for the production, or WSUS, server.

    All of the clients within the domain and of the WSUS server successfully download and receive updates.  It is only the server itself that cannot download them, and therefore can certainly not install them.

    You mentioned that one of the reasons for the updates failing to download could be due to the content store being located on a volume other than the system volume. 

    This is the exact configuration of the WSUS server which I am operating.

    I applied the permission settings for the WSUS folders on the other volume and within the registry per the following Microsoft TechNet article:

    http://technet.microsoft.com/en-us/library/cc708545(WS.10).aspx

    However, I noticed the following differences of permissions between the volume's root and the three WSUS subfolders (differences from one folder to the next are highlighted in BOLD):

    (%windir%= C:\)

    (%otherdir%= E:\)

    E:\ Permission Properties

    • Administrators - Full Control
    • Creator Owner - Special
    • Domain Admins - Full Control
    • Network Service - Full Control
    • System - Full Control

    E:\WSUS Permission Properties

    • Administrators - Full Control
    • Creator Owner - Special
    • Domain Admins - Full Control
    • Network Service - Full Control
    • System - Full Control

    E:\WSUS\UpdateServicesDBFiles Permission Properties

    • Administrators - Full Control
    • Network Service - Full Control
    • System - Full Control
    • Users - Read and Execute
    • (Creator Owner and Domain Admins are absent)

    E:\WSUS\UpdateServicesPackages Permission Properties

    Administrators - Full Control

    • Network Service - Read and Write
    • System - Full Control
    • Users - Read and Execute
    • WSUS Administrators - Full Control
    • (Administrators, Creator Owner and Domain Admins are absent)

    E:\WSUS\WSUSContent

    • Administrators - Full Control
    • Network Service - Full Control
    • System - Full Control
    • Users - Read and Execute
    • WSUS Administrators - Full Control
    • (Creator Owner and Domain Admins are absent)

    And in regards to the Permission Properties for the registry keys defined in the aforementioned TechNet article, the only changes made were the following:

    • The Users group was added with Read access to the \HKLM\Software\Microsoft\Update Services\Server Registry key.
    • The following accounts already had Full Control permissions to the \HKLM\Software\Microsoft\Update Services\Server\Setup Registry key:
      • ASP.NET (Is not present, nor can the account be located)
      • Network Service (for Windows Server 2003)
      • WSUS Administrators

    It is my understanding that the ASP.NET account is generally used by the NT AUTHORITY\NETWORK SERVICE. If I am incorrect, please let me know.

    Do those permissions look acceptable to you or do they need to all match the root folder on the E:\ Volume?

    Thank you so very much for taking the time to read this post, and for answering my inquiries as well.

    I look forward to receiving your response at your convenience.

    Saturday, October 16, 2010 7:22 PM
  • I am running WSUS 3.0 SP2 on a Windows Server 2003 SP1 OS . . .

    You have a critical deficiency in your deployment environment and this is the cause -- not any of the possible reasons cited in the thread you originally posted to.

    You need to apply Windows Server 2003 Service Pack 2 to your WSUS server, along with all of the relevant updates released in the past 18 months.

    The reason it appears that this server is not downloading updates is because it does not have the current service pack applied, and updates have not been available for Windows Server 2003 Service Pack 1 since April, 2009!


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com

    Monday, October 18, 2010 3:13 PM
    Moderator
  • I apologize, Lawrence.  I do have the latest Service Pack applied to this server.  Again, I apologize for causing any misunderstanding.

     

    Monday, October 18, 2010 4:46 PM
  • Okay, continuing from there.

    This thread is about the WSUS server being able to download content from *MICROSOFT* to the server content store. Specifically this thread is about a *SERVER*-side issue.

    You do not have a server-side issue as evidenced by the fact that all other clients are successfully downloading and installing updates from the WSUS server and reporting back to the WSUS Server.

    What this situation represents is a *CLIENT*-side issue with the Windows Server OS that is hosting WSUS, and you should troubleshoot this just as you would any other Win2003 server system in your network.

    • Is the server in the correct OU?
    • Is a GPO linked to that OU?
    • Is the GPO being applied to this system?
    • Have you confirmed that using GPRESULT, RSOP, or visual inspection of the registry and/or WindowsUpdate.log?
    • Is the Automatic Updates service started?
    • What results do you get from the Client Detection Tool (assuming this is an x86 system)?
    • What is recorded in the WindowsUpdate.log when a detection is attempted?

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Monday, October 18, 2010 4:58 PM
    Moderator
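
The registry, service and log checks from the list above can be scripted. This is an added example, not from the original post; it assumes PowerShell 2.0 on the server, and the function names are illustrative.

```powershell
# Added example: read-only client-side checks on the server that hosts WSUS.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auOptionText = @{
    2 = 'notify before download'
    3 = 'download automatically, notify before install'
    4 = 'download automatically, install on schedule'
    5 = 'local administrator chooses'
}

function Get-WsusClientPolicy {
    # Values written by the Windows Update policy settings of the applied GPO.
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue
    if (-not $wu -or -not $au) {
        return 'No Windows Update policy in the registry: GPO not applied?'
    }
    New-Object PSObject -Property @{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer      # must be 1 for WUServer to be used
        AUOptions      = "$($au.AUOptions): $($auOptionText[[int]$au.AUOptions])"
    }
}

function Get-UpdateServiceState {
    # Automatic Updates (wuauserv), BITS and Cryptographic Services (CryptSvc).
    Get-Service -Name wuauserv, BITS, CryptSvc | Select-Object Name, Status
}

function Get-RecentUpdateLogProblems {
    param([int]$Tail = 500)
    # The log path is the Windows Server 2003 default.
    $log = Join-Path $env:windir 'WindowsUpdate.log'
    Get-Content -Path $log | Select-Object -Last $Tail |
        Select-String -Pattern 'WARNING|FATAL'
}

Get-WsusClientPolicy | Format-List
Get-UpdateServiceState
Get-RecentUpdateLogProblems
```

An `AUOptions` value of 3 means updates are downloaded and then wait for an administrator to start the installation, so check it before concluding that the client is stuck.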
  • I apologize for the delay in response; I was attending a seminar all day yesterday.

    I now understand to what you are referring about this question having to be in another thread.  Would you like me to create a new thread, or should we just continue within this one?

    In regards to your questions:

    • Is the server in the correct OU?

    Yes, the server is contained within the "Domain Controller" OU within Active Directory Users and Computers, along with the user "Administrator".  However, within Group Policy Management, the Security Filtering for this OU specifies the following users:

    Authenticated Users

    Domain Admins

    Enterprise Admins

    System

    I'm not certain if this is an issue, but it is my understanding that the specific users do not have to be defined within the Security Filtering section as long as Authenticated Users are present.  Please inform me if I am wrong.

    • Is a GPO linked to that OU?

    Yes, an active and linked GPO is assigned to this OU.  It is using the provided "Default Domain Controllers" GPO.

    • Is the GPO being applied to this system?

    Yes, this GPO is enforced on this server.

    • Have you confirmed that using GPRESULT, RSOP, or visual inspection of the registry and/or WindowsUpdate.log?

    After running GPRESULT and saving the output to a .txt file, I can determine that this GPO is being applied successfully.  If you would like to see the .txt file, please let me know and I will be more than willing to provide it.

    • Is the Automatic Updates service started?

    Yes, the Automatic Updates service is set to Automatic and is Started.  Also, the Background Intelligent Transfer Service is set to Manual and is Started.  The Cryptographic Services service is set to Automatic and is Started.

    • What results do you get from the Client Detection Tool (assuming this is an x86 system)?

    Using wuauclt.exe /detectnow forces the updates to download.  After several minutes, Windows prompts me to restart the server to finish installing the updates.

    • What is recorded in the WindowsUpdate.log when a detection is attempted?

    Within the windowsupdate.log, the DwnldMgr initiates successfully, downloads the updates, and installs them correctly. 

    I don't want to give you unnecessary information, but I do want to answer your question.  If you would like to view the log file, please let me know and I can certainly provide that for you.

    It seems that invoking wuauclt.exe /detectnow has successfully downloaded and installed the updates from the WSUS server.

    Could you please inform me of any subsequent procedures or issues that need to be addressed in order to enable the detection tool to automatically execute and operate when needed?

    I sincerely appreciate all of your assistance, Lawrence.  Thank you very much. 

    Wednesday, October 20, 2010 2:46 PM
  • Using wuauclt.exe /detectnow forces the updates to download.  After several minutes, Windows prompts me to restart the server to finish installing the updates.

    Within the windowsupdate.log, the DwnldMgr initiates successfully, downloads the updates, and installs them correctly. 

    It seems that invoking wuauclt.exe /detectnow has successfully downloaded and installed the updates from the WSUS server.


    That leaves me with this question: On what information did you base your conclusion (assumption?) that the machine was not downloading updates?

    It looks to me like the machine is working perfectly.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Wednesday, October 20, 2010 8:36 PM
    Moderator
  • Using wuauclt.exe /detectnow forces the updates to download.  After several minutes, Windows prompts me to restart the server to finish installing the updates.

    Within the windowsupdate.log, the DwnldMgr initiates successfully, downloads the updates, and installs them correctly. 

    It seems that invoking wuauclt.exe /detectnow has successfully downloaded and installed the updates from the WSUS server.


    That leaves me with this question: On what information did you base your conclusion (assumption?) that the machine was not downloading updates?

    It looks to me like the machine is working perfectly.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com


    I am basing this claim on the fact that any and all updates for Windows Server 2003, listed in WSUS, would download successfully but never install.

    Observing the list of "All Updates" within the "Failed or Needed" filter, I could see that only updates for the server had either failed or were needed.  Updates for the clients would install properly, and therefore were not within this filtered list.

    When I would investigate the status of a specific update for Windows Server 2003 that did not install, the only information I received was, "Download Successful" (perhaps not that exact phrase, but it was indicating that the update had downloaded, but had not installed).

    After you provided many helpful and valuable troubleshooting procedures, I was also able to determine that the machine was working perfectly.  However, this was only evident after I had run wuauclt.exe /detectnow.

     

    Thursday, October 21, 2010 3:08 PM