Scenario

Consider a client workstation that uses a WSUS Server located in the DMZ behind Forefront TMG. This WSUS Server is not a domain member. A group policy specifies the WSUS Server name, as shown below:

Symptom

When the client workstation runs Windows Update, it receives error 0x8024402c, which appears in the Windows Update log (check KB902093 for the default location) as shown below:

Troubleshooting

While troubleshooting this issue, the following items were validated:

  • The DNS Server had a correct entry for the WSUS Server.
  • The DC was able to resolve the WSUS Server name.
  • The client was able to resolve the WSUS Server name using the nslookup command, but not when using the ping command.

To better understand what was happening, the following steps were performed on the client workstation:

  1. Ran ipconfig /flushdns.
  2. Started a Netmon capture.
  3. Ran the command ping srvwus.crop.contoso.com.
  4. Stopped the capture.

In the Netmon capture, it was possible to see that the answer from the DNS Server came incorrectly, as shown below:

At this point, we know that name resolution works fine and that the client is able to talk to the DNS Server. To isolate a potential name resolution issue, we tried to ping SRVWSUS using the IP address and got the result below:

This indicates that the local machine didn’t know what to do with that request.

Solution

The client workstation was missing the IP address of the default gateway. Once we added the default gateway the client workstation was able to obtain updates.
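
The checks from this post can be combined into one client-side diagnostic. The script below is an added example, not part of the original post. It assumes a client with the DnsClient and NetTCPIP PowerShell modules (Windows 8 / Server 2012 or later) and reads the WSUS URL from the standard Windows Update policy registry key.

```powershell
# Added diagnostic example (not from the original post).
# Assumption: DnsClient and NetTCPIP modules are available (Windows 8 / Server 2012+).

# WSUS URL as delivered by Group Policy (standard Windows Update policy key).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuServer  = (Get-ItemProperty -Path $policyKey -Name WUServer -ErrorAction Stop).WUServer
$uri       = [uri]$wuServer

# 1. Name resolution: does the DNS server return an A record for the WSUS host?
$ips = @(Resolve-DnsName -Name $uri.Host -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.IPAddress } |
         ForEach-Object { $_.IPAddress })

# 2. Routing: is there an IPv4 default route? Without one, a server on another
#    subnet (such as a DMZ) cannot be reached even when its name resolves.
$defaultRoutes = @(Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue)

# 3. Reachability by IP address, bypassing name resolution entirely.
$reachable = $false
foreach ($ip in $ips) {
    $probe = Test-NetConnection -ComputerName $ip -Port $uri.Port -WarningAction SilentlyContinue
    if ($probe.TcpTestSucceeded) { $reachable = $true; break }
}

# Summary object for logging or for collection from several clients.
[pscustomobject]@{
    WsusHost        = $uri.Host
    WsusPort        = $uri.Port
    ResolvedIPv4    = $ips -join ', '
    DefaultGateways = ($defaultRoutes.NextHop | Sort-Object -Unique) -join ', '
    TcpReachable    = $reachable
}

# The pattern described in this post: DNS answers, but no route off the local subnet.
if ($ips.Count -gt 0 -and $defaultRoutes.Count -eq 0 -and -not $reachable) {
    Write-Warning 'WSUS name resolves, but no IPv4 default gateway is configured on this client.'
}
```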