Saturday, 29 March 2014

Troubleshoot WSUS clients and server

When you consider the issues of WSUS there are multiple thing to refer. These two parts are mainly the communication of WSUS server and communication of client computers. Let us consider the parts one by one.

Communication of WSUS server

1. When you have an issue with WSUS it is really necessary to make sure that WSUS server is working correctly, then only the clients will get the updates properly. In order to make sure that the WSUS is working correctly we have the in built MS utility called as 'wsusutil' which will help you to manage the server using command line. Since we need to make sure that WSUS is working correctly we can check the health of WSUS and make sure that it is working as expected.

a) Open command prompt and redirect to the below directory using the command 'cd C:\Program Files\Update Services\Tools'
b) Now type the command 'wsusutil.exe checkhealth' and ENTER. It will take few seconds to complete and once it is completed open the application event viewer and make sure that it has generated 'Event id 10000, source: Windows server update' which indicates that WSUS is working correctly. Search for any error messages in the Microsoft Knowledge Base for more troubleshooting information or post a comment on this article.

Note: You may fail to perform check health by the error message update service is not running. In this case open 'services.msc' from 'run' and make sure that the service 'update service' is running and startup type as 'automatic'. If you would like to more details about using 'wsusutil' follow the below link to get it.
2. If the initial step is success you can continue with remaining steps. WSUS server and its details are specified through GPO hence it is really necessary to make sure that there are no GPO errors reported in server. Review the application and system logs to make sure that there are no Active directory or GPO related errors. If you found anything resolve the same and continue with the investigation.
3. Check whether the server can reach the WSUS client by pingWSUSClient and make sure that the client is listed under 'Computers' in WSUS server console.
If you are unable to ping the clients make sure that the firewall or proxy servers does not prevent the communication. And make use of the 'telnet' command to trace the route.

         Communication of client computers

When we consider the WSUS clients there are multiple thing , perform the below steps to confirm the clients have got proper details of WSUS.

1. Make sure that there are no AD and GPO related errors in your domain controllers and affected clients(Check through System and application logs of event viewer). It is really necessary to do this since the clients are pulling the WSUS server details through group policy and any errors related to this may not allow those to get correct details.
2. Run a rsop and make sure that under Microsoft update service WSUS settings are defined properly.
Open Run-> Type 'rsop.msc' and ENTER. It will generate the group policy result which indicates the policies that are applied to this computer.
Expand Computer configurations->Administrative tools->Windows components and locate the policy 'specify intranet Microsoft  update service  location' is pointed to WSUS server.
That is the WSUS server will be specified as 'http://WSUSservername:8530 '. If the settings are incorrect make the necessary changes in server GPO and make sure that it receives in clients.

 3. If the clients are receiving GPO correctly those details will be listed in registry as well. Make sure the server details are present on the registry as well.
Open run command and type 'reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' which should return the value with your server details and looks like this:

WUServer    REG_SZ  http://WSUSServerName
WUStatusServer      REG_SZ  http://WSUSServerName

Note: You will have the above output only if your clients are configured to get updates  from WSUS server.
Else you can manually locate the registry directory and view the information are correct.
Open registry editor and locate 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' and see the WSUS server details are correct.

 4. Verify that clients can reach the WSUS server by performing the below steps:
Open the web browser and type' http://<WSUSServerName>/' if the results prompt you for downloading a file named as '' you can safely cancel it and it shows the client is able to communicate with WSUS server and there is no connectivity issue. If the webpage fails to respond and does not ask for the file to download it indicates that may be a communication issue, name resolution or WSUS server is not configured properly. One of the useful link in this situation is(self update issues)
5. Determine the last time that the clients has updated. This can be done in two ways either through report of WSUS administration console or from the registry values present in clients. It is more convenient to use the second option if you have the direct access to affected clients.
a) If you want to get the details using report viewer follow these steps:
Open the Update Services console on the WSUS server. Click the Reports icon and then click Computer Detailed Status. Browse the computers to find the problematic computer and examine the updates that have been successfully installed, as well as those that have not yet been installed.
b) To get the details directly from the client computer open the registry editor and locate the directory,  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results now each folders determine the status of WSUS updates like 'Detect' shows the last time the client detected on server and checked for updates. 'Download' will show the last date and time the updates installed and 'Install' says the last date and time that it has successfully installed the updates.

6. Download and install the  windows update troubleshooter which can fix most of the common issues.
7. When clients are not receiving the updates, determine whether its because of a problem that is affected the entire functionalities of Windows updates on clients or because of WSUS. So manually locate the 'Windows Updates' and click on 'Check for updates' to make sure that it is reporting that there are updates to install. If it is listed as there are updates pending to install do not initiate to install because by these steps we are checking whether there is any cryptographic service provider errors or a file Windows Update requires (named catalog store) is corrupted.
If there are error reported for this follow the below links to find the solution for some of the error codes.
8. All the client windows updates action details are stored locally named as 'WindowsUpdate.log'. Verify these logs and check whether there is any issue reported in logs. Follow these methods to get the latest logs.
The below link will help you to read the windows logs:
For server 2003\XP the - C:\winnt\WindowsUpdate.log
For 2008\Windows 7- C:\windows\WindowsUpdate.log
Else on Run command you can simply type 'WindowsUpdate.log' to open it.
9. Allow the affected client to reestablish the connection once again with WSUS . In order to achieve that, locate the affected client in the 'Computers' list of WSUS console  and delete it(Right click->Delete). Now on affected client open command prompt and type 'wuauclt /detectnow' wait for 30 minutes and check the logs that is available in client. Check the windows update logs from the time of doing these steps and see whether it reported any errors.
Search for any error messages in the Microsoft Knowledge Base for more troubleshooting information.
10. I have seen in may cases deleting  and regenerating the SUS client ID on affected clients will provide a solution for update errors.
On the affected client open command prompt and type the below commands,
net stop wuauserv
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIdValidation /f
net start wuauserv
The first and last command will stop and start the Windows update service on this computer. The other two will delete the SUS client ID. Now wait for another 15 minutes and observe the status.
11. There are many WSUS troubleshooting tools available through MS. Please follow the below link to get those and check whether it help you to resolve the issue.

No comments:

Post a Comment