Constant WSUS issues (Connection Errors)
-
WSUS is your only option. Yes it sucks.
Unless you want to pay many thousands for a 3rd party solution.
Delete that corrupt profile. Use that script. -
@momurda said in Constant WSUS issues (Connection Errors):
WSUS is your only option. Yes it sucks.
Unless you want to pay many thousands for a 3rd party solution.
Delete that corrupt profile. Use that script.Well we already purchased Desktop Central from ManageEngine a while back.. that was in the thousands.. however, we got an IT audit and it showed that we were missing a lot of past updates. When doing a Windows Update search on the host itself, I often find that it discovers missing updates. When I check DesktopCentral, it says it's not missing updates. Checking with DesktopCentral support, they tell me that Windows updates and patches can supersede old ones. Based on research and shit, I think it's just a matter of the Windows registry making it appear that we are missing updates. However, I still think some of my machines are actually missing updates. Hense why I want to use WSUS to comb through my systems with Microsoft's own product, to try to find any missing updates, vs doing it manually.
It seems like no matter what I do though, this is going to be a huge pain in my assholes.
-
@dave247 said in Constant WSUS issues (Connection Errors):
already purchased Desktop Central from ManageEngine a while back.. that was in the thousands.. however, we got an IT audit and it showed that we were missing a lot of past updates. When doing a Windows Update search on the host itself, I often find that it discovers missing updates. When I check DesktopCentral, it says it's not missing updates. Checking with DesktopCentral support, they tell me that Windows updates and patches can supersede old ones. Based on research and shit, I think it's just a matter of the Windows registry making it appear that we are missing updates. However, I still think some of my machines are actually missing updates. Hense why I want to use WSUS to comb through my systems with Microsoft's own product, to try to find any missing updates, vs doing it manually.
It seems like no matter what I do though, this is going to be a huge pain in my assholes.Alright, so what are the RAM and Storage on this server? What CPU resources have you provided to this system?
Also take a look at Adamj's WSUS Script
http://www.adamj.org/clean-wsus.html
https://community.spiceworks.com/scripts/show/2998-wsus-automated-maintenance-formerly-adamj-clean-wsus -
@dbeato said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
already purchased Desktop Central from ManageEngine a while back.. that was in the thousands.. however, we got an IT audit and it showed that we were missing a lot of past updates. When doing a Windows Update search on the host itself, I often find that it discovers missing updates. When I check DesktopCentral, it says it's not missing updates. Checking with DesktopCentral support, they tell me that Windows updates and patches can supersede old ones. Based on research and shit, I think it's just a matter of the Windows registry making it appear that we are missing updates. However, I still think some of my machines are actually missing updates. Hense why I want to use WSUS to comb through my systems with Microsoft's own product, to try to find any missing updates, vs doing it manually.
It seems like no matter what I do though, this is going to be a huge pain in my assholes.Alright, so what are the RAM and Storage on this server? What CPU resources have you provided to this system?
Also take a look at Adamj's WSUS Script
http://www.adamj.org/clean-wsus.html
https://community.spiceworks.com/scripts/show/2998-wsus-automated-maintenance-formerly-adamj-clean-wsusDell PowerEdge R420
CPU: Xeon E5-2430 @ 2.20 GHz (2 Processors)
RAM: 56.0 GB
Storage: Data volume is 1.72 TB (with only about 40 GB used)I will check out those scripts here shortly.
-
@dave247 said in Constant WSUS issues (Connection Errors):
@dbeato said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
already purchased Desktop Central from ManageEngine a while back.. that was in the thousands.. however, we got an IT audit and it showed that we were missing a lot of past updates. When doing a Windows Update search on the host itself, I often find that it discovers missing updates. When I check DesktopCentral, it says it's not missing updates. Checking with DesktopCentral support, they tell me that Windows updates and patches can supersede old ones. Based on research and shit, I think it's just a matter of the Windows registry making it appear that we are missing updates. However, I still think some of my machines are actually missing updates. Hense why I want to use WSUS to comb through my systems with Microsoft's own product, to try to find any missing updates, vs doing it manually.
It seems like no matter what I do though, this is going to be a huge pain in my assholes.Alright, so what are the RAM and Storage on this server? What CPU resources have you provided to this system?
Also take a look at Adamj's WSUS Script
http://www.adamj.org/clean-wsus.html
https://community.spiceworks.com/scripts/show/2998-wsus-automated-maintenance-formerly-adamj-clean-wsusDell PowerEdge R420
CPU: Xeon E5-2430 @ 2.20 GHz (2 Processors)
RAM: 56.0 GBI will check out those scripts here shortly.
You have a Hardware Host Dedicated to WSUS? What else is on this server?
-
@dbeato said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
@dbeato said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
already purchased Desktop Central from ManageEngine a while back.. that was in the thousands.. however, we got an IT audit and it showed that we were missing a lot of past updates. When doing a Windows Update search on the host itself, I often find that it discovers missing updates. When I check DesktopCentral, it says it's not missing updates. Checking with DesktopCentral support, they tell me that Windows updates and patches can supersede old ones. Based on research and shit, I think it's just a matter of the Windows registry making it appear that we are missing updates. However, I still think some of my machines are actually missing updates. Hense why I want to use WSUS to comb through my systems with Microsoft's own product, to try to find any missing updates, vs doing it manually.
It seems like no matter what I do though, this is going to be a huge pain in my assholes.Alright, so what are the RAM and Storage on this server? What CPU resources have you provided to this system?
Also take a look at Adamj's WSUS Script
http://www.adamj.org/clean-wsus.html
https://community.spiceworks.com/scripts/show/2998-wsus-automated-maintenance-formerly-adamj-clean-wsusDell PowerEdge R420
CPU: Xeon E5-2430 @ 2.20 GHz (2 Processors)
RAM: 56.0 GBI will check out those scripts here shortly.
You have a Hardware Host Dedicated to WSUS? What else is on this server?
Yes, this server is set up as a dedicated WSUS server and a fresh install of Server 2016 and the WSUS role (if anything just to test and try out WSUS). Nothing else running on here at all.
-
@dave247 said in Constant WSUS issues (Connection Errors):
@dbeato said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
@dbeato said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
already purchased Desktop Central from ManageEngine a while back.. that was in the thousands.. however, we got an IT audit and it showed that we were missing a lot of past updates. When doing a Windows Update search on the host itself, I often find that it discovers missing updates. When I check DesktopCentral, it says it's not missing updates. Checking with DesktopCentral support, they tell me that Windows updates and patches can supersede old ones. Based on research and shit, I think it's just a matter of the Windows registry making it appear that we are missing updates. However, I still think some of my machines are actually missing updates. Hense why I want to use WSUS to comb through my systems with Microsoft's own product, to try to find any missing updates, vs doing it manually.
It seems like no matter what I do though, this is going to be a huge pain in my assholes.Alright, so what are the RAM and Storage on this server? What CPU resources have you provided to this system?
Also take a look at Adamj's WSUS Script
http://www.adamj.org/clean-wsus.html
https://community.spiceworks.com/scripts/show/2998-wsus-automated-maintenance-formerly-adamj-clean-wsusDell PowerEdge R420
CPU: Xeon E5-2430 @ 2.20 GHz (2 Processors)
RAM: 56.0 GBI will check out those scripts here shortly.
You have a Hardware Host Dedicated to WSUS? What else is on this server?
Yes, this server is set up as a dedicated WSUS server and a fresh install of Server 2016 and the WSUS role (if anything just to test and try out WSUS). Nothing else running on here at all.
WOW, I would not waste that much on a WSUS Server, I would have setup a VM on a Hyper-V Server 2016 Host and use a VM with 2 vCPU, 16 GB RAM and 500 GB of space.
-
@dbeato said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
@dbeato said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
@dbeato said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
already purchased Desktop Central from ManageEngine a while back.. that was in the thousands.. however, we got an IT audit and it showed that we were missing a lot of past updates. When doing a Windows Update search on the host itself, I often find that it discovers missing updates. When I check DesktopCentral, it says it's not missing updates. Checking with DesktopCentral support, they tell me that Windows updates and patches can supersede old ones. Based on research and shit, I think it's just a matter of the Windows registry making it appear that we are missing updates. However, I still think some of my machines are actually missing updates. Hense why I want to use WSUS to comb through my systems with Microsoft's own product, to try to find any missing updates, vs doing it manually.
It seems like no matter what I do though, this is going to be a huge pain in my assholes.Alright, so what are the RAM and Storage on this server? What CPU resources have you provided to this system?
Also take a look at Adamj's WSUS Script
http://www.adamj.org/clean-wsus.html
https://community.spiceworks.com/scripts/show/2998-wsus-automated-maintenance-formerly-adamj-clean-wsusDell PowerEdge R420
CPU: Xeon E5-2430 @ 2.20 GHz (2 Processors)
RAM: 56.0 GBI will check out those scripts here shortly.
You have a Hardware Host Dedicated to WSUS? What else is on this server?
Yes, this server is set up as a dedicated WSUS server and a fresh install of Server 2016 and the WSUS role (if anything just to test and try out WSUS). Nothing else running on here at all.
WOW, I would waste that much on a WSUS Server, I would have setup a VM on a Hyper-V Server 2016 Host and use a VM with 2 vCPU, 16 GB RAM and 500 GB of space.
ok, I really don't want to get off topic like this... I am just trying get WSUS to work to try it out and see how well I can manage Windows updates. I haven't even activated Windows 2016 because I plan to move this to a virtual machine later. It's not the point. Again, this is just to try out WSUS and get it working, which I have been yet to do.
-
@dave247 said in Constant WSUS issues (Connection Errors):
I'm so used to them not helping me...
That might be a problem going forward. All event logs have information and tell you every possible problem, just have to get used to reading them. Never just gloss them over.
I'm assuming you are opening the snapin via the local machine versus a remote. That screen happens when you can't connect to it. Your error in the event log means that it can't connect to the site via SSL. Open IIS and make sure that it has a self-signed cert generated for the site. Or make sure the site is up on HTTP and open it that way in MMC. That should fix the problem.
-
Hi, I ran in to this before and have the fix for it on the wiki at work.
Give me a bit to grab it. It has to do with AppPool settings if I remember correctly, on the IIS server.
Edit: I'm just gonna do screenshots because I'm feeling lazy atm, sorry.
-
@dave247 said in Constant WSUS issues (Connection Errors):
@dbeato said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
@dbeato said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
@dbeato said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
already purchased Desktop Central from ManageEngine a while back.. that was in the thousands.. however, we got an IT audit and it showed that we were missing a lot of past updates. When doing a Windows Update search on the host itself, I often find that it discovers missing updates. When I check DesktopCentral, it says it's not missing updates. Checking with DesktopCentral support, they tell me that Windows updates and patches can supersede old ones. Based on research and shit, I think it's just a matter of the Windows registry making it appear that we are missing updates. However, I still think some of my machines are actually missing updates. Hense why I want to use WSUS to comb through my systems with Microsoft's own product, to try to find any missing updates, vs doing it manually.
It seems like no matter what I do though, this is going to be a huge pain in my assholes.Alright, so what are the RAM and Storage on this server? What CPU resources have you provided to this system?
Also take a look at Adamj's WSUS Script
http://www.adamj.org/clean-wsus.html
https://community.spiceworks.com/scripts/show/2998-wsus-automated-maintenance-formerly-adamj-clean-wsusDell PowerEdge R420
CPU: Xeon E5-2430 @ 2.20 GHz (2 Processors)
RAM: 56.0 GBI will check out those scripts here shortly.
You have a Hardware Host Dedicated to WSUS? What else is on this server?
Yes, this server is set up as a dedicated WSUS server and a fresh install of Server 2016 and the WSUS role (if anything just to test and try out WSUS). Nothing else running on here at all.
WOW, I would waste that much on a WSUS Server, I would have setup a VM on a Hyper-V Server 2016 Host and use a VM with 2 vCPU, 16 GB RAM and 500 GB of space.
ok, I really don't want to get off topic like this... I am just trying get WSUS to work to try it out and see how well I can manage Windows updates. I haven't even activated Windows 2016 because I plan to move this to a virtual machine later. It's not the point. Again, this is just to try out WSUS and get it working, which I have been yet to do.
I didn’t think I went off topic. Let’s go through yourur setup. What Database are you using WID or SQL?
-
-
I wouldn't download all available updates. That's going to kill your available capacity.
Instead, set it to only download approved updates.
I've been doing WSUS for a long time. I really don't ever have to worry about it, other than approving updates manually. They can be set to be approved automatically, but I just can't yet.
-
@tim_g said in Constant WSUS issues (Connection Errors):
I wouldn't download all available updates. That's going to kill your available capacity.
Instead, set it to only download approved updates.
I've been doing WSUS for a long time. I really don't ever have to worry about it, other than approving updates manually. They can be set to be approved automatically, but I just can't yet.
How do you normally handle mobile users with WSUS?
-
@black3dynamite said in Constant WSUS issues (Connection Errors):
@tim_g said in Constant WSUS issues (Connection Errors):
I wouldn't download all available updates. That's going to kill your available capacity.
Instead, set it to only download approved updates.
I've been doing WSUS for a long time. I really don't ever have to worry about it, other than approving updates manually. They can be set to be approved automatically, but I just can't yet.
How do you normally handle mobile users with WSUS?
We don't have any mobile users who are off-domain or never get on to the network, so they all eventually get updated.
Anyone who would be isolated from the domain and updating, is set to have automatic updates done when the device is given to them. If they don't update, they don't get back onto the network.
-
The ultimate goal is LANless, but it's a long process to get there when you have a lot of internal apps and things you can't give external access to. But we're moving to lanless / cloud as we can. Once we're there, the need for Windows gets slimmer and slimmer... then I'd go the dnf-automatic route
SodiumSuite comes to mind as well, even before reaching the LANless point.
-
delete me
-
Tim_G:
I finally got back to this and made those adjustments to my wsus resource pool and it seems to work now, so that's really good. However, I am stuck again with getting computers to show up in my wsus group. I have followed your guide and:
- Made a group in AD called "wsus workstations" and added some machines to test with
- Created a GPO called "wsus workstations policy" and changed security filtering to apply to the wsus workstations group
- Created a group in wsus called "workstations" and then pointed my wsus workstations policy GPO's "Enable client side targeting" and pointed it to the workstations wsus group.
I have not been able to see any of my computers show up.
EDIT: I've been thinking about it.. I'm not 100% clear on where to actually put my WSUS group policy. At first, I added it to a test OU which had some computers I put in there for testing. However, since I'm specified that the GPO is to apply to the wsus workstations group, I don't think it matters where I put it now, does it? My wsus workstations group is in a completely different OU than the workstations or the GPO. Its been a little while since I worked on group policy so I've just realized that I'm a bit rusty.. however, maybe this is part of why it's not working...
Also, I am thrown off by what you mean in this part of your guide:
NOTE: Updates will NOT install and your server will NOT reboot unless you go into the WSUS console, and specifically approve updates to the WSUS group you specified in this policy.
In simple terms, just make sure you do NOT approve updates in WSUS, and your servers/clients will be fine.It seems like you're saying both do and do not approve updates in wsus. I don't get it.
-
@dave247 said in Constant WSUS issues (Connection Errors):
I have not been able to see any of my computers show up.
If everything is set up correctly, it could take a while for computers to show up in WSUS, and show their update statuses.
Sometimes they show up fast, sometimes they take a day. But if it's set up correctly, they WILL eventually show up.
-
@dave247 said in Constant WSUS issues (Connection Errors):
I've been thinking about it.. I'm not 100% clear on where to actually put my WSUS group policy.
Put it where it will hit the computers it should be configuring. If you put the GPO in a test OU, then the computers must be in there too, somewhere under that OU in which you place the GPO.
