DolleEdward-3388 asked

2019 Servers Not Connecting to WSUS

I have built three Windows 2019 VMs and none of them are joining the WSUS server.

I have done the following troubleshooting to no avail:

Verified the servers are in the correct IP network.
Verified the servers are in the correct AD group.
Verified that the servers are part of the correct GPO and that the WSUS group policy is enabled and enforced.
Verified that the servers can reach these two links:
http://server.domain.local:8530/selfupdate/iuident.cab
http://server.domain.local:8530/ClientWebService/client.asmx
Verified that the servers can ping the WSUS servers via their domain name.
Verified that IPv6 is not enabled. It is not enabled on any of our servers.
Solarwinds is not monitoring these servers yet.
Verified that the registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer is set to 1.
Verified that the servers are trying to get updates from the WSUS.
No SCCM in the system.
Server Cleanup Wizard ran successfully last week.

What could be causing these not to show up?

windows-server-update-services

AJTek-Adam-J-Marshall answered

DolleEdward-3388 answered

Thanks. I can't turn on IPv6 without talking to management first.

I am trying the second link on one of the servers now.


DolleEdward-3388 answered

So far I do not see the server but I know to wait 24-48 hours. Are there any events in event viewer that would show the server trying to contact the WSUS server?


DolleEdward-3388 answered

I am looking at the WindowsUpdate.log file and find a few failures:
Misc FAILED [8024000C] LoadHistoryEventFromRegistry completed
Agent FAILED [80240013] m_services.Add()
Agent FAILED [80240013] Method failed [CAgentServiceManager::DelayedInit:2678]
Agent FAILED [80240013] Method failed [CAgentServiceManager::CreateServiceObjectAndAddIntoMap:2034]

What do these errors mean? I can post more of the log if necessary. It does look to me as if the server has downloaded updates from the WSUS and yet the server still does not show up in the console.


AJTek-Adam-J-Marshall answered

Just a question - when you say not showing up in the WSUS console - are you saying it's not showing up at all under "All Computers" with the Status of "Any", or not in the group you're expecting it to show up?

The client side script usually allows it to show up right away, and then report back 12-48 hours later.


DolleEdward-3388 answered AJTek-Adam-J-Marshall commented

It is not showing up here:
[Screenshot: 129158-image.png]

They should show up in Unassigned Computers. Then I move them to one of the environment groups.


AJTek-Adam-J-Marshall commented:

Perhaps, perhaps not.

Do you have Computer Targeting enabled?
https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-2-computer-groups-update-views/

Now let’s turn on client side targeting as our computer groups are now created. Click on Options. Click on Computers and choose “Use Group Policy or registry settings on computers” and press OK.

Do they show up in All Computers with the Status of Any?

FYI - it's recommended you use computer targeting - it makes it SO MUCH easier.

DolleEdward-3388 answered

I do not. It is set to use the Update Service console.

You know I am going to ask - will making this change break anything?


AJTek-Adam-J-Marshall answered

If you change it to Computer Targeting - you need to use GPO or Registry edits to ensure the computers are moved into place.

See parts 4 and 5 of my guide:

https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-4-creating-your-gpos-for-an-inheritance-setup/
https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-5-linking-your-gpos-inheritance-is-your-friend/

If you change to computer targeting, you don't manually move computers - the GPO does it for you.

If you don't plan your computer targeting beforehand, I'm pretty sure the existing computers will move to the unassigned computers group unless they've been targeted to another computer group via GPO/Registry.


DolleEdward-3388 answered

We have GPO's for the three environments but the normal course of action is a new server is put into a group, either on-prem server or hosting site server. Then we connect to the WSUS console and check Unassigned Computers. Once they show up there we move the server into one of the other groups.


AJTek-Adam-J-Marshall answered

Take some time to review my guide - it makes things much easier. I'd also recommend reading other guides on my site as they will give you so much information.

If you wanted to keep your current structure, you'd create a GPO for your Production Servers, and apply it to the OU - any computer placed in that OU will be automatically directed to the Production Servers Group in the WSUS Console - automatically without manual adjustments. If you delete the computer object and run the client side script, it will re-appear automatically in the Production Servers group in the WSUS Console, again, without manual adjustments.

So much nicer and easier.
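
The client-side checks from the question (the UseWUServer policy value and the two WSUS URLs) and the client-side targeting values discussed in the answers can be read in one pass. The script below is an added example, not part of the thread or of the linked guide; it only reads settings and changes nothing. The function names are hypothetical, and the registry value names are the standard Windows Update policy values that a WSUS GPO writes.

```powershell
# Added example: read-only check of the WSUS client settings discussed in this thread.
# Function names are hypothetical; run elevated on the server missing from the console.
function Get-WsusClientPolicy {
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $p  = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wu\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer           = $p.WUServer            # e.g. http://server.domain.local:8530
        WUStatusServer     = $p.WUStatusServer      # where the client reports its status
        UseWUServer        = $au.UseWUServer        # 1 = use the WSUS server above
        TargetGroupEnabled = $p.TargetGroupEnabled  # 1 = client-side targeting requested
        TargetGroup        = $p.TargetGroup         # group name set by GPO or registry
    }
}

function Test-WsusEndpoint {
    param([Parameter(Mandatory)][string]$WUServer)
    # The two URLs the question verified, built from the configured server.
    foreach ($path in '/selfupdate/iuident.cab', '/ClientWebService/client.asmx') {
        $url = $WUServer.TrimEnd('/') + $path
        try {
            $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
            [pscustomobject]@{ Url = $url; Ok = $true; Detail = "HTTP $([int]$r.StatusCode)" }
        } catch {
            [pscustomobject]@{ Url = $url; Ok = $false; Detail = $_.Exception.Message }
        }
    }
}

$policy = Get-WsusClientPolicy
$policy | Format-List
$findings = @()
if ($policy.UseWUServer -ne 1)   { $findings += 'UseWUServer is not 1: client is not told to use WSUS.' }
if (-not $policy.WUServer)       { $findings += 'WUServer is empty: the WSUS GPO has not applied.' }
if (-not $policy.WUStatusServer) { $findings += 'WUStatusServer is empty: no reporting server configured.' }
if ($policy.TargetGroupEnabled -eq 1 -and -not $policy.TargetGroup) {
    $findings += 'TargetGroupEnabled is 1 but TargetGroup is empty.'
}
if ($policy.TargetGroupEnabled -eq 1) {
    # WSUS ignores TargetGroup unless Options > Computers uses Group Policy/registry settings.
    $findings += "Client requests group '$($policy.TargetGroup)'; needs client-side targeting on the server."
}
if ($policy.WUServer) { Test-WsusEndpoint -WUServer $policy.WUServer | Format-Table -AutoSize }
$findings | ForEach-Object { Write-Warning $_ }

# Recent Windows Update client events, for the Event Viewer question above.
Get-WinEvent -LogName 'Microsoft-Windows-WindowsUpdateClient/Operational' -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
```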
