DolleEdward-3388 asked DolleEdward-3388 answered

2019 Servers Not Connecting to WSUS

I have built three Windows 2019 VMs and none of them are joining the WSUS server.

I have done the following troubleshooting to no avail:

Verified the servers are in the correct IP network.
Verified the servers are in the correct AD group.
Verified that the servers are part of the correct GPO and that the WSUS group policy is enabled and enforced.
Verified that the servers can reach these two links:
http://server.domain.local:8530/selfupdate/iuident.cab
http://server.domain.local:8530/ClientWebService/client.asmx
Verified that the servers can ping the WSUS servers via their domain name.
Verified that IPv6 is not enabled. It is not enabled on any of our servers.
Solarwinds is not monitoring these servers yet.
Verified that the registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer is set to 1.
Verified that the servers are trying to get updates from the WSUS.
No SCCM in the system.
Server Cleanup Wizard ran successfully last week.

What could be causing these not to show up?

windows-server-update-services
DolleEdward-3388 answered

OK, I moved one of these servers to the AD group that points to the on-prem WSUS server and it showed up.
Now I have a new question - why is the WSUS server at the hosting site not discovering new servers but the on-prem one is? The only difference I see between the two is the hosting site has WID Connectivity and WSUS Services installed and the on-prem one does not.

DolleEdward-3388 answered

After running Dev server patching this past weekend the new 2019 server in this environment never ran the patches according to the GPO settings that are applied to it. I have moved it into a different OU to see if the on-prem WSUS server picks it up and will report back status tomorrow.

Any other ideas on why this is not working would be appreciated.

DolleEdward-3388 answered AJTek-Adam-J-Marshall commented

I think they are in there too. Is it better to run the WSUS console on my PC or on the WSUS server itself?


On a client PC using RSAT tools

You should take 3 hours and watch the 2 videos from Dan Holme that I have on my guide here:

https://www.ajtek.ca/guides/role-based-access-security/

It will open your eyes on a really sweet way to manage AD - including a custom MMC that has all the snap-ins.

Windows Admin Center is the 'new way' of doing things which takes the same principles of the custom MMC, however it's not there yet - and certainly doesn't work with WSUS.

1 Vote 1 ·
DolleEdward-3388 answered AJTek-Adam-J-Marshall commented

OK, I will review it. In the meantime, any idea on why the server doesn't show up in the console? The Windows Update log shows the correct IP address and port and it looks like it downloaded updates from the WSUS server, but I am not sure.


Check "All Computers" with status of "Any"

It's likely in here. If not, re-run the client side script - if there are duplicate WsusClientId's then this will 'populate' as "another" computer and you'll never see it.

0 Votes 0 ·
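
An added example, not part of the thread or of the guide it links to: a read-only check for the duplicate-ID case described in the comment above. It assumes PowerShell remoting is enabled on the servers; the server names are hypothetical placeholders. The ID the comment calls WsusClientId is stored on the client in the `SusClientId` registry value.

```powershell
# Added example: report servers that share a Windows Update client ID.
# Read-only; nothing on the clients is changed.
$servers = 'SRV2019-01', 'SRV2019-02', 'SRV2019-03'   # hypothetical names

$ids = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ScriptBlock {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        SusClientId = $p.SusClientId      # $null if the client has never registered
    }
}

# Servers that did not answer cannot be ruled in or out.
$unreachable = $servers | Where-Object { $_ -notin $ids.PSComputerName }
if ($unreachable) { Write-Warning "No answer from: $($unreachable -join ', ')" }

# Two machines with the same ID appear in WSUS as one computer that keeps
# changing its name, so one of them never seems to show up.
$dupes = $ids | Where-Object SusClientId |
    Group-Object SusClientId | Where-Object Count -gt 1

if ($dupes) {
    foreach ($d in $dupes) {
        'Duplicate SusClientId {0}: {1}' -f $d.Name, ($d.Group.Computer -join ', ')
    }
} else {
    'No duplicate SusClientId among the servers that answered.'
}

$ids | Sort-Object SusClientId | Format-Table Computer, SusClientId -AutoSize
```

Duplicates typically come from VMs cloned from an image that had already contacted WSUS.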
AJTek-Adam-J-Marshall answered

Take some time to review my guide - it makes things much easier. I'd also recommend reading other guides on my site as they will give you so much information.

If you wanted to keep your current structure, you'd create a GPO for your Production Servers, and apply it to the OU - any computer placed in that OU will be automatically directed to the Production Servers Group in the WSUS Console - automatically without manual adjustments. If you delete the computer object and run the client side script, it will re-appear automatically in the Production Servers group in the WSUS Console, again, without manual adjustments.

So much nicer and easier.

DolleEdward-3388 answered

We have GPOs for the three environments but the normal course of action is a new server is put into a group, either on-prem server or hosting site server. Then we connect to the WSUS console and check Unassigned Computers. Once they show up there we move the server into one of the other groups.

AJTek-Adam-J-Marshall answered

If you change it to Computer Targeting - you need to use GPO or Registry edits to ensure the computers are moved into place.

See part 4 and 5 of my guide

https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-4-creating-your-gpos-for-an-inheritance-setup/
https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-5-linking-your-gpos-inheritance-is-your-friend/

If you change to computer targeting, you don't manually move computers - the GPO does it for you.

If you don't plan your computer targeting beforehand, I'm pretty sure the existing computers will move to the unassigned computers group unless they've been targeted to another computer group via GPO/Registry.
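
An added example, not from the thread or the linked guide: a script to run on one of the affected clients that shows which WSUS server the applied policy actually points at and which target group it requests, then repeats the two URL checks from the question against that server. It reads only the standard Windows Update policy values and changes nothing.

```powershell
# Added example: what does the applied policy on THIS client say?
$wu  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$pol = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
$au  = Get-ItemProperty -Path "$wu\AU" -ErrorAction SilentlyContinue

[pscustomobject][ordered]@{
    UseWUServer        = $au.UseWUServer
    WUServer           = $pol.WUServer
    WUStatusServer     = $pol.WUStatusServer
    TargetGroupEnabled = $pol.TargetGroupEnabled
    TargetGroup        = $pol.TargetGroup
} | Format-List

if ($au.UseWUServer -ne 1 -or -not $pol.WUServer) {
    Write-Warning 'Policy does not point this client at a WSUS server.'
    return
}
if ($pol.WUStatusServer -and $pol.WUStatusServer -ne $pol.WUServer) {
    # The client registers with WUStatusServer, so it appears in that console.
    Write-Warning 'WUStatusServer differs from WUServer; check the console of the status server.'
}
if ($pol.TargetGroupEnabled -eq 1) {
    # Honoured only when the WSUS server option is set to
    # "Use Group Policy or registry settings on computers".
    "Client-side targeting requested; group(s): $($pol.TargetGroup)"
} else {
    'No client-side targeting; a new client lands in Unassigned Computers.'
}

# Same two endpoints the question tested, built from the policy value
# rather than typed by hand.
foreach ($path in '/selfupdate/iuident.cab', '/ClientWebService/client.asmx') {
    $url = $pol.WUServer.TrimEnd('/') + $path
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        '{0} -> HTTP {1}' -f $url, $r.StatusCode
    } catch {
        Write-Warning "$url failed: $($_.Exception.Message)"
    }
}
```

With two WSUS servers in play, as in this thread, comparing `WUServer` on a working and a non-working client shows quickly whether both are reporting to the console being watched.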

DolleEdward-3388 answered

I do not. It is set to use the Update Service console.

You know I am going to ask - will making this change break anything?

DolleEdward-3388 answered AJTek-Adam-J-Marshall commented

It is not showing up here:
129158-image.png




They should show up in Unassigned Computers. Then I move them to one of the environment groups.



Perhaps, perhaps not.

Do you have Computer Targeting enabled?
https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-2-computer-groups-update-views/

Now let’s turn on client side targeting as our computer groups are now created. Click on Options. Click on Computers and choose “Use Group Policy or registry settings on computers” and press OK.

Do they show up in All Computers with the Status of Any?

FYI - it's recommended you use computer targeting - it makes it SO MUCH easier.

0 Votes 0 ·
AJTek-Adam-J-Marshall answered

Just a question - when you say not showing up in the WSUS console - are you saying it's not showing up at all under "All Computers" with the Status of "Any", or not in the group you're expecting it to show up?

The client side script usually allows it to show up right away, and then report back 12-48 hours later.
