For more information on Patch Manager, visit: http://www.solarwinds.com/patch-manager.aspx
Tips & Solutions for Common WSUS Issues
Deployment
• Documentation
• Database Engine
• Target Group Management
Operations
• Superseded updates
• Server Cleanup Wizard
Diagnostics
• Content Downloading
• Duplicate SusClientID
• High CPU Utilization
• Client Diagnostics Tool
• WindowsUpdate.log
Common WSUS Issues in Deployment Operations and Diagnostics
1. Author
Lawrence Garvin, WSUS MVP
Common WSUS Issues in
Deployment, Operations, and
Diagnostics: Tips & Solutions
3. Deployment
Documentation
Release Notes (Must Read)
» http://go.microsoft.com/fwlink/?LinkId=71268 (WSUS v3 SP1)
» http://go.microsoft.com/fwlink/?LinkId=139840 (WSUS v3 SP2)
WSUS Overview (New to Windows Update or WSUS)
» http://go.microsoft.com/fwlink/?LinkId=71266
Step By Step Guide (First Time Installation)
» http://go.microsoft.com/fwlink/?LinkId=71267
Deployment Guide (Advanced Installations)
» http://go.microsoft.com/fwlink/?LinkId=79983
Operations Guide (How to Use WSUS)
» http://go.microsoft.com/fwlink/?LinkId=139828
TechNet Library (Online)
» http://technet.microsoft.com/en-us/library/dd939796(WS.10).aspx
4. Deployment
Database Engine
Windows Internal Database vs. SQL Server® Express
Edition
SQL Server Express limited to 4GB database size
» SQL 2008 R2 increases to 10GB
SQL Server Express limited to 1 CPU
SQL Server Express limited to 1GB RAM
Windows Internal Database not limited
5. Deployment
WSUS Target Groups
Two groups created at installation
» Unassigned Computers
» All Computers
Default group assignment methodology is Server-Side
Targeting
Groups defined in policy must be manually created on the
WSUS server
There is NO association between Active Directory® OUs and
WSUS Target Groups except that OUs are a method to
convey a policy setting to a group of client systems
6. Deployment
WSUS Target Groups
Grouping strategies:
» By installed operating system
• E.g. Windows XP®, Windows 2003, Windows 2008, Windows 7
» By function or purpose
• E.g. DomainControllers, SQL, Microsoft Exchange Server®
» By location
• E.g. Corporate, Seattle, Miami, Australia
» These strategies can all be used together
Groups can be hierarchical
Clients can belong to multiple groups
10. Deployment
WSUS Target Groups
WSUS Server = Server; Policy = Enabled
» Server will permit assignment of group memberships
» Client will ignore changes made at the server because it
believes it is authoritative
» Client will scan/report based on the group(s) assigned in the
GPO
11. Deployment
WSUS Target Groups
WSUS Server = GP; Policy = Not Enabled
» Server will prohibit assignment of group memberships
» Client will query WSUS Server for current group membership(s)
» Client will scan/report based on the group(s) last assigned at
the server
» New clients will be assigned to Unassigned Computers
12. Operations
Superseded Updates
Handling superseded updates
» All superseded updates will be reported as Needed until an
update in the chain is installed.
» The Windows Update Agent (WUA) can recognize a
superseded update and that a superseding update is available.
» Ensure update is superseded for all applicable platforms.
» Declining unneeded superseded updates assists in
performance by reducing WUA scanning overhead.
16. Operations
Server Cleanup Wizard
Recommended frequency of execution
» Minimum: The Server Cleanup Wizard should be executed at least
monthly. The most ideal time is after your monthly Patch Tuesday
cycle, when new updates have been approved, and the Agent has
now reported older updates as NotApplicable.
» Recommended: If you have auto-approval rules in place for
Definition Updates, particularly for Forefront Client Security, you
should be using the Server Cleanup Wizard on a weekly basis.
17. Operations
Server Cleanup Wizard
Recommended order of execution
1. Delete computers – reducing number of computers in the database
reduces the query effort to identify machines with “Needed” updates in later
phases.
2. Decline expired updates – This is usually a very short list, particularly if the
option to auto-decline expired revisions is approved.
3. Decline superseded updates – The update must not have an active
approval or be reported as needed by any client. Older updates that were
approved previously must be manually reset to Not Approved.
4. Delete expired updates/revisions – This is the most resource intensive step
because it requires removing rows from the database, which requires the
rewriting of associated index files.
5. Delete unneeded files – Once all updates have been set to the correct
approval status or deleted, then the deletion of files will have the most
effective result.
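The same five steps can be run one at a time, in the order above, through the WSUS administration API. This is an added example, not part of the original slides; it assumes it is run on the WSUS server with the administration console installed, and the mapping of each wizard step to `CleanupScope` properties is this example's assumption.

```powershell
# Added example: run each cleanup step separately, in the recommended order.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus    = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$manager = $wsus.GetCleanupManager()

# Wizard step -> CleanupScope properties (mapping assumed by this example).
$steps = @(
    @{ Step = '1. Delete computers';                 Flags = @('CleanupObsoleteComputers') },
    @{ Step = '2. Decline expired updates';          Flags = @('DeclineExpiredUpdates') },
    @{ Step = '3. Decline superseded updates';       Flags = @('DeclineSupersededUpdates') },
    @{ Step = '4. Delete expired updates/revisions'; Flags = @('CleanupObsoleteUpdates', 'CompressUpdates') },
    @{ Step = '5. Delete unneeded files';            Flags = @('CleanupUnneededContentFiles') }
)

foreach ($s in $steps) {
    # A new scope starts with every option off; enable only this step's flags.
    $scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
    foreach ($flag in $s.Flags) { $scope.$flag = $true }

    $timer = [Diagnostics.Stopwatch]::StartNew()
    try {
        $result = $manager.PerformCleanup($scope)
    }
    catch {
        # Stop here so later steps never run ahead of an unfinished earlier one.
        Write-Warning "$($s.Step) failed after $($timer.Elapsed): $($_.Exception.Message)"
        break
    }

    Write-Host "$($s.Step) completed in $($timer.Elapsed)"
    $result | Format-List
}
```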
18. Operations
Server Cleanup Wizard
Special considerations for use in a Replica environment.
» Assign all approvals/declinations; complete all downloads.
» Synchronize all servers and verify servers are idle.
» Disable synchronization on all servers.
» Run Server Cleanup Wizard on all servers.
» Manually synchronize all servers and confirm no unexpected changes.
» Re-enable synchronization on all servers.
19. Diagnostics
Content Downloading – General Notes
Apparent slow downloading – Understanding BITS
Issues affecting download failures on the WSUS Server are logged
in the Application Event Log of the WSUS Server
There are two commonly encountered download failures:
» HTTP v1.1 Range Protocol Header
» Write Access Denied on non-SYSVOL volume
20. Diagnostics
Content Downloading – Range Protocol Header
The Background Intelligent Transfer Service (BITS) requires the
use of HTTP v1.1 Range Protocol Headers in order to support
download and resume functionality.
Some third party firewall and proxy server appliances and software
either do not support, or have not been properly configured by
default, to support the full capabilities of HTTP v1.1.
Most notably this occurs in older SonicWall appliances.
» SonicWall has documented the necessary configuration changes on
their support website.
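One way to check whether a firewall or proxy in the path passes Range requests, written for this page and not taken from the original slides: request the first 100 bytes of a file and confirm the reply is `206 Partial Content` with a matching `Content-Range`. The function name and the URL placeholders are hypothetical.

```powershell
# Added example: test whether an HTTP/1.1 Range request survives the network path.
function Test-HttpRangeSupport {
    param(
        [Parameter(Mandatory = $true)][string]$Url,  # file reached through the device under test
        [string]$ProxyUrl                            # optional explicit proxy
    )

    $request = [System.Net.HttpWebRequest][System.Net.WebRequest]::Create($Url)
    $request.AddRange(0, 99)                         # sends "Range: bytes=0-99"
    if ($ProxyUrl) { $request.Proxy = New-Object System.Net.WebProxy($ProxyUrl) }

    try {
        $response = $request.GetResponse()
    }
    catch {
        # An HTTP error status still carries a response worth reporting.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        if (-not $ex -or -not $ex.Response) { throw }
        $response = $ex.Response
    }

    try {
        $status       = [int]$response.StatusCode
        $contentRange = $response.Headers['Content-Range']
        New-Object PSObject -Property @{
            Url           = $Url
            StatusCode    = $status
            ContentRange  = $contentRange
            ContentLength = $response.ContentLength
            # 200 with the full length means the Range header was dropped or ignored.
            RangeHonored  = ($status -eq 206 -and $contentRange -like 'bytes 0-99/*')
        }
    }
    finally {
        $response.Close()
    }
}

# Placeholder URLs; substitute a file the WSUS server actually downloads.
# Test-HttpRangeSupport -Url 'http://<server>/<path-to-file>'
# Test-HttpRangeSupport -Url 'http://<server>/<path-to-file>' -ProxyUrl 'http://<proxy>:<port>'
```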
21. Diagnostics
Content Downloading – Access Denied
A long standing defect in the .NET Framework v2.0 installer fails to
properly configure permissions for the NT AUTHORITY\Network
Service account on volumes other than SYSVOL.
When WSUS is then configured to place the ~\WSUSContent
folder on a non-SYSVOL volume, WSUS is unable to write to the
content store.
22. Diagnostics
Content Downloading – Access Denied
The remediation is to add READ
permissions to the ROOT of the
non-SYSVOL volume for the
Network Service account.
23. Diagnostics
Duplicate SusClientID
Caused, almost exclusively, by cloning physical or virtual machines
from a master image containing a SusClientID registry value.
Manifests in a number of different possible ways.
» The most common is by the continual appearance and
disappearance of machines in the WSUS Admin Console, marked by
a fixed number of machines always in the list. The fixed number
indicates the actual number of unique SusClientIDs in the
environment.
» It may also manifest as error codes 0x80070002, 0x80070006,
0x80072ee2, 0x80072efd, 0x80072efe, 0x8007400D, or 0x80244015
in the WindowsUpdate.log.
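To see how often these codes occur on a client, the log can be tallied by code and reporting component. This is an added example, not part of the original slides; the function name is hypothetical, the sample lines are constructed, the tab-separated field layout is an assumption, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: tally the error codes listed above in WindowsUpdate.log.
$codes = '0x80070002', '0x80070006', '0x80072ee2', '0x80072efd',
         '0x80072efe', '0x8007400D', '0x80244015'

function Get-WuErrorSummary {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [AllowEmptyString()][string]$Line
    )
    begin { $pattern = $codes -join '|'; $hits = @() }
    process {
        if ($Line -match $pattern) {          # -match is case-insensitive
            # Assumed layout: tab-separated date, time, PID, TID, component, text.
            $field = $Line -split "`t"
            $hits += [pscustomobject]@{
                Code      = $Matches[0].ToLower()
                Date      = $field[0]
                Component = $field[4]
            }
        }
    }
    end {
        $hits | Group-Object Code | Sort-Object Count -Descending | ForEach-Object {
            [pscustomobject]@{
                Code       = $_.Name
                Count      = $_.Count
                Components = @($_.Group | ForEach-Object { $_.Component } | Sort-Object -Unique) -join ','
                LastSeen   = @($_.Group | ForEach-Object { $_.Date } | Sort-Object)[-1]
            }
        }
    }
}

# Constructed sample lines (not real log output).
$sample = @(
    "2011-03-08`t09:14:02:118`t912`t4a0`tAgent`tWARNING: sample text, error 0x80244015",
    "2011-03-08`t09:14:02:120`t912`t4a0`tAU`tWARNING: sample text, error 0x80244015",
    "2011-03-09`t10:01:44:007`t912`t5b4`tMisc`tWARNING: sample text, error 0x80072EE2",
    "2011-03-09`t10:02:10:300`t912`t5b4`tAgent`tsample line without an error code"
)
$sample | Get-WuErrorSummary | Format-Table -AutoSize

# Against a real client:
# Get-Content "$env:windir\WindowsUpdate.log" | Get-WuErrorSummary
```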
24. Diagnostics
Duplicate SusClientID
With WUA v5.8 (WSUS v2), this issue was resolvable by using the -reseal
parameter with sysprep. This worked because the WUA also maintained a
value named AccountDomainSID, and used that value to determine whether the
SusClientID needed to be regenerated (any time the AccountDomainSID
no longer matched the machine SID).
This 'feature' was removed in the WUA v7 (WSUS v3) client, leaving
'sysprep -reseal' a non-functional solution to this issue.
Good News!: New capabilities have been added to the WUA v7.4 (WSUS
v3 SP2) client, which will now auto-detect the presence of duplicate
SusClientIDs and automatically generate a new (unique) SusClientID.
25. Diagnostics
Duplicate SusClientID
Best: Upgrade to WSUS v3 SP2 and WUAgent v7.4
Preferred: Remove the SusClientID value from the master image
before cloning.
Post-cloning: Remove the SusClientID value from each cloned
machine and restart the AU service (or reboot).
See KB903262 for remediation details:
» http://support.microsoft.com/kb/903262
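The post-cloning and master-image remediations above, as an added example that is not part of the original slides or of KB903262. The function name and the `-MasterImage` switch are hypothetical; the `SusClientIdValidation` value is not named on the slide and is cleared here as this example's assumption. Run it elevated.

```powershell
# Added example: remove the SusClientID value and let the client generate a new one.
function Reset-SusClientId {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$MasterImage   # hypothetical: clean an image before capture, leave the service stopped
    )

    $key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
    $values = 'SusClientId', 'SusClientIdValidation'

    # Record the old ID so clones sharing it can be recognised afterwards.
    $oldId = (Get-Item -Path $key).GetValue('SusClientId')

    # Stop the Automatic Updates service so it cannot rewrite the values.
    Stop-Service -Name wuauserv -Force

    foreach ($name in $values) {
        $present = $null -ne (Get-Item -Path $key).GetValue($name)
        if ($present -and $PSCmdlet.ShouldProcess("$key\$name", 'Remove registry value')) {
            Remove-ItemProperty -Path $key -Name $name
        }
    }

    if (-not $MasterImage) {
        # Cloned machine: restart the service and re-register with the WSUS server.
        Start-Service -Name wuauserv
        if ($PSCmdlet.ShouldProcess('wuauclt.exe', 'Reset authorization and detect')) {
            & "$env:windir\System32\wuauclt.exe" /resetauthorization /detectnow
        }
    }

    # Return the ID that was removed.
    $oldId
}

# Preview without changing anything:   Reset-SusClientId -WhatIf
# On a cloned machine:                 Reset-SusClientId
# On the master image, before capture: Reset-SusClientId -MasterImage
```

With `-MasterImage` the service is left stopped; capture the image before it starts again, otherwise a new ID is generated and baked into the image.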
26. Diagnostics
SVCHOST.EXE 100% CPU Utilization
WSUS v2.0/WUA v5.8 (Upgrade to WSUS 3.0 SP1 and apply
KB927891)
WUA v7.1.6000.65, the WSUS 3.0 SP1 native client (Upgrade
WSUS to Service Pack 2 and update WUA to v7.4.7600.226)
Large number of updates installed on Microsoft Office® 2003
(Reinstall Office 2003; apply Service Pack 3)
Outlook® 2003 installed on Office XP® (SBS2003 environments
with Office XP on desktop) (Upgrade Office XP to Office 2003)
Undeclined superseded updates on WSUS server (Decline
superseded updates)
27. Diagnostics
SVCHOST.EXE 100% CPU Utilization
WUA v7.4.7600.226, the WSUS 3.0 SP2 native client and a conflict
with the Group Policy setting “Download missing COM
components”
» http://social.technet.microsoft.com/Forums/en-US/winserverwsus/thread/daf131c5-6a4f-45d1-a03f-c39cea436b6f
28. Diagnostics
Client Diagnostics Tool
is a console application (command-line only)
is a 32-bit application (not available for 64-bit)
was written for WSUS v2 (knows nothing about WSUS v3)
can be downloaded from the MS Download Center or from the
“Tools and Utilities” link on the WSUS Home Page
» http://download.microsoft.com/download/9/7/6/976d1084-d2fd-45a1-8c27-a467c768d8ef/WSUS%20Client%20Diagnostic%20Tool.EXE
29. Diagnostics
Client Diagnostics Tool
Tests four areas of interest
The machine state (Rights, Services, WUA version)
AU Settings
Proxy Configuration (WinHTTP, IE)
Ability to connect to the WSUS Server (selfupdate).
35. Diagnostics
WindowsUpdate.log
Located in %windir% (usually C:\WINDOWS)
Is a rolling log file (~30 days or 2MBytes)
Detailed analysis guide contained in KB902093
Key areas of interest:
» Service startup
» Selfupdate Check
» Detection
» Downloading
» Reporting
49. Helpful Resources
Hope these tips help you quickly solve your
WSUS errors. To free up more of your time, try
SolarWinds Patch Manager
50. Author: Lawrence Garvin, WSUS MVP
Thank You!
Feedback or questions
lawrence.garvin@solarwinds.com