April 2006 - Posts
I just noticed a Warning Alert in MOM Operator Console and it says:
DESCRIPTION
Unable to expand message 17055 [-1073724769] 18265 Log backed up: Database: SADAD_AX30_SP3_Live, creation date(time): 2005/02/01(12:50:12), first LSN: 3655:705:1, last LSN: 3655:765:1, number of dump devices: 1, device information: (FILE=1, TYPE=DISK: {'E:\SQL2000\MSSQL\...\....200604301345.TRN'}). Name: SQL Server is unable to collect events due to insufficient permissions
and as the rule says 'SQL Server is unable to collect events due to insufficient permissions' (Microsoft SQL Server\SQL Server 2000\SQL Server 2000 Event Collection).
CAUSE
Then I started to trace the reason for this event, and it was due to a change in the MOM service account. Previously, the MOM service was running under the NT AUTHORITY\SYSTEM (aka LOCAL SYSTEM ACCOUNT) context, and it had all the required permissions on the SQL installation (MSSQL directory). When I changed this to the MOM ACTION ACCOUNT using 'Update Agent Settings' in the administrator console, it started to run under the NT AUTHORITY\NetworkService context with these warning alerts.
WORKAROUND
I found that NT AUTHORITY\NetworkService does not have enough permission on the SQL installation (MSSQL directory). So, to troubleshoot this error, I added Read & Execute permission for NT AUTHORITY\NetworkService on the SQL installation directories (MSSQL directory - %programfiles%\Microsoft SQL Server\). Problem solved!
Are there any known issues if WSUS is installed on OWA Server?
Personally, I wouldn't install WSUS on OWA or any Exchange Server. But it is a totally supported configuration. Note that WSUS will be installed on a new site - the "WSUS Administration" site on TCP PORT 8530 and SSL 8531.
OWA by default will be installed on Default Web Site (on TCP PORT 80 and SSL 443) which can have Secure Sockets Layer (SSL) encryption to provide the secure method for accessing OWA. By enabling SSL on the Exchange Server virtual directory, the URL used to access will change from HTTP:// to HTTPS://
In that case, ClientWebService & Selfupdate virtual directories which are in Default Web Site have to be excluded from SSL encryption or else Selfupdate will not work.
Is it possible to configure WSUS to delete older computers which are not reported in WSUS for quite a time?
To clean up the old computer objects, use CleanStaleComputers from Windows Server Update Services API Samples and Tools.
CleanStaleComputers: This sample application removes computers from the Update Services server that have not contacted the server in a specified number of days.
USAGE:
CLEANSTALECOMPUTERS /DAYS:[1-365] /DELETE:{YES | NO} /PROMPT:{YES | NO}
/DAYS. Days since the computer contacted the server
/DELETE. Delete from the Update Services server or move to the Stale computers group
/PROMPT. Prompt before moving/deleting computers
WSUS Product Team has heard this request and the capability to clean old stale computers is under consideration for the next version along with the ability to clean up old/superseded updates from the tool.
MORE INFORMATION
Windows Server Update Services API Samples and Tools
http://download.microsoft.com/download/8/d/0/8d068114-bd66-4fde-a04c-aeaa9d1fe640/Update%20Services%20API%20Samples%20and%20Tools.EXE
What can you expect in WSUS 3.0?
http://msmvps.com/blogs/athif/archive/2006/04/12/What_can_you_expect_in_WSUS_3_0.aspx
You see the following warning in WindowsUpdate.log - Reporter failed to upload events with hr = 80244008.
2006-04-25 14:02:20 928 e74 PT WARNING: GetConfig failure, error = 0x80244008, soap client error = 8, soap error code = 0, HTTP status code = 200
2006-04-25 14:02:20 928 e74 Report WARNING: Reporter failed to upload events with hr = 80244008.
2006-04-25 14:04:28 908 b0 PT WARNING: GetConfig failure, error = 0x80244008, soap client error = 8, soap error code = 0, HTTP status code = 200
2006-04-25 14:04:28 908 b0 Report WARNING: Reporter failed to upload events with hr = 80244008.
2006-04-25 14:04:28 908 b0 PT WARNING: GetConfig failure, error = 0x80244008, soap client error = 8, soap error code = 0, HTTP status code = 200
2006-04-25 14:04:28 908 b0 Report WARNING: Reporter failed to upload events with hr = 80244008.
This happens if the tbEventInstance table exceeds 1 million events, which then blocks the client computers from reporting back to the WSUS server. In this case, you might want to reconsider the WUA detection cycle (I have seen the same symptoms where the detection cycle was set to every 1-3 hours) and delete all the current events from the tbEventInstance table.
Try the hot fix and workaround mentioned in the article http://support.microsoft.com/default.aspx?scid=kb;en-us;909131
WSUS is not downloading Windows Defender Updates. Why?
Windows Defender updates will be classified as "Definition Updates" (the updates are titled "Definition Update 1.14.XXXX.X for BETA Windows Defender"). Open WSUSAdmin Console - Click on Options - Click on Synchronization Options - Click on Products and Classifications - You need to select "Windows Defender" under "Products Category" and "Definition Updates" under "Update Classifications" - Click OK and save settings.
WUA is not detecting Windows Defender Updates. Why?
Once the WD updates are synchronized on WSUS, you need to approve Definition Updates for Detection. Open WSUSAdmin Console - Click on Options - Click on Automatic Approval Options - Click on Approve for Detection - Click on Add/Remove Classifications - Select Definition Updates - Click OK and save the settings.
Similarly, you can automatically approve for installation.
NOTE:
Windows Defender (Currently Beta2) must be installed on the client for which you are approving Definition Updates. Windows Defender is currently available to a limited group of Beta testers. For more information about Windows Defender and Microsoft's stance on spyware see:
http://www.microsoft.com/athome/security/spyware/default.mspx
DnldMgr * Updates to download = 1
Agent * Title = Definition Update 1.14.1288.5 for BETA Windows Defender (KB915597)
MORE INFORMATION
Windows Defender Team Blog
http://blogs.technet.com/antimalware/archive/2005/11/04/413700.aspx
New updates available for beta2 Windows Defender today
http://blogs.technet.com/wsus/archive/2006/02/13/New_updates.aspx
New Product Category & Classification for Windows Defender
http://blogs.technet.com/wsus/archive/2006/01/16/417545.aspx
WSUS is not downloading Malicious Software Removal Tool (MSRT). Why?
The Malicious Software Removal Tool is in the Update Rollup category. Make sure you have selected Update Rollups to synchronize with MU. The Update Rollups classification is not selected by default; you must select "Update Rollups" under "Update classifications" to synchronize with MU.
When you select "Update Rollups" under "Update classifications", you might notice that other roll-up packages (like Update Rollup for Windows XP, etc.) are seen in the WSUSAdmin console. Note that only metadata for those rollups will be downloaded, and the update files will not be downloaded unless you approve them for "Install".
How do I verify whether the MSRT removal tool has run on a client computer?
You can examine the value data for following registry entry to verify the execution of the tool.
Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT
Entry name: Version <GUID> (d0f3ea76-76c8-4287-8cdf-bdfee5e446ec)
Every time the tool is run, independent of the results of the execution, the tool will record a GUID to the registry to indicate that it has been executed. You can find the list of version GUIDs on http://support.microsoft.com/?kbid=891716&SD=tech#E2ACAAA
How do I change the WSUS Replica Server mode as the Master Server (USS)?
You will need to uninstall WSUS including the WSUS database (but you can let the "Downloaded update files" continue to be installed so that you don't have to re-download all the content again), and then install WSUS again.
Is it possible to set the locale of the replica server to be different from the parent server?
Unfortunately, this scenario is not possible with WSUS 2.0. The configuration of the replica child server is always exactly the same as the replica parent - same language settings, same filter settings for Products and Update Classifications. All configuration of a replica server is performed at the master server only.
Is it possible to set the Replica server to download the content from Microsoft?
NO, WSUS Replica Server can only download the content from WSUS Master Server (USS). This is something WSUS Team is looking into for the next release however. For more information on future release take a look at - What can you expect in WSUS 3.0?
How do I create Target Groups on Replica Server?
If a downstream child server needs additional target groups unique to it, those will have to be created on the upstream server only and that will be replicated to the DSS.
How do I see a report of machines configured to use Replica Server?
You have to connect to each replica server to see a report of machines configured to use the Replica Server. WUA can only report to the WSUS server it is configured to get the updates from, and it will only be visible at that WSUS server. Microsoft has published a WSUS Reporting Rollup Sample Tool to demonstrate centralized monitoring and reporting for WSUS. The tool rolls up update and computer status from all the WUS servers in your WSUS implementation in a single report. More information on http://www.wsuswiki.com/WsusRollupToolSample.
WSUS Replica Server failed to approve some updates. Why?
ApplicationException: Failed to approve some updates ---> System.Data.SqlClient.SqlException: Timeout expired. The timeout period elapsed prior to completion of the operation or the server is not responding.
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.CatalogSyncThreadProcessReal(Boolean allowRedirect)
For WSUS database timeout errors, create extra indexes for the WSUS database to improve performance. More information on Timeout Approving Updates in WSUS/ Approving updates takes long time in WSUS.
WSUS Replica Server Failed to approve some expired updates on WSUS Replica Server (DSS)
ApplicationException: Failed to approve some updates ---> System.Data.SqlClient.SqlException: Explicit deployments to updates that are expired are not allowed.
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.CatalogSyncThreadProcessReal(Boolean allowRedirect)
Expired Updates cannot be synchronized to DSS. More information on http://msmvps.com/blogs/athif/archive/2006/05/13/94665.aspx
Note:
In this blog entry, WSUS Replica Server / WSUS Child Server means WSUS Down Stream Server (DSS) and WSUS Master Server means WSUS Upstream Server (USS).
Justin Harter - MOM MVP has an excellent write up on HOW TO "Create a Task to Display Service Packs & Hotfixes" for selected MOM AGENT in MOM Operator Console which can be downloaded from MOM GUIDES on MOMresources.com.
The procedure to create the task is achieved by a simple WMIC command (one line):
wmic /node:$Computer Name$ qfe GET description,hotfixid,installedby,installedon,servicepackineffect
But there is a known issue if $Computer Name$ contains special characters like '-' or '/'. For instance, if your $Computer Name$ = RIYADH-DC-01, then you will see an 'Invalid Global Switch' message in the output window when you run this task.
To run this task successfully, you might want to edit the Task Command line as follows:
wmic /node:'$Computer Name$' qfe GET description,hotfixid,installedby,installedon,servicepackineffect
Note the single quotes ('') around $Computer Name$.
PREVIOUS COMMAND:
wmic /node:$Computer Name$ qfe GET description,hotfixid,installedby,installedon,servicepackineffect
NEW COMMAND:
wmic /node:'$Computer Name$' qfe GET description,hotfixid,installedby,installedon,servicepackineffect
Justin, if you are reading this blog entry then kindly edit it in your PDF file. Once again thanks for the documentation :-)
If you are looking for some .vbs script to query / enumerate installed hotfixes, then check out http://msmvps.com/blogs/athif/archive/2005/11/20/76035.aspx
Is WSUS compatible with SQL Server 2005?
SQL 2005 (any edition) is not a supported environment for WSUS 2.0. Officially WSUS is not supported on SQL Server 2005 by Microsoft, at this time.
However, I have seen some folks in the community successfully installing WSUS 2.0 on SQL Server 2005. It's an "unsupported" configuration at this time. It is recommended to install WSUS on SQL 2000 instead of SQL 2005.
Referring to my previous blog entry What can you expect in WSUS 3.0?, WSUS Admins were curious to know more about the future release!!!
...You will be pleased to know that Microsoft will be talking about WSUS 3.0 release at the Microsoft Management Summit (www.mms2006.com) mid next week. Way to go!
Heads up from WSUS Product Team - WSUS New Category: Windows Live™. Today you will see a new product category in WSUS for Windows Live. Updates will be offered for both beta and final products, and will include security updates, critical updates, and tools.
SYMPTOMS
You see the following in Status of Downloads during WSUS synchronization with MU, and the synchronization hangs:
Status of Downloads
Updates needing files: 44
Downloading 20.62 MB of 526.00 MB
You see the following error in Application Event Log;
Event Type: Error
Event Source: Windows Server Update Services
Event Category: Synchronization
Event ID: 364
Description:
Content file download failed. Reason: The server does not support the necessary HTTP protocol. Background Intelligent Transfer Service (BITS) requires that the server support the Range protocol header.
Source File: /msdownload/update/v3-19990518/cabpool/windowsxp-kb329441-x86-deu_add906039f76792094f57cc70f55397.exe
Destination File: D:\WSUS\WsusContent\02\894D6674015D614B6933A109FB3BA02D7466D202.exe.
You also see the following in TO DO List in WSUSAdmin Console;
To Do List
Check your server configuration
One or more Update Service components could not be contacted. Check your server status and ensure that the Windows Server Update Service is running. Non-running services: ContentSyncAgent, WSUSService.
And when you restart WSUSservice, you see the following error in Application Event Log;
Event Type: Error
Event Source: Windows Server Update Services
Event Category: Update Services Service
Event ID: 424
Description:
The content synchronization agent did not respond within the expected timeout.
CAUSE
This is most likely a problem with a proxy server or firewall (that you have) that does not support HTTP 1.1 Range Requests. BITS downloads commonly use HTTP 1.1 range requests while running in the background download mode. If you have a proxy or firewall that either blocks these requests or does not fully support them, you might run into this issue.
Enable HTTP 1.1 Range Requests from FIREWALL
If you have a SonicWALL device on your network then, you can use the following steps to resolve this issue:
- Navigate to http://<your_router_IP_address>/diag.html from a computer on your network (by default this URL will be http://192.168.168.168/diag.html).
- Enable the setting to allow HTTP byte range requests in the gateway anti-virus filtering process.
- Reboot the SonicWALL firewall device.
- Attempt to download again.
Contact your firewall support for the procedure to enable HTTP 1.1 Range Requests.
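One way to confirm the cause described above, as an added example that is not part of the original post: a Python probe that sends a ranged GET and checks for 206 Partial Content with a matching Content-Range. The function names, the loopback demo server and its /ok and /stripped paths are constructed for illustration; point probe() at any large static file reachable through the suspect proxy or firewall.

```python
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CONTENT_RANGE = re.compile(r"bytes (\d+)-(\d+)/(\d+|\*)")


def classify_range_response(status, headers, body_len, first, last):
    """Return (ok, reason) for a reply to 'Range: bytes=first-last'."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 200:
        return False, "range ignored (200 with full body)"
    if status != 206:
        return False, f"unexpected status {status}"
    m = CONTENT_RANGE.fullmatch(hdrs.get("content-range", "").strip())
    if not m:
        return False, "206 without a valid Content-Range header"
    start, end = int(m.group(1)), int(m.group(2))
    if start != first or end > last or body_len != end - start + 1:
        return False, "206 but returned bytes do not match the request"
    return True, "range honoured (206 Partial Content)"


def probe(url, proxy=None, first=0, last=99, timeout=15):
    """Send one ranged GET; proxy=None forces a direct connection."""
    proxies = {"http": proxy, "https": proxy} if proxy else {}
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    req = urllib.request.Request(url, headers={"Range": f"bytes={first}-{last}"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read(last - first + 2)  # one extra byte exposes over-long replies
            return classify_range_response(resp.status, resp.headers, len(body), first, last)
    except urllib.error.HTTPError as exc:
        return classify_range_response(exc.code, exc.headers, 0, first, last)


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed loopback server: /ok honours Range, /stripped ignores it."""
    DATA = bytes(range(256)) * 4  # constructed 1024-byte payload

    def do_GET(self):
        m = re.fullmatch(r"bytes=(\d+)-(\d+)", self.headers.get("Range", ""))
        if self.path == "/ok" and m:
            a, b = int(m.group(1)), min(int(m.group(2)), len(self.DATA) - 1)
            body = self.DATA[a:b + 1]
            self.send_response(206)
            self.send_header("Content-Range", f"bytes {a}-{b}/{len(self.DATA)}")
        else:
            body = self.DATA
            self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def run_demo():
    """Probe both constructed endpoints and return their (ok, reason) results."""
    srv = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        return probe(base + "/ok"), probe(base + "/stripped")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(run_demo())
```

A "range ignored" result for a URL that returns 206 over another network path points at the intermediary rather than the origin server.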
WORKAROUND
If you are unable to resolve this issue from the proxy/firewall side, then try these steps as a workaround on the WSUS server:
1. Set BitsDownloadPriorityForeground=1 using osql.exe on the WSUS SQL instance.
- net stop WSUSservice
- CD "%ProgramFiles%\Update Services\tools\osql"
- osql.exe -S <SQL instance name> -E -b -n -Q "USE SUSDB update tbConfigurationC set BitsDownloadPriorityForeground=1"
- net start WSUSservice
Notes
- When you run the above command line, you will get the output "(1 row affected)".
- The osql utility can be found under the "%ProgramFiles%\Update Services\Tools\osql" folder.
- Provide the server name with the -S parameter. [Replace <SQL instance name> with your SQL server if you are using SQL or %computername%\WSUS if you are using WMSDE]
2. OR, download the Server Diagnostic Tool and run WsusDebugTool.exe /Tool:SetForegroundDownload
Note
- The use of BITS caching with servers other than Microsoft Update or Software Update Services servers is not supported.
- The Microsoft Update cache rule calculates the size of an object based on its content length, and does not include the length of the headers.
MORE INFORMATION
Using Binary Delta Compression (BDC) Technology to Update Windows Operating Systems
http://www.microsoft.com/downloads/details.aspx?FamilyID=4789196c-d60a-497c-ae89-101a3754bad6&DisplayLang=en
Microsoft Update Caching
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/sp2.mspx#BITSCaching
Windows Server Update Services (WSUS) Support Tools
http://msmvps.com/blogs/athif/archive/2005/08/31/64767.aspx
SonicWALL firewall may interfere with Media Center guide downloads
http://blogs.msdn.com/astebner/archive/2005/11/23/496503.aspx
You see the following warning message in WindowsUpdate.log, "WARNING: Update Service: Failed to update backup store"
DtaStor WARNING: Update Service: Failed to update backup store.
Actually, you can ignore the "WARNING: Update Service: Failed to update backup store" message. Note that it is a warning, and not an error. It does not break the WUA and the updates are still detected and applied successfully.
However, there are a couple of things to check, viz.:
- Make sure the Automatic Update service is started and set to AUTOMATIC.
- Do not scan Microsoft Windows Update or Automatic Update related files with antivirus software, as this will lock the files. Exclude the following:
  - The Windows Update or Automatic Update database file - the Datastore.edb file in %windir%\SoftwareDistribution\Datastore.
  - The transaction log files - Edb*.log, Res1.log, Res2.log, Edb.chk, Tmp.edb located in %windir%\SoftwareDistribution\Datastore\Logs.
PROCEDURE TO REBUILD THE DATASTORE
To re-create the DATASTORE IF the Datastore.edb file is corrupted, follow this procedure;
- NET STOP WUAUSERV.
- Rename the %windir%\SoftwareDistribution folder and the %windir%\WindowsUpdate.log file.
- NET START WUAUSERV.
Quote from Bobbie Harder [WSUS PM]:
Hi Folks - after some investigation on this one it does in fact turn out to be a beginning warning log entry. Fundamentally when there is any corruption in the WUA datastore which contains the client's update history and status, detection logic and opt-in status to Microsoft Update, the database is rebuilt.
MORE INFORMATION
Virus scanning recommendations for computers that are running Windows Server 2003, Windows 2000, or Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;822158#ENACAAA
Scott Roberts posted an excellent VBScript on http://blogs.technet.com/exchange/archive/2006/04/12/425060.aspx which can detect or download just the IMF updates based on the parameter passed whilst executing the script. This script is very handy as it detects / downloads IMF updates only.
To enable IMF updates using WSUS, take a look at my previous blog entry;
Updating Intelligent Message Filter v2 via WSUS
http://msmvps.com/blogs/athif/archive/2006/03/21/Updating_Intelligent_Message_Filter_v2_via_WSUS.aspx
USAGE:
cscript //nologo imfUpdateScript.vbs Detect (this command will detect IMF updates).
cscript //nologo imfUpdateScript.vbs Install (this command will install IMF updates).
NOTE: I have saved the script as imfUpdateScript.vbs.
Scott also promised a post on the WSUS blog next week on how to create a script that will show how to do the automatic approval of IMF Updates only at the WSUS server. Kudos Scott!
UPDATE (5/14/2006): Posted the same on blog.
Many a time, WSUS admins wonder whether they can automatically deploy hot fixes which are not supported by WSUS or which are not available on WindowsUpdate.com. The simple answer is NO, and you have to use SMS or some script to install them.
Alternatively, if the computers are in an Active Directory domain, then you might want to take a look at this excellent script posted by Torgeir Bakken (MVP).
Notes from Torgeir Bakken (MVP):
- You should do it in a computer startup script (with a GPO that is applied to your computers) instead of a logon script. A computer startup script runs as part of the boot up process (before the user logs in). It runs under the system context and has local admin rights.
- As you need to access a file over the network from the computer startup script, you need to put the file on a network share and grant read access for the AD group "Domain Computers" to the share.
- Note that the script creates a registry marker when the update is installed, so the next time the script is run, it sees this marker, and skips the installation of the update (to avoid repeating installations).
- You will need to change the path to the exe file (I have used a dummy path in the script), and maybe the command line switches for the update.
- I have added the command line switches /u /q /z to the command line in the script; it should work on all MS updates that use update.exe to install (most do).
- /u: Unattended mode.
- /q: Quiet mode (no user interaction).
- /z: Do not restart when installation is complete.
- If you want the computer to automatically reboot after the install (if the update needs it), remove the /z switch.
Below is a VBScript you can put in a computer startup script that will install a MS update.
Script code:
'--------------------8<----------------------
' UNC path to the update package (dummy path, change it); the share should
' grant "Domain Computers" read access only, because this script runs as SYSTEM
sExePath = "\\server\share\folder\something.exe"
sSwitches = "/u /q /z"
Set oShell = CreateObject("WScript.Shell")
sRegKey = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate"
' suppress error in case the value does not exist
On Error Resume Next
' check for marker
sRegMarkerValue = "" ' init value
sRegMarkerValue = oShell.RegRead(sRegKey & "\Hotfix1Installed")
On Error Goto 0
' to be sure update is installed only once, test on marker
If sRegMarkerValue <> "yes" Then
    ' run the installer and wait for it to finish
    iExitCode = oShell.Run(Chr(34) & sExePath & Chr(34) & " " & sSwitches, 1, True)
    ' create marker only on success (0) or success with reboot pending (3010)
    If iExitCode = 0 Or iExitCode = 3010 Then
        oShell.RegWrite sRegKey & "\Hotfix1Installed", "yes"
    End If
End If
'--------------------8<----------------------
WSH 5.6 documentation (local help file) can be downloaded from here if you haven't got it already:
http://msdn.microsoft.com/downloads/list/webdev.asp
UPDATE (5/7/2006):
Access to drivers and hotfixes via the Microsoft Update (MU) Catalog site is tightly integrated with WSUS 3.0 to enable easy drivers and hotfix access.
ReadMe for Windows Server Update Services states that WSUS is not supported on servers running Terminal Services. Yes, that's true but it should be clear that WSUS will be supported on Terminal Server Remote Desktop for Administration Mode (RDP).
Issue 5: WSUS is not supported on servers running Terminal Services
For this Windows Server Update Services (WSUS 2.0) release, it is recommended that you do not install WSUS on a server running Terminal Services.
Hey, WSUS Product Team, you might want to make it clear as follows;
- WSUS is not supported on servers running Terminal Services in Application Mode.
- WSUS will still be supported on Terminal Server in Remote Desktop for Administration Mode (RDP).
To determine the mode in which a server is currently running, perform these steps:
- Start Terminal Services Configuration snap-in (Start, Programs, Administrative Tools, Terminal Services Configuration).
- Select the Server Settings in the snap-in's left pane.
- In the right pane, check the Licensing attribute.
MORE INFORMATION
Frequently Asked Questions About Terminal Services
http://www.microsoft.com/windowsserver2003/community/centers/terminal/terminal_faq.mspx
ReadMe for Windows Server Update Services
http://technet2.microsoft.com/WindowsServer/en/Library/4244109a-395a-4ff8-9989-ea55ab0964a31033.mspx
I have collected and added some more wishes which are answered with reference to my previous blog entry on http://msmvps.com/blogs/athif/archive/2006/04/12/What_can_you_expect_in_WSUS_3_0.aspx.
Today is my birthday (April 16, 1981) and I am going to treat myself by cleaning and organizing WSUS WIKI as I used to do almost daily. Way to go!
Thomas Lee has added an excellent WISH - Client Troubleshooting Tools Needed on WSUS-WIKI. This is worth reading and I would really appreciate it if these can be incorporated in WSUS 3.0.
Folks, this is your chance to add your wish on the wiki and for sure WSUS Product Team is going to look at those.
The solution provided in the KB "Replication does not occur for one Exchange server in the organization" is a little inaccurate (last reviewed May 28, 2004). It incorrectly states the 'Replication' registry DWORD entry. The correct DWORD entry is 'Replication Flags' instead of just 'Replication'.
********************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\EMAIL_SERVER\Public-GUID]
"Replication Flags"=dword:00000001
********************************************************************
I would appreciate it if Exchange MVPs or anyone with known contacts in the Exchange Team can pass on this information.
Source: http://support.microsoft.com/default.aspx?scid=kb;en-us;812294
I misunderstood the KB and the solution is actually right.