Discussion:
WSUS - No client computers
(too old to reply)
Lawrence Garvin
2005-10-12 05:56:48 UTC
Permalink
Moved to microsoft.public.windows.server.update_services, where a more
detailed response is waiting.
I just installed WSUS on Windows 2003 SBS Premium server
Install worked great. Update and syncronize worked great! I have all the
downloads ready to go, but there are not client computers listed in either
"All computers" nor "Unassigned computers".
Lawrence Garvin
2005-10-12 06:05:11 UTC
Permalink
This is common occurrence on SBS2003, and it's generally caused because the
Default Web Server does not normally have anonymous access permission
enabled on SBS2003. Enable anonymous access permission on the Default Web
Server, and verify that anonymous access permissions are enabled on the
/selfupdate and /clientwebservice virtual directories in the Default Web
Serer.

Then, let's see if the SBS2003 server can get updates from itself.

Make sure you have a GPO linked to the "Domain Controllers" OU and
configured for Option #3 so that the server will not automatically install
the updates.

Then, wait five minutes for the policy to refresh if the GPO was not already
configured/linked.

Then, run the Client Diagnostic Tool on the SBS2003 and post the results
here.

Then, wait 20 minutes, run 'wuauclt /detectnow' from Start | Run on the
SBS2003 server, wait 20 more minutes, and then post the most recent hour of
log entries in the %windir%\WindowsUpdate.log.

If the server can successfully talk to itself, then we'll venture out into
checking the clients. It's entirely possible that merely 'fixing' the
permissions on the DWS will repair everything and by the time we 'verify'
the server works with itself, the clients will already be updating and
reporting.
Post by Lawrence Garvin
Moved to microsoft.public.windows.server.update_services, where a more
detailed response is waiting.
I just installed WSUS on Windows 2003 SBS Premium server
Install worked great. Update and syncronize worked great! I have all the
downloads ready to go, but there are not client computers listed in either
"All computers" nor "Unassigned computers".
Michael P. Quinlan
2005-10-14 21:25:03 UTC
Permalink
Thank you Lawrence,

Your hyperlink worked great! I found it.

I checked the anonymous access permissions in IIS for the Default Web
Server, /selfupdate and /clientwebservice. They were all fine. I assume you
know that the Directory Security Tab enforces IP Address security for ONLY my
local LAN 10.10.0.1 and 127.0.0.1 addresses.

No Joy: Day six.

I will go ahead and research to try to find the: Client Diagnostic Tool
next and keep you posted on my progress.

Thanks again for the hyperlink. It really helps. I know I have seen you
guys just fly through these newsgroups, but I have trouble. Thanks again.

I will keep you posted on my progress.

Michael
Post by Lawrence Garvin
This is common occurrence on SBS2003, and it's generally caused because the
Default Web Server does not normally have anonymous access permission
enabled on SBS2003. Enable anonymous access permission on the Default Web
Server, and verify that anonymous access permissions are enabled on the
/selfupdate and /clientwebservice virtual directories in the Default Web
Serer.
Then, let's see if the SBS2003 server can get updates from itself.
Make sure you have a GPO linked to the "Domain Controllers" OU and
configured for Option #3 so that the server will not automatically install
the updates.
Then, wait five minutes for the policy to refresh if the GPO was not already
configured/linked.
Then, run the Client Diagnostic Tool on the SBS2003 and post the results
here.
Then, wait 20 minutes, run 'wuauclt /detectnow' from Start | Run on the
SBS2003 server, wait 20 more minutes, and then post the most recent hour of
log entries in the %windir%\WindowsUpdate.log.
If the server can successfully talk to itself, then we'll venture out into
checking the clients. It's entirely possible that merely 'fixing' the
permissions on the DWS will repair everything and by the time we 'verify'
the server works with itself, the clients will already be updating and
reporting.
Post by Lawrence Garvin
Moved to microsoft.public.windows.server.update_services, where a more
detailed response is waiting.
I just installed WSUS on Windows 2003 SBS Premium server
Install worked great. Update and syncronize worked great! I have all the
downloads ready to go, but there are not client computers listed in either
"All computers" nor "Unassigned computers".
Michael P. Quinlan
2005-10-17 18:41:12 UTC
Permalink
Hi Lawrence,

I think we are getting closer!
Post by Lawrence Garvin
Make sure you have a GPO linked to the "Domain Controllers" OU and
configured for Option #3 so that the server will not automatically install
the updates.
I am not sure I know how to do this.

I was able to download and run the Client Diag tool from:

http://www.microsoft.com/windowsserversystem/updateservices/downloads/default.mspx

Hyperlinks really help me to find things. I get stuck with out them. It
takes me days of research and interruptions before I find things, extending
my troubleshooting and installation.

Here are my client diag results.

C:\Program Files\Update Services\Tools>clientdiag

WSUS Client Diagnostics Tool

Checking Machine State
Checking for admin rights to run tool . . . . . . . . . PASS
Automatic Updates Service is running. . . . . . . . . . PASS
Background Intelligent Transfer Service is running. . . PASS
Wuaueng.dll version 5.8.0.2469. . . . . . . . . . . . . PASS
This version is WSUS 2.0

Checking AU Settings
AU Option is 3 : Notify Prior to Install. . . . . . . . PASS
Option is from Control Panel

Checking Proxy Configuration
Checking for winhttp local machine Proxy settings . . . PASS
Winhttp local machine access type
<Direct Connection>
Winhttp local machine Proxy. . . . . . . . . . NONE
Winhttp local machine ProxyBypass. . . . . . . NONE
Checking User IE Proxy settings . . . . . . . . . . . . PASS
User IE Proxy
CLIENTSNAME-DOMAIN:8080
User IE ProxyByPass
10.10.2.24;10.10.2.25;10.10.2.26;<local>
User IE AutoConfig URL Proxy . . . . . . . . . NONE
User IE AutoDetect
AutoDetect not in use

Checking Connection to WSUS/SUS Server
AU does not have Policy Set
AU does not have Policy Set
UseWuServer is disabled . . . . . . . . . . . . . . . . FAIL

Press Enter to Complete

No Joy: Day nine
Lawrence Garvin [MVP]
2005-10-18 00:29:47 UTC
Permalink
Post by Michael P. Quinlan
Checking AU Settings
AU Option is 3 : Notify Prior to Install. . . . . . . . PASS
Option is from Control Panel
This confirms that we're not getting values from policy, but rather from
local settings.
Post by Michael P. Quinlan
Checking Connection to WSUS/SUS Server
AU does not have Policy Set
AU does not have Policy Set
UseWuServer is disabled . . . . . . . . . . . . . . . . FAIL
And... because the policy is not set, the client has no way to know it's
supposed to use a WSUS server, and thus ends up using Automatic Updates,
downloading from windowsupdate.microsoft.com, and waiting for the updates to
be installed.
Post by Michael P. Quinlan
Post by Lawrence Garvin
Make sure you have a GPO linked to the "Domain Controllers" OU and
configured for Option #3 so that the server will not automatically install
the updates.
I am not sure I know how to do this.
Hmmm... a tutorial on Group Policy configuration and management is a bit
beyond the scope of this newsgroup, and it's a bit more complex than a
simple answer, but I'll try point you in the right direction.

First, it's going to require some orientation and familiarity with these
tools, available on your server.
- Active Directory Users and Computers
- Group Policy Management Console

Next best place to go is the WSUS Deployment Guide, starting with the
section "Determine a Method to Configure Automatic Updates Clients" on p58.
You can get the Deployment Guide at
http://www.microsoft.com/downloads/details.aspx?FamilyId=E99C9D13-63E0-41CE-A646-EB36F1D3E987&displaylang=en
Michael P. Quinlan
2005-10-21 04:26:05 UTC
Permalink
OK Lawrence!

I think we are making real progress:

C:\Program Files\Update Services\Tools>clientdiag

WSUS Client Diagnostics Tool

Checking Machine State
Checking for admin rights to run tool . . . . . . . . . PASS
Automatic Updates Service is running. . . . . . . . . . PASS
Background Intelligent Transfer Service is running. . . PASS
Wuaueng.dll version 5.8.0.2469. . . . . . . . . . . . . PASS
This version is WSUS 2.0

Checking AU Settings
AU Option is 4: Scheduled Install . . . . . . . . . . . PASS
Option is from Policy settings

Checking Proxy Configuration
Checking for winhttp local machine Proxy settings . . . PASS
Winhttp local machine access type
<Direct Connection>
Winhttp local machine Proxy. . . . . . . . . . NONE
Winhttp local machine ProxyBypass. . . . . . . NONE
Checking User IE Proxy settings . . . . . . . . . . . . PASS
User IE Proxy. . . . . . . . . . . . . . . . . NONE
User IE ProxyByPass. . . . . . . . . . . . . . NONE
User IE AutoConfig URL Proxy . . . . . . . . . NONE
User IE AutoDetect
AutoDetect not in use

Checking Connection to WSUS/SUS Server
WUServer = http://<DomainServerName>:8530
WUStatusServer = http://<DomainServerName>:8530
UseWuServer is enabled. . . . . . . . . . . . . . . . . PASS
Connection to server. . . . . . . . . . . . . . . . . . PASS
SelfUpdate folder is present. . . . . . . . . . . . . . PASS

Press Enter to Complete

GPOs were easy. It was a two step process. I had already created my own
GPO, but had not linked it (as you had asked me to). When I linked my
created GPO ClientDiag.exe started PASSing!

Now my Server is showing up, but not my clients. So my next step is to link
my GPO to something else, but what?

I think I am almost there!

Michael
Lawrence Garvin [MVP]
2005-10-21 06:07:39 UTC
Permalink
Post by Michael P. Quinlan
GPOs were easy. It was a two step process. I had already created my own
GPO, but had not linked it (as you had asked me to). When I linked my
created GPO ClientDiag.exe started PASSing!
Voila! :-)
Post by Michael P. Quinlan
Now my Server is showing up, but not my clients. So my next step is to link
my GPO to something else, but what?
Ahhh... okay, there will be three places in SBS2003 you'll need to link
GPOs.

First, for the SBS2003 server, you already succeeded, by linking the GPO
to the "Domain Controllers" OU.

Second, for any other servers, you'll want to link the same GPO to the
"MyBusiness\Computers\SBSServers" OU.

Third, for any other desktop computers, you'll want to link a different
GPO to the "MyBusiness\Computers\SBSComputers" OU.

Note: You /may/ have computers in the "Computers" container, listed a
bit higher in the screen (right above "Domain Controllers"). You should drag
and drop anything in this "Computers" container into either the SBSServers
or SBSComputers OUs, so that the GPOs can be applied. You cannot link a GPO
to a container, only to an OU.
Post by Michael P. Quinlan
I think I am almost there!
Michael
Michael P. Quinlan
2005-10-21 18:04:04 UTC
Permalink
Thanks Lawrence,
Post by Lawrence Garvin [MVP]
Ahhh... okay, there will be three places in SBS2003 you'll need to link
GPOs.
First, for the SBS2003 server, you already succeeded, by linking the GPO
to the "Domain Controllers" OU.
Now, I have 4 computers in WSUSAdmin! 1 Domain and 3 Clients. In addition
to using the existing "Domain Controllers" OU...
1.) I have created three Organizational Units in "My Business" - Computers:
a) Sales
b.) Operations
c.) Administration

2.) I have created three WSUS GPOs under "Group Policy Objects" to control
each of them.
3.) I have linked each GPO to an Organizational Unit (OU) under the OU.
4.) I have used Active Directory to find the computers from each group and
"moved" each computer into its proper Organizational Unit OU.
5.) I waited until the next morning and there they were in WSUSAdmin webpage.

so I think I am really getting there now.
I have a few final wrinkles to iron out. All of my computers show up in
both "All computers" as expected and also under "Unassigned Computers", which
seems bad.

1.) How do I assign unassigned computers so WSUS knows they are assigned?
2.) There is probably a flaw in this approach, in that each time I add a new
computer to the Domain, I must be sure to "move" them to the proper OU or
they will not show up in "All computers" at all. It could be hard to manage
if I forget to add a new PC to the proper OU. There is probably a smarter
way to do this, so that all new comptuers that join the domain get a
"default" update schedule until I move them to the proper OU and they show up
somewhere in WSUS. I would guess I would just make a default WSUS GPO and
link it somewhere. How would I do this?
Post by Lawrence Garvin [MVP]
Second, for any other servers, you'll want to link the same GPO to the
"MyBusiness\Computers\SBSServers" OU.
I still have this on my "to-do" list
Post by Lawrence Garvin [MVP]
Third, for any other desktop computers, you'll want to link a different
GPO to the "MyBusiness\Computers\SBSComputers" OU.
'
Is this the answer to Question 2. above?
You have had a great sense of answering my questions before I ask them.
Post by Lawrence Garvin [MVP]
Note: You /may/ have computers in the "Computers" container, listed a
bit higher in the screen (right above "Domain Controllers"). You should drag
and drop anything in this "Computers" container into either the SBSServers
or SBSComputers OUs, so that the GPOs can be applied. You cannot link a GPO
to a container, only to an OU.
I will double check this, but I think I am clear on this one.
Lawrence Garvin [MVP]
2005-10-22 01:13:50 UTC
Permalink
Post by Michael P. Quinlan
I have a few final wrinkles to iron out. All of my computers show up in
both "All computers" as expected and also under "Unassigned Computers", which
seems bad.
Not necessarily. The computers in "Unassigned Computers" will appear there
as a result of one of three scenarios:

(1) The client computers are not configured to use client-side targeting.

(2) The target group name configured in policy does not exist (or is
misspelled) on the WSUS server, resulting in the clients being placed in the
only available (default) group "Unassigned Computers".

(3) The target group name was assigned via policy /after/ the client
originally registered with the WSUS server. The client should automatically
migrate to the assigned group name, but I've seen occasions where this did
not happen as expected. In this instance, you may need to temporarly
reconfig the server to server-side targeting, and manually place the client
computer in the desired group, then reset the server to client-side
targeting.
Post by Michael P. Quinlan
1.) How do I assign unassigned computers so WSUS knows they are assigned?
A more general answer... it depends on whether you're using client-side
targeting or server-side targeting. I'll refer you to the Deployment Guide
for the explanation on this, as it's difficult to fully cover in a couple of
sentences.
Post by Michael P. Quinlan
2.) There is probably a flaw in this approach, in that each time I add a new
computer to the Domain, I must be sure to "move" them to the proper OU or
they will not show up in "All computers" at all.
If you don't assign them to the OU... they'll never get the Group Policy!
That's just the nature of Active Directory.
Post by Michael P. Quinlan
It could be hard to manage
if I forget to add a new PC to the proper OU. There is probably a smarter
way to do this, so that all new comptuers that join the domain get a
"default" update schedule until I move them to the proper OU and they show up
somewhere in WSUS. I would guess I would just make a default WSUS GPO and
link it somewhere. How would I do this?
It revolves around creating a default OU for new computers, and linking a
'default' GPO to that OU.
Post by Michael P. Quinlan
Post by Lawrence Garvin [MVP]
Second, for any other servers, you'll want to link the same GPO to the
"MyBusiness\Computers\SBSServers" OU.
I still have this on my "to-do" list
Post by Lawrence Garvin [MVP]
Third, for any other desktop computers, you'll want to link a different
GPO to the "MyBusiness\Computers\SBSComputers" OU.
'
Is this the answer to Question 2. above?
Maybe... if you assign SBSComputers as the default OU for new systems. But
there's some reasons why you might not want to do that. The first being... a
new server. The second being the advantages that can come by joining a new
computer to an "Under Construction" OU, which can be configured to expedite
the installation of updates.

See http://wsusinfo.onsitechsolutions.com/articles/012.htm for some
background on how this can be used.
Post by Michael P. Quinlan
You have had a great sense of answering my questions before I ask them.
Post by Lawrence Garvin [MVP]
Note: You /may/ have computers in the "Computers" container, listed a
bit higher in the screen (right above "Domain Controllers"). You should drag
and drop anything in this "Computers" container into either the SBSServers
or SBSComputers OUs, so that the GPOs can be applied. You cannot link a GPO
to a container, only to an OU.
I will double check this, but I think I am clear on this one.
Just to follow up with the above discussions... by default, the "Computers"
container is the default container for new systems when joining a SBS
domain.
Michael P. Quinlan
2005-10-21 02:46:07 UTC
Permalink
O.K. Let's try to break this down. I will try it one step at a time. It is
far to important to just write it off as "too-hard-to" install WSUS for all
of my clients. To start with I am on a Windows 2003 SBS Premium server with
ISA 2000. When I check in MMC under "Client Computers" in MMC they are all
there, so WSUS is clearly not picking up All computers from there.
Post by Lawrence Garvin
Server, and verify that anonymous access permissions are enabled on the
/selfupdate and /clientwebservice virtual directories in the Default Web
Serer.
Is this http://<domainname>:8530 or http://<domainname>/selfupdate?

They are both returning the same "HTTP Error 403 - Forbidden" errors. I
checked and Anonomous was enabled for both. I can get to
http://<domainname>:8530/WSUSAdmin with no problem.
Interesting. I also checked the WSUS Administration website in addition to
the Default website. selfupdate and clientwebservice did NOT have ANONOMOUS
LOGIN in the Permissions groups there. Did you mean for me to add it to the
WSUS Administration website, NOT the Default website? If so, how long do I
have to wait? I tried adding ANONOMOUS LOGIN in Permissions there and it did
not change from the 403 Forbidden errors.

I notice my computer count is 0 and my unassigned computer count is 0 on
http://<domainname>/WSUSAdmin computers.
Lawrence Garvin [MVP]
2005-10-21 06:01:38 UTC
Permalink
Post by Michael P. Quinlan
O.K. Let's try to break this down. I will try it one step at a time. It is
far to important to just write it off as "too-hard-to" install WSUS for all
of my clients. To start with I am on a Windows 2003 SBS Premium server with
ISA 2000. When I check in MMC under "Client Computers" in MMC they are all
there, so WSUS is clearly not picking up All computers from there.
No... WSUS gets "All Computers" from itself. "All Computers" is a rollup of
whatever is in "Unassigned Computers" along with whatever is in the rest of
the user-created target groups.

WSUS only gets computer information in one way. The client computer initiate
a detection and registers with the WSUS server by reporting its status.
Post by Michael P. Quinlan
Post by Lawrence Garvin
Server, and verify that anonymous access permissions are enabled on the
/selfupdate and /clientwebservice virtual directories in the Default Web
Serer.
Is this http://<domainname>:8530 or http://<domainname>/selfupdate?
Both..and then some more. First, understand that on SBS2003 you actually
have /two/ websites you need to be aware of for WSUS functionality.

The Default Web Site, on port 80, has the bare functionality necessary to
provide selfupdating capabilties for legacy AU clients. This consists of two
virtual directories, 'selfupdate' and 'clientwebservice' (technically,
'clientwebservice' is an application directory, but for our purposes the
moniker virtual directory will serve the purpose), and two files in the root
of the website: iuident.cab and wutrack.bin, which are copied from the
%programfiles%\update services\webservices\root folder into
C:\inetpub\wwwroot.

The second website is the WSUS virtual server, on port 8530, which is where
all of the functionality for WSUS is contained.

ALL virtual servers and ALL virtual directories must have anonymous access
permissions enabled /except/ the WSUSAdmin virtual directory, which should
only have "Integrated Authentication" enabled. (This is what ensure that
only admins can get to the WSUSAdmin site.)
Post by Michael P. Quinlan
They are both returning the same "HTTP Error 403 - Forbidden" errors.
'403' errors are quite often a sign that a proxy server is interfering.
Typically, if the client has connected to the web server, but is being
denied access because of permissions. I'm going to defer any more
information in this response, because I know you posted a message a couple
hours after this one, and it seems to indicate you're making good progress.
Post by Michael P. Quinlan
I checked and Anonomous was enabled for both. I can get to
http://<domainname>:8530/WSUSAdmin with no problem.
Interesting. I also checked the WSUS Administration website in addition to
the Default website. selfupdate and clientwebservice did NOT have ANONOMOUS
LOGIN in the Permissions groups there.
This is definitely part of the problem.
Post by Michael P. Quinlan
Did you mean for me to add it to the
WSUS Administration website, NOT the Default website?
It needs to be added to both websites (Default Web Site /and/ WSUS
Administration)
/and/ it also needs to be added to all of the directories in each of those
two websites,
which includes 'selfupdate', 'clientwebservice', 'simpleauthwebservice',
'content' at a minimum for client functionality.

Do not add anonymous access to the virtual directory named 'WSUSAdmin'.
Post by Michael P. Quinlan
If so, how long do I
have to wait? I tried adding ANONOMOUS LOGIN in Permissions there and it did
not change from the 403 Forbidden errors.
I notice my computer count is 0 and my unassigned computer count is 0 on
http://<domainname>/WSUSAdmin computers.
Michael P. Quinlan
2005-11-01 23:26:05 UTC
Permalink
Hi Lawrence,

I just wanted to close the loop.

I have all computers installed and working great. They all show up in
WSUSAdmin now. I went into computers and made sure each computer was a
member of the various COMPUTER GROUPS I created and everything is working
great!

Thank you for your patience and great answers to all of my issues.

Michael
SME
2006-06-29 05:25:02 UTC
Permalink
I have followed all of the steps above, but still have no computers showing
up in my computers list. I am getting that '403' error, so could you possibly
explain that a bit more?
Post by Lawrence Garvin [MVP]
Post by Michael P. Quinlan
O.K. Let's try to break this down. I will try it one step at a time. It is
far to important to just write it off as "too-hard-to" install WSUS for all
of my clients. To start with I am on a Windows 2003 SBS Premium server with
ISA 2000. When I check in MMC under "Client Computers" in MMC they are all
there, so WSUS is clearly not picking up All computers from there.
No... WSUS gets "All Computers" from itself. "All Computers" is a rollup of
whatever is in "Unassigned Computers" along with whatever is in the rest of
the user-created target groups.
WSUS only gets computer information in one way. The client computer initiate
a detection and registers with the WSUS server by reporting its status.
Post by Michael P. Quinlan
Post by Lawrence Garvin
Server, and verify that anonymous access permissions are enabled on the
/selfupdate and /clientwebservice virtual directories in the Default Web
Serer.
Is this http://<domainname>:8530 or http://<domainname>/selfupdate?
Both..and then some more. First, understand that on SBS2003 you actually
have /two/ websites you need to be aware of for WSUS functionality.
The Default Web Site, on port 80, has the bare functionality necessary to
provide selfupdating capabilties for legacy AU clients. This consists of two
virtual directories, 'selfupdate' and 'clientwebservice' (technically,
'clientwebservice' is an application directory, but for our purposes the
moniker virtual directory will serve the purpose), and two files in the root
of the website: iuident.cab and wutrack.bin, which are copied from the
%programfiles%\update services\webservices\root folder into
C:\inetpub\wwwroot.
The second website is the WSUS virtual server, on port 8530, which is where
all of the functionality for WSUS is contained.
ALL virtual servers and ALL virtual directories must have anonymous access
permissions enabled /except/ the WSUSAdmin virtual directory, which should
only have "Integrated Authentication" enabled. (This is what ensure that
only admins can get to the WSUSAdmin site.)
Post by Michael P. Quinlan
They are both returning the same "HTTP Error 403 - Forbidden" errors.
'403' errors are quite often a sign that a proxy server is interfering.
Typically, if the client has connected to the web server, but is being
denied access because of permissions. I'm going to defer any more
information in this response, because I know you posted a message a couple
hours after this one, and it seems to indicate you're making good progress.
Post by Michael P. Quinlan
I checked and Anonomous was enabled for both. I can get to
http://<domainname>:8530/WSUSAdmin with no problem.
Interesting. I also checked the WSUS Administration website in addition to
the Default website. selfupdate and clientwebservice did NOT have ANONOMOUS
LOGIN in the Permissions groups there.
This is definitely part of the problem.
Post by Michael P. Quinlan
Did you mean for me to add it to the
WSUS Administration website, NOT the Default website?
It needs to be added to both websites (Default Web Site /and/ WSUS
Administration)
/and/ it also needs to be added to all of the directories in each of those
two websites,
which includes 'selfupdate', 'clientwebservice', 'simpleauthwebservice',
'content' at a minimum for client functionality.
Do not add anonymous access to the virtual directory named 'WSUSAdmin'.
Post by Michael P. Quinlan
If so, how long do I
have to wait? I tried adding ANONOMOUS LOGIN in Permissions there and it did
not change from the 403 Forbidden errors.
I notice my computer count is 0 and my unassigned computer count is 0 on
http://<domainname>/WSUSAdmin computers.
Lawrence Garvin (MVP)
2006-06-30 23:36:41 UTC
Permalink
Post by SME
I have followed all of the steps above, but still have no computers showing
up in my computers list. I am getting that '403' error, so could you possibly
explain that a bit more?
The HTTP '403' error is recorded when a proxy server or firewall denies
access to a requested resource.

The key step is to verify that the proxy configuration of the client system
is properly configured.

The best way to do that is to run the Client Diagnostic Tool and post the
results here for further analysis.
--
Lawrence Garvin, M.S., MVP-Software Distribution
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, eveything else is at
http://wsusinfo.onsitechsolutions.com
...
Michael P. Quinlan
2005-10-14 04:12:51 UTC
Permalink
Hi Lawrence,

I think the following link does the trick for anyone trying to follow this
thread:

http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.softwareupdatesvcs

It gets us to the group, but I cannot find the question or the answer there?

Do I have to wait a couple of days before it shows up?
Post by Lawrence Garvin
Moved to microsoft.public.windows.server.update_services, where a more
detailed response is waiting.
I just installed WSUS on Windows 2003 SBS Premium server
Install worked great. Update and syncronize worked great! I have all the
downloads ready to go, but there are not client computers listed in either
"All computers" nor "Unassigned computers".
Lawrence Garvin [MVP]
2005-10-14 04:41:26 UTC
Permalink
Actually that link gets you to the /SUS/ group...

The /WSUS/ newsgroup will be found at
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.windows.server.update_services

but I understand that the /link/ may not appear on the website proper --
there are still some issues internal as MS in terms of getting those links
updated.

The thread was available moments after I posted the original reply.
Post by Michael P. Quinlan
Hi Lawrence,
I think the following link does the trick for anyone trying to follow this
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.softwareupdatesvcs
It gets us to the group, but I cannot find the question or the answer there?
Do I have to wait a couple of days before it shows up?
Post by Lawrence Garvin
Moved to microsoft.public.windows.server.update_services, where a more
detailed response is waiting.
I just installed WSUS on Windows 2003 SBS Premium server
Install worked great. Update and syncronize worked great! I have all the
downloads ready to go, but there are not client computers listed in either
"All computers" nor "Unassigned computers".
Michael P. Quinlan
2005-10-14 04:17:14 UTC
Permalink
Thank you Lawrence,

I am having trouble getting there to see the answer and have had trouble
jumping newsgroups to track the threads for answers for other people's
postings that have been moved.

Can you post hyperlinks to the article or at least the group
microsoft.public.windows.server.update_services to see the messages that are
moved?

Michael
Post by Lawrence Garvin
Moved to microsoft.public.windows.server.update_services, where a more
detailed response is waiting.
I just installed WSUS on Windows 2003 SBS Premium server
Install worked great. Update and syncronize worked great! I have all the
downloads ready to go, but there are not client computers listed in either
"All computers" nor "Unassigned computers".
Rob
2007-04-04 17:56:11 UTC
Permalink
Lawrence. I am having the same problem. All of my gpo settings are correct
for My Business\Computers\SBS Computers. I can see the server but none of
the clients show up. How did you get your client computers to show up? I
have also run the gpupdate /force to send the gpo changes to all of the
computers.

Thanks,

Rob
Post by Lawrence Garvin
Moved to microsoft.public.windows.server.update_services, where a more
detailed response is waiting.
I just installed WSUS on Windows 2003 SBS Premium server
Install worked great. Update and syncronize worked great! I have all the
downloads ready to go, but there are not client computers listed in either
"All computers" nor "Unassigned computers".
Winfried Sonntag [MVP]
2007-04-04 19:55:06 UTC
Permalink
Post by Rob
Lawrence. I am having the same problem. All of my gpo settings are correct
for My Business\Computers\SBS Computers. I can see the server but none of
the clients show up. How did you get your client computers to show up? I
have also run the gpupdate /force to send the gpo changes to all of the
computers.
Start > Run > rsop.msc on a XPSP2 Client. Is there your GPO with
settings?

Winfried
--
http://www.microsoft.com/germany/windowsserver2003/technologien/updateservices/default.mspx
http://www.wsuswiki.com/Home
Rob
2007-04-04 21:06:03 UTC
Permalink
Winfried,

I am all set. I just did not wait long enough for all of the clients to
respond. One other question. I did notice that the updates downloaded to
the clients but did not install. I have the gpo set to run every day at
12:00 p.m. Does that mean that the updates will not install until that time.
This service was fully functional after noon today.

Thank you for your response.
Post by Winfried Sonntag [MVP]
Post by Rob
Lawrence. I am having the same problem. All of my gpo settings are correct
for My Business\Computers\SBS Computers. I can see the server but none of
the clients show up. How did you get your client computers to show up? I
have also run the gpupdate /force to send the gpo changes to all of the
computers.
Start > Run > rsop.msc on a XPSP2 Client. Is there your GPO with
settings?
Winfried
--
http://www.microsoft.com/germany/windowsserver2003/technologien/updateservices/default.mspx
http://www.wsuswiki.com/Home
Winfried Sonntag [MVP]
2007-04-04 21:47:43 UTC
Permalink
Post by Rob
I am all set. I just did not wait long enough for all of the clients to
respond.
OK, thanks for response. ;)
Post by Rob
One other question. I did notice that the updates downloaded to
the clients but did not install. I have the gpo set to run every day at
12:00 p.m. Does that mean that the updates will not install until that time.
Do you select the option 4? If yes, are your users local
administrators? If yes, activate a *user* config:
Disable all windows update functions > enabled.

Winfried
--
http://www.microsoft.com/germany/windowsserver2003/technologien/updateservices/default.mspx
http://www.wsuswiki.com/Home
Lawrence Garvin (MVP)
2007-04-04 23:18:03 UTC
Permalink
Post by Rob
I have the gpo set to run every day at
12:00 p.m. Does that mean that the updates will not install until that time.
Yes.
Post by Rob
This service was fully functional after noon today.
That's the most likely cause, then. :-)

They should install tomorrow.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
....
Rob
2007-04-05 14:24:00 UTC
Permalink
Patience is a virtue that I do not always have. I should have realized that
I needed to wait until noon today for the updates to install. Some of them
actually installed when the computers were started this morning. Odd??
Post by Lawrence Garvin (MVP)
Post by Rob
I have the gpo set to run every day at
12:00 p.m. Does that mean that the updates will not install until that time.
Yes.
Post by Rob
This service was fully functional after noon today.
That's the most likely cause, then. :-)
They should install tomorrow.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
Lawrence Garvin (MVP)
2007-04-05 22:03:45 UTC
Permalink
Post by Rob
Patience is a virtue that I do not always have. I should have realized that
I needed to wait until noon today for the updates to install. Some of them
actually installed when the computers were started this morning. Odd??
Not necessarily. If the update were detected/downloaded before noon and
scheduled for installation, but the system was powered down before noon, the
updates would be installed at the next power up.

Also, there's the variable of 'user interaction'. If a user has local admin
privileges, or you've enabled the policy "Allow non-admins to receive update
notifications", then a user can interactively initiate the installation.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
....
Rob
2007-04-05 17:58:02 UTC
Permalink
Everything is running fine except that some computers do not show up in the
list of computers. They are receiving updates and if I change the gpo to a
different time and run gpupdate /force on the client the time does change in
the Automatic Updates. That tells me that it is receiving the group policy
for SBS Computers. But four of them will not show up in the computer list
under WSUS.

Any thoughts?
Post by Lawrence Garvin (MVP)
Post by Rob
I have the gpo set to run every day at
12:00 p.m. Does that mean that the updates will not install until that time.
Yes.
Post by Rob
This service was fully functional after noon today.
That's the most likely cause, then. :-)
They should install tomorrow.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
Lawrence Garvin (MVP)
2007-04-05 22:05:55 UTC
Permalink
Post by Rob
Everything is running fine except that some computers do not show up in the
list of computers. They are receiving updates and if I change the gpo to a
different time and run gpupdate /force on the client the time does change in
the Automatic Updates. That tells me that it is receiving the group policy
for SBS Computers. But four of them will not show up in the computer list
under WSUS.
This is a diagnostics opportunity. The question is why are they not showing
up even though they're getting updates.

Most likely cause is that they have a duplicated SusClientID, and they're
flip-flopping in the database with one or more other clients, and you're
only seeing a partial list when you inspect the computer list.

See this article for further discussion, and resolution:
http://wsusinfo.onsitechsolutions.com/articles/025.htm
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
....
Rob
2007-04-05 18:02:06 UTC
Permalink
To add to that. I remember that these computers used to be in the "Computer"
location and I moved them to SBS Computers. Is this the cause. And, if so
how do I fix it?
Post by Rob
Winfried,
I am all set. I just did not wait long enough for all of the clients to
respond. One other question. I did notice that the updates downloaded to
the clients but did not install. I have the gpo set to run every day at
12:00 p.m. Does that mean that the updates will not install until that time.
This service was fully functional after noon today.
Thank you for your response.
Post by Winfried Sonntag [MVP]
Post by Rob
Lawrence. I am having the same problem. All of my gpo settings are correct
for My Business\Computers\SBS Computers. I can see the server but none of
the clients show up. How did you get your client computers to show up? I
have also run the gpupdate /force to send the gpo changes to all of the
computers.
Start > Run > rsop.msc on a XPSP2 Client. Is there your GPO with
settings?
Winfried
--
http://www.microsoft.com/germany/windowsserver2003/technologien/updateservices/default.mspx
http://www.wsuswiki.com/Home
Lawrence Garvin (MVP)
2007-04-05 22:07:33 UTC
Permalink
Post by Rob
To add to that. I remember that these computers used to be in the "Computer"
location and I moved them to SBS Computers. Is this the cause. And, if so
how do I fix it?
The "Computer" location is a container, and cannot have policy applied.

:"SBS Computers" is an OU, and may or may not have a policy linked.

Changing locations in Active Directory will not have any affect on WSUS
functionality =except= to the extent that you've changed policies being
applied to the client system.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
....
Rob
2007-04-05 23:52:01 UTC
Permalink
So, what would cause a few computers to not show up in the computer view of
WSUS even though the machines are getting updates?
Post by Lawrence Garvin (MVP)
Post by Rob
To add to that. I remember that these computers used to be in the "Computer"
location and I moved them to SBS Computers. Is this the cause. And, if so
how do I fix it?
The "Computer" location is a container, and cannot have policy applied.
:"SBS Computers" is an OU, and may or may not have a policy linked.
Changing locations in Active Directory will not have any affect on WSUS
functionality =except= to the extent that you've changed policies being
applied to the client system.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
Winfried Sonntag [MVP]
2007-04-06 14:03:14 UTC
Permalink
Post by Rob
So, what would cause a few computers to not show up in the computer view of
WSUS even though the machines are getting updates?
Try this Script: http://msmvps.com/blogs/athif/pages/66376.aspx

Winfried
--
http://www.microsoft.com/germany/windowsserver2003/technologien/updateservices/default.mspx
http://www.wsuswiki.com/Home
Lawrence Garvin (MVP)
2007-04-06 21:06:09 UTC
Permalink
Post by Rob
So, what would cause a few computers to not show up in the computer view of
WSUS even though the machines are getting updates?
That would be a question for the WindowsUpdate.log. :-)
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
....
Continue reading on narkive:
Loading...