Discussion:
Problems with using wsus on a domain controller
Tom
2006-01-16 12:41:03 UTC
Hi everyone,
I am using WSUS to keep all the machines on my domain updated. It is working
fine for all my client computers but I am having some problems with the
servers. I have set the option "Auto download and notify for install" on all
my servers. What I have noticed is that if I log in as a domain administrator
to these servers I am never notified to install the latest updates. This is
the case even though events are logged which tell me that the updates have
been downloaded and are ready for installation. This is not a problem for
member servers as I just log in as a local admin and then I receive
notification and can install the updates. The problem is that there is no
local admin account for domain controllers and therefore I cannot find a way
to update my domain controllers.
Does anybody know why the update notification does not appear when I log in
as a domain administrator?
Thanks,
Tom
Nick Payne
2006-01-16 23:18:03 UTC
Are you sure the GP setting is the same for DCs as for member servers (DCs
are normally in a different OU)? When you run rsop.msc from a DC console
while logged in as domain admin, what does it show you for the update
notification setting?
Tom
2006-01-17 12:42:03 UTC
Hi Nick,
I am running Windows 2000 so I cannot use rsop on the computer but I am
pretty sure that the GP is correct. I have it set on the OU which contains
the domain controllers. The unusual thing is that the updates are actually
being downloaded to the domain controllers (as evidenced by the event viewer
logs) but I do not get notification to install them. I cannot find any
unusual errors in event viewer either.
I will have to keep digging. Meanwhile any other ideas would be appreciated.
Dave Mills
2006-01-17 07:32:35 UTC
Are you using RDP to connect to the DCs? Are the DCs W2003 or W2K?
--
Dave Mills
There are 10 type of people, those that understand binary and those that don't.
Tom
2006-01-17 12:46:06 UTC
What does RDP stand for? The DCs are W2K.
Dave Mills
2006-01-17 17:50:36 UTC
RDP = Remote Desktop Protocol, i.e. Terminal Services. There is talk
that the icon does not show up if you connect using terminal services.
However it works most of the time for my W2K server. Occasionally I
need to wait a while or even run wuauclt /detectnow to get it to show
though.
--
Dave Mills
There are 10 type of people, those that understand binary and those that don't.
Vova Bazanov
2006-01-18 15:50:35 UTC
First, sorry for bad English. When many (more than one) administrators
are simultaneously logged on to the server (for example, one works on the
server locally and goes away, leaving the console locked; after that a second
one logs on to the server via RDP), IMHO only the first admin receives the
update notification. Maybe this is a problem?
Dave Mills
2006-01-19 00:16:17 UTC
Your English is far better than my grasp of any other language, we
understand you.

You may have it right here. I have heard many statements that
connection via RDP (Term Services) fails to show the icon but on my
systems it usually does. Then I am usually the only admin to connect
to the servers. The others who can only do so once in a while. This is
consistent with the frequency that I have not got the icon. I will
start watching more closely.
--
Dave Mills
There are 10 type of people, those that understand binary and those that don't.
Tom
2006-01-20 15:04:03 UTC
Thanks for all your help Dave and Vova.
The discussion was interesting but unfortunately it does not solve my
problem as I do not get the icon even when I am not connecting via terminal
server or any other method.
I will keep digging and if I come up with a solution I'll post it here if
you are interested.
Tom
Andy Smith
2006-02-17 11:18:46 UTC
Hi,

Just searching through the newsgroup and found this topic.

I am experiencing the same behaviour, i.e. using policy settings as per
below for pilot/test 2003 Member Servers

Policy: Setting

Allow Automatic Updates immediate installation: Enabled
Allow non-administrators to receive update notifications: Enabled
Automatic Updates detection frequency: Enabled
  Check for updates at the following interval (hours): 10
Configure Automatic Updates: Enabled
  Configure automatic updating: 3 - Auto download and notify for install
  The following settings are only required and applicable if 4 is selected.
  Scheduled install day: 0 - Every day
  Scheduled install time: 10:00
Delay Restart for scheduled installations: Disabled
Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box: Enabled
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box: Enabled
Enable client-side targeting: Enabled
  Target group name for this computer: PILOT-Servers-2003
No auto-restart for scheduled Automatic Updates installations: Disabled
Re-prompt for restart with scheduled installations: Disabled
Reschedule Automatic Updates scheduled installations: Disabled
Specify intranet Microsoft update service location: Enabled
  Set the intranet update service for detecting updates: http://our.wsus.server
  Set the intranet statistics server: http://our.wsus.server
  (example: http://IntranetUpd01)



I check the Windowsupdate.log, it says that the download has occurred.
If I log on to the console (not via terminal services) as my Domain
Admin account I do not get any prompt from the AU client that updates
are ready to be installed. The policy settings are definitely being
applied. If I logoff the console as Domain Admin, then log back on with
the local administrator, the AU tray icon appears in a few seconds and
the "updates are ready to be installed" prompt appears.

I have an identically configured GPO for pilot/test 2000 Servers and I
see the same behaviour there too.

As an aside, on the 2003 server I initially did NOT have the two
'Install Updates and Shut Down' policy settings configured. So I was
logged on to the console as my Domain Admin a/c and when I logged off
it came up with the 'Install Updates and Shut Down' option - so, in
that case, it WAS detecting that updates were ready to install, but
only on the shutdown screen, not via the AU tray icon.

Using the local administrator account isn't a big deal for us, but I
guess that we would have the same problem as the OP if doing this on a
Domain Controller.
Lawrence Garvin
2006-02-18 02:06:21 UTC
It would be preferable to look at -actual- output from the registry, or
policy tools, or the actual logfiles, in order to diagnose. It's very
difficult (and sometimes misleading) to diagnose from /input/ values, when
really what matters is what happens on the "output" side (i.e. did the
policy actually get applied, can the WUA use the values configured in the
policy, can the WUA talk to the server successfully).

However, I'm not seeing anything in your post that really necessitates
reviewing that information, so there's nothing specific for me to ask for.

As for your tray icon question -- sounds like your Domain Admin account is
not a member of the local Administrators group. WSUS and WUA privileges are
granted -only- to the local Administrators account. If a domain account or
domain group is not a member of that local group, the domain principal will
not have access to WSUS/WUA.
Andy Smith
2006-02-21 11:10:44 UTC
Hi Lawrence,

For info, the domainname\Domain Admins group IS a member (as you'd
expect) of the local Administrators group on our member servers (which
is why I was surprised that it did not prompt me for updates
installation when I logged on with the domain account). On the other
hand, our Windows build is one that is locked down to an extent via
configuration and GPOs built by our Head Office, so I'm not surprised
if things don't work as I expect sometimes! ;-)
Lawrence Garvin
2006-02-22 02:51:02 UTC
Given that information, the next thing you want to look for is to see if the
User Policy prohibiting interaction with the WUA and WU/MU websites has been
enabled. If it has, you might want to lobby to have that policy /removed/
for Domain Administrators!
Andy Smith
2006-02-22 15:27:49 UTC
Bingo!

The OU where our Domain Admin accounts are stored has a (previously
undetected by me) user policy being applied that sets "Remove access to
use all Windows Update features" to Enabled. [Thanks to our Enterprise
Admins for that one...] Fortunately, it's a domain level policy, so I
can change it locally.

Thanks for pointing me in the right direction Lawrence.
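
The check Lawrence Garvin asks for above (actual applied values rather than configured ones), together with the user policy that turned out to be the cause, as an added example that is not part of any post in this thread. The registry paths and value names are the standard Automatic Updates policy locations and are an assumption here, since the thread does not quote them.

```powershell
# Added example: show the Windows Update policy values that actually landed
# in the registry for this computer and for the logged-on user.
# Key paths and value names are the standard Automatic Updates policy
# locations (assumption: the thread itself never quotes them).

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$wu     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au     = "$wu\AU"
$userWu = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'

$state = [pscustomobject]@{
    User                       = "$env:USERDOMAIN\$env:USERNAME"
    WUServer                   = Get-PolicyValue $wu 'WUServer'
    WUStatusServer             = Get-PolicyValue $wu 'WUStatusServer'
    TargetGroup                = Get-PolicyValue $wu 'TargetGroup'
    ElevateNonAdmins           = Get-PolicyValue $wu 'ElevateNonAdmins'
    AUOptions                  = Get-PolicyValue $au 'AUOptions'
    # Per-user value behind "Remove access to use all Windows Update features"
    DisableWindowsUpdateAccess = Get-PolicyValue $userWu 'DisableWindowsUpdateAccess'
    # BUILTIN\Administrators (S-1-5-32-544) present in the logon token
    InLocalAdministrators      = [bool](whoami /groups | Select-String -SimpleMatch 'S-1-5-32-544')
}
$state | Format-List

$findings = @()
if ($state.DisableWindowsUpdateAccess -eq 1) {
    $findings += 'User policy "Remove access to use all Windows Update features" is applied to this account.'
}
if (-not $state.InLocalAdministrators -and $state.ElevateNonAdmins -ne 1) {
    $findings += 'Account is not in local Administrators and non-administrator notifications are not enabled.'
}
if ($null -eq $state.AUOptions) {
    $findings += 'No AUOptions policy value: the "Configure Automatic Updates" GPO did not reach this computer.'
} elseif ($state.AUOptions -ne 3) {
    $findings += "AUOptions is $($state.AUOptions), not 3 (auto download and notify for install)."
}
if ($null -eq $state.WUServer) {
    $findings += 'No WUServer policy value: the client is not pointed at an intranet update server.'
}

if ($findings.Count -eq 0) {
    'No policy value found that would suppress the update notification for this account.'
} else {
    $findings
}
```

Run it while logged on as the account that gets no notification: the `HKCU` value is per-user, so a local administrator session will not show a restriction that applies only to the domain account.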

"Vova Bazanov" <bazanovv{a}gmail.com>
2006-02-20 05:43:02 UTC
Maybe this can help: when deploying WSUS I need to configure the Automatic
Updates service startup in GPO with some special permissions. Sorry, I can't
remember what issue it is fixing :( but maybe this can help you?

permissions:
NT AUTHORITY\SYSTEM Full Control
BUILTIN\Administrators Full Control
NT AUTHORITY\Interactive Read
NT AUTHORITY\Authenticated Users Read