How Do I Configure WSUS?

[mrgulic]

I have done the following in accordance to instrucitons found on the net.

WSUS is installed on an SBS2003 system.

Moved computer objects into one of the following OU's under

Forest: myDomain
--Domains
---myDomain
----MyBusiness
-----Computers
------SBSComputers
------SBSServers

In each of the OU's SBSComputers & SBSServers is a linked GPO called myWSUS containing the following details.

Computer Configuration (Enabled)
-Administrative Templates
--Windows Components/Windows Update

[b]Policy Setting [/b]
-Allow Automatic Updates immediate installation: [b]Enabled[/b]
 
-Automatic Updates detection frequency: Enabled 
--Check for updates at the following interval (hours): [b]1 [/b]
 
[b]Policy Setting[/b]
-Configure Automatic Updates: [b]Enabled [/b]
--Configure automatic updating: [b]4 - Auto download and schedule the install[/b]

-The following settings are only required and applicable if 4 is selected. 
--[b]Scheduled install day:  0 - Every day[/b] 
--[b]Scheduled install time: 14:00[/b]
 
[b]Policy Setting [/b]
Specify intranet Microsoft update service location: [b]Enabled[/b] 
Set the intranet update service for detecting updates: [b][URL unfurl="true"]http://wsus.myDomain[/URL][/b]
Set the intranet statistics server: [b][URL unfurl="true"]http://wsus.myDomain[/URL][/b]

WSUS is set in Options to get computers from GPO

I did a gpupdate at the command prompt

gpresult from a client machine shows that the policy was applied.

I checked the WSUS console an hour later and no systems had been added the the computer group.

I don't know where to go from here.

I can't find any usefull information anywhere. Thanks in advance for your assistance.

 

[mrgulic]

I did something last night that apparently caused some systems to import into WSUS. Now the question is why are the others not there? All the systems are identical windows 2003 or xp systems aside from the applicatons running on them.

Someone must have an idea. WSUS and SCOM are two of the most difficult microsoft apps to get running "out of the box" that i have experienced. I'm getting a bald spot on my head from scratching it thinking about this one.

 

[TechyMcSe2k]

http://www.petri.co.il/install_wsus_3_on_sbs_2003.htm

http://technet.microsoft.com/en-us/library/cc720456.aspx

WSUS uses IIS to update most client computers automatically to WSUS-compatible Automatic Updates software. To accomplish this, WSUS Setup creates a virtual directory named Selfupdate under the Web site running on port 80 of the WSUS server. This virtual directory, called the self-update tree, contains the WSUS-compatible Automatic Updates software

If you used a custom port:
If you already have a Web site on the computer where you intend to install WSUS, you should use the setup option for creating a custom Web site. This option puts the WSUS Web site on port 8530. This port is not configurable.

the client will need to point to

http://wsus.mydomain:8530

http://technet.microsoft.com/en-us/library/cc720452.aspx

________________________________________
Achieving a perception of high intelligence level can only be limited by your manipulation skills of the Google algorithm!

 

[mrgulic]

The clients that show up in the WSUS console appear to be accepting updates.

The problem is that not all the clients from active directory show up in WSUS. I have 2 OU's linked to the GPO I created for WSUS. One OU contains xp clients and the other one contains 2003 server clients.

It would appear that the cause of this is the the policy is not getting to all the systems. I did a "gpresult" on the 4 clients in WSUS and it shows the gpo, however when i checked a few that were not in WSUS they did not show the wsus gpo. So the problem is the GPO in not getting to most if the systems. Strange because I have several GPO's that i pushed out with no problem, one for RDP and one for NTP.

Thanks for taking the time to reply.

 

[TechyMcSe2k]

In the permissions for the GPO; add Domain Computers. See if that helps at all.

________________________________________
Achieving a perception of high intelligence level can only be limited by your manipulation skills of the Google algorithm!

 

[mrgulic]

If you mean permissions under "Security Filtering" in group policy then I added the "Domain Computers" as you suggested.

Afterwards I did a "gpupdate /force /wait:0" then waited 5 minutes and did a "gpresult" with no change. A refresh of the WSUS console showed no change either.

Still, if it had worked it would have added all systems in the domain, not just the ones under the target OU's as needed.

 

[TechyMcSe2k]

in the gpresult, it does not see that GPO at all? strange....something is preventing it from seeing that GPO at all.


________________________________________
Achieving a perception of high intelligence level can only be limited by your manipulation skills of the Google algorithm!

 

[mrgulic]

This is the gpresult from a server that the gpo push is not working:

    Applied Group Policy Objects
    -----------------------------
        Small Business Server Auditing Policy
        Default Domain Controllers Policy
        Small Business Server Client Computer
        Small Business Server Remote Assistance Policy
        Small Business Server Lockout Policy
        Small Business Server Domain Password Policy
        Default Domain Policy
        myRDP
        myNTP

This is the gpresult from a server that the gpo push is working:

   Applied Group Policy Objects
   -----------------------------
       myWSUS
       Small Business Server Client Computer
       Small Business Server Remote Assistance Policy
       Small Business Server Lockout Policy
       Small Business Server Domain Password Policy
       Default Domain Policy
       myRDP
       myNTP

BUT, I did a "gpresult" on the WSUS server itself and it shows the WSUS gpo was applied but the sever does not show up in the WSUS console.

I am at a loss for and explaination. Nothing is consistant.

 

[TechyMcSe2k]

In the GPResult, do you see "The following GPO's were not applied because they were filtered out"? Is it in that list in either Computer or User settings? If so, what is the Filtering reason?

________________________________________
Achieving a perception of high intelligence level can only be limited by your manipulation skills of the Google algorithm!

 

[mrgulic]

Ok, this is really strange. Now it would appear that the wsus object is showing up in the systems that didnt show it yesterday.

How is it possible that it took this long to propagate the change?

Still they are still not showing up in the WSUS console.

 

[TechyMcSe2k]

Do they have the latest Windows Update activeX control installed? You can access Windows Update to get it; or follow the IIS instructions above

WSUS has always been flaky in this respect.

________________________________________
Achieving a perception of high intelligence level can only be limited by your manipulation skills of the Google algorithm!

 

[mrgulic]

all the servers are virtual machines cloned from the same template so unless the different applications installed on them contained that update then they are all identical as far as updates go.