WSUS 3.0, clients not connecting 1

[TheCandyman]

I have SBS 03 Prem, not RC2. I installed WSUS 3.0 on it and set it up as i went though the configurations. The WSUS connects and gets the updated i requested, but the clients don't connect. I went to the group policy and told them to update to http://myserver/selfupdate, and also http://myserver:8530/selfupdate but i get an "directory listing denied" error. I tried that link on the server as well and got the same error. I logged in as Admin, and still got the same error. Isn't that where the client computers are supposed to try and connect to??

PS - all clients are XP SP2

 

[porkchopexpress]

I'm not at a server to check right now but i think it should just be

http://myserver

and with the port number if you set it to a specific port it's 80 by default.

 

[TheCandyman]

My issue is with getting the GPO to work. i run the client Diag and get this error:

Checking Connection to WSUS/SUS Server
AU does not have Policy Set
AU does not have Policy Set
        UseWuServer is disabled . . . . . . . . . . . . . . . . FAIL

I opened up "gpedit.msc" and under computer config > Administration Templates > Windows Components > Windows Update and changed all the setting correctly in there to match the install documents. But the clients still don't connect, so how do i get those settings in GPO to go to all computers?

 

[ShackDaddy]

Which policy are you making changes to when you add the changes? Or did you create a new policy for the WSUS stuff to be applied to the clients from? Are you using the Group Policy Management console that's built into the Server Management interface, under Advanced Settings?

I rolled out WSUS 3.0 for an SBS network in February, and I only had them connect to

http://server:8530.

I enforced it narrowly on the specific OU that only contained workstations for the site that I was interested in having updated.

ShackDaddy
Shackelford Consulting

 

[TheCandyman]

Take a look here:

http://tempimage.hopto.org/Untitled3.gif

I am making the changes as you see in that pic. Shouldn't that apply to all computers? I'm sort of new to GPO/OU if you can't tell. What should i do???????

 

[porkchopexpress]

Why are you not setting this using Active Directory rather than local policy?

 

[TheCandyman]

Hey porkchopexpress,

I remember reading that WSUS wasn't well incourprated with AD, and so the only open was through GPO. You saying the AD is an option? If so how would you do it that way?

 

[ShackDaddy]

Earlier I said "Are you using the Group Policy Management console that's built into the Server Management interface, under Advanced Settings?"

That's what you should be using for Group Policy deployment. You should create a new policy using that tool and attach it to your domain, or at least your Computers OU. It looks a bit like you are trying to set local policy on a per-computer basis, rather than using the main tool that integrates with AD.

You are using the wrong tool. Do not use GPEdit.msc. Use the tool that's in the Server Management -> Advanced toolset. And don't edit an existing policy, create a new one!

ShackDaddy
Shackelford Consulting

 

[TheCandyman]

You're right ShackDaddy,

I was using the gpedit, i applied those settings to the 'Advanced Management' section then GPO. Take a look again and let me know if this is better.

http://tempimage.hopto.org/Untitled2.gif

-(Noob question coming)-
So creating the GPO in this area makes the client computers use these settings? Also, in the right pane, Under 'Enforced', shouldn't i change that to 'yes'?

Sorry for the basic questions, but i need to start somewhere i guess.

 

[ShackDaddy]

Now you have one of the default policies being applied in two places. If it's being applied at the top of the OU tree, it doesn't need to be reapplied. Best way to do this is to create a new policy, not reuse an existing one. Best not to mess with the default settings if your goal is to introduce new settings.

And yes, set it to Enforced.

To get a client to take the settings, you want to go to the client command-line, and type "gpupdate /force". Then I'd reboot it for good measure, then check the Auto-Update settings on the client. They'll probably be grayed out.

ShackDaddy
Shackelford Consulting

 

[TheCandyman]

I think it works, i say think because i have to restart the server late tonight from an update which affects wsus. But the client i did the 'gpupdate /force' on, the update is now grayed out and it wasn't before! So i'll take that as a good sign. I'll let you know if it working tomorrow!

 

[ShackDaddy]

Sounds like it's working. By tomorrow, your clients will have mostly updated their local computer policies and be using the server for updates. Glad this worked out for you.

ShackDaddy
Shackelford Consulting

 

[TheCandyman]

Thanks ShackDaddy & porkchopexpress!!

The clients connected and the first computer updated when it logged in. FINALLY!!

Once again thanks for walking me through the GPO, i learned a lot thanks to your patience. Most just post once then move on.

 

[Danny28]

Are you running Win2k3SBS R2? If you are, then you need to uninstall WSUS 3.0 because you have installed everything incorrectly. For WSUS 3.0 to function properly with with SBS R2, you first install WSUS 2.0 using the R2 disc provided. You do not customize any options (especially assigning computers based on group policy). Changing this setting will break the SBS wizards.

Then, you install WSUS 3.0. When the configuration wizard appears just after installation, you immediately CANCEL the wizard. Then you will be able to access WSUS from the SBS server management console. The reporting functionality is also updated to included WSUS related items.

If you are not using version R2 of win2k3SBS, then none of this integration exists, so it doesn't matter. I would try a fresh install of WSUS though anyway. Also check the permissions on the WSUS virtual directories in IIS. Sometimes these get messed up especially when someone stops using the wizards and does things manually. In particular, you might be missing the directory permissions to allow anonymous access via the IUSR_.... account.