Tuesday, February 23, 2010

WSUS

To ensure that the self-update tree is working properly
Confirm that there is a Web site set up on port 80 of the WSUS server.

Type the following at the command prompt of the WSUS server:

cscript "WSUSInstallationDrive:\program files\microsoft windows server update services\setup\InstallSelfupdateOnPort80.vbs"

If you have WSUS client self-update running on port 80 of the WSUS server, see the next section.

Check IIS logs on the WSUS Server
Check the IIS logs on the WSUS server. IIS logs are typically located in %windir%\system32\LogFiles\W3SVC1 for the default Web site. If you copied the Wutrack.bin file to the \InetPub\wwwroot folder on the WSUS server when you set up client self-update, you can open the IIS logs and search for Wutrack.bin to locate error messages that show why self-update is failing. Typical errors might be 404 (file not found), 401/403 (authentication/access), and 500 (Internal server error). Use IIS Help to troubleshoot any problems found in the IIS logs.
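The log search described above can be scripted. The following is an added example, not part of the original page: it reads the #Fields header of each IIS W3C log to find the columns, then lists failed requests for the self-update paths this page names. The function name and the sample log lines are constructed for illustration.

```powershell
# Added example, not from the original page. Sample log lines are constructed.
function Get-SelfUpdateFailure {
    param([string[]]$Line)   # raw IIS W3C log lines, e.g. from Get-Content

    # Requests that belong to the self-update tree named on this page.
    $tree = '^/(iuident\.cab|wutrack\.bin|selfupdate|clientwebservice)(/|$)'
    # Error classes as listed on this page.
    $meaning = @{
        401 = 'authentication/access'; 403 = 'authentication/access'
        404 = 'file not found';        500 = 'internal server error'
    }
    $fields = @()
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # Each log file declares its own column order; do not assume positions.
            $fields = @(($l -replace '^#Fields:\s*', '').Trim() -split '\s+')
            continue
        }
        if ($l -like '#*' -or $fields.Count -eq 0) { continue }
        $cols = @($l.Trim() -split ' ')
        if ($cols.Count -ne $fields.Count) { continue }   # blank or truncated line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        $status = $row['sc-status'] -as [int]
        if ($row['cs-uri-stem'] -match $tree -and $status -ge 400) {
            $why = 'other error'
            if ($meaning.ContainsKey($status)) { $why = $meaning[$status] }
            New-Object PSObject -Property @{
                Client = $row['c-ip']; Path = $row['cs-uri-stem']
                Status = $status;      Meaning = $why
            }
        }
    }
}

# Constructed sample in IIS W3C format (192.0.2.x is a documentation address range).
$sample = @(
    '#Software: Microsoft Internet Information Services 6.0'
    '#Fields: date time cs-method cs-uri-stem c-ip sc-status'
    '2010-02-23 09:00:01 GET /iuident.cab 192.0.2.10 200'
    '2010-02-23 09:00:02 HEAD /selfupdate/AU/x86/XP/EN/wuaucomp.cab 192.0.2.11 401'
    '2010-02-23 09:00:05 GET /wutrack.bin 192.0.2.11 404'
    '2010-02-23 09:00:09 GET /default.htm 192.0.2.12 404'
)
Get-SelfUpdateFailure -Line $sample | Group-Object Status, Meaning, Path | Select-Object Count, Name

# Real logs on the WSUS server:
# Get-SelfUpdateFailure -Line (Get-Content "$env:windir\system32\LogFiles\W3SVC1\*.log")
```

On the sample, only the 401 for wuaucomp.cab and the 404 for wutrack.bin are reported; the 404 for /default.htm is outside the self-update tree and is ignored.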

If you have installed Windows® SharePoint® Services on the default Web site in IIS, configure it to not interfere with Self-update
If you install Microsoft Windows SharePoint Services on the same server that is running WSUS, you might get the following issues:

An "Access denied" message appears when Automatic Updates tries to update itself, and the latest Automatic Updates will not be running.

On the Home page, a message appears warning you that the SelfUpdate service is not available.

If client computers are not running the WSUS-compatible version of Automatic Updates, they will not be able to receive updates through WSUS.

To resolve this issue
Grant Anonymous access (Anonymous Auth) to the Default Web site, ClientWebService and Selfupdate v-roots in IIS.

Exclude specific requests from being intercepted by the Windows SharePoint Services ISAPI DLL by doing the following:

Open the Windows SharePoint Services Central Administration Site (click Start, point to Administrative Tools, and then click SharePoint Central Administration).

Click Virtual Server Configuration, and then click Configure Virtual Server Settings.

Click Default Web Site.

Click Virtual Server Management, and then click Define managed paths.

In the Add a new path box, set the type to excluded path. Under Path, type the following:
"/iuident.cab"
"/wutrack.bin"
"/clientwebservice"
"/Selfupdate"

Check network connectivity on the WSUS client computer
Check network connectivity on the WSUS client computer. Use Internet Explorer to determine if self-update files on the WSUS server are accessible to the client computer. If you perform the following procedure and are prompted to download or open the files, you have verified network connectivity. It is not necessary to save or open the files. You cannot self-update Automatic Updates this way. If you do not have access to these files, troubleshoot network connectivity between the WSUS client computer and the WSUS server.

To check network connectivity on the WSUS client computer
Click Start, and then click Run.

In the Open box, type iexplore and then press ENTER

In the Internet Explorer Address bar, type:

http://WSUSServerName/iuident.cab

where WSUSServerName is the name of your WSUS server. Ensure that you are prompted to download or open Iuident.cab. This verifies network connectivity from the WSUS client and the availability of the Iuident.cab file on the WSUS server.

If there are any boxes prompting you to download or save, click Cancel. In the Internet Explorer Address bar, type:

http://WSUSServerName/selfupdate/AU/x86/osvariable/languagevariable/wuaucomp.cab

where WSUSServerName is the name of your WSUS server, osvariable is a variable indicating the operating system of the client computer, and languagevariable is a variable indicating the language of the operating system of the client computer. The possible values for osvariable are NetServer, W2K or XP. The possible values for languagevariable are based on the standard 2- to 4-letter language abbreviations. For example, here is a URL for a client computer running an English version of Windows XP:

http://WSUSServerName/selfupdate/AU/x86/XP/EN/wuaucomp.cab

Ensure that you are prompted to download or save Wuaucomp.cab. This verifies network connectivity from the WSUS client and the availability of the Iuident.cab file on the WSUS server. If you are prompted to save or download both of these files, see the next section.
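The same two requests can be made without a browser, which also separates "the server answered with an error" from "no answer at all". This is an added example, not part of the original page; the function name is hypothetical and the server, operating system and language values are placeholders. The request is sent without credentials, so a 401 or 403 shows up as a status code.

```powershell
# Added example, not from the original page. Server, OS and language are placeholders.
function Test-SelfUpdateUrl {
    param(
        [string]$Server   = 'WSUSServerName',
        [string]$Os       = 'XP',    # NetServer, W2K or XP
        [string]$Language = 'EN'
    )
    $urls = @(
        "http://$Server/iuident.cab"
        "http://$Server/selfupdate/AU/x86/$Os/$Language/wuaucomp.cab"
    )
    foreach ($url in $urls) {
        $status = $null
        $detail = 'file is reachable'
        try {
            $req = [System.Net.WebRequest]::Create($url)
            $req.Method  = 'HEAD'     # headers only: the files do not need to be saved
            $req.Timeout = 10000      # milliseconds
            $resp = $req.GetResponse()
            $status = [int]$resp.StatusCode
            $resp.Close()
        } catch {
            # PowerShell may wrap the .NET exception; unwrap to the WebException.
            $ex = $_.Exception
            if ($ex -isnot [System.Net.WebException] -and $ex.InnerException) {
                $ex = $ex.InnerException
            }
            if ($ex -is [System.Net.WebException] -and $ex.Response) {
                # The server answered, but with an error status: look at IIS.
                $status = [int]$ex.Response.StatusCode
                $ex.Response.Close()
                $detail = 'server reachable but request failed: check the IIS logs'
            } else {
                # No HTTP answer: name resolution, routing, firewall or port 80.
                $detail = "no response: $($ex.Message)"
            }
        }
        New-Object PSObject -Property @{ Url = $url; Status = $status; Detail = $detail }
    }
}

Test-SelfUpdateUrl -Server 'WSUSServerName' -Os 'XP' -Language 'EN' |
    Format-List Url, Status, Detail
```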

Check logs on the SUS client computer
Check the %windir%\windows update.log on the client computer to see if there has been any activity or any attempts to contact the server. Check the %systemdrive%\program files\windowsupdate\v4\urllog.dat file on the client computer for cached server pingbacks if the client computer has not been able to communicate with the server.

These files are hidden by default. Use the following procedure to display hidden files and folders in Windows Server 2003.

To display hidden files and folders on Windows Server 2003
In Control Panel, open Folder Options.

On the View tab, under Hidden files and folders, click Show hidden files and folders.

If you can find no problem with the logs on the WSUS client, see the next section.

Manipulate registry settings on the SUS client computer
If all else has failed, you can attempt to manually manipulate registry settings to get the client computer to self-update to the WSUS client.

To manually manipulate registry settings on the SUS client computer
Click Start, and then click Run.

In the Open box, type regedit and then click OK.

In Registry Editor, navigate to the WindowsUpdate key by expanding the following:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\

If the WindowsUpdate key does not exist, do the following:

On the menu, click Edit, point to New, and then click Key.

Type WindowsUpdate as the name for the new key.

Double-click the WUServer setting, type the URL to your WSUS server, and then press ENTER.

If the WUServer setting does not exist, do the following:

On the menu, click Edit, point to New, and then click String Value.

Type WUServer as the setting name.

Double-click the WUStatusServer setting, type the URL to your WSUS server, and then press ENTER.

If the WUStatusServer setting does not exist, do the following:

On the menu, click Edit, point to New, and then click String Value.

Type WUStatusServer as the setting name.

Navigate to the following:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

If the AU key does not exist, do the following:

On the menu, click Edit, point to New, and then click Key.

Type AU as the name for the new key.

Verify that the UseWUServer setting has a value of 1 (0x1). If it does not, modify it by double-clicking the setting and then changing the value.

If the UseWUServer setting does not exist, do the following:

On the menu, click Edit, point to New, and then click DWORD Value.

Type UseWUServer for the setting name.

Navigate to the following:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update

Enable and configure Automatic Updates through Control Panel:

Click Start, click Control Panel, and then double-click Automatic Updates.

In the Automatic Updates dialog box, specify download and installation options, and then click OK. Make sure that Turn off Automatic Updates is not selected.

Ensure that the AUState setting has a value of 2 (0x2). If it does not, modify it by double-clicking and changing the value.

If the LastWaitTimeout setting exists, delete it.

If the DetectionStartTime setting exists, delete it.

At the command prompt, type the following, and then press ENTER to stop the Automatic Updates service:

net stop wuauserv

At the command prompt, type the following, and then press ENTER to restart the Automatic Updates service:

net start wuauserv

Wait approximately 6 to 10 minutes for the self-update to occur.
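The registry procedure above, collected into one check, as an added example that is not part of the original page. The function name is hypothetical and http://WSUSServerName is a placeholder. Without -Fix the function only reports; with -Fix (run from an elevated prompt) it writes the values the procedure gives, deletes the two timer values, and restarts the Automatic Updates service.

```powershell
# Added example, not from the original page. 'http://WSUSServerName' is a placeholder.
function Test-WsusClientRegistry {
    param(
        [string]$Server = 'http://WSUSServerName',
        [switch]$Fix     # write the expected values and restart wuauserv
    )
    $policy = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
    $state  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $expected = @(
        @{ Key = $policy;      Name = 'WUServer';       Type = 'String'; Value = $Server }
        @{ Key = $policy;      Name = 'WUStatusServer'; Type = 'String'; Value = $Server }
        @{ Key = "$policy\AU"; Name = 'UseWUServer';    Type = 'DWord';  Value = 1 }
        @{ Key = $state;       Name = 'AUState';        Type = 'DWord';  Value = 2 }
    )
    foreach ($e in $expected) {
        $item   = Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue
        $actual = $null
        if ($item) { $actual = $item.($e.Name) }
        $ok = ("$actual" -eq "$($e.Value)")
        if (-not $ok -and $Fix) {
            # Create the key first if the procedure's "does not exist" branch applies.
            if (-not (Test-Path $e.Key)) { New-Item -Path $e.Key -Force | Out-Null }
            New-ItemProperty -Path $e.Key -Name $e.Name -Value $e.Value `
                -PropertyType $e.Type -Force | Out-Null
        }
        New-Object PSObject -Property @{
            Setting = "$($e.Key)\$($e.Name)"; Expected = $e.Value; Actual = $actual; Ok = $ok
        }
    }
    # The procedure deletes both timer values before the service is restarted.
    foreach ($name in 'LastWaitTimeout', 'DetectionStartTime') {
        $found = [bool](Get-ItemProperty -Path $state -Name $name -ErrorAction SilentlyContinue)
        if ($found -and $Fix) { Remove-ItemProperty -Path $state -Name $name }
        $actual = '(absent)'
        if ($found) { $actual = 'present' }
        New-Object PSObject -Property @{
            Setting = "$state\$name"; Expected = '(absent)'; Actual = $actual; Ok = (-not $found)
        }
    }
    # Equivalent to net stop wuauserv followed by net start wuauserv.
    if ($Fix) { Restart-Service -Name wuauserv }
}

# Read-only report of the current state.
Test-WsusClientRegistry -Server 'http://WSUSServerName' |
    Format-Table Setting, Expected, Actual, Ok -AutoSize
```

The report reflects the state before any change, so after a -Fix run, call the function again without -Fix to confirm the values.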

To force the SUS client computer to check with the WSUS server
Wait approximately one minute, and then refresh the registry. You should now see the following settings and values:

DetectionStartTime (REG_SZ) YYYY.MM.DD HH.MM.SS. The DetectionStartTime value is written in local time, but the detection actually occurs 5 minutes after the time noted.

LastWaitTimeout (REG_SZ) YYYY.MM.DD HH.MM.SS. The LastWaitTimeout value is written in GMT or Universal Time, and represents the actual time that detection occurs.

Although these values refer to the time that detection is going to start, the first phase of detection is the process of checking whether a self-update is necessary. Therefore, these values actually refer to when self-update from the SUS client to the WSUS client should occur.

If the client software has not self-updated after ten minutes, refresh the \Auto Update registry key. If the LastWaitTimeout value has changed and is now 24 hours later than its previous value, that indicates that Automatic Updates was not able to contact the server URL that you specified in the WUServer value.

Wednesday, December 30, 2009

SCCM



In this second part of the SCCM How To series I will walk through the setup process.  This is pretty straightforward; the major difference is that it adopts the task sequence process like SCCM itself.  The setup process is based on the idea that it is a new installation of a single site; the other options are to go through an upgrade and a multi-site install.

NOTE: If you have not read the first article in this series please review it before the installation to save yourself some time and frustration.

To recap from the first article in the series, there are some prerequisites that have to be met before you can install SCCM: .NET Framework 2.0, MMC 3.0 for Windows 2003, SQL 2005 SP2, MS06-030, COM+ 1.5 Hotfix Rollup Hotfix 913538, Hotfix 932303, and Hotfix 925335. You also have to have SQL 2005 installed.  Make sure you read the release notes before you get started, and if you are installing on a server instead of virtually, make sure your server meets the minimum requirements.

NOTE: This is based on preliminary Beta software that may change prior to release, so these steps may or may not work for the release version of SMS.

To start the installation, execute autorun.exe.  This will display the menu to start the install of SMS Version 4 (SCCM 2007), System Center Updates Publisher, the Application Compatibility Toolkit Connector, view the SMS Documentation, or Exit.

Select SMS Version 4 and this will take you to the next screen, where you will be reminded to read the release notes, know the name of your SQL server, have SQL 2005 SP1 or later installed, and that the hardware has met the minimum requirements.  I have 1GB of RAM for my VPC since the db constraints are not that serious; if you are using a virtual machine and are planning on using a backup of your SMS db, you will need more RAM dedicated to your virtual machine.  A side note: I use VPC because of the drag and drop file support in VPC 2007 that you don't yet get in Virtual Server.  Click the Next button to start the process.

If you are installing on a new system, not upgrading, you will be presented with the choices Install an SCCM Site Server and Install or Upgrade SCCM Administrator Console. The other options would be to Upgrade existing SMS 2003 Installation or SCCM installation, perform Site Maintenance or Reset this Site, and Uninstall SCCM. We obviously want the first choice, to install SCCM.

After you click the Next button you will get the EULA, and must check the I accept box and click the Next button.

On the next window you will be presented with the choices of going through Custom settings or Simple settings.  Since we are IT people, we want Custom.  The Simple settings will not allow us to choose the install path of SMS or other settings.

Click Next. On the next screen you will be presented with the choice of installing a Primary site or Secondary site; the default selection is to install a Primary site, so you only need to click the Next button.

On the next screen you will be presented with the SCCM Customer Experience Improvement Program. This option cannot be changed at this point, but if you choose to opt out you can do so after the install by going to the Help menu. Just click Next, and Next again on the Product Key screen; this is populated for you during the Beta.

On the next screen you will specify the installation path, this is where you will specify the drive you want the SMS bits to be installed, since I have three drives my second drive is where I want to install SMS so I changed the path to E:\Program Files\MicrosoftSCCM2007\ instead of the default of C:\..

If you have completed the worksheets then you should reference them beginning with the next window.  On the next window you will fill in your site code and site name.  I chose "DDD" for my site code, and Dimension Data NA SCCM Central Site for my site name.

The next window is new to SCCM, this is where you choose either SCCM Native Mode, or SCCM Mixed Mode.  Do not confuse this with Advanced security and Standard security in SMS 2003.  SCCM has only one level of security and it is Advanced security. 

To explain these two choices: Native mode makes use of your PKI infrastructure and a certificate that you have signed for your site server.  This is the highest level of security available for SCCM, and it forces two-way authentication between the client and the server.  Mixed mode is similar to Advanced security in SMS 2003, but you can choose to manually approve clients prior to allowing them to be assigned to your site, automatically approve clients that are joined to your domain, or approve all clients without regard to whether they are part of your domain.

More information about the security changes in SCCM 2007 can be found here.

Because I do not have a PKI server set up in my virtual environment, I am going to select Mixed mode.

After you click Next the following window is where you can choose the client agents to install and enable.  By default all of them are selected minus NAP.  I chose the defaults and this includes Software Inventory, Hardware Inventory, Advertised Program, Software Updates, Software Metering, Desired Configuration Management, and Remote Tools.

The next window is where you configure your SQL database settings, the name of your SQL server, and the site database name.  My SQL server is local and I am going with the default db name.

After making your choices and selecting Next, you will choose the computer where the SCCM provider will be installed, this must match your SQL server.  The provider is what you use to communicate with the SQL db.  Since my SQL db is installed local, my provider is going to run on my same server, if you are running your SQL server on a different server you should specify it here.

The next window is where you specify the server that is going to function as your Management Point, since I am using a single server I will choose my server.  You can also choose not to install an MP at this point and to do it in the admin console later.

On to the next window: this is where you can configure the ports that SMS communicates on.  Specifically, these are the ports that the clients use to communicate with the server.  The default is port 80; if you have something else running on port 80 or you want to use a different port number, then you should specify it here.  You can change this later in the admin console, and alternatively you can use HTTPS in Native mode.  I will use port 80 for my installation.

Almost done, the next screen is the summary page for the installation choices.  Take a look at the components and their configuration, if they need to be adjusted use the Back button, if they are as you would like, then click the Next button.

The installer will run a check for the prerequisites and display any prerequisites that have not been met and if they can be bypassed.  If you have any listed you may be able to click the Resolve button to have it automatically fixed for you.  In my example you can see I am missing the KB 897667 but I can proceed because it is only a warning.  To start the install click the Begin Install button.

The install process is not as quick as SMS 2003 is, but it does display a rather verbose install progress dialog that is new.

The setup of SCCM is completed but there are still a few more steps.


Click the Next button on the installation summary screen and then click Finish, do not check the box to open the admin console.

NOTE: You must have WSUS installed and running before this step.  It is not necessary to configure it to download updates and you can cancel out of the wizard part of the WSUS configuration settings.  If you do not install WSUS your site will not be able to scan for or deploy updates.

We need to start the setup again to install the System Center Update Publisher, which installs the WSUS server components to be able to setup a Software Update Point (SUP) and sync it with Microsoft Update and also to install patches on your clients.

So click on the second selection to start the install of System Center Update Publisher.

On the first screen click the Next button.

On the EULA screen select the I accept radio button and then click the Next button.

The next window is where you will configure the database that is used to store the update information.  I am going to use the local SQL database.

The next window will show that you do not have a WSUS server installed.  You could alternately use a remote WSUS server or install the WSUS server locally outside of this installation.  Since it is not a fully functioning WSUS server and since we have SQL installed locally, I am going to let WSUS install on the same server that SCCM is installed on.  I have heard from a number of customers that the older versions before 3.0 would only work for a short period of time and then stop working, leaving them in a difficult place if they did not use SMS or did not use SMS for patching.  I think this was related to the database and I don't think we will see the same problems because we are going to use a slimmed down version of WSUS, a new version, as well as a full blown SQL 2005 back end.

Click the Install button to kick off the install of WSUS.

 

After the install completes click the Next button.

The next dialog will ask you which instance of SQL you want to use based on the SQL server you specified previously.

After you click Next you will choose where to install the files to, I am going to install to the same drive as SMS.  After you have chosen where to install and made any adjustments you need, click the Next button.

The next dialog will allow you to review your settings before the install begins; if you do not want to change anything, then click the Next button to start the installation.

This install should only take a minute or two, it is much faster than the SCCM install.  When it finishes click the Finish button and then on the Setup screen click the Exit button unless you want to install the ACT connector.

The installation of SCCM 2007 along with the SUP is now complete.

In the next article I will cover how to configure SCCM including the software updates.

Regards,

Satish
