These might be a bit of a noob question, i would like to ensure that wsus is patching my environment.
Environment:
Server - Windows Server 2003 (Approx 50 servers)
Desktop - Windows 7 (Approx 16,000 clients)
SQL - Server 2005
WSUS Setup:
WSUS Central server has 5 Upstream Servers, Each Upstream server has max 10 downstream servers
All servers are in replica mode of WSUS Central.
All Upstram Servers have a DNS entry of WSUSDM all downstream servers have a DNS entry of WSUSSA
Firstly, is there anything i should be concerned about in these following error logs from the SoftwareDistribtion.log file.
WSUS Centeral Log File.
All servers are running WSUS 3.0 SP2 3.2.7600.226
All Clients are running WSUS 3.2.7600.256
2014-07-01 15:31:43.596 UTC Warning WsusService.20 ServerCertificateValidator.VerifyServerCertificate The server certificate validation failed because of an SSL policy error: RemoteCertificateChainErrors
2014-07-01 15:31:43.596 UTC Error WsusService.20 WebServiceCommunicationHelper.ProcessWebServiceProxyException ProcessWebServiceProxyException found Exception was WebException but Retry
Limit Exceeded. Action: No Retry, Fail. Exception Details: System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException:
The remote certificate is invalid according to the validation procedure.
2014-07-01 15:45:49.248 UTC Warning w3wp.1 SoapUtilities.CreateException ThrowException: actor = http://dch-inf02.prod.main.ntgov/ClientWebService/client.asmx, ID=f3901ab5-e342-4fca-ac52-c11dbf6ef702, ErrorCode=ConfigChanged, Message=, Client=097e5c2a-6d7e-4845-86a6-65fdd6ada322
2014-07-01 15:45:49.248 UTC Warning w3wp.1 SoapUtilities.CreateException ThrowException: actor = http://dch-inf02.prod.main.ntgov/ClientWebService/client.asmx, ID=f3901ab5-e342-4fca-ac52-c11dbf6ef702, ErrorCode=ConfigChanged, Message=, Client=097e5c2a-6d7e-4845-86a6-65fdd6ada322
WSUSDM Log Files
2014-07-01 15:00:35.174 UTC Info WsusService.23 CatalogSyncAgent.UpdateServerHealthStatusBasedOnError ServerHealth: Updating Server Health for Component: CatalogSyncAgent, Marking as Not Running
2014-07-01 15:00:49.815 UTC Error WsusService.21 RollupEventReporter.RollupComputerStatus RollupComputerStatus cant be retried. Exception: System.Web.Services.Protocols.SoapException:
There was an exception running the extensions specified in the config file. ---> Maximum request length exceeded.
2014-07-01 15:00:49.815 UTC Error WsusService.21 RollupEventReporter.RollupComputerStatus RollupComputerStatus cant be retried. Exception: System.Web.Services.Protocols.SoapException:
There was an exception running the extensions specified in the config file. ---> Maximum request length exceeded.
WSUSSA Log Files
2014-07-01 04:30:59.491 UTC Info WsusService.10 CatalogSyncAgent.UpdateServerHealthStatusBasedOnError ServerHealth: Updating Server Health for Component: CatalogSyncAgent, Marking as Not Running
2014-07-01 06:31:40.614 UTC Warning w3wp.14 SoapUtilities.CreateException ThrowException: actor = http://wsussa:8530/ClientWebService/client.asmx, ID=5a970209-fcd3-4ae0-81a4-af33d6e6436b,
ErrorCode=ConfigChanged, Message=, Client=b1af20b7-1620-4500-9c20-33eebfe3000b
2014-07-01 11:06:23.289 UTC Warning w3wp.22 DBConnection.OnReceivingInfoMessage The join order has been enforced because a local join hint is used.
2014-07-01 21:52:06.634 UTC Warning w3wp.6 SoapUtilities.CreateException ThrowException: actor = http://wsussa:8530/ClientWebService/client.asmx, ID=08cfa494-5a05-45e0-9a5d-d647d7b52662,
ErrorCode=InvalidParameters, Message=parameters.OtherCachedUpdateIDs, Client=a02bc5f9-cdcf-45df-a9fc-0cde19f410ce
((This error is very frequent)
2014-06-26 08:48:55.855 UTC Info w3wp.1 CabUtilities.CheckCertificateSignature File cert verification failed for C:\Program Files\Update Services\autest.cab with 2147942402
2014-06-26 08:48:55.855 UTC Info w3wp.1 WsusTestKeys.AreTestKeysAllowed Server test key check: test keys are NOT allowed
((This error is very frequent)
Next, under the server statistics of each tier the Updates count does not match.
i have looked at the products and classifications and they do not match on each teir, and i cannot change them because the option are disabled because it is a replica server, if this is a replica server should these not match ?
Using the WSUSDebugTool /Tool:GetConfiguration on the WSUS Central (the one that indicates SSL errors) there is a section
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup
in which the UsingSSL = 0. however the <NewDataSet><Table> has <UseProxy>true</UseProxy> im assuming that a certificate in the store needs to be present. in this sertificate for IIS or for WSUS ?
Also when i attempt to load Certification Authority i get an error message: "the specified service does not exist as an installed service" Would this cause an issue ?
i have used the command HTTPCFG query ssl at the command prompt and recieved nothing.
C:\Program Files\Update Services\Tools>httpcfg query ssl
C:\Program Files\Update Services\Tools>
would this indicate that a SSL Certificate isnt installed, thus causing WSUS server not to retrieve updates
in the event log of the Upstream Server WSUSDM there is a event log indicating "No client computers have ever contacted the server." since all the clients are pointed to WSUSSA this would be considered normal behavior as they dont directly report back to the WSUSDM server ?
if a downstream server is decommissioned and not removed from WSUS would this cause issues ? currently there is one device added that i cannot access and has not host entry (assumption is that it doesnt exist anymore)
The other thing i thought was strange was the Wsus Database files are not the same. and content folders are mismatched
WSUS Central:
mdf = 4,836,416kb Modified /6/2014
ldf = 2,377,088kb Modified /6/2014
Content = 28gig @ 9449 Files
WSUSDM:
mdf = 7,832,768kb Modified: 1/7/2014
ldf =1,623,488kb modified: 26/6/2014
Content = 68.4gig @ 41179 files
WSUSSA:
mdf = 4,177,088kb modified 1/7/2014
ldf = 47,616 Modified 1/7/2014
Content = 66.8gig @ 39260 Files.
Yet looking in the console under downstream servers node. it indicates that the servers have sync'ed in the last 2 days. and under the Syncronization node it indicates that there were 5 new updates and 5 expired updates. again because these servers are replicated. should this be the same ?
As for the WSUS Cenrtal server. inside the config file there is.
<StatsDotNetWebServiceUri>http://localhost</StatsDotNetWebServiceUri> - navigating indicates the page is under construction
<ReportingServiceUrl>https://statsfe2.update.microsoft.com</ReportingServiceUrl> - 403 Access Forbidden
<MUUrl>https://www.update.microsoft.com/v6</MUUrl> - 403 Access Forbidden
last but not least, entries in /Tools:GetConfiguration that do not match First line is the Central and the second is one of the WSUSDM, third is WSUSSA
<ReportingServiceUrl>https://statsfe2.update.microsoft.com</ReportingServiceUrl>
<ReportingServiceUrl>https://stats1.update.microsoft.com</ReportingServiceUrl>
<ReportingServiceUrl>https://stats1.update.microsoft.com</ReportingServiceUrl>
<EncryptionKey>Co9Ebojsrexv/MCDxA4YjJG3fvXtq94A</EncryptionKey>
<EncryptionKey>BWpjkyQPmrhNGYuSTGGDajxwhjtRldYi</EncryptionKey>
<EncryptionKey>usPm+irDAaBjdrJ/L+7IiRTeL8ZHYNCk</EncryptionKey>
<ServerTargeting>false</ServerTargeting>
<ServerTargeting>false</ServerTargeting>
<ServerTargeting>true</ServerTargeting>
<SyncToMU>true</SyncToMU>
<SyncToMU>false</SyncToMU>
<SyncToMU>false</SyncToMU>
<UpstreamServerName />
<UpstreamServerName>WSUSCentral</UpstreamServerName>
<UpstreamServerName>wsusdm</UpstreamServerName>
Only the Central requires this. the others are not configured.
<UseProxy>true</UseProxy>
<ProxyName>150.191.12.11</ProxyName>
<ProxyServerPort>8080</ProxyServerPort>
<AnonymousProxyAccess>true</AnonymousProxyAccess>
<LogLevel>0</LogLevel>
<LogLevel>0</LogLevel>
<LogLevel>3</LogLevel>
<LogPath />
<LogPath />
<LogPath>%programfiles%\\Update Services\\LogFiles\\SoftwareDistribution.log</LogPath>
<HandshakeAnchor>27719569,2014-06-30 23:31:09.075</HandshakeAnchor>
<HandshakeAnchor>414213,2014-07-01 15:00:02.556</HandshakeAnchor>
<HandshakeAnchor>484173,2014-06-30 00:04:15.367</HandshakeAnchor>
<LogDestinations>0</LogDestinations>
<LogDestinations>0</LogDestinations>
<LogDestinations>3</LogDestinations>
<RedirectorChangeNumber>3010</RedirectorChangeNumber>
<RedirectorChangeNumber>0</RedirectorChangeNumber>
<RedirectorChangeNumber>0</RedirectorChangeNumber>
<LogRolloverFileSizeInBytes>0</LogRolloverFileSizeInBytes>
<LogRolloverFileSizeInBytes>0</LogRolloverFileSizeInBytes>
<LogRolloverFileSizeInBytes>20000000</LogRolloverFileSizeInBytes>
<ConfigurationChangeNumber>414180</ConfigurationChangeNumber>
<ConfigurationChangeNumber>484347</ConfigurationChangeNumber>
<ConfigurationChangeNumber>199857</ConfigurationChangeNumber>
Installation Configuration
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup
:
Version:3
InstallLanguage:ENU
ProxyPassword:
SmtpUserPassword:
VersionString:3.2.7600.226
ConfigurationSource:0
ServicePackLevel:2
TargetDir:C:\Program Files\Update Services\
InstallType:1
EnableRemoting:1
WsusAdministratorsSid:S-1-5-21-476334246-1065586131-1552328902-1011
WSUSReportersSid:S-1-5-21-476334246-1065586131-1552328902-1010
SqlServerName:DCH-INF02
SqlAuthenticationMode:WindowsAuthentication
SqlDatabaseName:SUSDB
SqlUserName:
SqlEncryptedPassword:
SqlInstanceIsRemote:0
wYukonInstalled:0
ContentDir:E:\WSUS
PortNumber:80
EncryptionKey:System.Byte[]
IISTargetWebSiteIndex:1
IISTargetWebSiteCreated:False
IISUninstallConfigFilePath:C:\Program Files\Update Services\setup\UninstallSettings.xml
IISPreviousInstallRevision:
IISInstallRevision:3.2.7600.226
IIsDynamicCompression:-1
EncryptionParam:System.Byte[]
UsingSSL:0
HostHeader:
Matches for all servers except for the Sids, SUSServer Name and IIS Target Website Index
Thank you for taking the time to read all this. the reson this post has eventuated is because i have several hundred computers in the fleet that have "Computer has never updated" or some other random error, i would like to ensure that the servers are in working order and not causing issues first.
Thank you for your time.