WSUS Downstream Server Issues

Gamingphreek

Recently a customer I am supporting stood up a WSUS Server so that, instead of manually downloading updates every week and moving them to our offline environment, we could download directly.

This is all well and good, but I am having some problems.

WSUS 3.0 SP2 was already installed. I merely changed the options to point to the Upstream server instead of MS. Unfortunately, despite the fact that I didn't check the "replica server" box, I am unable to select which products I want to download from the Upstream Server.

I am able to configure my own Approval rules and computer groups like an Autonomous Downstream Server should though.

Can anyone explain to me why I seem to be stuck in replica server mode yet still have some autonomous mode abilities? I honestly am sick of waiting for every single product update EVER (Including updates from 2003) to download only to decline and delete them. My WSUS Content folder is >70GB on something that should be about half that size.

------------------

On a separate note, can someone confirm for me that, provided you have a hardware firewall, it is proper practice on Server 2008 to merely disable the Firewall but leave the service running?

Thanks,
-Kevin
 

drebo

The firewall service in 2008 is useful for a variety of reasons and is a prerequisite for certain things. Disabling the firewall but leaving the service active is standard practice.
 

imagoon

Check to see if the "Only download the updates when approved" is checked in 'update files and locations.'

edit:

If it is not checked, check it and then run the server cleanup wizard. It should drop a ton of the updates.
 

Gamingphreek

I'll go check that ASAP. Thanks for the tip imagoon!

I think our Security Policy has 2 or 3 other services disabled as well (Error Reporting Service for instance). Should all of those be started but disabled functionally as well?

I don't mean to make this a "let's help Gamingphreek on everything that he is struggling with on the network" thread, but while I check on the WSUS status, can anyone recommend a good way to:

A. Configure Windows for offline/secure environments
B. Trace down programs/services sending random UDP packets and broadcast messages out across the network

Ever since I fixed the issues with the Firewall service, I have been getting absolutely bombarded with E-Mails from our Hardware Firewall. Instead of filtering the E-Mails, I would love to get to the root of the problem. (A recursive netstat -b didn't help much at all)

Thanks,
-Kevin
 

Gamingphreek

The box regarding "Only download the updates when approved" is checked. It is possible that they are leftover from a previous dump when we were manually importing updates. Even still I feel like we have a lot of updates that are not in use.

The error I get when I click on "Products and Classifications" is:
"This server is configured to synchronize from an upstream Windows Server Update Services Server. The products and classifications can only be configured on the upstream server"

That to me sounds no different than a replica server save for the fact that I choose what is approved and what is not.

Am I way off base here?
 

imagoon

That sounds like a replica server. For the heck of it, have you tried checking "replica server", hitting OK and putting it back? Or maybe try running the cleanup wizard and see if, like you said, they are leftovers? I have never tried to convert a WSUS server after it is up; I always installed fresh. Sounds to me like you converted it at one point?
 

Gamingphreek

> That sounds like a replica server. For the heck of it, have you tried checking "replica server", hitting OK and putting it back? Or maybe try running the cleanup wizard and see if, like you said, they are leftovers? I have never tried to convert a WSUS server after it is up; I always installed fresh. Sounds to me like you converted it at one point?

When I click on replica server, the message changes to reflect the fact that it is a replica server. So I essentially have the same situation except I can't determine approve/decline rules.

I don't know how the server was set up before I took control. It could very well have been a replica server.

I'm guessing my best course of action would be to completely uninstall WSUS from the Server roles and reinstall it (Maybe there is an installation configuration option that was previously set). My question regarding this is whether or not I need to log into the SQL Server and clear all relevant entries there as well as delete the WSUS directory structure (WSUSContent etc...).

-Kevin
 

Gamingphreek

> Hi,
>
> I am having this problem, can anyone help me on this on finding out the solution?
>
> Appreciate if you can help to check on possible causes why our WSUS downstream servers are unable to synch with the upstream server.
>
> When the scheduled synchronization starts, the percentage status is not moving, it's idle with 0% and remains like that until it's stopped. Manual synchronization is also the same.
>
> Troubleshooting steps taken so far:
>
> - Ping upstream server (both hostname & IP) - ok, able to ping
> Upstream server host is configured using IP in downstream server WSUS console
> Tried changing from IP to hostname - same problem persists
>
> - Restarted BITS & Update Services service on downstream server
>
> - Checked upstream server, able to synch update from MS Update server successfully
>
> Upstream Server : California
>
> Downstream Server: Lake Forest

So you are able to ping with both hostname and IP, but you are unable to synchronize from it.

Does the upstream server use SSL? If so, is it configured on your Downstream server?

When you type in the IP Address into a browser, you should be greeted with an IIS placeholder page. Are you able to do that? Is the upstream server running an up-to-date IIS service?

-Kevin
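
The checks raised in this thread (replica versus autonomous mode, the upstream SSL setting, and whether the upstream's IIS actually answers when ping alone succeeds), gathered into one read-only script. This is an added example, not part of any post above. It assumes the WSUS administration API is installed on the downstream server and that it is run from an elevated PowerShell session there; the 5 s and 10 s timeouts are arbitrary choices.

```powershell
# Added example: reports configuration and reachability only, changes nothing.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$cfg  = $wsus.GetConfiguration()

# Settings as stored by WSUS, independent of what the console displays.
"Sync from Microsoft Update     : $($cfg.SyncFromMicrosoftUpdate)"
"Replica server                 : $($cfg.IsReplicaServer)"
"Download only approved updates : $($cfg.DownloadUpdateBinariesAsNeeded)"
"Upstream server                : $($cfg.UpstreamWsusServerName)"
"Upstream port                  : $($cfg.UpstreamWsusServerPortNumber)"
"Upstream uses SSL              : $($cfg.UpstreamWsusServerUseSsl)"

if ($cfg.SyncFromMicrosoftUpdate) {
    "This server syncs from Microsoft Update; there is no upstream WSUS to test."
    return
}

$name   = $cfg.UpstreamWsusServerName
$port   = $cfg.UpstreamWsusServerPortNumber
$scheme = if ($cfg.UpstreamWsusServerUseSsl) { 'https' } else { 'http' }

# Ping only proves ICMP gets through. Test the TCP port the sync really uses.
$tcp   = New-Object System.Net.Sockets.TcpClient
$async = $tcp.BeginConnect($name, $port, $null, $null)
$open  = $async.AsyncWaitHandle.WaitOne(5000, $false) -and $tcp.Connected
$tcp.Close()
"TCP $port reachable             : $open"

# Ask IIS on the upstream for the web service that downstream servers sync against.
# A certificate trust error here points at the SSL configuration.
$url = "{0}://{1}:{2}/ServerSyncWebService/ServerSyncWebService.asmx" -f $scheme, $name, $port
try {
    $req = [System.Net.WebRequest]::Create($url)
    $req.Timeout = 10000
    $req.UseDefaultCredentials = $true
    $resp = $req.GetResponse()
    "HTTP status from $url : $([int]$resp.StatusCode)"
    $resp.Close()
} catch {
    "Request to $url failed: $($_.Exception.Message)"
}
```

A closed port, or an SSL setting that does not match how the upstream is published, fits a synchronization that sits at 0% even though ping works.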