Server 2012 WSUS failure...need help

Mackintire

So I built and tried to deploy a Server 2012 WSUS and it's not working right.

Installed Server 2012 and added the server to the domain with no issues.

Changed the server to a static IP address and created a new record so that the IP resolves correctly and nslookup functions.

Added WSUS role which also added IIS and a silent install of SQL 2012 Express WID Database automatically.

The domain is running 2008 R2.

Added a group policy for WSUS and pointed to the server at HTTP:\\servername:8530


Now here start the problems.

When I first set up WSUS everything appeared to work and both machines that I added to the WSUS via GP showed up fine.

Now both clients have a 0x80244019 error while trying to connect.

I finally got my one client to connect by changing the address twice, but now WSUS shows 13 updates available and none of those are showing on the client when I run Windows Update. The WSUS console shows that my one client is connecting, but doesn't offer updates.

Running Starwinds WSUS tester shows either a proxy issue, HTTP issue or some sort of IIS issue.

I removed all the relevant roles from the machine, rebooted and added them, but all the settings were remembered correctly.

Trying to look for WSUS 4.0 help online is close to useless.

I'm close to considering blowing it all away and starting over from scratch.

Any ideas? And good tools? Ways to verify the configuration step by step to find the fault?

I'm thinking the problem is IIS.

Any help would be greatly appreciated.
 
Do you have a suffix search order for your domain on your clients? Can you ping the wsus server by shortname from them?

The client boxes weren't cloned by any chance after the GP was up and in place? If you clone a box that's already in WSUS it won't show up until you fix some stuff.
 
Suffix search order doesn't appear to be an issue.

We have three sites (two of which have a local DNS). The record exists on all the DNS servers. I can resolve, ping or open a shared folder on the WSUS server with no issues.

The client boxes were not cloned, but the one that I have not yet been able to get back was upgraded to Windows 8...and has the same network name as it did when it was a Windows 7 box.
 
I found 2k12 extremely buggy. Shares stop working, TS crashes, slow responding DNS. Although changes look good on paper, a lot of the features don't work correctly. It's like they didn't test shit.
 
Added a group policy for WSUS and pointed to the server at HTTP:\\servername:8530
First observation.. if you used backslashes in your URL, then that's broken for sure.

When I first set up WSUS everything appeared to work and both machines that I added to the WSUS via GP showed up fine.

Now both clients have a 0x80244019 error while trying to connect.
The 0x80244019 error is an HTTP 404 which means the resource being sought is not where the client is looking. But we really need to see this error in context in order to determine what is actually missing. That means posting the series of log entries from the WindowsUpdate.log for the entire detection event of that client.

Trying to look for WSUS 4.0 help online is close to useless.
This could be because there is no such entity as "WSUS 4.0". The WSUS on Windows Server 2012 is WSUS v6.2, and you're actually on the bleeding edge for deploying WSUS on Windows Server 2012 to start. However, the good news is -- other than the product installation steps, which are slightly different -- configuring a WSUS v6 server is identical to configuring a WSUS v3 server -- and for that, the best place to start is the WSUS Deployment Guide (WSUS v3 | WSUS v6) in the TechNet Library. Beyond that, the premier source for assistance with WSUS is the TechNet WSUS Forum.

Any ideas? And good tools? Ways to verify the configuration step by step to find the fault?
I would also encourage you to obtain the free SolarWinds Diagnostic Tool for the WSUS Agent, which will help you validate and troubleshoot your client-side configurations and potentially identify exactly what the issue might be.

I'm thinking the problem is IIS.
Actually, highly unlikely. Almost always these scenarios are caused by misconfigurations, usually in the GPO. The HTTP 404 and your use of the double-backslash above is a strong indication. :)

--
Lawrence Garvin, M.S., MCITP, MCDBA, MCSA
SolarWinds Head Geek
Microsoft MVP (WSUS) 2005-2013
 
First observation.. if you used backslashes in your URL, then that's broken for sure.


The 0x80244019 error is an HTTP 404 which means the resource being sought is not where the client is looking. But we really need to see this error in context in order to determine what is actually missing. That means posting the series of log entries from the WindowsUpdate.log for the entire detection event of that client.


This could be because there is no such entity as "WSUS 4.0". The WSUS on Windows Server 2012 is WSUS v6.2, and you're actually on the bleeding edge for deploying WSUS on Windows Server 2012 to start. However, the good news is -- other than the product installation steps, which are slightly different -- configuring a WSUS v6 server is identical to configuring a WSUS v3 server -- and for that, the best place to start is the WSUS Deployment Guide (WSUS v3 | WSUS v6) in the TechNet Library. Beyond that, the premier source for assistance with WSUS is the TechNet WSUS Forum.


I would also encourage you to obtain the free SolarWinds Diagnostic Tool for the WSUS Agent, which will help you validate and troubleshoot your client-side configurations and potentially identify exactly what the issue might be.


Actually, highly unlikely. Almost always these scenarios are caused by misconfigurations, usually in the GPO. The HTTP 404 and your use of the double-backslash above is a strong indication. :)

--
Lawrence Garvin, M.S., MCITP, MCDBA, MCSA
SolarWinds Head Geek
Microsoft MVP (WSUS) 2005-2013



Well what can I say:

  • The backslashes were not the problem....as they were not there. There were many typos in my previous post. (tired frantic postings and late nights)

  • The 0x80244019 error is as you spoke it, but a 404 error could be caused by a great many things.
  • Microsoft has documentation that refers to WSUS 4.0 but I'm guessing that Windows Server WSUS is v6.2. I'll check out the WSUS 6 deployment guide.
  • I mentioned I had used a tool. I used the SolarWinds and not Starwinds Diagnostic Tool for the WSUS agent.

  • I'm not certain what the exact problem was, probably something broken at the local GPO level. Removal of the GPO and resetting the key in the registry is probably what resolved part of the problem.

I changed and verified a pile of settings last night before giving up. This morning I arrived at work...and everything is working correctly.

Go figure...
 
I found 2k12 extremely buggy. Shares stop working, TS crashes, slow responding DNS. Although changes look good on paper, a lot of the features don't work correctly. It's like they didn't test shit.

I haven't seen any of that. Although I have to admit, It appears Microsoft shuffled around quite a few things.

My Server 2012 WSUS VM ran like crap until I assigned it a second logical CPU.
 
I changed and verified a pile of settings last night before giving up. This morning I arrived at work...and everything is working correctly.

Go figure...

Good thing you got it working. WSUS can be a real PITA, especially when MS deploys updates that hose it. On the upside, you won't have to wade through the arrogant replies of a certain "Head Geek" on Microsoft's website to find your answers.
 
I found 2k12 extremely buggy. Shares stop working, TS crashes, slow responding DNS. Although changes look good on paper, a lot of the features don't work correctly. It's like they didn't test shit.

Which features? I'm running lots of 2012 servers in my lab at home without any problems.


As for WSUS, I usually find the problems are in the GPO. GPResult /h will give you some pretty good output so you can verify that the policy is applying properly and that the settings are correct.
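
Added example, not written by anyone in this thread: a client-side check of the WSUS settings Group Policy writes to the registry, covering both the HTTP 404 (0x80244019) diagnosis and the GPResult advice above. The function names are made up here, `servername` is the placeholder host from the first post, and the sample URLs are constructed.

```powershell
# Added example. Test-WsusPolicyUrl and Get-WsusEndpointStatus are names invented for this sketch.
function Test-WsusPolicyUrl {
    param([string]$Url)
    $problems = @()
    if (-not $Url -or -not $Url.Trim()) { return @('value is empty or not set') }
    if ($Url -ne $Url.Trim()) { $problems += 'leading or trailing whitespace' }
    if ($Url.Contains('\'))   { $problems += 'contains a backslash; the form is http://server:port' }

    # Parse a normalized copy so the remaining checks still run on a backslash URL.
    $uri = $null
    $candidate = $Url.Trim().Replace('\', '/')
    if (-not [Uri]::TryCreate($candidate, [UriKind]::Absolute, [ref]$uri)) {
        return $problems + 'not an absolute URL'
    }
    if (@('http', 'https') -notcontains $uri.Scheme) { $problems += "unexpected scheme '$($uri.Scheme)'" }
    if ($uri.AbsolutePath -ne '/') { $problems += "has a path '$($uri.AbsolutePath)'; expected only scheme://host:port" }
    if ($uri.IsDefaultPort) { $problems += 'no port given; WSUS on Server 2012 listens on 8530/8531 by default' }
    if ($uri.Scheme -eq 'http'  -and $uri.Port -eq 8531) { $problems += 'http scheme on 8531, the default SSL port' }
    if ($uri.Scheme -eq 'https' -and $uri.Port -eq 8530) { $problems += 'https scheme on 8530, the default HTTP port' }
    return $problems
}

function Get-WsusEndpointStatus {
    # Returns the HTTP status code of the client web service, or the transport error name.
    param([string]$BaseUrl)
    $req = [System.Net.WebRequest]::Create("$($BaseUrl.TrimEnd('/'))/ClientWebService/client.asmx")
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    } catch {
        # PowerShell may wrap the WebException; walk down to it.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        if ($ex -and $ex.Response) { return [int]$ex.Response.StatusCode }
        if ($ex) { return $ex.Status.ToString() }
        return 'UnknownError'
    }
}

# 1. Constructed sample values, including the URL as typed in the first post.
foreach ($sample in 'HTTP:\\servername:8530', 'http://servername', 'http://servername:8530') {
    $found = @(Test-WsusPolicyUrl $sample)
    if ($found.Count) { "{0} -> {1}" -f $sample, ($found -join '; ') } else { "$sample -> OK" }
}

# 2. The values actually applied to this machine by policy.
$wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au     = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

foreach ($name in 'WUServer', 'WUStatusServer') {
    $value = if ($policy) { $policy.$name } else { $null }
    $found = @(Test-WsusPolicyUrl $value)
    if ($found.Count) { Write-Warning "$name = '$value': $($found -join '; ')" }
    else              { "$name = $value (syntax OK)" }
}
if ($policy -and $policy.WUServer -ne $policy.WUStatusServer) {
    Write-Warning 'WUServer and WUStatusServer differ'
}
if (-not $au -or $au.UseWUServer -ne 1) {
    Write-Warning 'AU\UseWUServer is not 1; the client ignores WUServer and goes to Microsoft Update'
}

# 3. A 404 from this request is the condition the client reports as 0x80244019.
if ($policy -and -not @(Test-WsusPolicyUrl $policy.WUServer).Count) {
    "client.asmx status: $(Get-WsusEndpointStatus $policy.WUServer)"
}
```

A clean result for an `http://` URL only confirms the syntax and reachability; the same checks apply unchanged if the server is published over SSL on 8531.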
 
Which features? I'm running lots of 2012 servers in my lab at home without any problems.

I have the same experience.

I have a 5 node 2012 hyperv cluster, DHCP, DNS, KMS, and various other servers -- about 20 in total -- all running 2012 in my production environment without issue.

With Windows 8, my lab (read: my desktop) has turned into my VM host and I just run all my virtuals from my desktop now. But all my virtuals are 2012...
 
.NET 3.5 failing to install (even with command line).
Core to GUI ends up half the time corrupting the OS.
SFC /scannow is unable to fix problems.
DNS was very slow, unless you use explicit forwarders. It's like root hints were not working.
Hyper-V with SMB will fail for whatever reason to publish certain folders; can access the share but stupid Hyper-V will not see it. (I ended up using VMware instead of hypershit)
TS setup is horridly broken if you set up the servers one by one, or if your TS server breaks you can't remove it from deployment. Can't uninstall any TS features.
Certificate push for TS doesn't work correctly.
Activation sometimes works and sometimes it doesn't, can't resolve server name.
Stupid certificate import is dumb for TS. It asks for pfx not cer, which you most likely will get from a certificate authority. You then have to do an import, export, re-import workaround.
TSmanager.msc is not loaded correctly, can't find it. I would like to take a look at a TS session; I can't because the feature is not there.


Not to mention fuckwad UI.. Fucking METRO. Must DIE. Stupid cocksucking charms bar.
 
Which features? I'm running lots of 2012 servers in my lab at home without any problems.


As for WSUS, I usually find the problems are in the GPO. GPResult /h will give you some pretty good output so you can verify that the policy is applying properly and that the settings are correct.

I'll have to try that, just to see what it shows.
 
.NET 3.5 failing to install (even with command line).
Core to GUI ends up half the time corrupting the OS.
SFC /scannow is unable to fix problems.
DNS was very slow, unless you use explicit forwarders. It's like root hints were not working.
Hyper-V with SMB will fail for whatever reason to publish certain folders; can access the share but stupid Hyper-V will not see it. (I ended up using VMware instead of hypershit)
TS setup is horridly broken if you set up the servers one by one, or if your TS server breaks you can't remove it from deployment. Can't uninstall any TS features.
Certificate push for TS doesn't work correctly.
Activation sometimes works and sometimes it doesn't, can't resolve server name.
Stupid certificate import is dumb for TS. It asks for pfx not cer, which you most likely will get from a certificate authority. You then have to do an import, export, re-import workaround.
TSmanager.msc is not loaded correctly, can't find it. I would like to take a look at a TS session; I can't because the feature is not there.


Not to mention fuckwad UI.. Fucking METRO. Must DIE. Stupid cocksucking charms bar.

Let me help you:

.NET 3.5 can be installed. The correct way is to install it via DISM. The installation file is on the Server 2012 iso in the "extra" folder.

I've seen the core to full GUI bug. Most of the time it's due to the install media being corrupt.

SFC /Scannow will be unable to fix problems if the original file is corrupted too.

Also Server 2012 has full online self-healing NTFS. Checkdisk is not needed 99% of the time now.

I haven't seen the DNS issues. Did you follow the "Definitive Microsoft DNS Guide" http://blogs.technet.com/b/askds/ar...ill-ever-find-from-microsoft.aspx?PageIndex=2

I've had no such problems with Hyper-V. Perhaps you could start a thread and we could assist you further?

TS does not exist anymore in Server 2012, nor did it really exist in Server 2008 R2; it's now called "remote desktop services". You might find what you are looking for here: http://blogs.msdn.com/b/rds/

I've only seen the activation bug when I had tried to install from a corrupted iso. The install completed but was flaky as hell.

I've used pfx for certificate import many times on Microsoft products. Where have you been?

Did you try TSadmin.msc?

You need to use the Remote Desktop Services installation option in the "Add Roles and Features" wizard (not "role-based or feature-based"). It will install the necessary services on the server(s) you select, and you can then select "per user" or "per device" in Server Manager > Remote Desktop Services > Overview > Deployment Overview/Tasks > Edit Deployment Properties > RD Licensing. I think you also need to create a server collection and add your session host servers to it. The licensing diagnoser should report everything working correctly then.
Of course the license server should be activated and appropriate licenses installed (per user/per device).

http://social.technet.microsoft.com/Forums/en-US/winserverTS/threads/
 
.NET 3.5 failing to install (even with command line).
Core to GUI ends up half the time corrupting the OS.
SFC /scannow is unable to fix problems.
DNS was very slow, unless you use explicit forwarders. It's like root hints were not working.
Hyper-V with SMB will fail for whatever reason to publish certain folders; can access the share but stupid Hyper-V will not see it. (I ended up using VMware instead of hypershit)
TS setup is horridly broken if you set up the servers one by one, or if your TS server breaks you can't remove it from deployment. Can't uninstall any TS features.
Certificate push for TS doesn't work correctly.
Activation sometimes works and sometimes it doesn't, can't resolve server name.
Stupid certificate import is dumb for TS. It asks for pfx not cer, which you most likely will get from a certificate authority. You then have to do an import, export, re-import workaround.
TSmanager.msc is not loaded correctly, can't find it. I would like to take a look at a TS session; I can't because the feature is not there.

I'm sure you went through TechNet docs to ensure you were configuring it properly and then opened a support case when you were sure to try to address all of these "bugs?"
 
So here's my feedback.


Microsoft gave us a turd with Server 2012 WSUS, and here's why and how I resolved the issue.


The WID or Windows Internal Database in Server 2012 is Microsoft SQL 2012 express.


If you accept drivers and multiple OS patches, rollups and feature packs you will have a very pathetic running box from the get go.

In my instance between Server 2008-2012, Desktop OSs Win XP-Win8, Office 2010-2013, Exchange and some other server applications I was approaching 30,000 objects and over 100GB of data for my WSUS server.

SQL 2012 express can only use 1GB of RAM and can hold a database up to 10GB. While configuring WSUS you need to go through the approval/deny list multiple times.

With the WID and the above items being included in the database, the database is overwhelmed completely.

If you install your own real SQL database, I do not believe this limitation will be a problem. I had to use some crafty powershell commands to purge the drivers from my database. Once those 24,000+ objects were gone my WSUS sprang to life. Removing the language packs helped again.

I'm down to around 8,500 objects and the WSUS runs fairly decently now. I had plenty of resources available, that the system refused to use. It just sat there at 100% CPU for long periods frozen. It doesn't help that Microsoft made SQL more cache dependent and less I/O locked. Since Microsoft has limited SQL 2012 express to 1GB of RAM trying to use WSUS in its fullest without a FULL SQL install is a lose-lose proposition.

Verdict: Don't install ANY drivers into your Server 2012 WSUS database unless you are using a full SQL install.
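
Added example, not the poster's own commands (those are not shown in the thread): one way to take drivers out of a Server 2012 WSUS with the built-in UpdateServices cmdlets. It declines driver updates and stops syncing the Drivers classification rather than deleting database rows, and the `-Apply` switch is a convention invented for this sketch.

```powershell
# Added example. Run in an elevated PowerShell session on the WSUS server.
# Without -Apply (a switch made up for this sketch) the script only reports.
param([switch]$Apply)

Import-Module UpdateServices
$wsus = Get-WsusServer

# The Drivers classification, so it can be removed from future synchronizations.
$driverClass = Get-WsusClassification -UpdateServer $wsus |
    Where-Object { $_.Classification.Title -eq 'Drivers' }

# Every driver update that is not already declined. On a database as loaded as the
# one described above this query can take a long time.
$drivers = @(Get-WsusUpdate -UpdateServer $wsus -Classification All -Approval AnyExceptDeclined -Status Any |
    Where-Object { $_.Update.UpdateClassificationTitle -eq 'Drivers' })

# Declining withdraws an update from clients, so show how many are currently approved.
$approved = @($drivers | Where-Object { $_.Update.IsApproved })
"Driver updates not yet declined: $($drivers.Count)"
"  of which currently approved:   $($approved.Count)"

if (-not $Apply) {
    'Report only. Re-run with -Apply to decline these updates and stop syncing drivers.'
    return
}

# 1. Stop new driver metadata from arriving on the next synchronization.
$driverClass | Set-WsusClassification -Disable

# 2. Decline what is already in the catalog.
$drivers | Deny-WsusUpdate

# 3. Let the server cleanup remove obsolete metadata and unneeded content files.
Invoke-WsusServerCleanup -UpdateServer $wsus -CleanupObsoleteUpdates -CleanupUnneededContentFiles -CompressUpdates
```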
 
Verdict: Don't install ANY drivers into your Server 2012 WSUS database unless you are using a full SQL install.

That's kinda a given on any version of WSUS. ;) I manually approve/disapprove most updates, except critical and security patches now. I never allow language packs, drivers, office addons etc.
 
If you accept drivers and multiple OS patches, rollups and feature packs you will have a very pathetic running box from the get go.

Wrong there, 3 2012 boxes in production, fully updated and patched. Main box is running WDS, WSUS and both work out of the gate when I configured them and have been running smooth for... 2 months now.

In my WSUS I have nvidia, ati, realtek, broadcom drivers, but all downloaded from MS site directly via WSUS, no problems here....I only have 63 systems pulling from that box...but still works fine for Windows 7 x64 Ent, Server 2008, Server 2008 R2 and Server 2012 systems.
 
Now I will say..that I am running WSUS as a VM with 2 cores....but the host is basically idling.

It was pretty crummy.

To be more specific my VM is in Hyper-V running on a 2008 R2 host.

I'm going to move everything to a 2012 Server temporarily while I reinstall the host as Server 2012. Then I plan on moving everything back.
 
Let me help you:

.NET 3.5 can be installed. The correct way is to install it via DISM. The installation file is on the Server 2012 iso in the "extra" folder.

I've seen the core to full GUI bug. Most of the time it's due to the install media being corrupt.

SFC /Scannow will be unable to fix problems if the original file is corrupted too.

Also Server 2012 has full online self-healing NTFS. Checkdisk is not needed 99% of the time now.

I haven't seen the DNS issues. Did you follow the "Definitive Microsoft DNS Guide" http://blogs.technet.com/b/askds/ar...ill-ever-find-from-microsoft.aspx?PageIndex=2

I've had no such problems with Hyper-V. Perhaps you could start a thread and we could assist you further?

TS does not exist anymore in Server 2012, nor did it really exist in Server 2008 R2; it's now called "remote desktop services". You might find what you are looking for here: http://blogs.msdn.com/b/rds/

I've only seen the activation bug when I had tried to install from a corrupted iso. The install completed but was flaky as hell.

I've used pfx for certificate import many times on Microsoft products. Where have you been?

Did you try TSadmin.msc?

You need to use the Remote Desktop Services installation option in the "Add Roles and Features" wizard (not "role-based or feature-based"). It will install the necessary services on the server(s) you select, and you can then select "per user" or "per device" in Server Manager > Remote Desktop Services > Overview > Deployment Overview/Tasks > Edit Deployment Properties > RD Licensing. I think you also need to create a server collection and add your session host servers to it. The licensing diagnoser should report everything working correctly then.
Of course the license server should be activated and appropriate licenses installed (per user/per device).

http://social.technet.microsoft.com/Forums/en-US/winserverTS/threads/

I hate the new nomenclature. Call me old fashioned but a terminal server is still a terminal server and an independent OS is a VDI. Those two shouldn't be confused; fucking Microsoft marketing team. I don't give a flying fuck what they call it, it's still TS. Half the shit in Server 2012 is still referred to as TS.

Anyway, if you go install TSgateway, Web access separately from the wizard then you will fail to install other roles on other servers. The only saving grace of 2012 is install speed; I just nuked the VM and started from scratch.

The install media is just fine, nothing wrong with it, because I installed 6 other servers with it.

Tsgateway.msc doesn't work correctly either if you don't have a role installed on the management server. Doesn't exist. This is using the newfangled server manager.
I couldn't locate tsadmin.msc either. In 2008r2 it was easy to peek at someone's terminal session. Now I have no idea how to do this. I'm sure there is, it's just hidden.

Actually if you purchase an SSL it's always a .crt or cer. No such thing as a PFX from a signing authority. Check out the structure of certificate formats and you will know that. If you use self signed then PFX is fine but an EV or non-EV 3rd party cert, no such thing. Sounds like you use self signed.. I don't.

The .NET is a stupid bug that should have been fixed by Microsoft. I mainly use PowerShell not cmd prompt (easier for me). Don't know what it was but the server said it installed the .NET 3.5 but it didn't work. I had to do it one more time before it registered. They should have fixed the original install, this is just pure laziness on Microsoft's end.

SFC /scannow was unable to fix the server for no apparent reason. Media is fine as I said I installed 6 other servers from it. Lots of times the SFC will stall as well.

Licensing diagnoser is great if you have licensing installed I am still running this on the 120 trial. Only diagnoses

DNS issue was resolved by using a forwarder.

Oh thank you Captain obvious links to stuff I already exhaustively looked at before my post.. I wasn't asking for help FYI I was saying there are bugs in the OS. Derp I know how to use Google.
 
The .NET is a stupid bug that should have been fixed by Microsoft. I mainly use PowerShell not cmd prompt (easier for me). Don't know what it was but the server said it installed the .NET 3.5 but it didn't work. I had to do it one more time before it registered. They should have fixed the original install, this is just pure laziness on Microsoft's end.

The netfx3 feature has dependencies that might not be met. If you're using dism with /enable-feature, add the /all parameter and it will make sure the feature is installed, as well as the dependencies, and it will be enabled.

You also have to supply the source you want to install from. I would prefer MS to just put the source on the hard drive (like 2k8), but I can understand their reason. 2012 is going to get virtualized A LOT. So the smaller the footprint, the better for the customers.

This is from memory, but should get you a working installation of .net 3.5 on your 2012 machine without running the command line twice.

Code:
dism /online /enable-feature /featurename:netfx3 /source:d:\sources\sxs /all

If you're using powershell (add-windowsfeature), I *think* you have to add all of the modules for .net manually (net-framework-*), but I'm not 100% sure. I haven't looked into it much because I've been using DISM for a while now and I'm comfortable with it.
 
The netfx3 feature has dependencies that might not be met. If you're using dism with /enable-feature, add the /all parameter and it will make sure the feature is installed, as well as the dependencies, and it will be enabled.

You also have to supply the source you want to install from. I would prefer MS to just put the source on the hard drive (like 2k8), but I can understand their reason. 2012 is going to get virtualized A LOT. So the smaller the footprint, the better for the customers.

This is from memory, but should get you a working installation of .net 3.5 on your 2012 machine without running the command line twice.

Code:
dism /online /enable-feature /featurename:netfx3 /source:d:\sources\sxs /all


If you're using powershell (add-windowsfeature), I *think* you have to add all of the modules for .net manually (net-framework-*), but I'm not 100% sure. I haven't looked into it much because I've been using DISM for a while now and I'm comfortable with it.
Install-WindowsFeature is the powershell equivalent.

I do like 2012 changes but the bugs need to be fixed. I don't think I will put it into production until SP1. 2k8r2 is very mature; issues are easily solved because of the ample amount of issues posted on the internet.

Is the footprint smaller? Hard to say; it's nice as core but there are too many limits on core installs. With GUI it's on par with 2k8r2. Memory footprint also seems to be almost identical. Knowing all the issues with SFC I am definitely not deploying core installs. Not worth the headaches later down the road.

The only feature that's nice is a bit faster boot time. The storage spaces is also buggy, which I will not touch; it has issues and known ones. Since I use SANs mostly and I doubt I will ever use Hyper-V, lots of the stuff is not going to be utilized by me. I also use Veeam so again I don't need storage spaces or plainly can't use them.

I just wish the CHARMS bar would not disappear; it makes it a real headache to work with. Search also through Metro blows. File Explorer is much better. I just don't understand why they made Metro part of 2012. I want to install Classic Shell or even StartIsBack but I don't want to compromise stability of the OS with 3rd party programs.

Again there are just too many bugs to deal with still. It seems the testing on Server 2012 was really poor, and knowing the fiasco of Windows 8 I am not surprised since they share the same core.
 
Install-WindowsFeature is the powershell equivalent.

My bad; it used to be install-windowsfeature; looks like they changed it to add-windowsfeature just for windows 2012.

they made Metro part of 2012. I want to install classic shell or even start is back but I don't want to compromise stability of the os with 3rd party programs.


Again there are just too many bugs to deal with still. It seems the testing on Server 2012 was really poor, and knowing the fiasco of Windows 8 I am not surprised since they share the same core.

I can agree with you on the metro menu and 2012. Most admins (I hope; I really do hope!) aren't accessing their servers from the console. In a remote control window, it's near impossible to not get frustrated trying to open the charm menus. Careful installing a replacement start menu, as I installed one on my lab machines last night, and now they all go to a black screen when you power them on.


I can't agree with your comments on Win8, though. I haven't seen any complaints that didn't have to do with metro, and that isn't the core of Win8 or Server 2012. They are both very solid operating systems.
 
My bad; it used to be install-windowsfeature; looks like they changed it to add-windowsfeature just for windows 2012.



I can agree with you on the metro menu and 2012. Most admins (I hope; I really do hope!) aren't accessing their servers from the console. In a remote control window, it's near impossible to not get frustrated trying to open the charm menus. Careful installing a replacement start menu, as I installed one on my lab machines last night, and now they all go to a black screen when you power them on.


I can't agree with your comments on Win8, though. I haven't seen any complaints that didn't have to do with metro, and that isn't the core of Win8 or Server 2012. They are both very solid operating systems.

I came across more bugs today; this one is funny. Office 2007 Enterprise installed on a Windows 8 machine causes Word documents to remove spaces between words, making gigantic run-on words.

If you think Windows 8 is stable try and attach one to a SBS 2008 server.
 
SBS2008 is special anyway, if you don't have a specific update you can't join a Windows 7 machine either.
 
Now I will say..that I am running WSUS as a VM with 2 cores....but the host is basically idling.

It was pretty crummy.

To be more specific my VM is in Hyper-V running on a 2008 R2 host.

I'm going to move everything to a 2012 Server temporarily while I reinstall the host as Server 2012. Then I plan on moving everything back.

Mine is on a 4 core with 6G of RAM but I also run several other things from within that same VM

WDS, WSUS, Vipre AV server, LanSweeper
 
Doesn't work too well if you're in RDS or VNC or VMware console.

But thanks for being captain obvious.

It works full screen, it works in Hyper-V, and I'm pretty sure it works in VMware.

But thanks for being condescending.
 
Wrench00,
Be nice or I'll lock the thread and you'll have to whine somewhere else...;)

Signed, Captain Obvious
__________________________________________________________________________________________________________________________________________

Anyhow.....I've successfully used startisback on server 2012.

I haven't seen as many issues on server 2012 as some of you, but I can share my experiences.
 
It works full screen, it works in Hyper-V, and I'm pretty sure it works in VMware.

But thanks for being condescending.

You're welcome, and
no, it doesn't work in a windowed RDS. Doesn't work properly in VNC (Kaseya or enable). Ironically it works in VMware. It just activates my local workstation.

I am upgrading my main host to 64gigs per cpu then after march prolly 128 per cpu.. My 2nd Host is limited to 32 gigs of ram and third host is lowly 16gig. I am currently running about 24 VMs.
 