Switching WSUS server and Windows 8.1/Server2008/Server2012 clients won't connect, Windows 7/Server2003 is fine

Similar Messages

• Disconnect WSUS server and Process of Approving Updates via Metadata.

  Hi Folks:
  I have recently setup 2 WSUS servers.   The first one has connectivity to the Internet and of course has access to Microsoft updates.   The second WSUS server is part of a disconnected network.   Both WSUS servers are supporting client workstations
  of various operating system versions.   The connected WSUS server is fairly easy, from a management viewpoint.   I simply check to see what updates are "Needed" and I approve them for download.   However, the disconnected WSUS server
  is the one that I need some advice on.   I want to have a fairly simply procedure for the disconnected WSUS server, but here is the procedure that I think would work:
  Transfer metadata and updates via disc from the connected WSUS server to the disconnected WSUS server (using documented export/import procedure).
  Check to see what is "Needed" updates on the disconnected WSUS server, once the WSUS server has had a chance to absorb all the imported metadata and updates.   This means that the disconnected WSUS server has determined from it's supported
  client workstations, what updates are required.
  Generate a list of those "Needed" updates in some form, so that I can now approve those updates on the CONNECTED WSUS server for download.  
  Once those updates have been downloaded to the connected WSUS server, transfer the updates and metadata again to the disconnected WSUS server.   Approve those updates, so that they can now be sent out to the client workstations on the disconnected
  network.
  If that is my procedure (can someone like Lawrence Garvin), please let me know, if that sounds correct.   I'm concerned about the double export/import of the metadata and updates.
  Also, I'm wondering if it would be better to have separate connected WSUS server for supporting the disconnected WSUS to keep things straight.
  For example:
  One connected WSUS servers supporting the set of client workstations, that are on the connect WSUS server's network.
  One disconnected WSUS server supporting the set of client workstations that are on the disconnected WSUS server's network.
  One more connected WSUS server, that would be used to download and transfer metadata and updates to the disconnect WSUS server.   The advantage in keeping this separate, is that you would never confuse approved updates between the connected network
  client workstations and the disconnected network client workstations.  Especially, if they have different versions of software, that require updating.  
  Any input would be appreciated.

  You will likely also want to configure your WSUS server to "Download express installation files." under the "Update Files and Languages," setting on your options.
  I will unequivocally disagree with this statement, for several reasons:
  First, there's nothing that needs to be deployed that would use Express Installation Files anyway. Express Installation Files were designed to facilitate the deployment of Very Large Updates (read: SERVICE PACKS) across slow-speed links by significantly
  reducing the size of the binary that must be downloaded by the CLIENT. There are NO service packs in the catalog that won't already be installed on any client system.
  Second, in exchange for that ability of clients to download less, it significantly increased the size of the binary that must be downloaded by the SERVER from Microsoft. Express Installation Files will cause hundreds of gigabytes of extra binaries to be
  downloaded, which will need to be transferred to the disconnected server. None of which will actually ever be used.
  Third, most disconnected networks do not include WAN links, so the primary purpose of Express Installation File is contra-indicated by the very scenario being discussed.
  Otherwise by default you might get just an installer downloaded onto the WSUS server and clients might still need internet access to download the actual package contents.
  It would seem that you do not correctly understand Express Installation Files.
  There is an in-depth explanation of Express Installation Files in the WSUS Deployment Guide. For additional information see
  https://technet.microsoft.com/en-us/library/dd939908(v=ws.10).aspx#express
  I also would not recommend a internet facing WSUS server just to provide updates to the disconnected WSUS server as that will also need to download a full copy of the content to that server when it is likely already downloaded onto your internet
  / production WSUS server anyway.
  Seemingly you are also not actually familiar with the documented guidance for how to manage disconnected networks. An Internet-facing (connected) WSUS server is *exactly* how this is done.
  You may also find this part of the Deployment Guide to be useful reading:
  Configure a Disconnected Network to Receive Updates
  Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
  SolarWinds Head Geek
  Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
  My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
  http://www.solarwinds.com/gotmicrosoft
  The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

• VPN between ASA5505 Easy VPN Server and 881G Router as Easy VPN Client

  Hello,
  I have problem in VPN between ASA5505 Easy VPN Server and 881G Router as Easy VPN Client. ASA 5505 have 7.2.3 software and 881G router have 15.1 software.
  881G is configured as hardware client in network exstention mode, and it is placed behind NAT. ASA5505 is working as server. Same VPN Group works correctly from VPN software clients.
  When I send traffic from 881G client side, in show cryto sessin detail I see encrypted packets. But with same command I dont see decrypted packet on ASA5505 side. On both devices Phase 1 and Phase 2 are UP. 
  VPN is working when I replace ASA5505 with ASA5510  correctly with have 8.4.6 software. But problem is that i need to do this VPN between ASA5505 and 881G.
  Can you help me, how can I debug or troubleshoot this problem ?
  I am unable to update software on ASA5505 side.

  Hello,
  Hire is what my config look like:
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 40 set pfs
  crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 60 set pfs
  crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 80 set pfs
  crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 100 set pfs
  crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 120 set pfs
  crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 140 set pfs
  crypto dynamic-map outside_dyn_map 140 set transform-set ESP-AES-128-SHA
  crypto dynamic-map outside_dyn_map 160 set pfs
  crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 180 set pfs
  crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 200 set pfs
  crypto dynamic-map outside_dyn_map 200 set transform-set ESP-AES-256-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 1
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto isakmp policy 2
   authentication pre-share
   encryption 3des
   hash sha
   group 1
   lifetime 86400
  crypto isakmp policy 3
   authentication pre-share
   encryption des
   hash sha
   group 2
   lifetime 86400
  tunnel-group HW-CLIENT-GROUPR type ipsec-ra
  tunnel-group HW-CLIENT-GROUP general-attributes
   address-pool HW-CLIENT-GROUP-POOL
   default-group-policy HW-CLIENT-GROUP
  tunnel-group HW-CLIENT-GROUP ipsec-attributes
   pre-shared-key *******
  group-policy HW-CLIENT-GROUP internal
  group-policy HW-CLIENT-GROUP attributes
   password-storage enable
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value cisco_splitTunnelAcl
   nem enable

• WSUS server and client configuration issues

  I just inherited WSUS from my predecessor (it was turned off because of a full disk) so I’m still learning how to use it. Turning it back on I changed where updates should come from, they were stored locally and now I’m pulling them down off of the Microsoft
  Update location. What I’m seeing is that I have a bunch of computers that WSUS “sees” but are showing “Failed or Needed” status. Unless I visit each machine and manually do the updates this status does not change. Additionally I have some client computers
  (Windows 7) that are not showing up as managed by WSUS. If I reading this right I’m running version Update Services 6.2.9200.16384 on Management Console 3.0 Version 6.2 (build 9200) on Windows Server 2012.
  How can I force WSUS to automatically update the “Failed and Needed” devices?
  How can I get those clients that are not being managed by WSUS to be managed?
  Some of the things that I have done so far on the server and clients are:
  Create a GPO (see attached for WSUS)
  wuauclt
  /detectnow
  wuauclt /reportnow
  wuauclt.exe /detectnow
  gpupdate /force after
  modifying the GPO
  I even ran the SolarWinds WSUS diagnostic (as a non-administrator) and got this as the output:
  # Solarwinds® Diagnostic Tool for the WSUS Agent # 1/23/2015
  Machine state
    User rights:  User does not have administrative rights (Administrator rights are not available)
    Update service status:  Running
    Background Intelligent Transfer service status:   
  Running
    OS Version:  Windows 8.1 Pro
    Windows update agent version:   7.9.9600.17489 (WU Agent is OK)
  Windows Update Agent configuration settings
    Automatic Update:    Enabled
    Options:  Automatically download and notify of installation
    Use WSUS Server: Not found (There is no such key)
    Windows Update Server:  Not found (There is no such key)
    Windows Update Status Server:  Not found (There is no such key)
    WSUS URLs are identical:  Values are empty
  WSUS Server Connectivity -- Connectivity check is impossible
  So, my questions are:
  What tool do I use to configure the client machine?
  How do I get WSUS to update my clients?
  Thanks
  Sam

  Steven,
  I'm pretty sure that this is not the right forum to discuss this in but just so we can close this case.
  On my computer I ran the command gpupdate /force I
  then rebooted my computer to make sure that the group policy would be updated. The first screen shot is from my domain controller and the second is from my computer. As you can see the Domain Controller has the correct settings but the local machine doesn't.
  Other parts of the DC GPO settings have worked so I'm somewhat comfortable that it is being propagated properly.

• WSUS server and Microsoft Online Catalog Inconsistency

  Hello, after a full sync, my WSUS server is showing the update for system center endpoint protection 2012 client 4.6.305.0 (KB2998627) and a few others, but I cannot find this update in Microsoft's online catalog for updates, is there a reason to that? (http://catalog.update.microsoft.com/v7/site/home.aspx).
  How do I check for consistencies?

  Hello, after a full sync, my WSUS server is showing the update for system center endpoint protection 2012 client 4.6.305.0 (KB2998627) and a few others, but I cannot find this update in Microsoft's online catalog for updates, is there a reason to that?
  Not everything is published in all sources, and this update is not documented in KB894199 so there's no way to really know.
  How do I check for consistencies?
  What exactly do you mean by this? What "consistencies" are you wanting to check for?
  Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
  SolarWinds Head Geek
  Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
  My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
  http://www.solarwinds.com/gotmicrosoft
  The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

• Upstream WSUS Server and Sync

  Hello,
  Environment : 1. Server 2008 R2 Main Upstream server, hosts update content locally, SQL DB on another system. 
  2.  2 - Server 2008 R2 downstream servers, host update and sql content locally.
  We had our Main Upstream WSUS server crash after applying KB2734608-x64 on a Server 2008 R2 box. Our database resides on a different SQL server on the same domain. When we tried to launch the WSUS interface the mmc console
  it would crash. ( MMC has detected an error in a snap in and will unload it. was the error). Looked at the logs and it seems like it could not connect to the database. Anyways after trying many fixes, i decided to re-install WSUS until it got to the point
  where it would not allow me to re-install got errors in the log of " InstallWsus: MWUS installation failed ( error 0x80070643: fatal error during installation with other ones like CInstallDriver and CSetupDriver:.....blah blah). I was messing with the
  back end database and accidentally deleted it, so i had to restore the latest  backup from a month ago ( we typically back on a weekly basis with incrementals, but our backups where failing and we didn't know of this because of a complicated situation
  with our client..anyways). My question is once i get the WSUS connected backup what can i expect from the downstream servers in terms of Synchronization? I am assuming initially we will have re approve all updates on the upstream server, before the downstream
  server successfully sync? I know i have to recycle the WSUS application pool and reset the update content, anything else? Also any advice on installing that patch? We initially tried to install it because some clients were not reporting into the console properly.
  ( I know we are on a downward spiral here, any help is appreciated. Will probably end up rebuilding the VM from scratch re-installing WSUS ) 
  Server 2008 - MCITP, Server 2012 - MCSA

  Because you had previously attempted the installation of KB2734608 on the WSUS server, it's likely that the database schema has already been modified, making it impossible to connect a downlevel WSUS server to that database. It's unfortunate that you uninstalled
  WSUS (probably not necessary and notably complicates the situation), but c'est la vie.
  Of course, apparently all that is also irrelevant since you also trashed the back-end database and restored it, so now that database does not have the schema mods imposed by KB2734608.
  So, once you get this new WSUS server installed to the restored database, the downstream servers (where I presume you have not yet installed KB2734608 since this update must be installed from the top down) will just keep on truckin'. The only updates you'll
  need to approve are the ones that were approved since the last database backup (which hopefully was after you approved this month's Patch Tuesday updates, otherwise you'll likely have a fair amount of work to be done).
  Successful synchronization is not a function of the state of the approvals on the upstream server, but if there are any updates NotApproved on the upstream server that were previously approved, a replica server will lose those approvals and client systems
  won't get the update until it is (re)approved, the replica resynchronized, and the client performs another detection to (re)find that (new) approval.
  I don't know where the "recycle the app pool and reset the update content" stuff is coming from. You're installing a new front-end WSUS server onto an existing database that's already functional. No other actions are required.
  As regards successfully installing KB2734608, I suggest thoroughly reading the KB article for starters... TWICE!
  First requirement of successfulling installing this update is having a healthy
  WSUS server. Not sure why your particular installation failed (installation failures of KB2734608 are pretty rare, as opposed to those encountered by KB2720211), but they're almost always related to existing dysfunctions within the WSUS server.
  Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
  SolarWinds Head Geek
  Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
  My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
  http://www.solarwinds.com/gotmicrosoft
  The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

• Network Policy Server windows 7 non domain wireless clients could not connect (Event id 6273 reason code 265)

  Hi,
  We have successfully configured network policy server on windows server 2012 and all wireless clients could connect to our network except windows 7 and xp non domain clients.The clients that are successfully authenticated includes windows 8,mobile users
  (andriod + iOS) domain as well as non domain clients.If we join windows 7 pc to the domain it  successfully connects but non domain clients could not connect.We have large number of windows 7 users that have their own laptop machines and we dont want
  each laptop to join the domain.
  On server event 6273 generated with reason code 265 "The certificate chain was issued by an authority that is not trusted".Plz help how to resolve this issue.I have searched on the internet but no proper solution found.

  Hi,
  According to the error message, it seems that you used certificate-based authentication methods and the non-domain computers has no Trusted Root Certificate for the CA that enrolled the certificate for the NPS.
  For more detailed information, please refer to the links below:
  Certificates and NPS
  Manage Trusted Root Certificates
  Best regards,
  Susie
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Server 2012 R2 Hyper-V Client won't connect to Host.

  Hi I have a server with 2012 R2 and Hyper-V is installed. I have set my VM's up and everything on the server is working perfectly. I installed the hyper-v role on my Win 7 x64 machine and it will not connect to my server. I ended up calling in to microsoft
  and they have determined it's a bug. I really need a work around does anyone know of a work around?
  Thanks,
  DB

  Hi,
  You can install the Windows Management Framework 4.0, then use PowerShell to manage the Hyper-V.
  More information:
  Windows Management Framework 4.0
  http://www.microsoft.com/en-us/download/details.aspx?id=40855
  Hyper-V Cmdlets in Windows PowerShell
  http://technet.microsoft.com/en-us/library/hh848559.aspx
  The third party related article:
  How to install Windows PowerShell 4.0
  http://blog.powershell.no/category/windows-server-2012-r2/
  Hope this helps.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Macbook Air (Mid-2013) and iPhone 5s IOS version 8.1 won't connect via bluetooth, anyone know how to fix this problem?

  I have a Macbook Air running OS-X Yosemite and an iPhone 5s running IOS version 8.1. Every time I try to connect the devices via bluetooth is won't connect saying my Macbook Air isn't supported when in actuality it is. Anyone know how to fix this issue? I have restarted both my Mac/Iphone and have turned bluetooth on/off and nothing seems to help. Bluetooth pairing didn't work before I updated to IOS 8.1 so I doubt that is the issue here.

  Pairing an iPhone to a computer (Mac or Windows) is only supported for personal hotspot (sharing the iPhone's cellular internet connection) and then only if your cellular plan supports it. More information: Bluetooth: Why can't I pair my iPhone or iPad with my computer?

• Lion server shows up in Finder "Shared" section but won't connect

  My Lion server iMac shows up both on my home LAN and from work in the Finder Shared section.
  Other Shared servers show up (just Lion not Lion Server) and work fine, as usual.
  When clicking on the Lion server icon the Finder tries to connect and then is unable (no password entered).  Connect As doesn't do anything.  Also, removed the original entry in Keychain so there's no password every requested nor given, just fails.
  Any ideas ?

  Well, after much fumbling, I checked out ifelix' site again, and the trick was to select "shared" instead of "open" in Authentication Mode on the PC. I am not sure what the setup on my PC is now, but it works, and thats the main thing
  mini dual core Mac OS X (10.4)

• Windows XP MCE sees network but won't connect

  Hello
  I've managed to get my AAEB working with two of my computers, one is a regular desktop which is connected through the wired outputs, this works like a charm.
  The other is my personal laptop, an Acer Ferrari with Windows XP pro, this now also works perfectly on the wireless system.
  Now I'm trying to get my brothers laptop to connect to our network and internetconnection through the AAEB. His laptop sees the network but when I try to connect to it it's not possible, I never even get to the part where I have to enter the password.
  I'm using WPA/WPA2 for security and as stated having no problems on my own computer that's running WinXP Pro, but this one that runs WinXP MCE can't connect.
  I've tryed disabling the security on the AAEB and when I do that it's possible to connect with the WinXP MCE.
  Please help :'(

  Thank you very much for your suggestion.
  It might be me who doesn't understand fully what you mean but my problem is that I can't get the PC to connect to the wireless network.
  If I plug in a ethernet cable everything works like a charm however. But I just get an error when trying to connect to the Wlan that the network might not be available anymore, eventhough I'm using it on my personal laptop at this very moment.
  edit in response to your post also, I never get far enough for it to even try to recieve an IP
  Message was edited by: Dennis Hampe

• I've not upgraded to IOS 6 on my ipad, and my Verizon hotspot on my Iphone won't connect to my Ipad

  My Verizon hotspot on my Iphone won't connect to my Ipad and hasn't for a few weeks..
  Have tried re-booting the system, holding down keys etc.
  I have no idea what to do now as I am 100% technically challenged.
  Thank you for any very simple instructions on how to proceed

  It's in recovery mode and can't be used until you connect to a computer and restore it through iTunes.

• Can I export a PDF in InDesign Server and return it to the calling client?

  Using Java/CORBA between a client machine and InDesign Server, I would like to:
  1. Make a remote call to InDesign server  to create a document, passing IDML as a parameter on the call
  2. Make another remote call to InDesign server to export a PDF, returning the PDF on the call return.
  Is this possible? I notice that the doExport method does not return a PDF to the calling client. Instead, it saves the PDF on the server. I don't see any apis which would allow me to do the above.
  The use case here is a web application which need to "preview" an image. The image consists of a template and some variable data which is sent to an InDesign server for composition and is returned as an image.
  Thanks for any help.

  I fail to see the issue. You have added crop marks, have you not? For all intents and purposes those are marks that are supposed to be visible and printable for cutting in the real world. If you don't want them, don't use them. Acrobat can generate them on the fly for printing, anyway.
  Mylenium

• TS3899 Have just uploaded iOS7 and now cannot get mail as device won't connect with server. Apple ID is ok  - any suggestions?

  Have just loaded iOS7 and now I cannot send or receive mail . Device message is : cannot open mail cannot connect with server. Any ideas?

  Had the same problem.  Deleted my account and readded it...still didn't work.  Had a call with Apple, and they couldn't figure out why the Exchange server wouldn't work.  They had me set up mail through Gmail, and that finally worked.  There must be a bug they need to fix for the Exchange Server. 

• Windows 7 client won't connect with 802.1x security

  Having issues connecting a windows 7 dell laptop with cisco unified wireless infrastructure.  Currently running 4 4402 WLCs and 1 wism.  The client in question is trying to connect to an AP that sits on one of the controllers on the wism.  WLC code running is 6.0.199.  If I configure the windows 7 client to an ssid with wpa2 with preshared key it works with no issue.  It's really problematic with 802.1x, wondering if there is addition settings on the adapter in win 7 that I'm missing or have overlooked.
  Thank you in advance for any suggestions to a solution to my problem
  Regards,
  izzy

  Windows is going to want to use the credentials that you login to the machine.  SO if you logged is as "administrator" but you need to authenticated as domain\John.Smith  you need to manipulate the credentials.
  If you are logging in to the machine with valid domain credentiasl though, it becomes a bit more difficult.
  So, is this the only type of machine having an issue?  What is the driver version and chipset type?
  you can run debug client < cliet ma address > and watch what is happening from the controllers persepctive. You can also see what username is being sent to the AAA server.
  Cheers,
  Steve
  If  this helps you and/or answers  your question please mark the question as "answered" and/or rate it, so  other users can easily find it.