Question

  Asked: Jan 24 2007   11:20 AM GMT
  Asked by: skepticals


WSUS Server multiple instances of computers listed.


OS, Servers, SQL Server, Security, Desktops, Management, Microsoft Windows, Patch management, DataCenter, Tech support

I am very new to the Windows update server (WSUS). I installed and configured the update server and everything seems to be working. I added some settings in my group policy and applied the GP to an OU and went on my way. The clients started to appear in the list of workstations on the WSUS server; so I assumed everything is working great - I began to organize the computers into groups. I now notice that I am having multiple instances of a computer listed. For example, under "Public" I have P1.server.local listed, but I also have three more instances of the same computer listed in the Unassigned Computers list.

Any ideas?


Answer Wiki



Have you set up target groups using the GPO? I've seen multiple (albeit, duplicates only) when target groups are used. If you use the target group, don't move them around manually or they will be recreated when they check in to the server again. Also, if you do wuauclt /resetauthorization /detectnow it will generate a new sid and you'll get duplicates. To avoid this, run wuauclt /detectnow to check for new updates.

HTH,
Don
Discuss This Answer

skepticals  |   Jan 25 2007  10:18AM GMT

Don,

I have not set up targeted groups using Group Policy (that I am aware of). One thing that is different about the computers being duplicated is they are running software called “Deep Freeze” that “freezes” the hard drive. I’m not sure if this has anything to do with it; maybe something is acting weird when I freeze/thaw the computers? I’m not sure where to look or what to do - I could not find detailed information on how the WSUS works.

You mention using wuauclt /detectnow. Should I be running this? I have been using a web-based interface to the WSUS for checking on updates. Sorry, I am new to the WSUS.

 

spadasoe  |   Jan 25 2007  11:47AM GMT

If you have a GPO in place, the wuauclt /detectnow tells the machine to check in with the WSUS server and see if updates are needed. A proper GPO will schedule this with a redetection interval (default is 22 hours, I run mine every 6 hours). You should not need to browse for updates. That is what WSUS is used for.

Check the following link for information regarding multiple entries in the server database.

http://wsus.editme.com/WSUSFAQ

 

SGBotsford  |   Jan 25 2007  3:27PM GMT

I played with WSUS for 3 days, and finally gave it up as being in the sledgehammer for gnats category.

I have 50 windows boxes, but as they are all clients, they are for all practical purposes identical — at least as far as winsooze is concerned. I wanted a reasonably fast way to stay on top of the patch situation, without downloading for each individual computer.
WSUS is NOT the answer — I was spending hours and hours and getting nowhere fast. Selecting patches to rollout is the blind leading the blind. Supersedes Superseded, augments, features.

Anyway, I have ended up using a system called autopatch. It’s what I consider a reasonable compromise: Each month they distribute an update with all the important stuff, and some of the minor stuff. You extract this into a directory. Then you point your computer at that directory, run autopatch. It brings up the selections. The defaults are pretty reasonable. You can go through and select (quite rapidly) and you can save your set to a file. It has an unattended mode. It takes 30 minutes to learn. If, like me, you have ignored all patches since win2k SP4 came out it takes about an hour to do them all.

It’s free.

Best of all, I can take the current patch set home on a CD (I have dialup) and run it there.

Recommended.

Caveats: I do not run AD.

 

skepticals  |   Jan 25 2007  3:59PM GMT

spadasoe,

My current GPO settings are as follows:

Policy Setting
Allow non-administrators to receive update notifications Disabled

Configure Automatic Updates Enabled

Configure automatic updating: 4 - Auto download and schedule the install

The following settings are only required
and applicable if 4 is selected.

Scheduled install day: 3 - Every Tuesday
Scheduled install time: 22:00

Policy Setting
Specify intranet Microsoft update service location Enabled
Set the intranet update service for detecting updates: http://servername
Set the intranet statistics server: http://servername
(example: http://IntranetUpd01)

All other settings are set to not configured.

Is there something I should be doing to avoid the duplicates?

 

Swiftd  |   Jan 25 2007  6:01PM GMT

I don’t use DeepFreeze, but I’ve heard a lot about it. What’s going to happen is when you have the machine up, it’ll create the SID the first time it connects to the WSUS server, but it’ll be lost when it is either rebooted or it gets the initial image applied again (I don’t know if it does this, but you get the idea). You’ll need to thaw the images long enough for them to get the SID or run the wuauclt /resetauthorization /detectnow command and then freeze them again. That’ll save the SID in the registry for when it gets rebooted. Of course, if you’re using DeepFreeze, I don’t think using WSUS is going to help with patching your images. It’ll undo whatever you’ve just done when it reboots…

Don

 

spadasoe  |   Jan 26 2007  9:41AM GMT

I believe deepfreeze is the issue here. It sounds like it is a clientSID issue. Check the following:

http://www.wsus.info/forums/index.php?showtopic=6348
http://www.wsus.info/forums/index.php?showtopic=9122

Your GPO looks almost like mine.

 

skepticals  |   Jan 26 2007  10:06AM GMT

Swiftd,

I suspected DeepFreeze to be the problem. I should not have a problem with thawing the workstations long enough to connect to the WSUS server.

You mention that a WSUS is useless with deepfreeze because the setting will be lost on a reboot; however, I can schedule a “maintenance” time that will thaw the computer and block access to the local machine at the same time. This will open a window of time that the computers will update and then reboot frozen. (At least it says so)

Does the clientSID only need to be created the first time? Will the constant thawing and freezing change this? Or once the workstation has a SID, will it have it for good?

How do I delete all the current entries?

Thank you for all the help.

 

Swiftd  |   Jan 26 2007  7:51PM GMT

Once the ClientID is created on the thawed machine, it stores it in the registry. It never changes unless you force it to, so you are safe to freeze it again.

That’s cool that you can thaw the machine and then freeze it again after the updates are applied. That being said, you could do that and your image would be updated with the latest patches.

Deleting the duplicate machines is as simple as clicking on it and selecting “Delete machine” (I believe) in the upper left corner of the page. It’ll ask you something in reference to deleting the machine from the WSUS server or deleting the instance of the machine (that duplicate). Remove it from WSUS, thaw the machine, and wait for the new machines to appear in WSUS. You can then freeze them as they are listed in WSUS.

A note of caution:
WSUS is strange and quirky. I’ve seen where machines are configured identically to each other. They have literally everything set up the same in GPO and/or manually. One of the machines works fine and the other doesn’t. I still haven’t figured out why this is the case, but no matter what I’ve tried, I still cannot get some machines to work properly. Fortunately, it’s free so you don’t waste your money on it and there’s a lot of people out there who use it (support groups), but unfortunately, it needs work still. It’s light years better than SUS was, but not as good as any commercial product out there (Patchlink, Altiris, SMS, etc). Plus it patches MS products only… It’s definitely not the panacea and you’ll probably still spend time patching by hand or using a second product to catch those other applications. It’s like Microsoft’s apology for making their products insecure…

Don

 

skepticals  |   Jan 29 2007  10:59AM GMT

Don,

Thank you for all your input. I have heard other horror stories about WSUS. I guess I want to feel the pain myself :-) I would like to at least be familiar with it before moving on to another application. We do not have the money for one right now and if I do not suffer now, I won’t know the benefit of the new software! Haha.

First of all, I will try to resolve the duplicate machines in the list. From there, I will see how WSUS operates. Cross your fingers.

Thanks again.

J

 

Swiftd  |   Feb 2 2007  7:38PM GMT

It’s definitely hard to beat “free” even if that means some pain. You may also find yourself using WSUS complemented with other products or methods to update the computers (like scripts or GPO deployments). I use WSUS and think it’s worth _more_ than you pay for it :), I just wanted you to walk into it as an informed user.

Happy motoring,
Don

 

VietBob  |   Feb 9 2007  8:35PM GMT

I’ve only been working with WSUS for a week or two, but it’s been working very well for our needs! I’ve set up several groups, set new patches for all groups to detect, then depending on what the patch is about either my test group or my test group and the less significant group are set to install, the next week if everything seems to be fine I set the remaining groups to install. The DST update has been installed on all clients and servers now; before WSUS I had most clients on Automatic Update and had to manage the updates individually on the more critical clients and servers.

One resource you may find helpful is at http://www.wsus.info/forums/

-Bob

 

dwiebesick  |   Feb 13 2007  11:35AM GMT

Someone on another list that I am on had the same problem. This is the link to that forum:
http://mcpmag.com/forums/forum_posts.asp?tid=3321
Could it be duplicate SIDs?
dmw

 

skepticals  |   Feb 13 2007  2:37PM GMT

Thanks for the replies. I will take a look at that web site.

My issue has been resolved and the problem was with Deep Freeze. The computers were blocking changes to the registry; so every time the computers would boot they would reassociate with the WSUS server.

I do have an additional problem now. All but one of the computers are listed. I am not sure why this one is different; I still need to troubleshoot this. We will see. Thanks again.
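
For anyone checking the cause identified in this thread, the following is an added example, not part of the original discussion: a PowerShell startup script that records a machine's WSUS client ID on each boot and flags when it changes between boots. It assumes the ID discussed above is the SusClientId value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate, and \\fileserver\wsus-audit$ is a hypothetical share that sits outside the frozen disk (a local log would be rolled back with everything else).

```powershell
# Added example: track the WSUS client ID across reboots of a frozen workstation.
# $LogShare is a hypothetical UNC path; it must NOT be on the frozen local disk.
param(
    [string]$LogShare = '\\fileserver\wsus-audit$'
)

if (-not (Test-Path $LogShare)) {
    throw "Audit share $LogShare is not reachable; nothing recorded."
}

# Registry location where the Windows Update agent keeps its client ID (assumed
# to be the 'SID' / 'ClientID' the thread talks about).
$key     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
$current = (Get-ItemProperty -Path $key -Name SusClientId -ErrorAction SilentlyContinue).SusClientId

# One CSV per computer; the last row holds the ID seen on the previous boot.
$logFile  = Join-Path $LogShare "$env:COMPUTERNAME.csv"
$previous = $null
if (Test-Path $logFile) {
    $previous = (Import-Csv $logFile | Select-Object -Last 1).SusClientId
}

# Classify this boot.
if     (-not $current)          { $status = 'missing'    }  # agent has not registered yet
elseif (-not $previous)         { $status = 'first-seen' }
elseif ($current -eq $previous) { $status = 'stable'     }
else                            { $status = 'changed'    }  # ID was regenerated since last boot

[pscustomobject]@{
    Timestamp   = (Get-Date).ToString('s')
    Computer    = $env:COMPUTERNAME
    SusClientId = $current
    Status      = $status
} | Export-Csv -Path $logFile -Append -NoTypeInformation

if ($status -eq 'changed') {
    Write-Warning "SusClientId changed from $previous to $current. Expect a new entry for $env:COMPUTERNAME in WSUS."
}
```

A machine whose log shows 'changed' on every boot is reverting the registry value while frozen; after it has registered once in a thawed state, later boots should report 'stable'.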