Newly-built replica WSUS server's clients can't find updates or report status

3

WSUS 3.0 SP2 on Windows Server 2008 R2.

I built a new box to replace my old WSUS box which was still on Server 2003.

All clients using the WSUS server can't find updates and don't report status.

C:\Windows\WindowsUpdate.log on one of the clients:

2013-05-09  10:04:48:629     764    494 AU  Triggering AU detection through DetectNow API
2013-05-09  10:04:48:629     764    494 AU  Triggering Online detection (non-interactive)
2013-05-09  10:04:48:630     764    7b0 AU  #############
2013-05-09  10:04:48:630     764    7b0 AU  ## START ##  AU: Search for updates
2013-05-09  10:04:48:630     764    7b0 AU  #########
2013-05-09  10:04:48:630     764    7b0 AU  <<## SUBMITTED ## AU: Search for updates [CallId = {E7AC5D1F-612A-4879-9B77-83C692868D11}]
2013-05-09  10:04:48:630     764    64c Agent   *************
2013-05-09  10:04:48:630     764    64c Agent   ** START **  Agent: Finding updates [CallerId = AutomaticUpdates]
2013-05-09  10:04:48:630     764    64c Agent   *********
2013-05-09  10:04:48:630     764    64c Agent     * Online = Yes; Ignore download priority = No
2013-05-09  10:04:48:630     764    64c Agent     * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
2013-05-09  10:04:48:630     764    64c Agent     * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2013-05-09  10:04:48:630     764    64c Agent     * Search Scope = {Machine}
2013-05-09  10:04:48:630     764    64c Setup   Checking for agent SelfUpdate
2013-05-09  10:04:48:630     764    64c Setup   Client version: Core: 7.6.7600.256  Aux: 7.6.7600.256
2013-05-09  10:04:48:630     764    64c Misc    Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
2013-05-09  10:04:48:637     764    64c Misc     Microsoft signed: Yes
2013-05-09  10:04:50:897     764    64c Misc    Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
2013-05-09  10:04:50:901     764    64c Misc     Microsoft signed: Yes
2013-05-09  10:04:50:902     764    64c Misc    Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab:
2013-05-09  10:04:50:907     764    64c Misc     Microsoft signed: Yes
2013-05-09  10:04:50:909     764    64c Misc    Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab:
2013-05-09  10:04:50:913     764    64c Misc     Microsoft signed: Yes
2013-05-09  10:04:50:927     764    64c Setup   Determining whether a new setup handler needs to be downloaded
2013-05-09  10:04:50:927     764    64c Setup   SelfUpdate handler is not found.  It will be downloaded
2013-05-09  10:04:50:928     764    64c Setup   Evaluating applicability of setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.6.7600.256"
2013-05-09  10:04:50:931     764    64c Setup   Setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.6.7600.256" is already installed.
2013-05-09  10:04:50:931     764    64c Setup   Evaluating applicability of setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256"
2013-05-09  10:04:50:955     764    64c Setup   Setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256" is already installed.
2013-05-09  10:04:50:955     764    64c Setup   Evaluating applicability of setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256"
2013-05-09  10:04:50:990     764    64c Setup   Setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256" is already installed.
2013-05-09  10:04:50:990     764    64c Setup   SelfUpdate check completed.  SelfUpdate is NOT required.
2013-05-09  10:04:51:205     764    64c PT  +++++++++++  PT: Synchronizing server updates  +++++++++++
2013-05-09  10:04:51:205     764    64c PT    + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://wsus-server.company.local/ClientWebService/client.asmx
2013-05-09  10:04:51:266     764    64c PT  WARNING: Cached cookie has expired or new PID is available
2013-05-09  10:04:51:266     764    64c PT  Initializing simple targeting cookie, clientId = 9f4df40d-f61e-41d5-9fd2-3cdce1823f45, target group = Servers, DNS name = wsus-server.company.local
2013-05-09  10:04:51:266     764    64c PT    Server URL = http://wsus-server.company.local/SimpleAuthWebService/SimpleAuth.asmx
2013-05-09  10:04:51:286     764    64c PT  WARNING: GetCookie failure, error = 0x8024400D, soap client error = 7, soap error code = 300, HTTP status code = 200
2013-05-09  10:04:51:286     764    64c PT  WARNING: SOAP Fault: 0x00012c
2013-05-09  10:04:51:286     764    64c PT  WARNING:     faultstring:System.Web.Services.Protocols.SoapException: Fault occurred
   at Microsoft.UpdateServices.Internal.SoapUtilities.ThrowException(ErrorCode errorCode, String message, String[] clientIds)
   at Microsoft.UpdateServices.Internal.ClientImplementation.GetCookie(AuthorizationCookie[] authCookies, Cookie oldCookie, DateTime lastChange, DateTime currentClientTime, String protocolVersion)
2013-05-09  10:04:51:286     764    64c PT  WARNING:     ErrorCode:ConfigChanged(2)
2013-05-09  10:04:51:286     764    64c PT  WARNING:     Message:(null)
2013-05-09  10:04:51:286     764    64c PT  WARNING:     Method:"http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/GetCookie"
2013-05-09  10:04:51:286     764    64c PT  WARNING:     ID:f50afcf7-2117-495c-9123-9aa4bf683520
2013-05-09  10:04:51:296     764    64c PT  WARNING: Cached cookie has expired or new PID is available
2013-05-09  10:04:51:296     764    64c PT  Initializing simple targeting cookie, clientId = 9f4df40d-f61e-41d5-9fd2-3cdce1823f45, target group = Servers, DNS name = wsus-server.company.local
2013-05-09  10:04:51:296     764    64c PT    Server URL = http://wsus-server.company.local/SimpleAuthWebService/SimpleAuth.asmx
2013-05-09  10:04:55:116     764    64c PT  +++++++++++  PT: Synchronizing extended update info  +++++++++++
2013-05-09  10:04:55:116     764    64c PT    + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://wsus-server.company.local/ClientWebService/client.asmx
2013-05-09  10:04:55:170     764    64c PT  WARNING: GetExtendedUpdateInfo failure, error = 0x8024400E, soap client error = 7, soap error code = 400, HTTP status code = 200
2013-05-09  10:04:55:170     764    64c PT  WARNING: SOAP Fault: 0x000190
2013-05-09  10:04:55:170     764    64c PT  WARNING:     faultstring:System.Web.Services.Protocols.SoapException: Fault occurred
   at Microsoft.UpdateServices.Internal.SoapUtilities.ThrowException(ErrorCode errorCode, Exception e, Int32 eventLogEntryId, String[] clientIds, Boolean logToEventLog)
   at Microsoft.UpdateServices.Internal.ClientImplementation.GetExtendedUpdateInfo(Cookie cookie, Int32[] revisionIds, XmlUpdateFragmentType[] fragmentTypes, String[] locales)
2013-05-09  10:04:55:170     764    64c PT  WARNING:     ErrorCode:InternalServerError(5)
2013-05-09  10:04:55:170     764    64c PT  WARNING:     Message:(null)
2013-05-09  10:04:55:170     764    64c PT  WARNING:     Method:"http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/GetExtendedUpdateInfo"
2013-05-09  10:04:55:170     764    64c PT  WARNING:     ID:37740867-4b9f-4394-b58b-12aad48d7b97
2013-05-09  10:04:55:170     764    64c PT  WARNING: PTError: 0x8024400e
2013-05-09  10:04:55:170     764    64c PT  WARNING: GetExtendedUpdateInfo_WithRecovery: 0x8024400e
2013-05-09  10:04:55:170     764    64c PT  WARNING: Sync of Extended Info: 0x8024400e
2013-05-09  10:04:55:170     764    64c PT  WARNING: SyncServerUpdatesInternal failed : 0x8024400e
2013-05-09  10:04:55:171     764    64c Agent     * WARNING: Exit code = 0x8024400E
2013-05-09  10:04:55:171     764    64c Agent   *********
2013-05-09  10:04:55:171     764    64c Agent   **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
2013-05-09  10:04:55:171     764    64c Agent   *************
2013-05-09  10:04:55:171     764    64c Agent   WARNING: WU client failed Searching for update with error 0x8024400e
2013-05-09  10:04:55:180     764    bf4 AU  >>##  RESUMED  ## AU: Search for updates [CallId = {E7AC5D1F-612A-4879-9B77-83C692868D11}]
2013-05-09  10:04:55:180     764    bf4 AU    # WARNING: Search callback failed, result = 0x8024400E
2013-05-09  10:04:55:180     764    bf4 AU    # WARNING: Failed to find updates with error code 8024400E
2013-05-09  10:04:55:180     764    bf4 AU  #########
2013-05-09  10:04:55:180     764    bf4 AU  ##  END  ##  AU: Search for updates [CallId = {E7AC5D1F-612A-4879-9B77-83C692868D11}]
2013-05-09  10:04:55:180     764    bf4 AU  #############
2013-05-09  10:04:55:180     764    bf4 AU  Successfully wrote event for AU health state:0
2013-05-09  10:04:55:180     764    bf4 AU  AU setting next detection timeout to 2013-05-09 13:04:55
2013-05-09  10:04:55:181     764    bf4 AU  Successfully wrote event for AU health state:0
2013-05-09  10:04:55:181     764    bf4 AU  Successfully wrote event for AU health state:0
2013-05-09  10:05:00:171     764    64c Report  REPORT EVENT: {1C2D6590-41BD-464D-AE18-289CB7D6E254}    2013-05-09 10:04:55:171+0200    1   148 101 {00000000-0000-0000-0000-000000000000}  0   8024400e    AutomaticUpdates    Failure Software Synchronization    Windows Update Client failed to detect with error 0x8024400e.
2013-05-09  10:05:00:191     764    64c Report  CWERReporter::HandleEvents - WER report upload completed with status 0x8
2013-05-09  10:05:00:191     764    64c Report  WER Report sent: 7.6.7600.256 0x8024400e 00000000-0000-0000-0000-000000000000 Scan 101 Managed
2013-05-09  10:05:00:191     764    64c Report  CWERReporter finishing event handling. (00000000)

I found several old blogs and forum entries that link this to a fault in Office 2003 SP1, with the fix being to decline/approve/decline that update, but this hasn't fixed it for me.

The Microsoft WSUS client & server diagnostic tools don't run on x64 systems.

Anybody had any luck with this before?

update: I find this in C:\Program Files\UpdateServices\LogFiles\SoftwareDistribution.log:

2013-05-13 14:02:46.437 UTC Warning w3wp.6  SoapUtilities.CreateException   ThrowException: actor = http://wsus-server.company.local/ClientWebService/client.asmx, ID=4db89865-40da-4520-a126-d196e3db07b6, ErrorCode=ConfigChanged, Message=, Client=d9ce7281-379b-49b8-8944-7f593c32397b
2013-05-13 14:02:50.867 UTC Error   w3wp.6  ClientImplementation.GetExtendedUpdateInfo  System.ArgumentException: The database does not contain a URL for the file 3F7E7915F44A6133B990A22A87604854C34BDF4E.

Google fails me completely if I search for "3F7E7915F44A6133B990A22A87604854C34BDF4E", so I'm not sure exactly what that is, but it seems that its DB entry is somehow incomplete. Sync logs with the upstream WSUS show no errors.

update 2: So it seems as if there's something weird with my upstream. I've found that if I install a new WSUS instance & sync it from Microsoft, all works perfectly well. If I make it a downstream replica of my existing WSUS server, either during the configuration, or afterwards, it breaks. Even more strange, my upstream itself and another existing replica appear to be functioning just fine. It looks as if I'm just going to build new WSUS instances in all 3 sites and start fresh, ignoring the existing upstream.

update 3: I built a new WSUS upstream server, started clean so as to not bring over whatever weirdness was going on in the original upstream's DB. Pointed my 2 replicas at my new upstream. Everything was fine for several days. 5 days ago the replicas stopped getting status updates from clients again. WTF?!?!

update 4: I have logged a support request with Microsoft on this, hopefully some good will come out of it.

update 5: After Microsoft product support spent countless hours checking and re-checking all the same stuff I'd already checked, I suspect I have stumbled upon the cause. Our Junior sysadmin recently discovered Local Update Publisher and started using it to push Adobe & Java updates to workstations. The time of Local Update Publisher's installation coincides perfectly with the time the downstream clients last reported status. I am going through the product documentation to determine what I need to do to fix this.

windows
wsus
asked on Server Fault May 9, 2013 by ThatGraemeGuy • edited Jul 31, 2013 by ThatGraemeGuy

3 Answers

2

I had a similar issue not to long ago when migrating to WSUS 3.0 SP2 on Windows Server 2008 R2. After quite a few frustrating hours I finally resolved it with KB2720211. I'm not sure why it worked since it doesn't seem to directly address the error code I was receiving from clients at the time (800b0001), however it seemed logical to make sure the WSUS version was fully patched before getting further into diagnostics.

You can use the instructions from http://support.microsoft.com/kb/2720211

Since my setup only involved one WSUS server I only had to use the following instructions from the site after downloading the patch.

1.Set up WSUS. To do this, at a command prompt, type one of the following commands, as applicable to your system:
WSUS-KB2720211-x64.exe /q C:\MySetup.log
WSUS-KB2720211-x86.exe /q C:\MySetup.log

The update will install immediately, without any prompts.

2.Review the setup log to verify the upgrade was successful. To do this, at a command prompt, type C:\MySetup.log.

3.Make sure that IIS and the WSUS service are stopped. To do this, at a command prompt, type the following commands:

iisreset/stop
net stop wsusservice

answered on Server Fault May 14, 2013 by Miguel • edited May 14, 2013 by Nathan C
1

The 0x8024400D/SOAP 0x12c errors are almost always (these days) a manifestation of clients with duplicate SusClientIDs. See Microsoft KB903262 for remediation instructions.

The 0x8024400E/SOAP 0x190 errors are typically manifestations of bad updates in the WSUS database. Make sure you have declined all expired updates (the ones typically that are "bad), as well as decline all superseded/not-needed updates.

answered on Server Fault May 10, 2013 by Lawrence Garvin
0

So nearly 3 months later and after dozens of hours spent by Microsoft PSS on this, I finally stumbled on the answer.

It turns out that the root cause was an incomplete implementation of Local Update Publisher.

When you implement Local Update Publisher, you are supposed to distribute the WSUS SSL certificate to all WSUS clients as a Trusted Publisher and Trusted Root Certificate Authority. It turns out that my colleague who implemented it only distributed it to workstations, not servers.

I'm not clear on the exact details under the hood, but as soon as I distributed the SSL certificate to all WSUS clients, they started receiving their updates and reporting status as per normal.

answered on Server Fault Jul 31, 2013 by ThatGraemeGuy

User contributions licensed under CC BY-SA 3.0