Repairing WSUS Clients

WSUS clients refuse to update after a server change?
Then we're coming to you. (c)

We've all had situations where something stopped working. This article focuses on WSUS (more information about WSUS can be found here and here); more specifically, on how to force WSUS clients (that is, our computers) to receive updates again after migrating or rebuilding an existing update server.

So, the situation was as follows

The WSUS server died. More precisely, its RAID controller, a unit made back in 2000, did. That fact did not add any joy. After a short struggle (attempts to restore the RAID array ruined by the dying controller), it was decided to scrap everything and deploy a new WSUS server.

As a result, we got a working WSUS server which, for some reason, clients would not connect to.
Details: WSUS is addressed by FQDN via the internal DNS server, the WSUS server is set in group policy and pushed to clients through AD, the server uses default settings, and before any of the steps below, WSUS itself was updated and updates were synchronized.

After analyzing the situation, several key points were identified:

  1. The client (we are talking about wuauclt) gets stuck when trying to connect using the SID of the old WSUS server.
  2. Problems with not-yet-installed updates downloaded from the old WSUS server.
  3. Stalled services that wuauclt depends on (we are talking about wuauserv, bits and cryptsvc). The services stalled for various reasons that were not analyzed in detail.

As a result, the whole solution came down to a small script that is distributed via group policy through AD or by hand (and foot). The script uses the safest repair option and has produced no negative results in six months of use.

I will describe what it does (for the especially curious)

We stop the Windows Update service, reset the security descriptor of the Windows Update service, remove the updates downloaded from the previous WSUS, clean the registry of references to the previous WSUS, start the Automatic Updates service (wuauserv), the Background Intelligent Transfer Service (bits) and the Cryptographic Services (cryptsvc), and at the very end forcibly knock on WSUS with an authorization reset, detection of the new WSUS and a status report to the server.

And as always: you perform all the actions described above and below at your own risk. Please make sure that all necessary data is saved before running the script.

Script

REM Stop the Windows Update service so its download folder and registry values can be cleared
net stop wuauserv
REM Reset the security descriptor of the Windows Update service
sc sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
REM Remove updates downloaded from the previous WSUS server
del /f /s /q %windir%\SoftwareDistribution\Download\*.*
REM Remove the client identity values tied to the previous WSUS server; they are regenerated on the next detection
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
REM Start the three services wuauclt depends on
net start wuauserv && net start bits && net start cryptsvc
REM Force re-authorization, detection of the new WSUS server and a status report
wuauclt /resetauthorization /detectnow /reportnow
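As an added example (not the article's own script), a PowerShell check to run on a client before and after the repair script: it reads the policy-assigned WSUS URL, the registry values the script deletes, the state of the three services, and whether the policy server is reachable. The expected WSUS URL is a placeholder assumption, and Test-NetConnection is assumed available (Windows 8 / Server 2012 or later); run it from an elevated session.

```powershell
# Added example, not part of the original article.
# $ExpectedWsus is a placeholder; replace it with the FQDN and port of your new WSUS server.
param(
    [string]$ExpectedWsus = 'http://wsus.example.local:8530'   # assumed placeholder
)

function Get-WsusClientState {
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

    # Server the client is actually told to use via group policy
    $wuServer  = (Get-ItemProperty -Path $policy -Name WUServer -ErrorAction SilentlyContinue).WUServer
    # Identity values the repair script deletes; after a successful detection they are present again
    $clientId  = (Get-ItemProperty -Path $wu -Name SusClientId -ErrorAction SilentlyContinue).SusClientId
    $domainSid = (Get-ItemProperty -Path $wu -Name AccountDomainSid -ErrorAction SilentlyContinue).AccountDomainSid

    # The three services the article names as prerequisites for wuauclt
    $services = foreach ($name in 'wuauserv', 'bits', 'cryptsvc') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{ Name = $name; Status = if ($svc) { $svc.Status } else { 'Missing' } }
    }

    # Reachability of the server the policy points at (DNS resolution plus TCP connect)
    $reachable = $false
    if ($wuServer) {
        $uri = [uri]$wuServer
        $reachable = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }

    [pscustomobject]@{
        WUServer         = $wuServer
        PolicyMatches    = ($wuServer -eq $ExpectedWsus)
        ServerReachable  = $reachable
        SusClientId      = $clientId
        AccountDomainSid = $domainSid
        Services         = $services
    }
}

Get-WsusClientState | Format-List
```

A client is in good shape when PolicyMatches and ServerReachable are True, all three services report Running, and SusClientId is populated after the repair script's detection run.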

Source: habr.com
