Monday, 23 January 2012

Install and Configure WSUS Server

Q: Software list for server:
  1. IIS 7.0
  2. servermanagercmd -install web-asp-net web-static-content web-windows-auth web-mgmt-compat web-metabase
  3. servermanagercmd -i web-mgmt-console
  4. Microsoft SQL Server 2005 SP1
  5. Microsoft WSUS server 2005 SP1 (download it, then install it)
  6. Microsoft Report Viewer 2005
  7. Microsoft WSUS client wuau22.msi

Tools for server:
  1. gpresult.exe

Q: Software list for client machine:

  1. WSUS client agent 'wuau22.msi'
  2. WindowsUpdateAgent30-x86.exe
  3. Group Policy client-side extension

Tool for client:
  1. clientdiag.exe (WSUS client diagnostic tool)


1.      Installing WSUS 3.0 SP1 on Windows Server 2008

Install WSUS pre-requisites

First, install the WSUS operating system pre-requisites.  These pre-requisites are listed on the WSUS 3.0 release notes and can be installed using the ServerManagerCMD.exe command line tool.
C:\>servermanagercmd -install web-asp-net web-static-content web-windows-auth web-mgmt-compat web-metabase
Start Installation...
[Installation] Succeeded: [Web Server (IIS)] Management Tools.
[Installation] Succeeded: [Web Server (IIS)] Web Server.
[Installation] Succeeded: [Web Server (IIS)] IIS 6 Management Compatibility.
[Installation] Succeeded: [Web Server (IIS)] Common HTTP Features.
[Installation] Succeeded: [Web Server (IIS)] Security.
[Installation] Succeeded: [Web Server (IIS)] Application Development.
[Installation] Succeeded: [Windows Process Activation Service] .NET Environment.
[Installation] Succeeded: [Windows Process Activation Service] Process Model.
[Installation] Succeeded: [Web Server (IIS)] IIS 6 WMI Compatibility.
[Installation] Succeeded: [Web Server (IIS)] IIS 6 Metabase Compatibility.
[Installation] Succeeded: [Web Server (IIS)] Windows Authentication.
[Installation] Succeeded: [Web Server (IIS)] ISAPI Extensions.
[Installation] Succeeded: [Web Server (IIS)] ISAPI Filters.
[Installation] Succeeded: [Web Server (IIS)] Static Content.
[Installation] Succeeded: [Web Server (IIS)] Default Document.
[Installation] Succeeded: [Web Server (IIS)] Request Filtering.
[Installation] Succeeded: [Web Server (IIS)] IIS 6 Management Console.
[Installation] Succeeded: [Web Server (IIS)] IIS 6 Scripting Tools.
[Installation] Succeeded: [Web Server (IIS)] .NET Extensibility.
[Installation] Succeeded: [Web Server (IIS)] ASP.NET.
Success: Installation succeeded.
Though it is not a pre-requisite I also find it useful to install the IIS7 Management Console.
C:\>servermanagercmd -i web-mgmt-console
Start Installation...
[Installation] Succeeded: .
[Installation] Succeeded: [Windows Process Activation Service] Configuration API
[Installation] Succeeded: [Web Server (IIS)] IIS Management Console.
Success: Installation succeeded.

2.      Next, download and install Microsoft Report Viewer 2005 SP1.


3.      Install the Microsoft SQL server 2005 service pack 2

4.      Install WSUS 3.0 SP1.

5.      Run 'Windows Server Update Services 3.0 SP1' from 'Administrative Tools'. To configure it, open the Options menu and select the 'Windows Server Update Services Configuration Wizard'.

   a. Configure the automatic approvals

      i. In the Update Services administration console that opens when setup ends, click Options. In the Options window, click Automatic Approvals.

      ii. In the Automatic Approvals window, check the default automatic approval rule (automatically approves critical and security updates). Click New Rule if you wish to add further auto-approve rules for specific products or classifications.

      iii. In the Add Rule wizard, specify any other auto-approve rules that you wish, by product or classification.

      iv. In the Choose Products and Classifications window, check only Forefront - Forefront Client Security and click OK.

      v. Back in the Add Rule window, under step 3, type a rule name (e.g. FCS Update rule) and click OK twice.

6.      Now install the software on the client machine and configure the client machine.

   a. Install the WSUS client wuau22.msi (windowsupdate30 x86) on the client machine from the server that is running Active Directory.

   b. Configure the WSUS client registry settings using Group Policy from the domain controller.

   c. Turn Windows Defender on or off if the client runs Vista.

      i. On the domain controller: Administrative Tools -> Group Policy Object -> Computer Configuration -> Administrative Templates -> Windows Defender, then enable 'Windows Defender'.

   d. Check that the following registry settings have been added to the registry of each Windows client at this location:


7.      Enable anonymous access to the default site:

IIS Manager -> Sites -> Default Web Site -> Authentication -> enable anonymous access
1. ClientWebService
2. Content
3. DssAuthWebService
4. ReportingWebService
5. ServerSyncWebService
6. SimpleAuthWebService
7. SelfUpdate

8.      WSUS clients not updating or checking in with server:

net stop wuauserv
del c:\windows\windowsupdate.log (XP client)
net start wuauserv
wuauclt.exe /resetauthorization (do not do this because it will reset the local policy-windows update configuration)
wuauclt.exe /detectnow
wuauclt.exe /reportnow

On client computers running Windows 2000, you can type the following at a command prompt: secedit /refreshpolicy machine_policy /enforce

9.      Download the clientdiag.exe - wsus client diagnostic tool

Q. To check the client is updating from the wsus server use the following two tools from the client machine:
Q. How to check that the WSUS client is installed on the client PC?
The first thing to check is whether the client computer is using the latest Automatic Updates client version.
The current version of the Windows Update Agent (the WSUS client component in AU) is determined by the version of WUAUENG.DLL, located in the %systemroot%\system32 folder. If the version of WUAUENG.DLL is 5.4.3790.1000 or greater, the WSUS client (or WUA) is installed. A version less than 5.4.3790.1000 indicates that SUS or the earlier AU version 1.0 is installed.

Q: How do I verify that the AU client is installed correctly?
  • Look at the IIS Logs of the website running on port 80 for Self Update Attempts
  • Check the version of one of the Windows Update Agent binaries.
    • %windir%\system32\wuaueng.dll should be version or higher after a successful selfupdate.
  • From an IE browser on the client, try the following URLs to ensure that you are prompted to download or save:
    • http://wsusservername/
    • http://wsusservername/selfupdate/AU/x86/XP/EN/
  • Look at the Windows Update log on your local client for Self Update Success.
  • Look at the Windows Update log for Detect Success.
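The version and policy checks above, scripted in PowerShell as an added example (not part of the original post). The 5.4.3790.1000 threshold comes from the post; the policy key path and value names are the standard Windows Update Group Policy locations, assumed here because the post does not list them, and the function names are hypothetical.

```powershell
# Added example, not from the original post. Run on the client as administrator.
$MinWua = [version]'5.4.3790.1000'   # WSUS-capable agent threshold quoted in the post
# Assumption: standard Windows Update policy key; the post does not give the path.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WuaVersion {
    $dll = Join-Path $env:SystemRoot 'System32\wuaueng.dll'
    if (-not (Test-Path $dll)) { return $null }
    $i = (Get-Item $dll).VersionInfo
    # Build from the numeric parts; FileVersion may carry a trailing build label.
    [version]('{0}.{1}.{2}.{3}' -f $i.FileMajorPart, $i.FileMinorPart,
                                   $i.FileBuildPart, $i.FilePrivatePart)
}

function Get-PolicyValue([string]$Key, [string]$Name) {
    $p = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($p) { $p.$Name } else { $null }
}

function Test-WsusClient {
    $findings = @()
    $ver = Get-WuaVersion
    if (-not $ver) { $findings += 'wuaueng.dll not found' }
    elseif ($ver -lt $MinWua) { $findings += "wuaueng.dll $ver is older than $MinWua (SUS/AU 1.0 client)" }

    $server  = Get-PolicyValue $PolicyKey 'WUServer'
    $status  = Get-PolicyValue $PolicyKey 'WUStatusServer'
    $useWsus = Get-PolicyValue "$PolicyKey\AU" 'UseWUServer'
    if (-not $server) { $findings += 'WUServer not set: GPO not applied, check with gpresult' }
    elseif ($server -ne $status) { $findings += "WUServer '$server' differs from WUStatusServer '$status'" }
    if ($useWsus -ne 1) { $findings += 'UseWUServer is not 1: client is not pointed at WSUS' }

    # Client-side targeting: several group names are separated by semicolons.
    if ((Get-PolicyValue $PolicyKey 'TargetGroupEnabled') -eq 1) {
        $groups = @("$(Get-PolicyValue $PolicyKey 'TargetGroup')" -split ';' |
                    ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($groups.Count -eq 0) { $findings += 'Targeting enabled but TargetGroup is empty' }
        else { Write-Host "Target groups: $($groups -join ', ')" }
    }
    if ($findings.Count -eq 0) { Write-Host "OK: agent $ver, server $server" }
    $findings   # empty when every check passed
}

Test-WsusClient
```
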
The AU software for WUS includes the following:

wuauserv.dll is the service DLL (Windows Update AutoUpdate Service); some of the other key files are:
wuauclt.exe (Windows Update AutoUpdate client)
wuaueng.dll (Windows Update AutoUpdate Engine)
wupdmgr.exe (Windows Update Manager for NT)
qmgr.dll (BITS service dll)
wuapi.dll (Windows Update Client API)
wucltui.dll (Windows Update Client UI Plugin)
wupdinfo.dll (Windows Update Info for NT)
wups.dll (Windows Update client proxy stub)
wuv3is.dll (Windows Update Engine)
wuweb.dll (Windows Update Web Control)

Q: How do I force an AU Client to detect and download approved updates from a WSUS Server?
A. Run this command from a command prompt on the AU client:
wuauclt.exe /detectnow
Use a Resultant Set of Policy (RSoP) tool, such as the Group Policy Management Console (GPMC) or GPRESULT.EXE, to check whether the policies are being applied correctly to your client systems.

Client Connection Problem to WSUS: Error 80072efd
Make sure ANONYMOUS access is enabled for the following virtual directories in IIS:
1. ClientWebService
2. Content
3. DssAuthWebService
4. ReportingWebService
5. ServerSyncWebService
6. SimpleAuthWebService
7. SelfUpdate
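
An added PowerShell check for the setting above (not part of the original post): for each virtual directory in the list it reports whether the directory exists under the site and whether anonymous authentication is effectively enabled. It assumes the IIS WebAdministration module is available on the WSUS server and that WSUS is installed under 'Default Web Site'; the function name is hypothetical.

```powershell
# Added example, not from the original post. Run on the WSUS server as administrator.
Import-Module WebAdministration

$Site   = 'Default Web Site'   # assumption: WSUS installed in the default site
$VDirs  = 'ClientWebService', 'Content', 'DssAuthWebService', 'ReportingWebService',
          'ServerSyncWebService', 'SimpleAuthWebService', 'SelfUpdate'
$Filter = 'system.webServer/security/authentication/anonymousAuthentication'

function Get-WsusAnonymousState {
    foreach ($v in $VDirs) {
        $path    = "IIS:\Sites\$Site\$v"
        $exists  = Test-Path $path
        $enabled = $null
        if ($exists) {
            # Effective value at this path, including anything inherited from the site.
            $enabled = (Get-WebConfigurationProperty -PSPath $path -Filter $Filter -Name enabled).Value
        }
        New-Object PSObject -Property @{ VDir = $v; Exists = $exists; Anonymous = $enabled }
    }
}

$state = @(Get-WsusAnonymousState)
$state | Format-Table VDir, Exists, Anonymous -AutoSize

# Directories that exist but refuse anonymous requests are the ones to fix.
$state | Where-Object { $_.Exists -and -not $_.Anonymous } | ForEach-Object {
    Write-Warning "Anonymous access is disabled on '$Site/$($_.VDir)'"
}
# A missing directory points at an incomplete WSUS install rather than an auth setting.
$state | Where-Object { -not $_.Exists } | ForEach-Object {
    Write-Warning "'$Site/$($_.VDir)' does not exist"
}
```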

Q: Enable client side targeting:
If you want to assign a client to more than one computer group, you should separate the computer group names with a semicolon plus a space: Group1; Group2.

Netstat-command line tool

Friday, 6 January 2012

Server 2008: Default Printer Setup using GPO

  1. Enable Loopback Processing in Windows Server 2008. I am unable to find the following:
    • In the Group Policy Microsoft Management Console (MMC), click Computer Configuration.
    • Locate Administrative Templates, click System, click Group Policy, and then enable the Loopback Policy option.

  2. On my Windows Server 2008 R2 Server (you can do this on a Windows Server 2008 server as well), I navigate to the Printer extension under User Configuration (User Configuration\Preferences\Printers). Right click on ‘Printers’ and select ‘New’, then choose a type of printer you’d like to add. I’m choosing Shared Printer, but you can manage TCP/IP and Local Printers with GP Preferences as well.

    Now the configuration dialog to find and optionally map the printer: I’m just going to browse for the printer I want by clicking on the ‘…’ button next to the Share Path cell.

    Ah ha! Familiar browser window. Searching the directory yields 2 shared printers; one that’s already shared to my client, and one that’s not. I select the Epson, which populates the Share Path field with its full address.
    And now that I have the full address of the shared printer, the option to “set this printer as default…” is enabled. I can also select “only if a local printer is not present” if I want, but I don’t want to.

    Item Level Targeting
    This is the good part!
    Once you have created a shared printer to deploy, there is a tab on its properties called “Common”. If you click on that, place a tick in “Item Level Targeting” and click on the Targeting button, a whole new world opens up!
    Many possibilities
    Click on the New Item and just have a look at the possibilities there. The one I was interested in was the Organisational Units option. Because what I want to happen is if a computer is in a specific OU install and make printer X the default.
    OU selection
    With this option I was able to achieve just that. Just select the OU that the Computer should belong to by using the Browse Button and select the Computer in OU radio box.