Wednesday 4 March 2015

Software updates are not getting deployed through SCCM

SCCM software updates issue on DMZ servers


·         We were facing an issue on multiple DMZ networks where software updates were not getting deployed through SCCM. At the same time, there were some servers that were being updated successfully through SCCM.


·         We started troubleshooting by comparing two DMZ servers: one where software updates were working properly and one with the software update error.

o   <server1>  – Win 2003 Working Server
o   <server2> – Win 2003 Affected Server

·         In the CCM logs we were getting the error below after running the “software update scan Cycle”:

o   OnSearchComplete - Failed to end search job. Error = 0x80072ee2.




·         After doing research, we understood that the client was not able to reach the URL http://<severname>.<domainname>.com:8530/clientwebservice/wusserverversion.xml on the SCCM server.

Tools used:
·         The first tool we used was Microsoft’s Netmon.
·         We started Netmon on both servers and started the “software update scan Cycle”.
·         In Netmon we monitored “CcmExec.exe”.
·         After analyzing the Netmon capture data, we found nothing strange.
·         It showed packets getting dropped, but nothing specific about any port being blocked on the affected server.
·         The capture showed communication entries between the SCCM client and the SCCM servers, but nothing reaching http://<severname>.<domainname>.com:8530/clientwebservice/wusserverversion.xml
·         We tried to access this URL from a web browser and it worked fine.
·         Then we used another tool, the WSUS Client Diagnostic Tool.
·         We ran this tool on both servers.
·         On the working server <server1> it passed all diagnostic tests, but on the affected server it failed with the following error:
Checking Connection to WSUS/SUS Server
                WUServer = http://<severname>.<domainname>.com:8530
                WUStatusServer = http://<severname>.<domainname>.com:8530
        UseWuServer is enabled. . . . . . . . . . . . . . . . . PASS


VerifyWUServerURL() failed with hr=0x801901f7

No Error description could be found

·         We searched Google for the above error but did not find any valuable information.
·         Then we ran Netmon and the WSUS Client Diagnostic Tool simultaneously to monitor what was happening in the background.
·         We monitored the WSUS Client Diagnostic Tool process in Netmon and found that on the affected server it was going to a proxy server, <severname>.<domainname>.pri:8080, to get the URL http://<severname>.<domainname>.com:8530/clientwebservice/wusserverversion.xml and was not able to establish a connection, whereas on the working server it was going directly to the SCCM server and fetching the required URL successfully.
·         <severname>.<domainname>.pri:8080 is not in use and is not configured anywhere in the system. Moreover, <severname> is a local address and can’t be reached through any proxy.
·         Then we started removing any proxy cache in the registry and looking for proxy settings hardcoded anywhere. We manually configured a proxy in Internet Explorer and added http://<severname>.<domainname>.com to the proxy bypass list … it still didn’t work.
·         It seemed the SCCM client was not looking at the IE settings for its proxy configuration.
·         Also, when we analyzed the windowsupdate.log file, we found the following entry


·         There is a tool on Windows 2003, proxycfg, that modifies the entry below:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings

·         There are two things we can do:
Either run proxycfg [-p <server-name> [<bypass-list>]], which sets the proxy server and an optional bypass list, for example proxycfg -p PROXYSERVER http://<severname>.<domainname>.com, or, if you have already defined a proxy with a bypass list of IPs/servers in your browser under local settings, you can use
·         proxycfg -u to import the proxy settings of IE, and then restart Automatic Windows Updates.
·         As we had already defined a proxy with bypass settings in IE, we ran the proxycfg -u command on the affected server.



·         After running the above command, the “software update scan Cycle” completed successfully!
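
The two error codes quoted in this post can be decoded offline, which narrows the fault to the network path before any capture is taken. The following is an added example, not part of the original post: it splits each HRESULT into facility and code, showing that 0x80072ee2 is a Win32 WinHTTP timeout (12002) and 0x801901f7 is HTTP status 503. The lookup tables are a small subset chosen for illustration.

```python
import re

# Facility numbers from winerror.h needed for the two codes on this page.
FACILITIES = {7: "FACILITY_WIN32", 25: "FACILITY_HTTP"}

# WinINet/WinHTTP Win32 codes (12000 range) often seen when a scan cannot
# reach its update server. Short illustrative subset, not a full table.
WINHTTP_ERRORS = {
    12002: "ERROR_WINHTTP_TIMEOUT",
    12007: "ERROR_WINHTTP_NAME_NOT_RESOLVED",
    12029: "ERROR_WINHTTP_CANNOT_CONNECT",
}

# HTTP statuses a proxy or web server on the path may answer with.
HTTP_STATUS = {
    403: "Forbidden",
    407: "Proxy Authentication Required",
    502: "Bad Gateway",
    503: "Service Unavailable",
    504: "Gateway Timeout",
}

HRESULT_RE = re.compile(r"0x[0-9a-fA-F]{8}")

def decode_hresult(value):
    """Split an HRESULT into (facility name, code, meaning)."""
    facility = (value >> 16) & 0x1FFF   # same mask as HRESULT_FACILITY
    code = value & 0xFFFF               # same mask as HRESULT_CODE
    name = FACILITIES.get(facility, "facility %d" % facility)
    if facility == 7:
        meaning = WINHTTP_ERRORS.get(code, "Win32 error %d" % code)
    elif facility == 25:
        meaning = ("HTTP %d %s" % (code, HTTP_STATUS.get(code, ""))).strip()
    else:
        meaning = "code %d" % code
    return name, code, meaning

def explain(line):
    """Decode every 0x........ value found in one log line."""
    return [decode_hresult(int(m, 16)) for m in HRESULT_RE.findall(line)]

# The two error lines quoted in the post.
LOG_LINES = [
    "OnSearchComplete - Failed to end search job. Error = 0x80072ee2.",
    "VerifyWUServerURL() failed with hr=0x801901f7",
]

if __name__ == "__main__":
    for line in LOG_LINES:
        print(line, "->", explain(line))
```

An HTTP-facility code such as 503 means some HTTP hop answered the request, so the next check is which host the client actually connected to.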