This project has moved. For the latest updates, please go here.

[Auto-Solved] WSUS Replica Downstream Server Problems - Folder & Id field red - missing cab files

Topics: Configuration Issue
Sep 26, 2013 at 3:09 PM
Edited Sep 26, 2013 at 4:07 PM
First off, great project and thanks for the hard work in adding features and addressing problems. Here's the scenario:

We have our main server 2k8 R2 WSUS server that downloads MS patches and stores them locally. We can publish MS and third party patches to our Win 7 clients with no problems from that server. We proceeded to set up a replica 2k8 R2 server and it does synchronize and show both MS and the third party patches published from the upstream server, however, all third party patches show the path in the Folder field red and the string in the Id field orange. WSUS clients directed to that server are unable to detect the third party update packages but if pointed to the upstream server they have no problem detecting/installing them. We noticed that this is caused because the cab files are not being replicated, if we copy the cab files manually from the upstream server then the field clears the red status but once a WSUS synchronization is performed the files are deleted. MS patching works fine from the replica server. Both servers and clients are using the same 2048 bit self signed certificate that was generated on the main upstream server. Any input on what the problem may be?
Sep 26, 2013 at 4:46 PM
Ok, so I made headway when I was triple checking things and noticed the certificate on the replica server missing from Trusted Publishers (facepalm). Added certificate and this appears to have resolved my problem. I am guessing that WSUS was rejecting the packages because they weren't signed by a trusted publisher (yes, thank you ahead of time for the captain obvious award). I will post back with any further issues. Interesting thing is that the Id field still shows up orange...
Marked as answer by DCourtel on 10/5/2013 at 5:04 AM
Coordinator
Sep 26, 2013 at 7:51 PM
I am guessing that WSUS was rejecting the packages because they weren't signed by a trusted Publisher
That's right. The wsus doesn't trust the file, even if it came from his upstream server, so it reject it.
Interesting thing is that the Id field still shows up orange...
This is a normal situation. Replica servers doesn't fill the "UpdateServicesPackages" folder. Only Upstream servers does it. This is why the field is in Orange and not Red. The situation can be normal.
Sep 26, 2013 at 8:07 PM
That makes sense, thanks for the clarification. We are deploying 13 remote branch replica servers so this should be interesting.
Sep 18, 2014 at 3:42 PM
Hello,

i have the same kind of setup..
My upstream server will download the patches from MS ad i will push it to the downstream servers.. its working fine.
I have one upstream and two down stream servers. Three are cross domain servers.
I have installed the WPP on upstream and open install the certificate on one of the downstream server.
And pushed it via gpo to the respective clients. I am able to detect the clients. But package showing as unknown.
I dont know What to check where to check.
please help me.

thanks,
Naresh
Sep 18, 2014 at 5:57 PM

Have you made certain that you installed the certificate on the downstream servers?

Sep 18, 2014 at 6:40 PM
Edited Sep 18, 2014 at 6:47 PM
Yes, i have installed the same certificate on downstream server and clients as well.

Now package status has changed form "unknown" to "not installed"
Sep 18, 2014 at 7:10 PM

What version of Windows Server are you running?

Is your downstream server working for MS updates?

Have you set the downstream server as a replica server in WSUS role configuration?

You did not mention whether you installed WPP on the downstream servers.

Sep 18, 2014 at 7:21 PM
Windows Server 2008
Yes, its working fine for MS updates
Yes, thats why it is getting updates (i am not sure)
no, i haven't installed the WPP on downstream servers. i think its not required
Sep 18, 2014 at 7:25 PM

I would have to reference the documentation to be certain but actually I am pretty sure WPP is required on the downstream client, this may be your problem.

At least that is how I have it working anyway.

Sep 18, 2014 at 7:25 PM

When I said “downstream client” I meant downstream server.

Sep 18, 2014 at 7:28 PM
i dont think so... if it is the case, did you installed on all 13 servers ?
Sep 18, 2014 at 7:32 PM

Yes, it is installed on all 13 of our downstream replica servers and working flawlessly.

Sep 18, 2014 at 7:34 PM
And are you creating the package on all the servers or only on upstream server ?
Sep 18, 2014 at 7:34 PM

Also make sure your certificate is installed in the “computer” store and not under “user” certificate store.

Sep 18, 2014 at 7:36 PM

Packages are created only on the upstream server and then they replicate to the others after synchronization just like WSUS updates do.

Sep 18, 2014 at 7:37 PM
Yes certificate is under computer store only both in root and publisher
Sep 18, 2014 at 7:38 PM
But this WPP is like a portable software, how can it run as a service ?
Sep 18, 2014 at 7:41 PM

It doesn’t, it simply puts packages in the WSUS content folder and utilizes it’s service. I’m not sure of the technical details but I believe that is how it works. I also ran into a problem with UAC so be sure you are running WPP as administrator to avoid problems by right-clicking and selecting run-as administrator.

Sep 18, 2014 at 7:44 PM

We can agree to disagree but I would suggest simply trying to install WPP on one of your downstream servers just to eliminate it as the possible culprit. It is entirely possible that it is not necessary but I am just going on the way I have it setup and working for almost a year now on 14 servers.

Sep 18, 2014 at 7:45 PM
Oh ok, i am the domain administrator..
And when you installed the WPP on downstream servers, while connecting the servers which option did you select >
Local or Remote? I mean downstream or upstream
Sep 18, 2014 at 7:46 PM
Oh dont get angry boss.. sure i will give it a try
Sep 18, 2014 at 7:52 PM

I understand you are probably logged in as an administrator but contingent on your UAC settings you may need to actually use the “run-as” feature to launch the program as administrator.

The downstream servers are set to local in the WPP settings if that is what you are referring to.

Sep 18, 2014 at 7:53 PM

Not getting angry, just want to be sure we don’t miss something simple to expedite the resolution of your problem.

Sep 18, 2014 at 7:56 PM
For example A is my Upstream and B is my downstream.
Currently i am running WPP on A as local means "A"
So, you are saying that i should run on downstream server as "B"
Then it will be run as local, how the application will contact A, using certificate ?
Sep 18, 2014 at 8:01 PM
Edited Sep 18, 2014 at 8:14 PM
It is set to local on both servers, WSUS takes care of the rest since the downstream server is a replica server.
Sep 18, 2014 at 8:04 PM
Sorry boss, i am not able to view the images.

I tried in different browsers
Sep 18, 2014 at 8:16 PM
Can you send those screen shots to my email ?
naresh_raks@yahoo.co.in
Sep 18, 2014 at 8:45 PM
Edited Sep 18, 2014 at 8:48 PM
Thanks, got the images..
Coordinator
Sep 18, 2014 at 9:16 PM
Hi, no need to install WPP on all downstream servers. As all your downstream servers are replica, you can't publish update onto a replica, so no need WPP on downstream. You can even install WPP on a Workstation and manage your Wsus from that computer (Wsus console need to be installed first).
Sep 18, 2014 at 9:18 PM
Edited Sep 18, 2014 at 9:19 PM
Thanks DCourtel for clearing that up as I was not sure but didn't want to overlook anything. I guess the only reason we installed it on the downstream servers was to check the status of 3rd party updates without having to synchronize (we are limited on bandwidth between our sites).
Sep 18, 2014 at 9:39 PM
Edited Sep 18, 2014 at 10:00 PM
if i install WSS on workstation, do i need to all wsus servers in WPP console or only upstream is fine ?

And do i need to generate the certificate again ?
Because i already pushed this certificate to all the clients :(
Sep 19, 2014 at 9:36 AM
Edited Sep 19, 2014 at 9:40 AM
Hi Adorr,

as you suggest i am running WPP on downstream as well.
but on downstream server the package is showing in red color ?
is there is any fault ?

And i am able to detect the client on upstream. But when i pass the "detect now" command on downstream its giving error :(
Sep 19, 2014 at 2:19 PM
According to DCourtel you were correct that WPP is not required on the downstream server so that is apparently unrelated, regardless I find it useful in troubleshooting for scenarios such as the one you have now. I have encountered exactly what you are describing and it was a certificate issue. For sake of posterity I would export the certificate from the functional upstream server and reimport that certificate file into the downstream servers computer Trusted Root Certification Authorities certificates folder and Trusted Publishers certificates folder. When I encountered this problem I was certain I had imported the same certificate but when I did it the aforementioned way it solved my problem and I felt a little silly afterword.
Sep 19, 2014 at 3:02 PM
I have the same certificate on both servers and on client as well.
Any how i will re-import the certificate on downstream server and let you know.
Sep 19, 2014 at 3:04 PM
Edited Sep 19, 2014 at 3:05 PM
I believe you 100%, I compared the certificates prior to reimporting them in my installation and everything looked the same but for some reason reimporting them did the trick for me. Doesn't hurt to give it a shot just be sure to export a new one from the functional upstream server and not simply reimport the old one.
Sep 19, 2014 at 3:08 PM
Which certificate should i export?
Root or publisher or wsus
I believe all are same, but i just want to conform
Sep 19, 2014 at 3:17 PM
It should not matter because they are all the same (or should be anyway).
Sep 19, 2014 at 3:31 PM
No Luck.
Its still the same :(
Sep 19, 2014 at 3:34 PM
Hmmm, did you force a WSUS synchronization and reconnect with WPP on the downstream server?
Sep 19, 2014 at 3:40 PM
yes, i did that
Sep 19, 2014 at 3:47 PM
Have you been through your event logs to see if anything stands out after you synchronize?
Sep 19, 2014 at 4:00 PM
Can you tell me the location of the log file
Sep 19, 2014 at 4:18 PM
Start -> Administrative Tools -> Event Viewer and search for Windows Server Update Services in the Application log. See if you find any errors.
Sep 19, 2014 at 4:25 PM
No boss,
i couldn't find anything :(
Sep 19, 2014 at 4:37 PM
I sent you a message to your e-mail.
Sep 19, 2014 at 6:00 PM
Thanks a lot Adorr for all your support :)
Sep 19, 2014 at 7:07 PM
Edited Sep 19, 2014 at 7:10 PM
My pleasure, and just for anyone else encountering similar problems it ended up being resolved after finding the certificate was under the User certificates rather then Computer certificates and the WSUS server was set to a different port then the default port 80 that can be configured under the WPP settings. Changed the certificate location and port in WPP and clients were able to pull 3rd party updates.
Marked as answer by DCourtel on 9/22/2014 at 1:50 PM
Nov 27, 2014 at 6:05 PM
Edited Nov 28, 2014 at 4:25 AM
Hi Adorr,

Again i am getting the same issue :(
It worked fine till last month.. i haven't changed any settings.. Ports , certificate is fine.. but sill on the client side the package showing in red color.
What could be the issue.. i have created the package in 25th, i should reach the down stream servers on 26th(as per schedule).
Arrival date, created date showing properly.. i tried revise the package.. but no luck... what could be the issue :(

Thanks,
Naresh
Dec 1, 2014 at 2:14 PM
Hello Naresh, I was out of the office last week so I apologize for the delay. I have a couple questions regarding your problem; is it the Folder field that is showing up red on the replica server? If you browse to the path in the WSUS content store does the .cab file exist there? Is this a new replica server where this is occurring or all replica servers?

When I encountered this it definitely did end up being a certificate issue. I would check the Windows Event Viewer Application log and filter the view by Windows Server Update Services source on the replica server after performing a synchronization to see if you are getting any errors as a start.
Please let me know what you find. Also, reference my last post above to be sure server port and certificate is in right location if it is a new replica server.