Note: This article has been updated as of 11/30/2010. See comments in red below.
Hello System Center,
In this post I'd like to share information gleaned from a quarters worth of support incidents as regards Configuration Manager 2007 Software Update Points configuration and operations. The goal is for this post to help by providing details on common problems driving calls to support and is focused on the area involving the SUP operations.
It is worth noting that Windows Software Update Server (WSUS) is a key dependency for the Software Update Point (SUP). When WSUS isn't happy, the SUP is also going to have a bad day... Along with this it’s crucial to allow WSUS to be configured by Configuration Manager - as independent configuration of the WSUS Server usually ends in tears, or at least an unruly conflict.
The online TechNet library for Configuration Manager has a plethora of topics covering Software Update Point (SUP) configurations so please explore the relevant links at need.
Before beginning, ensure your familiar with the core topics: About the Software Update Point http://technet.microsoft.com/en-us/library/bb632674.aspx
Some of the common problems found with Software Update Points:
Two dependencies in WSUS loom large for Configuration Manager and lead the way for call drivers in this area. Being aware of these two issues might save you time and suffering down the line. I will also note that while not yet released (and thus subject to change) WSUS 3.0 SP2 should provide relief from both of the following problems. Please keep in mind that until WSUS 3.0 SP2 is released, tested with, and supported for use by Configuration Manager, it may introduce problems which cannot be anticipated.
1. Issue per KB 954960. This first common problem is an issue which results in some clients failing to pull down updates from the WSUS Server (SUP). This problem is documented in KB 954960 and occurs due to a recent revision to a Microsoft Office 2003 Service Pack 1 (SP1) update that causes some WSUS 3.0 servers to incorrectly synchronize the revised update with the update’s approvals. When the affected client computers communicate with such a server, the Web service is unable to process the approvals. Therefore, the detection is unsuccessful.
Resolution: The WSUS KB 954960 article provides a download link for the update directly.
2. WSUS Server Uninstalls. Continuing to drive support calls is the problem where the WSUS Server underlying the SUP is found to have been deinstalled.. Forums posts correlate this problem with Server Reboots as well as being linked to SMS Site Backup operations. What is understood is this occurs when WSUS is installed on the Site Server, and an MSI repair call is made to WSUS which fails.
While there is no current fix for this problem it is expected to be resolved by WSUS 3.0 SP2 (This is indeed fixed with Service Pack 2) - which is still in beta at this time. Fortunately there are two widely discussed workarounds to be found on the forums which should help:
· Move the WSUS server off of the Configuration Manager Site server. Note: To date this issue has only been confirmed when WSUS and Configuration Manager are installed on the same machine.
· A manual registry edit can be implemented to prevent the WSUS repair from launching. For more on this please reference various forums postings such as this one: http://social.technet.microsoft.com/Forums/en-US/configmgrsum/thread/ec73565a-93df-48d6-b411-35ffec7d25e4/
Synchronization with Microsoft Updates
When the SUP fails to sync with Microsoft Updates the support hotline rings. There is really only one flavor of problem seen with regularity, so please check this out and potentially save yourself some coin.
Note: This same problem impacts Upstream/Downstream and related Server Sync operations.
1. Port and Proxy Configurations and Authentication. Whether the proxy is hardware, software, on the SUP or on the network, the results are the same. Incorrect configurations equal a sync failure. This includes omitting a proxy, defining one when not needed, WPAD configurations, as well as incorrect authentication, filtering, or port details. It’s recommended you work with your Networking Team to identify any proxy configurations which might exist. I regret that tools and approaches to investigating this type of issue are beyond the scope of this blog. Find more here:
Configuration Manager SUP Configurations
When external dependencies are in hand the next common call driver involves configuration choices for the Software Update Point. These are common enough to represent an ongoing class of issues and to be worth identifying here.
1. Active SUP - With all the configuration details necessary it's not uncommon to overlook defining an Active SUP. Fortunately it's quick and easy to do. Find more here:
2. Ports on the SUP - Bringing up the tail end of common issues is the configuration of the SUP Ports. This is a simple task yet is often overlooked and not validated. It's easy to correct when incorrect as well. If your SUP is involved in a problem, please make this simple check which may be part of the puzzle. Find more here:
The following are resources you may find of use when approaching Software Update Pont issues and strategies:
SuperFlows for Software Updates: http://technet.microsoft.com/en-us/library/ff385001.aspx
Software Update related TechNet Forums: http://social.technet.microsoft.com/Forums/en-US/configmgrsum/threads/
WSUS Homepage on TechNet: http://technet.microsoft.com/en-us/wsus/default.aspx
WSUS Team Blog: http://blogs.technet.com/wsus/default.aspx
Brent Dunsire Product Quality Program Manager System Center Configuration Manager 2007
The App-V Team blog: http://blogs.technet.com/appv/ The WSUS Support Team blog: http://blogs.technet.com/sus/ The SCMDM Support Team blog: http://blogs.technet.com/mdm/ The ConfigMgr Support Team blog: http://blogs.technet.com/configurationmgr/ The SCOM 2007 Support Team blog: http://blogs.technet.com/operationsmgr/ The SCVMM Team blog: http://blogs.technet.com/scvmm/ The MED-V Team blog: http://blogs.technet.com/medv/ The DPM Team blog: http://blogs.technet.com/dpm/ The OOB Support Team blog: http://blogs.technet.com/oob/ The Opalis Team blog: http://blogs.technet.com/opalis
I saw this posted over on The Configuration Manager Support Team Blog and thought it worth sharing: