Clients cannot update via SUS

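Poster / Post
つよぽん
Forum debut date: 2004/08/13
Posts: 1
Posted: 2004-08-13 12:15
Hello, this is my first post.
Getting straight to the point: we had been centrally managing about 500 client PCs with SUS through AD + GPO, but at some point the clients suddenly became unable to update. (I think probably all of the client PCs show the same symptom.)

Even now, PCs that are joined to the domain for the first time run their updates properly; it seems that only PCs that have already been patched through SUS cannot update. However, if I disable all of the automatic update items in the GPO and set the client PC up so that it can be operated to download patches directly from the MS site, it does seem to download them properly.

I searched around, and a similar symptom had been posted to the MS newsgroup (microsoft.public.softwareupdatesvcs).
I also looked at the client logs and so on; they show the service suddenly shutting down without downloading the patch, which appears to be the same kind of symptom that has been discussed from time to time in this thread as well.

There was almost nothing helpful on the MS site itself, so I would like to know whether anyone else is in a similar situation, whether this is some kind of configuration mistake, or to get help from anyone who has already put a fix in place.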

Hi All,

Yesterday Microsoft and I found a very critical bug in MS04-018 (KB823353). I was troubleshooting a SUS problem in a +500 machines environment.
All machines stopped getting updates from SUS by July. I went through every single step to troubleshoot the problem but nothing helped. So, I opened a case with Microsoft Professional Support. After spending 2 days over the phone, we found the problem.

The KB823353, instead of all other patches, tries itself to connect to Windows Update site over the internet, regardless of any settings you may have made through GPO or Registry.

There is a service called BITS (Background Intelligent Transfer Service) in every Windows 2000/XP machine. This service is responsible for transferring the Automatic Update (AU) content from SUS Server. When the downloads are being done, the AU feature creates a folder under Program Files called WindowsUpdate and creates many subfolders underneath.
You may see a folder called wuaudnld.tmp. If you go in that folder, you see a folder called CAB. Within this folder, there is one folder for each update. Within it, you may see the update file ([name of file].exe). If the name of the files is something like BIT***.TMP and has a size of 0KB, BINGO!, you are the one who has the problem.

If you don't see this folder structure, it means your client has no update to be installed at this time or never installed one by using AU.

The KB823353 instructs the BITS service to connect over the internet, directly through your default gateway, to get the update instead of using the SUS server. Even if you have a proxy set up, it doesn't check for it.

As many companies have limited access to the internet or have proxy-enabled networks, this attempt will fail. (because the machines cannot access internet through the gateway)

If it is the case, the BITS service will keep trying to connect to internet to get the KB823353 Update. The BITS service creates a job for each update it requests. Then it puts all the jobs in a queue. The jobs are sequential, which means one job cannot start before the current job is finished. In other words, all patches will be in the BITS queue in your client waiting for the KB823353 job to get finished. That's why you will see BIT**.TMP file in the patches folders.

You can run BITSADMIN.EXE (available in Support Tools) to see the BITS queue. Type BITSADMIN /LIST /ALLUSERS in the prompt.

To troubleshoot this problem, do the steps below:

- Go to SUSADMIN webpage. Clear all the checkboxes near the KB823353 (there are 4 patches) and then click on the Approve button. It will make the patches unapproved.
- Disable all Windows Update features for your entire network (usually do this through GPO at domain level with No Override setting enforced. BITS queue gets empty when AU is disabled)
- Wait 2 days or more (to make sure all clients get this GPO applied, especially if you have users that come in the office rarely, like sales person with laptops)
- Re-enable Windows Update in your network (by removing this GPO).

The clients will start getting the updates again after the next AU cycle.

Microsoft wasn't aware of this problem by the time I called them. I expect they are working right now to fix this bug and release a patch for this patch (isn't it comic?).


Have Fun!
_________________
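
The folder check described in the quoted newsgroup message, written as a script that can be run on a client. This is an added example, not part of the original post or the newsgroup message; the function name Get-StalledUpdateFolder is hypothetical, the default path is assembled from the folder names given in the message, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: report per-update download folders that hold only a
# 0-byte BIT*.TMP placeholder, the symptom described in the message above.
function Get-StalledUpdateFolder {
    param(
        # Assumption: default location built from the folder names in the message.
        [string]$CabRoot = (Join-Path $env:ProgramFiles 'WindowsUpdate\wuaudnld.tmp\CAB')
    )

    if (-not (Test-Path -LiteralPath $CabRoot -PathType Container)) {
        # Per the message: no folder structure means nothing is pending
        # or Automatic Updates never installed anything on this client.
        Write-Verbose "No download folder at $CabRoot"
        return
    }

    # There is one subfolder per update.
    foreach ($dir in Get-ChildItem -LiteralPath $CabRoot -Directory) {
        $files = @(Get-ChildItem -LiteralPath $dir.FullName -File)
        $stubs = @($files | Where-Object { $_.Name -like 'BIT*.TMP' -and $_.Length -eq 0 })
        $exes  = @($files | Where-Object { $_.Name -like '*.exe' -and $_.Length -gt 0 })

        [pscustomobject]@{
            Update     = $dir.Name
            Stubs      = $stubs.Count
            Payloads   = $exes.Count
            # Stalled: BITS created its temp file but no bytes ever arrived.
            Stalled    = ($stubs.Count -gt 0 -and $exes.Count -eq 0)
            # Age of the oldest stub shows how long the job has been waiting.
            OldestStub = ($stubs | Sort-Object LastWriteTime |
                          Select-Object -First 1).LastWriteTime
        }
    }
}

# Constructed demo tree (folder and file names are made up for illustration).
$demo = Join-Path ([IO.Path]::GetTempPath()) ("sus-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path "$demo\update-A", "$demo\update-B" | Out-Null
New-Item -ItemType File -Path "$demo\update-A\BIT1A.TMP" | Out-Null   # 0-byte stub
Set-Content -Path "$demo\update-B\update.exe" -Value 'constructed payload'
Get-StalledUpdateFolder -CabRoot $demo | Format-Table -AutoSize
Remove-Item -Recurse -Force $demo
```

On a real client, call Get-StalledUpdateFolder with no arguments; any row with Stalled set to True matches the 0KB BIT***.TMP condition the message describes.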