The Realm of the Verbal Processor

Jarvis's Ramblings

SCCM and WSUS issues

[Update June 3, 2008: Refer to this post for issues related to SCCM and WSUS as well. The info in it might be more relevant.]

Lately I have been working with System Center Configuration Manager 2007 (SCCM)…the latest version of Systems Management Server from Microsoft. Wow is this thing powerful. I enjoyed SMS 2003, but SCCM is a huge improvement. The process has not been without speed bumps, but overall it is just simply an awesome framework for computer management.

The most significant speed bump I have had lately has been in the area of computer patching. SCCM uses WSUS (Windows Server Update Services) for its patching component. Basically you install WSUS and SCCM manages WSUS. There are several settings that need to be lined up for this to operate. Links to those settings can be found here, here, and here.

A couple of the things to make sure are in order are:

  1. Proxy settings on the SUP properties are set correctly. (Use it or not, and if so make sure it is pointing to the right place.)
  2. On the SUP component configuration, ensure that the port numbers are correct. If WSUS is installed to the default web site, the ports should be 80/443. If it is using a custom web site, it defaults to 8530/8531…unless you told it something different. Open IIS Administration to check the properties on the WSUS Administration web site to see what it is set to. Make sure the ports in IIS and the SUP component match.

I had all of those settings lined up per the documentation (no proxy required…ports configured correctly), but was still getting errors. I first reported these issues on myITforum.com and a TechNet forum.

Basic gist is that after setting things up per documentation, SCCM was not able to successfully connect to WSUS and manage the WSUS settings. The SMS_WSUS_SYNC_MANAGER log shows that the synchronization failed because of an HTTP 401 “unauthorized” message. This is followed by another log entry that states “SMS WSUS Synchronization failed” because “WSUS Server not configured”. It also gave the incredibly helpful [sarcasm] error code of “214500037: Unspecified error”.

After doing some more digging, I started correlating messages in three log files…WSUS_SYNC_MANAGER, the WSUS IIS log file, and the SCCM server’s Security log. Here is what I found…

When the synchronization starts, an event is logged in the SYNC_MANAGER log stating that a synchronization started (message ID 6701). Exactly five minutes later a 6703 message appears to state that the synchronization failed (that’s the one I referenced above). At the same time as the 6701 message, there are corresponding messages in the IIS and Security logs. In the security log is a success logon audit message. The user name is the SCCMServer$ account. The IP address was listed as the IP of the proxy server. Hey…wait a sec…I told it not to use the proxy. [Edit: Based on my memory, I’m pretty sure the Security Log message is only there the first time it tries to synchronize. I saw it after reboots. Not sure when it would appear again…probably some time period that it needs to re-authenticate. I know it did not appear on subsequent synchronization attempts unless I rebooted. I didn’t give it time to go through any normal process to come up again…it was too easy to reboot and force the entry to appear again. Nice having a lab environment!] Hmmm…on to the IIS logs. Again at the same time as the 6701 message and the security log message comes the following (key parts emphasized):

2007-10-23 16:16:14 W3SVC2097571970 [IP of the SCCM server] POST /ApiRemoting30/WebService.asmx - 8530 - [IP of the proxy server] Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.832) 401 2 2148074254

From that message (if I interpret it correctly) we can see that the process is trying to connect to the WSUS component on the SCCM server with a client IP address that is the proxy server. We also see that this request is getting the 401 (unauthorized) message.

Now…why the heck is the proxy server being contacted? Yes we have a proxy server, however it is not required on the network segment where the SCCM/WSUS server resides. (It is enabled but not required on that segment for reasons that are beyond the scope of this post.) All checkboxes for using the proxy are unchecked. (SUP and IE settings). Yet it is still using the proxy. Why?

Here is what I think is going on. We know that when SCCM tries to connect to WSUS, it is using the computer account for the SCCM server. This account appears to be doing proxy auto-configuration (even though all checkboxes inside SCCM tell it not to use the proxy). The auto-configuration is setting the proxy to the DNS name of the proxy…i.e. proxy.company.com. This is getting resolved to the IP of the proxy server, and then SCCM is using that proxy IP to connect. This is failing out. Not sure why…probably a misconfiguration on our proxy server. (If I check the proxy boxes in the SUP, it fails there also.)

So, there appears to be a dual problem. First is an issue with our proxy server that helped uncover the second problem…SCCM appears to be getting proxy auto-config info even though the proxy boxes are unchecked.

So…now that I’ve figured out the issue…what can I do about it? I don’t manage the proxy and don’t want to spend the time figuring out what is going on with it. My co-worker Karl came up with a great idea that ended up being a great workaround. Set up a host file entry for proxy.company.com that points to a bogus IP address. Then when the server gets the auto-config and tries to contact the proxy server, it goes to a dead IP and then goes on to connect without the proxy info. Worked like a charm. Thanks Karl.

So…there you have my forensics of the SCCM/WSUS issue. Feel free to pick it apart and offer improvements.


October 23, 2007 - Posted by | ConfigMgr, tech
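The log correlation described in the post, as an added example that is not part of the original post or its comments: it pairs each failed sync (STATMSG 6701 followed by 6703) with IIS requests to the WSUS API in the same window and reports 401s whose client IP is not the site server itself. The function names, the field order (taken from the quoted IIS lines) and the sample log lines with documentation-range IPs are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Field order of the IIS log lines quoted on this page (assumed W3C layout).
IIS_FIELDS = ("date time s_sitename s_ip cs_method cs_uri_stem cs_uri_query s_port "
              "cs_username c_ip user_agent sc_status sc_substatus sc_win32_status").split()
WSUS_API = "/ApiRemoting30/WebService.asmx"
STATMSG = re.compile(r"STATMSG: ID=(\d+) .*?GMTDATE=\w{3} (\w{3} \d{2} [\d:]+)\.\d+ (\d{4})")
SLACK = timedelta(seconds=2)  # the two logs are written by different processes

def parse_iis(line):
    parts = line.split()
    if line.startswith("#") or len(parts) != len(IIS_FIELDS):
        return None  # header directive, blank line, or another field layout
    rec = dict(zip(IIS_FIELDS, parts))
    rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    return rec

def parse_statmsgs(text):
    """Yield (message_id, utc_time) for every STATMSG line of the sync manager log."""
    for m in STATMSG.finditer(text):
        yield int(m.group(1)), datetime.strptime(f"{m.group(2)} {m.group(3)}", "%b %d %H:%M:%S %Y")

def detoured_sync_calls(iis_text, sync_text, site_server_ips):
    """401s on the WSUS API inside a failed sync window whose client IP is not
    the site server itself, i.e. the call arrived by way of another host."""
    events = list(parse_statmsgs(sync_text))
    starts = [t for i, t in events if i == 6701]
    findings = []
    for fail in (t for i, t in events if i == 6703):
        start = max((s for s in starts if s <= fail), default=None)
        if start is None:
            continue  # failure without a logged start
        for rec in filter(None, map(parse_iis, iis_text.splitlines())):
            if (rec["cs_uri_stem"] == WSUS_API and rec["sc_status"] == "401"
                    and start - SLACK <= rec["when"] <= fail + SLACK
                    and rec["c_ip"] not in site_server_ips):
                findings.append((rec["when"], rec["c_ip"], rec["sc_substatus"]))
    return findings

# Constructed sample data (documentation-range IPs, not taken from the post).
SAMPLE_SYNC = """\
STATMSG: ID=6701 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" GMTDATE=Tue Oct 23 16:16:14.100 2007 NUMATTRS=0
STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" GMTDATE=Tue Oct 23 16:21:14.200 2007 ISTR1="WSUS server not configured"
"""
SAMPLE_IIS = """\
2007-10-23 16:16:14 W3SVC1 192.0.2.10 POST /ApiRemoting30/WebService.asmx - 8530 - 192.0.2.80 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 2148074254
2007-10-23 16:16:15 W3SVC1 192.0.2.10 POST /ApiRemoting30/WebService.asmx - 8530 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 0
2007-10-23 16:30:00 W3SVC1 192.0.2.10 POST /ApiRemoting30/WebService.asmx - 8530 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
"""

if __name__ == "__main__":
    for when, ip, sub in detoured_sync_calls(SAMPLE_IIS, SAMPLE_SYNC, {"192.0.2.10"}):
        print(f"{when} 401.{sub} on {WSUS_API} from unexpected client {ip}")
```

Pass every address the site server legitimately connects from in `site_server_ips`; any client IP left in the findings is a host the sync call was routed through.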

19 Comments

  1. […] and WSUS issues Read the article… […]

    Pingback by SCCM and WSUS issues - Rod Trent at myITforum.com | October 24, 2007

  2. hi, There:
    I have created a bogus IP address for a Proxy.company.com setting in my DNS service.

    but it also failed.

    Comment by Cheston Dong | October 27, 2007

  3. Were you experiencing all of the other symptoms I listed? If not, you may not have the same issue.

    You mention setting this in your DNS service. I didn’t go that far…we have a legitimate reason for having the proxy in our DNS. I only put this in the host file on the server. If you put a bogus address for your proxy server in DNS, you will almost assuredly cause problems with other clients who need the proxy.

    A couple of assumptions…depending on how much sleep you’ve had recently, it might be easy to overlook these…

    First…I assume you put your network’s actual DNS name in the entry instead of verbatim “company.com”…i.e. microsoft.com if you worked at Microsoft.

    Second…I’m also assuming you changed “proxy.company.com” to the actual address that the server account is getting. i.e. it might be wpad.company.com or something like that…depends on how your DNS is set up to point to your proxy server.

    Comment by Jarvis | October 27, 2007

  4. Great article… It has just solved my problem at a customer.
    Same issue… I have no control over the ISA Server nor did I know the existence of the ISA Server.

    Thanks for very well written article…

    Best Regards
    Ronni Pedersen

    Comment by Ronni Pedersen | December 19, 2007

  5. Glad it helped Ronni. Thanks for the encouragement.

    Hope you have a great day!

    Comment by Jarvis | December 19, 2007

  6. This is a great article, but I am having a different issue. The issue that I am having is that I am using a proxy server. I am running WSUS and SCCM on the same box. The proxy server requires this setting. Allow basic authentication (password is sent in cleartext). I can check this box on the WSUS configuration. It works fine for a little while. SCCM 2007 will change the setting and uncheck the box for allow basic authentication (password is sent in cleartext). The question is how can I force SCCM 2007 to send the password in cleartext.

    Thanks
    Reggie

    Comment by Reggie | December 26, 2007

  7. Reggie,
    I haven’t specifically run into the issue that you are referring to.

    Have you looked at the SCCM forum on myITforum.com? That is a great resource for nearly all things related to SCCM. Another one is the Technet SCCM forum. I think I have links to both of them up in the article.

    Hope that helps,
    Jarvis

    Comment by Jarvis | December 26, 2007

  8. Hi there,

    Super cool article – and great that you have come up against the problem that I am stuck with! However, I can’t seem to get your resolution to work :(
    My lab has SCCM and WSUS on separate boxes; SCCM is in native mode and WSUS is configured for SSL. I still get the errors outlined in your article but am wondering the following:

    The bogus IP address in the hosts file: is this in the hosts file residing on the WSUS server only? If so, should it be in the form:
    NonExistantServer.mydomain.com UnusedIPAddressOnMyNetwork

    eg dummyserver.dummy.com 192.168.2.10?

    Many thanks in advance (apologies for the oh-so-new-to-this-game question) :)

    Dave

    Comment by Dave | January 6, 2008

  9. Dave,
    Thanks for the encouragement on the article. I appreciate it.

    One possibility could be that you swapped the IP/Hostname order in the host file. The host file should look like:
    192.168.2.10 dummyserver.dummy.com

    My setup was that SCCM and WSUS are on the same box running in mixed mode, so you have some extra complexity that my environment did not have. Also, as for which host file…I think it would be the SCCM server’s host file…the errors are part of the SCCM process.

    Jarvis

    Comment by Jarvis | January 6, 2008

  10. I’m having the same problem myself. I’m not sure that I can implement this solution, since the autoproxy wpad.dat file specifies the IP of our proxy server and not the name. So I don’t think there’s a way to trick the SCCM/WSUS server using the HOSTS file.

    Does anyone know a workaround for a situation like this?

    Maybe see if I can get the OK to create a separate WPAD file for the autoproxy entry on this subnet and use host names in that one. Then I should be able to use the HOSTS file trick. Otherwise, possibly get rid of the autoproxy entry altogether. We are pushing out proxy settings to clients using a GPO anyways. This shouldn’t really need to be there. Especially since it’s a server-only subnet.

    Comment by jrensink78 | January 9, 2008

  11. The host file was a creative workaround, if you don’t want to use the host file.

    1. Open the IIS Manager go to the folder “Web Sites” look at “Administration of WSUS”. HTTP port 8530 and HTTPS (SSL) port is 8531.

    After that, change the IP Address from *All Unassigned* to the server Address.
    2. Right click on the “Administration of WSUS” and choose Properties. Choose the IP from the list box.

    And you’re done.

    HTH
    Good luck

    Comment by Shanti Lindström | May 30, 2008

  12. That has potential. If that works…and is that easy…I feel like a bit of a dope for not trying it myself already.

    Comment by Jarvis | May 30, 2008

  13. Today I had the same issue (SMS WSUS Synchronization failed.
    Message: WSUS server not configured.
    Source: CWSyncMgr::DoSync.
    The operating system reported error 2147500037: Unspecified error ) I was able to overcome this. The name in the proxy was not matching (FQDN) what was in DNS ( I pinged the proxy name from the command prompt). Later, I added an entry in the host file which had the host name (present in proxy) and IP address ( from the ping result). That worked. Now, SCCM server is able to sync.

    Comment by Nag | June 26, 2008

  14. We had a similar issue, Proxy authentication failed error 407.

    We had to remove “automatically detect settings” from IE connection, for the system settings. -> Launch Internet Explorer as system, remove “Automatically detect settings” from the IE connection settings. We had to do this to prevent WPAD configuration being applied.

    If you are running SCCM on Server 2008 check this out for how to launch IE as system: https://verbalprocessor.com/2007/12/05/running-a-cmd-prompt-as-local-system/

    Comment by Christian | July 16, 2008

  15. You are correct Christian…and thanks for the plug for my “cmd prompt as system” post!

    Also…if you are running on Server 2008, you will be better off looking at the other post that is referenced on the first line of this post…it is much more relevant.

    Comment by Jarvis | July 16, 2008

  16. I’m suffering from a similar problem, but can’t get my head around what’s going on. I’ve followed the guides and the links that were pasted.
    My WSYNCMGR.LOG shows the following: (I’ve altered some details but they are consistent throughout the logs)
    Found local sync request in site contol file
    Performing sync on local request
    STATMSG: ID=6701 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=SERVER SITE=SMS PID=2912 TID=2556 GMTDATE=Thu Aug 07 14:56:15.520 2008 ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
    Sync failed: WSUS server not configured. Source: CWSyncMgr::DoSync
    STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=SERVER SITE=SMS PID=2912 TID=2556 GMTDATE=Thu Aug 07 15:01:15.606 2008 ISTR0="CWSyncMgr::DoSync" ISTR1="WSUS server not configured" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
    Sync failed. Will retry in 60 minutes
    Sync time: 0d00h04m59s
    Waiting 60 minutes for requests...

    I’m seeing this in my IIS log…
    2008-08-07 15:04:26 W3SVC1045235440 1.1.1.1 POST /ApiRemoting30/WebService.asmx - 8530 - 1.1.1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1433) 401 1 0

    I’m not sure what I should be looking for in my Security logs, they aren’t making much sense to me.

    Any ideas? :-|
    Cheers,
    MRaybone.

    Comment by Mark Raybone | August 7, 2008

  17. Hello

    I had the same problems.. but a different solution which others found useful also

    -> add a IIS certificate for 8531 port.
    -> REBOOT (REBOOT ! don’t hesitate:)

    start a Run synch from Software update repository..

    Look at Wsyncmgr.log.. to my lab it’s started working !

    Hope this will help

    EBE

    Comment by EBE | September 9, 2008

  18. Hi

    Above document helped me to troubleshoot, in my case what I did was removed SSL port (8531) from IIS SUS website and it started working fine.

    Thanks

    Comment by Laljeev M | December 30, 2008

  19. I had this issue with the Unspecified Error. This server is a SCCM 2007 R2 box with all of the roles installed on the same box. To resolve this issue I needed to do the following two things: Install an SSL certificate on the WSUS IIS Site with the Primary Name set to the FQDN of my server and then configure the proxy settings of the SCCM Software Update Point to be the FQDN of my server with a port of 8531.

    Microsoft has made SCCM overly complicated for no reason. This whole product could be so much simpler…

    Comment by Matt | November 23, 2009

