Saturday, April 12, 2014

Windows Update Services on Windows Server 2012 R2

I am trying to modernize a bit.  My products support Windows Server 2008, Windows Server 2008 R2, SQL Server 2005-2008/2008R2, and SharePoint 2007/2010.  My home network is a 2008 R2 domain.  My mission was to introduce Windows Server 2012 R2, SQL Server 2012 R2, and SharePoint 2013 with Project Server 2013.

This hasn't been easy.

I figured that after x number of years (depending on which version of which product), things would get easier to install, configure, and go live with. Installing Windows 2012 R2 was a breeze, of course. Adding the various roles and features I need was easy as well. Until I hit Windows Update Services (WSUS).

I like WSUS for my domain because I can pick and choose what updates go out to the house computers. In previous versions of Windows, it was pretty straightforward. Simply add the necessary roles and features to your server, talk to Windows Update about the types of updates you want, possibly create some rules to auto-approve the updates, set up a GPO so your machines are looking at your local WSUS, reboot about 12 times, and you are ready to go.

This time, with Windows 2012 R2, this became a serious hassle. Absolutely nothing worked. For the machine hosting WSUS, I couldn’t even get it to talk to Windows Update even though it was a vanilla install straight from the ISO downloaded from MSDN. The MMC snap-in wouldn’t initialize, the client machines couldn’t see it, and WSUS kept complaining about not being able to connect to the service.

Time to start over.

After many hours today I finally got the WSUS host to talk to Windows Update. Unfortunately, I don’t know why it started to communicate. I just kept plugging away at all of the “answers” on the web, rebooting, turning services on and off, renaming the SoftwareDistribution folder, deleting the crypto directory, etc., etc., until it finally worked. My intention was to track these modifications and create a tool that would do what Microsoft didn’t, which is to make WSUS work on Windows Server 2012 R2 right out of the box. Unfortunately, I didn’t track changes because I was ripping through trying to get it to work.

I wasn’t even trying to spend the day messing with this.  I wanted to get my Windows 2012 + SharePoint 2013 + Project Server 2013 instance up so I could see what it would take to deploy my stuff.  That will be a topic of another post.

What I can tell you is this:  once you get everything working except for clients talking to the WSUS host, you have a big problem. I really can’t explain why Microsoft did this, but the web services WSUS requires have quite the spastic web.configs.  None of them have the correct protocols in their respective web.configs.  I had to not only manually edit each web service .config, but I also had to take ownership of the file because the owner is “TrustedInstaller” so even though I am a domain admin, I could not edit and save the configs to fix the problem.

Hours later…

Everything is working great.  Here’s what you need to know:

Your web configs are wrong.  Open IIS Manager and select the following:

[image]

Open the web.config in Explore and look:

<webServices>
  <protocols>
    <remove name="Documentation"/>
  </protocols>

  <!-- Run SOAP Header Filter with ClientWebService -->
  <soapExtensionTypes>
    <add type="Microsoft.UpdateServices.WUShield,WUShield"
    priority="1"
    group="0" />
  </soapExtensionTypes>
</webServices>

Nope, not going to work!  There is nothing there for get and post, so you will get something like this.

You really need your <webServices> to look like this:

<webServices>
  <protocols>
    <remove name="Documentation"/>
    <!-- <add name="HttpSoap1.2"/> -->
    <add name="HttpSoap"/>
    <add name="HttpPost"/>
    <add name="HttpGet"/>
    <!-- <add name="HttpPostLocalhost"/> -->
    <add name="Documentation"/>
  </protocols>

  <!-- Run SOAP Header Filter with ClientWebService -->
  <soapExtensionTypes>
    <add type="Microsoft.UpdateServices.WUShield,WUShield"
    priority="1"
    group="0" />
  </soapExtensionTypes>
</webServices>

So do that! But your challenge will be to get Windows to let you. It’s not difficult. Just take ownership from TrustedInstaller and add your logged-on user credentials, edit the file, save, and then you are golden.
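The ownership change described above, sketched in PowerShell as an added example (not from the original post). `$ConfigPath` is a placeholder for the web.config being edited; the script saves the original ACL first so the temporary write access can be removed and ownership handed back to TrustedInstaller once the edit is done.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# $ConfigPath is a placeholder for the web.config you need to edit.
param([Parameter(Mandatory)] [string] $ConfigPath)

$ErrorActionPreference = 'Stop'

function Invoke-Native {
    # Run a console tool and stop on a non-zero exit code.
    param([string] $Exe, [string[]] $Arguments)
    & $Exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments -join ' ') failed ($LASTEXITCODE)" }
}

$file    = Get-Item -LiteralPath $ConfigPath
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$aclSave = Join-Path $env:TEMP "web.config-acl-$stamp.txt"
$backup  = Join-Path $env:TEMP "web.config-$stamp.bak"
$me      = [Security.Principal.WindowsIdentity]::GetCurrent().Name

# 1. Save the original DACL and a copy of the file, both outside the web root.
Invoke-Native icacls @($file.FullName, '/save', $aclSave)
Copy-Item -LiteralPath $file.FullName -Destination $backup

try {
    # 2. Take ownership (as the Administrators group) and grant yourself Modify.
    Invoke-Native takeown @('/F', $file.FullName, '/A')
    Invoke-Native icacls  @($file.FullName, '/grant', "${me}:M")

    # 3. Make the edit by hand; the script waits until Notepad is closed.
    Start-Process notepad.exe -ArgumentList "`"$($file.FullName)`"" -Wait
}
finally {
    # 4. Put the saved DACL back first (still possible as owner), then return
    #    ownership to TrustedInstaller so the file is protected again.
    Invoke-Native icacls @($file.DirectoryName, '/restore', $aclSave)
    Invoke-Native icacls @($file.FullName, '/setowner', 'NT SERVICE\TrustedInstaller')
}

# 5. Show the resulting owner and ACL for a final check.
Get-Acl -LiteralPath $file.FullName | Format-List Owner, AccessToString
```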

You have to do something similar for all of the WSUS web services, except some don’t require the SOAP components of web.config. Not hard to figure out. Simply try to browse to the web service endpoint. If it doesn’t give you something like this:

[image]

Then you have some work to do.
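An added example (not from the original post) for reviewing every web service in one pass: it lists the protocol entries each web.config declares explicitly, in file order, and flags HttpGet, HttpPost and Documentation, since those allow plain GET/POST invocation or expose the service help page. `$WebServicesRoot` is a placeholder for the folder that holds the WSUS web service directories; the Owner column shows which files have not been handed back to TrustedInstaller.

```powershell
# Added example (not from the original post).
# $WebServicesRoot is a placeholder for the folder holding the WSUS web services.
param([Parameter(Mandatory)] [string] $WebServicesRoot)

# Protocols that widen exposure beyond SOAP: plain GET/POST invocation
# and the auto-generated service help page.
$reviewNames = 'HttpGet', 'HttpPost', 'Documentation'

function Get-DeclaredProtocols {
    # Replay <clear/>, <add> and <remove> in file order and return what the
    # file itself leaves enabled. Inherited settings are not evaluated here.
    param([string] $Path)
    $xml  = [xml](Get-Content -LiteralPath $Path -Raw)
    $node = $xml.SelectSingleNode("//*[local-name()='webServices']/*[local-name()='protocols']")
    $enabled = New-Object System.Collections.Generic.List[string]
    if ($node) {
        foreach ($child in $node.ChildNodes) {
            if ($child -isnot [System.Xml.XmlElement]) { continue }   # skip comments
            $name = $child.GetAttribute('name')
            switch ($child.LocalName) {
                'clear'  { $enabled.Clear() }
                'add'    { if (-not $enabled.Contains($name)) { $enabled.Add($name) } }
                'remove' { [void]$enabled.Remove($name) }
            }
        }
    }
    ,$enabled.ToArray()
}

Get-ChildItem -LiteralPath $WebServicesRoot -Recurse -Filter web.config |
    ForEach-Object {
        $file     = $_
        $declared = Get-DeclaredProtocols -Path $file.FullName
        [pscustomobject]@{
            Service  = $file.Directory.Name
            Declared = $declared -join ', '
            Review   = ($declared | Where-Object { $reviewNames -contains $_ }) -join ', '
            Owner    = (Get-Acl -LiteralPath $file.FullName).Owner
        }
    } | Format-Table -AutoSize
```

For the edited config shown earlier in the post, the Declared column reads `HttpSoap, HttpPost, HttpGet, Documentation`: the leading `<remove name="Documentation"/>` is cancelled by the later `<add name="Documentation"/>`.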

Microsoft: This is not okay. It also isn’t documented anywhere that I can find. I figured this out by research. Windows 2012 is a derivative of Windows 8, which few like, so it would seem you would pay more attention to your enterprise users. That being said, I am really digging the new UI. I don’t like it on my workstations but I do like it on the server.

HTH,

Colby
