Mark Minasi's Tech Forum
Pieter

Senior Member
Posts: 228
Reply with quote  #1 
For a couple of months now we have been having problems with Windows Automatic Update on our Win2016 servers.
Some patches don't seem to install. The server says "restarting...." forever. We have to turn it off. After rebooting it sometimes reverts the patch, sometimes it's just fine.
We have a better experience with sconfig.cmd (option 6), but again not always.

Those servers use the MS site for their updates, but we experience the same problems when we use WSUS as the source.

We have a feeling that 'connectivity' could be a problem, but that's rather a gut feeling.

Anyone having the same problem? Suggestions?

__________________
Pieter Demeulemeester
0
dennis-360ict

New Friend (or an Old Friend who Built a New Account)
Posts: 69
Reply with quote  #2 
Have you read the article about dual scanning in Windows 2016 updating? It basically scans ms.com as well as WSUS. I suggest you read it over, it might give you some ideas.

We had a ton of issues with Win16, with servers ignoring GPO settings, timing out of the dual scanning and no internet connections, etc. The “good” thing is that none of this shows up as a clear error in the events. I would almost say the server product is becoming worse than before. One issue was with the built-in Defender, which completely ignored our GPO settings as well as the Metro settings and kept scanning our file-based database locations, which trashed our performance. It's becoming more and more of a black box, which isn't bad if we don't have to troubleshoot it so much.

While I'm typing I'm remembering a consultant who said 2 GB memory for AD servers is enough in Azure, which caused our monthly patch window to take 12 hours! Lots of .NET processes causing 100% CPU load, sometimes looking like the system is doing nothing at all, with shutting down and starting up taking forever. I would suggest giving your servers some more memory and CPU just to see if it fixes your problem.

__________________
-----
Home is where is sleep
0
Pieter

Senior Member
Posts: 228
Reply with quote  #3 
Hi Dennis, thanks for the reply.
Do you mean an article in particular? I've read https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/ and https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/ .

Our servers are not WSUS clients. We used WSUS as a test to see if we could solve the problem that way, but no. But it surely confirms that 'connectivity' could be a key part of the problem.
You don't use WatchGuard as a firewall by any chance? If you do not feel comfortable saying this on a public forum, please send me a private message or mail.
We're planning a test with a server that will not go through a WatchGuard to connect to the Internet.

__________________
Pieter Demeulemeester
0
Pieter

Senior Member
Posts: 228
Reply with quote  #4 
Solved.
Based on article https://support.microsoft.com/en-us/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p we changed the firewall policy.
Previously we used Application Control on the firewall for Windows Updates. Now we use a simple Packet Filter for those FQDNs.
The servers are able to update now.


__________________
Pieter Demeulemeester
0
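One way to check from an affected server that a firewall change like the one in post #4 took effect, as an added example that is not part of the thread: for each update host it tests DNS, TCP 80/443 and reads the issuer of the certificate presented on 443, which shows whether something on the path is re-signing the connection. The host list and the function name `Test-UpdateEndpoint` are assumptions; take the real FQDN list from the Microsoft article cited in that post.

```powershell
# Added example. The hosts below are sample values (assumption):
# replace them with the FQDN list from the Microsoft article cited in the post.
$UpdateHosts = @('windowsupdate.microsoft.com', 'download.windowsupdate.com', 'download.microsoft.com')

function Test-UpdateEndpoint {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$HostName, [int]$TimeoutMs = 5000)
    $r = [ordered]@{ Host = $HostName; Dns = $false; Tcp80 = $false; Tcp443 = $false; TlsIssuer = $null; Error = $null }
    $errors = @()
    try {
        [void][System.Net.Dns]::GetHostAddresses($HostName)
        $r.Dns = $true
    } catch {
        $r.Error = "DNS: $($_.Exception.Message)"
        return [pscustomobject]$r
    }
    foreach ($port in 80, 443) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $pending = $client.BeginConnect($HostName, $port, $null, $null)
            if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw 'connect timed out' }
            $client.EndConnect($pending)
            $r["Tcp$port"] = $true
            if ($port -eq 443) {
                # Accept any certificate here: the goal is to read the issuer, not to trust it.
                $cb = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
                $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
                $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
                $r.TlsIssuer = $ssl.RemoteCertificate.Issuer
                $ssl.Dispose()
            }
        } catch {
            $errors += "port ${port}: $($_.Exception.Message)"
        } finally {
            $client.Close()
        }
    }
    $r.Error = $errors -join '; '
    [pscustomobject]$r
}

$UpdateHosts | ForEach-Object { Test-UpdateEndpoint -HostName $_ } | Format-List
```

Run it before and after the policy change and compare the `Tcp80`, `Tcp443`, `TlsIssuer` and `Error` fields per host.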
Donato

New Friend (or an Old Friend who Built a New Account)
Posts: 24
Reply with quote  #5 
Thank God for people who explain how the problem was solved. Thank you for that. Some people mark a thread solved with no explanation.
0