Hi everyone, Joao Madureira here. During the course of this week we saw an increase of cases installing Knowledge Base article KB 2720211. What follows are some guidelines we’ve established when facing some problems installing this KB.
UPDATE – 9/4/2012: There is a new update available that includes 2720211 plus many other fixes, including those that address some of the issues discussed in this article. You can find information on this new update here.
Before Installing the KB
WSUS Health Checks
As mentioned in the KB article, please follow instructions on how to perform basic health checks on a WSUS Server using the following TechNet websites:
· Reindex the WSUS Database (http://technet.microsoft.com/en-us/library/dd939795(v=ws.10))
You can use the wsusmigrationmigrationimport/Wsusmigrationexport tools to back up the approvals and computer groups. Before installing the KB, copy these files to C:\program files\update services\tools.
- Download the API samples and tools at http://download.microsoft.com/download/5/d/c/5dc98401-bb01-44e7-8533-3e79ae0e0f97/Update%20Services%203.0%20API%20Samples%20and%20Tools.EXE and get the WSUSmigrationexport.exe from it.
- http://wsus.codeplex.com/releases/view/18460 <-compiled version for wsusmigrationimport with http://support.microsoft.com/default.aspx?scid=kb;EN-US;945348
Next, open notepad and copy the following text to it:
wsusutil.exe export c:\wsusbackup\metadata.cab c:\wsusbackup\metadata.log
Save this as backup.bat.
Open notepad and copy the following text to it:
wsusutil.exe import c:\wsusbackup\metadata.cab c:\wsusbackup\metadata.log
wsusmigrationimport3.exe c:\wsusbackup\configuration.xml all none
Save this as restore.bat.
Now, if you encounter a problem installing the KB, you have a valid backup and can use the restore.cmd to get back the metadata and approvals after reinstalling WSUS.
After Installing the KB
Four main issues have been encountered as follows:
Issue caused by patch?
WSUS server stops synchronizing with Microsoft Update
The website verifications are not accurate
No. Recommend disabling.
WSUS server stops working and also fails to reinstall.
Errors in errorlog for Windows internal database
Issue 1 : WSUS server stops synchronizing with Microsoft Update.
Workaround: remove WSUS , leaving the database on the uninstall.
When removing WSUS , the first screen after asking to uninstall will be what are the items you want to remove with the uninstall. Leave all options UNCHECKED.
Proceed with uninstalling. After finishing, install WSUS again.
Add the role again in Server manager (Windows Server 2008 and Windows Server 2008 R2) or download WSUS 3 SP2 from the following location:
Start the install and choose the options to connect to the database server or Windows Internal database. As in the example, I am connecting to my Windows Internal Database.
Then choose “use existing database” and proceed with the install.
Issue 2 : Website Verifications are not accurate.
The problem is currently under investigation and the workaround is to temporarily disable the website verification with wsusutil. WSUS is working fine, it synchronizes and updates clients. The mechanism to verify the websites is the one alerting on Event viewer.
Open a command prompt and navigate to C:\program files\update services\tools
You can save the following text below to a batch file or run the following commands to stop verifying the websites:
wsusutil HealthMonitoring CheckSelfUpdate off
wsusutil HealthMonitoring CheckReportingWebService off
wsusutil HealthMonitoring CheckApiRemotingWebService off
wsusutil HealthMonitoring CheckServerSyncWebService off
wsusutil HealthMonitoring CheckClientWebService off
wsusutil HealthMonitoring CheckSimpleAuthWebService off
wsusutil HealthMonitoring CheckDssAuthWebService off
After running it, you will have to restart the WSUS service. If you are still at the command prompt, you can simply do a net stop wsusservice && net start wsusservice
Issue 3 : WSUS server stops working and also fails to reinstall.
After installing the fix, WSUS stops working. The console doesn’t open and softwaredistribution.log displays the following messages:
2012-06-15 19:26:36.976 UTC Error w3wp.8 GenericDataAccess.DumpStateMachineLog DumpStateMachineLog encountered an error. Exception: System.Data.SqlClient.SqlException: Access to module dbo.spReturnStateMachineTransitionEventLogEntriesFromError is blocked because the signature is not valid.
2012-06-15 19:26:03.778 UTC Warning w3wp.8 SoapExceptionProcessor.SerializeAndThrow Discarding stack trace for user NT AUTHORITY\SYSTEM, IP Address fe80::e949:3535:dace:fef4%13, exception System.Data.SqlClient.SqlException: Access to module dbo.spConfiguration is blocked because the signature is not valid.
2012-06-15 19:26:03.778 UTC Error w3wp.8 GenericDataAccess.DumpStateMachineLog DumpStateMachineLog encountered an error. Exception: System.Data.SqlClient.SqlException: Access to module dbo.spReturnStateMachineTransitionEventLogEntriesFromError is blocked because the signature is not valid.
When trying to reinstall WSUS it fails. In order to locate what is causing the installation to fail, go to Run > type %temp%. Locate the WSUSCAXXXXX.log ( where XXXXX will be date_time the machine ran the setup). The error will be like in the transcript:
Changed database context to ‘SUSDB’.
Executing string: CREATE CERTIFICATE [MS_SchemaSigningCertificateD7A4348D8F461363128D655AE4589B8206B74257] FROM FILE = ‘C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\SchemaSig\wsussigndb.cer’
Warning: The certificate you created is expired.
Executing string: ALTER CERTIFICATE [MS_SchemaSigningCertificateD7A4348D8F461363128D655AE4589B8206B74257] ATTESTED BY ‘C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\SchemaSig\WSUSSignDb.dll’
Msg 15299, Level 16, State 1, Server \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query, Line 6
The signature of the public key is invalid.
The solution for reinstalling WSUS will be the following:
Assuming the WSUS is not installed anymore, remove Server Manager > Features > Windows Internal database.
Navigate to C:\windows and locate the folder sysmsi . Rename this folder to sysmsi_old
Try to install WSUS again with the option to install the Windows Internal database.
Issue 4 : Errors in errorlog for Windows internal database (updated)
If you are seeing the error below in the SQL Errorlog and the database has been patched, we have verified these instructions:
NOTE Errorlog is located at c:\windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\Log
2012-06-14 11:39:40.93 spid53 Access to module dbo.spSetupLogin is blocked because the signature is not valid.
1) Stop WID using NET STOP MSSQL$MICROSOFT##SSEE
2) Backup the existing patched database files (file copy will work). Usually this is at C:\WSUS\UpdateServicesDbFiles (this location was chosen by the customer when they initially installed WSUS).
3) Start WID using NET START MSSQL$MICROSOFT##SSEE
4) Reinstall WSUS3 SP 2 to a new database (“Create a new Database”).
5) Reinstall the patch – IMPORTANT!
6) Stop WID using NET STOP MSSQL$MICROSOFT##SSEE
7) Restore the existing patched database by copying the files you backed up to C:\WSUS\UpdateServicesDbFiles
8) Start WID using NET START MSSQL$MICROSOFT##SSEE
9) Run the patch again with the following command: – the patch should be able to add the missing signatures automatically. If it fails again,please send us the log files (C:\reinstallpatch.log, mwusca***, wsusca***,mwussetup***, wsussetup***, wsussetupmsi*** in your %temp% or %temp%\.. WSUS-KB2720211-x64.exe C:\reinstallpatch.log
Joao Madureira | Senior Support Escalation Engineer
App-V Team blog: http://blogs.technet.com/appv/
ConfigMgr Support Team blog: http://blogs.technet.com/configurationmgr/
DPM Team blog: http://blogs.technet.com/dpm/
MED-V Team blog: http://blogs.technet.com/medv/
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
SCVMM Team blog: http://blogs.technet.com/scvmm
Server App-V Team blog: http://blogs.technet.com/b/serverappv
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center Essentials Team blog: http://blogs.technet.com/b/systemcenteressentials
WSUS Support Team blog: http://blogs.technet.com/sus/
The Forefront Server Protection blog: http://blogs.technet.com/b/fss/
The Forefront Endpoint Security blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/