Windows-Server-2012-R2

SCCM SUP 無法與 WSUS 伺服器連接 - 未安裝 WSUS 伺服器 3.0 SP2 或更高版本

  • June 10, 2015

在 6 月 1 日,我們的一個軟體更新點失去了連接到其 WSUS 伺服器的能力:

WSUS Control Manager failed to monitor WSUS Server "SCCM.ad.contoso.gov". Possible cause: WSUS Server version 3.0 SP2 or above is not installed or cannot be contacted.

日誌文件表明未SMS_WSUS_CONFIGURATION_MANAGER安裝 WSUS 3.0 SP2 或 SMS SUP 服務(SMS_WSUS_CONFIGURATION_MANAGER 和 SMS_WSUS_CONTROL_MANAGER)無法聯繫到:

Error   Milestone   004 6/8/2015 5:01:30 AM SCCM.ad.contoso.gov SMS_WSUS_CONTROL_MANAGER    7003    WSUS Control Manager failed to monitor WSUS Server "SCCM.ad.contoso.gov".    Possible cause: WSUS Server version 3.0 SP2 or above is not installed or cannot be contacted.  Solution: Verify that the WSUS Server version 3.0 SP2 or greater is installed. Verify that the IIS ports configured in the site are same as those configured on the WSUS IIS website.
Error   Milestone   004 6/8/2015 5:01:30 AM SCCM.ad.contoso.gov SMS_WSUS_CONTROL_MANAGER    7000    WSUS Control Manager failed to configure proxy settings on WSUS Server "SCCM.ad.contoso.gov".    Possible cause: WSUS Server version 3.0 SP2 or above is not installed or cannot be contacted.  Solution: Verify that the WSUS Server version 3.0 SP2 or greater is installed. Verify that the IIS ports configured in the site are same as those configured on the WSUS IIS website.You can receive failure because proxy is set but proxy name is not specified or proxy server port is invalid.
Information Milestone   004 6/8/2015 4:01:39 AM SCCM.ad.contoso.gov SMS_WSUS_CONTROL_MANAGER    4609    Component Status Summarizer set the status of component "SMS_WSUS_CONTROL_MANAGER", running on computer "SCCM.ad.contoso.gov", to Critical.    Possible cause: The component is experiencing a problem.  Solution: Diagnose and fix the problem by:  1. Examining the status messages that the component reports.  2. Correcting the problem.  3. Instructing Component Status Summarizer to reset the counts of Error, Warning, and/or Informational status messages reported by the component. To reset the counts, right-click Reset Counts on the component in the Component Status summary in the Configuration Manager Console. When the counts are reset, Component Status Summarizer will change the status of the component to OK. This might take some time if site "004" is a child site.  4. Delete any unwanted status messages from the site database, if necessary.  5. Monitor the component occasionally to verify that the problem does not reoccur.    Possible cause: The component is OK and you were unnecessarily alerted because the Component Status Thresholds are set too low for the component.  Solution: Increase the Component Status Thresholds for the component using the Thresholds tab of the Component Status Summarizer Properties dialog box in the Configuration Manager Console.    Possible cause: The component is flooding the status system by rapidly reporting the same message repeatedly.  Solution: Diagnose and control the flood of status messages by:  1. Verifying that the component is actually flooding the status system. View the status messages reported by the component and verify that the same message is continually reported every several minutes or seconds.  2. Noting the Message ID of the flooded status message.  3. Creating a Status Filter Rule for site "004" that instructs Status Manager to discard the flooded status message when component "SMS_WSUS_CONTROL_MANAGER" on computer "SCCM.ad.contoso.gov" reports it.   4. Verifying that your sites' databases were not filled up by the flooded status message.  Del
Information Milestone   004 6/8/2015 4:01:39 AM SCCM.ad.contoso.gov SMS_WSUS_CONTROL_MANAGER    4605    Component Status Summarizer detected that component "SMS_WSUS_CONTROL_MANAGER", running on computer "SCCM.ad.contoso.gov", has reported 5 or more Error status messages during the Component Status Threshold Period.    Possible cause: The count equals or exceeds the Component Status Critical Threshold (5 status messages) for Error status messages for the component.  Solution: Component Status Summarizer will set the component's status to Critical in the Component Status summary in the Configuration Manager Console.

我驗證了 WSUS 角色確實仍然安裝在 SCCM.ad.contoso.gov 上;然而,它似乎並不健康。我無法使用 Windows Server Update Services MMC 管理單元與其連接,並且事件日誌中充滿了可追溯到 6/1 的以下錯誤:

PS C:\Windows\system32> Get-EventLog -LogName Application -Source "Windows Server Update Services" -After $(Date -Month 06 -Day 07)

 Index Time          EntryType   Source                 InstanceID Message
  ----- ----          ---------   ------                 ---------- -------
 267564 Jun 08 04:14  Error       Windows Server Up...        12052 The DSS Authentication Web Service is not working.
 267563 Jun 08 04:14  Error       Windows Server Up...        12042 The SimpleAuth Web Service is not working.
 267562 Jun 08 04:14  Error       Windows Server Up...        12022 The Client Web Service is not working.
 267561 Jun 08 04:14  Error       Windows Server Up...        12032 The Server Synchronization Web Service is not w...
 267560 Jun 08 04:14  Error       Windows Server Up...        12012 The API Remoting Web Service is not working.
 267559 Jun 08 04:14  Error       Windows Server Up...        12002 The Reporting Web Service is not working.
 267558 Jun 08 04:14  Warning     Windows Server Up...        10021 The catalog was last synchronized successfully ...

我驗證了 WsusService 確實在執行,然後檢查了 IIS:

SCCM 應用程序池

嗯。那可能不太好。WsusPool 應用程序池可能應該正在執行…如果我手動啟動 WsusPool,我可以通過瀏覽到http://SCCM.ad.contoso.gov:8530/Selfupdate…連接到 WSUS WebServices,然後在大約 15 分鐘後應用程序池停止。

它還在錯誤的埠(8530/8531)上執行!大約一個月前,在 PFE 的幫助下,我們將此 SUP 配置為可供基於 Internet 的客戶端使用。重新配置的一部分意味著 WSUS Web 服務需要重新定位到 80/443,以便它們可以通過我們的外圍防火牆使用。

我沒有關於我們使用的確切命令的文件,但我有理由確定它是WSUSUtil.exe usecustomwebsite false應該將 WSUS 從其“WSUS 管理”IIS 移回綁定在 *:80 和 * 下的預設網站:443。

再次。不是這種情況:

SCCM IIS 站點

那不好。看起來 WSUS 站點已神奇地遷移回其獨立站點,因為…有趣!如果 SCCM SUP 在 80/443 上尋找 WSUS,但它不再存在,難怪它不起作用。

如果我查看WSUSUtil.exe正在操作的系統資料庫項 ( HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup\PortNumbner),我發現它仍然認為 WSUS 應該在 80 上執行。

也許我只需要跑WsusUtil.exe不止一次來獲得額外的……樂趣嗎?

C:\Program Files\Update Services\Tools>WsusUtil.exe usecustomwebsite false
Using port number: 80

除了… IIS 中沒有任何變化。我要麼不記得我們之前為移動 WSUS IIS 站點所做的步驟,要麼有什麼東西壞了。

我真的有兩個問題:

  • WSUS 網站“WSUS 管理”已返回其安裝配置,作為綁定到 *:8530 和 *:8531 的獨立 IIS 網站,但係統的基礎部分認為它應該在綁定到 * 的“預設網站”下執行:80 和 *:443。
  • WsusPool 應用程序池不斷崩潰或停止阻止我重新配置 SUP 點以在其原始 *:8530 和 *:8531 埠上使用 WSUS。

在這一點上,我有點不知如何繼續解決這個問題。由於明天即將發布 Microsoft 更新,我真的想避免重新安裝 WSUS 角色和/或 SUP。

有關進一步故障排除的任何建議?

jscott的幫助下,我將系統資料庫項HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup與他的基礎設施中的系統資料庫項進行了比較,發現它們不一致。像這樣的值IISTargetWebSiteIndex被設置為“WSUS 管理”IIS 站點的 id,但該PortNumber值設置為 80,它通過 *:80 綁定到Default Web Site.

由於我們在這台伺服器上已經經歷了至少三次重新配置 WSUS 的迭代,因此似乎最好重新安裝角色以確保事情保持一致,儘管仍然損壞。

我終於去了微軟支持那裡,有人親切地指出 WsusPool 應用程序池的私有記憶體使用限制為 18530 KB。我們昨天早上取消了限制,從那以後一切都執行良好。我不確定這個限制是如何設置的,或者它是否是預設的,但對我來說似乎很小。

引用自:https://serverfault.com/questions/697461