Unable to expand message: SQL Server is unable to collect events due to insufficient permissions

I just noticed a Warning Alert in MOM Operator Console and it says:


DESCRIPTION


Unable to expand message 17055 [-1073724769] 18265 Log backed up: Database: SADAD_AX30_SP3_Live, creation date(time): 2005/02/01(12:50:12), first LSN: 3655:705:1, last LSN: 3655:765:1, number of dump devices: 1, device information: (FILE=1, TYPE=DISK: {‘E:\SQL2000\MSSQL\…\….200604301345.TRN’}). Name: SQL Server is unable to collect events due to insufficient permissions 


and as the rule says ‘SQL Server is unable to collect events due to insufficient permissions’ (Microsoft SQL Server\SQL Server 2000\SQL Server 2000 Event Collection).


CAUSE


Then I started to trace the reason for this event, and it was due to a change in the MOM Service Account. Previously, the MOM service was running under the NT AUTHORITY\SYSTEM (aka Local System account) context, and it has all the required permissions on the SQL installation (MSSQL directory). When I changed this to MOM ACTION ACCOUNT using ‘Update Agent Settings’ in the administrator console, it started to run under the NT AUTHORITY\NetworkService context, with these warning alerts.


WORKAROUND


I found that NT AUTHORITY\NetworkService does not have enough permissions on the SQL installation (MSSQL directory). So, to troubleshoot this error, I granted NT AUTHORITY\NetworkService the Read & Execute permission on the SQL installation directories (MSSQL directory – %programfiles%\Microsoft SQL Server\). Problem solved!

WSUS and OWA

Are there any known issues if WSUS is installed on OWA Server?


Personally, I wouldn’t install WSUS on OWA or any Exchange Server. But it is a totally supported configuration. Note that WSUS will be installed on a new site, the “WSUS Administration” site, on TCP port 8530 and SSL port 8531.


By default, OWA is installed on the Default Web Site (TCP port 80 and SSL port 443), which can use Secure Sockets Layer (SSL) encryption to secure access to OWA. When SSL is enabled on the Exchange Server virtual directory, the URL used to access OWA changes from HTTP:// to HTTPS://


In that case, ClientWebService & Selfupdate virtual directories which are in Default Web Site have to be excluded from SSL encryption or else Selfupdate will not work.

Delete Older Not Reported Stale Computers

Is it possible to configure WSUS to delete older computers which are not reported in WSUS for quite a time?


To clean up the old computer objects, use CleanStaleComputers from Windows Server Update Services API Samples and Tools.


CleanStaleComputers: This sample application removes computers from the Update Services server that have not contacted the server in a specified number of days.


USAGE:


CLEANSTALECOMPUTERS /DAYS:[1-365] /DELETE:{YES | NO} /PROMPT:{YES | NO}


/DAYS. Days since the computer contacted the server
/DELETE. Delete from the Update Services server or move to the Stale computers group
/PROMPT. Prompt before moving/deleting computers


WSUS Product Team has heard this request and the capability to clean old stale computers is under consideration for the next version along with the ability to clean up old/superseded updates from the tool. 


MORE INFORMATION


Windows Server Update Services API Samples and Tools
http://download.microsoft.com/download/8/d/0/8d068114-bd66-4fde-a04c-aeaa9d1fe640/Update%20Services%20API%20Samples%20and%20Tools.EXE


What can you expect in WSUS 3.0?
http://msmvps.com/blogs/athif/archive/2006/04/12/What_can_you_expect_in_WSUS_3_0.aspx

Reporter failed to upload events with hr = 80244008

You see the following warning in WindowsUpdate.log – Reporter failed to upload events with hr = 80244008.


2006-04-25 14:02:20  928 e74 PT WARNING: GetConfig failure, error = 0x80244008, soap client error = 8, soap error code = 0, HTTP status code = 200
2006-04-25 14:02:20  928 e74 Report WARNING: Reporter failed to upload events with hr = 80244008.
2006-04-25 14:04:28  908  b0 PT WARNING: GetConfig failure, error = 0x80244008, soap client error = 8, soap error code = 0, HTTP status code = 200
2006-04-25 14:04:28  908  b0 Report WARNING: Reporter failed to upload events with hr = 80244008.
2006-04-25 14:04:28  908  b0 PT WARNING: GetConfig failure, error = 0x80244008, soap client error = 8, soap error code = 0, HTTP status code = 200
2006-04-25 14:04:28  908  b0 Report WARNING: Reporter failed to upload events with hr = 80244008.


This happens when the tbEventInstance table exceeds 1 million events, which then blocks the client computers from reporting back to the WSUS server. In this case, you might want to reconsider the WUA detection cycle (I have seen the same symptoms where the detection cycle was set to every 1-3 hours) and delete all the current events from the tbEventInstance table.


Try the hot fix and workaround mentioned in the article http://support.microsoft.com/default.aspx?scid=kb;en-us;909131
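To see how widespread the symptom is before touching the database, the WindowsUpdate.log entries can be tallied per component. The following is an added example, not part of the original post: the function names are hypothetical, the sample reuses four entries from the excerpt above plus one constructed benign entry, and the parser re-attaches a status code that has wrapped onto its own line.

```python
import re
from collections import Counter

# Four entries from the post's excerpt plus one constructed benign entry.
SAMPLE_LOG = """\
2006-04-25 14:02:20  928 e74 PT WARNING: GetConfig failure, error = 0x80244008, soap client error = 8, soap error code = 0, HTTP status code =
200
2006-04-25 14:02:20  928 e74 Report WARNING: Reporter failed to upload events with hr = 80244008.
2006-04-25 14:04:28  908  b0 PT WARNING: GetConfig failure, error = 0x80244008, soap client error = 8, soap error code = 0, HTTP status code =
200
2006-04-25 14:04:28  908  b0 Report WARNING: Reporter failed to upload events with hr = 80244008.
2006-04-25 14:05:01  908  b0 Agent * constructed benign entry, no error code
"""

ENTRY = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<pid>\d+)\s+"
                   r"(?P<tid>[0-9a-fA-F]+)\s+(?P<component>\S+)\s+(?P<text>.*)$")
HTTP_STATUS = re.compile(r"HTTP status code\s*=\s*(\d+)")

def join_wrapped(lines):
    """Re-attach continuation lines (no leading timestamp) to the entry above."""
    entries = []
    for line in filter(None, (l.strip() for l in lines)):
        if ENTRY.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def reporting_failures(log_text, hresult="80244008"):
    """Return entries mentioning the HRESULT, written with or without 0x."""
    hits = []
    for entry in join_wrapped(log_text.splitlines()):
        m = ENTRY.match(entry)
        if not m or hresult.lower() not in m["text"].lower():
            continue
        status = HTTP_STATUS.search(m["text"])
        hits.append({"ts": m["ts"], "component": m["component"],
                     "http_status": int(status.group(1)) if status else None})
    return hits

def summarize(hits):
    """Count failures per component and collect the HTTP statuses seen."""
    return {"total": len(hits),
            "by_component": Counter(h["component"] for h in hits),
            "http_statuses": {h["http_status"] for h in hits} - {None}}

if __name__ == "__main__":
    print(summarize(reporting_failures(SAMPLE_LOG)))
```

An HTTP status of 200 alongside the SOAP client error shows the server did answer the request, which fits the server-side cause described above.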

WSUS and Windows Defender Updates

WSUS is not downloading Windows Defender Updates. Why?

Windows Defender updates are classified as “Definition Updates” (the updates are titled “Definition Update 1.14.XXXX.X for BETA Windows Defender”). Open WSUSAdmin Console – Click on Options – Click on Synchronization Options – Click on Products and Classifications – You need to select “Windows Defender” under “Products Category” and “Definition Updates” under “Update Classifications” – Click OK and save settings.


WUA is not detecting Windows Defender Updates. Why?


Once the WD updates are synchronized on WSUS, you need to approve Definition Updates for Detection. Open WSUSAdmin Console – Click on Options – Click on Automatic Approval Options – Click on Approve for Detection – Click on Add/Remove Classifications – Select Definition Updates – Click OK and save the settings.


Similarly, you can automatically approve for installation.


NOTE:


Windows Defender (Currently Beta2) must be installed on the client for which you are approving Definition Updates. Windows Defender is currently available to a limited group of Beta testers. For more information about Windows Defender and Microsoft’s stance on spyware see:
http://www.microsoft.com/athome/security/spyware/default.mspx


DnldMgr   * Updates to download = 1
Agent   *   Title = Definition Update 1.14.1288.5 for BETA Windows Defender (KB915597)


MORE INFORMATION


Windows Defender Team Blog
http://blogs.technet.com/antimalware/archive/2005/11/04/413700.aspx


New updates available for beta2 Windows Defender today
http://blogs.technet.com/wsus/archive/2006/02/13/New_updates.aspx


New Product Category & Classification for Windows Defender
http://blogs.technet.com/wsus/archive/2006/01/16/417545.aspx

WSUS and Malicious Software Removal Tool (MSRT)

WSUS is not downloading Malicious Software Removal Tool (MSRT). Why?


The Malicious Software Removal Tool is in the Update Rollup category. Make sure you have selected Update Rollups to synchronize with MU. The Update Rollups classification is not selected by default; you must select “Update Rollups” under “Update classifications” to synchronize with MU.


When you select “Update Rollups” under “Update classifications”, you might notice that other roll-up packages (like Update Rollup for Windows XP, etc.) appear in the WSUSAdmin console. Note that only the metadata for those rollups will be downloaded; the update files will not be downloaded unless you approve them for “Install”.


How do I verify whether the MSRT removal tool has run on a client computer?

You can examine the value data of the following registry entry to verify that the tool has run.


Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT
Entry name: Version <GUID> (d0f3ea76-76c8-4287-8cdf-bdfee5e446ec)


Every time the tool is run, independent of the results of the execution, the tool records a GUID in the registry to indicate that it has been executed. You can find the list of version GUIDs at http://support.microsoft.com/?kbid=891716&SD=tech#E2ACAAA

WSUS Replica Down Stream Server (DSS) – Issues and FAQ

How do I change a WSUS Replica Server into the Master Server (USS)?


You will need to uninstall WSUS including the WSUS database (but you can let the “Downloaded update files” continue to be installed so that you don’t have to re-download all the content again), and then install WSUS again.


Is it possible to set the locale of the replica server to be different from the parent server?


Unfortunately, this scenario is not possible with WSUS 2.0. The configuration of the replica child server is always exactly the same as the replica parent – same language settings, same filter settings for Products and Update Classifications. All configuration of a replica server is performed at the master server only.


Is it possible to set the Replica server to download the content from Microsoft?


NO, WSUS Replica Server can only download the content from WSUS Master Server (USS). This is something WSUS Team is looking into for the next release however. For more information on future release take a look at – What can you expect in WSUS 3.0?


How do I create Target Groups on Replica Server?


If a downstream child server needs additional target groups unique to it, those will have to be created on the upstream server only and that will be replicated to the DSS.


How do I see a report of machines configured to use Replica Server?


You have to connect to each replica server to see a report of machines configured to use that Replica Server. WUA can only report to the WSUS server it is configured to get the updates from, and it will only be visible at that WSUS server. Microsoft has published a WSUS Reporting Rollup Sample Tool to demonstrate centralized monitoring and reporting for WSUS. The tool rolls up update and computer status from all the WUS servers in your WSUS implementation in a single report. More information on http://www.wsuswiki.com/WsusRollupToolSample.

WSUS Replica Server failed to approve some updates. Why?

ApplicationException: Failed to approve some updates ---> System.Data.SqlClient.SqlException: Timeout expired.  The timeout period elapsed prior to completion of the operation or the server is not responding.
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.CatalogSyncThreadProcessReal(Boolean allowRedirect)

For WSUS database timeout errors, create extra indexes for the WSUS database to improve performance. More information on Timeout Approving Updates in WSUS/ Approving updates takes long time in WSUS.

WSUS Replica Server Failed to approve some expired updates on WSUS Replica Server (DSS)

ApplicationException: Failed to approve some updates ---> System.Data.SqlClient.SqlException: Explicit deployments to updates that are expired are not allowed.
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.CatalogSyncThreadProcessReal(Boolean allowRedirect)

Expired Updates cannot be synchronized to DSS. More information on http://msmvps.com/blogs/athif/archive/2006/05/13/94665.aspx

Note:

In this blog entry, WSUS Replica Server / WSUS Child Server means WSUS Down Stream Server (DSS) and WSUS Master Server means WSUS Upstream Server (USS).

Create a Task to Display Service Packs & Hotfixes in MOM Operator Console

Justin Harter, MOM MVP, has an excellent write-up on how to “Create a Task to Display Service Packs & Hotfixes” for a selected MOM agent in the MOM Operator Console, which can be downloaded from MOM GUIDES on MOMresources.com.


The task is created with a simple one-line WMIC command:


wmic /node:$Computer Name$ qfe GET description,hotfixid,installedby,installedon,servicepackineffect


But there is a known issue if $Computer Name$ contains special characters like ‘-‘ or ‘/’. For instance, if your $Computer Name$ = RIYADH-DC-01, then you will see an ‘Invalid Global Switch’ message in the output window when you run this task.


To run this task successfully, you might want to edit the Task Command line as follows:


wmic /node:'$Computer Name$' qfe GET description,hotfixid,installedby,installedon,servicepackineffect


Note the single quotes ('') around $Computer Name$.


PREVIOUS COMMAND:


wmic /node:$Computer Name$ qfe GET description,hotfixid,installedby,installedon,servicepackineffect


NEW COMMAND:


wmic /node:'$Computer Name$' qfe GET description,hotfixid,installedby,installedon,servicepackineffect


Justin, if you are reading this blog entry then kindly edit it in your PDF file. Once again thanks for the documentation :-)


If you are looking for some .vbs script to query / enumerate installed hotfixes, then check out http://msmvps.com/blogs/athif/archive/2005/11/20/76035.aspx

WSUS and SQL Server 2005

Is WSUS compatible with SQL Server 2005?


SQL 2005 (any edition) is not a supported environment for WSUS 2.0. Officially WSUS is not supported on SQL Server 2005 by Microsoft, at this time.


However, I have seen some folks in the community successfully installing WSUS 2.0 on SQL Server 2005. It’s an “unsupported” configuration at this time. It is recommended to install WSUS on SQL 2000 instead of SQL 2005.