J
JustUnplugIt
Hello,
Having problems with updates on one 2012R2 server acting as a branch office DC. I'll try to give the 10k ft. view and then get into a little detail:
Discovered this DC (among others) was having replication issues due to something that happened when introducing a new 2016 DC into the network core (Default-First-Site). Due to a system time inconsistency, a few existing DCs saw the new DC with an incorrect system time and decided to immediately tombstone replication (all within a 48 hour period). This issue has been resolved by using the 'Allow replication with divergent and corrupt partner' registry flag.
The DC in question also had the additional problem of a MismatchedJournalID on SYSVOL, preventing updates to SYSVOL share. This has been corrected using the 'blur flags' registry flag.
The DC in question functions on the network as a DC perfectly fine, serving DHCP, DNS, Login queries without issue.
Now the detail:
The same DC in question has one (or possibly several) problem(s) with Windows Updates. This is manifesting as an inability to remote desktop to the OS. I have to use the virtual console to log into the server. I receive a very basic error 'An Authentication error has occurred. The function requested is not supported. Remote Computer: <Sterilized SERVERNAME>'
This leads me to believe the update having to do with the CredSSP encryption is missing; so I begin to investigate the automatic updates.
I find that update KB2919355 has been installed every evening for about a year and a half, sometimes reporting as 'Succeeded' and sometimes reporting as 'Failed'. When it fails it has a failure code of 8024613.
In researching this, I cannot find other instances of this update behaving this way, multiple offers even after succeeding. Although I've seen a general article about this behavior with updates from the days of Windows 7 which did not provide any helpful information.
Also when researching this update, I find that the update proper (KB2919355) is almost a 700MB update whereas the update which has been installed repeatedly on the server was only 37KB in size. I'm guessing that the 37KB item is the 'ClearCompressionFlags.exe' prerequisite to the actual KB update. Funny thing is I can't install any update at this point, every update I try to install, manually or otherwise returns the message: 'This Update is not applicable to your computer'.
I've manually verified (by reviewing the installed update history) that none of these updates (2919355, it's prerequisites or subsequent required updates) have been installed on this system and the option that I'm supposed to find in local security policy to work-around the CredSSP remote desktop failure does not exist in this server; so I can positively verify that these updates are not installed.
The Windows Update Logfile reports successfully identifying, downloading and installing the update 2919355. It does not, however, report successful installation back to WSUS, so WSUS still thinks it needs this update, even though it's been installed over 400 times (over 50% of which reported success). WSUS believes this is the only update missing from this server, reports 99% overall installation and only the 1 update missing.
I've tried manually installing all relevant updates (pre-req, 2919355 and subsequent required KBs) all of which fail as not applicable. Tried disabling the Antivirus service (which has never in 15 years given me a problem with Windows Updates) and all logs report success; however I can't get past this one update on this one server.
I'm stumped, hoping someone can provide some insight.
TIA,
The solution is always the last thing you look at... -M
Continue reading...
Having problems with updates on one 2012R2 server acting as a branch office DC. I'll try to give the 10k ft. view and then get into a little detail:
Discovered this DC (among others) was having replication issues due to something that happened when introducing a new 2016 DC into the network core (Default-First-Site). Due to a system time inconsistency, a few existing DCs saw the new DC with an incorrect system time and decided to immediately tombstone replication (all within a 48 hour period). This issue has been resolved by using the 'Allow replication with divergent and corrupt partner' registry flag.
The DC in question also had the additional problem of a MismatchedJournalID on SYSVOL, preventing updates to SYSVOL share. This has been corrected using the 'blur flags' registry flag.
The DC in question functions on the network as a DC perfectly fine, serving DHCP, DNS, Login queries without issue.
Now the detail:
The same DC in question has one (or possibly several) problem(s) with Windows Updates. This is manifesting as an inability to remote desktop to the OS. I have to use the virtual console to log into the server. I receive a very basic error 'An Authentication error has occurred. The function requested is not supported. Remote Computer: <Sterilized SERVERNAME>'
This leads me to believe the update having to do with the CredSSP encryption is missing; so I begin to investigate the automatic updates.
I find that update KB2919355 has been installed every evening for about a year and a half, sometimes reporting as 'Succeeded' and sometimes reporting as 'Failed'. When it fails it has a failure code of 8024613.
In researching this, I cannot find other instances of this update behaving this way, multiple offers even after succeeding. Although I've seen a general article about this behavior with updates from the days of Windows 7 which did not provide any helpful information.
Also when researching this update, I find that the update proper (KB2919355) is almost a 700MB update whereas the update which has been installed repeatedly on the server was only 37KB in size. I'm guessing that the 37KB item is the 'ClearCompressionFlags.exe' prerequisite to the actual KB update. Funny thing is I can't install any update at this point, every update I try to install, manually or otherwise returns the message: 'This Update is not applicable to your computer'.
I've manually verified (by reviewing the installed update history) that none of these updates (2919355, it's prerequisites or subsequent required updates) have been installed on this system and the option that I'm supposed to find in local security policy to work-around the CredSSP remote desktop failure does not exist in this server; so I can positively verify that these updates are not installed.
The Windows Update Logfile reports successfully identifying, downloading and installing the update 2919355. It does not, however, report successful installation back to WSUS, so WSUS still thinks it needs this update, even though it's been installed over 400 times (over 50% of which reported success). WSUS believes this is the only update missing from this server, reports 99% overall installation and only the 1 update missing.
I've tried manually installing all relevant updates (pre-req, 2919355 and subsequent required KBs) all of which fail as not applicable. Tried disabling the Antivirus service (which has never in 15 years given me a problem with Windows Updates) and all logs report success; however I can't get past this one update on this one server.
I'm stumped, hoping someone can provide some insight.
TIA,
The solution is always the last thing you look at... -M
Continue reading...