Home > Articles > Certification > Microsoft Certification

  • Print
  • + Share This
This chapter is from the book

Troubleshooting the Deployment of Service Packs and Updates

In a perfect world, the tools and methodologies discussed in this chapter are smoothly implemented and always work. Of course, in the real world, things do not always work as expected, and sometimes troubleshooting skills are necessary. Specific errors, issues, and steps to resolve issues are described in the sections that follow.

Troubleshooting SUS

Errors and issues related to SUS are outlined in Table 3.5. The associated cause and a possible resolution are provided for each issue.

Table 3.5 SUS Issues

Error or Issue

Cause

Resolution

Event ID 7024, server- specific error 2147944102. BITs does not start on Windows 2000 Server with Terminal Services (TS). After you install the automatic updates version 2.2 client on a Windows 2000 computer that has TS installed, BITS doesn't start and does not download the job that was passed to the service.

TS is set to start automatically. If this service is disabled, BITS does not start.

Remove the TS, or reset the service so that it starts automatically.

The automatic update client does not seem to have performed a detection cycle.

Unknown.

Force a detection by running gpedit.msc to configure the SUS server location. Configure the intranet Microsoft Update Service Location policy. Set the automatic updates policy to Not Configured. After setting the automatic updates policy to Not Configured, you can turn the service on and off by using the Control Panel. Start the tool in the Control Panel or use the Automatic Updates tab in Windows XP, set the option as desired, clear the Enable Automatic Updates check box, and then click Apply to apply the change. Within a few seconds, click to enable automatic updates and then click OK to force a detection cycle. Verify the changes by checking the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\
WindowsUPdate\Autoupdate.Verify that the AUState value is 2; check the DetectionStartTime value, which should be approximately the time of the last used automatic updates. The value is deleted after the detection cycle occurs (5 to 10 minutes). Finally, view the logfile for entries.

The automatic updates does not detect approved updates from SUS.

The client is unable to resolve the name of the server and/or the client does not receive policy settings.

First, look for an entry like client 2002/05/02 17:38:42:22:38l.42 Success IUENGINE Querying Software UpdateCatalog from http://servername/autoupdate/getmanifest.asp in the %SYSTEMROOT%windows Update.log file.The date in this entry should be after the most recent update time. If it is not, update detection has not occurred. You can force detection by stopping the automatic update service and editing the registry key HKLM\Software\Microsoft\Windows\CurrentVersion
\WindowsUPdate\Autoupdate.Then, you delete the LastWaitTimeout value and restart the service. After you do this, you should look for error codes in the Windows Update logfile.

Miscellaneous error codes are found in the update log file.These are codes generated when the client is trying to read the update information on the SUS server.

These may be due to various problems o n the Web server side, and the error codes may lead you to a solution.

If a hexadecimal error code begins with 0x8019, convert the last three digits to decimal to get the HTTP status code. For example, 0x80190194 is status code 404.

The client is not getting updates, and the client was configured through manual editing of the registry.

Entries may not be in the correct place in the registry.

Use gpedit.msc to configure the client to make sure that registry entries are created in the correct location. In gpedit, under Computer Configuration, Administrative Template, select Action, Add/Remove Template. Click add and add the wuau.adm file. Then expand the Windows Components, Windows Update portion of Computer Configuration, Administrative Templates and configure the Windows Update policy.

The client was configured using group policy, but does not detect updates.

The computer may not be getting the group policy.

Use the gpresult tool from theWindows 2000 Resource Kit to determine whether the client computer is receiving the policy settings.

An error occurs when you attempt to load wuau.adm with poledit in WindowsNT 4.0: The error is ."unexpected keyword; found garbled characters: the file cannot be loaded."

wuau.adm uses Unicode, but Windows NT 4.0 does not.

Open the wuau.adm file in Notepad and chose File, Save As. Then, disable the Save As Unicode check box

Error 0x801900194 is logged in the Windows Update logfile when the client queries autoupdatedrivers/getmanifest.asp.

This is an expected error that does not indicate a problem. The client is checking for driver updates, and SUS can't synchronize them. (This is actually a 404, "file not found," error.)

You are setting up SSL for accessing the IIS, and the IIS on the SUS server does not display the Content\EULA folder.

The Content\EULA folder does not appear until SUS has performed at least one successful synchronization.

Log on locally and manually synchronize the SUS server. Then set up SSL for remote administration.

The client cannot detect updates.

The client uses port 80 to detect updates. If the root of the Web site, the /content virtual root, or the /selfupdate virtual root is configured to use SSL, automatic update clients cannot detect updates.

Remove the SSL requirement from these folders.

SUS setup does not finish.

Many possibilities exist: The administrator is not logged on; SUS was installed through group policy with user settings; Internet Explorer5.5 is not detected; an NTFS partition is not detected; Service Pack 2 or 3 is not detected; or there was an attempt to install SUS on a non-NTFS drive.

Modify the system to correct these errors. You might also need to turn off services that aren't required, such as antivirus software. Also, you should check the Event Viewer for messages. You need to be sure to upgrade to Windows Installer version 2.0 and turn on the Windows Installer logger. (More information can be found in knowledge base article 223300.)


Troubleshooting hfnetchk

As you learned earlier in this chapter, hfnetchk is a command-line hotfix assessment tool that you can use to determine the hotfix status of multiple Windows operating systems and products. hfnetchk reports the service pack status of the computer as well. It does not download patches nor provide any way to update systems.

The most common problem experienced when using hfnetchk is typos. When you're troubleshooting problems with hfnetchk, the first thing to check is the accuracy of the entered command line. Other common problems include the following:

  • False positives—These problems occur when hfnetchk reports the need to apply a fix that is already applied. These reports should be considered suspect because there are a number of known issues where it is difficult for hfnetchk to determine whether a fix has been applied. These issues are documented in the notes. The report refers to a knowledge base article or to other information that either details how to determine whether the hotfix has been applied or why it might not be possible to determine. Known issues include MS01-022 and MS98-001.

  • hfnetchk displaying a message that the checksum is invalid and the file version is equal to or less than what is expected—If you have this problem, most likely the file is old and the patch has not been installed.

  • hfnetchk displaying a message that the checksum is invalid and the file version is greater than expected—If you have this problem, most likely you have installed a nonsecurity-related patch that just happens to install a file that is also in the hotfix. You might be protected from the vulnerability because the later version of the file might also include the fix.

  • After you install required patches, checksums still noted as bad—Another patch can sometimes install an even newer version of the file replaced by a hotfix. You should check file versions against those in knowledge base articles to verify that the correct files are present. You can use sigverif.exe (a Windows 2000 command-line tool) to verify that the Microsoft signature is on system files. This eliminates the possibility that a Trojan Horse version of the file was installed on the system.

  • Inability to read the XML file—The computer may not be able to access the XML file from the Microsoft site or cannot locate the one listed by using the –x switch. In this case, you need to verify the Internet connection or verify the alternate location and its accessibility. You can test to see that the local network or local copy of the file is not corrupt by attempting to open it in your browser. A good file will be readable in the browser.

Troubleshooting MBSA

The use of MBSA is straightforward and usually does not generate many errors. However, even though mistakes can occur with proper use, requirements and common problems in MBSA's configuration are detailed in the documentation that is downloaded with the tool. Administrators and users often choose to ignore these items, and therefore errors occur. Common errors or omissions and their resolution are detailed in Table 3.6.

Table 3.6 Common MBSA Problems and Solutions

Error or Problem

Cause

Solution

Unable to determine the computer file system type in Windows NT.

A registry check cannot verify that drives are hard disks. There may be a missing registry key in Windows NT.

There is currently no solution to this problem .

Different results occur between MBSA and Windows Update.

Windows Update carries critical updates only for Windows operating systems. MBSA security updates are missing for Windows and other applications, such as SQL Server. MBSA always looks for the latest hotfix. Windows Update may not because its scope is different.

There is currently no solution to this problem. Microsoft indicates that it is working to make scans consistent between products.

Can't install on Windows NT.

MBSA is not designed to be installed on Windows NT. MBSA can scan Windows NT from the Windows 2000 installation; it just cannot run on Windows NT.

Install MBSA on Windows 2000.

Can't find systems on the network

The DNS server is unreachable.

Make sure DNS services are.running and reachable.

MBSA cannot read or locate the XML file.

Another application may have unregistered the XML parser.

Reregister the parser by using regsvr32 mscml.dll.


Troubleshooting Installation Problems

Problems can occur when you attempt to add service packs and/or hotfixes during installation. Table 3.7 lists known problems and their resolution.

Table 3.7 MBSA Installation Problems

Product and Problem

Cause

Solution

RIS client cannot join the domain.

A prestaged computer account is disabled in Active Directory.

Enable (or reset) the account.

A stop 0x0000006b error is received, or setup stops when installing a Windows XP Service Pack 1 client via RIS.

NT LAN Manager (NTLM) version 2 is used during the client-logon phase of RIS installation of Windows XP Service Pack 1 and later. The problem is with SMB signing not always occurring

Obtain a fix from Microsoft.

Using RIS, you get an error message saying that you have entered an invalid password and that you continue the installation and attempt to join the domain later.

You might have this problem during a RIS installation including Windows 2000 Service Pack 2. This is a problem with Kerberos, which substituted the computer name for the username that is necessary to join a domain.

As a workaround, you can shut off the computer if you have this problem. You can then restart the computer, and Setup will restart and successfully complete. To solve this problem, you must obtain a fix from Microsoft and change RIS to install Service Pack 3.

You get Error 86, "The Windows to complete andis not correct," when attempting to map a drive using net use during an unattended installation of Service Pack 2.

The unattended installation is slipstreamed. Or The net use command is run directly from the cmdlines.txt file as net use [driveletter:] [\\computername\sharename\][password] [/user:[domainname\username] In this case, domainname is the name of the domain the computer is a member of.

Allow the GUI portion of Windows to complete and then reboot the computer. The installation will continute Or Use a nonexistent domain name.

You cannot use a combination installation of Windows 2000, Service Pack 2, and post-Service Pack 2 hotfixes form a network share.

Hotfixes already included in Service Pack 2 are inadvertently added to the share. Service Pack 2 fixes (that is, post–Service Pack 1 fixes) have an sp2.cat file that contains the necessary signatures to allow Windows file protection to properly function. If the fix is slipstreamed into the share point, the new sp2.cat file overwrites the old and breaks Windows file protection.

You should slipstream only Windows Service Pack 3 and later fixes into a combination (Service Pack 2, Windows 2000, and hotfix) installation share.

You get the message "The BINL service cannot locate a flat image with a version of the riprep image" or the message "Missing CD image."

This might occur when you're using RIS to install Windows 2000 Professional from an image created with riprep.exe or when attempting to create the riprep image. If a riprep image is used, a RIS server must find a CD-ROM-based image that matches the riprep image that is selected from the Client Installation Wizard. When no CD-ROM-based image is available, installaiton fails. The error also occurs when you run riprep.exe on a computer that has a hotfix that updates ntoskrnl.exe or you attempt to run riprep.exe on a computer that has a service pack installed but no image with the same service pack exists on the computer.

Make sure the proper CD-ROM–based images are available.

Hotfixes in the [SetupHotfixesToRun] section of the svcpack.inf file are not installed.

This technique does not work until Service Pack 2.

Update installation to include a more current service pack.

During an attempt to slipstream a Windows 2000 service pack into a CD-ROM–based image on a the RIS server using the update –s switch, the following error occurs, "An error has occurred copying files from the of service pack share to the the distribution folder."

The slipstream switch for update.exe does not support slipstreaming to a CD-ROM–based RIS image.

Use risetup.exe to create the CD-ROM–based RIS image that has a slipstreamed service pack. You can create slipstreamed installation folder on another server, share the folder, and then use risetup.exe. When you're prompted for the location the files, type the path to share.

RIS clients stop responding at the Setup Is Starting Windows 2000 screen.

If a slipstreamed CD-ROM–based image is attempted, the error "An error has occurred copying files from the service pack share to the distribution folder" occurs. The slipstream switch does not support this.

Use risetup.exe to create the CD-ROM–based RIS image that has a slipstreamed service pack. You can create the slipstreamed installation folder on another server, share the folder, and then use risetup.exe. When you're prompted for the location of the files, type the path to the share.


Troubleshooting qchain

qchain works to ensure that hotfixes are installed in the proper order for Windows NT and to ensure that hotfixes chained without a reboot do not install the wrong updated version of a file. However, qchain may not work correctly if hotfixes contain binary files, as listed in the HKLM\System\CurrentControlSet\Control\Session Manager\KnownDLLs registry key. The reason appears to be the code used to identify the version of these files. Post–Service Pack 2 hotfixes have been corrected to identify correct file versions and eliminate this problem.

Troubleshooting Windows Update

Errors can occur during use or attempted use of the Windows Update site. Table 3.8 enumerates the error conditions and explains possible causes and solutions. Many of these errors and problems are caused by failed installations or damaged scripting engines. Thus, removing and then reinstalling the Windows Update script engine often resolves Windows Update problems.

Table 3.8 Problems with Windows Update

Error or Problem

Cause

Solution

You are prompted to install the March 4 security update, even though you have already done so or have installed Service Pack 3 for Windows 2000 (which includes the update).

The Java Runtime Environment (JRE) from Sun Microsystems is installed. This sets the HKEY_LOCAL_machine\ Software\Microsoft\ Active Setup\Components\{08b0e5co-4fcb-11cf-aaa5-00401c608500} key to 3802, which triggers the prompt.

If Windows 2000 (Service Pack 3) or Windows XP Service Pack 1 and Microsoft Virtual Machine 5.00.3805 are installed, this may not apply. Removing the JRE does not change the key. You need to reinstall the update to update the registry value to 3805.

The error "JavaScript:void(0)" The scripting engine is appears in the Internet Explorer status bar, and no downloadable file is received.

The scripting engineis damaged

Download and install a new engine.

The Download button appears dimmed after components are chosen.

The Internet Explorer cache/history needs to be cleared or the control is damaged.

Clear the Internet Explorer cache and history, remove Windows Update controls, and install a new Windows script.

The Download button does not work.

There's a problem with the Visual Basic scripting engine.

Clear the Internet Explorer cache, install a new script engine, and disable antivirus software or Internet filter software.

You get Error 403, "Access denied/forbidden."

There may be interference from ATGuard personal firewall or other security, Ad removal, download assistant, or Web accelerator software. The Windows update control may be damaged or missing. The host file may be damaged or contains incorrect information. There may be missing or damaged Internet Explorer files.

Remove suspect software and try using Windows Update again. If it still does not work, remove Windows Update controls and install a new scripting engine.

The WINUP-Blank Page is displayed. You might get the message "Done, but with errors on page" in the Internet Explorer status bar.

The Visual Basic Scripting support (VBScript) component failed to install properly or became corrupted after installation.

Remove the Windows Update controls and then reinstall them.

You are accessing through a proxy server or firewall and receive one of the following messages: "Cannot display page" or "Download and installation failed." The site hangs on the "Please Wait" window as it starts to initialize the product catalog.

Possible software incompatibility could involve WinProxy by Otis Software, WinGate by Deerfield.com, or Internet Gate from MaccaSoft. Possible caching of the Windows Update page might interfere with installation and initialization; port 80 or 443 may be disabled (both of these are used by Windows Update); and client machines may not be configured to allow active scripting or download and initialization of ActiveX controls.

Clear the proxy cache and configure it to exclude the Windows Update site; enable ports 80 and 443; set Internet Explorer security on the client to Medium or lower, with Active Scripting enabled and allowing download and initialization of ActiveX controls.

You get an error about installing a dependency.

The software control did not download or install properly.

Uninstall the control and then reinstall it.

An unknown error occurs.

The software control did not download or install properly.

Uninstall the control and then reinstall it.

You chose not to download the software controls or there was a problem with downloading the controls, and much of the Windows Update site is unavailable to you. If you would like to download the controls, you need to click Try Again.

The software control did not download or install properly.

Uninstall the control and then reinstall it.

You get the error "Your Internet Explorer security settings are set too High. In order to use the Windows Update site, you need to set your security settings at Medium."

Windows Update requires Medium to Low security

Set Internet Explorer security settings to Medium.settings.

You get the error "Internet Explorer cannot open the Internet site address. A connection to the server cannot be established."

TCP/IP connectivity problems are occurring.

Troubleshoot TCP/IP connectivity.

The computer stops responding (hangs) when you attempt to download a file from the Windows Update site.

A script may be corrupt.

Install a new Windows Update script.

You encounter an error when loading the script (that is, when downloading critical update).

The Windows script is damaged.

Reinstall or remove and install the script.

You receive an "unknown error (-2147024770)" message when trying to install a Windows update.

Internet Explorer is corrupt or some system files are not registered correctly.

Repair the Internet Explorer installation by using Control Panel, Add/Remove Programs.If the Add/Remove Programs applet does not display Internet Explorer 5.5, use the command rundll32 setupwbv.dll,ie5maintenance.


Alert

The first problem in Table 3.8 is an interesting one. Not only does it reveal an interesting application conflict, which may result in an unnecessary warning, but the problem can actually prevent another advisory from occurring. Thus, it may mask a potential security vulnerability. The issue occurs because a third-party product modifies the registry key that is used by hfnetchk and the Windows Update site to determine whether a patch has been added. This results in a warning even if the patch has been installed. It also prevents a warning on another update (which requires the first to be installed). Fixing the first problem allows the Windows Update site or hfnetchk to give the correct warning if it affects the system. The two security bulletins to examine are MS02-013 and MS02-052. More information can be found in knowledge base article 329077.

TIP

You should use security zones to avoid the problem created when you lock down Internet Explorer and then try to use Windows Update. Windows Update requires that active scripting be enabled and the client be set to allow the download and initialization of ActiveX controls. You can put the Windows Update site address in the Trusted Sites zone and allow those activities there. You can then restrict them in the other security zones.

  • + Share This
  • 🔖 Save To Your Account