출처 : http://technet.microsoft.com/en-us/library/cc708554.aspx
WSUS uses IIS to automatically update most computers to the WSUS-compatible Automatic Updates (WSUS client). This process is called client self-update. To accomplish client self-update, WSUS Setup creates a virtual directory under the WSUS Web site named Selfupdate. This virtual directory holds the WSUS-compatible Automatic Updates. This is called the selfupdate tree.
Using Group Policy to point client computers to your WSUS server should eventually cause an Automatic Updates detection and client self-update. For more information about this process, see Deploying Microsoft Windows Server Update Services.
Troubleshooting client self-update issues
If the client self-update does not work automatically, use the following suggestions to troubleshoot the problem.
How to differentiate between the SUS client and WSUS client
Use the Automatic Updates user interface (UI) to differentiate between the SUS and WSUS clients. The following illustrations show the user interface of the SUS and WSUS clients.
Verify that the client software in your organization can self-update
Some computers might already have the WSUS client installed. Other computers might have a version of Automatic Updates that is incapable of performing self-update. For more information see Deploying Microsoft Windows Server Update Services. If the clients in your organization are capable of and require self-update, but are still not self-updating, see the next section.
Verify that the SUS clients are pointed to the WSUS server
If you have the WSUS client installed but the client computer is pointed to a SUS server, Automatic Updates falls into legacy mode and the client computer uses the SUS client user interface. In this case you need to redirect the computer away from the SUS server to get the WSUS client to function. When you point Automatic Updates away from the SUS server, it automatically comes out of legacy mode and the new client user interface appears.
If your client computers are pointed to the WSUS server and you do not see the WSUS client user interface shown above, see the next section.
Check for the selfupdate tree on the WSUS server
WSUS uses IIS to automatically update most client computers to the WSUS-compatible Automatic Updates. To accomplish this, WSUS Setup creates a virtual directory named Selfupdate, under the Web site running on port 80 of the computer where you install WSUS. This virtual directory, called the self-update tree, holds the latest WSUS client. For this reason, you must have a Web site running on port 80, even if you put the WSUS Web site on a custom port. The Web site on port 80 does not have to be dedicated to WSUS. In fact, WSUS only uses the site on port 80 to host the self-update tree.
To ensure that the self-update tree is working properly-
Confirm that there is a Web site set up on port 80 of the WSUS server.
-
Type the following at the command prompt of the WSUS server:
cscript WSUSInstallationDrive:\program files\microsoft windows server update services\setup\InstallSelfupdateOnPort80.vbs
-
If you have WSUS client self-update running on port 80 of the WSUS server, see the next section.
Check IIS logs on the WSUS Server
Check the IIS logs on the WSUS server. IIS logs are typically located in %windir%\system32\LogFiles\W3SVC1 for the default Web site. If you copied the Wutrack.bin file to the \InetPub\wwwroot folder on the WSUS server when you set up client self-update, you can open the IIS logs and search for Wutrack.bin to attempt to locate error messages about why self-update is failing. Typical errors might be 404 (file not found) 401/403 (authentication/access), and 500 (Internal server error). Use IIS Help to troubleshoot any problems found in the IIS logs.
If you have installed Windows® SharePoint® Services on the default Web site in IIS, configure it to not interfere with Self-update
If you install Microsoft Windows Sharepoint Services on the same server that is running WSUS, you might get the following issues:
- An "Access denied" message appears when Automatic Updates tries to update itself, and the latest Automatic Updates will not be running.
- On the Home page, a message appears warning you that the SelfUpdate service is not available.
If client computers are not running the WSUS-compatible version of Automatic Updates, they will not be able to receive updates through WSUS.
To resolve this issue-
Grant Anonymous access (Anonymous Auth) to the Default Web site, ClientWebService and Selfupdate v-roots in IIS.
-
Exclude specific requests from being intercepted by the Windows Sharepoint Services ISAPI DLL by doing the following:
- Open the Windows Sharepoint Services Central Administration Site (click Start, point to Administrative Tools, and then click Sharepoint Central Administration).
- Click Virtual Server Configuration, and then click Configure Virtual Server Settings.
- Click Default Web Site.
- Click Virtual Server Management, and then click Define managed paths.
- In the Add a new pathbox, set the type to excluded path. Under Path, type the following:
"/iuident.cab"
"/wutrack.bin"
"/clientwebservice"
"/Selfupdate"
- Open the Windows Sharepoint Services Central Administration Site (click Start, point to Administrative Tools, and then click Sharepoint Central Administration).
Check network connectivity on the WSUS client computer
Check network connectivity on the WSUS client computer. Use Internet Explorer to determine if self-update files on the WSUS server are accessible to the client computer. If you perform the following procedure and are prompted to download or open the files, you have verified network connectivity. It is not necessary to save or open the files. You cannot self-update Automatic Updates this way. If you do not have access to these files, troubleshoot network connectivity between the WSUS client computer and the WSUS server.
To check network connectivity on the WSUS client computer-
Click Start, and then click Run.
-
In the Open box, type iexplore and then press ENTER
-
In the Internet Explorer Address bar, type:
http://WSUSServerName/iuident.cab
where WSUS server name is the name of your WSUS server. Ensure that you are prompted to download or open Iuident.cab. This verifies network connectivity from the WSUS client and the availability of the Iuident.cab file on the WSUS server.
-
If there are any boxes prompting you to download or save, click Cancel. In Internet Explorer Address bar, type:
http://WSUSServerName/selfupdate/AU/x86/osvariable/languagevariable/wuaucomp.cab
where WSUSServerName is the name of your WSUS server and where osvariable is a variable indicating the operating system of the client computer. The possible variables for osvariableare NetServer, W2K or XP, and where languagevariable is a variable indicating the language of the operating system of the client computer. The possible variables for oslanguage are based on the standard 2- to 4-letter language abbreviations. For example, here is a URL for a client computer running an English version of Windows XP:
http://WSUSServerName/selfupdate/AU/x86/XP/EN/wuaucomp.cab
-
Ensure that you are prompted to download or save Wuaucomp.cab. This verifies network connectivity from the WSUS client and the availability of the Iuident.cab file on the WSUS server. If you are prompted to save or download both of these files, see the next section.
Check logs on the SUS client computer
Check the %windir%\windows update.log on the client computer to see if there has been any activity or any attempts to contact the server. Check the %systemdrive%\program files\windowsupdate\v4\urllog.dat file on the client computer for cached server pingbacks if the client computer has not been able to communicate with the server.
These files are hidden by default. Use the following procedure to display hidden files and folders in Windows Server 2003.
To display hidden files and folders on Windows Server 2003-
In Control Panel, open Folder Options.
-
On the View tab, under Hidden files and folders, click Show hidden files and folders.
-
If you can find no problem with the logs on the WSUS client, see the next section.
Manipulate registry settings on the SUS client computer
If all else has failed, you can attempt to manually manipulate registry settings to get the client computer to self-update to the WSUS client.
To manually manipulate registry settings on the SUS client computer-
Click Start, and then click Run.
-
In the Open box, type regedit and then click OK.
-
In Registry Editor, navigate to the WindowsUpdate key by expanding the following:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\
If the WindowsUpdate key does not exist, do the following:
-
On the menu, click Edit, point to New, and then click Key.
-
Type WindowsUpdate as the name for the new key.
-
Double-click the WUServer setting, type the URL to your WSUS server, and then press ENTER.
If the WUServer setting does not exist, do the following:
On the menu, click Edit, point to New, and then click String Value.
-
Type WUServer as the setting name.
-
Double-click the WUStatusServer setting, type the URL to your WSUS server, and then press ENTER.
If the WUStatusServer setting does not exist, do the following:
On the menu, click Edit, point to New, and then click String Value.
-
Type WUStatusServer as the setting name.
-
Navigate to the following:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
If the AU key does not exist, do the following:
On the menu, click Edit, point to New, and then click Key.
-
Type AU as the name for the new key.
-
Verify that the UseWUServer setting has a value of 1 (0x1).If it does not, modify it by double-clicking the setting and then changing the value.
If the UseWUServer setting does not exist, do the following:
On the menu, click Edit, point to New, and then click DWORD Value.
-
Type UseWUServer for the setting name.
-
Navigate to the following:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
-
Enable and configure Automatic Updates through Control Panel:
Click Start, click Control Panel, and then double-click Automatic Updates.
-
In the Automatic Updates dialog box, specify download and installation options, and then click OK. Make sure that Turn off Automatic Updates is not selected.
-
Ensure that the AUState setting has a value of 2 (0x2). If it does not, modify it by double-clicking and changing the value.
-
If the LastWaitTimeout setting exists, delete it.
-
If the DetectionStartTime setting exists, delete it.
-
At the command prompt, type the following, and then press ENTER to stop the Automatic Updates service:
net stop wuauserv
-
At the command prompt, type the following, and then press ENTER to restart the Automatic Updates service:
net start wuauserv
-
Wait approximately 6 to 10 minutes for the self-update to occur.
-
Wait approximately one minute, and then refresh the registry. You should now see the following settings and values:
DetectionStartTime (REG_SZ) YYYY.MM.DD HH.MM.SS. The DetectionStartTime value is written in local time, but the detection actually occurs 5 minutes after the time noted.
LastWaitTimeout (REG_SZ) YYYY.MM.DD HH.MM.SS. The LastWaitTimeout value is written in GMT or Universal Time, and represents the actual time that detection occurs.
Although these values refer to the time that detection is going to start, the first phase of detection is the process of checking whether a self-update is necessary. Therefore, these values actually refer to when self-update from the SUS client to the WSUS client should occur.
-
If the client software has not self-updated after ten minutes, refresh the \Auto Update registry key. If the LastWaitTimeout value has changed and is now 24 hours later than its previous value, that indicates that Automatic Updates was not able to contact the server URL that you specified in the WUServer value.