Installing Windows Server Update Services on Windows Server 2012 is not a complicated task in theory: because it is now a part of the OS, you even don’t have to download it, just click through the step-by-step installation wizard in Server Manager. If you don’t believe me, take a look at this step-by-step tutorial with screenshots.
For me it was not that easy. I’m obviously an install-failed-error magnet, but according to the tremendous amount of forum posts in the topic, I’m not alone. So here are my solutions.
A kind notice:
The solutions below worked for me, but use them on your own risk!
The server is a fresh WS 2012 install, promoted to a domain controller. I have not found any documentation that would state that this is a non-supported scenario.
NTFS permissions
According to the Prepare for Your WSUS Deployment TechNet article, the NT Authority\Network Service account must have Full Control permissions to the following folders, otherwise the WSUS Administration snap-in may fail:
- %windir%\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files
- %windir%\Temp
The beauty is that – as you can read in the doc – the first folder might not exist if IIS is not installed. WSUS requires IIS, and fortunately the installer is smart enough to install the Web Role as well. What’s more, it installs only those IIS components that are required to WSUS, so if you follow the “minimal install” principle, you probably want to let the WSUS installer setup IIS as well. But how to set the folder permissions before starting the installer, if the installer creates the folder?
Role Services
In a sunny Friday afternoon you may reach this step in the install wizard:
If you want to click all three components, be prepared to the following error message:
The following features cannot be installed on the same server: Database, WID Database.
A little background info:
- The WID Database (which is checked by default) means that the setup installs the Windows Internal Database, which is a mini SQL Server engine. It has some limitations, but perfectly suitable for WSUS, especially in a single server scenario.
- The Database (which is not checked by default) means, that the setup creates the WSUS database in an existing SQL Server instance, which can even reside on another computer. If you want to select this option, please read the WSUS database requirements section of the documentation.
The important is that the default two checks are perfect, you don’t need all three.
Restart without results
The installer may run fine for a while, until:
The request to add or remove features on the specified server failed.
The operation cannot be completed, because the server that you specified requires a restart.
Of course you can restart your server, but that won’t solve anything. After restarting the server, you have to restart the WSUS installation which will end with the same results again and again.
The solution is to modify your group policy. Start the Group Policy Management Console and edit the Default Domain Controllers Policy. In the Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Local Policies –> User Rights Assignment branch, edit the Log on as a service setting, and add the following accounts: IIS_WPG, NETWORK, NETWORK SERVICE, SERVICE.
After saving the GPO, don’t forget the update the policy:
gpupdate /target:computer
Post-Installation tasks
After the installation wizard completes, you will see – if you really look for it – a Launch Post-Installation tasks link which you must click. This essentially continues the installation.
Until it fails:
Configuration failed. A log file was created at C:\Users\username\AppData\Local\Temp\tmpXXXX.tmp
I encourage you to look into the log file, because it is detailed and very readable. For example:
Config file did not contain a value "ContentDirectory"
Microsoft.UpdateServices.Administration.CommandException:
A required configuration value was not found in the system.
Yes, it is missing a setting which you probably entered in the graphical wizard! If you are a command line guru there is a tool for you called wsusutil.exe in the C:\Program Files\Update Services\Tools folder, however it fails with the same error.
Both the GUI and the command line tool are missing the value from the C:\Windows\System32\ServerManager\ComponentConfiguration\UpdateServices-Services.xml file. If you open this file, you will find this (I added line breaks for readability):
<?xml version="1.0" encoding="utf-16"?>
<INSTANCE CLASSNAME="ServerComponent_UpdateServices_Services">
<PROPERTY NAME="ContentDirectory" TYPE="string">
</PROPERTY>
<PROPERTY NAME="ContentLocal" TYPE="boolean">
<VALUE>true</VALUE>
</PROPERTY>
</INSTANCE>
If you have eyes for XML, you see immediately, that that ContentDirectory value is definitely missing. No problem, just add it:
<?xml version="1.0" encoding="utf-16"?>
<INSTANCE CLASSNAME="ServerComponent_UpdateServices_Services">
<PROPERTY NAME="ContentDirectory" TYPE="string">
<VALUE>C:\WSUS</VALUE>
</PROPERTY>
<PROPERTY NAME="ContentLocal" TYPE="boolean">
<VALUE>true</VALUE>
</PROPERTY>
</INSTANCE>
It you run Notepad as administrator, you will be able to save the changes. Click the Launch Post-Installation tasks link again, it will run longer.
Database
For me it ran longer, but failed later. It created another log file in the Temp folder, this time with the following error:
Fatal Error: SqlException (0x80131904): Invalid object name ‘SUSDB.dbo.tbSchemaVersion’.
This means something is wrong with the database. If you read the log you can see, that the database exists, the installer could connect to it, however the specified table is missing.
I checked the C:\Windows\WID\Data folder where I found the SUSDB.mdf and SUSDB_log.ldf files, so the database really existed, probably because it was created by a previous installation attempt. However its 2112 KB size was suspicious, because it closely matched to the size of the model.mdf. My guess was that the database was created, but it is still empty.
My idea was to delete the database and hopefully the installer will create it again. Deleting the files was surprisingly easy, but when I checked the error.log file in the Log folder after restarting the service, it because obvious that the database server is missing the files.
So the correct solution is to connect to the database server and drop the database. If you don’t want to install SQL Server Management Studio, you can go with the SQLCMD command line tool which is available as a very small standalone installer from here: Microsoft Command Line Utilities 11 for SQL Server
If you don’t read the System Requirements section the MSI installer will warn you that it requires the ODBC Driver 11 for SQL Server as well.
Downloading these two MSI files is not obvious from Internet Explorer at all. First it aggressively blocks the popup windows, and second:
Security Alert: Your current security settings do not allow this file to be downloaded.
If you don’t want to fight with the browser, you can download this 7MB content on another computer and move it to the server via Remote Desktop.
Now you have SQLCMD in this folder:
C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\110\Tools\Binn
You will also need the connection string to WID:
np:\\.\pipe\MICROSOFT##WID\tsql\query
I prefer using SQLCMD with a command file, because that makes editing and re-executing SQL commands easy. So you can create a file called wsus.sql with this content:
select name from sys.sysdatabases
drop database susdb
select name from sys.sysdatabases
And run it from the command prompt:
sqlcmd -S np:\\.\pipe\MICROSOFT##WID\tsql\query -i c:\temp\wsus.sql
With this you’ve dropped the WSUS database, but thankfully the WSUS installer will create it again with the correct table structure. After completing the install wizard and the post-installation tasks you can start the WSUS Administration console and run the server configuration wizard.
The WSUS server is installed now, but you still have to configure the clients and setup SSL.
I learned it. I share it. 