Last Updated on 2016-11-22.
Windows Updates seem to get even more dangerous, like I described in previous posts.
This time I was updating all Windows 2016 servers manually with patch KB3197954, which was necessary to make the servers load updates from WSUS again.
It looks like this update can cause a lot of trouble, especially on AD domain controllers.
Symptoms
- The DCs do not recognize that they are in the domain network (the default LAN topology) and instead classify it as a public or private network.
- This causes FSMO errors, DCs do not sync any more, startup scripts do not work, DFS issues, etc.
- You also see this behaviour in Windows Firewall. The domain is not recognized, so the public profile is loaded.
Solution
For whatever reason, the update modified the startup behaviour of important services.
On most machines (not all), the following services had the wrong startup type and were not started:

| Common Service Name | Service Name (German) | Wrong state | Correct state |
| --- | --- | --- | --- |
| WAS | Windows-Prozessaktivierungsdienst | Deactivated | Manual |
| Net.Tcp Port Sharing | Net. TCP-Portfreigabedienst | Deactivated | Manual |
| Netlogon | Anmeldedienst | Manual | Automatic |
Note: Netlogon is the most important one. E.g. the WAS service is not always needed.
In other network scenarios there could be other services affected. If not sure, have a look at the Windows event log.
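
An added example, not part of the original post: a PowerShell check that compares the three services from the table against their correct start type, optionally corrects them, and then shows which network category each adapter was assigned. The short service names (`WAS`, `NetTcpPortSharing`, `Netlogon`) and the function name `Test-ServiceStartType` are assumptions made for this example; "Deactivated" in the table corresponds to the `Disabled` start type.

```powershell
# Correct start types taken from the table above.
# The short service names are an assumption of this example, not from the post.
$expected = [ordered]@{
    'Netlogon'          = 'Automatic'
    'WAS'               = 'Manual'
    'NetTcpPortSharing' = 'Manual'
}

function Test-ServiceStartType {
    param([switch]$Fix)   # without -Fix the function only reports
    foreach ($name in $expected.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            # e.g. WAS only exists when the Windows Process Activation Service feature is installed
            [pscustomobject]@{ Service = $name; Current = 'NotInstalled'; Expected = $expected[$name]; Action = 'None' }
            continue
        }
        $current = [string]$svc.StartType
        $action  = 'None'
        if ($current -ne $expected[$name]) {
            $action = 'Mismatch'
            if ($Fix) {
                Set-Service -Name $name -StartupType $expected[$name]
                # Only the Automatic service (Netlogon) must be running; Manual ones start on demand
                if ($expected[$name] -eq 'Automatic') { Start-Service -Name $name }
                $action = 'Corrected'
            }
        }
        [pscustomobject]@{ Service = $name; Current = $current; Expected = $expected[$name]; Action = $action }
    }
}

# Report only
Test-ServiceStartType | Format-Table -AutoSize
# Correct the start types (run from an elevated prompt):
# Test-ServiceStartType -Fix | Format-Table -AutoSize

# A domain controller should report DomainAuthenticated here, not Public or Private
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, NetworkCategory, IPv4Connectivity, IPv6Connectivity
```
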
Update 2017-05:
Besides, if the firewall loads the wrong profile even if all services are started, a wrong gateway could also be the cause.
E.g. if you mainly use IPv4 and do not need IPv6 in your LAN, try to disable IPv6 in the network adapter’s properties. Reference
Hi,
I have a brand new installation of Windows Server 2016 WSUS server (Fully patched until 18-Dec-2016). My network consists of about 1000 client-side operating systems and 300 server-side. The clients range from Windows 7 to Windows 10 version 1607. The servers are from Windows Server 2008 to Windows Server 2016. Every computer can connect to WSUS and pull the updates except for Windows Server 2016.
Each time I check for updates on a Windows Server 2016, I get this error: “We couldn’t connect to the update service. We’ll try again later, or you can check now. If it still doesn’t work, make sure you’re connected to the Internet.”
Event Viewer: Windows Update failed to check for updates with error 0x80072EFD.
The strange thing is, WSUS server puts a green check mark for Windows Server 2016s, but I am sure there are some updates available for them.
I have installed all the Cumulative Updates (CUs) so far available for Windows Server 2016 on one of my 2016 installations manually, to see if that would solve the problem, but it didn’t.
Are you aware of any issue in the Windows Server 2016 Update Agent with regard to WSUS, or do I need some configuration changes on the WSUS server to make the connection happen?
Yours.
You could start with some basics, e.g. look for a certain Win2016 update on your WSUS server, then try to find it in your WSUS content directory, then check if it is accessible via IIS / HTTP.
As far as I remember, I had to manually install KB3197954 to get any Win2016 updates, so double check if it is installed.
Also have a look at your WindowsUpdate.log on your clients (servers); PowerShell -> Get-WindowsUpdateLog
I cannot get my 2016 WSUS server to work at all. I keep getting errors and can't connect at the server. I can get to it from the Servername:8530 but when I load the MMC it will not connect. No updates are coming through.