Menu Sidebar
Menu

Convert a Dynamic IP to Static

Working on a project where on some servers the DHCP assigned addresses needs to be converted to static. Since there is always more than one…I needed to script it.

Here is a quick way to do it via PowerShell.

Hope this helps!

Oracle to charge for Java Updates & how you can disable them

Prepare for 2019

Oracle has announced that, effective January 2019, Java SE 8 public updates will no longer be available for “Business, Commercial or Production use” without a commercial license.

End of Public Updates for Oracle JDK 8

Oracle will not post further updates of Java SE 8 to its public download sites for commercial use after January 2019. Customers who need continued access to critical bug fixes and security fixes as well as general maintenance for Java SE 8 or previous versions can get long term support through Oracle Java SE Advanced Desktop, or Oracle Java SE Suite. For more information, and details on how to receive longer term support for Oracle JDK 8, please see the Oracle Java SE Support Roadmap.

Is Oracle Java still free?

The current version of Java – Java SE 9 as well as Java SE 8 – is free and available for redistribution for general purpose computing. Java SE continues to be available under the Oracle Binary Code License (BCL) free of charge.

Java Runtime Environment (JRE) use for embedded devices or use of commercial features may require a license fee from Oracle. Read more about embedded use of Java SE, or contact your local Oracle sales representative to obtain a license.

What releases of Java technology are currently available?

The Java Platform, Standard Edition (Java SE) and Oracle Java SE Advanced and Suite products are currently shipping from Oracle in the form of the Java Development Kit (JDK), and Java Runtime Environment (JRE). The current releases of the software and links to older versions are available from the Java SE download page.

What are the Oracle Java licensing changes?

Due to the Oracle Java license cost changes, companies will need to collect and identify every application that is running Java SE 8 before the beginning of 2019. Doing so will ensure an accurate forecast of costs and potential non-compliance risk for future software audits in upcoming years.

What about the Java license costs?

The Oracle Technology Global Price List as of May 1, 2018 provides information about current pricing (in dollars):

Products & Metrics Named User Plus (NUP) Software Update (License & Support) Processor (Proc) Software Update (License & Support) *Note
Java SE Advanced Desktop $40 $8.80 A
Java SE Advanced $100 $22.00 $5,000 $1,100 B
Java SE Suite $300 $66.00 $15,000 $3,300 B

*Note:

A: The Named User Plus minimum for this program is 2,000 NUP licenses.

B: The Named User Plus minimum for this program is 10 NUP per Processor.

What should you do now?

In light of Oracle’s recent announcement, companies should begin considering:

  • How to anticipate the situation?
  • How many Java installations do we have, where and why?
  • Are there usages embedded?
  • Can we replace Java with another technology?
  • What will the cost be in January 2019?

Oracle suggests running a tool to find Java installations using a Java package called Java Usage Tracker. This will report information like:

  • The Java versions
  • Application name
  • Type (applet, command line, etc).
  • Location and more

However, the Oracle Java Usage Tracker requires a commercial license 🙂  – even though it’s included in the installer that comes with the free components.

Disabling Java Updates

Small to Medium sized organizations may not want to pay and should consider disabling updates altogether.

Windows Server 2008R2/2012/2012R2/2016 (x64)

There’s a registry setting in HKEY_LOCAL_MACHINE  that will allow you to completely disable both update notifications and the update functionality.

The full path of the key is HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy

The registry entry is named EnableJavaUpdate and is a DWORD value that defaults to 1 for the update functionality to be enabled. Setting the value to 0 disables updates.

When updates are enabled:

64-bit registry redirection:

There is a subkey located at HKLM\Software\Wow6432Node  that contains the relevant settings for 32-bit applications, and within here, is the expected JavaSoft registry key. This is similar to the automatic system controlled C:\Windows\SysWOW64 directory for 32-bit compatiblity.

To disable updates, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy\

Create a new DWORD value called EnableAutoUpdateCheck , and set it to 0.

Change the key EnableJavaUpdate to 0; this stops any needing to install updates, and annoying prompts that non-admin users get for installing updates.

Windows Server 2003/2008 (x86)

Stop the update utility from running by deleting the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched

Reboot the server.

In rare cases the control panel needs to be opened as administrator. To do this follow the steps below:

Save this as Java32_Fix.reg and run and it will fix those javacpl.exe as Administrator/Control Panel issues once and for all:

Alternately, this is for 64bit OS’s running 32bit Java:

Windows (10 & 2016) Build 1709 & 1803 cannot connect to SMB Shares

Applies to: Windows 10, version 1803, Windows Server version 1803, Windows 10, version 1709, Windows Server Datacenter Core, and Windows Server Standard Core

As users and organizations are upgrading to Windows 10 Build 1709/1803 they should be aware that SMB 1.0 is no longer installed by default. Among other things, this is going to start a lot of problems especially for the networking and security departments where they might be trying to figure out if it is a firewall that is blocking or an AV program that is limiting the access to the share.

In Windows 10 Fall Creators Update (1709), and Windows Server, version 1709 (RS3) and later versions, the Server Message Block version 1 (SMBv1) network protocol is no longer installed by default. It was superseded by SMBv2 and later protocols starting in 2007. Microsoft publicly deprecated the SMBv1 protocol in 2014.

SMBv1 has the following behavior in Windows 10 Fall Creators Update and Windows Server, version 1709 (RS3):

  • SMBv1 now has both client and server sub-features that can be uninstalled separately.
  • Windows 10 Enterprise and Windows 10 Education no longer contain the SMBv1 client or server by default after a clean installation.
  • Windows Server 2016 no longer contains the SMBv1 client or server by default after a clean installation.
  • Windows 10 Home and Windows 10 Professional no longer contain the SMBv1 server by default after a clean installation.
  • Windows 10 Home and Windows 10 Professional still contain the SMBv1 client by default after a clean installation. If the SMBv1 client is not used for 15 days in total (excluding the computer being turned off), it automatically uninstalls itself.
  • In-place upgrades and Insider flights of Windows 10 Home and Windows 10 Professional do not automatically remove SMB1 initially. If the SMBv1 client or server is not used for 15 days in total (excluding the time during which the computer is off), they each automatically uninstall themselves.
  • In-place upgrades and Insider flights of Windows 10 Enterprise and Windows 10 Education do not automatically remove SMB1. An administrator must decide to uninstall SMB1 in these managed environments.
  • Automatic removal of SMB1 after 15 days is a one-time operation. If an administrator re-installs SMB1, no further attempts will be made to uninstall it.
  • The SMB version 2.02, 2.1, 3.0, 3.02, and 3.1.1 features are still fully supported and included by default as part of the SMBv2 binaries.
  • Because the Computer Browser service relies on SMBv1, the service is uninstalled if the SMBv1 client or server is uninstalled. This means that Explorer Network can no longer display Windows computers through the legacy NetBIOS datagram browsing method.
  • SMBv1 can still be reinstalled in all editions of Windows 10 and Windows Server 2016.

If you try to connect to devices that support only SMBv1, or if these devices try to connect to you, you may receive one of the following errors messages:

You can’t connect to the file share because it’s not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack. Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747

 

All of Windows Cipher Suites

Working on a security project and I needed a reference guide as to what cipher suites are supported on what OS.

So I have documented a list of the default cipher suites and their preferred order for every Windows Server version. These were gathered from fully patched operating systems.

These are the server defaults for reference only. I do not recommend using the default cipher suites or the order listed.

Windows Server 2003
TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA TLS_RSA_EXPORT1024_WITH_RC4_56_SHA TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLS_RSA_WITH_NULL_MD5 TLS_RSA_WITH_NULL_SHA

Windows Server 2008
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521 TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_MD5 SSL_CK_RC4_128_WITH_MD5 SSL_CK_DES_192_EDE3_CBC_WITH_MD5 TLS_RSA_WITH_NULL_MD5 TLS_RSA_WITH_NULL_SHA

Windows Server 2008 R2
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_NULL_SHA SSL_CK_RC4_128_WITH_MD5 SSL_CK_DES_192_EDE3_CBC_WITH_MD5

Windows Server 2012
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_MD5 SSL_CK_RC4_128_WITH_MD5 SSL_CK_DES_192_EDE3_CBC_WITH_MD5 TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_NULL_SHA

Windows Server 2012 R2
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_NULL_SHA SSL_CK_RC4_128_WITH_MD5 SSL_CK_DES_192_EDE3_CBC_WITH_MD5

Windows Server 2016
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_NULL_SHA SSL_CK_DES_192_EDE3_CBC_WITH_MD5 SSL_CK_RC4_128_WITH_MD5

 

List Domain Admins & Enterprise Admins in a domain

If you want to find out how many domain/ enterprise admins are active/inactive in domain you can use the following PowerShell command to figure out:

Get the list of domain admins and check if they are enabled.

Get the list of enterprise admins and check if they are enabled.

 

What version of SQL Server do I have?

Working with so many versions of SQL a quick reference list is always helpful that shows the versions numbers and service packs.

  • A downloadable version of an Excel workbook that contains all the build versions together with their current support lifecycle stage for 2005 through the current version is available. Click to download this Excel file now. (File name: SQL Server Builds V3.xlsx)

This unofficial build chart lists all of the known Service Packs (SP), Cumulative Updates (CU), patches, hotfixes and other builds of MS SQL Server 2017, 2016, 2014, 2012, 2008 R2, 2008, 2005, 2000, 7.0, 6.5 and 6.0 that have been released.

Useful articles:

Quick summary:

All SQLServer service packs are cumulative, meaning that each new service pack contains all the fixes that are included with previous service packs and any new fixes.

RTM (no SP) SP1 SP2 SP3 SP4
 SQL Server 2017
     codename vNext
14.0.1000.169
*new
 SQL Server 2016 13.0.1601.5 13.0.4001.0
or 13.1.4001.0
 SQL Server 2014
12.0.2000.8 12.0.4100.1
or 12.1.4100.1
12.0.5000.0
or 12.2.5000.0
 SQL Server 2012
     codename Denali
11.0.2100.60 11.0.3000.0
or 11.1.3000.0
11.0.5058.0
or 11.2.5058.0
11.0.6020.0
or 11.3.6020.0
11.0.7001.0
or 11.4.7001.0
 SQL Server 2008 R2
     codename Kilimanjaro
10.50.1600.1 10.50.2500.0
or 10.51.2500.0
10.50.4000.0
or 10.52.4000.0
10.50.6000.34
or 10.53.6000.34
 SQL Server 2008
     codename Katmai
10.0.1600.22 10.0.2531.0
or 10.1.2531.0
10.0.4000.0
or 10.2.4000.0
10.0.5500.0
or 10.3.5500.0
10.0.6000.29
or 10.4.6000.29
 SQL Server 2005
     codename Yukon
9.0.1399.06 9.0.2047 9.0.3042 9.0.4035 9.0.5000
 SQL Server 2000
     codename Shiloh
8.0.194 8.0.384 8.0.532 8.0.760 8.0.2039
 SQL Server 7.0
     codename Sphinx
7.0.623 7.0.699 7.0.842 7.0.961 7.0.1063

All SQLServer service packs are cumulative, meaning that each new service pack contains all the fixes that are included with previous service packs and any new fixes.

NSLookup still showing IP of demoted Domain Controller

So had an interesting issue today where a Domain Controller (DC) was demoted yet the IP of the demoted DC was still showing up when running nslookup internaldomain.local

Demoted DC: MWDC04 / IP: 10.14.111.111

I had done the metadata cleanup and tried many suggestions when googling the subject. To my surprise none of the solutions I found worked.

I had removed the IP address from the Primary DNS Server and saw entries for:

(same as parent folder) Host(A)  10.14.111.111
(same as parent folder) NameServer (NS)  10.14.111.111

I also looked under internaldomain.local > _msdcs and deleted entries from there.

After clearing the cache and waiting for replication, did a nslookup again and the IP was still there.

Well, there are some good and bad things about Microsoft DNS.

The BAD:

You cannot search DNS values in DNS Management. You are limited to searching just the names.

THE GOOD:

All DNS entries are stored in a flat file on the DNS Server “C:\WINDOWS\system32\dns\internaldomain.local.dns” (The default location). JACKPOT!

I opened it up in Notepad++, did a search for IP and DNS name of the demoted server(MWDC04-10.14.111.111) and started deleting matched entries. I was so surprised to find entries that were deeply buried under “domaindnszones” & “forestdnszones” and a few other subzones.

Cleared the cache again and waited for replication. Once replication completed I tried nslookup internaldomain.local and this time it didn’t list the demoted DC anymore.

I hope this saves others time, because finding a record in DNS might be like searching for a needle in a haystack!

ConfigMgr 2012 R2 – WSUS sync fails with HTTP 503 errors

Ran into this issue with ConfigMgr 2012 R2 where it was unable to synchronize Software Update Point with the WSUS server. A review of the component status messages for the SMS_WSUS_SYNC_MANAGER component on the primary site server reveals errors related to WSUS synchronization which are similar to the following:
Message ID: 6703 WSUS Synchronization failed. Message: The request failed with HTTP status 503: Service Unavailable. Source: Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer.

Got the following error when trying to open Update Services on the WSUS server

Error: Connection Error An error occurred trying to connect to the WSUS server. This error can happen for a number of reasons. Please contact your network administrator if the problem persists. Click the Reset Server Node to connect to the server again.

In addition to the above, attempts to access the URL for the WSUS Administration website (i.e., http://CMCASSERVER:8530) fails with the error:

HTTP Error 503. The service is unavailable

In this situation, the most likely cause is that the WsusPool Application Pool in IIS is in a stopped state, as shown below.

Also, the Private Memory Limit (KB) for the Application Pool is probably set to the default value of 1843200 KB.

If you encounter this problem, increase the Private Memory Limit to 4GB (4000000 KB) and restart the Application Pool. To increase the Private Memory Limit, select the WsusPool Application Pool and click Advanced Settings under Edit Application Pool. Then set the Private Memory Limit to 4GB (4000000 KB).

After the Application Pool has been restarted, monitor the SMS_WSUS_SYNC_MANAGER component status, wcm.log and wsyncmgr.log for failures. Please note that it may be necessary to increase the Private Memory Limit to 8GB (8000000 KB) or higher depending on the environment.

Now WSUS is back online!

Older Posts

Mohammed Wasay

Dallas based Design Technologist & Hybrid Developer