 
|
|
|||
|
|
||||
Windows 2000/2003/XP Tips
Most Recent Version:
2000 sp4 (as of: 12/2/2003)
2003 sp1 (as of: 2/2/2006)
XP sp2 (as of: 2/2/2006)
Questions:
1) How do I
enable IP forwarding?
2) I applied SP2+ to Office, and now I cannot
connect to Exchange.
3) How do I set up an SUS server?
4) I swapped out motherboards, and now I get a
BSOD error: STOP: 0x0000007B INACCESSIBLE_BOOT_DEVICE
5) Terminal Server (Remote Access) keeps telling
me license limit exceeded.
6) store.exe process is taking all of my available memory!
7) I am trying to get a self-generated SSL certificate to work
on IIS and I keep getting display errors in my browser.
8) I get "There are currently no logon
servers available to service the logon request" error trying
to map a drive.
9) How do I backup and restore EFS files and
access?
10) How do I set up a WSUS server?
Answers:
1) How do I enable IP forwarding?
-
Start regedit.exe.
-
Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
-
Double-click IPEnableRouter.
-
Set the value to 1. Click OK.
-
Close regedit.
-
Reboot the machine.
Answer applies to 2000/XP.
2) I applied SP2+ to Office, and now I cannot connect to Exchange.
You get: "Unable to open your default
e-mail folders" when using Outlook, or "The name
could not be resolved. The server containing the Global
Address List is no longer available" when testing your
mail settings in Control Panel\Mail\MS Exchange Server. and give the value of your Exchange server. Required files: WUAU22.msi - updated client update software for XP (pre sp1) & win2000 (pre sp3) One possible problem you may have is that you
no longer have the correct IDE drivers to load the hard
disk. To add the drivers: boot the drive in the old machine Load ALL IDE .sys files. Do this by
extracting atapi.sys, intelide.sys, pciide.sys, and
pciidex.sys from \winnt\system32\i386\driver cache\i386\driver.cab
into the winnt\system32\drivers directory. Make necessary registry edits. Take
the following file, paste into a .reg file, and
double-click on the file. This will modify your
registry (obviously, you are warned about editing the
registry!)
Known problem: sp2 and higher can use load
balanced Global Catalog servers, but if you have only one, it
gets confused. So you have to manually specify the server to
use in the... where else? ... registry!
HKEY_CURRENT_USER\Software\Microsoft\Exchange\Exchange Provider\DS Server
3) How do I set up an SUS
server?
sus10sp1.exe - SUS server software
wuau.adm - GPO add-in for Windows Update
Setting up SUS server 1.0sp1
------------------------------
1) install SUS server on w2k or win2003 SERVER
2) synchronize the server (this will download hundreds of MB of patches for
2000 and XP. It will take a while).
3) Web server will be set up on port 80 (you MUST use port 80). However, if 80 is used,
set up alias IP address for the server and use aliased IP, port 80.
To administer the SUS server, connect to http://<yourSUSserver/SUSadmin
Configuring the client (see http://www.susserver.com for details)
-------------------------------
1) You can do this via GPO or manually for each client with regedit
2) REGEDIT method:
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\
KEY TYPE VALUE
------------------ ----------- -----------------------
WUServer Reg_SZ http://<yourSUSserver>
WUStatusServer Reg_SZ http://<yourSUSserver>
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\
AUOptions Reg_DWORD 2 (notify user)
3 (download and notify of install)
4 (do it and don't tell user)
NoAutoRebootWithLoggedOnUsers Reg_DWORD 0 or 1
NoAutoUpdate Reg_DWORD 0 or 1
RescheduleWaitTime Reg_DWORD 1-60 (minutes after a reboot)
ScheduledInstallDay Reg_DWORD 0-7 (0=every day, 1=sunday...)
ScheduledInstallTime Reg_DWORD 0-23
UseWUServer Reg_DWORD 0 or 1 (forces WUServer useage)
Make sure you restart the Automatic Update service on the client.
3) GPO policy:
Edit your default GPO (or whichever policy applies to affected users). You can
access this policy by going into "Active Directory Users and Computers", right click on your
domain, and click "Properties". Click the "Group Policy" tab. Edit the effective policy.
Go down to "computer Configuration\Administrative Templates". Right click "Administrative
Templates" and click "Add Remove Templates". Add a template. Browse to "wuau.adm" template
and add it in. If you do not have the SUS GPO add-in, you can download it from Microsoft.
Now, under "Administrative Templates\Windows Components" there is a "Windows Update"
folder. Inside are at least 4 options. At a minimum, configure the following:
Configure Automatic Updates - enabled, 2
Specify ... update service location - enabled, for both fields, enter
"http://<yourSUSserver>"
This will push above registry changes to the clients. You may have to restart the
Automatic Update Service on the clients.
Verify Updates have occurred
---------------------------------
1) Check the client log. This is usually in c:\windows\Windows Update.Log.
2) You can schedule downloads at regular intervals (described above). If you want to FORCE
a download, do the following:
HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\
AUState=2
Delete "LastWaitTimeout"
3) restart Automatic Update service. Your client should try to connect within a few
minutes.4) I swapped out motherboards,
and now I get a BSOD error: STOP: 0x0000007B
INACCESSIBLE_BOOT_DEVICE
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\primary_ide_channel]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="atapi"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\secondary_ide_channel]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="atapi"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\*pnp0600]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="atapi"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\*azt0502]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="atapi"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\gendisk]
"ClassGUID"="{4D36E967-E325-11CE-BFC1-08002BE10318}"
"Service"="disk"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#cc_0101]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_0e11&dev_ae33]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1039&dev_0601]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1039&dev_5513]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1042&dev_1000]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_105a&dev_4d33]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1095&dev_0640]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1095&dev_0646]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1097&dev_0038]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_10ad&dev_0001]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_10ad&dev_0150]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_10b9&dev_5215]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_10b9&dev_5219]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_10b9&dev_5229]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1106&dev_0571]
"Service"="pciide"
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_8086&dev_1222]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="intelide"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_8086&dev_1230]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="intelide"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_8086&dev_2411]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="intelide"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_8086&dev_2421]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="intelide"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_8086&dev_7010]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="intelide"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_8086&dev_7111]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="intelide"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_8086&dev_7199]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="intelide"
;Add driver for Atapi (requires atapi.sys in drivers directory)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi]
"ErrorControl"=dword:00000001
"Group"="SCSI miniport"
"Start"=dword:00000000
"Tag"=dword:00000019
"Type"=dword:00000001
"DisplayName"="Standard IDE/ESDI Hard Disk Controller"
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,61,00,74,00,61,00,70,00,69,00,2e,\
00,73,00,79,00,73,00,00,00
;Add driver for intelide (requires intelide.sys in drivers directory)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IntelIde]
"ErrorControl"=dword:00000001
"Group"="System Bus Extender"
"Start"=dword:00000000
"Tag"=dword:00000004
"Type"=dword:00000001
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,69,00,6e,00,74,00,65,00,6c,00,69,\
00,64,00,65,00,2e,00,73,00,79,00,73,00,00,00
;Add driver for pciide (requires pciide.sys and pciidex.sys in drivers
directory)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCIIde]
"ErrorControl"=dword:00000001
"Group"="System Bus Extender"
"Start"=dword:00000000
"Tag"=dword:00000003
"Type"=dword:00000001
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,70,00,63,00,69,00,69,00,64,00,65,\
00,2e,00,73,00,79,00,73,00,00,00
5) Terminal Server (Remote Access) keeps telling me license limit exceeded.
Without a Terminal Server license, you can
only have 2 administrative (can't be a regular user either)
sessions at a time. Default behavior for TS is to
maintain session information even if you terminate the
client. That way, when you log back on, all your
programs are still there. The drawback is tons of stale
sessions.
To prevent this, go to Control Panel >
Administrative Tools > Terminal Server Configuration.
In the right hand window, right click > Properties on
RDP-Tcp. Go to the "Sessions" tab. Check
"Override User Settings" and set session
timeouts. Make sure Disconnected sessions are terminated
within desirable period of time. You probably want to
set an "Idle session limit" as well, so that some
idiot doesn't walk away from his computer while still logged
in to a session. If disconnected sessions STILL do not
terminate properly, see KB216783.
6) store.exe process is taking all of my available memory!
Store.exe is an Exchange process that caches
information in memory for faster retrieval. It is
designed to take all the memory it can, but will return it
when other processes require it. Needless to say, this
is not always optimal.
To set a maximum cache size, you will need to edit the
Active Directory LDAP information directly. Think of it
like RegEdit for AD (if that makes you feel any better!)
Apparently, any LDAP client will work, but KB266768
describes the process using adsiedit.msc (you will need to
load this from the W2K Resource Kit).
Open adsiedit and connect to your AD server (connection
point > naming context > config container > computer
> select or type domain or server, and type in your AD
server. Under "advanced", enter AD
administrator credentials. Hit OK. Open:
Services/Microsoft Exchange/<domain>/Administrative Groups/<admin group>/Servers/<AD server>/Information Store
Right click Info store > properties >
select a property to view > msExchESEParamCacheSizeMax.
Edit the max cache size in blocks of 4kb. So 1MB = 256.
Restart the Information Store Service.
7) I am trying to get a self-generated SSL certificate to work on IIS and I keep getting display errors in my browser.
Make sure that when you create a certificate
from an IIS request file, you are REALLY logged in to the
Microsoft Certificate Server with Administrator
credentials. If you are logged in as a regular user, you
will NOT get "Web Server" as a template type (only
"basic EFS" and "user"), and the certs you
create will not have a subject of "www.<yourwebserver>",
but instead have a userid as subject (if you see "IUSR_<certsrvhost>").
Verify you are logged in as Administrator when
generating a certificate. Also verify you are forcing
NTFS credentials on the /certsrv web subdirectory. If
you are allowing anonymous access, you will have problems.
8) I get "There are currently no logon servers available to service the logon request" error trying to map a drive.
I was getting errors in my event viewer describing how "The redirector was unable to initialize security context or query context attributes." (Event ID 3034), and further down, how "The kerberos subsystem is having problems fetching tickets from your domain controller using the UDP network protocol. This is typically due to network problems. Please contact your system administrator." (Event ID 10). So I forced kerberos to use TCP, according to KB244474. Basically add a DWORD value = 1 of:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxPacketSize
You will have to create the key if it doesn't exist. I am not sure why this occurred in the first place, but I had done this on a WAN domain member to speed up processing, so perhaps that screwed something up. The DC does NOT have this registry edit - only the client.
9) How do I backup and restore EFS files and access?
EFS (Encryping File System) is a built in
method of encryption for Windows 2000, 2003, and XP. It
is very easy to use (right click a file or folder >
Properties > Advanced > Encrypt....). Under XP,
encrypted files/folders appear green in color.
Theoretically, this procedure should work for any modern
Windows OS, but my testing is under XP Pro sp2.
The BACKUP:
First thing: backup your personal certificate/key.
Without the encryption key, you cannot recover data! Go
to Start > Run, and type "mmc". This brings up a
blank management console. Go to File > Add/Remove Snap-in
> Add > Certificates > Add > My user account. You
will see something similar to this:
Next, drill into Certificates -Current User
> Personal > Certificates. You should see at least
one certificate (if you have already created EFS encrypted
files) whose intended purpose is "Encrypting File
System". We will export this to a file. Right
click on the certificate > All Tasks > Export.
This will bring up the export wizard. Make SURE to
export the private key (this is NOT the default) - you cannot
recover data without it! The private key requires a
password to protect it. Assign whatever you want, but
make sure you remember it, because you will need it later on
when you re-import it. The rest is pretty much
default. Save the result - it will create a file with a
.pfx extension. Back this file up somewhere safe (CD,
backup tape, etc.)
Backup your encrypted files. You can copy them to
CD, another server, tape, etc., but be careful - copying to
devices that don't support EFS may decrypt the files.
This generally happens when you copy to a non-NTFS file system
(FAT floppy, ISO9660/Joliet CDROM, etc), and you should get a
warning. If you wish to archive the EFS files in an
encrypted state to a non-NTFS filesystem, try using
ntbackup.exe (built in to windows), which will create a .bkf
archive file which itself is not encrypted, but contains
all the encrypted files. This makes EFS much more
portable.
The RESTORE:
So you boned your computer, huh? OK, on a new or rebuilt
computer, copy the .pfx personal certificate and your EFS
files (you may have to extract from an EFS catalog). Go
back into MMC like we did for the backup, and right click on
Personal > All Tasks > Import, and point to your .pfx
file. The only thing you should have to type is the
private key password. Other than that, take all the
defaults, and the certificate will appear in your list.
If you have other certificates, you might have to remove
them. I didn't test this, but others claimed these
interfered with your EFS recovery cert. VOILA! You
should be able to open your EFS files again. Note: the
files should be local to your restore computer. For some
reason, network mounted drives did not work in this scenario.
10) How do I set up a WSUS server?
WSUS (Windows Software Update Service) is the heir to SUS (see question 3), and has a couple of advantages over SUS (they were going to name the new version "WUS", but decided against it since MS already gets enough flack). SUS could only download and install security hotfixes. WSUS can do hotfixes, service packs, drivers and non critical updates, as well as updates for MS Office and Exchange. Oh, yeah, and it is supported, while SUS goes bye-bye! So update now you losers! There is one major disadvantage, however. WSUS is a big pig. Not only is the software itself bloatware, but it also requires a SQL server, .NET and a bunch of other crap to work. Don't worry, it's all free, but you will be installing stuff for a while.
The INSTALL (for Windows 2000 - this is slightly different than Win2003)
requirements:
-
about 6GB NTFS free space (30 recommended)
-
Windows 2000 sp4 or Windows 2003 server with IIS installed.
-
All clients must be at least Windows 2000 sp3, Windows 2003, Windows XP or newer.
Now download: -
MSI installer v3.1 (only required for W2K ... do NOT install this if you have a later version already installed. The installer service will then fail to start. You can then use "msiexec.exe /regserver" to fix)
-
SQL or MSDE (only for w2k - I tried SQL 2005 on Win2000, but it didn't want to go, so I used MSDE)
install:
- MSI 3.0 and BITS 2.0, then reboot
- .NET 1.1 and sp1, then reboot
- MSDE 2000a, then reboot
- install WSUS
CONFIGURE:
Log in to the web server and synchronize (on the main page) with Microsoft. This will download the list of patches available. This will take a while.
Before we download the patches, we might choose to do a couple of things. First of all, you can set up WSUS to use an SSL cert so that information transmitted through the web browser is encrypted. This is not necessary, but can be done through IIS the way normal SSL sites are configured.
Another thing you might want to do is go to "Options" tab in WSUS interface > Synchronization Options. You can set up automatic daily update checks at the top of the page. Classifications allow you to decide whether service packs, drivers, etc., or just critical updates are downloaded (affects download size). Finally, at the bottom, click "Advanced". Under "Languages", choose "Download only those updates that match the locale of this server". This is important because if you don't, WSUS will download something like 15 GB of crap - you know - XP SP1 English, XP SP1 French, XP SP1 Mumbutu, etc. I know that in the future when you are reading this, you will laugh at me and say "15 GB! My wristwatch-communicator gets more spam in an hour! But back here in 2006, that is still a ton of junk. In fact, did you know they used to make hard drives smaller that 15GB? My co-worker Al actually spent $500 on a 5 MEGABYTE hard drive in the 80s. He is still kicking himself.
Next, approve the necessary patches - which can be done on the "Updates" tab. Select all the updates you wish to approve, and click "Approve for Installation", then choose "Install" from the pull down menu. Some patches may still not approve since they have expired or have been superseded. Don't worry about those. Once you approve the patches, they will start downloading (this will take HOURS on a FAST connection, so go watch a couple of movies). You can find status information on the download on the "Home" tab.
OK, so far so good. You should have the server itself set up. However, under the "Home" tab at the bottom, the "To Do List" should still say something like "no computers have connected", which means you have the patches, but no clients have gotten them from you! We need to tell the clients to get updates from us, and not www.windowsupdate.com. To do this, we can either make registry changes, or in a domain environment, modify a GPO.
Editing the registry (Workgroup environments):
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
(REG_SZ keys)
WUServer=http://Your-SUS-Server:8530 (or whatever
port you are using for WSUS)
WUStatusServer=http://Your-SUS-Server:8530
There are a number of options in the AU directory, but here are some critical ones:
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
(DWORD keys)
NoAutoUpdate = 0
AUOptions = 3 (3 means download automatically, but
prompt for install)
NoAutoRebootWithLoggedOnUsers = 1
RescheduleWaitTime = 22 (hours between detect events)
UseWUServer = 1
And close it off with the usual: reboot, etc.
Creating a GPO (Domain Environments):
First, you need a WSUS template for your AD server's GPO. This is usually not a problem as W2K sp4 and W2003 have the wuau.adm template built in. Go to MMC, and add the GPO you wish to edit. The picture below shows editing of the Default Domain Policy, but MS does not recommend this.
Go
down the GPO into Computer Configuration > Administrative
Templates > Windows Components > Windows Update. If the
Update folder is not there, load the template by right clicking
"Administrative Templates > Add/Remove Templates" and
select the wuau.adm
file.
At a minimum, you will want to configure the first two
settings.
Option 1: Configure
Updates
Option 2: Specify location
The rest of the options
are gravy. You will not need them, but they affect reboot
behavior and so forth.
OK, so once you have done this, you need to propagate the GPO
to the domain. This will happen automatically, but you can
speed it up with a GPO push from the command line:
Win2000: secedit /refreshpolicy machine_policy /enforce
Win2003: gpupdate /force
This may still take 10 or 20 minutes to propagate. Once changes have been made, on the client, you can type: "wuauclt /detectnow" to force the client to look for updates (not necessary... but will speed things up). Once the client has gotten updates, these machines should appear on the WSUS web page under "Computers" tab. If nothing still appears, verify registry changes (listed above) have occurred. Also, I had this issue and everything looked fine. I ended up reinstalling WSUS (just WSUS - not all the prereqs), and everything worked!