    Posts

    • N3024 can't transfer file to tftp server (Yes the path is correct and TFTP is running)

      Not sure how many of you here deal with Dell switches....

      I just got a refurb N3024P from xByte.com. I unpacked it and then booted it up and started configuring. Things have gone fine so far except I am having a lot of trouble using TFTP (of all things) to update firmware and export configs, etc.

      I do have a TFTP server running currently which I've used to grab firmware updates many times in the past for other N3000 switches. I just now tested TFTP with another N3000 switch to make sure I could export the running config to the TFTP folder as a test.txt file. It works perfectly and the file showed up right away and there were no errors.

      I attempted the same thing with my new N3024 but it just sits there and says "0 bytes transferred" and then eventually fails. I used the EXACT same command as with the other switch, except I exported to "test2.txt".

      NOTE: Yes the path is correct and yes TFTP is running on the server. I also ran Wireshark on my server and filtered for TFTP and noticed that there was no traffic at all. So it's as if TFTP is not even running on the N3024P switch..

      Commands that were used:

      console# en
      console# copy running-config tftp://192.168.10.36/Switches/filename.txt

      The switch from xByte has the same firmware as the other N3000 which I have successfully tested TFTP on:

      active: 6.3.3.8
      backup: 6.3.2.3
      current-active: 6.3.3.8
      next-active: 6.3.3.8

      Any thoughts?

      posted in IT Discussion
      dave247
    • RE: Constant WSUS issues (Connection Errors)

      @tim_g said in Constant WSUS issues (Connection Errors):

      Did you specify the WSUS group in the group policies?

      Yes, via the "Enable client side targeting" option

      posted in IT Discussion
      dave247
    • RE: Constant WSUS issues (Connection Errors)

      @dbeato said in Constant WSUS issues (Connection Errors):

      @dave247 said in Constant WSUS issues (Connection Errors):

      ok so now I have 2 Windows 10 computers that showed up, out of the 7 I added to the test group. They show up under All Computers but not the Workstations group which I've added them to.. not sure why
      [image]

      I believe the issue is with the security filtering on your GPOs, I do groups assignments by Computer OU instead.

      oh.. well that's the way I had it at first and it seemed to work (kinda). I was just following Tim_G's guide on SpiceWorks

      posted in IT Discussion
      dave247
    • RE: Constant WSUS issues (Connection Errors)

      ok so now I have 2 Windows 10 computers that showed up, out of the 7 I added to the test group. They show up under All Computers but not the Workstations group which I've added them to.. not sure why
      [image]

      posted in IT Discussion
      dave247
    • RE: Constant WSUS issues (Connection Errors)

      @tim_g said in Constant WSUS issues (Connection Errors):

      @dave247 said in Constant WSUS issues (Connection Errors):

      @tim_g said in Constant WSUS issues (Connection Errors):

      @dave247 said in Constant WSUS issues (Connection Errors):

      I have not been able to see any of my computers show up.

      If everything is set up correctly, it could take a while for computers to show up in WSUS, and show their update statuses.

      Sometimes they show up fast, sometimes they take a day. But if it's set up correctly, they WILL eventually show up.

      I set this up before a few weeks ago with a different server and I had computers show up and at that time I didn't even configure group policy or anything.. I will keep waiting though.

      Whenever you apply computer group policy, or change a computer's AD group membership (add/remove), you'll need to reboot the computer. Computer changes take effect during boot, user changes at login.

      I usually just run cmd as admin and run gpupdate /force, which usually works. I also check with gpresult /h. That being said, I did reboot things in an attempt to get them working this time.. still no dice.

      posted in IT Discussion
      dave247
    • RE: Constant WSUS issues (Connection Errors)

      @tim_g said in Constant WSUS issues (Connection Errors):

      @dave247 said in Constant WSUS issues (Connection Errors):

      I have not been able to see any of my computers show up.

      If everything is set up correctly, it could take a while for computers to show up in WSUS, and show their update statuses.

      Sometimes they show up fast, sometimes they take a day. But if it's set up correctly, they WILL eventually show up.

      I set this up before a few weeks ago with a different server and I had computers show up and at that time I didn't even configure group policy or anything.. I will keep waiting though.

      posted in IT Discussion
      dave247
    • RE: Constant WSUS issues (Connection Errors)

      Tim_G:

      I finally got back to this and made those adjustments to my wsus resource pool and it seems to work now, so that's really good. However, I am stuck again with getting computers to show up in my wsus group. I have followed your guide and:

      1. Made a group in AD called "wsus workstations" and added some machines to test with
      2. Created a GPO called "wsus workstations policy" and changed security filtering to apply to the wsus workstations group
      3. Created a group in wsus called "workstations" and then pointed my wsus workstations policy GPO's "Enable client side targeting" and pointed it to the workstations wsus group.

      I have not been able to see any of my computers show up.

      EDIT: I've been thinking about it.. I'm not 100% clear on where to actually put my WSUS group policy. At first, I added it to a test OU which had some computers I put in there for testing. However, since I've specified that the GPO is to apply to the wsus workstations group, I don't think it matters where I put it now, does it? My wsus workstations group is in a completely different OU than the workstations or the GPO. It's been a little while since I worked on group policy so I've just realized that I'm a bit rusty.. however, maybe this is part of why it's not working...

      Also, I am thrown off by what you mean in this part of your guide:

      NOTE: Updates will NOT install and your server will NOT reboot unless you go into the WSUS console, and specifically approve updates to the WSUS group you specified in this policy.
      In simple terms, just make sure you do NOT approve updates in WSUS, and your servers/clients will be fine.

      It seems like you're saying both do and do not approve updates in wsus. I don't get it.

      posted in IT Discussion
      dave247
    • RE: Constant WSUS issues (Connection Errors)

      delete me

      posted in IT Discussion
      dave247
    • RE: Constant WSUS issues (Connection Errors)

      @dbeato said in Constant WSUS issues (Connection Errors):

      @dave247 said in Constant WSUS issues (Connection Errors):

      @dbeato said in Constant WSUS issues (Connection Errors):

      @dave247 said in Constant WSUS issues (Connection Errors):

      @dbeato said in Constant WSUS issues (Connection Errors):

      @dave247 said in Constant WSUS issues (Connection Errors):

      already purchased Desktop Central from ManageEngine a while back.. that was in the thousands.. however, we got an IT audit and it showed that we were missing a lot of past updates. When doing a Windows Update search on the host itself, I often find that it discovers missing updates. When I check DesktopCentral, it says it's not missing updates. Checking with DesktopCentral support, they tell me that Windows updates and patches can supersede old ones. Based on research and shit, I think it's just a matter of the Windows registry making it appear that we are missing updates. However, I still think some of my machines are actually missing updates. Hence why I want to use WSUS to comb through my systems with Microsoft's own product, to try to find any missing updates, vs doing it manually.
      It seems like no matter what I do though, this is going to be a huge pain in my assholes.

      Alright, so what are the RAM and Storage on this server? What CPU resources have you provided to this system?

      Also take a look at Adamj's WSUS Script
      http://www.adamj.org/clean-wsus.html
      https://community.spiceworks.com/scripts/show/2998-wsus-automated-maintenance-formerly-adamj-clean-wsus

      Dell PowerEdge R420
      CPU: Xeon E5-2430 @ 2.20 GHz (2 Processors)
      RAM: 56.0 GB

      I will check out those scripts here shortly.

      You have a Hardware Host Dedicated to WSUS? What else is on this server?

      Yes, this server is set up as a dedicated WSUS server and a fresh install of Server 2016 and the WSUS role (if anything just to test and try out WSUS). Nothing else running on here at all.

      WOW, I would waste that much on a WSUS Server, I would have setup a VM on a Hyper-V Server 2016 Host and use a VM with 2 vCPU, 16 GB RAM and 500 GB of space.

      ok, I really don't want to get off topic like this... I am just trying to get WSUS to work to try it out and see how well I can manage Windows updates. I haven't even activated Windows 2016 because I plan to move this to a virtual machine later. It's not the point. Again, this is just to try out WSUS and get it working, which I have yet to do.

      posted in IT Discussion
      dave247
    • RE: Constant WSUS issues (Connection Errors)

      @dbeato said in Constant WSUS issues (Connection Errors):

      @dave247 said in Constant WSUS issues (Connection Errors):

      @dbeato said in Constant WSUS issues (Connection Errors):

      @dave247 said in Constant WSUS issues (Connection Errors):

      already purchased Desktop Central from ManageEngine a while back.. that was in the thousands.. however, we got an IT audit and it showed that we were missing a lot of past updates. When doing a Windows Update search on the host itself, I often find that it discovers missing updates. When I check DesktopCentral, it says it's not missing updates. Checking with DesktopCentral support, they tell me that Windows updates and patches can supersede old ones. Based on research and shit, I think it's just a matter of the Windows registry making it appear that we are missing updates. However, I still think some of my machines are actually missing updates. Hence why I want to use WSUS to comb through my systems with Microsoft's own product, to try to find any missing updates, vs doing it manually.
      It seems like no matter what I do though, this is going to be a huge pain in my assholes.

      Alright, so what are the RAM and Storage on this server? What CPU resources have you provided to this system?

      Also take a look at Adamj's WSUS Script
      http://www.adamj.org/clean-wsus.html
      https://community.spiceworks.com/scripts/show/2998-wsus-automated-maintenance-formerly-adamj-clean-wsus

      Dell PowerEdge R420
      CPU: Xeon E5-2430 @ 2.20 GHz (2 Processors)
      RAM: 56.0 GB

      I will check out those scripts here shortly.

      You have a Hardware Host Dedicated to WSUS? What else is on this server?

      Yes, this server is set up as a dedicated WSUS server and a fresh install of Server 2016 and the WSUS role (if anything just to test and try out WSUS). Nothing else running on here at all.

      posted in IT Discussion
      dave247
    • RE: Constant WSUS issues (Connection Errors)

      @dbeato said in Constant WSUS issues (Connection Errors):

      @dave247 said in Constant WSUS issues (Connection Errors):

      already purchased Desktop Central from ManageEngine a while back.. that was in the thousands.. however, we got an IT audit and it showed that we were missing a lot of past updates. When doing a Windows Update search on the host itself, I often find that it discovers missing updates. When I check DesktopCentral, it says it's not missing updates. Checking with DesktopCentral support, they tell me that Windows updates and patches can supersede old ones. Based on research and shit, I think it's just a matter of the Windows registry making it appear that we are missing updates. However, I still think some of my machines are actually missing updates. Hence why I want to use WSUS to comb through my systems with Microsoft's own product, to try to find any missing updates, vs doing it manually.
      It seems like no matter what I do though, this is going to be a huge pain in my assholes.

      Alright, so what are the RAM and Storage on this server? What CPU resources have you provided to this system?

      Also take a look at Adamj's WSUS Script
      http://www.adamj.org/clean-wsus.html
      https://community.spiceworks.com/scripts/show/2998-wsus-automated-maintenance-formerly-adamj-clean-wsus

      Dell PowerEdge R420
      CPU: Xeon E5-2430 @ 2.20 GHz (2 Processors)
      RAM: 56.0 GB
      Storage: Data volume is 1.72 TB (with only about 40 GB used)

      I will check out those scripts here shortly.

      posted in IT Discussion
      dave247
    • RE: Constant WSUS issues (Connection Errors)

      @momurda said in Constant WSUS issues (Connection Errors):

      WSUS is your only option. Yes it sucks.
      Unless you want to pay many thousands for a 3rd party solution.
      Delete that corrupt profile. Use that script.

      Well we already purchased Desktop Central from ManageEngine a while back.. that was in the thousands.. however, we got an IT audit and it showed that we were missing a lot of past updates. When doing a Windows Update search on the host itself, I often find that it discovers missing updates. When I check DesktopCentral, it says it's not missing updates. Checking with DesktopCentral support, they tell me that Windows updates and patches can supersede old ones. Based on research and shit, I think it's just a matter of the Windows registry making it appear that we are missing updates. However, I still think some of my machines are actually missing updates. Hence why I want to use WSUS to comb through my systems with Microsoft's own product, to try to find any missing updates, vs doing it manually.

      It seems like no matter what I do though, this is going to be a huge pain in my assholes.

      posted in IT Discussion
      dave247
    • RE: Constant WSUS issues (Connection Errors)

      @jaredbusch said in Constant WSUS issues (Connection Errors):

      @dave247 said in Constant WSUS issues (Connection Errors):

      1. Why does it suck?

      Because the WSUS instance itself needs maintenance weeklyish or it bogs down and pukes.

      2. What else would you recommend for managing Windows updates that doesn't suck?

      Sadly, no. I let Windows do it and just force reboots weekly.
      This does not help you and your need for compliance reporting.

      ok well I have a bunch of servers and workstations and I'd like to be able to have some form of management over the updates. Also, I don't want to have them all reaching out to Microsoft to download updates..

      posted in IT Discussion
      dave247
    • RE: Constant WSUS issues (Connection Errors)

      @jaredbusch said in Constant WSUS issues (Connection Errors):

      WSUS sucks to manage. Good luck.

      Well hey there Mr helpful.

      1. Why does it suck?
      2. What else would you recommend for managing Windows updates that doesn't suck?
      posted in IT Discussion
      dave247
    • RE: Constant WSUS issues (Connection Errors)

      @momurda said in Constant WSUS issues (Connection Errors):

      Did you do this:
      Try removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC. System.IO.IOException -- The handshake failed due to an unexpected packet format.

      Other thing to try is the "Last WSUS Script Youll Ever Need" from Overdrive on SW, or whatever he calls it now.
      https://community.spiceworks.com/scripts/show/2998-wsus-automated-maintenance-formerly-adamj-clean-wsus

      lmao no, my eyes just glossed over after reading part way through the event log. I'm so used to them not helping me... I just deleted it, so I'll see if that helps. Checking out the script now too.

      posted in IT Discussion
      dave247
    • Constant WSUS issues (Connection Errors)

      Where I work, we've been using a 3rd party tool for Windows OS updates and patches. It has had issues for a while and I'm sick of dealing with it, so now I'm finally getting my feet wet with WSUS.

      I added the WSUS role to a 2012 R2 server we already have running and I completed the initial setup and configuration and let it download updates for the products I specified. Then after it was done, and before I could do anything else, I started getting this error:

      [image]

      So I rebooted a few times, googled it, removed and re-added the role as well as increased the memory limit on the resource pool in IIS, tried turning off Windows firewall, etc, but I still got the error.

      I eventually decided to set up a brand new Windows Server 2016 on a spare server I have, solely for WSUS and ran through the setup process again, this time, using Tim_G's guide. I got to about "Step 4: Configure WSUS" when I got the same connection error again.

      I'm not sure why this is happening, especially when the server is a brand new install, and it's already downloaded updates. This brand new server doesn't even have any group policy applied to it yet, as I've just joined it to the domain, FWIW.

      Another screenshot:
      [image]

      I did notice some warnings in Event Viewer under Applications, event ID 7032:

      The WSUS administration console was unable to connect to the WSUS Server via the remote API.
      Verify that the Update Services service, IIS and SQL are running on the server. If the problem persists, try restarting IIS, SQL, and the Update Services Service.
      The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists, Try removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC. System.IO.IOException -- The handshake failed due to an unexpected packet format.

      I guess the item listed in the event log is the reason for the connection error, but I have no idea why it's happening. I have been messing with this all week and I can't seem to get WSUS to bloody work.

      posted in IT Discussion
      dave247
    • RE: Trying to understand this particular VLAN configuration (Dell N3000 & SonicWall)

      @dashrender said in Trying to understand this particular VLAN configuration (Dell N3000 & SonicWall):

      @dave247 said in Trying to understand this particular VLAN configuration (Dell N3000 & SonicWall):

      My confusion:

      • In the switch config, why does VLAN 200 have "tagged" added next to the command but 2 does not?

      Not sure

      • I thought VLANs were always tagged (except the default VLAN) and that's how traffic was differentiated

      VLANs aren't always tagged. The port that traffic is on can dictate what VLAN that traffic is on, just the same as the default VLAN.

      • I don't understand how VLAN 2 and the data VLAN could both be untagged and still separated as VLANs

      In your case, you don't have two different pieces of traffic untagged. Untagged traffic from the connected device on those ports is tagged by the switch with VLAN 2 tags via the switchport general pvid 2 command.

      • I do see that the PVID of each port is set to 2, and that each port allows traffic from 2 and 200. So based on this, I am assuming that VLAN 2 and 200 are tagged from the perspective of the switch, but only 200 is tagged from the perspective of the SonicWall.

      Correct. VLAN 2 is handled purely inside the switch.

      • Does this mean that the switch is tagging only VLAN 2 and the SonicWall is tagging only VLAN 200, but the switch is allowing traffic from both VLAN 2 and 200?

      Correct. The switch is adding tags to VLAN 2 packets.

      So it's kinda like a VLAN within a VLAN, or a sub-VLAN?.. ugh idk why this is so hard to comprehend for me 😢

      posted in IT Discussion
      dave247
    • Trying to understand this particular VLAN configuration (Dell N3000 & SonicWall)

      Hi guys, I'm an idiot trying to wrap my head around VLANs, specifically with one particular configuration I have set up. First thing, this has been set up for a while now and it's working fine, as I had help from Dell support. I'm just not 100% clear on how this works.

      Overview: I set up two VLANs, one for corporate wifi and the other for guest. Two SonicPoints (wifi access points) connect directly to specifically configured ports on the switch, then a third port connects to X3 on the SonicWall. I then can further apply rules to each wifi zone from the SonicWall.

      SonicWall firewall (which has these zones of interest):

      LAN: X1
      WLAN: X3
      WLAN-Guest: X3:V200

      PowerConnect N3048P:

      VLAN 0: Default data VLAN (not tagged)
      VLAN 2: Corp wifi
      VLAN 200: Guest wifi

      Here are the port configurations on the switch. The first two connect to SonicPoint access point units, and the third connects to X3 of the SonicWall:

      interface Gi5/0/25
      switchport mode general
      switchport general pvid 2
      switchport general allowed vlan add 2
      switchport general allowed vlan add 200 tagged
      exit
      !
      interface Gi5/0/27
      switchport mode general
      switchport general pvid 2
      switchport general allowed vlan add 2
      switchport general allowed vlan add 200 tagged
      exit
      !
      interface Gi5/0/29
      switchport mode general
      switchport general pvid 2
      switchport general allowed vlan add 2
      switchport general allowed vlan add 200 tagged
      exit

      My confusion:

      • In the switch config, why does VLAN 200 have "tagged" added next to the command but 2 does not?
      • I thought VLANs were always tagged (except the default VLAN) and that's how traffic was differentiated
      • I don't understand how VLAN 2 and the data VLAN could both be untagged and still separated as VLANs
      • I do see that the PVID of each port is set to 2, and that each port allows traffic from 2 and 200. So based on this, I am assuming that VLAN 2 and 200 are tagged from the perspective of the switch, but only 200 is tagged from the perspective of the SonicWall.
      • Does this mean that the switch is tagging only VLAN 2 and the SonicWall is tagging only VLAN 200, but the switch is allowing traffic from both VLAN 2 and 200?
      posted in IT Discussion
      dave247
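
The tagging behaviour discussed in the VLAN thread above, as an added example (not code from the posts or from Dell): a small Python model of a general-mode port that parses two of the posted stanzas and follows untagged and tagged frames from a SonicPoint port to the SonicWall port. It assumes ingress filtering is enabled and that a VLAN added without a keyword is an untagged member, as the replies describe; `GeneralPort`, `parse_ports` and `forward` are hypothetical names.

```python
import re
from dataclasses import dataclass, field

# Two of the three stanzas from the post: an access-point port and the X3 uplink.
CONFIG = """\
interface Gi5/0/25
switchport mode general
switchport general pvid 2
switchport general allowed vlan add 2
switchport general allowed vlan add 200 tagged
exit
!
interface Gi5/0/29
switchport mode general
switchport general pvid 2
switchport general allowed vlan add 2
switchport general allowed vlan add 200 tagged
exit
"""

@dataclass
class GeneralPort:
    name: str
    pvid: int = 1  # assumption: 802.1Q default; the posted stanzas always set it
    untagged: set = field(default_factory=set)
    tagged: set = field(default_factory=set)

    def ingress(self, tag):
        """VLAN a received frame is placed in (tag=None means no 802.1Q header),
        or None if the port is not a member of that VLAN (frame dropped)."""
        vlan = self.pvid if tag is None else tag
        return vlan if vlan in (self.untagged | self.tagged) else None

    def egress(self, vlan):
        """How a frame in `vlan` leaves this port: 'untagged', 'tagged' or None."""
        if vlan in self.untagged:
            return "untagged"
        return "tagged" if vlan in self.tagged else None

def _vlans(spec):
    """Expand a VLAN list such as '2', '2,200' or '10-12' into a set of IDs."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_ports(text):
    """Build GeneralPort objects from 'switchport general ...' lines."""
    ports, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface (\S+)", line):
            cur = ports.setdefault(m[1], GeneralPort(m[1]))
        elif line in ("exit", "!"):
            cur = None
        elif cur and (m := re.fullmatch(r"switchport general pvid (\d+)", line)):
            cur.pvid = int(m[1])
        elif cur and (m := re.fullmatch(
                r"switchport general allowed vlan add (\S+)(?: (tagged|untagged))?", line)):
            vlans = _vlans(m[1])
            if m[2] == "tagged":
                cur.tagged |= vlans
                cur.untagged -= vlans
            else:  # no keyword: untagged member (assumption stated above)
                cur.untagged |= vlans
                cur.tagged -= vlans
    return ports

def forward(in_port, tag, out_port):
    """Follow one frame through the switch: (vlan, egress form) or None if dropped."""
    vlan = in_port.ingress(tag)
    form = out_port.egress(vlan) if vlan is not None else None
    return (vlan, form) if form else None

if __name__ == "__main__":
    ports = parse_ports(CONFIG)
    ap, fw = ports["Gi5/0/25"], ports["Gi5/0/29"]
    for tag in (None, 200, 300):  # untagged corp traffic, tagged guest, non-member VLAN
        print(f"in tag={tag!s:>4} -> {forward(ap, tag, fw)}")
```

Untagged frames are kept apart from VLAN 200 only by the port's PVID, so which VLAN untagged traffic lands in is decided entirely by which switch port a device is plugged into.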
    • RE: Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

      @tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      Can we get a photo of the checklist with ur info scratched out?

      That way we have what you have to go off of, and no more assumptions need to be made.

      We need the complete context to give accurate recommendations.

      I will have to get it from my boss. My boss only verbally told me about this and then sent me a snippet of the suggested solution which I transcribed and posted here.
      [image]

      I see.

      But we can't really use that.

      We need to see the actual requirement, and for all we know that is just one of many possible recommendations for complying with some unknown requirements.

      Right. I just provided that because that's what my boss provided me as it related to the auditors in that it is one of the solutions they provide on the matter -- a solution which I had completely un-done when I had enough of dealing with static IPs and rolled out DHCP again.

      posted in IT Discussion
      dave247
    • RE: Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

      @tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      Can we get a photo of the checklist with ur info scratched out?

      That way we have what you have to go off of, and no more assumptions need to be made.

      We need the complete context to give accurate recommendations.

      I will have to get it from my boss. My boss only verbally told me about this and then sent me a snippet of the suggested solution which I transcribed and posted here.
      [image]

      posted in IT Discussion
      dave247