All of the Server 2003 virtual machines are missing from the WSUS inventory. Poor servers… they are missing the party.
Well not really, they are still getting updates, according to the logs. However, they are not reporting in. They are party lurkers.
This is an old problem, and only took a little digging. All of our 2003 VMs came from a common VMware template. Since the template once connected to our WSUS server, it already had a unique SusID in the registry, so all the clones have the same ID.
To fix, I used the cmd script here:
I had to remove the “pause” commands, then I used “dsquery” to find all of of the relevant servers in our infrastructure:
dsquery * ou=Servers,ou=ets,ou=resources,dc=campus,dc=ad,dc=uvm,dc=edu -attr cn operatingSystem -limit 2000 > servers.txt
I isolated the Server 2003 systems from this list:
find "2003" servers.txt > 2003servers.txt
I then did some quick text processing to remove everything but the host names from the output file. The final step, we use psexec.exe from SysInternals to run the SusID reset script:
psexec.exe @2003servers.txt -s -c AU_Clean_SID.cmd
I ended up running “psexec.exe” a second time to force the “wuauclt.exe /resetauthorization /detectnow” bit a second time. Psexec.exe requires the “-d” switch when running this command remotely. I think the WUAU service needed time to get fully operational before running the authorization token reset. Perhaps a pause command would be of assistance in cmd script linked above? Anyway, all of the Server 2003 hosts have come back to the party and are socializing nicely.
For my next trick, I am going to try to match up the WUAU XP client list with our AD XP client list to see if we have a lot of silent XP systems. If we rely on standard tools, we could use a query similar to the following to extract XP computer objects with their last logon time:
dsquery * domainRoot -Filter "(&(objectclass=computer)(operatingSystem=Windows XP Professional))" -attr Name LastLogonTimeStamp -limit 20000 > xp.txt
There is an excellent cmd script here that will convert the “lastLogonTimestamp” into human-readable format.
However, it probably would be easier to use “dsquery computer domainRoot -inactive 4”, since processing of “lastLogonTimestamp” against current local time can be challenging in CMD (easier with PowerShell).