SCCM SUP 无法连接 WSUS 服务器 - 未安装 WSUS 服务器版本 3.0 SP2 或更高版本

6 月 1 日，我们的一个软件更新点无法连接到其 WSUS 服务器：

WSUS Control Manager failed to monitor WSUS Server "SCCM.ad.contoso.gov". Possible cause: WSUS Server version 3.0 SP2 or above is not installed or cannot be contacted.

日志SMS_WSUS_CONFIGURATION_MANAGER文件表明 WSUS 3.0 SP2 未安装或无法通过 SMS SUP 服务 (SMS_WSUS_CONFIGURATION_MANAGER 和 SMS_WSUS_CONTROL_MANAGER) 联系：

Error   Milestone   004 6/8/2015 5:01:30 AM SCCM.ad.contoso.gov SMS_WSUS_CONTROL_MANAGER    7003    WSUS Control Manager failed to monitor WSUS Server "SCCM.ad.contoso.gov".    Possible cause: WSUS Server version 3.0 SP2 or above is not installed or cannot be contacted.  Solution: Verify that the WSUS Server version 3.0 SP2 or greater is installed. Verify that the IIS ports configured in the site are same as those configured on the WSUS IIS website.
Error   Milestone   004 6/8/2015 5:01:30 AM SCCM.ad.contoso.gov SMS_WSUS_CONTROL_MANAGER    7000    WSUS Control Manager failed to configure proxy settings on WSUS Server "SCCM.ad.contoso.gov".    Possible cause: WSUS Server version 3.0 SP2 or above is not installed or cannot be contacted.  Solution: Verify that the WSUS Server version 3.0 SP2 or greater is installed. Verify that the IIS ports configured in the site are same as those configured on the WSUS IIS website.You can receive failure because proxy is set but proxy name is not specified or proxy server port is invalid.
Information Milestone   004 6/8/2015 4:01:39 AM SCCM.ad.contoso.gov SMS_WSUS_CONTROL_MANAGER    4609    Component Status Summarizer set the status of component "SMS_WSUS_CONTROL_MANAGER", running on computer "SCCM.ad.contoso.gov", to Critical.    Possible cause: The component is experiencing a problem.  Solution: Diagnose and fix the problem by:  1. Examining the status messages that the component reports.  2. Correcting the problem.  3. Instructing Component Status Summarizer to reset the counts of Error, Warning, and/or Informational status messages reported by the component. To reset the counts, right-click Reset Counts on the component in the Component Status summary in the Configuration Manager Console. When the counts are reset, Component Status Summarizer will change the status of the component to OK. This might take some time if site "004" is a child site.  4. Delete any unwanted status messages from the site database, if necessary.  5. Monitor the component occasionally to verify that the problem does not reoccur.    Possible cause: The component is OK and you were unnecessarily alerted because the Component Status Thresholds are set too low for the component.  Solution: Increase the Component Status Thresholds for the component using the Thresholds tab of the Component Status Summarizer Properties dialog box in the Configuration Manager Console.    Possible cause: The component is flooding the status system by rapidly reporting the same message repeatedly.  Solution: Diagnose and control the flood of status messages by:  1. Verifying that the component is actually flooding the status system. View the status messages reported by the component and verify that the same message is continually reported every several minutes or seconds.  2. Noting the Message ID of the flooded status message.  3. Creating a Status Filter Rule for site "004" that instructs Status Manager to discard the flooded status message when component "SMS_WSUS_CONTROL_MANAGER" on computer "SCCM.ad.contoso.gov" reports it.   4. Verifying that your sites' databases were not filled up by the flooded status message.  Del
Information Milestone   004 6/8/2015 4:01:39 AM SCCM.ad.contoso.gov SMS_WSUS_CONTROL_MANAGER    4605    Component Status Summarizer detected that component "SMS_WSUS_CONTROL_MANAGER", running on computer "SCCM.ad.contoso.gov", has reported 5 or more Error status messages during the Component Status Threshold Period.    Possible cause: The count equals or exceeds the Component Status Critical Threshold (5 status messages) for Error status messages for the component.  Solution: Component Status Summarizer will set the component's status to Critical in the Component Status summary in the Configuration Manager Console.

我确认 WSUS 角色确实仍安装在 SCCM.ad.contoso.gov 上；但它似乎不太健康。我无法使用 Windows Server Update Services MMC SnapIn 连接它，事件日志中充满了可追溯到 6/1 的以下错误：

PS C:\Windows\system32> Get-EventLog -LogName Application -Source "Windows Server Update Services" -After $(Date -Month 06 -Day 07)

  Index Time          EntryType   Source                 InstanceID Message
   ----- ----          ---------   ------                 ---------- -------
  267564 Jun 08 04:14  Error       Windows Server Up...        12052 The DSS Authentication Web Service is not working.
  267563 Jun 08 04:14  Error       Windows Server Up...        12042 The SimpleAuth Web Service is not working.
  267562 Jun 08 04:14  Error       Windows Server Up...        12022 The Client Web Service is not working.
  267561 Jun 08 04:14  Error       Windows Server Up...        12032 The Server Synchronization Web Service is not w...
  267560 Jun 08 04:14  Error       Windows Server Up...        12012 The API Remoting Web Service is not working.
  267559 Jun 08 04:14  Error       Windows Server Up...        12002 The Reporting Web Service is not working.
  267558 Jun 08 04:14  Warning     Windows Server Up...        10021 The catalog was last synchronized successfully ...

我确认 WsusService 确实正在运行，然后检查了 IIS：

嗯。这可能不太好。WsusPool 应用程序池可能正在运行...如果我手动启动 WsusPool，我可以通过浏览连接到 WSUS WebServices http://SCCM.ad.contoso.gov:8530/Selfupdate...然后在大约 15 分钟后应用程序池停止。

而且它还在错误的端口 (8530/8531) 上运行！大约一个月前，在 PFE 的帮助下，我们配置了这个 SUP，使其可供基于 Internet 的客户端使用。重新配置的一部分意味着 WSUS Web 服务需要重新定位到 80/443，以便它们可以通过我们的外围防火墙使用。

我没有关于我们使用的具体命令的文档，但我有理由相信它是WSUSUtil.exe 使用自定义网站 false这应该将 WSUS 从其“WSUS 管理”IIS 移回绑定在 *:80 和 *:443 下的默认网站。

再次。事实并非如此：

嗯，这可不是什么好事。看起来 WSUS 网站已经神奇地迁移回了其独立网站，因为……真有趣！如果 SCCM SUP 正在 80/443 上寻找 WSUS，而 WSUS 不再存在，难怪它无法正常工作。

如果我查看注册表项（HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup\PortNumbner）实用程序正在操纵我发现它仍然认为 WSUS 应该在 80 上运行。

也许我只是需要跑WsusUtil.exe多一次来获得更多的……乐趣？

C:\Program Files\Update Services\Tools>WsusUtil.exe usecustomwebsite false
Using port number: 80

除了... IIS 中没有任何变化。我要么不记得我们之前移动 WSUS IIS 站点的步骤，要么就是出了问题。

我确实有两个问题：

• WSUS 网站“WSUS 管理”已恢复到其安装时的配置，作为绑定到 *:8530 和 *:8531 的独立 IIS 网站，但系统底层部分认为它应该在绑定到 *:80 和 *:443 的“默认网站”下运行。
• WsusPool 应用程序池不断崩溃或停止，阻止我重新配置 SUP 点以在其原始 *:8530 和 *:8531 端口上使用 WSUS。

此时，我有点不知道如何继续解决此问题。由于明天即将发布 Microsoft Update，我真的希望尽可能避免重新安装 WSUS 角色和/或 SUP。

关于进一步排除故障有什么建议吗？