WSUS synchronization fails with SoapException

Applies to: WSUS - All versions, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Symptoms


Windows Server Update Services (WSUS) synchronization fails, and you receive the following error message:

Additionally, an error message that resembles the following is logged in the WSUS log file (%ProgramFiles%\Update Services\LogFiles\SoftwareDistribution.log) on the WSUS server:

Cause


This issue occurs if the WSUS servers are configured to use the old synchronization endpoint, https://fe2.update.microsoft.com/v6. This endpoint was fully decommissioned and is no longer reachable after July 8, 2019.

Resolution


To fix the issue, change the synchronization endpoint in WSUS configuration to https://sws.update.microsoft.com.

To do this, follow these steps on the topmost WSUS server that connects directly to Microsoft Update, such as the root WSUS server in a WSUS hierarchy:

  1. Close all WSUS consoles.
  2. At an elevated PowerShell command prompt, run the following PowerShell scripts.

    Note: Don't run the scripts on a WSUS server that’s not the topmost server. If the server isn’t connected to the Internet, synchronization may fail.

    For WSUS version 3.x:

    [void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
    $server = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $config = $server.GetConfiguration()
    # Check current settings before you change them
    $config.MUUrl
    $config.RedirectorChangeNumber
    # Update the settings if MUUrl is https://fe2.update.microsoft.com/v6
    $config.MUUrl = "https://sws.update.microsoft.com"
    $config.RedirectorChangeNumber = 4002
    $config.Save();
    iisreset
    Restart-Service *Wsus* -v

    Note: WSUS servers that are running Windows Server 2008 (without the latest update) or earlier versions may be using the https://update.microsoft.com/v6 or https://www.update.microsoft.com synchronization endpoints. Because these versions of Windows don’t support SHA256 certificate authentication, use the following settings in the PowerShell scripts:

    $config.MUUrl = "https://sws1.update.microsoft.com"
    $config.RedirectorChangeNumber = 3011

    For WSUS on Windows Server 2012 and later versions:

    $server = Get-WsusServer
    $config = $server.GetConfiguration()
    # Check current settings before you change them
    $config.MUUrl
    $config.RedirectorChangeNumber
    # Update the settings if MUUrl is https://fe2.update.microsoft.com/v6
    $config.MUUrl = "https://sws.update.microsoft.com"
    $config.RedirectorChangeNumber = 4002
    $config.Save()
    iisreset
    Restart-Service *Wsus* -v

  3. Verify that WSUS synchronization succeeds.
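
The following is an added example, not part of the original Microsoft article: it applies the Windows Server 2012 and later fix only when MUUrl still points at the decommissioned endpoint, then performs step 3 by starting a synchronization and reading its result. The 60-minute timeout, the 15-second polling interval and the 30-second pause after the service restart are assumptions.

```powershell
# Added example, not from the original article. Run elevated on the topmost WSUS server.
$oldEndpoint    = 'https://fe2.update.microsoft.com/v6'  # decommissioned endpoint (from the article)
$newEndpoint    = 'https://sws.update.microsoft.com'     # replacement endpoint (from the article)
$timeoutMinutes = 60                                     # assumption: adjust to your catalog size

$server = Get-WsusServer
$config = $server.GetConfiguration()

# A downstream server takes its updates from another WSUS server; leave it alone.
if (-not $config.SyncFromMicrosoftUpdate) {
    throw 'This server synchronizes from an upstream WSUS server. Run on the topmost server.'
}

$current = ([string]$config.MUUrl).Trim().TrimEnd('/')
if ($current -eq $oldEndpoint) {
    Write-Output "Replacing $current (RedirectorChangeNumber $($config.RedirectorChangeNumber))"
    $config.MUUrl = $newEndpoint
    $config.RedirectorChangeNumber = 4002
    $config.Save()
    iisreset
    Restart-Service *Wsus* -Verbose
    Start-Sleep -Seconds 30      # assumption: time for the WSUS service to accept connections
    $server = Get-WsusServer     # reconnect after the restart
} else {
    Write-Output "MUUrl is '$current'; configuration left unchanged."
}

# Step 3: start a synchronization and poll until WSUS reports it is idle again.
$subscription = $server.GetSubscription()
$subscription.StartSynchronization()
$deadline = (Get-Date).AddMinutes($timeoutMinutes)
do {
    Start-Sleep -Seconds 15
    $status = $subscription.GetSynchronizationStatus()
} while ($status -ne 'NotProcessing' -and (Get-Date) -lt $deadline)

$last = $subscription.GetLastSynchronizationInfo()
if ($status -eq 'NotProcessing' -and $last.Result -eq 'Succeeded') {
    Write-Output "Synchronization succeeded (ended $($last.EndTime))."
} else {
    Write-Error "Synchronization did not succeed: $($last.Result) $($last.Error) $($last.ErrorText)"
}
```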

More Information


Windows Server 2008 End of Support: Are you Prepared?

On July 14th, 2015, Microsoft’s widely deployed Windows Server 2003 reached end of life after nearly 12 years of support. For millions of enterprise servers, this meant the end of security updates, leaving the door open to serious security risks. Now, we are fast approaching the end of life of another server operating system – Windows Server 2008 and Server 2008 R2, which will soon reach end of support on January 14, 2020.

Nevertheless, many enterprises still rely on Windows Server 2008 for core business functions such as Directory Server, File Server, DNS Server, and Email Server. Organizations depend on these workloads for critical business applications and to support their internal services like Active Directory, File Sharing, and hosting internal websites.

What does this mean for you?

End of support for an operating system like Windows Server 2008 introduces major challenges for organizations who are running their workloads on the platform. While a small number may be ready to fully migrate to a new system or to the cloud, the reality is that most organizations aren’t able to migrate this quickly due to time, budgetary, or technical constraints. Looking back at Windows Server 2003, even nine months after the official EOS, 42% of organizations indicated they would still be using Windows Server 2003 for 6 months or more, while the remaining 58% were still in the process of migrating off of Windows Server 2003 (Osterman Research, April 2016). The same is likely to occur with the Server 2008 EOS, meaning many critical applications will continue to reside on Windows Server 2008 for the next few years, despite the greatly increased security risks.

What are the risks?

The end of support means organizations must prepare to deal with missing security updates, compliance issues, malware defense, and other non-security bugs. You will no longer receive patches for security issues, or notifications of new vulnerabilities affecting your systems. With constant discovery of new vulnerabilities and exploits – 1,450 0days disclosed by the ZDI in 2018 alone – it’s all but guaranteed that we will see additions to the more than 1,300 vulnerabilities faced by Windows Server 2008. The lack of notifications to help monitor and measure the risk associated with new vulnerabilities can leave a large security gap.

This was the case for many organizations in the wake of the 2017 global WannaCry ransomware attack, which affected over 230,000 systems worldwide, specifically leveraging the EternalBlue exploit present in older Windows operating systems. While Microsoft did provide a patch for this, many weren’t able to apply the patches in time due to the difficulty involved in patching older systems.

What can security and IT teams do?

The most obvious solution is to migrate to a newer platform, whether that’s on-premise or using a cloud infrastructure-as-a-service offering such as AWS, Azure, or Google Cloud.

However, we know many organizations will either delay migration or leave a portion of their workloads running in a Windows Server 2008 environment for the foreseeable future. Hackers are aware of this behavior, and often view out-of-support servers as an easy target for attacks. Security teams need to assess the risk involved with leaving company data on those servers, and whether or not the data is secure by itself. If not, you need to ensure you have the right protection in place to detect and stop attacks and meet compliance on your Windows Server 2008 environment.

How can Trend Micro help?

Trend Micro Deep Security delivers powerful, automated protection that can be used to secure applications and workloads across new and end of support systems. Deep Security’s capabilities include host-based intrusion prevention, which will automatically shield workloads from new vulnerabilities, applying an immediate ‘virtual patch’ to secure the system until an official patch is rolled out – or in the case of EOS systems – for the foreseeable future.

Deep Security also helps monitor for system changes with real-time integrity monitoring and application control, and will secure your workloads with anti-malware, powered by the Trend Micro Smart Protection Network’s global threat intelligence. Deep Security’s broad platform and infrastructure support allows you to seamlessly deploy security across your physical, virtualized, cloud, and containerized workloads, protecting your end of life systems throughout and beyond your migration.


Source
https://blog.trendmicro.com/windows-server-2008-end-of-support-are-you-prepared/

OpenDns setup on Windows Server 2012 and 2012 R2

Setting up DNS Forwarding for Windows Server 2012 and 2012 R2

The basic instructions are as follows, with screenshots of what you should expect to see included below.

1. From the Start menu, start typing DNS, then select DNS from the search results.

2. Choose the server you want to edit, then select Forwarders.

3. Click the edit button.

4. Add OpenDNS addresses in the IP address list.

Please write down your current DNS settings before switching to OpenDNS, in case you want to return to your old settings for any reason.

The addresses for OpenDNS are:

  • 208.67.222.222
  • 208.67.220.220
  • 208.67.222.220
  • 208.67.220.222

5. Then click OK.

6. Click OK once more.
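
The same change can be made from PowerShell with the DnsServer module. This is an added example, not part of the OpenDNS article: it saves the current forwarders first, sets only the OpenDNS addresses that answer a test query, and restores the old forwarders if the local server can no longer resolve. The backup path, the test name example.com, and the DNS service listening on 127.0.0.1 are assumptions.

```powershell
# Added example, not from the OpenDNS article. Run elevated on the DNS server.
Import-Module DnsServer

$openDns    = '208.67.222.222', '208.67.220.220', '208.67.222.220', '208.67.220.222'
$testName   = 'example.com'                                    # constructed test query
$backupPath = Join-Path $env:TEMP 'dns-forwarders-backup.xml'  # assumed backup location

# Record the current forwarders first, so the old settings can be restored.
$previous = Get-DnsServerForwarder
$previous | Export-Clixml -Path $backupPath
$previousIps = @($previous.IPAddress | Where-Object { $_ } |
    ForEach-Object { $_.IPAddressToString })
Write-Output "Previous forwarders: $($previousIps -join ', ') (saved to $backupPath)"

# Only use resolvers this server can actually reach.
$reachable = @(foreach ($ip in $openDns) {
    try {
        Resolve-DnsName -Name $testName -Server $ip -DnsOnly -ErrorAction Stop | Out-Null
        $ip
    } catch {
        Write-Warning "No answer from $ip"
    }
})
if ($reachable.Count -eq 0) {
    throw 'No OpenDNS resolver answered; forwarders left unchanged.'
}

Set-DnsServerForwarder -IPAddress $reachable

# Confirm the local DNS service still resolves external names; restore on failure.
# Assumes the DNS service listens on 127.0.0.1.
try {
    Resolve-DnsName -Name $testName -Server 127.0.0.1 -DnsOnly -ErrorAction Stop | Out-Null
    Write-Output "Forwarders now: $((Get-DnsServerForwarder).IPAddress -join ', ')"
} catch {
    Write-Warning 'Resolution through the local server failed; restoring previous forwarders.'
    if ($previousIps.Count -gt 0) { Set-DnsServerForwarder -IPAddress $previousIps }
    else { Remove-DnsServerForwarder -IPAddress $reachable -Force }
}
```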

source:

https://support.opendns.com/hc/en-us/articles/228008907-Windows-Server-2012-and-2012-R2

How to create a virtual machine in Hyper-V

From Microsoft Website:

Create a virtual machine by using Hyper-V Manager

  1. Open Hyper-V Manager.
  2. From the Action pane, click New, and then click Virtual Machine.
  3. From the New Virtual Machine Wizard, click Next.
  4. Make the appropriate choices for your virtual machine on each of the pages. For more information, see New virtual machine options and defaults in Hyper-V Manager later in this topic.
  5. After verifying your choices in the Summary page, click Finish.
  6. In Hyper-V Manager, right-click the virtual machine and select connect.
  7. In the Virtual Machine Connection window, select Action > Start.

Create a virtual machine by using Windows PowerShell

  1. On the Windows desktop, click the Start button and type any part of the name Windows PowerShell.
  2. Right-click Windows PowerShell and select Run as administrator.
  3. Get the name of the virtual switch that you want the virtual machine to use by using Get-VMSwitch. For example,
    Get-VMSwitch  * | Format-Table Name  
    
  4. Use the New-VM cmdlet to create the virtual machine. See the following examples.

     Note

    If you may move this virtual machine to a Hyper-V host that runs Windows Server 2012 R2, use the -Version parameter with New-VM to set the virtual machine configuration version to 5. The default virtual machine configuration version for Windows Server 2016 isn't supported by Windows Server 2012 R2 or earlier versions. You can't change the virtual machine configuration version after the virtual machine is created. For more information, see Supported virtual machine configuration versions.

    • Existing virtual hard disk - To create a virtual machine with an existing virtual hard disk, you can use the following command where,
      • -Name is the name that you provide for the virtual machine that you're creating.
      • -MemoryStartupBytes is the amount of memory that is available to the virtual machine at start up.
      • -BootDevice is the device that the virtual machine boots to when it starts like the network adapter (NetworkAdapter) or virtual hard disk (VHD).
      • -VHDPath is the path to the virtual machine disk that you want to use.
      • -Path is the path to store the virtual machine configuration files.
      • -Generation is the virtual machine generation. Use generation 1 for VHD and generation 2 for VHDX. See Should I create a generation 1 or 2 virtual machine in Hyper-V?.
      • -Switch is the name of the virtual switch that you want the virtual machine to use to connect to other virtual machines or the network. See Create a virtual switch for Hyper-V virtual machines.
        New-VM -Name <Name> -MemoryStartupBytes <Memory> -BootDevice <BootDevice> -VHDPath <VHDPath> -Path <Path> -Generation <Generation> -Switch <SwitchName>  
        

        For example:

        New-VM -Name Win10VM -MemoryStartupBytes 4GB -BootDevice VHD -VHDPath .\VMs\Win10.vhdx -Path .\VMData -Generation 2 -Switch ExternalSwitch  
        

        This creates a generation 2 virtual machine named Win10VM with 4GB of memory. It boots from the folder VMs\Win10.vhdx in the current directory and uses the virtual switch named ExternalSwitch. The virtual machine configuration files are stored in the folder VMData.

    • New virtual hard disk - To create a virtual machine with a new virtual hard disk, replace the -VHDPath parameter from the example above with -NewVHDPath and add the -NewVHDSizeBytes parameter. For example,
      New-VM -Name Win10VM -MemoryStartupBytes 4GB -BootDevice VHD -NewVHDPath .\VMs\Win10.vhdx -Path .\VMData -NewVHDSizeBytes 20GB -Generation 2 -Switch ExternalSwitch  
      
    • New virtual hard disk that boots to operating system image - To create a virtual machine with a new virtual disk that boots to an operating system image, see the PowerShell example in Create virtual machine walkthrough for Hyper-V on Windows 10.
  5. Start the virtual machine by using the Start-VM cmdlet. Run the following cmdlet where Name is the name of the virtual machine you created.
    Start-VM -Name <Name>  
    

    For example:

    Start-VM -Name Win10VM  
    
  6. Connect to the virtual machine by using Virtual Machine Connection (VMConnect).
    VMConnect.exe  
    

Options in Hyper-V Manager New Virtual Machine Wizard

The following table lists the options you can pick when you create a virtual machine in Hyper-V Manager and the defaults for each.

| Page | Default for Windows Server 2016 and Windows 10 | Other options |
|---|---|---|
| Specify Name and Location | Name: New Virtual Machine. Location: C:\ProgramData\Microsoft\Windows\Hyper-V\. | You can also enter your own name and choose another location for the virtual machine. This is where the virtual machine configuration files will be stored. |
| Specify Generation | Generation 1 | You can also choose to create a Generation 2 virtual machine. For more information, see Should I create a generation 1 or 2 virtual machine in Hyper-V?. |
| Assign Memory | Startup memory: 1024 MB. Dynamic memory: not selected. | You can set the startup memory from 32MB to 5902MB. You can also choose to use Dynamic Memory. For more information, see Hyper-V Dynamic Memory Overview. |
| Configure Networking | Not connected | You can select a network connection for the virtual machine to use from a list of existing virtual switches. See Create a virtual switch for Hyper-V virtual machines. |
| Connect Virtual Hard Disk | Create a virtual hard disk. Name: <vmname>.vhdx. Location: C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks\. Size: 127GB. | You can also choose to use an existing virtual hard disk or wait and attach a virtual hard disk later. |
| Installation Options | Install an operating system later | These options change the boot order of the virtual machine so that you can install from an .iso file, bootable floppy disk or a network installation service, like Windows Deployment Services (WDS). |
| Summary | Displays the options that you have chosen, so that you can verify they are correct: Name, Generation, Memory, Network, Hard Disk, Operating System. | Tip: You can copy the summary from the page and paste it into e-mail or somewhere else to help you keep track of your virtual machines. |