User Groups – Q4-2008 LANDesk Support Update. The LANDesk Community.
Post on 19-Dec-2015
User Groups – Q4-2008
LANDesk Support Update
The LANDesk Community
Community – Overview
LANDesk Community is the people who use our products
› LANDesk support team, developers and SEs
› Partners / ESPs
› Customers
Everyone who uses our product has different knowledge
Combined knowledge of these people is a very valuable resource
Purpose of Community is to enable these people to share knowledge with each other
› Everyone gets smarter
Community - Website
Best source of technical information for people who use LANDesk products
One website combines knowledgebase, forums, downloads, blogs, and support portal
› Shared login
› Ability to search all content from one place
› Available to EVERYONE
Community - Forums
Anyone can post a question, anyone can answer it
Easy to collaborate with experts
Learn from fellow customers and their real-world examples, experience, and best practices
› (50% of answers provided in the community are from people who don’t work for LANDesk)
Reputation system to recognize top contributors
› People who ask the questions decide which answers are best and reward points accordingly
Community - Knowledgebase
Content includes:
› Solutions to incidents reported to support team
› BKM documents and troubleshooting guides
› Tips and tricks from customers and partners
Interactive knowledge
› Anyone can contribute knowledgebase content (even you!)
› Users can comment on articles – automatically notifies the article author to review the comment and article
› Users can rate articles – highest rated articles have increased visibility
Community – Support Portal
LANDesk PMA/EMA customers can use the support portal to open and manage incidents with the Customer Support team
Integrating the portal with the community site enables single sign-on across both systems
› Access the portal at: http://community.landesk.com/support/community/portal
Suggestions for improvement are ALWAYS welcome
Agent Installation Issues
Agent Install Top Issues
Machine no longer detected in the console after upgrade
Running uninstallwinclient.exe does not remove all services
One or more services (policy.invoker, TMCsvc, etc) are missing
Inventory scans aren't being sent to the core server after agent upgrade
Agent Issues - The Problem
The Microsoft API calls LANDesk uses for agent updates do not allow children of a given process to kill a parent process that has an open socket. This may cause problems during agent upgrade because of the Alerting functionality, which may have inherited rights to the parent socket if it is in use. When the Alerting Agent (collector.exe) cannot be stopped, this process keeps the CBA agent from fully stopping, and thus when the uninstall attempts to run, only part of the CBA agent is removed.
This essentially means that since we launch the upgrade process with residentagent.exe, we can’t kill the process to update it because it is now the parent of the update process. This problem will cause different end results, as indicated by the previous slide.
Agent Issues – The Fix
http://community.landesk.com/support/docs/DOC-4449
LANDesk now recommends using Advance Agent for ALL agent upgrades for 8.7 and 8.8 because of the aforementioned parent / child termination problem. Since Advance Agent runs its own service, all components / services of the existing installed agent can be terminated and upgraded.
This post SP2 patch should also be applied: http://community.landesk.com/downloads/patch/CLN-977388.2-2.zip
Read the FAQ: http://community.landesk.com/support/docs/DOC-4686
How to troubleshoot Integrated Security Remote Control
Troubleshooting Process
Step 1 - Verify the security type is set to 9.
Step 2 - Obtain all the logs.
Step 3 - Determine where in the integrated security process the failure is occurring.
Step 4 - Search the Community for Errors
Step 1 – Verify the security type is 9
On the Agent workstation, check the following key in the registry:
HKLM\Software\Intel\LANDesk\WUSER32
DWORD: SecurityType
Step 2 – Obtain all the logs
Viewer Logs
Remote Console Logs
Filename | Default Path | Description
Console.exe.log | ManagementSuite (on the console) | Logs Console activity.
Connection Messages.txt | n/a – In the Remote Control ISSCNTR.EXE interface. | Logs the attempt to connect and authenticate and the result.
Web Console Logs
Filename | Default Path | Description
Connection Messages.txt | n/a – In the Remote Control ISSCNTR.EXE interface. | Logs the attempt to connect and authenticate and the result.
Client Logs
Filename | Default Path | Description
Issuser.log | C:\Program Files\LANDesk\LDClient | Logs any attempts made to remote control the client.
Isswuser32.log | C:\Program Files\LANDesk\LDClient | This log must be manually created to enable verbose logging.
Alertlog.xml | C:\Program Files\LANDesk\Shared Files\cbaroot\alert\queue | XML file where each alert that is sent is stored.
Alert.log | C:\Program Files\LANDesk\Shared Files | Log for alert.exe. Logs any alert transmissions.
Core Server Logs
Filename | Default Path | Description
exYYMMDD.log | C:\Windows\System32\LogFiles\W3SVC1 | IIS log. Logs traffic to web server.
w3wp.exe.log | C:\Windows\System32\InetSrv | Log for the web service process w3wp.exe. Each application pool has a w3wp.exe process and can log to this file.
UserValidatorErrLog.txt | \ManagementSuite | Any failed attempts by the web service or LANDesk1 Com+ Application to enumerate groups on the domain are logged here.
LANDesk.ManagementSuite.Information.log | \ManagementSuite\Log | Logs the signing of the signed rights document.
Step 3 - Determine where the failure occurs
The LANDesk Remote Control Process
Remote Control Viewer connects to agent on port 9535.
Agent responds with security type 9 which means Integrated Security.
Console contacts the Core Server’s RemoteControlServices.asmx web service
Note: Please review this Community Article:
Understanding Remote Control User Authentication
http://community.landesk.com/support/docs/DOC-4670
The Core Server queries for rights from the database for the user.
The Core Server sends an ldping to the client and requires a response.
The Core Server checks if user is in the Managementsuite group.
Note: the LANDesk1 COM+ Application identity is used to enumerate groups on the domain. Any failures to enumerate groups on the domain are logged to this file: UserValidatorErr.txt. Troubleshooting this is the same as troubleshooting the Unable to Validate errors when opening the web console:
LDMS 8.8 Matrix for successful authentication when logging into the Web Console
http://community.landesk.com/support/docs/DOC-3020
Core Server sends the signed rights document to the Remote Control Viewer.
If permission is granted in the signed rights document, the Remote Control Viewer is allowed to establish a session with the agent.
Step 4 – Search the Community
If you find an error, such as the following:
ERROR on 10/31/2008 12:13:11 PM with user CALDOR\Administrator, and core vm88:
GetGroupUsers() : NetGroupGetUsers failed with an ERROR_LOGON_FAILURE code. IIS may not have permission to query the domain for group information.
Then search the Community for “NetGroupGetUsers failed”, and you will find these and more articles:
Doc-3012 - The account used for the LANDesk1 COM+ Application Identity is locked
Doc-3006 - User is in a nested Active Directory Security Group - Global group with default LANDeskComPlus identity
LANDesk Antivirus
Using LANDesk Antivirus over WAN links
Option added for “View as report” in Antivirus Activity and status information Window.
Using LANDesk Antivirus over WAN links:
To make this work effectively you should read the following community article:
http://community.landesk.com/support/docs/DOC-3197
And apply the following patch: AV-2079588.2
Option added for “View as Report” in Antivirus Activity and status information window.
Patch AV-1265688.2 adds this right-click reporting option.
LANDesk Power Management
LANDesk Power Management FAQ: http://community.landesk.com/support/docs/DOC-3237
How LANDesk Power Management Works:
http://community.landesk.com/support/docs/DOC-4592
LANDesk Inventory and Software Monitoring
Limit/Prevent Software Scanning
[Exclude Folders]
/RSS /F-
http://community.landesk.com/support/docs/DOC-4464
SLM Office Data is incorrect
Main office suite data is correct
Office applications that are not part of the main suite and are not the same version as the main suite will report incorrect usage data
http://community.landesk.com/downloads/patch/SLM-2027487.6-2.zip
LANDesk File Downloading
Why add Downloading Technologies
Reduce WAN traffic
If download is interrupted do not lose the work that was done
Allow for distributed environment
Allow machines to get packages while out of network – LANDesk Management Gateway
Do not disturb other network traffic
Pre-stage packages to allow for faster deployments with less user disruption
Allow for authenticated share access
Downloading Technologies
Checkpoint Restart
Targeted Multicast
Local cache
Peer to Peer
Subnet Aware Downloading
Preferred Server
Bandwidth throttling
Dynamic Bandwidth Throttling
Run From Source
Downloading to Clients through the Gateway
Check Point Restart
LANDesk downloads use a byte level check point restart
› HTTP and UNC both use this technology
› If a file download is interrupted then on resume the download will restart at the failed byte
› What a partial looks like in SDMCache on the client
@@partial@@firefox.exe
Targeted Multicast
› A Multicast domain is discovered
› A Multicast Representative for the domain is selected
› The files are Unicast to the Rep and then Multicast to the Domain
› Multicast packets have TTL set to 1 and cannot cross a router
Common Issues
› Additional files failed to download
Cause 1: The TMC is UDP based and if packets are lost then the machine will fail out of the Task.
Cause 2: TMC is multicast traffic and requires that the switches and OS be using the same version of IGMP
› XP SP2 updated the version of IGMP causing many failures in Multicast
Cause 3: Switches isolated Multicast traffic, causing discovery to find more Multicast subnets than actual subnets
As a UDP based protocol, packets are sent multiple times to increase the robustness and reliability of Multicast.
Local Cache
The agent installation creates a folder
› \\Client\Program Files\LANDesk\Ldclient\SDMCache
This folder is used as a temporary storage location for files that are being transferred
Files are cleaned out of this folder automatically
› Defaults are 2 days for clients and 14 days for MDR
MDR is only used in TMC task
Files in this folder and registered with the TMC service can be peer downloaded
Peer to Peer
When the agent needs a file, a file discovery packet is sent to local peers
› Peers respond with percentage of requested file in cache
› If multiple peers have the file then the fastest response time is taken
Peer will only allow 7 remote peer connections
Peer to Peer
Peer to peer downloading
› Always attempted
› If peer only is selected install will fail if not available on the local subnet
Issues
› Selecting Peer download only in the Advance agent
If peer only is selected, make sure to Pre-cache the file
› The files have timed out and been deleted from the SDMCache
Peer to Peer File Discovery
TMC Service
› Listens for File requests
› File requests are verified against the files registered with the TMC service
› When LANDesk downloads the file the file is automatically registered
› If a file is to be manually added to the folder
Stop the LANDesk Targeted Multicast service
Add the files
Start the Service
What is registered on a client
› Registrations are stored in the registry key
HKLM\software\Intel\LANDesk\LDWM\Distribution\Multicast\Cache files
Peer aware downloading
[Flowchart. Labels: Start; Need more data? (No: Done; Yes: Send file discovery message); Response? (No: Download from source); Peer has more of file?; Peer is downloading?; Download from peer]
Overview
Order of locations attempted
› Local cache
› Peer
› Preferred server
› Source
Subnet Aware Download
Peer aware downloading
› Limits remote downloading to a single computer
› Collective bandwidth usage
Configured in Delivery methods
Subnet Rep & Peer Download
[Diagram. Labels: Core Server, routers, L2 switches, 256k and T1 links, client machines marked ON or OFF]
Step 1: LANDesk administrator schedules distribution to clients across the enterprise
Step 2: The best Subnet Representative is selected in each subnet
Step 3: Subnet Representative begins the download of the package(s)
Step 4: Other targeted machines start to pull from another machine that already has parts of the package in its cache.
Step 5: If the best Subnet Representative fails or stops, another machine will pick up where it left off and become the new Subnet Representative
Step 6: Machines that were off turn on and are back on the network. They check with the Core Server for policies required and missed by the client.
Preferred Server
This was designed to allow for distributed staging servers
› Allow for authentication
› Allow for clients to find the best Staging server
› Invisible to the client when it is redirected
› Allow for servers to only work for specific subnets
Preferred Server
Ldredirect is the file responsible for this
Shares must be the same name
› Directory structure must be the same on source and preferred server
Configured at the core
› Didn’t want passwords from web console going over HTTP
› Accessed from Preferred Server menu option in console
› Passwords are only on the Core and the Client makes a request to the Core to access a share
Preferred servers
Controlling how many servers are detected
› Can be from 0 (don’t use) to 7
› Registry value listed in ntstacfg.in#
› SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareDistribution\DynamicPreferredServers
Preferred Servers
Clients track which Preferred Servers were used
› Ldredirect favors servers that had the file
› Temporary in memory history
Cleared periodically (default 1 hour)
Cleared when application exits
Preferences configured via the registry (in ntstacfg.in#)
› SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareDistribution
› ServerHistoryUseCount
Defaults to 3, minimum number of times server must be used in order to be more preferred
› ServerHistoryCacheTime
Defaults to 3600 seconds, the amount of time to remember that a server was used.
Preferred Servers
Building the list on the Client
› Cached server usage first, servers used more than the minimum number of times first
Server used most is first
Will not be repeated in list
› Append dynamic preferred servers
› Append preferred servers from registry
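The list-building rules from the two Preferred Servers slides above, modeled as an added Python example (not LANDesk's Ldredirect code). All function, parameter and host names are hypothetical; treating the minimum use count as `>=` and placing below-threshold cached servers ahead of the dynamic ones are assumptions where the slides are ambiguous.

```python
# Added illustration, not LANDesk code: models the ordering rules on the slides.
from collections import Counter

SERVER_HISTORY_USE_COUNT = 3      # slide default: minimum uses to be "more preferred"
SERVER_HISTORY_CACHE_TIME = 3600  # slide default: seconds a use is remembered
MAX_DYNAMIC_SERVERS = 7           # slide: DynamicPreferredServers ranges 0..7


def build_server_list(history, dynamic, registry, now,
                      use_count=SERVER_HISTORY_USE_COUNT,
                      cache_time=SERVER_HISTORY_CACHE_TIME,
                      dynamic_limit=MAX_DYNAMIC_SERVERS):
    """Return the ordered, duplicate-free list of servers to try.

    history  -- (server, unix_time) records of past uses (in-memory history)
    dynamic  -- dynamically detected preferred servers, in detection order
    registry -- preferred servers configured in the registry
    """
    # Only uses inside the ServerHistoryCacheTime window still count.
    uses = Counter(name.lower() for name, ts in history
                   if 0 <= now - ts <= cache_time)

    # Assumption: a server is "more preferred" once its count >= use_count.
    proven = [s for s in uses if uses[s] >= use_count]
    others = [s for s in uses if uses[s] < use_count]
    # Most-used first; ties broken by name so the order is deterministic.
    proven.sort(key=lambda s: (-uses[s], s))
    others.sort(key=lambda s: (-uses[s], s))

    # 0 disables dynamic servers entirely; values above 7 are clamped.
    dynamic_limit = max(0, min(dynamic_limit, MAX_DYNAMIC_SERVERS))
    ordered, seen = [], set()
    for name in proven + others + list(dynamic)[:dynamic_limit] + list(registry):
        key = name.lower()   # host names compare case-insensitively
        if key not in seen:  # "will not be repeated in list"
            seen.add(key)
            ordered.append(key)
    return ordered


# Constructed sample data (not from the slides).
SAMPLE_NOW = 10_000
SAMPLE_HISTORY = [
    ("stage-a", 9_900), ("stage-a", 9_800), ("stage-a", 9_700),
    ("stage-b", 9_950), ("stage-b", 9_940), ("stage-b", 9_930), ("stage-b", 9_920),
    ("stage-c", 9_990),
    ("stage-d", 1_000),  # older than the cache time, so it is forgotten
]
SAMPLE_DYNAMIC = ["STAGE-C", "stage-e"]
SAMPLE_REGISTRY = ["stage-a", "stage-f"]

if __name__ == "__main__":
    print(build_server_list(SAMPLE_HISTORY, SAMPLE_DYNAMIC, SAMPLE_REGISTRY, SAMPLE_NOW))
```

Once the history window has passed, the same call falls back to dynamic servers followed by the registry list, which is the behaviour to expect after the periodic clear described on the previous slide.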
Synchronizing Preferred Servers
Example: http://community.landesk.com/support/docs/DOC-2288
To synchronize the content of the core server and a preferred server using the robocopy utility do the following:
1. In the Management Suite Console go to Tools | Distribution | Manage Scripts. Create a new custom script with the following line:
[MACHINES]
LocExec1=C:\progra~1\landesk\managementsuite\ldlogon\packages\robocopy\Robocopy.exe \\<your core server>\ldlogon\packages \\<PreferedServer>\ldlogon\packages /mir /IPG:3
Save the script with the desired name.
2. Download the robocopy utility from Microsoft's web site. The utility is part of the Windows Resource Kit. At this time the URL to download the Windows Resource kit is:
http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en
Copy the robocopy.exe file to the location specified in the script. In the example above, it is c:\program files\LANDesk\ManagementSuite\ldlogon\packages\robocopy.
3. Check that the scheduler service is running as a user that has rights to the preferred server share. Preferably the scheduler service should run as a domain admin account. To change the user account that the scheduler service runs as, on the core server go to Configure | Services | Scheduler tab | Change Login. Use the format of domain\user when entering the credentials.
4. The same directory structure must exist on the preferred server that exists on the core server. For example, if you have created a directory called packages in the LDLOGON share on the core server, then the preferred server must have an LDLOGON\packages directory as well.
5. Create a scheduled task by right clicking on the newly created script and choose Schedule. This will create a scheduled task.
6. Drag and drop the core server onto the scheduled task. The script will run the locexec command on the core, and run the robocopy.exe with the specified parameters.
Preferred Server UNC Authentication
Used when accessing a UNC location
› Check first then authenticate
› Connections dropped when complete
Credentials obtained from the core
› HTTPS web server
› Client authenticates by listing trusted certificate hashes
UNC web service usage
[Flowchart. Labels: Is my cert in list?; Authenticated; Fail request; Return credentials]
Core HTTPS web service
Client authenticates by listing trusted certificate hashes
Core goes to the database directly
Dynamic Bandwidth throttling
Configured as a percentage of the available bandwidth to use
While downloading, the time delay to get a package is monitored; based on that time, the delay between packets is increased or decreased
› This allows the download to dynamically adjust the amount of bandwidth that is being used
› Switch: Polite=
File based bandwidth detection
DFS bandwidth detection problem
› Always went to the root DFS server
Download a portion of the primary package file to determine bandwidth
› If the whole file is smaller, then the whole file is downloaded
Enabled for SDClient by registry key
› SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareDistribution
› UseDownloadForBandwidth – non zero to enable
› DownloadSize – bytes to download, 1024 – 65535 supported
› Keys are in the ntstacfg.in# file
Run From Source
Allows for an installation to run directly from the share
› This is the same as mapping a drive and executing the software
› Preferred Server credentials are used to map the drive
› Once the application is launched there is no control over the throughput
Policy Downloads & the Gateway
Clients that communicate through the gateway
› Check local cache
› Check peers
› Attempt to communicate with the package server
If this is the Core Server then the request is routed through the Gateway
› Gateway Clients LDWM registry key must be configured with the Core Server name that is listed in the Default Agent Configuration.
Scenario 1
You want the package to trickle regardless of network congestion.
In the case the Network is congested, you want the download to be polite.
You only want one machine at a time to be able to go back to the core server for the package.
Scenario 2
You have a Remote site that cannot download across the WAN
You need to set up a delivery method that will not cross the WAN to try and get the files.
You can pre-cache files
Scenario 3
You have a Remote Subnet with clients that only communicate through the Gateway.
Files are pre-staged on one of these clients.
Can a Peer download the package from another peer?