User Groups – Q4-2008

LANDesk Support Update

The LANDesk Community

Community – Overview LANDesk Community is the people who use our

products› LANDesk support team, developers and SEs› Partners / ESPs› Customers

Everyone who uses our product has different knowledge

Combined knowledge of these people is a very valuable resource

Purpose of Community is to enable these people to share knowledge with each other› Everyone gets smarter

Community - Website

Best source of technical information for people who use LANDesk products

One website combines knowledgebase, forums, downloads, blogs, and support portal› Shared login› Ability to search all content from one place› Available to EVERYONE

Community - Forums Anyone can post a question, anyone can answer it Easy to collaborate with experts Learn from fellow customers and their real-world

examples, experience, and best practices› (50% of answers provided in the community are

from people who don’t work for LANDesk) Reputation system to recognize top contributors

› People who ask the questions decide which answers are best and reward points accordingly

Community - Knowledgebase Content includes:

› Solutions to incidents reported to support team› BKM documents and troubleshooting guides› Tips and tricks from customers and partners

Interactive knowledge› Anyone can contribute knowledgebase content

(even you!)› Users can comment on articles – automatically

notifies the article author to review the comment and article

› Users can rate articles – highest rated articles have increased visibility

Community – Support Portal LANDesk PMA/EMA customers can use the support

portal to open and manage incidents with the Customer Support team

Integrating the portal with the community site enables single-sign on across both systems› Access the portal at:

http://community.landesk.com/support/community/portal

Suggestions for improvement are ALWAYS welcome

Agent Installation Issues

Agent Install Top Issues

Machine no longer detected in the console after upgrade

Running uninstallwinclient.exe does not remove all services

One or more services (policy.invoker, TMCsvc, etc) are missing

Inventory scans aren't being set to core server after agent upgrade

Agent Issues - The Problem The Microsoft API calls LANDesk uses for agent updates do not

allow children of a given process to kill the parent process’s with an open socket. This may cause problems agent upgrade due to the Alerting functionality which may have inherited rights to the parent socket if in use. When the Alerting Agent (collector.exe) cannot be stopped, this process keeps the CBA agent from fully stopping and thus when the uninstall attempts to run only part of the CBA agent is removed.

This essentially means that since we launch the upgrade process with residentagent.exe, we can’t kill the process to update it because it is now the parent of the update process. This problem will cause different end results as indicated by the previous slide.

Agent Issues – The Fixhttp://community.landesk.com/support/docs/DOC-4449LANDesk now recommends using Advance Agent for ALL agent

upgrades for 8.7 and 8.8 because of the before mentioned parent / child termination problem. Since Advance Agent runs it’s own service, all components / services of the existing installed agent can be terminated and upgraded.

This post SP2 patch should also be applied http://community.landesk.com/downloads/patch/CLN-977388.2-2.zip

Read the FAQ: http://community.landesk.com/support/docs/DOC-4686

How to troubleshoot Integrated Security Remote Control

Troubleshooting Process

Step 1 - Verify the security type is set to 9. Step 2 - Obtain all the logs. Step 3 - Determine where in the integrated

security process, the failure is occurring. Step 4 - Search the Community for Errors

Step 1 – Verify the security type is 9 On the Agent workstation, check the following

key in the registry:

HKLM\Software\Intel\LANDesk\WUSER32DWORD: SecurityType

Step 2 – Obtain all the logs

Viewer Logs

Remote Console Logs Filename Default Path Description

Console.exe.log ManagmentSuite (on the console) Logs Console activity. Connection Messages.txt

n/a – In the Remote Control ISSCNTR.EXE interface.

Logs the attempt to connect and authenticate and the result.

Web Console Logs Filename Default Path Description

Connection Messages.txt

n/a – In the Remote Control ISSCNTR.EXE interface.

Logs the attempt to connect and authenticate and the result.

Client Logs

Client Logs Filename Default Path Description

Issuser.log C:\Program Files\LANDesk\LDClient

Logs any attempts made to remote control the client.

Isswuser32.log C:\Program Files\LANDesk\LDClient

This log must be manually created to enable verbose logging.

Alertlog.xml

C:\Program Files\LANDesk\Shared Files\cbaroot\alert\queue

XML file where each alert that is sent is stored.

Alert.log C:\Program Files\LANDesk\Shared Files Log for alert.exe. Logs any alert transmissions.

Core Server Logs

Core Logs Filename Default Path Description

exYYMMDD.log C:\Windows\System32\LogFiles\W3SVC1

IIS log. Logs traffic to web server.

w3wp.exe.log C:\Windows\System32\InetSrv

Log for the web service process w3wp.exe. Each application pool has a w3wp.exe process and can log to this file.

UserValidatorErrLog.txt \ManagementSuite

Any failed attempts by the web service or LANDesk1 Com+ Application to enumerate groups on the domain are logged here.

LANDesk.ManagementSuite.Information.log \ManagementSuite\Log

Logs the signing of the signed rights document.

Step 3 - Determine where the failure occurs

The LANDesk Remote Control Process

Remote Control Viewer connects to agent on port 9535.

Agent responds with security type 9 which means Integrated Security.

Console contacts the Core Server’s RemoteControlServices.asmx web service

Note: Please review this Community Article:

Understanding Remote Control User Authenticationhttp://community.landesk.com/support/docs/DOC-4670

The Core Server queries for rights from the database for the user. The Core Server sends and ldping to the client and requires a

response. The Core Server checks if user is in the Managementsuite group.

Note: the LANDesk1 COM+ Application identity is used to enumerate groups on the domain. Any failures to enumerate groups on the domain are logged tot his file: UserValidatorErr.txt. Troubleshooting this is the same as troubleshooting the Unable to Validate errors when open the web console:

LDMS 8.8 Matrix for successful authentication when logging into the Web Consolehttp://community.landesk.com/support/docs/DOC-3020

Core Server sends the signed rights document to the Remote Control Viewer.

If permission is granted in the signed rights document, the Remote Control Viewer is allowed to establish a session with the agent.

Step 4 – Search the CommunityIf you find an error, such as the following:ERROR on 10/31/2008 12:13:11 PM with user CALDOR\Administrator,

and core vm88:GetGroupUsers() : NetGroupGetUsers failed with an

ERROR_LOGON_FAILURE code. IIS may not have permission to query the domain for group information.

Then you search the Community for “NetGroupGetUsers failed”, you will find these and more articles: Doc-3012 - The account used for the LANDesk1 COM+ Application Identity is locked

Doc-3006 - User is in a nested Active Directory Security Group - Global group with default LANDeskComPlus identity

LANDesk Antivirus

Using LANDesk Antivirus over WAN links

Option added for “View as report” in Antivirus Activity and status information Window.

LANDesk Antivirus

LANDesk Antivirus Using LANDesk Antivirus over WAN links:

To make this work effectively you should read the following community article:

http://community.landesk.com/support/docs/DOC-3197

And apply the following patch:AV-2079588.2

LANDesk Antivirus

LANDesk Antivirus Option added for “View as Report” in Antivirus

Activity and status information window.

Patch AV-1265688.2 adds this right-click reporting option.

LANDesk Power Management

LANDesk Power Management LANDesk Power Management FAQ:

http://community.landesk.com/support/docs/DOC-3237

How LANDesk Power Management Works:

http://community.landesk.com/support/docs/DOC-4592

LANDesk Inventory and Software Monitoring

Limit/Prevent Software Scanning

[Exclude Folders]

/RSS /F-

http://community.landesk.com/support/docs/DOC-4464

SLM Office Data is incorrect

Main office suite data is correct Office applications that are not part of the

main suite and are not the same version as the main suite will report incorrect usage data

http://community.landesk.com/downloads/patch/SLM-2027487.6-2.zip

LANDesk File Downloading

Why add Downloading Technologies Reduce WAN traffic If download is interrupted do not lose the work that

was done Allow for distributed environment Allow machines to get packages while out of network

– LANDesk Management Gateway Do not disturb other network traffic Pre-stage packages to allow for faster deployments

with less user disruption Allow for authenticated share access

Downloading Technologies Checkpoint Restart Targeted Multicast Local cache Peer to Peer Subnet Aware Downloading Preferred Server Bandwidth throttling Dynamic Bandwidth Throttling Run From Source Downloading to Clients through the Gateway

Check Point Restart LANDesk downloads use a byte level check

point restart - HTTP and UNC both use this technology

› If a file download is interrupted then on resume the download will restart at the failed byte

› What a partial looks like in SDMCache on the client @@partial@@firefox.exe

Targeted Multicast Targeted Multicast

› A Multicast domain is discovered› A Multicast Representative for the domain is selected › The files are Unicast to the Rep and then Multicast to the Domain › Multicast packets have TTL set to 1 can not cross a Router

Common Issues › Additional files failed to download

Cause 1: The TMC is UDP based and if packets are lost then the machine will fail out of the Task.

Cause 2: TMC is multicast traffic and requires that the switches and OS be using the Same version of IGMP › XP SP2 updated the version of IGMP causing many failures in Multicast

Cause 3:Switches isolated Multicast traffic causing discovery to find more Multicast subnet than actual Subnets

As a UDP based Protocol packets are sent multiple times to increase the robustness and reliability of Multicast.

Local Cache The agent installation creates a folder

› \\Client\Program Files\LANDesk\Ldclient\SDMCache This folder is used as a temporary storage

location for files that are being transferred Files are cleaned out of this folder automatically

› Defaults are 2 days for clients and 14 days for MDR MDR is only used in TMC task

Files in this folder and registered with the TMC service can be peer downloaded

Peer to Peer When the agent needs a file, a file discovery

packet is sent to local peers › Peers respond with percentage of requested file in

cache › If multiple peers have the file then the fastest

response time is taken Peer will only allow 7 remote peer connections

Peer to Peer Peer to peer downloading

› Always attempted› If peer only is selected install will fail if not available on

the local subnet Issues

› Selecting Peer download only in the Advance agent If peer only is selected, make sure to Pre-cache the file

› The files have timed out and been deleted from the SDMCache

Peer to Peer File Discovery TMC Service

› Listens for File requests › File requests are verified against the files registered with the

TMC service› When LANDesk downloads the file the file is automatically

registered › If a file is to be manually added to the folder

Stop the LANDesk Targeted Multicast service Add the files Start the Service

What is registered on a client› Registrations are stored in the registry key

HKLM\software\Intel\LANDesk\LDWM\Distribution\Multicast\Cache files

Peer aware downloading

Need moredata? No Done

Send file discovery message

Yes

Response? No Download fromsource

Start

Peer has moreof file?

Yes

No Peer isdownloading?

No

Download from peer

Yes Yes

Overview Order of locations attempted

› Local cache› Peer› Preferred server › Source

Subnet Aware Download

Subnet Aware Download Peer aware downloading

› Limits remote downloading to a single computer› Collective bandwidth usage

Configured in Delivery methods

Step 6: Machines that were off turn on and are back on the network. They check with the Core Server for policies required and missed by the client.

Subnet Rep & Peer Download

46

CORE SERVER

L2 SWITCH

ROUTER

ROUTER

L2 SWITCH

L2 SWITCH256k

T1

ROUTER

Step 1: LANDesk administrator schedules distribution to clients across the enterprise

Step 2: The best Subnet Representative is selected in each subnetStep 3: Subnet Representative begins the download of the package(s)Step 4: Other targeted machines start

to pull from another machine that already has parts of the package in it’s cache.

Step 5: If the best Subnet Representative fails or stops another machine will pickup where it left off and become that new Subnet Representative

ON ON ON ON ON ON ONOFFOFF OFF OFF OFF OFF OFF

Preferred Server This was designed to allow for distributed staging

servers › Allow for authentication› Allow for clients to find the best Staging server› Invisible to the client when it is redirected› Allow for servers to only work for specific subnets

Preferred Server Ldredirect is the file responsible for this Shares must be the same name

› Directory structure must be the same on source and preferred server

Configured at the core› Didn’t want passwords from web console going over

HTTP› Accessed from Preferred Server menu option in

console› Passwords are only on the Core and the Client make

a request to the Core to access a share

Preferred servers

49

Preferred Servers

50

Preferred servers Controlling how many servers are detected

› Can be from 0 (don’t use) to 7› Registry value listed in ntstacfg.in#› SOFTWARE\LANDesk\ManagementSuite\WinClient\

SoftwareDistribution\DynamicPreferredServers

51

Preferred Servers Clients track which Preferred Servers were used

› Ldredirect favors servers that had the file› Temporary in memory history

Cleared periodically (default 1 hours) Cleared when application exits

Preferences configured via the registry (in ntstacfg.in#)› SOFTWARE\LANDesk\ManagementSuite\WinClient\

SoftwareDistribution› ServerHistoryUseCount

defaults to 3, minimum number of times server must be used in order to be more preferred

› ServerHistoryCacheTime Defaults to 3600 seconds, the amount of time to remember that a server was

used.

52

Preferred Servers Building the list on the Client

› Cached server usage first, servers used more than the minimum number of times first

Server used most is first Will not be repeated in list

› Append dynamic preferred servers› Append preferred servers from registry

53

Synchronizing Preferred ServersExample http://community.landesk.com/support/docs/DOC-2288

To synchronize the content of the core server and a preferred server using the robocopy utility do the following:1. In the Management Suite Console go to Tools | Distribution | Manage Scripts. Create a new custom script with the

following line:[MACHINES]LocExec1=C:\progra~1\landesk\managementsuite\ldlogon\packages\robocopy\Robocopy.exe \\<your core server> \ldlogon\packages \\<PreferedServer>\ldlogon\packages /mir /IPG:3Save the script with the desired name.

2. Download the robocopy utility from Microsoft's web site. The utility is part of the Windows Resource Kit. At this time the URL to download the Windows Resource kit is:http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en

Copy the robocopy.exe file to the location specified in the script. In the example above, it is c:\program files\LANDesk\ManagementSuite\ldlogon\packages\robocopy.

3. Check that the scheduler service is running as a user that has rights to the preferred server share. Preferably the scheduler service should run as a domain admin account. To change the user account that the scheduler service runs as, on the core server go to Configure | Services | Scheduler tab | Change Login. Use the format of domain\user when entering the credentials.

4. The same directory structure must exist on the preferred server that exists on the core server. For example, if you have created a directory called packages in the LDLOGON share on the core server, then the preferred server must have an LDLOGON\packages directory as well.

5. Create a scheduled task by right clicking on the newly created script and choose Schedule. This will create a scheduled task.

6. Drag and drop the core server onto the scheduled task. The script will run the locexec command on the core, and run the robocopy.exe with the specified parameters.

Preferred Server UNC Authentication Used when accessing a UNC location

› Check first then authenticate› Connections dropped when complete

Credentials obtained from the core› HTTPS web server› Client authenticates by listing trusted certificate

hashes

55

UNC web service usage

56

Is my cert in list?

Fail request

Return credentials

Authenticated

No

No

Yes

Yes

Core HTTPS web service

Client authenticates by listing trusted certificate hashes

Core goes to the database directly

Dynamic Bandwidth throttling Configured as a percentage of the available

bandwidth to use While downloading the time delay to get a

package is monitored based on the time the delay between packets is increased or decreased › This allows for the download to be dynamically adjust

the amount of bandwidth that is being used › Switch: Polite=

File based bandwidth detection DFS bandwidth detection problem

› Always went to the root DFS server Download a portion of the primary package file to

determine bandwidth› If the whole file is smaller, then the whole file is downloaded

Enabled for SDClient by registry key› SOFTWARE\LANDesk\ManagementSuite\WinClient\

SoftwareDistribution› UseDownloadForBandwidth – non zero to enable› DownloadSize –bytes to download 1024 – 65535 supported› Keys are in the ntstacgf.in# file

58

Run From Source Allows for an installation to run directly for the

Share › This is the same as mapping a Drive and executing

the software › Preferred Server credentials are used to map the drive › Once the application is launched there is no control

over the throughput

Policy Downloads & the Gateway Clients that communicate through the gateway

› Check local cache› Check peers › Attempt to communicate with the package server

If this is the Core Server then the request is routed through the Gateway › Gateway Clients LDWM registry key must be configured with the

Core Server name that is listed in the Default Agent Configuration.

Scenario 1 You want the package to trickle regardless of

network congestion. In the case the Network is congested, you want

the download to be polite. You only want one machine at a time to be able

to go back to the core server for the package.

Scenario 2 You have a Remote site that cannot download

across the WAN You need to set up a delivery method that will not

cross the WAN to try and get the files. You can pre-cache files

Scenario 3 You have a Remote Subnet with clients that only

communicate through the Gateway. Files are pre-staged on one of these clients. Can a Peer download the package from another

peer?