Various Software Delivery Solution Purging Issues Work Around Methods

Article:TECH38845  |  Created: 2008-01-28  |  Updated: 2009-05-27  |  Article URL http://www.symantec.com/docs/TECH38845
Article Type
Technical Solution


Issue



What methods can be used to address problems caused by the Altiris Software Delivery Solution 6.0 Automated purging?


Solution



In the 6.x versions of Software Delivery Solution for Windows there are a number of purging issues that have been uncovered during troubleshooting.  Altiris Development is aware of these issues and is working toward a complete resolution of these items that should be available around the 7.x release of the Altiris Notification Server and Software Delivery Solution.

In the meantime, the methods introduced in this document to work-around these problems have been tested in a number of customer environments, but have not been reviewed by the Altiris Quality Assurance testing team. Before implementing any of these workarounds in a production environment, It is recommended to test the methods against a test server. 

It is worth noting that often times all of the steps in this document should be followed, for full resolution of these issues.

The Altiris Software Delivery Solution for Windows purging mechanism is controlled at the following page in the Altiris Console:

 

Symptoms and Causes 

 NOTE!  The symptoms and causes do not line up completely with the work around items.  As such, the Work Around section will indicate which steps are required for which issues.

Permission Issues

Description

Security Permissions can also cause many of the issues documented here. The reason for this problem is that when a user requests software from the Altiris Software Portal, the user's account is the only account granted permissions to the Software Delivery Task that is created. Members of the Altiris Administrators group are not granted access to these Tasks. This issue is further complicated by the Software Delivery Purge mechanism because the purge mechanism uses the Notification Server Application Identity account to run the purging. Without permissions to edit or delete the Software Delivery Tasks created by the user, the purge will fail.

Common Symptoms

  • Software Delivery Purge fails with message "Rights do not include deletion"
  • Members of the "Altiris Administrators" group are unable to manage Software Delivery Tasks or Sequential Tasks and recieve permission errors when attempting to access them.

Complete Work Around: Correct Permission Issues

Software Portal Collections

Description

When either a regular Software Program or Sequential Task is selected in the Software Portal, the Notification Server checks to see if the computer where the request is being made from has a collection.  If it does, the process continues.  If it does not, it creates an automatic collection with the one computer in it with the format SWRCollection_%COMPUTERNAME%.  Since an automatic collection is subject to collection updates, it will be included with every collection update that applies to it.

Though the single computer collections created by a Software Portal request do not, by nature, show up in the Collection Picker, the Collection Picker mechanism must examine each collection as part of the picker tree population process.  If many of these collections are created and purging does not remove them, this can slow down the picker population significantly.  In some instances this has caused timeouts to occur with the picker.

Common Symptoms

  • Slow Collection Update Performance.
  • The Software Portal generates a collection with a single computer in it when a Software Portal request is made.  The number of collections can grow significantly if purging isn’t properly removing them.  This causes collection updates for Notification Server to perform poorly.
  • Collection Picker slow to load
  • When a Software Portal request is made, the Software Portal generates a collection with a single computer in it.  The number of collections that are created as a result of this behavior can grow significantly if purging is not properly removing them.  This can cause the collection picker to take a long time to load as it has to cycle through all collections to identify which ones should be displayed.

Complete Work Around: Correct Permission Issues, Delete Portal Collections

Improperly Purged Tasks

Description

When purging executes against a software request, it first purges the item from SWDSoftwareRequest, followed by SWDAdvertisement.  However Altiris Support has noted that sometimes the purge from SWDAdvertisement does not remove the row for from the Item table.  When this occurs the link from the single computer collection to the Task remains, and thus the broken task will be included when the machine requests its Client Configuration.  The process to fetch the task fails with the error seen above.

Software Portal Tasks and Sequential Tasks are scheduled to ‘Run as soon as the computer is notified."  This schedule ensures that when the computer is ‘tickled’ during the Software Portal request process it will run the Task or Sequential Task as soon as it receives it.  The standard Altiris Agent treatment of this type of schedule is to mark the Task or Sequential Task as ‘Run’ in the AeXSWDPolicy.xml file.  The Task or Sequential Task still exists in the client’s client policy XML file, but the Altiris Agent knows not to run it due to the AeXSWDPolicy.xml file.  When the Altiris Agent is uninstalled and reinstalled, that file is deleted, and thus the Agent on reload will not know it already ran those previous Portal Tasks or Sequential Tasks.  The same is true if the system is reimaged but retains the same NS record on reload.

Common Symptoms

  • High number of License Errors in the Notification Server log.
  • If a Task is only partially purged, it means it has been removed from either the SWDAdvertisement table, or the Item table, but not both. When this scenario occurs, errors will be generated by client machines for each partial task that has been assigned.
  • The error when this symptom occurs will be similar to this:

    Log File Name: C:\Program Files\Altiris\Notification Server\Logs\a.log
    Priority: 2
    Process: aexsvc.exe (7904)
    Thread ID: 8156
    Module: AltirisNativeHelper.dll
    Source: AdvertisementItemEx::OnBuildClientConfigXml2
    Description: The specified resource failed to obtain a license (Resource: <COMPUTERNAME>, Product Altiris Software Delivery Solution, Exception: Unable to build the client configuration XML for advertisement with guid Software Request - <NAME OF SOFTWARE REQUEST>.
    Reason: Did not get a row for Software Delivery Advertisement "Software Request - <NAME OF SOFTWARE REQUEST>", Guid = Software Request - <NAME OF SOFTWARE REQUEST> from the SWD tables., Exception Type: Altiris.NS.Exceptions.AeXException
  • Reimaging a computer causes the machine to execute all of the old Software Portal Requests
  • Reinstalling the Altiris Agent causes the machine to execute all of the old Portal Requests 

Complete Work Around: Correct Permission Issues, Delete Orphaned Tasks

Work Around

The following section provides the full methods of implementing the work around items to ensure the purging issues do not adversely affect your Notification Server Infrastructure.

Correct Permission Issues

For All Issues

First, you must ascertain the correct IDs for the Altiris Administrator's Read and Delete permissions based off the following query: 

SELECT stp.Id, sp.[Name], sr.[Name], st.Trustee FROM SecurityTrusteePermission stp

LEFT JOIN SecurityTrustee st ON st.Guid = stp.TrusteeGuid

LEFT JOIN SecurityRole sr ON sr.TrusteeGuid = stp.TrusteeGuid

JOIN SecurityPermission sp ON sp.Guid = stp.PermissionGuid

WHERE sr.[Name] = 'Altiris Administrators'

ORDER BY PermissionguId

Once you've discovered the Read and Delete numbers, you'll need to update the sql script (Update Portal Permissions.zip) before running it. Follow these steps:

  1. Open the UpdatePortalPermissions.sql file in a text editor (notepad works).
  2. There are multiple queries, each with a set of numbers within. 
  3. In the attached script the numbers are 22 and 19. 
  4. If you end up with 22 and 21 as the numbers, replace all 19s with 21s. 
  5. Other numbers should not be changed, such as the following , 1 shown in each query.
  6. Save the script once the change has been made.

When looking at the SQL script in the attached Update Portal Permissions.zip file, you will see several queries.  It does not matter what order you use in changing the numbers.  The script is updating read and write permissions for the following: 

Altiris.NS.SWDWin32.SWPortal.SoftwareRequest

Software Request%

Software Delivery Task for program :%

Synchronization Task%

The attached file UpdatePortalPermissions.zip is a sql query that can be run in SQL Query Analyzer or SQL Managment Studio. This query updates the permissions on all Portal items to allow the "Altiris Administrators" group rights to the Task, which will allow regular purging to execute successfully. 

It is recommended to create a SQL maintenance item to run the script nightly to ensure new tasks that are created are also updated with the new security permissions.

DISABLE Tasks - For those tasks that have been created but never made it down to execute on the target system, use the EXE inside DisablePortalTask_187169.zip.

The attached .exe file can be used to disable approved Software Delivery tasks created by the Software Portal requests as well as Sequential SWD related tasks.

Instructions for use:

  1. Run the .exe in a command prompt.
  2. Use the switch /SEQ to disable all the sequential Software Delivery-related tasks 
  3. Use the switch /SWD to disable all the approved Software Delivery Portal tasks

Note: This .exe has not been fully verified by QA and is used entirely at the risk of the user. Despite this, no issues have been reported from any users using this EXE.

Delete Portal Collections

For Collection Issues

The attachment DeleteCollectionItems.zip can be used to delete old Software Portal Collections. To use this file the following steps are necessary:

  1. Download DeleteCollectionItems.zip file
  2. Extract the contents to the Altiris Notification Server folder: 
    "install path\Program Files\Altiris\Notification Server\Bin\" 
  3. Open DeleteCollectionItems.cs in a text editor
  4. Line 19 begins with the text "static public string sql ="
    Edit the date found at the end of Line 19 to be yesterday's date.
     
  5. Connect to the Altiris Notification Server as a user that is in the "Altiris Administrator" group.
  6. Open a command prompt and execute the following:

    NScript.exe DeleteCollectionItems.cs

Delete Orphaned Tasks

For Task Issues

The two types of items available in the Portal. First, a Standard Software Delivery Package-Program, and second, a Sequential Software Delivery Task.  The two work around methods here overlap, but if you are using Sequential Tasks in the portal it is recommended to do both, whereas if you are only using Standard Package-Program selection only the first need be done.

First Method

The attached file DeletePortalsItems.zip will need to be run to delete item statements against Tasks and Sequential subtasks.  Although part of the tasks have been removed, the item delete mechanism will still execute properly to remove the remnants.

To use this file the following steps are necessary:

  1. Download DeletePortalsItems.zip file
  2. Extract the contents to the Altiris Notification Server folder: 
    "install path\Program Files\Altiris\Notification Server\Bin\"  
     
  3. Connect to the Altiris Notification Server as a user that is in the "Altiris Administrator" group.
  4. Open a command prompt and execute the following:

    NScript.exe DeletePortalItems.cs
  5. When the previous command has completed, execute the following

    NScript.exe DeletePortalItemsSeq.cs
  6. Once these have completed, it is recommended that these be run nightly. One method of doing so is to create a batch file with both options and setup a Windows Scheduled Task to execute them using the Altiris Administrator's credentials.

Second Method

The attached file RemovePortalSequentialTask.zip is a self-contained executable that can be run on the SQL Server to delete all Sequential Tasks requested from the Software Portal.  If someone is in the process of requesting a sequential task when this executable is run, it is possible their request will be deleted before it’s delivered. As a result, it is highly recommended that this executable be run during off-hours.

 

To invoke, run the executable on the Notification Server at install path\Program Files\Altiris\Notification Server\Bin located on the NS.  This is supported with SQL on-box and off-box as we use the NS APIs to make the deletion calls.


Legacy ID



40233


Article URL http://www.symantec.com/docs/TECH38845


Terms of use for this information are found in Legal Notices