First, a bit of information about our environment. We have been using Deployment Solution 6 for years. Up until a few months ago, our general deployment has been with 6.9 SP5 MR3 or 6.9 SP6 servers. We felt the desire to be able to target more dynamic groups of computers rather than simply static targets, and so wanted to move to Symantec Management Platform 7.5 to help accomplish this. We've had the infrastructure built up for this, but never had full buy-in from the team actually using the images and so it was decided that with some contracted support, we could finally make this change.
We contracted to have some assistance to validate our Symantec Management Platform 7.5 SP1 HF3 with ITMS installation, and then apply best practices to help things work more reliably. Here are a few of our lessons learned, some of which have been fixed by more recent updates, some of which are still requiring a workaround to be fully functional.
Problem: When using SSL with deployment, if the server certificate or its binding does not match the server's FQDN, the PECT agent cannot complete the computer account lookup.
Cause: When setting up CEM, we tried to change the certificates to make Cloud Enabled Management work "better" and broke everything.
Solution: We wiped the server and the entire database and started over, with the certificate matching the FQDN again as it had been before.
Problem: Sysprepping an image strips out the SSL certificates. We have an internal CA whose certificates are deployed through group policy and domain membership, so secure Site servers can't communicate with the agents after image deployment: the CA, and by extension the SMP server, are no longer trusted.
Workaround: Copy the two certificate files needed (server and CA) into a folder on the computer before image capture, while in Automation. Then have SetupComplete.cmd (the script Windows runs from %WINDIR%\Setup\Scripts once Setup finishes after the computer is imaged) call a batch file in that folder that runs certmgr to import both certificates.
More information on this issue can be found in TECH224579. The article says it was an issue through HF2, but it's still an issue in HF5. It may or may not be an issue in 7.6; we haven't made that upgrade yet.
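Here is what the post-image half of that workaround can look like. This is an added example, not the script from the original post or anything shipped by Symantec; it uses certutil (present on every supported Windows build) instead of certmgr, which needs the SDK copy to be on the box. The folder C:\Certs, the file names ca.cer and smp-server.cer, the CA subject name used for the check, and putting both certificates into the machine's Trusted Root store are assumptions; match them to whatever stores the certificates occupied before capture (certutil -store Root, run on a working machine, shows that).

```batch
@echo off
rem %WINDIR%\Setup\Scripts\SetupComplete.cmd (exact name; see the case note in this post)
rem Runs as LocalSystem after Windows Setup finishes, before anyone logs on.
rem Added example, not the original post's script. Assumptions: the certificates
rem were staged at C:\Certs before capture as ca.cer and smp-server.cer, the CA
rem subject contains "Internal CA", and both go into the machine Root store.
setlocal
set "CERTDIR=C:\Certs"
set "CA_SUBJECT=Internal CA"
set "LOG=%WINDIR%\Setup\Scripts\SetupComplete.log"

echo [%date% %time%] SetupComplete start >> "%LOG%"

rem Fail loudly if the staged folder did not survive the image (or was wiped,
rem as the DS 6.9 DAgent does to this script), rather than silently leaving
rem the agent untrusted.
if not exist "%CERTDIR%\ca.cer" (
    echo [%date% %time%] missing %CERTDIR%\ca.cer >> "%LOG%"
    exit /b 1
)
if not exist "%CERTDIR%\smp-server.cer" (
    echo [%date% %time%] missing %CERTDIR%\smp-server.cer >> "%LOG%"
    exit /b 1
)

rem -f overwrites an existing entry instead of prompting (there is no console here).
rem The internal CA goes into the machine's Trusted Root store.
certutil -addstore -f Root "%CERTDIR%\ca.cer" >> "%LOG%" 2>&1 || goto :fail
rem The SMP server certificate, imported alongside the CA as in the post.
rem Store name assumed; if it is issued by the CA above, the CA entry alone
rem already makes it chain.
certutil -addstore -f Root "%CERTDIR%\smp-server.cer" >> "%LOG%" 2>&1 || goto :fail

rem Check: the CA must now be listed in the machine Root store. (certutil -verify
rem would also test the chain, but it does a revocation check that may fail
rem before the network is up, so a store lookup is the safer first-boot check.)
certutil -store Root | findstr /i /c:"%CA_SUBJECT%" >nul || goto :fail

echo [%date% %time%] certificates imported OK >> "%LOG%"
endlocal
exit /b 0

:fail
echo [%date% %time%] certificate import FAILED, errorlevel %errorlevel% >> "%LOG%"
endlocal
exit /b 1
```

Keep the log: SetupComplete.cmd runs with no console and before logon, so the log file is the only place a failed import shows up. If you stay with certmgr as in the post, swap the two certutil -addstore lines for the equivalent certmgr -add calls and keep the check.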
Problem: The setupcomplete.cmd file didn't run after imaging.
Solution: The file must be named exactly SetupComplete.cmd and live in %WINDIR%\Setup\Scripts. If the capitalization isn't right, the script won't run.
Problem: Sysprepping an image leaves the Unattend.xml in the %SystemRoot%\System32\Sysprep folder. If you told the computer to rejoin the domain, that file contains the domain-join account credentials in plain text, and it ships inside every image captured from that computer.
Workaround: Use a Run Script task to delete the file before image capture, while in Automation.
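The Automation side of the two workarounds above (staging the certificates for SetupComplete.cmd, and removing the answer file before capture) can be one Run Script task. This is an added example, not the original post's task. One caveat a practitioner wants here: in Automation, %SystemRoot% is WinPE's own X:\Windows, so the script has to locate the offline Windows volume rather than trust C:. Assumptions: the certificate files sit next to the script (%~dp0certs) on the Automation side, they are copied to <os drive>\Certs, and the extra Panther paths are checked because Windows Setup caches answer files there (harmless if absent on your build).

```batch
@echo off
rem Pre-capture Run Script task, run from Automation (WinPE). Added example,
rem not the original post's task. Assumptions: certs staged at %~dp0certs,
rem copied to <os drive>\Certs; Panther copies of the answer file checked as well.
setlocal

rem Find the offline Windows volume: do not assume C: from inside WinPE.
set "OSDRIVE="
for %%D in (C D E F G H) do (
    if not defined OSDRIVE if exist "%%D:\Windows\System32\Sysprep" set "OSDRIVE=%%D:"
)
if not defined OSDRIVE (
    echo no offline Windows volume found
    exit /b 1
)
echo offline Windows volume: %OSDRIVE%

rem 1. Stage the certificate files for the post-image SetupComplete.cmd step.
if not exist "%OSDRIVE%\Certs" mkdir "%OSDRIVE%\Certs"
copy /y "%~dp0certs\*.cer" "%OSDRIVE%\Certs\" >nul || (
    echo certificate copy failed
    exit /b 1
)

rem 2. Remove answer files that carry the domain-join credentials: the Sysprep
rem    folder named in the post, plus the Panther locations Setup caches to.
for %%F in (
    "%OSDRIVE%\Windows\System32\Sysprep\Unattend.xml"
    "%OSDRIVE%\Windows\Panther\Unattend.xml"
    "%OSDRIVE%\Windows\Panther\Unattend\Unattend.xml"
) do (
    if exist %%F (
        del /f /q %%F
        echo deleted %%F
    )
)

rem 3. Check: fail the task if any copy is still on the volume, so a capture
rem    never proceeds with credentials inside the image.
set "LEFT=0"
for %%F in (
    "%OSDRIVE%\Windows\System32\Sysprep\Unattend.xml"
    "%OSDRIVE%\Windows\Panther\Unattend.xml"
    "%OSDRIVE%\Windows\Panther\Unattend\Unattend.xml"
) do if exist %%F set "LEFT=1"
if "%LEFT%"=="1" (
    echo an unattend file is still present, aborting
    exit /b 1
)
endlocal
exit /b 0
```

Deleting the answer file before capture only works because the deployment task supplies its own answer file when the image is deployed, which is the setup the post describes; if your deploy task relies on the file baked into the image, strip the credentials from it instead of deleting it.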
Problem: Having the DS 6.9 DAgent installed on a computer that is being Prepared for Image Capture causes problems: the DS 6.9 DAgent apparently wipes the SetupComplete.cmd file after imaging, and possibly other small pieces. This definitely breaks re-injecting certificates after imaging, and may break anything else that's supposed to be part of a complicated job.
Workaround: Send an uninstall job for the DS 6.9 DAgent before you Prepare for Image Capture.
Problem: Sometimes, when security has been hardened and you're provisioning a Cloud Enabled Management server, it asks for credentials to communicate with the SMP server. Normal accounts fail to communicate and simply leave the server status as red/problematic.
Solution: Authenticating with the SMP service account (the Application Identity) fixes the issue. You can still run the services as the Local System account, as suggested, but make sure the account you give it can actually access your SQL server.
Problem: The Client Task Data Loader service is set to Automatic start but needs the SMP Agent to finish starting first; otherwise it can't get status updates and wipes the status of all jobs that are in progress but not yet completed.
Workaround: Set the CTD Loader service to Automatic (Delayed) startup so that it starts around the same time as the SMP Agent, which is also set to Automatic (Delayed) startup.
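Making that change from an elevated prompt on the Notification Server, with a check that it stuck, looks like the following. This is an added example, not from the original post. The service names are assumptions (the display names are "Symantec Management Agent" and "Client Task Data Loader"); confirm the SERVICE_NAME values with sc query before running it.

```batch
@echo off
rem Set both services to delayed automatic start and verify. Added example, not
rem the original post's procedure. Assumption: service names below; confirm with
rem   sc query state= all | findstr /i "SERVICE_NAME DISPLAY_NAME"
setlocal
set "AGENT_SVC=AeXNSClient"
set "CTDL_SVC=ClientTaskDataLoader"

rem sc.exe requires the space after "start=" (start= delayed-auto); "start=delayed-auto"
rem is silently treated as a bad parameter.
sc config "%AGENT_SVC%" start= delayed-auto || goto :fail
sc config "%CTDL_SVC%" start= delayed-auto || goto :fail

rem Check: START_TYPE in "sc qc" output must read "AUTO_START  (DELAYED)" for both.
for %%S in ("%AGENT_SVC%" "%CTDL_SVC%") do (
    sc qc %%S | findstr /i "START_TYPE" | findstr /i "DELAYED" >nul || (
        echo %%S is not delayed-auto
        exit /b 1
    )
)
echo both services are delayed-auto
endlocal
exit /b 0

:fail
echo sc config failed, errorlevel %errorlevel%
exit /b 1
```

Delayed start only puts both services in the same late batch; Windows does not guarantee the order within it. If the Loader still races the agent, sc config "%CTDL_SVC%" depend= AeXNSClient makes the Service Control Manager start it only after the agent service reports running, but note that depend= replaces the whole dependency list, so read the DEPENDENCIES line of sc qc first and include any existing entries.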
Since we've already had a few times when we've referred back to these notes, we felt it would be helpful to make some of these issues and their solutions more easily available for discovery online, rather than just sitting in my email client as typed information.