
Rolling Out the NSAgent in an Enterprise Domain Environment

By PeeGee

Whenever a new implementation of the Altiris infrastructure takes place in a customer's environment, there is the challenge of identifying all computers in that environment and rolling out the NSAgent to them. What sounds like an easy task at first often turns out to be harder than expected. Common challenges are:

  • How many computers do we actually have?
  • How do we handle computers in remote locations?
  • How do we handle laptops or computers which are not permanently connected to the network?
  • How do we make sure that we don't install any agent on servers?

One option is certainly an AD integrated rollout via AD's own Software Delivery mechanism. But what was the reason again that the customer wanted to use Altiris Software Delivery instead of AD? Right: AD does not always work and does not provide any report about succeeded or failed installations.

The Altiris Notification Server already has all of the bits and pieces on board which are needed for a successful enterprise rollout. However, some preparation is needed to get it done right.
Here is an overview of the steps:

  1. Run an AD import
  2. Create a new collection with AD workstations that do not have the NSAgent
  3. Enable the push installation
  4. Monitor the agent rollout

Run an AD Import

In order to import computer information from Active Directory, the AD Connector must first be installed on the Notification Server. The latest version is available here: http://www.solutionsam.com/solutions/6_0/...

It is suggested to also get the latest Hotfix for this component from here:
https://kb.altiris.com/article.asp?article=34704&p=1

It is suggested to run a one-time import first and then enable the AD import schedule to occur once a night. To run the one-time import, do the following:

  • Open the NS Console
  • Go to > View > Configuration > Server Settings > Notification Server Infrastructure > Microsoft Active Directory Import
  • In the right frame, click on the row "Import Computer resources..." to highlight it and then click on the "Full Import" icon
  • Once the Status column indicates a green checkmark, the import has finished successfully.

Assuming that the import worked fine, it is suggested to schedule the import to re-occur every night (or more frequently, if needed). The purpose of the schedule is to also target computers which have recently been added to the domain.

To schedule the import, click on the "specified schedule" link in the "Import Computer resources..." section and define your schedule. I usually set up a weekly "Full" import and a daily "Update" (delta) import. It is suggested that you review the times of the pre-defined shared schedules and modify them for your own environment, if needed. After the schedule has been defined, ensure that you check the "Enabled" checkbox to the left of the import rule and click on "Apply".

To ensure that computer objects which no longer exist in AD are also removed from the Notification Server database, you should enable the "Directory Synchronization Schedule" at the bottom of the page. Depending on the amount of change in your AD, a nightly, weekly or monthly schedule should be selected.

Review Imported Computer Data

By default the NS will create collections based on your AD Organizational Units. These can be reviewed from the console via:
> View > Resources > Collections > Directory Collections

It is important to understand that ALL AD computer objects have been imported (workstations and servers). If the target is to roll out the NSAgent to workstations only, a new collection has to be created first which contains all AD imported computers but excludes servers.

Create a New Collection with AD Imported Workstations Without the NSAgent

As we do not yet have Basic Inventory data for the imported computers, we cannot use the native collection builder interface and simply exclude the "All Servers" collection. We are limited to the very few data classes that are already available while building this collection.

To create such a collection, do the following:

  • From > View > Resources go to > Computer Collections
  • Right-Click on "My Collections" and select > New > Collection
  • In the "Name" field type: AD imported Workstations without NSAgent
  • Open the "Query" section and select "Enter SQL directly"
  • Replace the existing code with the following code and click on "Apply"
    -- AD imported computers (vComputer joined to the identification data class)
    -- that report no Altiris Agent, run a Windows client operating system and
    -- are not classified as a server, domain controller or enterprise edition.
    select Guid from vResource where Guid in
       (
        SELECT vc.[Guid] FROM vComputer vc
        join inv_aex_ac_identification ii on
        vc.[Guid] = ii.[_ResourceGuid]
        WHERE
        -- no Altiris Agent / NS Client reported for this computer
        vc.[Guid] NOT IN
        (
         SELECT DISTINCT agent.[_ResourceGuid] FROM Inv_AeX_AC_Client_Agent agent
         WHERE agent.[Agent Name]='Altiris Agent' OR agent.[Agent Name]='Altiris eXpress NS Client'
        )
        AND
        -- Windows NT based operating systems only
        (
         LOWER(vc.[OS Name]) LIKE '%windows nt%'
         OR LOWER(vc.[OS Name]) LIKE '%windows 2000%'
         OR LOWER(vc.[OS Name]) LIKE '%windows vista%'
         OR LOWER(vc.[OS Name]) LIKE '%windows xp%'
        )
        AND LOWER(vc.[System Type]) like '%win%'
        AND vc.[IsLocal] = 1
        -- exclude servers and domain controllers
        AND ii.[os type] NOT IN ('server', 'domain controller', 'enterprise')
       )


After clicking on the "Apply" button you will be presented with a list of imported workstations from your AD which do not have the NSAgent installed.

Review the list and verify that all of the listed computers are ready for an Altiris Agent deployment. If certain systems are to be excluded, it is possible to edit the collection and exclude specific systems in the "Explicit Inclusions and Exclusions" section of the screen via "Resources excluded from this collection".

This collection is automatically updated by the Notification Server. Each computer which is added to Active Directory will be imported into the NS via the automatic schedule and will automatically appear in this collection.

Every computer on which the NSAgent has been installed will automatically disappear from this collection.

Enable the Automatic Push Installation

The automatic push installation can be configured from the following location:
> Configure > Agents > Agent Push

Agent Push Configuration

Before enabling the Agent Push, the settings of the NSAgent package should be reviewed to ensure that it will be rolled out with the desired options. To check the NSAgent package, click on the "Installation Settings" button.

I will not go through all of the possible options, but focus on the most important settings. In general, the NSAgent rollout will first distribute the NSAgent bootstrap (about 300 KB in size) as a push, which will then download the NSAgent itself (about 6 MB) from the Notification Server OR from the closest Package Server. In a highly distributed environment with many sites connected through slow links, it is suggested to FIRST install the NSAgent on dedicated computers in the remote sites which will function as Package Servers, and THEN enable the automatic push installation of the NSAgent to the other computers.

If Package Servers are in place, the option "Download Agent Package from closest Package Server" should be enabled to ensure that workstations in remote sites will not download the NSAgent from the Notification Server.

Besides the NSAgent Configuration Policy ( > Configure > Agents > Desktop Settings), it is possible to specify whether the NSAgent should be visible in the system tray during the rollout, before it has had a chance to poll its policy. Depending on whether the NSAgent icon should be displayed or not, enable or disable the option "Show the Altiris Agent Icon in the System Tray". This setting should match the policy which is configured for workstations.

By default the Notification Server will use the "Application Identity Account", which is the account under which the Notification Server service is running, to connect to the remote computers. As it needs to connect to the admin$ share on the remote computers, local admin rights are needed on those computers. If the "Application Identity Account" is only a domain user account with local admin rights on the Notification Server, then another account needs to be defined in the section "Use the following admin account instead of application credentials". It is suggested to specify a domain admin account in domain format (DOMAIN\Account name).

Workstations must be able to resolve the FQDN, WINS name or IP address of the Notification Server (depending on what is defined in the policy) in order to connect successfully to it. If this connection (or name resolution) requires a proxy server, then the option "Use Proxy" has to be enabled (assuming that the proxy server settings are configured in the Internet Explorer connection settings on the target workstation).

Also have a look at the other options and then click on "Save Settings".

Enable the Agent Push

At the bottom of the Altiris Agent Installation screen there is the option "Scheduled Push to Computers". By default it pushes the NSAgent to a collection of all NT based workstations and servers known to the system (for example via the AD import) which do not have the NSAgent installed.

First we need to change the target collection to the collection we created above:

  • Click on the edit icon to the right of "All Windows NT/2000/XP/2003 Computers with no Altiris Agent installed"
  • Deselect the default collection
  • Browse to > Collections > Computer Collections > My Collections, check the collection "AD imported Workstations without NSAgent" and click on "Apply"

Now we need to think about a schedule in which we want to try to install the NSAgent on our workstations. It is important to keep in mind that the installation does NOT happen at the same time on all of the computers. Instead, the Notification Server will try to connect to the first computer in the list, then to the second one, the third one, and so on.

In practice I have seen about 15 to 30 seconds of delay before trying to push the NSAgent to the next computer in the list.

If an environment has around 200 workstations, a schedule of "Every 2 hours" can be set up to re-try the push installation on computers where it failed earlier because the machine was not available. As a rule of thumb, I add one hour to my schedule per 100 workstations. If your AD has many "old" computer accounts of computers which no longer exist, you will get a lot of red entries in the Notification Server log files, as those systems cannot be reached. Simply ignore those error messages, or clean up your AD.

Ensure that you enable the checkbox beside "Enable Schedule", and then click on "Apply".

Monitor the Agent Rollout

Simply click on the button "View Installation Status Report", then on "Run this report" and "Refresh" to see how the rollout is progressing in your environment.
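As an added example (not from the original article and not part of the Altiris product), the following T-SQL looks at the same AD imported population directly in the database: the first query breaks the computers down by OS type with and without the agent, so rollout progress can be followed and the servers that were deliberately excluded in the collection are visible as a separate row; the second query lists any server or domain controller that reports an agent, which should come back empty when only the workstation collection was pushed. It assumes the Altiris 6 views and data classes used in the collection query above (vComputer, Inv_AeX_AC_Identification, Inv_AeX_AC_Client_Agent) and that vComputer exposes a [Name] column; run it against the Notification Server database in Query Analyzer or SQL Server Management Studio.

```sql
-- Added example, not from the original article.
-- Assumes the Altiris 6 NS views vComputer, Inv_AeX_AC_Identification and
-- Inv_AeX_AC_Client_Agent as referenced by the collection query in the article.

-- 1) Rollout progress per OS type: how many AD imported Windows computers
--    already report an Altiris Agent and how many still do not.
SELECT
    ISNULL(ii.[OS Type], '(unknown)')                                   AS [OS Type],
    COUNT(*)                                                            AS [Imported computers],
    SUM(CASE WHEN agent.[_ResourceGuid] IS NOT NULL THEN 1 ELSE 0 END)  AS [With NSAgent],
    SUM(CASE WHEN agent.[_ResourceGuid] IS NULL     THEN 1 ELSE 0 END)  AS [Without NSAgent]
FROM vComputer vc
JOIN Inv_AeX_AC_Identification ii
    ON ii.[_ResourceGuid] = vc.[Guid]
LEFT JOIN (
    -- one row per computer that reports an installed Altiris Agent / NS Client
    SELECT DISTINCT [_ResourceGuid]
    FROM Inv_AeX_AC_Client_Agent
    WHERE [Agent Name] IN ('Altiris Agent', 'Altiris eXpress NS Client')
) agent
    ON agent.[_ResourceGuid] = vc.[Guid]
WHERE vc.[IsLocal] = 1
  AND LOWER(vc.[System Type]) LIKE '%win%'
GROUP BY ii.[OS Type]
ORDER BY [Without NSAgent] DESC;

-- 2) Check that no server received the agent through the push.
--    Expected result when only the workstation collection was targeted: no rows.
--    (vc.[Name] is assumed to be the computer name column of vComputer.)
SELECT vc.[Name], vc.[OS Name], ii.[OS Type], agent.[Agent Name]
FROM vComputer vc
JOIN Inv_AeX_AC_Identification ii
    ON ii.[_ResourceGuid] = vc.[Guid]
JOIN Inv_AeX_AC_Client_Agent agent
    ON agent.[_ResourceGuid] = vc.[Guid]
WHERE agent.[Agent Name] IN ('Altiris Agent', 'Altiris eXpress NS Client')
  AND LOWER(ii.[OS Type]) IN ('server', 'domain controller', 'enterprise')
ORDER BY vc.[Name];
```

The first result set is the database view of what the "Installation Status Report" shows in the console; the "Without NSAgent" count for the workstation OS types should shrink with every scheduled push run, while the server rows should keep a "With NSAgent" count of zero unless servers were installed on purpose (for example the Package Servers in remote sites).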