Intel,Altiris Group

Back to Library

Troubleshooting Out of Band Management and Real-Time System Manager for vPro Technology versions 7.0: Part 2 

Nov 09, 2010 03:37 PM

Troubleshooting issues with the Intel® AMT setup and configuration process can be a daunting prospect. This series walks through the troubleshooting methods to pinpoint where problems originate and how to fix them.

Part 2: Setup and Configuration - Intro to Server Components

Out Of Band Management
   Out of Band Management Solution
   Out of Band Setup and Configuration
Intel SCS Component
   Install
   Oobprov.exe
   AMTSCS Virtual Web-site
Symantec_CMDB_IntelAMT Database
   Important tables

Setup and configuration isn't a single road. There are two primary paths to reaching a configured state, not counting the simple 'Small Business Mode'. Pre-shared Keys (TLS-PSK) and Remote Configuration (certificate-based TLS) provide two methods for authenticating with the Setup and Configuration Server and receiving a Profile to set it into a Configured state. Understanding the server components is essential to properly diagnosing and troubleshooting problems with the process. Part 3 of this series will cover the symptoms and their likely causes, including troubleshooting details.

The following components integrate in the following manner:

Out of Band Management

Out of Band Management contains 3 main components, with further components broken down as shown here:

  • Out of Band Management Solution Install
    • NS-based Tasks and Agents
    • Setup and Configuration Console Nodes
  • OOB Site Services
    • Includes instances of the AMTConfig Service that points to the main Symantec_CMDB_IntelAMT database
  • Intel SCS Component - This is Intel code for interacting with AMT systems
    • AMTConfig Service
    • IntelAMT database

Out of Band Management Solution

The installer for this Solution creates the Symantec Management Console pages and underlining code that intersect directly with the Intel SCS component. Consider those pages as hooks into Intel SCS. Intel SCS can install without Out of Band Management. Everything located in the Symantec Management Console under Settings > All Settings > Remote Management > Out of Band Management > Configuration Service Settings ties directly through the AMTSCS web service to access the Symantec_CMDB_IntelAMT database (with the exception of DNS Configuration, Service Location, and Delayed Setup and Configuration).

This installer also creates the Tasks, Packages, and Plug-ins used for Out of Band Management, including:

  • Out of Band Discovery - This is an EXE that uses the standard NS Software Plug-in Delivery to detect the presence of AMT and pull certain data out, including the UUID. This is used heavily for FQDN mapping and is an important part of the best setup and configuration method.
  • Out of Band Task Agent - This agent installs like any other Symantec Management Agent Plug-in. It's used to function with ASF, or to restart the Hello Packet sequence with Delayed Setup and Configuration in Remote Configuration.
  • Delayed Setup and Configuration Task - This restarts the Hello Packet sequence, and requires the Out of Band Task Agent.
  • Filters and Packages - Filters and Packages for the above items.
  • Oobprov.exe - This is the Setup and Configuration agent that assists the SCS in configuring and setting up AMT client systems.

Important points:

  1. Out of Band Management NS items will work without IntelSCS, but the Configuration Service Settings, Intel AMT Systems, and Logs nodes mostly require Intel SCS to be installed and properly configured.

  2. Installed Alone most of the above nodes will not function. The default error shown here will show with ANY problem:
    • Error connecting to the Intel® AMT Setup and Configuration Server. Verify that Intel® AMT Setup and Configuration Service security settings are configured and AMTConfig service is running. See documentation for details on troubleshooting the Intel® Setup and Configuration Server Installation.
  3. The errors may have other information past the first bullet point, with another warning box containing additional information. These usually give a more specific message concerning the problem. I've rarely found that the message above accurately points to the source of the problem. See this screenshot for an example:

Out of Band Setup and Configuration

This installer is truly just a wrapper for the Intel SCS installation. It does provide a crucial function. It lays down the following folder structure where the Intel SCS Component is installed from:

  • Install_path\Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\Out of Band managent\IntelSCS

The installer does execute an automatic attempt to install Intel SCS using the script located at the above location named scsinstall.iss. This install makes the following assumptions:

  1. The SQL database server and instance is the same one the Notification Server is using
  2. The AMTConfig service account will run under the Altiris Application Identity credentials
  3. The Database install and user will be the Symantec Management Platform Application Identity Account
  4. The Default Web Site is available for install of the AMTSCS virtual directory

Intel SCS Component

The Intel Setup and Configuration Service component is provided by Intel and supported by Symantec. This includes the following components:

  1. Symantec_CMDB_IntelAMT database - Like the Symantec_CMDB database is for Notification Server, the IntelAMT database is the backbone of the SCS component. The following items are included in the database:
    1. Hello packet data
    2. Queues for Setup and Configuration, and Maintenance actions
    3. Settings for SCS
    4. Security keys
    5. AMT machine data
    6. AMT Profiles
  2. AMTConfig Service - This service is the piece that talks to the AMT systems and processes items in the database queues. It also calls oobprov.exe to assist in setup and configuration, primarily to obtain the FQDN for the system.
  3. AMTSCS and AMTSCS_RCFG Virtual Directories - In IIS SCS creates 2 virtual directory that contain the interfaces Out of Band Management Console uses to connect to the IntelAMT database. Its simple structure belies the importance of this interface.

Keep in mind the following:

  1. Failures to install are almost always security related. See the below 'Install' section for more information.
  2. The IntelAMT and Symantec_CMDB databases are required to be installed to the same SQL instance for Resource Synchronization to work (Resource Synch is the process of importing AMT systems from SCS to NS. In cases where a system is already managed by NS, the data will be merged in the existing NS record)

Install

  1. Often when you install Out of Band Management Solution the assumptions cause the Intel SCS component to fail in one way or another, and a message is thrown giving basic instructions on how to install it manually. In some ways I prefer the manual installation so each setting can be directly controlled. When this happens, it's important to follow these steps to avoid issues:
  1. Log onto the Notification Server with the Application Identity, or if not allowed, log on as the user that has rights to the Notification Server and the SQL Server.
  2. Stop IIS on the Notification Server, shut down all Altiris Consoles, stop the AMTConfig service, and shut down any SQL consoles (SQL Enterprise Studio, Query Analyzer, etc). While this can be difficult to arrange, it ensures all necessary accesses and resources are available, and can avoid issues or required reboots of the server.
  3. Launch the installer directly from install_path\Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\Out of Band Management\IntelSCS\AMTConfServer.exe
  4. Follow the onscreen prompts. In the next part we'll discuss a scripted install should this install fail. The scripted install allows greater visibility to the process and shows any errors as they occur.

Oobprov.exe

This component is what is known as the Setup and Configuration Script, or Properties Script. Intel SCS requires a setup and configuration script in order to conduct Setup and Configuration, and as mentioned earlier this is provided as part of Out of Band Management.

When the AMTConfig Service receives an incoming hello message, it places the setup and configuration request in the queue, and then calls oobprov.exe. Any message stating 'Properties Script Failed' means that oobprov.exe did not successfully configure the AMT system.

AMTSCS Virtual Web-site

The web-site is generally invisible to the admin running the Console. It must exist, but otherwise the mechanism is pretty solid. The only exception to this rule is when TLS, or Transport Level Security, is involved or not configured completely.

Keep in mind the following:

  1. If you will be using TLS for AMT management, this virtual directory much be set with https for any functionality to work.
  2. If you will not be using TLS, https cannot be enabled on this virtual directory.
  3. If TLS is not implemented but https is enabled on the virtual directory, the Symantec Management Console nodes for Out of Band Management will fail.
  4. If TLS is enabled but https is disabled on the virtual directory, failure also occurs.
  5. The default is https enabled when running the SCS install manually, and this must be unchecked during the install, or later removed from the Sites.

Symantec_CMDB_IntelAMT database

Much like the Symantec_CMDB database is to NS, the Symantec_CMDB_IntelAMT database is the backbone of Intel SCS. While all functions in the console are automatically interconnected in the database, understanding some of the important tables can help in the troubleshooting process.

Important tables

The following is a list of some of the core tables used by Intel SCS:

  • csti_amts - This is the data on the actual AMT system. When looking in the Intel AMT Systems node in the Altiris Console, it is reflecting data from this table.
  • csti_configuration - This table holds the core configuration between Out of Band Management and Intel SCS.
  • csti_uuid_maps - This maps the UUID (Primary AMT ID) to the FQDN.

  • csti_pid_map - This table contains the security key information so that Intel SCS can authenticate to the AMT client systems, and the client systems can initially authenticate with Intel SCS.
  • csto_delayed_Policies - When Setup and Configuration requests have failed for whatever reason, the requests are moved to this table for later handling.

Return to Part 1/Index

Read Part 3: Setup and Configuration Console Troubleshooting

Statistics
0 Favorited
0 Views
5 Files
0 Shares
0 Downloads
Attachment(s)
Download All
jpg file
OOBM_2-1.jpg   54 KB   1 version
Uploaded - Feb 25, 2020
 
Download
jpg file
OOBM_2-2.jpg   39 KB   1 version
Uploaded - Feb 25, 2020
 
Download
jpg file
OOBM_2-3.jpg   78 KB   1 version
Uploaded - Feb 25, 2020
 
Download
jpg file
OOBM_2-4.jpg   30 KB   1 version
Uploaded - Feb 25, 2020
 
Download
doc file
Troubleshooting Out of Band Management and Real-Time Syst....doc   2.44 MB   1 version
Uploaded - Feb 25, 2020
 
Download

Tags and Keywords

Related Entries and Links

No Related Resource entered.