English next chapter after below:
Suite à une tentative d'installation d'une passerelle CEM, malgrés une réinstallation "from scratch" du serveur (mais avec reprise de la database bien entendu), le CEM ne fonctionne pas, et pour le moment, ce n'est pas l'urgence, par contre, le serveur devient quai inutilisable car nous avons les problèmes suivants :
Le compte de service utilisé par le serveur Altiris, se verrouille en permanence. Et non: Le mot de passe n'a pas été changé, et même, nous n'avons pas de "bad password" dans les logs du domaine ! De plus, dans des moments courts (30 secondes...) avant de se re-verrouiller, l'agent se connecte et arrive à fonctionner... Par contre, il faut faire "unlock" du compte dans l'AD, toutes les 30 secondes...
Constat: Les agents installés fonctionnent à 90% semble-t-il.
Les agents en erreur, n'affichent plus leur task serveur: le NS est connecté mais impossible de connecter son task serveur (lequel fonctionne pour 80% des postes...)
<event date="08/30/2016 14:01:23.1390000 +02:00" severity="2" hostName="CLT3099" source="ConfigServer" module="AeXNSAgent.exe" process="AeXNSAgent.exe" pid="18548" thread="5560" tickCount="22067995"><![CDATA[WARNING: Unexpected response from URL 'https://altiris.domain.ch:443/altiris/NS/Agent/GetClientCertificateMig.aspx?Encrypted=1': Unable to get the client certificate response XML associated with the specified request (Exception: The caller is unauthorized to request a new client certificate.)]]></event>
Et du côté du serveur
Processed registration from Host=[CLT3099], MAC=[F0-4D-A2-XX-XX-XX], IP=[172.30.1.2], Domain=[DOMAIN], User=[ll04292] with ID 3d5bf428-b488-4944-a325-fff70d34312f updated in registration queue.
Le diagnostic est clair, c'est l'utilisation d'un alias, associé précédemment avec un certificat utilisant le nom 'alias' (altiris.domain.ch), car pour les agents réinstallés, en utilisant le "vrai" nom du serveur altiris, cela passe mieux... Ce qui est étonnant, c'est le verrouillage du compte de service, peut-être associable avec les erreurs loggé sur les DC dans events security
A Kerberos service ticket was requested.,Account Information:, Account Name: SRVALT01@DOMAIN.CH, Account Domain: DOMAIN.CH, Logon GUID: {00000000-0000-0000-0000-000000000000},Service Information:, Service Name: cifs/fs_PackagesData_ge3, Service ID: NULL SID,Network Information:, Client Address: ::ffff:172.30.7.4, Client Port: 59538,Additional Information:, Ticket Options: 0x40810000, Ticket Encryption Type: 0xffffffff, Failure Code: 0x12, Transited Services: -,This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.,This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.,Ticket options, encryption types, and failure codes are defined in RFC 4120.
Et donc, cela pourrait bien être cette erreur qui provoque un verrouillage "indirectement" de la part des agents, via l'Altiris serveur (172.30.7.4)
A part passer sur chaque agent; forcer la suppression et réinstallation, vous avez une idée.
Le support Symantec nous a bien proposé
(1) on client machines stop Symantec Management Agent service;
(2) on client machine delete complete "Ldb" folder located at "C:\ProgramData\Symantec\Symantec Agent";
(3) start Symantec Management Agent Service on the client machines.
Mais après avoir essayé cela sur qq agents, ce n'était plus uniquement le task serveur qui était perdu, mais le serveur NS aussi !-(
Le /clean et réinstallation de l'agent remets en service correctement les deux éléments. Mais c'est galère de tout nettoyer à la main les agents sur tous les sites... Si vous avez une meilleure idée ?
Et surtout; avez-vous une idée de ce qu'il se passe; et avez-vous réussit à installer un CEM et associer un certificat NS en utilisant un alias, sans mettre tout par terre ???
[Juste pour info; ce n'est pas moi qui ai fait la précédente installation CEM ;)]
English:
Afer a try to install a CEM, we got a global issue and reinstall from scratch and reconnect previous CMDB.
Altiris service account locked continuously... We must "unlock" all minutes.
About 20% clients agent are faulting to connect Task server.
After investigating AD logs, we do not have a clear 'invalid password' a usual, but we were able to found following log on DC:
A Kerberos service ticket was requested.,Account Information:, Account Name: SRVALT01@DOMAIN.CH, Account Domain: DOMAIN.CH, Logon GUID: {00000000-0000-0000-0000-000000000000},Service Information:, Service Name: cifs/fs_PackagesData_ge3, Service ID: NULL SID,Network Information:, Client Address: ::ffff:172.30.7.4, Client Port: 59538,Additional Information:, Ticket Options: 0x40810000, Ticket Encryption Type: 0xffffffff, Failure Code: 0x12, Transited Services: -,This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.,This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.,Ticket options, encryption types, and failure codes are defined in RFC 4120.
Agent client CLT3099 are recording following error
<event date="08/30/2016 14:01:23.1390000 +02:00" severity="2" hostName="CLT3099" source="ConfigServer" module="AeXNSAgent.exe" process="AeXNSAgent.exe" pid="18548" thread="5560" tickCount="22067995"><![CDATA[WARNING: Unexpected response from URL 'https://altiris.domain.ch:443/altiris/NS/Agent/GetClientCertificateMig.aspx?Encrypted=1': Unable to get the client certificate response XML associated with the specified request (Exception: The caller is unauthorized to request a new client certificate.)]]></event>
But Altiris server logs
Processed registration from Host=[CLT3099], MAC=[F0-4D-A2-XX-XX-XX], IP=[172.30.1.2], Domain=[DOMAIN], User=[ll04292] with ID 3d5bf428-b488-4944-a325-fff70d34312f updated in registration queue.
OK, altiris.domain.ch was the alias the NS server associated a certificate, to connect using CEM... We put all that away, because all internal services down, don't care any more about connecting "internet" clients, just wanted to recover a normal NS.
Symantec support ask for us to proceed the following
(1) on client machines stop Symantec Management Agent service;
(2) on client machine delete complete "Ldb" folder located at "C:\ProgramData\Symantec\Symantec Agent";
(3) start Symantec Management Agent Service on the client machines.
But after trying a few agents, we loss also the NS connexion in addition the Task server... So reinstall /clean to recover is OK.
Except a mess to recover all sites, all agents... We still have a few 'locking' the server, difficult to clean remaining, if any suggest, are welcome !!
In addition, any body was able to make a CEM working well using an alias ? Nice to know.
[I must say I am not responsible the CEM previous install ;)]
NEWS: we also detect a duplicate GUID for the NS: one with the complete
SRVALT01.DOMAIN.CH, and another one
SRVALT01 with DNS suffix, in the CMDB. The second is the GUID of the altiris agent on ths NS, the 1st is the GUID of the Altiris server in the CMDB, I do not verify yet, but I guess the task server probably the 2nd (Altiris agent)... 1st time I see an altiris server with an agent a different GUID the Notification server !!!
What best to do ?
1. before 'get update' of the altiris agent on the notification server, delete the GUID with short name (2nd above) corresponding the altiris agent (and Task server?)
2. Run AexNSutil /ResetGUID on the Altiris server to recover the GUID of the NS from th eCMDB (&st above) hopefully ?