Altiris recovery solution and safeboot disk encryption
Updated: 21 May 2010 | 3 comments
I am evaluating Altiris recovery solution and have run into an issue. I am unable to successfully recover a workstation that is using safeboot disk encryption. I have found articles stating the safeboot and local recovery agent do not work; is it the same for safeboot and the Server-only RS agent?
Comments
May be problematic
mmurph:
There are several articles concerning using RS with SafeBoot and other full-disk encryption products:
https://kb.altiris.com/article.asp?article=24817&p=1 (general disk encryption notes)
https://kb.altiris.com/article.asp?article=35484&p=1 (more general known issues with full disk encryption)
https://kb.altiris.com/article.asp?article=35395&p=1 (SafeBoot specific - rolling back to unencrypted state)
Can you be more specific about any error messages, etc. you receive?
Thanks,
Kyle
Symantec Trusted Advisor
For Forum threads, please click "Mark as Solution" if answered.
For all content, please give a thumbs up if you agree with or support the post.
Hi kyle,
Safeboot was installed before recovery solution.
Recovery solution (server-only) was installed and a full snapshot taken.
I created the image and restored the workstation using a different disk (to simulate a drive failure), ran pclean first. The restore appears to work and Windows boots up; we log in and it appears Windows is still trying to finish the configuration.
The workstation restarts and we get the safeboot prompt - but the computer is now identified to the safeboot console as xzy001 instead of the xyz
We have to use the recovery code to get a temporary safeboot passcode, type it in and we get a blue screen.
On the reboot a message "Invalid LBAI" appears on the black screen, and Windows will not boot afterward.
This error is an identified issue using local recovery, but not when using server-only???
Should I be doing something different?
Thanks,
Mike
Just so we're clear...
when you say "the restore appears to work", both phases of Full System Recovery run successfully, i.e. the first phase is loading the "mini OS" from the CD image that will allow you to boot to a basic Windows installation, then the second phase, after logging in, is that the machine connects to the RS server and downloads the backed up files. I would guess if that is the case (and based on your other information) that RS is either a) not backing up some file that SB needs (maybe some locked file) or b) RS is backing up and restoring some configuration file that it shouldn't be, which causes it to become desynchronized with the SB console. I haven't seen the "invalid LBAI" warning before (we don't use Local Recovery either, and in any case it has been EOL'd), but at the point that RS has completed reinstalling it shouldn't matter.
Maybe some file for SafeBoot needs to be included in the miniOS image so that the mini OS can properly interact with the SafeBoot console. You can adjust the content of this when creating the FSR ISO; try adding the \Program Files\SafeBoot (or wherever it lives on the disk) and any known configuration files. Does the machine's account seem "normal" in the SB console at the point that the full restore begins (which means that the machine has network connectivity)? One of those LR articles suggested disabling the encryption policy then re-enabling it while working with LR or other Altiris-related tasks; maybe the same would apply here? We have a file-based encryption tool we use and haven't run into a similar issue (so far).
Also I might talk to SafeBoot support and see what they say would cause the "xyz001" issue you've seen; I'm guessing a duplicate domain/name combo of some sort...
Thanks,
Kyle
Symantec Trusted Advisor