Client Management Suite

  • 1.  CMS 7.6 Deployment Solution

    Posted Aug 04, 2015 03:28 PM

    We are currently running 7.1 in production and the last time I played with the product was a 7.5 SP1 test system. I don't really remember having many issues in 7.5 SP1.

    There have, of course, been some minor tweaks in 7.6, making it different from 7.1/7.5 so I am having trouble troubleshooting my issue. Basically, my site server does not seem to be responding to PXE boot. Both Symantec Network Boot Services are running under the local service account. According to: 

    https://support.symantec.com/en_US/article.DOC6770.html

    and my netstat (generalized to protect the dummy who posted everything the first time; DNS_NAME is the site server and XXX IP is the site server's IP address):

    C:\Windows\system32>netstat -a

    Active Connections

      Proto  Local Address          Foreign Address        State
      TCP    0.0.0.0:80             DNS_NAME:0            LISTENING
      TCP    0.0.0.0:111            DNS_NAME:0            LISTENING
      TCP    0.0.0.0:135            DNS_NAME:0            LISTENING
      TCP    0.0.0.0:445            DNS_NAME:0            LISTENING
      TCP    0.0.0.0:3389           DNS_NAME:0            LISTENING
      TCP    0.0.0.0:5985           DNS_NAME:0            LISTENING
      TCP    0.0.0.0:47001          DNS_NAME:0            LISTENING
      TCP    0.0.0.0:49152          DNS_NAME:0            LISTENING
      TCP    0.0.0.0:49153          DNS_NAME:0            LISTENING
      TCP    0.0.0.0:49154          DNS_NAME:0            LISTENING
      TCP    0.0.0.0:49155          DNS_NAME:0            LISTENING
      TCP    0.0.0.0:49166          DNS_NAME:0            LISTENING
      TCP    0.0.0.0:49203          DNS_NAME:0            LISTENING
      TCP    0.0.0.0:49204          DNS_NAME:0            LISTENING
      TCP    0.0.0.0:50124          DNS_NAME:0            LISTENING
      TCP    127.0.0.1:2049         DNS_NAME:0            LISTENING
      TCP    XXX.XXX.XXX.XXX:139     DNS_NAME:0            LISTENING
      TCP    XXX.XXX.XXX.XXX:2049    DNS_NAME:0            LISTENING
      TCP    XXX.XXX.XXX.XXX:3389    MY_WORKSTATION:58348         ESTABLISHED
      TCP    XXX.XXX.XXX.XXX:49254   DNS_NAME:50124        ESTABLISHED
      TCP    XXX.XXX.XXX.XXX:50124   DNS_NAME:49254        ESTABLISHED
      TCP    XXX.XXX.XXX.XXX:56566   DNS_NAME:50123          ESTABLISHED
      TCP    XXX.XXX.XXX.XXX:56568   INTERNAL_IP:microsoft-ds  ESTABLISHED
      TCP    XXX.XXX.XXX.XXX:56569   DNS_NAME:microsoft-ds   ESTABLISHED
      TCP    XXX.XXX.XXX.XXX:56885   DFS_SERVERNAME:microsoft-ds  ESTABLISHED
      TCP    XXX.XXX.XXX.XXX:56897   DNS_NAME:http         TIME_WAIT
      TCP    XXX.XXX.XXX.XXX:56898   64.4.54.253:https      ESTABLISHED
      TCP    [::]:80                DNS_NAME:0            LISTENING
      TCP    [::]:111               DNS_NAME:0            LISTENING
      TCP    [::]:135               DNS_NAME:0            LISTENING
      TCP    [::]:445               DNS_NAME:0            LISTENING
      TCP    [::]:3389              DNS_NAME:0            LISTENING
      TCP    [::]:5985              DNS_NAME:0            LISTENING
      TCP    [::]:47001             DNS_NAME:0            LISTENING
      TCP    [::]:49152             DNS_NAME:0            LISTENING
      TCP    [::]:49153             DNS_NAME:0            LISTENING
      TCP    [::]:49154             DNS_NAME:0            LISTENING
      TCP    [::]:49155             DNS_NAME:0            LISTENING
      TCP    [::]:49166             DNS_NAME:0            LISTENING
      TCP    [::]:49203             DNS_NAME:0            LISTENING
      TCP    [::]:49204             DNS_NAME:0            LISTENING
      TCP    [::1]:2049             DNS_NAME:0            LISTENING
      TCP    [fe80::400:92b6:7de0:a4fe%12]:2049  DNS_NAME:0            LISTENING
      UDP    0.0.0.0:123            *:*
      UDP    0.0.0.0:3389           *:*
      UDP    0.0.0.0:5355           *:*
      UDP    127.0.0.1:111          *:*
      UDP    127.0.0.1:2049         *:*
      UDP    127.0.0.1:49805        *:*
      UDP    127.0.0.1:58914        *:*
      UDP    127.0.0.1:59232        *:*
      UDP    127.0.0.1:59233        *:*
      UDP    127.0.0.1:59686        *:*
      UDP    127.0.0.1:65045        *:*
      UDP    XXX.XXX.XXX.XXX:67      *:*
      UDP    XXX.XXX.XXX.XXX:69      *:*
      UDP    XXX.XXX.XXX.XXX:111     *:*
      UDP    XXX.XXX.XXX.XXX:137     *:*
      UDP    XXX.XXX.XXX.XXX:138     *:*
      UDP    XXX.XXX.XXX.XXX:2049    *:*
      UDP    XXX.XXX.XXX.XXX:4011    *:*
      UDP    XXX.XXX.XXX.XXX:64296   *:*
      UDP    [::]:123               *:*
      UDP    [::]:3389              *:*
      UDP    [::]:5355              *:*
      UDP    [::1]:111              *:*
      UDP    [::1]:2049             *:*
      UDP    [fe80::400:92b6:7de0:a4fe%12]:111  *:*
      UDP    [fe80::400:92b6:7de0:a4fe%12]:2049  *:*

    I think everything is listening on the right ports, unless I am reading something wrong? When I PXE boot I get an error:

    PXE-E53 No boot filename received

    According to the Package Server list, I have the BDC, Imaging, DriverDB, Automation Folders, and Deployment Plug-ins on the server. In 7.5, the actual PE image name used to show up, but it's not there now. However, from the NS, I can see the PE image shows a status of being on both site servers. Agent-wise, I have Deployment NBS Plug-in, Deployment Package Server, Deployment Task Server Handler installed. In Initial Deployment, I have both options set to run the Boot to PE task, with the Task configured and pointing to the only PE image I have.

    I don't remember how things were shared out on previous versions, but if I go to my site servers, I only see:

    PkgSvrHostE$

    print$

    So I am wondering if my shares aren't correctly created/configured, or maybe it's the firewall on the server itself (Server 2012r2 comes closed down these days)? Oh, I also turned logging to full, and I see that SbsLog_* report errors. These are tested, initially, across VLANs with an iphelper, but to avoid those pitfalls, I still have the issue when on the same subnet as the server. Also, full disclosure, I did not install XML core services, as nothing came up for Server 2012r2, but I did download it in case it became an issue. Also, the account this is running on is a domain user account with local admin privileges on all Altiris servers.

    Any help appreciated. Thanks.



  • 2.  RE: CMS 7.6 Deployment Solution
    Best Answer

    Posted Aug 05, 2015 08:00 PM

    OK, I think I have it figured out. I think netstat will only show you inside the firewall. I ran an nmap today, and got: 

    $ sudo nmap -sS -sU -PN -p 1-65535 XXX.XXX.XXX.XXX
    Password:

    Starting Nmap 6.47 ( http://nmap.org ) at 2015-08-05 15:15 PDT
    Nmap scan report for DNS_name (XXX.XXX.XXX.XXX)
    Host is up (0.00044s latency).
    Not shown: 65533 open|filtered ports, 65524 filtered ports
    PORT      STATE SERVICE
    80/tcp    open  http
    111/tcp   open  rpcbind
    135/tcp   open  msrpc
    139/tcp   open  netbios-ssn
    445/tcp   open  microsoft-ds
    2049/tcp  open  nfs
    3389/tcp  open  ms-wbt-server
    5985/tcp  open  wsman
    49154/tcp open  unknown
    49166/tcp open  unknown
    50124/tcp open  unknown
    137/udp   open  netbios-ns
    2049/udp  open  nfs
    MAC Address: XX:XX:XX:XX:XX:XX (VMware)

    Nmap done: 1 IP address (1 host up) scanned in 212.31 seconds

    which did not map to the expected ports seen in netstat. So, I ran the following to open the relevant ports mentioned in the link in my original post:

    netsh advfirewall firewall add rule name="PXE Requests" dir=in action=allow protocol=UDP localport=67
    netsh advfirewall firewall add rule name="PXE Response" dir=out action=allow protocol=UDP localport=67
    netsh advfirewall firewall add rule name="PXE Requests 2" dir=in action=allow protocol=UDP localport=4011
    netsh advfirewall firewall add rule name="PXE Response 2" dir=out action=allow protocol=UDP localport=4011

    netsh advfirewall firewall add rule name="TFTP Requests" dir=in action=allow protocol=UDP localport=69

    I can now PXE boot successfully across VLANs with the iphelper already in place. My issue is basically resolved, but before I close it, was this a fluke problem with the 7.6 HF3 install, where a repair would fix this, or is this a bug and others should open these ports manually on Server 2012 r2?
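As an added illustration of the netstat-versus-nmap comparison in the post above (this script is not part of the original thread): it parses constructed, abridged samples shaped like the two outputs, ignores loopback-only sockets, and reports listeners the external scan could not confirm, then narrows that to the Deployment Solution PXE ports. The address 10.0.0.5 and the sample lines are constructed stand-ins for the site server.

```python
import re

LOOPBACK = ("127.", "[::1]", "[fe80:")
PXE_PORTS = {(67, "udp"), (69, "udp"), (4011, "udp")}  # DHCP/PXE, TFTP, PXE proxy
# Constructed samples, abridged from the shape of the thread's netstat -a / nmap output.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             DNS_NAME:0            LISTENING
  TCP    0.0.0.0:47001          DNS_NAME:0            LISTENING
  TCP    127.0.0.1:2049         DNS_NAME:0            LISTENING
  TCP    10.0.0.5:3389          MY_WORKSTATION:58348  ESTABLISHED
  UDP    127.0.0.1:111          *:*
  UDP    10.0.0.5:67            *:*
  UDP    10.0.0.5:69            *:*
  UDP    10.0.0.5:137           *:*
  UDP    10.0.0.5:4011          *:*
"""
NMAP_SAMPLE = """\
PORT      STATE SERVICE
80/tcp    open  http
137/udp   open  netbios-ns
"""

def netstat_listeners(text):
    """{(port, proto)} bound on a non-loopback address; TCP must be LISTENING,
    UDP sockets carry no state column in netstat."""
    found = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0].lower(), parts[1]
        if proto == "tcp" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue
        if not local.startswith(LOOPBACK):
            found.add((int(local.rsplit(":", 1)[1]), proto))
    return found

def nmap_open(text):
    """{(port, proto)} nmap printed as 'open'. A port absent from the table was
    filtered or (UDP only) open|filtered, so absence never proves reachability."""
    return {(int(m[1]), m[2]) for m in re.finditer(r"^(\d+)/(tcp|udp)\s+open\s", text, re.M)}

def unreachable_listeners(netstat_text, nmap_text):
    # Listeners the host believes it has that the network-side scan could not confirm.
    return netstat_listeners(netstat_text) - nmap_open(nmap_text)

def missing_pxe_ports(netstat_text, nmap_text):
    """The Deployment Solution PXE ports in that gap: candidates for firewall rules."""
    return PXE_PORTS & unreachable_listeners(netstat_text, nmap_text)
```

Run it against real captures by feeding the full netstat -a and nmap text to the two functions; the 47001/tcp entry in the sample shows the same gap also catches filtered WinRM and RPC listeners, not just PXE.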



  • 3.  RE: CMS 7.6 Deployment Solution

    Posted Aug 06, 2015 11:30 AM

    I think I have also figured out why I didn't see this last time: SEP. Our SEP configs have the needed ports open and I had not installed it yet on the server. Long story short, if you don't have an AV product configuring your OS firewall - at least on Server 2012 r2 - you will need to open, or at least look into, the above ports for Deployment Solution.