ITMS 7.1 SP2 MP1 SQL Prerequisites

Created: 31 Oct 2012 | 11 comments

The following is an excerpt from TECH197966 (http://www.symantec.com/business/support/index?page=content&id=TECH197966)...

Before starting the new installation/upgrade, please do the following steps:
A) either
a. Grant the Altiris Service account the View Server State permission in SQL

GRANT view server state TO AltirisServiceLoginNameHere --Usually the AppID account name

b. Or, add the Altiris Service account to the SQL processadmin Server Role.

B) After the installation completes, apply the updated Stored Procedure mentioned on TECH198556
C) Revert the change made in step A, if desired:

REVOKE view server state TO AltirisServiceLoginNameHere

Is granting this SQL permission and applying the Stored Procedure still required if I'm using a Domain Admin account for the Application Identity on my NS?
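
The pre- and post-upgrade steps from the excerpt as one re-runnable T-SQL script, added here as an example (it is not part of the original post or of TECH197966). The login name `DOMAIN\AltirisAppId` and the `@phase` switch are placeholders; the script reports the login's existing role membership first, grants only when nothing already covers the permission, and afterwards revokes only the explicit grant.

```sql
-- Added example, not from TECH197966. 'DOMAIN\AltirisAppId' is a placeholder login.
USE master;  -- server-level permissions can only be granted/revoked from master

DECLARE @login sysname, @phase varchar(4), @sql nvarchar(400), @explicit bit;
SET @login = N'DOMAIN\AltirisAppId';
SET @phase = 'pre';   -- 'pre' = step A (before upgrade), 'post' = step C (afterwards)

-- Is VIEW SERVER STATE granted directly to this login (not via a role)?
SET @explicit = CASE WHEN EXISTS (
        SELECT 1
          FROM sys.server_permissions AS p
          JOIN sys.server_principals  AS l
            ON l.principal_id = p.grantee_principal_id
         WHERE l.name = @login
           AND p.permission_name = N'VIEW SERVER STATE'
           AND p.state IN ('G', 'W')      -- GRANT / GRANT WITH GRANT OPTION
    ) THEN 1 ELSE 0 END;

-- Report current state; IS_SRVROLEMEMBER returns NULL for an unknown login.
SELECT @login                                   AS login_name,
       IS_SRVROLEMEMBER('sysadmin', @login)     AS is_sysadmin,
       IS_SRVROLEMEMBER('processadmin', @login) AS is_processadmin,
       @explicit                                AS explicit_view_server_state;

IF @phase = 'pre'
   AND @explicit = 0
   AND ISNULL(IS_SRVROLEMEMBER('sysadmin', @login), 0) = 0
   AND ISNULL(IS_SRVROLEMEMBER('processadmin', @login), 0) = 0
BEGIN
    -- Step A(a): grant only when no role membership already covers it.
    SET @sql = N'GRANT VIEW SERVER STATE TO ' + QUOTENAME(@login) + N';';
    EXEC sys.sp_executesql @sql;
END
ELSE IF @phase = 'post' AND @explicit = 1
BEGIN
    -- Step C: remove the temporary grant once TECH198556 has been applied.
    SET @sql = N'REVOKE VIEW SERVER STATE FROM ' + QUOTENAME(@login) + N';';
    EXEC sys.sp_executesql @sql;
END
```

A login that reaches SQL Server only through a Windows group has no row of its own in `sys.server_principals`, so the explicit-grant check reports 0 for it and the permission has to be reviewed on the group instead.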

andykn101's picture

Domain Admin rights don't necessarily give you any rights on the SQL Server at all. They have to be assigned separately.

Authorised Symantec Consultant (ASC) with Endpoint Management Limited, an Authorised Symantec Delivery Provider based in the UK.

Connect Etiquette: Please "Mark as Solution" posts that fix your problem.

Clint's picture

I'm thinking the second option to "add the Altiris Service account to the SQL processadmin Server Role" is probably the easier one to do (via SQL Server Management Studio?).  So even if the account I'm using is a sysadmin in SQL, I still have to assign it to processadmin?  Sorry...I'm not really familiar with SQL so have to make sure that I'm only modifying what's absolutely necessary.

Also, TECH197966 says to apply the updated stored procedure after the (MP1) upgrade install completes after which it says you can optionally remove the previously-assigned SQL permissions.  Will it be a huge security risk if I just left it?  Just curious.  Thanks in advance!

Clint

andykn101's picture

I'm not a SQL expert either but I think the "sa" role or sysadmin rights has everything, including processadmin.

Leaving the Altiris Service Account ("Application Identity") with "sa" rights isn't a huge security risk, just not best practice of always assigning the most restrictive rights possible.

Clint's picture

FYI: I was told that Symantec devs are working on an ITMS 7.1 SP2 MP1.1 that is supposed to eliminate these pre-install SQL permission changes.  No exact timeframe was given beyond MP1.1 being available in a matter of "days".

Clint

rjbonilla's picture

Well, looks like MP1.1 has already been released; when I went to finish upgrading my last server to MP1, I now have an option for MP1.1 in SIM. Cannot seem to find any release notes on this version to see what is included in this update.

andykn101's picture

"Upgrading to ITMS 7.1 SP2 – MP1.1 – Best Practices":

http://www.symantec.com/docs/TECH197966

Apart from the usual stuff about emptying queues and backing up everything, there's point 5:

"Backup the Copyfiles folder in the Deployment Share under Task Handlers"

And point 7 post implementation:

"Move FIRM.EXE into the correct location per TECH198111"

http://www.symantec.com/docs/TECH198111

Personally I always use xcopy instead of FIRM outside of DOS.

andykn101's picture

Actually they appear to be the release notes for a post-MP1.1 hotfix:

"This Symantec Management Platform 7.1 SP2 MP1 Rollup version 1 contains point fixes that were not part of the regular SMP 7.1 SP2 MP1 release."

"If you are in 7.1 SP2 MP1, you should upgrade to 7.1 SP2 MP1.1 and then install this Rollup."

There is a link there to the MP1.1 release doc but it's the wrong link.

Clint's picture

It appears the MP1.1 link in HOWTO81832 should NOT have been HOWTO5955 since the following documentation URL points to DOC5955 instead for the ITMS 7.1 SP2 MP1.1 Release Notes.

http://www.symantec.com/business/support/index?page=content&key=55274&channel=DOCUMENTATION

However, the link seems to be down at the moment although I did get to it once.  As things would have it, I just saved the URL (http://www.symantec.com/docs/DOC5955) but didn't do the same for the pdf itself thinking I'd look at it again later.  As Homer Simpson would say..."DOH!"

Clint

md investigate's picture

I don't know why, but with IE the link is not working. Just pasted in firefox et voila:

The IT Management Suite 7.1 SP2 MP1.1 release notes contain the following information:

- Known issues
- Fixed issues
- Upgrade information

Important: If you already installed version MP1, MP1.1 will install only the fix described in TECH198556.

Attachment: ITMS 7 1 SP2 MP1 1 Release Notes.pdf (275.5 KB)

Clint's picture

FYI: Link is now working reliably via IE.

Clint