Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Endpoint Management Community Blog
Showing posts tagged with 7.x
Showing posts in English
Ludovic Ferre | 20 Dec 2012 | 0 comments

I was asked today to help on a long running hierarchy replication task. I pointed my customer to the default report whilst I was searching a hand crafted SQL to do the same, with a slightly friendlier look to it.

I found it, so I sent it to them and I share it with the Community now:

select
		rs._eventTime as 'Event time',
		replace (src.name, '.15-cloud.fr', '') + ' --> ' +
		replace (dst.name, '.15-cloud.fr', '') + 
		case src.name when 'vbox-atrs5.15-cloud.fr' then ' (Down)' else ' (Up)' end as 'Details',
		cast(rs.TotalReplicationCount as varchar) as 'Objects (total)',
		cast (rs.FailedReplicationCount as varchar) as 'Failed',
		cast (rs.DataTransferred as varchar) as 'Size in KiB',
		cast (DATEDIFF(mi, rs.[StartTime], rs.[FinishTime] ) as varchar)AS 'Duration (mins)'
  from...
Tim.Jing | 19 Dec 2012 | 0 comments

If you can imaging a picture of Mount Ranier on a cloudy day. The towering structure is only partialy revealed, clouds camouflage the snow covered cap. leaving one a guess at what could be under the blanket.

We have alot of items to migrate ahead, including:

  1. A DS structure with about 300 packages vendor command lines and MSI built from Wise.
  2. An HII image in Windwos XP that has not changed since 2009.
  3. Wise to Admin Studio conversion.
  4. Windows 7 image.
  5. App Metering to block apps(If the header reading is better than version 6)
  6. Exploring virtual applications with Workspace Streaming.
  7. Mac OS image and software deployment.
  8. Symantec MDM.
  9. Customize console and training for the Desktop and service desk groups.

 

Should be a...

Ludovic Ferre | 17 Dec 2012 | 0 comments

I completed some refactoring and aggregated the 2 related Patch Automation projects [1][2] in the last week and so I can call the 2 programs a toolkit :D.

Some features from the changes are only code related (sharing code between the projects) but there's a major addition to both project: custom patch exclusion.

This is implemented via the database, and it leaves plenty of room for you to choose which bulletins are excluded. The code is written to exclude bulletin by name, from the content of a table or view named "PatchAutomation_Excluded".

And here is a sample implementation, that will prevent duplicate entries in the table and will give some added information (a timestamp when a new exclusion is added):

if exists (select name from sys.objects where type = 'U' and name = 'PatchAutomation_Excluded')
	drop table PatchAutomation_Excluded

create table PatchAutomation_Excluded (
	_id int...
Tim.Jing | 13 Dec 2012 | 10 comments

This will be to document our migration from Symantec Client Managment 6 to SMP CMP 7.1. It is scheduled to be set in motion sometime Jan 2013 with the help of Xcend consulting services which also implemented our 6.x environment.

Our environment:

We are a school district with 80+ remote sites. 25,000+ Windows XP machines, a few Win 7, 300+ Mac's, 6,000+ iPads. We have a centralized datacenter, with fiber connections to each site. We have Cisco networking gear with gigbit connections at most ports, along with Cisco Aironet access points at some campuses.

We use Altiris for all new and existing SO and software automation except for the Apple equipment. The suites used in Altiris are:

Depoyment solution, we have 10 DS 6.9 SP2 servers divided up amoung the sites.

Inventory via NS, we have 3 client facing NS with a report server. Lots of custom reports for compliance and inventory questions.

Patch managment, for desktop and servers.

...

Michael Grueber | 11 Dec 2012 | 6 comments

It is essential to understand how the reports in the Patch Management Solution calculate compliance.  For example, the Compliance by Computer report calculates compliance based on all bulletins applicable to that computer. 

If you download the applicability/detection rules for a particular bulletin and the Patch Management Solution finds that an update associated with that bulletin is applicable to a particular computer but not installed on that computer, that computer is considered to not be in compliance with respect to that bulletin.  This is true even if you have not created any policies to distribute the updates associated with the bulletin to that computer.

While the Patch Management Solution reports provide you with an "absolute" measure of compliance, there may be occasions in which you want to see another view of compliance.  For example, you may want to see the compliance status of a particular computer with...

Ludovic Ferre | 10 Dec 2012 | 1 comment

I was on a Webex with a customer a few week ago because they had a serious issue with the SMP console being very slow.

It's one of my customer, so I was a little surprised given we implemented quite a few fixes. Anyhow, we double check and we could see that the Application Pool was correctly split, and the Task Server workload was nicely off the SMP.

I opened the task manager. It showed the Altiris-NS-Agent w3wp process running at a high CPU

A glance at the Altiris Log Viewer showed the poor thing almost all red (bleeding to death???).

A quick inspection on the error all pointed to the Client Policy request and problems with patch management (SqlDeadlock and exceptions). So I asked the customer (and their partner who was on-site) if they had changed the patch management or if they were doing something.

As it happened they were running the PMImport after having removing unnecessary languages and platforms. As I remembered from past .Net...

Ludovic Ferre | 07 Dec 2012 | 0 comments

A customer of mine called in yesterday with a package replication issue.

After re-installing CMS afresh on a server they had they package server estate out of synch and not getting packages replicated, with varying numbers but on average 75~90% of the packages retrying download.

We started the troubleshooting following the usual avenues - from the Package Server logs to the SMP itself.

But the error came back at us on a couple of occasions - during a direct (from IE) hit to GetPackageInfo.aspx (using the download url from the PS verbose logging) and during profiling.

The error stack trace was pointing to a root cause outside of the Altiris realm:

Exception...
 at System.Net.Dns.GetAddrInfo(String name)
 at System.Net.Dns.InternalGetHostByName(String hostName, Boolean includeIPv6)
 at System.Net.Dns.GetHostEntry(String hostNameOrAddress)
 at Altiris.NS.Server...

This pointed to an environment issue and I dived straight into the code (...

Michael Grueber | 03 Dec 2012 | 0 comments

For a recording of an excellent webcast on "Effective Patch Management for Clients and Servers", please see:  https://www.brighttalk.com/webcast/5691/60201

The presentation was given by Joseph Carson and Santana Villa from Symantec.  Joseph is a Senior Manager of Product Management.  Santana is a Regional Product Manager.

The webcast covers the following topics:

  • Challenges, Potential threats and risks
  • Symantec's approach to patching
  • The Symantec advantage
  • Coming soon from Symantec

 

 

 

Ludovic Ferre | 21 Nov 2012 | 1 comment

I just wrote an article in French regarding recommanded application pool configuration for the SMP and IIS.

It's available [1] but I won't tease you too much. Here is the most interesting part from it, a batch script to automate the pool creation, "straight off the bat" as a British friend of mine would put it. Please note that some web-applications work nicely in their own pools, but other need to remain in the /Altiris application domain. So if you feel like trying to craft your own, keep this in mind and be ready to revert.

 

@echo off
set appcmd=%comspec%\..\inetsrv\appcmd

%appcmd% add apppool -name:Altiris-NS-Agent
%appcmd% set apppool Altiris-NS-Agent -managedPipelineMode:Classic
%appcmd% set app "Default Web Site/Altiris/NS/Agent" -applicationPool:Altiris-NS-Agent

%appcmd% add apppool -name:TaskManagement
%appcmd% set apppool TaskManagement -managedPipelineMode:Classic
%appcmd% set app "Default Web Site/Altiris/...
Ludovic Ferre | 21 Nov 2012 | 0 comments

This evening I was asked whether I would recommand disabling IIS log file to make sure the SMP console runs as fast as possible.

My answer was (and remains) a big NO. Do _not_ disable IIS logging. It contains a lot of good information on it (that I am a big consumer of, but the value is there to anyone).

So, first lets dispell this nonsense about improving performances.

IIS logging is done on the http.sys driver, so it run in the Windows Kernel. You can verify this using procexp as per the image below. This means logging requests once they are completed (as this is when it) does not cost any context switching (as it would if it was in living user space). Besides, each entry is normal less than 1024 bytes, which means the "cost" of logging entries is fractional: push the information already held in memory to disk.

If you compare the cost of doing this tiny little task with what happens in user mode in the w3wp.exe (handling the request in ISAPI...