Wednesday, 21 December 2011

Nice to know: 'Devices' view in Altiris Activity Center still shows a client in the (IsManaged='1') search filter even after uninstalling the Symantec Management Agent (AexNSAgent.exe)

After manually uninstalling the ‘AexNSAgent.exe’ from a discovered and previously manageable client system, the computer is still viewed in the Altiris 'Activity Center' under devices with an 'Installed Agent'
The filter, (IsManaged='1') is used to filter computers and as seen on the attached screenshots, the computers with the AexNSAgent uninstalled are still listed.  However, the icon is not active (grayed out).
Creating a filter set to, (IsActive='1') will NOT show the clients that have had their AexNSAgent.exe files uninstalled.
If the AexNSAgent.exe file is uninstalled from the managed client, an (IsManaged='0') switch should be sent to the Notification Server to indicate it is no longer being managed. This should be reflected in both Altiris Activity Center and First Time Setup.
Known Issue. Altiris Symantec Management Agent (SMA or Altiris Agent) does not send any inventory information while uninstall of the agent itself. Only sub-agents (plug-ins) send the inventory information, using the agent which is still exist.
This is actually a design restriction, since the client-side uninstall could be performed when no NS connection is available. In that case we can't send the inventory neither postpone the uninstall process.
This issue has been reported to the Symantec Development team. They are working in providing a solution for this in a future release.

pls click on an AD if you found this information useful.



Monday, 19 December 2011

Beware : Altiris enhanced console views and updating to Altiris ITMS 7.1 SP2

To update to enhanced console views 7.1 SP2 from a 7.1 SP1 environment
  1. Start Symantec Installation Manager.
  2. On the Installed Products page, click View and install updates.
  3. On the Product Updates page, search for Altiris Deployment Solution Complete Suite 7.1 SP1a MR1a and take one of the following actions:

    Option 1:
    If you find Altiris Deployment Solution Complete Suite 7.1SP1aMR1a in the list of updates on the Product Updates page, then you have an environment that does not include installed hot fixes.
    You must use the View and install updates option in Symantec Installation Manager to update to enhanced console views 7.1 SP2. You must select the Altiris Deployment Solution Complete Suite 7.1 SP1a MR1a update.

    Option 2:
    If you do not find Altiris Deployment Solution Complete Suite 7.1SP1aMR1a in the list of updates on the Product Updates page, then you have an environment that includes installed hot fixes.
    You must use the Install new products option in Symantec Installation Manager to update to enhanced console views 7.1 SP2. This option lets you install the 7.2 version of your product on top of the 7.1 version of your product.

    How to install New Products in SIM:

    1. On the Installed Products page, click Install new products.
    2. On the Install New Products page, select the 7.1 SP2 version of your Suite or individual Solution. For example, if you have IT Management Suite 7.1 SP1, select IT Management Suite 7.1 SP2.
    3. Click Next, and continue with the installation process.
Don't forget to click on an AD if you found this information useful.



    Altiris SQL Database growth issue : InvHist_Policy_Compliance_Status table


    You are facing a database growth issue due to the InvHist_Policy_Compliance_Status table within your Altiris SQL environment.
    Every time a compliance check is ran for a Managed Software Delivery policy a compliance status update is submitted.
    When the new status is updated into Inv_Policy_Compliance_Status a copy of all the existing compliance statuses for that client is added to the InvHist_Policy_Compliance_Status table.
    How large the table grows all depends on how many MSD policies each client has ran, number of clients running MSD policies, and how often the compliance check is scheduled to occur for each policy.
    Solution -
    Possible approaches:

    1. Change configuration so this table grows more slowly.
      This can be done by modifying MSD policies, so the policy compliance checks are run less often. If the policy check schedule to occur during a time range, the check may occur multiple times during that time range. So, changing the policy to check at certain times will reduce the number of times the check is perfomed, while accomplishing the desired results. If checks are peformed at specific times, consider how often these checks need to be performed. Perhaps daily or weekly will be sufficient.
      Slowing the growth will reduce the work which is done on the various managed computers, and the amount of data they forward to the SMP server, which the SMP server has to process.
      To see which policy are contributing the most to the recent growth of this table, use first attached SQL; the second query show the computers that are the largest recent contributors.
    2. Disable the saving of this historical information.
      If you have slowed the growth of this table, and it is still growing to rapidly, then you may want to disable the saving of the history for this data class. Note that this table is used by some reports.
      The history settings can be found in Settings\Notification Server\Resource and Data Class Settings\Resource History.
      Disable check box for this data class in history settings. Note that existing table is renamed to InvHist_Policy_Compliance_Status_Backup_1 (or similar). This table is no longer in use and can be deleted/moved to regain space.
    3. Slowing the growth of this table, will not reduce the size of this table immediately. The table should eventually shrink through the normal data class purge processes. But if want to free up this space immediately, then if appropriate precautions are taken, this table can be truncated.
      First perform a complete database backup, prior to implementing the following change.
      Second, the query can be used to truncate the table.
      TRUNCATE TABLE InvHist_Policy_Compliance_Status

    Following SQL queries can used to identify the problem
    Don't forget to click on an AD if you found this information useful.



      Changing the package codebase of your Altiris Symantec Management Platform

      This can become handy when your clients can’t resolve the Full Qualified Domain Name (FQDN)
      By default, during the installation of the Symantec Altiris Notification Server, SIM (Symantec Installation Manager) populates this regkey with whatever server name you selected during the configuration page during the initial installation, which usually is the Full Qualified Domain Name (FQDN). So, in order to modify the preferred Notification Server hostname for SWD codebase and snapshot URLs, you need to do the following:
      • Open the Registry Editor (Open the RUN prompt and type regedit and click OK)
      • Go to HKLM>Software>Altiris>eXpress>Notification Server and open the PreferredNSHost regkey.
      • Modify the PreferredNSHost regkey by adding the NetBIOS, FQDN, or IP Address that you want to use for SWD codebases and snapshot URLs.
      • Restart the Altiris Service
      • Then go to Control Panel>Scheduled Tasks and run the NS.Package Refresh schedule (by default it runs everyday at 3:30am). By running this schedule, the SWD codebases and snapshot URLs should be updated.
      Note: If for some reason the PreferredNSHost regkey is not present but there is the reference of it on the coreSettings.config, just recreate the regkey. Create a String Value and call it 'PreferredNSHost'.
      Additional Note: Do not add ports to the PreferredNSHost setting (such as nsServer:5814 or 10.x.x.x:5484). Adding a port will cause the NS.PackageRefresh to FAIL

      Altiris ITMS 7.1 SP2 release notes available
      A short overview of some changes in regards to ITMS
      • Symantec Management Console supports Internet Explorer 9 (in IE 8 compatibility mode)
      • Support for additional OS's
        • o Mac OS X 10.7
        • o RHEL 6
        • o RHEL 6.1
        • o Solaris 10 U9 (includes Zones Inventory)
        • o SUSE 11 SP1
      • All documentation is now available under Symantec Help Center
      • ESX/ESXi 4.1 & v5 support for Server Management Suite
      • Several reliabiltiy and performance enhancements
      • Some changes around Software Products within Software Management

      Thursday, 26 May 2011

      Running IE6, IE7 and IE8 Side-by-Side on Windows XP Using Symantec Workspace Virtualization

      More Information and a detailed how-to can be found on this page

      Symantec Workspace Virtualization is the successor of the Altiris Software Virtualization Solution ( SVS )

      If you find the information usefull please leave a comment and don't forget to click on an AD, thx !

      Tuesday, 8 March 2011

      Friday, 11 February 2011

      Symantec Altiris PcAnywhere Solution fix 31/1/2011 - The Domain drop-down list is empty, multiple domains are not listed, or "No Data" is displayed– Fix


      In the Symantec Management Console (SMC) under the Authentication tab of the pcAnywhere Settings policy for Windows, the Domain drop-down list is empty.  Or, if multiple domains should be listed, they are not.  In addition, "No data" may be displayed in the grid where Active Directory users and groups should be present.
      Also, on a managed client computer with the pcAnywhere Solution plug-in installed, the following error may appear at startup:

      "The pcAnywhere host you are attempting to run is configured for caller authentication, but no caller items could be found.
      You must define at least one caller before you can use this host item."


      pcAnywhere Solution 12.5 in an Active Directory (AD) environment


      There are multiple causes for this behavior.  Here is a list, presented in the recommended order for troubleshooting:

      1. There was a defect in pcAnywhere Solution which results in a delay in populating the active directory information, or a timeout, or an error, when the Add button is clicked within the Authentication tab of the "pcAnywhere Settings - Windows" policy or a clone of it.
      2. The SMP server is not properly joined to an Active Directory domain.  A possible contributing factor is that the server has been recently rebuilt without first deleting the computer account from AD.
      3. You are attempting to add callers from a different domain than the one to which the Symantec Management Platform (SMP) server belongs, and a proper trust relationship is missing.
      4. NetBIOS over TCP/IP is disabled on the Symantec Management Platform server.
      5. The Notification Server cannot fully communicate with the domain.
      6. During installation of the SMP, the Application Identity specified was a local account rather than a domain account.
      1. Attached to this article is the latest patch for pcAnywhere Solution 12.5 SP2 (  Inside the zip file is Symantec.pcA.Web.dll.  This latest patch contains a fix to a memory exception error, plus the latest optimizations in the code for browsing AD.  Please apply this latest patch over previous versions of the patch.

        Before copying the new Symantec.pcA.Web.dll to the Symantec Management Platform server, close all instances of the Symantec Management Console.  Copy the original file from C:\Program Files\Altiris\pcA\Web\Bin into a completely separate folder (do not paste the copy into the original folder). Then overwrite the existing file with the new file. Ensure that there are no extra copies of the file in the C:\Program Files\Altiris\pcA\Web\Bin folder.  Finally, open a Command Prompt and run the command "iisreset".  The command should return "Internet services successfully restarted".
        Note that with this new file, the "Add Users or Groups" console page will initially display the first 100 AD user objects, while the thread which queries AD is still running. Eventually, once all of the AD user and group objects have been returned to the console, it will be possible to scroll down and to search for the object. The number of AD objects will affect the duration of the query.  Clicking the scroll bar to the right of the window will show the number of user and group objects that have been retrieved to that point.

      2. To test for the second Cause listed above, verify domain membership of the SMP server.  One method of verification is to open My Network Places and check that the expected domain(s) are visible and available for browsing.  A blank Domain entry in the SMC has been reported when the expected domain(s) were not browsable from My Network Places. 
        To resolve this, it may be necessary to temporarily configure the server to be a member of a workgroup, reboot the server, delete the computer account from AD, and then join the server to AD.
      3. To resolve the third Cause listed above, ensure that a proper trust relationship exists from the domain containing the SMP server to any other domains that you plan to specify for caller authentication.  As noted immediately above, a simple test that the domains trusts are properly configured is to open My Network Places on the SMP server and check that the expected domains are visible and available for browsing.  Also, see the article "Cross-forest (or cross domain) authentication issues when accessing the Altiris Console", TECH133262, for information about issues found with the SMP core in case they impact pcAnywhere Solution.
      4. You will need to enable NetBIOS on the server ("Enable NetBIOS over TCP/IP" under Advanced TCP/IP Settings).
      5. This does not indicate a product issue.  As a test,  try to add a domain user or group to the local administrators group directly on the NS server.  If unable to find the user/group, there may be a problem related to Active Directory (browsing, domain membership of the NS, trusts, etc.). Resolve communication, trust, and permissions issues between the NS and the domain controller.
      6. To check that the last Cause listed above is the problem, open the SMC and click Settings > All Settings > Notification Server > Notification Server Settings.  The Processing tab has an Application Identity section.  If the User shown is not in the form of DOMAINNAME\username, then a local account was provided during the initial installation of the SMP.  The pcAnywhere Solution browses the Active Directory using the context of the Application Identity, so the Application Identity must be an Active Directory account in order to browse Active Directory.
        The following steps are based on Method 3 from the following Knowledge Base article:
        How to change Application Identity in NS7.
        WARNING: There are several places to check when changing the Application Identity, and mistakes can result in failures of services to start and failures accessing the SQL database!  Symantec recommends a full server and database backup before proceeding with the steps below.  Please contact Symantec Technical Support with any questions prior to proceeding with these steps...

        A.  In Active Directory Users and Computers, create the account that you plan to use as the new Application Identity and leave it a member of the Domain Users group.
        B.  On the SMP server, add the new domain account to the local Administrators group.
        Verify that the domain account can login to the SMP server, and can login to the SMC.

      C.  Open the SMC and click Settings > All Settings > Notification Server > Notification Server Settings
      Change the Application Identity to your domain account in the format DOMMAINNAME\username, provided the password twice, and click OK (the OK button is located in the lower-right corner of the page).

      D.  In the SMC click Settings > All Settings > Database Settings.  Verify that "Use application credentials" is selected (this is the default). If it is not selected then ensure that the database credentials are valid. 

      E.  In the SMC, click Settings > Security > Roles > Symantec Administrators > Membership tab.  Verify that the domain account specified as the new Application Identity appears here.

      F.  In the Service management console on your SMP server, look at the Log On As column.  If any of the services listed show the old local account under this column, right-click service, click the Log on tab, and set the "This account" value to the domain account you specified for the Application Identity in the format DOMMAINNAME\username.  Also, set the correct Password and Confirm Password values.  Click OK.
      Following is a list of services to check:  Altiris Client Message Dispatcher, Altiris Client Task Data Loader, Altiris Event Engine, Altiris Event Receiver, Altiris File Receiver, Altiris Object Host Service, Altiris Service, Altiris Support Service.

      G.  On your SMP server (or your SQL server if this is an off-box implementation), check whether the following services are configured to run as the old local Application Identify account:  SQL Server (MSSQLSERVER), SQL Server Agent (MSSQLSERVER), SQL Server Browser, SQL Server Full Text Search (MSSQLSERVER).  If they are, similar to the step above, configure those services to run as the new domain Application Identity.
      H.  On your SMP server (or your SQL server if this is an off-box implementation), open Microsoft SQL Server Management Studio and click SERVERNAME > Security > Logins.  Add the domain account used for the new Application Identity.   Under Server Roles for that user, add both "public" and "sysadmin" roles and click OK.
      Once you have made these changes, reboot your SMP server and verify that all of the services you changed have started.  If a service fails to start, then correct the account and password used to start the service as shown above.  Finally, verify within the SMC that you can now add users and groups from the Active Directory to the Authentication tab for the pcAnywhere host configuration policy.

      Fix can be downloaded on

      SQL Server 2008 R2 officially supported with Altiris CMS/SMS 7.1

      SQL Server 2008 R2 will be officially supported with CMS/SMS 7.1