Software Management Solution 7.0 SP1 MR1 Release Notes

Today a MR1 has being released for SWM 7.0

More details can be found at KB

Make SD work on x64 platform

Whenevr you install a new win2003 x64 server and enable the IIS then you might need to enable the ASP.NET still after install .NET 35
do this by running this command:
C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe -iru -enable


In order to avoid the system check to fail "Microsoft SQL Server Management Objects Collection patch is not installed" run these 3 programs:
http://download.microsoft.com/download/3/1/6/316FADB2-E703-4351-8E9C-E0B36D9D697E/sqlncli_x64.msi
http://download.microsoft.com/download/3/1/6/316FADB2-E703-4351-8E9C-E0B36D9D697E/SQLServer2005_XMO_x64.msi
http://download.microsoft.com/download/3/1/6/316FADB2-E703-4351-8E9C-E0B36D9D697E/SQLServer2005_ADOMD_x64.msi

Then download the install file from the NS and run it...it will take some time to install.

Wise Package Studio 8.0 Shipped October 29, 2009

Wise Package Studio provides advanced software packaging functionality including creating and customizing packages, virtualizing software, and identifying and remediating issues that prevent software from properly functioning in a customer’s environment.  Major enhancements include support for additional platforms including Windows 7.

Companies moving to Windows 7 will find Wise Package Studio a key tool for successfully migrating legacy applications to the newest Microsoft OS. Utilizing application repackaging in OS migrations means quicker and more reliable rollouts with fewer errors and helpdesk calls.

Custom Inventory Samples

The KB https://kb.altiris.com/article.asp?article=4237&p=1 has been updated and contains some example scripts for NS6 AND NS7.

There are also some Links to other KB’s on how to use the customer inventory

Scheduled tasks Disabled: Danger of installing additional components and hotfixes

In some cases the Altiris Object Host Service ATRShost.exe is not stopped properly and times out at the beginning or at the end of an installation or upgrade. The reason is not know yet (by me). If it happens it will leave the Scheduled tasks DISABLED even after a reboot.

There is a quick way to fix: delete all (NS) scheduled tasks except the NS.Weekly.GUID.

Enable this task and run it. It will recreate all schedules.

To prevent it I open the Task Manager and the services.msc.

If the services is not stopped after a minute or so during install then I kill it.

Symantec Mobile Management 7.0

Symantec Mobile Management 7.0 is a new product built on the Symantec Management Platform 7.0 SP2 that provides rich management capabilities complimentary with the Altiris Client Management Suite. Symantec Mobile Management also integrates with Symantec Endpoint Protection Mobile Edition thereby providing rich management and security from a single console.

Symantec Workspace Profiles 6.1

Symantec Workspace Profiles (SWP) is a new software product from Symantec’s Endpoint Virtualization Group. SWP separates (virtualizes) the user’s personality (user data, settings and policies) from the underlying operating system allowing users to easily roam from device to device, work on two sessions simultaneously, or access their profile in the context of VDI. SWP give you the benefits of Roaming/Mandatory profiles at the speed of local profiles.

SWP works with other Endpoint Virtualization products such as Symantec Workspace Streaming and Symantec Workspace Virtualization. It is sold both standalone and in the Symantec Endpoint Virtualization Suite.

Symantec Workspace Virtualization 6.1 SP1

Symantec Workspace Virtualization (SWV) virtualizes 6.1 SP1 now supports Microsoft Windows 7, improves streaming performance, and is easier to use with Symantec Workspace Profiles (SWP) through the use of the new Profile Exclude.

Emerson to Acquire Avocent (parent company to LANDesk)

On October 6^th, Emerson (EMR) announced an agreement to acquire Avocent in an all cash tender offer of $25/sh (~22% premium to last closing price of $20.52). Avocent provides technology that “simplifies monitoring, managing and problem solving in any size data center.” EMR believes that the business will be complementary to its Network Power segment’s energy management and cooling solutions. The transaction is expected to close around January 1, 2010.

Symantec Deepsight screensaver

http://www.symantec.com/business/theme.jsp?themeid=deepsight-screensaver

Inventory and Throttling

Inventory is a disk and can be a CPU intensive task and this has nothing to do with full or differential Inventory, both scan the complete disk (is no extra exclusions are made)

There there are some techniques to take off the load.

CPU throttling

For software/file inventory task you can choose between Low, Normal, High and Very High priority under “Set inventory process priority” (Run Options tab of Advanced settings). Priorities correspond to the following settings (“nice” options for UNIX/Linux/Mac):

Priority	Windows	Linux	Unix	Macintosh
Low	25%	10	30	10
Normal	50%	0	20	0
High	75%	-10	10	-10
Very High	100%	-20	0	-20

This can be overridden (Windows only) using the “Override inventory process priority” option

If you select to override a good comparison for Windows would be :

Priority	Files	Wait for (ms)
Low	150	60
Normal	250	50
High	350	40
Very High	450	20

Bandwidth Throttling or Fuzzy Logic (Windows Only)

The AeXRunContol does no longer exist, but there is a setting called “Evenly distribute sending inventory over X hours” (aka fuzzy logic). It is located on Run Options tab of Advanced settings.

How to clone a VDI for Sun VirtualBox using Mac

1) Shut down the virtual machine you would like to copy
2) In File > Virtualdiskmanager, select the virtual machine disk image you would like to copy, and press the Release button
3) In a terminal window, issue following command (see virtualbox user manual):
vboxmanage clonevdi /directory/image1.vdi /directory/image2.vdi
4) In File > Virtualdiskmanager, add the new disk image you've created in step 3.
5) In the main virtualbox window, press the New button to create a new virtual machine, and link it to the new disk image you've created.

Ref : Here

Software Managed Delivery Tasks

To test some of the features of Managed Software Delivery (MSD) and not to create be afraid the job is scheduled then you can create a MSD using a scheduled time, leave it on 00:00 with no repeat. Then you can launch the MSD using the agent. It will appear in the Policy Pane of the agent as being “Not Scheduled”.

When Using “Depends On” it will install the depended package if it is not detected (Not Compliant)
“Supersedes” will (if checked) uninstall the “old” packages before it installs the depended package and then the actual one.

When you have installed CMDB and activated the Flash player Active X you can see a Resource Association Diagram of this packages

CMS and SMS SP1 released today (21/09)

Article ID: 48420 : Altiris™ Client Management Suite 7.0 SP1 Release Notes

Changes in Client Management Suite from 6.x to 7.0 SP1

• The functions of Software Delivery Solution and Application Management Solution are combined in the new Software Management Solution.
• The functions of Application Metering Solution are now included in Inventory Solution.
• Inclusion of SVS application technology in Software Management Solution.
• Deployment Solution for Clients is integrated into the Symantec Management Platform.
• Real-Time System Management Solution is included in Client Management Suite.
• Carbon Copy is replaced with pcAnywhere Solution.
• Addition of Ghost Imaging Foundation (both DS 6.9, and 7.0)

Changes in Client Management Suite from 7.0 to 7.0 SP1

Except for Deployment Solution for Clients 7.0, all components of Client Management Suite SP1 have been updated. For information about the new features of the solutions and components, see the individual release notes. To access the solution release notes, use the links that are in the Components of Client Management Suite section.

Article ID: 48733 : Altiris™ Server Management Suite 7.0 SP1 Release Notes

Changes in Server Management Suite from 6.x to 7.0 SP1

• The functions of Software Delivery Solution and Application Management Solution are combined in the new Software Management Solution.
• The functions of Application Metering Solution are now included in Inventory Solution.
• Inclusion of SVS application technology in Software Management Solution.
• Deployment Solution for Clients is integrated into the Symantec Management Platform.
• Real-Time System Management Solution is included in Server Management Suite.
• Addition of Ghost Imaging Foundation (both DS 6.9, and 7.0)

Changes in Server Management Suite from 7.0 to 7.0 SP1

All components of Server Management Suite SP1 have been updated. For information about the new features of the solutions and components, see the individual release notes. To access the solution release notes, use the links that are in the Components of Server Management Suite section.

NS7 SP2 HF2 Available

NS7 SP2 HF2 Available as of today

as well as a hotfix for Agent Unix, Linux, Mac – Network discovery – PLugable Protocol Architecure

Release notes not yet public available

How do I create a new database or change the database being used by Symantec Management Platform 7.0?

NSSetup is no longer supported in SMP / Notification Server 7.

There are two supported methods to alter database settings.

1. Within the console: If you are able to access the Symantec Management Console, go to Settings - Notification Server Settings - Database Settings. Use the options on this page to create a new database or to change the database currently being used by Notification Server.
2. Using AeXConfig.exe: When you don't have access to the SMC, Run AeXConfig.exe /db from a command prompt. It is found in the directory \Program Files\Altiris\Notification Server\bin.  Syntax examples are shown below:
   1. To connect to the SQL Server using Windows Integrated Security, under the account credentials of the current cmd.exe process:
      AeXConfig.exe /db dbserver:<SQLServerName> dbname:<DBName> dbusername: dbpassword: dbtimeout:<DBTimeout>
   2. To connect to the SQL Server using a SQL Login:
      AeXConfig.exe /db dbserver:<SQLServerName> dbname:<DBName> dbusername:<SQLLoginName> dbpassword:<SQLLoginPassword> dbtimeout:<DBTimeout>

NOTE: You must use all of the parameters for the command to work, but for Integrated Security to work using the account credentials of the currently executing cmd.exe process, do not put the user name or password after the dbusername: and dbpassword: parameters.

Altiris PC Transplant 6.8 SP3 from Symantec Release Notes

Introduction

PC Transplant Solution uses its wizard-driven interface to capture a computer's personality—user accounts; desktop, network, and application settings; files; folders; and personal data. The solution then transplants the personality to another computer. You can transplant a personality through a self-extracting executable file called a Personality Package, or you can perform a real-time migration from one computer to another.

PC Transplant Solution simplifies the deployment and migration of new computers or Windows operating systems by facilitating the migration of data and settings. It complements existing desktop management tools, meeting an easily identified need that none of these tools currently address. With PC Transplant Solution, you can not only migrate to a new computer quickly and efficiently, but you can also transfer key aspects of a computer's personality on an on-going basis. PC Transplant Solution is an ideal solution for IT administrators, consultants, VARs, resellers, computer vendors, and configuration centers.

PC Transplant Solution is part of the following suites:

• Altiris™ Client Management Suite from Symantec
  For release notes, see Knowledge Base article 40929.
• Altiris™ Server Management Suite from Symantec
  For release notes, see Knowledge Base article 45893.

Features in this Release

This version includes the following features:

• Support for Windows 7.
• Support for EFS RAW. Added the -efsraw command-line switch to enable the RAW migration of EFS encryption.
• Support for Microsoft Internet Explorer 8.
• Support for PC Transplant Web Store installation on Windows Vista and Windows 7 computers.
• Support for migration of power setting from Windows Vista to Windows Vista, Windows Vista to Windows 7, and Windows 7 to Windows 7.

What are the new features in Patch Management Solution 7

Maintenance windows

By default, Software Update agents will respect Maintenance Windows if one is configured and applies to the agent computer. This is controlled by the ‘Override Maintenance Window’ setting on the Agent Configuration Policy.  If this setting is not enabled, and a Maintenance Window applies to the agent computer, it will only install updates and trigger required reboots when that Window is Open. If the Window is not Open, the installations and reboots are deferred until the Window next opens. If the setting is enabled, the agent will ignore Maintenance Windows and use the installation and reboot options defined in the configuration policy. Software Update policies set to run ASAP or at a Custom time can be set to override Maintenance Windows.

Reporting Changes in 7.0

The number of reports and reporting infrastructure has improved with Notification Server 7.0, resulting in fewer reports and an improved dashboard user interface. Patch Management Solution 7.0 for Windows includes the following default reports:

• Microsoft Compliance by Bulletin
• Microsoft Compliance by Computer
• Microsoft Compliance by Update
• Microsoft Compliance Summary
• Microsoft Vulnerability Analysis Summary 
• Software Bulletin Details
• Superseded Bulletins
• Windows Software Update Agent Rollout Status
• Reboot Status
• Software Update Delivery Summary

All other existing reports, including custom reports, will not be included or upgraded to 7.0.

Retired managed computers no longer consume a license nor do they appear in vulnerability reports

Managed computers with a “Retired” status will release their license, freeing it up for new computers coming online. These computers will also no longer appear in the Compliance and vulnerability reports.

Notification Server 7.0 hierarchy and organizational view features are supported

Notification Server 7.0 has new hierarchy features that let you manage a group of Notification Servers by simply configuring a parent that passes all configuration settings and resources to child Notification Servers. This functionality is supported in Patch Management Solution for Windows through two separate replication rules: one to allow the replication of Patch Management Import data based on the managed languages of the child Notification Server and one to allow the selection of Software Update policies to replicate to the child. Summary compliance information is also sent up the hierarchy daily and can be viewed in the Microsoft Compliance Summary report.

Distribute software updates across multiple time zones

You can now simultaneously distribute software updates to managed computers across multiple time zones, at a time specified on a single Notification Server. Previously, software updates were installed according to the time on managed computers’ clocks. The new user interface control is found in the Software Update Policy Wizard scheduling options, with the choice to distribute packages at server time, client time, or UTC time.

Offline Microsoft Patch Management Import files are now supported

Notification Servers without Internet access can now download Microsoft Patch Management Import files from a local caching server. Taking advantage of new Notification Server 7.0 hierarchy features, enabling software bulletins on a child Notification Server (without Internet access) will download the relevant files from a parent Notification Server, where the files are cached.

Disable superseded software updates

The field, Disable all Advertisements for Superseded Software Updates, on the Microsoft Patch Management Import task lets you disable any Software Update policies with superseded software updates. You can also control this function and set a schedule for it in the Disable Superseded Software Update Advertisements server task. After PMImport has run, any Software Update policies with superseded software updates are disabled and the administrator is notified by the Disabled Advertisements Notification Server policy (which must be enabled). An obsolete Software Update policy is disabled only if you created a new one from the superseding software update.

Inventory rules only run against applicable inventory and have increased performance

To reduce bandwidth use, inventory rules that run on managed computers only run against applicable inventory items. For example, if a managed computer has Windows XP SP2 installed, the Software Update Agent will run inventory against and report on items only applicable to Windows XP SP2. The inventory rules are now contained in an SQLite database increasing the speed of the inventory process of reading of the xml file used previously.

New task 'Check Software Update Package Integrity'

This is a Task server task and has 3 functions it can perform; Delete physical packages for discovered orphaned software packages, Delete physical files for packages with no associated advertisements and Relocate existing packages if default software update package location has changed

Notification can be sent when new Bulletins are available 

Administrators can configure the Microsoft Patch Management Import task to send a customized message to specified recipients at the completion of Microsoft Patch Management Import downloads.

Quicker distribution of software updates

Behind-the-scenes modifications have increased the distribution time of updates being rolled out to computers.  Resource targeting has been modified to be more efficient, it is only looking at the applicable dataclass now.  The inventory rule process has been streamlined.

NOTE: This information was taken from the release notes and modified slightly to remove entries that were not new features and clarify the information.

From the beta site : CMS 7.0 SP1 New Feature Highlights

 

Canned commercial software application definitions are included to more accurately identify installed software in the environment.

Inventory policies are greatly simplified.

Collection of detailed file inventory has been optimized

Inventory policy management and status monitoring has been added to the improved Inventory Portal.

Patch Admins can use a consolidated “worker view” (page or portal) from which they can accomplish or access primary Patch functions; similar views are also provided for software delivery functions and monitoring functions (via Altiris Server Management Suite).

Software packages and software data can be imported from Wise Package Studio into the library and catalog, respectively.

Patch Admins can identify missing software updates on Mac OS X and can use the console to distribute and install the missing updates.

Automated patching is added for Adobe applications: Reader, Acrobat and Flash.

pcAnywhere solution adds custom port configuration for console and client and expanded approve connection control with a super user that can bypass approval

Important change: How is the Software Management Framework Software Discovery task utilized by Inventory Solution in 7.0 SP1?

Question
	In 7.0 GA for CMS, the Software Discovery component that captures Add/Remove Program data was only included as part of the Software Management Framework.  In Inventory Solution 7.0 SP1 this component will now be launched by Inventory Solution as part of the Inventory Solution Policies or Tasks.  The following information will help provide understanding to how Inventory uses this component.

Answer

Software Discovery will be executed by the Inventory Solution Policies or Tasks in SP1.  The option is labeled 'Software - Windows Add/Remove Programs and UNIX/Linux/Mac software packages' when an Inventory Policy or Task is edited or created.  When this is checked, we'll run the Software Discovery as part of the Policy or Task, with the following intelligence as far as if we will send all data or only delta data.  We've built in logic to look to see if the Resource GUID of the system has changed or not:   Machine GUID Send Delta Only flag Result Same True Don’t Delete SMF Cache Same False Delete SMF Cache Changed True Delete SMF Cache Changed False Delete SMF Cache   The SMF cache holds all Add/Remove Program data, and leaving the cache means only a small subset of changed data will be sent up.  It's important to delete this cache if the server, for whatever reason (the record was deleted, the agent was directed to a new NS, etc...) no longer has the data for the system.

Altiris™ Deployment Solution 6.9 SP3 from Symantec Release Notes

In SP3, support for Windows 7 and Windows Server 2008 R2 was added. See also added the Features in this Release section.

To see the Release Notes for the Deployment Solution 6.9 SP1 and SP2 releases, see Knowledge Base articles 42696 and 46383.

Deployment Solution is part of the following suites:

• Altiris™ Client Management Suite from Symantec
  For release notes, see Knowledge Base article 48420.
• Altiris™ Server Management Suite from Symantec
  For release notes, see Knowledge Base article 48733.

Features in this Release

The following are features of this release:

• We added support for the Windows 7 and Windows Server 2008 R2 operating platforms. For detailed information on supported platforms, please see Knowledgebase article 47794
• PC Transplant (included with Deployment Solution) was updated to support Windows 7 migrations from Windows XP and Vista. For more information, see the PC Transplant Release Notes article 48704.
• DAgent can now be uninstalled from the DS Console. To access the uninstall option, right-click the client in the DS Console.
• DAgent supports the customdata.ini file.
• The DS Linux preboot automation environment now uses the openSUSE 11.1 Linux kernel, which is the kernel 2.6.27.7 version.
• The Deployment Solution installation adds the Ghost Walker tool that you can use manually. There are no integrated tasks or jobs in Deployment Solution for Ghost Walker, however.
• New options were added to the evaluation mode DeployAnywhere. You can now specify a file name for the report and log files, so that multiple computers write to separate files. The logPath option and the logId option can be used together or individually. logPath contains the fully qualified path to where the DeployAnywhere log files are written. logId is a string that is prepended to the log file names. For example, Ghdplyaw32.exe /target=c: /eval /logPath=z:\logs /logId=zzz.

When scheduling jobs in Deployment Server, certain jobs will not run

When scheduling jobs in the Deployment Server console, the job will not run. Sample jobs that are included with Deployment Server run but the user-created jobs do not.

Cause

When the job is created, a command is processed to insert a record into a task table. A trigger in that table fires to create a record in the task table and then the task table has a trigger that is supposed to insert a record into the event_condition table if none is found. This last step is what is not occurring. This can be a result of a SQL setting "Nested Triggers".

Resolution

Ensure that SQL server is configure to allow nested triggers. This setting can be found in SQL Enterprise manager by right clicking on the server node and choosing properties. On the Server Settings tab, there is a checkmark that reads "Allow triggers to be fired which fire other triggers (nested triggers)."
Once nested triggers are allowed, the job(s) in question will need to be re-created and should run when scheduled.

KNOWN ISSUE: NS 7.0 Altiris Agents are unable to get Client Configuration Policy updates after CMDB 7.0 solution is installed.

Article ID: 48612

Altiris Agents are unable to get Client Configuration Policy updates.

Multiple errors in Agent log file from when an Update Configuration is requested:

Process: aexnsagent.exe (1540)
Thread ID: 1628
Module: aexnsagent.exe
Source: ConfigServer
Description: RequestPolicies failed: Invalid XML response from URL http://<SERVERNAME>/Altiris/NS/Agent/GetClientPolicies.aspx (-2147467259)

*~*~*~*~*~*~*~*~*~*~*~~*~*~*~*~*~*~*~*~*~*~*~*~*

Process: aexnsagent.exe (1912)
Thread ID: 2016
Module: aexnsagent.exe
Source: ConfigServer
Description: RequestPolicies failed: HTTP error: (-2147209951)

---

Environment

Symantec Management Platform 7.0.5201 (7.0 SP2)
Software Management Solution 7.01291 (7.0)

CMDB Solution 7.0

---

Cause

New policies created after installing CMDB Solution 7.0 do not have a closing policy tag - </policy> - when added to the client policy as delivered from the server to the client.

---

Resolution

If you are experiencing this issue, please contact support and reference KB48690.

This issue has been forwarded to development.

How to manually retrieve the Client Policy for a computer using a browser in NS7

In NS 7, the Altiris Agent uses an HTTP POST call to retrieve the Client Policy, but there are times when it's necessary to retrieve it manually when troubleshooting Policy issues.  How can this be done?

---

Answer

In a web browser, the following URL can be used to retrieve the client config for a computer.  In NS7, Client Policies are requested compressed by default, but this can be turned off:

1. Replace "localhost" with the server name if not being loaded on the NS.
2. Change compress="0" to compress="1" to use compression (the file will be displayed in binary in certain browsers, or downloaded in others).
3. Change the guid to the resource guid for the computer.

'>http://localhost/Altiris/NS/Agent/GetClientPolicies.aspx?xml=<request configVersion="2" compress="0"><resources><resource required="true" host="true" guid="{7074B73F-B143-4CB6-B44B-A6D38AA6733D}"/></resources></request>

Ref : KB article click here

How soon after Microsoft releases a bulletin will the new PMImport.cab file be released?

 

The PMImport.cab file with English support should be available within 24 hours of "Patch Tuesday".  The PMImport.cab file with non-English support should be released within 48 hours.

KB21895

Task Server 7.0 Agent does not install on site servers

After selecting a site server to have the task service installed it stays in the pending installation.  After checking the run status of the task server package install it has a status code of 0.

Cause

This is most likely caused by a missing prerequisite.  Ensure that you have at least the following items for the Task Server install

.NET 2.0
Windows 2000 sp4
IIS

Windows 7 and Rdeploy (My story…)

What did I do….

I installed my Windows 7 in a virtual environment …Just a next, next, finish setup.
I then then run sysprep (c:\windows\systems32\sysprep). I chose OOBE with the Generalize option.
I did not create a sysprep.XML to continue…(I was still downloading the WAIK to create an XML).

So after the sysprep was finished my PC was shutdown. I took an image using Ghost and one with Rdeploy.

It will take about 10 min (in my virtual setup).

When I boot the PC it will return an error like this.

When I start my WINPE again and I run bcdedit then my drive looks like this:

I now run these commands in a script in the WIN PE environment (same as Ghost and Rdeploy):

BCDEDIT /set {bootmgr} device partition:c:
BCDEDIT /set {default} device partition:d:
BCDEDIT /set {default} osdevice partition:d:

Running these command will fix the error you get. Making the image boot again.

Automating the completion of the Contact Information page in Symantec Installation Manager

Complete the following steps to create a config.xml file that contains the contact information and to populate the Contact Information page with this data when Symantec Installation Manager runs:

1. Use the following XML to create a config.xml file that contains your data:
   <?xml version="1.0"?>
   <simConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
          <downloadConfig>
                 <tradeComplianceConfig>
                       <!--The personal information required for trade compliance (required for tradeComplianceConfig)-->
                          <personalInformation>
                              <organization>company Name</organization>
                              <firstName>first name</firstName>
                              <lastName>last name</lastName>
                              <email>email address</email>
                              <address1>company address</address1>
                              <address2 />
                              <country>country</country>
                              <city>city</city>
                              <stateProvince>state or province</stateProvince>
                              <zipCode>zip code</zipCode>
                              <phone>phone number</phone>
                          </personalInformation>
                 </tradeComplianceConfig>
          </downloadConfig>
   </simConfig>
2. Copy the config.xml file to each Notification Server.
3. Launch Symantec Installation Manager with the following command line:

SymantecInstallationManager.exe /configfile <filepath> where <filepath> is the path to the config.xml file that you created.

When Symantec Installation Manager runs, it automatically populates the Contact Information page with the data you entered in the config.xml file.

NS6.0 Common problems for very large environments

 

Applies To

• Application Metering Solution 6.1
• Asset Control and Contract Management Solution 6.1, 6.2
• Inventory Solution for Windows 6.1
• Notification Server 6.0
• Patch Management Solution for Windows

Recovery Solution

• Default configuration of the RS database is configured to grow in 1MB increments.  Database can easily grow to 50+ GB.  All environments can safely change the growth rate to 10% of prior DB size.  Because the database file growth occurred in very tiny increments, the disk will be heavily fragmented.  Use traditional disk defragmentation tools to defrag the database (after temporarily stopping the SQL service). 
• New RS implementations should strongly consider increasing the allocated database file size to 30GB.  This minimizes the file fragmentation issue, and avoids a performance hit that occurs each time the database file size is automatically increased.  Rule of thumb for RS database size is 2-5% of the space used to store the backed-up files.  Smaller environments will be closer to the 5% end of the range.  Large environments will be closer to 2%.

Patch Management

• New PMimport.cab releases cause a large temporary spike of Inventory Rule retrieval and uploading of new scanning data. This load spike can overwhelm IIS to the point that the NS console is unavailable for 4–8 hours.

  Patch Management 6.2 supports the ability to move the Inventory Rule Web service to a separate application pool. This technique isolates the rest of the Notification Server from the load spike that was overwhelming standard agent and console communications. See article 25655 for implementation instructions.

• Patch Inventory Rule scanning is too frequent. Avoid using intervals less than the default of 4 hours in production environments. 

Application Metering

• Enabling monitoring of start and stop events for .exe files can overwhelm the server with event traffic. This is not recommended for any customer, but particularly painful for large environments. 
  The newest version of Application Metering includes some batch upload capabilities that may resolve this concern.
• Disable the "All Applications" Monitor Policy as it will enable all the clients to send summary data for every .EXE.

Inventory Solution

• Using the default of running all Inventory scanning on all computers at the same time each day or week will temporarily flood the NS queues until all NSEs have been processed. To alleviate, break-up inventory scanning into multiple collections which run on different days or utilize aexruncontrol.exe to randomize the scan times.
  For implementation details, see article 32175, "How to scale Inventory Solution in very large environments."

Asset Management

• Client facing Notification Servers with 10,000 plus nodes do not respond quickly (on a consistent basis) due to the inevitable spikes in agent communication and data uploading. The real time interaction for Asset Management functions involves lots of data entry. To avoid console performance delays, implement a secondary Notification Server and forward the inventory to the dedicated Reporting/AMS server.

Notification Server

• Collection update intervals are too frequent. The Notification Server and SQL will spend too much processing time rebuilding collections which could be better spent replying to agent requests, processing NSEs, and rendering the Notification Server console. 
  To avoid problems, stagger the delta and collection update schedules, and increase to 4+ hours.
• Agent check-in intervals are too frequent. Agent configuration request processing is usually the highest source of load on the Notification Server. Agent policies (Tasks) aren't frequently modified due to change control procedures (in very large environments). Checking in too frequently results in the agents retrieving no new configuration data. The Notification Server must still review all enabled policies that apply to the agent.
  To avoid problems, increase the Altiris Agent check-in interval to a more reasonable setting such as 4–6 hours.
• Report rendering hurts server performance. By default, the display row count is remembered for all future reports. Customers will frequently set the display row count to "All", which is fine for some smaller reports, but will cause 50,000 rows to returned for others.
  To avoid performance problems, update a SQL stored procedure (article 22542) This will reset the display row count before running each report.
• Resource Data History tab: In large environments (10,000 plus nodes), the query behind the History tab within the Resource Manager can cause severe CPU/Memory and SQL utilization spikes. 
  To avoid the issue, implement a reporting Notification Server (forward the inventory to it), and avoid viewing the Resource History data on the client facing Notification Server.
• Improving IIS and Notification Server response times by disabling debug mode: This is a common configuration that can (and should) be safely disabled on any Notification Server. High traffic environments with multiple Notification Server console users are the most heavily impacted. Follow the instructions as provided in article 33499.

DMC and DCM with SMP7 SP2 (or NS 7 SP2)

Please DO NOT apply the upgrade when using Dell Management Console or Dell Client Manager.
A new version of DMC 1.1 will be available around september that will work with SMP7 SP2 (or NS7 SP2).

New Releases

As Symantec is releasing more and more components I will try to summerize them each month.

New in July 2009:

1. SMP70.SP2 Hotfix1: performnace and bugfixes
2. Connector Solution 7.0: New in SMP7.0, NO more vendor conector solutions provided like HP Openview, SMS connector etc.
3. Workflow 7.0: New in NS7.0 and base for ServiceDesk 7.0 (target end august 2009)

Forecast (no commitments):

• Service Desk : end august 2009
• CMS SP1 : september 2009

Symantec Management Platform 7.0 SP2 Hotfix 1 Release Notes

After aplying the SP2 upgrade you should return to the SIM to apply the hotfix update.

This is described in article KB48033

Symantec™ Management Platform 7.0 SP2 Release Notes

The FULL release notes of SP2 are to be found in this following KB 46035.
Click Here to read all about the following upgrades:

• Core NS7
• Sofware Management framework (with Data Provider)
• Event Console
• Task Server
• Network Discovery
• Credential Manager

A BIG Performance improvement is noticed after applying this upgrade.

Upgrade / Install for Notification Server NS7 Sp2 via Symantec Installation Manager

There is no option to install SP2 for Notification Server via installing updates. It needs to be done through the "Install new products" option.
Example:- Start the the Symantec Installation Manager. This will update Symantec Installation Manager to update as well as the product listing.- Select install new products. SP2 will not display if you just select to install updates.- Choose to Filter on Platform- Install the Symantec Management Platform SP2 and Symantec Management Platform SP2 Hotfix 1- Review the selections and hit next to continue.- Follow the prompts to continue the installation.

What to know more on Workflow?

Check out this site as it a very good consolidated site for Workflow: http://www.workflowswat.com/

Is there a way to skip the install readiness checks during the install?

Yes.  Of course skipping the pre-req checks can result in undefined behavior of the product.  But there may be a case, for example, where the CPU speed does not meet the minimum specs even though you have multiple processors.

To disable the check for SIM prerequisites:
Add the key HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\AIM to the registry.
Create a DWord called IgnoreInstallPrerequisites and set the value to 1.
To enable the Next button if any of the install Readiness checks fail:
Add the key HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\AIM\InstallReadinessCheck\ to the registry. Create a DWord called EnableNextbutton and set the value to 1.

All known GUIDs from the Class table

https://kb.altiris.com/article.asp?article=24352&p=1

Nice article if you are troubleshooting GUID’s

Resolving the Certificate Revocation List (CRL) lookup performance issue

The symptoms of the Certificate Revocation List (CRL) lookup performance issue on the Symantec Management Platform computer are:

• Windows services on the Platform computer sometimes fail during startup.
• Some Symantec Management Console pages take a very long time to load.

---

Environment

This problem typically happens if the Symantec Management Platform computer is not connected to the internet, or is unable to resolve the Microsoft CRL server address. However, the problem may also arise if the Symantec Management Platform computer goes offline for an extended period. The computer will start exhibiting these performance issues after being offline for 15 days, as the CRL data is cached for 15 days.

---

Cause

This problem is caused by the Certificate Revocation List (CRL) lookup.  
If the Symantec Management Platform computer does not have internet access, the .NET runtime cannot access the Microsoft Certificate Revocation List servers to verify the Authenticode assembly. Although none of the applications that comprise the Symantec Management Platform make use of Authenticode assembly signing evidence, the standard Microsoft assemblies that are included with the .NET framework are all Authenticode signed. When the computer has no internet connection, .NET will try for up to 15 seconds to access the CRL before timing out as a failure.
This delay can lead to Windows services failing during startup, as some services take a long time to start and may time out. This delay also causes some Symantec Management Console pages to take a very long time to load.

---

Resolution

To resolve this problem, we recommend that you disable CRL lookups if the Symantec Management Platform computer is offline, or is likely to be offline for an extended period of time. You can re-enable CRL lookups later, if necessary.

Disabling CRL lookups

To disable CRL lookups on the Symantec Management Platform computer, you need to edit the machine.config file on the computer, as follows:

1. Open the machine.config file in a text editor.
   The machine.config file is located at %runtime install path%\Config\machine.config, where the runtime install path is usually C:\Windows\Microsoft.NET\Framework\v2.0.50727\.
2. Add the following XML element to the machine.config file:
   <configuration>
      <runtime>
   <generatePublisherEvidence enabled="false"/>
      </runtime>
   </configuration>
3. Save the machine.config file.

Re-enabling CRL lookups

If the Symantec Management Platform computer is later given internet access, you may need to re-enable CRL lookups. The Symantec Management Platform does not detect when access to the CRL server is restored, so will not make any changes to the machine.config file automatically. You only need to reverse the change to the machine.config file if applications or .NET security policies that require publisher evidence are installed on the computer. This is not common.
To re-enable CRL lookups manually, do the following:

1. Open the machine.config file in a text editor.
2. Delete the following XML element from the machine.config file:
   <generatePublisherEvidence enabled="false"/ >
   Ensure that you delete only this line from the machine.config file. Do not delete any other XML elements (such as the surrounding <configuration> and <runtime> elements), as they could be required for other customized options specified in the file.
3. Save the machine.config file.

Disabling CRL lookups for individual applications

In some circumstances you may not want to disable CRL lookups computer-wide, but need to disable them for individual applications. To disable CRL lookups for a particular application, open the appropriate application .config file (the naming convention is application name.config), and add the required XML element as specified for the machine.config file. If the necessary .config file does not exist for the application, you can create it.

The same applies to web.config files for web applications.

Note

When you install the Symantec Management Platform, the Install Readiness Check now includes a check for CRL access. If the computer does not have the necessary access, the check recommends that you disable CRL lookups for all .NET applications on the computer. You can do this automatically by accepting the "Fix" prompt displayed in the Symantec Installation Manager.

For more information, refer to the following KB article: About the Install Readiness Check for Certificate Revocation List access.

Best Practice references for Symantec Management Platform 7.0 (Article ID: 47816)

Planning and Documentation Symantec Management Platform 7.0 SP1 Release Notes  KB45229 Symantec Management Platform Support Matrix  KB46349 Symantec Management Platform Capacity Planning  KB45597 Planning & Design Considerations for Hierarchy & Site Management  KB47298     Installation and Migration Altiris 7 Planning & Implementation Guide  KB45803 Symantec Management Platform 7.0 Installation Guide  KB47819 Upgrading to Symantec Management Platform 7.0 on a different computer  KB45569     Backup and Recovery Backing up the Notification Server database  KB25600 Restoring Notification Server from a backup or upgrading it to new hardware  KB45606     Performance Tuning Creating a SQL maintenance plan to optimize database performance  KB40488 Understanding the /3GB and /USERVA switches, and Free System Page Table Entries  KB25079 How to create a Performance Monitor counter set for Altiris support  KB32258 Common Performance Monitor counter thresholds  KB45425     Troubleshooting What information should I collect when troubleshooting Symantec Installation Manager 7.0?  KB43175

Support for SQL 2005 SP3 for NS6

Notification Server 6.0 SP3 R10 now supports SQL 2005 SP3.

Currently Deployment Solution 6.9 SP1 MP1 (and earlier) and Notification Server 7.0 and 7.0 sp1 are not supported on SQL 2005 SP3.
Support for SQL 2005 SP3 is planned for a future release.

How to allow Deployment Console access without granting access to SQL Server.

 

Is it possible to provide users with access the the Deployment Server Windows Console without granting access to SQL Server?

---

Answer

The Deployment Server Windows Console can be configured to use encrypted credentials to access SQL Server. These credentials will not be available to the windows user and can only be used by the console. This is the most secure way to provide access to the console.
1. If you have not already done so, create a SQL-only account on SQL Server.
2. Make that account a member of the DBO role of the Deployment (eXpress) Database.
3. On your Deployment Server, open the “Altiris Deployment Server” control panel applet.
a. Click “Options…”
b. Select the “Authentication” tab.
c. Enable the option to “Use SQL Server account authentication”
d. Type in the SQL-only account user name and password.
e. Click “OK” to close the Options dialog.
f. Click “OK” to close the applet.
4. On your Deployment Server, click Start > Run, type “regedit”, and click OK.
5. In the registry editor, go to HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Altiris eXpress\Options
6. Double-click on the registry value “SqlPassword”.
7. Copy the content of that registry value into the clipboard.
8. Open Notepad.
9. Enter the following into Notepad, replacing **USER** and **PASSWORD** with the user name of your SQL-only account and the value you copied into your clipboard.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Altiris eXpress\Options]
"SqlUsername"="**USER**"
"SqlPassword"="**PASSWORD**"
"UseSql"=dword:00000001
10. Save the file as “DS_Auth.reg”
11. Import “DS_Auth.reg” onto every computer that the Deployment Windows Console is installed to.

Windows 7 Release Candidate Announcement

On April 30th, the RC became available to MSDN subscribers and TechNet Plus subscribers.

On Tuesday, May 5 (PST), the RC will be available to everyone via our Customer Preview Program. As with the Beta, the Windows 7 RC Customer Preview Program is a broad public program that offers the RC free to anyone who wants to download it. It will be available at least through June 30, 2009, with no limits on the number of downloads or product keys available.

So you don’t need rush to make sure you get your copy. When you’re ready to download the RC, it’ll be waiting for you.

Notification Server 6.0 SP3 R10 Release Notes

Rollup 10 (R10) for Notification Server 6.0 is a rollup of fixes to the core product since the release of Service Pack 3. It includes R1 (KB22690), R2 (KB23784), R3 (KB25133), R4 (KB27859), R5 (KB31946), R6 (KB34317), R7 (KB35803),  R8 (KB39159), and R9 (KB39160)

Fixes and enhancements:

• Software Delivery Tasks that are set to run only at the scheduled time do not run after a deferral window
• Altiris Agent Support for Vista SP2
  
• Support for SQL 2005 SP3
  

Is Internet Explorer 8.0 supported with Notification Server?

Internet Explorer 8.0 is not supported at this time with NS 6 or 7.

However, as IE 8 offers an IE 7 compatibility mode, you may be able to use IE 8 with Notification Server 6.0 by putting the hostname of your NS into the Intranet Sites Security Zone.

Sites in the Intranet Zone are rendered in IE 7 compatibility view by default in IE 8. You can also click the compatibility view icon, located to the right of the address bar, to force IE 8 to render a given site in IE 7 mode.

How can I remove .NET 3.5 SP1 and / or .NET 2.0 SP2 and reinstall .NET 3.5?

Please first make a complete backup of the Notification Server before proceeding with the below steps.
If you have only installed .NET 3.5 and .NET 2.0 SP2, use the following steps:

1. Uninstall .NET 2.0 SP2 from Add or Remove Programs

If you have installed .NET 3.5 SP1 (which includes .NET 2.0 SP2 and .NET 3.0 SP2), use the following steps:

1. Uninstall .NET 3.5 SP1 from Add or Remove Programs
2. Uninstall .NET 3.0 SP2
3. Uninstall .NET 2.0 SP2
4. Reinstall .NET 3.5

After you have reinstalled .NET 3.5 (which includes .NET 2.0 SP1 and .NET 3.0 SP1) please make sure that the Default Web Site in IIS is set to use .NET 2.0.

After the re-installation IIS will prohibit .NET 2.0 usage by default and will result in the following errors:

Log File Name: a.log
Priority: 2
Date: 4/7/2009 11:52:19 AM
Tick Count: 1868671
Host Name: *********
Process: AtrsHost (1528)
Thread ID: 4
Module: AtrsHost.exe
Source: Altiris.TaskManagement.ClientTask.*
Description: System.Net.WebException: The remote server returned an error: (404) Not Found.
   at System.Net.HttpWebRequest.GetResponse()
   at Altiris.ClientTask.Server.ClientTaskServer.RegisterTaskServer(TaskServerGroupGuid serverGuid, Guid serverSecret)

Log File Name: Agent.log
Priority: 1
Date: 4/7/2009 4:30:02 PM
Tick Count: 6996453
Host Name: ********
Process: aexnsagent.exe (1152)
Thread ID: 1180
Module: aexnsagent.exe
Source: ConfigServer
Description: RequestPolicies failed: HTTP error: 404 Not Found (-2147209951)

Allow .NET 2.0 usage in the IIS Web Extensions and reload the console.

Which thin client modles from HP/Neoware qualify as a free managed node?

HP models starting with the characters t5, gt7, vc4, and the 2533t and 6720t models qualify as a free managed node and do not require any Deployment Server licensing. 

Neoware thin clients are not support as free nodes. There are some legacy models of Neoware thin clients that DS will recognize as free.

Dell Client Manager Table

Hope this helps

Component	DMC	DCM Standard	DCM Plus	DCM Suite
Altiris Agent Linux, Unix and Mac	X		X	X
Altiris Inventory for Network Devices	X			X
Altiris Monitor Solution for Servers	X
Altiris Patch Management for Dell Servers	X
Symantec Management Platform 7	X
Altiris Event Console	X	X	X	X
Altiris Pluggable Protocol Architecture	X	X	X	X
Altiris Network Discovery	X	X	X	X
Altiris Real Time Console Infrastructure		X	X	X
Out Of Band Management		X	X	X
Power Scheme task		X	X	X
Altiris Software Management			X	X
Altiris Inventory			X	X
Altiris Deployment Solution 7			X	X
Altiris Patch Management For Linux				X
Altiris Patch Management For Windows				X
PC AnyWhere				X
Altiris Real Time System Manager				X

Nice juice (now Connect) Articles

 

Migrating from Inventory Solution 6.x to 7.0
http://www.symantec.com/connect/articles/migrating-inventory-solution-6x-70

Best Practices for Configuring an Intel vPro Capable System within Out of Band Management 7.0
http://www.symantec.com/connect/articles/best-practices-configuring-intel-vpro-capable-system-within-out-band-management-70

Running Inventory to Capture All Information, Including Details File Inventory, Using a Task Server Job
http://www.symantec.com/connect/articles/running-inventory-capture-all-information-including-details-file-inventory-using-task-serve

Remote Configuration Certificate Best Practices in Out of Band Management 7 for Intel vPro Systems
http://www.symantec.com/connect/articles/remote-configuration-certificate-best-practices-out-band-management-7-intel-vpro-systems

DS 6.9 SP1 and SQL Express 2005SP2

To be able to install DS6.9SP1 you need a SQL Server.
For testing, demo only we can use the SQL Express edition. I used SQL Express 2005SP2.
Just installed out of the box with SP2.
Before you start installing the DS you need to enable the TCP IP protocol using the Server Configuration Manager

Second you need to enable the SQL Browser service

Then you need to start the SQL Browser Service

Either reboot the server or restart the SQL Server Service. See above, just right click and restart.
Now you are able the run the DS Setup

 

First steps with DS7.0

As soon as you install the Deployment Agent you also install an automation partition on the C: drive. (C:\Boot)

Client actions (prepare)

Create a directory called Sysprep on the source machine. (c:\sysprep) copy the Support\tools\deploy.cab file from your WindowsXPinstallation disk or service pack to the
c:\sysprep\deploy.cab file on the source computer.

Using VMWare please use the E1000 Nic see KB40812 and use IDE not SCSI (using SCSI the C:\ will not be detected)

Notification server actions

Before starting to create the capture Task you need to enter your license key for windows under Settings, Deployment and Migration, OS Licenses.
No create the task to get the image.