This document contains information, which is the proprietary property of LANDesk Software, Ltd. and its affiliates. This document is received in confidence and its contents cannot be disclosed or copied without the prior written consent of LANDesk Software Ltd., and its affiliated companies ("LANDesk"). Nothing in this document constitutes a guaranty, warranty, or license, express or implied. LANDesk disclaims all liability for all such guaranties, warranties, and licenses, including but not limited to: Fitness for a particular purpose; merchantability; non infringement of intellectual property or other rights of any third party or of LANDesk; indemnity; and all others. LANDesk products are not intended for use in medical, life saving, or life sustaining applications. The reader is advised that third parties can have intellectual property rights that can be relevant to this document and the technologies discussed herein, and is advised to seek the advice of competent legal counsel, without obligation of LANDesk. LANDesk retains the right to make changes to this document or related product specifications and descriptions at any time, without notice. LANDesk makes no warranty for the use of this document and assume no responsibility for any errors that can appear in the document nor does it make a commitment to update the information contained herein. Copyright 2004, LANDesk Software Ltd., or its affiliated companies. All rights reserved. LANDesk is either a registered trademark or trademark of LANDesk Software, Ltd. or its controlled subsidiaries in the United States and/or other countries. *Other brands and names are the property of their respective owners
Contents
LANDesk Management Suite overview ............................................................ 9 What's new in LANDesk Management Suite 8.................................................10 Management Suite basics............................................................................12 How does Management Suite fit into my network?........................................12 Important concepts..................................................................................12 Management Suite terms ..........................................................................12 Installation and deployment strategies..........................................................13 Rapid versus phased deployment ...............................................................13 Overview of installation and deployment .......................................................14 Rapid deployment strategy .............................................................................17 Overview of rapid deployment .....................................................................18 Step 1: Design your domain ........................................................................19 Estimate the number of clients ..................................................................19 Select the core server ..............................................................................19 Select the console computer .....................................................................20 Plan the placement of program files ...........................................................20 Step 2: Prepare your database ....................................................................21 Step 3: Install the core server and console ....................................................22 About the Core Server Activation utility ......................................................23 Verifying a successful installation ...............................................................24 Step 4: Deploy Management Suite ...............................................................25 Deploying to servers ................................................................................25 Deploying to clients .................................................................................26 Congratulations! ........................................................................................28 Phase 1: Designing your management domain ..................................................29 Gathering network information ....................................................................30 Determining number of sites .....................................................................30 Estimating number of clients at each location ..............................................30 Selecting your core server and consoles......................................................31 Planning placement of program files ...........................................................31 Selecting a database ................................................................................31 Selecting service centers ..........................................................................32 Determining number of management domains .............................................32
iii
TABLE OF CONTENTS
Planning your security and organization model...............................................33 Planning your core server structure ............................................................33 Planning a scope .....................................................................................33 Using a rollup core database .....................................................................35 Selecting components to implement ...........................................................36 Functionality available by client OS ............................................................38 Compatibility with previous versions of Management Suite ............................39 System requirements .................................................................................40 Core and database servers........................................................................40 Supported router configurations...................................................................44 Upgrading to LANDesk Management Suite 8 ..................................................46 Before you begin .....................................................................................46 Upgrade tools .........................................................................................47 Upgrade methods ....................................................................................48 Upgrade procedures.................................................................................48 Understanding component upgrade/migration..............................................53 Migration at a glance................................................................................56 Phase 2: Preparing your databases ..................................................................59 Before you begin .......................................................................................60 Microsoft SQL Server 2000 configuration .......................................................61 SQL maintenance ....................................................................................61 Oracle database configuration......................................................................63 Oracle performance tuning suggestions and scripts.......................................63 LANDesk Software support and DBMS issues .................................................65 Phase 3: Installing the core, console, and rollup core .........................................67 Selecting components to install....................................................................68 Installing the core server and console ...........................................................69 Activating the core server ...........................................................................71 About the Core Server Activation utility ......................................................72 Logging in to the console ..........................................................................74 Installing additional consoles .......................................................................75 Setting additional console permissions........................................................76 Verifying a successful installation ...............................................................76 Managing databases after installation ...........................................................77 Installing a rollup core..............................................................................77 Using the database Rollup Utility................................................................77
iv
TABLE OF CONTENTS
Increasing the rollup database timeout .......................................................79 Running CoreDbUtil to reset, rebuild, or update a database ...........................80 Phase 4: Deploying the primary agents to clients...............................................81 The phased deployment strategy .................................................................82 Checklist for configuring clients....................................................................82 Deploying to Windows NT/2000/2003/XP clients.............................................84 Deploying to Windows XP clients using local accounts ...................................84 Upgrading clients that use older Management Suite agents............................85 Using a service center to deploy Remote Control, Inventory, and CBA to clients..86 Setting up a Client Deployment service center .............................................86 Deploying Remote Control, Inventory, and CBA to clients of a Windows NT/2000/2003 server...............................................................................88 Deploying Remote Control, Inventory, and CBA to clients of a NetWare server .90 Deploying clients from the command line ......................................................93 Deploying to clients using Enhanced Software Distribution packages .................94 Understanding the client configuration architecture.........................................95 Configuring Windows clients......................................................................95 Understanding WSCFG32.EXE....................................................................95 Reversing the client configuration process .....................................................98 Phase 5: Deploying other agents to clients .......................................................99 Creating a client setup configuration........................................................... 100 Deploying Application Healing.................................................................. 100 Deploying Application Policy Management ................................................. 100 Deploying Bandwidth Detection ............................................................... 102 Deploying the Common Base Agent.......................................................... 102 Deploying Custom Data Forms................................................................. 103 Enabling Migration Tasks ........................................................................ 103 Deploying Enhanced Software Distribution ................................................ 103 Deploying the Inventory Scanner ............................................................. 103 Deploying the Local Scheduler ................................................................. 104 Deploying Remote Control ...................................................................... 104 Deploying Software Monitoring ................................................................ 105 Deploying Targeted Multicast................................................................... 105 Deploying Task Completion ..................................................................... 106
TABLE OF CONTENTS
Chapter 6: Installing the Web console ............................................................ 107 Extending network management to the Web................................................ 108 Installation requirements .......................................................................... 109 Management Suite requirements ............................................................. 109 Web server requirements........................................................................ 109 Computer requirements for accessing the Web console ............................... 109 Installing the Web console ........................................................................ 110 Accessing multiple databases .................................................................... 112 Configuring domain-level software distribution and Windows 2003 servers..... 112 Configuring the Web console for multiple cores .......................................... 113 Setting up Web console security ................................................................ 115 Setting up role-based administration in the Web console ............................. 115 Setting up feature-level security for rollup core databases ........................... 116 Changing the default IIS session timeout .................................................. 117 Setting up the indexing service................................................................ 117 Configuring rights for the Web console...................................................... 118 Changing the Web console location .......................................................... 118 Chapter 7: Installing OS deployment and profile migration................................ 119 Installing OS deployment and profile migration ............................................ 120 Configuring your OS deployment and profile migration environment................ 122 Step 1: Configuring an image server ........................................................ 122 Step 2: Verifying name resolution ............................................................ 123 Step 3: Configuring your network for Multicast OS deployment .................... 123 Step 4: Configuring PXE ......................................................................... 124 OS deployment phases ............................................................................. 127 Chapter 8: Installing add-ons ....................................................................... 129 Activating Management Suite 8 add-on products .......................................... 130 Installing LANDesk Patch Manager 8 ........................................................... 131 Installing LANDesk Asset Manager 8 ........................................................... 132 Installing LANDesk Handheld Manager 8 ..................................................... 133 Installing Handheld Manager ................................................................... 133 Deploying to host computers and their mobile devices ................................ 133 Using Afaria with 32-bit Windows clients ................................................... 134 How Handheld Manager works................................................................. 135 Viewing mobile inventory information ....................................................... 135
vi
TABLE OF CONTENTS
Chapter 9: Installing LANDesk Inventory Manager ........................................... 137 Installing clients manually......................................................................... 138 Installing clients using a service center ....................................................... 139 Setting up a Client Deployment service center ........................................... 139 Deploying to clients of a Windows NT/2000/2003 server ............................. 140 Deploying to clients of a NetWare server ................................................... 142 Deploying clients from the command line .................................................... 144 Chapter 10: Deploying to Macintosh, Linux, and UNIX clients ............................ 145 Deploying to Macintosh clients ................................................................... 146 Deploying the Mac OS X agents ................................................................. 147 Locking Macintosh client options .............................................................. 147 Updating the Mac OS X agents ................................................................ 147 Uninstalling the Mac OS X agents............................................................. 148 Deploying the Mac OS 8 and 9.2.2 agents ................................................... 149 Updating Mac OS 8 and 9.2.2 agents........................................................ 150 Changing Mac OS 8 and 9.2.2 agent options via the .INI files....................... 150 Deploying to Linux and UNIX clients ........................................................... 154 System requirements ............................................................................. 154 Installing the Linux/UNIX agents.............................................................. 154 Linux/UNIX inventory scanner command-line parameters ............................ 155 Linux/UNIX inventory scanner files........................................................... 156 Web console/Management Suite console integration ................................... 157 Miscellaneous issues .............................................................................. 157 Chapter 11: Uninstalling LANDesk Management Suite....................................... 159 Uninstalling Management Suite .................................................................. 160 Uninstalling LANDesk agents from clients .................................................. 160 Uninstalling the service centers ............................................................... 160 Uninstalling the consoles ........................................................................ 161 Uninstalling the core server..................................................................... 161 Uninstalling the Web console ................................................................... 161 Appendix A: Troubleshooting ........................................................................ 163
vii
TABLE OF CONTENTS
viii
LANDesk Management Suite 8.1 adds these enhancements: Enhanced inventory: Launch an immediate inventory scan on a client by right-clicking the client and clicking Inventory. Also, the inventory scanner now collects the operating system language on clients. Improved software distribution: Software distribution now works better through firewalls, and you can now disable task completion on software distribution jobs, so if the job fails it isn't automatically retried. Improved Web console: Generate basic client configuration packages and use software license monitoring from the Web. Enhanced application policy management reliability: Whenever a client checks with the core server for tasks or policies, the core server updates that client's IP address in the core database, avoiding problems with outdated IP addresses that may be part of an old inventory scan. Improved scheduled task support: Provide multiple logins for the scheduler service to authenticate with when running tasks on clients that don't have Management Suite agents. This is especially useful for managing clients in multiple Windows domains.
10
New custom local scheduler tasks: Use the Management Suite local scheduler on clients to remotely schedule a recurring task. Enhanced remote control: Store detailed remote control logs in the database. Log information includes who initiated the remote control session and the remote control tasks (file transfers, chat, and so on) they did on the client. Also, remote control sessions now pass 3rd mouse button/wheel movement to clients. Enhanced unmanaged device discovery: Generate reports on the unmanaged devices on your network. For more flexibility, you can now use an Unmanaged Device Discovery task to rediscover managed clients. This is useful if you've reset your database. New LANDesk Asset Manager 8 Add-on: Manage physical assets and perform inventory audits. Track business contracts, invoices, and projects information. Configure data entry forms, enter items into the database with those forms, and collect and analyze that data with custom asset reports. Improved Patch Manager 8 Add-on: Create user-defined vulnerabilities so you can detect problems before a patch is available. Now you can scan for vulnerabilities on Mac OS* X 10.2.x and 10.3.x clients.
11
Important concepts
The most important concept that you need to understand before installing and deploying the software is the Management Suite management domain. Each management domain consists of a core server and the clients that core server manages. Depending on the server speed, each core server can manage up to 10,000 clients. You can have multiple core servers on your network. You can view the data from multiple core servers by using the Management Suite Web console to view a rollup core server, which gathers data from individual core servers you configure.
12
Before choosing a deployment strategy, you need to briefly characterize your management needs.
Rapid deployment Uses the default settings and database. Installs on networks with 1,000 clients or fewer.
Installs to a test lab so that you can evaluate Installs to a complex network that has multiple the product before a wide-scale deployment locations with WAN connections. to your production network. If you meet any of the rapid deployment criteria, refer to the next chapter, "Rapid deployment strategy. " If you meet any of the phased deployment criteria, refer to "Phase 1: Designing your management domain" later in this guide. You should then continue sequentially through each phase.
13
Phase 1 summary
During phase 1 of the installation, you design your management domain by completing these tasks: Gather network information Confirm that your network meets system requirements
For details, refer to "Phase 1: Designing your management domain" later in this guide.
Phase 2 summary
During phase 2 of the installation, you prepare your databases by completing these tasks: Install and configure your databases Conduct basic database maintenance
For details, refer to "Phase 2: Preparing your databases" later in this guide.
Phase 3 summary
During phase 3, you install Management Suite by completing these tasks: Install the core server Install additional management consoles Configure a rollup core server (optional) Maintain the database
For details, refer to "Phase 3: Installing the core, console, and rollup core" later in this guide.
14
Phase 4 summary
During phase 4 of the installation, you deploy the basic Management Suite agents by completing these tasks: Deploy Remote Control and Inventory to servers Deploy Remote Control, Inventory, and CBA to clients Deploy clients from the command line
For details, refer to "Phase 4: Deploying the primary agents to clients" later in this guide.
Phase 5 summary
During phase 5 of the installation, you complete the task of deploying the remaining Management Suite agents: Application Healing Application Policy Management Bandwidth Detection Common Base Agent Custom Data Forms Enable Migration Tasks Enhanced Software Distribution Inventory Scanner Local Scheduler Remote Control Software Monitoring Targeted Multicasting Task Completion
For details, refer to "Phase 5: Deploying other agents to clients" later in this guide.
15
17
Use the step-by-step instructions on the following pages to complete the rapid installation and deployment of Management Suite.
18
19
A dedicated core server is strongly recommended Because of the traffic that must pass through the core server to manage your domain, we strongly recommend that each core server, database server, or service center is dedicated to hosting Management Suite. If you install other products on the same server, you may experience short- and long-term resource issues. Don't install the core server components on a primary domain controller, backup domain controller, or active directory controller.
20
21
22
Start the utility by clicking Start | All Programs | LANDesk | Core Server Activation. If your core server doesn't have an Internet connection, see "Manually activating a core or verifying the node count data" later in this section. Each core server must have a unique authorized certificate. Multiple core servers can't share the same authorization certificate, though they can verify node counts to the same LANDesk account. Periodically, the core server generates node count verification information in the "\Program Files\LANDesk\Authorization Files\LANDesk.usage" file. This file gets sent periodically to the LANDesk Software licensing server. This file is in XML format and is digitally signed and encrypted. Any changes manually made to this file will invalidate the contents and the next usage report to the LANDesk Software licensing server. The core communicates with the LANDesk Software licensing server via HTTP. If you use a proxy server, click the utility's Proxy tab and enter your proxy information. If your core has an Internet connection, communication with the license server is automatic and won't require any intervention by you. Note that the Core Server Activation utility won't automatically launch a dial-up Internet connection, but if you launch the dial-up connection manually and run the activation utility, the utility can use the dial-up connection to report usage data. If your core server doesn't have an Internet connection, you can verify and send the node count manually, as described later in this section. For more information on the Core Server Activation utility, see "Activating the core server" in Phase 3.
23
2. Start the console by clicking Start | Programs | LANDesk | LANDesk Management Suite 8. 3. You'll be prompted to log in to the console. Log in with the Windows user credentials you used when installing the core server. 4. Once the console starts, you're asked to supply license information. If you're evaluating LANDesk Management Suite 8, you can use a 45-day evaluation license for 100 clients and one server. Otherwise, click Add to add your license information. 5. In the network view, click Devices > All Devices, select the core server, and from its shortcut menu click Inventory. Confirm that the core server has been scanned into the core database.
24
Deploying to servers
There are three parts to a rapid server deployment: Creating a default remote control and inventory client setup configuration Installing Remote Control and Inventory on servers Deploying to clients
Note that when you deploy Management Suite agents to servers, you use a server license. Server and client licenses for Management Suite are sold separately. For more information on purchasing licenses, see http://www.landesk.com/contactus/.
Creating a remote control and inventory client setup configuration for servers
The default client setup configuration Management Suite installs with includes all components except for Application Healing. You should create a separate client configuration for servers that includes only the components you want, particularly the Common Base Agent (CBA), remote control, and inventory. Servers generally don't need all of the Management Suite components. To create a remote control and inventory client setup configuration for servers Click Tools | Client Setup. Double-click the Add client Configuration icon. Enter a Configuration name. Under Components to install, click Common Base Agent, Inventory Scanner, and Remote Control. 5. Proceed through the wizard, making any changes you want. When you get to the scope page, enter the scope you decided on earlier. Click Help if you need more information on Scope and the wizard pages. 6. Finish the wizard, and make the configuration default. 1. 2. 3. 4.
25
To install Remote Control and Inventory on a Windows NT/2000/2003 server At the server you're installing to: 1. Log in with administrator rights. 2. Map a drive to the core server's LDLogon share. 3. Run IPSETUP.BAT to configure the server with LANDesk agents.
Deploying to clients
There are three ways to configure clients: Manual configuration: Map a drive to the core server's LDLogon share and run WSCFG32.EXE, the client configuration program. The components that are deployed to the client must be selected interactively. Push-based configuration: Use the Client Setup wizard to define a client configuration. Use the Scheduled Tasks window to push the configuration to clients. In the case of Windows 95/98 clients, CBA must already be present on the client. Logon script-based configuration: Use the Client Setup wizard to define a client configuration (with the default option set to Yes). This configuration will be applied to clients as they log in. In the case of Windows NT/2000/2003/XP clients, end users need administrative rights to their computers.
Obviously, manual configuration is not practical in a large environment where many clients must be configured. In this initial phase of the client deployment, with no agents present on the clients, login script-based configuration is the only option for Windows 95/98 clients. For Windows NT/2000/2003/XP clients, either login scriptbased or push-based configuration will work, but login script-based configuration is often impractical because it requires end users to have administrative rights to their computers.
26
To configure a client manually 1. 2. 3. 4. Go to the client you want to configure. Log in with administrator rights. Map a drive to the core server's LDLogon share. Run IPSETUP.BAT to configure the client with LANDesk agents.
IPSETUP.BAT installs the configuration marked as default in the Client Setup window. Once IPSETUP.BAT finishes, the newly-configured client will be visible in the console's network view.
27
Congratulations!
You've completed the rapid deployment of Management Suite. For help using this application, consult the LANDesk Management Suite User's Guide or online help. If you want to roll out Management Suite to a larger management domain than this rapid deployment model can handle, see "Phase 2: Preparing your databases" later in this guide.
28
29
30
Selecting a database
Management Suite 6.6 and later replaces the old Access default database with the Microsoft SQL Server Data Engine 2000 (MSDE) database. The new MSDE database can handle more clients and doesn't have many of the performance limitations the Access database had. Each MSDE database has a 2 GB database size limit. The number of clients this database supports depends on your network's inventory scan file size. In larger environments with many management consoles, you should use the supported Microsoft SQL or Oracle8i* databases to keep Management Suite performing optimally. In these larger environments, the MSDE database won't perform as well as a true enterprise-level database.
31
You'll likely see performance issues with MSDE when the database has more than five concurrent things to do. If you want to use MSDE, consider how often you might have more than five people accessing the database at exactly the same time. If it's likely more than five people will be accessing the database, what will those people be doing? For example, if they're all running software-related queries against the core database, use SQL Server or Oracle, since software-related queries can take a while to complete because of the amount of data involved. If they're all querying the core database for a set of clients with a certain hard drive size, you can probably stay with MSDE, since that type of query usually takes less than a second to complete. If you want or need to use your own database, you can select either: Microsoft SQL Server 2000 SP 3 Oracle8i* (8.1.7) Oracle9i*
For detailed information about databases, refer to "Phase 2: Preparing your databases" later in this guide.
32
Planning a scope
Role-based administration is a powerful new feature with Management Suite 8. Access the role-based administration tools in the console by clicking Users in the Tools menu or on the Toolbox. You must be logged in with administrative rights. Role-based administration provides advanced network management capability by letting you add users to your Management Suite system and assign those users rights and a scope. Rights determine the tools and features a user can see and use (see "Understanding rights" in chapter 1 of the User's Guide). Scope determines the range of devices a user can see and manage (see "Creating scopes" in chapter 1 of the User's Guide). You can create roles based on users' responsibilities, the management tasks you want them to perform, and the devices you want them to see, access, and manage. Access to devices can be restricted to a geographic location such as a country, region, state, city, or even a single office or department. For example, you can have one or more users in charge of software distribution, another user responsible for remote control operations, another user who runs reports, and so on. To implement and enforce this type of role-based administration across your network, simply set up current users, or create and add new users as Management Suite users, and then assign the necessary rights (to Management Suite features) and scope (to managed devices).
33
The core server uses scopes to limit the clients that console users can see. Only one scope can be assigned to a User, but the same scope can be used by multiple users. You can base scopes on one of these methods: Default All Machines Scope: The assigned default scope for all users allows them to see all clients on the network. Default No Machines Scope: Users are unable to see any clients on the network. Based on a Query: Users can see the clients that fit the selected criteria of a specific query assigned to them by the Administrator. Based on LDAP or custom directory: Users can see the clients from the selected level down within a LDAP or customer directory. The scope page in the Client Setup wizard: If you don't have an LDAPcompliant directory or you want to categorize clients differently, enter a scope on this scope page. This scope page provides a convenient field you can deploy via Client Setup configurations and do queries on.
The inventory scanner on each client reports that client's scope in a "location" database field. If you entered a scope in that client's Client Setup configuration, that's the scope the scanner returns. If you left the scope blank in that client's Client Setup configuration, the scanner tries to populate the scope from an LDAP-compliant directory. If the scope isn't available from the Client Setup configuration or an LDAPcompliant directory, the location field will be blank. You can still assign scopes for clients with a blank location field, but you'll have to do it through queries. The Client Setup wizard scope page uses a path format that's similar to a file path, but with forward slashes as separators. When deciding on a scope, decide how you want to categorize your clients for management. You might do it by geography or by organization. Console users can manage clients belonging to multiple scopes through query-based scopes. For more information on scopes, see chapter 1 in the User's Guide.
34
Understanding certificates
With Management Suite 8, the certificate based authentication model has been simplified. Client agents still authenticate to authorized core servers, preventing unauthorized cores from accessing clients. However, Management Suite 8 doesn't require a separate certificate authority to manage certificates for the core, console and each client. Instead, each core server has a unique certificate and private key that Management Suite Setup creates when you first install the core or rollup core server. Clients will only communicate with core and rollup core servers that the client has a matching trusted certificate file for. Each core server has its own certificate and private keys, and by default, the client agents you deploy from each core server will only talk to the core server from which the client software is deployed. However, you can configure clients to talk to multiple cores. If you will have multiple core servers or a rollup core on your network, make sure you read "Client agent security and trusted certificates" in chapter 2 of the User's Guide.
The rollup core database should be on a separate server from the core and requires a supported Microsoft SQL or Oracle database. Before installing a rollup core from Management Suite Setup, you need to install and configure the rollup database. Once you've installed your core servers and the rollup core, you can configure periodic data rollups from the core databases to the rollup core database.
35
Lets you take control of a client from Provide remote management of across the network. Minimizes the computers across the LAN/WAN. time it takes to resolve customer issues from a centralized help desk. Gathers software and hardware information for clients that you can view through database queries. Monitors and reports on application license usage and denied applications. Doesn't limit access to applications. Automates the process of installing software applications or distributing files to clients. Allows clients to receive multicast software distributions. Record detailed inventory information about all clients. Provide reports on all software and hardware. Track installed software and software usage.
Inventory scanner
Software monitoring
Install applications simultaneously to multiple clients. Update files or drivers for multiple clients. Install applications simultaneously to multiple clients. Update files or drivers for multiple clients. Reduce consumed network bandwidth. Protect critical or commonly-used applications on clients. Manage groups of clients that have common software needs.
Targeted Multicasting
Automatically keeps configured applications running on clients. Automatically installs a set of applications on groups of clients.
Presents a form to users for them to Retrieve customized information complete. You can query the from users directly. database for the data that users enter. Enables bandwidth detection Detect remote clients or clients between clients and the core server. that connect to the network via a You can limit Management Suite slow link. actions such as Software Distribution based on available bandwidth.
Bandwidth detection
36
Local scheduler
Enables Management Suite to launch client tasks based on a time of day or bandwidth availability. For example, you can use the Local Scheduler to allow mobile client package distribution only when those clients are on the WAN.
You have computers that may not always be on the network or may connect to the network via a dialup connection.
The base client agent that enables client discovery, alert reporting, and other basic features. Required by many other agents.
Most clients need CBA. Many agents in this table require CBA to work.
Task completion
Checks with the core server to see if You have mobile or other users there are any scheduled jobs the who aren't always connected to client needs to run. the network and tend to miss scheduled jobs.
37
Application healing Application policy management Bandwidth detection Common Base Agent Custom data forms Enhanced software distribution Inventory scanner Local scheduler Migration tasks Remote control Software monitoring Targeted Multicasting Task completion
Yes Yes
No No
No No
No No No No
No No No Yes
No No No No
No No No No
No No No No
Yes No No Yes No No No
Yes No No Yes No No No
Yes No No No No No No
Yes No No No No No No
In addition, Management Suite supports these directory services: Microsoft Active Directory* Novell eDirectory* Novell NDS
38
39
System requirements
Make sure that you meet the following system requirements before you install Management Suite.
Core server requirements The Windows 2000 pagefile should be at least 12 + N (where N is the number of megabytes of RAM on the core server. Otherwise, Management Suite applications may generate memory errors.
40
Core database on a second server Dual Pentium III 1000 MHz or faster processors 2 GB or more of RAM Supported database Two ultra-wide I20 controllers with RAID 5 20 GB of free space on SCSI drives with a rotational rate of 15K RPM or faster Two full-duplex 100+ MB network interface cards in teaming mode
41
Core database on a second server Quad Pentium Xeon* 1000 MHz or faster processors 2 GB or more of RAM Supported database Two ultra-wide I20 controllers with RAID 5 20 GB of free space on SCSI drives with a rotational rate of 15K RPM or faster Two full-duplex 100+ MB network interface cards in teaming mode
PDCs and Windows NT/2000 Client Deployment service centers If you're installing a Client Deployment service on a Windows NT/2000 server, you should install to a Primary Domain Controller (PDC), Backup Domain Controller (BDC), or Windows 2000 Domain Controller. Only the PDC, BDC, or Domain Controller can run the domain-level logon scripts that are created by a Windows NT/2000 Client Deployment service center.
42
NetWare Pentium II processor (Pentium III recommended) 16 MB of free disk space 64 MB of RAM TCP/IP or IPX* protocol stack. The service center and the core server both must use the same protocol in order to communicate with one another. SNMP servers aren't supported, except for the SNMP trap functionality within the Server Management component Network interface card NetWare 5.1 or 6.0
Console
Windows XP Professional with SP 1 Windows Server 2003 Standard Edition and Enterprise Edition Windows 2000 Professional, Server, and Advanced Server with SP 4 Pentium III processor (Pentium 4 processor recommended) 256 MB of RAM 180 MB of free disk space Internet Explorer 5.5 or 6.x Novell Client 32* is required to browse a Novell NDS environment
Client computers
Management Suite supports these client operating systems (not all operating systems are supported equally): Windows XP Professional with SP 1 Windows Server 2003 Standard Edition and Enterprise Edition Windows 2000 Professional, Server, and Advanced Server with SP 4 Microsoft Windows NT 4 Workstation with SP 6a Windows Server 2003 Windows 95B (requires Winsock2) and 98SE NetWare 5.1 and 6.0 Mac OS 8, 9.2.2, 10.2.x, and 10.3.x Red Hat Linux 7.3, 8.0, and 9.0 UNIX IBM (AIX 5.1) UNIX Intel Architecture (Solaris 8) UNIX Hewlett Packard (HP-UX 11.0) UNIX Sun Sparc (Solaris 8)
Dial-up support
Modems down to 28.8 where applicable RAS connections
43
44
QIP services TCP 12175, client to core server. For clients, change this port in the Client Setup wizards Client Status TCP Port page. For the core server, change the port at: HKLM\Software\Intel\LANDesk\LDWM\QIPSrvr\TCPPort. Application Policy Management and Task Completion TCP 12176, client to core server. Wake On LAN UDP 0, core to client. Wake On LAN packets are sent as subnet-directed broadcasts. Using port 0 ensures that no clients IP stack will process the packet. To allow Wake On LAN packets to cross routers, configure the routers to allow subnet directed broadcasts. You may also need to change the port. Any port will work for the client. Because Wake On LAN packets are recognized by the network adapter hardware, no configuration is needed on the client side. LANDesk System Manager and LANDesk Server Manager LANDesk System Manager and LANDesk Server Manager use port 9535 for remote control. They also use port 9595 for broadcast discovery. IPMI discovery requires port 623. Important non-Management Suite ports Microsoft SQL Server, TCP 1433, console/core to SQL server. NetBIOS over TCP, TCP 139. This port is used by the console's network view for pushing client configurations, for UNC-based software distributions, and so on. SMB over TCP, TCP 445 (Windows 2000 only).
45
46
Assumptions
You need to consider a number of issues before performing a Management Suite upgrade: All core servers and databases should be backed up or imaged prior to upgrading any LANDesk software. Due to the new security model of Management Suite 8, once a client has been upgraded to the Management Suite 8 agents, it cannot be remote controlled by older version core servers. Several add-on tools and enhancements exist that can be used in conjunction with Management Suite, including some tools developed by third-party vendors. The upgrade/migration process documented in this guide does not take these tools into consideration. Upgrading assumes a working knowledge of Management Suite.
Upgrade tools
The Management Suite migration process relies on the following executables that are included on your LANDesk Management Suite CD.
MIGRATECORE.EXE
This tool gathers and restores core server files and settings.
DBUPGRADE.EXE
This tool transfers most of the data stored on a previous core database to a new Management Suite 8 core database. For component-specific details, see "Understanding component upgrade/migration" later in this phase. Note: The database upgrade tool can also be manually executed as a stand-alone process in order to migrate data from a previous core database to a Management Suite 8 core database. In order for this type of migration to work properly, the Management Suite 8 core database must be empty. To ensure an empty database, run COREDBUTIL.EXE (in the LANDesk\ManagementSuite directory) and select Reset database.
47
Upgrade methods
There are two methods to upgrade to Management Suite 8: In-place upgrade: Upgrades an existing core server and database as a new Management Suite 8 core server (preserving the core's settings), with the option of also migrating existing data from a previous core database. Note that if you are doing an in-place upgrade, LANDesk recommends that you do NOT upgrade the OS of the core server. Side-by-side upgrade: Installs a new Management Suite 8 core server and database, with the option of migrating settings from a previous core server, and the option of also migrating data from a previous core database. Use the side-by-side method if you want to upgrade the hardware or OS of the core server.
Upgrade procedures
Follow the procedures below for the upgrade method you've chosen.
In-place upgrade
To perform an in-place upgrade On an existing core server: 1. Insert the LANDesk Management Suite CD into the server's CD-ROM drive or run AUTORUN.EXE from your installation image. 2. Click Verify Core System Requirements to run the system requirements checker. Make sure all requirements pass. 3. Click Install LANDesk Management Suite to run the Setup program. 4. Select the language you want to install, and click OK. 5. Setup detects an existing installation of Management Suite and prompts whether you want to continue or exit. Click Ignore to have Setup continue with the migration process. 6. The MIGRATECORE.EXE tool runs (with the /gather parameter) and gathers core server files and settings. 7. Uninstall runs automatically and removes the previous version of Management Suite. Status messages provide information about the processes as they run. 8. Setup now runs the Management Suite 8 installation. At the Management Suite Welcome page, click Next. 9. Click Yes to accept the license agreement. 10. Accept the default destination location by clicking Next.
48
11. Accept the default selected features by clicking Next. 12. Select Create New Database to install the default MSDE database, or select User-supplied Database to install a different database (such as Oracle or SQL 2000), and then click Next. (For more information on database installation and maintenance, see "Phase 2: Preparing your databases.") 13. Enter a database password, and then click Next. 14. If you selected to install OS Deployment and Profile Migration, specify a location for the required Windows NT 4 files, and then click Next. 15. If you selected to install OS Deployment and Profile Migration, specify a location for the required Windows 98 files, and then click Next. 16. Enter an organization and certificate name, and then click Next. 17. Review the summary page, and then click Next to start copying files. The Setup Status page provides information on the various processes as they run. 18. When the file copy process is complete, the MIGRATECORE.EXE tool runs again (this time with the /restore parameter) and restores the gathered files and settings from the previous core server to the new Management Suite 8 core server. 19. The DBUPGRADE.EXE tool runs and opens the Database Upgrade Settings dialog. 20. In the Database Upgrade Settings dialog, enter the data source name, logon name and password, and the core server where you want the data migrated. Data is exported from the database identified by the data source name (DSN) and imported to the new Management Suite 8 core database. (If you are installing on a new core, you need to create a DSN to the old database. Click New DSN to open the ODBC Data Source Administrator dialog. This dialog includes its own online Help, or you can refer to your previous Management Suite's Installation and Deployment Guide for information on setting up DSNs.) 21. Click Start. 22. When the data migration is finished, the Setup is Complete page appears. 23. Click Finish to complete Setup. Restart the computer to finish Setup and load the Management Suite services. You'll notice after you reboot and log in that Setup will run for a few more minutes while it finishes the installation.
49
Side-by-side upgrade
To perform a side-by-side upgrade On a server that meets the Management Suite core server requirements (see System requirements above): 1. Insert the LANDesk Management Suite CD into the server's CD-ROM drive or run AUTORUN.EXE from your installation image. 2. Click Verify Core System Requirements to run the system requirements checker. Make sure all requirements pass. 3. Click Install LANDesk Management Suite to run the Setup program. 4. Select the language you want Setup to install, and click OK. 5. At the Management Suite Welcome page, click Next. 6. Click Yes to accept the license agreement. 7. Accept the default destination location by clicking Next. 8. Accept the default selected features by clicking Next. 9. Select Create New Database to install the default MSDE database, or select User-supplied Database to install a different database (such as Oracle or SQL 2000), and then click Next. (For more information on database installation and maintenance, see "Phase 2: Preparing your databases.") 10. Enter an MSDE database password, and then click Next. 11. If you selected to install OS Deployment and Profile Migration, specify a location for the required Windows NT 4 files, and then click Next. 12. If you selected to install OS Deployment and Profile Migration, specify a location for the required Windows 98 files, and then click Next. 13. Enter an organization and certificate name, and then click Next. 14. Review the summary page, and then click Next to start copying files. The Setup Status page provides information on the various processes as they run. 15. When the file copy process is complete, check the Migrate settings... option, and then click Finish. 16. The MIGRATECORE.EXE tool runs and opens the Migration dialog. In the Migration dialog, fill in the following fields: Capture data from: Core name: Check the box and enter the name of the core server whose data you want to migrate. Web console path: If you want to migrate Web console data, check the box and enter the UNC path, or browse, to the remote folder for the Web console (default location is: C:\Inetpub\wwwroot\remote). This folder must be shared. Select the intermediate file location: Enter or browse to the location where you want the captured data saved. The default location is the local hard drive. Restore data to: Core name: Make sure the box is checked and that the new Management Suite 8 core server name is correct. This should be the name of the server where you are currently running the upgrade installation. Transfer data to specified core: Check the box to automatically launch the database upgrade tool after the server data saved in the file location specified above is migrated to the new core server.
50
18. Click OK. 19. The DBUPGRADE.EXE tool runs and opens the Database Upgrade Settings dialog. 20. In the Database Upgrade Settings dialog, enter the data source name, logon name and password, and the core server where you want the data migrated. Data is exported from the database identified by the data source name (DSN) and imported to the new Management Suite 8 core database. (If you are installing on a new core, you need to create a DSN to the old database. Click New DSN to open the ODBC Data Source Administrator dialog. This dialog includes its own online Help, or you can refer to your previous Management Suite's Installation and Deployment Guide for information on setting up DSNs.) 21. Click Start. 22. When the data migration is finished, the Setup is Complete page appears. 23. Click Finish to complete Setup. Restart the computer to finish Setup and load the Management Suite services. You'll notice after you reboot and log in that Setup will run for a few more minutes while it finishes the installation.
51
Upgrade/migration diagram
52
Client configuration
Client configuration data Client configuration data is not migrated because the previous versions of the LANDesk agents are not compatible with Management Suite 8. An administrator must reconfigure clients with new Management Suite 8 agents via the Client Setup wizard in the console. For more information, see the "Deploying the primary agents to clients" chapter in the Installation and Deployment Guide, as well as the "Configuring clients" chapter in the User's Guide. XXSTACFG.INI files These files are not migrated because of incompatibility with new functionality.
Inventory
Alias files Alias files and their contents are migrated to the Public Devices group in the new console's network view. LDAPPL3.INI template file The template file is not migrated during the upgrade/migration process. However, if the template file has been modified, and you want to maintain those custom changes, it can be manually copied into the LDLogon directory of the new Management Suite 8 core server. Saved and stored queries Saved queries (.QRY files saved on the core server) are moved into the LegacyQueryFiles directory on the new core server (under LANDesk\ManagementSuite). To import these saved queries into your new console, right-click either the Public Queries or My Queries group, click Import, and navigate to the directory where the queries are saved. Stored queries (queries stored in the core database) are migrated as part of the database migration and appear in the Public Queries group in the network view. Database groups Database groups are migrated into the new Management Suite console. Scheduled tasks Scheduled tasks are migrated into the new Management Suite console. Local Scheduler static settings Scheduler settings are saved in the client registry. When a client is configured with a new Management Suite 8 client setup configuration package, Scheduler settings remain in place and function as normal.
53
Custom data forms Custom data forms are migrated into the new Management Suite console.
Software Distribution
Custjob scripts Software distribution scripts (CustJob scripts), and other custom scripts, that are stored in the Scripts directory are migrated as part of the upgrade/migration. Note that scripts containing references to the old core server must be modified/updated so that they reference the new Management Suite 8 core server. You can do this by simply opening a script in its script wizard (in the new console) and proceeding through the wizard. Software distribution log files Software distribution log files are stored in the Logs directory on the old core server. These files are not automatically migrated. However, you can manually copy log files to the new Management Suite 8 core server if you want to preserve this information. APM data Application Policy Management (APM) data is migrated to the new core server as part of the upgrade process. Database queries Database queries are "stored" in the database. Stored queries are migrated as part of the database migration and appear in the Public Queries group in the network view. APM LDAP queries The settings from the Directory Manager tool (including LDAP directory connections) are migrated to the new core server along with any queries. Application Healing ARL files and packages Application Repair Lists (ARL files) are migrated. Application Healing files are moved, along with any executables found in the [PKG] section of the ARL files. Executables are placed in the same directory as the ARL file. The administrator is responsible for editing the ARLs with the new location of the package executables. The Application Healing packages are not included in the LDMSDATA.DAT file, but are copied to the \\Program Files\LANDesk\ManagementSuite\LDLogon\packages directory. If the Application Healing packages location is a URL, the file is not copied but the URL address remains in the ARL file. Multicast Domain Representatives Multicast Domain Representatives are represented by Alias files (.STA) in previous versions of Management Suite and are migrated as part of the upgrade process. (Note that this happens as part of the Alias file migration mentioned earlier.)
Software license data License data is part of the Software Configuration data and is not migrated. An administrator should export this data from the Software Configuration console by using the Export tool in the Software Configuration console before upgrading. This data can then be imported the Management Suite 8 Software License Monitoring window in the new console. Application usage data Application usage data is part of the inventory data and is migrated with the database. Client registry settings Client registry settings remain intact in the registry of the client when upgrading.
Web console
Custom queries Custom queries in the Web console are not migrated. They are stored in the database so you must manually export the queries as .XML files, and then import them.
55
Migration at a glance
The following table provides a quick reference of Management Suite components and whether they are migrated by the migration tools. Component Client configuration Client configuration data XXSTACFG.INI files Inventory Alias files LDAPPL3 template file Saved queries (.QRY) Stored queries Database groups Scheduled tasks Custom data forms Custom application information Software Distribution Custjob scripts Log files APM data APM database queries APM LDAP queries ARL files and packages Multicast Domain Representatives Migrated Not migrated, but can be copied to the new core server Migrated Migrated to the Public Queries group Migrated Migrated Migrated Migrated to the Public Devices group Not migrated, but can be copied to the new core server Moved to the LegacyQueryFiles directory, can then be imported Migrated to the Public Queries group Migrated Migrated Migrated Migrated Not migrated Not migrated Migration status
56
Software License Monitoring Aliases Licensing data Product groups Licenses Files Denied applications Not migrated, but can be exported/imported (*1) Not migrated, but can be exported/imported (*1) Not migrated, but can be exported/imported (*1) Not migrated, but can be exported/imported (*1) Not migrated, but can be exported/imported (*1) Not migrated, but can be exported/imported (*1)
OS Deployment and Profile Migration OSD/PM scripts Profile data DOS boot menu PXE proxies SYSPREP.INF files Collections File rules Migrated, must be reset to the new core server Migrated Migrated Migrated, must be updated (*2) Migrated Migrated Migrated
User-initiated PM packages Migrated Web console Custom queries Not migrated, but can be saved as .XML and imported
Footnotes: 1. Software License Monitoring data must be exported (from the SLM toolbar) to an .XML file, copied to the new core server, and then imported into the new console. 2. PXE proxy data is migrated with the database; however, the Deploy PXE Representative script must also be redeployed on all PXE proxies in order to update the proxies to the new core server.
57
59
All database servers need to have MDAC 2.8 on them. With Management Suite 8, you no longer need to create a database DSN for ODBC. The deciding factor in selecting a DBMS for your database is the number of managed clients and consoles in your Management Suite domain. In "Phase 1: Designing your management domain," you determined the number of clients in your management domains. Based on that number of clients, you can select the default database (MSDE) or a supported ODBC-compliant DBMS for a larger management domain. The steps below are for installing the core database. In Oracle, Management Suite uses public synonyms. For detailed database installation steps You can view detailed installation steps for each database on the LANDesk Software support Web site: http://www.landesk.com/go.php?go=ldmsdbwp. If you have a preexisting Windows NT/2000/2003 master domain Don't install the DBMS to the primary domain controller (PDC). The DBMS should be installed only on a standalone server. You can install the DBMS on the backup domain controller (BDC) in a small Windows NT/2000/2003 domain, but we don't recommend it.
60
Other settings Use "sa" or another user aliased into the database as DBO when creating the database. Set up database maintenance.
To install Management Suite so that it uses your SQL 2000 database 1. Install Management Suite to the point where you need to choose a database. 2. In the Choose a Database page, click User-supplied database and then click Next. 3. Enter the Server and Database names, and enter the User and Password that Management Suite should use to authenticate to the database. You MUST use a user who is aliased into the database as DBO. Don't use "sa" for the login name. Don't use any other user to create or reset the database. If another user attempts to connect to the database and the tables aren't owned by DBO, the user won't be able to see the tables. If you're using an Oracle database, check This is an Oracle database. 4. Click Next and finish the Management Suite install.
SQL maintenance
You must regularly perform maintenance on a Microsoft SQL Server database. Over time, the indexes become very inefficient. If your database has 10,000+ clients and queries seem to be running more slowly than normal, updating statistics on all tables within the database can substantially improve query performance. On very large databases, you might want to update statistics daily. Microsoft SQL maintenance requires the SQLServerAgent service to be running on the SQL server. You may need to set the service to Automatic in the Control Panel Services applet. SQL maintenance won't run unless the SQLServerAgent service is started.
61
To set up a maintenance task 1. Click Start | Programs | Microsoft SQL Server | Enterprise Manager. 2. Click the + next to these folders: Microsoft SQL Servers, SQL Server Group, the name of your server, and Management. 3. Right-click Database Maintenance and click New Maintenance Plan. 4. In the Database Maintenance Plan dialog, click Next. 5. In the Select Databases dialog, select These databases and select the checkbox for your database. Click Next. 6. In the Update Data Optimization Information dialog, click Reorganize data and index pages. 7. Set the Change free space per page percentage to option to 10. 8. Click the Change button next to the Schedule window. 9. In the Edit Recurring Job Schedule dialog, select the schedule you want for maintenance. We suggest you perform the maintenance at least weekly at a time when there will be minimal database activity. 10. Click OK. 11. In the Database Integrity Check dialog, select these options: Check database integrity and Include indexes, and click Next. 12. In the Specify the Database Backup Plan dialog, specify your own backup schedule and click Next. 13. In the Specify the Transaction Log Backup Plan dialog, specify your own backup schedule and click Next. 14. In the Reports to Generate dialog, select the Write report to a text file in directory option and click Next. 15. In the Maintenance Plan History dialog, select the Write history to the msdb.dbo.sysdbmaintplain_history table on this server option. 16. Set the Limit rows in the table to option to 1000. 17. Click Next. 18. In the Completing the Database Maintenance Plan dialog, enter a Plan name and click Finish.
62
3. Set the user's default tablespace to the tablespace created for Management Suite use. 4. On the core server, create a TNS entry for the Oracle instance.
63
You must create an Oracle TNS name entry on the console If you don't create an Oracle TNS name entry on the console computer, the console won't be able to communicate with the database. If services fail to start using Oracle If the LANDesk services are failing to start and checking the event log shows errors about Adapter initialization failures or Adapter Authentication failures, change the following file: $ORACLE_HOME/network/admin/sqlnet.ora Change: SQLNET.AUTHENTICATION_SERVICES = (NTS) To: SQLNET.AUTHENTICATION_SERVICES = (NONE) Using Oracle 9.2.0.1 with the Web console If you use an Oracle 9.2.0.1, there is an Oracle install bug that doesn't set the proper permissions for authenticated users (which IIS uses). Follow these steps to fix it. 1. Log in to Windows as a user with administrator privileges. 2. Launch Windows Explorer from the Start menu and navigate to the ORACLE_HOME folder. This is typically the "Ora92" folder under the "Oracle" folder (i.e. D:\Oracle\Ora92). 3. From the ORACLE_HOME folder's shortcut menu, click Properties. 4. Click the Security tab. 5. In the Name list, click Authenticated Users. On Windows XP, the Name list is called Group or user names. 6. In the Permissions list under the Allow column, clear the Read and Execute option. On Windows XP, the Permissions list is called Permissions for Authenticated Users. 7. Re-check the Read and Execute option under the Allow column (this is the box you just cleared). 8. Click Advanced and, in the Permission Entries list, make sure you see the Authenticated Users listed there with Permission = Read & Execute and Apply To = This folder, subfolders and files. If this isn't the case, edit that line and make sure the Apply onto box is set to This folder, subfolders and files. This should already be set properly, but it's important that you verify this. 9. Click the OK until you close out all of the security properties windows. 10. Reboot your server to make sure that these changes have taken effect.
64
If you call LANDesk Software customer support, support personnel will attempt to do the following: Isolate the problem Verify that the specified DBMS parameters are correct Verify that Management Suite is working correctly Verify that Management Suite works with MSDE
If, at this point, the DBMS still doesn't work, you may need to either reinstall the DBMS or resolve the issue through other means.
65
The installation of the components outlined in this phase requires about 1-3 hours. If you're creating multiple domains, we recommend that you successfully complete the installation and deployment of one management domain before creating another. Make sure you review the system requirements described in "Phase 1: Designing your management domain."
67
68
69
When installing an MSDE core database on a Windows 2003 Server, Windows may interrupt Management Suite Setup and ask if it's OK to open Setup.exe. If you see this prompt, click Open or Management Suite won't be installed correctly.
70
No other data is collected or generated by the activation. The hardware key code is generated on the core server using non-personal hardware configuration factors, such as the size of the hard drive, the processing speed of the computer, and so on. The hardware key code is sent to LANDesk in an encrypted format, and the private key for the encryption resides only on the core server. The hardware key code is then used by LANDesk Software to create a portion of the authorized certificate. After installing a core server, use the Core Server Activation utility (Start | All Programs | LANDesk | Core Server Activation) to either activate it with a LANDesk account associated with the licenses you've purchased or with a 45-day evaluation license. The 45-day evaluation license is for 100 nodes. There are two types of licenses, client and server. Any time you install Management Suite agents on a server operating system, such as Windows 2000 Server or Windows 2003 Server, that installation consumes a Management Suite license for a server. Rollup core servers don't need to be activated. You can switch from a 45-day evaluation to a paid license at any time by running the Core Server Activation utility and entering your LANDesk Software username and password. Each time the node count data is generated by the activation software on a core server, you need to send the node count data to LANDesk Software, either automatically by the Internet or manually by e-mail. If you fail to provide node count data within a 30-day grace period after the initial node count verification attempt, the core server may become inoperative until you provide LANDesk with the node count data. Once you send the node count data, LANDesk Software will provide you with an authorized certificate that will allow the core server to work normally once again. Once you've activated a core server, use the Management Suite console's Configure | Product Licensing dialog to view the products and the number of authorized nodes purchased for the account the core server authenticates with. You can also see the date the core server will verify node count data with the central licensing server. The core server doesn't limit you to the number of authorized nodes you purchased.
71
You can view information about the licenses you're using by visiting the LANDesk Software licensing site at www.landesk.com/contactus.
Start the utility by clicking Start | All Programs | LANDesk | Core Server Activation. If your core server doesn't have an Internet connection, see "Manually activating a core or verifying the node count data" later in this section. Each core server must have a unique authorized certificate. Multiple core servers can't share the same authorization certificate, though they can verify node counts to the same LANDesk account. Periodically, the core server generates node count verification information in the "\Program Files\LANDesk\Authorization Files\LANDesk.usage" file. This file gets sent periodically to the LANDesk Software licensing server. This file is in XML format and is digitally signed and encrypted. Any changes manually made to this file will invalidate the contents and the next usage report to the LANDesk Software licensing server. The core communicates with the LANDesk Software licensing server via HTTP. If you use a proxy server, click the utility's Proxy tab and enter your proxy information. If your core has an Internet connection, communication with the license server is automatic and won't require any intervention by you. Note that the Core Server Activation utility won't automatically launch a dial-up Internet connection, but if you launch the dial-up connection manually and run the activation utility, the utility can use the dial-up connection to report usage data. If your core server doesn't have an Internet connection, you can verify and send the node count manually, as described later in this section.
73
To manually activate a core or verify the node count data 1. When the core prompts you to manually verify the node count data, it creates a data file called activate.xml in the "\Program Files\LANDesk\ManagementSuite" folder. Attach this file to an e-mail message and send it to licensing@landesk.com. The message subject and body don't matter. 2. LANDesk Software will process the message attachment and reply to the mail address you sent the message from. The LANDesk Software message provides instructions and a new attached authorization file. 3. Save the attached authorization file to the "\Program Files\LANDesk\Authorization Files" folder. The core server immediately processes the file and updates its activation status. If the manual activation fails or the core can't process the attached activation file, the authorization file you copied is renamed with a .rejected extension and the utility logs an event with more details in the Windows Event Viewer's Application Log.
74
If you install from a mapped drive You must make it a permanent mapping that will reconnect when you reboot. To install additional consoles At the computer you're installing the console files on: 1. Log in to the computer you're installing to with an account that has administrator rights. 2. Map a drive to the LDMAIN share on the core server. 3. From the Install\Console folder, run SETUP.EXE. 4. Complete Setup. This runs the console installation program from the core server. Either accept the default installation folder, or browse for an acceptable location. You should always install additional consoles directly from the core server, rather than using your original LANDesk Management Suite 8 installation source. If you apply any patches to Management Suite that require console updates, those patches will automatically update the console installation files on the core server. On additional consoles attaching to an Oracle database, an entry for the core database needs to be created in the TNSNAMES.ORA. If you don't do this, an Oracle TNS error will occur indicating the connection was not made. You can create these entries with Oracle's Net Configuration Assistant tool. The definition in TNSNAMES.ORA must exactly match the name stored in this registry key on the core server: HKLM\SOFTWARE\LANDesk\ManagementSuite\Core\Connections\local
75
2. Start the console by clicking Start | Programs | LANDesk | Management Suite. 3. Log in and view inventory to confirm that the core server has been scanned into the core database.
76
77
The Rollup Utility checks with a registry key on the core server for database and connection information (HKLM\SOFTWARE\LANDesk\ManagementSuite\Core\Connections\local) and uses that key's information to access the database associated with each core you add to the Rollup Utility. For Oracle databases, the TNS definition on the server you're running the Rollup Utility from must match the TNS definition on the core server the utility is accessing. You can use the rollup utility to select the attributes you want rolled up from the cores. The attribute selections you make apply to all cores. Limiting the number of attributes shortens the rollup time and reduces the amount of data transferred during rollups. If you know you won't be querying on certain attributes, you can remove them. The Rollup Utility always rolls up the selected attribute data and Software License Monitoring data. You can't customize the Software License Monitoring rollup. Rollup also doesn't include any queries or scopes you've defined. Any console users with rights to the rollup database have access to all data within that database. You can use feature-level security to limit access to Web console features. Once you've added the core servers you want to roll up and the attribute list for those servers, you can click Schedule to add a scheduled rollup script for each core server. From a Web console, you can then schedule these rollup scripts to run at the time and interval you want. Rollup scripts are only visible from the Web console and reside on the rollup core. To launch the Rollup Utility 1. On a rollup core, run the Rollup Utility (\Program Files\LANDesk\ManagementSuite\dbrollup.exe). 2. Select an existing rollup core server to manage from the list, or click New to enter the name of a new rollup core. 3. Once you select a rollup core, the Source cores list shows cores you've configured to roll up to the selected rollup core. To configure the attributes that you want to roll up 1. From the Rollup Utility, select the rollup core you want to configure. 2. Click Attributes. 3. By default, all database attributes are rolled up. Move attributes from the Selected Attributes column to the Available Attributes column that you don't want to roll up. 4. Click OK when you're done. Moving attributes to the Available Attributes column deletes associated data from the rollup database. To configure the source core servers for a rollup core 1. From the Rollup Utility, select the rollup core you want to configure. 2. Once you select a rollup core, the Source cores list shows cores you've configured to roll up to the selected rollup core. Click Add to add more cores or select a core and click Delete to remove one. Clicking delete immediately removes the selected core and all of that core's data from the rollup core database.
78
To schedule database rollup jobs from the Web console 1. From the Rollup Utility, select the Rollup core you want to configure. 2. In the Source cores list, select the core you want to schedule for rollup and click Schedule. If you don't select any cores, by default all cores in the list will be scheduled when you click Schedule. Clicking Schedule adds a rollup script for the selected core to the selected rollup core. 3. From a Web console, connect to the rollup core server. 4. In the left navigation pane, click Schedule rollup jobs. 5. Click the rollup script you want to schedule. The script names begin with the source core name followed by the destination rollup core name in parentheses. Click Schedule roll up. 6. Select when you want the roll up to happen and whether it should automatically reschedule or not. Click Continue to next step. 7. Verify the script schedule and click Finish.
data when you click OK. Data from other core servers remains in the rollup database. Schedule: Click to add a rollup script for the selected core. If you don't have a core selected in the Source Cores box, this option creates rollup scripts for all cores in the Source Cores box. Rollup: Click to do an immediate rollup from the selected core. If you don't have a core selected in the Source Cores box, this button rolls up all cores immediately. Close: Click to close the Rollup Utility.
To run CoreDbUtil 1. On the core server, run CoreDbUtil.exe 2. After CoreDbUtil connects to the database, select the option you want. 3. Wait until the Status is finished. Depending on the database size and the task you chose, this could take a few minutes or several hours.
80
81
Obviously, manual configuration is not practical in a large environment where many clients must be configured. In this initial phase of the client deployment, with no agents present on the clients, login script-based configuration is the only option for Windows 95/98 clients. For Windows NT/2000/2003/XP clients, either login scriptbased or push-based configuration will work, but login script-based configuration is often impractical because it requires end users to have administrative rights to their computers. Regardless of the way you're configuring clients, make sure you've used the Client Setup wizard to create the client configuration you want to deploy. Particularly in bandwidth-sensitive environments, you should deploy the most important or most heavily used agents first, then gradually adding the other software as you verify that your system is stable with the new additions.
82
For the initial deployment, we recommend that you first deploy the primary agents: Common Base Agent Enhanced Software Distribution Inventory Scanner Remote Control
To create the primary agent client configuration Click Tools | Client Setup. Double-click the Add client Configuration icon. Enter a Configuration name. Under Components to install, we recommend at a minimum that you click Common Base Agent, Enhanced Software Distribution, Inventory Scanner, and Remote Control. 5. Click Next and proceed through the wizard, customizing the options you selected. Click Help for more information if you have questions about a page. 6. Make the configuration default by selecting that option at the end of the wizard or by clicking your configuration in the Client Setup window, and from its shortcut menu clicking Set as Default. For more information about deploying to clients, see "Understanding the client configuration architecture" at the end of this chapter. 1. 2. 3. 4.
83
84
To change the default Windows XP security model for local accounts 1. On the Windows XP target client, click Start | Control Panel | Administrative Tools | Local Security Policy. 2. Click Local Policies > Security Options. 3. In the right hand pane, double-click Network Access: Sharing and Security Model for local accounts. Select Classic - Local users authenticate as themselves and click OK.
85
Using a service center to deploy Remote Control, Inventory, and CBA to clients
This section includes background information about setting up Client Deployment services and instructions for completing the deployment of Remote Control, Inventory, and CBA. These instructions are organized based on the type of server you're deploying to. These are the categories: Deploying Remote Control, Inventory, and CBA to clients of a Windows NT/2000/2003 server Deploying Remote Control, Inventory, and CBA to clients of a NetWare server
If you'll be using service centers, there are two steps to deploying Remote Control, Inventory, and CBA to clients: 1. Set up a Client Deployment service center. 2. Assign the login scripts created by the Client Deployment service to the users you want to configure with these components.
86
The first recommended client configuration is Remote Control, Inventory, and CBA. Other configurations are created using a Client Deployment service as you progress through this final phase.
87
Deploying Remote Control, Inventory, and CBA to clients of a Windows NT/2000/2003 server
You can deploy Remote Control, Inventory, and CBA to clients of a Windows NT/2000/2003 server by creating a service center. To set up the Client Deployment service on a Windows NT/2000/2003 server PDCs and Windows 2000 Client Deployment service centers If you're installing a Client Deployment service on a Windows 2000 server, you must install to a primary domain controller (PDC) or backup domain controller (BDC). Only the PDC or BDC can run the domain-level login scripts that are created by a Windows 2000 Client Deployment service center. 1. Obtain Administrator rights on the target server. 2. At the console, select the Windows NT/2000/2003 server on which you'll install the Client Deployment service. 3. From the server's shortcut menu, click Service Center. 4. Click Next on the Service Center wizard welcome page. 5. Select the Client Deployment service and click Next. 6. Enter the Core server name and click Next. 7. Select Remote Control, Inventory, and Common Base Agent. Click Next. 8. Specify a directory on this server where you will install Management Suite files. Click Next. 9. Finish the wizard, customizing any options you want. The wizard creates batch files that must be assigned to users before their computers can be configured for manageability. For details, refer to the next section, "Using the Windows NT/2000/2003 login scripts."
Assign the appropriate login script to a user according to the computer's network protocol. Some other scripts are installed to allow backward compatibility with earlier LANDesk products.
88
If the client is running Windows NT/2000/2003/XP Users must have administrator privileges on their computers to install components with a login script. If users don't have administrative rights, consider using the pushbased configuration method. These are the actions that each batch file performs: Determines the name of the client Determines the operating system of the client Downloads the configuration for that operating system to the client(1-2 minutes) Updates the startup procedure for the client to load the components Notifies the user to restart the client
To assign a Windows NT logon script 1. On the domain server, click Start | Programs | Administrative Tools | User Manager. 2. Select the users to be configured for manageability. From the User drop-down list, click Properties. 3. Click Profile. 4. In the Logon Script Name field, type the name of the logon script you want to use (don't include a path), then click OK. To assign a Windows 2000 logon script 1. 2. 3. 4. 5. Open the Windows 2000 MMC Group Policy snap-in. In the console tree, click Scripts. In the Details pane, double-click Logon. Click Add. Type the name of the logon script you want to use, then click OK.
This assigns the batch file to be the user's login script. On next log on, the batch file will: Scan the client into the Inventory database (if Inventory is selected) Configure the client with the LANDesk agents so that you can manage it
To assign a Windows NT/2000/2003 logon script to a user with a preexisting logon script At the client that you want to receive the login script: 1. Open a DOS box and run Edit. 2. Edit the existing login script to include this line: @call ipsetup.bat (for IP environments) When the user authenticates to the Windows NT/2000/2003 server, the assigned login script configures the client for manageability.
89
90
LANDESKIPXGROUP Clients using the IPX/SPX network protocol. LANDesk Management Suite 8 doesn't support this. If you're administering a NetWare network, you can use a single login script to configure all of the clients on the network by adding users to the NetWare LANDESKIPGROUP group. To assign a NetWare login script Use your Novell network administrator tools to populate the LANDESKIPGROUP with the users you want to manage.
When you add a user to this group, on next login the client is: Scanned into the core database (if Inventory is selected) Configured with the LANDesk agents so that you can manage it
The Management Suite login scripts are appended to the system or container login script.
91
Inventory Perform an inventory query. Select a client, then view the inventory data for that client, as well as its configuration files. Configure the software scanning frequency. Modify a client's WIN.INI file, rescan the client, then verify that changes were recorded within the CHANGES.LOG.
CBA In the network view, right-click a client, then click Properties to confirm that CBA installed correctly.
92
93
94
Understanding WSCFG32.EXE
WSCFG32.EXE is LANDesk Software's client configuration utility. It configures Windows 95/98 and Windows NT/2000/2003/XP clients for management in four steps: 1. WSCFG32 determines whether the computer has been previously configured by another LANDesk product, such as older versions of Management Suite. If it has, WSCFG32 removes the older files and reverses any other changes. 2. WSCFG32 looks for a hidden file called CCDRIVER.TXT to decide whether the client needs to be (re)configured. (The decision process WSCFG32 goes through is covered below.) If the client doesn't need to be (re)configured, WSCFG32 exits. 3. If the client does need to be (re)configured, WSCFG32 loads the appropriate initialization file (95STACFG.INI or NTSTACFG.INI) and executes the instructions contained in it. 4. WSCFG32 creates a hidden CCDRIVER.TXT file, both at the root of the C: drive and in the Windows directory. This file indicates that the client has been configured, and the date is stored in the file. WSCFG32 doesn't configure the client with every login. Remember that WSCFG32 often runs from a login script. WSCFG32 will (re)configure the client only when one of the following is true: The CCDRIVER.TXT file exists neither in C:\ nor in the Windows directory. The date stored in CCDRIVER.TXT is older than the Configured On date in NTSTACFG.INI or 95STACFG.INI. A /f (force) command-line parameter was specified.
95
Using the dates as a mechanism for reconfiguration is very convenient. If you set the Configured On parameter to today's date, clients using the Management Suite login scripts will automatically be reconfigured at their next login. The Client Setup wizard sets the Configured On parameter in NTSTACFG.INI or in 95STACFG.INI to today's date when you define a new default configuration. The following command-line parameters are available for WSCFG32.EXE: Parameter /F /I= Description Force execution, ignoring the dates in CCDRIVER.TXT Components to include: CBA (Common Base Agent) RC (Remote Control) INV (Inventory Scanner) DCF (Data Collection Forms) ESD (Enhanced Software Distribution) LS (Local Scheduler) APM (Application Policy Management) TC (Task Completion) AH (Application Healing) MC (Targeted Multicasting) BW (Bandwidth Detection) SWM (Software Monitoring) EMT (Enable Migration Tasks)
Example: WSCFG32.EXE /I=CBA /IP /L or /Log= /LOGON /N or /NOUI /NOREBOOT /NOCERT /P /REBOOT /TCPIP Configure using IP Path to the CFG_YES and CFG_NO log files that log which clients were and were not configured Execute [LOGON] prefixed commands Do not display the user interface Don't reboot client when done Undo the need for digital certificate authentication, the older security method available as an option in earlier Management Suite versions. Ask for user permission to execute Force reboot after running Same as IP (see above)
96
/U /X= /CONFIG=
Remove client agents Components to exclude Example: WSCFG32.EXE /X=SD /C[ONFIG]= Specifies a client configuration file to use in place of the default 95STACFG.INI or NTSTACFG.INI files. For example, if you've created configuration files called NTTEST.INI or 95TEST.INI (depending on the operating system), then use this syntax: WSCFG32.EXE /CONFIG=TEST.INI The custom .INI files should be in the same directory as WSCFG32.EXE and note that the /config parameter uses the filename without the 95 or NT prefix.
/? or /H
CCDRIVER.TXT
CCDRIVER.TXT is a hidden file created by WSCFG32.EXE. WSCFG32 creates it both at the root of the C: drive and in the Windows directory. The file stores the date on which the client was configured. The purpose of CCDRIVER.TXT is to allow the client setup program (WSCFG32) to decide whether the client needs to be (re)configured. This decision is based on whether or not CCDRIVER.TXT exists, and, if it does exist, the date stored in it.
97
98
To learn more about the functionality of these agents before deploying them to clients, see the User's Guide.
99
100
You can configure policies to enable applications to be pulled by clients, based either on client name or logged-in users. You can set required policies to install or reinstall applications automatically whenever a user logs in or whenever the client boots. APM provides policy support for pull-based software distribution. An example might be pulling software programs from a central location. Users can view the packages available for pulling, then download those packages to their individual computer. APM provides limited integration with directory managers, such as Microsofts Active Directory and Novells NDS. In order for clients to receive policies that are targeted through Active Directory or NetWare Directory Services, they have to be configured to log in to the directory. This means that they need to have all the correct client software installed, and they need to actually log in to the correct directory so that their fully distinguished name will match the name that was targeted through Directory Manager and Application Policy Manager. Windows 95/98 clients need to be configured to log in to the domain where the Active Directory resides. Windows NT and Windows 95/98 don't include Active Directory support. You must install Active Directory support on clients that log in to a directory and require Application Policy Management. As of this printing, more information on installing Active Directory client support was available here: http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextensi on.asp
The Application Policy Management Options dialog has a Run APM client periodically option. This option tells the Local Scheduler agent to rerun the task at the interval you select. If you don't select this option, APM will only be scheduled to run once. When you select the Run APM client periodically option, you must also specify a Run every interval to run the task daily, weekly, or monthly. This interval starts the first time the Local Scheduler runs the task. For example, if you select weekly, the first chance Local Scheduler gets, it will run the task. If it runs the task on Tuesday the first time, generally the Scheduler will run the task every Tuesday. To configure in detail when the task will run, use the Time Filter Options dialog. You can set as many as three filters that define when the task will run: Time-of-day filter Day-of-week filter Day-of-month filter
101
These filters further define the Run every interval you specify (daily, weekly, or monthly). For example, if you set the Run every interval to "monthly," then specify a day-of-month filter for the "21st" to the "22nd," the Local Scheduler will run the task once a month, sometime during the period between the 21st and 22nd. You can set one or multiple filters on the Run every interval, but ensure that the filters make sense for the interval you've chosen. For example, if you set the Run every interval to "daily," and then add a time-of-day filter of "8 p.m." to "11 p.m." and a day-of-week filter of "Monday," the task won't run daily, but rather each Monday between the times of 8-11 p.m. If you use a bandwidth filter in the Client Setup: Application Policy Management Options dialog, the bandwidth filter also determines when the Local Scheduler runs the job. Both the time and bandwidth filters must pass for the Local Scheduler to run the task. For example, perhaps you've configured a job to run on Wednesday every week and you've also specified the high-speed network connection bandwidth filter. If a client connects via dialup on Wednesday, the task won't run, even though the time filter criteria were met.
You can specify how often the Local Scheduler checks for sufficient bandwidth to run the specified task. The default is 120 seconds.
102
103
LANDesk Management Suite 8 introduces a new on-demand secure remote control that you can use. This new remote control improves on the prior version in these ways: Remote consoles authenticate with the core server. The remote control agent on a client loads on-demand once a remote control session is authorized by the core. All remote control authentication and traffic is encrypted over an SSL connection. Once a remote control session is over, the remote control agent unloads from the client.
104
For mobile clients disconnected from the network, the Software Monitoring agent continues to record data and caches it in the client's registry. After the client reconnects to the network, the next scan detects which of the cached data is being monitored and sends that data to the core server. The Software License Monitoring window is then updated with the latest license compliance, usage, and denial data for those mobile clients. Software Monitoring requires the Inventory Scanner component.
105
106
107
You can install the Web console, including Web pages and management tools, on a Web server you specify, or on your core server. With the Web console installed, the server then has access to the data in your core database, and any additional core and rollup core databases you configure. The Web console uses the same inventory and remote control agents as the Management Suite console. If you want to restrict access to the Web console tasks, you can set up role-based administration. For more information, see "Setting up role-based administration in the Web console" later in this chapter.
108
Installation requirements
Here are the system requirements for installing and using the Web console.
109
Database drivers are the client components of whatever database you use with your core server. You need to install these drivers on your Web server so that the Web console can access your database. The type of drivers you install, if you install any at all, depends on the type of database you're using. Management Suite 8 supports these databases: Microsoft MSDE 2000 SP3 Microsoft SQL Server 2000 with SP4 Oracle8i (8.1.7) and Oracle9i
See your database application documentation for details about installing the database client drivers. With Management Suite 8, you no longer have to create a DSN to the core and rollup core databases. By default, Setup places the Web console files in the \Intepub\wwwroot\remote folder. Setup also creates these file shares with the necessary permissions on your core server. The Web console and clients require these shares and permissions to work correctly: ldmain: Server applications ("..\ManagementSuite"). The Administrators group must have Full Control. For Windows 2000, the IWAM_<ServerName> user must have Read & Execute, List Folder Contents, and Read. For Windows 2003, the Network Service group must have Read & Execute, List Folder Contents, and Read. ldlog: Logs ("..\ManagementSuite\log"). ldlogon: Client applications ("..\ManagementSuite\ldlogon"). The Administrators group must have Full Control and the Everyone group must have Read Only. scripts: Software distribution scripts ("..\ManagementSuite").
If you're installing the Web console on a server other than the core server, ensure that you're logged in as a domain administrator, and that the domain administrator account is in the core server's LANDesk Management Suite user group. The core and Web console servers must be in the same domain, and any users you want to use the Web console need to be added to the LANDesk Management Suite group on both the core and Web console servers.
110
Don't run the Management Suite 8 Web console on an older core server or console You should use only the version 8 Web console on a Management Suite 8 core server or console computer. Earlier versions of Management Suite will not work. To install the Web console on a server other than the core server 1. On the server that will host your Web console, map a drive to the LDMAIN share on your core server. 2. In the LDMAIN\Install\Web Console folder, double-click Web Console. 3. Select the language you want Setup to install. 4. A Welcome screen for LANDesk Management Suite Setup appears. Click Next to continue. 5. On the License Agreement screen, click Yes to accept and continue. 6. Accept the default destination folder by clicking Next. 7. Select the Web Console feature and any other features you want. 8. If Setup prompts you for your core server name, enter it and click Next. If Setup then prompts you for a username and password, enter credentials with administrative privileges on the core server. 9. Reboot the server when Setup finishes and prompts you to. If you're installing to a Windows 2003 server, IIS disables active server pages by default. You must enable them for the Web console to work correctly. To enable active server pages on Windows 2003 servers 1. Click Start | Administrative Tools | Internet Information Services (IIS) Manager. 2. Under the root tree item, click Web Service Extension. 3. Click Active Server Pages, then click Allow. To verify the installation, open a Web browser, then enter the Web server URL, which by default is: http://webservername/remote The installation was successful if the browser prompts you for login information and, after you enter it, the Web console opens. If you get a permission denied error when you try to access the Web console, make sure Integrated Windows authentication is enabled as the authentication method for the Web console's site. To verify the authentication method 1. In the Internet Information Services manager, from the remote folder's shortcut menu, click Properties. On the Directory Security tab, click Edit in the Anonymous access and authentication control box. Clear the Anonymous access option and check Integrated Windows authentication. 2. Click OK to exit the dialogs.
111
112
server=
113
To add databases to core.asp 1. Locate core.asp on the Web server in the directory where the Web console is installed (by default c:\Inetpub\wwwroot\remote\xml). 2. Open core.asp in a text editor, such as Notepad. 3. Copy the lines of the file (similar to the example above), then paste them under the existing text. Change the lines to reflect the information for the additional database(s). 4. Save the core.asp file as a text file.
114
Reports A user assigned this right can: View and print reports.
115
Remote control A user assigned this right can: Remote control, file transfer, chat, remote execute, and reboot. Wake up/shut down. Use a local console link for LANDesk System Manager (if installed).
Public query management A user assigned this right can: Create, modify, copy, delete, and move queries. This applies to the private and public queries. Without this right, users have access to private queries only.
LANDesk Administrator A user assigned this right has access to all rights, including those mentioned above.
NOTE: When assigning users to the sd_user group, ensure that you also give them access rights to the distribution logs directory ([c:\inetpub\wwwroot]\remote\log by default). When assigning users to the report_user group, ensure that you also give them access rights to the images subdirectory under report ([c:\inetpub\wwwroot]\remote\report\images by default). These groups are based on Windows NT and Windows 2000/2003 groups. By default, they're set up as local groups on the Web server, though you can set them up on the domain controller as global groups.
116
Assigning users
You can only assign domain users to these groups; if you assign users that are local to the Web server, they won't authenticate. Local users can't log in to a remote client (in this case to access the Web console) as a local user on a Web server.
Setting up authentication
To take advantage of feature-level security, you must set up authentication by disabling Anonymous Authentication on the Web server, but leave Windows NT/2000 Security enabled (this is Challenge and Response on Windows NT and Integrated Windows Authentication on Windows 2000). If Anonymous Authentication is left enabled, the Web console will resort back to the database authentication used in previous releases.
To start the indexing service on Windows 2000 1. Click Start | Programs | Administrative Tools | Services. 2. Double-click Indexing Service and click Start. 3. Click OK to exit out of the dialogs.
117
118
In this chapter you'll learn about: Installing OS deployment and profile migration Step 1: Configuring an image server Step 2: Verifying name resolution Step 3: Configuring your network for multicast OS deployment Step 4: Configuring PXE
WARNING: The OS deployment functionality must be used with caution. Operating system deployment involves wiping all existing data off of a computer and installing a new operating system. There is substantial risk of loss of data if the OS deployment function is not performed precisely as described herein or if poorly implemented images are used. Before performing any operating system deployment, all data must be backed-up in such a manner that any lost data may be restored.
119
During the install, you'll be prompted for: Access to a Windows NT 4 Server CD. OS deployment uses Microsoft Windows NT 4 client networking files. A Windows 98 CD. OS deployment uses Microsoft boot and network files on the CD.
Installing OS deployment and profile migration on your core server also updates the additional console install image. You should reinstall your additional consoles so they are also updated. OS deployment and profile migration don't need extra system requirements beyond those already specified for additional consoles. If you installed OS deployment when you installed the core server, you can ignore the installation steps below. To install OS deployment and profile migration on an existing core At the Windows 2000/2003 core server: 1. From your LANDesk Management Suite 8 installation image, double-click autorun.exe. The Autorun feature will display a Welcome screen. 2. Click Install LANDesk Management Suite. 3. Select the language that matches the core you are installing to, then click OK. 4. Click Modify, then click Next. 5. On the Select Features page, leave the existing options checked, and check OS Deployment / Profile Migration. 6. Click Previous Management Suite Database, then click Next. 7. Finish the Setup wizard. 8. Reinstall any additional consoles that you installed before you added OS deployment and profile migration to your core server.
120
Once you've installed OS deployment and profile migration, you need to plan how you'll structure OS imaging and deployments on your network. You also need to decide whether you'll be using OS deployment PXE proxies to facilitate deployments: If you don't use PXE, you can only image computers running a supported Windows OS and the Management Suite agents, specifically the Enhanced Software Distribution agent. OS deployment uses the Enhanced Software Distribution agent to transfer OS deployment files and images to clients. If you use PXE, you can image any computer that supports PXE booting, regardless of what is installed on it. For more information, see "Using PXE services" in the User's Guide.
121
122
123
To manually specify which computers will be multicast domain representatives 1. In the network view, click Configuration > Multicast Domain Representatives. 2. Add domain representatives by dragging the computers you want to be representatives from the network view into this category.
You don't have to use PXE to deploy OS deployment images, but if your clients support PXE, PXE can be the easiest and most flexible way to get images to clients. PXE service files are simply copied to the core server as part of the normal OS deployment installation. To enable PXE services, you must first deploy a PXE representative (or proxy) computer on each segment of your network where you want PXE services available. You need to deploy at least one PXE proxy on your network and at least one additional PXE proxy on each subnet where you want to provide PXE boot services. You set up a PXE proxy by running the PXE Representative Deployment script on the selected computer. This script installs as part of OS deployment, and is available in the Scheduled Tasks window. Each PXE proxy forwards via HTTP any PXE boot requests on its subnet to the core server. The core server then checks to see if there are any pending jobs for that computer. If not, the computer boots normally. You can have multiple PXE proxies on a subnet to help with load balancing. If this is the case, the first PXE proxy to respond to a client's request is the one that will be used to communicate with the core server.
124
There are no special hardware requirements for the computer you select, but it must meet the following software requirements: Operating system: Windows NT 4, Windows 2000/2003, or Windows XP Professional. For Windows NT and 2000, ensure that the Microsoft MSI service is running (XP includes MSI by default). If you've installed the latest service pack for either OS, MSI service should be running. Otherwise, you can deploy it to the target PXE proxy from the console by following these steps: Click Tools | Scheduled Tasks, click the Schedule Script toolbar icon, select the MSI Service Deployment task, click OK, drag the target computer(s) to the window, and click the Set Start Time icon to schedule the MSI service deployment. Installed agents: Enhanced Software Distribution agent and Inventory Scanner agent.
To deploy a PXE proxy 1. In the console, click Tools | Scheduled Tasks, then click the Schedule Script toolbar icon. 2. Select the PXE Representative Deployment script from the list, then click OK. 3. In the console's network view, select the target computer on which you want to install PXE services (in this case the core server). 4. Drag and drop the selected computer to the Machine list in the Scheduled Tasks window. 5. Click the Set Start Time toolbar icon and schedule to run the script now. This script installs the PXE services software on the target computer. If you modify the PXE boot option settings (on the Configure | Services | OS deployment dialog), you need to update a PXE proxy by re-running the PXE Representative Deployment script to apply those changes. This procedure of rerunning the script is not necessary if you simply move PXE proxies from the Available proxies list to the Holding queue proxies list. To update or remove a PXE proxy 1. Click Tools | Scheduled Tasks, then click the Schedule Script toolbar icon. 2. To update a PXE proxy, select the PXE Representative Deployment script from the list, then click OK. Or, to remove a PXE proxy, select the PXE Representative Removal script, then click OK. 3. Drag and drop the target computer(s) to the Scheduled Tasks window and schedule a time for the task to occur (for details, click the Help button or press F1 to view the online help).
125
126
OS deployment phases
After you've created your images and run Sysprep on them, there are three OS deployment phases: 1. Run the OS Deployment/Migration Tasks wizard (select Deploy image) to create a script that defines how OS Deployment will handle that image. 2. Drag the script and the target computers to the Scheduled Tasks window and schedule a time for the deployment to happen. Watch the Custom Job Status window updates for success/failure. 3. Computers running Windows and Management Suite agents will begin the job when scheduled. PXE-enabled computers will begin the job next time they boot. For more information on using OS deployment and profile migration, see the User's Guide.
127
129
130
You can now use Patch Manager in the Management Suite console.
Additional consoles
To use Patch Manager from any of your additional consoles, you must reinstall the additional consoles after installing Patch Manager on a Management Suite 8.1 core server. Once Patch Manager is installed on your core server, any new additional consoles will include Patch Manager functionality. For detailed information on installing additional consoles, refer to "Installing additional consoles" in the Installation and Deployment Guide.
131
Furthermore, if you're running the Web console on a different server than the core server, you must perform the following procedure in order to install required Asset Manager files on the Web console server. This procedure is NOT necessary if your Web console is installed on the core server. To install Asset Manager files on the Web console server 1. From the Web console server, map a drive to the LDMAIN share on the core server. 2. From the Install\WebConsole folder, run SETUP.EXE. 3. Complete Setup. You can now access the Web console and use Asset Manager.
132
133
First you need to create an Afaria client communication schedule. This schedule defines how often the Afaria agent on mobile devices connects to the core server. To configure the client communication schedule 1. Shortcuts to the Afaria components are on your core server desktop. If the Afaria Menu isnt running, double-click the Afaria icon on your desktop. 2. Open the Afaria Channel Administrator. 3. From the tree view, select the LANDeskInv channel. 4. On the Properties page, click Define Schedules. 5. Finish the wizard by entering a schedule name and defining the communication schedule you want. 6. On the Properties page, select the Client Schedule you created. 7. Activate your schedule by clicking File | Unpublish and then File | Publish. 8. Follow the same process for the LANDeskSW channel. You can create a new client schedule or you can use the schedule you created for the LANDeskInv channel. After creating the client schedule, youll need to create a client installation package. This package will be a single-file executable that host computers need to execute to install both the host computer and mobile client software. To create a host computer and mobile client installation package 1. Shortcuts to the Afaria components are on your core server desktop. If the Afaria Menu isnt running, double-click the Afaria icon on your desktop. 2. Click Create Client Installation. 3. Pick the client type you want to configure. Make sure you use the LANDesk Integration channel if it's selectable for the client type you chose. 4. In the wizard, make sure the mobile device will connect with the core server after agent installation. 5. Finish the wizard. Once youve created the client installation package for each mobile device type you will be managing, you need to install the package on the host computer so that computer can install the client software on the mobile device. You can put the client installation package on a share and have users run it manually, or you can use software distribution to distribute the installation package. Mobile devices won't display in Desktop Manager's Network View until they send an inventory scan. Assuming you configured the client installation package to connect immediately after agent installation, you will need to resynchronize your handheld a second time after the Afaria agent installs. For more information on client synchronization issues, see the release notes.
134
The Management Suite agents provide: Bandwidth detection--stops distribution over slow links. Targeted multicasting--low network bandwidth software distribution to multiple computers. On-demand distributions--distribute software immediately.
The Afaria agent provides: Bandwidth throttling--Limits software distribution use of network bandwidth. Client agent scheduling--Clients receive distributions only when the mobile agent connects to the core server.
135
The Inventory Manager installation on a core server contains all LANDesk Management Suite 8 components, but when you activate a core server with an account that is licensed for Inventory Manager, the non-Inventory Manager features aren't applicable or visible in the Management Suite and Web consoles. Because Inventory Manager doesn't include client setup or scheduled tasks, you can only install clients manually or through a login script.
137
138
If you'll be using service centers, there are two steps to deploying client agents: 1. Set up a Client Deployment service center. 2. Assign the login scripts created by the Client Deployment service to the users you want to configure with these components.
Necessary rights for configuring Windows NT/2000/2003/XP clients For users running Windows NT/2000/2003/XP, you must add their domain login name to the local Administrator Group on their own computers. This grants the necessary rights to users so that the Windows NT/2000/2003/XP login scripts will run. You can also use the Client Setup wizard and Scheduled Tasks window to enable Windows NT/2000/2003/XP clients for management. For more information on the Client Setup wizard, see chapter 2 of the User's Guide.
139
Assign the appropriate login script to a user according to the computer's network protocol. Some other scripts are installed to allow backward compatibility with earlier LANDesk products.
140
If the client is running Windows NT/2000/2003/XP Users must have administrator privileges on their computers to install components with a login script. If users don't have administrative rights, consider using the manual configuration method. These are the actions that each batch file performs: Determines the name of the client Determines the operating system of the client Downloads the configuration for that operating system to the client(1-2 minutes) Updates the startup procedure for the client to load the components Notifies the user to restart the client
To assign a Windows NT logon script 1. On the domain server, click Start | Programs | Administrative Tools | User Manager. 2. Select the users to be configured for manageability. From the User drop-down list, click Properties. 3. Click Profile. 4. In the Logon Script Name field, type the name of the logon script you want to use (don't include a path), then click OK. To assign a Windows 2000 logon script 1. 2. 3. 4. 5. Open the Windows 2000 MMC Group Policy snap-in. In the console tree, click Scripts. In the Details pane, double-click Logon. Click Add. Type the name of the logon script you want to use, then click OK.
This assigns the batch file to be the user's login script. On next log on, the batch file will: Scan the client into the Inventory database (if Inventory is selected) Configure the client with the LANDesk agents so that you can manage it
To assign a Windows NT/2000/2003 logon script to a user with a preexisting logon script At the client that you want to receive the login script: 1. Open a DOS box and run Edit. 2. Edit the existing login script to include this line: @call ipsetup.bat (for IP environments) When the user authenticates to the Windows NT/2000/2003 server, the assigned login script configures the client for manageability.
141
142
LANDESKIPXGROUP Clients using the IPX/SPX network protocol. LANDesk Management Suite 8 doesn't support this. If you're administering a NetWare network, you can use a single login script to configure all of the clients on the network by adding users to the NetWare LANDESKIPGROUP group. To assign a NetWare login script Use your Novell network administrator tools to populate the LANDESKIPGROUP with the users you want to manage.
When you add a user to this group, on next login the client is: Scanned into the core database (if Inventory is selected) Configured with the LANDesk agents so that you can manage it
The Management Suite login scripts are appended to the system or container login script.
143
144
145
Supported Mac OS 8 and 9.2.2 agent features: Remote file transfer. Remote program execution. No reliance on Apple System Profiler.
Management Suite 8 adds these features to the Mac OS X agents: Software License Monitoring: Application usage monitoring, license compliance tracking/reporting, and application denial/reporting Remote Control Enhancements: Render rate improvements, client-side icon to terminate session, remote login/out Software Distribution: Macintosh clients can receive Targeted Multicast files Application Policy Management: Macintosh clients can automatically receive software packages (required, recommended, and optional packages) if they match query criteria you set Additional base agent support: Mac OS X agents also support chat, remote reboot, and CBA discovery
146
147
148
149
Changing Mac OS 8 and 9.2.2 agent options via the .INI files
This section only applies if you want to manually customize the agent .INI files. The Macintosh agents are on the core server in the \Program Files\Intel\DTM\LDLogon\Mac directory. The MACINIT.SIT file contains the Inventory and Remote Control agents, and the .INI files that configure these agents. RCMAC.INI: Specifies the client Remote Control settings. INVMAC.INI: Specifies client Inventory settings.
You can customize these files the way you want them before configuring Macintosh clients. If you don't customize them beforehand, the agents will use the defaults. If you want to change the settings in the future, you can distribute these files to clients later via the Scheduler. On the client, these .INI files are in the Preferences folder. If you want to add comments to the .INI files, you can use the semicolon (;) character. The only setting you must configure is the ServerAddress option in INVMAC.INI. The defaults in these files will work otherwise. In the following tables, you can see a list of possible options and the default values.
150
To change inventory preferences on the client 1. From Applications (MacOS9):LANDesk, double-click Inventory Scanner. 2. Change the settings you want. The Macintosh Inventory client can have these options in INVMAC.INI: Option ServerAddress= Description You must specify the core server name or IP address here. This is the server the agent sends scan information to. No scan information goes to the core database unless this server address is correct. Here's an example: ServerAddress=mycoreserver Sends the scan results to the core server. You should leave this enabled. Saves the scan results to a file called "scan" in the directory the agent ran from. Enabled by default, but disabling this option won't cause problems. If enabled, forces the client to do a software scan regardless of whether the core server says one is due. Specifies which software items to scan. Add together these bitfield values that you're interested in: 1 Applications 2 Desk Accessories 4 Drivers 8 Fonts 16 INITS HardwareScanItems=127 Specifies which hardware items to scan. Add together these bitfield values that you're interested in: 1 I/O devices 2 CPU 4 Monitors 8 NuBus/PCI cards 16 SCSI devices 32 Volumes 64 System (network and system info) LastScanTime= ServerGUID= Don't change this option. Value managed by agent. Don't change this option. Value managed by agent.
SendToServer=1 CreateFile=1
ForceScan=0 SoftwareScanItems=31
151
You need to have system key pass-through enabled in the Remote Control Viewer window for the Alt keys to pass their Macintosh mappings. To change Remote Control preferences on the client 1. With the Remote Control Viewer window displayed, press the Command, Option, and P keys simultaneously. 2. Change the settings you want. If you want to change the Remote Control agent preferences on a client via a remote control session, enable system key pass-through and hold down both Alt keys and the P key to display the Preferences dialog. Note that Macintosh remote control doesn't support 1-bit or 2-bit color depths. Unless you want to change the default Remote Control options for security or policy reasons, there aren't any values in RCMAC.INI file that you have to edit.
152
You can set several Remote Control options in the Client Setup wizard. Doing this modifies the RCMAC.INI file. The Macintosh Remote Control agent has these options in RCMAC.INI that you can also manually edit: Option Allow Takeover=1 Allow Reboot=0 Permission Required=0 Permission Box Timeout=12 Visible Signal=0 Description If enabled, allows others to remote control the client. If enabled, allows others to remotely reboot the client. If this option is disabled, it doesn't prevent an administrator from remote controlling a client and selecting Restart from the Finder's Special menu. If enabled, displays an Accept/Reject dialog on the client that the client must accept before remote control begins. If Permission Required is enabled, this specifies how long before the Permission Required dialog times out and disappears. If the dialog times out, that denies remote control permission. This option isn't configurable via the Remote Control agent interface. If enabled, briefly displays a message box on the client for three seconds indicating that it's being remote controlled.
Allow Remote If enabled, allows administrators to remotely execute programs on the client Execute=1 computer. This feature must be enabled for auto-update to work. Allow File Transfer=1 Scan Lines Per Second=4 If enabled, allows administrators to transfer files to the computer. This feature must be enabled for auto-update to work. Don't change this option. This option isn't configurable via the Remote Control agent interface.
153
The Linux/UNIX inventory scanner provides scanning for hardware and software. The scanner will find these attributes of a Linux/UNIX computer: Environment variables Memory Network OS type/kernel version Processor Bound adapters Mounted devices Software
System requirements
Linux runs on a variety of architectures, but the Linux inventory scanner will only run on Intel architecture. TCP is the only supported protocol for the inventory scanner. Supported Linux and UNIX distributions: Red Hat Linux 7.3, 8.0, and 9.0 IBM AIX 5.1 Intel Architecture Solaris 8 Sun Sparc (Solaris 8) HP-UX 11.0
aix: IBM AIX 5.1 common: Common man and configuration files used by all supported distributions hpux: HP-UX 11.0 linux: RedHat Linux 7.3, 8.0, and 9.0 solia: Intel Architecture Solaris 8 solsparc: Sun Sparc Solaris 8
To install the inventory scanner on Linux/UNIX 1. Copy ldiscnux.conf and ldappl.conf to /etc. Give ldiscnux.conf read/write access for users. Give ldappl.conf read access for users. Use the UNIX chmod command to assign rights to the files. 2. Edit ldappl.conf to customize the software scanning if desired. See the sample entries in ldappl.conf for more information. 3. Copy ldiscnux.8 to /usr/man/man8. 4. Copy ldiscnux to a directory that is accessible by the individuals who will be running the application. Usually this is /usr/sbin. 5. If needed, make ldiscnux executable using the chmod command.
155
Examples
To output data to a text file, type: ldiscnux -o=data.out -v To send data to the core server, type: ldiscnux -ntt=ServerIPName -v
All users who run the scanner need read and write attributes for this file. The unique ID in /etc/ldiscnux.conf is a unique number assigned to a computer the first time the inventory scanner runs. This number is used to identify the computer. If it ever changes, the core server will treat it as a different computer, which could result in a duplicate entry in the database. Warning: Do not change the unique ID number or remove the ldiscnux.conf file after it has been created. /etc/ldappl.conf This file is where you customize the list of executables that the inventory scanner will report when running a software scan. The file includes some examples, and you'll need to add entries for software packages that you use. The search criteria are based on filename and file size. Though this file will typically reside in /etc, the scanner can use an alternative file by using the -i= command-line parameter. ldiscnux.8 Man page for ldiscnux.
156
Miscellaneous issues
Queries on "System Uptime" sort alphabetically, returning unexpected results If you want to do a query to find out how many computers have been running longer than a certain number of days (for example, 10 days), query on "System Start" rather than "System Uptime." Queries on System Uptime may return unexpected results, because the system uptime is simply a string formatted as "x days, y hours, z minutes, and j seconds." Sorting is done alphabetically and not on time intervals. Path to config files referenced in ldappl.conf doesn't appear in console ConfFile entries in ldappl.conf file need to include a path.
157
159
To uninstall agents from clients on a Windows 2000/2003 network In the batch file you originally used as the login script to configure the client, change the /IP parameter in WSCFG32.EXE to /u. For more information, see "Phase 4: Deploying the primary agents to clients" earlier in this guide.
160
161
To uninstall the Remote Control Viewer from client computers 1. Shut down all instances of your browser. 2. Click Start | Settings | Control Panel, then double-click Add/Remove Programs. 3. Click Remote Control Viewer, then click Add/Remove. 4. Click Yes to remove the application. 5. Click OK when the uninstall is completed.
162
Appendix A: Troubleshooting
You can reach LANDesk Software's online support services on the Web (available in English only). The services contain the most up-to-date information about LANDesk Software products. You can also find installation notes, troubleshooting tips, software updates, and customer support information. Visit the Web site below, then access the Management Suite page: http://www.landesk.com/support/index.php You can also download the latest versions of the Management Suite Release Notes and documentation, which may include information that wasn't available at the time the product was shipped. If you can't resolve your issue using this guide or by consulting the LANDesk Software support Web site, LANDesk Software offers a range of paid support, consulting, and partner services. For more information, see the customer support page at: http://www.landesk.com/wheretobuy/ Before calling for customer support issues, have this information ready: Your name, the name of your company, and the version of Management Suite you're using. The network operating system you're using (name and version). Any patches or service packs you've installed. Detailed steps to reproduce the problem. Steps you've already taken to troubleshoot the problem. Any information unique to your system that may help the Customer Support engineer understand the problem, such as what kind of database application you're using, the brand of video card you've installed, or the make and model of the computer you're using.
163