Deploy 81
Content
LANDesk Management Suite 8
®
Installation and Deployment Guide
This document contains information, which is the proprietary property of LANDesk Software, Ltd. and its affiliates. This document is received in confidence and its contents cannot be disclosed or copied without the prior written consent of LANDesk Software Ltd., and its affiliated companies ("LANDesk"). Nothing in this document constitutes a guaranty, warranty, or license, express or implied. LANDesk disclaims all liability for all such guaranties, warranties, and licenses, including but not limited to: Fitness for a particular purpose; merchantability; non infringement of intellectual property or other rights of any third party or of LANDesk; indemnity; and all others. LANDesk products are not intended for use in medical, life saving, or life sustaining applications. The reader is advised that third parties can have intellectual property rights that can be relevant to this document and the technologies discussed herein, and is advised to seek the advice of competent legal counsel, without obligation of LANDesk. LANDesk retains the right to make changes to this document or related product specifications and descriptions at any time, without notice. LANDesk makes no warranty for the use of this document and assume no responsibility for any errors that can appear in the document nor does it make a commitment to update the information contained herein. Copyright © 2004, LANDesk Software Ltd., or its affiliated companies. All rights reserved. LANDesk is either a registered trademark or trademark of LANDesk Software, Ltd. or its controlled subsidiaries in the United States and/or other countries. *Other brands and names are the property of their respective owners
Contents
LANDesk® Management Suite overview ............................................................ 9 What's new in LANDesk Management Suite 8.................................................10 Management Suite basics............................................................................12 How does Management Suite fit into my network?........................................12 Important concepts..................................................................................12 Management Suite terms ..........................................................................12 Installation and deployment strategies..........................................................13 Rapid versus phased deployment ...............................................................13 Overview of installation and deployment .......................................................14 Rapid deployment strategy .............................................................................17 Overview of rapid deployment .....................................................................18 Step 1: Design your domain ........................................................................19 Estimate the number of clients ..................................................................19 Select the core server ..............................................................................19 Select the console computer .....................................................................20 Plan the placement of program files ...........................................................20 Step 2: Prepare your database ....................................................................21 Step 3: Install the core server and console ....................................................22 About the Core Server Activation utility ......................................................23 Verifying a successful installation ...............................................................24 Step 4: Deploy Management Suite ...............................................................25 Deploying to servers ................................................................................25 Deploying to clients .................................................................................26 Congratulations! ........................................................................................28 Phase 1: Designing your management domain ..................................................29 Gathering network information ....................................................................30 Determining number of sites .....................................................................30 Estimating number of clients at each location ..............................................30 Selecting your core server and consoles......................................................31 Planning placement of program files ...........................................................31 Selecting a database ................................................................................31 Selecting service centers ..........................................................................32 Determining number of management domains .............................................32
iii
TABLE OF CONTENTS
Planning your security and organization model...............................................33 Planning your core server structure ............................................................33 Planning a scope .....................................................................................33 Using a rollup core database .....................................................................35 Selecting components to implement ...........................................................36 Functionality available by client OS ............................................................38 Compatibility with previous versions of Management Suite ............................39 System requirements .................................................................................40 Core and database servers........................................................................40 Supported router configurations...................................................................44 Upgrading to LANDesk Management Suite 8 ..................................................46 Before you begin .....................................................................................46 Upgrade tools .........................................................................................47 Upgrade methods ....................................................................................48 Upgrade procedures.................................................................................48 Understanding component upgrade/migration..............................................53 Migration at a glance................................................................................56 Phase 2: Preparing your databases ..................................................................59 Before you begin .......................................................................................60 Microsoft SQL Server 2000 configuration .......................................................61 SQL maintenance ....................................................................................61 Oracle database configuration......................................................................63 Oracle performance tuning suggestions and scripts.......................................63 LANDesk Software support and DBMS issues .................................................65 Phase 3: Installing the core, console, and rollup core .........................................67 Selecting components to install....................................................................68 Installing the core server and console ...........................................................69 Activating the core server ...........................................................................71 About the Core Server Activation utility ......................................................72 Logging in to the console ..........................................................................74 Installing additional consoles .......................................................................75 Setting additional console permissions........................................................76 Verifying a successful installation ...............................................................76 Managing databases after installation ...........................................................77 Installing a rollup core..............................................................................77 Using the database Rollup Utility................................................................77
iv
TABLE OF CONTENTS
Increasing the rollup database timeout .......................................................79 Running CoreDbUtil to reset, rebuild, or update a database ...........................80 Phase 4: Deploying the primary agents to clients...............................................81 The phased deployment strategy .................................................................82 Checklist for configuring clients....................................................................82 Deploying to Windows NT/2000/2003/XP clients.............................................84 Deploying to Windows XP clients using local accounts ...................................84 Upgrading clients that use older Management Suite agents............................85 Using a service center to deploy Remote Control, Inventory, and CBA to clients..86 Setting up a Client Deployment service center .............................................86 Deploying Remote Control, Inventory, and CBA to clients of a Windows NT/2000/2003 server...............................................................................88 Deploying Remote Control, Inventory, and CBA to clients of a NetWare server .90 Deploying clients from the command line ......................................................93 Deploying to clients using Enhanced Software Distribution packages .................94 Understanding the client configuration architecture.........................................95 Configuring Windows clients......................................................................95 Understanding WSCFG32.EXE....................................................................95 Reversing the client configuration process .....................................................98 Phase 5: Deploying other agents to clients .......................................................99 Creating a client setup configuration........................................................... 100 Deploying Application Healing.................................................................. 100 Deploying Application Policy Management ................................................. 100 Deploying Bandwidth Detection ............................................................... 102 Deploying the Common Base Agent.......................................................... 102 Deploying Custom Data Forms................................................................. 103 Enabling Migration Tasks ........................................................................ 103 Deploying Enhanced Software Distribution ................................................ 103 Deploying the Inventory Scanner ............................................................. 103 Deploying the Local Scheduler ................................................................. 104 Deploying Remote Control ...................................................................... 104 Deploying Software Monitoring ................................................................ 105 Deploying Targeted Multicast................................................................... 105 Deploying Task Completion ..................................................................... 106
v
TABLE OF CONTENTS
Chapter 6: Installing the Web console ............................................................ 107 Extending network management to the Web................................................ 108 Installation requirements .......................................................................... 109 Management Suite requirements ............................................................. 109 Web server requirements........................................................................ 109 Computer requirements for accessing the Web console ............................... 109 Installing the Web console ........................................................................ 110 Accessing multiple databases .................................................................... 112 Configuring domain-level software distribution and Windows 2003 servers..... 112 Configuring the Web console for multiple cores .......................................... 113 Setting up Web console security ................................................................ 115 Setting up role-based administration in the Web console ............................. 115 Setting up feature-level security for rollup core databases ........................... 116 Changing the default IIS session timeout .................................................. 117 Setting up the indexing service................................................................ 117 Configuring rights for the Web console...................................................... 118 Changing the Web console location .......................................................... 118 Chapter 7: Installing OS deployment and profile migration................................ 119 Installing OS deployment and profile migration ............................................ 120 Configuring your OS deployment and profile migration environment................ 122 Step 1: Configuring an image server ........................................................ 122 Step 2: Verifying name resolution ............................................................ 123 Step 3: Configuring your network for Multicast OS deployment .................... 123 Step 4: Configuring PXE ......................................................................... 124 OS deployment phases ............................................................................. 127 Chapter 8: Installing add-ons ....................................................................... 129 Activating Management Suite 8 add-on products .......................................... 130 Installing LANDesk Patch Manager 8 ........................................................... 131 Installing LANDesk Asset Manager 8 ........................................................... 132 Installing LANDesk Handheld Manager 8 ..................................................... 133 Installing Handheld Manager ................................................................... 133 Deploying to host computers and their mobile devices ................................ 133 Using Afaria with 32-bit Windows clients ................................................... 134 How Handheld Manager works................................................................. 135 Viewing mobile inventory information ....................................................... 135
vi
TABLE OF CONTENTS
Chapter 9: Installing LANDesk Inventory Manager ........................................... 137 Installing clients manually......................................................................... 138 Installing clients using a service center ....................................................... 139 Setting up a Client Deployment service center ........................................... 139 Deploying to clients of a Windows NT/2000/2003 server ............................. 140 Deploying to clients of a NetWare server ................................................... 142 Deploying clients from the command line .................................................... 144 Chapter 10: Deploying to Macintosh, Linux, and UNIX clients ............................ 145 Deploying to Macintosh clients ................................................................... 146 Deploying the Mac OS X agents ................................................................. 147 Locking Macintosh client options .............................................................. 147 Updating the Mac OS X agents ................................................................ 147 Uninstalling the Mac OS X agents............................................................. 148 Deploying the Mac OS 8 and 9.2.2 agents ................................................... 149 Updating Mac OS 8 and 9.2.2 agents........................................................ 150 Changing Mac OS 8 and 9.2.2 agent options via the .INI files....................... 150 Deploying to Linux and UNIX clients ........................................................... 154 System requirements ............................................................................. 154 Installing the Linux/UNIX agents.............................................................. 154 Linux/UNIX inventory scanner command-line parameters ............................ 155 Linux/UNIX inventory scanner files........................................................... 156 Web console/Management Suite console integration ................................... 157 Miscellaneous issues .............................................................................. 157 Chapter 11: Uninstalling LANDesk Management Suite....................................... 159 Uninstalling Management Suite .................................................................. 160 Uninstalling LANDesk agents from clients .................................................. 160 Uninstalling the service centers ............................................................... 160 Uninstalling the consoles ........................................................................ 161 Uninstalling the core server..................................................................... 161 Uninstalling the Web console ................................................................... 161 Appendix A: Troubleshooting ........................................................................ 163
vii
TABLE OF CONTENTS
viii
LANDesk® Management Suite overview
This guide walks you through the process of installing and deploying one of the most comprehensive network management tools available LANDesk® Management Suite 8. Here's what you'll learn about in this overview: • • • • What's new in this release Management Suite basics (includes Management Suite terms) Installation and deployment strategies Overview of installation and deployment
9
INSTALLATION AND DEPLOYMENT GUIDE
What's new in LANDesk Management Suite 8
These are the primary new and improved features in Management Suite 8: • • Improved database: New single database schema with improved data integrity and scalability. Role-based administration: Add Management Suite users and configure their access to Management Suite tools and network devices based on their administrative role in your network. With role-based administration, you assign scope to determine the devices a user can view and manage, and rights to determine the tasks they can perform. Enhanced Software Distribution improvements: Enhancements include byte-level checkpoint restart for interrupted downloads, peer download, dynamic bandwidth throttling that limits distribution bandwidth when clients need network bandwidth, and multi-file MSI multicast package support. New Unmanaged Device Discovery feature: Discover unknown and unmanaged devices on your network though a directory service, domain discovery, or layer 3 ping sweep. Alerts notify you of newly discovered devices. Schedule device discovery so you can constantly be aware of new devices. Enhanced client security: Certificate-based model allows clients to only communicate with authorized core servers and consoles. New on-demand remote control: Optional and highly secure on-demand remote control model only loads the remote control agent on clients for the duration of an authorized remote control. New reports: Over 50 new predefined Management Suite service reports for planning and strategic analysis. New console interface: New console with dockable windows, network view, custom layouts, and more. Additional Macintosh computer feature support: Targeted Multicast, Application Policy Management, and Software License Monitoring for Mac OS 10.2 clients.
•
•
• • • • •
LANDesk Management Suite 8.1 adds these enhancements: • • • • Enhanced inventory: Launch an immediate inventory scan on a client by right-clicking the client and clicking Inventory. Also, the inventory scanner now collects the operating system language on clients. Improved software distribution: Software distribution now works better through firewalls, and you can now disable task completion on software distribution jobs, so if the job fails it isn't automatically retried. Improved Web console: Generate basic client configuration packages and use software license monitoring from the Web. Enhanced application policy management reliability: Whenever a client checks with the core server for tasks or policies, the core server updates that client's IP address in the core database, avoiding problems with outdated IP addresses that may be part of an old inventory scan. Improved scheduled task support: Provide multiple logins for the scheduler service to authenticate with when running tasks on clients that don't have Management Suite agents. This is especially useful for managing clients in multiple Windows domains.
•
10
LANDESK® MANAGEMENT SUITE OVERVIEW
• •
•
•
•
New custom local scheduler tasks: Use the Management Suite local scheduler on clients to remotely schedule a recurring task. Enhanced remote control: Store detailed remote control logs in the database. Log information includes who initiated the remote control session and the remote control tasks (file transfers, chat, and so on) they did on the client. Also, remote control sessions now pass 3rd mouse button/wheel movement to clients. Enhanced unmanaged device discovery: Generate reports on the unmanaged devices on your network. For more flexibility, you can now use an Unmanaged Device Discovery task to rediscover managed clients. This is useful if you've reset your database. New LANDesk Asset Manager 8 Add-on: Manage physical assets and perform inventory audits. Track business contracts, invoices, and projects information. Configure data entry forms, enter items into the database with those forms, and collect and analyze that data with custom asset reports. Improved Patch Manager 8 Add-on: Create user-defined vulnerabilities so you can detect problems before a patch is available. Now you can scan for vulnerabilities on Mac OS* X 10.2.x and 10.3.x clients.
11
INSTALLATION AND DEPLOYMENT GUIDE
Management Suite basics
Management Suite supports NetWare* servers and Windows* 2000/2003 servers, and it provides a common interface for managing the clients of these network operating systems. On the client side, Management Suite supports to varying degrees Windows NT/2000/2003/XP, Windows 95/98, Macintosh*, UNIX*, and Linux* clients.
How does Management Suite fit into my network?
Management Suite uses the infrastructure of your existing network to establish connections with the devices it manages. With Management Suite, the job of managing your existing network is greatly simplified, whether you manage a small network or a large enterprise environment.
Important concepts
The most important concept that you need to understand before installing and deploying the software is the Management Suite management domain. Each management domain consists of a core server and the clients that core server manages. Depending on the server speed, each core server can manage up to 10,000 clients. You can have multiple core servers on your network. You can view the data from multiple core servers by using the Management Suite Web console to view a rollup core server, which gathers data from individual core servers you configure.
Management Suite terms
• • • • • • Core server: The center of a management domain. All the key files and services for Management Suite are on the core server. A management domain has only one core server. Console: The main LANDesk Management Suite interface. Web console: The browser-based Management Suite console that offers a subset of the features available in the main console. Core database: Management Suite requires one database for each core server, and if you have multiple core servers, you can use a core rollup database that summarizes data from the core servers. Core rollup database: A database that is optimized for querying. Core rollup databases summarize data from multiple core servers. Only the Web console can access the core rollup database. Clients: Desktop computers, servers, laptops, or handheld devices, in your network that have LANDesk agents installed. A core server can manage as many as 10,000 clients. Larger environments require multiple core servers.
12
LANDESK® MANAGEMENT SUITE OVERVIEW
Installation and deployment strategies
Installing and deploying a system-wide application like Management Suite to a heterogeneous network requires a deliberate methodology and significant planning before you run the setup program. This guide includes two strategies for setting up Management Suite: • • Rapid deployment Phased deployment
Before choosing a deployment strategy, you need to briefly characterize your management needs.
Rapid versus phased deployment
Deployment is the process of expanding your management capabilities to clients that you want to include in the domain. Deployment is simplified when you load agents and services on clients and servers so that you can manage them from a central location. The rapid deployment strategy assumes that the default settings and database used during install are sufficient for your management needs. The phased deployment strategy offers you a more structured approach to enabling management on servers and clients. This approach is based on two simple principles: • • First, deploy those Management Suite components that have the least impact on your existing network and progress to those components that have the most impact. Second, deploy Management Suite in well-planned stages, rather than deploying all services at once, which may complicate any required troubleshooting. Phased deployment Uses custom settings. Installs on networks with any number of clients.
Rapid deployment Uses the default settings and database. Installs on networks with 1,000 clients or fewer.
Installs to a test lab so that you can evaluate Installs to a complex network that has multiple the product before a wide-scale deployment locations with WAN connections. to your production network. If you meet any of the rapid deployment criteria, refer to the next chapter, "Rapid deployment strategy. " If you meet any of the phased deployment criteria, refer to "Phase 1: Designing your management domain" later in this guide. You should then continue sequentially through each phase.
13
INSTALLATION AND DEPLOYMENT GUIDE
Overview of installation and deployment
This guide groups installation and deployment tasks into the following phases. Each phase has a corresponding section in this guide that walks you through that part of the installation. If you're using the rapid deployment strategy, you'll complete these tasks in the same order, but you won't need to plan or prepare as thoroughly as you would if you were following the phased deployment strategy.
Phase 1 summary
During phase 1 of the installation, you design your management domain by completing these tasks: • • Gather network information Confirm that your network meets system requirements
For details, refer to "Phase 1: Designing your management domain" later in this guide.
Phase 2 summary
During phase 2 of the installation, you prepare your databases by completing these tasks: • • Install and configure your databases Conduct basic database maintenance
For details, refer to "Phase 2: Preparing your databases" later in this guide.
Phase 3 summary
During phase 3, you install Management Suite by completing these tasks: • • • • Install the core server Install additional management consoles Configure a rollup core server (optional) Maintain the database
For details, refer to "Phase 3: Installing the core, console, and rollup core" later in this guide.
14
LANDESK® MANAGEMENT SUITE OVERVIEW
Phase 4 summary
During phase 4 of the installation, you deploy the basic Management Suite agents by completing these tasks: • • • Deploy Remote Control and Inventory to servers Deploy Remote Control, Inventory, and CBA to clients Deploy clients from the command line
For details, refer to "Phase 4: Deploying the primary agents to clients" later in this guide.
Phase 5 summary
During phase 5 of the installation, you complete the task of deploying the remaining Management Suite agents: • • • • • • • • • • • • • Application Healing Application Policy Management Bandwidth Detection Common Base Agent Custom Data Forms Enable Migration Tasks Enhanced Software Distribution Inventory Scanner Local Scheduler Remote Control Software Monitoring Targeted Multicasting Task Completion
For details, refer to "Phase 5: Deploying other agents to clients" later in this guide.
15
Rapid deployment strategy
Rapid deployment is the fastest method for setting up LANDesk Management Suite. It assumes that the domain you're setting up consists of 1,000 clients or fewer, or that you're setting up a test network to evaluate Management Suite before launching a full-scale rollout. If you need to manage more than 1,000 clients or you don't want to first set up a test network, go directly to "Phase 1: Designing your management domain" later in this guide.
17
INSTALLATION AND DEPLOYMENT GUIDE
Overview of rapid deployment
The rapid deployment strategy follows the same sequence prescribed in the phased approach. The difference is that you'll accept Management Suite's default settings rather than create customized databases and configurations. There are four major steps in rapid deployment: • • • • Step Step Step Step 1: 2: 3: 4: Design your management domain Prepare your database Install the core server and console Deploy Management Suite
Use the step-by-step instructions on the following pages to complete the rapid installation and deployment of Management Suite.
18
RAPID DEPLOYMENT STRATEGY
Step 1: Design your domain
There are four tasks necessary to design your domain in preparation for rapid deployment: • • • • Estimate the number of clients Select the core server Select the console computer Plan the placement of program files
Estimate the number of clients
A client is any computer that has LANDesk agents installed on it. Though this includes all servers with agents installed, the majority of clients in a domain are typically desktop computers, laptops, and handheld devices. By choosing rapid deployment, you've already indicated that you'll support 1,000 nodes or fewer.
Select the core server
The core server is the center of a management domain. All of the key Management Suite files and services are contained on the core server. A management domain can have only one core server.
Core server system requirements
As you consider which server you'll set up as your core server, review these system requirements and confirm that your server meets or exceeds them: • • • • • • • • Windows 2000 Server or Advanced Server with SP 4, or Windows Server 2003 Standard or Enterprise edition 500 MB of free disk space Intel Pentium III* processor minimum; Pentium 4 processor recommended 256 MB of RAM minimum An account with administrator rights Windows NTFS file system Microsoft Internet Explorer 5.5 or 6.x SCSI disk(s) recommended
19
INSTALLATION AND DEPLOYMENT GUIDE
A dedicated core server is strongly recommended Because of the traffic that must pass through the core server to manage your domain, we strongly recommend that each core server, database server, or service center is dedicated to hosting Management Suite. If you install other products on the same server, you may experience short- and long-term resource issues. Don't install the core server components on a primary domain controller, backup domain controller, or active directory controller.
Select the console computer
The console computer runs the main UI where you conduct management activities such as taking remote control of a client, monitoring the core database, or scheduling a software package distribution. The default settings install a console to the core server. You can install the console to a separate computer if you don't want to manage your domain from the core server. Management Suite 6.6 and later have replaced the old Access* default database with the Microsoft SQL* Server Data Engine 2000 (MSDE) database. The new MSDE database can handle more clients and doesn't have many of the performance limitations the Access database had. You'll likely see performance issues with MSDE when the database has more than five concurrent things to do. You should limit the number of consoles that will use the database simultaneously when using MSDE.
Console system requirements
If you plan to install a Management Suite console on a separate computer, review these system requirements and confirm that it meets these criteria: • • • • • Windows 2000 Professional or Advanced Server with SP 4, or Windows XP Professional with SP 1 Pentium III processor minimum; Pentium 4 processor recommended 256 MB of RAM 180 MB of free disk space Microsoft Internet Explorer 5.5 or 6.x
Plan the placement of program files
During installation, you can specify where you want to install the Management Suite program files. You should accept the default destination directory unless you have a compelling reason (such as insufficient disk space) to change them. The default directory is: C:\Program Files\LANDesk\ManagementSuite
20
RAPID DEPLOYMENT STRATEGY
Step 2: Prepare your database
Management Suite requires a database to store general management information. You need a database management system (DBMS) to interact with this database. For rapid deployment, use the default DBMS, Microsoft MSDE. MSDE is set up and configured for you if you accept the default data source during Management Suite installation. The only preparation necessary is to confirm that your core server meets the system requirements necessary to run the databases.
21
INSTALLATION AND DEPLOYMENT GUIDE
Step 3: Install the core server and console
This step focuses on installing the core components of Management Suite. The core server is the center of a management domain. It contains all the key files and, in the case of a rapid deployment, the databases required for Management Suite. If you've reviewed the pre-installation considerations, you're ready to install the core server. To install the core server and console At the computer you've selected to be your core server and console: 1. Insert the LANDesk Management Suite CD into the CD-ROM drive or run AUTORUN.EXE from your installation image. The Autorun feature will display a Welcome screen. 2. Click Verify Core System Requirements to run the system requirements checker. Make sure all requirements pass. 3. Click Install LANDesk Management Suite to run the Setup program. 4. Select the language you want Setup to install. 5. A Welcome screen for LANDesk Management Suite Setup appears. Click Next to continue. 6. On the License Agreement screen, if you agree click I accept the terms in the license agreement to continue. 7. Accept the default destination folder by clicking Next. 8. Select the components you want and click Next to continue. For most core servers we recommend all components except the Rollup core, which must be installed on a different server. 9. Select the database you want to use, either a new MSDE database, a usersupplied database that you've already configured, or a previous existing Management Suite database. 10. On the Management Database: MSDE settings page, enter an MSDE database password. Remember this password or write it down. You'll need it later. Click Next to continue. 11. If you selected OS Deployment & Profile Migration, click next on the Windows 98 and Windows NT 4 CD prompts. You'll need to browse to the directory the browse dialog prompts you for. 12. Enter an organization and certificate name for the core server's security certificate. This information helps name and describe the certificate. Click Next. 13. On the Ready to Install the Program page, click Install. Management Suite will start installing. 14. The Installation Wizard Complete dialog appears when Setup is done. 15. If you want to import settings from a previous version of Management Suite, select that option to launch the migration process when you click Finish. 16. Click Finish. 17. Setup will prompt you to restart the server. You must click Yes to finish Setup. When the server restarts, you'll notice after you log in that Setup will run for a few more minutes while it finishes the installation. Setup won't prompt you for any more information during the first reboot.
22
RAPID DEPLOYMENT STRATEGY
About the Core Server Activation utility
Use the Core Server Activation utility to: • • • Activate a new server for the first time Update an existing core server or switch from a trial-use license to a full-use license Activate a new server with a 45-day trial-use license
Start the utility by clicking Start | All Programs | LANDesk | Core Server Activation. If your core server doesn't have an Internet connection, see "Manually activating a core or verifying the node count data" later in this section. Each core server must have a unique authorized certificate. Multiple core servers can't share the same authorization certificate, though they can verify node counts to the same LANDesk account. Periodically, the core server generates node count verification information in the "\Program Files\LANDesk\Authorization Files\LANDesk.usage" file. This file gets sent periodically to the LANDesk Software licensing server. This file is in XML format and is digitally signed and encrypted. Any changes manually made to this file will invalidate the contents and the next usage report to the LANDesk Software licensing server. The core communicates with the LANDesk Software licensing server via HTTP. If you use a proxy server, click the utility's Proxy tab and enter your proxy information. If your core has an Internet connection, communication with the license server is automatic and won't require any intervention by you. Note that the Core Server Activation utility won't automatically launch a dial-up Internet connection, but if you launch the dial-up connection manually and run the activation utility, the utility can use the dial-up connection to report usage data. If your core server doesn't have an Internet connection, you can verify and send the node count manually, as described later in this section. For more information on the Core Server Activation utility, see "Activating the core server" in Phase 3.
Activating a server with a LANDesk Software account
Before you can activate a new server with a full-use license, you must have an account set up with LANDesk Software that licenses you for the LANDesk Software products and number of nodes you purchased. You will need the account information (contact name and password) to activate your server. If you don't have this information, contact your LANDesk Software sales representative. To activate a server 1. Click Start | All Programs | LANDesk | Core Server Activation. 2. Click Activate this core server using your LANDesk contact name and password. 3. Enter the Contact name and Password you want the core to use. 4. Click Activate.
23
INSTALLATION AND DEPLOYMENT GUIDE
Activating a server with a trial-use license
The 45-day trial-use license activates your server with the LANDesk Software licensing server. Once the 45-day evaluation period expires, you won't be able to log in to the core server, and it will stop accepting inventory scans, but you won't lose any existing data in the software or database. During or after the 45-day trial use license, you can rerun the Core Server Activation utility and switch to a full activation that uses a LANDesk Software account. If the trial-use license has expired, switching to a full-use license will reactivate the core. To activate a 45-day evaluation 1. Click Start | All Programs | LANDesk | Core Server Activation. 2. Click Activate this core for a 45-day evaluation. 3. Click Evaluate.
Verifying a successful installation
With the installation of the core server and console complete, you can now use the console component of Management Suite. To verify successful installation 1. Click Start | Settings | Administrative Tools | Services, then confirm that these services have started on the core server: • • • • • • • • • • • Intel Alert Handler Intel Alert Originator Intel PDS Intel QIP Server Service Intel Scheduler LANDesk Device Monitor LANDesk Activation Service LANDesk Management Agent LANDesk Usage Service LANDesk Inventory Server LANDesk Management Agent
2. Start the console by clicking Start | Programs | LANDesk | LANDesk Management Suite 8. 3. You'll be prompted to log in to the console. Log in with the Windows user credentials you used when installing the core server. 4. Once the console starts, you're asked to supply license information. If you're evaluating LANDesk Management Suite 8, you can use a 45-day evaluation license for 100 clients and one server. Otherwise, click Add to add your license information. 5. In the network view, click Devices > All Devices, select the core server, and from its shortcut menu click Inventory. Confirm that the core server has been scanned into the core database.
24
RAPID DEPLOYMENT STRATEGY
Step 4: Deploy Management Suite
With the core server and console installations complete, you're ready to deploy Management Suite to your management domain. To do so, you'll need to complete these tasks: • • Deploy to servers Deploy to clients
Deploying to servers
There are three parts to a rapid server deployment: • • • Creating a default remote control and inventory client setup configuration Installing Remote Control and Inventory on servers Deploying to clients
Note that when you deploy Management Suite agents to servers, you use a server license. Server and client licenses for Management Suite are sold separately. For more information on purchasing licenses, see http://www.landesk.com/contactus/.
Creating a remote control and inventory client setup configuration for servers
The default client setup configuration Management Suite installs with includes all components except for Application Healing. You should create a separate client configuration for servers that includes only the components you want, particularly the Common Base Agent (CBA), remote control, and inventory. Servers generally don't need all of the Management Suite components. To create a remote control and inventory client setup configuration for servers Click Tools | Client Setup. Double-click the Add client Configuration icon. Enter a Configuration name. Under Components to install, click Common Base Agent, Inventory Scanner, and Remote Control. 5. Proceed through the wizard, making any changes you want. When you get to the scope page, enter the scope you decided on earlier. Click Help if you need more information on Scope and the wizard pages. 6. Finish the wizard, and make the configuration default. 1. 2. 3. 4.
Installing Remote Control and Inventory on servers
Installing Remote Control and Inventory on a server lets you manage that server the same way you manage a client workstation. You can install Remote Control and Inventory on Windows NT/2000/2003 servers and NetWare servers.
25
INSTALLATION AND DEPLOYMENT GUIDE
To install Remote Control and Inventory on a Windows NT/2000/2003 server At the server you're installing to: 1. Log in with administrator rights. 2. Map a drive to the core server's LDLogon share. 3. Run IPSETUP.BAT to configure the server with LANDesk agents.
Deploying to clients
There are three ways to configure clients: • • Manual configuration: Map a drive to the core server's LDLogon share and run WSCFG32.EXE, the client configuration program. The components that are deployed to the client must be selected interactively. Push-based configuration: Use the Client Setup wizard to define a client configuration. Use the Scheduled Tasks window to push the configuration to clients. In the case of Windows 95/98 clients, CBA must already be present on the client. Logon script-based configuration: Use the Client Setup wizard to define a client configuration (with the default option set to Yes). This configuration will be applied to clients as they log in. In the case of Windows NT/2000/2003/XP clients, end users need administrative rights to their computers.
•
Obviously, manual configuration is not practical in a large environment where many clients must be configured. In this initial phase of the client deployment, with no agents present on the clients, login script-based configuration is the only option for Windows 95/98 clients. For Windows NT/2000/2003/XP clients, either login scriptbased or push-based configuration will work, but login script-based configuration is often impractical because it requires end users to have administrative rights to their computers.
Creating a default configuration for clients
Management Suite installs with a default configuration that includes all components except Application Healing. Application Healing isn't enabled by default, because it requires extra configuration. You can use the default configuration or you can create your own. If you do create your own, make sure you make your configuration the default. The default configuration has a checkmark on the icon. The default configuration is important if you are using manual configuration, because it's the one IPSETUP.BAT installs.
Deploying clients manually
Manual client deployment is adequate for small networks, but because you have to go to each computer, it isn't practical on a larger scale. If you're having problems configuring clients, manual configuration is usually trouble-free.
26
RAPID DEPLOYMENT STRATEGY
To configure a client manually 1. 2. 3. 4. Go to the client you want to configure. Log in with administrator rights. Map a drive to the core server's LDLogon share. Run IPSETUP.BAT to configure the client with LANDesk agents.
IPSETUP.BAT installs the configuration marked as default in the Client Setup window. Once IPSETUP.BAT finishes, the newly-configured client will be visible in the console's network view.
Deploying clients with a push-based configuration
Management Suite also supports a scheduled, push-based configuration method. In the case of a Windows NT/2000/2003/XP client, the push-based method does not require CBA to be already present on the client. To enable a push-based configuration of Windows NT/2000/2003/XP clients not already running CBA, the Management Suite Scheduler service that runs on the core server must be set up as follows: 1. In the console, click Configure | Services, then click the Scheduler tab. 2. Click Change login. 3. In the Username and Password fields, specify a domain administrator account (in the format domain\username). 4. Stop and restart the Scheduler service. 5. Schedule the configurations. You can specify the domain administrator when configuring Windows NT/2000/2003/XP members that belong to the same domain as the core server. To configure Windows NT/2000/2003/XP clients in other domains, you must set up trust relationships. Remember that the account identified in step 3 above is also the account under which the Scheduler service will run on the core server. Make sure the account has the Log on as a service right. For Windows XP, "Simple file sharing" must be disabled on the client. You can turn off this option by selecting a share and clicking Tools | Folder Options. If a push configuration of a Windows NT/2000/2003/XP client fails and displays a message that says "Cannot Find Agent," try the steps listed below to identify the problem. These steps mimic the Scheduler's actions during a push configuration. 1. Find the username under which the Intel Scheduler service is running. 2. On the core server, log in with the username you found in step 1. 3. Map a drive to \\client name\C$. (This step is the one most likely to fail. It may fail for two reasons. Most likely, you don't have administrative rights to the client. If you do have administrative rights, it is possible that the client's administrative share (C$) is disabled.) 4. Create a directory \\client name\C$\$ldtemp$ and copy a file into it. 5. Use the Windows NT/2000/2003/XP Service Manager and try starting and stopping services on the client.
27
INSTALLATION AND DEPLOYMENT GUIDE
Deploying clients with a login script
Though the login script-based configuration is usually the method of choice for Windows 95/98 clients, this method is often impractical for Windows NT/2000/2003/XP clients, because it requires end users to have administrative rights to their computers. In most companies, end users do not have such rights. If you want to deploy clients by using a client deployment service center and login scripts, see "Phase 4: Deploying the primary agents to clients."
Congratulations!
You've completed the rapid deployment of Management Suite. For help using this application, consult the LANDesk Management Suite User's Guide or online help. If you want to roll out Management Suite to a larger management domain than this rapid deployment model can handle, see "Phase 2: Preparing your databases" later in this guide.
28
Phase 1: Designing your management domain
In phase 1, you gather information about your network infrastructure and make decisions that help you customize your management domain. In this phase you'll learn about: • • • • • • • • • • Gathering network information Selecting your core server and console Selecting a database Selecting service centers Planning your security and organization model Select components to implement Functionality available by client OS System requirements Supported router configurations Upgrading to LANDesk Management Suite 8
29
INSTALLATION AND DEPLOYMENT GUIDE
Gathering network information
Identify and collect all critical information about your network as it relates to Management Suite. Specifically, you need to: • • • • • • • • Determine the number of sites Estimate the number of clients at each location Select your core server and consoles Plan placement of program files Select a database Select service centers Determine the number of domains Understand the functionality available by client OS
Determining number of sites
First, identify all site locations where you want to deploy Management Suite. You'll use this information to determine the size and reach of each management domain, as well as the placement of core servers, service centers, and database servers. To get this information, refer to your corporate WAN or LAN topology charts and server configuration charts.
Estimating number of clients at each location
You need to identify how many clients per site will be managed by Management Suite and gather preliminary information about those clients. The number of clients is equivalent to the number of desktop computers, laptops, servers, and handheld devices. You'll use this information to determine domain size, select a database, and compare with the Management Suite system requirements. The more information you can gather about the type of clients you'll manage, the better you can plan. Even rough estimates can help.
Determining server configurations
Gather configuration information on each server that you plan to manage. You'll use this information later in the domain design process to help determine if the servers you've selected meet the system requirements for a core server, database server, and service center. Identify this information for each server that will be managed by Management Suite: • • • • • Type of processor Network operating system version, plus applied service packs or patches Approximate available disk space Hard disk type (for example, ultra-wide SCSI, disk arrays, and so on) RAM
30
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
Selecting your core server and consoles
The core server is the center of a management domain. All the key Management Suite files and services are contained on the core server. A management domain can have only one core server. Console computers run the main Management Suite console where you conduct management activities such as taking remote control of a client, querying the core database, or distributing a software package. Refer to the "Overview of rapid deployment" section earlier in this guide for more information about the core server and consoles. Consoles and management domains Although a management domain can have only one core server, it can have as many as 25 consoles. This limit isn't hardcoded, but it's the largest configuration characterized in Management Suite. A larger number of consoles may be reasonable in some environments, based on core server and database server hardware capability. Make sure that the computers you select for your core server and consoles meet the system requirements. Refer to system requirements later in this phase.
Planning placement of program files
During installation, you can specify where you want to install the Management Suite program files. Accept the default destination directories unless you have compelling reasons to change them. The default destination directory for core servers and consoles is: C:\Program Files\LANDesk\ManagementSuite
Selecting a database
Management Suite 6.6 and later replaces the old Access default database with the Microsoft SQL Server Data Engine 2000 (MSDE) database. The new MSDE database can handle more clients and doesn't have many of the performance limitations the Access database had. Each MSDE database has a 2 GB database size limit. The number of clients this database supports depends on your network's inventory scan file size. In larger environments with many management consoles, you should use the supported Microsoft SQL or Oracle8i* databases to keep Management Suite performing optimally. In these larger environments, the MSDE database won't perform as well as a true enterprise-level database.
31
INSTALLATION AND DEPLOYMENT GUIDE
You'll likely see performance issues with MSDE when the database has more than five concurrent things to do. If you want to use MSDE, consider how often you might have more than five people accessing the database at exactly the same time. If it's likely more than five people will be accessing the database, what will those people be doing? For example, if they're all running software-related queries against the core database, use SQL Server or Oracle, since software-related queries can take a while to complete because of the amount of data involved. If they're all querying the core database for a set of clients with a certain hard drive size, you can probably stay with MSDE, since that type of query usually takes less than a second to complete. If you want or need to use your own database, you can select either: • • • Microsoft SQL Server 2000 SP 3 Oracle8i* (8.1.7) Oracle9i*
For detailed information about databases, refer to "Phase 2: Preparing your databases" later in this guide.
Selecting service centers
Use client deployment service centers to off-load the demands on the core server. Each service center helps distribute the work throughout the network. Client deployment service centers provide login services to configure clients. Install the client deployment service center on a Windows NT/2000/2003 PDC, BDC, Domain Controller, NetWare NDS* server, or NetWare bindery server to configure clients.
Determining number of management domains
Before you determine whether you need more than one domain, you need to understand the particulars of having multiple management domains. A single management domain has been tested to support as many as 10,000 clients. However, the number of clients isn't the only factor to consider when determining whether you need more than one management domain. If you have sites separated by slow WAN links, for example, you may want to have a core server near those clients. You can use the Web console and a rollup core to manage multiple core servers and their clients. Creating multiple management domains If you're creating multiple management domains, we recommend that you successfully complete the installation and deployment of one management domain before creating another.
32
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
Planning your security and organization model
LANDesk Management Suite 8 introduces a new security model. Clients now authenticate to their authorized core server before communicating with the core, and role-based administration allows Management Suite administrators to control the rights Management Suite console users have and which clients they can work with (scope). You should decide how you want to handle security before deploying Management Suite, because changing security and scopes requires you to redeploy client agents or security certificates.
Planning your core server structure
Management Suite 8 uses a certificate-based authentication system. During the core installation, Setup creates a certificate for that core. Clients look for that certificate when communicating with the core, and clients won't communicate with a core they don't have a certificate for. You can include certificates from multiple core servers in your client configurations if you want clients to be manageable from multiple cores.
Planning a scope
Role-based administration is a powerful new feature with Management Suite 8. Access the role-based administration tools in the console by clicking Users in the Tools menu or on the Toolbox. You must be logged in with administrative rights. Role-based administration provides advanced network management capability by letting you add users to your Management Suite system and assign those users rights and a scope. Rights determine the tools and features a user can see and use (see "Understanding rights" in chapter 1 of the User's Guide). Scope determines the range of devices a user can see and manage (see "Creating scopes" in chapter 1 of the User's Guide). You can create roles based on users' responsibilities, the management tasks you want them to perform, and the devices you want them to see, access, and manage. Access to devices can be restricted to a geographic location such as a country, region, state, city, or even a single office or department. For example, you can have one or more users in charge of software distribution, another user responsible for remote control operations, another user who runs reports, and so on. To implement and enforce this type of role-based administration across your network, simply set up current users, or create and add new users as Management Suite users, and then assign the necessary rights (to Management Suite features) and scope (to managed devices).
33
INSTALLATION AND DEPLOYMENT GUIDE
The core server uses scopes to limit the clients that console users can see. Only one scope can be assigned to a User, but the same scope can be used by multiple users. You can base scopes on one of these methods: • • • • • Default All Machines Scope: The assigned default scope for all users allows them to see all clients on the network. Default No Machines Scope: Users are unable to see any clients on the network. Based on a Query: Users can see the clients that fit the selected criteria of a specific query assigned to them by the Administrator. Based on LDAP or custom directory: Users can see the clients from the selected level down within a LDAP or customer directory. The scope page in the Client Setup wizard: If you don't have an LDAPcompliant directory or you want to categorize clients differently, enter a scope on this scope page. This scope page provides a convenient field you can deploy via Client Setup configurations and do queries on.
The inventory scanner on each client reports that client's scope in a "location" database field. If you entered a scope in that client's Client Setup configuration, that's the scope the scanner returns. If you left the scope blank in that client's Client Setup configuration, the scanner tries to populate the scope from an LDAP-compliant directory. If the scope isn't available from the Client Setup configuration or an LDAPcompliant directory, the location field will be blank. You can still assign scopes for clients with a blank location field, but you'll have to do it through queries. The Client Setup wizard scope page uses a path format that's similar to a file path, but with forward slashes as separators. When deciding on a scope, decide how you want to categorize your clients for management. You might do it by geography or by organization. Console users can manage clients belonging to multiple scopes through query-based scopes. For more information on scopes, see chapter 1 in the User's Guide.
Configuring Windows 9x/NT clients for LDAP scopes
In order for clients to be part of a scope that is targeted through Active Directory or NetWare Directory Services, they have to be configured to log in to the directory. This means that they need to have all the correct client software installed, and they need to actually log in to the correct directory so that their fully distinguished name will match the name that was targeted through Management Suite's Directory Manager. Windows 9x/NT doesn't ship with Active Directory support. You must install Active Directory support on clients that log in to a directory. More information on installing Active Directory client support is available here: http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextensi on.asp
34
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
Understanding certificates
With Management Suite 8, the certificate based authentication model has been simplified. Client agents still authenticate to authorized core servers, preventing unauthorized cores from accessing clients. However, Management Suite 8 doesn't require a separate certificate authority to manage certificates for the core, console and each client. Instead, each core server has a unique certificate and private key that Management Suite Setup creates when you first install the core or rollup core server. Clients will only communicate with core and rollup core servers that the client has a matching trusted certificate file for. Each core server has its own certificate and private keys, and by default, the client agents you deploy from each core server will only talk to the core server from which the client software is deployed. However, you can configure clients to talk to multiple cores. If you will have multiple core servers or a rollup core on your network, make sure you read "Client agent security and trusted certificates" in chapter 2 of the User's Guide.
Using a rollup core database
A rollup core database summarizes data from multiple core servers and doesn't have the 10,000 client limit that a core database has. The rollup core database allows you to use the Web console to do the following across core servers: • • • • Remote control Inventory queries Reports Software distribution
The rollup core database should be on a separate server from the core and requires a supported Microsoft SQL or Oracle database. Before installing a rollup core from Management Suite Setup, you need to install and configure the rollup database. Once you've installed your core servers and the rollup core, you can configure periodic data rollups from the core databases to the rollup core database.
35
INSTALLATION AND DEPLOYMENT GUIDE
Selecting components to implement
Use this table to identify the types of components you want to implement. Component type Remote control Description Decision criteria
Lets you take control of a client from Provide remote management of across the network. Minimizes the computers across the LAN/WAN. time it takes to resolve customer issues from a centralized help desk. Gathers software and hardware information for clients that you can view through database queries. Monitors and reports on application license usage and denied applications. Doesn't limit access to applications. Automates the process of installing software applications or distributing files to clients. Allows clients to receive multicast software distributions. Record detailed inventory information about all clients. Provide reports on all software and hardware. Track installed software and software usage.
Inventory scanner
Software monitoring
Enhanced software distribution
Install applications simultaneously to multiple clients. Update files or drivers for multiple clients. Install applications simultaneously to multiple clients. Update files or drivers for multiple clients. Reduce consumed network bandwidth. Protect critical or commonly-used applications on clients. Manage groups of clients that have common software needs.
Targeted Multicasting
Application healing Application policy management Custom data forms
Automatically keeps configured applications running on clients. Automatically installs a set of applications on groups of clients.
Presents a form to users for them to Retrieve customized information complete. You can query the from users directly. database for the data that users enter. Enables bandwidth detection Detect remote clients or clients between clients and the core server. that connect to the network via a You can limit Management Suite slow link. actions such as Software Distribution based on available bandwidth.
Bandwidth detection
36
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
Local scheduler
Enables Management Suite to launch client tasks based on a time of day or bandwidth availability. For example, you can use the Local Scheduler to allow mobile client package distribution only when those clients are on the WAN.
You have computers that may not always be on the network or may connect to the network via a dialup connection.
Common Base Agent (CBA)
The base client agent that enables client discovery, alert reporting, and other basic features. Required by many other agents.
Most clients need CBA. Many agents in this table require CBA to work.
Task completion
Checks with the core server to see if You have mobile or other users there are any scheduled jobs the who aren't always connected to client needs to run. the network and tend to miss scheduled jobs.
37
INSTALLATION AND DEPLOYMENT GUIDE
Functionality available by client OS
This table identifies the supported operating systems and available features. Supported Windows Mac OS 8, 9.2.2 No No Mac OS X 10.2.x, 10.3.x No Yes NetWare 5.1, 6.0 RedHat 7.3, 8.0, 9.0 No No Supported UNIX
Application healing Application policy management Bandwidth detection Common Base Agent Custom data forms Enhanced software distribution Inventory scanner Local scheduler Migration tasks Remote control Software monitoring Targeted Multicasting Task completion
Yes Yes
No No
No No
Yes Yes Yes Yes
No No No No
No No No Yes
No No No No
No No No No
No No No No
Yes Yes Yes Yes Yes Yes Yes
Yes No No Yes No No No
Yes No No Yes Yes Yes No
Yes No No Yes No No No
Yes No No No No No No
Yes No No No No No No
In addition, Management Suite supports these directory services: • • • Microsoft Active Directory* Novell eDirectory* Novell NDS
38
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
Compatibility with previous versions of Management Suite
Management Suite 8 consoles can communicate with clients running Management Suite 6.62 and later. With older clients, you won't have access to the new Management Suite 8 features. However, beginning with Management Suite 8, the Management Suite 8 client agents authenticate to authorized core servers, preventing unauthorized cores/consoles from accessing Management Suite 8 clients. Each core server has a unique certificate that Management Suite Setup creates when you first install the core. The Client Setup: Authentication dialog lets you pick the core server trusted certificates you want clients to accept. For more information on certificates and security, see the next section and chapter 2, "Configuring clients" in the User's Guide.
39
INSTALLATION AND DEPLOYMENT GUIDE
System requirements
Make sure that you meet the following system requirements before you install Management Suite.
Core and database servers
Make sure that all of your core and database servers meet these requirements: • • • • • • • • Windows 2000 Server or Advanced Server with SP 4 Windows Server 2003 Standard or Enterprise edition Microsoft Data Access Components (MDAC) 2.8 Microsoft .NET Framework 1.1 Internet Explorer 5.5 or 6.x Microsoft NT File System (NTFS) The Windows 2000 server you use for your core server must be installed as a standalone server, not as a primary domain controller (PDC), backup domain controller (BDC), or Active Directory controller. The servers should be dedicated to hosting Management Suite
Core server requirements The Windows 2000 pagefile should be at least 12 + N (where N is the number of megabytes of RAM on the core server. Otherwise, Management Suite applications may generate memory errors.
All Management Suite services hosted on one server (1-1,000 clients)
For Management Suite management domains with 1,000 clients or fewer, you can install the core server, console, Web console server, and the core database on one server. For these networks, you may want to consider using the default Microsoft MSDE database, which is generally easier to maintain. Limitation considerations Your server should at least meet these system requirements before you install Management Suite in a 1-1,000 client configuration: • • • Pentium 4 processor 4 GB of free disk space on 10K RPM or faster drives 768 MB+ of RAM
40
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
Management Suite services hosted on one server (1,000-3,000 clients)
If your Management Suite management domain consists of 1,000-3,000 clients, you can still use one server. Your servers should at least meet the following system requirements before you install Management Suite: Management Suite core server and Web console software on one server • • • • Dual Pentium III 1000 MHz or faster processors 6 GB of free disk space on 15K RPM or faster drives 1 GB or more of RAM One fast, full-duplex 100 Mb network interface card
Multi-server configuration (3,000-6,000 clients)
If your Management Suite management domain consists of 3,000-6,000 clients, you can still use one server. we recommend that you divide your Management Suite components between two servers for improved database performance. Your servers should at least meet the following system requirements before you install Management Suite: Management Suite core server and Web console software on one server • • • • Dual Pentium III 1000 MHz or faster processors 6 GB of free disk space on 15K RPM or faster drives (mirrored) 1 GB or more of RAM One fast, full-duplex 100 Mb network interface card
Core database on a second server • • • • • • Dual Pentium III 1000 MHz or faster processors 2 GB or more of RAM Supported database Two ultra-wide I20 controllers with RAID 5 20 GB of free space on SCSI drives with a rotational rate of 15K RPM or faster Two full-duplex 100+ MB network interface cards in teaming mode
41
INSTALLATION AND DEPLOYMENT GUIDE
Multi-server configuration (6,000-10,000 clients)
For optimum performance, we recommend that you install Management Suite on at least two separate servers for management domains with between 6,000 and 10,000 clients. Your servers should at least meet the following system requirements before you install Management Suite: Management Suite core server and Web console software on one server • • • • Dual Pentium III 1000 MHz or faster processors 6 GB of free disk space on 15K RPM or faster drives (mirrored) 1 GB or more of RAM One fast, full-duplex 100 Mb network interface card
Core database on a second server • • • • • • Quad Pentium Xeon* 1000 MHz or faster processors 2 GB or more of RAM Supported database Two ultra-wide I20 controllers with RAID 5 20 GB of free space on SCSI drives with a rotational rate of 15K RPM or faster Two full-duplex 100+ MB network interface cards in teaming mode
Service center requirements
These server requirements are for Management Suite service centers. Windows NT/2000/2003 Server • • • • Dual Pentium II processors (dual Pentium III or Pentium 4 processors recommended) 16 MB of free disk space 256-512 MB of RAM Network interface card
PDCs and Windows NT/2000 Client Deployment service centers If you're installing a Client Deployment service on a Windows NT/2000 server, you should install to a Primary Domain Controller (PDC), Backup Domain Controller (BDC), or Windows 2000 Domain Controller. Only the PDC, BDC, or Domain Controller can run the domain-level logon scripts that are created by a Windows NT/2000 Client Deployment service center.
42
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
NetWare • • • • • • • Pentium II processor (Pentium III recommended) 16 MB of free disk space 64 MB of RAM TCP/IP or IPX* protocol stack. The service center and the core server both must use the same protocol in order to communicate with one another. SNMP servers aren't supported, except for the SNMP trap functionality within the Server Management component Network interface card NetWare 5.1 or 6.0
Console
• • • • • • • • Windows XP Professional with SP 1 Windows Server 2003 Standard Edition and Enterprise Edition Windows 2000 Professional, Server, and Advanced Server with SP 4 Pentium III processor (Pentium 4 processor recommended) 256 MB of RAM 180 MB of free disk space Internet Explorer 5.5 or 6.x Novell Client 32* is required to browse a Novell NDS environment
Client computers
Management Suite supports these client operating systems (not all operating systems are supported equally): • • • • • • • • • • • • • Windows XP Professional with SP 1 Windows Server 2003 Standard Edition and Enterprise Edition Windows 2000 Professional, Server, and Advanced Server with SP 4 Microsoft Windows NT 4 Workstation with SP 6a Windows Server 2003 Windows 95B (requires Winsock2) and 98SE NetWare 5.1 and 6.0 Mac OS 8, 9.2.2, 10.2.x, and 10.3.x Red Hat Linux 7.3, 8.0, and 9.0 UNIX IBM (AIX 5.1) UNIX Intel Architecture (Solaris 8) UNIX Hewlett Packard (HP-UX 11.0) UNIX Sun Sparc (Solaris 8)
Dial-up support
• • Modems down to 28.8 where applicable RAS connections
43
INSTALLATION AND DEPLOYMENT GUIDE
Supported router configurations
This section documents the various ports Management Suite components use. In some cases we list where you can change the port. You should use the default ports unless you have a compelling reason to change them. Remote Control TCP 1761-1762, console to client. Inventory TCP 5007, client to core server. Multicast UDP 33354, client and core server to subnet representative. TCP 33354, core server to subnet representative. UDP 33355, subnet representative to client. This is the actual multicast-based communication within the subnet. There is no need to open this port on routers. PDS2 UDP 9595, all clients to all clients. This port must be open for communication in both directions. Management Suite versions prior to 8 used PDS on UDP port 38293. CBA 8 TCP 9594, all clients to all clients. This port must be open for communication in both directions. Management Suite versions prior to 8 used MSGSYS on TCP port 38292. TCP remote execute TCP 12174, core server to clients. Change this port from the console, Configure | Services | Custom Jobs | Remote Execute Port. On clients, change this key to match the port on the core server: HKLM\Software\Intel\LANDesk\Xfer\RmtExePort
44
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
QIP services TCP 12175, client to core server. For clients, change this port in the Client Setup wizards Client Status TCP Port page. For the core server, change the port at: HKLM\Software\Intel\LANDesk\LDWM\QIPSrvr\TCPPort. Application Policy Management and Task Completion TCP 12176, client to core server. Wake On LAN UDP 0, core to client. Wake On LAN packets are sent as subnet-directed broadcasts. Using port 0 ensures that no clients IP stack will process the packet. To allow Wake On LAN packets to cross routers, configure the routers to allow subnet directed broadcasts. You may also need to change the port. Any port will work for the client. Because Wake On LAN packets are recognized by the network adapter hardware, no configuration is needed on the client side. LANDesk System Manager and LANDesk Server Manager LANDesk System Manager and LANDesk Server Manager use port 9535 for remote control. They also use port 9595 for broadcast discovery. IPMI discovery requires port 623. Important non-Management Suite ports Microsoft SQL Server, TCP 1433, console/core to SQL server. NetBIOS over TCP, TCP 139. This port is used by the console's network view for pushing client configurations, for UNC-based software distributions, and so on. SMB over TCP, TCP 445 (Windows 2000 only).
45
INSTALLATION AND DEPLOYMENT GUIDE
Upgrading to LANDesk Management Suite 8
This section provides detailed information and step-by-step instructions for upgrading to LANDesk Management Suite 8. You can upgrade to Management Suite 8 from the previous versions 6.62 and 7.0. You can directly install Management Suite 8.1 over Management Suite 8 on both the core server and clients. You don't need to uninstall Management Suite 8 first. Read this section to learn about: • • • • • • Before you begin Upgrade tools Upgrade methods Upgrade procedures Understanding component upgrade/migration Migration at a glance
Before you begin
Upgrading to Management Suite 8 can be a complex process that requires careful planning. You should already be familiar with fundamental Management Suite concepts and deployment considerations covered thoroughly in this guide, though you may want to review some of the planning overview sections. We recommend that you read this section in its entirety before performing an upgrade installation of Management Suite 8. An upgrade installation uses custom tools that automate most of the upgrade process (see "Upgrade tools"). However, there are some core server settings and files that need to be moved manually (saved or exported, and then imported) from the old environment to the new one. In the case of an in-place upgrade, these settings and files must be copied before beginning the upgrade/migration process. Note that clients should be reconfigured with the Management Suite 8 agents as soon as possible after upgrading the core server and database to Management Suite 8 in order to take advantage of improved security and other enhanced features. For more information on the new authentication and security model, see chapter 2, "Configuring clients" in the User's Guide. Also, if your clients are currently running LANDesk Software Metering, you should remove this program (with the predefined Uninstall Metering Client script located in the Manage Scripts tool) before upgrading or soon after in order to avoid memory problems on the clients.
46
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
Assumptions
You need to consider a number of issues before performing a Management Suite upgrade: • • • All core servers and databases should be backed up or imaged prior to upgrading any LANDesk software. Due to the new security model of Management Suite 8, once a client has been upgraded to the Management Suite 8 agents, it cannot be remote controlled by older version core servers. Several add-on tools and enhancements exist that can be used in conjunction with Management Suite, including some tools developed by third-party vendors. The upgrade/migration process documented in this guide does not take these tools into consideration. Upgrading assumes a working knowledge of Management Suite.
•
Upgrade tools
The Management Suite migration process relies on the following executables that are included on your LANDesk Management Suite CD.
LANDesk Management Suite Setup
The Management Suite Setup program launches the normal installation process and prompts the administrator for necessary network and configuration information. Setup also automatically calls the tools that implement the migration process, MIGRATECORE.EXE and DBUPGRADE.EXE.
MIGRATECORE.EXE
This tool gathers and restores core server files and settings.
DBUPGRADE.EXE
This tool transfers most of the data stored on a previous core database to a new Management Suite 8 core database. For component-specific details, see "Understanding component upgrade/migration" later in this phase. Note: The database upgrade tool can also be manually executed as a stand-alone process in order to migrate data from a previous core database to a Management Suite 8 core database. In order for this type of migration to work properly, the Management Suite 8 core database must be empty. To ensure an empty database, run COREDBUTIL.EXE (in the LANDesk\ManagementSuite directory) and select Reset database.
47
INSTALLATION AND DEPLOYMENT GUIDE
Software License Monitoring Export and Import Tools
This export tool exports all of the Software License Monitoring data from a Management Suite 7.0 core server to an .XML file that can then be imported with the import tool. Both of these tools appear on the Software License Monitoring toolbar.
Upgrade methods
There are two methods to upgrade to Management Suite 8: • In-place upgrade: Upgrades an existing core server and database as a new Management Suite 8 core server (preserving the core's settings), with the option of also migrating existing data from a previous core database. Note that if you are doing an in-place upgrade, LANDesk recommends that you do NOT upgrade the OS of the core server. Side-by-side upgrade: Installs a new Management Suite 8 core server and database, with the option of migrating settings from a previous core server, and the option of also migrating data from a previous core database. Use the side-by-side method if you want to upgrade the hardware or OS of the core server.
•
Upgrade procedures
Follow the procedures below for the upgrade method you've chosen.
In-place upgrade
To perform an in-place upgrade On an existing core server: 1. Insert the LANDesk Management Suite CD into the server's CD-ROM drive or run AUTORUN.EXE from your installation image. 2. Click Verify Core System Requirements to run the system requirements checker. Make sure all requirements pass. 3. Click Install LANDesk Management Suite to run the Setup program. 4. Select the language you want to install, and click OK. 5. Setup detects an existing installation of Management Suite and prompts whether you want to continue or exit. Click Ignore to have Setup continue with the migration process. 6. The MIGRATECORE.EXE tool runs (with the /gather parameter) and gathers core server files and settings. 7. Uninstall runs automatically and removes the previous version of Management Suite. Status messages provide information about the processes as they run. 8. Setup now runs the Management Suite 8 installation. At the Management Suite Welcome page, click Next. 9. Click Yes to accept the license agreement. 10. Accept the default destination location by clicking Next.
48
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
11. Accept the default selected features by clicking Next. 12. Select Create New Database to install the default MSDE database, or select User-supplied Database to install a different database (such as Oracle or SQL 2000), and then click Next. (For more information on database installation and maintenance, see "Phase 2: Preparing your databases.") 13. Enter a database password, and then click Next. 14. If you selected to install OS Deployment and Profile Migration, specify a location for the required Windows NT 4 files, and then click Next. 15. If you selected to install OS Deployment and Profile Migration, specify a location for the required Windows 98 files, and then click Next. 16. Enter an organization and certificate name, and then click Next. 17. Review the summary page, and then click Next to start copying files. The Setup Status page provides information on the various processes as they run. 18. When the file copy process is complete, the MIGRATECORE.EXE tool runs again (this time with the /restore parameter) and restores the gathered files and settings from the previous core server to the new Management Suite 8 core server. 19. The DBUPGRADE.EXE tool runs and opens the Database Upgrade Settings dialog. 20. In the Database Upgrade Settings dialog, enter the data source name, logon name and password, and the core server where you want the data migrated. Data is exported from the database identified by the data source name (DSN) and imported to the new Management Suite 8 core database. (If you are installing on a new core, you need to create a DSN to the old database. Click New DSN to open the ODBC Data Source Administrator dialog. This dialog includes its own online Help, or you can refer to your previous Management Suite's Installation and Deployment Guide for information on setting up DSNs.) 21. Click Start. 22. When the data migration is finished, the Setup is Complete page appears. 23. Click Finish to complete Setup. Restart the computer to finish Setup and load the Management Suite services. You'll notice after you reboot and log in that Setup will run for a few more minutes while it finishes the installation.
49
INSTALLATION AND DEPLOYMENT GUIDE
Side-by-side upgrade
To perform a side-by-side upgrade On a server that meets the Management Suite core server requirements (see System requirements above): 1. Insert the LANDesk Management Suite CD into the server's CD-ROM drive or run AUTORUN.EXE from your installation image. 2. Click Verify Core System Requirements to run the system requirements checker. Make sure all requirements pass. 3. Click Install LANDesk Management Suite to run the Setup program. 4. Select the language you want Setup to install, and click OK. 5. At the Management Suite Welcome page, click Next. 6. Click Yes to accept the license agreement. 7. Accept the default destination location by clicking Next. 8. Accept the default selected features by clicking Next. 9. Select Create New Database to install the default MSDE database, or select User-supplied Database to install a different database (such as Oracle or SQL 2000), and then click Next. (For more information on database installation and maintenance, see "Phase 2: Preparing your databases.") 10. Enter an MSDE database password, and then click Next. 11. If you selected to install OS Deployment and Profile Migration, specify a location for the required Windows NT 4 files, and then click Next. 12. If you selected to install OS Deployment and Profile Migration, specify a location for the required Windows 98 files, and then click Next. 13. Enter an organization and certificate name, and then click Next. 14. Review the summary page, and then click Next to start copying files. The Setup Status page provides information on the various processes as they run. 15. When the file copy process is complete, check the Migrate settings... option, and then click Finish. 16. The MIGRATECORE.EXE tool runs and opens the Migration dialog. In the Migration dialog, fill in the following fields: • Capture data from: • Core name: Check the box and enter the name of the core server whose data you want to migrate. • Web console path: If you want to migrate Web console data, check the box and enter the UNC path, or browse, to the remote folder for the Web console (default location is: C:\Inetpub\wwwroot\remote). This folder must be shared. • Select the intermediate file location: Enter or browse to the location where you want the captured data saved. The default location is the local hard drive. • Restore data to: • Core name: Make sure the box is checked and that the new Management Suite 8 core server name is correct. This should be the name of the server where you are currently running the upgrade installation. • Transfer data to specified core: Check the box to automatically launch the database upgrade tool after the server data saved in the file location specified above is migrated to the new core server.
50
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
18. Click OK. 19. The DBUPGRADE.EXE tool runs and opens the Database Upgrade Settings dialog. 20. In the Database Upgrade Settings dialog, enter the data source name, logon name and password, and the core server where you want the data migrated. Data is exported from the database identified by the data source name (DSN) and imported to the new Management Suite 8 core database. (If you are installing on a new core, you need to create a DSN to the old database. Click New DSN to open the ODBC Data Source Administrator dialog. This dialog includes its own online Help, or you can refer to your previous Management Suite's Installation and Deployment Guide for information on setting up DSNs.) 21. Click Start. 22. When the data migration is finished, the Setup is Complete page appears. 23. Click Finish to complete Setup. Restart the computer to finish Setup and load the Management Suite services. You'll notice after you reboot and log in that Setup will run for a few more minutes while it finishes the installation.
51
INSTALLATION AND DEPLOYMENT GUIDE
Upgrade/migration diagram
52
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
Understanding component upgrade/migration
This section looks at the files, settings, and registry keys associated with the Management Suite components. Much of this data is migrated as part of the new Management Suite 8 upgrade installation. However, some of the data is not migrated because of compatibility issues with the new replacement features and functionality. Read about each component below for details.
Client configuration
Client configuration data Client configuration data is not migrated because the previous versions of the LANDesk agents are not compatible with Management Suite 8. An administrator must reconfigure clients with new Management Suite 8 agents via the Client Setup wizard in the console. For more information, see the "Deploying the primary agents to clients" chapter in the Installation and Deployment Guide, as well as the "Configuring clients" chapter in the User's Guide. XXSTACFG.INI files These files are not migrated because of incompatibility with new functionality.
Inventory
Alias files Alias files and their contents are migrated to the Public Devices group in the new console's network view. LDAPPL3.INI template file The template file is not migrated during the upgrade/migration process. However, if the template file has been modified, and you want to maintain those custom changes, it can be manually copied into the LDLogon directory of the new Management Suite 8 core server. Saved and stored queries Saved queries (.QRY files saved on the core server) are moved into the LegacyQueryFiles directory on the new core server (under LANDesk\ManagementSuite). To import these saved queries into your new console, right-click either the Public Queries or My Queries group, click Import, and navigate to the directory where the queries are saved. Stored queries (queries stored in the core database) are migrated as part of the database migration and appear in the Public Queries group in the network view. Database groups Database groups are migrated into the new Management Suite console. Scheduled tasks Scheduled tasks are migrated into the new Management Suite console. Local Scheduler static settings Scheduler settings are saved in the client registry. When a client is configured with a new Management Suite 8 client setup configuration package, Scheduler settings remain in place and function as normal.
53
INSTALLATION AND DEPLOYMENT GUIDE
Custom data forms Custom data forms are migrated into the new Management Suite console.
Software Distribution
Custjob scripts Software distribution scripts (CustJob scripts), and other custom scripts, that are stored in the Scripts directory are migrated as part of the upgrade/migration. Note that scripts containing references to the old core server must be modified/updated so that they reference the new Management Suite 8 core server. You can do this by simply opening a script in its script wizard (in the new console) and proceeding through the wizard. Software distribution log files Software distribution log files are stored in the Logs directory on the old core server. These files are not automatically migrated. However, you can manually copy log files to the new Management Suite 8 core server if you want to preserve this information. APM data Application Policy Management (APM) data is migrated to the new core server as part of the upgrade process. Database queries Database queries are "stored" in the database. Stored queries are migrated as part of the database migration and appear in the Public Queries group in the network view. APM LDAP queries The settings from the Directory Manager tool (including LDAP directory connections) are migrated to the new core server along with any queries. Application Healing ARL files and packages Application Repair Lists (ARL files) are migrated. Application Healing files are moved, along with any executables found in the [PKG] section of the ARL files. Executables are placed in the same directory as the ARL file. The administrator is responsible for editing the ARLs with the new location of the package executables. The Application Healing packages are not included in the LDMSDATA.DAT file, but are copied to the \\Program Files\LANDesk\ManagementSuite\LDLogon\packages directory. If the Application Healing packages location is a URL, the file is not copied but the URL address remains in the ARL file. Multicast Domain Representatives Multicast Domain Representatives are represented by Alias files (.STA) in previous versions of Management Suite and are migrated as part of the upgrade process. (Note that this happens as part of the Alias file migration mentioned earlier.)
Software License Monitoring
Aliases Aliases are part of the Software Configuration data and are not migrated. Before upgrading, an administrator should export this data from the Software Configuration window by using the Export tool. This data can then be imported into the Management Suite 8 Software License Monitoring window in the new console.
54
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
Software license data License data is part of the Software Configuration data and is not migrated. An administrator should export this data from the Software Configuration console by using the Export tool in the Software Configuration console before upgrading. This data can then be imported the Management Suite 8 Software License Monitoring window in the new console. Application usage data Application usage data is part of the inventory data and is migrated with the database. Client registry settings Client registry settings remain intact in the registry of the client when upgrading.
OS Deployment and Profile Migration
OSD/PM scripts OS deployment and profile migration scripts are migrated to the All OSD/Profile Migration Scripts group in the Manage Scripts tool in the new console. Note that even though scripts are migrated, you need to reset them to the new core server by "editing" them in the script wizard (right-click the script and select Edit, click Next until the last page of the wizard, and then click Finish). DOS boot menu The DOS boot menu is migrated during the upgrade process. However, in order for PXE clients to see the menu when they boot, you must click the Update button in the new console's PXE Boot Menu toolbar before booting the PXE clients. PXE proxies PXE proxies (or PXE representatives) must be updated when you upgrade to Management Suite 8. Inventory data identifies a client as a PXE proxy and is migrated as part of the database migration. However, after upgrading the core server to Management Suite 8, you must redeploy the PXE Representative script on all of your PXE proxies in order for them to communicate with the new core server. SYSPREP.INF files SYSPREP.INF files are part of the OS deployment component and are migrated to the new core server along with OSD scripts. Profile migration collections Collections are migrated. Profile migration file rules File rules are migrated. User-initiated profile migration packages Profile migration packages are migrated.
Web console
Custom queries Custom queries in the Web console are not migrated. They are stored in the database so you must manually export the queries as .XML files, and then import them.
55
INSTALLATION AND DEPLOYMENT GUIDE
Migration at a glance
The following table provides a quick reference of Management Suite components and whether they are migrated by the migration tools. Component Client configuration Client configuration data XXSTACFG.INI files Inventory Alias files LDAPPL3 template file Saved queries (.QRY) Stored queries Database groups Scheduled tasks Custom data forms Custom application information Software Distribution Custjob scripts Log files APM data APM database queries APM LDAP queries ARL files and packages Multicast Domain Representatives Migrated Not migrated, but can be copied to the new core server Migrated Migrated to the Public Queries group Migrated Migrated Migrated Migrated to the Public Devices group Not migrated, but can be copied to the new core server Moved to the LegacyQueryFiles directory, can then be imported Migrated to the Public Queries group Migrated Migrated Migrated Migrated Not migrated Not migrated Migration status
56
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
Software License Monitoring Aliases Licensing data Product groups Licenses Files Denied applications Not migrated, but can be exported/imported (*1) Not migrated, but can be exported/imported (*1) Not migrated, but can be exported/imported (*1) Not migrated, but can be exported/imported (*1) Not migrated, but can be exported/imported (*1) Not migrated, but can be exported/imported (*1)
OS Deployment and Profile Migration OSD/PM scripts Profile data DOS boot menu PXE proxies SYSPREP.INF files Collections File rules Migrated, must be reset to the new core server Migrated Migrated Migrated, must be updated (*2) Migrated Migrated Migrated
User-initiated PM packages Migrated Web console Custom queries Not migrated, but can be saved as .XML and imported
Footnotes: 1. Software License Monitoring data must be exported (from the SLM toolbar) to an .XML file, copied to the new core server, and then imported into the new console. 2. PXE proxy data is migrated with the database; however, the Deploy PXE Representative script must also be redeployed on all PXE proxies in order to update the proxies to the new core server.
57
Phase 2: Preparing your databases
This phase focuses on preparing the core and core rollup databases. In phase 2, you'll learn about: • • • Microsoft SQL Server 2000 configuration Oracle database configuration LANDesk Software support and DBMS issues
59
INSTALLATION AND DEPLOYMENT GUIDE
Before you begin
LANDesk Management Suite requires interaction with a database management system (DBMS). Your DBMS server is an integral part of the management domain infrastructure. It handles all of the information Management Suite needs to manage clients in your domains. The Management Suite default installation uses a Microsoft MSDE database on your core server. If you aren't planning on using a default MSDE database on your core server, you need to set up a database before running Management Suite Setup. During Setup, you'll point to the database that will hold your data. The database schema also supports these ODBC-compliant DBMSes: • • • Microsoft SQL Server 2000 with SP 3 Oracle8i (8.1.7). Requires Oracle's OLE DB version 8.1.7.3 update. Oracle9i
All database servers need to have MDAC 2.8 on them. With Management Suite 8, you no longer need to create a database DSN for ODBC. The deciding factor in selecting a DBMS for your database is the number of managed clients and consoles in your Management Suite domain. In "Phase 1: Designing your management domain," you determined the number of clients in your management domains. Based on that number of clients, you can select the default database (MSDE) or a supported ODBC-compliant DBMS for a larger management domain. The steps below are for installing the core database. In Oracle, Management Suite uses public synonyms. For detailed database installation steps You can view detailed installation steps for each database on the LANDesk Software support Web site: http://www.landesk.com/go.php?go=ldmsdbwp. If you have a preexisting Windows NT/2000/2003 master domain Don't install the DBMS to the primary domain controller (PDC). The DBMS should be installed only on a standalone server. You can install the DBMS on the backup domain controller (BDC) in a small Windows NT/2000/2003 domain, but we don't recommend it.
60
PHASE 2: PREPARING YOUR DATABASES
Microsoft SQL Server 2000 configuration
Management Suite needs the following parameters. These parameters will be set by default if you use a typical install for SQL 2000: SQL server configuration parameters • Microsoft SQL 2000 performs self-tuning. You shouldn't need to tune any parameters manually.
Database parameters • Use the defaults.
Other settings • • Use "sa" or another user aliased into the database as DBO when creating the database. Set up database maintenance.
To install Management Suite so that it uses your SQL 2000 database 1. Install Management Suite to the point where you need to choose a database. 2. In the Choose a Database page, click User-supplied database and then click Next. 3. Enter the Server and Database names, and enter the User and Password that Management Suite should use to authenticate to the database. You MUST use a user who is aliased into the database as DBO. Don't use "sa" for the login name. Don't use any other user to create or reset the database. If another user attempts to connect to the database and the tables aren't owned by DBO, the user won't be able to see the tables. If you're using an Oracle database, check This is an Oracle database. 4. Click Next and finish the Management Suite install.
SQL maintenance
You must regularly perform maintenance on a Microsoft SQL Server database. Over time, the indexes become very inefficient. If your database has 10,000+ clients and queries seem to be running more slowly than normal, updating statistics on all tables within the database can substantially improve query performance. On very large databases, you might want to update statistics daily. Microsoft SQL maintenance requires the SQLServerAgent service to be running on the SQL server. You may need to set the service to Automatic in the Control Panel Services applet. SQL maintenance won't run unless the SQLServerAgent service is started.
61
INSTALLATION AND DEPLOYMENT GUIDE
To set up a maintenance task 1. Click Start | Programs | Microsoft SQL Server | Enterprise Manager. 2. Click the + next to these folders: Microsoft SQL Servers, SQL Server Group, the name of your server, and Management. 3. Right-click Database Maintenance and click New Maintenance Plan. 4. In the Database Maintenance Plan dialog, click Next. 5. In the Select Databases dialog, select These databases and select the checkbox for your database. Click Next. 6. In the Update Data Optimization Information dialog, click Reorganize data and index pages. 7. Set the Change free space per page percentage to option to 10. 8. Click the Change button next to the Schedule window. 9. In the Edit Recurring Job Schedule dialog, select the schedule you want for maintenance. We suggest you perform the maintenance at least weekly at a time when there will be minimal database activity. 10. Click OK. 11. In the Database Integrity Check dialog, select these options: Check database integrity and Include indexes, and click Next. 12. In the Specify the Database Backup Plan dialog, specify your own backup schedule and click Next. 13. In the Specify the Transaction Log Backup Plan dialog, specify your own backup schedule and click Next. 14. In the Reports to Generate dialog, select the Write report to a text file in directory option and click Next. 15. In the Maintenance Plan History dialog, select the Write history to the msdb.dbo.sysdbmaintplain_history table on this server option. 16. Set the Limit rows in the table to option to 1000. 17. Click Next. 18. In the Completing the Database Maintenance Plan dialog, enter a Plan name and click Finish.
62
PHASE 2: PREPARING YOUR DATABASES
Oracle database configuration
After installing an Oracle database, do the following: 1. Create a tablespace for LANDesk Management Suite Setup to use. 2. Create a user with the following system rights for the LANDesk Management Suite Setup to use: • • • • • • • • • Create Procedure Create Sequence Create Session Create Table Create Trigger Create Type Create View Force Transaction Unlimited Tablespace
3. Set the user's default tablespace to the tablespace created for Management Suite use. 4. On the core server, create a TNS entry for the Oracle instance.
Oracle performance tuning suggestions and scripts
Like any DBMS, Oracle should be tuned to help increase performance. The first step in increasing performance is to make sure sufficient hardware is allocated for the Oracle instance. If your database has 10,000+ clients and queries seem to be running more slowly than normal, updating statistics on the all tables and indexes in the database can substantially improve query performance. On very large databases, you might want to update statistics daily.
Miscellaneous Oracle issues
The following sections contain specific issues that you should review to get optimal performance when using an Oracle database with Management Suite. TNS Names Use Oracle's SQL Net Easy Configuration tool to create a TNS entry on the core server that points to the physical location of the Oracle database. The configuration tool adds an entry into $ORACLE_HOME/Network/ADMIN/TNSNames.ora file. Because each console relies on the core server to provide a database connection string, and because Oracle uses TNS names, each console must have the Oracle client installed with an identically named TNS name that exists on the core server. You must run the SQL Net Easy Configuration tool on each console to set up a TNS name.
63
INSTALLATION AND DEPLOYMENT GUIDE
You must create an Oracle TNS name entry on the console If you don't create an Oracle TNS name entry on the console computer, the console won't be able to communicate with the database. If services fail to start using Oracle If the LANDesk services are failing to start and checking the event log shows errors about “Adapter initialization failures” or “Adapter Authentication failures,” change the following file: $ORACLE_HOME/network/admin/sqlnet.ora Change: SQLNET.AUTHENTICATION_SERVICES = (NTS) To: SQLNET.AUTHENTICATION_SERVICES = (NONE) Using Oracle 9.2.0.1 with the Web console If you use an Oracle 9.2.0.1, there is an Oracle install bug that doesn't set the proper permissions for authenticated users (which IIS uses). Follow these steps to fix it. 1. Log in to Windows as a user with administrator privileges. 2. Launch Windows Explorer from the Start menu and navigate to the ORACLE_HOME folder. This is typically the "Ora92" folder under the "Oracle" folder (i.e. D:\Oracle\Ora92). 3. From the ORACLE_HOME folder's shortcut menu, click Properties. 4. Click the Security tab. 5. In the Name list, click Authenticated Users. On Windows XP, the Name list is called Group or user names. 6. In the Permissions list under the Allow column, clear the Read and Execute option. On Windows XP, the Permissions list is called Permissions for Authenticated Users. 7. Re-check the Read and Execute option under the Allow column (this is the box you just cleared). 8. Click Advanced and, in the Permission Entries list, make sure you see the Authenticated Users listed there with Permission = Read & Execute and Apply To = This folder, subfolders and files. If this isn't the case, edit that line and make sure the Apply onto box is set to This folder, subfolders and files. This should already be set properly, but it's important that you verify this. 9. Click the OK until you close out all of the security properties windows. 10. Reboot your server to make sure that these changes have taken effect.
64
PHASE 2: PREPARING YOUR DATABASES
LANDesk Software support and DBMS issues
LANDesk Software customer support is committed to helping you resolve database issues for LANDesk Management Suite. Some issues may require additional assistance from the database vendor or through an approved third party. The database support that LANDesk Software customer support won't provide includes, but is not limited to, the following: • • • • • • Configuring the DBMS with additional parameters for performance or other reasons Creating scripts Configuring an existing DBMS installation to work with Management Suite Restricting rights or perform other user maintenance Backing up the databases Repairing corrupt databases
If you call LANDesk Software customer support, support personnel will attempt to do the following: • • • • Isolate the problem Verify that the specified DBMS parameters are correct Verify that Management Suite is working correctly Verify that Management Suite works with MSDE
If, at this point, the DBMS still doesn't work, you may need to either reinstall the DBMS or resolve the issue through other means.
65
Phase 3: Installing the core, console, and rollup core
This phase focuses on installing the core server, console, and core rollup. During this installation, you'll use the information you recorded in "Phase 1: Designing your management domain." If you haven't completed all the tasks in the preceding phases, do so before beginning this phase. In phase 3, you'll learn about: • • • • • Selecting components to install Installing the core server and console Installing additional consoles Managing databases after installation Using the database Rollup Utility
The installation of the components outlined in this phase requires about 1-3 hours. If you're creating multiple domains, we recommend that you successfully complete the installation and deployment of one management domain before creating another. Make sure you review the system requirements described in "Phase 1: Designing your management domain."
67
INSTALLATION AND DEPLOYMENT GUIDE
Selecting components to install
During LANDesk Management Suite Setup, you'll need to select which components you want to install. • • Core: The server that acts as the central location for Management Suite software. Console: The primary interface for Management Suite. By default, this is installed on the core. To install consoles on other computers, you should install the console from your core server as described in "Installing additional consoles" in Phase 3. OS Deployment and Profile Migration: Deploys operating systems and migrates operating system profiles. Web console: Web-based interface for Management Suite. Not all features are available from the Web console. Rollup core: A database separate from the core server that summarizes information from multiple core servers. Rollup cores allow you to exceed the core limit of approximately 10,000 clients. You must schedule rollup core updates to synchronize the rollup core database with each core server's core database.
• • •
68
PHASE 3: INSTALLING THE CORE, CONSOLE, AND ROLLUP CORE
Installing the core server and console
To install the core server and console At the Windows 2000/2003 server you've selected to be your core server and console: 1. Insert the LANDesk Management Suite CD into the CD-ROM drive or run AUTORUN.EXE from your installation image. The Autorun feature will display a Welcome screen. 2. Click Verify Core System Requirements to run the system requirements checker. Make sure all requirements pass. 3. Click Install LANDesk Management Suite to run the Setup program. 4. Select the language you want Setup to install. 5. A Welcome screen for LANDesk Management Suite Setup appears. Click Next to continue. 6. On the License Agreement screen, if you agree click I accept the terms in the license agreement to continue. 7. Accept the default destination folder by clicking Next. 8. Select the components you want and click Next to continue. For most core servers we recommend all components except the Rollup core, which must be installed on a different server. 9. Select the database you want to use, either a new MSDE database, a usersupplied database that you've already configured, or a previous existing Management Suite database. 10. If you're using a user-supplied database: on the User-supplied Database Configuration page, enter the database information. If the database is Oracle, select that option. Enter the Server and Database names, and the User and Password that Management Suite should use to authenticate to the database. In the case of SQL Server, Management Suite uses SQL server authentication and a requires credentials for a user with db_owner privileges. OR If you're using the default database: on the Management Database: MSDE settings page, enter an MSDE database password. Remember this password or write it down. You'll need it later. Click Next to continue. 11. If you selected OS Deployment & Profile Migration, click next on the Windows 98 and Windows NT 4 CD prompts. You'll need to browse to the directory the browse dialog prompts you for. 12. Enter an organization and certificate name for the core server's security certificate. This information helps name and describe the certificate. Click Next. 13. On the Ready to Install the Program page, click Install. Management Suite will start installing. 14. The Installation Wizard Complete dialog appears when Setup is done. 15. If you want to import settings from a previous version of Management Suite, select that option to launch the migration process when you click Finish. 16. Click Finish. 17. Setup will prompt you to restart the server. You must click Yes to finish Setup. When the server restarts, you'll notice after you log in that Setup will run for a few more minutes while it finishes the installation. Setup won't prompt you for any more information during the first reboot.
69
INSTALLATION AND DEPLOYMENT GUIDE
When installing an MSDE core database on a Windows 2003 Server, Windows may interrupt Management Suite Setup and ask if it's OK to open Setup.exe. If you see this prompt, click Open or Management Suite won't be installed correctly.
70
PHASE 3: INSTALLING THE CORE, CONSOLE, AND ROLLUP CORE
Activating the core server
LANDesk Software uses a central licensing server at LANDesk Software to help you manage your core server's product and node licenses. To use the LANDesk products, you must obtain from LANDesk a user name and password that will activate the core server with an authorized certificate. Activation is required on each core server before you can use LANDesk products on that server. You can activate each core server either automatically by the Internet or manually by e-mail. You may need to reactivate a core server in the event that you significantly modify its hardware configuration. On a periodic basis, the activation component on each core server will generate data regarding: • • • The precise number of nodes you're using The non-personal encrypted hardware configuration The specific LANDesk Software programs you're using (collectively, the "node count data”)
No other data is collected or generated by the activation. The hardware key code is generated on the core server using non-personal hardware configuration factors, such as the size of the hard drive, the processing speed of the computer, and so on. The hardware key code is sent to LANDesk in an encrypted format, and the private key for the encryption resides only on the core server. The hardware key code is then used by LANDesk Software to create a portion of the authorized certificate. After installing a core server, use the Core Server Activation utility (Start | All Programs | LANDesk | Core Server Activation) to either activate it with a LANDesk account associated with the licenses you've purchased or with a 45-day evaluation license. The 45-day evaluation license is for 100 nodes. There are two types of licenses, client and server. Any time you install Management Suite agents on a server operating system, such as Windows 2000 Server or Windows 2003 Server, that installation consumes a Management Suite license for a server. Rollup core servers don't need to be activated. You can switch from a 45-day evaluation to a paid license at any time by running the Core Server Activation utility and entering your LANDesk Software username and password. Each time the node count data is generated by the activation software on a core server, you need to send the node count data to LANDesk Software, either automatically by the Internet or manually by e-mail. If you fail to provide node count data within a 30-day grace period after the initial node count verification attempt, the core server may become inoperative until you provide LANDesk with the node count data. Once you send the node count data, LANDesk Software will provide you with an authorized certificate that will allow the core server to work normally once again. Once you've activated a core server, use the Management Suite console's Configure | Product Licensing dialog to view the products and the number of authorized nodes purchased for the account the core server authenticates with. You can also see the date the core server will verify node count data with the central licensing server. The core server doesn't limit you to the number of authorized nodes you purchased.
71
INSTALLATION AND DEPLOYMENT GUIDE
You can view information about the licenses you're using by visiting the LANDesk Software licensing site at www.landesk.com/contactus.
About the Core Server Activation utility
Use the Core Server Activation utility to: • • • Activate a new server for the first time Update an existing core server or switch from a trial-use license to a full-use license Activate a new server with a 45-day trial-use license
Start the utility by clicking Start | All Programs | LANDesk | Core Server Activation. If your core server doesn't have an Internet connection, see "Manually activating a core or verifying the node count data" later in this section. Each core server must have a unique authorized certificate. Multiple core servers can't share the same authorization certificate, though they can verify node counts to the same LANDesk account. Periodically, the core server generates node count verification information in the "\Program Files\LANDesk\Authorization Files\LANDesk.usage" file. This file gets sent periodically to the LANDesk Software licensing server. This file is in XML format and is digitally signed and encrypted. Any changes manually made to this file will invalidate the contents and the next usage report to the LANDesk Software licensing server. The core communicates with the LANDesk Software licensing server via HTTP. If you use a proxy server, click the utility's Proxy tab and enter your proxy information. If your core has an Internet connection, communication with the license server is automatic and won't require any intervention by you. Note that the Core Server Activation utility won't automatically launch a dial-up Internet connection, but if you launch the dial-up connection manually and run the activation utility, the utility can use the dial-up connection to report usage data. If your core server doesn't have an Internet connection, you can verify and send the node count manually, as described later in this section.
Activating a server with a LANDesk Software account
Before you can activate a new server with a full-use license, you must have an account set up with LANDesk Software that licenses you for the LANDesk Software products and number of nodes you purchased. You will need the account information (contact name and password) to activate your server. If you don't have this information, contact your LANDesk Software sales representative. To activate a server 1. Click Start | All Programs | LANDesk | Core Server Activation. 2. Click Activate this core server using your LANDesk contact name and password. 3. Enter the Contact name and Password you want the core to use. 4. Click Activate.
72
PHASE 3: INSTALLING THE CORE, CONSOLE, AND ROLLUP CORE
Activating a server with a trial-use license
The 45-day trial-use license activates your server with the LANDesk Software licensing server. Once the 45-day evaluation period expires, you won't be able to log in to the core server, and it will stop accepting inventory scans, but you won't lose any existing data in the software or database. During or after the 45-day trial use license, you can rerun the Core Server Activation utility and switch to a full activation that uses a LANDesk Software account. If the trial-use license has expired, switching to a full-use license will reactivate the core. To activate a 45-day evaluation 1. Click Start | All Programs | LANDesk | Core Server Activation. 2. Click Activate this core for a 45-day evaluation. 3. Click Evaluate.
Updating an existing account
The update option sends usage information to the LANDesk Software licensing server. Usage data is sent automatically if you have an Internet connection, so you normally shouldn't need to use this option to send node count verification. You can also use this option to change the LANDesk Software account the core server belongs to. This option can also change a core server from a trial-use license to a full-use license. To update an existing account 1. Click Start | All Programs | LANDesk | Core Server Activation. 2. Click Update this core server using your LANDesk contact name and password. 3. Enter the Contact name and Password you want the core to use. If you enter a name and password that's different than the one used to originally activate the core, this switches the core to the new account. 4. Click Update.
Manually activating a core or verifying the node count data
If the core server doesn't have an Internet connection, the Core Server Activation utility won't be able to send node count data. You'll then see a message prompting you to send activation and node count verification data manually through e-mail. Email activation is a simple and quick process. When you see the manual activation message on the core, or if you use the Core Server Activation utility and see the manual activation message, follow these steps.
73
INSTALLATION AND DEPLOYMENT GUIDE
To manually activate a core or verify the node count data 1. When the core prompts you to manually verify the node count data, it creates a data file called activate.xml in the "\Program Files\LANDesk\ManagementSuite" folder. Attach this file to an e-mail message and send it to [email protected]. The message subject and body don't matter. 2. LANDesk Software will process the message attachment and reply to the mail address you sent the message from. The LANDesk Software message provides instructions and a new attached authorization file. 3. Save the attached authorization file to the "\Program Files\LANDesk\Authorization Files" folder. The core server immediately processes the file and updates its activation status. If the manual activation fails or the core can't process the attached activation file, the authorization file you copied is renamed with a .rejected extension and the utility logs an event with more details in the Windows Event Viewer's Application Log.
Logging in to the console
After you've rebooted the core server and Setup has finished, start the console by clicking Start | Programs | LANDesk | LANDesk Management Suite 8. Once the console starts, you'll see the console login window. Management Suite 8 uses Windows authentication to permit access to the console. Only members of the Windows LANDesk Management Suite group on the core server can log on to the console. By default, Setup added the user you were logged in as when you installed the core to the LANDesk Management Suite group. If you want other users to be able to access the console, add them to this group. Management Suite 8 also introduces role-based administration, where you can configure what clients and features other Management Suite console users have access to. For more information, see "Role-based administration" in chapter 1 of the User's Guide.
74
PHASE 3: INSTALLING THE CORE, CONSOLE, AND ROLLUP CORE
Installing additional consoles
By default, the core server is set up as a console (unless you cleared the console option during installation). If you want additional consoles, read the system requirements below and follow the instructions. • • • • • • Windows 2000 Professional or Advanced Server with SP 4 Windows XP Professional with SP 1 Pentium III processor minimum; Pentium 4 processor recommended 256 MB of RAM 180 MB of free disk space Microsoft Internet Explorer 5.5 or 6.x
If you install from a mapped drive You must make it a permanent mapping that will reconnect when you reboot. To install additional consoles At the computer you're installing the console files on: 1. Log in to the computer you're installing to with an account that has administrator rights. 2. Map a drive to the LDMAIN share on the core server. 3. From the Install\Console folder, run SETUP.EXE. 4. Complete Setup. This runs the console installation program from the core server. Either accept the default installation folder, or browse for an acceptable location. You should always install additional consoles directly from the core server, rather than using your original LANDesk Management Suite 8 installation source. If you apply any patches to Management Suite that require console updates, those patches will automatically update the console installation files on the core server. On additional consoles attaching to an Oracle database, an entry for the core database needs to be created in the TNSNAMES.ORA. If you don't do this, an Oracle TNS error will occur indicating the connection was not made. You can create these entries with Oracle's Net Configuration Assistant tool. The definition in TNSNAMES.ORA must exactly match the name stored in this registry key on the core server: HKLM\SOFTWARE\LANDesk\ManagementSuite\Core\Connections\local
75
INSTALLATION AND DEPLOYMENT GUIDE
Setting additional console permissions
By default, Management Suite Setup creates the LANDesk Management Suite group and gives it read, read/execute, and list files rights on the LDMAIN (C:\Program Files\LANDesk\ManagementSuite) share. You should add users needing additional console access to this group. Setup also creates these shares: • • • LDLOGON: The main file share clients use. Contains the client setup files and inventory scanner files, among other things. LDLOG: The results of all scheduled tasks. SCRIPTS: All scripts available from the Manage Scripts window.
Verifying a successful installation
With the installation of the core server and consoles complete, you can now use the Management Suite console. To verify successful installation 1. Click Start | Settings | Control Panel | Administrative Tools | Services and confirm that these services have started on the Windows NT/2000 core server: • • • • • • • • • • • Intel Alert Handler Intel Alert Originator Intel PDS Intel QIP Server Service Intel Scheduler LANDesk Device Monitor LANDesk Activation Service LANDesk Management Agent LANDesk Usage Service LANDesk Inventory Server LANDesk Management Agent
2. Start the console by clicking Start | Programs | LANDesk | Management Suite. 3. Log in and view inventory to confirm that the core server has been scanned into the core database.
76
PHASE 3: INSTALLING THE CORE, CONSOLE, AND ROLLUP CORE
Managing databases after installation
If you've installed more than one core server, you can: • • Install a rollup core Use the database Rollup Utility
Installing a rollup core
You can use a rollup core to to combine the data from multiple core servers. Rollup cores allow you to exceed the core limit of approximately 10,000 clients. You must schedule rollup core updates to synchronize the rollup core database with each core server's core database. Using the Management Suite Web console, you can then manage clients in the rollup core using queries, software distribution, remote control, and the other features the Web console supports. Before installing a rollup core, you need to have configured an additional Oracle or SQL Server rollup database server as described in "Phase 2: Preparing your databases." Management Suite Setup's rollup option will prompt you for information about the database you've set up. To install a rollup core 1. Set up a rollup core server and database. Install the database as described in Phase 2: Preparing your databases. 2. Log in to the rollup core server with an account that has administrator rights. 3. Map a drive to the LDMAIN share on the core server. 4. From the Install\Rollup Core folder, run the Rollup Core shortcut. 5. Proceed through Setup, and make sure you select the Rollup core component. 6. Finish Setup.
Using the database Rollup Utility
The database Rollup Utility (DBROLLUP.EXE) enables you to take multiple source core databases and combine them into a single destination core rollup database. A core server database can support about 10,000 clients, and the rollup core client limit depends on your hardware and acceptable performance levels. The source database can be either a core server or a rollup core server. The system requirements for a destination database may be substantially greater than the system requirements for a standard database. These requirements can vary considerably depending on your network environment. If you need more information about hardware and software requirements for your destination database, contact your LANDesk Software support representative. Setup installs the database Rollup Utility automatically with the rollup core. The Rollup Utility uses a pull mechanism to access data from cores you select. For database rollups to work, you must already have a drive mapped to each core you want the Rollup Utility to get data from. The account you connect with must have rights to read the core server's registry.
77
INSTALLATION AND DEPLOYMENT GUIDE
The Rollup Utility checks with a registry key on the core server for database and connection information (HKLM\SOFTWARE\LANDesk\ManagementSuite\Core\Connections\local) and uses that key's information to access the database associated with each core you add to the Rollup Utility. For Oracle databases, the TNS definition on the server you're running the Rollup Utility from must match the TNS definition on the core server the utility is accessing. You can use the rollup utility to select the attributes you want rolled up from the cores. The attribute selections you make apply to all cores. Limiting the number of attributes shortens the rollup time and reduces the amount of data transferred during rollups. If you know you won't be querying on certain attributes, you can remove them. The Rollup Utility always rolls up the selected attribute data and Software License Monitoring data. You can't customize the Software License Monitoring rollup. Rollup also doesn't include any queries or scopes you've defined. Any console users with rights to the rollup database have access to all data within that database. You can use feature-level security to limit access to Web console features. Once you've added the core servers you want to roll up and the attribute list for those servers, you can click Schedule to add a scheduled rollup script for each core server. From a Web console, you can then schedule these rollup scripts to run at the time and interval you want. Rollup scripts are only visible from the Web console and reside on the rollup core. To launch the Rollup Utility 1. On a rollup core, run the Rollup Utility (\Program Files\LANDesk\ManagementSuite\dbrollup.exe). 2. Select an existing rollup core server to manage from the list, or click New to enter the name of a new rollup core. 3. Once you select a rollup core, the Source cores list shows cores you've configured to roll up to the selected rollup core. To configure the attributes that you want to roll up 1. From the Rollup Utility, select the rollup core you want to configure. 2. Click Attributes. 3. By default, all database attributes are rolled up. Move attributes from the Selected Attributes column to the Available Attributes column that you don't want to roll up. 4. Click OK when you're done. Moving attributes to the Available Attributes column deletes associated data from the rollup database. To configure the source core servers for a rollup core 1. From the Rollup Utility, select the rollup core you want to configure. 2. Once you select a rollup core, the Source cores list shows cores you've configured to roll up to the selected rollup core. Click Add to add more cores or select a core and click Delete to remove one. Clicking delete immediately removes the selected core and all of that core's data from the rollup core database.
78
PHASE 3: INSTALLING THE CORE, CONSOLE, AND ROLLUP CORE
To schedule database rollup jobs from the Web console 1. From the Rollup Utility, select the Rollup core you want to configure. 2. In the Source cores list, select the core you want to schedule for rollup and click Schedule. If you don't select any cores, by default all cores in the list will be scheduled when you click Schedule. Clicking Schedule adds a rollup script for the selected core to the selected rollup core. 3. From a Web console, connect to the rollup core server. 4. In the left navigation pane, click Schedule rollup jobs. 5. Click the rollup script you want to schedule. The script names begin with the source core name followed by the destination rollup core name in parentheses. Click Schedule roll up. 6. Select when you want the roll up to happen and whether it should automatically reschedule or not. Click Continue to next step. 7. Verify the script schedule and click Finish.
Increasing the rollup database timeout
With large rollup databases, the Web console's query editor may time out when it tries to display a large list, such as the Software Package Name list. When this happens, the list you are trying to display won't show any data. If you experience timeouts you need to increase the database timeout value. This needs to be done wherever the IIS service or the Web console server is being installed. At the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\ManagementSuite\Core Add a new DWORD, Timeout, with a decimal value of 1800. This value is in seconds. You can adjust this value based on your query types and database performance. Stop and restart IIS for the change to take effect.
About the Rollup Utility
Use the database Rollup Utility (run from the rollup core) to manage data rollups from core servers. • • • Rollup core: You can manage multiple rollup cores from the Rollup Utility. Select the core you want to manage. You first must have a drive mapped to each rollup core. New: Click to add a new rollup core that you want to manage. You first must have a drive mapped to the rollup core you're adding. Enter the rollup core's computer name and click OK. Attributes: Click to select the attributes you want rolled up. The attributes list is global for all core servers the selected rollup core uses. Move individual attributes or attribute trees from the Selected Attributes column (these attributes will be rolled up) to the Available Attributes column (these attributes won't be rolled up). Reset database: Click to reset the selected rollup database. This deletes all data and rebuilds all tables. Add: Click to add a core that you want to include data from in the selected rollup core. Delete: Click to remove the selected core and its data from the selected rollup core's database. WARNING: This option deletes the selected core's
79
• • •
INSTALLATION AND DEPLOYMENT GUIDE
• •
data when you click OK. Data from other core servers remains in the rollup database. Schedule: Click to add a rollup script for the selected core. If you don't have a core selected in the Source Cores box, this option creates rollup scripts for all cores in the Source Cores box. Rollup: Click to do an immediate rollup from the selected core. If you don't have a core selected in the Source Cores box, this button rolls up all cores immediately. Close: Click to close the Rollup Utility.
•
Running CoreDbUtil to reset, rebuild, or update a database
The CoreDbUtil.exe utility, in the core server's \Program Files\LANDesk\ManagementSuite folder, creates all the tables, indexes, and constraints needed to use the core database. Before running CoreDbUtil.exe, you must install your database as described in "Phase 2: Preparing your databases" or the table creation may fail. CoreDbUtil.exe looks for registry keys on the core server to determine the core database connection information. CoreDbUtil doesn't work on core rollup databases. Use CoreDbUtil to: • • • Reset database: Drops all tables and rebuilds an existing core database from scratch using metadata.xml. Warning: all existing data will be lost. Build Components: Updates the schema (specifically to include column additions) in an existing core database from metadata.xml. This isn't destructive to existing data. Update Display Names: Updates the Display Name field in an existing core database for all devices in that database. This isn't destructive to existing data.
To run CoreDbUtil 1. On the core server, run CoreDbUtil.exe 2. After CoreDbUtil connects to the database, select the option you want. 3. Wait until the Status is finished. Depending on the database size and the task you chose, this could take a few minutes or several hours.
80
Phase 4: Deploying the primary agents to clients
In phase 4, you'll learn about the phased deployment of LANDesk Management Suite. Deployment is the process of expanding your management capabilities to the clients you want to include in your management domain. You deploy Management Suite by loading LANDesk agents and services onto clients. This allows you to manage them from a single, central location. In Phase 4 you'll learn about: • • • • • The phased deployment strategy Checklist for configuring clients Using a service center to deploy Remote Control, Inventory, and CBA to clients Understanding the client configuration architecture Reversing the client configuration process
81
INSTALLATION AND DEPLOYMENT GUIDE
The phased deployment strategy
Phased deployment is based on three principles: 1. Deploy the Management Suite components that have the least impact on your existing network first; then progress to the components that have the most impact. 2. Confirm that the functionality of each deployed component is stable on all client types before continuing to the next stage. 3. Proceed through the deployment of Management Suite in well-planned phases, rather than deploying all components at once, which may complicate any required troubleshooting. If you've completed the first three phases, you're ready to begin this final phase of deploying Management Suite to your servers, laptops, and desktop computers.
Checklist for configuring clients
There are three ways to configure clients: • • Manual configuration: Map a drive to the core server's LDLogon share and run WSCFG32.EXE, the client configuration program. The components that are deployed to the client must be selected interactively. Login script-based configuration: Use the Client Setup wizard to define a client configuration (with the default option set to Yes). This configuration will be applied to clients as they log in. In the case of Windows NT/2000/2003/XP clients, end users need administrative rights to their computers. Push-based configuration: Use the Client Setup wizard to define a client configuration. Use the Scheduled Tasks window to push the configuration to the clients. In the case of Windows 95/98 clients, the Management Suite CBA agent must already be present.
•
Obviously, manual configuration is not practical in a large environment where many clients must be configured. In this initial phase of the client deployment, with no agents present on the clients, login script-based configuration is the only option for Windows 95/98 clients. For Windows NT/2000/2003/XP clients, either login scriptbased or push-based configuration will work, but login script-based configuration is often impractical because it requires end users to have administrative rights to their computers. Regardless of the way you're configuring clients, make sure you've used the Client Setup wizard to create the client configuration you want to deploy. Particularly in bandwidth-sensitive environments, you should deploy the most important or most heavily used agents first, then gradually adding the other software as you verify that your system is stable with the new additions.
82
PHASE 4: DEPLOYING THE PRIMARY AGENTS TO CLIENTS
For the initial deployment, we recommend that you first deploy the primary agents: • • • • Common Base Agent Enhanced Software Distribution Inventory Scanner Remote Control
To create the primary agent client configuration Click Tools | Client Setup. Double-click the Add client Configuration icon. Enter a Configuration name. Under Components to install, we recommend at a minimum that you click Common Base Agent, Enhanced Software Distribution, Inventory Scanner, and Remote Control. 5. Click Next and proceed through the wizard, customizing the options you selected. Click Help for more information if you have questions about a page. 6. Make the configuration default by selecting that option at the end of the wizard or by clicking your configuration in the Client Setup window, and from its shortcut menu clicking Set as Default. For more information about deploying to clients, see "Understanding the client configuration architecture" at the end of this chapter. 1. 2. 3. 4.
83
INSTALLATION AND DEPLOYMENT GUIDE
Deploying to Windows NT/2000/2003/XP clients
Though the login script-based configuration is usually the method of choice for Windows 95/98 clients, this method is often impractical for Windows NT/2000/2003/XP clients, because it requires end users to have administrative rights to their computers. In most companies, end users do not have such rights. Fortunately, Management Suite also supports a scheduled, push-based configuration method. In the case of a Windows NT/2000/2003/XP client, the push-based method does not require CBA to be already present on the client. To enable a push-based configuration of Windows NT/2000/2003/XP clients not already running CBA, the Scheduler service that runs on the core server must be set up as follows: 1. In the console, click Configure | Services, then click the Scheduler tab. 2. Click Change login. 3. In the Username and Password field, specify a domain administrator account (in the format domain\username). 4. Stop and restart the Scheduler service. 5. Schedule the configurations. You can specify the domain administrator when configuring Windows NT/2000/2003/XP members that belong to the same domain as the core server. To configure Windows NT/2000/2003/XP clients in other domains, you must set up trust relationships. Remember that the account identified in step 3 above is also the account under which the Scheduler service will run on the core server. Make sure the account has the Log on as a service right. If a push configuration of a Windows NT/2000/2003/XP client fails and displays a message that says "Cannot Find Agent," try the steps listed below to identify the problem. These steps mimic the Scheduler's actions during a push configuration. 1. Find the username under which the Intel Scheduler service is running. 2. On the core server, log in with the username you found in step 1. 3. Map a drive to \\client name\C$. (This step is the one most likely to fail. It may fail for two reasons. Most likely, you don't have administrative rights to the client. If you do have administrative rights, it's possible that the client's administrative share (C$) is disabled.) 4. Create a directory \\client name\C$\$ldtemp$ and copy a file into it. 5. Use the Windows NT/2000/2003/XP Service Manager and try starting and stopping services on the client.
Deploying to Windows XP clients using local accounts
Windows XP's default setting forces network logins that use a local account to log in using the guest account instead. If you aren't using a domain-level administrative account and are using a local account for the Scheduler service, scheduled tasks will fail because the Scheduler service won't be able to authenticate. You can work around this by using the following procedure:
84
PHASE 4: DEPLOYING THE PRIMARY AGENTS TO CLIENTS
To change the default Windows XP security model for local accounts 1. On the Windows XP target client, click Start | Control Panel | Administrative Tools | Local Security Policy. 2. Click Local Policies > Security Options. 3. In the right hand pane, double-click Network Access: Sharing and Security Model for local accounts. Select Classic - Local users authenticate as themselves and click OK.
Upgrading clients that use older Management Suite agents
LANDesk Management Suite 8 can communicate with Management Suite 6.62 and 7 client agents, but these older clients won't be able to benefit from the new features, including Targeted Multicast, peer download, and dynamic bandwidth throttling. Older clients also won't be able to use Management Suite 8's new certificate-based security model. To upgrade clients that aren't in your version 8 database, you can use Unmanaged Device Discovery with the CBA option. Once clients are in the database, you can use the Scheduled Tasks window to deploy a new version 8 client configuration. You don't need to uninstall the previous 6.62+ client agents first.
85
INSTALLATION AND DEPLOYMENT GUIDE
Using a service center to deploy Remote Control, Inventory, and CBA to clients
This section includes background information about setting up Client Deployment services and instructions for completing the deployment of Remote Control, Inventory, and CBA. These instructions are organized based on the type of server you're deploying to. These are the categories: • • Deploying Remote Control, Inventory, and CBA to clients of a Windows NT/2000/2003 server Deploying Remote Control, Inventory, and CBA to clients of a NetWare server
If you'll be using service centers, there are two steps to deploying Remote Control, Inventory, and CBA to clients: 1. Set up a Client Deployment service center. 2. Assign the login scripts created by the Client Deployment service to the users you want to configure with these components.
Setting up a Client Deployment service center
A Client Deployment service center provides an easy method for deploying Management Suite agents to Windows clients. When you set up a Client Deployment service, login scripts are automatically created. You then need to assign clients the appropriate script in order for them to be configured. In accordance with the phased deployment strategy, you should initially limit the agents deployed to the clients. For the initial rollout, we recommended that you create a client configuration that includes CBA (the agent that provides communication with the core server), the Remote Control agent, and the Inventory agent. The Service Center wizard uses the settings for each component that you establish in the Client Setup wizard. The Client Setup wizard lets you specify the settings for each component you deploy. If you don't establish these settings in the Client Setup wizard before running the Service Center wizard, the default settings will be used. To create a client configuration 1. In the console, click Tools | Client Setup. 2. Double-click the Add new client configuration icon. 3. In the Client Setup wizard's Install components page, select the Common Base Agent, Inventory Scanner, and Remote Control components. 4. Proceed though the pages, making changes as necessary and clicking Next. Click Help for information on each page. 5. At the end of the wizard, click Set as default configuration. 6. Click Finish to complete the wizard.
86
PHASE 4: DEPLOYING THE PRIMARY AGENTS TO CLIENTS
Creating configurations with a Client Deployment service center
Each time you create a Client Deployment service center, you also create a client configuration that consists of a unique combination of components. These are the components you can deploy to clients: • • • • • • • • • • • • • Application Healing Application Policy Management Bandwidth Detection Common Base Agent Custom Data Forms Enable Migration Tasks Enhanced Software Distribution Inventory Scanner Local Scheduler Remote Control Software Monitoring Targeted Multicasting Task Completion
The first recommended client configuration is Remote Control, Inventory, and CBA. Other configurations are created using a Client Deployment service as you progress through this final phase.
Estimated completion time
You should deploy Remote Control, Inventory, and CBA to clients gradually. Be sure that your sampling of users is representative of the types of computers, configurations, and operating systems used in your environment. You should plan on taking a few days to complete this process, depending on how many Client Deployment services you create and how many clients you're deploying to. Necessary rights for configuring Windows NT/2000/2003/XP clients For users running Windows NT/2000/2003/XP, you must add their domain login name to the local Administrator Group on their own computers. This grants the necessary rights to users so that the Windows NT/2000/2003/XP login scripts will run. You can also use the Client Setup wizard and Scheduled Tasks window to enable Windows NT/2000/2003/XP clients for management. For more information on the Client Setup wizard, see chapter 2 of the User's Guide.
87
INSTALLATION AND DEPLOYMENT GUIDE
Deploying Remote Control, Inventory, and CBA to clients of a Windows NT/2000/2003 server
You can deploy Remote Control, Inventory, and CBA to clients of a Windows NT/2000/2003 server by creating a service center. To set up the Client Deployment service on a Windows NT/2000/2003 server PDCs and Windows 2000 Client Deployment service centers If you're installing a Client Deployment service on a Windows 2000 server, you must install to a primary domain controller (PDC) or backup domain controller (BDC). Only the PDC or BDC can run the domain-level login scripts that are created by a Windows 2000 Client Deployment service center. 1. Obtain Administrator rights on the target server. 2. At the console, select the Windows NT/2000/2003 server on which you'll install the Client Deployment service. 3. From the server's shortcut menu, click Service Center. 4. Click Next on the Service Center wizard welcome page. 5. Select the Client Deployment service and click Next. 6. Enter the Core server name and click Next. 7. Select Remote Control, Inventory, and Common Base Agent. Click Next. 8. Specify a directory on this server where you will install Management Suite files. Click Next. 9. Finish the wizard, customizing any options you want. The wizard creates batch files that must be assigned to users before their computers can be configured for manageability. For details, refer to the next section, "Using the Windows NT/2000/2003 login scripts."
Using the Windows NT/2000/2003 login scripts
A Windows NT/2000/2003 Client Deployment service creates an IPSETUP.BAT batch file that must be added to the profile login script of each user you want to manage. This batch file is copied to %system root\system32\repl\import\scripts on the core server. On Windows 2000 Client Deployment service centers, this batch file is stored in %system root\SYSVOL\Sysvol\Scripts\LANDesk. You must also copy these files from the core's LDLogon directory to the client deployment server's scripts directory: • • ISDOSBOX.EXE NBPSHPOP.EXE
Assign the appropriate login script to a user according to the computer's network protocol. Some other scripts are installed to allow backward compatibility with earlier LANDesk products.
88
PHASE 4: DEPLOYING THE PRIMARY AGENTS TO CLIENTS
If the client is running Windows NT/2000/2003/XP Users must have administrator privileges on their computers to install components with a login script. If users don't have administrative rights, consider using the pushbased configuration method. These are the actions that each batch file performs: • • • • • Determines the name of the client Determines the operating system of the client Downloads the configuration for that operating system to the client(1-2 minutes) Updates the startup procedure for the client to load the components Notifies the user to restart the client
To assign a Windows NT logon script 1. On the domain server, click Start | Programs | Administrative Tools | User Manager. 2. Select the users to be configured for manageability. From the User drop-down list, click Properties. 3. Click Profile. 4. In the Logon Script Name field, type the name of the logon script you want to use (don't include a path), then click OK. To assign a Windows 2000 logon script 1. 2. 3. 4. 5. Open the Windows 2000 MMC Group Policy snap-in. In the console tree, click Scripts. In the Details pane, double-click Logon. Click Add. Type the name of the logon script you want to use, then click OK.
This assigns the batch file to be the user's login script. On next log on, the batch file will: • • Scan the client into the Inventory database (if Inventory is selected) Configure the client with the LANDesk agents so that you can manage it
To assign a Windows NT/2000/2003 logon script to a user with a preexisting logon script At the client that you want to receive the login script: 1. Open a DOS box and run Edit. 2. Edit the existing login script to include this line: @call ipsetup.bat (for IP environments) When the user authenticates to the Windows NT/2000/2003 server, the assigned login script configures the client for manageability.
89
INSTALLATION AND DEPLOYMENT GUIDE
Deploying Remote Control, Inventory, and CBA to clients of a NetWare server
You can deploy Remote Control, Inventory, and CBA to clients of a NetWare server by creating a service center. Before you can make a NetWare server a service center, you need to run a utility on it so the server appears in the network view. To add a NetWare server to the network view 1. Connect to the target server with administrative rights 2. Open a command prompt from your core server's LDMAIN share. 3. At the command prompt, enter: AddNetWareSC <NetWare_Servername> Where <NetWare_Servername> is the name of your NetWare server. 4. Refresh the console's network view to verify the NetWare server is there. To set up the Client Deployment service on a NetWare server You must be logged in with administrator rights on the target server and have the NetWare Client 32 installed. 1. At any console, use the network view to select the NetWare server on which you want to install the Client Deployment service. 2. From the server's shortcut menu, click Service Center. 3. Click Next on the Service Center wizard welcome page. 4. Select the Client Deployment service and click Next. 5. Select Remote Control, Inventory, and Common Base Agent. Click Next. 6. If you've selected an NDS server, enter the name of the NDS container for the users you want to configure. 7. In the Service center name field, type the name of the service center you want to use for the clients of this server. (If the selected server doesn't already have management services installed, the core server is your default service center.) Click Next. 8. Click Yes to add the inventory scanner to your Windows Startup group; then you can verify the options you selected. 9. Use the Edit Startup Script page to edit the startup script if necessary. 10. Click Next to complete the wizard. 11. The wizard creates two NetWare groups that have corresponding login scripts. Users must be placed in a group before their computers can be configured for manageability. For details, refer to the next section, "Using the NetWare login scripts."
90
PHASE 4: DEPLOYING THE PRIMARY AGENTS TO CLIENTS
Using the NetWare login scripts
The Service Center wizard creates these groups when you set up Client Deployment on a NetWare server: Group LANDESKIPGROUP Use to configure. . . Clients using the TCP/IP network protocol.
LANDESKIPXGROUP Clients using the IPX/SPX network protocol. LANDesk Management Suite 8 doesn't support this. If you're administering a NetWare network, you can use a single login script to configure all of the clients on the network by adding users to the NetWare LANDESKIPGROUP group. To assign a NetWare login script • Use your Novell network administrator tools to populate the LANDESKIPGROUP with the users you want to manage.
When you add a user to this group, on next login the client is: • • Scanned into the core database (if Inventory is selected) Configured with the LANDesk agents so that you can manage it
The Management Suite login scripts are appended to the system or container login script.
Verifying successful completion of Remote Control, Inventory, and CBA deployment
To verify that you've successfully deployed Remote Control, Inventory, and CBA to clients, confirm that you can do the following tasks from within the console. If you need additional information to complete these tasks, refer to the chapters in the User's Guide that correspond to the respective features. Remote Control • • • Select a user and remote control his or her computer. Do this for a sampling of users. Perform all realtime access features: chat, file transfer, run program, and reboot for a sampling of users. Use the Client Setup wizard to create a customized configuration. Make any minor modifications to the Remote Control settings for testing purposes, then drag and drop the new configuration onto a user or group. After the clients have been re-configured, remote control a sampling of the newly configured clients and look at their version of the Remote Control settings to confirm that the changes from your customized configuration are included.
91
INSTALLATION AND DEPLOYMENT GUIDE
Inventory • • • • Perform an inventory query. Select a client, then view the inventory data for that client, as well as its configuration files. Configure the software scanning frequency. Modify a client's WIN.INI file, rescan the client, then verify that changes were recorded within the CHANGES.LOG.
CBA • In the network view, right-click a client, then click Properties to confirm that CBA installed correctly.
92
PHASE 4: DEPLOYING THE PRIMARY AGENTS TO CLIENTS
Deploying clients from the command line
You can control what components are installed on clients by using command-line parameters to override the default settings of batch files and login scripts. One way to do this is to use command-line parameters with the configuration program that is used by the batch files and login scripts, WSCFG32.EXE. You can launch WSCFG32.EXE in standalone mode. It's located in this directory on all Client Deployment service centers: (system drive)\Program Files\LANDesk\ManagementSuite\LDLogon. WSCFG32.EXE can also be found in the \\coreservername\LDLogon share, which is readable from any Windows 95/98 or Windows NT/2000/2003/XP client. WSCFG32.EXE uses one of two files to configure clients. NTSTACFG.INI is used for clients running Windows NT/2000/XP; 95STACFG.INI is used for clients running Windows 95/98. These files contain the unique client configuration you specified using the Client Deployment service. If you want to manually edit the configuration settings in these files, you can choose from these methods: • • Running the Client Setup wizard with the Set as default configuration option checked. Adding command-line parameters to WSCFG32.EXE and running it manually. For more information, see "Understanding WSFG32.EXE" later in this chapter.
93
INSTALLATION AND DEPLOYMENT GUIDE
Deploying to clients using Enhanced Software Distribution packages
You can use an Enhanced Software Distribution (ESWD) self-extracting package to install components onto clients. Clients need to have the Enhanced Software Distribution agent on them for this feature to work. To create a Client Setup configuration package 1. 2. 3. 4. Create a client configuration. In the Client Setup wizard's Finished page, check Create ESWD Package. Click Finish. Type a filename and select a location to store the package. Note that the default directory is the LDMain directory. Clients don't have access to this directory. Select the directory you're using to store packages and that clients have access to. 5. Click Save. The wizard creates the self-extracting .EXE package.
94
PHASE 4: DEPLOYING THE PRIMARY AGENTS TO CLIENTS
Understanding the client configuration architecture
Management Suite has logic in the client configuration files that works with 32-bit clients. Here is a simple view of the process that is used to configure Windows 95/98 and Windows NT/2000/2003/XP clients.
Configuring Windows clients
When you assign a Windows NT/2000/2003 login script (that is, IPSETUP.BAT) to a user, the batch file launches an executable called LDLogon\WSCFG32.EXE. This executable takes all instructions for how to configure clients from either the 95STACFG.INI file or the NTSTACFG.INI file. You will typically want to use the Client Setup wizard to change the settings in 95STACFG.INI and NTSTACFG.INI. When you create a client configuration using the wizard and click the Set as default configuration option, the settings are saved to the 95STACFG.INI and NTSTACFG.INI files.
Understanding WSCFG32.EXE
WSCFG32.EXE is LANDesk Software's client configuration utility. It configures Windows 95/98 and Windows NT/2000/2003/XP clients for management in four steps: 1. WSCFG32 determines whether the computer has been previously configured by another LANDesk product, such as older versions of Management Suite. If it has, WSCFG32 removes the older files and reverses any other changes. 2. WSCFG32 looks for a hidden file called CCDRIVER.TXT to decide whether the client needs to be (re)configured. (The decision process WSCFG32 goes through is covered below.) If the client doesn't need to be (re)configured, WSCFG32 exits. 3. If the client does need to be (re)configured, WSCFG32 loads the appropriate initialization file (95STACFG.INI or NTSTACFG.INI) and executes the instructions contained in it. 4. WSCFG32 creates a hidden CCDRIVER.TXT file, both at the root of the C: drive and in the Windows directory. This file indicates that the client has been configured, and the date is stored in the file. WSCFG32 doesn't configure the client with every login. Remember that WSCFG32 often runs from a login script. WSCFG32 will (re)configure the client only when one of the following is true: • • • The CCDRIVER.TXT file exists neither in C:\ nor in the Windows directory. The date stored in CCDRIVER.TXT is older than the Configured On date in NTSTACFG.INI or 95STACFG.INI. A /f (force) command-line parameter was specified.
95
INSTALLATION AND DEPLOYMENT GUIDE
Using the dates as a mechanism for reconfiguration is very convenient. If you set the Configured On parameter to today's date, clients using the Management Suite login scripts will automatically be reconfigured at their next login. The Client Setup wizard sets the Configured On parameter in NTSTACFG.INI or in 95STACFG.INI to today's date when you define a new default configuration. The following command-line parameters are available for WSCFG32.EXE: Parameter /F /I= Description Force execution, ignoring the dates in CCDRIVER.TXT Components to include: CBA (Common Base Agent) RC (Remote Control) INV (Inventory Scanner) DCF (Data Collection Forms) ESD (Enhanced Software Distribution) LS (Local Scheduler) APM (Application Policy Management) TC (Task Completion) AH (Application Healing) MC (Targeted Multicasting) BW (Bandwidth Detection) SWM (Software Monitoring) EMT (Enable Migration Tasks)
Example: WSCFG32.EXE /I=CBA /IP /L or /Log= /LOGON /N or /NOUI /NOREBOOT /NOCERT /P /REBOOT /TCPIP Configure using IP Path to the CFG_YES and CFG_NO log files that log which clients were and were not configured Execute [LOGON] prefixed commands Do not display the user interface Don't reboot client when done Undo the need for digital certificate authentication, the older security method available as an option in earlier Management Suite versions. Ask for user permission to execute Force reboot after running Same as IP (see above)
96
PHASE 4: DEPLOYING THE PRIMARY AGENTS TO CLIENTS
/U /X= /CONFIG=
Remove client agents Components to exclude Example: WSCFG32.EXE /X=SD /C[ONFIG]= Specifies a client configuration file to use in place of the default 95STACFG.INI or NTSTACFG.INI files. For example, if you've created configuration files called NTTEST.INI or 95TEST.INI (depending on the operating system), then use this syntax: WSCFG32.EXE /CONFIG=TEST.INI The custom .INI files should be in the same directory as WSCFG32.EXE and note that the /config parameter uses the filename without the 95 or NT prefix.
/? or /H
Display help menu
CCDRIVER.TXT
CCDRIVER.TXT is a hidden file created by WSCFG32.EXE. WSCFG32 creates it both at the root of the C: drive and in the Windows directory. The file stores the date on which the client was configured. The purpose of CCDRIVER.TXT is to allow the client setup program (WSCFG32) to decide whether the client needs to be (re)configured. This decision is based on whether or not CCDRIVER.TXT exists, and, if it does exist, the date stored in it.
97
INSTALLATION AND DEPLOYMENT GUIDE
Reversing the client configuration process
Executing WSCFG32 with the /U command-line parameter reverses the effects of client configuration. Adding users to the NetWare LANDESKEXCLUDEGROUP automatically reverses the client configuration when group members log in. For clients of Windows NT/2000/2003 server domains, you can edit the relevant batch file (SETUP.BAT) or the login script to manually add the /F and /U parameters. You also may want to add a /N parameter to prevent the WSCFG32 UI from displaying during the uninstall. To modify a Windows NT/2000/2003 batch file 1. Switch to the scripts path of the Windows NT/2000/2003 domain server, usually: \winnt\system32\repl\import\scripts 2. In a text editor, open the batch file you want to edit. 3. Modify the batch file as needed and save your changes. To modify the NetWare login script in NetWare 6 1. 2. 3. 4. 5. Use NetWare Administrator to edit the NetWare login script. Select the container that was set up as a Client Deployment service. Right-click on the Container, then select Details. Select Login Script to edit the container login script. Modify the login script as needed, then save your changes.
98
Phase 5: Deploying other agents to clients
In phase 5, you'll learn about deploying additional Management Suite agents. As described earlier, phased deployment is based on three principles: 1. Deploy the Management Suite agents that have the least impact on your existing network first; then progress to the components that have the most impact. 2. Confirm that the functionality of each deployed agent is stable on all client types before continuing to the next stage. 3. Proceed through the deployment of Management Suite in well-planned phases, rather than deploying all components at once, which may complicate any required troubleshooting. At this point, you should have completed phase 4 and verified that Remote Control, Inventory, and CBA are working on the clients you deployed. If so, you can gradually start deploying the other Management Suite agents you want to use. These are the additional agents you can deploy: • • • • • • • • • • • • • Application Healing Application Policy Management Bandwidth Detection Common Base Agent Custom Data Forms Enable Migration Tasks Enhanced Software Distribution Inventory Scanner Local Scheduler Remote Control Software Monitoring Targeted Multicasting Task Completion
To learn more about the functionality of these agents before deploying them to clients, see the User's Guide.
99
INSTALLATION AND DEPLOYMENT GUIDE
Creating a client setup configuration
Use the Client Setup wizard to create and update client and server configurations (such as what components are installed on clients and what network protocols the client agents use). You can create different configurations for groups' specific needs. For example, you could create configurations for the clients in your accounting department or for clients using a particular operating system. For more information about each page in the Client Setup wizard, click the Help button. To create a client configuration 1. In the console, click Tools | Client Setup. 2. Double-click the Add new client configuration icon. 3. In the Client Setup wizard's Install Components page, select the components you want to deploy. 4. Proceed though the pages, making changes as necessary and clicking Next. 5. At the end of the wizard, if you want the configuration to be the default (the configuration LDLOGON\IPSETUP.BAT will install), click Set as default configuration. 6. Click Finish to complete the wizard.
Deploying Application Healing
Application Healing is an optional feature that can automatically repair files that might be damaged or missing from client applications. If you intend to use Application Healing, you must build a software distribution package for each piece of software you want the ability to heal. In the instances of damage that Application Healing can repair, the agent verifies that all of the necessary files exist on the client for any application it's healing. The Application Healing agent detects and restores the missing or damaged files, enabling the targeted application to execute and function properly again. Application Healing requires the Common Base Agent and Enhanced Software Distribution components. When you select the Application Policy Management or Application Healing agents, you'll also see a Client Status TCP Port page. This is the port clients use to communicate status to the core server. By default, this port is 12175.
Deploying Application Policy Management
The Application Policy Management (APM) agent enables you to automatically install sets of applications on groups of clients that have common software needs. Application Policy Management requires the CBA and Enhanced Software Distribution components.
100
PHASE 5: DEPLOYING OTHER AGENTS TO CLIENTS
You can configure policies to enable applications to be pulled by clients, based either on client name or logged-in users. You can set required policies to install or reinstall applications automatically whenever a user logs in or whenever the client boots. APM provides policy support for pull-based software distribution. An example might be pulling software programs from a central location. Users can view the packages available for pulling, then download those packages to their individual computer. APM provides limited integration with directory managers, such as Microsoft’s Active Directory and Novell’s NDS. In order for clients to receive policies that are targeted through Active Directory or NetWare Directory Services, they have to be configured to log in to the directory. This means that they need to have all the correct client software installed, and they need to actually log in to the correct directory so that their fully distinguished name will match the name that was targeted through Directory Manager and Application Policy Manager. Windows 95/98 clients need to be configured to log in to the domain where the Active Directory resides. Windows NT and Windows 95/98 don't include Active Directory support. You must install Active Directory support on clients that log in to a directory and require Application Policy Management. As of this printing, more information on installing Active Directory client support was available here: http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextensi on.asp
Launching the APM client at specified intervals
There are two dialogs in the Client Setup wizard that control the APM client launch interval: • • Application Policy Management Options dialog: Access this dialog by clicking the Launch APM client at specified intervals option, then clicking the Configure button. Local Scheduler Time Filter Options dialog: Access this dialog by clicking the Time Filters button in the Application Policy Management Options dialog.
The Application Policy Management Options dialog has a Run APM client periodically option. This option tells the Local Scheduler agent to rerun the task at the interval you select. If you don't select this option, APM will only be scheduled to run once. When you select the Run APM client periodically option, you must also specify a Run every interval to run the task daily, weekly, or monthly. This interval starts the first time the Local Scheduler runs the task. For example, if you select weekly, the first chance Local Scheduler gets, it will run the task. If it runs the task on Tuesday the first time, generally the Scheduler will run the task every Tuesday. To configure in detail when the task will run, use the Time Filter Options dialog. You can set as many as three filters that define when the task will run: • • • Time-of-day filter Day-of-week filter Day-of-month filter
101
INSTALLATION AND DEPLOYMENT GUIDE
These filters further define the Run every interval you specify (daily, weekly, or monthly). For example, if you set the Run every interval to "monthly," then specify a day-of-month filter for the "21st" to the "22nd," the Local Scheduler will run the task once a month, sometime during the period between the 21st and 22nd. You can set one or multiple filters on the Run every interval, but ensure that the filters make sense for the interval you've chosen. For example, if you set the Run every interval to "daily," and then add a time-of-day filter of "8 p.m." to "11 p.m." and a day-of-week filter of "Monday," the task won't run daily, but rather each Monday between the times of 8-11 p.m. If you use a bandwidth filter in the Client Setup: Application Policy Management Options dialog, the bandwidth filter also determines when the Local Scheduler runs the job. Both the time and bandwidth filters must pass for the Local Scheduler to run the task. For example, perhaps you've configured a job to run on Wednesday every week and you've also specified the high-speed network connection bandwidth filter. If a client connects via dialup on Wednesday, the task won't run, even though the time filter criteria were met.
Deploying Bandwidth Detection
Bandwidth Detection enables bandwidth detection between clients and the core server. You can limit Management Suite actions such as software distribution, based on available bandwidth. Use this option if you have remote clients or clients that connect to the network via a slow link. Bandwidth detection enables you to specify that a certain bandwidth must be available between clients and the core server before the Software Distribution feature attempts to deploy a package. This is particularly important for mobile clients, because it ensures that scheduled tasks are executed only when the necessary bandwidth is available. This reduces the network congestion that could result if a remote client tried to download a large application over a slow connection. The Bandwidth Detection agent must be installed on the client in order to take advantage of the bandwidth detection capabilities. Management Suite supports two bandwidth detection algorithms: • • ICMP Sonar Algorithm PDS/RAS Bandwidth Check
You can specify how often the Local Scheduler checks for sufficient bandwidth to run the specified task. The default is 120 seconds.
Deploying the Common Base Agent
Common Base Agent (CBA) is the underlying protocol of Management Suite, and it's required by most components.
102
PHASE 5: DEPLOYING OTHER AGENTS TO CLIENTS
Deploying Custom Data Forms
You can create and distribute Custom Data Forms to collect client information that will supplement the standard information available in the core database. The forms you create using the Form Designer can be distributed by a Client Deployment service or by using the Client Setup wizard. Custom Data Forms requires the Inventory Scanner component. Customize the forms that are distributed to clients in your management domain using the Form Designer. For more information, see chapter 4 in the User's Guide.
Enabling Migration Tasks
The Migration Tasks Client Setup option selects the components necessary for OS deployment and profile migration. The only thing selecting the Migration Tasks option does is to provide a fast way of selecting the Bandwidth Detection, Common Base Agent, and Enhanced Software Distribution components. If you've already selected these components, selecting the Migration Tasks option doesn't make a difference.
Deploying Enhanced Software Distribution
Enhanced Software Distribution automates the process of installing software applications and distributing files to clients. Use this agent to install applications simultaneously to multiple clients or to update files or drivers on multiple clients. Enhanced Software Distribution uses a Web or file server to store packages. Clients access this package server when downloading a package. You'll need to configure a package server as described in chapter 6 in the User's Guide. You can deploy the Enhanced Software Distribution agent to clients before you set up a package server. Enhanced Software Distribution requires the Bandwidth Detection and Common Base Agent components.
Deploying the Inventory Scanner
The inventory scanner is a powerful tool that scans and catalogs the hardware and software on your clients. The inventory scanner runs on the client and sends this information to the core server. The information is processed by the inventory service and saved to the core database. Once the inventory information is saved to the database, you can view it with the console on the core server, an additional console on another computer, or through a browser with the Web console. The information appears in an inventory tree that you can browse to view the hardware and software on the client. The Inventory Scanner requires the Common Base Agent component.
103
INSTALLATION AND DEPLOYMENT GUIDE
Deploying the Local Scheduler
The Local Scheduler agent enables Management Suite to launch client tasks based on a time of day or bandwidth availability. The Local Scheduler agent is most useful for mobile computers that may not always be on the network or may connect to the network via a dialup connection. For example, you can use the Local Scheduler to allow mobile computer package distribution only when those clients are on the WAN. When you schedule Enhanced Software Distribution packages for distribution, or when you create application policies, you can specify which bandwidth the packages or policies require before they are applied. The Local Scheduler runs as a service on Windows NT/2000/2003/XP, or as a pseudo-service on Windows 95/98. The Local Scheduler requires the Bandwidth Detection component.
Deploying Remote Control
The Remote Control feature enables you to view and take control of a remote client anywhere on your network. Once the remote control agents are in place, you can use any console to initiate a remote control session, where you can view, manipulate, and interact with the client as if you were logged into it locally. You can also send files to or retrieve files from the remote client, chat with the remote user, launch applications, perform maintenance, and even reboot the remote client. Remote control supports multiple security models for you to select from to prevent unauthorized access and to allow the level of end-user control you want. • • • Local template: This is the most basic security. Windows NT security/local template: This security model uses a Windows NT Remote Control Operators group. Members of this group are allowed to remote control clients. Certificate-based/local template: This is the most secure option and is new to Management Suite 8. It's also known as on-demand secure remote control.
LANDesk Management Suite 8 introduces a new on-demand secure remote control that you can use. This new remote control improves on the prior version in these ways: • • • • Remote consoles authenticate with the core server. The remote control agent on a client loads on-demand once a remote control session is authorized by the core. All remote control authentication and traffic is encrypted over an SSL connection. Once a remote control session is over, the remote control agent unloads from the client.
Remote Control requires the Common Base Agent component.
104
PHASE 5: DEPLOYING OTHER AGENTS TO CLIENTS
Deploying Software Monitoring
The Software Monitoring agent enables you to monitor license compliance and product usage and denial trends on clients across your network. The agent records data about all installed applications on a client and stores this data in the client's registry. Using the Software License Monitoring window, you can choose to monitor the most important of these installed applications. Application usage data that you don't monitor is ignored and eventually overwritten with newer data in the client's registry. After you indicate the product files and licenses that you want to monitor, the following occurs: • Management Suite detects clients that are running the applications you want to monitor and imports this list into the Software License Monitoring window. The client list is static until the next software scan occurs. During the next scan, the scanner reads the client data collected by the Software Monitoring agents and sends this data up to the core server. Management Suite then updates the Software License Monitoring window with information for the specific licenses and products you're monitoring.
•
For mobile clients disconnected from the network, the Software Monitoring agent continues to record data and caches it in the client's registry. After the client reconnects to the network, the next scan detects which of the cached data is being monitored and sends that data to the core server. The Software License Monitoring window is then updated with the latest license compliance, usage, and denial data for those mobile clients. Software Monitoring requires the Inventory Scanner component.
Deploying Targeted Multicast
Targeted Multicast enables you to transmit software packages to multiple clients without modifying your router configuration. It's designed to work with your existing software distribution packages. When you use Targeted Multicast, you can easily distribute software, even in WAN environments with multiple hops and low connection speeds (56k). Targeted Multicast uses HTTP for delivery from a Web site to a subnet representative. Management Suite's inventory service provides all of the subnet information to the Targeted Multicasting service. Targeted Multicast provides unique benefits that standard methods of "multicast" don't provide. Inventory-based targeting of clients enables you to send a package to a selected group of computers that fit specific criteria via a multicast. Targeted Multicast is also simplified because there's no need to configure routers to handle deliveries. You can turn on Targeted Multicast by checking the Use Multicast to distribute this package option on the Create Script dialog that you'll see when creating a distribution package script. Targeted Multicasting requires the Bandwidth Detection, Common Base Agent, and Enhanced Software Distribution components.
105
INSTALLATION AND DEPLOYMENT GUIDE
Deploying Task Completion
The Task Completion agent checks with the core server to see if there are any scheduled jobs that clients need to run. Task Completion is especially useful for mobile users who aren't always connected to the network and tend to miss scheduled jobs. When the Task Completion agent runs, it launches a status window on clients while it checks with the core server. This window disappears after 15 seconds by default. You can specify that the Task Completion agent only run periodically or only between certain times/days/weeks/months. If the Task Completion agent runs and the computer isn't connected to the network or it can't talk to the core server, the Task Completion agent will exit. Task Completion requires the Bandwidth Detection, Common Base Agent, and Enhanced Software Distribution components. For more information on scheduling Task Completion, see "Launching the APM client at specified intervals" earlier in this chapter. The information in that section also applies to the Task Completion agent.
106
Chapter 6: Installing the Web console
In phase 6, you'll learn about installing the Web console. The Web console enables you to remote control, query, and report on inventory data in the core and rollup databases; distribute software; and execute Wake on LAN* technology from any computer that has a supported Web browser installed. In this chapter you'll learn about: • • • • • • • Extending network management to the Web Installation requirements Installing the Web console Accessing multiple databases Setting up Web console security Setting up role-based administration in the Web console Setting up feature-level security for rollup core databases
107
INSTALLATION AND DEPLOYMENT GUIDE
Extending network management to the Web
The Web console is a series of predefined Web pages containing links to HTML-based Management Suite tools. With the Web console files installed on a Web server, you can turn any computer on the network into a console with very little overhead. Management tools that were once only available from specific, dedicated console computers can be accessed by any computer with Internet Explorer 5.5 or 6.x. Installing the Web console is optional. While the Web console does not replace the more fully-featured Management Suite console, you can use it to perform these management tasks: • • • • • Remote control a computer Run inventory queries on the core and rollup core databases Run predefined reports from inventory information Schedule and deploy software packages Execute Wake on LAN technology
You can install the Web console, including Web pages and management tools, on a Web server you specify, or on your core server. With the Web console installed, the server then has access to the data in your core database, and any additional core and rollup core databases you configure. The Web console uses the same inventory and remote control agents as the Management Suite console. If you want to restrict access to the Web console tasks, you can set up role-based administration. For more information, see "Setting up role-based administration in the Web console" later in this chapter.
108
CHAPTER 6: INSTALLING THE WEB CONSOLE
Installation requirements
Here are the system requirements for installing and using the Web console.
Management Suite requirements
Before installing the Web console, make sure you've performed these installation and deployment steps for Management Suite: • Set up a Management Suite 8 core server and database: The Web console uses the existing core database infrastructure to perform management tasks. For more information about setting up databases, see "Phase 2: Preparing your databases." Set up a rollup core if you want to use data from multiple core servers: The Web console can use a rollup core database that combines data from multiple core servers. For more information, see "Phase3: Installing the console and rollup core." Installed Management Suite agents: The Web console uses the same client agents that the Management Suite console uses for management tasks.
•
•
Web server requirements
The Web server has the same software system requirements as the core server. Verify your Web server's system requirements by running AUTORUN.EXE at the root of your Management Suite installation image and clicking Verify Core Server System Requirements.
Computer requirements for accessing the Web console
Any Windows-based computer running Internet Explorer 5.5 or later can access the Web console without requiring additional configuration. In order to view the installation autorun screen and the interactive bar and pie charts displayed in many reports, you must have Macromedia Flash Player* 7 installed. If you have an Internet connection, your browser will download this automatically. If you use remote control, the Web console automatically installs the Remote Control Viewer application locally. You can manually remove the viewer with Control Panel's Add/Remove Programs applet by selecting "Remote Control Viewer."
109
INSTALLATION AND DEPLOYMENT GUIDE
Installing the Web console
Before you install the Web server, review this list of tasks you should have completed: • • • Installed a Management Suite 8 core server and optionally, a rollup core server: See "Phase 2: Preparing your databases" earlier in this guide. Installed Management Suite agents: Your clients need the Remote Control and Inventory agents. For more information, see "Phase 4: Deploying the primary agents to clients" earlier in this guide. Installed a DBMS client on the Web server: See the section below.
Database drivers are the client components of whatever database you use with your core server. You need to install these drivers on your Web server so that the Web console can access your database. The type of drivers you install, if you install any at all, depends on the type of database you're using. Management Suite 8 supports these databases: • • • Microsoft MSDE 2000 SP3 Microsoft SQL Server 2000 with SP4 Oracle8i (8.1.7) and Oracle9i
See your database application documentation for details about installing the database client drivers. With Management Suite 8, you no longer have to create a DSN to the core and rollup core databases. By default, Setup places the Web console files in the \Intepub\wwwroot\remote folder. Setup also creates these file shares with the necessary permissions on your core server. The Web console and clients require these shares and permissions to work correctly: • ldmain: Server applications ("..\ManagementSuite"). The Administrators group must have Full Control. For Windows 2000, the IWAM_<ServerName> user must have Read & Execute, List Folder Contents, and Read. For Windows 2003, the Network Service group must have Read & Execute, List Folder Contents, and Read. ldlog: Logs ("..\ManagementSuite\log"). ldlogon: Client applications ("..\ManagementSuite\ldlogon"). The Administrators group must have Full Control and the Everyone group must have Read Only. scripts: Software distribution scripts ("..\ManagementSuite").
• • •
If you're installing the Web console on a server other than the core server, ensure that you're logged in as a domain administrator, and that the domain administrator account is in the core server's LANDesk Management Suite user group. The core and Web console servers must be in the same domain, and any users you want to use the Web console need to be added to the LANDesk Management Suite group on both the core and Web console servers.
110
CHAPTER 6: INSTALLING THE WEB CONSOLE
Don't run the Management Suite 8 Web console on an older core server or console You should use only the version 8 Web console on a Management Suite 8 core server or console computer. Earlier versions of Management Suite will not work. To install the Web console on a server other than the core server 1. On the server that will host your Web console, map a drive to the LDMAIN share on your core server. 2. In the LDMAIN\Install\Web Console folder, double-click Web Console. 3. Select the language you want Setup to install. 4. A Welcome screen for LANDesk Management Suite Setup appears. Click Next to continue. 5. On the License Agreement screen, click Yes to accept and continue. 6. Accept the default destination folder by clicking Next. 7. Select the Web Console feature and any other features you want. 8. If Setup prompts you for your core server name, enter it and click Next. If Setup then prompts you for a username and password, enter credentials with administrative privileges on the core server. 9. Reboot the server when Setup finishes and prompts you to. If you're installing to a Windows 2003 server, IIS disables active server pages by default. You must enable them for the Web console to work correctly. To enable active server pages on Windows 2003 servers 1. Click Start | Administrative Tools | Internet Information Services (IIS) Manager. 2. Under the root tree item, click Web Service Extension. 3. Click Active Server Pages, then click Allow. To verify the installation, open a Web browser, then enter the Web server URL, which by default is: http://webservername/remote The installation was successful if the browser prompts you for login information and, after you enter it, the Web console opens. If you get a permission denied error when you try to access the Web console, make sure Integrated Windows authentication is enabled as the authentication method for the Web console's site. To verify the authentication method 1. In the Internet Information Services manager, from the remote folder's shortcut menu, click Properties. On the Directory Security tab, click Edit in the Anonymous access and authentication control box. Clear the Anonymous access option and check Integrated Windows authentication. 2. Click OK to exit the dialogs.
111
INSTALLATION AND DEPLOYMENT GUIDE
Accessing multiple databases
If the Web server you've installed the Web console on will be accessing databases on other servers, you must also: • • Configure domain-level software distribution Configure the Web console for multiple cores
Configuring domain-level software distribution and Windows 2003 servers
If you're going to distribute software from the Web console, the Web server you installed the Web console on must be able to access and change software distribution files on the core server. This is an issue if your Web server and core server are on different computers, or if your Web server is running Windows 2003 Server. To allow this, you need to register a component on the Web server. To configure domain-level software distribution 1. Go to the Web server you installed the Web console on. 2. From the Windows Control Panel's Administrative Tools, double-click Component Services. 3. Click Component Services > Computers > My Computer > COM+ Applications. 4. From the COM+ Applications shortcut menu, click New | Application. 5. On the wizard welcome page, click Next. 6. Click Create an empty application and click Next. 7. Enter a name for the new application. "LANDesk" is fine. Click Server application and click Next. 8. Click This user. You must enter a domain-level account with administrative privileges on the core server. If the account isn't domain-level, software distribution from the Web console won't work. Click Next. 9. Click Finish to close the wizard. You'll see a new COM+ Application tree node named "LANDesk" or whatever you chose. 10. Click Component Services > Computers > My Computer > COM+ Applications > LANDesk > Components. 11. From the Components shortcut menu, click New | Component. 12. On the Wizard welcome page, click Next. 13. Click Import component(s) that are already registered. 14. From the component list, click Schcom.Schint.1, then click Next. 15. Click Finish to close the wizard. You should see Schcom.Schint.1 as a registered component. 16. Click Component Services > Computers > My Computer > COM+ Applications > LANDesk > Roles. 17. From the Roles shortcut menu, click New | Role, enter "Everyone" as the name for the new item. 18. Click Roles > Everyone > Users. From the Users shortcut menu, click New | User, enter "Everyone" as the object name, and click OK. 19. Restart IIS or reboot.
112
CHAPTER 6: INSTALLING THE WEB CONSOLE
Configuring the Web console for multiple cores
After you've installed the Web console on a Web server, you can edit the configuration file \Inetpub\wwwroot\remote\xml\core.asp to connect to additional databases. By default, this file points to the core server only. Once you add more servers to it, you'll be able to connect to additional databases with a drop-down list box in the Web console. If you ever change the information referenced in core.asp, you'll need to update the file with the new information. Note that all entries in core.asp must be single-line entries. Multiple-line entries will cause an error to occur. Here's a sample core.asp: <?xml version="1.0" ?> <core> <cores> <item name="CORE-TEST" server="CORE-TEST\LDMSData" database="lddb" user="sa" password="" isoracle="0" software="0" rollup="0"/> <item name="ROLLUP-TEST" server="ROLLUP-TEST" database="ldms" user="sa" password="" isoracle="0" software="0" rollup="1"/> </cores> </core> Entry item name= Description The server name you want the Web console to connect to. This also is the text string that appears in the drop-down list of databases in the Web console's Login page. For SQL Server, this is the database servername\database instance name. If your database is in SQL's default instance, don't specify a database instance name. For Oracle, this is the Oracle host string (the service\instance name). The SQL database name you created on the Web server. This option is blank for Oracle databases. The default user ID for the database. The password associated with the default user ID. Whether the database is Oracle (1) or not (0). For future use. Leave blank. Whether the database is a core rollup database (1) or not (0).
server=
database= user= password= isoracle= software= rollup=
113
INSTALLATION AND DEPLOYMENT GUIDE
To add databases to core.asp 1. Locate core.asp on the Web server in the directory where the Web console is installed (by default c:\Inetpub\wwwroot\remote\xml). 2. Open core.asp in a text editor, such as Notepad. 3. Copy the lines of the file (similar to the example above), then paste them under the existing text. Change the lines to reflect the information for the additional database(s). 4. Save the core.asp file as a text file.
114
CHAPTER 6: INSTALLING THE WEB CONSOLE
Setting up Web console security
If you're using the Web console with a core database, the Web console uses the rolebased administration settings you've made in the Management Suite console to control access to features and clients. If you're using the Web console with a rollup core database and want to control access to features for that rollup database, you need to set up feature-level security. For more information, read the following sections: • • Setting up role-based administration in the Web console Setting up feature-level security for rollup core databases
Setting up role-based administration in the Web console
When accessing a core database (not a rollup core), the Web console uses the same role-based security as the Management Suite console. Use the Management Suite console to manage what features and scopes you want Web console users to be able to access. For more information on role-based administration, see chapter 1, "Using the LANDesk Management Suite console" in the User's Guide. To configure Web Console role-based administration 1. Add domain-level accounts for Web console users to the LANDesk Management Suite group on the core server. 2. In the Management Suite console, click Tools | Users. 3. In the All Users group, double-click the user whose rights you want to change. 4. After making changes, click OK. These are the role-based administration rights and what they do in the Web console: Software distribution A user assigned this right can: • • • • • See all software distribution scripts but not the OS deployment and profile migration scripts. Choose Targeted Multicast options in the Software Distribution dialog. Send a Wake on LAN packet to a client to turn it on (the client must support Wake on LAN). Schedule and view scheduled tasks (no PXE or OS deployment scripts). Use local console links for LANDesk Server Manager and LANDesk System Manager (if installed).
Reports A user assigned this right can: • View and print reports.
115
INSTALLATION AND DEPLOYMENT GUIDE
Remote control A user assigned this right can: • • • Remote control, file transfer, chat, remote execute, and reboot. Wake up/shut down. Use a local console link for LANDesk System Manager (if installed).
Public query management A user assigned this right can: • Create, modify, copy, delete, and move queries. This applies to the private and public queries. Without this right, users have access to private queries only.
LANDesk Administrator A user assigned this right has access to all rights, including those mentioned above.
Setting up feature-level security for rollup core databases
If you're using the Web console with a rollup core database, and you want to control access to features for that rollup database, you need to set up feature-level security as described below. The Web console administrator can set feature-level security by assigning users to any of four groups created during installation. By default, anyone with administrator privileges automatically has access to all Web console features. All other users must be assigned to these groups, or they're denied access to the features. The groups are: • • • • rc_user for using Remote Control. A user with administrator privileges has to actually download the Remote Control Viewer onto the computer before users in this group can remote control a client. sd_user for viewing Software Distribution logs, scheduled jobs, and scripts. To further restrict security, these users can only configure settings and distribute packages if they have administrator privileges. inv_user for creating and running custom queries. report_user for viewing reports and configuring how they look.
NOTE: When assigning users to the sd_user group, ensure that you also give them access rights to the distribution logs directory ([c:\inetpub\wwwroot]\remote\log by default). When assigning users to the report_user group, ensure that you also give them access rights to the images subdirectory under report ([c:\inetpub\wwwroot]\remote\report\images by default). These groups are based on Windows NT and Windows 2000/2003 groups. By default, they're set up as local groups on the Web server, though you can set them up on the domain controller as global groups.
116
CHAPTER 6: INSTALLING THE WEB CONSOLE
Assigning users
You can only assign domain users to these groups; if you assign users that are local to the Web server, they won't authenticate. Local users can't log in to a remote client (in this case to access the Web console) as a local user on a Web server.
Setting up authentication
To take advantage of feature-level security, you must set up authentication by disabling Anonymous Authentication on the Web server, but leave Windows NT/2000 Security enabled (this is Challenge and Response on Windows NT and Integrated Windows Authentication on Windows 2000). If Anonymous Authentication is left enabled, the Web console will resort back to the database authentication used in previous releases.
Changing the default IIS session timeout
You can change the default session timeout for the Web console's Web pages. The IIS default is 20 minutes of inactivity before a login expires. To change the IIS session timeout 1. 2. 3. 4. 5. On the Web server, open the IIS Internet Service Manager. Expand the default Web site. Right-click the Remote folder, then click Properties. Under the Directory tab, click Configuration. Click the Application Options tab, then change the session timeout to the value you want.
Setting up the indexing service
The Web console's HTML online help has a search feature that you can enable to do full-text searches. Normally, this feature is enabled by default. If you need to enable indexing on your Web server, do the following: To configure your IIS server to run the Web console as an application 1. 2. 3. 4. 5. Open the IIS Internet Service Manager. Expand the default Web site. Right-click the Remote folder, then click Properties. In the Application section, click Create. Click OK.
To start the indexing service on Windows 2000 1. Click Start | Programs | Administrative Tools | Services. 2. Double-click Indexing Service and click Start. 3. Click OK to exit out of the dialogs.
117
INSTALLATION AND DEPLOYMENT GUIDE
Configuring rights for the Web console
The following rights should be configured automatically. If you're having problems with the Web console, you can verify that these rights have been set correctly. Update the following areas with the appropriate information. To configure database authentication 1. Grant Modify rights for the IUSR_[MACHINE NAME] (IIS Internet Guest account) for the following directories: inetpub\wwwroot\remote\queries inetpub\wwwroot\remote\reports\images 2. Grant Modify rights to IWAM_[MACHINE NAME] (IIS Web Application Manager account) for the following directory: inetpub\wwwroot\remote\reports\images
Changing the Web console location
If you move the location of the Web console files or the Remote Control Viewer after installation, you will need to modify the CONFIG.ASP file to designate the new location of the Remote Control Viewer. To update CONFIG.ASP 1. Locate CONFIG.ASP on the Web server in the directory where the Web console is installed. 2. Open CONFIG.ASP in a text editor, such as Notepad. 3. Edit this line with the new URL where the Remote Control Viewer files are located: URL="http://yourwebserver.com/remote" 4. Save CONFIG.ASP as a text file.
118
Chapter 7: Installing OS deployment and profile migration
The OS deployment and profile migration component adds automated remote image deployment and profile migration capabilities to LANDesk Management Suite. OS deployment and profile migration streamline new computer provisioning and existing computer migration without requiring additional end-user or technician input once the process starts. You can schedule deployments and migrations to occur after hours, and by using Targeted Multicast technology to distribute images, you don't have to saturate network bandwidth by deploying the same image to multiple computers. If you use Microsoft Sysprep with your images, OS deployment creates customized SYSPREP.INF files and injects them into each computer's image on a per computer basis, customizing computer names, domain information, and so on from the core database. OS deployment includes a built-in imaging tool, or you can use imaging tools that you provide. Your investments in Symantec Ghost*, PowerQuest*, and existing images won't be wasted with OS deployment. OS deployment supports two types of OS deployments--Management Suite agentbased and PXE-based: • • Agent-based deployments use the client's existing Windows OS and Management Suite agents to deploy images. PXE-based deployments allow you to image computers with blank hard drives or unusable OSes. Lightweight .NET PXE proxies eliminate the need for a dedicated PXE server on each subnet.
In this chapter you'll learn about: • • • • • Installing OS deployment and profile migration Step 1: Configuring an image server Step 2: Verifying name resolution Step 3: Configuring your network for multicast OS deployment Step 4: Configuring PXE
WARNING: The OS deployment functionality must be used with caution. Operating system deployment involves wiping all existing data off of a computer and installing a new operating system. There is substantial risk of loss of data if the OS deployment function is not performed precisely as described herein or if poorly implemented images are used. Before performing any operating system deployment, all data must be backed-up in such a manner that any lost data may be restored.
119
INSTALLATION AND DEPLOYMENT GUIDE
Installing OS deployment and profile migration
To install OS deployment and profile migration on your core server, you must have: • • Windows 2000 Server SP 4 or later with IIS 5. The OS deployment .NET Web Service isn't compatible with Windows NT 4 or IIS 4. Microsoft .NET Framework 1.1 or later (latest service pack recommended) on the core server. You can download the .NET Framework from Windows Update or from www.microsoft.com.
During the install, you'll be prompted for: • • Access to a Windows NT 4 Server CD. OS deployment uses Microsoft Windows NT 4 client networking files. A Windows 98 CD. OS deployment uses Microsoft boot and network files on the CD.
Installing OS deployment and profile migration on your core server also updates the additional console install image. You should reinstall your additional consoles so they are also updated. OS deployment and profile migration don't need extra system requirements beyond those already specified for additional consoles. If you installed OS deployment when you installed the core server, you can ignore the installation steps below. To install OS deployment and profile migration on an existing core At the Windows 2000/2003 core server: 1. From your LANDesk Management Suite 8 installation image, double-click autorun.exe. The Autorun feature will display a Welcome screen. 2. Click Install LANDesk Management Suite. 3. Select the language that matches the core you are installing to, then click OK. 4. Click Modify, then click Next. 5. On the Select Features page, leave the existing options checked, and check OS Deployment / Profile Migration. 6. Click Previous Management Suite Database, then click Next. 7. Finish the Setup wizard. 8. Reinstall any additional consoles that you installed before you added OS deployment and profile migration to your core server.
120
CHAPTER 7: INSTALLING OS DEPLOYMENT AND PROFILE MIGRATION
Once you've installed OS deployment and profile migration, you need to plan how you'll structure OS imaging and deployments on your network. You also need to decide whether you'll be using OS deployment PXE proxies to facilitate deployments: • If you don't use PXE, you can only image computers running a supported Windows OS and the Management Suite agents, specifically the Enhanced Software Distribution agent. OS deployment uses the Enhanced Software Distribution agent to transfer OS deployment files and images to clients. If you use PXE, you can image any computer that supports PXE booting, regardless of what is installed on it. For more information, see "Using PXE services" in the User's Guide.
•
121
INSTALLATION AND DEPLOYMENT GUIDE
Configuring your OS deployment and profile migration environment
Before you can use OS deployment and profile migration, you'll need to configure your environment. OS deployment requires the following: 1. A share for images that clients can access from DOS 2. A working DHCP and DNS/WINS server 3. A multicast domain representative if you're doing Targeted Multicast deployments 4. A PXE proxy if you are using PXE for deployments
Step 1: Configuring an image server
You need to put OS images and your imaging tool on a network server. Clients will need to access this server via the credentials you provide in the OS Deployment/Migration Tasks wizard. Make sure the share name you use for your images follows 8.3 DOS naming conventions and doesn't have any spaces. The share must be reachable from DOS. IMPORTANT: DOS can authenticate to network resources with only one set of credentials. For this reason, we recommend having your images and imaging tool executable on one share. You can use multiple shares if the authentication credentials are exactly the same. IMPORTANT: For Targeted Multicast OS deployments, you must make the image share a null-session share as described in the next section. Multicast clients can't access the image share unless it is null-session.
Making your image share null-session
You use the SYSSHRS.EXE utility to make your image share a null-session share folder. A null-session share is a shared folder that doesn't require a username or password for access. Multicast deployments require null-session shares. To make a share null-session 1. In Explorer, right-click the folder that will be your images share and then click Sharing. 2. Click Share this folder and click Permissions. 3. Add the Everyone and the Guest groups, but grant them only read permissions. Click Apply. 4. Click Start | Run and browse to the LDMAIN\Utilities directory on your core server. 5. Run the SYSSHRS.EXE utility. 6. Check the shared folder you set up and click Apply and then Close.
122
CHAPTER 7: INSTALLING OS DEPLOYMENT AND PROFILE MIGRATION
Step 2: Verifying name resolution
In an environment where WINS and/or DNS name resolution isn't available or doesn't work properly, it may be necessary to implement a static IP address for the core server and hard-code the IP address into the PXE and virtual boot images for OS deployment. To test if WINS is working on your network • From a DOS 6.22 environment (with Microsoft NDIS/DHCP stack) command prompt, try a NET USE command to map a drive to the server that stores your images. You must do this from native DOS and not a Windows command prompt. Management Suite will use WINS/LMHOSTS resolution to map drives to your image server: NET USE G: \\imageserver\share To test if DNS is working for your environment 1. From any Windows 2000/XP computer that has a DHCP address, type the following from a command prompt: NSLOOKUP 2. At the NSLOOKUP prompt (>), type the name of your core server. OS deployment uses DNS to resolve the name of the core server when deploying operating systems. For OS deployment to work properly, your DNS server needs to be able to resolve both the NETBIOS (root servername) and fully-qualified domain name (FQDN, servername.mycompany.com) of the core server. Management Suite 8 also requires reverse DNS lookup support. If clients are taking several minutes to reboot and start an OS Deployment job, reverse lookup probably isn't enabled.
Step 3: Configuring your network for Multicast OS deployment
Before using Targeted Multicast with OS deployment, you need to make sure the Targeted Multicast components are in place on the subnet you're distributing to. Each subnet must have a multicast domain representative. If you try to multicast to a subnet that doesn't have a domain representative, the deployment will start, but it won't be able to finish. You don't have to use Targeted Multicast to distribute OS deployment images, but Targeted Multicast will save a lot of network bandwidth if you distribute the same image to multiple clients. Make sure you don't image any Targeted Multicast representatives in a subnet, because you could end up imaging your Multicast domain representative and the imaging will fail, leaving the computers in an unusable state.
123
INSTALLATION AND DEPLOYMENT GUIDE
To manually specify which computers will be multicast domain representatives 1. In the network view, click Configuration > Multicast Domain Representatives. 2. Add domain representatives by dragging the computers you want to be representatives from the network view into this category.
Step 4: Configuring PXE
PXE services software is installed as part of OS deployment and provides another method—in addition to agent-based deployment—of automated remote imaging of computers on a single LAN or routed network environment. With PXE services implemented, you can boot both new and existing PXE-enabled computers and either: • • Run an OS deployment script at the computer from an image menu you configure. Add the computer to your core database, then schedule an image deployment job from the console.
You don't have to use PXE to deploy OS deployment images, but if your clients support PXE, PXE can be the easiest and most flexible way to get images to clients. PXE service files are simply copied to the core server as part of the normal OS deployment installation. To enable PXE services, you must first deploy a PXE representative (or proxy) computer on each segment of your network where you want PXE services available. You need to deploy at least one PXE proxy on your network and at least one additional PXE proxy on each subnet where you want to provide PXE boot services. You set up a PXE proxy by running the PXE Representative Deployment script on the selected computer. This script installs as part of OS deployment, and is available in the Scheduled Tasks window. Each PXE proxy forwards via HTTP any PXE boot requests on its subnet to the core server. The core server then checks to see if there are any pending jobs for that computer. If not, the computer boots normally. You can have multiple PXE proxies on a subnet to help with load balancing. If this is the case, the first PXE proxy to respond to a client's request is the one that will be used to communicate with the core server.
124
CHAPTER 7: INSTALLING OS DEPLOYMENT AND PROFILE MIGRATION
There are no special hardware requirements for the computer you select, but it must meet the following software requirements: • Operating system: Windows NT 4, Windows 2000/2003, or Windows XP Professional. For Windows NT and 2000, ensure that the Microsoft MSI service is running (XP includes MSI by default). If you've installed the latest service pack for either OS, MSI service should be running. Otherwise, you can deploy it to the target PXE proxy from the console by following these steps: Click Tools | Scheduled Tasks, click the Schedule Script toolbar icon, select the MSI Service Deployment task, click OK, drag the target computer(s) to the window, and click the Set Start Time icon to schedule the MSI service deployment. • Installed agents: Enhanced Software Distribution agent and Inventory Scanner agent.
To deploy a PXE proxy 1. In the console, click Tools | Scheduled Tasks, then click the Schedule Script toolbar icon. 2. Select the PXE Representative Deployment script from the list, then click OK. 3. In the console's network view, select the target computer on which you want to install PXE services (in this case the core server). 4. Drag and drop the selected computer to the Machine list in the Scheduled Tasks window. 5. Click the Set Start Time toolbar icon and schedule to run the script now. This script installs the PXE services software on the target computer. If you modify the PXE boot option settings (on the Configure | Services | OS deployment dialog), you need to update a PXE proxy by re-running the PXE Representative Deployment script to apply those changes. This procedure of rerunning the script is not necessary if you simply move PXE proxies from the Available proxies list to the Holding queue proxies list. To update or remove a PXE proxy 1. Click Tools | Scheduled Tasks, then click the Schedule Script toolbar icon. 2. To update a PXE proxy, select the PXE Representative Deployment script from the list, then click OK. Or, to remove a PXE proxy, select the PXE Representative Removal script, then click OK. 3. Drag and drop the target computer(s) to the Scheduled Tasks window and schedule a time for the task to occur (for details, click the Help button or press F1 to view the online help).
125
INSTALLATION AND DEPLOYMENT GUIDE
Verifying that the core server accepts PXE proxy communication
Each PXE proxy communicates with the core server via HTTP. You should verify that the core server is accepting this communication by trying to connect to the core with this URL: http://<coreservername>/landesk/managementsuite/core/core.webservices/pxe.as mx You should see a Web page titled "PXE Web Service." If a Web page doesn't come up, you may need to reinstall the .NET Framework and OS deployment.
Configuring PXE clients
You must configure your clients to boot PXE before using OS deployment's PXE support.
126
CHAPTER 7: INSTALLING OS DEPLOYMENT AND PROFILE MIGRATION
OS deployment phases
After you've created your images and run Sysprep on them, there are three OS deployment phases: 1. Run the OS Deployment/Migration Tasks wizard (select Deploy image) to create a script that defines how OS Deployment will handle that image. 2. Drag the script and the target computers to the Scheduled Tasks window and schedule a time for the deployment to happen. Watch the Custom Job Status window updates for success/failure. 3. Computers running Windows and Management Suite agents will begin the job when scheduled. PXE-enabled computers will begin the job next time they boot. For more information on using OS deployment and profile migration, see the User's Guide.
127
Chapter 8: Installing add-ons
Add-ons extend the power of LANDesk® Management Suite 8 and leverage core technologies to enable more effective and efficient management for desktops, servers and mobile devices. These add-ons are purchased separately. For information on installing the Patch Manager or Asset Manager add-ons, read the appropriate section in this chapter.
129
INSTALLATION AND DEPLOYMENT GUIDE
Activating Management Suite 8 add-on products
With Management Suite 8, version 8.1, after you install any of the LANDesk add-on products described in this chapter, you need to run the Core Server Activation utility to update your existing account and activate the add-on product with a trial-use or full-use license. To update your account 1. Start the utility by clicking Start | All Programs | LANDesk | Core Server Activation. 2. Click Update this core server using your LANDesk contact name and password. 3. Enter your Contact name and Password. 4. Click Update. For more information about LANDesk product activation and licensing, see "Activating the core server" in Phase 3.
130
CHAPTER 8: INSTALLING ADD-ONS
Installing LANDesk Patch Manager 8
Patch Manager version 8.1 requires the full version of LANDesk Management Suite version 8.1 is installed on your core server. If you're currently running Management Suite 8.0, you must first upgrade to version 8.1 before installing Patch Manager. To install Patch Manager on your core server 1. 2. 3. 4. 5. Insert the product CD, or run AUTORUN.EXE from your installation image. Click Install LANDesk Patch Manager 8 to run the Setup program. Select the language you want Setup to install. At the Welcome screen, click Next. On the License Agreement screen, click Yes to accept and to start copying files. 6. At the Setup is Complete screen, click Finish.
You can now use Patch Manager in the Management Suite console.
Additional consoles
To use Patch Manager from any of your additional consoles, you must reinstall the additional consoles after installing Patch Manager on a Management Suite 8.1 core server. Once Patch Manager is installed on your core server, any new additional consoles will include Patch Manager functionality. For detailed information on installing additional consoles, refer to "Installing additional consoles" in the Installation and Deployment Guide.
131
INSTALLATION AND DEPLOYMENT GUIDE
Installing LANDesk Asset Manager 8
Asset Manager version 8.1 requires the full version of LANDesk Management Suite version 8.1 is installed on your core server. If you're currently running Management Suite 8.0, you must first upgrade to version 8.1 before installing Asset Manager. Because Asset Manager runs in the Management Suite version 8.1 Web console, you must also have the Web console software installed on either your core server or another compatible Web server. If you need to install and configure the Web console, see "Installing the Web console" in the Installation and Deployment Guide. To install Asset Manager on your core server 1. 2. 3. 4. 5. Insert the product CD, or run AUTORUN.EXE from your installation image. Click Install LANDesk Asset Manager to run the Setup program. Select the language you want Setup to install. At the Welcome screen, click Next. On the License Agreement screen, click Yes to accept and to start copying files. 6. At the Setup is Complete screen, click Finish.
Furthermore, if you're running the Web console on a different server than the core server, you must perform the following procedure in order to install required Asset Manager files on the Web console server. This procedure is NOT necessary if your Web console is installed on the core server. To install Asset Manager files on the Web console server 1. From the Web console server, map a drive to the LDMAIN share on the core server. 2. From the Install\WebConsole folder, run SETUP.EXE. 3. Complete Setup. You can now access the Web console and use Asset Manager.
132
CHAPTER 8: INSTALLING ADD-ONS
Installing LANDesk Handheld Manager 8
LANDesk Handheld Manager is an add-on to LANDesk Management Suite 8 that helps you manage mobile devices. LANDesk Software has partnered with XcelleNet Afaria* to provide mobile management support. With Handheld Manager, your mobile devices send inventory data to the Management Suite database. Handheld Manager also allows you to distribute single files or single-file packages (32-bit Windows* platforms only) to your mobile devices. You can distribute these file types to mobile devices: • • • For Palm* OS devices, you can distribute these file types: PRC, PDB, PQA, WCA, QSH, PNC, SCP. For Windows CE/Pocket PC* devices, you can distribute CAB files. For 32-bit Windows package distributions via the Afaria agent, you can distribute EXE and MSI files.
Installing Handheld Manager
Handheld Manager must be installed on your Management Suite 8 core server. See the Afaria documentation for the supported mobile platforms. Your core server will need about 300 MB of space for the Handheld Manager and Afaria files. Since the share holding the files you are distributing to your mobile devices is in the LDMAIN\handheld directory, you also need to have space for these files. If you have questions about installing the Afaria portions of Handheld Manager, refer to the Afaria documentation. The documentation is in the XcelleNet Documents directory. Follow these steps to install Handheld Manager on your core server. Each step generally requires a reboot. After your server reboots, relaunch AUTORUN.EXE from your CD or Handheld Manager installation image. To install Handheld Manager on your core server 1. In the autorun, click Install Afaria Server and complete the wizard. In this wizard you will point to the database that will hold the Afaria data. After the server setup finishes, reboot if necessary and relaunch AUTORUN.EXE from your CD or installation image. Don’t make any changes to the Afaria Menu yet. 2. In the autorun, click Install Afaria Connector and complete the wizard. The connector enables scan files generated by the Afaria clients to get into the Management Suite database. Reboot if necessary.
Deploying to host computers and their mobile devices
Once you’ve configured the core server, you can deploy the Afaria agent to host computers and their clients. Host computers are the computers that mobile clients synchronize with.
133
INSTALLATION AND DEPLOYMENT GUIDE
First you need to create an Afaria client communication schedule. This schedule defines how often the Afaria agent on mobile devices connects to the core server. To configure the client communication schedule 1. Shortcuts to the Afaria components are on your core server desktop. If the Afaria Menu isn’t running, double-click the Afaria icon on your desktop. 2. Open the Afaria Channel Administrator. 3. From the tree view, select the LANDeskInv channel. 4. On the Properties page, click Define Schedules. 5. Finish the wizard by entering a schedule name and defining the communication schedule you want. 6. On the Properties page, select the Client Schedule you created. 7. Activate your schedule by clicking File | Unpublish and then File | Publish. 8. Follow the same process for the LANDeskSW channel. You can create a new client schedule or you can use the schedule you created for the LANDeskInv channel. After creating the client schedule, you’ll need to create a client installation package. This package will be a single-file executable that host computers need to execute to install both the host computer and mobile client software. To create a host computer and mobile client installation package 1. Shortcuts to the Afaria components are on your core server desktop. If the Afaria Menu isn’t running, double-click the Afaria icon on your desktop. 2. Click Create Client Installation. 3. Pick the client type you want to configure. Make sure you use the LANDesk Integration channel if it's selectable for the client type you chose. 4. In the wizard, make sure the mobile device will connect with the core server after agent installation. 5. Finish the wizard. Once you’ve created the client installation package for each mobile device type you will be managing, you need to install the package on the host computer so that computer can install the client software on the mobile device. You can put the client installation package on a share and have users run it manually, or you can use software distribution to distribute the installation package. Mobile devices won't display in Desktop Manager's Network View until they send an inventory scan. Assuming you configured the client installation package to connect immediately after agent installation, you will need to resynchronize your handheld a second time after the Afaria agent installs. For more information on client synchronization issues, see the release notes.
Using Afaria with 32-bit Windows clients
Both Management Suite and Afaria support 32-bit Windows software distribution. You can choose which management agent you want on these clients.
134
CHAPTER 8: INSTALLING ADD-ONS
The Management Suite agents provide: • • • Bandwidth detection--stops distribution over slow links. Targeted multicasting--low network bandwidth software distribution to multiple computers. On-demand distributions--distribute software immediately.
The Afaria agent provides: • • Bandwidth throttling--Limits software distribution use of network bandwidth. Client agent scheduling--Clients receive distributions only when the mobile agent connects to the core server.
How Handheld Manager works
Once you’ve installed Handheld Manager, you can schedule tasks from Desktop Manager to distribute files to mobile devices. Here’s the taskflow: 1. Create the package you want to distribute. Click Tools | Manage Scripts, and click the New Distribution Script button. Select the file you are deploying, and in the Deploy Package wizard click Deploy the package using mobile deployment. Finish the wizard. 2. From Desktop Manager, schedule a job to distribute the package to the mobile devices you want. 3. When the scheduled time arrives, the Scheduler will launch the mobile task processor (LDHTASK.EXE) to process the task. 4. Once launched, LDHTASK.EXE will transfer the file from the original location you specified to the handheld files directory on the core server. 5. Once the file is in the directory, the mobile devices that are part of the scheduled task will be marked as ready for processing in the production database. This task will remain in the Scheduler until the target clients have completed the task. 6. The next time a mobile device contacts the core server via the Afaria agent, the device will check to see if its unique device ID is scheduled for any tasks. If the device is scheduled for a task, the Afaria agent will retrieve and install the scheduled file. Desktop Manager receives job status from the Afaria agent. You can see status messages in the Scheduler window.
Viewing mobile inventory information
Mobile devices appear in the console's Network View as standard nodes. The devices are dimmed because they don’t have the normal Management Suite client agent. The Afaria agent provides inventory information to the Management Suite database by sending an inventory scan after your client schedule criteria are met and the device synchronizes with the host computer. The inventory view categories are different depending on the mobile device type.
135
Chapter 9: Installing LANDesk Inventory Manager
LANDesk Inventory Manager is a version of LANDesk Management Suite 8 that contains only these inventory-related features: • • • • • Inventory scanning and inventory-related console features Custom data forms Software license monitoring Unmanaged device discovery Reports for the above features
The Inventory Manager installation on a core server contains all LANDesk Management Suite 8 components, but when you activate a core server with an account that is licensed for Inventory Manager, the non-Inventory Manager features aren't applicable or visible in the Management Suite and Web consoles. Because Inventory Manager doesn't include client setup or scheduled tasks, you can only install clients manually or through a login script.
137
INSTALLATION AND DEPLOYMENT GUIDE
Installing clients manually
Map a drive to the core server's LDLogon share and run WSCFG32.EXE, the client configuration program. The components that are deployed to the client must be selected interactively. You can also run IPSETUP.BAT in the LDLogon share. IPSETUP.BAT installs the default configuration specified in the ntstacfg.ini file automatically without interaction.
138
CHAPTER 9: INSTALLING LANDESK INVENTORY MANAGER
Installing clients using a service center
Service centers help you deploy clients via login scripts, in addition to reducing the load on the core server. These instructions are organized based on the type of server you're deploying to. These are the categories: • • Deploying Remote Control, Inventory, and CBA to clients of a Windows NT/2000/2003 server Deploying Remote Control, Inventory, and CBA to clients of a NetWare server
If you'll be using service centers, there are two steps to deploying client agents: 1. Set up a Client Deployment service center. 2. Assign the login scripts created by the Client Deployment service to the users you want to configure with these components.
Setting up a Client Deployment service center
A Client Deployment service center provides an easy method for deploying Management Suite agents to Windows clients. When you set up a Client Deployment service, login scripts are automatically created. You then need to assign clients the appropriate script in order for them to be configured.
Creating configurations with a Client Deployment service center
Each time you create a Client Deployment service center, you also create a client configuration that consists of a unique combination of components. These are the components you can deploy to clients: • • • • Common Base Agent Custom Data Forms Inventory Scanner Software Monitoring
Necessary rights for configuring Windows NT/2000/2003/XP clients For users running Windows NT/2000/2003/XP, you must add their domain login name to the local Administrator Group on their own computers. This grants the necessary rights to users so that the Windows NT/2000/2003/XP login scripts will run. You can also use the Client Setup wizard and Scheduled Tasks window to enable Windows NT/2000/2003/XP clients for management. For more information on the Client Setup wizard, see chapter 2 of the User's Guide.
139
INSTALLATION AND DEPLOYMENT GUIDE
Deploying to clients of a Windows NT/2000/2003 server
You can deploy to clients of a Windows NT/2000/2003 server by creating a service center. To set up the Client Deployment service on a Windows NT/2000/2003 server PDCs and Windows 2000/2003 Client Deployment service centers If you're installing a Client Deployment service on a Windows 2000 server, you must install to a primary domain controller (PDC) or backup domain controller (BDC). Only the PDC or BDC can run the domain-level login scripts that are created by a Windows 2000 Client Deployment service center. 1. Obtain Administrator rights on the target server. 2. At the console, select the Windows NT/2000/2003 server on which you'll install the Client Deployment service. 3. From the server's shortcut menu, click Service Center. 4. Click Next on the Service Center wizard welcome page. 5. Select the Client Deployment service and click Next. 6. Enter the Core server name and click Next. 7. Select Remote Control, Inventory, and Common Base Agent. Click Next. 8. Specify a directory on this server where you will install Management Suite files. Click Next. 9. Finish the wizard, customizing any options you want. The wizard creates batch files that must be assigned to users before their computers can be configured for manageability. For details, refer to the next section, "Using the Windows NT/2000/2003 login scripts."
Using the Windows NT/2000/2003 login scripts
A Windows NT/2000/2003 Client Deployment service creates an IPSETUP.BAT batch file that must be added to the profile login script of each user you want to manage. This batch file is copied to %system root\system32\repl\import\scripts on the core server. On Windows 2000 Client Deployment service centers, this batch file is stored in %system root\SYSVOL\Sysvol\Scripts\LANDesk. You must also copy these files from the core's LDLogon directory to the client deployment server's scripts directory: • • ISDOSBOX.EXE NBPSHPOP.EXE
Assign the appropriate login script to a user according to the computer's network protocol. Some other scripts are installed to allow backward compatibility with earlier LANDesk products.
140
CHAPTER 9: INSTALLING LANDESK INVENTORY MANAGER
If the client is running Windows NT/2000/2003/XP Users must have administrator privileges on their computers to install components with a login script. If users don't have administrative rights, consider using the manual configuration method. These are the actions that each batch file performs: • • • • • Determines the name of the client Determines the operating system of the client Downloads the configuration for that operating system to the client(1-2 minutes) Updates the startup procedure for the client to load the components Notifies the user to restart the client
To assign a Windows NT logon script 1. On the domain server, click Start | Programs | Administrative Tools | User Manager. 2. Select the users to be configured for manageability. From the User drop-down list, click Properties. 3. Click Profile. 4. In the Logon Script Name field, type the name of the logon script you want to use (don't include a path), then click OK. To assign a Windows 2000 logon script 1. 2. 3. 4. 5. Open the Windows 2000 MMC Group Policy snap-in. In the console tree, click Scripts. In the Details pane, double-click Logon. Click Add. Type the name of the logon script you want to use, then click OK.
This assigns the batch file to be the user's login script. On next log on, the batch file will: • • Scan the client into the Inventory database (if Inventory is selected) Configure the client with the LANDesk agents so that you can manage it
To assign a Windows NT/2000/2003 logon script to a user with a preexisting logon script At the client that you want to receive the login script: 1. Open a DOS box and run Edit. 2. Edit the existing login script to include this line: @call ipsetup.bat (for IP environments) When the user authenticates to the Windows NT/2000/2003 server, the assigned login script configures the client for manageability.
141
INSTALLATION AND DEPLOYMENT GUIDE
Deploying to clients of a NetWare server
You can deploy to clients of a NetWare server by creating a service center. Before you can make a NetWare server a service center, you need to run a utility on it so the server appears in the network view. To add a NetWare server to the network view 1. Connect to the target server with administrative rights 2. Open a command prompt from your core server's LDMAIN share. 3. At the command prompt, enter: AddNetWareSC <NetWare_Servername> Where <NetWare_Servername> is the name of your NetWare server. 4. Refresh the console's network view to verify the NetWare server is there. To set up the Client Deployment service on a NetWare server You must be logged in with administrator rights on the target server and have the NetWare Client 32 installed. 1. At any console, use the network view to select the NetWare server on which you want to install the Client Deployment service. 2. From the server's shortcut menu, click Service Center. 3. Click Next on the Service Center wizard welcome page. 4. Select the Client Deployment service and click Next. 5. Select Remote Control, Inventory, and Common Base Agent. Click Next. 6. If you've selected an NDS server, enter the name of the NDS container for the users you want to configure. 7. In the Service center name field, type the name of the service center you want to use for the clients of this server. (If the selected server doesn't already have management services installed, the core server is your default service center.) Click Next. 8. Click Yes to add the inventory scanner to your Windows Startup group; then you can verify the options you selected. 9. Use the Edit Startup Script page to edit the startup script if necessary. 10. Click Next to complete the wizard. 11. The wizard creates two NetWare groups that have corresponding login scripts. Users must be placed in a group before their computers can be configured for manageability. For details, refer to the next section, "Using the NetWare login scripts."
142
CHAPTER 9: INSTALLING LANDESK INVENTORY MANAGER
Using the NetWare login scripts
The Service Center wizard creates these groups when you set up Client Deployment on a NetWare server: Group LANDESKIPGROUP Use to configure. . . Clients using the TCP/IP network protocol.
LANDESKIPXGROUP Clients using the IPX/SPX network protocol. LANDesk Management Suite 8 doesn't support this. If you're administering a NetWare network, you can use a single login script to configure all of the clients on the network by adding users to the NetWare LANDESKIPGROUP group. To assign a NetWare login script • Use your Novell network administrator tools to populate the LANDESKIPGROUP with the users you want to manage.
When you add a user to this group, on next login the client is: • • Scanned into the core database (if Inventory is selected) Configured with the LANDesk agents so that you can manage it
The Management Suite login scripts are appended to the system or container login script.
143
INSTALLATION AND DEPLOYMENT GUIDE
Deploying clients from the command line
You can control what components are installed on clients by using command-line parameters to override the default settings of batch files and login scripts. One way to do this is to use command-line parameters with the configuration program that is used by the batch files and login scripts, WSCFG32.EXE. You can launch WSCFG32.EXE in standalone mode. It's located in this directory on all Client Deployment service centers: (system drive)\Program Files\LANDesk\ManagementSuite\LDLogon. WSCFG32.EXE can also be found in the \\coreservername\LDLogon share, which is readable from any Windows 95/98 or Windows NT/2000/2003/XP client. WSCFG32.EXE uses one of two files to configure clients. NTSTACFG.INI is used for clients running Windows NT/2000/2003/XP; 95STACFG.INI is used for clients running Windows 95/98. These files contain the unique client configuration you specified using the Client Deployment service. If you want to manually edit the configuration settings in these files, you can choose from these methods: • • Running the Client Setup wizard with the Set as default configuration option checked. Adding command-line parameters to WSCFG32.EXE and running it manually. For more information, see "Understanding WSFG32.EXE" in Phase 4.
144
Chapter 10: Deploying to Macintosh, Linux, and UNIX clients
This chapter explains how to deploy agents to Macintosh, Linux, and UNIX clients. LANDesk Management Suite has limited support for these clients—at a minimum, you can do inventory scans, and depending on the operating system and version, you can do more. In this chapter you'll learn about: • • Deploying to Macintosh clients Deploying to Linux and UNIX clients
145
INSTALLATION AND DEPLOYMENT GUIDE
Deploying to Macintosh clients
The Macintosh agents support these operating systems: • • • Mac OS X 10.2.x and 10.3.x Mac OS 8 and 9.2.2 All clients must have TCP/IP installed.
Supported Mac OS 8 and 9.2.2 agent features: • • • Remote file transfer. Remote program execution. No reliance on Apple System Profiler.
Management Suite 8 adds these features to the Mac OS X agents: • • • • • Software License Monitoring: Application usage monitoring, license compliance tracking/reporting, and application denial/reporting Remote Control Enhancements: Render rate improvements, client-side icon to terminate session, remote login/out Software Distribution: Macintosh clients can receive Targeted Multicast files Application Policy Management: Macintosh clients can automatically receive software packages (required, recommended, and optional packages) if they match query criteria you set Additional base agent support: Mac OS X agents also support chat, remote reboot, and CBA discovery
146
CHAPTER 10: DEPLOYING TO MACINTOSH, LINUX, AND UNIX CLIENTS
Deploying the Mac OS X agents
The Macintosh client install files are stored on the core server in the \Program Files\LANDesk\ManagementSuite\LDLogon\Mac folder. The LDMSClient.pkg.zip file contains the compressed package that installs the agents. The Mac OS X agent installer installs files to the root volume and requires root authorization. On each Mac OS X computer you install the agents on, you'll need to configure the scanner preferences. At a minimum, you must enter the core server address that the scanner should send scans to. To install the Mac OS X agents 1. 2. 3. 4. 5. 6. Connect to the core server's LDLOGON share. From \LDLogon\Mac\LDMSClient.pkg.zip, extract LANDeskOSXClient.pkg. Double-click LANDeskOSXClient.pkg to run it. Enter an administrator/root password when prompted. Finish the wizard to install the client agents. When the wizard finishes, open the OS X System Preferences and select the LANDesk Client panel. 7. Click the Inventory Scanner tab. 8. Enter the server's IP address or resolvable name into the LDMS server address box. 9. Select the components you want to scan. 10. Make any other changes you want in the Inventory or Remote Control tabs. 11. Reboot to load the agents.
Locking Macintosh client options
By default, the Management Suite preference pane options are locked for users without root-level access. Non-root users can see the preferences, but they can't change them. To unlock a Macintosh client configuration 1. Open the Mac OS X System Preferences and select the LANDesk Client panel. 2. Click the lock icon in the panel's lower left-hand portion. The panel prompts you for a root-level password to unlock the panel.
Updating the Mac OS X agents
To update the Mac OS X agents using a Client Setup wizard script, the agent installation file must be on a Web server. By default, the LDLogon share is a Web share. You can verify that this share is working by accessing http://<core_server>/ldlogon. Regardless of the options you select in the Client Setup wizard or the way you deploy the agents, the OS X agent package will install all of the agents with default options. The Client Setup wizard's remote control options don't affect the default OS X agent preferences.
147
INSTALLATION AND DEPLOYMENT GUIDE
Uninstalling the Mac OS X agents
If you want to uninstall the Mac OS X agents, run the uninstall script, lduninstall.command, located on each client in the /Library/Application Support/LANDesk folder.
148
CHAPTER 10: DEPLOYING TO MACINTOSH, LINUX, AND UNIX CLIENTS
Deploying the Mac OS 8 and 9.2.2 agents
The Macintosh client install files are stored on the core server in the \Program Files\LANDesk\ManagementSuite\LDLogon\Mac folder. The LANDesk_Classic_Client.sit file contains the Setup files and agents. You will need version 5.5 or greater of StuffIt* Expander to extract files from the MACINIT.SIT file. If you don't have the correct version, you can download it from http://www.aladdinsys.com. To deploy the Mac OS 8 and 9.22 agents 1. Extract the files in \Program Files\LANDesk\ManagementSuite\LDLogon\Mac\LANDesk_Classic_Client.sit to a location where your Macintosh computers can run the installation script. This location can be a shared folder on a Macintosh volume, CD-ROM, Web server, and so on. You can also e-mail these files to clients. 2. At the location you extracted the MACINIT.SIT file to, edit the INVMAC.INI file's ServerAddress option so that it points to your core server. If you don't do this, scan information won't be added to the core database. You can use the core server's Windows NT server name or its IP address. For more information about the .INI files, see "Changing agent options via the .INI files" later in this chapter. 3. From each Macintosh you want configured, run the Macintosh Client Install script from the location where you copied the MACINIT.SIT files. 4. Reboot each Macintosh client when you are done.
Installing non-English language support on clients
The client agents use English by default. If you want to install support for one of the other supported languages, follow the procedure below. To install non-English language support on clients 1. From the \Program Files\Intel\DTM\LDLogon\MAC directory, extract the language file you want to install from: MACISLNG.SIT (Inventory agent language files) and MACRCLNG.SIT (Remote Control agent language files). 2. Copy these files to the Applications\Intel folder on each Macintosh client.
149
INSTALLATION AND DEPLOYMENT GUIDE
Updating Mac OS 8 and 9.2.2 agents
Once a Macintosh computer has the Remote Control agent on it, you can use the Client Setup wizard to configure and update the agents and settings on that client. The Allow Remote Execute and Allow File Transfer options must be enabled for this to work. You can use the Client Setup wizard for Macintosh client updates only—don't use it during initial client deployment. When you schedule a client configuration that's going to a Macintosh computer, this happens: 1. Client Setup automatically generates an RCMAC.INI file based on your selections in the Client Setup wizard. 2. Client Setup looks in the \Program Files\Intel\DTM\Install\Mac directory for the INVMAC.INI file to send out to clients. Make sure you've updated the INVMAC.INI ServerAddress option to point to your core server. 3. Client Setup copies all the files to a temporary directory on the Macintosh and runs the Macintosh Client Install script from there.
Changing Mac OS 8 and 9.2.2 agent options via the .INI files
This section only applies if you want to manually customize the agent .INI files. The Macintosh agents are on the core server in the \Program Files\Intel\DTM\LDLogon\Mac directory. The MACINIT.SIT file contains the Inventory and Remote Control agents, and the .INI files that configure these agents. • • RCMAC.INI: Specifies the client Remote Control settings. INVMAC.INI: Specifies client Inventory settings.
You can customize these files the way you want them before configuring Macintosh clients. If you don't customize them beforehand, the agents will use the defaults. If you want to change the settings in the future, you can distribute these files to clients later via the Scheduler. On the client, these .INI files are in the Preferences folder. If you want to add comments to the .INI files, you can use the semicolon (;) character. The only setting you must configure is the ServerAddress option in INVMAC.INI. The defaults in these files will work otherwise. In the following tables, you can see a list of possible options and the default values.
Inventory client options
The only Inventory client option you must configure is ServerAddress, which specifies where the client should send its inventory scans. This option is set to "Your server name here" by default. You can launch the inventory scanner manually from the Applications\Intel folder.
150
CHAPTER 10: DEPLOYING TO MACINTOSH, LINUX, AND UNIX CLIENTS
To change inventory preferences on the client 1. From Applications (MacOS9):LANDesk, double-click Inventory Scanner. 2. Change the settings you want. The Macintosh Inventory client can have these options in INVMAC.INI: Option ServerAddress= Description You must specify the core server name or IP address here. This is the server the agent sends scan information to. No scan information goes to the core database unless this server address is correct. Here's an example: ServerAddress=mycoreserver Sends the scan results to the core server. You should leave this enabled. Saves the scan results to a file called "scan" in the directory the agent ran from. Enabled by default, but disabling this option won't cause problems. If enabled, forces the client to do a software scan regardless of whether the core server says one is due. Specifies which software items to scan. Add together these bitfield values that you're interested in: 1 Applications 2 Desk Accessories 4 Drivers 8 Fonts 16 INITS HardwareScanItems=127 Specifies which hardware items to scan. Add together these bitfield values that you're interested in: 1 I/O devices 2 CPU 4 Monitors 8 NuBus/PCI cards 16 SCSI devices 32 Volumes 64 System (network and system info) LastScanTime= ServerGUID= Don't change this option. Value managed by agent. Don't change this option. Value managed by agent.
SendToServer=1 CreateFile=1
ForceScan=0 SoftwareScanItems=31
151
INSTALLATION AND DEPLOYMENT GUIDE
Remote Control client options
The Macintosh client install script adds an alias to the Startup Items folder that launches the Remote Control agent when the computer boots. Macintosh keyboards have some keys that PC keyboards don't. When remote controlling a Macintosh, use these keys on your PC keyboard to emulate a Macintosh keyboard: • • The left Alt key maps to the Option key. The right Alt key maps to the Apple key.
You need to have system key pass-through enabled in the Remote Control Viewer window for the Alt keys to pass their Macintosh mappings. To change Remote Control preferences on the client 1. With the Remote Control Viewer window displayed, press the Command, Option, and P keys simultaneously. 2. Change the settings you want. If you want to change the Remote Control agent preferences on a client via a remote control session, enable system key pass-through and hold down both Alt keys and the P key to display the Preferences dialog. Note that Macintosh remote control doesn't support 1-bit or 2-bit color depths. Unless you want to change the default Remote Control options for security or policy reasons, there aren't any values in RCMAC.INI file that you have to edit.
152
CHAPTER 10: DEPLOYING TO MACINTOSH, LINUX, AND UNIX CLIENTS
You can set several Remote Control options in the Client Setup wizard. Doing this modifies the RCMAC.INI file. The Macintosh Remote Control agent has these options in RCMAC.INI that you can also manually edit: Option Allow Takeover=1 Allow Reboot=0 Permission Required=0 Permission Box Timeout=12 Visible Signal=0 Description If enabled, allows others to remote control the client. If enabled, allows others to remotely reboot the client. If this option is disabled, it doesn't prevent an administrator from remote controlling a client and selecting Restart from the Finder's Special menu. If enabled, displays an Accept/Reject dialog on the client that the client must accept before remote control begins. If Permission Required is enabled, this specifies how long before the Permission Required dialog times out and disappears. If the dialog times out, that denies remote control permission. This option isn't configurable via the Remote Control agent interface. If enabled, briefly displays a message box on the client for three seconds indicating that it's being remote controlled.
Allow Remote If enabled, allows administrators to remotely execute programs on the client Execute=1 computer. This feature must be enabled for auto-update to work. Allow File Transfer=1 Scan Lines Per Second=4 If enabled, allows administrators to transfer files to the computer. This feature must be enabled for auto-update to work. Don't change this option. This option isn't configurable via the Remote Control agent interface.
153
INSTALLATION AND DEPLOYMENT GUIDE
Deploying to Linux and UNIX clients
Management Suite works with some versions of Linux and UNIX. These features of Management Suite are supported for Linux and UNIX computers: • • Inventory scanning for hardware and software. Queries from the management console on any attribute that the inventory scanner reports to the core database.
The Linux/UNIX inventory scanner provides scanning for hardware and software. The scanner will find these attributes of a Linux/UNIX computer: • • • • • • • • Environment variables Memory Network OS type/kernel version Processor Bound adapters Mounted devices Software
System requirements
Linux runs on a variety of architectures, but the Linux inventory scanner will only run on Intel architecture. TCP is the only supported protocol for the inventory scanner. Supported Linux and UNIX distributions: • • • • • Red Hat Linux 7.3, 8.0, and 9.0 IBM AIX 5.1 Intel Architecture Solaris 8 Sun Sparc (Solaris 8) HP-UX 11.0
Installing the Linux/UNIX agents
You'll need to install the Linux/UNIX agents manually. The Linux/UNIX agents include only the Inventory Scanner agent. Copy the ldiscnux agent files from the appropriate directory under \Program Files\LANDesk\ManagementSuite\LDLogon\unix\ that matches your Linux/UNIX distribution. Copy all the files from the \common directory. • • • • • •
154
aix: IBM AIX 5.1 common: Common man and configuration files used by all supported distributions hpux: HP-UX 11.0 linux: RedHat Linux 7.3, 8.0, and 9.0 solia: Intel Architecture Solaris 8 solsparc: Sun Sparc Solaris 8
CHAPTER 10: DEPLOYING TO MACINTOSH, LINUX, AND UNIX CLIENTS
To install the inventory scanner on Linux/UNIX 1. Copy ldiscnux.conf and ldappl.conf to /etc. Give ldiscnux.conf read/write access for users. Give ldappl.conf read access for users. Use the UNIX chmod command to assign rights to the files. 2. Edit ldappl.conf to customize the software scanning if desired. See the sample entries in ldappl.conf for more information. 3. Copy ldiscnux.8 to /usr/man/man8. 4. Copy ldiscnux to a directory that is accessible by the individuals who will be running the application. Usually this is /usr/sbin. 5. If needed, make ldiscnux executable using the chmod command.
Linux/UNIX inventory scanner command-line parameters
The Linux/UNIX inventory scanner, ldiscnux, has several command-line parameters that specify how it should run. See "ldiscnux -h" or "man ldiscnux" for a detailed description of each. Each option can be preceded by either '-' or '/'. These commandline parameters are available in Management Suite: -d=Dir Starts the software scan in the Dir directory instead of the root. By default, the scan starts in the root directory. -f Forces a software scan. If you don't specify -f, the scanner does software scans on the day interval (every day by default) specified in the console under Configure | Services | Inventory | Scanner Settings. -fDisables the software scan. -i=ConfName Specifies the configuration filename. Default is /etc/ldappl.conf. -ntt=address:port Host name or IP address of core server. Port is optional. -o=File Writes inventory information to the specified output file. -s=Server Specifies the core server. This command is optional, and only exists for backward compatibility. -stdout Writes inventory information to the standard output. -v Enables verbose status messages during the scan. -h or -? Displays the help screen.
155
INSTALLATION AND DEPLOYMENT GUIDE
Examples
To output data to a text file, type: ldiscnux -o=data.out -v To send data to the core server, type: ldiscnux -ntt=ServerIPName -v
Linux/UNIX inventory scanner files
ldiscnux This is the executable that is run with command-line parameters to indicate the action to take. All users that will run the scanner need sufficient rights to execute the file. There is a different version of this file for each platform supported above. /etc/ldiscnux.conf This file always resides in /etc and contains the following information: • • • Inventory assigned unique ID Last hardware scan Last software scan
All users who run the scanner need read and write attributes for this file. The unique ID in /etc/ldiscnux.conf is a unique number assigned to a computer the first time the inventory scanner runs. This number is used to identify the computer. If it ever changes, the core server will treat it as a different computer, which could result in a duplicate entry in the database. Warning: Do not change the unique ID number or remove the ldiscnux.conf file after it has been created. /etc/ldappl.conf This file is where you customize the list of executables that the inventory scanner will report when running a software scan. The file includes some examples, and you'll need to add entries for software packages that you use. The search criteria are based on filename and file size. Though this file will typically reside in /etc, the scanner can use an alternative file by using the -i= command-line parameter. ldiscnux.8 Man page for ldiscnux.
156
CHAPTER 10: DEPLOYING TO MACINTOSH, LINUX, AND UNIX CLIENTS
Web console/Management Suite console integration
Once a Linux/UNIX computer is scanned into the core database, you can: • • • • Query on any of the attributes returned by the Linux/UNIX inventory scanner to the core database. Use Management Suite's reporting features to generate reports that include information that the Linux/UNIX scanner gathers. For example, Linux/UNIX will appear as an OS type in the Operating Systems Summary Report. Use the Inventory Summary dialog to view information for Linux/UNIX computers. Use Management Suite's inventory change history to track changes on items that the Linux/UNIX Inventory scanner inserts into the core database. The inventory service sends alerts when inventory data changes.
Miscellaneous issues
Queries on "System Uptime" sort alphabetically, returning unexpected results If you want to do a query to find out how many computers have been running longer than a certain number of days (for example, 10 days), query on "System Start" rather than "System Uptime." Queries on System Uptime may return unexpected results, because the system uptime is simply a string formatted as "x days, y hours, z minutes, and j seconds." Sorting is done alphabetically and not on time intervals. Path to config files referenced in ldappl.conf doesn't appear in console ConfFile entries in ldappl.conf file need to include a path.
157
Chapter 11: Uninstalling LANDesk Management Suite
Just as there's a specific strategy you should follow to deploy the different LANDesk Management Suite components, there's a corresponding strategy for uninstalling the components. In this chapter you'll learn about: • • Uninstalling Management Suite Uninstalling the Web console
159
INSTALLATION AND DEPLOYMENT GUIDE
Uninstalling Management Suite
The following sections show you how to properly uninstall each Management Suite component. You must uninstall the components in this order: 1. 2. 3. 4. Uninstall Uninstall Uninstall Uninstall LANDesk agents from clients the service centers the consoles the core server
Uninstalling LANDesk agents from clients
The first step to uninstall LANDesk software from your network is to uninstall its agents from your clients. To uninstall agents from clients on a NetWare network • Use your network administrator tool to move users to the LANDESKEXCLUDE group. The next time the user logs in, Management Suite removes the agents from the computer.
To uninstall agents from clients on a Windows 2000/2003 network • In the batch file you originally used as the login script to configure the client, change the /IP parameter in WSCFG32.EXE to /u. For more information, see "Phase 4: Deploying the primary agents to clients" earlier in this guide.
Uninstalling the service centers
After you uninstall LANDesk agents from your clients, you can uninstall software from your service centers. To uninstall your service centers 1. Go to your core server. 2. In the console's network view, select the computer where the service center is running. 3. From that server's shortcut menu, click Service Center. 4. To remove all services from the selected server, click Remove All | Finish.
160
CHAPTER 11: UNINSTALLING LANDESK MANAGEMENT SUITE
Uninstalling the consoles
After you uninstall LANDesk agents from your clients and the software from your service centers, you're ready to uninstall the software from your consoles. To uninstall your consoles 1. Go to the console computer where you want to remove the software. 2. Click Start | Settings | Control Panel, then double-click Add/Remove Programs. 3. Select LANDesk Management Suite. 4. Click Add/Remove.
Uninstalling the core server
The final step in uninstalling Management Suite from your network is to uninstall the software on the core server. Before you do so, make sure you've uninstalled the LANDesk software from your clients, service centers, and consoles. To uninstall the core server 1. Go to the core server. 2. Click Start | Settings | Control Panel, then double-click Add/Remove Programs. 3. To uninstall Management Suite software, select LANDesk Management Suite and any other LANDesk products you installed. 4. Click Add/Remove. Uninstalling the core and core rollup databases You need to manually uninstall the core and core rollup databases. For more information, refer to your database manual.
Uninstalling the Web console
Because Microsoft IIS loads the Web console into memory and keeps it loaded, you must reboot the server before doing an uninstall. Make sure you don't reconnect to the Web console after you reboot. To uninstall the Web console 1. Reboot the Web server. 2. Click Start | Settings | Control Panel, then double-click Add/Remove Programs. 3. Click LANDesk Management Suite, then click Add/Remove. 4. Click Yes to remove the application. 5. Click OK when the uninstall is completed.
161
INSTALLATION AND DEPLOYMENT GUIDE
To uninstall the Remote Control Viewer from client computers 1. Shut down all instances of your browser. 2. Click Start | Settings | Control Panel, then double-click Add/Remove Programs. 3. Click Remote Control Viewer, then click Add/Remove. 4. Click Yes to remove the application. 5. Click OK when the uninstall is completed.
162
Appendix A: Troubleshooting
You can reach LANDesk Software's online support services on the Web (available in English only). The services contain the most up-to-date information about LANDesk Software products. You can also find installation notes, troubleshooting tips, software updates, and customer support information. Visit the Web site below, then access the Management Suite page: http://www.landesk.com/support/index.php You can also download the latest versions of the Management Suite Release Notes and documentation, which may include information that wasn't available at the time the product was shipped. If you can't resolve your issue using this guide or by consulting the LANDesk Software support Web site, LANDesk Software offers a range of paid support, consulting, and partner services. For more information, see the customer support page at: http://www.landesk.com/wheretobuy/ Before calling for customer support issues, have this information ready: • • • • • • Your name, the name of your company, and the version of Management Suite you're using. The network operating system you're using (name and version). Any patches or service packs you've installed. Detailed steps to reproduce the problem. Steps you've already taken to troubleshoot the problem. Any information unique to your system that may help the Customer Support engineer understand the problem, such as what kind of database application you're using, the brand of video card you've installed, or the make and model of the computer you're using.
163
®
Installation and Deployment Guide
This document contains information, which is the proprietary property of LANDesk Software, Ltd. and its affiliates. This document is received in confidence and its contents cannot be disclosed or copied without the prior written consent of LANDesk Software Ltd., and its affiliated companies ("LANDesk"). Nothing in this document constitutes a guaranty, warranty, or license, express or implied. LANDesk disclaims all liability for all such guaranties, warranties, and licenses, including but not limited to: Fitness for a particular purpose; merchantability; non infringement of intellectual property or other rights of any third party or of LANDesk; indemnity; and all others. LANDesk products are not intended for use in medical, life saving, or life sustaining applications. The reader is advised that third parties can have intellectual property rights that can be relevant to this document and the technologies discussed herein, and is advised to seek the advice of competent legal counsel, without obligation of LANDesk. LANDesk retains the right to make changes to this document or related product specifications and descriptions at any time, without notice. LANDesk makes no warranty for the use of this document and assume no responsibility for any errors that can appear in the document nor does it make a commitment to update the information contained herein. Copyright © 2004, LANDesk Software Ltd., or its affiliated companies. All rights reserved. LANDesk is either a registered trademark or trademark of LANDesk Software, Ltd. or its controlled subsidiaries in the United States and/or other countries. *Other brands and names are the property of their respective owners
Contents
LANDesk® Management Suite overview ............................................................ 9 What's new in LANDesk Management Suite 8.................................................10 Management Suite basics............................................................................12 How does Management Suite fit into my network?........................................12 Important concepts..................................................................................12 Management Suite terms ..........................................................................12 Installation and deployment strategies..........................................................13 Rapid versus phased deployment ...............................................................13 Overview of installation and deployment .......................................................14 Rapid deployment strategy .............................................................................17 Overview of rapid deployment .....................................................................18 Step 1: Design your domain ........................................................................19 Estimate the number of clients ..................................................................19 Select the core server ..............................................................................19 Select the console computer .....................................................................20 Plan the placement of program files ...........................................................20 Step 2: Prepare your database ....................................................................21 Step 3: Install the core server and console ....................................................22 About the Core Server Activation utility ......................................................23 Verifying a successful installation ...............................................................24 Step 4: Deploy Management Suite ...............................................................25 Deploying to servers ................................................................................25 Deploying to clients .................................................................................26 Congratulations! ........................................................................................28 Phase 1: Designing your management domain ..................................................29 Gathering network information ....................................................................30 Determining number of sites .....................................................................30 Estimating number of clients at each location ..............................................30 Selecting your core server and consoles......................................................31 Planning placement of program files ...........................................................31 Selecting a database ................................................................................31 Selecting service centers ..........................................................................32 Determining number of management domains .............................................32
iii
TABLE OF CONTENTS
Planning your security and organization model...............................................33 Planning your core server structure ............................................................33 Planning a scope .....................................................................................33 Using a rollup core database .....................................................................35 Selecting components to implement ...........................................................36 Functionality available by client OS ............................................................38 Compatibility with previous versions of Management Suite ............................39 System requirements .................................................................................40 Core and database servers........................................................................40 Supported router configurations...................................................................44 Upgrading to LANDesk Management Suite 8 ..................................................46 Before you begin .....................................................................................46 Upgrade tools .........................................................................................47 Upgrade methods ....................................................................................48 Upgrade procedures.................................................................................48 Understanding component upgrade/migration..............................................53 Migration at a glance................................................................................56 Phase 2: Preparing your databases ..................................................................59 Before you begin .......................................................................................60 Microsoft SQL Server 2000 configuration .......................................................61 SQL maintenance ....................................................................................61 Oracle database configuration......................................................................63 Oracle performance tuning suggestions and scripts.......................................63 LANDesk Software support and DBMS issues .................................................65 Phase 3: Installing the core, console, and rollup core .........................................67 Selecting components to install....................................................................68 Installing the core server and console ...........................................................69 Activating the core server ...........................................................................71 About the Core Server Activation utility ......................................................72 Logging in to the console ..........................................................................74 Installing additional consoles .......................................................................75 Setting additional console permissions........................................................76 Verifying a successful installation ...............................................................76 Managing databases after installation ...........................................................77 Installing a rollup core..............................................................................77 Using the database Rollup Utility................................................................77
iv
TABLE OF CONTENTS
Increasing the rollup database timeout .......................................................79 Running CoreDbUtil to reset, rebuild, or update a database ...........................80 Phase 4: Deploying the primary agents to clients...............................................81 The phased deployment strategy .................................................................82 Checklist for configuring clients....................................................................82 Deploying to Windows NT/2000/2003/XP clients.............................................84 Deploying to Windows XP clients using local accounts ...................................84 Upgrading clients that use older Management Suite agents............................85 Using a service center to deploy Remote Control, Inventory, and CBA to clients..86 Setting up a Client Deployment service center .............................................86 Deploying Remote Control, Inventory, and CBA to clients of a Windows NT/2000/2003 server...............................................................................88 Deploying Remote Control, Inventory, and CBA to clients of a NetWare server .90 Deploying clients from the command line ......................................................93 Deploying to clients using Enhanced Software Distribution packages .................94 Understanding the client configuration architecture.........................................95 Configuring Windows clients......................................................................95 Understanding WSCFG32.EXE....................................................................95 Reversing the client configuration process .....................................................98 Phase 5: Deploying other agents to clients .......................................................99 Creating a client setup configuration........................................................... 100 Deploying Application Healing.................................................................. 100 Deploying Application Policy Management ................................................. 100 Deploying Bandwidth Detection ............................................................... 102 Deploying the Common Base Agent.......................................................... 102 Deploying Custom Data Forms................................................................. 103 Enabling Migration Tasks ........................................................................ 103 Deploying Enhanced Software Distribution ................................................ 103 Deploying the Inventory Scanner ............................................................. 103 Deploying the Local Scheduler ................................................................. 104 Deploying Remote Control ...................................................................... 104 Deploying Software Monitoring ................................................................ 105 Deploying Targeted Multicast................................................................... 105 Deploying Task Completion ..................................................................... 106
v
TABLE OF CONTENTS
Chapter 6: Installing the Web console ............................................................ 107 Extending network management to the Web................................................ 108 Installation requirements .......................................................................... 109 Management Suite requirements ............................................................. 109 Web server requirements........................................................................ 109 Computer requirements for accessing the Web console ............................... 109 Installing the Web console ........................................................................ 110 Accessing multiple databases .................................................................... 112 Configuring domain-level software distribution and Windows 2003 servers..... 112 Configuring the Web console for multiple cores .......................................... 113 Setting up Web console security ................................................................ 115 Setting up role-based administration in the Web console ............................. 115 Setting up feature-level security for rollup core databases ........................... 116 Changing the default IIS session timeout .................................................. 117 Setting up the indexing service................................................................ 117 Configuring rights for the Web console...................................................... 118 Changing the Web console location .......................................................... 118 Chapter 7: Installing OS deployment and profile migration................................ 119 Installing OS deployment and profile migration ............................................ 120 Configuring your OS deployment and profile migration environment................ 122 Step 1: Configuring an image server ........................................................ 122 Step 2: Verifying name resolution ............................................................ 123 Step 3: Configuring your network for Multicast OS deployment .................... 123 Step 4: Configuring PXE ......................................................................... 124 OS deployment phases ............................................................................. 127 Chapter 8: Installing add-ons ....................................................................... 129 Activating Management Suite 8 add-on products .......................................... 130 Installing LANDesk Patch Manager 8 ........................................................... 131 Installing LANDesk Asset Manager 8 ........................................................... 132 Installing LANDesk Handheld Manager 8 ..................................................... 133 Installing Handheld Manager ................................................................... 133 Deploying to host computers and their mobile devices ................................ 133 Using Afaria with 32-bit Windows clients ................................................... 134 How Handheld Manager works................................................................. 135 Viewing mobile inventory information ....................................................... 135
vi
TABLE OF CONTENTS
Chapter 9: Installing LANDesk Inventory Manager ........................................... 137 Installing clients manually......................................................................... 138 Installing clients using a service center ....................................................... 139 Setting up a Client Deployment service center ........................................... 139 Deploying to clients of a Windows NT/2000/2003 server ............................. 140 Deploying to clients of a NetWare server ................................................... 142 Deploying clients from the command line .................................................... 144 Chapter 10: Deploying to Macintosh, Linux, and UNIX clients ............................ 145 Deploying to Macintosh clients ................................................................... 146 Deploying the Mac OS X agents ................................................................. 147 Locking Macintosh client options .............................................................. 147 Updating the Mac OS X agents ................................................................ 147 Uninstalling the Mac OS X agents............................................................. 148 Deploying the Mac OS 8 and 9.2.2 agents ................................................... 149 Updating Mac OS 8 and 9.2.2 agents........................................................ 150 Changing Mac OS 8 and 9.2.2 agent options via the .INI files....................... 150 Deploying to Linux and UNIX clients ........................................................... 154 System requirements ............................................................................. 154 Installing the Linux/UNIX agents.............................................................. 154 Linux/UNIX inventory scanner command-line parameters ............................ 155 Linux/UNIX inventory scanner files........................................................... 156 Web console/Management Suite console integration ................................... 157 Miscellaneous issues .............................................................................. 157 Chapter 11: Uninstalling LANDesk Management Suite....................................... 159 Uninstalling Management Suite .................................................................. 160 Uninstalling LANDesk agents from clients .................................................. 160 Uninstalling the service centers ............................................................... 160 Uninstalling the consoles ........................................................................ 161 Uninstalling the core server..................................................................... 161 Uninstalling the Web console ................................................................... 161 Appendix A: Troubleshooting ........................................................................ 163
vii
TABLE OF CONTENTS
viii
LANDesk® Management Suite overview
This guide walks you through the process of installing and deploying one of the most comprehensive network management tools available LANDesk® Management Suite 8. Here's what you'll learn about in this overview: • • • • What's new in this release Management Suite basics (includes Management Suite terms) Installation and deployment strategies Overview of installation and deployment
9
INSTALLATION AND DEPLOYMENT GUIDE
What's new in LANDesk Management Suite 8
These are the primary new and improved features in Management Suite 8: • • Improved database: New single database schema with improved data integrity and scalability. Role-based administration: Add Management Suite users and configure their access to Management Suite tools and network devices based on their administrative role in your network. With role-based administration, you assign scope to determine the devices a user can view and manage, and rights to determine the tasks they can perform. Enhanced Software Distribution improvements: Enhancements include byte-level checkpoint restart for interrupted downloads, peer download, dynamic bandwidth throttling that limits distribution bandwidth when clients need network bandwidth, and multi-file MSI multicast package support. New Unmanaged Device Discovery feature: Discover unknown and unmanaged devices on your network though a directory service, domain discovery, or layer 3 ping sweep. Alerts notify you of newly discovered devices. Schedule device discovery so you can constantly be aware of new devices. Enhanced client security: Certificate-based model allows clients to only communicate with authorized core servers and consoles. New on-demand remote control: Optional and highly secure on-demand remote control model only loads the remote control agent on clients for the duration of an authorized remote control. New reports: Over 50 new predefined Management Suite service reports for planning and strategic analysis. New console interface: New console with dockable windows, network view, custom layouts, and more. Additional Macintosh computer feature support: Targeted Multicast, Application Policy Management, and Software License Monitoring for Mac OS 10.2 clients.
•
•
• • • • •
LANDesk Management Suite 8.1 adds these enhancements: • • • • Enhanced inventory: Launch an immediate inventory scan on a client by right-clicking the client and clicking Inventory. Also, the inventory scanner now collects the operating system language on clients. Improved software distribution: Software distribution now works better through firewalls, and you can now disable task completion on software distribution jobs, so if the job fails it isn't automatically retried. Improved Web console: Generate basic client configuration packages and use software license monitoring from the Web. Enhanced application policy management reliability: Whenever a client checks with the core server for tasks or policies, the core server updates that client's IP address in the core database, avoiding problems with outdated IP addresses that may be part of an old inventory scan. Improved scheduled task support: Provide multiple logins for the scheduler service to authenticate with when running tasks on clients that don't have Management Suite agents. This is especially useful for managing clients in multiple Windows domains.
•
10
LANDESK® MANAGEMENT SUITE OVERVIEW
• •
•
•
•
New custom local scheduler tasks: Use the Management Suite local scheduler on clients to remotely schedule a recurring task. Enhanced remote control: Store detailed remote control logs in the database. Log information includes who initiated the remote control session and the remote control tasks (file transfers, chat, and so on) they did on the client. Also, remote control sessions now pass 3rd mouse button/wheel movement to clients. Enhanced unmanaged device discovery: Generate reports on the unmanaged devices on your network. For more flexibility, you can now use an Unmanaged Device Discovery task to rediscover managed clients. This is useful if you've reset your database. New LANDesk Asset Manager 8 Add-on: Manage physical assets and perform inventory audits. Track business contracts, invoices, and projects information. Configure data entry forms, enter items into the database with those forms, and collect and analyze that data with custom asset reports. Improved Patch Manager 8 Add-on: Create user-defined vulnerabilities so you can detect problems before a patch is available. Now you can scan for vulnerabilities on Mac OS* X 10.2.x and 10.3.x clients.
11
INSTALLATION AND DEPLOYMENT GUIDE
Management Suite basics
Management Suite supports NetWare* servers and Windows* 2000/2003 servers, and it provides a common interface for managing the clients of these network operating systems. On the client side, Management Suite supports to varying degrees Windows NT/2000/2003/XP, Windows 95/98, Macintosh*, UNIX*, and Linux* clients.
How does Management Suite fit into my network?
Management Suite uses the infrastructure of your existing network to establish connections with the devices it manages. With Management Suite, the job of managing your existing network is greatly simplified, whether you manage a small network or a large enterprise environment.
Important concepts
The most important concept that you need to understand before installing and deploying the software is the Management Suite management domain. Each management domain consists of a core server and the clients that core server manages. Depending on the server speed, each core server can manage up to 10,000 clients. You can have multiple core servers on your network. You can view the data from multiple core servers by using the Management Suite Web console to view a rollup core server, which gathers data from individual core servers you configure.
Management Suite terms
• • • • • • Core server: The center of a management domain. All the key files and services for Management Suite are on the core server. A management domain has only one core server. Console: The main LANDesk Management Suite interface. Web console: The browser-based Management Suite console that offers a subset of the features available in the main console. Core database: Management Suite requires one database for each core server, and if you have multiple core servers, you can use a core rollup database that summarizes data from the core servers. Core rollup database: A database that is optimized for querying. Core rollup databases summarize data from multiple core servers. Only the Web console can access the core rollup database. Clients: Desktop computers, servers, laptops, or handheld devices, in your network that have LANDesk agents installed. A core server can manage as many as 10,000 clients. Larger environments require multiple core servers.
12
LANDESK® MANAGEMENT SUITE OVERVIEW
Installation and deployment strategies
Installing and deploying a system-wide application like Management Suite to a heterogeneous network requires a deliberate methodology and significant planning before you run the setup program. This guide includes two strategies for setting up Management Suite: • • Rapid deployment Phased deployment
Before choosing a deployment strategy, you need to briefly characterize your management needs.
Rapid versus phased deployment
Deployment is the process of expanding your management capabilities to clients that you want to include in the domain. Deployment is simplified when you load agents and services on clients and servers so that you can manage them from a central location. The rapid deployment strategy assumes that the default settings and database used during install are sufficient for your management needs. The phased deployment strategy offers you a more structured approach to enabling management on servers and clients. This approach is based on two simple principles: • • First, deploy those Management Suite components that have the least impact on your existing network and progress to those components that have the most impact. Second, deploy Management Suite in well-planned stages, rather than deploying all services at once, which may complicate any required troubleshooting. Phased deployment Uses custom settings. Installs on networks with any number of clients.
Rapid deployment Uses the default settings and database. Installs on networks with 1,000 clients or fewer.
Installs to a test lab so that you can evaluate Installs to a complex network that has multiple the product before a wide-scale deployment locations with WAN connections. to your production network. If you meet any of the rapid deployment criteria, refer to the next chapter, "Rapid deployment strategy. " If you meet any of the phased deployment criteria, refer to "Phase 1: Designing your management domain" later in this guide. You should then continue sequentially through each phase.
13
INSTALLATION AND DEPLOYMENT GUIDE
Overview of installation and deployment
This guide groups installation and deployment tasks into the following phases. Each phase has a corresponding section in this guide that walks you through that part of the installation. If you're using the rapid deployment strategy, you'll complete these tasks in the same order, but you won't need to plan or prepare as thoroughly as you would if you were following the phased deployment strategy.
Phase 1 summary
During phase 1 of the installation, you design your management domain by completing these tasks: • • Gather network information Confirm that your network meets system requirements
For details, refer to "Phase 1: Designing your management domain" later in this guide.
Phase 2 summary
During phase 2 of the installation, you prepare your databases by completing these tasks: • • Install and configure your databases Conduct basic database maintenance
For details, refer to "Phase 2: Preparing your databases" later in this guide.
Phase 3 summary
During phase 3, you install Management Suite by completing these tasks: • • • • Install the core server Install additional management consoles Configure a rollup core server (optional) Maintain the database
For details, refer to "Phase 3: Installing the core, console, and rollup core" later in this guide.
14
LANDESK® MANAGEMENT SUITE OVERVIEW
Phase 4 summary
During phase 4 of the installation, you deploy the basic Management Suite agents by completing these tasks: • • • Deploy Remote Control and Inventory to servers Deploy Remote Control, Inventory, and CBA to clients Deploy clients from the command line
For details, refer to "Phase 4: Deploying the primary agents to clients" later in this guide.
Phase 5 summary
During phase 5 of the installation, you complete the task of deploying the remaining Management Suite agents: • • • • • • • • • • • • • Application Healing Application Policy Management Bandwidth Detection Common Base Agent Custom Data Forms Enable Migration Tasks Enhanced Software Distribution Inventory Scanner Local Scheduler Remote Control Software Monitoring Targeted Multicasting Task Completion
For details, refer to "Phase 5: Deploying other agents to clients" later in this guide.
15
Rapid deployment strategy
Rapid deployment is the fastest method for setting up LANDesk Management Suite. It assumes that the domain you're setting up consists of 1,000 clients or fewer, or that you're setting up a test network to evaluate Management Suite before launching a full-scale rollout. If you need to manage more than 1,000 clients or you don't want to first set up a test network, go directly to "Phase 1: Designing your management domain" later in this guide.
17
INSTALLATION AND DEPLOYMENT GUIDE
Overview of rapid deployment
The rapid deployment strategy follows the same sequence prescribed in the phased approach. The difference is that you'll accept Management Suite's default settings rather than create customized databases and configurations. There are four major steps in rapid deployment: • • • • Step Step Step Step 1: 2: 3: 4: Design your management domain Prepare your database Install the core server and console Deploy Management Suite
Use the step-by-step instructions on the following pages to complete the rapid installation and deployment of Management Suite.
18
RAPID DEPLOYMENT STRATEGY
Step 1: Design your domain
There are four tasks necessary to design your domain in preparation for rapid deployment: • • • • Estimate the number of clients Select the core server Select the console computer Plan the placement of program files
Estimate the number of clients
A client is any computer that has LANDesk agents installed on it. Though this includes all servers with agents installed, the majority of clients in a domain are typically desktop computers, laptops, and handheld devices. By choosing rapid deployment, you've already indicated that you'll support 1,000 nodes or fewer.
Select the core server
The core server is the center of a management domain. All of the key Management Suite files and services are contained on the core server. A management domain can have only one core server.
Core server system requirements
As you consider which server you'll set up as your core server, review these system requirements and confirm that your server meets or exceeds them: • • • • • • • • Windows 2000 Server or Advanced Server with SP 4, or Windows Server 2003 Standard or Enterprise edition 500 MB of free disk space Intel Pentium III* processor minimum; Pentium 4 processor recommended 256 MB of RAM minimum An account with administrator rights Windows NTFS file system Microsoft Internet Explorer 5.5 or 6.x SCSI disk(s) recommended
19
INSTALLATION AND DEPLOYMENT GUIDE
A dedicated core server is strongly recommended Because of the traffic that must pass through the core server to manage your domain, we strongly recommend that each core server, database server, or service center is dedicated to hosting Management Suite. If you install other products on the same server, you may experience short- and long-term resource issues. Don't install the core server components on a primary domain controller, backup domain controller, or active directory controller.
Select the console computer
The console computer runs the main UI where you conduct management activities such as taking remote control of a client, monitoring the core database, or scheduling a software package distribution. The default settings install a console to the core server. You can install the console to a separate computer if you don't want to manage your domain from the core server. Management Suite 6.6 and later have replaced the old Access* default database with the Microsoft SQL* Server Data Engine 2000 (MSDE) database. The new MSDE database can handle more clients and doesn't have many of the performance limitations the Access database had. You'll likely see performance issues with MSDE when the database has more than five concurrent things to do. You should limit the number of consoles that will use the database simultaneously when using MSDE.
Console system requirements
If you plan to install a Management Suite console on a separate computer, review these system requirements and confirm that it meets these criteria: • • • • • Windows 2000 Professional or Advanced Server with SP 4, or Windows XP Professional with SP 1 Pentium III processor minimum; Pentium 4 processor recommended 256 MB of RAM 180 MB of free disk space Microsoft Internet Explorer 5.5 or 6.x
Plan the placement of program files
During installation, you can specify where you want to install the Management Suite program files. You should accept the default destination directory unless you have a compelling reason (such as insufficient disk space) to change them. The default directory is: C:\Program Files\LANDesk\ManagementSuite
20
RAPID DEPLOYMENT STRATEGY
Step 2: Prepare your database
Management Suite requires a database to store general management information. You need a database management system (DBMS) to interact with this database. For rapid deployment, use the default DBMS, Microsoft MSDE. MSDE is set up and configured for you if you accept the default data source during Management Suite installation. The only preparation necessary is to confirm that your core server meets the system requirements necessary to run the databases.
21
INSTALLATION AND DEPLOYMENT GUIDE
Step 3: Install the core server and console
This step focuses on installing the core components of Management Suite. The core server is the center of a management domain. It contains all the key files and, in the case of a rapid deployment, the databases required for Management Suite. If you've reviewed the pre-installation considerations, you're ready to install the core server. To install the core server and console At the computer you've selected to be your core server and console: 1. Insert the LANDesk Management Suite CD into the CD-ROM drive or run AUTORUN.EXE from your installation image. The Autorun feature will display a Welcome screen. 2. Click Verify Core System Requirements to run the system requirements checker. Make sure all requirements pass. 3. Click Install LANDesk Management Suite to run the Setup program. 4. Select the language you want Setup to install. 5. A Welcome screen for LANDesk Management Suite Setup appears. Click Next to continue. 6. On the License Agreement screen, if you agree click I accept the terms in the license agreement to continue. 7. Accept the default destination folder by clicking Next. 8. Select the components you want and click Next to continue. For most core servers we recommend all components except the Rollup core, which must be installed on a different server. 9. Select the database you want to use, either a new MSDE database, a usersupplied database that you've already configured, or a previous existing Management Suite database. 10. On the Management Database: MSDE settings page, enter an MSDE database password. Remember this password or write it down. You'll need it later. Click Next to continue. 11. If you selected OS Deployment & Profile Migration, click next on the Windows 98 and Windows NT 4 CD prompts. You'll need to browse to the directory the browse dialog prompts you for. 12. Enter an organization and certificate name for the core server's security certificate. This information helps name and describe the certificate. Click Next. 13. On the Ready to Install the Program page, click Install. Management Suite will start installing. 14. The Installation Wizard Complete dialog appears when Setup is done. 15. If you want to import settings from a previous version of Management Suite, select that option to launch the migration process when you click Finish. 16. Click Finish. 17. Setup will prompt you to restart the server. You must click Yes to finish Setup. When the server restarts, you'll notice after you log in that Setup will run for a few more minutes while it finishes the installation. Setup won't prompt you for any more information during the first reboot.
22
RAPID DEPLOYMENT STRATEGY
About the Core Server Activation utility
Use the Core Server Activation utility to: • • • Activate a new server for the first time Update an existing core server or switch from a trial-use license to a full-use license Activate a new server with a 45-day trial-use license
Start the utility by clicking Start | All Programs | LANDesk | Core Server Activation. If your core server doesn't have an Internet connection, see "Manually activating a core or verifying the node count data" later in this section. Each core server must have a unique authorized certificate. Multiple core servers can't share the same authorization certificate, though they can verify node counts to the same LANDesk account. Periodically, the core server generates node count verification information in the "\Program Files\LANDesk\Authorization Files\LANDesk.usage" file. This file gets sent periodically to the LANDesk Software licensing server. This file is in XML format and is digitally signed and encrypted. Any changes manually made to this file will invalidate the contents and the next usage report to the LANDesk Software licensing server. The core communicates with the LANDesk Software licensing server via HTTP. If you use a proxy server, click the utility's Proxy tab and enter your proxy information. If your core has an Internet connection, communication with the license server is automatic and won't require any intervention by you. Note that the Core Server Activation utility won't automatically launch a dial-up Internet connection, but if you launch the dial-up connection manually and run the activation utility, the utility can use the dial-up connection to report usage data. If your core server doesn't have an Internet connection, you can verify and send the node count manually, as described later in this section. For more information on the Core Server Activation utility, see "Activating the core server" in Phase 3.
Activating a server with a LANDesk Software account
Before you can activate a new server with a full-use license, you must have an account set up with LANDesk Software that licenses you for the LANDesk Software products and number of nodes you purchased. You will need the account information (contact name and password) to activate your server. If you don't have this information, contact your LANDesk Software sales representative. To activate a server 1. Click Start | All Programs | LANDesk | Core Server Activation. 2. Click Activate this core server using your LANDesk contact name and password. 3. Enter the Contact name and Password you want the core to use. 4. Click Activate.
23
INSTALLATION AND DEPLOYMENT GUIDE
Activating a server with a trial-use license
The 45-day trial-use license activates your server with the LANDesk Software licensing server. Once the 45-day evaluation period expires, you won't be able to log in to the core server, and it will stop accepting inventory scans, but you won't lose any existing data in the software or database. During or after the 45-day trial use license, you can rerun the Core Server Activation utility and switch to a full activation that uses a LANDesk Software account. If the trial-use license has expired, switching to a full-use license will reactivate the core. To activate a 45-day evaluation 1. Click Start | All Programs | LANDesk | Core Server Activation. 2. Click Activate this core for a 45-day evaluation. 3. Click Evaluate.
Verifying a successful installation
With the installation of the core server and console complete, you can now use the console component of Management Suite. To verify successful installation 1. Click Start | Settings | Administrative Tools | Services, then confirm that these services have started on the core server: • • • • • • • • • • • Intel Alert Handler Intel Alert Originator Intel PDS Intel QIP Server Service Intel Scheduler LANDesk Device Monitor LANDesk Activation Service LANDesk Management Agent LANDesk Usage Service LANDesk Inventory Server LANDesk Management Agent
2. Start the console by clicking Start | Programs | LANDesk | LANDesk Management Suite 8. 3. You'll be prompted to log in to the console. Log in with the Windows user credentials you used when installing the core server. 4. Once the console starts, you're asked to supply license information. If you're evaluating LANDesk Management Suite 8, you can use a 45-day evaluation license for 100 clients and one server. Otherwise, click Add to add your license information. 5. In the network view, click Devices > All Devices, select the core server, and from its shortcut menu click Inventory. Confirm that the core server has been scanned into the core database.
24
RAPID DEPLOYMENT STRATEGY
Step 4: Deploy Management Suite
With the core server and console installations complete, you're ready to deploy Management Suite to your management domain. To do so, you'll need to complete these tasks: • • Deploy to servers Deploy to clients
Deploying to servers
There are three parts to a rapid server deployment: • • • Creating a default remote control and inventory client setup configuration Installing Remote Control and Inventory on servers Deploying to clients
Note that when you deploy Management Suite agents to servers, you use a server license. Server and client licenses for Management Suite are sold separately. For more information on purchasing licenses, see http://www.landesk.com/contactus/.
Creating a remote control and inventory client setup configuration for servers
The default client setup configuration Management Suite installs with includes all components except for Application Healing. You should create a separate client configuration for servers that includes only the components you want, particularly the Common Base Agent (CBA), remote control, and inventory. Servers generally don't need all of the Management Suite components. To create a remote control and inventory client setup configuration for servers Click Tools | Client Setup. Double-click the Add client Configuration icon. Enter a Configuration name. Under Components to install, click Common Base Agent, Inventory Scanner, and Remote Control. 5. Proceed through the wizard, making any changes you want. When you get to the scope page, enter the scope you decided on earlier. Click Help if you need more information on Scope and the wizard pages. 6. Finish the wizard, and make the configuration default. 1. 2. 3. 4.
Installing Remote Control and Inventory on servers
Installing Remote Control and Inventory on a server lets you manage that server the same way you manage a client workstation. You can install Remote Control and Inventory on Windows NT/2000/2003 servers and NetWare servers.
25
INSTALLATION AND DEPLOYMENT GUIDE
To install Remote Control and Inventory on a Windows NT/2000/2003 server At the server you're installing to: 1. Log in with administrator rights. 2. Map a drive to the core server's LDLogon share. 3. Run IPSETUP.BAT to configure the server with LANDesk agents.
Deploying to clients
There are three ways to configure clients: • • Manual configuration: Map a drive to the core server's LDLogon share and run WSCFG32.EXE, the client configuration program. The components that are deployed to the client must be selected interactively. Push-based configuration: Use the Client Setup wizard to define a client configuration. Use the Scheduled Tasks window to push the configuration to clients. In the case of Windows 95/98 clients, CBA must already be present on the client. Logon script-based configuration: Use the Client Setup wizard to define a client configuration (with the default option set to Yes). This configuration will be applied to clients as they log in. In the case of Windows NT/2000/2003/XP clients, end users need administrative rights to their computers.
•
Obviously, manual configuration is not practical in a large environment where many clients must be configured. In this initial phase of the client deployment, with no agents present on the clients, login script-based configuration is the only option for Windows 95/98 clients. For Windows NT/2000/2003/XP clients, either login scriptbased or push-based configuration will work, but login script-based configuration is often impractical because it requires end users to have administrative rights to their computers.
Creating a default configuration for clients
Management Suite installs with a default configuration that includes all components except Application Healing. Application Healing isn't enabled by default, because it requires extra configuration. You can use the default configuration or you can create your own. If you do create your own, make sure you make your configuration the default. The default configuration has a checkmark on the icon. The default configuration is important if you are using manual configuration, because it's the one IPSETUP.BAT installs.
Deploying clients manually
Manual client deployment is adequate for small networks, but because you have to go to each computer, it isn't practical on a larger scale. If you're having problems configuring clients, manual configuration is usually trouble-free.
26
RAPID DEPLOYMENT STRATEGY
To configure a client manually 1. 2. 3. 4. Go to the client you want to configure. Log in with administrator rights. Map a drive to the core server's LDLogon share. Run IPSETUP.BAT to configure the client with LANDesk agents.
IPSETUP.BAT installs the configuration marked as default in the Client Setup window. Once IPSETUP.BAT finishes, the newly-configured client will be visible in the console's network view.
Deploying clients with a push-based configuration
Management Suite also supports a scheduled, push-based configuration method. In the case of a Windows NT/2000/2003/XP client, the push-based method does not require CBA to be already present on the client. To enable a push-based configuration of Windows NT/2000/2003/XP clients not already running CBA, the Management Suite Scheduler service that runs on the core server must be set up as follows: 1. In the console, click Configure | Services, then click the Scheduler tab. 2. Click Change login. 3. In the Username and Password fields, specify a domain administrator account (in the format domain\username). 4. Stop and restart the Scheduler service. 5. Schedule the configurations. You can specify the domain administrator when configuring Windows NT/2000/2003/XP members that belong to the same domain as the core server. To configure Windows NT/2000/2003/XP clients in other domains, you must set up trust relationships. Remember that the account identified in step 3 above is also the account under which the Scheduler service will run on the core server. Make sure the account has the Log on as a service right. For Windows XP, "Simple file sharing" must be disabled on the client. You can turn off this option by selecting a share and clicking Tools | Folder Options. If a push configuration of a Windows NT/2000/2003/XP client fails and displays a message that says "Cannot Find Agent," try the steps listed below to identify the problem. These steps mimic the Scheduler's actions during a push configuration. 1. Find the username under which the Intel Scheduler service is running. 2. On the core server, log in with the username you found in step 1. 3. Map a drive to \\client name\C$. (This step is the one most likely to fail. It may fail for two reasons. Most likely, you don't have administrative rights to the client. If you do have administrative rights, it is possible that the client's administrative share (C$) is disabled.) 4. Create a directory \\client name\C$\$ldtemp$ and copy a file into it. 5. Use the Windows NT/2000/2003/XP Service Manager and try starting and stopping services on the client.
27
INSTALLATION AND DEPLOYMENT GUIDE
Deploying clients with a login script
Though the login script-based configuration is usually the method of choice for Windows 95/98 clients, this method is often impractical for Windows NT/2000/2003/XP clients, because it requires end users to have administrative rights to their computers. In most companies, end users do not have such rights. If you want to deploy clients by using a client deployment service center and login scripts, see "Phase 4: Deploying the primary agents to clients."
Congratulations!
You've completed the rapid deployment of Management Suite. For help using this application, consult the LANDesk Management Suite User's Guide or online help. If you want to roll out Management Suite to a larger management domain than this rapid deployment model can handle, see "Phase 2: Preparing your databases" later in this guide.
28
Phase 1: Designing your management domain
In phase 1, you gather information about your network infrastructure and make decisions that help you customize your management domain. In this phase you'll learn about: • • • • • • • • • • Gathering network information Selecting your core server and console Selecting a database Selecting service centers Planning your security and organization model Select components to implement Functionality available by client OS System requirements Supported router configurations Upgrading to LANDesk Management Suite 8
29
INSTALLATION AND DEPLOYMENT GUIDE
Gathering network information
Identify and collect all critical information about your network as it relates to Management Suite. Specifically, you need to: • • • • • • • • Determine the number of sites Estimate the number of clients at each location Select your core server and consoles Plan placement of program files Select a database Select service centers Determine the number of domains Understand the functionality available by client OS
Determining number of sites
First, identify all site locations where you want to deploy Management Suite. You'll use this information to determine the size and reach of each management domain, as well as the placement of core servers, service centers, and database servers. To get this information, refer to your corporate WAN or LAN topology charts and server configuration charts.
Estimating number of clients at each location
You need to identify how many clients per site will be managed by Management Suite and gather preliminary information about those clients. The number of clients is equivalent to the number of desktop computers, laptops, servers, and handheld devices. You'll use this information to determine domain size, select a database, and compare with the Management Suite system requirements. The more information you can gather about the type of clients you'll manage, the better you can plan. Even rough estimates can help.
Determining server configurations
Gather configuration information on each server that you plan to manage. You'll use this information later in the domain design process to help determine if the servers you've selected meet the system requirements for a core server, database server, and service center. Identify this information for each server that will be managed by Management Suite: • • • • • Type of processor Network operating system version, plus applied service packs or patches Approximate available disk space Hard disk type (for example, ultra-wide SCSI, disk arrays, and so on) RAM
30
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
Selecting your core server and consoles
The core server is the center of a management domain. All the key Management Suite files and services are contained on the core server. A management domain can have only one core server. Console computers run the main Management Suite console where you conduct management activities such as taking remote control of a client, querying the core database, or distributing a software package. Refer to the "Overview of rapid deployment" section earlier in this guide for more information about the core server and consoles. Consoles and management domains Although a management domain can have only one core server, it can have as many as 25 consoles. This limit isn't hardcoded, but it's the largest configuration characterized in Management Suite. A larger number of consoles may be reasonable in some environments, based on core server and database server hardware capability. Make sure that the computers you select for your core server and consoles meet the system requirements. Refer to system requirements later in this phase.
Planning placement of program files
During installation, you can specify where you want to install the Management Suite program files. Accept the default destination directories unless you have compelling reasons to change them. The default destination directory for core servers and consoles is: C:\Program Files\LANDesk\ManagementSuite
Selecting a database
Management Suite 6.6 and later replaces the old Access default database with the Microsoft SQL Server Data Engine 2000 (MSDE) database. The new MSDE database can handle more clients and doesn't have many of the performance limitations the Access database had. Each MSDE database has a 2 GB database size limit. The number of clients this database supports depends on your network's inventory scan file size. In larger environments with many management consoles, you should use the supported Microsoft SQL or Oracle8i* databases to keep Management Suite performing optimally. In these larger environments, the MSDE database won't perform as well as a true enterprise-level database.
31
INSTALLATION AND DEPLOYMENT GUIDE
You'll likely see performance issues with MSDE when the database has more than five concurrent things to do. If you want to use MSDE, consider how often you might have more than five people accessing the database at exactly the same time. If it's likely more than five people will be accessing the database, what will those people be doing? For example, if they're all running software-related queries against the core database, use SQL Server or Oracle, since software-related queries can take a while to complete because of the amount of data involved. If they're all querying the core database for a set of clients with a certain hard drive size, you can probably stay with MSDE, since that type of query usually takes less than a second to complete. If you want or need to use your own database, you can select either: • • • Microsoft SQL Server 2000 SP 3 Oracle8i* (8.1.7) Oracle9i*
For detailed information about databases, refer to "Phase 2: Preparing your databases" later in this guide.
Selecting service centers
Use client deployment service centers to off-load the demands on the core server. Each service center helps distribute the work throughout the network. Client deployment service centers provide login services to configure clients. Install the client deployment service center on a Windows NT/2000/2003 PDC, BDC, Domain Controller, NetWare NDS* server, or NetWare bindery server to configure clients.
Determining number of management domains
Before you determine whether you need more than one domain, you need to understand the particulars of having multiple management domains. A single management domain has been tested to support as many as 10,000 clients. However, the number of clients isn't the only factor to consider when determining whether you need more than one management domain. If you have sites separated by slow WAN links, for example, you may want to have a core server near those clients. You can use the Web console and a rollup core to manage multiple core servers and their clients. Creating multiple management domains If you're creating multiple management domains, we recommend that you successfully complete the installation and deployment of one management domain before creating another.
32
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
Planning your security and organization model
LANDesk Management Suite 8 introduces a new security model. Clients now authenticate to their authorized core server before communicating with the core, and role-based administration allows Management Suite administrators to control the rights Management Suite console users have and which clients they can work with (scope). You should decide how you want to handle security before deploying Management Suite, because changing security and scopes requires you to redeploy client agents or security certificates.
Planning your core server structure
Management Suite 8 uses a certificate-based authentication system. During the core installation, Setup creates a certificate for that core. Clients look for that certificate when communicating with the core, and clients won't communicate with a core they don't have a certificate for. You can include certificates from multiple core servers in your client configurations if you want clients to be manageable from multiple cores.
Planning a scope
Role-based administration is a powerful new feature with Management Suite 8. Access the role-based administration tools in the console by clicking Users in the Tools menu or on the Toolbox. You must be logged in with administrative rights. Role-based administration provides advanced network management capability by letting you add users to your Management Suite system and assign those users rights and a scope. Rights determine the tools and features a user can see and use (see "Understanding rights" in chapter 1 of the User's Guide). Scope determines the range of devices a user can see and manage (see "Creating scopes" in chapter 1 of the User's Guide). You can create roles based on users' responsibilities, the management tasks you want them to perform, and the devices you want them to see, access, and manage. Access to devices can be restricted to a geographic location such as a country, region, state, city, or even a single office or department. For example, you can have one or more users in charge of software distribution, another user responsible for remote control operations, another user who runs reports, and so on. To implement and enforce this type of role-based administration across your network, simply set up current users, or create and add new users as Management Suite users, and then assign the necessary rights (to Management Suite features) and scope (to managed devices).
33
INSTALLATION AND DEPLOYMENT GUIDE
The core server uses scopes to limit the clients that console users can see. Only one scope can be assigned to a User, but the same scope can be used by multiple users. You can base scopes on one of these methods: • • • • • Default All Machines Scope: The assigned default scope for all users allows them to see all clients on the network. Default No Machines Scope: Users are unable to see any clients on the network. Based on a Query: Users can see the clients that fit the selected criteria of a specific query assigned to them by the Administrator. Based on LDAP or custom directory: Users can see the clients from the selected level down within a LDAP or customer directory. The scope page in the Client Setup wizard: If you don't have an LDAPcompliant directory or you want to categorize clients differently, enter a scope on this scope page. This scope page provides a convenient field you can deploy via Client Setup configurations and do queries on.
The inventory scanner on each client reports that client's scope in a "location" database field. If you entered a scope in that client's Client Setup configuration, that's the scope the scanner returns. If you left the scope blank in that client's Client Setup configuration, the scanner tries to populate the scope from an LDAP-compliant directory. If the scope isn't available from the Client Setup configuration or an LDAPcompliant directory, the location field will be blank. You can still assign scopes for clients with a blank location field, but you'll have to do it through queries. The Client Setup wizard scope page uses a path format that's similar to a file path, but with forward slashes as separators. When deciding on a scope, decide how you want to categorize your clients for management. You might do it by geography or by organization. Console users can manage clients belonging to multiple scopes through query-based scopes. For more information on scopes, see chapter 1 in the User's Guide.
Configuring Windows 9x/NT clients for LDAP scopes
In order for clients to be part of a scope that is targeted through Active Directory or NetWare Directory Services, they have to be configured to log in to the directory. This means that they need to have all the correct client software installed, and they need to actually log in to the correct directory so that their fully distinguished name will match the name that was targeted through Management Suite's Directory Manager. Windows 9x/NT doesn't ship with Active Directory support. You must install Active Directory support on clients that log in to a directory. More information on installing Active Directory client support is available here: http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextensi on.asp
34
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
Understanding certificates
With Management Suite 8, the certificate based authentication model has been simplified. Client agents still authenticate to authorized core servers, preventing unauthorized cores from accessing clients. However, Management Suite 8 doesn't require a separate certificate authority to manage certificates for the core, console and each client. Instead, each core server has a unique certificate and private key that Management Suite Setup creates when you first install the core or rollup core server. Clients will only communicate with core and rollup core servers that the client has a matching trusted certificate file for. Each core server has its own certificate and private keys, and by default, the client agents you deploy from each core server will only talk to the core server from which the client software is deployed. However, you can configure clients to talk to multiple cores. If you will have multiple core servers or a rollup core on your network, make sure you read "Client agent security and trusted certificates" in chapter 2 of the User's Guide.
Using a rollup core database
A rollup core database summarizes data from multiple core servers and doesn't have the 10,000 client limit that a core database has. The rollup core database allows you to use the Web console to do the following across core servers: • • • • Remote control Inventory queries Reports Software distribution
The rollup core database should be on a separate server from the core and requires a supported Microsoft SQL or Oracle database. Before installing a rollup core from Management Suite Setup, you need to install and configure the rollup database. Once you've installed your core servers and the rollup core, you can configure periodic data rollups from the core databases to the rollup core database.
35
INSTALLATION AND DEPLOYMENT GUIDE
Selecting components to implement
Use this table to identify the types of components you want to implement. Component type Remote control Description Decision criteria
Lets you take control of a client from Provide remote management of across the network. Minimizes the computers across the LAN/WAN. time it takes to resolve customer issues from a centralized help desk. Gathers software and hardware information for clients that you can view through database queries. Monitors and reports on application license usage and denied applications. Doesn't limit access to applications. Automates the process of installing software applications or distributing files to clients. Allows clients to receive multicast software distributions. Record detailed inventory information about all clients. Provide reports on all software and hardware. Track installed software and software usage.
Inventory scanner
Software monitoring
Enhanced software distribution
Install applications simultaneously to multiple clients. Update files or drivers for multiple clients. Install applications simultaneously to multiple clients. Update files or drivers for multiple clients. Reduce consumed network bandwidth. Protect critical or commonly-used applications on clients. Manage groups of clients that have common software needs.
Targeted Multicasting
Application healing Application policy management Custom data forms
Automatically keeps configured applications running on clients. Automatically installs a set of applications on groups of clients.
Presents a form to users for them to Retrieve customized information complete. You can query the from users directly. database for the data that users enter. Enables bandwidth detection Detect remote clients or clients between clients and the core server. that connect to the network via a You can limit Management Suite slow link. actions such as Software Distribution based on available bandwidth.
Bandwidth detection
36
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
Local scheduler
Enables Management Suite to launch client tasks based on a time of day or bandwidth availability. For example, you can use the Local Scheduler to allow mobile client package distribution only when those clients are on the WAN.
You have computers that may not always be on the network or may connect to the network via a dialup connection.
Common Base Agent (CBA)
The base client agent that enables client discovery, alert reporting, and other basic features. Required by many other agents.
Most clients need CBA. Many agents in this table require CBA to work.
Task completion
Checks with the core server to see if You have mobile or other users there are any scheduled jobs the who aren't always connected to client needs to run. the network and tend to miss scheduled jobs.
37
INSTALLATION AND DEPLOYMENT GUIDE
Functionality available by client OS
This table identifies the supported operating systems and available features. Supported Windows Mac OS 8, 9.2.2 No No Mac OS X 10.2.x, 10.3.x No Yes NetWare 5.1, 6.0 RedHat 7.3, 8.0, 9.0 No No Supported UNIX
Application healing Application policy management Bandwidth detection Common Base Agent Custom data forms Enhanced software distribution Inventory scanner Local scheduler Migration tasks Remote control Software monitoring Targeted Multicasting Task completion
Yes Yes
No No
No No
Yes Yes Yes Yes
No No No No
No No No Yes
No No No No
No No No No
No No No No
Yes Yes Yes Yes Yes Yes Yes
Yes No No Yes No No No
Yes No No Yes Yes Yes No
Yes No No Yes No No No
Yes No No No No No No
Yes No No No No No No
In addition, Management Suite supports these directory services: • • • Microsoft Active Directory* Novell eDirectory* Novell NDS
38
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
Compatibility with previous versions of Management Suite
Management Suite 8 consoles can communicate with clients running Management Suite 6.62 and later. With older clients, you won't have access to the new Management Suite 8 features. However, beginning with Management Suite 8, the Management Suite 8 client agents authenticate to authorized core servers, preventing unauthorized cores/consoles from accessing Management Suite 8 clients. Each core server has a unique certificate that Management Suite Setup creates when you first install the core. The Client Setup: Authentication dialog lets you pick the core server trusted certificates you want clients to accept. For more information on certificates and security, see the next section and chapter 2, "Configuring clients" in the User's Guide.
39
INSTALLATION AND DEPLOYMENT GUIDE
System requirements
Make sure that you meet the following system requirements before you install Management Suite.
Core and database servers
Make sure that all of your core and database servers meet these requirements: • • • • • • • • Windows 2000 Server or Advanced Server with SP 4 Windows Server 2003 Standard or Enterprise edition Microsoft Data Access Components (MDAC) 2.8 Microsoft .NET Framework 1.1 Internet Explorer 5.5 or 6.x Microsoft NT File System (NTFS) The Windows 2000 server you use for your core server must be installed as a standalone server, not as a primary domain controller (PDC), backup domain controller (BDC), or Active Directory controller. The servers should be dedicated to hosting Management Suite
Core server requirements The Windows 2000 pagefile should be at least 12 + N (where N is the number of megabytes of RAM on the core server. Otherwise, Management Suite applications may generate memory errors.
All Management Suite services hosted on one server (1-1,000 clients)
For Management Suite management domains with 1,000 clients or fewer, you can install the core server, console, Web console server, and the core database on one server. For these networks, you may want to consider using the default Microsoft MSDE database, which is generally easier to maintain. Limitation considerations Your server should at least meet these system requirements before you install Management Suite in a 1-1,000 client configuration: • • • Pentium 4 processor 4 GB of free disk space on 10K RPM or faster drives 768 MB+ of RAM
40
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
Management Suite services hosted on one server (1,000-3,000 clients)
If your Management Suite management domain consists of 1,000-3,000 clients, you can still use one server. Your servers should at least meet the following system requirements before you install Management Suite: Management Suite core server and Web console software on one server • • • • Dual Pentium III 1000 MHz or faster processors 6 GB of free disk space on 15K RPM or faster drives 1 GB or more of RAM One fast, full-duplex 100 Mb network interface card
Multi-server configuration (3,000-6,000 clients)
If your Management Suite management domain consists of 3,000-6,000 clients, you can still use one server. we recommend that you divide your Management Suite components between two servers for improved database performance. Your servers should at least meet the following system requirements before you install Management Suite: Management Suite core server and Web console software on one server • • • • Dual Pentium III 1000 MHz or faster processors 6 GB of free disk space on 15K RPM or faster drives (mirrored) 1 GB or more of RAM One fast, full-duplex 100 Mb network interface card
Core database on a second server • • • • • • Dual Pentium III 1000 MHz or faster processors 2 GB or more of RAM Supported database Two ultra-wide I20 controllers with RAID 5 20 GB of free space on SCSI drives with a rotational rate of 15K RPM or faster Two full-duplex 100+ MB network interface cards in teaming mode
41
INSTALLATION AND DEPLOYMENT GUIDE
Multi-server configuration (6,000-10,000 clients)
For optimum performance, we recommend that you install Management Suite on at least two separate servers for management domains with between 6,000 and 10,000 clients. Your servers should at least meet the following system requirements before you install Management Suite: Management Suite core server and Web console software on one server • • • • Dual Pentium III 1000 MHz or faster processors 6 GB of free disk space on 15K RPM or faster drives (mirrored) 1 GB or more of RAM One fast, full-duplex 100 Mb network interface card
Core database on a second server • • • • • • Quad Pentium Xeon* 1000 MHz or faster processors 2 GB or more of RAM Supported database Two ultra-wide I20 controllers with RAID 5 20 GB of free space on SCSI drives with a rotational rate of 15K RPM or faster Two full-duplex 100+ MB network interface cards in teaming mode
Service center requirements
These server requirements are for Management Suite service centers. Windows NT/2000/2003 Server • • • • Dual Pentium II processors (dual Pentium III or Pentium 4 processors recommended) 16 MB of free disk space 256-512 MB of RAM Network interface card
PDCs and Windows NT/2000 Client Deployment service centers If you're installing a Client Deployment service on a Windows NT/2000 server, you should install to a Primary Domain Controller (PDC), Backup Domain Controller (BDC), or Windows 2000 Domain Controller. Only the PDC, BDC, or Domain Controller can run the domain-level logon scripts that are created by a Windows NT/2000 Client Deployment service center.
42
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
NetWare • • • • • • • Pentium II processor (Pentium III recommended) 16 MB of free disk space 64 MB of RAM TCP/IP or IPX* protocol stack. The service center and the core server both must use the same protocol in order to communicate with one another. SNMP servers aren't supported, except for the SNMP trap functionality within the Server Management component Network interface card NetWare 5.1 or 6.0
Console
• • • • • • • • Windows XP Professional with SP 1 Windows Server 2003 Standard Edition and Enterprise Edition Windows 2000 Professional, Server, and Advanced Server with SP 4 Pentium III processor (Pentium 4 processor recommended) 256 MB of RAM 180 MB of free disk space Internet Explorer 5.5 or 6.x Novell Client 32* is required to browse a Novell NDS environment
Client computers
Management Suite supports these client operating systems (not all operating systems are supported equally): • • • • • • • • • • • • • Windows XP Professional with SP 1 Windows Server 2003 Standard Edition and Enterprise Edition Windows 2000 Professional, Server, and Advanced Server with SP 4 Microsoft Windows NT 4 Workstation with SP 6a Windows Server 2003 Windows 95B (requires Winsock2) and 98SE NetWare 5.1 and 6.0 Mac OS 8, 9.2.2, 10.2.x, and 10.3.x Red Hat Linux 7.3, 8.0, and 9.0 UNIX IBM (AIX 5.1) UNIX Intel Architecture (Solaris 8) UNIX Hewlett Packard (HP-UX 11.0) UNIX Sun Sparc (Solaris 8)
Dial-up support
• • Modems down to 28.8 where applicable RAS connections
43
INSTALLATION AND DEPLOYMENT GUIDE
Supported router configurations
This section documents the various ports Management Suite components use. In some cases we list where you can change the port. You should use the default ports unless you have a compelling reason to change them. Remote Control TCP 1761-1762, console to client. Inventory TCP 5007, client to core server. Multicast UDP 33354, client and core server to subnet representative. TCP 33354, core server to subnet representative. UDP 33355, subnet representative to client. This is the actual multicast-based communication within the subnet. There is no need to open this port on routers. PDS2 UDP 9595, all clients to all clients. This port must be open for communication in both directions. Management Suite versions prior to 8 used PDS on UDP port 38293. CBA 8 TCP 9594, all clients to all clients. This port must be open for communication in both directions. Management Suite versions prior to 8 used MSGSYS on TCP port 38292. TCP remote execute TCP 12174, core server to clients. Change this port from the console, Configure | Services | Custom Jobs | Remote Execute Port. On clients, change this key to match the port on the core server: HKLM\Software\Intel\LANDesk\Xfer\RmtExePort
44
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
QIP services TCP 12175, client to core server. For clients, change this port in the Client Setup wizards Client Status TCP Port page. For the core server, change the port at: HKLM\Software\Intel\LANDesk\LDWM\QIPSrvr\TCPPort. Application Policy Management and Task Completion TCP 12176, client to core server. Wake On LAN UDP 0, core to client. Wake On LAN packets are sent as subnet-directed broadcasts. Using port 0 ensures that no clients IP stack will process the packet. To allow Wake On LAN packets to cross routers, configure the routers to allow subnet directed broadcasts. You may also need to change the port. Any port will work for the client. Because Wake On LAN packets are recognized by the network adapter hardware, no configuration is needed on the client side. LANDesk System Manager and LANDesk Server Manager LANDesk System Manager and LANDesk Server Manager use port 9535 for remote control. They also use port 9595 for broadcast discovery. IPMI discovery requires port 623. Important non-Management Suite ports Microsoft SQL Server, TCP 1433, console/core to SQL server. NetBIOS over TCP, TCP 139. This port is used by the console's network view for pushing client configurations, for UNC-based software distributions, and so on. SMB over TCP, TCP 445 (Windows 2000 only).
45
INSTALLATION AND DEPLOYMENT GUIDE
Upgrading to LANDesk Management Suite 8
This section provides detailed information and step-by-step instructions for upgrading to LANDesk Management Suite 8. You can upgrade to Management Suite 8 from the previous versions 6.62 and 7.0. You can directly install Management Suite 8.1 over Management Suite 8 on both the core server and clients. You don't need to uninstall Management Suite 8 first. Read this section to learn about: • • • • • • Before you begin Upgrade tools Upgrade methods Upgrade procedures Understanding component upgrade/migration Migration at a glance
Before you begin
Upgrading to Management Suite 8 can be a complex process that requires careful planning. You should already be familiar with fundamental Management Suite concepts and deployment considerations covered thoroughly in this guide, though you may want to review some of the planning overview sections. We recommend that you read this section in its entirety before performing an upgrade installation of Management Suite 8. An upgrade installation uses custom tools that automate most of the upgrade process (see "Upgrade tools"). However, there are some core server settings and files that need to be moved manually (saved or exported, and then imported) from the old environment to the new one. In the case of an in-place upgrade, these settings and files must be copied before beginning the upgrade/migration process. Note that clients should be reconfigured with the Management Suite 8 agents as soon as possible after upgrading the core server and database to Management Suite 8 in order to take advantage of improved security and other enhanced features. For more information on the new authentication and security model, see chapter 2, "Configuring clients" in the User's Guide. Also, if your clients are currently running LANDesk Software Metering, you should remove this program (with the predefined Uninstall Metering Client script located in the Manage Scripts tool) before upgrading or soon after in order to avoid memory problems on the clients.
46
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
Assumptions
You need to consider a number of issues before performing a Management Suite upgrade: • • • All core servers and databases should be backed up or imaged prior to upgrading any LANDesk software. Due to the new security model of Management Suite 8, once a client has been upgraded to the Management Suite 8 agents, it cannot be remote controlled by older version core servers. Several add-on tools and enhancements exist that can be used in conjunction with Management Suite, including some tools developed by third-party vendors. The upgrade/migration process documented in this guide does not take these tools into consideration. Upgrading assumes a working knowledge of Management Suite.
•
Upgrade tools
The Management Suite migration process relies on the following executables that are included on your LANDesk Management Suite CD.
LANDesk Management Suite Setup
The Management Suite Setup program launches the normal installation process and prompts the administrator for necessary network and configuration information. Setup also automatically calls the tools that implement the migration process, MIGRATECORE.EXE and DBUPGRADE.EXE.
MIGRATECORE.EXE
This tool gathers and restores core server files and settings.
DBUPGRADE.EXE
This tool transfers most of the data stored on a previous core database to a new Management Suite 8 core database. For component-specific details, see "Understanding component upgrade/migration" later in this phase. Note: The database upgrade tool can also be manually executed as a stand-alone process in order to migrate data from a previous core database to a Management Suite 8 core database. In order for this type of migration to work properly, the Management Suite 8 core database must be empty. To ensure an empty database, run COREDBUTIL.EXE (in the LANDesk\ManagementSuite directory) and select Reset database.
47
INSTALLATION AND DEPLOYMENT GUIDE
Software License Monitoring Export and Import Tools
This export tool exports all of the Software License Monitoring data from a Management Suite 7.0 core server to an .XML file that can then be imported with the import tool. Both of these tools appear on the Software License Monitoring toolbar.
Upgrade methods
There are two methods to upgrade to Management Suite 8: • In-place upgrade: Upgrades an existing core server and database as a new Management Suite 8 core server (preserving the core's settings), with the option of also migrating existing data from a previous core database. Note that if you are doing an in-place upgrade, LANDesk recommends that you do NOT upgrade the OS of the core server. Side-by-side upgrade: Installs a new Management Suite 8 core server and database, with the option of migrating settings from a previous core server, and the option of also migrating data from a previous core database. Use the side-by-side method if you want to upgrade the hardware or OS of the core server.
•
Upgrade procedures
Follow the procedures below for the upgrade method you've chosen.
In-place upgrade
To perform an in-place upgrade On an existing core server: 1. Insert the LANDesk Management Suite CD into the server's CD-ROM drive or run AUTORUN.EXE from your installation image. 2. Click Verify Core System Requirements to run the system requirements checker. Make sure all requirements pass. 3. Click Install LANDesk Management Suite to run the Setup program. 4. Select the language you want to install, and click OK. 5. Setup detects an existing installation of Management Suite and prompts whether you want to continue or exit. Click Ignore to have Setup continue with the migration process. 6. The MIGRATECORE.EXE tool runs (with the /gather parameter) and gathers core server files and settings. 7. Uninstall runs automatically and removes the previous version of Management Suite. Status messages provide information about the processes as they run. 8. Setup now runs the Management Suite 8 installation. At the Management Suite Welcome page, click Next. 9. Click Yes to accept the license agreement. 10. Accept the default destination location by clicking Next.
48
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
11. Accept the default selected features by clicking Next. 12. Select Create New Database to install the default MSDE database, or select User-supplied Database to install a different database (such as Oracle or SQL 2000), and then click Next. (For more information on database installation and maintenance, see "Phase 2: Preparing your databases.") 13. Enter a database password, and then click Next. 14. If you selected to install OS Deployment and Profile Migration, specify a location for the required Windows NT 4 files, and then click Next. 15. If you selected to install OS Deployment and Profile Migration, specify a location for the required Windows 98 files, and then click Next. 16. Enter an organization and certificate name, and then click Next. 17. Review the summary page, and then click Next to start copying files. The Setup Status page provides information on the various processes as they run. 18. When the file copy process is complete, the MIGRATECORE.EXE tool runs again (this time with the /restore parameter) and restores the gathered files and settings from the previous core server to the new Management Suite 8 core server. 19. The DBUPGRADE.EXE tool runs and opens the Database Upgrade Settings dialog. 20. In the Database Upgrade Settings dialog, enter the data source name, logon name and password, and the core server where you want the data migrated. Data is exported from the database identified by the data source name (DSN) and imported to the new Management Suite 8 core database. (If you are installing on a new core, you need to create a DSN to the old database. Click New DSN to open the ODBC Data Source Administrator dialog. This dialog includes its own online Help, or you can refer to your previous Management Suite's Installation and Deployment Guide for information on setting up DSNs.) 21. Click Start. 22. When the data migration is finished, the Setup is Complete page appears. 23. Click Finish to complete Setup. Restart the computer to finish Setup and load the Management Suite services. You'll notice after you reboot and log in that Setup will run for a few more minutes while it finishes the installation.
49
INSTALLATION AND DEPLOYMENT GUIDE
Side-by-side upgrade
To perform a side-by-side upgrade On a server that meets the Management Suite core server requirements (see System requirements above): 1. Insert the LANDesk Management Suite CD into the server's CD-ROM drive or run AUTORUN.EXE from your installation image. 2. Click Verify Core System Requirements to run the system requirements checker. Make sure all requirements pass. 3. Click Install LANDesk Management Suite to run the Setup program. 4. Select the language you want Setup to install, and click OK. 5. At the Management Suite Welcome page, click Next. 6. Click Yes to accept the license agreement. 7. Accept the default destination location by clicking Next. 8. Accept the default selected features by clicking Next. 9. Select Create New Database to install the default MSDE database, or select User-supplied Database to install a different database (such as Oracle or SQL 2000), and then click Next. (For more information on database installation and maintenance, see "Phase 2: Preparing your databases.") 10. Enter an MSDE database password, and then click Next. 11. If you selected to install OS Deployment and Profile Migration, specify a location for the required Windows NT 4 files, and then click Next. 12. If you selected to install OS Deployment and Profile Migration, specify a location for the required Windows 98 files, and then click Next. 13. Enter an organization and certificate name, and then click Next. 14. Review the summary page, and then click Next to start copying files. The Setup Status page provides information on the various processes as they run. 15. When the file copy process is complete, check the Migrate settings... option, and then click Finish. 16. The MIGRATECORE.EXE tool runs and opens the Migration dialog. In the Migration dialog, fill in the following fields: • Capture data from: • Core name: Check the box and enter the name of the core server whose data you want to migrate. • Web console path: If you want to migrate Web console data, check the box and enter the UNC path, or browse, to the remote folder for the Web console (default location is: C:\Inetpub\wwwroot\remote). This folder must be shared. • Select the intermediate file location: Enter or browse to the location where you want the captured data saved. The default location is the local hard drive. • Restore data to: • Core name: Make sure the box is checked and that the new Management Suite 8 core server name is correct. This should be the name of the server where you are currently running the upgrade installation. • Transfer data to specified core: Check the box to automatically launch the database upgrade tool after the server data saved in the file location specified above is migrated to the new core server.
50
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
18. Click OK. 19. The DBUPGRADE.EXE tool runs and opens the Database Upgrade Settings dialog. 20. In the Database Upgrade Settings dialog, enter the data source name, logon name and password, and the core server where you want the data migrated. Data is exported from the database identified by the data source name (DSN) and imported to the new Management Suite 8 core database. (If you are installing on a new core, you need to create a DSN to the old database. Click New DSN to open the ODBC Data Source Administrator dialog. This dialog includes its own online Help, or you can refer to your previous Management Suite's Installation and Deployment Guide for information on setting up DSNs.) 21. Click Start. 22. When the data migration is finished, the Setup is Complete page appears. 23. Click Finish to complete Setup. Restart the computer to finish Setup and load the Management Suite services. You'll notice after you reboot and log in that Setup will run for a few more minutes while it finishes the installation.
51
INSTALLATION AND DEPLOYMENT GUIDE
Upgrade/migration diagram
52
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
Understanding component upgrade/migration
This section looks at the files, settings, and registry keys associated with the Management Suite components. Much of this data is migrated as part of the new Management Suite 8 upgrade installation. However, some of the data is not migrated because of compatibility issues with the new replacement features and functionality. Read about each component below for details.
Client configuration
Client configuration data Client configuration data is not migrated because the previous versions of the LANDesk agents are not compatible with Management Suite 8. An administrator must reconfigure clients with new Management Suite 8 agents via the Client Setup wizard in the console. For more information, see the "Deploying the primary agents to clients" chapter in the Installation and Deployment Guide, as well as the "Configuring clients" chapter in the User's Guide. XXSTACFG.INI files These files are not migrated because of incompatibility with new functionality.
Inventory
Alias files Alias files and their contents are migrated to the Public Devices group in the new console's network view. LDAPPL3.INI template file The template file is not migrated during the upgrade/migration process. However, if the template file has been modified, and you want to maintain those custom changes, it can be manually copied into the LDLogon directory of the new Management Suite 8 core server. Saved and stored queries Saved queries (.QRY files saved on the core server) are moved into the LegacyQueryFiles directory on the new core server (under LANDesk\ManagementSuite). To import these saved queries into your new console, right-click either the Public Queries or My Queries group, click Import, and navigate to the directory where the queries are saved. Stored queries (queries stored in the core database) are migrated as part of the database migration and appear in the Public Queries group in the network view. Database groups Database groups are migrated into the new Management Suite console. Scheduled tasks Scheduled tasks are migrated into the new Management Suite console. Local Scheduler static settings Scheduler settings are saved in the client registry. When a client is configured with a new Management Suite 8 client setup configuration package, Scheduler settings remain in place and function as normal.
53
INSTALLATION AND DEPLOYMENT GUIDE
Custom data forms Custom data forms are migrated into the new Management Suite console.
Software Distribution
Custjob scripts Software distribution scripts (CustJob scripts), and other custom scripts, that are stored in the Scripts directory are migrated as part of the upgrade/migration. Note that scripts containing references to the old core server must be modified/updated so that they reference the new Management Suite 8 core server. You can do this by simply opening a script in its script wizard (in the new console) and proceeding through the wizard. Software distribution log files Software distribution log files are stored in the Logs directory on the old core server. These files are not automatically migrated. However, you can manually copy log files to the new Management Suite 8 core server if you want to preserve this information. APM data Application Policy Management (APM) data is migrated to the new core server as part of the upgrade process. Database queries Database queries are "stored" in the database. Stored queries are migrated as part of the database migration and appear in the Public Queries group in the network view. APM LDAP queries The settings from the Directory Manager tool (including LDAP directory connections) are migrated to the new core server along with any queries. Application Healing ARL files and packages Application Repair Lists (ARL files) are migrated. Application Healing files are moved, along with any executables found in the [PKG] section of the ARL files. Executables are placed in the same directory as the ARL file. The administrator is responsible for editing the ARLs with the new location of the package executables. The Application Healing packages are not included in the LDMSDATA.DAT file, but are copied to the \\Program Files\LANDesk\ManagementSuite\LDLogon\packages directory. If the Application Healing packages location is a URL, the file is not copied but the URL address remains in the ARL file. Multicast Domain Representatives Multicast Domain Representatives are represented by Alias files (.STA) in previous versions of Management Suite and are migrated as part of the upgrade process. (Note that this happens as part of the Alias file migration mentioned earlier.)
Software License Monitoring
Aliases Aliases are part of the Software Configuration data and are not migrated. Before upgrading, an administrator should export this data from the Software Configuration window by using the Export tool. This data can then be imported into the Management Suite 8 Software License Monitoring window in the new console.
54
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
Software license data License data is part of the Software Configuration data and is not migrated. An administrator should export this data from the Software Configuration console by using the Export tool in the Software Configuration console before upgrading. This data can then be imported the Management Suite 8 Software License Monitoring window in the new console. Application usage data Application usage data is part of the inventory data and is migrated with the database. Client registry settings Client registry settings remain intact in the registry of the client when upgrading.
OS Deployment and Profile Migration
OSD/PM scripts OS deployment and profile migration scripts are migrated to the All OSD/Profile Migration Scripts group in the Manage Scripts tool in the new console. Note that even though scripts are migrated, you need to reset them to the new core server by "editing" them in the script wizard (right-click the script and select Edit, click Next until the last page of the wizard, and then click Finish). DOS boot menu The DOS boot menu is migrated during the upgrade process. However, in order for PXE clients to see the menu when they boot, you must click the Update button in the new console's PXE Boot Menu toolbar before booting the PXE clients. PXE proxies PXE proxies (or PXE representatives) must be updated when you upgrade to Management Suite 8. Inventory data identifies a client as a PXE proxy and is migrated as part of the database migration. However, after upgrading the core server to Management Suite 8, you must redeploy the PXE Representative script on all of your PXE proxies in order for them to communicate with the new core server. SYSPREP.INF files SYSPREP.INF files are part of the OS deployment component and are migrated to the new core server along with OSD scripts. Profile migration collections Collections are migrated. Profile migration file rules File rules are migrated. User-initiated profile migration packages Profile migration packages are migrated.
Web console
Custom queries Custom queries in the Web console are not migrated. They are stored in the database so you must manually export the queries as .XML files, and then import them.
55
INSTALLATION AND DEPLOYMENT GUIDE
Migration at a glance
The following table provides a quick reference of Management Suite components and whether they are migrated by the migration tools. Component Client configuration Client configuration data XXSTACFG.INI files Inventory Alias files LDAPPL3 template file Saved queries (.QRY) Stored queries Database groups Scheduled tasks Custom data forms Custom application information Software Distribution Custjob scripts Log files APM data APM database queries APM LDAP queries ARL files and packages Multicast Domain Representatives Migrated Not migrated, but can be copied to the new core server Migrated Migrated to the Public Queries group Migrated Migrated Migrated Migrated to the Public Devices group Not migrated, but can be copied to the new core server Moved to the LegacyQueryFiles directory, can then be imported Migrated to the Public Queries group Migrated Migrated Migrated Migrated Not migrated Not migrated Migration status
56
PHASE 1: DESIGNING YOUR MANAGEMENT DOMAIN
Software License Monitoring Aliases Licensing data Product groups Licenses Files Denied applications Not migrated, but can be exported/imported (*1) Not migrated, but can be exported/imported (*1) Not migrated, but can be exported/imported (*1) Not migrated, but can be exported/imported (*1) Not migrated, but can be exported/imported (*1) Not migrated, but can be exported/imported (*1)
OS Deployment and Profile Migration OSD/PM scripts Profile data DOS boot menu PXE proxies SYSPREP.INF files Collections File rules Migrated, must be reset to the new core server Migrated Migrated Migrated, must be updated (*2) Migrated Migrated Migrated
User-initiated PM packages Migrated Web console Custom queries Not migrated, but can be saved as .XML and imported
Footnotes: 1. Software License Monitoring data must be exported (from the SLM toolbar) to an .XML file, copied to the new core server, and then imported into the new console. 2. PXE proxy data is migrated with the database; however, the Deploy PXE Representative script must also be redeployed on all PXE proxies in order to update the proxies to the new core server.
57
Phase 2: Preparing your databases
This phase focuses on preparing the core and core rollup databases. In phase 2, you'll learn about: • • • Microsoft SQL Server 2000 configuration Oracle database configuration LANDesk Software support and DBMS issues
59
INSTALLATION AND DEPLOYMENT GUIDE
Before you begin
LANDesk Management Suite requires interaction with a database management system (DBMS). Your DBMS server is an integral part of the management domain infrastructure. It handles all of the information Management Suite needs to manage clients in your domains. The Management Suite default installation uses a Microsoft MSDE database on your core server. If you aren't planning on using a default MSDE database on your core server, you need to set up a database before running Management Suite Setup. During Setup, you'll point to the database that will hold your data. The database schema also supports these ODBC-compliant DBMSes: • • • Microsoft SQL Server 2000 with SP 3 Oracle8i (8.1.7). Requires Oracle's OLE DB version 8.1.7.3 update. Oracle9i
All database servers need to have MDAC 2.8 on them. With Management Suite 8, you no longer need to create a database DSN for ODBC. The deciding factor in selecting a DBMS for your database is the number of managed clients and consoles in your Management Suite domain. In "Phase 1: Designing your management domain," you determined the number of clients in your management domains. Based on that number of clients, you can select the default database (MSDE) or a supported ODBC-compliant DBMS for a larger management domain. The steps below are for installing the core database. In Oracle, Management Suite uses public synonyms. For detailed database installation steps You can view detailed installation steps for each database on the LANDesk Software support Web site: http://www.landesk.com/go.php?go=ldmsdbwp. If you have a preexisting Windows NT/2000/2003 master domain Don't install the DBMS to the primary domain controller (PDC). The DBMS should be installed only on a standalone server. You can install the DBMS on the backup domain controller (BDC) in a small Windows NT/2000/2003 domain, but we don't recommend it.
60
PHASE 2: PREPARING YOUR DATABASES
Microsoft SQL Server 2000 configuration
Management Suite needs the following parameters. These parameters will be set by default if you use a typical install for SQL 2000: SQL server configuration parameters • Microsoft SQL 2000 performs self-tuning. You shouldn't need to tune any parameters manually.
Database parameters • Use the defaults.
Other settings • • Use "sa" or another user aliased into the database as DBO when creating the database. Set up database maintenance.
To install Management Suite so that it uses your SQL 2000 database 1. Install Management Suite to the point where you need to choose a database. 2. In the Choose a Database page, click User-supplied database and then click Next. 3. Enter the Server and Database names, and enter the User and Password that Management Suite should use to authenticate to the database. You MUST use a user who is aliased into the database as DBO. Don't use "sa" for the login name. Don't use any other user to create or reset the database. If another user attempts to connect to the database and the tables aren't owned by DBO, the user won't be able to see the tables. If you're using an Oracle database, check This is an Oracle database. 4. Click Next and finish the Management Suite install.
SQL maintenance
You must regularly perform maintenance on a Microsoft SQL Server database. Over time, the indexes become very inefficient. If your database has 10,000+ clients and queries seem to be running more slowly than normal, updating statistics on all tables within the database can substantially improve query performance. On very large databases, you might want to update statistics daily. Microsoft SQL maintenance requires the SQLServerAgent service to be running on the SQL server. You may need to set the service to Automatic in the Control Panel Services applet. SQL maintenance won't run unless the SQLServerAgent service is started.
61
INSTALLATION AND DEPLOYMENT GUIDE
To set up a maintenance task 1. Click Start | Programs | Microsoft SQL Server | Enterprise Manager. 2. Click the + next to these folders: Microsoft SQL Servers, SQL Server Group, the name of your server, and Management. 3. Right-click Database Maintenance and click New Maintenance Plan. 4. In the Database Maintenance Plan dialog, click Next. 5. In the Select Databases dialog, select These databases and select the checkbox for your database. Click Next. 6. In the Update Data Optimization Information dialog, click Reorganize data and index pages. 7. Set the Change free space per page percentage to option to 10. 8. Click the Change button next to the Schedule window. 9. In the Edit Recurring Job Schedule dialog, select the schedule you want for maintenance. We suggest you perform the maintenance at least weekly at a time when there will be minimal database activity. 10. Click OK. 11. In the Database Integrity Check dialog, select these options: Check database integrity and Include indexes, and click Next. 12. In the Specify the Database Backup Plan dialog, specify your own backup schedule and click Next. 13. In the Specify the Transaction Log Backup Plan dialog, specify your own backup schedule and click Next. 14. In the Reports to Generate dialog, select the Write report to a text file in directory option and click Next. 15. In the Maintenance Plan History dialog, select the Write history to the msdb.dbo.sysdbmaintplain_history table on this server option. 16. Set the Limit rows in the table to option to 1000. 17. Click Next. 18. In the Completing the Database Maintenance Plan dialog, enter a Plan name and click Finish.
62
PHASE 2: PREPARING YOUR DATABASES
Oracle database configuration
After installing an Oracle database, do the following: 1. Create a tablespace for LANDesk Management Suite Setup to use. 2. Create a user with the following system rights for the LANDesk Management Suite Setup to use: • • • • • • • • • Create Procedure Create Sequence Create Session Create Table Create Trigger Create Type Create View Force Transaction Unlimited Tablespace
3. Set the user's default tablespace to the tablespace created for Management Suite use. 4. On the core server, create a TNS entry for the Oracle instance.
Oracle performance tuning suggestions and scripts
Like any DBMS, Oracle should be tuned to help increase performance. The first step in increasing performance is to make sure sufficient hardware is allocated for the Oracle instance. If your database has 10,000+ clients and queries seem to be running more slowly than normal, updating statistics on the all tables and indexes in the database can substantially improve query performance. On very large databases, you might want to update statistics daily.
Miscellaneous Oracle issues
The following sections contain specific issues that you should review to get optimal performance when using an Oracle database with Management Suite. TNS Names Use Oracle's SQL Net Easy Configuration tool to create a TNS entry on the core server that points to the physical location of the Oracle database. The configuration tool adds an entry into $ORACLE_HOME/Network/ADMIN/TNSNames.ora file. Because each console relies on the core server to provide a database connection string, and because Oracle uses TNS names, each console must have the Oracle client installed with an identically named TNS name that exists on the core server. You must run the SQL Net Easy Configuration tool on each console to set up a TNS name.
63
INSTALLATION AND DEPLOYMENT GUIDE
You must create an Oracle TNS name entry on the console If you don't create an Oracle TNS name entry on the console computer, the console won't be able to communicate with the database. If services fail to start using Oracle If the LANDesk services are failing to start and checking the event log shows errors about “Adapter initialization failures” or “Adapter Authentication failures,” change the following file: $ORACLE_HOME/network/admin/sqlnet.ora Change: SQLNET.AUTHENTICATION_SERVICES = (NTS) To: SQLNET.AUTHENTICATION_SERVICES = (NONE) Using Oracle 9.2.0.1 with the Web console If you use an Oracle 9.2.0.1, there is an Oracle install bug that doesn't set the proper permissions for authenticated users (which IIS uses). Follow these steps to fix it. 1. Log in to Windows as a user with administrator privileges. 2. Launch Windows Explorer from the Start menu and navigate to the ORACLE_HOME folder. This is typically the "Ora92" folder under the "Oracle" folder (i.e. D:\Oracle\Ora92). 3. From the ORACLE_HOME folder's shortcut menu, click Properties. 4. Click the Security tab. 5. In the Name list, click Authenticated Users. On Windows XP, the Name list is called Group or user names. 6. In the Permissions list under the Allow column, clear the Read and Execute option. On Windows XP, the Permissions list is called Permissions for Authenticated Users. 7. Re-check the Read and Execute option under the Allow column (this is the box you just cleared). 8. Click Advanced and, in the Permission Entries list, make sure you see the Authenticated Users listed there with Permission = Read & Execute and Apply To = This folder, subfolders and files. If this isn't the case, edit that line and make sure the Apply onto box is set to This folder, subfolders and files. This should already be set properly, but it's important that you verify this. 9. Click the OK until you close out all of the security properties windows. 10. Reboot your server to make sure that these changes have taken effect.
64
PHASE 2: PREPARING YOUR DATABASES
LANDesk Software support and DBMS issues
LANDesk Software customer support is committed to helping you resolve database issues for LANDesk Management Suite. Some issues may require additional assistance from the database vendor or through an approved third party. The database support that LANDesk Software customer support won't provide includes, but is not limited to, the following: • • • • • • Configuring the DBMS with additional parameters for performance or other reasons Creating scripts Configuring an existing DBMS installation to work with Management Suite Restricting rights or perform other user maintenance Backing up the databases Repairing corrupt databases
If you call LANDesk Software customer support, support personnel will attempt to do the following: • • • • Isolate the problem Verify that the specified DBMS parameters are correct Verify that Management Suite is working correctly Verify that Management Suite works with MSDE
If, at this point, the DBMS still doesn't work, you may need to either reinstall the DBMS or resolve the issue through other means.
65
Phase 3: Installing the core, console, and rollup core
This phase focuses on installing the core server, console, and core rollup. During this installation, you'll use the information you recorded in "Phase 1: Designing your management domain." If you haven't completed all the tasks in the preceding phases, do so before beginning this phase. In phase 3, you'll learn about: • • • • • Selecting components to install Installing the core server and console Installing additional consoles Managing databases after installation Using the database Rollup Utility
The installation of the components outlined in this phase requires about 1-3 hours. If you're creating multiple domains, we recommend that you successfully complete the installation and deployment of one management domain before creating another. Make sure you review the system requirements described in "Phase 1: Designing your management domain."
67
INSTALLATION AND DEPLOYMENT GUIDE
Selecting components to install
During LANDesk Management Suite Setup, you'll need to select which components you want to install. • • Core: The server that acts as the central location for Management Suite software. Console: The primary interface for Management Suite. By default, this is installed on the core. To install consoles on other computers, you should install the console from your core server as described in "Installing additional consoles" in Phase 3. OS Deployment and Profile Migration: Deploys operating systems and migrates operating system profiles. Web console: Web-based interface for Management Suite. Not all features are available from the Web console. Rollup core: A database separate from the core server that summarizes information from multiple core servers. Rollup cores allow you to exceed the core limit of approximately 10,000 clients. You must schedule rollup core updates to synchronize the rollup core database with each core server's core database.
• • •
68
PHASE 3: INSTALLING THE CORE, CONSOLE, AND ROLLUP CORE
Installing the core server and console
To install the core server and console At the Windows 2000/2003 server you've selected to be your core server and console: 1. Insert the LANDesk Management Suite CD into the CD-ROM drive or run AUTORUN.EXE from your installation image. The Autorun feature will display a Welcome screen. 2. Click Verify Core System Requirements to run the system requirements checker. Make sure all requirements pass. 3. Click Install LANDesk Management Suite to run the Setup program. 4. Select the language you want Setup to install. 5. A Welcome screen for LANDesk Management Suite Setup appears. Click Next to continue. 6. On the License Agreement screen, if you agree click I accept the terms in the license agreement to continue. 7. Accept the default destination folder by clicking Next. 8. Select the components you want and click Next to continue. For most core servers we recommend all components except the Rollup core, which must be installed on a different server. 9. Select the database you want to use, either a new MSDE database, a usersupplied database that you've already configured, or a previous existing Management Suite database. 10. If you're using a user-supplied database: on the User-supplied Database Configuration page, enter the database information. If the database is Oracle, select that option. Enter the Server and Database names, and the User and Password that Management Suite should use to authenticate to the database. In the case of SQL Server, Management Suite uses SQL server authentication and a requires credentials for a user with db_owner privileges. OR If you're using the default database: on the Management Database: MSDE settings page, enter an MSDE database password. Remember this password or write it down. You'll need it later. Click Next to continue. 11. If you selected OS Deployment & Profile Migration, click next on the Windows 98 and Windows NT 4 CD prompts. You'll need to browse to the directory the browse dialog prompts you for. 12. Enter an organization and certificate name for the core server's security certificate. This information helps name and describe the certificate. Click Next. 13. On the Ready to Install the Program page, click Install. Management Suite will start installing. 14. The Installation Wizard Complete dialog appears when Setup is done. 15. If you want to import settings from a previous version of Management Suite, select that option to launch the migration process when you click Finish. 16. Click Finish. 17. Setup will prompt you to restart the server. You must click Yes to finish Setup. When the server restarts, you'll notice after you log in that Setup will run for a few more minutes while it finishes the installation. Setup won't prompt you for any more information during the first reboot.
69
INSTALLATION AND DEPLOYMENT GUIDE
When installing an MSDE core database on a Windows 2003 Server, Windows may interrupt Management Suite Setup and ask if it's OK to open Setup.exe. If you see this prompt, click Open or Management Suite won't be installed correctly.
70
PHASE 3: INSTALLING THE CORE, CONSOLE, AND ROLLUP CORE
Activating the core server
LANDesk Software uses a central licensing server at LANDesk Software to help you manage your core server's product and node licenses. To use the LANDesk products, you must obtain from LANDesk a user name and password that will activate the core server with an authorized certificate. Activation is required on each core server before you can use LANDesk products on that server. You can activate each core server either automatically by the Internet or manually by e-mail. You may need to reactivate a core server in the event that you significantly modify its hardware configuration. On a periodic basis, the activation component on each core server will generate data regarding: • • • The precise number of nodes you're using The non-personal encrypted hardware configuration The specific LANDesk Software programs you're using (collectively, the "node count data”)
No other data is collected or generated by the activation. The hardware key code is generated on the core server using non-personal hardware configuration factors, such as the size of the hard drive, the processing speed of the computer, and so on. The hardware key code is sent to LANDesk in an encrypted format, and the private key for the encryption resides only on the core server. The hardware key code is then used by LANDesk Software to create a portion of the authorized certificate. After installing a core server, use the Core Server Activation utility (Start | All Programs | LANDesk | Core Server Activation) to either activate it with a LANDesk account associated with the licenses you've purchased or with a 45-day evaluation license. The 45-day evaluation license is for 100 nodes. There are two types of licenses, client and server. Any time you install Management Suite agents on a server operating system, such as Windows 2000 Server or Windows 2003 Server, that installation consumes a Management Suite license for a server. Rollup core servers don't need to be activated. You can switch from a 45-day evaluation to a paid license at any time by running the Core Server Activation utility and entering your LANDesk Software username and password. Each time the node count data is generated by the activation software on a core server, you need to send the node count data to LANDesk Software, either automatically by the Internet or manually by e-mail. If you fail to provide node count data within a 30-day grace period after the initial node count verification attempt, the core server may become inoperative until you provide LANDesk with the node count data. Once you send the node count data, LANDesk Software will provide you with an authorized certificate that will allow the core server to work normally once again. Once you've activated a core server, use the Management Suite console's Configure | Product Licensing dialog to view the products and the number of authorized nodes purchased for the account the core server authenticates with. You can also see the date the core server will verify node count data with the central licensing server. The core server doesn't limit you to the number of authorized nodes you purchased.
71
INSTALLATION AND DEPLOYMENT GUIDE
You can view information about the licenses you're using by visiting the LANDesk Software licensing site at www.landesk.com/contactus.
About the Core Server Activation utility
Use the Core Server Activation utility to: • • • Activate a new server for the first time Update an existing core server or switch from a trial-use license to a full-use license Activate a new server with a 45-day trial-use license
Start the utility by clicking Start | All Programs | LANDesk | Core Server Activation. If your core server doesn't have an Internet connection, see "Manually activating a core or verifying the node count data" later in this section. Each core server must have a unique authorized certificate. Multiple core servers can't share the same authorization certificate, though they can verify node counts to the same LANDesk account. Periodically, the core server generates node count verification information in the "\Program Files\LANDesk\Authorization Files\LANDesk.usage" file. This file gets sent periodically to the LANDesk Software licensing server. This file is in XML format and is digitally signed and encrypted. Any changes manually made to this file will invalidate the contents and the next usage report to the LANDesk Software licensing server. The core communicates with the LANDesk Software licensing server via HTTP. If you use a proxy server, click the utility's Proxy tab and enter your proxy information. If your core has an Internet connection, communication with the license server is automatic and won't require any intervention by you. Note that the Core Server Activation utility won't automatically launch a dial-up Internet connection, but if you launch the dial-up connection manually and run the activation utility, the utility can use the dial-up connection to report usage data. If your core server doesn't have an Internet connection, you can verify and send the node count manually, as described later in this section.
Activating a server with a LANDesk Software account
Before you can activate a new server with a full-use license, you must have an account set up with LANDesk Software that licenses you for the LANDesk Software products and number of nodes you purchased. You will need the account information (contact name and password) to activate your server. If you don't have this information, contact your LANDesk Software sales representative. To activate a server 1. Click Start | All Programs | LANDesk | Core Server Activation. 2. Click Activate this core server using your LANDesk contact name and password. 3. Enter the Contact name and Password you want the core to use. 4. Click Activate.
72
PHASE 3: INSTALLING THE CORE, CONSOLE, AND ROLLUP CORE
Activating a server with a trial-use license
The 45-day trial-use license activates your server with the LANDesk Software licensing server. Once the 45-day evaluation period expires, you won't be able to log in to the core server, and it will stop accepting inventory scans, but you won't lose any existing data in the software or database. During or after the 45-day trial use license, you can rerun the Core Server Activation utility and switch to a full activation that uses a LANDesk Software account. If the trial-use license has expired, switching to a full-use license will reactivate the core. To activate a 45-day evaluation 1. Click Start | All Programs | LANDesk | Core Server Activation. 2. Click Activate this core for a 45-day evaluation. 3. Click Evaluate.
Updating an existing account
The update option sends usage information to the LANDesk Software licensing server. Usage data is sent automatically if you have an Internet connection, so you normally shouldn't need to use this option to send node count verification. You can also use this option to change the LANDesk Software account the core server belongs to. This option can also change a core server from a trial-use license to a full-use license. To update an existing account 1. Click Start | All Programs | LANDesk | Core Server Activation. 2. Click Update this core server using your LANDesk contact name and password. 3. Enter the Contact name and Password you want the core to use. If you enter a name and password that's different than the one used to originally activate the core, this switches the core to the new account. 4. Click Update.
Manually activating a core or verifying the node count data
If the core server doesn't have an Internet connection, the Core Server Activation utility won't be able to send node count data. You'll then see a message prompting you to send activation and node count verification data manually through e-mail. Email activation is a simple and quick process. When you see the manual activation message on the core, or if you use the Core Server Activation utility and see the manual activation message, follow these steps.
73
INSTALLATION AND DEPLOYMENT GUIDE
To manually activate a core or verify the node count data 1. When the core prompts you to manually verify the node count data, it creates a data file called activate.xml in the "\Program Files\LANDesk\ManagementSuite" folder. Attach this file to an e-mail message and send it to [email protected]. The message subject and body don't matter. 2. LANDesk Software will process the message attachment and reply to the mail address you sent the message from. The LANDesk Software message provides instructions and a new attached authorization file. 3. Save the attached authorization file to the "\Program Files\LANDesk\Authorization Files" folder. The core server immediately processes the file and updates its activation status. If the manual activation fails or the core can't process the attached activation file, the authorization file you copied is renamed with a .rejected extension and the utility logs an event with more details in the Windows Event Viewer's Application Log.
Logging in to the console
After you've rebooted the core server and Setup has finished, start the console by clicking Start | Programs | LANDesk | LANDesk Management Suite 8. Once the console starts, you'll see the console login window. Management Suite 8 uses Windows authentication to permit access to the console. Only members of the Windows LANDesk Management Suite group on the core server can log on to the console. By default, Setup added the user you were logged in as when you installed the core to the LANDesk Management Suite group. If you want other users to be able to access the console, add them to this group. Management Suite 8 also introduces role-based administration, where you can configure what clients and features other Management Suite console users have access to. For more information, see "Role-based administration" in chapter 1 of the User's Guide.
74
PHASE 3: INSTALLING THE CORE, CONSOLE, AND ROLLUP CORE
Installing additional consoles
By default, the core server is set up as a console (unless you cleared the console option during installation). If you want additional consoles, read the system requirements below and follow the instructions. • • • • • • Windows 2000 Professional or Advanced Server with SP 4 Windows XP Professional with SP 1 Pentium III processor minimum; Pentium 4 processor recommended 256 MB of RAM 180 MB of free disk space Microsoft Internet Explorer 5.5 or 6.x
If you install from a mapped drive You must make it a permanent mapping that will reconnect when you reboot. To install additional consoles At the computer you're installing the console files on: 1. Log in to the computer you're installing to with an account that has administrator rights. 2. Map a drive to the LDMAIN share on the core server. 3. From the Install\Console folder, run SETUP.EXE. 4. Complete Setup. This runs the console installation program from the core server. Either accept the default installation folder, or browse for an acceptable location. You should always install additional consoles directly from the core server, rather than using your original LANDesk Management Suite 8 installation source. If you apply any patches to Management Suite that require console updates, those patches will automatically update the console installation files on the core server. On additional consoles attaching to an Oracle database, an entry for the core database needs to be created in the TNSNAMES.ORA. If you don't do this, an Oracle TNS error will occur indicating the connection was not made. You can create these entries with Oracle's Net Configuration Assistant tool. The definition in TNSNAMES.ORA must exactly match the name stored in this registry key on the core server: HKLM\SOFTWARE\LANDesk\ManagementSuite\Core\Connections\local
75
INSTALLATION AND DEPLOYMENT GUIDE
Setting additional console permissions
By default, Management Suite Setup creates the LANDesk Management Suite group and gives it read, read/execute, and list files rights on the LDMAIN (C:\Program Files\LANDesk\ManagementSuite) share. You should add users needing additional console access to this group. Setup also creates these shares: • • • LDLOGON: The main file share clients use. Contains the client setup files and inventory scanner files, among other things. LDLOG: The results of all scheduled tasks. SCRIPTS: All scripts available from the Manage Scripts window.
Verifying a successful installation
With the installation of the core server and consoles complete, you can now use the Management Suite console. To verify successful installation 1. Click Start | Settings | Control Panel | Administrative Tools | Services and confirm that these services have started on the Windows NT/2000 core server: • • • • • • • • • • • Intel Alert Handler Intel Alert Originator Intel PDS Intel QIP Server Service Intel Scheduler LANDesk Device Monitor LANDesk Activation Service LANDesk Management Agent LANDesk Usage Service LANDesk Inventory Server LANDesk Management Agent
2. Start the console by clicking Start | Programs | LANDesk | Management Suite. 3. Log in and view inventory to confirm that the core server has been scanned into the core database.
76
PHASE 3: INSTALLING THE CORE, CONSOLE, AND ROLLUP CORE
Managing databases after installation
If you've installed more than one core server, you can: • • Install a rollup core Use the database Rollup Utility
Installing a rollup core
You can use a rollup core to to combine the data from multiple core servers. Rollup cores allow you to exceed the core limit of approximately 10,000 clients. You must schedule rollup core updates to synchronize the rollup core database with each core server's core database. Using the Management Suite Web console, you can then manage clients in the rollup core using queries, software distribution, remote control, and the other features the Web console supports. Before installing a rollup core, you need to have configured an additional Oracle or SQL Server rollup database server as described in "Phase 2: Preparing your databases." Management Suite Setup's rollup option will prompt you for information about the database you've set up. To install a rollup core 1. Set up a rollup core server and database. Install the database as described in Phase 2: Preparing your databases. 2. Log in to the rollup core server with an account that has administrator rights. 3. Map a drive to the LDMAIN share on the core server. 4. From the Install\Rollup Core folder, run the Rollup Core shortcut. 5. Proceed through Setup, and make sure you select the Rollup core component. 6. Finish Setup.
Using the database Rollup Utility
The database Rollup Utility (DBROLLUP.EXE) enables you to take multiple source core databases and combine them into a single destination core rollup database. A core server database can support about 10,000 clients, and the rollup core client limit depends on your hardware and acceptable performance levels. The source database can be either a core server or a rollup core server. The system requirements for a destination database may be substantially greater than the system requirements for a standard database. These requirements can vary considerably depending on your network environment. If you need more information about hardware and software requirements for your destination database, contact your LANDesk Software support representative. Setup installs the database Rollup Utility automatically with the rollup core. The Rollup Utility uses a pull mechanism to access data from cores you select. For database rollups to work, you must already have a drive mapped to each core you want the Rollup Utility to get data from. The account you connect with must have rights to read the core server's registry.
77
INSTALLATION AND DEPLOYMENT GUIDE
The Rollup Utility checks with a registry key on the core server for database and connection information (HKLM\SOFTWARE\LANDesk\ManagementSuite\Core\Connections\local) and uses that key's information to access the database associated with each core you add to the Rollup Utility. For Oracle databases, the TNS definition on the server you're running the Rollup Utility from must match the TNS definition on the core server the utility is accessing. You can use the rollup utility to select the attributes you want rolled up from the cores. The attribute selections you make apply to all cores. Limiting the number of attributes shortens the rollup time and reduces the amount of data transferred during rollups. If you know you won't be querying on certain attributes, you can remove them. The Rollup Utility always rolls up the selected attribute data and Software License Monitoring data. You can't customize the Software License Monitoring rollup. Rollup also doesn't include any queries or scopes you've defined. Any console users with rights to the rollup database have access to all data within that database. You can use feature-level security to limit access to Web console features. Once you've added the core servers you want to roll up and the attribute list for those servers, you can click Schedule to add a scheduled rollup script for each core server. From a Web console, you can then schedule these rollup scripts to run at the time and interval you want. Rollup scripts are only visible from the Web console and reside on the rollup core. To launch the Rollup Utility 1. On a rollup core, run the Rollup Utility (\Program Files\LANDesk\ManagementSuite\dbrollup.exe). 2. Select an existing rollup core server to manage from the list, or click New to enter the name of a new rollup core. 3. Once you select a rollup core, the Source cores list shows cores you've configured to roll up to the selected rollup core. To configure the attributes that you want to roll up 1. From the Rollup Utility, select the rollup core you want to configure. 2. Click Attributes. 3. By default, all database attributes are rolled up. Move attributes from the Selected Attributes column to the Available Attributes column that you don't want to roll up. 4. Click OK when you're done. Moving attributes to the Available Attributes column deletes associated data from the rollup database. To configure the source core servers for a rollup core 1. From the Rollup Utility, select the rollup core you want to configure. 2. Once you select a rollup core, the Source cores list shows cores you've configured to roll up to the selected rollup core. Click Add to add more cores or select a core and click Delete to remove one. Clicking delete immediately removes the selected core and all of that core's data from the rollup core database.
78
PHASE 3: INSTALLING THE CORE, CONSOLE, AND ROLLUP CORE
To schedule database rollup jobs from the Web console 1. From the Rollup Utility, select the Rollup core you want to configure. 2. In the Source cores list, select the core you want to schedule for rollup and click Schedule. If you don't select any cores, by default all cores in the list will be scheduled when you click Schedule. Clicking Schedule adds a rollup script for the selected core to the selected rollup core. 3. From a Web console, connect to the rollup core server. 4. In the left navigation pane, click Schedule rollup jobs. 5. Click the rollup script you want to schedule. The script names begin with the source core name followed by the destination rollup core name in parentheses. Click Schedule roll up. 6. Select when you want the roll up to happen and whether it should automatically reschedule or not. Click Continue to next step. 7. Verify the script schedule and click Finish.
Increasing the rollup database timeout
With large rollup databases, the Web console's query editor may time out when it tries to display a large list, such as the Software Package Name list. When this happens, the list you are trying to display won't show any data. If you experience timeouts you need to increase the database timeout value. This needs to be done wherever the IIS service or the Web console server is being installed. At the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\ManagementSuite\Core Add a new DWORD, Timeout, with a decimal value of 1800. This value is in seconds. You can adjust this value based on your query types and database performance. Stop and restart IIS for the change to take effect.
About the Rollup Utility
Use the database Rollup Utility (run from the rollup core) to manage data rollups from core servers. • • • Rollup core: You can manage multiple rollup cores from the Rollup Utility. Select the core you want to manage. You first must have a drive mapped to each rollup core. New: Click to add a new rollup core that you want to manage. You first must have a drive mapped to the rollup core you're adding. Enter the rollup core's computer name and click OK. Attributes: Click to select the attributes you want rolled up. The attributes list is global for all core servers the selected rollup core uses. Move individual attributes or attribute trees from the Selected Attributes column (these attributes will be rolled up) to the Available Attributes column (these attributes won't be rolled up). Reset database: Click to reset the selected rollup database. This deletes all data and rebuilds all tables. Add: Click to add a core that you want to include data from in the selected rollup core. Delete: Click to remove the selected core and its data from the selected rollup core's database. WARNING: This option deletes the selected core's
79
• • •
INSTALLATION AND DEPLOYMENT GUIDE
• •
data when you click OK. Data from other core servers remains in the rollup database. Schedule: Click to add a rollup script for the selected core. If you don't have a core selected in the Source Cores box, this option creates rollup scripts for all cores in the Source Cores box. Rollup: Click to do an immediate rollup from the selected core. If you don't have a core selected in the Source Cores box, this button rolls up all cores immediately. Close: Click to close the Rollup Utility.
•
Running CoreDbUtil to reset, rebuild, or update a database
The CoreDbUtil.exe utility, in the core server's \Program Files\LANDesk\ManagementSuite folder, creates all the tables, indexes, and constraints needed to use the core database. Before running CoreDbUtil.exe, you must install your database as described in "Phase 2: Preparing your databases" or the table creation may fail. CoreDbUtil.exe looks for registry keys on the core server to determine the core database connection information. CoreDbUtil doesn't work on core rollup databases. Use CoreDbUtil to: • • • Reset database: Drops all tables and rebuilds an existing core database from scratch using metadata.xml. Warning: all existing data will be lost. Build Components: Updates the schema (specifically to include column additions) in an existing core database from metadata.xml. This isn't destructive to existing data. Update Display Names: Updates the Display Name field in an existing core database for all devices in that database. This isn't destructive to existing data.
To run CoreDbUtil 1. On the core server, run CoreDbUtil.exe 2. After CoreDbUtil connects to the database, select the option you want. 3. Wait until the Status is finished. Depending on the database size and the task you chose, this could take a few minutes or several hours.
80
Phase 4: Deploying the primary agents to clients
In phase 4, you'll learn about the phased deployment of LANDesk Management Suite. Deployment is the process of expanding your management capabilities to the clients you want to include in your management domain. You deploy Management Suite by loading LANDesk agents and services onto clients. This allows you to manage them from a single, central location. In Phase 4 you'll learn about: • • • • • The phased deployment strategy Checklist for configuring clients Using a service center to deploy Remote Control, Inventory, and CBA to clients Understanding the client configuration architecture Reversing the client configuration process
81
INSTALLATION AND DEPLOYMENT GUIDE
The phased deployment strategy
Phased deployment is based on three principles: 1. Deploy the Management Suite components that have the least impact on your existing network first; then progress to the components that have the most impact. 2. Confirm that the functionality of each deployed component is stable on all client types before continuing to the next stage. 3. Proceed through the deployment of Management Suite in well-planned phases, rather than deploying all components at once, which may complicate any required troubleshooting. If you've completed the first three phases, you're ready to begin this final phase of deploying Management Suite to your servers, laptops, and desktop computers.
Checklist for configuring clients
There are three ways to configure clients: • • Manual configuration: Map a drive to the core server's LDLogon share and run WSCFG32.EXE, the client configuration program. The components that are deployed to the client must be selected interactively. Login script-based configuration: Use the Client Setup wizard to define a client configuration (with the default option set to Yes). This configuration will be applied to clients as they log in. In the case of Windows NT/2000/2003/XP clients, end users need administrative rights to their computers. Push-based configuration: Use the Client Setup wizard to define a client configuration. Use the Scheduled Tasks window to push the configuration to the clients. In the case of Windows 95/98 clients, the Management Suite CBA agent must already be present.
•
Obviously, manual configuration is not practical in a large environment where many clients must be configured. In this initial phase of the client deployment, with no agents present on the clients, login script-based configuration is the only option for Windows 95/98 clients. For Windows NT/2000/2003/XP clients, either login scriptbased or push-based configuration will work, but login script-based configuration is often impractical because it requires end users to have administrative rights to their computers. Regardless of the way you're configuring clients, make sure you've used the Client Setup wizard to create the client configuration you want to deploy. Particularly in bandwidth-sensitive environments, you should deploy the most important or most heavily used agents first, then gradually adding the other software as you verify that your system is stable with the new additions.
82
PHASE 4: DEPLOYING THE PRIMARY AGENTS TO CLIENTS
For the initial deployment, we recommend that you first deploy the primary agents: • • • • Common Base Agent Enhanced Software Distribution Inventory Scanner Remote Control
To create the primary agent client configuration Click Tools | Client Setup. Double-click the Add client Configuration icon. Enter a Configuration name. Under Components to install, we recommend at a minimum that you click Common Base Agent, Enhanced Software Distribution, Inventory Scanner, and Remote Control. 5. Click Next and proceed through the wizard, customizing the options you selected. Click Help for more information if you have questions about a page. 6. Make the configuration default by selecting that option at the end of the wizard or by clicking your configuration in the Client Setup window, and from its shortcut menu clicking Set as Default. For more information about deploying to clients, see "Understanding the client configuration architecture" at the end of this chapter. 1. 2. 3. 4.
83
INSTALLATION AND DEPLOYMENT GUIDE
Deploying to Windows NT/2000/2003/XP clients
Though the login script-based configuration is usually the method of choice for Windows 95/98 clients, this method is often impractical for Windows NT/2000/2003/XP clients, because it requires end users to have administrative rights to their computers. In most companies, end users do not have such rights. Fortunately, Management Suite also supports a scheduled, push-based configuration method. In the case of a Windows NT/2000/2003/XP client, the push-based method does not require CBA to be already present on the client. To enable a push-based configuration of Windows NT/2000/2003/XP clients not already running CBA, the Scheduler service that runs on the core server must be set up as follows: 1. In the console, click Configure | Services, then click the Scheduler tab. 2. Click Change login. 3. In the Username and Password field, specify a domain administrator account (in the format domain\username). 4. Stop and restart the Scheduler service. 5. Schedule the configurations. You can specify the domain administrator when configuring Windows NT/2000/2003/XP members that belong to the same domain as the core server. To configure Windows NT/2000/2003/XP clients in other domains, you must set up trust relationships. Remember that the account identified in step 3 above is also the account under which the Scheduler service will run on the core server. Make sure the account has the Log on as a service right. If a push configuration of a Windows NT/2000/2003/XP client fails and displays a message that says "Cannot Find Agent," try the steps listed below to identify the problem. These steps mimic the Scheduler's actions during a push configuration. 1. Find the username under which the Intel Scheduler service is running. 2. On the core server, log in with the username you found in step 1. 3. Map a drive to \\client name\C$. (This step is the one most likely to fail. It may fail for two reasons. Most likely, you don't have administrative rights to the client. If you do have administrative rights, it's possible that the client's administrative share (C$) is disabled.) 4. Create a directory \\client name\C$\$ldtemp$ and copy a file into it. 5. Use the Windows NT/2000/2003/XP Service Manager and try starting and stopping services on the client.
Deploying to Windows XP clients using local accounts
Windows XP's default setting forces network logins that use a local account to log in using the guest account instead. If you aren't using a domain-level administrative account and are using a local account for the Scheduler service, scheduled tasks will fail because the Scheduler service won't be able to authenticate. You can work around this by using the following procedure:
84
PHASE 4: DEPLOYING THE PRIMARY AGENTS TO CLIENTS
To change the default Windows XP security model for local accounts 1. On the Windows XP target client, click Start | Control Panel | Administrative Tools | Local Security Policy. 2. Click Local Policies > Security Options. 3. In the right hand pane, double-click Network Access: Sharing and Security Model for local accounts. Select Classic - Local users authenticate as themselves and click OK.
Upgrading clients that use older Management Suite agents
LANDesk Management Suite 8 can communicate with Management Suite 6.62 and 7 client agents, but these older clients won't be able to benefit from the new features, including Targeted Multicast, peer download, and dynamic bandwidth throttling. Older clients also won't be able to use Management Suite 8's new certificate-based security model. To upgrade clients that aren't in your version 8 database, you can use Unmanaged Device Discovery with the CBA option. Once clients are in the database, you can use the Scheduled Tasks window to deploy a new version 8 client configuration. You don't need to uninstall the previous 6.62+ client agents first.
85
INSTALLATION AND DEPLOYMENT GUIDE
Using a service center to deploy Remote Control, Inventory, and CBA to clients
This section includes background information about setting up Client Deployment services and instructions for completing the deployment of Remote Control, Inventory, and CBA. These instructions are organized based on the type of server you're deploying to. These are the categories: • • Deploying Remote Control, Inventory, and CBA to clients of a Windows NT/2000/2003 server Deploying Remote Control, Inventory, and CBA to clients of a NetWare server
If you'll be using service centers, there are two steps to deploying Remote Control, Inventory, and CBA to clients: 1. Set up a Client Deployment service center. 2. Assign the login scripts created by the Client Deployment service to the users you want to configure with these components.
Setting up a Client Deployment service center
A Client Deployment service center provides an easy method for deploying Management Suite agents to Windows clients. When you set up a Client Deployment service, login scripts are automatically created. You then need to assign clients the appropriate script in order for them to be configured. In accordance with the phased deployment strategy, you should initially limit the agents deployed to the clients. For the initial rollout, we recommended that you create a client configuration that includes CBA (the agent that provides communication with the core server), the Remote Control agent, and the Inventory agent. The Service Center wizard uses the settings for each component that you establish in the Client Setup wizard. The Client Setup wizard lets you specify the settings for each component you deploy. If you don't establish these settings in the Client Setup wizard before running the Service Center wizard, the default settings will be used. To create a client configuration 1. In the console, click Tools | Client Setup. 2. Double-click the Add new client configuration icon. 3. In the Client Setup wizard's Install components page, select the Common Base Agent, Inventory Scanner, and Remote Control components. 4. Proceed though the pages, making changes as necessary and clicking Next. Click Help for information on each page. 5. At the end of the wizard, click Set as default configuration. 6. Click Finish to complete the wizard.
86
PHASE 4: DEPLOYING THE PRIMARY AGENTS TO CLIENTS
Creating configurations with a Client Deployment service center
Each time you create a Client Deployment service center, you also create a client configuration that consists of a unique combination of components. These are the components you can deploy to clients: • • • • • • • • • • • • • Application Healing Application Policy Management Bandwidth Detection Common Base Agent Custom Data Forms Enable Migration Tasks Enhanced Software Distribution Inventory Scanner Local Scheduler Remote Control Software Monitoring Targeted Multicasting Task Completion
The first recommended client configuration is Remote Control, Inventory, and CBA. Other configurations are created using a Client Deployment service as you progress through this final phase.
Estimated completion time
You should deploy Remote Control, Inventory, and CBA to clients gradually. Be sure that your sampling of users is representative of the types of computers, configurations, and operating systems used in your environment. You should plan on taking a few days to complete this process, depending on how many Client Deployment services you create and how many clients you're deploying to. Necessary rights for configuring Windows NT/2000/2003/XP clients For users running Windows NT/2000/2003/XP, you must add their domain login name to the local Administrator Group on their own computers. This grants the necessary rights to users so that the Windows NT/2000/2003/XP login scripts will run. You can also use the Client Setup wizard and Scheduled Tasks window to enable Windows NT/2000/2003/XP clients for management. For more information on the Client Setup wizard, see chapter 2 of the User's Guide.
87
INSTALLATION AND DEPLOYMENT GUIDE
Deploying Remote Control, Inventory, and CBA to clients of a Windows NT/2000/2003 server
You can deploy Remote Control, Inventory, and CBA to clients of a Windows NT/2000/2003 server by creating a service center. To set up the Client Deployment service on a Windows NT/2000/2003 server PDCs and Windows 2000 Client Deployment service centers If you're installing a Client Deployment service on a Windows 2000 server, you must install to a primary domain controller (PDC) or backup domain controller (BDC). Only the PDC or BDC can run the domain-level login scripts that are created by a Windows 2000 Client Deployment service center. 1. Obtain Administrator rights on the target server. 2. At the console, select the Windows NT/2000/2003 server on which you'll install the Client Deployment service. 3. From the server's shortcut menu, click Service Center. 4. Click Next on the Service Center wizard welcome page. 5. Select the Client Deployment service and click Next. 6. Enter the Core server name and click Next. 7. Select Remote Control, Inventory, and Common Base Agent. Click Next. 8. Specify a directory on this server where you will install Management Suite files. Click Next. 9. Finish the wizard, customizing any options you want. The wizard creates batch files that must be assigned to users before their computers can be configured for manageability. For details, refer to the next section, "Using the Windows NT/2000/2003 login scripts."
Using the Windows NT/2000/2003 login scripts
A Windows NT/2000/2003 Client Deployment service creates an IPSETUP.BAT batch file that must be added to the profile login script of each user you want to manage. This batch file is copied to %system root\system32\repl\import\scripts on the core server. On Windows 2000 Client Deployment service centers, this batch file is stored in %system root\SYSVOL\Sysvol\Scripts\LANDesk. You must also copy these files from the core's LDLogon directory to the client deployment server's scripts directory: • • ISDOSBOX.EXE NBPSHPOP.EXE
Assign the appropriate login script to a user according to the computer's network protocol. Some other scripts are installed to allow backward compatibility with earlier LANDesk products.
88
PHASE 4: DEPLOYING THE PRIMARY AGENTS TO CLIENTS
If the client is running Windows NT/2000/2003/XP Users must have administrator privileges on their computers to install components with a login script. If users don't have administrative rights, consider using the pushbased configuration method. These are the actions that each batch file performs: • • • • • Determines the name of the client Determines the operating system of the client Downloads the configuration for that operating system to the client(1-2 minutes) Updates the startup procedure for the client to load the components Notifies the user to restart the client
To assign a Windows NT logon script 1. On the domain server, click Start | Programs | Administrative Tools | User Manager. 2. Select the users to be configured for manageability. From the User drop-down list, click Properties. 3. Click Profile. 4. In the Logon Script Name field, type the name of the logon script you want to use (don't include a path), then click OK. To assign a Windows 2000 logon script 1. 2. 3. 4. 5. Open the Windows 2000 MMC Group Policy snap-in. In the console tree, click Scripts. In the Details pane, double-click Logon. Click Add. Type the name of the logon script you want to use, then click OK.
This assigns the batch file to be the user's login script. On next log on, the batch file will: • • Scan the client into the Inventory database (if Inventory is selected) Configure the client with the LANDesk agents so that you can manage it
To assign a Windows NT/2000/2003 logon script to a user with a preexisting logon script At the client that you want to receive the login script: 1. Open a DOS box and run Edit. 2. Edit the existing login script to include this line: @call ipsetup.bat (for IP environments) When the user authenticates to the Windows NT/2000/2003 server, the assigned login script configures the client for manageability.
89
INSTALLATION AND DEPLOYMENT GUIDE
Deploying Remote Control, Inventory, and CBA to clients of a NetWare server
You can deploy Remote Control, Inventory, and CBA to clients of a NetWare server by creating a service center. Before you can make a NetWare server a service center, you need to run a utility on it so the server appears in the network view. To add a NetWare server to the network view 1. Connect to the target server with administrative rights 2. Open a command prompt from your core server's LDMAIN share. 3. At the command prompt, enter: AddNetWareSC <NetWare_Servername> Where <NetWare_Servername> is the name of your NetWare server. 4. Refresh the console's network view to verify the NetWare server is there. To set up the Client Deployment service on a NetWare server You must be logged in with administrator rights on the target server and have the NetWare Client 32 installed. 1. At any console, use the network view to select the NetWare server on which you want to install the Client Deployment service. 2. From the server's shortcut menu, click Service Center. 3. Click Next on the Service Center wizard welcome page. 4. Select the Client Deployment service and click Next. 5. Select Remote Control, Inventory, and Common Base Agent. Click Next. 6. If you've selected an NDS server, enter the name of the NDS container for the users you want to configure. 7. In the Service center name field, type the name of the service center you want to use for the clients of this server. (If the selected server doesn't already have management services installed, the core server is your default service center.) Click Next. 8. Click Yes to add the inventory scanner to your Windows Startup group; then you can verify the options you selected. 9. Use the Edit Startup Script page to edit the startup script if necessary. 10. Click Next to complete the wizard. 11. The wizard creates two NetWare groups that have corresponding login scripts. Users must be placed in a group before their computers can be configured for manageability. For details, refer to the next section, "Using the NetWare login scripts."
90
PHASE 4: DEPLOYING THE PRIMARY AGENTS TO CLIENTS
Using the NetWare login scripts
The Service Center wizard creates these groups when you set up Client Deployment on a NetWare server: Group LANDESKIPGROUP Use to configure. . . Clients using the TCP/IP network protocol.
LANDESKIPXGROUP Clients using the IPX/SPX network protocol. LANDesk Management Suite 8 doesn't support this. If you're administering a NetWare network, you can use a single login script to configure all of the clients on the network by adding users to the NetWare LANDESKIPGROUP group. To assign a NetWare login script • Use your Novell network administrator tools to populate the LANDESKIPGROUP with the users you want to manage.
When you add a user to this group, on next login the client is: • • Scanned into the core database (if Inventory is selected) Configured with the LANDesk agents so that you can manage it
The Management Suite login scripts are appended to the system or container login script.
Verifying successful completion of Remote Control, Inventory, and CBA deployment
To verify that you've successfully deployed Remote Control, Inventory, and CBA to clients, confirm that you can do the following tasks from within the console. If you need additional information to complete these tasks, refer to the chapters in the User's Guide that correspond to the respective features. Remote Control • • • Select a user and remote control his or her computer. Do this for a sampling of users. Perform all realtime access features: chat, file transfer, run program, and reboot for a sampling of users. Use the Client Setup wizard to create a customized configuration. Make any minor modifications to the Remote Control settings for testing purposes, then drag and drop the new configuration onto a user or group. After the clients have been re-configured, remote control a sampling of the newly configured clients and look at their version of the Remote Control settings to confirm that the changes from your customized configuration are included.
91
INSTALLATION AND DEPLOYMENT GUIDE
Inventory • • • • Perform an inventory query. Select a client, then view the inventory data for that client, as well as its configuration files. Configure the software scanning frequency. Modify a client's WIN.INI file, rescan the client, then verify that changes were recorded within the CHANGES.LOG.
CBA • In the network view, right-click a client, then click Properties to confirm that CBA installed correctly.
92
PHASE 4: DEPLOYING THE PRIMARY AGENTS TO CLIENTS
Deploying clients from the command line
You can control what components are installed on clients by using command-line parameters to override the default settings of batch files and login scripts. One way to do this is to use command-line parameters with the configuration program that is used by the batch files and login scripts, WSCFG32.EXE. You can launch WSCFG32.EXE in standalone mode. It's located in this directory on all Client Deployment service centers: (system drive)\Program Files\LANDesk\ManagementSuite\LDLogon. WSCFG32.EXE can also be found in the \\coreservername\LDLogon share, which is readable from any Windows 95/98 or Windows NT/2000/2003/XP client. WSCFG32.EXE uses one of two files to configure clients. NTSTACFG.INI is used for clients running Windows NT/2000/XP; 95STACFG.INI is used for clients running Windows 95/98. These files contain the unique client configuration you specified using the Client Deployment service. If you want to manually edit the configuration settings in these files, you can choose from these methods: • • Running the Client Setup wizard with the Set as default configuration option checked. Adding command-line parameters to WSCFG32.EXE and running it manually. For more information, see "Understanding WSFG32.EXE" later in this chapter.
93
INSTALLATION AND DEPLOYMENT GUIDE
Deploying to clients using Enhanced Software Distribution packages
You can use an Enhanced Software Distribution (ESWD) self-extracting package to install components onto clients. Clients need to have the Enhanced Software Distribution agent on them for this feature to work. To create a Client Setup configuration package 1. 2. 3. 4. Create a client configuration. In the Client Setup wizard's Finished page, check Create ESWD Package. Click Finish. Type a filename and select a location to store the package. Note that the default directory is the LDMain directory. Clients don't have access to this directory. Select the directory you're using to store packages and that clients have access to. 5. Click Save. The wizard creates the self-extracting .EXE package.
94
PHASE 4: DEPLOYING THE PRIMARY AGENTS TO CLIENTS
Understanding the client configuration architecture
Management Suite has logic in the client configuration files that works with 32-bit clients. Here is a simple view of the process that is used to configure Windows 95/98 and Windows NT/2000/2003/XP clients.
Configuring Windows clients
When you assign a Windows NT/2000/2003 login script (that is, IPSETUP.BAT) to a user, the batch file launches an executable called LDLogon\WSCFG32.EXE. This executable takes all instructions for how to configure clients from either the 95STACFG.INI file or the NTSTACFG.INI file. You will typically want to use the Client Setup wizard to change the settings in 95STACFG.INI and NTSTACFG.INI. When you create a client configuration using the wizard and click the Set as default configuration option, the settings are saved to the 95STACFG.INI and NTSTACFG.INI files.
Understanding WSCFG32.EXE
WSCFG32.EXE is LANDesk Software's client configuration utility. It configures Windows 95/98 and Windows NT/2000/2003/XP clients for management in four steps: 1. WSCFG32 determines whether the computer has been previously configured by another LANDesk product, such as older versions of Management Suite. If it has, WSCFG32 removes the older files and reverses any other changes. 2. WSCFG32 looks for a hidden file called CCDRIVER.TXT to decide whether the client needs to be (re)configured. (The decision process WSCFG32 goes through is covered below.) If the client doesn't need to be (re)configured, WSCFG32 exits. 3. If the client does need to be (re)configured, WSCFG32 loads the appropriate initialization file (95STACFG.INI or NTSTACFG.INI) and executes the instructions contained in it. 4. WSCFG32 creates a hidden CCDRIVER.TXT file, both at the root of the C: drive and in the Windows directory. This file indicates that the client has been configured, and the date is stored in the file. WSCFG32 doesn't configure the client with every login. Remember that WSCFG32 often runs from a login script. WSCFG32 will (re)configure the client only when one of the following is true: • • • The CCDRIVER.TXT file exists neither in C:\ nor in the Windows directory. The date stored in CCDRIVER.TXT is older than the Configured On date in NTSTACFG.INI or 95STACFG.INI. A /f (force) command-line parameter was specified.
95
INSTALLATION AND DEPLOYMENT GUIDE
Using the dates as a mechanism for reconfiguration is very convenient. If you set the Configured On parameter to today's date, clients using the Management Suite login scripts will automatically be reconfigured at their next login. The Client Setup wizard sets the Configured On parameter in NTSTACFG.INI or in 95STACFG.INI to today's date when you define a new default configuration. The following command-line parameters are available for WSCFG32.EXE: Parameter /F /I= Description Force execution, ignoring the dates in CCDRIVER.TXT Components to include: CBA (Common Base Agent) RC (Remote Control) INV (Inventory Scanner) DCF (Data Collection Forms) ESD (Enhanced Software Distribution) LS (Local Scheduler) APM (Application Policy Management) TC (Task Completion) AH (Application Healing) MC (Targeted Multicasting) BW (Bandwidth Detection) SWM (Software Monitoring) EMT (Enable Migration Tasks)
Example: WSCFG32.EXE /I=CBA /IP /L or /Log= /LOGON /N or /NOUI /NOREBOOT /NOCERT /P /REBOOT /TCPIP Configure using IP Path to the CFG_YES and CFG_NO log files that log which clients were and were not configured Execute [LOGON] prefixed commands Do not display the user interface Don't reboot client when done Undo the need for digital certificate authentication, the older security method available as an option in earlier Management Suite versions. Ask for user permission to execute Force reboot after running Same as IP (see above)
96
PHASE 4: DEPLOYING THE PRIMARY AGENTS TO CLIENTS
/U /X= /CONFIG=
Remove client agents Components to exclude Example: WSCFG32.EXE /X=SD /C[ONFIG]= Specifies a client configuration file to use in place of the default 95STACFG.INI or NTSTACFG.INI files. For example, if you've created configuration files called NTTEST.INI or 95TEST.INI (depending on the operating system), then use this syntax: WSCFG32.EXE /CONFIG=TEST.INI The custom .INI files should be in the same directory as WSCFG32.EXE and note that the /config parameter uses the filename without the 95 or NT prefix.
/? or /H
Display help menu
CCDRIVER.TXT
CCDRIVER.TXT is a hidden file created by WSCFG32.EXE. WSCFG32 creates it both at the root of the C: drive and in the Windows directory. The file stores the date on which the client was configured. The purpose of CCDRIVER.TXT is to allow the client setup program (WSCFG32) to decide whether the client needs to be (re)configured. This decision is based on whether or not CCDRIVER.TXT exists, and, if it does exist, the date stored in it.
97
INSTALLATION AND DEPLOYMENT GUIDE
Reversing the client configuration process
Executing WSCFG32 with the /U command-line parameter reverses the effects of client configuration. Adding users to the NetWare LANDESKEXCLUDEGROUP automatically reverses the client configuration when group members log in. For clients of Windows NT/2000/2003 server domains, you can edit the relevant batch file (SETUP.BAT) or the login script to manually add the /F and /U parameters. You also may want to add a /N parameter to prevent the WSCFG32 UI from displaying during the uninstall. To modify a Windows NT/2000/2003 batch file 1. Switch to the scripts path of the Windows NT/2000/2003 domain server, usually: \winnt\system32\repl\import\scripts 2. In a text editor, open the batch file you want to edit. 3. Modify the batch file as needed and save your changes. To modify the NetWare login script in NetWare 6 1. 2. 3. 4. 5. Use NetWare Administrator to edit the NetWare login script. Select the container that was set up as a Client Deployment service. Right-click on the Container, then select Details. Select Login Script to edit the container login script. Modify the login script as needed, then save your changes.
98
Phase 5: Deploying other agents to clients
In phase 5, you'll learn about deploying additional Management Suite agents. As described earlier, phased deployment is based on three principles: 1. Deploy the Management Suite agents that have the least impact on your existing network first; then progress to the components that have the most impact. 2. Confirm that the functionality of each deployed agent is stable on all client types before continuing to the next stage. 3. Proceed through the deployment of Management Suite in well-planned phases, rather than deploying all components at once, which may complicate any required troubleshooting. At this point, you should have completed phase 4 and verified that Remote Control, Inventory, and CBA are working on the clients you deployed. If so, you can gradually start deploying the other Management Suite agents you want to use. These are the additional agents you can deploy: • • • • • • • • • • • • • Application Healing Application Policy Management Bandwidth Detection Common Base Agent Custom Data Forms Enable Migration Tasks Enhanced Software Distribution Inventory Scanner Local Scheduler Remote Control Software Monitoring Targeted Multicasting Task Completion
To learn more about the functionality of these agents before deploying them to clients, see the User's Guide.
99
INSTALLATION AND DEPLOYMENT GUIDE
Creating a client setup configuration
Use the Client Setup wizard to create and update client and server configurations (such as what components are installed on clients and what network protocols the client agents use). You can create different configurations for groups' specific needs. For example, you could create configurations for the clients in your accounting department or for clients using a particular operating system. For more information about each page in the Client Setup wizard, click the Help button. To create a client configuration 1. In the console, click Tools | Client Setup. 2. Double-click the Add new client configuration icon. 3. In the Client Setup wizard's Install Components page, select the components you want to deploy. 4. Proceed though the pages, making changes as necessary and clicking Next. 5. At the end of the wizard, if you want the configuration to be the default (the configuration LDLOGON\IPSETUP.BAT will install), click Set as default configuration. 6. Click Finish to complete the wizard.
Deploying Application Healing
Application Healing is an optional feature that can automatically repair files that might be damaged or missing from client applications. If you intend to use Application Healing, you must build a software distribution package for each piece of software you want the ability to heal. In the instances of damage that Application Healing can repair, the agent verifies that all of the necessary files exist on the client for any application it's healing. The Application Healing agent detects and restores the missing or damaged files, enabling the targeted application to execute and function properly again. Application Healing requires the Common Base Agent and Enhanced Software Distribution components. When you select the Application Policy Management or Application Healing agents, you'll also see a Client Status TCP Port page. This is the port clients use to communicate status to the core server. By default, this port is 12175.
Deploying Application Policy Management
The Application Policy Management (APM) agent enables you to automatically install sets of applications on groups of clients that have common software needs. Application Policy Management requires the CBA and Enhanced Software Distribution components.
100
PHASE 5: DEPLOYING OTHER AGENTS TO CLIENTS
You can configure policies to enable applications to be pulled by clients, based either on client name or logged-in users. You can set required policies to install or reinstall applications automatically whenever a user logs in or whenever the client boots. APM provides policy support for pull-based software distribution. An example might be pulling software programs from a central location. Users can view the packages available for pulling, then download those packages to their individual computer. APM provides limited integration with directory managers, such as Microsoft’s Active Directory and Novell’s NDS. In order for clients to receive policies that are targeted through Active Directory or NetWare Directory Services, they have to be configured to log in to the directory. This means that they need to have all the correct client software installed, and they need to actually log in to the correct directory so that their fully distinguished name will match the name that was targeted through Directory Manager and Application Policy Manager. Windows 95/98 clients need to be configured to log in to the domain where the Active Directory resides. Windows NT and Windows 95/98 don't include Active Directory support. You must install Active Directory support on clients that log in to a directory and require Application Policy Management. As of this printing, more information on installing Active Directory client support was available here: http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextensi on.asp
Launching the APM client at specified intervals
There are two dialogs in the Client Setup wizard that control the APM client launch interval: • • Application Policy Management Options dialog: Access this dialog by clicking the Launch APM client at specified intervals option, then clicking the Configure button. Local Scheduler Time Filter Options dialog: Access this dialog by clicking the Time Filters button in the Application Policy Management Options dialog.
The Application Policy Management Options dialog has a Run APM client periodically option. This option tells the Local Scheduler agent to rerun the task at the interval you select. If you don't select this option, APM will only be scheduled to run once. When you select the Run APM client periodically option, you must also specify a Run every interval to run the task daily, weekly, or monthly. This interval starts the first time the Local Scheduler runs the task. For example, if you select weekly, the first chance Local Scheduler gets, it will run the task. If it runs the task on Tuesday the first time, generally the Scheduler will run the task every Tuesday. To configure in detail when the task will run, use the Time Filter Options dialog. You can set as many as three filters that define when the task will run: • • • Time-of-day filter Day-of-week filter Day-of-month filter
101
INSTALLATION AND DEPLOYMENT GUIDE
These filters further define the Run every interval you specify (daily, weekly, or monthly). For example, if you set the Run every interval to "monthly," then specify a day-of-month filter for the "21st" to the "22nd," the Local Scheduler will run the task once a month, sometime during the period between the 21st and 22nd. You can set one or multiple filters on the Run every interval, but ensure that the filters make sense for the interval you've chosen. For example, if you set the Run every interval to "daily," and then add a time-of-day filter of "8 p.m." to "11 p.m." and a day-of-week filter of "Monday," the task won't run daily, but rather each Monday between the times of 8-11 p.m. If you use a bandwidth filter in the Client Setup: Application Policy Management Options dialog, the bandwidth filter also determines when the Local Scheduler runs the job. Both the time and bandwidth filters must pass for the Local Scheduler to run the task. For example, perhaps you've configured a job to run on Wednesday every week and you've also specified the high-speed network connection bandwidth filter. If a client connects via dialup on Wednesday, the task won't run, even though the time filter criteria were met.
Deploying Bandwidth Detection
Bandwidth Detection enables bandwidth detection between clients and the core server. You can limit Management Suite actions such as software distribution, based on available bandwidth. Use this option if you have remote clients or clients that connect to the network via a slow link. Bandwidth detection enables you to specify that a certain bandwidth must be available between clients and the core server before the Software Distribution feature attempts to deploy a package. This is particularly important for mobile clients, because it ensures that scheduled tasks are executed only when the necessary bandwidth is available. This reduces the network congestion that could result if a remote client tried to download a large application over a slow connection. The Bandwidth Detection agent must be installed on the client in order to take advantage of the bandwidth detection capabilities. Management Suite supports two bandwidth detection algorithms: • • ICMP Sonar Algorithm PDS/RAS Bandwidth Check
You can specify how often the Local Scheduler checks for sufficient bandwidth to run the specified task. The default is 120 seconds.
Deploying the Common Base Agent
Common Base Agent (CBA) is the underlying protocol of Management Suite, and it's required by most components.
102
PHASE 5: DEPLOYING OTHER AGENTS TO CLIENTS
Deploying Custom Data Forms
You can create and distribute Custom Data Forms to collect client information that will supplement the standard information available in the core database. The forms you create using the Form Designer can be distributed by a Client Deployment service or by using the Client Setup wizard. Custom Data Forms requires the Inventory Scanner component. Customize the forms that are distributed to clients in your management domain using the Form Designer. For more information, see chapter 4 in the User's Guide.
Enabling Migration Tasks
The Migration Tasks Client Setup option selects the components necessary for OS deployment and profile migration. The only thing selecting the Migration Tasks option does is to provide a fast way of selecting the Bandwidth Detection, Common Base Agent, and Enhanced Software Distribution components. If you've already selected these components, selecting the Migration Tasks option doesn't make a difference.
Deploying Enhanced Software Distribution
Enhanced Software Distribution automates the process of installing software applications and distributing files to clients. Use this agent to install applications simultaneously to multiple clients or to update files or drivers on multiple clients. Enhanced Software Distribution uses a Web or file server to store packages. Clients access this package server when downloading a package. You'll need to configure a package server as described in chapter 6 in the User's Guide. You can deploy the Enhanced Software Distribution agent to clients before you set up a package server. Enhanced Software Distribution requires the Bandwidth Detection and Common Base Agent components.
Deploying the Inventory Scanner
The inventory scanner is a powerful tool that scans and catalogs the hardware and software on your clients. The inventory scanner runs on the client and sends this information to the core server. The information is processed by the inventory service and saved to the core database. Once the inventory information is saved to the database, you can view it with the console on the core server, an additional console on another computer, or through a browser with the Web console. The information appears in an inventory tree that you can browse to view the hardware and software on the client. The Inventory Scanner requires the Common Base Agent component.
103
INSTALLATION AND DEPLOYMENT GUIDE
Deploying the Local Scheduler
The Local Scheduler agent enables Management Suite to launch client tasks based on a time of day or bandwidth availability. The Local Scheduler agent is most useful for mobile computers that may not always be on the network or may connect to the network via a dialup connection. For example, you can use the Local Scheduler to allow mobile computer package distribution only when those clients are on the WAN. When you schedule Enhanced Software Distribution packages for distribution, or when you create application policies, you can specify which bandwidth the packages or policies require before they are applied. The Local Scheduler runs as a service on Windows NT/2000/2003/XP, or as a pseudo-service on Windows 95/98. The Local Scheduler requires the Bandwidth Detection component.
Deploying Remote Control
The Remote Control feature enables you to view and take control of a remote client anywhere on your network. Once the remote control agents are in place, you can use any console to initiate a remote control session, where you can view, manipulate, and interact with the client as if you were logged into it locally. You can also send files to or retrieve files from the remote client, chat with the remote user, launch applications, perform maintenance, and even reboot the remote client. Remote control supports multiple security models for you to select from to prevent unauthorized access and to allow the level of end-user control you want. • • • Local template: This is the most basic security. Windows NT security/local template: This security model uses a Windows NT Remote Control Operators group. Members of this group are allowed to remote control clients. Certificate-based/local template: This is the most secure option and is new to Management Suite 8. It's also known as on-demand secure remote control.
LANDesk Management Suite 8 introduces a new on-demand secure remote control that you can use. This new remote control improves on the prior version in these ways: • • • • Remote consoles authenticate with the core server. The remote control agent on a client loads on-demand once a remote control session is authorized by the core. All remote control authentication and traffic is encrypted over an SSL connection. Once a remote control session is over, the remote control agent unloads from the client.
Remote Control requires the Common Base Agent component.
104
PHASE 5: DEPLOYING OTHER AGENTS TO CLIENTS
Deploying Software Monitoring
The Software Monitoring agent enables you to monitor license compliance and product usage and denial trends on clients across your network. The agent records data about all installed applications on a client and stores this data in the client's registry. Using the Software License Monitoring window, you can choose to monitor the most important of these installed applications. Application usage data that you don't monitor is ignored and eventually overwritten with newer data in the client's registry. After you indicate the product files and licenses that you want to monitor, the following occurs: • Management Suite detects clients that are running the applications you want to monitor and imports this list into the Software License Monitoring window. The client list is static until the next software scan occurs. During the next scan, the scanner reads the client data collected by the Software Monitoring agents and sends this data up to the core server. Management Suite then updates the Software License Monitoring window with information for the specific licenses and products you're monitoring.
•
For mobile clients disconnected from the network, the Software Monitoring agent continues to record data and caches it in the client's registry. After the client reconnects to the network, the next scan detects which of the cached data is being monitored and sends that data to the core server. The Software License Monitoring window is then updated with the latest license compliance, usage, and denial data for those mobile clients. Software Monitoring requires the Inventory Scanner component.
Deploying Targeted Multicast
Targeted Multicast enables you to transmit software packages to multiple clients without modifying your router configuration. It's designed to work with your existing software distribution packages. When you use Targeted Multicast, you can easily distribute software, even in WAN environments with multiple hops and low connection speeds (56k). Targeted Multicast uses HTTP for delivery from a Web site to a subnet representative. Management Suite's inventory service provides all of the subnet information to the Targeted Multicasting service. Targeted Multicast provides unique benefits that standard methods of "multicast" don't provide. Inventory-based targeting of clients enables you to send a package to a selected group of computers that fit specific criteria via a multicast. Targeted Multicast is also simplified because there's no need to configure routers to handle deliveries. You can turn on Targeted Multicast by checking the Use Multicast to distribute this package option on the Create Script dialog that you'll see when creating a distribution package script. Targeted Multicasting requires the Bandwidth Detection, Common Base Agent, and Enhanced Software Distribution components.
105
INSTALLATION AND DEPLOYMENT GUIDE
Deploying Task Completion
The Task Completion agent checks with the core server to see if there are any scheduled jobs that clients need to run. Task Completion is especially useful for mobile users who aren't always connected to the network and tend to miss scheduled jobs. When the Task Completion agent runs, it launches a status window on clients while it checks with the core server. This window disappears after 15 seconds by default. You can specify that the Task Completion agent only run periodically or only between certain times/days/weeks/months. If the Task Completion agent runs and the computer isn't connected to the network or it can't talk to the core server, the Task Completion agent will exit. Task Completion requires the Bandwidth Detection, Common Base Agent, and Enhanced Software Distribution components. For more information on scheduling Task Completion, see "Launching the APM client at specified intervals" earlier in this chapter. The information in that section also applies to the Task Completion agent.
106
Chapter 6: Installing the Web console
In phase 6, you'll learn about installing the Web console. The Web console enables you to remote control, query, and report on inventory data in the core and rollup databases; distribute software; and execute Wake on LAN* technology from any computer that has a supported Web browser installed. In this chapter you'll learn about: • • • • • • • Extending network management to the Web Installation requirements Installing the Web console Accessing multiple databases Setting up Web console security Setting up role-based administration in the Web console Setting up feature-level security for rollup core databases
107
INSTALLATION AND DEPLOYMENT GUIDE
Extending network management to the Web
The Web console is a series of predefined Web pages containing links to HTML-based Management Suite tools. With the Web console files installed on a Web server, you can turn any computer on the network into a console with very little overhead. Management tools that were once only available from specific, dedicated console computers can be accessed by any computer with Internet Explorer 5.5 or 6.x. Installing the Web console is optional. While the Web console does not replace the more fully-featured Management Suite console, you can use it to perform these management tasks: • • • • • Remote control a computer Run inventory queries on the core and rollup core databases Run predefined reports from inventory information Schedule and deploy software packages Execute Wake on LAN technology
You can install the Web console, including Web pages and management tools, on a Web server you specify, or on your core server. With the Web console installed, the server then has access to the data in your core database, and any additional core and rollup core databases you configure. The Web console uses the same inventory and remote control agents as the Management Suite console. If you want to restrict access to the Web console tasks, you can set up role-based administration. For more information, see "Setting up role-based administration in the Web console" later in this chapter.
108
CHAPTER 6: INSTALLING THE WEB CONSOLE
Installation requirements
Here are the system requirements for installing and using the Web console.
Management Suite requirements
Before installing the Web console, make sure you've performed these installation and deployment steps for Management Suite: • Set up a Management Suite 8 core server and database: The Web console uses the existing core database infrastructure to perform management tasks. For more information about setting up databases, see "Phase 2: Preparing your databases." Set up a rollup core if you want to use data from multiple core servers: The Web console can use a rollup core database that combines data from multiple core servers. For more information, see "Phase3: Installing the console and rollup core." Installed Management Suite agents: The Web console uses the same client agents that the Management Suite console uses for management tasks.
•
•
Web server requirements
The Web server has the same software system requirements as the core server. Verify your Web server's system requirements by running AUTORUN.EXE at the root of your Management Suite installation image and clicking Verify Core Server System Requirements.
Computer requirements for accessing the Web console
Any Windows-based computer running Internet Explorer 5.5 or later can access the Web console without requiring additional configuration. In order to view the installation autorun screen and the interactive bar and pie charts displayed in many reports, you must have Macromedia Flash Player* 7 installed. If you have an Internet connection, your browser will download this automatically. If you use remote control, the Web console automatically installs the Remote Control Viewer application locally. You can manually remove the viewer with Control Panel's Add/Remove Programs applet by selecting "Remote Control Viewer."
109
INSTALLATION AND DEPLOYMENT GUIDE
Installing the Web console
Before you install the Web server, review this list of tasks you should have completed: • • • Installed a Management Suite 8 core server and optionally, a rollup core server: See "Phase 2: Preparing your databases" earlier in this guide. Installed Management Suite agents: Your clients need the Remote Control and Inventory agents. For more information, see "Phase 4: Deploying the primary agents to clients" earlier in this guide. Installed a DBMS client on the Web server: See the section below.
Database drivers are the client components of whatever database you use with your core server. You need to install these drivers on your Web server so that the Web console can access your database. The type of drivers you install, if you install any at all, depends on the type of database you're using. Management Suite 8 supports these databases: • • • Microsoft MSDE 2000 SP3 Microsoft SQL Server 2000 with SP4 Oracle8i (8.1.7) and Oracle9i
See your database application documentation for details about installing the database client drivers. With Management Suite 8, you no longer have to create a DSN to the core and rollup core databases. By default, Setup places the Web console files in the \Intepub\wwwroot\remote folder. Setup also creates these file shares with the necessary permissions on your core server. The Web console and clients require these shares and permissions to work correctly: • ldmain: Server applications ("..\ManagementSuite"). The Administrators group must have Full Control. For Windows 2000, the IWAM_<ServerName> user must have Read & Execute, List Folder Contents, and Read. For Windows 2003, the Network Service group must have Read & Execute, List Folder Contents, and Read. ldlog: Logs ("..\ManagementSuite\log"). ldlogon: Client applications ("..\ManagementSuite\ldlogon"). The Administrators group must have Full Control and the Everyone group must have Read Only. scripts: Software distribution scripts ("..\ManagementSuite").
• • •
If you're installing the Web console on a server other than the core server, ensure that you're logged in as a domain administrator, and that the domain administrator account is in the core server's LANDesk Management Suite user group. The core and Web console servers must be in the same domain, and any users you want to use the Web console need to be added to the LANDesk Management Suite group on both the core and Web console servers.
110
CHAPTER 6: INSTALLING THE WEB CONSOLE
Don't run the Management Suite 8 Web console on an older core server or console You should use only the version 8 Web console on a Management Suite 8 core server or console computer. Earlier versions of Management Suite will not work. To install the Web console on a server other than the core server 1. On the server that will host your Web console, map a drive to the LDMAIN share on your core server. 2. In the LDMAIN\Install\Web Console folder, double-click Web Console. 3. Select the language you want Setup to install. 4. A Welcome screen for LANDesk Management Suite Setup appears. Click Next to continue. 5. On the License Agreement screen, click Yes to accept and continue. 6. Accept the default destination folder by clicking Next. 7. Select the Web Console feature and any other features you want. 8. If Setup prompts you for your core server name, enter it and click Next. If Setup then prompts you for a username and password, enter credentials with administrative privileges on the core server. 9. Reboot the server when Setup finishes and prompts you to. If you're installing to a Windows 2003 server, IIS disables active server pages by default. You must enable them for the Web console to work correctly. To enable active server pages on Windows 2003 servers 1. Click Start | Administrative Tools | Internet Information Services (IIS) Manager. 2. Under the root tree item, click Web Service Extension. 3. Click Active Server Pages, then click Allow. To verify the installation, open a Web browser, then enter the Web server URL, which by default is: http://webservername/remote The installation was successful if the browser prompts you for login information and, after you enter it, the Web console opens. If you get a permission denied error when you try to access the Web console, make sure Integrated Windows authentication is enabled as the authentication method for the Web console's site. To verify the authentication method 1. In the Internet Information Services manager, from the remote folder's shortcut menu, click Properties. On the Directory Security tab, click Edit in the Anonymous access and authentication control box. Clear the Anonymous access option and check Integrated Windows authentication. 2. Click OK to exit the dialogs.
111
INSTALLATION AND DEPLOYMENT GUIDE
Accessing multiple databases
If the Web server you've installed the Web console on will be accessing databases on other servers, you must also: • • Configure domain-level software distribution Configure the Web console for multiple cores
Configuring domain-level software distribution and Windows 2003 servers
If you're going to distribute software from the Web console, the Web server you installed the Web console on must be able to access and change software distribution files on the core server. This is an issue if your Web server and core server are on different computers, or if your Web server is running Windows 2003 Server. To allow this, you need to register a component on the Web server. To configure domain-level software distribution 1. Go to the Web server you installed the Web console on. 2. From the Windows Control Panel's Administrative Tools, double-click Component Services. 3. Click Component Services > Computers > My Computer > COM+ Applications. 4. From the COM+ Applications shortcut menu, click New | Application. 5. On the wizard welcome page, click Next. 6. Click Create an empty application and click Next. 7. Enter a name for the new application. "LANDesk" is fine. Click Server application and click Next. 8. Click This user. You must enter a domain-level account with administrative privileges on the core server. If the account isn't domain-level, software distribution from the Web console won't work. Click Next. 9. Click Finish to close the wizard. You'll see a new COM+ Application tree node named "LANDesk" or whatever you chose. 10. Click Component Services > Computers > My Computer > COM+ Applications > LANDesk > Components. 11. From the Components shortcut menu, click New | Component. 12. On the Wizard welcome page, click Next. 13. Click Import component(s) that are already registered. 14. From the component list, click Schcom.Schint.1, then click Next. 15. Click Finish to close the wizard. You should see Schcom.Schint.1 as a registered component. 16. Click Component Services > Computers > My Computer > COM+ Applications > LANDesk > Roles. 17. From the Roles shortcut menu, click New | Role, enter "Everyone" as the name for the new item. 18. Click Roles > Everyone > Users. From the Users shortcut menu, click New | User, enter "Everyone" as the object name, and click OK. 19. Restart IIS or reboot.
112
CHAPTER 6: INSTALLING THE WEB CONSOLE
Configuring the Web console for multiple cores
After you've installed the Web console on a Web server, you can edit the configuration file \Inetpub\wwwroot\remote\xml\core.asp to connect to additional databases. By default, this file points to the core server only. Once you add more servers to it, you'll be able to connect to additional databases with a drop-down list box in the Web console. If you ever change the information referenced in core.asp, you'll need to update the file with the new information. Note that all entries in core.asp must be single-line entries. Multiple-line entries will cause an error to occur. Here's a sample core.asp: <?xml version="1.0" ?> <core> <cores> <item name="CORE-TEST" server="CORE-TEST\LDMSData" database="lddb" user="sa" password="" isoracle="0" software="0" rollup="0"/> <item name="ROLLUP-TEST" server="ROLLUP-TEST" database="ldms" user="sa" password="" isoracle="0" software="0" rollup="1"/> </cores> </core> Entry item name= Description The server name you want the Web console to connect to. This also is the text string that appears in the drop-down list of databases in the Web console's Login page. For SQL Server, this is the database servername\database instance name. If your database is in SQL's default instance, don't specify a database instance name. For Oracle, this is the Oracle host string (the service\instance name). The SQL database name you created on the Web server. This option is blank for Oracle databases. The default user ID for the database. The password associated with the default user ID. Whether the database is Oracle (1) or not (0). For future use. Leave blank. Whether the database is a core rollup database (1) or not (0).
server=
database= user= password= isoracle= software= rollup=
113
INSTALLATION AND DEPLOYMENT GUIDE
To add databases to core.asp 1. Locate core.asp on the Web server in the directory where the Web console is installed (by default c:\Inetpub\wwwroot\remote\xml). 2. Open core.asp in a text editor, such as Notepad. 3. Copy the lines of the file (similar to the example above), then paste them under the existing text. Change the lines to reflect the information for the additional database(s). 4. Save the core.asp file as a text file.
114
CHAPTER 6: INSTALLING THE WEB CONSOLE
Setting up Web console security
If you're using the Web console with a core database, the Web console uses the rolebased administration settings you've made in the Management Suite console to control access to features and clients. If you're using the Web console with a rollup core database and want to control access to features for that rollup database, you need to set up feature-level security. For more information, read the following sections: • • Setting up role-based administration in the Web console Setting up feature-level security for rollup core databases
Setting up role-based administration in the Web console
When accessing a core database (not a rollup core), the Web console uses the same role-based security as the Management Suite console. Use the Management Suite console to manage what features and scopes you want Web console users to be able to access. For more information on role-based administration, see chapter 1, "Using the LANDesk Management Suite console" in the User's Guide. To configure Web Console role-based administration 1. Add domain-level accounts for Web console users to the LANDesk Management Suite group on the core server. 2. In the Management Suite console, click Tools | Users. 3. In the All Users group, double-click the user whose rights you want to change. 4. After making changes, click OK. These are the role-based administration rights and what they do in the Web console: Software distribution A user assigned this right can: • • • • • See all software distribution scripts but not the OS deployment and profile migration scripts. Choose Targeted Multicast options in the Software Distribution dialog. Send a Wake on LAN packet to a client to turn it on (the client must support Wake on LAN). Schedule and view scheduled tasks (no PXE or OS deployment scripts). Use local console links for LANDesk Server Manager and LANDesk System Manager (if installed).
Reports A user assigned this right can: • View and print reports.
115
INSTALLATION AND DEPLOYMENT GUIDE
Remote control A user assigned this right can: • • • Remote control, file transfer, chat, remote execute, and reboot. Wake up/shut down. Use a local console link for LANDesk System Manager (if installed).
Public query management A user assigned this right can: • Create, modify, copy, delete, and move queries. This applies to the private and public queries. Without this right, users have access to private queries only.
LANDesk Administrator A user assigned this right has access to all rights, including those mentioned above.
Setting up feature-level security for rollup core databases
If you're using the Web console with a rollup core database, and you want to control access to features for that rollup database, you need to set up feature-level security as described below. The Web console administrator can set feature-level security by assigning users to any of four groups created during installation. By default, anyone with administrator privileges automatically has access to all Web console features. All other users must be assigned to these groups, or they're denied access to the features. The groups are: • • • • rc_user for using Remote Control. A user with administrator privileges has to actually download the Remote Control Viewer onto the computer before users in this group can remote control a client. sd_user for viewing Software Distribution logs, scheduled jobs, and scripts. To further restrict security, these users can only configure settings and distribute packages if they have administrator privileges. inv_user for creating and running custom queries. report_user for viewing reports and configuring how they look.
NOTE: When assigning users to the sd_user group, ensure that you also give them access rights to the distribution logs directory ([c:\inetpub\wwwroot]\remote\log by default). When assigning users to the report_user group, ensure that you also give them access rights to the images subdirectory under report ([c:\inetpub\wwwroot]\remote\report\images by default). These groups are based on Windows NT and Windows 2000/2003 groups. By default, they're set up as local groups on the Web server, though you can set them up on the domain controller as global groups.
116
CHAPTER 6: INSTALLING THE WEB CONSOLE
Assigning users
You can only assign domain users to these groups; if you assign users that are local to the Web server, they won't authenticate. Local users can't log in to a remote client (in this case to access the Web console) as a local user on a Web server.
Setting up authentication
To take advantage of feature-level security, you must set up authentication by disabling Anonymous Authentication on the Web server, but leave Windows NT/2000 Security enabled (this is Challenge and Response on Windows NT and Integrated Windows Authentication on Windows 2000). If Anonymous Authentication is left enabled, the Web console will resort back to the database authentication used in previous releases.
Changing the default IIS session timeout
You can change the default session timeout for the Web console's Web pages. The IIS default is 20 minutes of inactivity before a login expires. To change the IIS session timeout 1. 2. 3. 4. 5. On the Web server, open the IIS Internet Service Manager. Expand the default Web site. Right-click the Remote folder, then click Properties. Under the Directory tab, click Configuration. Click the Application Options tab, then change the session timeout to the value you want.
Setting up the indexing service
The Web console's HTML online help has a search feature that you can enable to do full-text searches. Normally, this feature is enabled by default. If you need to enable indexing on your Web server, do the following: To configure your IIS server to run the Web console as an application 1. 2. 3. 4. 5. Open the IIS Internet Service Manager. Expand the default Web site. Right-click the Remote folder, then click Properties. In the Application section, click Create. Click OK.
To start the indexing service on Windows 2000 1. Click Start | Programs | Administrative Tools | Services. 2. Double-click Indexing Service and click Start. 3. Click OK to exit out of the dialogs.
117
INSTALLATION AND DEPLOYMENT GUIDE
Configuring rights for the Web console
The following rights should be configured automatically. If you're having problems with the Web console, you can verify that these rights have been set correctly. Update the following areas with the appropriate information. To configure database authentication 1. Grant Modify rights for the IUSR_[MACHINE NAME] (IIS Internet Guest account) for the following directories: inetpub\wwwroot\remote\queries inetpub\wwwroot\remote\reports\images 2. Grant Modify rights to IWAM_[MACHINE NAME] (IIS Web Application Manager account) for the following directory: inetpub\wwwroot\remote\reports\images
Changing the Web console location
If you move the location of the Web console files or the Remote Control Viewer after installation, you will need to modify the CONFIG.ASP file to designate the new location of the Remote Control Viewer. To update CONFIG.ASP 1. Locate CONFIG.ASP on the Web server in the directory where the Web console is installed. 2. Open CONFIG.ASP in a text editor, such as Notepad. 3. Edit this line with the new URL where the Remote Control Viewer files are located: URL="http://yourwebserver.com/remote" 4. Save CONFIG.ASP as a text file.
118
Chapter 7: Installing OS deployment and profile migration
The OS deployment and profile migration component adds automated remote image deployment and profile migration capabilities to LANDesk Management Suite. OS deployment and profile migration streamline new computer provisioning and existing computer migration without requiring additional end-user or technician input once the process starts. You can schedule deployments and migrations to occur after hours, and by using Targeted Multicast technology to distribute images, you don't have to saturate network bandwidth by deploying the same image to multiple computers. If you use Microsoft Sysprep with your images, OS deployment creates customized SYSPREP.INF files and injects them into each computer's image on a per computer basis, customizing computer names, domain information, and so on from the core database. OS deployment includes a built-in imaging tool, or you can use imaging tools that you provide. Your investments in Symantec Ghost*, PowerQuest*, and existing images won't be wasted with OS deployment. OS deployment supports two types of OS deployments--Management Suite agentbased and PXE-based: • • Agent-based deployments use the client's existing Windows OS and Management Suite agents to deploy images. PXE-based deployments allow you to image computers with blank hard drives or unusable OSes. Lightweight .NET PXE proxies eliminate the need for a dedicated PXE server on each subnet.
In this chapter you'll learn about: • • • • • Installing OS deployment and profile migration Step 1: Configuring an image server Step 2: Verifying name resolution Step 3: Configuring your network for multicast OS deployment Step 4: Configuring PXE
WARNING: The OS deployment functionality must be used with caution. Operating system deployment involves wiping all existing data off of a computer and installing a new operating system. There is substantial risk of loss of data if the OS deployment function is not performed precisely as described herein or if poorly implemented images are used. Before performing any operating system deployment, all data must be backed-up in such a manner that any lost data may be restored.
119
INSTALLATION AND DEPLOYMENT GUIDE
Installing OS deployment and profile migration
To install OS deployment and profile migration on your core server, you must have: • • Windows 2000 Server SP 4 or later with IIS 5. The OS deployment .NET Web Service isn't compatible with Windows NT 4 or IIS 4. Microsoft .NET Framework 1.1 or later (latest service pack recommended) on the core server. You can download the .NET Framework from Windows Update or from www.microsoft.com.
During the install, you'll be prompted for: • • Access to a Windows NT 4 Server CD. OS deployment uses Microsoft Windows NT 4 client networking files. A Windows 98 CD. OS deployment uses Microsoft boot and network files on the CD.
Installing OS deployment and profile migration on your core server also updates the additional console install image. You should reinstall your additional consoles so they are also updated. OS deployment and profile migration don't need extra system requirements beyond those already specified for additional consoles. If you installed OS deployment when you installed the core server, you can ignore the installation steps below. To install OS deployment and profile migration on an existing core At the Windows 2000/2003 core server: 1. From your LANDesk Management Suite 8 installation image, double-click autorun.exe. The Autorun feature will display a Welcome screen. 2. Click Install LANDesk Management Suite. 3. Select the language that matches the core you are installing to, then click OK. 4. Click Modify, then click Next. 5. On the Select Features page, leave the existing options checked, and check OS Deployment / Profile Migration. 6. Click Previous Management Suite Database, then click Next. 7. Finish the Setup wizard. 8. Reinstall any additional consoles that you installed before you added OS deployment and profile migration to your core server.
120
CHAPTER 7: INSTALLING OS DEPLOYMENT AND PROFILE MIGRATION
Once you've installed OS deployment and profile migration, you need to plan how you'll structure OS imaging and deployments on your network. You also need to decide whether you'll be using OS deployment PXE proxies to facilitate deployments: • If you don't use PXE, you can only image computers running a supported Windows OS and the Management Suite agents, specifically the Enhanced Software Distribution agent. OS deployment uses the Enhanced Software Distribution agent to transfer OS deployment files and images to clients. If you use PXE, you can image any computer that supports PXE booting, regardless of what is installed on it. For more information, see "Using PXE services" in the User's Guide.
•
121
INSTALLATION AND DEPLOYMENT GUIDE
Configuring your OS deployment and profile migration environment
Before you can use OS deployment and profile migration, you'll need to configure your environment. OS deployment requires the following: 1. A share for images that clients can access from DOS 2. A working DHCP and DNS/WINS server 3. A multicast domain representative if you're doing Targeted Multicast deployments 4. A PXE proxy if you are using PXE for deployments
Step 1: Configuring an image server
You need to put OS images and your imaging tool on a network server. Clients will need to access this server via the credentials you provide in the OS Deployment/Migration Tasks wizard. Make sure the share name you use for your images follows 8.3 DOS naming conventions and doesn't have any spaces. The share must be reachable from DOS. IMPORTANT: DOS can authenticate to network resources with only one set of credentials. For this reason, we recommend having your images and imaging tool executable on one share. You can use multiple shares if the authentication credentials are exactly the same. IMPORTANT: For Targeted Multicast OS deployments, you must make the image share a null-session share as described in the next section. Multicast clients can't access the image share unless it is null-session.
Making your image share null-session
You use the SYSSHRS.EXE utility to make your image share a null-session share folder. A null-session share is a shared folder that doesn't require a username or password for access. Multicast deployments require null-session shares. To make a share null-session 1. In Explorer, right-click the folder that will be your images share and then click Sharing. 2. Click Share this folder and click Permissions. 3. Add the Everyone and the Guest groups, but grant them only read permissions. Click Apply. 4. Click Start | Run and browse to the LDMAIN\Utilities directory on your core server. 5. Run the SYSSHRS.EXE utility. 6. Check the shared folder you set up and click Apply and then Close.
122
CHAPTER 7: INSTALLING OS DEPLOYMENT AND PROFILE MIGRATION
Step 2: Verifying name resolution
In an environment where WINS and/or DNS name resolution isn't available or doesn't work properly, it may be necessary to implement a static IP address for the core server and hard-code the IP address into the PXE and virtual boot images for OS deployment. To test if WINS is working on your network • From a DOS 6.22 environment (with Microsoft NDIS/DHCP stack) command prompt, try a NET USE command to map a drive to the server that stores your images. You must do this from native DOS and not a Windows command prompt. Management Suite will use WINS/LMHOSTS resolution to map drives to your image server: NET USE G: \\imageserver\share To test if DNS is working for your environment 1. From any Windows 2000/XP computer that has a DHCP address, type the following from a command prompt: NSLOOKUP 2. At the NSLOOKUP prompt (>), type the name of your core server. OS deployment uses DNS to resolve the name of the core server when deploying operating systems. For OS deployment to work properly, your DNS server needs to be able to resolve both the NETBIOS (root servername) and fully-qualified domain name (FQDN, servername.mycompany.com) of the core server. Management Suite 8 also requires reverse DNS lookup support. If clients are taking several minutes to reboot and start an OS Deployment job, reverse lookup probably isn't enabled.
Step 3: Configuring your network for Multicast OS deployment
Before using Targeted Multicast with OS deployment, you need to make sure the Targeted Multicast components are in place on the subnet you're distributing to. Each subnet must have a multicast domain representative. If you try to multicast to a subnet that doesn't have a domain representative, the deployment will start, but it won't be able to finish. You don't have to use Targeted Multicast to distribute OS deployment images, but Targeted Multicast will save a lot of network bandwidth if you distribute the same image to multiple clients. Make sure you don't image any Targeted Multicast representatives in a subnet, because you could end up imaging your Multicast domain representative and the imaging will fail, leaving the computers in an unusable state.
123
INSTALLATION AND DEPLOYMENT GUIDE
To manually specify which computers will be multicast domain representatives 1. In the network view, click Configuration > Multicast Domain Representatives. 2. Add domain representatives by dragging the computers you want to be representatives from the network view into this category.
Step 4: Configuring PXE
PXE services software is installed as part of OS deployment and provides another method—in addition to agent-based deployment—of automated remote imaging of computers on a single LAN or routed network environment. With PXE services implemented, you can boot both new and existing PXE-enabled computers and either: • • Run an OS deployment script at the computer from an image menu you configure. Add the computer to your core database, then schedule an image deployment job from the console.
You don't have to use PXE to deploy OS deployment images, but if your clients support PXE, PXE can be the easiest and most flexible way to get images to clients. PXE service files are simply copied to the core server as part of the normal OS deployment installation. To enable PXE services, you must first deploy a PXE representative (or proxy) computer on each segment of your network where you want PXE services available. You need to deploy at least one PXE proxy on your network and at least one additional PXE proxy on each subnet where you want to provide PXE boot services. You set up a PXE proxy by running the PXE Representative Deployment script on the selected computer. This script installs as part of OS deployment, and is available in the Scheduled Tasks window. Each PXE proxy forwards via HTTP any PXE boot requests on its subnet to the core server. The core server then checks to see if there are any pending jobs for that computer. If not, the computer boots normally. You can have multiple PXE proxies on a subnet to help with load balancing. If this is the case, the first PXE proxy to respond to a client's request is the one that will be used to communicate with the core server.
124
CHAPTER 7: INSTALLING OS DEPLOYMENT AND PROFILE MIGRATION
There are no special hardware requirements for the computer you select, but it must meet the following software requirements: • Operating system: Windows NT 4, Windows 2000/2003, or Windows XP Professional. For Windows NT and 2000, ensure that the Microsoft MSI service is running (XP includes MSI by default). If you've installed the latest service pack for either OS, MSI service should be running. Otherwise, you can deploy it to the target PXE proxy from the console by following these steps: Click Tools | Scheduled Tasks, click the Schedule Script toolbar icon, select the MSI Service Deployment task, click OK, drag the target computer(s) to the window, and click the Set Start Time icon to schedule the MSI service deployment. • Installed agents: Enhanced Software Distribution agent and Inventory Scanner agent.
To deploy a PXE proxy 1. In the console, click Tools | Scheduled Tasks, then click the Schedule Script toolbar icon. 2. Select the PXE Representative Deployment script from the list, then click OK. 3. In the console's network view, select the target computer on which you want to install PXE services (in this case the core server). 4. Drag and drop the selected computer to the Machine list in the Scheduled Tasks window. 5. Click the Set Start Time toolbar icon and schedule to run the script now. This script installs the PXE services software on the target computer. If you modify the PXE boot option settings (on the Configure | Services | OS deployment dialog), you need to update a PXE proxy by re-running the PXE Representative Deployment script to apply those changes. This procedure of rerunning the script is not necessary if you simply move PXE proxies from the Available proxies list to the Holding queue proxies list. To update or remove a PXE proxy 1. Click Tools | Scheduled Tasks, then click the Schedule Script toolbar icon. 2. To update a PXE proxy, select the PXE Representative Deployment script from the list, then click OK. Or, to remove a PXE proxy, select the PXE Representative Removal script, then click OK. 3. Drag and drop the target computer(s) to the Scheduled Tasks window and schedule a time for the task to occur (for details, click the Help button or press F1 to view the online help).
125
INSTALLATION AND DEPLOYMENT GUIDE
Verifying that the core server accepts PXE proxy communication
Each PXE proxy communicates with the core server via HTTP. You should verify that the core server is accepting this communication by trying to connect to the core with this URL: http://<coreservername>/landesk/managementsuite/core/core.webservices/pxe.as mx You should see a Web page titled "PXE Web Service." If a Web page doesn't come up, you may need to reinstall the .NET Framework and OS deployment.
Configuring PXE clients
You must configure your clients to boot PXE before using OS deployment's PXE support.
126
CHAPTER 7: INSTALLING OS DEPLOYMENT AND PROFILE MIGRATION
OS deployment phases
After you've created your images and run Sysprep on them, there are three OS deployment phases: 1. Run the OS Deployment/Migration Tasks wizard (select Deploy image) to create a script that defines how OS Deployment will handle that image. 2. Drag the script and the target computers to the Scheduled Tasks window and schedule a time for the deployment to happen. Watch the Custom Job Status window updates for success/failure. 3. Computers running Windows and Management Suite agents will begin the job when scheduled. PXE-enabled computers will begin the job next time they boot. For more information on using OS deployment and profile migration, see the User's Guide.
127
Chapter 8: Installing add-ons
Add-ons extend the power of LANDesk® Management Suite 8 and leverage core technologies to enable more effective and efficient management for desktops, servers and mobile devices. These add-ons are purchased separately. For information on installing the Patch Manager or Asset Manager add-ons, read the appropriate section in this chapter.
129
INSTALLATION AND DEPLOYMENT GUIDE
Activating Management Suite 8 add-on products
With Management Suite 8, version 8.1, after you install any of the LANDesk add-on products described in this chapter, you need to run the Core Server Activation utility to update your existing account and activate the add-on product with a trial-use or full-use license. To update your account 1. Start the utility by clicking Start | All Programs | LANDesk | Core Server Activation. 2. Click Update this core server using your LANDesk contact name and password. 3. Enter your Contact name and Password. 4. Click Update. For more information about LANDesk product activation and licensing, see "Activating the core server" in Phase 3.
130
CHAPTER 8: INSTALLING ADD-ONS
Installing LANDesk Patch Manager 8
Patch Manager version 8.1 requires the full version of LANDesk Management Suite version 8.1 is installed on your core server. If you're currently running Management Suite 8.0, you must first upgrade to version 8.1 before installing Patch Manager. To install Patch Manager on your core server 1. 2. 3. 4. 5. Insert the product CD, or run AUTORUN.EXE from your installation image. Click Install LANDesk Patch Manager 8 to run the Setup program. Select the language you want Setup to install. At the Welcome screen, click Next. On the License Agreement screen, click Yes to accept and to start copying files. 6. At the Setup is Complete screen, click Finish.
You can now use Patch Manager in the Management Suite console.
Additional consoles
To use Patch Manager from any of your additional consoles, you must reinstall the additional consoles after installing Patch Manager on a Management Suite 8.1 core server. Once Patch Manager is installed on your core server, any new additional consoles will include Patch Manager functionality. For detailed information on installing additional consoles, refer to "Installing additional consoles" in the Installation and Deployment Guide.
131
INSTALLATION AND DEPLOYMENT GUIDE
Installing LANDesk Asset Manager 8
Asset Manager version 8.1 requires the full version of LANDesk Management Suite version 8.1 is installed on your core server. If you're currently running Management Suite 8.0, you must first upgrade to version 8.1 before installing Asset Manager. Because Asset Manager runs in the Management Suite version 8.1 Web console, you must also have the Web console software installed on either your core server or another compatible Web server. If you need to install and configure the Web console, see "Installing the Web console" in the Installation and Deployment Guide. To install Asset Manager on your core server 1. 2. 3. 4. 5. Insert the product CD, or run AUTORUN.EXE from your installation image. Click Install LANDesk Asset Manager to run the Setup program. Select the language you want Setup to install. At the Welcome screen, click Next. On the License Agreement screen, click Yes to accept and to start copying files. 6. At the Setup is Complete screen, click Finish.
Furthermore, if you're running the Web console on a different server than the core server, you must perform the following procedure in order to install required Asset Manager files on the Web console server. This procedure is NOT necessary if your Web console is installed on the core server. To install Asset Manager files on the Web console server 1. From the Web console server, map a drive to the LDMAIN share on the core server. 2. From the Install\WebConsole folder, run SETUP.EXE. 3. Complete Setup. You can now access the Web console and use Asset Manager.
132
CHAPTER 8: INSTALLING ADD-ONS
Installing LANDesk Handheld Manager 8
LANDesk Handheld Manager is an add-on to LANDesk Management Suite 8 that helps you manage mobile devices. LANDesk Software has partnered with XcelleNet Afaria* to provide mobile management support. With Handheld Manager, your mobile devices send inventory data to the Management Suite database. Handheld Manager also allows you to distribute single files or single-file packages (32-bit Windows* platforms only) to your mobile devices. You can distribute these file types to mobile devices: • • • For Palm* OS devices, you can distribute these file types: PRC, PDB, PQA, WCA, QSH, PNC, SCP. For Windows CE/Pocket PC* devices, you can distribute CAB files. For 32-bit Windows package distributions via the Afaria agent, you can distribute EXE and MSI files.
Installing Handheld Manager
Handheld Manager must be installed on your Management Suite 8 core server. See the Afaria documentation for the supported mobile platforms. Your core server will need about 300 MB of space for the Handheld Manager and Afaria files. Since the share holding the files you are distributing to your mobile devices is in the LDMAIN\handheld directory, you also need to have space for these files. If you have questions about installing the Afaria portions of Handheld Manager, refer to the Afaria documentation. The documentation is in the XcelleNet Documents directory. Follow these steps to install Handheld Manager on your core server. Each step generally requires a reboot. After your server reboots, relaunch AUTORUN.EXE from your CD or Handheld Manager installation image. To install Handheld Manager on your core server 1. In the autorun, click Install Afaria Server and complete the wizard. In this wizard you will point to the database that will hold the Afaria data. After the server setup finishes, reboot if necessary and relaunch AUTORUN.EXE from your CD or installation image. Don’t make any changes to the Afaria Menu yet. 2. In the autorun, click Install Afaria Connector and complete the wizard. The connector enables scan files generated by the Afaria clients to get into the Management Suite database. Reboot if necessary.
Deploying to host computers and their mobile devices
Once you’ve configured the core server, you can deploy the Afaria agent to host computers and their clients. Host computers are the computers that mobile clients synchronize with.
133
INSTALLATION AND DEPLOYMENT GUIDE
First you need to create an Afaria client communication schedule. This schedule defines how often the Afaria agent on mobile devices connects to the core server. To configure the client communication schedule 1. Shortcuts to the Afaria components are on your core server desktop. If the Afaria Menu isn’t running, double-click the Afaria icon on your desktop. 2. Open the Afaria Channel Administrator. 3. From the tree view, select the LANDeskInv channel. 4. On the Properties page, click Define Schedules. 5. Finish the wizard by entering a schedule name and defining the communication schedule you want. 6. On the Properties page, select the Client Schedule you created. 7. Activate your schedule by clicking File | Unpublish and then File | Publish. 8. Follow the same process for the LANDeskSW channel. You can create a new client schedule or you can use the schedule you created for the LANDeskInv channel. After creating the client schedule, you’ll need to create a client installation package. This package will be a single-file executable that host computers need to execute to install both the host computer and mobile client software. To create a host computer and mobile client installation package 1. Shortcuts to the Afaria components are on your core server desktop. If the Afaria Menu isn’t running, double-click the Afaria icon on your desktop. 2. Click Create Client Installation. 3. Pick the client type you want to configure. Make sure you use the LANDesk Integration channel if it's selectable for the client type you chose. 4. In the wizard, make sure the mobile device will connect with the core server after agent installation. 5. Finish the wizard. Once you’ve created the client installation package for each mobile device type you will be managing, you need to install the package on the host computer so that computer can install the client software on the mobile device. You can put the client installation package on a share and have users run it manually, or you can use software distribution to distribute the installation package. Mobile devices won't display in Desktop Manager's Network View until they send an inventory scan. Assuming you configured the client installation package to connect immediately after agent installation, you will need to resynchronize your handheld a second time after the Afaria agent installs. For more information on client synchronization issues, see the release notes.
Using Afaria with 32-bit Windows clients
Both Management Suite and Afaria support 32-bit Windows software distribution. You can choose which management agent you want on these clients.
134
CHAPTER 8: INSTALLING ADD-ONS
The Management Suite agents provide: • • • Bandwidth detection--stops distribution over slow links. Targeted multicasting--low network bandwidth software distribution to multiple computers. On-demand distributions--distribute software immediately.
The Afaria agent provides: • • Bandwidth throttling--Limits software distribution use of network bandwidth. Client agent scheduling--Clients receive distributions only when the mobile agent connects to the core server.
How Handheld Manager works
Once you’ve installed Handheld Manager, you can schedule tasks from Desktop Manager to distribute files to mobile devices. Here’s the taskflow: 1. Create the package you want to distribute. Click Tools | Manage Scripts, and click the New Distribution Script button. Select the file you are deploying, and in the Deploy Package wizard click Deploy the package using mobile deployment. Finish the wizard. 2. From Desktop Manager, schedule a job to distribute the package to the mobile devices you want. 3. When the scheduled time arrives, the Scheduler will launch the mobile task processor (LDHTASK.EXE) to process the task. 4. Once launched, LDHTASK.EXE will transfer the file from the original location you specified to the handheld files directory on the core server. 5. Once the file is in the directory, the mobile devices that are part of the scheduled task will be marked as ready for processing in the production database. This task will remain in the Scheduler until the target clients have completed the task. 6. The next time a mobile device contacts the core server via the Afaria agent, the device will check to see if its unique device ID is scheduled for any tasks. If the device is scheduled for a task, the Afaria agent will retrieve and install the scheduled file. Desktop Manager receives job status from the Afaria agent. You can see status messages in the Scheduler window.
Viewing mobile inventory information
Mobile devices appear in the console's Network View as standard nodes. The devices are dimmed because they don’t have the normal Management Suite client agent. The Afaria agent provides inventory information to the Management Suite database by sending an inventory scan after your client schedule criteria are met and the device synchronizes with the host computer. The inventory view categories are different depending on the mobile device type.
135
Chapter 9: Installing LANDesk Inventory Manager
LANDesk Inventory Manager is a version of LANDesk Management Suite 8 that contains only these inventory-related features: • • • • • Inventory scanning and inventory-related console features Custom data forms Software license monitoring Unmanaged device discovery Reports for the above features
The Inventory Manager installation on a core server contains all LANDesk Management Suite 8 components, but when you activate a core server with an account that is licensed for Inventory Manager, the non-Inventory Manager features aren't applicable or visible in the Management Suite and Web consoles. Because Inventory Manager doesn't include client setup or scheduled tasks, you can only install clients manually or through a login script.
137
INSTALLATION AND DEPLOYMENT GUIDE
Installing clients manually
Map a drive to the core server's LDLogon share and run WSCFG32.EXE, the client configuration program. The components that are deployed to the client must be selected interactively. You can also run IPSETUP.BAT in the LDLogon share. IPSETUP.BAT installs the default configuration specified in the ntstacfg.ini file automatically without interaction.
138
CHAPTER 9: INSTALLING LANDESK INVENTORY MANAGER
Installing clients using a service center
Service centers help you deploy clients via login scripts, in addition to reducing the load on the core server. These instructions are organized based on the type of server you're deploying to. These are the categories: • • Deploying Remote Control, Inventory, and CBA to clients of a Windows NT/2000/2003 server Deploying Remote Control, Inventory, and CBA to clients of a NetWare server
If you'll be using service centers, there are two steps to deploying client agents: 1. Set up a Client Deployment service center. 2. Assign the login scripts created by the Client Deployment service to the users you want to configure with these components.
Setting up a Client Deployment service center
A Client Deployment service center provides an easy method for deploying Management Suite agents to Windows clients. When you set up a Client Deployment service, login scripts are automatically created. You then need to assign clients the appropriate script in order for them to be configured.
Creating configurations with a Client Deployment service center
Each time you create a Client Deployment service center, you also create a client configuration that consists of a unique combination of components. These are the components you can deploy to clients: • • • • Common Base Agent Custom Data Forms Inventory Scanner Software Monitoring
Necessary rights for configuring Windows NT/2000/2003/XP clients For users running Windows NT/2000/2003/XP, you must add their domain login name to the local Administrator Group on their own computers. This grants the necessary rights to users so that the Windows NT/2000/2003/XP login scripts will run. You can also use the Client Setup wizard and Scheduled Tasks window to enable Windows NT/2000/2003/XP clients for management. For more information on the Client Setup wizard, see chapter 2 of the User's Guide.
139
INSTALLATION AND DEPLOYMENT GUIDE
Deploying to clients of a Windows NT/2000/2003 server
You can deploy to clients of a Windows NT/2000/2003 server by creating a service center. To set up the Client Deployment service on a Windows NT/2000/2003 server PDCs and Windows 2000/2003 Client Deployment service centers If you're installing a Client Deployment service on a Windows 2000 server, you must install to a primary domain controller (PDC) or backup domain controller (BDC). Only the PDC or BDC can run the domain-level login scripts that are created by a Windows 2000 Client Deployment service center. 1. Obtain Administrator rights on the target server. 2. At the console, select the Windows NT/2000/2003 server on which you'll install the Client Deployment service. 3. From the server's shortcut menu, click Service Center. 4. Click Next on the Service Center wizard welcome page. 5. Select the Client Deployment service and click Next. 6. Enter the Core server name and click Next. 7. Select Remote Control, Inventory, and Common Base Agent. Click Next. 8. Specify a directory on this server where you will install Management Suite files. Click Next. 9. Finish the wizard, customizing any options you want. The wizard creates batch files that must be assigned to users before their computers can be configured for manageability. For details, refer to the next section, "Using the Windows NT/2000/2003 login scripts."
Using the Windows NT/2000/2003 login scripts
A Windows NT/2000/2003 Client Deployment service creates an IPSETUP.BAT batch file that must be added to the profile login script of each user you want to manage. This batch file is copied to %system root\system32\repl\import\scripts on the core server. On Windows 2000 Client Deployment service centers, this batch file is stored in %system root\SYSVOL\Sysvol\Scripts\LANDesk. You must also copy these files from the core's LDLogon directory to the client deployment server's scripts directory: • • ISDOSBOX.EXE NBPSHPOP.EXE
Assign the appropriate login script to a user according to the computer's network protocol. Some other scripts are installed to allow backward compatibility with earlier LANDesk products.
140
CHAPTER 9: INSTALLING LANDESK INVENTORY MANAGER
If the client is running Windows NT/2000/2003/XP Users must have administrator privileges on their computers to install components with a login script. If users don't have administrative rights, consider using the manual configuration method. These are the actions that each batch file performs: • • • • • Determines the name of the client Determines the operating system of the client Downloads the configuration for that operating system to the client(1-2 minutes) Updates the startup procedure for the client to load the components Notifies the user to restart the client
To assign a Windows NT logon script 1. On the domain server, click Start | Programs | Administrative Tools | User Manager. 2. Select the users to be configured for manageability. From the User drop-down list, click Properties. 3. Click Profile. 4. In the Logon Script Name field, type the name of the logon script you want to use (don't include a path), then click OK. To assign a Windows 2000 logon script 1. 2. 3. 4. 5. Open the Windows 2000 MMC Group Policy snap-in. In the console tree, click Scripts. In the Details pane, double-click Logon. Click Add. Type the name of the logon script you want to use, then click OK.
This assigns the batch file to be the user's login script. On next log on, the batch file will: • • Scan the client into the Inventory database (if Inventory is selected) Configure the client with the LANDesk agents so that you can manage it
To assign a Windows NT/2000/2003 logon script to a user with a preexisting logon script At the client that you want to receive the login script: 1. Open a DOS box and run Edit. 2. Edit the existing login script to include this line: @call ipsetup.bat (for IP environments) When the user authenticates to the Windows NT/2000/2003 server, the assigned login script configures the client for manageability.
141
INSTALLATION AND DEPLOYMENT GUIDE
Deploying to clients of a NetWare server
You can deploy to clients of a NetWare server by creating a service center. Before you can make a NetWare server a service center, you need to run a utility on it so the server appears in the network view. To add a NetWare server to the network view 1. Connect to the target server with administrative rights 2. Open a command prompt from your core server's LDMAIN share. 3. At the command prompt, enter: AddNetWareSC <NetWare_Servername> Where <NetWare_Servername> is the name of your NetWare server. 4. Refresh the console's network view to verify the NetWare server is there. To set up the Client Deployment service on a NetWare server You must be logged in with administrator rights on the target server and have the NetWare Client 32 installed. 1. At any console, use the network view to select the NetWare server on which you want to install the Client Deployment service. 2. From the server's shortcut menu, click Service Center. 3. Click Next on the Service Center wizard welcome page. 4. Select the Client Deployment service and click Next. 5. Select Remote Control, Inventory, and Common Base Agent. Click Next. 6. If you've selected an NDS server, enter the name of the NDS container for the users you want to configure. 7. In the Service center name field, type the name of the service center you want to use for the clients of this server. (If the selected server doesn't already have management services installed, the core server is your default service center.) Click Next. 8. Click Yes to add the inventory scanner to your Windows Startup group; then you can verify the options you selected. 9. Use the Edit Startup Script page to edit the startup script if necessary. 10. Click Next to complete the wizard. 11. The wizard creates two NetWare groups that have corresponding login scripts. Users must be placed in a group before their computers can be configured for manageability. For details, refer to the next section, "Using the NetWare login scripts."
142
CHAPTER 9: INSTALLING LANDESK INVENTORY MANAGER
Using the NetWare login scripts
The Service Center wizard creates these groups when you set up Client Deployment on a NetWare server: Group LANDESKIPGROUP Use to configure. . . Clients using the TCP/IP network protocol.
LANDESKIPXGROUP Clients using the IPX/SPX network protocol. LANDesk Management Suite 8 doesn't support this. If you're administering a NetWare network, you can use a single login script to configure all of the clients on the network by adding users to the NetWare LANDESKIPGROUP group. To assign a NetWare login script • Use your Novell network administrator tools to populate the LANDESKIPGROUP with the users you want to manage.
When you add a user to this group, on next login the client is: • • Scanned into the core database (if Inventory is selected) Configured with the LANDesk agents so that you can manage it
The Management Suite login scripts are appended to the system or container login script.
143
INSTALLATION AND DEPLOYMENT GUIDE
Deploying clients from the command line
You can control what components are installed on clients by using command-line parameters to override the default settings of batch files and login scripts. One way to do this is to use command-line parameters with the configuration program that is used by the batch files and login scripts, WSCFG32.EXE. You can launch WSCFG32.EXE in standalone mode. It's located in this directory on all Client Deployment service centers: (system drive)\Program Files\LANDesk\ManagementSuite\LDLogon. WSCFG32.EXE can also be found in the \\coreservername\LDLogon share, which is readable from any Windows 95/98 or Windows NT/2000/2003/XP client. WSCFG32.EXE uses one of two files to configure clients. NTSTACFG.INI is used for clients running Windows NT/2000/2003/XP; 95STACFG.INI is used for clients running Windows 95/98. These files contain the unique client configuration you specified using the Client Deployment service. If you want to manually edit the configuration settings in these files, you can choose from these methods: • • Running the Client Setup wizard with the Set as default configuration option checked. Adding command-line parameters to WSCFG32.EXE and running it manually. For more information, see "Understanding WSFG32.EXE" in Phase 4.
144
Chapter 10: Deploying to Macintosh, Linux, and UNIX clients
This chapter explains how to deploy agents to Macintosh, Linux, and UNIX clients. LANDesk Management Suite has limited support for these clients—at a minimum, you can do inventory scans, and depending on the operating system and version, you can do more. In this chapter you'll learn about: • • Deploying to Macintosh clients Deploying to Linux and UNIX clients
145
INSTALLATION AND DEPLOYMENT GUIDE
Deploying to Macintosh clients
The Macintosh agents support these operating systems: • • • Mac OS X 10.2.x and 10.3.x Mac OS 8 and 9.2.2 All clients must have TCP/IP installed.
Supported Mac OS 8 and 9.2.2 agent features: • • • Remote file transfer. Remote program execution. No reliance on Apple System Profiler.
Management Suite 8 adds these features to the Mac OS X agents: • • • • • Software License Monitoring: Application usage monitoring, license compliance tracking/reporting, and application denial/reporting Remote Control Enhancements: Render rate improvements, client-side icon to terminate session, remote login/out Software Distribution: Macintosh clients can receive Targeted Multicast files Application Policy Management: Macintosh clients can automatically receive software packages (required, recommended, and optional packages) if they match query criteria you set Additional base agent support: Mac OS X agents also support chat, remote reboot, and CBA discovery
146
CHAPTER 10: DEPLOYING TO MACINTOSH, LINUX, AND UNIX CLIENTS
Deploying the Mac OS X agents
The Macintosh client install files are stored on the core server in the \Program Files\LANDesk\ManagementSuite\LDLogon\Mac folder. The LDMSClient.pkg.zip file contains the compressed package that installs the agents. The Mac OS X agent installer installs files to the root volume and requires root authorization. On each Mac OS X computer you install the agents on, you'll need to configure the scanner preferences. At a minimum, you must enter the core server address that the scanner should send scans to. To install the Mac OS X agents 1. 2. 3. 4. 5. 6. Connect to the core server's LDLOGON share. From \LDLogon\Mac\LDMSClient.pkg.zip, extract LANDeskOSXClient.pkg. Double-click LANDeskOSXClient.pkg to run it. Enter an administrator/root password when prompted. Finish the wizard to install the client agents. When the wizard finishes, open the OS X System Preferences and select the LANDesk Client panel. 7. Click the Inventory Scanner tab. 8. Enter the server's IP address or resolvable name into the LDMS server address box. 9. Select the components you want to scan. 10. Make any other changes you want in the Inventory or Remote Control tabs. 11. Reboot to load the agents.
Locking Macintosh client options
By default, the Management Suite preference pane options are locked for users without root-level access. Non-root users can see the preferences, but they can't change them. To unlock a Macintosh client configuration 1. Open the Mac OS X System Preferences and select the LANDesk Client panel. 2. Click the lock icon in the panel's lower left-hand portion. The panel prompts you for a root-level password to unlock the panel.
Updating the Mac OS X agents
To update the Mac OS X agents using a Client Setup wizard script, the agent installation file must be on a Web server. By default, the LDLogon share is a Web share. You can verify that this share is working by accessing http://<core_server>/ldlogon. Regardless of the options you select in the Client Setup wizard or the way you deploy the agents, the OS X agent package will install all of the agents with default options. The Client Setup wizard's remote control options don't affect the default OS X agent preferences.
147
INSTALLATION AND DEPLOYMENT GUIDE
Uninstalling the Mac OS X agents
If you want to uninstall the Mac OS X agents, run the uninstall script, lduninstall.command, located on each client in the /Library/Application Support/LANDesk folder.
148
CHAPTER 10: DEPLOYING TO MACINTOSH, LINUX, AND UNIX CLIENTS
Deploying the Mac OS 8 and 9.2.2 agents
The Macintosh client install files are stored on the core server in the \Program Files\LANDesk\ManagementSuite\LDLogon\Mac folder. The LANDesk_Classic_Client.sit file contains the Setup files and agents. You will need version 5.5 or greater of StuffIt* Expander to extract files from the MACINIT.SIT file. If you don't have the correct version, you can download it from http://www.aladdinsys.com. To deploy the Mac OS 8 and 9.22 agents 1. Extract the files in \Program Files\LANDesk\ManagementSuite\LDLogon\Mac\LANDesk_Classic_Client.sit to a location where your Macintosh computers can run the installation script. This location can be a shared folder on a Macintosh volume, CD-ROM, Web server, and so on. You can also e-mail these files to clients. 2. At the location you extracted the MACINIT.SIT file to, edit the INVMAC.INI file's ServerAddress option so that it points to your core server. If you don't do this, scan information won't be added to the core database. You can use the core server's Windows NT server name or its IP address. For more information about the .INI files, see "Changing agent options via the .INI files" later in this chapter. 3. From each Macintosh you want configured, run the Macintosh Client Install script from the location where you copied the MACINIT.SIT files. 4. Reboot each Macintosh client when you are done.
Installing non-English language support on clients
The client agents use English by default. If you want to install support for one of the other supported languages, follow the procedure below. To install non-English language support on clients 1. From the \Program Files\Intel\DTM\LDLogon\MAC directory, extract the language file you want to install from: MACISLNG.SIT (Inventory agent language files) and MACRCLNG.SIT (Remote Control agent language files). 2. Copy these files to the Applications\Intel folder on each Macintosh client.
149
INSTALLATION AND DEPLOYMENT GUIDE
Updating Mac OS 8 and 9.2.2 agents
Once a Macintosh computer has the Remote Control agent on it, you can use the Client Setup wizard to configure and update the agents and settings on that client. The Allow Remote Execute and Allow File Transfer options must be enabled for this to work. You can use the Client Setup wizard for Macintosh client updates only—don't use it during initial client deployment. When you schedule a client configuration that's going to a Macintosh computer, this happens: 1. Client Setup automatically generates an RCMAC.INI file based on your selections in the Client Setup wizard. 2. Client Setup looks in the \Program Files\Intel\DTM\Install\Mac directory for the INVMAC.INI file to send out to clients. Make sure you've updated the INVMAC.INI ServerAddress option to point to your core server. 3. Client Setup copies all the files to a temporary directory on the Macintosh and runs the Macintosh Client Install script from there.
Changing Mac OS 8 and 9.2.2 agent options via the .INI files
This section only applies if you want to manually customize the agent .INI files. The Macintosh agents are on the core server in the \Program Files\Intel\DTM\LDLogon\Mac directory. The MACINIT.SIT file contains the Inventory and Remote Control agents, and the .INI files that configure these agents. • • RCMAC.INI: Specifies the client Remote Control settings. INVMAC.INI: Specifies client Inventory settings.
You can customize these files the way you want them before configuring Macintosh clients. If you don't customize them beforehand, the agents will use the defaults. If you want to change the settings in the future, you can distribute these files to clients later via the Scheduler. On the client, these .INI files are in the Preferences folder. If you want to add comments to the .INI files, you can use the semicolon (;) character. The only setting you must configure is the ServerAddress option in INVMAC.INI. The defaults in these files will work otherwise. In the following tables, you can see a list of possible options and the default values.
Inventory client options
The only Inventory client option you must configure is ServerAddress, which specifies where the client should send its inventory scans. This option is set to "Your server name here" by default. You can launch the inventory scanner manually from the Applications\Intel folder.
150
CHAPTER 10: DEPLOYING TO MACINTOSH, LINUX, AND UNIX CLIENTS
To change inventory preferences on the client 1. From Applications (MacOS9):LANDesk, double-click Inventory Scanner. 2. Change the settings you want. The Macintosh Inventory client can have these options in INVMAC.INI: Option ServerAddress= Description You must specify the core server name or IP address here. This is the server the agent sends scan information to. No scan information goes to the core database unless this server address is correct. Here's an example: ServerAddress=mycoreserver Sends the scan results to the core server. You should leave this enabled. Saves the scan results to a file called "scan" in the directory the agent ran from. Enabled by default, but disabling this option won't cause problems. If enabled, forces the client to do a software scan regardless of whether the core server says one is due. Specifies which software items to scan. Add together these bitfield values that you're interested in: 1 Applications 2 Desk Accessories 4 Drivers 8 Fonts 16 INITS HardwareScanItems=127 Specifies which hardware items to scan. Add together these bitfield values that you're interested in: 1 I/O devices 2 CPU 4 Monitors 8 NuBus/PCI cards 16 SCSI devices 32 Volumes 64 System (network and system info) LastScanTime= ServerGUID= Don't change this option. Value managed by agent. Don't change this option. Value managed by agent.
SendToServer=1 CreateFile=1
ForceScan=0 SoftwareScanItems=31
151
INSTALLATION AND DEPLOYMENT GUIDE
Remote Control client options
The Macintosh client install script adds an alias to the Startup Items folder that launches the Remote Control agent when the computer boots. Macintosh keyboards have some keys that PC keyboards don't. When remote controlling a Macintosh, use these keys on your PC keyboard to emulate a Macintosh keyboard: • • The left Alt key maps to the Option key. The right Alt key maps to the Apple key.
You need to have system key pass-through enabled in the Remote Control Viewer window for the Alt keys to pass their Macintosh mappings. To change Remote Control preferences on the client 1. With the Remote Control Viewer window displayed, press the Command, Option, and P keys simultaneously. 2. Change the settings you want. If you want to change the Remote Control agent preferences on a client via a remote control session, enable system key pass-through and hold down both Alt keys and the P key to display the Preferences dialog. Note that Macintosh remote control doesn't support 1-bit or 2-bit color depths. Unless you want to change the default Remote Control options for security or policy reasons, there aren't any values in RCMAC.INI file that you have to edit.
152
CHAPTER 10: DEPLOYING TO MACINTOSH, LINUX, AND UNIX CLIENTS
You can set several Remote Control options in the Client Setup wizard. Doing this modifies the RCMAC.INI file. The Macintosh Remote Control agent has these options in RCMAC.INI that you can also manually edit: Option Allow Takeover=1 Allow Reboot=0 Permission Required=0 Permission Box Timeout=12 Visible Signal=0 Description If enabled, allows others to remote control the client. If enabled, allows others to remotely reboot the client. If this option is disabled, it doesn't prevent an administrator from remote controlling a client and selecting Restart from the Finder's Special menu. If enabled, displays an Accept/Reject dialog on the client that the client must accept before remote control begins. If Permission Required is enabled, this specifies how long before the Permission Required dialog times out and disappears. If the dialog times out, that denies remote control permission. This option isn't configurable via the Remote Control agent interface. If enabled, briefly displays a message box on the client for three seconds indicating that it's being remote controlled.
Allow Remote If enabled, allows administrators to remotely execute programs on the client Execute=1 computer. This feature must be enabled for auto-update to work. Allow File Transfer=1 Scan Lines Per Second=4 If enabled, allows administrators to transfer files to the computer. This feature must be enabled for auto-update to work. Don't change this option. This option isn't configurable via the Remote Control agent interface.
153
INSTALLATION AND DEPLOYMENT GUIDE
Deploying to Linux and UNIX clients
Management Suite works with some versions of Linux and UNIX. These features of Management Suite are supported for Linux and UNIX computers: • • Inventory scanning for hardware and software. Queries from the management console on any attribute that the inventory scanner reports to the core database.
The Linux/UNIX inventory scanner provides scanning for hardware and software. The scanner will find these attributes of a Linux/UNIX computer: • • • • • • • • Environment variables Memory Network OS type/kernel version Processor Bound adapters Mounted devices Software
System requirements
Linux runs on a variety of architectures, but the Linux inventory scanner will only run on Intel architecture. TCP is the only supported protocol for the inventory scanner. Supported Linux and UNIX distributions: • • • • • Red Hat Linux 7.3, 8.0, and 9.0 IBM AIX 5.1 Intel Architecture Solaris 8 Sun Sparc (Solaris 8) HP-UX 11.0
Installing the Linux/UNIX agents
You'll need to install the Linux/UNIX agents manually. The Linux/UNIX agents include only the Inventory Scanner agent. Copy the ldiscnux agent files from the appropriate directory under \Program Files\LANDesk\ManagementSuite\LDLogon\unix\ that matches your Linux/UNIX distribution. Copy all the files from the \common directory. • • • • • •
154
aix: IBM AIX 5.1 common: Common man and configuration files used by all supported distributions hpux: HP-UX 11.0 linux: RedHat Linux 7.3, 8.0, and 9.0 solia: Intel Architecture Solaris 8 solsparc: Sun Sparc Solaris 8
CHAPTER 10: DEPLOYING TO MACINTOSH, LINUX, AND UNIX CLIENTS
To install the inventory scanner on Linux/UNIX 1. Copy ldiscnux.conf and ldappl.conf to /etc. Give ldiscnux.conf read/write access for users. Give ldappl.conf read access for users. Use the UNIX chmod command to assign rights to the files. 2. Edit ldappl.conf to customize the software scanning if desired. See the sample entries in ldappl.conf for more information. 3. Copy ldiscnux.8 to /usr/man/man8. 4. Copy ldiscnux to a directory that is accessible by the individuals who will be running the application. Usually this is /usr/sbin. 5. If needed, make ldiscnux executable using the chmod command.
Linux/UNIX inventory scanner command-line parameters
The Linux/UNIX inventory scanner, ldiscnux, has several command-line parameters that specify how it should run. See "ldiscnux -h" or "man ldiscnux" for a detailed description of each. Each option can be preceded by either '-' or '/'. These commandline parameters are available in Management Suite: -d=Dir Starts the software scan in the Dir directory instead of the root. By default, the scan starts in the root directory. -f Forces a software scan. If you don't specify -f, the scanner does software scans on the day interval (every day by default) specified in the console under Configure | Services | Inventory | Scanner Settings. -fDisables the software scan. -i=ConfName Specifies the configuration filename. Default is /etc/ldappl.conf. -ntt=address:port Host name or IP address of core server. Port is optional. -o=File Writes inventory information to the specified output file. -s=Server Specifies the core server. This command is optional, and only exists for backward compatibility. -stdout Writes inventory information to the standard output. -v Enables verbose status messages during the scan. -h or -? Displays the help screen.
155
INSTALLATION AND DEPLOYMENT GUIDE
Examples
To output data to a text file, type: ldiscnux -o=data.out -v To send data to the core server, type: ldiscnux -ntt=ServerIPName -v
Linux/UNIX inventory scanner files
ldiscnux This is the executable that is run with command-line parameters to indicate the action to take. All users that will run the scanner need sufficient rights to execute the file. There is a different version of this file for each platform supported above. /etc/ldiscnux.conf This file always resides in /etc and contains the following information: • • • Inventory assigned unique ID Last hardware scan Last software scan
All users who run the scanner need read and write attributes for this file. The unique ID in /etc/ldiscnux.conf is a unique number assigned to a computer the first time the inventory scanner runs. This number is used to identify the computer. If it ever changes, the core server will treat it as a different computer, which could result in a duplicate entry in the database. Warning: Do not change the unique ID number or remove the ldiscnux.conf file after it has been created. /etc/ldappl.conf This file is where you customize the list of executables that the inventory scanner will report when running a software scan. The file includes some examples, and you'll need to add entries for software packages that you use. The search criteria are based on filename and file size. Though this file will typically reside in /etc, the scanner can use an alternative file by using the -i= command-line parameter. ldiscnux.8 Man page for ldiscnux.
156
CHAPTER 10: DEPLOYING TO MACINTOSH, LINUX, AND UNIX CLIENTS
Web console/Management Suite console integration
Once a Linux/UNIX computer is scanned into the core database, you can: • • • • Query on any of the attributes returned by the Linux/UNIX inventory scanner to the core database. Use Management Suite's reporting features to generate reports that include information that the Linux/UNIX scanner gathers. For example, Linux/UNIX will appear as an OS type in the Operating Systems Summary Report. Use the Inventory Summary dialog to view information for Linux/UNIX computers. Use Management Suite's inventory change history to track changes on items that the Linux/UNIX Inventory scanner inserts into the core database. The inventory service sends alerts when inventory data changes.
Miscellaneous issues
Queries on "System Uptime" sort alphabetically, returning unexpected results If you want to do a query to find out how many computers have been running longer than a certain number of days (for example, 10 days), query on "System Start" rather than "System Uptime." Queries on System Uptime may return unexpected results, because the system uptime is simply a string formatted as "x days, y hours, z minutes, and j seconds." Sorting is done alphabetically and not on time intervals. Path to config files referenced in ldappl.conf doesn't appear in console ConfFile entries in ldappl.conf file need to include a path.
157
Chapter 11: Uninstalling LANDesk Management Suite
Just as there's a specific strategy you should follow to deploy the different LANDesk Management Suite components, there's a corresponding strategy for uninstalling the components. In this chapter you'll learn about: • • Uninstalling Management Suite Uninstalling the Web console
159
INSTALLATION AND DEPLOYMENT GUIDE
Uninstalling Management Suite
The following sections show you how to properly uninstall each Management Suite component. You must uninstall the components in this order: 1. 2. 3. 4. Uninstall Uninstall Uninstall Uninstall LANDesk agents from clients the service centers the consoles the core server
Uninstalling LANDesk agents from clients
The first step to uninstall LANDesk software from your network is to uninstall its agents from your clients. To uninstall agents from clients on a NetWare network • Use your network administrator tool to move users to the LANDESKEXCLUDE group. The next time the user logs in, Management Suite removes the agents from the computer.
To uninstall agents from clients on a Windows 2000/2003 network • In the batch file you originally used as the login script to configure the client, change the /IP parameter in WSCFG32.EXE to /u. For more information, see "Phase 4: Deploying the primary agents to clients" earlier in this guide.
Uninstalling the service centers
After you uninstall LANDesk agents from your clients, you can uninstall software from your service centers. To uninstall your service centers 1. Go to your core server. 2. In the console's network view, select the computer where the service center is running. 3. From that server's shortcut menu, click Service Center. 4. To remove all services from the selected server, click Remove All | Finish.
160
CHAPTER 11: UNINSTALLING LANDESK MANAGEMENT SUITE
Uninstalling the consoles
After you uninstall LANDesk agents from your clients and the software from your service centers, you're ready to uninstall the software from your consoles. To uninstall your consoles 1. Go to the console computer where you want to remove the software. 2. Click Start | Settings | Control Panel, then double-click Add/Remove Programs. 3. Select LANDesk Management Suite. 4. Click Add/Remove.
Uninstalling the core server
The final step in uninstalling Management Suite from your network is to uninstall the software on the core server. Before you do so, make sure you've uninstalled the LANDesk software from your clients, service centers, and consoles. To uninstall the core server 1. Go to the core server. 2. Click Start | Settings | Control Panel, then double-click Add/Remove Programs. 3. To uninstall Management Suite software, select LANDesk Management Suite and any other LANDesk products you installed. 4. Click Add/Remove. Uninstalling the core and core rollup databases You need to manually uninstall the core and core rollup databases. For more information, refer to your database manual.
Uninstalling the Web console
Because Microsoft IIS loads the Web console into memory and keeps it loaded, you must reboot the server before doing an uninstall. Make sure you don't reconnect to the Web console after you reboot. To uninstall the Web console 1. Reboot the Web server. 2. Click Start | Settings | Control Panel, then double-click Add/Remove Programs. 3. Click LANDesk Management Suite, then click Add/Remove. 4. Click Yes to remove the application. 5. Click OK when the uninstall is completed.
161
INSTALLATION AND DEPLOYMENT GUIDE
To uninstall the Remote Control Viewer from client computers 1. Shut down all instances of your browser. 2. Click Start | Settings | Control Panel, then double-click Add/Remove Programs. 3. Click Remote Control Viewer, then click Add/Remove. 4. Click Yes to remove the application. 5. Click OK when the uninstall is completed.
162
Appendix A: Troubleshooting
You can reach LANDesk Software's online support services on the Web (available in English only). The services contain the most up-to-date information about LANDesk Software products. You can also find installation notes, troubleshooting tips, software updates, and customer support information. Visit the Web site below, then access the Management Suite page: http://www.landesk.com/support/index.php You can also download the latest versions of the Management Suite Release Notes and documentation, which may include information that wasn't available at the time the product was shipped. If you can't resolve your issue using this guide or by consulting the LANDesk Software support Web site, LANDesk Software offers a range of paid support, consulting, and partner services. For more information, see the customer support page at: http://www.landesk.com/wheretobuy/ Before calling for customer support issues, have this information ready: • • • • • • Your name, the name of your company, and the version of Management Suite you're using. The network operating system you're using (name and version). Any patches or service packs you've installed. Detailed steps to reproduce the problem. Steps you've already taken to troubleshoot the problem. Any information unique to your system that may help the Customer Support engineer understand the problem, such as what kind of database application you're using, the brand of video card you've installed, or the make and model of the computer you're using.
163
