533576449

Jack Coates’ Best Practice LDMS Doc – My two cents on how to do it in pilot or production

DAY ONE – Installation, Inventory, and Basic Security

This document is a supplement to the formally approved Best Known Method available at: http://community.landesk.com/support/docs/DOC-1081
Differences from that document are purely due to my personal opinions, preferences, ideas and tools. If there are conflicting recommendations, please contact me at jack.coates@landesk.com.

MACHINE SETUP

There is now a nice set of recommendations at http://community.landesk.com/support/docs/DOC-2502 -- it tends to run a bit heavier than mine, but there’s also the difference between pilot and production to consider.

1. RAM: As much as possible, but 1GB for every 500 managed nodes is a decent rule of thumb.
2. CPU: As much as possible, but rules of thumb are harder to come by, as workload varies. A single CPU box without multiple cores or hyper-threading will max out by 1,000 users; quad dual cores should be able to comfortably handle 10,000 nodes.
3. Disk: The easiest setup is to put images and packages on the core, and provide disk space appropriately. If you’re going to serve those large files from a NAS or other pre-existing infrastructure, you can install the system on a mirrored pair, with a second mirrored pair for the database if local. More and faster disks will of course improve performance. Plan for 5 MB of database disk space per managed node.
4. Database location: The decision to place the database on the core, on a nearby server, or in a datacenter is politically fraught. Technically, the only thing that matters is to make sure that you’re choosing the least bottlenecked path, whether that’s local disk or local network. Additionally, access to the database for performance monitoring can be crucial when troubleshooting.

Page 1 of 38 3/6/2016

WINDOWS (45 minutes)

1. Install Windows 2003 -- SP1 or R2 or SP2 will work.
   If you use R2 or SP2 and you plan to download installation material from LANDesk rather than transferring with physical media, you’ll need to add landesk.com to your Internet Explorer trusted sites. See http://community.landesk.com/support/docs/DOC-1002 for more information on this issue. Don’t run Windows Update yet! It will install .Net 3.5 and screw up your IIS. Getting IIS and ASP.Net free of .Net 3.5 and hooked back up with .Net 2.0 SP1 will not be pleasant.
2. Join the domain, login as a domain user rather than local admin.
3. Install IIS and ASP.Net
4. Install SNMP (only necessary for System Manager or Server Manager).
5. Up to 100 users, you can just let the LANDesk installer install SQL Express. Beyond that, you should provide SQL Server 2000 or Oracle 9. SQL 2005 is supported, but is harder to configure than SQL 2000. Additionally, it is usually significantly slower than SQL 2000, at least on the class of hardware typically used in pilots, so I would skip it unless you have to use SQL 2005.
6. Remove Internet Explorer Enhanced Security Configuration. You don’t have to, but it’s easier. Alternatively, install Firefox.
7. Now you can run Windows Update, if you like. Or, just let LANDesk handle the patching later.
8. Reboot

LANDESK (4 hours, or 8 hours if explaining as we go)

1. Extract the LANDesk 8.8 installer files to a network share; they’ll be necessary for your remote console installations (see http://community.landesk.com/support/docs/DOC-2493 when you’re ready for that). If you haven’t downloaded LANDesk yet, the Trial link is http://landesk.avocent.com/Tools/Trial/Index.aspx
2. The installer will not run over Terminal Services unless you use the console switch. If you’re on XP SP3 or Vista, that’s mstsc.exe /admin instead (does the same thing, but the old switch doesn’t work).
3. Install 8.8, select LANDesk Management Suite and LANDesk Server Manager.
   Security Suite will be installed automatically as part of Management Suite. Activate the web console, but do not install System Manager unless it is necessary for your environment.
4. If this is a pilot or your environment is smaller than 100 nodes, choose “Create a new database” and it will install SQL 2005 Express (MSDE for versions older than 8.8) on your core. You may want to use the Advanced button to move the database files off of C:\. Remember the sa password you choose; it’ll come in handy later. Alternatively, here’s how to set up an MS-SQL database for use with LANDesk:
   a. Whether you’re using SQL Server 2000 or SQL Server 2005, you’ll need to ensure that Mixed Mode access is available. LANDesk must use a SQL account rather than a Windows account to access the database.
   b. If you’re installing SQL 2005, all access is disabled by default, even to localhost. I don’t know what the minimum required is, but enabling TCP and named pipes works.
   c. If you’re creating a dedicated user rather than using SA, you should ensure that this user is the database owner. The best way to do this is to login to the SQL Server Management Studio or SQL Enterprise Manager as the user you’ve created before creating the database. After you’ve created the database, you might want to go back to the user’s properties and set their default database to your LANDesk database, but this is purely a convenience.
   d. Default database settings are fine, as long as you make sure that it’s using the correct drives for its data and log files.
   Now you can point the install at your new database.
5. Name your certificate, do not create a reports user, and you’re free to sit back and watch the progress bar.
6. Reboot now.
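The database setup of step 4 (a through d) as an added batch script; it is not part of the original document or of LANDesk’s own tooling. It assumes osql.exe from the SQL client tools is on the path, that it runs as a Windows login with sysadmin rights on the instance, and that the server name, drive letters and password are placeholders you replace; unlike step 4c it makes the dedicated login the owner with sp_changedbowner after the database exists, rather than creating the database while logged in as that user.

```batch
@echo off
rem Added example (not from the original document): give the LANDesk core its own
rem SQL login and database instead of pointing the installer at sa.
rem Placeholders: SQLSERVER, LDDB, LDUSER, LDPASS and the D:\ and E:\ paths are assumptions.
setlocal
set SQLSERVER=CORE
set LDDB=LDMS
set LDUSER=ldms
set LDPASS=ChangeMe-Strong-Passphrase

rem 1. Mixed Mode must be on: LANDesk connects with a SQL login, not a Windows account.
rem    IsIntegratedSecurityOnly = 1 means Windows-only; fix that in the server properties first.
osql -S %SQLSERVER% -E -b -n -Q "IF SERVERPROPERTY('IsIntegratedSecurityOnly') = 1 RAISERROR('Mixed Mode is off', 16, 1)"
if errorlevel 1 (
  echo Mixed Mode authentication is not enabled on %SQLSERVER%; enable it and rerun.
  exit /b 1
)

rem 2. Create the dedicated login (sp_addlogin works on SQL 2000 and SQL 2005).
osql -S %SQLSERVER% -E -b -n -Q "IF NOT EXISTS (SELECT 1 FROM master..syslogins WHERE name = '%LDUSER%') EXEC sp_addlogin '%LDUSER%', '%LDPASS%'"
if errorlevel 1 exit /b 1

rem 3. Create the database with data and log files on separate drives (step 4d).
rem    The target directories must already exist on the SQL Server machine.
osql -S %SQLSERVER% -E -b -n -Q "IF DB_ID('%LDDB%') IS NULL CREATE DATABASE %LDDB% ON (NAME = %LDDB%_data, FILENAME = 'D:\SQLData\%LDDB%.mdf') LOG ON (NAME = %LDDB%_log, FILENAME = 'E:\SQLLogs\%LDDB%.ldf')"
if errorlevel 1 exit /b 1

rem 4. Make the dedicated login the database owner (step 4c) and its default database.
osql -S %SQLSERVER% -E -b -n -d %LDDB% -Q "EXEC sp_changedbowner '%LDUSER%'"
if errorlevel 1 exit /b 1
osql -S %SQLSERVER% -E -b -n -Q "EXEC sp_defaultdb '%LDUSER%', '%LDDB%'"
if errorlevel 1 exit /b 1

rem 5. Verify with SQL authentication (proves Mixed Mode) that the login owns the database.
rem    Note: a password on the command line is visible in the process list; clear it afterwards.
osql -S %SQLSERVER% -U %LDUSER% -P %LDPASS% -b -n -d %LDDB% -Q "SELECT SUSER_SNAME(sid) AS owner FROM master..sysdatabases WHERE name = DB_NAME()"
endlocal
```

The final query should return the dedicated login name as the owner; if it returns a Windows account, step 4 did not run and the installer will be working against a database the LANDesk login does not own.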
7. If you’re going to use the Lenovo ThinkVantage version of LANDesk, you’ll need the Toolkit version 3 from their support site and the Integration Kit (download links are in the documentation and Autorun.exe prerequisite checker of that LANDesk distribution); otherwise, you can skip this step. http://www.pc.ibm.com/us/think/thinkvantagetech/landesk.html
8. Install Service Pack 2 Core Patch http://community.landesk.com/support/docs/DOC-1001 and the new help files: http://www.landesk.com/SolutionServices/documentation.aspx#ldms88
9. Activate the core
10. Right-click My Computer and add users/groups to the LANDesk Management Suite and LANDesk Reports groups.
11. Log into the LANDesk Management Suite console
12. View > Toolbox. This toolbox is just an easier way to access the Tools menu, so keep using that if you prefer. The Tools that you open will be in a series of tabs along the bottom of the console window. Each tool that is open consumes resources, of course, so it is good practice to keep them to a minimum. All visual components of the console can be dragged and dropped to a different location, making layouts; many LANDesk administrators will save several task-specific layouts and switch between them as needed. Use the Layouts dropdown to access this feature.
13. Security & Patch Manager > select your channels and configure your alerts
   a. Schedule Update and set to run daily at a time in the past
14. Configure > Services > Inventory
   a. Duplicates > When MAC matches > Restore Device ID. When LANDesk OS Deployment is used to re-image an existing machine, the old Device ID is restored transparently. This cannot be done for machines that are reimaged or rebuilt by hand, so those machines will create a new random Device ID when the LANDesk Agent is installed, causing them to appear as duplicate records.
      This option causes the Inventory Service to recognize the machine and restore its old Device ID. A duplicate mini-scan may still make it into the database; this can be deleted or left to automatically age out.
15. Configure > Services > Scheduler
   a. Enter domain and local admin accounts
16. Configure > Services > OSD Validation > Validate both if possible. The DOS validation will request files from Windows NT 4.0 and Windows 98 distribution media; the WindowsPE validation will request files from Windows PE and Windows 2003 SP1 distribution media. This is done for licensing reasons and can be skipped if you only intend to use LinuxPE for OSD; alternatively, production environments can select to purchase a Windows PE license from LANDesk, which simply requires re-activating the core.
17. Let the services restart
18. Use a domain admin account for your COM+ objects. This isn’t always strictly necessary, but… sometimes it is. If you don’t want to do this, don’t do it and see if you get weird problems like agents giving CBA8 errors when you send them right-click commands. The webservices use these accounts to do various things. Start > Programs > Administrative Tools > Component Services > Computers > My Computer > COM+ Applications. Change Identity of LANDesk and LANDesk1 to a domain administrator.
19. Agent Configuration > Default Windows Configuration
   a. Enable XDD
   b. Enable LANDesk Antivirus
   c. LANDesk Trust Agent is only necessary for doing Trusted Access network compliance testing.
   d. Use fully qualified domain name to locate the server, or even IP
   e. Run the inventory scanner once a day and on IP change
   f. Do not reboot after installing an agent. Note that this is different from the global Never Reboot flag under Security and patch scan.
   g. Run policies once a day, only when user logged in
   h. Run security scan every day between 11 and 13, using Daily
      i. Configure Daily agent behavior to
         1. Scan AV, Custom, LANDesk, Drivers, Threats, Blocked Apps
         2. Show no repair or scan prompts
         3. Repair if reboot is pending
         4. Never reboot
      ii. Configure Weekly agent behavior to
         1. Scan Vulnerabilities & Spyware
         2. Show no repair or scan prompts
         3. Repair if reboot is pending
         4. Reboot if necessary, prompt 2 hours 3 times
         5. Snooze if prompt is ignored
   i. Leave Custom Variables alone until you see the need; they’re confusing.
   j. In a high-security environment, Frequent Security Scans have a place; configure them to scan a blank group, then put things in the group when you need rapid discovery and response. Most shops can leave it off though.
   k. Disable realtime spyware blocking unless your client machines have more RAM than they know what to do with. Realtime causes the entire Ad Aware database to be loaded into Softmon’s memory.
   l. Application blocking is not a bad thing; turn it on and notify the end user if you block something. That can be turned off when you roll out production clients, but it’s useful in testing.
   m. AV Settings
      i. Enable Risky
      ii. CPU util should be as low as possible
      iii. Enable a scan every 7 days, between 22 and 4
      iv. Allow real-time disabling up to 10 minutes
      v. Realtime should scan infectable only
      vi. Exclude large files such as VMWare disks or ISO images.
   n. Enable Agent Watcher
      i. Check every 8 hours for changes – this is a “phone home, update my config, and report on janky users” schedule.
      ii. Check every 10 minutes for okay state – this is when the agent wakes up to see if a user’s been janky.
      iii. Only monitor services and files that you actually use.
20. Create Advance Agent and set an Active Directory Group Policy Object (GPO) to push it out.
   a. Note that you may need to update this from time to time… it’s kind of a bummer to patch a bunch of desktops with a new LANDesk agent and then have the GPO restore your old agent. If you aren’t in charge of setting GPOs, make sure that you’ve got a good working relationship with whoever is, as you’ll probably be sending them an update every quarter or so.
   b. Here’s how to use Advance Agent if you can’t use a GPO… if you do have a login script or a competing management tool that can do remote execution, just give it this command: msiexec.exe /qn /install /package "\\CORE\ldlogon\advanceagent\Default Windows Configuration.msi". If you don’t have anything else, and you do have remote execution rights (which is to say File & Print Sharing is on, Simple File Sharing is off, and you know an administrative account/password set), check out the lddiscover.exe program in \\CORE\LDMAIN\Utilities.
21. Column Configuration
   a. Remove OS Name
   b. Add Login Name, Primary Owner, Network>TCPIP, Last Updated by Inventory Server, System>Chassis Type, System>Manufacturer, System>Model, System>Serial Number
   c. Set as Default. You’ll need to set as default for each user, or let each user figure out their own column set. Column Sets are valid in the web interface too; look under Administration.
22. Create queries:
   a. All nodes (DeviceID exists and DeviceID <> Unassigned)
   b. All windows clients (OS Name like Microsoft Windows XP or Vista)
23. Security and Patch Manager > Schedule a Security Scan
   a. Policy
   b. Use Weekly Behavior
   c. Target against All nodes query
   d. Schedule to recur weekly
24. Security and Patch Manager > Schedule Gather Historical Information – This causes your database to grow larger, but prevents loss of older data. Note that growing larger is a Bad Thing™ where MSDE or SQL Express is concerned.
25. Configure > Inventory History Alerts
   a. Primary Owner, Fixed Disk Model, Memory Physical Total, System Serial Number
26. Configure > Alert
   a. Inventory Server > Attribute Modified > Email
   b. Unmanaged Node Detected > Message Box
27. Distribution Methods: change all to Never Reboot, except the two Emergency ones
28. Configure > Agent Discovery Options
   a. All visible items, refresh, uncheck DNS
29. Users tab
   a. Configure the individual users' rights and email addresses
30. When the vulnerability information has all downloaded...
   a. Security & Patch Manager > Type = Blocked Applications
      i. Sort by Title, drag apps from Unassigned to Block and Do Not Block, per policy. “Potentially Malicious” apps should be evaluated carefully before blocking.
   b. Type = Antivirus
      i. Set AV-101 and applicable Up-to-date vulns to autofix
   c. Type = LANDesk Updates
      i. Set all to Autofix
   d. Type = Security Threats
      i. Set the custom variables in each threat to match corporate policy
      ii. Enable autofix
      iii. There are some very useful compliance tests, there are some that replicate Active Directory Group Policies (which is still useful if you don’t have those or can’t control them), and then there are the outright dangerous ones. For instance, ST000052 (Disable Active Scripting) or ST000060 (NSA’s Windows XP Guidelines). If you’re held to this standard, repair those; if you’re not, you will be unhappy with the results. The average user might as well nuke and re-deploy a machine that’s had ST000060 applied to it. Drag threats you don’t need to Do Not Scan.
31. Configure Inventory Service to support recovery – by default, it will stop after 10 database errors. If you’re using ldms_status.exe this is less important.
32. Additionally, the service should restart after stopping:

OTHER (30 minutes)

1. Install SQL Client Tools package if it was MSDE
2. Enterprise Manager, configure a maintenance plan
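Steps 31 and 32 above leave the restart-after-stopping setting to a screenshot; here is the same change as an added batch script, not from the original document or from LANDesk. It assumes the service appears in the Services list under the display name "LANDesk Inventory Server" (an assumption; check your own list) and that you run it as a local administrator on the core.

```batch
@echo off
rem Added example (not from the original document): configure Windows service recovery so
rem the Inventory service is restarted after it stops (steps 31 and 32).
rem Assumption: the display name below matches your Services list; adjust if it does not.
setlocal
set DISPLAYNAME=LANDesk Inventory Server

rem sc failure needs the service key name, not the display name. Resolve it with
rem sc getkeyname, whose success line reads: [SC] GetServiceKeyName SUCCESS  Name = <key>
for /f "tokens=2 delims==" %%k in ('sc getkeyname "%DISPLAYNAME%" ^| find "SUCCESS"') do set SVC=%%k
if not defined SVC (
  echo Service "%DISPLAYNAME%" was not found on this machine.
  exit /b 1
)
rem Drop the single space that follows the equals sign in sc's output.
set SVC=%SVC:~1%

rem Restart after 1, 2 and 3 minutes; reset the failure counter after a clean day (86400 s).
rem Caveat: the service control manager only runs these actions when it sees a failure
rem (the process dies without reporting a clean stop). A service that shuts itself down
rem cleanly is not restarted by this, which is why the document also recommends ldms_status.
sc failure "%SVC%" reset= 86400 actions= restart/60000/restart/120000/restart/180000
if errorlevel 1 (
  echo Could not set recovery options for "%SVC%"; run this as an administrator.
  exit /b 1
)

rem Show the resulting recovery settings and the current state so the change is verifiable.
sc qfailure "%SVC%"
sc query "%SVC%" | find "STATE"
endlocal
```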
3. Make directories under ldlogon for images and packages
4. Backup everything, or at least the LANDesk\Shared Files\Keys directory. Read the Post Install Backup Whitepaper at http://community.landesk.com/support/docs/DOC-2343 for more details.
5. Install maintenance add-ons
   a. If this is a production system, you’ll also want ldms_core from http://www.droppedpackets.org/scripts/ldms_core/ -- run the installer and configure it, then schedule a task to run the command.
      i. Proper fingerprinting of discovered devices is very helpful. The default UDD fingerprinting is hopelessly bad, and XDD doesn’t even try. Download NMAP and install it, accepting all the defaults unless you have good reason not to, then ldms_core will put it to good use figuring out the real OS Names.
   b. It’s not at all uncommon for new LANDesk administrators to run into trouble with keeping the core services running. Changes in the service account can prevent the Scheduler service from restarting properly, and the flood of new information from a newly managed network can cause problems with the Inventory service before the database is settled. To prevent these problems from going unnoticed, use ldms_status from http://www.droppedpackets.org/scripts/ldms_status -- this is a status tray application, so copy it to Utilities and then drag a shortcut to C:\Documents and Settings\All Users\Start Menu\Programs\Startup. It will only allow a single copy to exist in the process table.

DAY TWO – Software Distribution, OS Deployment, Connection Control Manager, Server Monitoring

Software Distribution (1 to 2 hours, depending on size and complexity of package)

1. Select a package, copy it to ldlogon/packages. If you can’t think of a package, there are several Best Known Method documents on http://community.landesk.com for common applications.
   For instance:
   Adobe Reader 7: http://community.landesk.com/support/docs/DOC-2350
   WinZip 10: http://community.landesk.com/support/docs/DOC-1210
   MS Office 2003: http://community.landesk.com/support/docs/DOC-2161
   a. Define it in the console
   b. Set its command line per http://www.appdeploy.com – however, do not set /qn or quiet interface options for msiexec, as these will be ignored. User interface is handled by LANDesk’s Delivery Method.
   c. Note that most Microsoft MSI packages are notoriously bad at defining their package manifest; do not rely on the auto-detect button in the additional files area, but rather select the entire directory. Auto-detect works fine for non-Microsoft MSIs, such as Adobe Acrobat.
   d. Further note that LANDesk’s default behavior is to copy all install files locally, then run them from the local drive; this is done because Targeted Multicast and Peer Download allow it to be more efficient and faster than the run-from-source methods used by most other management tools. However, run-from-source is an option for those with bandwidth to blow, and can be selected in the Delivery Method.
   e. Set a prerequisite query. Note that this is not the targeting query, deciding which systems will receive the package; rather, it is a safety filter which is checked after the target query resolves but before the push or policy begins. For instance, one might set an XP Power Toy package’s prerequisite query to only allow Windows XP nodes, in case someone accidentally schedules the package to all Windows nodes. This prerequisite query would then prevent the package being installed on servers or Windows 2000 workstations.
2. Distribute it
   a. Schedule a Policy-supported Push of the package to machines that are on and machines that are off
   b. Turn on the machines that were off to observe how the policy kicks in.
   c. Run full inventory scans on targeted machines to force updating of the SLM information.
3. Find the package in Software License Monitoring
4. Assign a license to it

OS Deployment (2 hours if all goes well, 2 days if it doesn’t)

1. Create a capture script
   a. Use WinPE or Linux; DOS performance is not as good. However, do note that Linux and WinPE require at least 256 MB RAM on the machine being captured or deployed.
2. Delete the UUID keys from one of the test machines
3. Push the capture job to that machine. If it doesn’t work, the problem may be DNS, or it may be network drivers. Search http://community.landesk.com for instructions to force name resolution and inject drivers.
4. Wipe the machine’s drive
5. Create a deploy script
6. Create a PXE menu
7. Push a PXE Representative to another test machine (assuming isolated network)
8. PXE boot the test machine and select the imaging job

Connection Control Manager (1 hour)

1. Build a new Device Control policy. Connection Control (network) policies are harder to test, but essentially work in a similar manner.
2. Turn on Wireless blocking when Wired connection exists. For testing purposes, it’s useful to block USB storage devices; however, blocking USB Keyboards and Mice is never recommended.
3. Chances are good that unblocking of a specific device will be required – for instance, most multi-function devices need to be unblocked, as do many specialized pieces of hardware such as check printers or scanners. To unblock, use usbmon.exe’s Advanced tab to find the identifying string, then add that string to your configuration and repush it.
4. Finally, create an “Open” policy with nothing blocked, and push it to the test machine to remove Device blocking.

Server Monitoring (2 hours)

1. Create a Server agent
2. Push it to a server
3. Observe the hardware monitors
4. Trigger an alert
5. Trigger a reboot and use the out of band console to check out the BIOS configuration.

DAY THREE – Patch Manager Process, Management Gateway

Patch Manager Process

The first thing to note is that setting up the Patch Manager Process requires access to the database server’s SA account, so you might want to stop reading and just go get that. It’s also always a good idea to check for the latest rollup; see http://community.landesk.com/support/docs/DOC-2981 for links and more.
Now then, follow the instructions at http://community.landesk.com/support/docs/DOC2813 to configure the database connection (using the SA account), Domain connection, and LDMS connection. If you’re not using a domain or also need local accounts, you’ll want to configure local WinNT:// style access per that document. After that’s all done, the Process Designer should be able to open and allow you to configure things.

Management Gateway

Get a basic box: a desktop platform, an old server, or a VMWare virtual machine. The disk will be wiped, so don’t use something you intend to keep. You’ll need at least 11 GB of disk space and 256 MB RAM, and a CD drive. The application is CPU and NIC bound, so spend resources there if you are concerned about load. Burn the ISO to a CD, put it in the box, and boot to it. Follow the menu. Then go to the core, select Configure > Management Gateway, and fill in the form. Go to the second tab and post your certificate.
The biggest difficulty in using or testing the gateway is networking. If you want to really test it or use it in production, you’ll need to install it in your company’s DMZ and assign a real IP address to it; an externally resolvable DNS name is also handy, though not strictly required. To test it internally without using the Internet, you can simply add a null route or firewall rule to your test client, stopping it from reaching the core.

DAY FOUR – Provisioning, App Virtualization, LDAV, HIPS, whipped cream and a cherry on top…