CA Client Automation


Scripts for ITCM Agents.

  • 1.  Scripts for ITCM Agents.

    Posted Nov 20, 2012 11:24 AM
    Everyone,

    My name is Chris Holmes and I work in several large environments that are running ITCM in many different ways. One of the environments I work in is a secure environment with over 60,000 agents. I have written script after script to do everything from Deployments (I personally have too many issues with Deploy Wrapper and/or Deployment wizard in secure areas), to upgrading Agents, to Patching Agents, even login scripts to fix the CBB issues or migrate to 4 different sets of Domain Managers. (I had over 30,000 agents with the CBB issue because of the length of time it took to install SP1 and pointed to wrong Servers....)


    Regardless, I want to share some of those scripts with everyone, including CA. They are not pretty and all are batch. (I even wrote a replacement set of Scripts for DeployWrapper.exe.) Over the next several weeks I will upload those scripts here and see if others get use from them. I am not great at documenting the setup of the script but I will try my best to provide more information if requested. I currently work for 3 to 4 different Clients dealing with everything from ITCM to SCCM, Active Directory, Microsoft Exchange, Cohesion (CCA), Service Desk, ITAM, Scripting, Group Policy, Symantec Enterprise Vault, Aruba Wireless Networks, creating Deployable Images with almost any solution, and the list keeps going. Basically, I ask you to be patient with me. I primarily only work in the Microsoft\Windows realm, but if I get time or am requested I can dip back into Linux and UNIX.

    If anyone has any questions please feel free to let me know. Working as a consultant, I try to create reusable stuff, and a lot of it I do on my own in my free time. (For all the married people out there, this sometimes does not go over very well with the spouse...)

    I look forward to the feedback, positive or negative. (I can honestly say I do not take negative feedback well, but I will do my best.)


  • 2.  RE: Scripts for ITCM Agents.

    Posted Nov 20, 2012 11:28 AM
    Great stuff Charles,
    Look forward to seeing the scripts.


  • 3.  RE: Scripts for ITCM Agents.

    Posted Nov 20, 2012 12:02 PM
    This has not been tested completely, but here it goes.

    Create Software Delivery
    Extract the contents of Folder.7z
    Go inside the extracted folder to where you see the different batch files, etc.

    Once Extracted, Copy the following Package(s):
    CA DSM Explorer: 12.5.1000.767
    CA DSM Agent + AM, RC, SD plugin(s) (NLS(ENU,DEU,FRA,JPN)) Win32:12.5.1000.767

    Extract both of these packages to where the files are inside of the extracted package from earlier.
    Overwrite any files as required, on the second extraction.
    Now Delete the REGInfo Folder.
    Inside this Folder Sort by Date Modified (Making newest files first)
    There are several .cmd files. You can modify each .cmd file as required, but if you want to use this as a package make sure that Deployment.cmd,
    itcmagents.cmd and itcmagentswExplorer have the same information inside of them. Anything with a %2, %1 or %3, leave alone.

    Next Create a Package

    Name: Custom CA Agents
    Version 12.5.1000


    Copy the Files from the Folder where all the files were extracted over to the Package. It should look identical to the files inside of the regular 12.5.1000 package
    Next you will register Deployment.cmd twice


    Register the Deployment Script with the following options:

    Name it: All Agents
    These Options: none "$rf" $#bg $#EC:0 $#EC:3010

    Now Register the Deployment Script again.
    Name it: All Agents with DSM Explorer
    These options: none "$rf" $csa $#bg $#EC:0 $#EC:3010


    Seal the package and test from inside of DSM.
    Next post will be how to use a ServerShare (created on Server with certain rights, and use Psexec to silently deploy all agents to machine without any agents or box that requires upgrade, without the user knowing it is happening...)


  • 4.  RE: Scripts for ITCM Agents.

    Posted Nov 20, 2012 12:28 PM
    Do you have a cert issue and need to fix it? There are several methods you can use to resolve this problem. One of the easiest ways I have found is by reinstalling the Agents with the upgraded Agent.

    If you follow the above steps and create the package, then extract out the contents to some folder.

    If your network is not too complicated and everyone is in a single Domain or LDAP, you could create a folder on your ITCM Server. For Instance on Server 2008 Name it ITCMAgents

    Give the Following Security Permissions: Authenticated Users - Read
    Administrators (you): Full Control. Strip all other permissions.

    Use the Advanced Sharing, give everyone full control.

    (This will mean anyone can hit the share, but the security permissions will still work to isolate what a user can see and can't see.)

    Next Create another folder Called LOGS
    This Folder: Security Rights give authenticated users: Full Control


    Next Copy the Extract package to the Shared ITCMAgents Folder

    Now right click on itcmagents.cmd and click edit
    Please do not use names with spaces. mkdir in batch files does not like this. This is the official warning I forgot in the above post....

    Modify the following section:
    REM EDIT Below this Line ----

    SET AgentServer=
    SET COPYServer=
    SET COPYLocation=
    SET HOMEDIR=C:\software\ITCMAgents
    SET SERVERLOG=%2
    SET LOGFILE=%HOMEDIR%\Agents.log
    SET SERVERFILELOCATION=C:\Windows\System32\updates
    SET SERVERFILE=SDAgentServer.txt
    SET TempFolder=%WINDIR%\TEMP
    SET SDAGENTEC=%HOMEDIR%\SDAgentEC.log

    REM EDIT Above This Line, do not edit below this line unless you want to.You have been warned..-------------------


    REM EDIT Below this Line ----

    SET AgentServer=
    SET COPYServer=\\exampleserver.ca.com
    SET COPYLocation=ITCMAgents
    SET HOMEDIR=C:\software\ITCMAgents
    SET SERVERLOG=%COPYSERVER%\LOGS\%COMPUTERNAME%-%RANDOM%.log
    SET LOGFILE=%HOMEDIR%\Agents.log
    SET SERVERFILELOCATION=C:\Windows\System32\updates
    SET SERVERFILE=SDAgentServer.txt
    SET TempFolder=%WINDIR%\TEMP
    SET SDAGENTEC=%HOMEDIR%\SDAgentEC.log

    REM EDIT Above This Line, do not edit below this line unless you want to.You have been warned..-------------------


    I know this was not as intuitive as it should be but, I have used this quite a bit and it works.

    Next Download SysinternalsSuite From Microsoft. (http://sysinternals.com)
    Extract out the Zip
    Open a command prompt on your machine using a user account that has admin rights on the machine you want to work on.
    (To open up a command prompt as a different user on Windows 7 or Vista, just right click while holding down shift on cmd.exe)

    Once the command prompt is open, verify you are who you say you are by running a whoami. You want to make sure your admin account is running and not you (as long as you follow best practices anyway)

    now CD /d "place you extract sysinternals folder"
    run the following: psexec -s \\newagentorbroken \\exampleserver.ca.com\ITCMAgents\ITCMAgents.cmd ScalabilityServer.ca.com


    (If you do not pass a Scalability Server to the machine that is ok, as long as it is not a new install, remember on upgrades that field gets ignored and will not redirect from one SS to another....)

    Now as long as everything is set up properly, you will see the following things happen on the box: a directory will get created on the machine called C:\software\itcmagents
    All the files will copy down.
    Once they have copied down, all the agents will install one by one, very similar to the way deploywrapper does it.
    If a reinstall is detected in Software Delivery, it is going to run cacertutil repair -commit on the machine (yay, the agent will be able to talk when done)

    Notice that CAF is not started until the last part is executed. AM starts CAF. This is by design; you can change this if you want by modifying the script setting the CAF_START_SERVICE=0


    If everything works as planned, a Log file will get copied up to your Server Share. If the agent fails the install process, please see the files in C:\windows\temp




    Please note: All of these things are able to be used, I have used them by the thousands, but that does not mean they will work for everyone. Please test everything. These scripts are provided as is and are free. I am only trying to assist others since I have seen so much recently on how agents get deployed in each environment...
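
The post above relies on NTFS permissions (Authenticated Users: Read) to protect a script that `psexec -s` runs as SYSTEM, while the share itself is opened to Everyone: Full Control. The following is an added example, not part of the original post or the author's scripts: it lists every non-administrative principal that holds write-type NTFS rights on such a folder. The trusted SID list, the function name and the constructed demo folder are assumptions; it needs PowerShell 3.0 or later.

```powershell
# Added example: audit NTFS write access on the folder that holds ITCMAgents.cmd.
# The trusted SIDs and the demo folder are assumptions, not values from the original scripts.
$TrustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'    # BUILTIN\Administrators
)

$Fsr = [System.Security.AccessControl.FileSystemRights]
# Rights that allow changing, replacing or re-permissioning a file or folder.
$WriteMask = [int]($Fsr::WriteData -bor $Fsr::AppendData -bor $Fsr::Delete -bor
                   $Fsr::DeleteSubdirectoriesAndFiles -bor $Fsr::ChangePermissions -bor
                   $Fsr::TakeOwnership)
# ACEs can also carry raw generic bits: GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000).
$GenericMask = 0x10000000 -bor 0x40000000

function Get-UntrustedWriteAce {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string[]]$Trusted = $TrustedSids
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Ask for SIDs instead of account names so the check does not depend on locale.
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            $sid = $rule.IdentityReference.Value
            if ($Trusted -contains $sid) { continue }
            $rights = [int]$rule.FileSystemRights
            if (($rights -band $WriteMask) -or ($rights -band $GenericMask)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Sid       = $sid
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

# --- Demo on a constructed folder (not a real deployment share) ---
$demo = Join-Path $env:TEMP ("ITCMAgents-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null

$acl = Get-Acl -LiteralPath $demo
$acl.SetAccessRuleProtection($true, $false)    # stop inheriting, drop inherited ACEs
$grants = @{
    'S-1-5-18'     = 'FullControl'
    'S-1-5-32-544' = 'FullControl'
    'S-1-5-11'     = 'Modify'                  # Authenticated Users: the misconfiguration
}
foreach ($s in $grants.Keys) {
    $sid    = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $s
    $access = $grants[$s]
    $rule   = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $sid, $access, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $demo -AclObject $acl
Set-Content -LiteralPath (Join-Path $demo 'ITCMAgents.cmd') -Value 'REM constructed placeholder'

$findings = @(Get-UntrustedWriteAce -Path $demo)
$findings | Format-Table Path, Sid, Rights, Inherited -AutoSize
if ($findings.Count -gt 0) {
    Write-Warning "$($findings.Count) ACE(s) let a non-admin principal modify files that run as SYSTEM."
}

Remove-Item -LiteralPath $demo -Recurse -Force
```

On a real server, point `Get-UntrustedWriteAce` at the ITCMAgents folder itself; the LOGS folder, which the post deliberately makes writable to Authenticated Users, should stay outside it.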


  • 5.  RE: Scripts for ITCM Agents.

    Posted Nov 21, 2012 05:48 AM

    OK, similar comments here. The one thing that sticks out is you seem to have a centralized directory for logs of successful installs, which would be useful. However, if done via ITCM natively, the GREEN/RED status can be used - further, the MSI details are captured in the tab of the deployment. Just want to see what your thought is here...


  • 6.  Re: [Client Management Solutions General Discussion] RE: Scripts for ITCM A

    Posted Nov 21, 2012 10:22 AM
    Reasons:

    Deploywrapper installing all agents upgrades all agents and binaries but
    software delivery. (Stays 12.5ga. This agent will never get a piece of
    software again. You have to manually fix. This script will fix it. This has
    happened to me a few thousand times because deploywrapper did not stop
    sdagent.)

    Deployment just fails. Reasons unknown. Could be the user's machine has a
    cert issue, communication took too long, maybe some of the communication
    was blocked. This script will not only fix cert issues but install all
    agents without the security flaws of dmprimer. (I work in secure
    environments where you have over 3000 group policy settings set blocking
    most functionality.)

    Now what's other benefits, I have only 80 people who can login to dsm
    explorer but 200 tier 2s and maybe 100 tier ones. 14 domains. If an admin
    needs to remote control the machine and remote isn't there they have a
    method to make it work almost instantly. No deployment wizard no waiting.
    I think of this as very similar to dameware just a bit fatter of a client.

    Btw soon scripts I will be uploading can be put in ad. How do you find
    boxes where there is no caf? No cam? Or disabled? This will resolve that.

    How do you deploy agents inside your image? I have used osim (completely
    custom..) to deploy over 15000 images in the last 2 years to about roughly
    90 different models of laptops and desktops. (1 image).

    This script slightly modified will make your agents functional immediately.
    If you use deploywrapper as their kb article says then it will not wait and
    you have to write something to loop and keep open command until
    deploywrapper closes for second time.

    Regardless I understand where you are coming from. I do agree that you
    could just use ca to do all these things. Most of these were only written
    because so much of each environment broke. (Really hate that cert bug).

    Thank you for the feedback. Have you looked at each script yet?

    Vr
    Chris
    On Nov 21, 2012 5:48 AM, "CA Client Management Solutions Global User
    Community" <CommunityAdmin@communities-mail.ca.com> wrote:
    OK, similar comments here. The one thing that sticks out is you seem to
    have a centralized directory for logs of successful installs, which would
    be useful. However, if done via ITCM natively, the GREEN/RED status can be
    used - further, the MSI details are captured in the tab of the deployment.
    Just want to see what your thought is here...
    Posted by:d.rose


  • 7.  RE: Re: [Client Management Solutions General Discussion] RE: Scripts for IT

    Posted Nov 21, 2012 10:45 AM

    Thanks for your response, definitely sheds more light on the situation and will further dictate the value of your contributions.

    Looking over your scripts, a few things come to mind.

    1. We used 12.5GA from the beginning, and didn't have any previous versions. This alleviated a few of the key issues commented in your scripts.
    2. We did experience the fact where endpoints had the 12.5GA for the Agents and for DSM - when we deployed the Agent Upgrade, DSM did not upgrade and would not function. We were able to address this by deploying DSM through SD.
    3. When we went from 12.5GA -> 12.5SP1, I built a query to look for machines on that version. Once found, we simply deployed the CA provided package to upgrade. We did not have any issues with the SD not upgrading. This may or may not have been due to the fact that we never had any underlying 11.x bits.
    4. The SD component not being upgraded may also have been resolved by the fact that we were hit HARD by the certificate issue, and addressed it via a patch before going from 12.5GA -> SP1. If we had tried to do that without the patch, our experience may have been different.
    5. I don't believe we have experienced any deployment problems at all, although our environment(s) scale to smaller than yours do - haven't yet had a requirement to pursue something outside of what CA provides.
    6. Your point about RC is valid, although we have had many more minor occurrences of this issue and haven't been pressed with time where we cannot wait for remediation through DSM methods.
    7. I'm very interested in your approach of scripts for AD - I'd assume you use a combination of WMI filters to verify these are targeted to correct subnets or Operating systems, as applicable.
    8. As far as the image, we use post-deploy mechanisms to avoid UUID and other duplicated items. We have had to take this approach because our OSIM environment is in an isolated network, so the scalability server needs to point to that of the build until a certain point, at which it gets switched so it can automatically update when joining the production network.


    Great stuff overall - in summary I have to be thankful for the fact we started at 12.5GA, and think a lot of our pain has been avoided as a result.


  • 8.  RE: Re: [Client Management Solutions General Discussion] RE: Scripts for IT

    Posted Nov 21, 2012 02:47 PM
    I understand. Several of my clients actually started off with 12.5 GA. I also had the benefit of starting them off with some of the patches built directly in to the Master Media.


    In the Image, my agents load up right after Sysprep, so I too do not have the UUID problem. The only time I run into the UUID issues is when someone takes my image, then recaptures. Being the person who built the image, I added checks in for this, and know when things are duplicated and have this written to a Database, so I can quickly query for this issue and have this corrected immediately before it gets out of control.


    My login scripts are for all workstations\SERVER and I use different commands to detect different challenges for my different Agents.


    Here are some examples

    SC Query caf
    IF %ERRORLEVEL% NEQ 0 GOTO :NOCAF

    ------

    cacertutil repair -commit
    IF %ERRORLEVEL% NEQ 0 GOTO :125GAUpdateREQ
    ------------------
    ccnfcmda -cmd GetParameterValue -ps itrm/agent/solutions/generic -pn serveraddress > %HOMEDIR%\SS.LOG
    For /F %%i in ('type %HOMEDIR%\SS.LOG') Do Set AGENTSD=%%i

    IF %AGENTSD% EQU OLDSERVER1 CAF SETSERVERADDRESS NEWSERVER1....
    IF %AGENTSD% EQU LOCALHOST GOTO :SSorDM
    ------------------

    I wish I could isolate down my OSIM environment or Image environment, but that would be a lot of shipping... We have 1200+ Scalability Servers for all agents and around 600+ BootServers that do nothing but PXE and Image. I have about 1700 subnets. When using Remote Control, our techs open up cmd.exe as their Admin Smart Cards, then use gui_rclaunch.exe because not only is this the best way to pass Smart Card creds over to the executable, but it is also a great way to use Windows pass-through authentication to not need the help of putting in a username or password. (Which our Admins do not have usernames or passwords because we only allow smart cards, and while this product supports smart cards, it does not allow initial communication to the machine to use smart card. There is not an option for that. Once Remote Control is up and running then you can pass a smart card over....) Furthermore you do not have to search one of the 14 domains to find the agent you are working on. (Can always use the Enterprise but it gets slow when you have to find the right machine.)


    Out of the 9000 times I have used the all Agent Deployment/Upgrade, I have seen about 2000 of them upgrade all Components except Software Delivery. I probably should not use the ALL Agents, but each individual package like Software Delivery.

    I did just think of a potential problem though in my scripts I uploaded, in which I need to better test. (Can never test enough.) When using my script, it will upgrade anything 12.x to 12.5SP1 no problem, but I also added in a 11.x removal if detected then reinstall. There is a possibility that if you use one of the options as none that your Scalability Server will actually be set to none, so I am going to rethink this. I will provide more information when I get a chance.

    Here is another script I just wrote. What happens when you replace a SS but the new one does not have the old name, maybe the OLD one crashed and you are not allowed to have the old name for some reason. How do you get back those agents? We use location awareness for this but for customers who do not have that as an option you could use something like:

    @ECHO OFF
    REM Set LOGSERVER to the UNC path of the server that collects the result logs.
    SET LOGSERVER=
    SET LOGSDIR=LOGS
    SET HOMEDIR=C:\Windows\Temp
    IF NOT EXIST %HOMEDIR% MKDIR %HOMEDIR%
    SET LOGFILE=%HOMEDIR%\CAFDetect.log
    REM Run once per machine: exit if an earlier run already left a log file.
    IF EXIST %LOGFILE% GOTO :EOF

    cd /d %HOMEDIR%
    REM A non-zero exit code from SC means the CAF service is not installed.
    SC QUERY CAF
    SET NOTFOUND=%ERRORLEVEL%
    IF %NOTFOUND% NEQ 0 GOTO :NOCAF
    REM Record the agent version and the scalability server it currently points to.
    ccnfcmda -cmd GetParameterValue -ps itrm/agent/solutions/generic -pn version > %LOGFILE%
    ccnfcmda -cmd GetParameterValue -ps itrm/agent/solutions/generic -pn version > %HOMEDIR%\Version.txt
    ccnfcmda -cmd GetParameterValue -ps itrm/agent/solutions/generic -pn serveraddress >> %LOGFILE%
    ccnfcmda -cmd GetParameterValue -ps itrm/agent/solutions/generic -pn serveraddress > %HOMEDIR%\SS.LOG
    SET AGENTSD=
    For /F %%i in ('type %HOMEDIR%\SS.LOG') Do Set AGENTSD=%%i
    REM Quoted, case-insensitive compares so an empty or mixed-case value does not break the IF.
    REM One line per retired server name; the agent is re-pointed to its replacement.
    IF /I "%AGENTSD%" EQU "OLDSERVER1" CAF SETSERVERADDRESS NEWSERVER1....
    IF /I "%AGENTSD%" EQU "OLDSERVER1.FQDN" CAF SETSERVERADDRESS NEWSERVER1....
    IF /I "%AGENTSD%" EQU "OLDSERVER2" CAF SETSERVERADDRESS NEWSERVER1....
    IF /I "%AGENTSD%" EQU "OLDSERVER2" CAF SETSERVERADDRESS NEWSERVER1....
    IF /I "%AGENTSD%" EQU "OLDSERVER3" CAF SETSERVERADDRESS NEWSERVER1....
    IF /I "%AGENTSD%" EQU "OLDSERVER3" CAF SETSERVERADDRESS NEWSERVER1....
    IF /I "%AGENTSD%" EQU "OLDSERVER4" CAF SETSERVERADDRESS NEWSERVER1....
    IF /I "%AGENTSD%" EQU "OLDSERVER4" CAF SETSERVERADDRESS NEWSERVER1....
    IF /I "%AGENTSD%" EQU "OLDSERVER5" CAF SETSERVERADDRESS NEWSERVER1....
    IF /I "%AGENTSD%" EQU "OLDSERVER5" CAF SETSERVERADDRESS NEWSERVER1....
    IF /I "%AGENTSD%" EQU "OLDSERVER6" CAF SETSERVERADDRESS NEWSERVER1....

    REM An agent pointing at LOCALHOST is itself a scalability server or manager.
    IF /I "%AGENTSD%" EQU "LOCALHOST" ECHO Scalability Server or Manager Detected >> %LOGFILE%

    cd /d %HOMEDIR%
    REM If the certificate repair command fails, the agent still needs the update.
    "%SDROOT%\..\bin\cacertutil.exe" repair -commit
    IF %ERRORLEVEL% NEQ 0 GOTO :UPDATEREQ
    GOTO :UPDATED


    :NOCAF
    Echo No Agent Installed or the Agent is Broken >> %LOGFILE%
    Copy "%LOGFILE%" "%LOGSERVER%\%LOGSDIR%\NOCAF\%COMPUTERNAME%-%RANDOM%.log" /y
    GOTO :EOF

    :UPDATEREQ
    Echo This Agent Requires an Update >> %LOGFILE%
    Copy "%LOGFILE%" "%LOGSERVER%\%LOGSDIR%\UPDATEREQ\%COMPUTERNAME%-%RANDOM%.log" /y
    GOTO :EOF

    :UPDATED
    ECHO This Box has been updated with latest cacertutil command.
    Copy "%LOGFILE%" "%LOGSERVER%\%LOGSDIR%\Completed\%COMPUTERNAME%-%RANDOM%.log" /y
    GOTO :EOF


  • 9.  RE: Re: [Client Management Solutions General Discussion] RE: Scripts for IT

    Posted Nov 26, 2012 08:24 AM

    Good stuff. I'm jealous that you have the location awareness script, as it's my understanding that's only available through CA on-site services. We were able to address the problem that would have otherwise required it, so we don't have a need for it at this time. We were looking at adjusting the scalability server for agents as they roam, so I created queries based on the subnet of the agent and asset jobs to change the scalability server. Not perfect as some jobs are failing the asset job, but I'd say north of a 98 percent or so success rate. I don't want to circumvent what CA is trying to do, so please don't share the location awareness piece (unless someone from CA can vet it's OK, albeit unsupported).


  • 10.  RE: Re: [Client Management Solutions General Discussion] RE: Scripts for IT

    Posted Nov 30, 2012 12:30 AM
    I would love to share the Location awareness package/scripts, but I think that may be overstepping my bounds. We were given the information as a CA partner and only for this one customer. I had to rewrite a portion of it because it incorrectly detected IPv4 when IPv6 is disabled properly in Vista or Windows 7. The script does an output of IPconfig /all then does a line count...

    It is a DMS Script, I thought about rewriting into batch, but the part of the script that detects your Network and subnet is pretty cool.


    (For all those who want to disable IPv6 in their environment, unchecking the bind on the network adapter does not stop IPv6, this will just put you in an unsupported configuration from Microsoft. If you truly want to disable all features of IPv6, use this registry key.)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters
    Value:DisabledComponents
    Type:DWORD
    HEX:0xffffffff or DEC:4294967295



    I hope others are able to look at some of these scripts and may be able to use them. I admit they need a lot more updating and if I get time in the next few weeks I may post more.

    v/r,
    Chris


  • 11.  RE: Re: [Client Management Solutions General Discussion] RE: Scripts for IT

    Broadcom Employee
    Posted Nov 30, 2012 04:31 AM
    Hi

    Unfortunately we cannot share location awareness here. If you have a need for it please do log a support call or contact your account team so we can get in touch with services for you and they can advise on the script. I do recommend it as the query and config policy solution is not the best approach. If you have a laptop that moves say from USA to UK the laptop will connect first to SS in USA, then the query has to run then config update and then the laptop gets configured to SS in UK.

    If your server is busy there might be a considerable delay in this move. If in the meantime a job is sent it will go via the USA SS which is not good.

    With Location awareness the agent detects the IP address and reconfigures itself to the correct SS on startup so it immediately registers with the UK SS and thus avoids this issue.
    regards

    Rich
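
The startup-time selection described in the post above, sketched as an added example that is not part of the thread and is not CA's location awareness script: the agent picks its scalability server by longest-prefix match of its IPv4 address against a subnet table, reading addresses from the .NET network API instead of parsing ipconfig output. The subnet table and server names are constructed placeholders; `ccnfcmda` and `caf setserveraddress` are used as they appear in the batch scripts earlier in the thread.

```powershell
# Added example. Subnets and server names below are constructed placeholders.
$SubnetMap = @(
    @{ Cidr = '10.20.0.0/16';  Server = 'SS-US-01' },
    @{ Cidr = '10.20.30.0/24'; Server = 'SS-US-BRANCH' },
    @{ Cidr = '10.40.0.0/16';  Server = 'SS-UK-01' }
)

function ConvertTo-IPv4Number {
    param([string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne 'InterNetwork') { throw "Not an IPv4 address: $Address" }
    $b = $ip.GetAddressBytes()
    # A double holds any 32-bit value exactly and avoids signed-integer overflow.
    [double]$b[0] * 16777216 + $b[1] * 65536 + $b[2] * 256 + $b[3]
}

function Select-ScalabilityServer {
    param([string]$Address, [object[]]$Map = $SubnetMap)
    $addr = ConvertTo-IPv4Number $Address
    $best = $null; $bestLen = -1
    foreach ($entry in $Map) {
        $net, $len = $entry.Cidr -split '/'
        $len = [int]$len
        $size = [math]::Pow(2, 32 - $len)          # addresses per block of this prefix length
        $sameBlock = [math]::Floor($addr / $size) -eq [math]::Floor((ConvertTo-IPv4Number $net) / $size)
        if ($sameBlock -and $len -gt $bestLen) { $best = $entry.Server; $bestLen = $len }  # longest prefix wins
    }
    $best
}

function Get-LocalIPv4Address {
    # Ask the network stack directly instead of counting lines of ipconfig output.
    [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
        Where-Object { $_.OperationalStatus -eq 'Up' -and $_.NetworkInterfaceType -ne 'Loopback' } |
        ForEach-Object { $_.GetIPProperties().UnicastAddresses } |
        Where-Object { $_.Address.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.Address.ToString() }
}

function Update-AgentServerAddress {
    param([switch]$Apply)                          # without -Apply, report only
    $out = & ccnfcmda -cmd GetParameterValue -ps itrm/agent/solutions/generic -pn serveraddress
    $current = "$($out | Select-Object -First 1)".Trim()
    if ($current -ieq 'localhost') { return 'Scalability server or manager detected; unchanged' }
    $target = $null
    foreach ($ip in Get-LocalIPv4Address) {
        $target = Select-ScalabilityServer $ip
        if ($target) { break }
    }
    if (-not $target) { return "No subnet match; keeping $current" }
    if ($target -ieq $current) { return "Already registered with $target" }
    if ($Apply) { & caf setserveraddress $target }
    "$current -> $target (applied: $([bool]$Apply))"
}

# Offline check of the lookup with constructed addresses.
'10.20.30.7', '10.20.99.1', '10.40.5.5', '192.168.1.10' | ForEach-Object {
    '{0,-13} -> {1}' -f $_, (Select-ScalabilityServer $_)
}
```

Keep the subnet table where only administrators can write to it, since it decides which server the agent will take jobs from.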


  • 12.  RE: Re: [Client Management Solutions General Discussion] RE: Scripts for IT

    Posted Nov 30, 2012 06:01 AM
    Thanks for chiming in Rich - I assumed as such which is why I made the statement of not to do so.

    With regards to disabling IPv6 - Microsoft has a FixIt available as an MSI you can deploy using ITCM as well - http://support.microsoft.com/kb/929852


  • 13.  RE: Scripts for ITCM Agents.

    Posted Nov 21, 2012 05:45 AM

    cholmes2.2 wrote:

    This has not been tested completely, but here it goes.

    Create Software Delivery
    Extract the contents of Folder.7z
    Go inside the extract folder to where you see the different batch files and etc.

    Once Extracted, Copy the following Package(s):
    CA DSM Explorer: 12.5.1000.767
    CA DSM Agent + AM, RC, SD plugin(s) (NLS(ENU,DEU,FRA,JPN)) Win32:12.5.1000.767

    Extract both of these packages to where the files are inside of the extracted package from earlier.
    Overwrite any files as required, on the second extraction.
    Now Delete the REGInfo Folder.
    Inside this Folder Sort by Date Modified (Making newest files first)
    There are several .cmd files. You can modify each cmdfile as required but if you want to use this as a package make sure that both Deployment.cmd and
    itcmagents.cmd and itcmagentswExplorer have the same information inside of them. Anything with a "%2 or %1 or %3, leave alone."

    Next Create a Package

    Name: Custom CA Agents
    Version 12.5.1000


    Copy the Files from the Folder where all the files were extracted over to the Package. It should look identical to the files inside of the regular 12.5.1000 package
    Next you will register Deployment.cmd twice


    Register the Deployment Script with the following options:

    Name it: All Agents
    These Options: none "$rf" $#bg $#EC:0 $#EC:3010

    Now Register the Deployment Script again.
    Name it: All Agents with DSM Explorer
    These options: none "$rf" $csa $#bg $#EC:0 $#EC:3010


    Seal the package and test from inside of DSM.
    Next post will be how to use a ServerShare (created on Server with certain rights, and use Psexec to silently deploy all agents to machine without any agents or box that requires upgrade, without the user knowing it is happening...)
    While as a community member I appreciate your submission - I have to ask, what's the benefit of doing and having to support troubleshoot this, vs. simply deploying from DSM? The only advantage I can see is potentially being able to deploy DSM and the agents within a single procedure, but clicking two procedures within the very short list of CA packages is not bothersome.

    With regards to the ServerShare and Psexec, this can also be done using the Infrastructure Deployment Wizard. In both cases, PSEXEC or the IDW, the Administrative Shares have to be open and the credentials used need to be privileged on the targeted workstation.

    Once again let me stress I'm not trying to discourage your posts in any way, as there definitely is value - just looking to see if you can speak to advantages of doing your way vs. what I described.


  • 14.  RE: Scripts for ITCM Agents.

    Posted Nov 20, 2012 12:47 PM
    Thanks Chris! I am sure the community appreciates this!

    Mary