Configuration Management 10

From ZENWorks Wiki

WHAT IS ZCM

OVERVIEW

Package Types and Architectures

BASIC CONCEPTS

ZCM 10 comes with a new architecture design based on a packaged concept: there is an agent and a server. The agent communicates with the server, and the server provides all the needed information. User information such as login credentials can be provided to the server from Active Directory or eDirectory. The server only provides applications, policies, images, and remote control features; it is not responsible for user accounts or groups. Users and groups are provided to the server by the LDAP connection from eDirectory or Active Directory. No synchronization happens either, so we do not need any type of Identity Management as before with the ZDM products.

Here is a basic diagram of the infrastructure.

Image:ZCM10_BasicInfrastructure.png

What's happening in this picture!!

The workstation must have the ZCM Agent. The agent is responsible for the following

  • Image Safe Data
  • User Associated Bundles
  • Workstation Associated Bundles
  • Inventory
  • Other workstation related tasks

The agent communicates with the ZCM server, providing the above information. This is two-way communication, meaning the server can initiate communication with the workstation. In previous versions of ZENworks, only the workstation could initiate any type of communication with the server.

The ZCM Server handles the following:

  • Manages all content, like bundles, images, policies, and configuration.
  • All configuration is stored in a database
  • All bundle files and images are stored in a "Content Repository", which is a file system location.
  • Manages user sources. User sources are LDAP connections with either eDirectory or Active Directory. User sources provide user accounts and group objects. With these objects, associations can be made with ZCM content, like bundles and policies. The objects in the user source are never modified.

YOU MUST HAVE!!!!

  • CONFIGURE DNS BEFORE INSTALLING ZCM
  • Fully qualified DNS record. For example, ping -a 172.16.1.1 and ping zcm_server.mydomain.com must respond exactly the same, so the forward and reverse lookups agree.
  • ZCM server must use the same DNS record as the workstations
  • The CN of the certificate must match the DNS record.
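
The three requirements above (fully qualified name, matching forward and reverse DNS, certificate CN equal to the DNS name) can be checked in one pass before installing. The following Python check is an added example, not part of the original wiki page or of ZENworks; the function names, the sample DNS records and the sample subject string are constructed for illustration, and the subject is assumed to be in the comma-separated form shown for CASubject later on this page.

```python
import socket

def norm(name):
    """Lower-case a host name and drop a trailing dot so names compare equal."""
    return name.strip().rstrip(".").lower()

def cn_from_subject(subject):
    """Return the CN from a subject such as 'O=..., OU=..., CN=host', or None.
    Simple comma split: does not handle escaped commas inside values."""
    for part in subject.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None

def check_prereqs(fqdn, cert_subject,
                  forward=socket.gethostbyname_ex,
                  reverse=socket.gethostbyaddr):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if "." not in norm(fqdn):
        problems.append(f"{fqdn}: not a fully qualified name")
    cn = cn_from_subject(cert_subject)
    if cn is None or norm(cn) != norm(fqdn):
        problems.append(f"certificate CN {cn!r} does not match {fqdn}")
    try:
        _, _, addresses = forward(fqdn)
    except OSError as exc:  # gaierror and herror are OSError subclasses
        problems.append(f"forward lookup of {fqdn} failed: {exc}")
        return problems
    for addr in addresses:
        try:
            ptr_name = reverse(addr)[0]
        except OSError as exc:
            problems.append(f"reverse lookup of {addr} failed: {exc}")
            continue
        if norm(ptr_name) != norm(fqdn):
            problems.append(f"{addr} reverses to {ptr_name}, not {fqdn}")
    return problems

# Constructed records for an offline run (not taken from a real zone).
SAMPLE_A = {"zcm_server.mydomain.com": ["172.16.1.1"]}
SAMPLE_PTR = {"172.16.1.1": "oldname.mydomain.com"}
SAMPLE_SUBJECT = "O=Example, OU=ZENworks, CN=zcm_server.mydomain.com"

def sample_forward(name):
    """Stand-in for socket.gethostbyname_ex backed by SAMPLE_A."""
    if name not in SAMPLE_A:
        raise socket.gaierror(socket.EAI_NONAME, "name not found")
    return (name, [], SAMPLE_A[name])

def sample_reverse(addr):
    """Stand-in for socket.gethostbyaddr backed by SAMPLE_PTR."""
    if addr not in SAMPLE_PTR:
        raise socket.herror(1, "no PTR record")
    return (SAMPLE_PTR[addr], [], [addr])

if __name__ == "__main__":
    for line in check_prereqs("zcm_server.mydomain.com", SAMPLE_SUBJECT,
                              sample_forward, sample_reverse):
        print("PROBLEM:", line)
```

Called without the last two arguments, check_prereqs uses the system resolver, so it can be run on both the server and a workstation to confirm they see the same records.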


Bundles

Application objects are now called bundles in ZCM 10. For those of us who are new to ZENworks, bundles are a compilation of files, scripts, or actions that should be performed. These actions could be performed when a user authenticates to a workstation, when a workstation boots, or when a user clicks an icon.


Troubleshooting information can be found later on this page at Configuration_Management_10#Troubleshooting_Bundles

BASIC INSTALLATION

Migration Utility

Migration Utility Piracy Detected

From the Migration Utility Log

14:11:23 : ------------------------------------------------------------------------
14:11:23 : Microsoft Windows XP
14:11:23 : Service Pack 2 (Build 2600)
14:11:23 :  C:\Program Files\Macrovision\AdminStudio\8.5\Converter for ZENWorks\AxtAotConv.exe (Process Id: 3668, Thread Id: 2196)
14:11:23 :  User lang: English, System lang: English
14:11:23 :  Reportlevel: 4
14:11:23 :  Username: cfrazier (is local admin), Workstation: WCF-000382
14:11:23 : ------------------------------------------------------------------------
14:11:23 0 Debug: Piracy Detected! Shutting down


Installing a Second ZCM Server

Before starting the installation, verify that the SQL protocol configuration is correct.

Unable to install ZCM 10 to second server in the zone.
ERROR: "Unable to get zone information" appears when trying to add a second server to the same zone.
ERROR: "Unable to Contact the Database Server.  The database address specified by the parent primary server cannot be resolved by this server"

To check the enabled protocols for a server, follow these steps:

  1. In SQL Server 2000, start the SQL Server Network Utility (svrnetcn.exe).
  2. On the General tab, select the instance of Microsoft SQL Server on which to load an installed server network library.
  3. Make sure that TCP/IP appears in the Enabled Protocols list.
  4. To find the port number, in the Enabled Protocols list, click TCP/IP, and then click Properties.
  5. The Properties dialog box displays the port number.
  6. There is a known bug: SQL Server May Not Listen on TCP/IP Sockets When TCP/IP is the Only Protocol

See the following TID for complete information: https://secure-support.novell.com/KanisaPlatform/Publishing/101/3386397_f.SAL_Public.html

INFORMATION and NOTES

ZCM Agent (PreAgent)

Registry hacks

  • Completely disable the ZCM login
File: Disable ZCM Logins
[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Zenworks\ZenLgn]
"DisablePassiveModeLogin"=dword:00000001
"DisablePassiveModeLoginPrompt"=dword:00000001


When logging in to a PC with the Novell Client and the ZCM agent installed, the agent attempts to authenticate to ZCM even when the "Workstation Only" box is checked.

This is working as designed, as you may wish to authenticate to ZCM, but not authenticate to eDirectory.

File: Honor Client32 Workstation Only Checkbox

Create a DWORD registry value named "HonorClient32WorkstationOnlyCheckbox" under "HKLM\SOFTWARE\Novell\ZENworks\ZenLgn".

Set this to any value other than zero to disable the functionality.


Registry strings for reference

File: Zenworks Agent Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Zenworks]
"CASubject"="O=Internal Certificate Authority, OU=ZENworks, CN=sles-host2.jaredjennings.org"
"Version"="10.0.1.0"
"AgentInstallPath"="C:\\Program Files\\Novell\\ZENworks\\"


Performance tweaks or possible issues

Sometimes the following directory can grow large. This is supposed to be addressed in 10.1.1.2

C:\Program Files\Novell\ZENworks\work\collection\status\failed

Bundles


Icon Editors

Tip: As for icon editors, you can use Irfanview (free) or my favorite Microangelo. I'm sure that there are tons of others out there too.

User Sources

Multiple LDAP servers can be configured for a single directory. The directory would be Active Directory or eDirectory. Multiple LDAP servers allow for load balancing and fault tolerance.

Example Configuration files

/etc/opt/novell/zenworks/datamodel/authsource/alt-servers.properties.sample


Troubleshooting

LDAP Referrals



Troubleshooting Login Failures

Troubleshooting authentication issues

The following log files can contain a lot of useful information:

c:\windows\system32\nwgina.log
c:\windows\system32\zenlgn.log
c:\windows\system32\zisd.log

The following registry settings must be enabled.

[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\ZENworks\ZenLgn]
"EnableDebugMessageLogging"=dword:00000001
"MaxLogFileSize"=dword:100000

[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NWGina]
"EnableDebugMessageLogging"=dword:00000001
"MaxLogFileSize"=dword:100000

[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Authentication\Notify\ZenNotify]
"Debug"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Authentication\ZenCredentialProvider]
"Debug"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Authentication\Packages\ZenV1_0]
"Debug"=dword:00000003


Generally, pass-through authentication doesn't work because:

  1. There is a problem with reverse DNS resolution.

  • User Source Realm: /etc/CASA/authtoken/svc/iaRealms.xml
  • User Source Stored Certs Location: /var/opt/novell/zenworks/datamodel/ldap-ssl-certs
  • Other Useful CASA server-side logs: /srv/www/casaats/logs/

Database Information

Database authentication information can be found in the following places. This is the information that ZCM uses to authenticate to the external database.

Linux

/etc/opt/novell/zenworks/datamodel/dmaccounts.properties

Imaging

At times it would be nice to run the ZCM Image Explorer Utility on a workstation, a device that does not have all the other ZCM products installed.

You can run ZCM Image Explorer as a stand-alone application on any workstation that has java installed.

This could be very useful if your images are stored on a Linux box and you do have SMB access.

Overview

  1. Install Java JRE
  2. Install the Image Explorer MSI from the ZCM installation CD
  3. Create a simple batch file that launches the Image Explorer Java Utility

Installing Java JRE

I downloaded and installed jre1.6.0_03 from JavaSoft.com. Just about any 1.5 or 1.6+ version should work.

  1. Install JRE into the default location, nothing special about this step.

Installing Image Explorer Utility

  1. From the ZCM installation CD, browse to Disk1\InstData\msi, my CDROM drive letter was "d".
  2. Install D:\Disk1\InstData\msi\novell-zenworks-zmgexplorer-10.0.0.msi

This install is EXTREMELY quick. You will think it failed. No prompts, no confirmation. You can check in Windows Event Viewer for a status.

The installation puts all the image files in c:\Novell\ZENWorks\Lib\java

Creating a simple Bat file to launch the Utility

I created a simple .bat file that launched the required java processes. Please note that a path statement must exist in the .bat file, otherwise you will get java exceptions.

  1. Create launchImgExp.bat
  2. Put the following information into the bat file.
     set path=C:\Novell\ZENWorks\Lib;%PATH%
     cd C:\
     cd Novell\ZENWorks\Lib\java
     "C:\Program Files\Java\jre1.6.0_03\bin\javaw" -jar zmgexp.jar

!!!! That is a total of four lines !!!!

You may need to update the JRE path accordingly. On my station it was not necessary to specify the whole path to javaw.exe.

zmgexp.jar should exist in c:\Novell\ZENWorks\Lib\java, which is the main java executable for the Image Explorer Utility.


Image Safe Data

As in previous versions of ZENworks, utilities are provided both for the command line and the Windows GUI to clear or edit the image safe data. Some of you may not know, so I will explain the Image Safe Data. Image Safe Data, sometimes referred to as ZENworks Image Safe Data (ZISD), stores information about the device and its location in eDirectory (ZFD7x and older) or the ZCM management system. The information contains device name, IP address information, and GUID information.

In Windows, you can find the utility here on any workstation that has the PreAgent installed.

"Program Files\Novell\ZENworks\bin\preboot\ziswin.exe"


Satellite Servers Fail to Support Imaging. PXE Client Exits

Steps:

  1. Install a ZCM server on an OES box with non-default ports, i.e. HTTP - 81 & HTTPS - 444.
  2. Add an agent box and promote it as a satellite server.
  3. Start proxydhcp on the satellite server.
  4. Assign an imaging action and reboot the agent system to PXE mode.

Observed Result: The agent exits from PXE mode and will not do any imaging task.

Workaround:

The zenimgweb.conf file of the satellite server and the primary server needs to be updated with the port numbers.


Collected HWINFO information, Scripted Imaging Logic

File: Dell OptiPlex 740
# Restore the image only when the BIOS reports a Dell OptiPlex 740
if [ "$(hwinfo --bios | grep -c -i "Dell OptiPlex 740")" != 0 ]; then
    img rp <path_to_image>
fi

File Locations of Useful Programs

Image Boot CD

This CD Image can be used to boot into imaging instead of using PXE Boot.

  • Windows
"\Program Files\Novell\ZENworks\bin\preboot\bootcd.iso"


The Boot CD ISO can also be found on the installation media in \Disk1\InstData\msi\novell-zmgbootcd-10.0.1.0.msi

ZEN Cache, Bundle Cache

The ZEN Cache holds information about bundles and settings. In the ZDM days, this was known as the NALCACHE. This directory exists on every managed device.

C:\Program Files\Novell\ZENworks\cache\zmd\ZenCache

Inventory

I cannot say enough about ZCM Inventory functionality

I suppose I should say something about it then, if it's so great.

Collecting Information for Local Products

ZCM Inventory contains functionality to collect information about files and programs that Novell does not know about. With this information, products can be created to better manage this information. These Local Products become inventory information like "Microsoft Office", "Microsoft Excel". ZCM has several different inventory collection settings for Files Not Identified (FNI). FNI are files for which ZCM inventory was not able to determine the owning product. Using FNI information, products can be created; these are referred to as Local Products.

By default, ZCM is configured to collect files with a ".EXE" extension, but the option to utilize this information is not enabled.

This option is known as Collect Software File Information.

This option can be specified in the First Scan, Scan Now, or Reoccurring Scan.

Scanning large hard drives for this file information can take a long time. Thus, setting First Scan to collect this information may not be the best idea. It may be more prudent to set a Reoccurring Scan to collect this information instead.

  • Open ZCC "https://zcm_server/zenworks"
  • Select configuration from the Quick Tasks
  • Select Inventory from the sections of administrative tasks

Image:ZCM_Configuration_Inventory_Scannow.png

  • Check the box Collect Software File Information

"Collect Software File Information" causes inventory to collect the required additional information.


How and where the information is collected can be controlled in "Software Files".

Image:ZCM_Configuration_Inventory_SoftwareFiles.png

Software Files allows for additional modifications as follows.

  • Include Specific Directories
  • Include Specific Extensions
  • Include directories of Software that has already been detected or is known to be associated with software.
  • Exclude directories from scans.

Custom Inventory Attributes

Please view the following PDF which outlines how to customize and auto-fill some of the default attributes of workstations or users.

[Cool Solution ZCM custom inventory attribute]


Server-Backend Configuration Options

You can control the address that the ZCM server listens on

By default, the ZCM server listens on all IP addresses bound to the server host. By modifying the server.xml configuration file and adding an address="IP_address" attribute, the ZCM server will only listen on this address.

Locate the server.xml

On Linux, this would be located in:

/opt/novell/zenworks/share/tomcat/conf/server.xml

On Windows, this location would be:

C:\Program Files\Novell\ZENworks\share\tomcat\conf

Find the following section. Notice that there is no address='xxx.xxx.xxx.xxx' attribute.

Image:tomcatConnector-nonSSL.png

Add the address attribute as follows.

<!-- Define a non-SSL HTTP/1.1 Connector on port 80 -->

   <Connector address='172.16.1.20' port="80" maxHttpHeaderSize="8192"
              maxThreads="200" minSpareThreads="25" maxSpareThreads="75"
              enableLookups="false" redirectPort="443" acceptCount="100"
              connectionTimeout="20000" disableUploadTimeout="true" />

Note: This must also be done for the 443 (SSL) section.


   <!-- Define a SSL HTTP/1.1 Connector on port 443 -->
   <Connector address="172.16.1.217" port="443"

  • After making the changes, either reboot or restart the following services.

Linux

/etc/init.d/novell-zenserver restart

Windows

Administrative Tools -> Services -> Restart Novell ZENworks Server
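
Because the address attribute has to be added to both the port 80 and the port 443 Connector, it is easy to pin one and leave the other listening on every interface. The following Python audit is an added example, not part of the original wiki page or of ZENworks; the function name and the embedded server.xml fragment are constructed for illustration, and it relies on the Tomcat behaviour described above, where a Connector without an address attribute listens on all addresses.

```python
import sys
import xml.etree.ElementTree as ET

# A Connector with no address attribute (or a wildcard) listens on every IP.
WILDCARDS = {"", "0.0.0.0", "::"}

# Constructed server.xml fragment for an offline run: port 80 is pinned,
# port 443 was forgotten.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Define a non-SSL HTTP/1.1 Connector on port 80 -->
    <Connector address="172.16.1.20" port="80" redirectPort="443" />
    <!-- Define a SSL HTTP/1.1 Connector on port 443 -->
    <Connector port="443" scheme="https" secure="true" />
  </Service>
</Server>"""

def audit_connectors(xml_text, expected_address):
    """Return (port, finding) tuples for connectors not bound as expected."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        address = (conn.get("address") or "").strip()
        if address in WILDCARDS:
            findings.append((port, "listens on all addresses"))
        elif address != expected_address:
            findings.append(
                (port, f"bound to {address}, expected {expected_address}"))
    return findings

if __name__ == "__main__":
    # Usage: audit.py <path to server.xml> <expected IP>
    # With no arguments the constructed sample above is audited instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as handle:
            text, expected = handle.read(), sys.argv[2]
    else:
        text, expected = SAMPLE_SERVER_XML, "172.16.1.20"
    for port, finding in audit_connectors(text, expected):
        print(f"Connector port {port}: {finding}")
```

Run it against the real server.xml after editing and before restarting the service; an empty result means every Connector is bound to the intended address.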

Special novell-zenworks-configure Commands

This will re-create the agent packages that you see on the zenworks-setup page.

Linux:> novell-zenworks-configure -c CreateExtractorPacks -Z


zenupdater commands (Cool Commands for Failed Update Situations)

In the event that a Windows managed device is restarted during the application of the 10.0.3.2 hotfix, the update will not restart automatically. In order to restart the update, open a command prompt on the managed device and run the following command:

C:\> zenupdater.exe -v -c "%ZENWORKS_HOME%\logs\system-update\5754C9D3833A435386C200E70E17A0B6\update-commands.xml"

This will restart the update process.

For Linux servers: run

Linux:> /opt/novell/zenworks/bin/zenupdater -v -c /var/opt/novell/log/zenworks/system-update/5754C9D3833A435386C200E70E17A0B6/update-commands.xml


C:\> SET TARGETDIR=C:\program files
C:\> msiexec.exe /i "novell-zenworks-system-update-10.0.3.msi" TARGETDIR="%TARGETDIR%" /qn ALLUSERS=2 REBOOT=ReallySuppress /l*v blah.log

Workstation Registration

OS Targets: https://ZCM_SERVER/zenworks-registration/ostargets.xml


Deployment and Discovery

Troubleshooting section at the bottom of the page Configuration_Management_10#Discovery_and_Deployment_Tasks


Deleting a server from a ZONE

The zman command just retires the device; it does not delete it. So you can actually delete the device by using the web services.

You can go to (https://<server.ip>/zenworks-zoneconfigadmin/?test), find the link to the delete method [boolean delete(java.lang.String arg0)], enter the server's GUID in the parameter field and click invoke.

Then go to (https://<server.ip>/zenworks-deviceadmin) and do the same thing with the delete method listed there [boolean delete(java.lang.String arg0)]. That will remove the device from the zone completely.

LOGS and TROUBLESHOOTING

Testing that Services are running

https://myzenserver:2645/CasaAuthTokenSvc/

should not return an error, but should return a file listing. If the proxycfg settings conflict with the IE settings, this will succeed but login will still fail, so check both.

ZCM System Updates

How to reapply 10.0.3 http://support.novell.com/Platform/Publishing/240/7000559_f.1.html

Individual Debug logs: ZENworks\logs\system-update\xxxxx\novel-zenworks-usermanagement-10.0.3.2.msi.log


I updated my server to 10.1 but I had to back out of "deploying system updates".  
Now I have no available system updates.  
  • Copy the updates.xml and update-10.1.0.xml files from the \common subdirectory of the 10.1 installation CD to c:\program files\novell\zenworks\install\downloads
  • Then run: zman sui "c:\program files\novell\zenworks\install\downloads"
  • Enter credentials when prompted for the ZCC.

Server-Side Logs

Loader Logs

The loader handles almost all messages and acts as the primary service for almost all functions.

On Linux, the loader-messages.log is located here

/var/opt/novell/log/zenworks/loader-messages.log

On Windows, the loader-messages.log is located here

Program Files\Novell\Zenworks\logs\loader-messages.log


Explanation and Notes about Loader Message Logs


I thought I would compile a page with log entries and the associated resolutions. Hopefully it will help with tracking issues and understanding what's being logged.


Compiled ZCM errors from Logs


Discovery and Deployment Tasks

Component Name: Discovery

Enable Debugging (self-documenting XML file; set to FINEST):

Windows server: \Program Files\Novell\ZENworks\conf\loader\discovery.xml
Linux server: /etc/opt/novell/zenworks/loader/discovery.xml

Restart loader service.

Note: Modify the existing xml file. A file called "copy of discovery.xml" in the same directory will be used if it exists.

Log Location:

Windows server: C:\Program Files\Novell\ZENworks\logs\loader-messages.log
Linux server: /var/opt/novell/log/zenworks/loader-messages.log

Adaptive Agent

Installation Logging Information Windows workstation:

C:\windows\novell\zenworks\bin\ZENPreAgent.InstallErr
C:\windows\novell\zenworks\bin\ZENPreAgent.InstallLog
C:\windows\novell\zenworks\bin\ZENPreAgent.InstallState
C:\windows\novell\zenworks\bin\cmdline.txt (The command line executed when the managed agent package was launched)
Tip: Once the PreAgent service is installed, all logging goes to the system application event log.


The Adaptive Agent controls all communication between the workstation and server. In the ZFD days, the agent was called zfdagent, or the ZENworks NAL Agent.

Logs for the Adaptive Agent are located in C:\Program Files\Novell\ZENworks\logs\LocalStore\zmd-messages.log

Use this log to find reasons for registration failure, slowness, and other communication issues with the ZCM server.

ZCM Agent Login Errors and problems

File: ZenLgn

Windows workstation:
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Novell\ZENworks\ZenLgn
Name: EnableDebugMessageLogging
Type: DWORD
Value Data: 1

Log Location: Windows workstation: C:\windows\system32\zenlgn.log

Note: it is necessary to reboot after enabling this option.

CASA_STATUS_ERROR_INVALID_SERVER_CERTIFICATE 0xC7FF0023

When I try to re-login again, it says that the password is not the right one, that it might be a blank password (which is not allowed), or something about a certificate. Bug #287497

WinHttpTraceCfg.exe, a Trace Configuration Tool is a great troubleshooting utility. http://clipmarks.com/clipmark/17126C7D-C66B-4058-9F22-56603D47C805/


File: Full Message: Could not save bundle state: System.IO.IOException: The process cannot access the file 'C:\Program Files\Novell\ZENworks\cache\zmd\90cacf0171cdbd6c4f108a700cd1a6fe.APPSTATE' because it is being used by another process. at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFu

Additional Information: None
Severity: Error
Date: March 31, 2008 10:39:55 AM
Acknowledged Date: None
Source: /Devices/Workstations/WinXP/5g0vdf1
Message ID: BUNDLE.BundleStateSaveError
Probable Cause url: None
Log ID: 358e241b85aabaad2f2211e03f241e6c

Related Objects: /System/System Bundles/90cacf0171cdbd6c4f108a700cd1a6fe

Troubleshooting Bundles

List all bundles first, so we can see the path to the bundle and the bundle name

zman bl --host ZCM_host -U admin_user -P admin_password

Export the Bundle to an XML file

zman bundle-export-to-file /Bundles/BUNDLE_NAME bundle_name.xml --host ZCM_host -U admin_user -P admin_password

Inventory

Windows Installer Logs and Logging for MSI installations

These logs can be enabled by registry keys or by Group Policies.

By default, logs are placed into the windows temp directory %temp%

Please see Windows Installer Logs and Logging for MSI installations for more information

FAQ and Technical Documents

I usually hate these type of sections, FAQ are usually worthless, but I thought I would list TIDs in this section for a lot of common things. It will probably become long and useless also.

  • 3633799: Cannot do text file or ini file updates as logged-in user

Upgrading from ZENworks 10.0.0 to 10.0.2 (System Update 1)
