Blog Posts


While at MMS, we talked to two Service Integrators about Intel vPro technology with System Center 2007 - including the combination of Intel® vPro™ technology with System Center Configuration Manager 2007 for medium to large businesses and the combination of Intel® vPro™ Technology with System Center Essentials 2007 for small businesses.




To see more videos from MMS, go to http://www.intel.com/go/mms/

0 Comments Permalink
0

Part four of three

Hopefully, if you are watching this, you have already seen the first three installments I did on surviving the data center crisis. A quick recap: the premise (aka the crisis) is that you are running out of capacity.

According to Green Tech World, TMC 2007 "81% of IT mgrs will exceed capacity for power or space in the next 5 years".

In the first three video segments I spoke about three complementary approaches that, taken together, could give you as much as 50X the data center capacity in your existing power and space.

Summarizing:

Data Center Crisis - How to Survive... Refresh with today's advanced high-performing servers
Data Center Crisis - Part 2 - Using Virtualization... Virtualize and Consolidate
Data Center Crisis - Part 3 - Getting Dense - Use every Watt

Today I want to address two follow-up questions:

One, where to go next when I have used up all this new capacity?
Two, who can help me get there?
The answers, it turns out, are related.

Moving outside the box is the 4th strategy, and like the other strategies, it can be used anytime, in complement with the other three strategies.

Step to outside the boxness:

[Image: outside the box2.jpg]
Moving outside the box allows an IT manager to move work that can be efficiently run elsewhere (things like email) outside the data center, and to focus on the highest business value or least movable work inside.

As to who can help you get here: the system integrator/IT outsourcer community offers support in all four strategies I have outlined.

My recommendation is to examine your situation, and your growth projection, and create a plan using all four strategies that will preclude the major capital expense of data center construction. Avoiding that 10 to 50 million dollar capital hit should be a very compelling proposal.

0 Comments Permalink
1

COMING UP: Don't miss out this week! You will be able to catch Josh Hilliker, Russ Pam, and Jeff Torello's live chat with Jason Davidson and Mike Ferron-Jones. The show will be on the spectrum of emerging compute models and recommendations for when to consider each model. Feel free to check out this slide deck, you can bring up any questions you have during the show: Slide Deck

Also, remember that there are THREE ways to listen to our show. Not only can you call in and participate live, but you can stream live online or download the show afterwards!

When: TUESDAY, May 20th @ 3:30 PM
Call-in Number: (347) 326-9831
http://www.blogtalkradio.com/openport


1 Comments Permalink
0

On the quest to find tools that showcase saving energy, $$'s & overall how to optimize your energy bill I ran across this cNET Article titled: Verdiem: Nyquil for energy-hog PCs
Full Details: http://www.news.com/8301-11128_3-9942968-54.html?tag=blog.promos.

I pulled this quote out as it applies to the vPro community.

"Verdiem Surveyor 5.0 has a console to centrally configure different devices and additional reporting tools. It also has better integration with Windows Vista and integrates with Intel's vPro PC management technology so that it can access machines that aren't turned on"

I think this may be a good tool to showcase the quest on "saving energy" that I have been discussing in my last few energy posts. I dug in deeper and found this site - http://www.greenmypcs.com/ in which they have a free download kit of information it looks like - I have to download & check it out.

If you are on this same quest.. let's check it out together & let me know your input on this blog.

Josh

0 Comments Permalink
0

The primary key of identity for an AMT computer is its Fully Qualified Domain Name (FQDN). One of the essential parts of the setup and configuration process (Provisioning) is when Altiris attempts to map a valid FQDN inside the IntelAMT database. This article covers how to handle FQDN issues, including ways to correct invalid entries, the best method to avoid the issues, and how it all works. If you're using Altiris Out of Band Management for provisioning, this is a must read!

Introduction

The two key identity items for vPro are the UUID (Universally Unique Identification) and the FQDN. The UUID is contained within the hello packet sent by AMT, but the FQDN is not held within AMT without Provisioning. This means it is up to Altiris to acquire the system's FQDN. While this may sound simple, problems arise while the system is still in its setup process: being prepped or imaged, having software and scripts rolled out to provision it and join it to the domain, and finally having its identity on the Domain and network established and receiving a new IP Address.

Preferred Provisioning method

For specifics I'll refer you to the Best Practices document; the general steps that matter for the FQDN are provided below.


LINK: http://juice.altiris.com/article/2810/best-practices-configuring-intel-vpro-capable-system-within-symantecaltiris-vpro-toolki


  1. Image the system with the Operating System, including any post-imaging work to get the system configured. This includes rolling out software or scripts.
  2. Join the system to the Domain after it has its rightful identity. The computer name should be set. When the computer is joined to the domain, this will provide the valid operable FQDN.
  3. Install the Altiris Agent on the system. This provides the information for the FQDN in the Inv_AeX_AC_Location table.
    NOTE: If the Altiris Agent was part of the image, make sure the system sends Basic Inventory again after the system has been joined to the network to ensure we have the valid FQDN within the Altiris database.
  4. Ensure the Out of Band Discovery package is enabled and configured via the collection to go to all machines.
    NOTE: This step is essential because OOB Discovery will pick up the FQDN from the Basic Inventory and map it in the IntelAMT database. This screenshot shows where the data is located:
    [Screenshot: OOBCapACLocation.JPG]
  5. Now if the hello message was sent before the above steps were completed, normally it will recover as long as the process completes before 24 hours have passed. 24 hours is the period of time the hello packets will be sent from the client. AMT will continue to send hello packets throughout the period UNTIL it is fully provisioned. This helps reestablish connection if the IP Address changes in the middle of the Provisioning process and the Server can't connect back up to the remote AMT system.

Preferred Provisioning Settings

Not all settings within Out of Band are FQDN friendly. The following items affect how Out of Band Management approaches provisioning.

  1. Resource Synchronization - Make certain this is enabled! A disabled Resource Synchronization policy will halt Provisioning, greatly increasing the chance of FQDN problems when it is finally enabled.
  2. Use DNS IP resolution to find FQDN when assigning profiles - This option, under the Resource Synchronization policy, is typically unreliable. While this option allows for bare-metal provisioning or Agentless provisioning, it also is at the mercy of the DNS and DHCP environment. It is highly recommended NOT to use this option unless you fully trust your DHCP and DNS environment. Factors to consider are:
    1. IP Lease times - The lease times afforded systems may be short, increasing the possibility that when OOB fetches the FQDN via IP the lease will have expired and the wrong FQDN will be mapped.
    2. PXE or other auxiliary boots - Often these types of systems will obtain a different IP address from DHCP as their identity is not the same as when the system is booted to the OS.
  3. Intel AMT 2.0+ to Profile - This option allows a default Profile to be set up for Provisioning. Make sure you've created a default profile and set it in the Resource Synchronization policy. Without a profile, Provisioning will not occur.
  4. Intel AMT requires authorization before provisioning - Under the General node within Provisioning, this option stops provisioning from occurring. The profile will not go down to the system until the system is selected and authorized, using the right-click menu to choose 'authorize'. This can aggravate FQDN problems by delaying full provisioning.

FQDN Fixes

Invalid FQDN in IntelAMT

The first issue stems from a variety of causes. The issue is that in the IntelAMT database, shown under the Intel AMT Systems node under Provisioning for Out of Band Management, the FQDN is invalid. The causes vary, but here are a few we've seen:

  1. Reverse DNS IP Lookup is enabled - Unless your DHCP and DNS environment are rock solid, often IP Address leases expire, and other systems pick up the IPs that the AMT systems originally sent the Hello message with. When this occurs, the wrong FQDN is mapped.
  2. IP Leases short - Often the IP Lease length can create a problem acquiring the correct FQDN. This is especially problematic with TLS, as the FQDN is part of authentication using certificates.
  3. FQDN is incomplete - When a system is in setup mode, sometimes the mapped FQDN is not part of a domain, resulting in the Host Name only being set as the FQDN.

IMPORTANT! When the FQDN is invalid in the IntelAMT database, Resource Synchronization can have trouble matching resources with their correct counterparts in the Altiris database. Because of this, duplicates can emerge. If the checkbox in Resource Synchronization labeled 'Remove duplicate Intel AMT resources from Notification Server database' is checked, managed resources can get deleted from the Altiris database!

FQDN has Changed

Another not-uncommon occurrence is when a system changes identity. This can occur in a variety of ways, including:

  • The system has been reimaged
  • The computer name has been changed
  • The computer has been migrated to a new Domain
  • The system has switched subnets, resulting in a new FQDN

Regardless of the method, changing the FQDN on the system does not change it in the Intel ME or AMT firmware, and also does not change it within the Intel SCS component database (IntelAMT). When these are not synched up, it can cause problems when you need to manage the system via AMT while the computer is booted to the operating system. This is particularly a problem when TLS is enabled and the provisioned certificate no longer matches the FQDN in Windows.

Issues Resolution

Since the Altiris Agent sends Basic Inventory daily by default, the Altiris database usually has a valid FQDN on record in the Inv_AeX_AC_Location database table. We can run a query that captures the correct FQDN from the Altiris database and writes it into the IntelAMT database, correcting any duplicate or invalid FQDN entries. This is the first step. The second step is to update the FQDN within AMT on the local systems. The following processes walk you through the resolution:

Update IntelAMT from Altiris

  1. Open up SQL Query Analyzer or Microsoft SQL Server Management Studio.
  2. Open a Query window within the database instance that contains both the Altiris database and the IntelAMT database.
  3. Run the following query. For testing purposes you can omit the line 'COMMIT TRANSACTION' until you can verify the operation completed as expected. Once validated, run COMMIT TRANSACTION to complete the process:
    BEGIN TRANSACTION
    -- Copy the FQDN from Altiris Basic Inventory into IntelAMT, matching systems on UUID.
    -- The Altiris UUID has its dashes stripped so it compares equal to the IntelAMT uuid.
    UPDATE intelamt.dbo.csti_amts SET fqdn = b.fqdn FROM (SELECT il.[Fully Qualified domain name] AS 'fqdn',
    REPLACE(oob.uuid, '-', '') AS 'uuid' FROM
    altiris.dbo.Inv_AeX_AC_Location il JOIN altiris.dbo.Inv_OOB_Capability oob ON
    oob._ResourceGuid = il._ResourceGuid) b WHERE intelamt.dbo.csti_amts.uuid = b.uuid
    COMMIT TRANSACTION
  4. Done! The FQDNs now match between Altiris and IntelAMT.
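Before running the UPDATE above, a read-only preview shows which IntelAMT rows it would change and flags the cases the article warns about (host-name-only FQDNs and ambiguous matches). This query is an added example, not part of the original article; it uses only the tables and columns named in the article's query, assumes SQL Server 2005 or later (for `COUNT(*) OVER`), and the `note` labels and `candidates` column are illustrative names.

```sql
-- Added example: preview of the FQDN sync, makes no changes.
-- Lists every IntelAMT system whose fqdn differs from the value
-- Altiris Basic Inventory holds for the same UUID.
SELECT a.uuid,
       a.fqdn AS intelamt_fqdn,
       b.fqdn AS altiris_fqdn,
       CASE
           -- More than one Altiris row maps to this UUID: the UPDATE
           -- would pick one of them arbitrarily.
           WHEN b.candidates > 1      THEN 'ambiguous: several Altiris rows match this UUID'
           WHEN b.fqdn IS NULL        THEN 'no FQDN in Altiris inventory'
           -- No dot means the system reported a host name without a domain.
           WHEN b.fqdn NOT LIKE '%.%' THEN 'host name only, no domain part'
           ELSE 'would be updated'
       END AS note
FROM intelamt.dbo.csti_amts a
JOIN (SELECT il.[Fully Qualified domain name] AS fqdn,
             REPLACE(oob.uuid, '-', '') AS uuid,
             COUNT(*) OVER (PARTITION BY REPLACE(oob.uuid, '-', '')) AS candidates
      FROM altiris.dbo.Inv_AeX_AC_Location il
      JOIN altiris.dbo.Inv_OOB_Capability oob
        ON oob._ResourceGuid = il._ResourceGuid) b
  ON a.uuid = b.uuid
WHERE a.fqdn IS NULL
   OR b.fqdn IS NULL
   OR a.fqdn <> b.fqdn
ORDER BY note, a.uuid;
```

Rows marked anything other than 'would be updated' are worth resolving in Altiris first, since the UPDATE would copy an incomplete or arbitrary FQDN into IntelAMT for them.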

Update FQDN on local AMT

  1. It is recommended to follow these steps in batches so as to not overwhelm the Intel SCS component. Perhaps run this against 100 systems at any one time, or run it against those systems you know have been updated. While it doesn't hurt to run this against systems that didn't have the FQDN changed from the above process, it is unnecessary if you are able to target those systems with invalid FQDNs.
    Note: This process assumes that the system can be reached via the SCS using the new FQDN supplied by Altiris. For TLS there may be complications we have not foreseen.
  2. In the Altiris Console browse under View > Solutions > Out of Band Management > Configuration > Intel AMT Systems > and select the Intel AMT Systems node.
  3. Select one or more systems you need to update the local AMT FQDN on.
  4. Right-click and choose the 'Re-provision...' option.
  5. Check the Action status node under Provisioning > Logs > Action Status for messages concerning the Re-provision attempts. You can also check the Log node for errors.
  6. Done! The systems, when reprovisioned, should have the correct FQDN planted by the IntelAMT database entry that was updated from the Altiris database.

Conclusion

Use this article to resolve your FQDN issues to ensure AMT functionality is available when it is needed. The above process has been verified, though not all potential environmental issues have been explored. It is advised to test the process in your environment before implementing on a wide scale.

0 Comments Permalink
2

Have you ever asked yourself that question when you are bombarded with marketing messages from multiple different companies on why to choose their products vs. a competitor's product? As a non-engineer in an engineer-centric company, I certainly have thought about this several times and asked myself a very simple question - Why should I choose one architecture type over another offering?

I suppose the best place is to start at the beginning and try to decipher the acronym soup of RISC, x86 etc. I decided to use my 'old friend' Wikipedia http://www.wikipedia.org/ to help with this process. What I found was another alphabet soup that I could have researched for hours, but I try to simplify it below. I attach my detailed definition findings at the end of this blog.

Simply put, RISC (pronounced risk) is a CPU design to use simplified instructions to execute very fast thus providing higher performance. x86 is a generic term that refers to the instruction set of another CPU architecture. So basically both RISC and x86 are types of instruction sets linked to CPU architecture.

So which one should I choose?
Call me old fashioned, but as a business guy, it always comes down to 3 basic tenets in terms of making a decision:
1) I like choice and the ability to pick and choose between multiple suppliers to get the best deal to meet my needs (and the ability to change supplier without major obstacles).
2) Performance is really important. Higher performance means that I get my work done quicker, which reduces the overall cost / improves time to revenue and ultimately improves the productivity of my business.
3) System cost and total cost of ownership are key decision points in today's era, which is vastly different from the 'dot.com' boom. It is all about managing the bottom line through good decisions around CAPEX and OPEX spending.

I applied my decision criteria and quickly found out that there is not a lot of choice from a hardware and operating system perspective with RISC architecture. In fact it looks quite the opposite of choice, which always concerns me; call me pro-choice if you like, but I like the ability to move around suppliers! On the other hand I found x86 to have lots of choice, with many hardware vendors to list and a range of operating systems from Windows to Linux and Solaris.

Having choice out of the way, I then moved onto performance for my business and looked at published results from many hardware vendors on different websites like http://www.spec.org. What I found was that Intel based systems had a lot of leading results against architectures like SPARC from SUN or Fujitsu and POWER from IBM.

I then looked at price (and being an ex-Accountant in my past career) nearly jumped for joy when I saw that system prices were low for x86 systems compared to the comparable RISC systems.

This analysis helped me understand it better and helped simplify my decision making.

Here is a short video with a little bit more detail. I would be interested in your thoughts and have you had any similar experiences that you would like to share.

2 Comments Permalink
0

Introduction of the "Relevance of Manageability & Automation Architecture" topic: http://communities.intel.com/thread/1564

Observations

  • The real benefits of Manageability & Automation (M&A) in the enterprise distill down to reducing overall operational costs and providing more responsive / agile computing services. Capabilities in the Manageability space have matured (some nominally, some dramatically). Examples include: the speed and cost of deploying patches, the autonomic restarting of stopped services, out-of-band remote control, etc. Unfortunately, many Automation capabilities have been very slow to mature. An example is providing an automated capacity response to a demand signal for an application. We need to understand the overall capacity of the "data center" (server, storage, network, facility) and provision or move workloads consistent with demand of those applications / services following defined IT policies (e.g. ERP gets priority over e-mail in the last week of the quarter). We have a long way to go to make this "utility data center" happen.


  • The basic automation technologies are available, but the effort/expense to deploy them is too high (or at least perceived too high). We are still trying to solve many of the same TCO and agility problems from years ago. ROI or NPV deployment justifications do not show immediate benefit.


  • The basic computing models have not substantially changed. There are two basic categories of application usage models. There are local "PC" applications that create/view content and enterprise applications that help execute business processes. Technologies like "application/OS streaming", PXE network boot, etc. are creative methods for packaging and delivering the needed bits to the destination for execution.


  • The industry has complicated these two usage models by introducing multiple device form factors, multiple operating systems, network enclaves, roaming connectivity, restricted permissions, secure communications, virtualization, SOA, new delivery models (like streaming), etc. All of this must be managed.


  • For enterprise applications, instrumenting the components (clients, networks, servers, services and the application) provides value, but is incomplete. Manageability needs to consider all aspects of the "user experience" to provide major benefit. The whole is truly larger than the sum of the parts.


  • Manageability vendors need to sell product, which requires differentiation. There is little vendor incentive to provide "standard" products, unless they can supplement those standard offerings with their specific differentiators. Although "adapters", scripting extensions, APIs, etc. are available, it is still very complicated and expensive to implement.

0 Comments Permalink
0

As many of you may know, there are two ways of contacting Intel AMT: the remote network interface and the local LMS/HECI interface. These interfaces are very different; the remote interface is available through the wired and sometimes wireless Ethernet and is rich with features, while the local Intel AMT interface is very limited. Intel AMT was designed this way from the start for security. Intel AMT, acting as an IT agent on desktops and laptops, could not be allowed to be meddled with by the local user or local applications that could try to use or deactivate Intel AMT. That at least was the original design intent.

Times have changed, it seems, and many users of Intel AMT don't see local users and applications as being always hostile. There are many reasons why it would be very interesting to access all of the features of Intel AMT locally. For example:

  • If the user changes the name of the computer in the OS, it would be nice to have a local agent sync up the Intel AMT network with the OS name automatically. This way, when the computer goes to sleep next, Intel AMT will report the correct new name.
  • Circuit breaker policies could be used as a local firewall implemented in hardware. Set it once and the gigabit network chip does all the filtering and counters at gigabit speeds.
  • On a mobile platform, wireless profiles could also be synched up automatically. The user adds a new wireless profile with a WPA key and this profile is automatically added to Intel AMT.
  • Enterprise provisioning of Intel AMT could be done entirely locally using local software removing the need for complicated centralized servers.

Instead of seeing the local user as hostile, local applications now cooperate to set up Intel AMT so that if something goes wrong, it's ready to be used to recover the computer. All this and more would be possible if Intel AMT allowed local applications full access to all the remote interface features.

A local application can't simply connect to TCP port 16992 or 16993 and access all of the Intel AMT features, since the traffic has to flow through the gigabit network interface. Connecting to 127.0.0.1 will not work; that will access the more limited local interface.

A solution is to use a reflection application like Intel AMT Reflector, found in the Intel AMT DTK. This tool runs on a central always-on server and simply reflects all TCP connections back to the source on ports 16992 to 16995. Using this tool, an Intel AMT console or even a web browser can connect to "http://reflector:16992" and log into its own Intel AMT remote services. However, there are issues with this solution: you need this reflector tool running and need to know where on the network it is running. Also, a rogue application could log into the remote interface and put in place an annoying circuit breaker policy to drop all packets, etc.

In the future, Intel AMT itself could be modified to allow all services on the local interface removing the need for the reflector. There are security considerations of course, but feedback from users of Intel AMT on this idea would be appreciated.

Ylian (Intel AMT Blog)
http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1391/Reflector.jpg

0 Comments Permalink
0

I have visited a number of customers recently. The discussions are usually straightforward: I provide them with a download of our current products, I tell them about things that we are doing in the future, and along the way I ask them some questions about trends that they are seeing with their businesses. It will come as no surprise that enterprises are trying to keep up with their current requirements while also squeezing out increasingly flat or dwindling budgets to do something new. Many are turning to virtualization as a way to do more.

So who cares? CFOs care. I went out to visit a leading Fortune 500 company based on the West Coast of the US. Keep in mind I am planning to discuss our server platforms, why I believe they are leadership on performance and power and also all of the great new virtualization features we have recently introduced or will intro in the future. Before we get started they proudly walk me through their new datacenter and I stop in front of a rack that has two servers in it. Two 2U two processor servers. It is right next to another rack that has four servers in it. I inquire as to why both racks are only partially full and I receive a response that says one is owned by Finance, one is owned by a business unit. IT just manages them. You can look at this two ways. The glass half empty way would be that they are wasting an incredible amount of datacenter space and they are hopeless. The glass half full way would be that this is a great opportunity to really deliver value to this company's bottom line by first convincing them that physical consolidation (fill up their racks) is important, then showing them a path toward application consolidation and finally sharing a vision of datacenter virtualization that includes compute, storage and networking. Their CFO will care.

IT employees care. One theme that seems to be coming through loud and clear is that people who drive some form of virtualization are usually considered innovators or leading edge thinkers within their company. I have heard the term "IT Hero" used to refer to someone who has delivered on a high ROI project, usually these days through the use of virtualization. I have met a number of IT folks at conferences and during visits and it is uncanny how many are trying to dig for more product information and how eager they are to hear about what new features we're putting into CPUs, chipsets, networking devices. A quick search of YouTube found this case study (here) that sums up the sorts of things I have heard.

It is also increasingly important that all of this stuff works well with the software, VMM and OS vendors' product offerings. I know we are working closely with all of the ecosystem players because if we come out with an amazing new feature in our components it would be wasted if the VMM, OS or software didn't take advantage of it. There is some interesting banter here (here) about some of the pros and cons with virtualization. We are busy working on features that improve the performance and simplify the experience end users have when they virtualize. Why do you care about virtualization? What are you doing today that you couldn't do a year or two ago that has been made possible because of virtualization related technology?

0 Comments Permalink
0

Be sure to view this brand new resource created in the activation subzone. It details out nearly 40 links to documents, tools, and websites that aid in activation of Intel vPro Technology.

CHECK IT OUT:

vPro Useful Links

0 Comments Permalink
1

Come join us!

The success of a security program is measured by an event that doesn't happen, so how do you know if you were successful? Matt Rosenquist, Intel's Information Security Strategist, will do a three-part series on Blog Talk Radio discussing the difficulties of measuring a security program.

Segment 1: May 20th at 10:30 AM (Pacific): The Problem of Measuring Security Part 1 of 3

Segment 2: May 29th at 10:30 AM (Pacific): Return on Security Investment - Intel Case Study Part 2 of 3

Segment 3: June 4th at 10:30 AM (Pacific): Future State of Security Measurement Part 3 of 3


Our Blog Talk Radio segments are interactive and we will be taking live calls from listeners (Call-in Number: (347) 326-9831) and live chat over the Web.


What are your questions for Matt around security metrics?

1 Comments Permalink
0

While at MMS, Microsoft System Center Configuration Manager Program Manager Dave Randall demonstrated how Intel vPro Technology enhances Microsoft System Center Configuration Manager 2007 SP1. The video below includes demonstrations around secure remote power control, remote diagnosis and repair of troubled PCs, discovery of PC assets, and remote configuration.




To see more videos from MMS 2008, go to http://www.intel.com/go/mms/

0 Comments Permalink
0

While at MMS, we had the opportunity to talk with D.C. Tardy, System Architect at EDS. He talked about the Return On Investment of Intel vPro technology, including a Canadian Call Center case study that returned a savings of almost $750,000 across 3 years. He also talked about the combination of System Center Configuration Manager with Intel vPro technology.




To see more videos from MMS 2008, go to http://www.intel.com/go/mms/

0 Comments Permalink
0

At MMS, we had Brad Anderson, General Manager of Microsoft Management and Services Division, and Gregory Bryant, Intel VP and General Manager of the Digital Office Platform Division, answer some questions about the new capabilities in System Center Configuration Manager 2007 SP1 with Intel vPro technology. See their responses below.

1) How does Intel vPro Technology fit into System Center Configuration Manager 2007 SP1?



2) What can IT expect in terms of the level of integration of Intel vPro Technology into System Center Configuration Manager 2007 SP1?




3) Why should IT now take advantage of Intel vPro Technology and System Center Configuration Manager 2007 SP1?




4) When should enterprises activate Intel vPro Technology with System Center Configuration Manager 2007 SP1 in their PC infrastructure?




5) Last, we asked a series of questions about System Center Configuration Manager 2007 SP1 Support for the Current Generation of Intel vPro Technology with WS-MAN Support, as well as with Legacy Generations of Intel vPro technology.




To see more videos, demonstrations, interviews and more from MMS 2008, go to http://www.intel.com/go/mms/

0 Comments Permalink