Formerly known as Web Admin for Windows, Real-Time System Manager provides a powerful set of functions for IT specialists. In part 5 of this article series we covered the main points for Real-Time Console Infrastructure troubleshooting. As a natural extension of RTCI, Real-Time System Manager troubleshooting is covered in this article as part 6. With an emphasis on credentials and connection methods, this article provides information to overcome the most common issues seen when using the Real-Time tab for direct, one-to-one computer interaction.

Introduction

Real-Time System Manager provides a powerful tool for directly connecting to a system agentlessly with functionality available through WMI and Intel AMT. This article covers the issues associated with general functions seen with both technologies but with emphasis on the AMT functions. The following sections cover areas of troubleshooting:

• Connection Issues
• Authentication Issues
• IDE Redirect (IDER)
• Network Filtering

Connection Issues

Under the current architecture the FQDN is the primary method for connecting and authenticating to AMT on remote systems. If the FQDN the Real-Time tab is using does not resolve in DNS, then AMT connectivity and thus functionality will not be available. FQDN connectivity issues are the number one issues we see with RTSM connections to AMT.

Invalid FQDN

To view what FQDN the Real-Time is using, use the ‘Hardware Management' node in the RTSM tree. The following screenshot shows what AMT is using:

In this example my system is in a workgroup and reported only the hostname as the FQDN, which DNS had no trouble resolving. If this fqdn is not reachable via DNS, we won't be able to connect to the AMT functionality.

NOTE: We use several methods, including IP address, for WMI. WMI functionality may show correctly when AMT is absent in this situation

Use these steps to see the FQDN is the issue:

1. Open the Real-Time tab for the AMT system you are managing.
2. Once the tree loads, open the Real-Time System manager folder, open Administrative Tasks, and click on ‘Hardware Management'.
3. Once the page loads, if AMT is missing as an available technology, take note of the name displayed as in the screenshot above.
4. Go to Start, Run, type in cmd, and click OK.
5. Type in nslookup <name displayed>. In the above example it would read:
   1. Nslookup dellvpro
6. Can DNS resolve this address? If no, we'll need to fix the issue in one of the following ways.
7. FIX DNS and/or the Altiris record: If DNS can be fixed, this is the preferred method. The difficulty is finding out why the Altiris Agent reported the incorrect record. Once DNS is fixed, have the Altiris Agent run Basic Inventory. The table location we pull this out of for management in RTSM is Inv_AeX_AC_Location, column: Fully Qualified Domain Name.
8. Use the ‘Manage' node available in RTSM (see the below screenshot): By putting in the IP address of the system, we'll use the IP to lookup the FQDN and not make any assumptions.
   
9. Update the Servers HOSTS or LMHOSTS files to contain the mapping to the invalid name. For example find the LMHOSTS file, edit it and add a line <IP ADDRESS> <FQDN>, as in this example:
   1. 10.10.10.1 Dellvpro

Real-Time unable to connect

If WMI and AMT functions are unavailable, you'll get a message when you click on the Real-Time tab indicating that the functionality isn't available. See the following screenshot:

Note: If you use another product such as Dell or HP's plug-ins to this tab, you'll simply not have the ‘Real-Time System Manager' node underneath Real-Time Consoles.

The number one reason this occurs is due to a firewall being engaged. Firewalls need to allow AMT traffic through. If a firewall is enabled, use the following details to resolve the AMT issue:

1. Create an inclusion in the firewall properties.
2. Allow the following ports, based off your environment:
   1. 16992 - For non-TLS encrypted traffic - if you are not using TLS this is the port that will be used for communication
   2. 16993 - For TLS-enabled, encrypted AMT traffic - If https is required for communication with AMT, this port will be used
   3. 16994 - For a note, AMT provisioning uses this port for sending out the ‘hello' packet during the configuration process - this will be used if you initiate a reprovision from RTSM
3. Another options is to disable the firewall when you need to manage the system via RTSM.
4. Unfortunately WMI has a known issue with the Windows firewall where the dynamic ports WMI uses after initiation will be blocked. It's a bug in WMI that has been addressed in Vista. Previous Operating Systems do not have a resolution at this time.

The other issue we've seen is where the system is simply unavailable for one reason or another. AMT is available if the system is off but still connected to the network, but WMI or if the system is unplugged from power or off the network RTSM obviously cannot function. Verify that the system is available if nothing resolves this issue.

Authentication Issues

Another common issue concerns authentication to the system via the Real-Time tab. First, let me discuss the methods RTSM uses to authenticate to a target system.

Authentication Methods

Runtime Profile - The Runtime profile contains he following information:

• All known good credentials used to connect via RTSM to a system
• The Intel SCS AMT password sent to systems when provisioning occurs
• Previously successfully used credentials from past RTSM sessions

User-defined Profiles - Profiles can be created that specifically provide credentials for the four types of technologies:

• WMI digest or Domain account
• AMT digest or Kerberos-authenticated user
• ASF digest or Domain account
• SNMP community strings

Manually entered credentials - When RTSM tries to connect, if the default profile set in the RTCI configuration fails to authenticate, the left-hand tree will still load but each node will prompt the user for credentials. A user can put in an AMT account, Domain user, or digest user that has rights on the target system. When authentication succeeds, these credentials are then stored in the Runtime Profile for the target system.

Troubleshooting Authentication

The following method will help identify issues and offer ways to work-around and solutions. These have been compiled through experience when troubleshooting issues with failed authentication with RTSM.

1. In the Altiris Console browse to View > Solutions > Real-Time Console Infrastructure > Configuration > select Manage Credentials Profiles.
2. Where does the green checkmark fall? This is the default profile that will be used when connecting via the Real-Time tab.
3. Create a new profile by clicking the blue + on the icon bar in the right-hand pane.
4. Under the Intel® AMT tab check the box ‘Enable this technology in the profile'.
5. Supply the admin user credentials set when the managed vPro systems were provisioned.
6. Under the WMI tab also check the box as above and provide a user that has admin privileges to the target system.
7. Give the profile a name and then save it.
8. Back at the main screen check the box under the ‘Default' column until the green check-mark uses your new Profile.
9. Test to see if this new profile is successful. Note that you'll need to launch IE fresh to use the new settings.
10. If it is not, try entering credentials in manually when you hit the system under the Real-Time tab. See the screenshot below for the connection icon to switch between WMI and AMT authentication. If two show in this area, both technologies are available but not authenticated.
    
11. In one case we supplied only AMT credentials in the Profile which allowed it to authenticate to AMT while a multiple protocol authentication profile failed.
12. Check the collection you are launching Resource Explorer from. Sometimes the identity of the system is incorrect. For AMT you can launch RTSM from the Provisioned collections populated with the Resource Synchronization.

IDE Redirect (IDER)

IDE Redirect allows a system to be remotely booted to a file, drive, or virtual disc. There are a number of potential issues to be aware of when working with IDER in a vPro environment. The below items include well-known issues and their resolutions.

Redirection Invalid Parameter

When initiating an IDER (IDE Redirect) session to an external source such as an .iso file, the following error appears in the console:

Power management operation failed.
Redirection session start has failed. See logs for more details.

The Notification Server log shows the following error:

Log File Name: C:\Program Files\Altiris\Notification Server\Logs\a.log
Priority: 2
Date: 3/9/2007 2:51:05 PM
Tick Count: 10617218
Host Name: <>
Process: w3wp.exe (2436)
Thread ID: 5412
Module: AltirisNativeHelper.dll
Source: RTCI.Trace
Description: RedirectionProvider::StartIDER - RedirectionProvider::StartIDER - IMR_IDEROpenTCPSession: IMR_RES_INVALID_PARAMETER

This is caused by Intel's redirection library requiring a correct floppy device to initiate an IDER session (either floppy image or real removable device). Real-Time System Manager 6.2 can work around this. If you put floppy.img file into Program Files\Altiris\RTSM\UIData folder, then the issue will not occur.

IDER or SOL Disabled

In some instances Intel vPro systems are arriving from the OEM with IDER and SOL disabled in the BIOS. When disabled, neither of these functions work from any management engine, including RTSM. Correcting this oversight is not easy, especially if the OEMs do not offer a solution by a firmware or BIOS update. Use the following method to resolve the issue:

1. Go to the Support site for the OEM for the systems.
2. Browse to the drivers and downloads section for the exact model (note that sometimes the model will differ based on possessing or not possessing vPro technology).
3. Check the firmware updates for a new BIOS.
4. Check the documentation for any new BIOS versions that include vPro to see if they've corrected this.
5. Contact your OEM if they have not and request a status!
6. The only other recourse is to develop an update yourself or manually update the settings by visiting the system.

Conclusion

This should account for the most common issues we've seen, and allow you to successfully use RTSM with AMT technology, avoiding those issues.

I have recently posted a resorce pertaining to SCCM SP1 and Out of Band Management.

1. SCCM SP1 Help file- This is the help file that ships with SCCM SP1 RC1. It is a great resource to used to get all of the details specific to SCCM as well as a section devoted to Out of Band Management