In part 1 of this series we covered troubleshooting the local AMT client system. In this part we'll discuss the server components as part of the provisioning process. Learn how the symptoms pinpoint each component, and what methods reveal the source of the problem. Learn how Out of Band Management handles the Hello Packets in conjunction with the Intel SCS Component.
Provisioning isn't a single road. There are two primary paths to reaching a provisioned state, not counting the simple 'Small Business Mode'. Pre-shared Keys (TLS-PSK) and Remote Configuration (certificate-based TLS) give an AMT system two methods for authenticating with the Provision Server and receiving a Profile that sets it into a Provisioned state. Understanding the server components is essential to properly diagnosing and troubleshooting problems with the process. Part 3 of this series will cover the symptoms and their likely causes, including troubleshooting details.
The following components integrate in the following manner:
Out of Band Management
Out of Band Management contains 3 main components, with further components broken down as shown here:
Out of Band Management Solution - This is the main NS installer
NS-based Tasks and Agents
Provisioning Console Nodes
Out of Band Setup and Configuration - This is a wrapper for the Intel SCS install
Creates the files used for the Intel SCS installation
Intel SCS Component - This is Intel code for interacting with AMT systems
Out of Band Management Solution
The installer for this Solution creates the Altiris Console pages and underlying code that interface directly with the Intel SCS component. Consider those pages as hooks into Intel SCS. Intel SCS can install without Out of Band Management. Everything located in the Altiris Console at View > Solutions > Out of Band Management > Configuration > Provisioning ties directly through the AMTSCS web service to access the IntelAMT database (with the exception of DNS Configuration, Service Location, and Delayed Provisioning).
This installer also creates the Tasks, Packages, and Agents used for Out of Band Management, including:
Out of Band Discovery - This is an EXE that uses the standard NS Software Delivery to detect the presence of AMT and pull certain data out, including the UUID. This is used heavily for FQDN mapping and is an important part of the best provisioning method.
Out of Band Task Agent - This agent installs like any other Altiris Agent subagent. It's used to function with ASF, or to restart the Hello Packet sequence with Delayed Provisioning in Remote Configuration.
Delayed Provisioning Task - This restarts the Hello Packet sequence, and requires the Out of Band Task Agent.
Collections and Packages - Collections and Packages for the above items.
Oobprov.exe - This is the Provisioning agent that assists the SCS in provisioning AMT client systems.
Out of Band Management NS items will work without IntelSCS, but the Provisioning nodes require Intel SCS to be installed and properly configured.
Installed alone, most of the above nodes will not function. The default error shown here appears with ANY problem:
Error connecting to the Intel® AMT Setup and Configuration Server. Verify that Intel® AMT Setup and Configuration Service security settings are configured and AMTConfig service is running. See documentation for details on troubleshooting the Intel® Setup and Configuration Server Installation.
The error always has a second bullet point, with another warning box containing additional bullets. These usually give a more specific message concerning the problem. I've rarely found that the message above accurately points to the source of the problem. See this screenshot for an example:
Out of Band Setup and Configuration
This installer is truly just a wrapper for the Intel SCS installation. It does provide a crucial function. It lays down the following folder structure where the Intel SCS Component is installed from:
Install_path\Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\OOB\IntelSCS
The installer does make an automatic attempt to install Intel SCS using the script located at the above location named InstallWithDefaultSettings.cmd. This install makes the following assumptions:
The SQL database server and instance is the same one the Notification Server is using
The AMTConfig service account will run under the Altiris Application Identity credentials
The Database install and user will be the Altiris Application Identity Account
The Default Web Site is available for install of the AMTSCS virtual directory
Intel SCS Component
The Intel Setup and Configuration Service component is provided by Intel and supported by Altiris\Symantec. This includes the following components:
IntelAMT database - Like the Altiris database, the IntelAMT database is the backbone of the SCS component. The following items are included in the database:
Hello packet data
Queues for Provisioning and Maintenance actions
Settings for SCS
AMT machine data
AMTConfig Service - This service is the piece that talks to the AMT systems and processes items in the database queues. It also calls oobprov.exe to assist in provisioning, primarily to obtain the FQDN for the system.
AMTSCS Virtual Directory - In IIS, SCS creates a virtual directory that contains the interfaces the Out of Band Management Console uses to connect to the IntelAMT database. Its simple structure belies the importance of this interface.
Keep in mind the following:
Failures to install are almost always security related. See the below ‘Install' section for more information.
The IntelAMT and Altiris databases are required to be installed to the same SQL instance for Resource Synchronization to work. (Resource Synch is the process of importing AMT systems from SCS to NS. In cases where a system is already managed by NS, the data will be merged into the existing NS record.)
Often when you install Out of Band Management Solution or the Altiris Manageability Toolkit for vPro Technology the assumptions cause the OOBSC component to fail, and a message is thrown giving basic instructions on how to install it manually. In some ways I prefer the manual installation so each setting can be directly controlled. When this happens, it's important to follow these steps to avoid issues:
Log onto the Notification Server with the Application Identity, or if not allowed, log on as the user that has rights to the Notification Server and the SQL Server.
Stop IIS on the Notification Server, shut down all Altiris Consoles, stop the AMTConfig service, and shut down any SQL consoles (SQL Enterprise Studio, Query Analyzer, etc). While this can be difficult to arrange, it ensures all necessary accesses and resources are available.
Launch the installer directly from install_path\Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\OOB\IntelSCS\AMTConfServer.exe
Follow the onscreen prompts. In the next part we'll discuss a scripted install should this install fail. The scripted install allows greater visibility to the process and shows any errors as they occur.
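A pre-flight check for the manual install steps above, as an added example that is not part of the original article or of the Altiris or Intel tooling. The service names W3SVC and AMTConfig, the SQL console process names, and the NsRoot parameter (standing in for install_path) are assumptions.

```powershell
# Added example: pre-flight check before launching AMTConfServer.exe manually.
# Assumptions (not from the original article): the Windows service names
# 'W3SVC' (IIS) and 'AMTConfig', the SQL console process names, and the
# -NsRoot parameter standing in for the article's install_path placeholder.
param(
    [Parameter(Mandatory = $true)]
    [string]$NsRoot   # folder that contains 'Program Files\Altiris'
)

$problems = @()

# IIS and the AMTConfig service must both be stopped before the install.
foreach ($name in 'W3SVC', 'AMTConfig') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Host "Service '$name' not found (expected for AMTConfig on a first install)."
    } elseif ($svc.Status -ne 'Stopped') {
        $problems += "Service '$name' is $($svc.Status); stop it first."
    }
}

# SQL consoles hold connections to the database server; close them.
# isqlw = Query Analyzer, SqlWb / Ssms = Management Studio (assumed names).
$consoles = Get-Process -Name 'isqlw', 'SqlWb', 'Ssms' -ErrorAction SilentlyContinue
foreach ($p in $consoles) {
    $problems += "SQL console still open: $($p.ProcessName) (PID $($p.Id))."
}

# The installer must exist where the Out of Band Setup wrapper laid it down.
$relative  = 'Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\OOB\IntelSCS\AMTConfServer.exe'
$installer = Join-Path $NsRoot $relative
if (-not (Test-Path -LiteralPath $installer)) {
    $problems += "Installer not found at $installer."
}

# Show the logon account so it can be compared with the Application Identity.
Write-Host "Running as: $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "Pre-flight checks passed. Launch: $installer"
```

Open Altiris Consoles run in a browser and are not detected by this script, so close them by hand before running it.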
This component is what is known as the Provisioning Script, or Properties Script. Intel SCS requires a provisioning script in order to conduct Provisioning, and as mentioned earlier this is provided as part of Out of Band Management.
When the AMTConfig Service receives an incoming hello message, it logs it in, places the provisioning request in the queue, and then calls oobprov.exe. Any message stating ‘Properties Script Failed' means that oobprov.exe did not successfully provision the AMT system.
AMTSCS Virtual Web-site
The web-site is generally invisible to the admin running the Console. It must exist, but otherwise the mechanism is pretty solid. The only exception to this rule is whether or not TLS (Transport Layer Security) is involved.
Keep in mind the following:
If you will be using TLS for AMT management, this virtual directory must be set with https for any functionality.
If you will not be using TLS, https cannot be enabled on this virtual directory.
If TLS is not implemented but https is enabled on the virtual directory, the Altiris Console will fail.
If TLS is enabled but https is disabled on the virtual directory, the Altiris Console will fail.
The default is https enabled when running the SCS install manually.
Much like the Altiris database is to NS, the IntelAMT database is the backbone of Intel SCS. While all functions in the console are automatically interconnected in the database, understanding some of the important tables can help in the troubleshooting process.
The following is a list of some of the core tables used by Intel SCS:
csti_amts - This is the data on the actual AMT system. When looking in the Intel AMT Systems node in the Altiris Console, it is reflecting data from this table.
csti_configuration - This table holds the core configuration between Out of Band Management and Intel SCS.
csti_uuid_maps - This maps the UUID (Primary AMT ID) to the FQDN.
csti_pid_map - This table contains the security key information so that Intel SCS can authenticate to the AMT client systems, and the client systems can initially authenticate with Intel SCS.
csto_queue_entries - This is the queue wherein Intel SCS processes Provisioning and Maintenance requests.
csto_delayed_entries - For Provisioning requests that have failed for whatever reason, this queue is used.
This introduction to the Server Components will help provide understanding for the moving pieces, and will be heavily referred to in Part 3. Knowing how each component functions will greatly help when walking through the troubleshooting steps, especially on how to identify where the problem is originating from.