3 Replies Latest reply on Apr 7, 2008 7:44 AM by mveerama

    Problems with Intel SCS and Active Directory

    whgibbo

      Hi,

      Was wondering if somebody could help. I've been having problems provisioning an AMT machine. The problem is that once the machine has been configured it is coming back as "Limited Access".

      After investigating further, it appears that the problem is related to the Active Directory. The new machine was not added to the Active Directory!!

      So after signing on to the machine and joining the domain manually, I then deleted the AMT machine from the SCS and re-provisioned the machine again. This time the machine was provisioned correctly.

      I then deleted the AMT machine from the SCS and re-provisioned the machine again, but this time using a profile with TLS configured. The machine was provisioned correctly.

      I re-read the manual and from what I remember, we followed all the steps. I re-checked that the Active Directory schema had been updated. I ran the 'CheckSchemaExists.VBS' from 'C:\program files\Intel\AMTConfServer\AminScripts\Active Directory Schema'. It returned:

      Schema Exists for CN=Schema,CN=Configuration,DC=amt,DC=sbdev,DC=net

      I went through the section 'Give the SCS User Permission to Create/Delete AMT Object' from the "Intel AMT SCS Installation and User Manual". From what I can recall the user was SCSUser (but I can't be 100% sure; is there any way to tell?). I then tried to provision another machine, but this resulted in the same problem, 'Limited Access'.

      Any ideas?

      Many thanks

      Gibbo


        • 1. Re: Problems with Intel SCS and Active Directory
          mveerama

          Hi Gibbo,

          Provisioning AMT does not add the machine to AD. You need to add the machine to AD and then provision AMT either with Kerberos support, which will give you (single sign-on) ability to manage AMT with the same usernames that you use to log into Windows, or with digest authentication (user name/passwords defined in the profile separately). On the SCS tree on the left side navigate to the "User" section and make sure the SCSUser or the account you used to install has Administrator access to the SCS. If you had Enterprise Admin access it should be alright. When you provision using Kerberos it will create an object with the machine name in the OU that is specified in the config properties for the machine (this is the second input item on the config properties window), but it will not automatically add the computer to AD. The computer should be part of the domain prior to initiating provisioning. Hope this helps!

          Mohan.


          • 2. Re: Problems with Intel SCS and Active Directory
            whgibbo

            Hi Mohan,

            Thanks for getting back to me.

            We are currently trying to test Zero Touch, so the machine will not have been added to the Active Directory before it is provisioned.

            The only user in the user tree is the Administrator, so they should have all the rights that are required.

            So still a little lost.

            Gibbo


            • 3. Re: Problems with Intel SCS and Active Directory
              mveerama

              Hi Gibbo,

              Zero Touch refers to just the AMT provisioning, in that a properly staged machine gets provisioned automatically once it is set up on a user's desk. It does not have anything to do with what you normally do with respect to your OS build and the prep work you do to get the machine joined to your domain. Once you have the machine joined to your domain internally, if you have one of the client setup certificates from the trusted roots built into the AMT firmware, then provisioning happens automatically when the computer is turned on at the user's desk, without touching it when you turn it on. In fact you need to make sure that the desktop/laptop gets provisioned properly with "hostname.domainname", in other words the fully qualified name, so it can be accessed later on for managing it. Appropriate process changes are needed to make sure provisioning does not happen prior to joining the computers to the domain, so they can be managed with the fully qualified name of the computer.

              Alternatively, there is a way to provision AMT prior to the OS build (bare-metal provisioning). In that case you need to have a plan to figure out the FQDN for the machine when the OS build is complete, have an alternate database lookup to figure out that name corresponding to the UUID, and have a script associate that FQDN with the UUID coming from the hello packets during provisioning. This will be more process intensive and I have not had a chance to work with bare-metal provisioning. Hope this helps!

              thanks, Mohan.
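The prerequisites Mohan lists (computer joined to the domain first, a fully qualified "hostname.domainname" that resolves, and the AMT object that a Kerberos profile creates in the configured OU) can be checked before SCS provisioning is started. The script below is an added example, not code from the thread or from Intel SCS; it assumes it is run on the candidate AMT client and that the ActiveDirectory PowerShell module is available for the AD lookups (those are skipped otherwise), and the `-AmtObjectOU` parameter is a hypothetical name for the OU set in the machine's config properties.

```powershell
# Added example (not from the thread or from Intel SCS): pre-provisioning
# check for the AD prerequisites discussed above. Run on the client itself.
function Test-AmtProvisioningPrereqs {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: the OU where SCS creates the AMT object
        # (second item on the config properties window). Optional.
        [string]$AmtObjectOU
    )
    $result = [ordered]@{}
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $result.PartOfDomain = [bool]$cs.PartOfDomain
    $result.Domain       = $cs.Domain
    # SCS must record the fully qualified name, not a bare hostname.
    if ($cs.PartOfDomain) { $fqdn = "$($cs.DNSHostName).$($cs.Domain)" }
    else                  { $fqdn = $cs.DNSHostName }
    $result.FQDN            = $fqdn
    $result.FqdnIsQualified = ($fqdn -match '^[^.]+\.[^.]+')
    # The FQDN must resolve, otherwise the AMT device cannot be reached later.
    try {
        $entry = [System.Net.Dns]::GetHostEntry($fqdn)
        $result.DnsResolves = ($entry.HostName -ieq $fqdn)
    } catch {
        $result.DnsResolves = $false
    }
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory
        # Provisioning never creates the computer account; it must already exist.
        $comp = Get-ADComputer -Filter "DNSHostName -eq '$fqdn'" -ErrorAction SilentlyContinue
        $result.ComputerObjectExists = ($null -ne $comp)
        if ($AmtObjectOU) {
            # An object named after the host in the AMT OU means a previous
            # provisioning run already created it (delete it in SCS first if
            # you intend to re-provision, as Gibbo did).
            $existing = Get-ADObject -SearchBase $AmtObjectOU `
                -Filter "Name -eq '$($cs.DNSHostName)'" -ErrorAction SilentlyContinue
            $result.AmtObjectAlreadyPresent = ($null -ne $existing)
        }
    } else {
        $result.ComputerObjectExists = 'unknown (ActiveDirectory module not installed)'
    }
    $result.ReadyToProvision = $result.PartOfDomain -and $result.FqdnIsQualified `
        -and $result.DnsResolves -and ($result.ComputerObjectExists -eq $true)
    [pscustomobject]$result
}

# Constructed usage: OU value is a placeholder, replace with your AMT OU.
Test-AmtProvisioningPrereqs -AmtObjectOU 'OU=AMT,DC=example,DC=net' | Format-List
```

A `ReadyToProvision` of `False` with `PartOfDomain` false reproduces the situation in the first post: the client was configured before it was joined, so the Kerberos-based profile could not yield a fully managed ("not Limited Access") device.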