Clarifications on Kace Agent Kindly Requested
Good morning all,
We have just finished upgrading all our servers (K1, K2, RSA), running with new hostnames, and migrating them all to VM. In the process, we shed a lot of old baggage and are starting off semi-new. Before me migrated our K1, we sent an update script out to all connected agents with the new server address and that appears to be working fine now, as a majority of devices are still checking in.
I've been handling Kace for about 2 years now and have carried us through v6 and now onto v7. In my entire time, I have *always* had a hard time with agent provisioning. We didn't use a GPO before I took over, have been advised by our sysadmins it is (or has been) a real pain to use a GPO package, and so because of this and my existing provisioning issues, I have configured my K2 to add the agent while imaging so I can guarantee that all new machines that my IT department images/setups up get the agent installed. I'm sure there's other and better ways to do this, especially with labels, but this is our environment for the time being.
So I'm revisiting the provisioning again, am doing some testing, and need some clarification on a few things, as the documentation just doesn't seem to lay it out simply and/or specifically
1. In the K1 for Windows, I use local credentials to install the agent. Should my credentials be username & password or .\username & password? I seem to get mixed results with both, but would prefer not to use domain creds. *ALL* machines should have the same local creds.
2. In preparing for agent install, documentation indicates to open 139 & 445. Is this on my target PCs that these ports need to be open or on the K1 that the targetsĀ need to be able to communicate with the K1 on? If on my target, are they TCP or UDP?
In testing, I do have some provisioning schedules that are having very limited success. The significant majority of my schedules result in Failure with the following errors:
1. NETWORK/NT_STATUS_LOGON_FAILURE
2. NETWORK/NT_STATUS_IO_TIMEOUT
3. NETWORK/NT_STATUS_CONNECTION_REFUSED
4. NETWORK/NT_STATUS_BAD_NETWORK_NAME
5. NETWORK/CreateProcessAsUser
These are ALL listed as failed. However, if I go into my K1 inventory and pop in some of the associated IPs, I get back devices that have been checking in for some time. This has me wondering if Kace indicates in any meaningful language that a provisioning failed *because* the agent was already installed or is, perhaps, something wrong with my already installed agents?
In addition, on my successful provisions, my results page lists all my devices as disconnected. If I check a some of those IPs in my Inventory, I get back devices that haven't checked in for 5 days, or devices that checked in well over an hour ago, which is well before I ran the schedule, which is as I'm writing this. Oh, and they *are* online, not disconnected as the agent reports in the successful report of the schedule.
Thanks in advance.
We have just finished upgrading all our servers (K1, K2, RSA), running with new hostnames, and migrating them all to VM. In the process, we shed a lot of old baggage and are starting off semi-new. Before me migrated our K1, we sent an update script out to all connected agents with the new server address and that appears to be working fine now, as a majority of devices are still checking in.
I've been handling Kace for about 2 years now and have carried us through v6 and now onto v7. In my entire time, I have *always* had a hard time with agent provisioning. We didn't use a GPO before I took over, have been advised by our sysadmins it is (or has been) a real pain to use a GPO package, and so because of this and my existing provisioning issues, I have configured my K2 to add the agent while imaging so I can guarantee that all new machines that my IT department images/setups up get the agent installed. I'm sure there's other and better ways to do this, especially with labels, but this is our environment for the time being.
So I'm revisiting the provisioning again, am doing some testing, and need some clarification on a few things, as the documentation just doesn't seem to lay it out simply and/or specifically
1. In the K1 for Windows, I use local credentials to install the agent. Should my credentials be username & password or .\username & password? I seem to get mixed results with both, but would prefer not to use domain creds. *ALL* machines should have the same local creds.
2. In preparing for agent install, documentation indicates to open 139 & 445. Is this on my target PCs that these ports need to be open or on the K1 that the targetsĀ need to be able to communicate with the K1 on? If on my target, are they TCP or UDP?
In testing, I do have some provisioning schedules that are having very limited success. The significant majority of my schedules result in Failure with the following errors:
1. NETWORK/NT_STATUS_LOGON_FAILURE
2. NETWORK/NT_STATUS_IO_TIMEOUT
3. NETWORK/NT_STATUS_CONNECTION_REFUSED
4. NETWORK/NT_STATUS_BAD_NETWORK_NAME
5. NETWORK/CreateProcessAsUser
These are ALL listed as failed. However, if I go into my K1 inventory and pop in some of the associated IPs, I get back devices that have been checking in for some time. This has me wondering if Kace indicates in any meaningful language that a provisioning failed *because* the agent was already installed or is, perhaps, something wrong with my already installed agents?
In addition, on my successful provisions, my results page lists all my devices as disconnected. If I check a some of those IPs in my Inventory, I get back devices that haven't checked in for 5 days, or devices that checked in well over an hour ago, which is well before I ran the schedule, which is as I'm writing this. Oh, and they *are* online, not disconnected as the agent reports in the successful report of the schedule.
Thanks in advance.
0 Comments
[ + ] Show comments
Answers (1)
Please log in to answer
Posted by:
Nico_K
7 years ago
if an agent has been installed, a provisioning fails. It should say so.
To update use the Agent Update (Settings | Provisioning | Update Agents)
The errors can be caused by many things. Always be sure that the user who is used to provision has the correct rights and does not run in admin approval mode, since you cannot click the UAC popup window while running non interactive.
GPO is the best way to provision the first time to already installed systems.
You can use the GPO tool for that: https://support.quest.com/kb/133776
To update use the Agent Update (Settings | Provisioning | Update Agents)
The errors can be caused by many things. Always be sure that the user who is used to provision has the correct rights and does not run in admin approval mode, since you cannot click the UAC popup window while running non interactive.
GPO is the best way to provision the first time to already installed systems.
You can use the GPO tool for that: https://support.quest.com/kb/133776
Comments:
-
If I do an individual provisioning, yes, it indicates the agent is already installed. If I'm using a schedule with an IP range, it's not always so clear, since all my ranges includes hundreds of PCs. Going through that lists individually much more time consuming that an individual device provisioning.
UAC is off on my Windows machines, and permissions are set at the domain level. e use local credentials for agent installation, but I don't know if I have to enter those in Windows indicated local credentials or not.
local admin vs .\localadmin
We will be looking into using GPO for future provisioning. - rskwire 7 years ago