
Multiple domain environment: Push install via "Protect New Computers" is not working

We're new to Sophos. We took our test/trial server to production and would like to fix some of the things that we hadn't had working during the trial. SEC 4.5.1.0 is installed on Windows Server 2003 SP2.

When we right-click a computer in a group and go through the Protect Computers wizard, I'll enter in credentials (either domain\username or domain.full\username) and send it on its way. Unfortunately nothing happens... no green or orange arrows, etc.

On a target machine, I have verified the following:

  1. The following services must be started:
    • Task Scheduler Service
    • Remote Registry Service
    • Server Service
    • Computer Browsing service
    • Workstation Service
    These services are usually started by default. However, in certain environments, this may not be the case.
  2. An administrative C$ share must exist on the target computer.
  3. The account specified when you run the 'Protect computers wizard' must have administrative rights over the target computer.

I disabled Simple File Sharing and verified that the File and Printer sharing component was enabled. Firewalls are disabled across the network but I made exceptions for 8192, 8193, and 8194 on the target machine anyway.

I've created packages using the Deployment Packager using the GUI and the CLI but I would still like the option of installing/uninstalling via SEC.

Any help would be greatly appreciated!

:10713


  • Hi,

    The first thing to check is that the account you specify in the wizard to deploy as can log on to the machine where the Sophos Management Service resides.  As a test:

    runas /user:domain\username cmd.exe

    Does this launch CMD? Or do you get an error such as:
    1385 - Logon failure: the user has not been granted the requested logon type at this computer

    Regards,

    Jak

    :10715
  • I'll try that as soon as I can and update here. I'm already thinking that's an issue since (I believe) by default the local account of <servername>\SophosUpdateMgr is set as the account to be used. I'll need to change that to a domain account with rights.

    :10719
  • The account used to create the scheduled task on the remote machine is the one that you enter in the Protect wizard,

    That needs to be able to log onto the machine where the management service is located and needs to be an administrator over the target.


    Regards,

    Jak

    :10725
  • Sorry for my confusion... I forgot about that window. In that case, I have been properly entering the credentials as such domain.com\<username> and I'm a domain admin.

    Are there any logs I can provide for you? I'm not familiar with the aspect of the program.

    :10731
  • I would suggest using:

    <remotedomainshortformat>\administrator

    in the protect wizard, ensuring that "<remotedomainshortformat>\administrator" can logon to the machine where the Sophos management service resides.  

    Is that the same account as you're logged on as on the machine where the management service is running?

    If not, I would suggest logging in as that account and testing the creation of a scheduled task on the remote machine through a UNC path using the NetBIOS name of the remote machine. E.g.

    \\<remote>\C$\windows\tasks\

    Jak

    :10733
  • I am using the same credentials to logon to our Sophos server as I am for the protect computers wizard. They are my own.

    From the box with SEC I was able to remotely create a scheduled task on a remote machine (at \\remotepc.domain.com 00:00 copy /c copy C:\Temp\*.* C:\Temp2). This also worked with the short format. Both of these PCs are on the same domain.

    I receive no error message but nothing happens.

    :10737
  • If anyone needs any additional information I'd be happy to provide it. Having this feature working would be great.

    :10853
  • Hi,

    Sorry for the delay...

    How about:

    1. Download DebugView from Microsoft and save it to the server:
    http://technet.microsoft.com/en-us/sysinternals/bb896647

    2. Close the SEC if open.


    3. Stop the Sophos Management Service. From running "services.msc"


    4. Add the following keys to the management server:

    ==

    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Trace\{60FDEEE1-49BD-4B2A-AAE6-9BF39C10662E}]
    @="TraceEEComputerInstall"
    "ErrorLevel"=dword:00000003
    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Trace\{744B5D77-474B-412e-8116-21B05159F407}]
    @="TraceEEcomputerSearchImpl"
    "ErrorLevel"=dword:00000003
    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Trace\{2B607C2C-C19D-426c-81EA-2F1B03C01A7A}]
    @="TraceEEComputerDiscovery"
    "ErrorLevel"=dword:00000003
    ==
    5. Start the Sophos Management Service again using Services.msc
    6. Open DebugView as an Administrator (right click on it and do a "run as administrator") and ensure that "Capture Global Win32" and "Capture Win32" are checked from the "Capture" menu if they both exist.
    7. Launch SEC, go into the protect wizard.

    8. Start capturing in DebugView, and attempt a deployment.   You should see all the tracing appear.

    I'm not sure if you need all those trace guids, you might have to play around but hopefully the trace might throw a windows error or an error message to put you in the right area.

    Regards,
    Jak
    :10859
  • This was enlightening... I see the path the install action is pointing to is a mess.

    00000204 40.41305542 [24320]  Information TraceEEComputerInstall[0x00005F08] > ms::InstallTaskQueue::addComputers(1,<domain>\<username>)
    ms::GetPatchManagementUrlManager
    00000209 40.44344330 [24320]   Information TraceEEComputerInstall[0x00005F08] > ms::InstallTaskQueue::addComputer
    00000210 40.44651794 [24320]    Error       [0x00005F08] path `http://sophos.website.com:8085/CIDs/S000/SAVSCFXP` not UNC or HTTP
    00000211 40.44664764 [24320]    Error       [0x00005F08] path `` not UNC or HTTP
    00000212 40.44673538 [24320]    Error       [0x00005F08] path `` not UNC or HTTP

    The correct path used in my deployment packager is working fine. Where do I define (or redefine) the path this points to? I only need 'http://sophos.website.com:8085' not that last bit.

    Thanks again! I feel we're very close.

    :10873
  • RESOLUTION!!!

    Here was the problem.

    Under the Updating Policy, I set up a web CID for the Primary Server which I correctly configured using one of the Sophos guides. The problem was under the "Initial Install Source" tab. By default, the box "use primary server address" was checked which then appended the \CIDs/S000/SAVSCFXP path onto my Web CID which resulted in a bogus address. I changed that to the UNC Sophos share and I was good to go.

    So, I was able to keep my web CID but I had to set the Initial install source to UNC.

    Thank you very much for your help, jak. I highly doubt I would've found that if it weren't for your other troubleshooting steps which, by the way, are totally foreign to me but I could understand the result. If you can recommend a resource where I can learn more about leveraging Dbgview, that would be awesome. It was like magical logging.

    :10875
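
The DebugView trace quoted in the thread can be triaged mechanically rather than by eye. The Python sketch below is an added example, not part of the original posts and not Sophos tooling: the line layout is inferred only from the trace lines quoted above (embedded unchanged as sample input), and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Sample input: the trace lines as quoted in the thread (placeholders kept).
SAMPLE = r"""
00000204 40.41305542 [24320]  Information TraceEEComputerInstall[0x00005F08] > ms::InstallTaskQueue::addComputers(1,<domain>\<username>)
ms::GetPatchManagementUrlManager
00000209 40.44344330 [24320]   Information TraceEEComputerInstall[0x00005F08] > ms::InstallTaskQueue::addComputer
00000210 40.44651794 [24320]    Error       [0x00005F08] path `http://sophos.website.com:8085/CIDs/S000/SAVSCFXP` not UNC or HTTP
00000211 40.44664764 [24320]    Error       [0x00005F08] path `` not UNC or HTTP
00000212 40.44673538 [24320]    Error       [0x00005F08] path `` not UNC or HTTP
"""

# Assumed layout: sequence, seconds, [pid], level, optional component, [thread], message.
ENTRY = re.compile(r"^\s*(\d+)\s+(\d+\.\d+)\s+\[(\d+)\]\s+(\w+)\s+(\w*)\[(0x[0-9A-Fa-f]+)\]\s*(.*)$")
REJECTED = re.compile(r"path `([^`]*)` not UNC or HTTP")

def parse(text):
    """Turn DebugView text into entries; unprefixed lines continue the previous entry."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw)
        if m:
            seq, ts, pid, level, comp, thread, msg = m.groups()
            entries.append({"seq": int(seq), "time": float(ts), "pid": int(pid),
                            "level": level, "component": comp, "thread": thread, "msg": msg})
        elif raw.strip() and entries:
            entries[-1]["msg"] += " " + raw.strip()
    return entries

def describe(path):
    """Classify the install source path that the management service rejected."""
    if not path:
        return "empty"
    if path.startswith("\\\\"):
        return "unc"
    parts = urlsplit(path)
    if parts.scheme in ("http", "https"):
        return "web:" + parts.netloc + parts.path
    return "other"

def rejected_paths(entries):
    """Pair each rejected path with the last traced call on the same thread."""
    last_call, findings = {}, []
    for e in entries:
        if e["level"] != "Error":
            last_call[e["thread"]] = e["msg"]
            continue
        m = REJECTED.search(e["msg"])
        if m:
            findings.append((e["seq"], last_call.get(e["thread"], "?"), describe(m.group(1))))
    return findings

if __name__ == "__main__":
    for seq, call, kind in rejected_paths(parse(SAMPLE)):
        print(f"#{seq:08d} after '{call}': rejected install source is {kind}")
```

On the quoted trace this reports one web address with the CID path appended and two empty paths, all raised right after `addComputer`, which points at the "Initial Install Source" setting described in the resolution.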