
Newly installed XP clients disappear from EM 3.0 console

Hello,

I'm having a strange problem. For a few days now, my newly deployed XP clients have been disappearing from my EM 3.0 console when I comply them with the group policy.

Situation.

We are upgrading our clients from W2K to XP with a preconfigured image. Sophos is already installed in this image. The client appears in the EM console when it joins the domain.

The status showing in EM is "differs from policy" and "waiting for response from computer". After the "comply with group policy" action the client disappears from the EM console.

The client reappears again after a reboot and has the same status as mentioned above.

Does anyone have an idea?

Regards,

Peter

  • Hello Peter,

    can't say I know exactly what's going on. Maybe this helps a little:

    Most of our clients are not under the IT department's control (but nevertheless when they install Sophos they report to SEC and are managed). I've found out that literally hundreds of clients had been installed with one of three images and in SEC computers disappeared, re-appeared in the Unassigned group, changed names, showed tons of alerts, seemed to change policies at will and the like. With SEC 4.0 and SAV9.0 I noticed that they started to get "individual" identities when they upgraded (guess due to changes in the RMS component they re-registered when upgrading the client RMS). Over time most of them got their own identity.

    In order to identify which client is a clone I checked the database using osql/sqlcmd. A very interesting value is in column MessageSystemAddress of table ComputersAndDeletedComputers as it is a "high priority" value to determine a client's identity. So if you just change a computer's name it remains the same from SEC's point of view. I said "high priority" because SEC tries very hard to recognize an already known computer - if you un- and reinstall RMS it gets a different identity. So now you have two computers with the same name. Are both valid? If name and domain/workgroup are the same then probably only one is valid (as you otherwise would have problems with Windows networking). But what if they are the same but the computers are on different LANs? So SEC applies some logic (which changes from version to version) to address these questions.

    I used this query (I prefer sqlcmd because it has better formatting options) while dealing with the "clones":

    sqlcmd -E -S .\SOPHOS -d SOPHOS3 -Y 30 -Q "SELECT Name,Deleted,MessageSystemAddress FROM ComputersAndDeletedComputers WHERE some-selection-criterion"

    some-selection-criterion is for example: Name='CLONE01' or MessageSystemAddress LIKE 'Router$Image0%'

    Normally the computer's name is part of MessageSystemAddress, but if its name has been changed after it's been installed from an image where Sophos has already been installed, then not. Here's some sample output:

    Name                           Deleted MessageSystemAddress
    ------------------------------ ------- ------------------------------
    JORGOS1                              0 Router$itsc195:747094
    VIFO021                              1 Router$itsc196:18046
    PSYCH21                              0 Router$itsc196:81061

    Shortly afterwards the same query gives:

    Name                           Deleted MessageSystemAddress
    ------------------------------ ------- ------------------------------
    CENTRAL                              0 Router$itsc195:747094
    VIFO021                              1 Router$itsc196:18046
    PSYCH21                              0 Router$itsc196:81061

    Obviously JORGOS1 and CENTRAL have been installed from the same image. In SEC CENTRAL would suddenly appear instead of JORGOS1. It's even more complex: If CENTRAL were newly installed but a deleted computer (i.e. not visible in SEC) with the same name and workgroup already existed in the database CENTRAL could suddenly appear in a different console group (perhaps Unassigned) and if then JORGOS1 again reports to SEC it will remain there.

    This is not a complete description but I hope it's of some use.

    Christian
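
The comparison described in the answer above, as an added example that is not part of the original post or of any Sophos tooling: it parses two runs of the sqlcmd query (the sample output quoted in the post) and reports every MessageSystemAddress whose Name changed between runs, plus names that are not contained in their own address. The function names and the one-row-per-address assumption are this example's own.

```python
import re

# Sample sqlcmd output taken from the post above (first run of the query).
SNAPSHOT_1 = """\
Name                           Deleted MessageSystemAddress
------------------------------ ------- ------------------------------
JORGOS1                              0 Router$itsc195:747094
VIFO021                              1 Router$itsc196:18046
PSYCH21                              0 Router$itsc196:81061
"""
# Second run from the post: identical except CENTRAL now holds JORGOS1's address.
SNAPSHOT_2 = SNAPSHOT_1.replace("JORGOS1", "CENTRAL")

# Data rows are: Name, Deleted flag (0/1), MessageSystemAddress.
# The header and the dashed ruler do not match and are skipped.
ROW = re.compile(r"^\s*(\S+)\s+([01])\s+(\S+\$\S+)\s*$")

def parse(output):
    """Return {MessageSystemAddress: (Name, deleted)}.
    Assumption: each address appears at most once per query run."""
    rows = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            name, deleted, addr = m.groups()
            rows[addr] = (name, deleted == "1")
    return rows

def renamed_identities(before, after):
    """Addresses seen in both runs whose Name differs: one identity
    reporting under several computer names, i.e. likely clones."""
    return {addr: (before[addr][0], after[addr][0])
            for addr in before.keys() & after.keys()
            if before[addr][0].lower() != after[addr][0].lower()}

def name_not_in_address(rows):
    """Names that are not part of their own MessageSystemAddress, which the
    post associates with machines renamed after being installed from an image."""
    return sorted(name for addr, (name, _) in rows.items()
                  if name.lower() not in addr.lower())

if __name__ == "__main__":
    first, second = parse(SNAPSHOT_1), parse(SNAPSHOT_2)
    for addr, (old, new) in renamed_identities(first, second).items():
        print(f"{addr}: {old} -> {new}")
    print("name not in address:", name_not_in_address(second))
```

To use it on live data, save the output of the sqlcmd command from the post at two points in time and pass both texts to `parse`.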
