
Cannot deploy Sophos protection to trusted domain

I'm a new Sophos customer and I have a new installation of Sophos Endpoint protection server.  I successfully installed Sophos protection to all my domain1.com computers.  I have a domain2.com that I am trying to deploy it to as well. 

I have a two way trust setup.  I have synchronized the domain with the console.  When I try to protect the computers I get:

Installation failed
  Date/time:   12/20/2016 9:23:45 AM
  Code:        0000002e
  Description: The installation could not be started. The computer may need additional configuration before installation. See article 29287.

Firewall is turned off

On PC: Service - Task Scheduler (Started), Service - Windows Installer (not Disabled), Service - Remote Registry (Started)

On Enterprise server: Firewall is turned off, Service - Remote Registry (Started)

I've ensured an nslookup of the Desktop PC from my SEC server matches the ipconfig result on the Desktop PC.

I can go to \\<SophosServerName>\SophosUpdate from the Desktop PC; it doesn't prompt for credentials.

C:\ProgramData\Sophos\Update Manager\Update Manager folder (default location) is shared and the group 'Everyone' has read access.  Ensured these accounts are there with full control permission: SYSTEM, NETWORK SERVICE

From the endpoint computer I can open the central share in Windows Explorer (Start | Run | Type: \\<servername>\SophosUpdate\)

Created and ran a scheduled task on the remote PC.

I have a support ticket but have not gotten anywhere with that.  Any Sophos users have an idea of what to check?  Does Sophos deploy to the computer as Computer.domain2.com, or just Computer?  Where are the logs on the server to see what the issue is?

  • Error 29287 refers to being unable to find the network path ( https://community.sophos.com/kb/en-us/29287 )

    Are you using the FQDN in the deployment and server name?

    i.e. avserver.domain1.com

    Just using avserver would work on the domain1.com domain but not domain2.com.

    The other option or hack might be to create a DNS record in domain2.com with the same server name and point it to the IP of the server in domain1.

    Regards,
    Bohdan

  • Hello April Beachy and Bohdan.S,

    If I understand 's post correctly, the share can be accessed using the server's NetBIOS name. If the server can't resolve the endpoint's name as it appears in the console, the symptom will be the same. When you did the "nslookup of the Desktop PC from my SEC server", did you use this name or did you qualify it? Did you try SCHTASKS /Create /S domain2computer from your SEC server?

    Christian

  • I could never get the Sophos system to use the fully qualified domain names, so we created a GPO that added both domains to the DNS settings for computers from Domain2.  Not how I wanted to manipulate the domains, but it worked.

    Any hints on how to get a better response from Sophos support?  I have a ticket, the support tech is sick and no one else would talk to me.  On multiple issues and multiple calls we could not even get a support tech to remote into the system to take a look.  Is there a Gold support?  I was considering buying more Sophos products, but their support is enough to make me pay twice as much for a competitor's system.

  • Ran into a problem with this configuration.  When two computers have the same name on different domains (PC1.domain1.com and PC1.domain2.com), the system never deploys to PC1.domain2.com.

    Any thoughts?

  • Hello April Beachy,

    SEC uses the (NetBIOS) name displayed to resolve the name; specifically, it doesn't append any domain info. As the information (name) came from an external source, you can't modify it easily.
    I haven't tested whether SEC relies solely on the resolver; likely it does. Protection is normally a one-time event, and frankly, for rather complex topologies I'd use a GPO or some other alternative means. Temporarily modifying etc\hosts could be a work-around.

    Christian

  • Ran into this problem today: the Enterprise Console would discover the machines when given an IP range but would then fail to deploy to all machines in domain2.com.

    The resolution for me was two-fold. The first step was, on the management server, to change the network adapter's DNS suffix search list to:

    domain1.com

    domain2.com

    I was then able to resolve all machines in domain2.com using just their NetBIOS name from the management server.

    This left the requirement for resolution of the management server from all the clients in domain2.com. As the management server had a unique name that was not present in domain2, I added a DNS A record for the server name into the domain2 DNS zone. This meant all clients on domain2.com would resolve the FQDN via the DNS conditional forwarder for domain1.com, and the NetBIOS name would resolve through domain2 DNS.

    This won't help if you have the same management server name for two different servers in their respective domains, but it worked for my situation. Hope it helps.
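As an added example that is not part of this thread or of Sophos's own tooling, a PowerShell check to run on the management server before protecting computers; it covers both problems discussed above: a bare NetBIOS name that does not resolve because the suffix search list lacks the second domain, and a name that exists in both zones. It uses the standard DnsClient/NetTCPIP cmdlets Resolve-DnsName, Get-DnsClientGlobalSetting and Test-NetConnection; the endpoint names and domain suffixes are placeholders.

```powershell
# Added example, not from the thread or from Sophos: check from the SEC management
# server how the bare names shown in the console will resolve before deploying.
# $EndpointNames and $Domains are placeholders for your console names and DNS zones.
param(
    [string[]]$EndpointNames = @('PC1', 'PC2'),
    [string[]]$Domains       = @('domain1.com', 'domain2.com')
)

function Resolve-A([string]$Name) {
    # Return only A-record addresses (Resolve-DnsName may also return CNAME rows).
    Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.QueryType -eq 'A' } |
        Select-Object -ExpandProperty IPAddress
}

# 1. The suffix search list decides which zones a bare NetBIOS name is tried in, and in what order.
$suffixes = (Get-DnsClientGlobalSetting).SuffixSearchList
Write-Host "Suffix search list on this server: $($suffixes -join ', ')"
foreach ($d in $Domains) {
    if ($suffixes -notcontains $d) {
        Write-Warning "$d is not in the suffix search list; bare names from that zone will not resolve here."
    }
}

# 2. For each console name, compare the bare-name answer with each FQDN candidate.
foreach ($name in $EndpointNames) {
    $bare     = @(Resolve-A $name)
    $byDomain = @{}
    foreach ($d in $Domains) {
        $ip = @(Resolve-A "$name.$d")
        if ($ip.Count -gt 0) { $byDomain[$d] = $ip }
    }

    if ($byDomain.Count -gt 1) {
        # Same name in both zones (the PC1 case above): the first matching suffix wins,
        # so the machine in the other zone can never be reached by its bare name.
        Write-Warning "$name exists in $($byDomain.Keys -join ' and '); the bare name only resolves to $($bare -join ', ')."
    }
    elseif ($bare.Count -eq 0) {
        Write-Warning "$name does not resolve as a bare name from this server; expect 'network path not found' (article 29287)."
    }
    else {
        # Bare name resolves uniquely; also confirm the SMB port used for the admin share is reachable.
        $smb = Test-NetConnection -ComputerName $name -Port 445 -WarningAction SilentlyContinue
        Write-Host ("{0} -> {1} (TCP 445 reachable: {2})" -f $name, ($bare -join ', '), $smb.TcpTestSucceeded)
    }
}
```

Run it once after changing the suffix search list and again after adding the A record so that both directions of resolution described in the thread are confirmed before retrying the deployment.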