KACE produits de gestion des systèmes de noeud final

Troubleshooting Agent Provisioning

Here are the key areas to investigate when trying to troubleshoot agent provisioning in your network.

Windows

Assumptions

  • The PC that you are trying to provision is called TARGETPC
  • Admin PC is called ADMINPC
  • Your KACE K1000 appliance hostname is called YOURKBOX and is the same name that is listed in the provisioning configuration AND in the Network settings. Please review this FAQ

Check for provisioning support files

Provisioning uses files located on a samba share to do the install.
  • Check for this list of files at \\YOURKBOX\client
version.txt
dotnetfx.exe
agent_remove.bat
agent_provision.bat
KNISetup_v11Silent.msi
KInstallerSetupSilent.msi
KInstallerSetup.exe
  • Check that the version.txt file contains the installed version reported at settings->K1000 Agent->Agent Updates from Kace

Use this if you are getting error: "The system cannot find the file specified."

Check for connectivity to the K1000 appliance shares

Provisioning attempts to run the files from \\YOURKBOX\client
  • On a TARGETPC open up explorer.exe
  • Browse to \\YOURKBOX\client. It should automatically connect as "Guest" and you should have readonly access to this share. Make sure yo are trying to connect using the host name you specified earlier.

Use this if you are getting error:
"The system cannot find the file specified."
ERROR: Failed to copy file - /kbox/bin/KBRemoteService.exe - NT_STATUS_SHARING_VIOLATION

If you are getting this error when trying to map a drive to the client share:

System Error 1240 Has Occurred. The Account Is Not Authorized to Login from This Station

RESOLUTION: 

microsoft network client: digitally sign communications (always) - set to disabled

http://support.microsoft.com/kb/224287


Ping TARGET PC from the KACE K1000 appliance

  • Open up the settings->support->troubleshooting tools
  • Switch to "edit mode"
  • Use the ping test to ping the TARGETPC ip address you are using in provisioning

Use this if you are getting error:
NT_STATUS_IO_TIMEOUT

Test connectivity to ports 139 and 445 on TARGETPC from the K1000 appliance

You cannot test this for certain in any other way. The provisioning results will tell you this. Make sure you have "Enable Debug Info:" turned on in the provisioning for detailed results.

However, a good way to test this would be telnet from ADMINPC to TARGETPC on ports 139 and 445.

e.g.

If you see a blank screen then the connection is working
If you see an error like then it is not working and you probably need to configure file and print sharing according to the K1000 appliance documentation.

Use this if you are getting error:
NT_STATUS_IO_TIMEOUT

Testing Admin Share & Credentials on your target PC

Method 1 (works well if you cannot easily control the TARGETPC)

The K1000 appliance uses a stub called kbrsl (pronounced "kbrizzle") to connect to the admin$ share on your PC. To test if this is working outside of the K1000 appliance do this:
  1. Open up computer management
  2. Navigate to "Shared Folders\Shares" and check that the "ADMIN$" share is listed
  3. On an admin PC download psexec.exe and save it to c: (http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx) -- Extract psexec.exe from the tools archive
  4. On an admin PC tell psexec to connect to the target PC and issue the command
    c:\psexec.exe \\TARGETPC -u Domain\username ipconfig /all
    . This should report back the ipconfig information of the remote machine.
  5. Map a drive to that machine and if the folder %systemroot%\temp\kace exists then delete it.
  6. Run this command
    c:\psexec.exe \\TARGETPC -u DOMAIN\username cmd.exe /c mkdir %systemroot%\temp\kace

Method 2

  1. On the TARGETPC Open up computer management
  2. Navigate to "Shared Folders\Shares" and check that the "ADMIN$" share is listed
  3. From an ADMINPC open file explorer.exe and browse to \\TARGETPC\Admin$ -- you should be prompted to login.
  4. Login with the same credentials you are using in the provisioning setup
  5. Browse to %systemroot%\temp on that machine (which is likely c:\windows\temp) and attempt to create a flle in the directory.

If Method 1 or Method 2 fails you need to correct your Admin$ share or open up ports 139 and 445 on TARGET PC

Use these methods if you are getting errors:
CreateProcessAsUser
NT_STATUS_LOGON_FAILURE
NT_STATUS_CONNECTION_REFUSED
NT_STATUS_CONNECTION_REFUSED
ERROR: Failed to open connection - NT_STATUS_BAD_NETWORK_NAME
ERROR: Failed to open connection - NT_STATUS_NO_LOGON_SERVERS
ERROR: Failed to open connection - NT_STATUS_WRONG_PASSWORD

Testing for installation

  • On the TARGETPC browse to c:\program files\kace\kbox
  • Is the updated KBOXClient.exe there?
  • launch services.msc
  • Is the "KBOX SMMP Management Service" running?
If the installation files are there and the service is running then provisioning was successful. You do not have a provisioning problem, but you might have a check-in problem and should review this FAQ

Use this if you are getting errors:
ERROR: Failed to copy file - /kbox/bin/KBRemoteService.exe - NT_STATUS_SHARING_VIOLATION

Disable or Uninstall Anti-Virus software

If you are running an anti-virus software such as McAffee, Symantec, etc., disable it temporarily, then attempt to provision again. 

Example of an error you might see caused by anti-virus software:

ERROR: Failed to copy file - /kbox/bin/KBRemoteService.exe - NT_STATUS_SHARING_VIOLATION

If disabling still yields the same error, uninstall your anti-virus software temporarily, then test again. 

If even after that the problem still continues, continue onto the next steps in this article, or search our knowledge base or ITNinja for more specific provisioning issues. 

Deploying .Net Framework

The agent requires the .Net 1.1 framework. .Net 3.0 and .Net 2.0 are not sufficient. We distribute the .Net runtime for you which ones on all platforms, including 64-bit, except for the following mentioned in this FAQ Provisioning will automatically install this framework if it detects it is needed except on 64-bit platforms.

If you have a 64-bit platform then you must check the box "Install .NET 1.1 on x64 Systems:". Please review this FAQ before you deploy to 64-bit platforms.

New Installation versus Re-provisioning

Commentary

In an efficient environment you should never have to re-provision your PCs. If you are upgrading your KACE K1000 appliance and agent software regularly (i.e. within a few months of each release) then you should have a smooth upgrade path that allows your machines to upgrade themselves. This is facilitated by the "Agent Updates from Kace" (i.e. Settings->K1000 Agent->Agent Updates from Kace) section. . When enabled the agent will be installed as a managed install the next time the PC checks in to the K1000 appliance.

However, there may be exceptions when you have to re-provision:

  • Orphaned agents due to host name change
    You can often deal with this by creating a temporary DNS name so that agents will connect to the new server
  • Orphaned agents due to misconfiguration of SSL
    It is possible to orphan your agents if you mistakenly enable SSL on the K1000 appliance and then disabling it OR if you enable SSL using incorrect host settings and now the agents are looking for a host that does not match the certificate (Note: the 5.1 agent is smart enough to try a last known good connection on port 80)
  • A machine that is re-imaged. This is not technically a re-provision. Furthermore, it is preferable to deploy the agent as a post-image installation task (after establishing the name of the machine)

Removing previous installations Method 1

  • Setup a provisioning using the options

Removing previous installations Method 2

  • Check the TARGETPC for existence of c:\program files\KACE\KBOX
  • If it exists then stop all K1000 services
  • Delete this directory and all contents including the config.xml and smmp.conf files (if they exist)
  • re-provision

When to contact Support

If all of the above settings have been checked and passed then please contact technical support. Be prepared to provide the following:
  • evidence of all the tests
  • demonstrated attempts at solving the problem including a description of the current roadblocks
  • log file from a sample provisioning that has the debug log option turned on.