Using the Client Deploy Tool

On smaller networks (less than about 5,000 computers) connected to Active Directory or NT Directory domains, you can use the Client Deploy Tool to install Windows Clients. For larger networks, you might find it easier to use other deployment methods. The Client Deploy Tool helps you roll out clients in an easy way, but there are some requirements and conditions:

• You must have an Active Directory or NT Directory domain (there is also an option to deploy to a list of computers if you have an administrator account on the computer).
• The Tivoli Endpoint Manager Client Deploy Tool can only target computers running Windows 2000, XP, Server 2003, Vista, Server 2008, 7, or Server 2008 R2.
• The computer running the Client Deploy Tool must be connected to the domain, but must not be the domain controller itself.
• The Service Control Manager (SCM) and the Remote Procedural Call (RPC) services must be running on the target machines.
• There must be no security policy on the computer that would prevent either a remote connection to the SCM or the issuance of a Remote Procedural Call.
• The dnsName property of every target computer in the Active Directory must be correctly defined.

The Client Deploy Tool makes it easier to push the Client to computers, but is not a full-featured enterprise-class software distribution tool. If you already have a software distribution tool, it is recommended that you use the existing software distribution tool instead.

The Tivoli Endpoint Manager Client Deploy Tool starts by getting a list of computers from the Active Directory server and remotely connecting to the computers (accessing 100 computers at a time) to see if the Client service is already installed on each computer. If it is, it reports Installed along with the status of the Client service such as Running, Stopped, and so on. If it cannot determine the status due to a permissions problem or for any other reason, it report Status Unknown. Otherwise it reports Not Installed – unless it cannot communicate with the computer at all, in which case it reports Not Responding.

If the Client is not yet installed, the tool provides interfaces that allow you to issue a Remote Procedural Call that accesses the shared installer and, with the proper domain administration credentials, runs it silently, with no user interaction.

 

Security Considerations

To use the Client Deployment Tool you will need some authentication credentials for the target endpoints and you will also need to check some security settings on the target endpoints.

Login credentials

Authentication credentials needed to use the tool include a username and password for an account that has administrator privileges on the target endpoints.

Firewall

The local firewall on the client can also interfere with this tool, and needs to either be turned off or configured to allow the tool access to the endpoint. After the TEM agent is deployed on the endpoint the firewall can be turned back on as long as the TCP and UDP port being used by TEM (by default 52311) is open to allow communication between the TEM agent and any TEM Relays or the TEM Server.

It is possible to leave the Windows Firewall on and simply enable an exception for File and Printer Sharing which will, in conjunction with the other information on this page, allow the Client Deploy Tool to operate sucessfully.

Group Policy Setting

In addition to the above security considerations there are specific steps which should be taken to ensure successful deployment of TEM clients using the Client Deploy Tool.

Make sure that the Sharing and security model for local accounts is set to Classic mode (see screenshot below). You can start the Group Policy Editor in Windows from Start->Run and entering gpedit.msc.

 

 

What are the requirements for using the BES Client Deploy Tool?

The BES Client Deploy tool comes with the BES Installation Generator.



When it is run, the BES Client Deploy Tool will do the following:

• Contact the domain controller (You can choose whether to use the NT deployment or AD deployment mode)
• Retrieve a list of computers in the domain
• Attempt to contact each computer to see if the BES Client is installed on the computer

You will then be presented with a list of all the computers in your network along with the status of whether the BES Client is installed or not installed or it will report that the computer was not responding if it is off or unreachable. You will then be able to choose computers in the list and deploy the BES Client to the remote computers using your Windows domain administration credentials.

Requirements to use BES Client Deploy Tool:

• The computers you are deploying to and the computer running the BES Client from must be part of an NT or AD domain (to deploy to different domains, copy the BES Client Deploy tool folder to a computer on thehttps://ssl.salesforce.com/s.gif different domain)
• You must be logged in with a domain administrator account with all necessary permissions (or any admin account with full permissions on the computers you wish to deploy to)
• You must type in the domain administrator password after you choose to deploy the BES Clients
• The remote computers you wish to deploy to must be Windows, 2000, XP, 2003 Server, Vista, 7, Server 2008, or Server 2008 R2
• The remote computers you wish to deploy to must have the following services running:
  • Workstation
  • Server
  • Net Logon
  • Remote Registry
• The remote computers you wish to deploy to must have 'File and Print sharing' enabled
• The remote computers you wish to deploy to must be reachable using windows RPC protocols. Note:The deploy tool will not work if there is a firewall blocking traffic between you and the remote computer or if the remote computer has a personal firewall blocking traffic. Also note that by default RPC utilizes port 135 as well as a random port above 1024. If you are using a firewall you may want to look into configuring the RPC port to a specific port number so that you can lock it down an allow traffic across that port without opening the firewall completely. (http://support.microsoft.com/kb/154596). RPC can utilize TCP or UDP ports so you should allow for both. The BES Client deploy tool itself does not make use of any other ports beyond what RPC utilizes. Once the BES Client has been installed it will use whichever port you have specified for your license (TCP/UDP 52311 by default)
• You cannot have any network or security policies in place that would prevent our application from connecting to the remote computer and running a service that will use the domain administrator credentials to copy files from a shared location and run them locally on the computer

 

Certain computers will not accept the RPC connections properly and the BES Client Deploy tool will report an error installing the BES Client. Sometimes these errors will go away if you try to deploy to the computer at a later time (this appears to happen "randomly" on about 2% of computers in most deployments).

If you are unable to use the BES Client Deployment tool for any reason, consider using a different method for BES Client deployment detailed in the BES Administrator's Guide at http://support.bigfix.com/product/.

 

What do the errors in the Client Deploy Tool mean?

The NET USE command, net use * \\targetcomputer\admin$ /user:domain\user password, can be used to tell you what kind of error the Client Deploy Tool is running into with the computers.



In the BES Client Deploy Tool if you get a message saying "Offline" typically with NET USE you get the following error:



Error: System error 53 has occurred. The network path was not found.

Meaning: Machine cannot be contacted.



In the BES Client Deploy Tool if you get a message saying "Connection Failed" with NET USE you get one of the following:



Error: System error 53 has occurred. The network path was not found.

Meaning: ADMIN$ share not available.



Error: System error 1219 has occurred. Multiple connections to a server or shared resource by the same user, using more than one user name, not allowed. Disconnect all previous connections to the server or shared resource and try again.

Meaning: If the machine used to run the BES Client Deployment Tool already has a connection to remote machine ADMIN$ share, using a different credential, this error will occur.



Error: System error 1311 has occurred. There are currently no logon servers available to service the logon request.

Meaning: Domain server not available for authentication.



Error: System error 1326 has occurred. Logon failure: unknown user name or bad password.

Meaning: Incorrect admin username or password.



If you receive " Access is Denied" with net use you will get the following error:



Error: System error 5 has occurred. Access is denied.

Meaning: Username/password correct, but account does not have permission to ADMIN$ share.



Error:No network provider accepted the given network path.

Meaning:the client or the server could not be resolved during the client deploy tool process.



 

• Check to be sure the RPC service is running.
  
  
  
   
• Check DNS and FQDN resolution. If DNS is broken so that the netbios name or the FQDN do not resolve, or resolve to different IP addresses than expected, the client deploy tool will not work. You may be able to troubleshoot this by trying to
  
  
  
   
• From the client:
  • ping the client deploy tool server by netbios name
    
    
    
     
  • ping the client deploy tool server by FQDN
    
    
    
     
  
  
  
  
   
• From the deploy tool server:
  • ping the client by netbios name
    
    
    
     
  • ping the client by FQDN
  
  
  The destination computer in each of the ping tests should resolve to both the expected computer and the expected IP address.
  
  
  
   
• What can also work is try to install the client by using the IP address. If using an IP address works, it is likely the issue is DNS related. For additional information please see the following article:http://www.jsifaq.com/SF/Tips/Tip.aspx?id=11005

Some common Network Path Errors and some sample solutions.

"Network path not found" in a domain network 1

"Network path not found" in a domain network 2

"Network path not found" in a workgroup network - error 53

No network provider accepted the given network path





"Network path not found" in a domain network 1



SYMPTOMS: When trying to join a W2K/XP to a Windows 2000 domain by using he NetBIOS domain name, you are successful but not the FQDN and you may receive one of the following error messages:1) The following error occurred attempting to join domain "example.com": The network location cannot be reached. For information about network troubleshooting, see Windows Help. 2) Network path not found.

RESOLUTION: This issue may occur if the TCP/IP NetBIOS Helper Service is not running on the client computer. To start the TCP/IP NetBIOS Helper Service, go to MMS>Services, double-click TCP/IP NetBIOS Helper Service.



"Network path not found" in a domain network 2



Symptom: some w2k/xp can't join the domain randomly. The DNS server is multihomed server.



Resolution: You can find some computer browser errors on the DNS server. Disable one of two NICs will work.



"Network path not found" in a workgroup network - error 53



RESOLUTIONS:

1) Make sure that File and Printer Sharing is enabled on on the shared computer.

2) Make sure that shared machine has something shared.

3) Make sure that you have created the same workgroup and logon the same username if you try to access w2k/xp network.

4) Make sure that you have enabled NetBIOS over TCP/IP if this is a mixed OS network.

 

Command Line Parameters for the Client Deployment Tool

The following are the command line parameters for the BigFix Client Deploy Tool:

• /useComputerNameList <computer name list file>
  
  Used to supply the path of a text file containing one NETBIOS computer name per line, which will be used for deployment, skipping over the discovery functionality of the deployment wizard.
• /automatic
  
  Can be used with /useComputerNameList to run without user input. Need to supply a password and possibly a username using the following flags.
• /password <password>
• /username <username>
• /domainNameSubstitution <old> <new>
  
  When deploying to a domain name found in active directory, this option will cause the first occurance of the string "<old>" in the domain name to be replaced with the string "<new>"
• /domainNameAppend <stringToAppend>

Note: The /username and /password command line options don't work in the BigFix 7.2.1.357 release.

For information on how to use the BigFix Client Deploy Tool to deploy to specific computers, please refer to http://support.bigfix.com/cgi-bin/kbdirect.pl?id=148.

 

Deploying Clients To a Specific List of Computers

To use the BES Client Deploy tool to deploy to a specific list of computers:

1. Make sure you are logged in as a domain administrator.
2. Create a text file called computerlist.txt and place it in the same directory as the BES Client Deploy Tool. (Located in the folder "C:\BES Installers\BESClientDeploy" by default).
3. Add the IP address or computer name to a separate line of the computerlist.txt file.
4. Run the BES Client Deploy Tool with the command line switch "/useComputerNameList computerlist.txt" (i.e., "BESClientDeploy.exe /useComputerNameList computerlist.txt").
5. The BES Client Deploy tool will open and prompt you to enter your username (use a fully qualified username) and password for the domain administrator.

 

Why does the BES Client Deploy Tool fail for all my Windows NT4 computers?

There is a problem with the BES Client Deploy Tool in version 5.1 that will stop it from working on Windows NT4 computers. A fix for the problem is possible by updating the BES Client Deploy Tool's executables. Please follow these steps to update those executables.

 

1. Create a copy of the BESClientDeploy folder and give the new folder a logical name like BESClientDeployNT4. The default location for the BESClientDeploy folder is C:\BESInstallers.
2. Download the following files: BESClientDeploy.exe and InstallerService.exe
3. Replace the existing BESClientDeploy.exe file in folder created in Step 1 with the downloaded BESClientDeploy.exe file.
4. Replace the existing InstallerService.exe file in the BigFixInstallSource folder of the folder create in Step 1 with the downloaded InstallerService.exe file.
5. The BESClientDeploy folder now contains an updated BES Client Deploy Tool that will be able to deploy to NT4 computers. You may use this updated BES Client Deploy Tool as you would use the normal BES Client Deploy Tool.