Tuesday, 2 December 2008

Altiris : Shared Guid Diagnostics Guide (aka Duplicate Guid Kit)

Article ID: 3848

Definition

A Shared Altiris Agent Guid is a configuration problem that causes mismatched inventory data, and prevents accurate management and event-message storage of managed computers by the Altiris Notification Server. The Altiris Agent Guid is the primary mechanism by which the Altiris Notification Server uniquely identifies each resource record in the NS database. In this situation, we are concerned with computer resource records. There are several potential causes of shared guids. They all originate from circumvention of the normal agent deployment process, or external changes to the agent's configuration. The end result is that two or more managed computers each claim to be the sole owner of the Agent Guid (which is supposed to be globally unique).

Known causes

OS Imaging: By default, the Notification Server will generate a new Guid upon the first request from a brand new Altiris Agent. The Altiris Agent then stores its assigned Guid in the registry for Windows, and on the file-system for the Linux, Unix and Macintosh platforms. Shared Guids can be caused by imaging a workstation that already has an Altiris Agent installed. Each restored copy of the workstation will have the same assigned Guid. This issue exists in all imaging solutions, with the exception of Deployment Server (DS) version 6.5 or better. The best solution is to schedule the Altiris Agent to install immediately after restoring an image (This can be done as a DS job). An alternate solution is to always remember to delete the guid from the workstation prior to imaging (error prone).

Software Packaging: This cause is less likely to occur, but simple software repackaging tools will include the Altiris Agent's registry or file location of the guid as part of the software package. Activity by the Altiris Agent can fool the packaging tool into thinking that the Guid belongs to the package. Deploying the bad software package overwrites the good guid with the one from the capture station. To avoid this problem, don't install the Altiris Agent on the workstation used for snapshoting the original software installation job.

Resolution

The purpose of this document is to demonstrate how to use the Notification Server’s shared GUID diagnostics kit to successfully identify and remove computers within the Notification Server database. The attached MS Word document contains screenshots for additional clarity (it is now considered out-of-date, and is merely provided for historical reference).

Installation

You can install the diagnostics kit by following the steps below. This utility contains several collections, a report, a package to remove the shared guids, and platform specific tasks. These items are all created in a Shared Guid Diagnostics v6.04 folder that is created by the import.

Note: Altiris NS Agent version 1508 or later is required for this to work.

  1. Download the xml file attached to this article and save it to a location on the Notification Server
  2. Find a location to install this utility. For this example we will create a folder called “Diagnostics” within the Tasks folder.
  3. Highlight the folder that you created. Right-click and choose Import.
  4. You will be prompted to choose the file to import. Choose the Shared Guid Diagnostics v6.05.xml file.
  5. Once the file has been imported into the Notification Server database, you should see the following structure:
  6. Enable each applicable Reset Guid Task. It's only neccessary to enable the task for platforms that exist in your environment.

Possible Duplicate Guids

  • These collections will query the Notification Server database for all computers that have reported a change in their GUID in the past seven days. Computers in this collection are used by the associated task to reset the Guid on the client computers.
    Note: After fixing shared GUIDs in the database, there is a possibility that some computers will still show up here. This collection is checking to see if the computer record has been changed in the last seven days, not if it has been fixed. To retrieve an accurate report, use the GUIDs Shared between 2 or more computers report or view the Machines that have run the Reset Guid Task collection.

Machines that have run the Reset Guid Task.

  • This collection will display any computers that have run a reset guid task, giving you a report of the machines that have completed the fix. Keep in mind that this report can not be 100% accurate due to the problem that is being addressed by the reset guid tasks.

GUIDs Shared between 2 or more computers.

  • Analyzes computers that have been sharing the same GUID, this is recognized when frequent name changes are occuring on a specific NS computer record. Once the duplicate GUID has been cleaned up, you will see the results in this report. This report doesn't distinguish by platform, and will also include un-managed computer records. By design, collections can not include unmanaged computers.

Reset Guid Tasks

  • These packages are responsible for running the appropriate task on the computers that are sharing the guid. On the Windows platform, it will use a built-in utility to strip out the Altiris Agent's guid from the registry. There are multiple places that the guid can be stored, depending upon if the DS Aclient is also present, and or older versions of the Altiris Agent have ever been used.
    • For the Windows platform, the following command is used: AeXAgentUtil.exe /resetguid
    • For Unix, Linux, and Macintosh computers, the file containing the guid is deleted, and the Altiris Agent is restarted as a background process. The agent restart is neccessary to flush the GUID from memory.
  • A new Guid is created by the Notification Server after the Altiris Agent sends the computer name and domain to the Notification Server. For each shared guid, one of the computers will retain ownership of the computer resource record, the remaining computers will be assigned new guids (and thus new NS computer resource records).
Permissions

By default, when this package in imported, the owner of the folder and items will be null. The administrative role will have access to this utility, but if permissions are to be set, you should set the ownership by doing the following:

  1. Right-click on the main folder
  2. Choose Properties
  3. Choose the Security Tab
  4. Choose the Take Ownership button.

Uninstall
To completely remove the Duplicate Diagnostic utility from your system, you should follow the steps below. Delete the following objects through the NS console (right-click > Delete).
1. Reset Guid tasks (3).
2. Possible Shared Guid collections (3)
3. Machines that have run the Reset Guid task collection
4. Guids shared between 2 or more computers report
5. The Reset Guid Agent Package. (You must first delete each "program" by clicking the delete button on the Programs tab of the package).

No comments: