10 Replies Latest reply on Aug 16, 2018 8:19 AM by jwood8

    Deploy machines to a new domain?

    jwood8 Apprentice

      Hi all,

       

      We have a core server running in a domain, which images workstations for the same domain and then the install steps join them to the domain, etc. The workstation is then managed from LDMS (EPM) for remote, patch, etc.

       

      We're having to implement a new domain as part of a global policy, which is tied to a PC rollout on Win 10.

       

      My question is - can I use my existing LDMS server to image, deploy and manage workstations on a different domain? Or will I need to deploy a new management server as a member of that domain first?

       

      Thanks!

        • 1. Re: Deploy machines to a new domain?
          steve.may Apprentice

          You sure can.  We have six different domains here and manage and provision all of our endpoints using one core.  We use some PowerShell scripts to join the domain during provisioning and just use a service account set up in each domain.

          1 of 1 people found this helpful
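The kind of provisioning step steve.may describes, written out as an added example (it is not code from the thread, nor Ivanti's or LANDESK's own). Everything specific in it is an assumption: one service account per target domain, its credential stored as a DPAPI-protected CliXml file written by the provisioning account on the host, and that account delegated only "Create computer objects" on the workstation OU rather than domain admin.

```powershell
<#
  Added example: join the workstation being provisioned to the domain passed in,
  using a per-domain service account. Hypothetical layout:
    - credential file per domain, created once under the provisioning account with
      Get-Credential | Export-Clixml (DPAPI-bound to that account on this host);
    - the service account may only create computer objects in $OUPath.
#>
param(
    [Parameter(Mandatory)] [string] $DomainName,   # placeholder, e.g. corp.example.com
    [Parameter(Mandatory)] [string] $OUPath,       # e.g. OU=Workstations,DC=corp,DC=example,DC=com
    [string] $CredentialFile = "C:\ProgramData\Provisioning\$DomainName.cred.xml"  # assumed path
)

$ErrorActionPreference = 'Stop'

# 1. Refuse to run unelevated. Add-Computer needs local admin, and an unelevated
#    provisioning step is the sort of thing that leaves UAC prompting later.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "This step must run elevated (normally as Local System from the provisioning agent)."
}

# 2. Idempotent: if the box is already a member of the right domain, do nothing.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain -and $cs.Domain -ieq $DomainName) {
    Write-Output "Already joined to $DomainName; nothing to do."
    return
}

# 3. Confirm the target domain's DCs are resolvable before touching credentials;
#    DNS is the usual cross-domain failure, as the replies above note.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV | Out-Null

# 4. Load the per-domain service account. Import-Clixml can only decrypt the
#    password under the account that exported it, so a copied file is useless.
$cred = Import-Clixml -Path $CredentialFile
if ($cred -isnot [pscredential]) { throw "Credential file does not contain a PSCredential." }

# 5. Join and place the computer object in the agreed OU. No reboot here: the
#    provisioning template controls the reboot so the full agent install can follow.
Add-Computer -DomainName $DomainName -OUPath $OUPath -Credential $cred -Force
Write-Output "Joined $env:COMPUTERNAME to $DomainName (OU: $OUPath). Reboot pending."
```

Keeping one credential file and one narrowly delegated account per domain means a compromised image or file exposes, at worst, the ability to create computer objects in that single OU.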
          • 2. Re: Deploy machines to a new domain?
            phoffmann SupportEmployee

            Aye - by and large, as long as networking plays ball (and you don't have DNS issues), we don't really "care" about domains.

             

            By and large, the only sensitive part is putting the agent down - once that's the case, we don't really worry much about domains as such for most things, and you might as well be in a workgroup environment (I say this because I - to this day - run into environments that are running in that mode).

             

            Once the agent is down, authentication to the agent happens via certs & such ... the only time domain stuff becomes relevant is accessing files from a file-share, where either HTTP and/or Preferred Servers (with separate credentials) can be a big help.

             

            Is that a decent enough start for you?

            1 of 1 people found this helpful
            • 3. Re: Deploy machines to a new domain?
              steve.may Apprentice

              I should add that the only difficulty we currently have is one of our domains does not have a trust to the others.  The techs in this domain have to do a couple of extra steps to remote control machines since the security group from that domain cannot be added to the LANDESK Management Suite security group on the core server.  They have to use separate credentials when they remote control.

              1 of 1 people found this helpful
              • 4. Re: Deploy machines to a new domain?
                jwood8 Apprentice

                Hi all,

                 

                Thanks for the input! I'm actually in the process of doing this now but I'm seeing a few strange behaviours and wondered if anyone had prior experience of them?

                 

                1) When I build a machine on the new domain, the user gets a popup box for 'User Enrollment' asking them to enroll with location discovery services. This never happened on the old domain?

                2) Every time vulscan tries to run, it pops up a UAC box and you have to keep saying 'OK' to allow it to do things. If a normal user is logged on, it just fails.

                3) Weirdly, when patching it seems to try to download some of the patches by FQDN and some by IP. The ones by FQDN work, the IP not.

                 

                Appreciate these are strange and may be unique to us but thought I'd ask the question anyway!

                • 5. Re: Deploy machines to a new domain?
                  phoffmann SupportEmployee

                  If you have UAC popping, chances are that the agent wasn't installed "as admin" / by Local System so to speak, so UAC is constantly going to interfere with any binaries being run. (Gotta "love" UAC) ... so that's something iffy in how that image has been built.

                   

                  The "Some patches are accessed by IP, some by FQDN" has me scratching my head (I'm assuming that they're pointing to the same location in theory?). Clients only know of "the patch location" as a single place (which the Core has) ... AFTER that, you may have things like Peer Download or preferred server kicking off, but it should all be listed as being hosted on "the Core" (or wherever you store your patches) and be consistent!

                   

                  ... unless the UAC-related stuff is causing you issues with downloading / applying agent settings behaviour XML's (possible - UAC can eff up all manner of things once it's triggered) ...

                   

                  ... I would suggest looking at "what / how the install of the agent" is happening in that domain ... once UAC is "out of the equation", the rest may either fall in place on its own and/or be greatly helped at least.

                  1 of 1 people found this helpful
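A quick way to check the point phoffmann raises, as an added diagnostic that is not from the thread or from Ivanti: list the services whose binaries live under the agent folder and show which account each runs as. An agent laid down properly by Local System shows up here running as LocalSystem; anything else, or no services at all, points back at how the image was built. The folder path is an assumption (the thread only names an "LDClient folder"); adjust it to your install location.

```powershell
# Added diagnostic: which account do the agent's services run as?
# $AgentFolder is an assumed path; change it to wherever the agent is installed.
param([string] $AgentFolder = "${env:ProgramFiles(x86)}\LANDesk\LDClient")

function Get-AgentServiceContext {
    param([string] $Folder)

    # Win32_Service exposes the logon account (StartName) and the command line (PathName).
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -like "*$Folder*" }

    foreach ($svc in $services) {
        # Strip the quoted executable out of the full command line.
        $binary = $svc.PathName -replace '^"([^"]+)".*$', '$1'
        [pscustomobject]@{
            Service  = $svc.Name
            State    = $svc.State
            RunsAs   = $svc.StartName
            IsSystem = ($svc.StartName -in 'LocalSystem', 'NT AUTHORITY\SYSTEM')
            Binary   = $binary
        }
    }
}

$context = @(Get-AgentServiceContext -Folder $AgentFolder)
if ($context.Count -eq 0) {
    Write-Warning "No services found under '$AgentFolder' - is the full agent installed on this image?"
    return
}

$context | Format-Table -AutoSize

# Anything not running as SYSTEM is a candidate for the UAC prompts described above.
$context | Where-Object { -not $_.IsSystem } | ForEach-Object {
    Write-Warning "Service '$($_.Service)' runs as '$($_.RunsAs)', not LocalSystem."
}
```

Run it from an elevated prompt on a freshly built machine; if the list is empty, the build stopped at the provisioning agent and never installed the full agent, which is what the original poster later found.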
                  • 6. Re: Deploy machines to a new domain?
                    jwood8 Apprentice

                    I think the issue was that we had a provisioning agent installing and then we hadn't installed a full agent at the end of the build. Once this was done problems 2 and 3 disappeared. I'm still seeing the User Enrollment box popup though - what is generating this? It seems like an MDM sort of feature but we don't use any of that here.

                    • 7. Re: Deploy machines to a new domain?
                      phoffmann SupportEmployee

                      What process owns the "user enrollment" ...?

                       

                      It doesn't *sound* like any of our stuff ... (that I'm aware of, at any rate)?

                       

                      If you can hunt down the process popping the window to a location & binary, that may be a good starting point. I wouldn't expect it to be a part of EPM itself at this point (unless you put down a lot of MDM stuff, but that'd be rather surprising for a Windows device).

                       

                      Glad to hear that putting the full agent down properly sorted out the UAC shenanigans.

                      1 of 1 people found this helpful
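One way to do the hunting phoffmann suggests, as an added example rather than anything from the thread or from Ivanti: match the popup's window title to a process, report the binary on disk, its parent, and whether the binary carries a valid Authenticode signature. It has to run in the interactive session where the popup appears, since MainWindowTitle is only populated for windows in the caller's session. The default pattern 'Enroll' is a placeholder taken from the popup text quoted above.

```powershell
# Added diagnostic: find the process that owns a visible window and describe its binary.
# Run in the same user session as the popup. $TitlePattern is a placeholder.
param([string] $TitlePattern = 'Enroll')

function Find-WindowOwner {
    param([string] $Pattern)

    $owners = Get-Process | Where-Object { $_.MainWindowTitle -match $Pattern }
    foreach ($p in $owners) {
        # Path can be $null when the owning process is elevated and we are not.
        $sig = if ($p.Path) { Get-AuthenticodeSignature -FilePath $p.Path } else { $null }

        # Parent PID tells you what launched it (agent service, scheduled task, user shell ...).
        $wmi = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.Id)"

        [pscustomobject]@{
            ProcessId = $p.Id
            Process   = $p.ProcessName
            Title     = $p.MainWindowTitle
            Path      = $p.Path
            ParentId  = $wmi.ParentProcessId
            Signature = if ($sig) { $sig.Status } else { 'n/a' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
        }
    }
}

$result = @(Find-WindowOwner -Pattern $TitlePattern)
if ($result.Count -eq 0) {
    Write-Warning "No visible window matches '$TitlePattern' in this session."
    return
}
$result | Format-List
```

Checking the signer is the useful part for a defender: a window claiming to be a management agent, owned by an unsigned binary outside the agent folder, is a different problem from a feature that is simply switched on.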
                      • 8. Re: Deploy machines to a new domain?
                        jwood8 Apprentice

                        It's GPMM.exe in the LDClient folder; I knew it was related, as the icon is the blue LD logo. Weird that I haven't ever seen this box before.

                        • 9. Re: Deploy machines to a new domain?
                          phoffmann SupportEmployee

                          Ohh - I think that's related to using THIS feature ... Geo-location ... it's part of the inventory settings...

                           

                           

                          ... if your box doesn't have Geo-location enabled ... that's one thing (and it requires end-user consent due to various countries' legal requirements, IIRC).

                           

                          So if that's not something you're looking to make use of, you may want to turn it off in your respective agent behaviour.

                           

                          If it IS something that you're going to use, I don't think we can go around the legal requirement of user acceptance.

                          1 of 1 people found this helpful
                          • 10. Re: Deploy machines to a new domain?
                            jwood8 Apprentice

                            That sounds like a winner! It was enabled so I've set it to block now. I'll try another build and let you know - thanks for the help!