14 Replies Latest reply on Jul 8, 2015 2:12 AM by phoffmann

    Provisioning fails at imaging stage

    Apprentice

      Hi,

       

      I have a bizarre problem that I cannot solve - can someone please help?

       

      My provisioning has started to fail after months of working fine. I am using WINPE & LDMS 8.8 SP3.

       

      Investigation has shown that the problem is the mapping of the drives just before the attempt to write the image. The script simply maps two drives, one for the Landesk files (IMAGEW.EXE) and another to the share with the images on. The first mapping works fine. The second drive mapping seems to work, but if I map the drive under the console and then try to access the drive, I get access denied. Therefore, the image cannot be read and the task fails.

       

      Now, this is not a permissions problem, as I can do the same thing on a normal client PC and the drive maps fine and can be accessed, unsing the same credentials, so it seems to be something specific to the WINPE environment. It seems to be a problem with drive mapping under WINPE - even though it has worked for months!

       

      I have tried updating the password in the OS task, removing and reinstalling the PXE rep & expanding the WINPE image - all of which have failed.

       

      Can anyone suggest anything else I can try please?

       

      Many Thanks

       

      Paul

        • 1. Re: Provisioning fails at imaging stage
          phoffmann SupportEmployee

          The problem won't be related to PXE reps.

           

          If the first mapping works fine, the problem is not related to the driver used either.

           

          The problem is most likely local to your second server (the one you're mapping to) - which I assume is different to the server you're first mapping to? The most COMMON reason for this is local policies.

           

          Just for recap, here's the local policies we NEED (on any device involved as a server with OSD/Provisioning):

           

          Preparing a Windows 2003 Server for a
          Management Suite core server installation
          When installing a Management Suite core server on Windows 2003 Server, you need to modify
          some Windows 2003 Server group policies. Refer to Microsoft Technical Support, the LANDesk
          Software support knowledge base, or the Microsoft MSDN documentation for specifics about the
          effects of these changes.


          To launch the group policy editor

           

          1. Click Start | Run, and type gpedit.msc. Click OK.
          2. Navigate to Local Computer Policy | Computer Configuration | Windows Settings |
          Security Settings | Local Policies | Security Options.

           

          3. Make sure the following polices have these security settings:
          • Domain member: Digitally encrypt or sign secure channel data (always): Disabled.
          • Microsoft network client: Digitally sign communications (always): Disabled.
          • Microsoft network server: Digitally sign communications (always): Disabled.
          • Network access: Let Everyone permissions apply to anonymous users: Enabled.
          • Network access: Restrict anonymous access to Named Pipes and Shares: Disabled.
          • Network security: Do not store LAN Manager hash value on next password change:
          Enabled.
          • Network security: LAN Manager authentication level: Send LM & NTLM responses.

           

          This is a straight copy from the LDMS Deployment Guide (for 8.8 in this case) - page 49 of 121.

           

          You'll be wanting to check on that direction (though I'm surprised it doesn't cough up an error) the most. My guess is that it's something to do with local policies or GPO's that changed for that server...

           

          - Paul Hoffmann

          LANDesk EMEA Technical Lead.

          • 2. Re: Provisioning fails at imaging stage
            Apprentice

            Many thanks for your detailed reply, but I'm afraid they did not solve the problem.

             

            Given that I can map to the same drive with the same credentials from another PC (XP based), I still think the problem lies in the WINPE image somewhere, but I still can't find out what the problem is.

            • 3. Re: Provisioning fails at imaging stage
              phoffmann SupportEmployee

              Hehe - accessing the server from Windows XP (and one that'll be part of the domain) is not the same thing as trying to access it from WinPE.

               

              Check on the same PC you could access from Win XP whether - if you boot it into WinPE - you can access that server. My guess is no (and thus again - GPO's being the most likely candidate based on historical cases) .

               

              - Paul Hoffmann

              LANDesk EMEA Technical Lead

              1 of 1 people found this helpful
              • 4. Re: Provisioning fails at imaging stage
                Apprentice

                You were (of course) correct all along. This time I checked the server settings myself (instead of asking a collegue to do it), and found most of them to be wrong!

                 

                All is now well with the world of provisioning again.

                 

                Many many thanks.

                 

                Paul

                • 5. Re: Provisioning fails at imaging stage
                  phoffmann SupportEmployee

                  Pleasure to help - though there's hardly the case of "of course" - flattering though it is. Normally I'd have expected some "oh no you won't" error in the mapping of the drive, so I'm pretty curious that this passed (apparently successful). "Oh well - Windows" I suppose, important thing is that it now works at least .

                   

                  May the imaging continue smoothly .

                   

                  - Paul Hoffmann

                  LANDesk EMEA Technical Lead

                  • 6. Re: Provisioning fails at imaging stage
                    Apprentice

                    hey Paul,

                     

                    I have a couple of quick questions regarding the security settings: If these settings are not set as you suggest, would it affect anything else besides provisioning? For example: inventory scans?

                     

                    And also, if I was deploying an image from share on another server (besides our core), would I have to set the security settings on the server that had the image being deployed on it?

                     

                    thanks.

                     

                    jeff

                    • 7. Re: Provisioning fails at imaging stage
                      phoffmann SupportEmployee

                      Hi Jeff.

                       

                      I quote myself from a little above to answer one of your questions:

                       

                      Just for recap, here's the local policies we NEED (on any device involved as a server with OSD/Provisioning):

                       

                      So, yes, if a device is hosting images, then you need to set those policies.

                       

                      By and large, these policies are PRIMARILY needed for OSD (since you've not given the context of your inventory scans, I'm assuming you're talking about Windows-OS based inventory scans, not OSD-related ones), but should be performed on the Core anyway (it's in our requirement/deployment docs after all).

                       

                      Now, from memory, Inventory (from Windows'y clients) should NOT be affected by these policies, since most of the policies are related to authentication and communication (i.e. from DOS-PE / WinPE / LinuxPE), while "normal" Windows-client are already part of the AD and thus have a lot fewer authentication woes.

                       

                      I can say with certainty that if the settings are not set as they should be they would affect OSD and Provisioning. I seem to recall that other things might be affected as well, but I don't recall clearly which ones those would be ... sorry. In any case, this shouldn't be used as a reason to NOT perform those local policy changes on the Core please .

                       

                      For some reason I seem to recall that patch (well - IIS-related things) can be a bit hissy, but that could be just generally IIS's touchiness that I'm thinking of...

                       

                      - Paul Hoffmann

                      LANDesk EMEA Technical Lead.

                      • 8. Re: Provisioning fails at imaging stage
                        Apprentice

                        Thanks so much, Paul.

                         

                        Yes. I was referring to your basic inventory scans. I have been having issues with inventory scans ending up in the error scan folder, and I have tweaked the inventory settings in a million different ways but i still end up getting error scans. So i was wondering if there was some sort of blockage going on....but now that I think about it, if the scan is in the error scan folder then it has obviously made it to the core so nothing has blocked it from getting there. I'll keep tweaking

                         

                        And about the provisioning, I have been having issues with the template failing to complete. It stops at the point where the ldprovisioning folder is created and rainstall.exe does not execute....but i have another thread open regarding all of that. I was thinking that something on the core was stopping the resident agent from being installed. Again, I'll keep tweaking....

                         

                        thanks, Paul.

                         

                        jeff

                        • 9. Re: Provisioning fails at imaging stage
                          phoffmann SupportEmployee

                          Ah right - no, inventory scans that end up in errorscan actually "make it" to the Core.

                           

                          If these policies aren't set as they should be, you'd be facing more the type of problem "client cannot talk to the server" (be it Core or another server). Inventory stuff works entirely differently .

                           

                          - Paul Hoffmann

                          LANDesk EMEA Technical Lead

                          • 10. Re: Provisioning fails at imaging stage
                            Apprentice

                            thanks again, Paul...

                             

                            one more question though....would those settings matter for capturing an image?

                             

                            jeff

                            • 11. Re: Provisioning fails at imaging stage
                              phoffmann SupportEmployee

                              Absolutely - yes.


                              Capture / restoration of an image all involves DOS-PE / Linux-PE / Win-PE based communication with servers (or at the very least the Core) - so 100% it would matter.

                               

                              After all, if the server you're trying to store the image to rejects your attempts at authenticating ... you're not going to get very far with saving the image files, for instance .

                               

                              - Paul Hoffmann

                              LANDesk EMEA Technical Lead

                              • 12. Re: Provisioning fails at imaging stage
                                Apprentice

                                Thanks again Paul....

                                 

                                you rock, man.

                                 

                                jeff

                                • 13. Re: Provisioning fails at imaging stage
                                  abhijit222223 Rookie

                                  We are using  LDMS 9.6 SP2 instaled in Windows 2012 Server, just wanted to know if the Group Policy /local security policy requirement is still same or if you can provide me any updated document regarding this. 

                                  • 14. Re: Provisioning fails at imaging stage
                                    phoffmann SupportEmployee

                                    I don't remember having had to set those policies in years now (bear in mind that the Provisioning WinPE image also got revved up in the meantime).

                                     

                                    I'd recommend starting a new thread with details on what your problem is, so that we might be able to help more specifically to that issue. This was something that applied roughly 10 years ago - things changed since then.