Community
cancel
Showing results for 
Search instead for 
Did you mean: 
jacace
Black Belt
98 Views

Error Extending AD Schema in SCS 5.0

Hi there!

I'm following the steps described in page 96 of Installation Guide, so I'm running the BuildBchema.vbs script but I got an error in the final execution (on ldifde). I've seen the logs written by this command and it's for access priviliges.

According to the manual the user must be Enterprise Admin coz server is running Win 2003 and that's user which one I'm logged on. I've granted also the Domain Admin, Dns Admin and Administrator role and error persists.

Many thanks,

Javier Andrs

0 Kudos
29 Replies
jacace
Black Belt
87 Views

Hello folks,

I've fixed the issue related to running the build schema script by adding the user in the schema admin group. In the installation manual (page 95) says:

"The user account that runs the scripts requires Enterprise Admin permissions, and for Windows 2000 must also be a member of the Schema Admins group in Active Directory."

So, it's necessary that user account be a member of schema admin also for Win2003.

But now I have another issue:

I've created a profile in SCS Console and I've configured the Intel AMT machine in Bios to be part of a domain, work in SMB modeand DHCP is active. In the server I registeredSCS Serverin the DNS.

Now I'm trying to registering Intel AMT Devices in the DNS but the procedure described in page 104-105 is not to clear; I understand that it's necesary a successful bootof the host operating system for matching the FQDN, so I let the Intel AMT machine doing it but I still don't receive the "Hello" message.

The question is: How can I verify the Hello message reception? and How can I see the non configured Intel AMT devices in the SCS Console?

Many thanks,

Javier Andrs

jacace
Black Belt
87 Views

Hi there,


This post is for completing last one.
I've added a new platform in SCS Console and I can see it in a profile I created under the not configured group.
I've also switched from SMB to Enterprise in the AMT machine, entering the domain name and the Server provision configuration (IP,PORT, and so on).
I understand that when server receives the Hello message compares it to the configured platform (from database or script) and the change it the status from not configured.

I have verified that there is no Hello message been sent and then the SCS never configure the platform; in other tools there used to be ways to scan the network and find the AMT platform and then configure it and in SCS all it's done behind scenes.

What can I do? I've follow all the steps in the manuals. My server is Win 2003, AMT 3.0 and SCS is configured for AD Extension integration.


Many thanks,

Javier Andrs

87 Views

Hi,

A couple of things to check - when you configured the AMT system, did you mention your provision server IP correctly? It should be either given as "ProvisionServer" (then the DNS should be able to resolve this for you) or the exact IP of the SCS server.

Did you enter the PID PPS that yo got from the SCS server to the AMT system?

Another thing to check is is there a firwall running on the client or the server that blocks the communication.

Thanks,

Sree

jacace
Black Belt
87 Views

Hi Sree,


Yes, I entered IP and the PID/PPS (on one touch configuration/Enterprise mode) correctly in the AMT machine.
There is no firewall or blocking software running at the server/client.

Many thanks,

Javier Andrs

87 Views

Hi,

Could you do a simple test here? Could you try to provision this client in Enterprise mode using AMT Director? I want to make sure that the client is setup correctly.

Thanks,

Sree

jacace
Black Belt
87 Views

Hi Sree,

I'm able to connect in SMB mode, but not in Enterprise Mode. I think it's because Director's info bar says "Provision Server Stopped", maybe cause is the same server where SCS is installed.

When I switch to Enterprise Mode, entering the key, the IP and port of provision server, I click connect and never connects.

Is there a log where I can see if there's smething wrong on SCS?
Is there a "Hello" log on SCS?


Many thanks,


Javier Andrs

87 Views

Hi,

It is because both director and SCS are using the same port - 9971. Please stop the SCS and then try the Director again for Enterprise mode. Or you can use a different system for the Director.

Another question is have you turned on logging in SCS? Does the log files say something about it?

Thanks,

Sree

jacace
Black Belt
87 Views

Hi Sree,

I did not say in last mail but I stopped the SCS service and Director did not change.

When I use a different system for Director I can connect without problems.

No, I haven't turn on logging, but what I tried to say is that where can I see the Hello messages in SCS?

Many thanks,

Javier Andrs

87 Views

Hi,

i contacted the SCS support team for this and they want to know whether there is a DNS entry for the provision server. please confirm this.

Thanks,

Sree

jacace
Black Belt
87 Views

Hi Sree,

I added an entry in DNS for Provision Server points the SCS server, but it's not actually used cause I entered the IP address in the AMT machine.

Thanks,

Javier Andrs

IDZ_A_Intel
Employee
87 Views

Hello there,

I'm pretty certain that just stopping the service isn't going to fix the port 9971 conflict. You would have to relaunch the Director and give it a different port - try 9981, for example, and make sure you put this new port in the Set up and config menus on the AMT system as well. (see this blog)- this is if you areusing the Director to provision. I beleive there is also a way to change the port that the SCS uses in it's Network Settings configuration UI - so if you are using the SCS, I would change the port there and use that port on the AMT system. The bottom line, is that they can't both be tying up port 9971 - if that's the case there will be no Hello packet

If this does not work, please turn on the SCS Log and send it to us so we can continue to escalate if needed - my FAQ blog has this as the first question. (This is also documented in the SCS User's guide as well.)

Other questions: Have you tried attaching a network sniffer to see what traffic is actually going back and forth? You are just trying non-TLS at this point, correct? (I'm sorry I can't see the whole thread from this screen.)

jacace
Black Belt
87 Views


Hello,

I sucessfully made an Enterprise Provision using Director(I'm also using a virtual machine).
Then I tried to provision with SCS and I could see that there was a platform added automatically, but the UUID is not the rigth one (see the new platform screen atached).

I'm sending u log files and I can see that the Hello message is received but SCS tries to do a match and nothing happens; I can also see an authorization error.

The rigth UUID I added is:
92CF7A0B-094A-DC11-9622-00E018889BFA

The wrong UUID added by SCS is:
00000000-0000-0000-0000-000000000000

Many thanks & waiting for your reply,

Javier Andrs

jacace
Black Belt
87 Views

I forgot telling u that the Profile settings I'm triying to set is one called "Basico" (please see attached files in post number 30259888 -the third one i this thread- )

thanks

IDZ_A_Intel
Employee
87 Views

Ok - so it looks like your provisioning is failing because the correct UUID is not in the Hello message (because it is not finding it in the database.) Could you look at the "Preparing and Manageing Platforms" section of the Console User's Guide to see how you need to add this information to your configuratioin? (I cut and pasted some of the text below.)

Source of Configuration Information: Database or Script

The SCS can be configured to locate Intel AMT device configuration information in one

of two ways: either from within the SCS database or via a script. When the SCS receives

a "Hello" message from a device it will look in the SCS database for a configuration

entry matching the UUID in the "Hello" message. If there is no match, and there is no

script, the SCS will revisit the queued "Hello" message periodically to see if an entry was

added to the database. If the script option was selected, the SCS will activate a script to

find the necessary information, given the UUID and the source IP in the "Hello"

message. When the SCS receives the configuration from the script, it stores the

information in the database.

Scripting Option

This option acquires the configuration information using a script if the required

parameters are not in the New Intel AMT database table. The SCS runs a script that

retrieves the parameters from an external source

The SCS distribution and documentation include sample scripts and directions for

several of these options. See "Using a Script to Import Intel AMT Configuration

Properties" on page 129.

Adding device information to the SCS database manually

This is the simplest approach but it is the most difficult for IT personnel. They have to

manually enter the UUID along with the other parameters into the New Intel AMT table.

jacace
Black Belt
87 Views

Hello Gael,


Many thanks for your reply.
I had already looked the "Preparing and Managing Platforms" sections and based on it I did it manually.
I got the UUID from AMT Commander and set the organizational Unit created during setup, the basic profile I did and the rigth FDQN.

Is it possible to see the UUID comming in the Hello message? It must be the same I copied in AMT Commander.
Why did SCS enter a new platform with a wrong UUID?

Thanks again and waiting for your reply,

Javier Andrs

IDZ_A_Intel
Employee
87 Views

Hello again,

I am going to have to wait and see what the SCS folks have to say about this... Have you tried starting fresh now with the SCS? Do a complete unprovision, get a fresh PID/PPS pair, make sure you have the UUID in the Database and then kick off the SCS? I'm wondering if your system is now in a "half-way" provisioned state - the SCS and the Director aren't really compatible so now that you know it works with the Director, I would start fresh with the SCS (if you haven't already done so.)

jacace
Black Belt
87 Views

Hello Gael,

This is a fresh try.
I'll be waiting for.

Many thanks again,

Javier Andrs

jacace
Black Belt
87 Views

Hi there,

I'm sending you the last log.
I can see that SCS can't match the arriving UUID with the one I manually entered in DB (I'm sure the one I entered it's OK cause I read it in commander) and then SCS inserts a new platform without parameters.

I have tried a lot of things and I'm really stressed about it; I can see in a table name XXX_requests that UUID column is 000000X, so I think that UUID is arriving from machine, but it's confusing cause in log files says that the arriving UUID is OK and the DB is bad.

Thanks in advance,

I attached the last log

Javier Andrs

IDZ_A_Intel
Employee
87 Views

Hi again,

Could you check one more thing for us?

  1. Go to the "Security Keys" menu in the SCS Console application
  2. Select the PID/PPS key that you chose for your AMT Client (click on view)
  3. Can you confirm that the Factory Default MEBx password is the MEBx password that is on your client? From the log that you provideditis possible thatthe SCS service was not able to log on to your AMT Client and so you got an HTTP/1.1 401 Unauthorized error. The "Factory Default MEBx password" needs to be set here to the MEBx password that you are currently using i.e., not "admin". You would need to set the password correctly prior to generating you PID/PPS keys and also specify what you want your new MEBx password to be (randomly created or manually.

2007.07.29,11:00:18,SUCCESS,SERVER=1,USER=AMTadmin,THREAD=3768,SOURCE=.AMTConnectionAMTConnection.cpp,LINE=315,
The SOAP connection with connection parameter set #1 failed: AMT Connection Error: SOAP Error [401]: "getFullCoreVersion: Fault: 'HTTP Error' : Details: 'HTTP/1.1 401 Unauthorized'".


2007.07.29,11:00:18,SUCCESS,SERVER=1,USER=AMTadmin,THREAD=3768,SOURCE=.AMTInterfaceAMTUtilitiesSOAP.cpp in:AMTUtilitiesSoap::VerifyUUID,LINE=1782,
UUID Mismatch!! DB UUID is: 00000000000000000000000000000000, AMT UUID is: 92CF7A0B094ADC11962200E018889BFA

38 Views

Hi Gael!
Thanks for your help. Javier is in my development team.
We will be following your directions and we will let you know.

Thanks once again, best regards
Maria
Reply