Why is the Notification Server saying that all of the Package Servers packages are invalid?

Products

IT Management Suite Software Management Solution

Issue/Introduction

It was noticed that when you look at the Package Server status in Notification Server your packages are displayed as invalid. When you look at the Package Server Console on the Package Server, you notice that the Package Server displays its packages as ready.

So you created a new package and confirmed that the Package Server downloads it and displays it as available However, the Notification Server initially displays it as pending until it receives data from the Package Server, and then the Notification Server displays it as invalid.

The agent.log file contains the following errors:

<event date='May 16 11:51:05' severity='2' hostName='pc100' source='CreateDirectoryPath' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='724' thread='1740' tickCount='495844828' >
<![CDATA[Cannot create directory: 0x80070005 [Access is denied] d:]]></event>
<event date='May 16 11:51:05' severity='2' hostName='pc100' source='EventTransport' module='AeXNSAgent.exe' process='AeXNSAgent.exe' pid='724' thread='1740' tickCount='495844843' >
<![CDATA[Error while copying event to capture directory: Access is denied (-2147024891)]]></event>

Every package is associated with the following error when the Send Package Status is run and is recorded in the 'Package Status' NSE file as well as the SWDPackageServer Table:

The trust relationship between this workstation and the primary domain failed(1789).

When you look at NTFS permissions, you notice that the .\Package Delivery\<Guid> directories on the Package Servers that the Notification Server is displaying as having invalid packages, and that there are only the Administrator and SYSTEM accounts present.

Environment

ITMS 8.x
Package Servers

Cause

The Package Server has failed to add the credentials configured in the SMP Console under:

Settings tab > Notification Server > Site Server Settings > Site Server Settings tree > Package Services > Package Service Settings > Security Settings.

You can choose from Anonymous access (default one), Application credentials (AppId), or specify a set of credentials to use (under "Click here to modify Agent Connectivity Credentials")

Resolution

Perform the following:

Manually request a new Client Settings Policy for every Package Server, so as to ensure that we are working within the full window between Configuration Requests, thus not affecting the Package Servers that are functioning correctly.
Configure the Security Settings for the Package Service Settings for anonymous access, so as to revert the PSAgent to its defaults.
Manually request a new Client Settings Policy for every problem Package Server.
Configure the Agent Connectivity Credentials for the AppId again.
Manually request a new Client Settings Policy for every problem Package Server.
Manually send a Package Status from all problem Package Servers to Notification Server.
Notification Server should now start displaying these Package Servers as having packages that are ready instead of invalid.

You may also need to perform this procedure afterwards on the Package Server:

Remove the .\Altiris\Notification Server\Snapshots\<GUID>.xml files from Notification Server.
Remove the .\Altiris\Altiris Agent\Package Delivery\<GUID>\snapshot.xml file from all GUID directories on the Package Server.
Remove the .\Altiris\Altiris Agent\Package Server Agent\PackageStatus\<GUID>\PackageStatus.xml files from all Guid directories.
Run the NS.Package.Refresh scheduled task on Notification Server.
Update the Symantec Management Agent's configuration policy on the Package Server.
Send the package status on Notification Server.

Additional Information

194234 How to setup Agent Connectivity Credential (ACC) and Best Practices