How to Prevent Shared GUIDs

Article Id: 181635
Status: Published
Updated On: 15-01-2014 08:49
Legacy Id: HOWTO93988
Products:
Management Platform (Formerly known as Notification Server)
Issue/Introduction:

 

Resolution:

A GUID is shared when two or more Symantec Management Platform (SMP) agents use the GUID at the same time. This can cause some odd behavior.
Shared GUIDs causes inaccurate inventory reporting, so, for instance, you will not know which computers have which software installed. In addition, Shared GUIDs prevents properly managing computers, because computers might receive policies intended for other computers, and so might receive a policy that it should not; or might not receive a policy that it should.

Background

In order for the SMP Server (Server) to manage each SMP Agent (Agent) properly, the Server must be able to identify each Agent uniquely. To do this, the Server assigns each Agent a unique GUID (Global Unique Identifier), and each Agent uses its assigned GUID in all subsequent communication with the Server.

When the Agent is installed, it does not have a GUID until the Agent requests and receives a GUID from the Server. When the Agent requests a GUID, the Agent supplies several identifying key values, including the computer’s "name.domain" value. Then the Server checks whether a GUID has been associated with the values supplied by the Agent, if found the Server returns the existing GUID to the Agent, otherwise the Server creates a new GUID, associates the new GUID with the key values supplied by the Agent and returns the new GUID to the Agent.

Note: in order for the SMP system to work properly,

  • each computer resource must have no more than one name.domain value, and
  • each name.domain value can be associated with one and only one computer resource

Note: UNIX, Linux and Macintosh agents are handled in a similar but slightly different manner.

Preventing Shared GUIDs

To ensure that each SMP agent receives a unique GUID, we suggest the following:

  • Run an AD import periodically on your Notification Server (NS), and deploy Symantec Management Agents only to computers that the NS first learned about via the AD import. In this way, only new GUID's are created during AD import and given to SMP agent when requested.
     
  • When setting up a new Managed Computer, prior to installing the SMP Agent, ensure that the computer has a unique name and has been joined to the AD domain, if there is an AD domain. This will ensure that when the computer requests its GUID, it will send the correct "name.domain" value to the SMP Server, and has a far better chance at getting a unique GUID.
     
  • When using Deployment Solution to image systems, be sure to use the built in jobs that clear the GUID from the system prior to mass deployments of a single image (mass = anything more than 1). Backup Images are the only exception to this as they are only restored to the system from which they were captured. Because by default we recommend capturing images with the agent in them, this agent will, per the information above, also have a GUID in them. If this is deployed across more than one computer, you will get duplicates in the console. However, if the jobs are used to prepare the image properly first, both DS 6.9 and DS 7.x will pull the GUID from the agent and tell the agent to get a new GUID the next time it starts.


Detecting Shared GUIDs
   Detecting computer with Shared GUIDs
   http://www.symantec.com/docs/HOWTO49693

Correcting Shared GUIDs
   Shared GUID cleanup script
   http://www.symantec.com/docs/TECH212345


Concerning the re-use of computer names

A computer name is re-used when one name is assigned first to one computer and later assigned to a different computer, but the name is not assigned to both computers at the same time.

Symantec Technical Support strongly discourages the re-use of computer names - as this is known to lead a variety of issues. If historical data must be retained, then computer names should not be reused.

The following suggestions are offered in the unlikely event that computers names must be re-used to corporate policy. While these suggestions may be helpful in some situations, their use is strongly discouraged.

Note: These suggested steps involve the deletion of all data about the previous computer from the database. This deletion is necessary to prevent data inconsistencies caused when the information about two different computers is merged. If historical data must be retained, then computer names should not be reused.

  • If you must re-use computer names and wish to replace a computer then turn off the previous computer and ensure that it does not communicate with the NS; delete the computer resource using the Altiris console, you may leave the computer in AD; and proceed as if the computer is new.
    Note: This process will delete all data about the previous computer from the database; and this deletion is necessary to prevent data inconsistencies caused when the information about two different computers is merged. If historical data must be retained, then computer names should not be reused.
     
  • If you must re-use computer names and wish to swap two computers then turn off both computers and ensure that neither communicates with the NS until they are reconfigured; delete both computer resources using the Altiris console, you may leave both computers in AD; and then proceed as if both computers are new.
    Note: This process will delete all previous data about each computer from the database; and this deletion is necessary to prevent data inconsistencies caused when the information about two different computers is merged. If historical data must be retained, then computer names should not be reused.