How to join a standalone IT Management Suite instance to a domain, along with an FQDN change?


Article ID: 185009


Management Platform (Formerly known as Notification Server)



The following process is based on tests performed with IT Management Suite 8.1 installed with an on-box SQL Server and with Cloud-enabled Management (CEM) implemented. Remote Site Servers and client computers communicate with Notification Server 8.1.

During testing, the following certificates were used:
• For the Notification Server Web Site, a self-signed certificate generated by Symantec Installation Manager
• For the CEM Web Site, a certificate generated by Notification Server
• For remote Site Servers, certificates generated and signed by Notification Server through the Global Site Server settings policy


Join a standalone ITMS instance to a domain

STEP 1 On Notification Server, open IIS Manager and add an additional HTTP(S) binding.
If you use HTTPS in your environment, assign the certificate that contains the new Notification Server's FQDN to the binding.

STEP 2 In the Symantec Management Console, on the Communication Profile policy page, add the new Notification Server's FQDN with the appropriate port so that all existing client computers can communicate with this Notification Server using both the old and the new FQDN.

STEP 3 Add certificates for the new Notification Server's FQDN.
Note: If the new certificate is signed by another certificate, you must import the root certificate as well. Managed computers that have not joined the domain will not be able to communicate without the CA certificate from Active Directory. The CA certificate is delivered automatically to computers after they join the domain where the Notification Server computer is located.

STEP 4 On Notification Server, open the NSConfiguration.exe tool.
(located at: %NS Install Dir%\Notification Server\Bin\Tools)
Find the TaskServiceAdvancedSettingsAllowed option, check Enabled, and then click Save.

STEP 5 In the Symantec Management Console, on the Task Service Settings page, do the following:
• In Preferred host, specify the new FQDN of the Notification Server computer.
• Check Automatically restart services (Altiris Object Host Service, Client Task Data Loader, WWW Publishing) when configuration changes.
• Click Save changes.

STEP 6 To speed up delivery of the new Notification Server's FQDN and its new certificate, create an Update Client Configuration task and schedule it to Run Now on the appropriate client computers and Site Server(s).
Note: Use the Client Configuration Policy Statistics report to check whether managed client computers and Site Server(s) have received the new configuration. If the value in the Response Size (KB) column is greater than 2, the computer has received the new configuration policy.

STEP 7 (This step is required only if CEM is implemented.) Join your Internet Gateway computer to the new domain.
On the Internet Gateway computer, in the Internet Gateway Manager, on the Servers tab, perform the following steps:
• Remove the old Notification Server's FQDN.
• Add the new Notification Server's FQDN with the CEM port :4726.

STEP 8 On the Notification Server computer, replace the old FQDN with the new one for Symantec Management Console.

STEP 9 If you have Site Servers with HTTPS bindings where the certificate has changed, send basic inventory from these Site Servers to Notification Server, and then on Notification Server run the NS.Site Server Profiles Synchronization Schedule.{f04f27de-9c21-4746-99cc-8c43eb3ad2f9} task.
This task updates the IIS binding for each Site Server in the Site Server Communication Profile. After the client computers receive the updated Site Server Communication Profile policies, they will be able to communicate with the Site Servers.

STEP 10 (This step is required only if any of the Site Servers were previously used through Internet Gateway.) After the Site Server has joined the domain and its FQDN has changed, update the Site Server's FQDN on the Internet Gateway computer, in the Internet Gateway Manager, on the Server tab.

STEP 11 After some time, check the Agent Health of all client computers in the Computers view and make sure that all client computers successfully request policies and send basic inventory.

• If all client computers are Healthy, you can remove the previously added additional HTTPS binding and leave only the 80 and 443 bindings, with the new certificate for the new Notification Server's FQDN on HTTPS.
• If some client computers have the Needs attention status, go to the computer that has issues and check its Symantec Management Agent logs at:
C:\ProgramData\Symantec\Symantec Agent\Logs\
You can also check the Logs tab in the Symantec Management Agent UI to identify the issues.
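
The note in STEP 3 and the cleanup in STEP 11 both depend on whether a managed computer actually trusts the certificate presented on the new FQDN. The following PowerShell check is an added example, not part of the original article or a Symantec tool; the function name Test-NsTlsTrust is hypothetical and the FQDN and port are placeholders to replace with your own values.

```powershell
# Added example. Run on a managed computer or Site Server, because the result
# depends on that machine's trusted root store (see the note in STEP 3).
$NewFqdn = 'ns01.corp.example.com'   # placeholder: new Notification Server FQDN
$Port    = 443                       # placeholder: port bound in STEP 1

function Test-NsTlsTrust {
    param([string]$HostName, [int]$Port)

    # Pass 1: strict handshake. Default .NET validation checks the chain against
    # this machine's trusted roots and the certificate name against $HostName.
    $ok = $true; $reason = $null
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
    } catch {
        $ok = $false; $reason = $_.Exception.GetBaseException().Message
    } finally { $tcp.Close() }

    # Pass 2: diagnostics only. Accept any certificate so it can be inspected;
    # no application data is sent on this connection.
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }

    # Rebuild the chain locally to show which root it ends at and why it fails.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($cert)
    $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Endpoint        = "${HostName}:$Port"
        StrictHandshake = $ok
        Reason          = $reason
        Subject         = $cert.Subject
        NotAfter        = $cert.NotAfter
        Thumbprint      = $cert.Thumbprint
        ChainEndsAt     = $last.Subject
        ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

$r = Test-NsTlsTrust -HostName $NewFqdn -Port $Port
$r | Format-List
if (-not $r.StrictHandshake) { Write-Warning "Do not remove the old binding yet: $($r.Reason)" }
```

A ChainStatus of UntrustedRoot on a computer that has not joined the domain corresponds to the missing CA certificate described in the STEP 3 note; an empty ChainStatus with StrictHandshake False points to a name mismatch between the certificate and the new FQDN.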