How to join a standalone IT Management Suite instance to domain, along with FQDN change?

Article ID: 185009

Products

IT Management Suite

Issue/Introduction

Introduction

The following process is based on tests performed with IT Management Suite 8.1 installed with an on-box SQL Server. Cloud-enabled Management is implemented. Remote Site Servers and client computers communicate with Notification Server 8.1 (these steps still apply to versions 8.5 and 8.6).

During testing, the following certificates have been used:
• For Notification Server Web Site, self-signed certificate generated by Symantec Installation Manager
• CEM Web Site certificate generated by Notification Server
• For remote Site Servers, the Global Site Server Settings policy is used so that the certificate is generated and signed by Notification Server

Resolution

NOTE: For ITMS 8.5 and 8.6, see our more recent whitepaper on SMP Server domain or host name change:
https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/endpoint-security-and-management/it-management-suite/generated-pdfs/ITMS8.x_namechange_whitepaper.pdf

 

Join a standalone ITMS instance to a Domain

STEP 1 On the Notification Server, open IIS Manager and add an additional HTTP(S) binding.
If you use HTTPS in your environment, then assign your certificate with the new Notification Server's FQDN to the binding.

STEP 2 In the Symantec Management Console, on the Communication Profile policy page, add the new Notification Server's FQDN with the appropriate port to allow all existing client computers to communicate with this Notification Server using the old and new FQDN.

STEP 3 Add certificates for the new Notification Server's FQDN.
Note: If the new certificate is signed by another certificate, you must import the root certificate as well. The managed computers that have not joined the domain will not be able to communicate without a CA certificate from Active Directory. The CA certificate will be automatically delivered to computers after they join the domain where the Notification Server computer is located.

STEP 4 On the Notification Server, open the NSConfiguration.exe tool.
(located at: %NS Install Dir%\Notification Server\Bin\Tools)
Find the TaskServiceAdvancedSettingsAllowed option, check Enabled, and then click Save.

STEP 5 In the Symantec Management Console, on the Task Service Settings page, do the following:
• For Preferred host, specify the new FQDN of the Notification Server computer.
• Check Automatically restart services (Altiris Object Host Service, Client Task Data Loader, WWW Publishing) when configuration changes.
• Click Save changes.

Note:
With recent releases, this UI option for "preferred host" is no longer applicable. We introduced Task Server Communication profiles under "Settings > Agents/Plug-ins > Symantec Management Agent > Symantec Management Agent Communication Profiles > Task Server Communication Profiles" to provide a way to specify how Task Server communicates with Notification Server.

Post 8.5:

  1. In the SMP Console, go to "Settings > Notification Server > Site Server Settings > Task Service > Settings". Select the policy that targets the problem Task Server.
  2. Under "Communication Profile", check that the checkbox option "Use an alternate URL for the Task Server to access the NS" is not selected (if you used to have a "PreferredNSHost" reference, this checkbox is most likely selected and referencing the old SMP Communication profile).
  3. If it is checked, uncheck it so the default new SMP one can be used.
  4. On the Task Server, open "Services Manager" and restart the "Altiris Client Task Data Loader" service.
  5. Open the Symantec Management Agent UI and manually update the configuration.

STEP 6 To speed up delivering the new Notification Server's FQDN with its new certificate, create an Update Client Configuration task and schedule it to Run Now on appropriate client computers and Site Server(s).
Note: Use the Client Configuration Policy Statistics report to check if managed client computers and Site Server(s) have received the new configuration. If the value in Response Size (KB) column is bigger than 2, then this computer has received a new configuration policy.

STEP 7 (This step is required only if CEM is implemented.) Join your Internet Gateway computer to a new domain.
On the Internet Gateway computer, in the Internet Gateway Manager, on the Servers tab, perform the following steps:
• Remove the old Notification Server's FQDN.
• Add the new Notification Server's FQDN with CEM:4726 port.

STEP 8 On the Notification Server computer, replace the old FQDN with the new one for Symantec Management Console.

STEP 9 If you have Site Servers and HTTPS bindings where the certificate has changed, send basic inventory from these Site Servers to the Notification Server, and then on the Notification Server run the NS.Site Server Profiles Synchronization Schedule.{f04f27de-9c21-4746-99cc-8c43eb3ad2f9} task.
This task updates the IIS binding for each Site Server in the Site Server Communication Profile. After the client computers receive the updated Site Server Communication Profile policies, they will be able to communicate with the Site Servers.

STEP 10 (This step is required only if any of the Site Servers were previously used through Internet Gateway.) After the Site Server has joined the domain and its FQDN is changed, update the Site Server's FQDN on the Internet Gateway computer, in the Internet Gateway Manager, on the Server tab.

STEP 11 After some time, check the Agent Health of all client computers in the Computers view and make sure that all client computers successfully request policies and send basic inventory.

• If all client computers are Healthy, you can remove the previously added additional HTTPS binding and leave only 80 and 443 HTTPS with the new certificate for the new Notification Server's FQDN.
• If some client computers have Needs attention status, go to the computer that has issues and check its Symantec Management Agent logs at:
C:\ProgramData\Symantec\Symantec Agent\Logs\
You can also check the Logs tab in the Symantec Management Agent UI to identify the issues.
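
A read-only check for Steps 1 and 3, added here as an example (it is not from the original article or from the vendor): run on the Notification Server, it lists machine-store certificates that name the new FQDN, tests whether each chains to a locally trusted root, and shows which IIS SSL bindings serve them. The FQDN `ns01.corp.example.com` is a placeholder, and the name match is exact, so wildcard certificates are not listed.

```powershell
# Added example: read-only pre-flight check; run elevated on the Notification Server.
# The default FQDN is a placeholder (assumption), not a value from the article.
param([string]$NewFqdn = 'ns01.corp.example.com')

Import-Module WebAdministration   # provides the IIS:\ drive used below

# Certificates in the machine store whose DNS names include the new FQDN.
# Exact match only: a wildcard certificate will not be listed.
$report = @(foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    if ($cert.DnsNameList.Unicode -notcontains $NewFqdn) { continue }

    # Build the chain against the local trust stores, as a client would.
    # Revocation lookups are skipped so the check also works without network access.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)
    # Last element of the built chain; not a root if ChainStatus reports PartialChain.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Thumbprint         = $cert.Thumbprint
        NotAfter           = $cert.NotAfter
        HasPrivateKey      = $cert.HasPrivateKey   # IIS cannot serve the certificate without it
        ChainTrusted       = $trusted
        ChainStatus        = ($chain.ChainStatus.Status -join ', ')
        ChainTopSubject    = $top.Subject          # root that computers outside the domain need (Step 3)
        ChainTopThumbprint = $top.Thumbprint
    }
})

if ($report.Count -eq 0) {
    Write-Warning "No certificate in LocalMachine\My names $NewFqdn; Step 3 is not complete."
    return
}
$report | Format-List

# IIS SSL bindings that already serve one of those certificates (Step 1).
$bound = @(Get-ChildItem IIS:\SslBindings |
    Where-Object { $report.Thumbprint -contains $_.Thumbprint })
if ($bound.Count -eq 0) {
    Write-Warning "No IIS SSL binding uses a certificate for $NewFqdn yet."
} else {
    $bound | Select-Object IPAddress, Port, Host, Store, Thumbprint | Format-Table -AutoSize
}
```

Running it again after the Step 11 cleanup confirms that the remaining HTTPS bindings serve the certificate for the new FQDN.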