Error Extending AD Schema in SCS 5.0

Hi there!

I'm following the steps described on page 96 of the Installation Guide, so I'm running the BuildBchema.vbs script, but I got an error in the final execution (on ldifde). I've seen the logs written by this command and it's for access privileges.

According to the manual the user must be Enterprise Admin because the server is running Win 2003, and that's the user I'm logged on as. I've also granted the Domain Admin, Dns Admin and Administrator roles and the error persists.

Many thanks,

Javier Andrés


Hello folks,

I've fixed the issue related to running the build schema script by adding the user to the Schema Admins group. The installation manual (page 95) says:

"The user account that runs the scripts requires Enterprise Admin permissions, and for Windows 2000 must also be a member of the Schema Admins group in Active Directory."

So it's necessary that the user account be a member of Schema Admins also for Win2003.

But now I have another issue:

I've created a profile in SCS Console and I've configured the Intel AMT machine in BIOS to be part of a domain, work in SMB mode, and DHCP is active. On the server I registered SCS Server in the DNS.

Now I'm trying to register Intel AMT devices in the DNS, but the procedure described on pages 104-105 is not too clear; I understand that a successful boot of the host operating system is necessary for matching the FQDN, so I let the Intel AMT machine do it, but I still don't receive the "Hello" message.

The question is: how can I verify the Hello message reception? And how can I see the non-configured Intel AMT devices in the SCS Console?

Many thanks,

Javier Andrés

Hi there,

This post is to complete the last one.
I've added a new platform in SCS Console and I can see it in a profile I created under the not configured group.
I've also switched from SMB to Enterprise in the AMT machine, entering the domain name and the Server provision configuration (IP, PORT, and so on).
I understand that when the server receives the Hello message it compares it to the configured platform (from database or script) and then changes its status from not configured.

I have verified that there is no Hello message being sent, and so the SCS never configures the platform; in other tools there used to be ways to scan the network and find the AMT platform and then configure it, and in SCS it's all done behind the scenes.

What can I do? I've followed all the steps in the manuals. My server is Win 2003, AMT 3.0 and SCS is configured for AD Extension integration.

Many thanks,

Javier Andrés

Attachment: ScreenShots.zip (application/zip, 475.01 KB)

Hi,

A couple of things to check - when you configured the AMT system, did you mention your provision server IP correctly? It should be either given as "ProvisionServer" (then the DNS should be able to resolve this for you) or the exact IP of the SCS server.

Did you enter the PID/PPS that you got from the SCS server into the AMT system?

Another thing to check is whether there is a firewall running on the client or the server that blocks the communication.

Thanks,

Sree

Hi Sree,

Yes, I entered IP and the PID/PPS (on one touch configuration/Enterprise mode) correctly in the AMT machine.
There is no firewall or blocking software running at the server/client.

Many thanks,

Javier Andrés

Hi,

Could you do a simple test here? Could you try to provision this client in Enterprise mode using AMT Director? I want to make sure that the client is set up correctly.

Thanks,

Sree

Hi Sree,

I'm able to connect in SMB mode, but not in Enterprise Mode. I think it's because Director's info bar says "Provision Server Stopped"; maybe the cause is that it's the same server where SCS is installed.

When I switch to Enterprise Mode, entering the key, the IP and port of the provision server, I click connect and it never connects.

Is there a log where I can see if there's something wrong on SCS?
Is there a "Hello" log on SCS?

Many thanks,

Javier Andrés

Hi,

It is because both director and SCS are using the same port - 9971. Please stop the SCS and then try the Director again for Enterprise mode. Or you can use a different system for the Director.

Another question is: have you turned on logging in SCS? Do the log files say something about it?

Thanks,

Sree

Hi Sree,

I did not say it in the last mail, but I stopped the SCS service and Director did not change.

When I use a different system for Director I can connect without problems.

No, I haven't turned on logging, but what I tried to ask is: where can I see the Hello messages in SCS?

Many thanks,

Javier Andrés

Hi,

I contacted the SCS support team about this and they want to know whether there is a DNS entry for the provision server. Please confirm this.

Thanks,

Sree

Hi Sree,

I added an entry in DNS for Provision Server that points to the SCS server, but it's not actually used because I entered the IP address in the AMT machine.

Thanks,

Javier Andrés

Hello there,

I'm pretty certain that just stopping the service isn't going to fix the port 9971 conflict. You would have to relaunch the Director and give it a different port - try 9981, for example, and make sure you put this new port in the setup and config menus on the AMT system as well (see this blog) - this is if you are using the Director to provision. I believe there is also a way to change the port that the SCS uses in its Network Settings configuration UI - so if you are using the SCS, I would change the port there and use that port on the AMT system. The bottom line is that they can't both be tying up port 9971 - if that's the case there will be no Hello packet.

If this does not work, please turn on the SCS Log and send it to us so we can continue to escalate if needed - my FAQ blog has this as the first question. (This is also documented in the SCS User's guide as well.)

Other questions: Have you tried attaching a network sniffer to see what traffic is actually going back and forth? You are just trying non-TLS at this point, correct? (I'm sorry I can't see the whole thread from this screen.)

Hello,

I successfully made an Enterprise Provision using Director (I'm also using a virtual machine).
Then I tried to provision with SCS and I could see that there was a platform added automatically, but the UUID is not the right one (see the new platform screen attached).

I'm sending you log files and I can see that the Hello message is received but SCS tries to do a match and nothing happens; I can also see an authorization error.

The right UUID I added is:
92CF7A0B-094A-DC11-9622-00E018889BFA

The wrong UUID added by SCS is:
00000000-0000-0000-0000-000000000000

Many thanks & waiting for your reply,

Javier Andrés

Attachment: Logs.zip.txt (text/plain, 97.88 KB)

I forgot to tell you that the Profile settings I'm trying to set is one called "Basico" (please see the attached files in post number 30259888 - the third one in this thread).

thanks

Ok - so it looks like your provisioning is failing because the correct UUID is not in the Hello message (because it is not finding it in the database.) Could you look at the "Preparing and Managing Platforms" section of the Console User's Guide to see how you need to add this information to your configuration? (I cut and pasted some of the text below.)



Source of Configuration Information: Database or Script

The SCS can be configured to locate Intel AMT device configuration information in one of two ways: either from within the SCS database or via a script. When the SCS receives a "Hello" message from a device it will look in the SCS database for a configuration entry matching the UUID in the "Hello" message. If there is no match, and there is no script, the SCS will revisit the queued "Hello" message periodically to see if an entry was added to the database. If the script option was selected, the SCS will activate a script to find the necessary information, given the UUID and the source IP in the "Hello" message. When the SCS receives the configuration from the script, it stores the information in the database.

Scripting Option

This option acquires the configuration information using a script if the required parameters are not in the New Intel AMT database table. The SCS runs a script that retrieves the parameters from an external source.

The SCS distribution and documentation include sample scripts and directions for several of these options. See "Using a Script to Import Intel AMT Configuration Properties" on page 129.

Adding device information to the SCS database manually

This is the simplest approach but it is the most difficult for IT personnel. They have to manually enter the UUID along with the other parameters into the New Intel AMT table.

Hello Gael,

Many thanks for your reply.
I had already looked at the "Preparing and Managing Platforms" section and based on it I did it manually.
I got the UUID from AMT Commander and set the organizational unit created during setup, the basic profile I made and the right FQDN.

Is it possible to see the UUID coming in the Hello message? It must be the same one I copied in AMT Commander.
Why did SCS enter a new platform with a wrong UUID?

Thanks again and waiting for your reply,

Javier Andrés

Hello again,

I am going to have to wait and see what the SCS folks have to say about this... Have you tried starting fresh now with the SCS? Do a complete unprovision, get a fresh PID/PPS pair, make sure you have the UUID in the Database and then kick off the SCS? I'm wondering if your system is now in a "half-way" provisioned state - the SCS and the Director aren't really compatible so now that you know it works with the Director, I would start fresh with the SCS (if you haven't already done so.)

Hello Gael,

This is a fresh try.
I'll be waiting.

Many thanks again,

Javier Andrés

Hi there,

I'm sending you the last log.
I can see that SCS can't match the arriving UUID with the one I manually entered in the DB (I'm sure the one I entered is OK because I read it in Commander) and then SCS inserts a new platform without parameters.

I have tried a lot of things and I'm really stressed about it; I can see in a table named XXX_requests that the UUID column is 000000X, so I think that UUID is arriving from the machine, but it's confusing because the log files say that the arriving UUID is OK and the DB is bad.

Thanks in advance,

I attached the last log

Javier Andrés

Attachment: scs_win_server.log.txt (text/plain, 34.79 KB)

Hi again,

Could you check one more thing for us?

  1. Go to the "Security Keys" menu in the SCS Console application
  2. Select the PID/PPS key that you chose for your AMT Client (click on view)
  3. Can you confirm that the Factory Default MEBx password is the MEBx password that is on your client? From the log that you provided it is possible that the SCS service was not able to log on to your AMT Client and so you got an HTTP/1.1 401 Unauthorized error. The "Factory Default MEBx password" needs to be set here to the MEBx password that you are currently using, i.e., not "admin". You would need to set the password correctly prior to generating your PID/PPS keys and also specify what you want your new MEBx password to be (randomly created or manually).

2007.07.29,11:00:18,SUCCESS,SERVER=1,USER=AMTadmin,THREAD=3768,SOURCE=.AMTConnectionAMTConnection.cpp,LINE=315,
The SOAP connection with connection parameter set #1 failed: AMT Connection Error: SOAP Error [401]: "getFullCoreVersion: Fault: 'HTTP Error' : Details: 'HTTP/1.1 401 Unauthorized'".

2007.07.29,11:00:18,SUCCESS,SERVER=1,USER=AMTadmin,THREAD=3768,SOURCE=.AMTInterfaceAMTUtilitiesSOAP.cpp in:AMTUtilitiesSoap::VerifyUUID,LINE=1782,
UUID Mismatch!! DB UUID is: 00000000000000000000000000000000, AMT UUID is: 92CF7A0B094ADC11962200E018889BFA
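
The two log records quoted above can be triaged mechanically. This is an added example, not part of the original post and not SCS code; the function names are hypothetical, and it assumes the layout seen in those two records: a comma-separated header line followed by the message text.

```python
import re

# The two records quoted in the post above, copied as they appear on the page.
SAMPLE_LOG = """\
2007.07.29,11:00:18,SUCCESS,SERVER=1,USER=AMTadmin,THREAD=3768,SOURCE=.AMTConnectionAMTConnection.cpp,LINE=315,
The SOAP connection with connection parameter set #1 failed: AMT Connection Error: SOAP Error [401]: "getFullCoreVersion: Fault: 'HTTP Error' : Details: 'HTTP/1.1 401 Unauthorized'".

2007.07.29,11:00:18,SUCCESS,SERVER=1,USER=AMTadmin,THREAD=3768,SOURCE=.AMTInterfaceAMTUtilitiesSOAP.cpp in:AMTUtilitiesSoap::VerifyUUID,LINE=1782,
UUID Mismatch!! DB UUID is: 00000000000000000000000000000000, AMT UUID is: 92CF7A0B094ADC11962200E018889BFA
"""

HEADER = re.compile(r"^(\d{4}\.\d\d\.\d\d),(\d\d:\d\d:\d\d),(\w+),.*,LINE=(\d+),$")
MISMATCH = re.compile(r"DB UUID is: ([0-9A-Fa-f]{32}), AMT UUID is: ([0-9A-Fa-f]{32})")


def normalize_uuid(text):
    """Drop dashes and upper-case, so the console form matches the log form."""
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def parse_records(log_text):
    """Pair each comma-separated header line with the message text after it."""
    records = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        header = HEADER.match(line)
        if header:
            date, time, status, src_line = header.groups()
            records.append({"date": date, "time": time, "status": status,
                            "line": int(src_line), "message": ""})
        elif line and records:
            records[-1]["message"] = (records[-1]["message"] + " " + line).strip()
    return records


def triage(log_text, expected_uuid):
    """Classify by message text; the status field reads SUCCESS even on errors."""
    want, findings = normalize_uuid(expected_uuid), []
    for rec in parse_records(log_text):
        if "401 Unauthorized" in rec["message"]:
            findings.append((rec["time"], "auth_failed"))
        hit = MISMATCH.search(rec["message"])
        if hit:
            db_uuid, amt_uuid = (u.upper() for u in hit.groups())
            kind = ("unexpected_device" if amt_uuid != want else
                    "db_uuid_empty" if set(db_uuid) == {"0"} else "db_uuid_wrong")
            findings.append((rec["time"], kind))
    return findings
```

Calling `triage(SAMPLE_LOG, "92CF7A0B-094A-DC11-9622-00E018889BFA")` with the UUID Javier read from the device reports both conditions seen in this thread: the failed logon to the device and the all-zero UUID on the database side.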

Hi Gael!
Thanks for your help. Javier is in my development team.
We will be following your directions and we will let you know.

Thanks once again, best regards
Maria

Hi Gael,

I uninstalled all and installed again.
Then I made new Security Keys and in Factory Default MEBx password I entered the same password as on the client, and the result is the same: a new platform is added by SCS with empty or invalid parameters.

After all that, I went into the database and I saw this (see attached screenshots):
-csti_pid_map table: looks ok (with the passwords I entered)
-csti_configuration table: the parameters current_mebx_password and manual_mebx_password look ok
-csti_mebx_passwords table: there are ok entries but there are others and I don't see why they are present
-csti_profiles table: I left the basic factory profile but I saw there are also other passwords and I don't know how they were entered/updated.

As a result, the log is the same, but I wonder why it is not possible to access it through its web interface (there is a page not found error)?

Many thanks and waiting for your reply,

Javier Andrés

Attachment: Screens.zip.txt (text/plain, 239.13 KB)

The web interface on the AMT machine I'm trying to access is:

http://192.168.0.132:16992/

And the result is: Internet Explorer cannot display the webpage

Hi Javier,

The Web UI address looks fine but the machine needs to be provisioned in order to access it. I need to look at your last post and I'll get back to you when I have a decent response.

Have you tried deleting the machine with the 000000..... UUIDs from the SQL database? Maybe there is some confusion there.

Hi Gael,

Yes, I have tried deleting the wrong machine and adding it again, I have tried many manual tricks but nothing happens.

Many thanks,

Javier Andres

Hi Javier,

I have sent your screen shots to SCS Support. You seem to have a mix of randomly generated passwords in there and in some cases your current password is the same as the new password. I'm wondering if you can just get rid of those entries that have the old or incorrect password information in them - maybe there is some confusion in SCS due to this.

The important thing to do is: find out what the current MEBx password is. Delete all prior PID/PPS pairs that may have wrong passwords associated with them. In your MEBx settings in the SCS, set the "default password" to your current password and then click on the "manual password" box and type in what you want the new password to be (these can't be the same as far as I know.) After you have done this, generate your new PID/PPS pairs and try again. Being daring, I'd clean up all those entries in the DB that have the weird passwords in them as well.

Also, have you been doing full unprovisions? CMOS Clears? I'm currently loading SCS 5.0 now and will try some things out as well, so let's also see what SCS Support has to say about your password situation. Note that they are in Israel so we may not hear from them today.

Stay tuned.

Javier - SCS Support advises NOT to delete things from the DB :-) You should create a new profile, new PID-PPS keys, unprovision the machine and start everything again.

--Gael

Hello Gael,

I did it!!! =) =) =)
Let me give you my feedback:
1-When the Hello message comes from the AMT machine I suppose SCS saves it into the csto_status_of_requests table, but I saw the UUID coming in was 00000000000000000000000000000000 (and that's incorrect).
2-We are talking about different SCS versions; in some of the instructions you gave me, some windows aren't available. In SCS 5 there is only one input window, which asks for the current MEBx password; that's during PID/PPS creation. The strange thing is that I always entered the right one, but there are others set by factory in the database (in the csti_mebx_passwords table), and I believe those are the ones used to connect (and then the error comes), but the worst thing is that you can't change those values (there is no UI for it).
3-When a profile is created, there is no parameter for the admin password, but in the database there is one saved; that could be another reason for failure.
4-In screen 1 (attached file) you can see there is a column for a connection icon, and it is always shown as unplugged (but in tab 2, the connection section of the platform details window, it is shown as connected); I think the icon status is wrong.

This is what I did:
1-I manually changed all passwords in the csti_mebx_passwords and csti_profiles tables to the right one (because there is no way to do it through the UI).
2-I manually changed the UUID field in the csto_status_of_requests table to match the AMT machine UUID.
3-And waited for a while; now I'm happy!

Many thanks,

Javier Andrés

Attachment: Screen1.JPG (image/jpeg, 48.85 KB)

Here is the other platform details window

Javier Andrés

Attachment: Screen2.JPG (image/jpeg, 106.1 KB)

Hi Javier - I'm glad that you got it working. And yes, I was looking at SCS 3.x windows - I am sorry for any confusion that this may have caused.

Gael
