Jack Coates’ Best Practice LDMS Doc – My two cents on
how to do it in pilot or production

DAY ONE – Installation, Inventory, and Basic Security
This document is a supplement to the formally approved Best Known Method available
at: http://community.landesk.com/support/docs/DOC-1081. Differences from that
document are purely due to my personal opinions, preferences, ideas and tools. If there
are conflicting recommendations, please contact me at jack.coates@landesk.com.

There is now a nice set of recommendations at
http://community.landesk.com/support/docs/DOC-2502 -- it tends to run a bit heavier
than mine, but there’s also the difference between pilot and production to consider.
   1. RAM: As much as possible, but 1GB for every 500 managed nodes is a decent
       rule of thumb.
   2. CPU: As much as possible, but rules of thumb are harder to come by, as workload
       varies. A single CPU box without multiple cores or hyper-threading will max out
       by 1,000 users; quad dual cores should be able to comfortably handle 10,000
       nodes. There’s also the definition of “acceptable” performance to consider… I’ve
       seen customers happily put up with performance that would drive me batty.
   3. Disk: The easiest setup is to put images and packages on the core, and provide
       disk space appropriately. If you’re going to serve those large files from a NAS or
       other pre-existing infrastructure, you can install the system on a mirrored pair,
       with a second mirrored pair for the database if local. More and faster disks will of
       course improve performance. Plan for 5 MB of database disk space per managed
       node. If you’re just looking for a number, make it 20GB minimum, 100GB
   4. Windows best practices:
          a. Put the install media at C:\i386.
          b. Make a separate drive D: for applications.

Page 1 of 39                                                                          8/18/2010

   5. Antivirus: during pilot there’s often no AV client; in production, the server team
       gets involved and there must be an AV client. This is the point where many
       servers go from acceptable performance to “someone poured oatmeal in my
       carburetor!” It’s not that AV products are inherently deadly to a core; it’s that
       they’re often not configured properly. I run LANDesk Antivirus on my core using
       these realtime settings:

       McAfee is the worst culprit; it needs too many exclusion records to document. I
       haven’t noticed Symantec on a server in years (good job, boys), but I’ve seen
       exclusions work properly for Trend and eTrust.
   6. Database location: The decision to place the database on the core, on a nearby
       server, or in a datacenter is politically fraught. Technically, the only thing that
       matters is to make sure that you’re choosing the least bottlenecked path, whether
       that’s local disk or local network. Additionally, access to the database for
       performance monitoring can be crucial when troubleshooting.


WINDOWS (45 minutes)
   1. Install Windows 2003 -- SP1 or R2 or SP2 will work. If you use R2 or SP2 and
       you plan to download installation material from LANDesk rather than transferring
       with physical media, you’ll need to add landesk.com to your Internet Explorer
       trusted sites. See http://community.landesk.com/support/docs/DOC-1002 for more
       information on this issue. Don’t run Windows Update yet! It will install .Net 3.5
       and screw up your IIS. Getting IIS and ASP.Net free of .Net 3.5 and hooked back
       up with .Net 2.0 SP1 may not be pleasant… it’s best to search the community for
       current best practice, and double-check your IIS config; in the worst cases though,
       I’ve had to remove .Net and reinstall it. That’s not supposed to be necessary, but
       it’s exactly the sort of voodoo chicken waving that Windows server
       administration encourages, with its poor logging, primitive packaging, and
       abstracted layers of obfuscation. In theory, all you have to do is make sure that
       IIS is set to use .Net 2.0.


   2. Join the domain, login as a domain user rather than local admin.
   3. Install IIS and ASP.Net


   4. Install SNMP (only necessary for hardware monitoring or Server Manager).

   5. Up to 100 users, you can just let the LANDesk installer install SQL Express.
       Beyond that, you should provide SQL Server 2005 or Oracle 9. SQL 2005’s
       Service Pack 2 brought its performance in line, and it is now my recommendation.
       SQL 2000 still works.
   6. Remove Internet Explorer Enhanced Security Configuration. You don’t have to,
       but it’s easier. Alternatively, install Firefox.
   7. Install Web Services Enhancement 2.0 SP3 from Microsoft – the runtime option.
   8. Now you can run Windows Update, if you like. Or, just let LANDesk handle the
       patching later.
   9. Reboot if necessary.


LANDESK (4 hours, or 8 hours if explaining as we go)
   1. Extract the LANDesk 8.8 installer files to a network share, they’ll be necessary
       for your remote console installations (see
       http://community.landesk.com/support/docs/DOC-2493 when you’re ready for
       that). If you haven’t downloaded LANDesk yet, the Trial link is
   2. The installer will not run over Terminal Services unless you use the console

       If you’re on XP SP3 or Vista, that’s mstsc.exe /admin instead (does the same
       thing, but the old switch doesn’t


   3. Install 8.8, select “LANDesk Management Suite and Server Manager”. Security
       Suite will be installed automatically as part of that choice.

   4. If this is a pilot or your environment is smaller than 100 nodes, choose “Create a
       new database” and it will install SQL 2005 Express (MSDE for versions older
       than 8.8) on your core. You may want to use the Advanced button to move the
       database files off of C:\. Remember the sa password you choose, it’ll come in
       handy later. Alternatively, here’s how to set up an MS-SQL database for use with
          a. Whether you’re using SQL Server 2000 or SQL Server 2005, you’ll need
               to ensure that Mixed Mode access is available. LANDesk must use a SQL
               account rather than a Windows account to access the database.


          b. If you’re installing SQL 2005, all access is disabled by default, even to
               localhost. I don’t know what the minimum required is, but enabling TCP
               and named pipes works.
          c. If you’re creating a dedicated user rather than using SA, you should ensure
               that this user is the database owner. The best way to do this is to login to
               the SQL Server Management Studio or SQL Enterprise Manager as the
               user you’ve created before creating the database. After you’ve created the
               database, you might want to go back to the user’s properties and set their
               default database to your LANDesk database, but this is purely a


          d. Default database settings are fine, as long as you make sure that it’s using
                the correct drives for its data and log files.
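The SQL Server preparation in steps a through d, as an added T-SQL example that is not part of the original document: the database name LDMS, the login name ldms_user, the password placeholder and the D:\ folder paths are assumptions, and the folders must already exist on the drive you sized for the database.

```sql
-- Added example, not from the original document. Run as sa (or another
-- sysadmin) in SQL Server Management Studio against SQL Server 2005.
-- Assumed names: database LDMS, login ldms_user, data/log folders on D:\.

-- 4a. Mixed Mode is an instance-level setting and cannot be switched on from
--     T-SQL, but it can be checked: 1 = Windows authentication only,
--     0 = Mixed Mode (SQL logins allowed). If this returns 1, change the
--     authentication mode in the instance's Security properties and restart
--     the SQL Server service before continuing.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS WindowsAuthOnly;

-- 4c. A dedicated SQL login for LANDesk instead of sa. The console stores this
--     password, so it should be unique to this service; keep policy checks on.
CREATE LOGIN ldms_user
    WITH PASSWORD = 'REPLACE-WITH-A-STRONG-PASSWORD',   -- placeholder
         CHECK_POLICY = ON;
GO

-- 4d. Default settings, but with the data and log files placed explicitly on
--     the drive sized for them (separate folders so they can later be moved
--     to separate spindles). Initial size is a pilot value; the document's
--     rule of thumb is 5 MB per managed node, 20GB minimum for production.
CREATE DATABASE LDMS
    ON PRIMARY
        ( NAME = LDMS_data,
          FILENAME = 'D:\SQLData\LDMS.mdf',
          SIZE = 1024MB, FILEGROWTH = 256MB )
    LOG ON
        ( NAME = LDMS_log,
          FILENAME = 'D:\SQLLogs\LDMS_log.ldf',
          SIZE = 256MB, FILEGROWTH = 128MB );
GO

-- 4c. Make the dedicated login the database owner. This is the T-SQL
--     equivalent of creating the database while logged in as that user.
ALTER AUTHORIZATION ON DATABASE::LDMS TO ldms_user;
GO

-- 4c (optional). Point the login's default database at the LANDesk database.
ALTER LOGIN ldms_user WITH DEFAULT_DATABASE = LDMS;
GO

-- Verify owner, default database, and where the files actually landed.
SELECT d.name, SUSER_SNAME(d.owner_sid) AS owner_login
FROM   sys.databases AS d
WHERE  d.name = 'LDMS';

SELECT name, default_database_name
FROM   sys.sql_logins
WHERE  name = 'ldms_user';

SELECT name, physical_name
FROM   sys.master_files
WHERE  database_id = DB_ID('LDMS');
```

The login created here is the SQL account the installer asks for when you point it at the new database; sa itself never needs to be handed to the core.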


Now you can point the install at your new database.

   5. Name your certificate, do not create a reports user, and you’re free to sit back and
       watch the progress bar.


   6. Reboot now.
   7. If you’re going to use the Lenovo ThinkVantage version of LANDesk, you’ll
        need the Toolkit version 3 from their support site and the Integration Kit
        (download links are in the documentation and Autorun.exe prerequisite checker of
        that LANDesk distribution); otherwise, you can skip this step.


   8. Allow it to reboot, then activate the core.

   9. Install Service Pack 3 Core Patch
       http://community.landesk.com/support/docs/DOC-1001 and the new help files:


   10. Right-click My Computer and add users/groups to the LANDesk Management
       Suite and LANDesk Reports groups.

   11. Log into the LANDesk Management Suite console. Following the wizards is fine,
       but read along in this doc so you can see why you’re doing what you’re doing.
   12. Configure > Services > Scheduler
          a. Enter domain and local admin accounts


   13. Let the services restart
   14. Use a domain admin account for your COM+ objects. This isn’t always strictly
       necessary, but… sometimes it is. If you don’t want to do this, don’t do it and see
       if you get weird problems like agents giving CBA8 errors when you send them
       right-click commands. The web services use these accounts to do various things.
       Start > Programs > Administrative Tools > Component Services > Computers >
       My Computer > COM+ Applications. Change Identity of LANDesk and
       LANDesk1 to a domain administrator. Right-click LANDesk and LANDesk1 to
       get to



   15. Configure > Services > OSD Validation > Validate both if possible. The DOS
       validation will request files from Windows NT 4.0 and Windows 98 distribution
       media; the WindowsPE validation will request files from Windows PE and
       Windows 2003 SP1 distribution media. This is done for licensing reasons and can
       be skipped if you only intend to use LinuxPE for OSD; alternatively, production
       environments can select to purchase a Windows PE license from LANDesk,
       which simply requires re-activating the core.
   16. View > Toolbox. This toolbox is just an easier way to access the Tools menu, so
       keep using that if you prefer. The Tools that you open will be in a series of tabs
       along the bottom of the console window. Each tool that is open consumes
       resources, of course, so it is good practice to keep them to a minimum. All visual
       components of the console can be dragged and dropped to a different location,
       making layouts; many LANDesk administrators will save several task-specific
       layouts and switch between them as needed. Use the Layouts dropdown to access
       this feature.


   17. Security & Patch Manager > select your channels and configure your alerts
          a. Schedule Update and set to run daily at a time in the past


   18. Agent Configuration > Default Windows Configuration
          a. Enable LANDesk Antivirus
          b. LANDesk Trust Agent is only necessary for doing Trusted Access
                network compliance testing.

          c. Use fully qualified domain name to locate the server, or even IP
          d. Run the inventory scanner once a day and on IP change


           e. Do not reboot after installing an agent. Note that this is different from the
                 global Never Reboot flag under Security and patch scan.
           f. Run policies once a day, only when user logged in
           g. Run security scan every day between 11 and 13, using Daily
                   i. Configure Daily agent behavior [1] to
                          1. Scan AV, Custom, LANDesk, Drivers, Threats, Blocked
                          2. Show no repair or scan prompts
                          3. Repair if reboot is pending
                          4. Never reboot
                  ii. Configure Weekly agent behavior to
                          1. Scan Vulnerabilities & Spyware
                          2. Show no repair or scan prompts
                          3. Repair if reboot is pending
                          4. Reboot if necessary, prompt 2 hours 3 times
                          5. Snooze if prompt is ignored

[1] “Agent Behavior” is the same thing as “Scan and Repair Setting”… these are the profiles used to control
how the vulnerability scanner works.


          h. Leave Custom Variables alone until you see the need, they’re confusing.
          i. In a high-security environment, Frequent Security Scans have a place;
                configure them to scan a blank group, then put things in the group when
                you need rapid discovery and response. You can leave it off if you’re
                concerned about performance or bandwidth, but if you’ve got plenty of
                both this is a potential life-saver.
          j. Disable realtime spyware blocking unless your client machines have more
                RAM than they know what to do with. Realtime causes the entire Ad
                Aware database to be loaded into Softmon’s memory.

          k. Application blocking is not a bad thing, turn it on and notify the end user
                if you block something. That can be turned off when you roll out
                production clients, but it’s useful in testing.

          l. AV Settings


                   i. Enable Risky
                  ii. CPU util should be as low as possible
                 iii. Enable a scan every 7 days, between 22 and 4
                  iv. Allow real-time disabling up to 10 minutes
                   v. Realtime should scan infectable only
                  vi. Exclude large files such as VMWare disks or ISO images.
           m. Enable Agent Watcher
                   i. Check every 8 hours for changes – this is a “phone home, update
                      my config, and report on janky users” schedule.
                  ii. Check every 10 minutes for okay state – this is when the agent
                      wakes up to see if a user’s been janky.
                 iii. Only monitor services and files that you actually use.

   19. Create Advance Agent and set an Active Directory Group Policy Object (GPO) to
       push it out.


          a. Note that you may need to update this from time to time… it’s kind of a
                bummer to patch a bunch of desktops with a new LANDesk agent and
                then have the GPO restore your old agent. If you aren’t in charge of
                setting GPOs, make sure that you’ve got a good working relationship with
                whoever is, as you’ll probably be sending them an update every quarter or
          b. Here’s how to use Advance Agent if you can’t use a GPO… if you do
                have a login script or a competing management tool that can do remote
                 execution, just give it this command: msiexec.exe /qn /install /package
                "\\CORE\ldlogon\advanceagent\Default Windows
                Configuration.msi". If you don’t have anything else, and you do have
                remote execution rights (which is to say File & Print Sharing is on, Simple
                File Sharing is off, and you know an administrative account/password set),
                check out the lddiscover.exe program in \\CORE\LDMAIN\Utilities.

   20. Column Configuration
          a. Remove OS Name
          b. Add Login Name, Primary Owner, Network>TCPIP, Last Updated by
                Inventory Server, System>Chassis Type, System>Manufacturer,
                System>Model, System>Serial Number
          c. Set as Default. You’ll need to set as default for each user, or let each user
                figure out their own column set. Column Sets are valid in the web
                interface too, look under Administration.


   21. Create queries:
          a. All nodes (DeviceID exists and DeviceID <> Unassigned)
          b. All windows clients (OS Name like Microsoft Windows XP or Vista)
   22. Security and Patch Manager > Schedule a Security Scan

          a. Policy


          b. use Weekly Behavior

          c. Target against All nodes query
          d. Schedule to recur weekly
   23. Delivery Methods, change all to Never Reboot, except the two Emergency ones
   24. Configure > Agent Discovery Options
          a. All visible items, refresh, uncheck DNS


   25. Administration > Users tab
          a. Configure the individual users' rights and email addresses
   26. When the vulnerability information has all downloaded...
          a. Security & Patch Manager > Type = Blocked Applications
                  i. Sort by Title, Drag apps from Unassigned to Block and Do Not
                     Block, per policy. “Potentially Malicious” apps should be
                     evaluated carefully before blocking.


          b. Type = Antivirus
                 i. Set AV-101 and applicable Up-to-date vulns to autofix
          c. Type = LANDesk Updates
                 i. Set all to Autofix
          d. Type = Security Threats
                 i. Set the custom variables in each threat to match corporate policy
                 ii. Enable autofix
                iii. There are some very useful compliance tests, there are some that
                    replicate Active Directory Group Policies (which is still useful if
                    you don’t have those or can’t control them), and then there’s the
                    outright dangerous ones. For instance, ST000052 (Disable Active
                    Scripting) or ST000060 (NSA’s Windows XP Guidelines). If
                    you’re held to this standard, repair those; if you’re not, you will be
                    unhappy with the results. The average user might as well nuke and
                    re-deploy a machine that’s had ST000060 applied to it. Drag
                    threats you don’t need to Do Not Scan.

OTHER (30 minutes)
   1. Use SQL tools to configure a maintenance plan.
   2. Make directories under ldlogon for images and packages


   3. Backup everything, or at least the LANDesk\Shared Files\Keys directory. The
       Shared Files directory is always on C:\. Read the Post Install Backup Whitepaper
       at http://community.landesk.com/support/docs/DOC-2343 for more details.
   4. Install maintenance add-ons
          a. If this is a production system, you’ll also want ldms_core from
                http://www.droppedpackets.org/scripts/ldms_core/ -- run the installer and
                configure it, then schedule a LANDesk task to run the managed script that
                it created.


          b. Ldms_core does way more for you than can be described here – you
                should really give its manual some time.


DAY TWO – Software Distribution, OS Deployment,
Connection Control Manager, Server Monitoring

Software Distribution (1 to 2 hours, depending on size and
complexity of package)
   1. Select a package, copy it to ldlogon/packages. If you can’t think of a package,
       there are several Best Known Method documents on
       http://community.landesk.com for common applications. For instance:
         Adobe Reader 7            http://community.landesk.com/support/docs/DOC-2350
         WinZip 10                 http://community.landesk.com/support/docs/DOC-1210
         MS Office 2003            http://community.landesk.com/support/docs/DOC-2161
          a. Define it in the console
          b. Set its command line per http://www.appdeploy.com – however, do not set
                /qn or quiet interface options for msiexec, as these will be ignored. User
                interface is handled by LANDesk’s Delivery Method.
          c. Note that most Microsoft MSI packages are notoriously bad at defining
                their package manifest; do not rely on the auto-detect button in the
                additional files area, but rather select the entire directory. Auto-detect
                works fine for non-Microsoft MSIs, such as Adobe Acrobat.


          d. Further note that LANDesk’s default behavior is to copy all install files
                locally, then run them from the local drive; this is done because Targeted
                Multicast and Peer Download allow it to be more efficient and faster than
                the run-from-source methods used by most other management tools.
                However, run-from-source is an option for those with resources to blow,
                and can be selected in the Delivery Method.


          e. Set a prerequisite query. Note that this is not the targeting query, deciding
                which systems will receive the package; rather, it is a safety filter which is
                checked after the target query resolves but before the push or policy
                begins. For instance, one might set an XP Power Toy package’s
                prerequisite query to only allow Windows XP nodes, in case someone
                accidentally schedules the package to all Windows nodes. This
                prerequisite query would then prevent the package being installed on
                servers or Windows 2000 workstations.

   2. Distribute it
          a. Schedule a Policy-supported Push of the package to machines that are on
                and machines that are off
          b. Turn on the machines that were off to observe how the policy kicks in.
          c. Run full inventory scans on targeted machines to force updating of the
                SLM information.


   3. Find the package in Software License Monitoring
   4. Assign a license to it


OS Deployment (2 hours if all goes well, 2 days if it doesn’t)
   1. Create a capture script
          a. Use WinPE or Linux, DOS performance is not as good. However, do note
                that Linux requires at least 256 MB RAM on the target machine and
                WinPE needs at least 384 MB. If you have low-end workstations, DOS is
                still able to do the job.
   2. Delete the UUID keys from one of the test machines
   3. Push the capture job to that machine. If it doesn’t work, the problem may be DNS,
       or it may be network drivers. Search http://community.landesk.com for
       instructions to force name resolution and inject drivers.

   4. Wipe the machine’s drive
   5. Create a deploy script to deploy the just-captured image.
   6. Create a PXE menu
   7. Push a PXE Representative to another test machine (assuming isolated network)


   8. PXE boot the test machine and select the imaging job
   9. When it’s done restoring the OS, it should have the proper device ID. It should
       also install any policies and auto-fix any vulnerabilities.

Connection Control Manager (1 hour)
   1. Build a new Device Control policy. Connection Control (network) policies are
       harder to test, but essentially work in a similar manner.
   2. Turn on Wireless blocking when Wired connection exists. For testing purposes,
       it’s useful to block USB storage devices; however, blocking USB Keyboards and
       Mice is never recommended.


   3. Chances are good that unblocking of a specific device will be required – for
       instance, most multi-function devices need to be unblocked, as do many
       specialized pieces of hardware such as check printers or scanners. To unblock, use
       usbmon.exe’s Advanced tab to find the identifying string, then add that string to
       your configuration and repush it.

   4. Finally, create an “Open” policy with nothing blocked, and push it to the test
       machine to remove Device blocking.

Server Monitoring (2 hours)
   1. Create a Server agent
   2. Push it to a server
   3. Observe the hardware monitors
   4. Trigger an alert
   5. Trigger a reboot and use the out of band console to check out the BIOS


DAY THREE – Patch Manager Process, Management

Patch Manager Process
The first thing to note is that setting up the Patch Manager Process requires access to the
database server’s SA account, so you might want to stop reading and just go get that. It’s
also always a good idea to check for the latest rollup, see
http://community.landesk.com/support/docs/DOC-2981 for links and more.

Now then, follow the instructions at http://community.landesk.com/support/docs/DOC-2813
to configure the database connection (using the SA account), Domain connection,
and LDMS connection. If you’re not using a domain or also need local accounts, you’ll
want to configure local WinNT:// style access per that document.

After that’s all done, the Process Designer should be able to open and allow you to
configure things.

Management Gateway
If you’ve got an appliance, you just need to set it up. For testing, you can get a .vmdk
from your SE or ESP, and just use VMWare. Follow the setup menu, set up names and
IPs, then go to the core, select Configure > Management Gateway, and fill in the form.
Go to the second tab and post your certificate.

The biggest difficulty in using or testing the gateway is networking. If you want to really
test it or use it in production, you’ll need to install it in your company’s DMZ and assign
a real IP address to it; an externally resolvable DNS name is also handy, though not
strictly required. To test it internally without using the Internet, you can simply add a null
route or firewall rule to your test client, stopping it from reaching the core.

DAY FOUR – Provisioning, App Virtualization, LDAV,
HIPS, whipped cream and a cherry on top…
