A good rule of thumb would be if EPO can successfully deploy an agent to one client machine then the EPO server itself is working fine. The servertask log in EPO (Menu | Automation | Server Task Log) should log the push and if you drill down on a specific machine it should provide you an error for why the push failed. Also you can look in the server.log (by default in C:\Program Files\McAfee\ePolicy Orchestrator\DB\Logs) and search from the bottom of the log up for the machine name you pushed the agent to and see the error.
Here is a brief overview of how the push process works:
1- Accesses the "admin$" share on the client machine
2- Copies the framepkg.exe from the ePO server's repository to the admin$ share
3- Uses remote registry services to launch the install
See KB56386 for a more detailed list of environmental requirements for the agent push:
I hope that helps!
I believe I've found something. To obtain the computer names for EPO, I went to Group Details, Edit Synch Type. I selected Active Directory and entered a specific DC. Then I synched the servers. EPO imported the names into the group as I wanted. And that is where I've been deploying the agents.
I just sorted the group by managed/unmanaged. What I found was that all of the managed computers have names 15 char or less. All of those not taking the agent are longer. Since we have two campuses, we add a prefix for the campus on the netbios name. We also add a graduation year and machine code (i.e., hs-studentname12-tb). So when EPO is doing a DNS lookup to find the IP address of the computer, it doesn't pass a complete string and the name resolution fails. Hence no agent is installed.
I'll have to see about importing the names a different way. If I use the import systems method, does the text file need to be .CSV or some special format?
This issue was the case in at least two of my failing groups. I'll need to see if this is true in all areas of my server. Can anyone comment on this?
That is interesting indeed. Are you sure this is EPO 4.5? ePO 4.0 patch 3 resolves an issue similar to this. See KB53310:
Are the names truncated in the EPO GUI? If so then you have certainly hit on the issue. When you push an agent, EPO will attempt to do a DNS lookup based exactly on how the machine name appears in the EPO console, so if it is wrong in the console the DNS lookup will also fail. Also you may want to look in the server log as it should show there exactly how EPO is attempting to resolve the name.
I'd also take a look at these computer objects in AD. Renaming a computer locally may not have renamed the computer object in AD and if you are doing an AD Sync EPO is pulling in the computer object and assuming that matches the DNS name.
I hope that helps
Yes EPO 4.5
I just checked the AD and indeed it doesn't show the full name. It correctly displays the DNS name as full however this field is not easily exportable. I'll need to expose that field another way or use a script to pull that value.
As it happens, this is the first year of our student tablet rollout. I've already seen that the long naming convention is a problem and will be changing our next rollout in summer of 10 to something shorter!
I'm going to perform a few tests with shorter names and see if this solves the problem.
Thanks for the quick feedback.
No problem, I'm glad I could assist. I just noticed your question earlier about importing machines from a file. No .CSV is required; a simple .TXT file with each computer name separated by a carriage return is all that is needed.
I went through the work of removing all of the short named computers from the system tree. I exported a new list from AD, and adjusted all of the names to match the actual DNS name of the machines. Then I successfully re-imported into the system tree.
I set up a task today to add all machines in the group, opting to check "only do the ones that don't have an agent managed by this server." I added the correct domain admin account.
The task ran to completion and displayed that 150 computers had been completed. I looked at the detail under sub-task and saw lots of these:
8:42: Started deployment to [machine name]
8:42: Failed to access remote system registry; system error; the network path was not found.
8:42 deploy agent installation package to target system was successful
However the system never appears in the system tree.
What am I missing?
You may want to look at the server.log and see if it contains more detailed information. By default the server.log is located in <EPO Install Directory>\DB\Logs.
With the information provided it appears to be either a DNS issue or that the remote registry service is not started on either the EPO server or the client machine. To confirm this either open up services and see if the service called "Remote Registry" is started or immediately after you receive the "failed to access remote system registry; system error; the network path was not found." error do this on the EPO server:
1- Start | Run | Regedit
2- File | Connect Network Registry
3- Enter the name of the machine you are attempting to push the agent to
4- Click OK
If you get an error then either the client is turned off, remote registry service is stopped on one of the two machines or DNS is not resolving the correct IP. If you don't get an error then try to create/delete a registry key on the client to confirm you have the appropriate permissions (assuming you're logged onto the EPO server with the same credentials you are using to do the push).
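The checks discussed in this thread (name longer than 15 characters, DNS resolution of the name as listed, admin$ access, remote registry connection) can be run over a whole list of machines before a push. This is an added example, not part of the original thread and not a McAfee tool: Test-PushTarget is a hypothetical helper name, the sample names other than hs-studentname12-tb are constructed, and it assumes it is run on the ePO server under the same account used for the push.

```powershell
# Added example: pre-flight checks for an ePO agent push.
# Assumption: run on the ePO server with the credentials used for the push.
# Test-PushTarget is a hypothetical helper name, not a McAfee tool.
function Test-PushTarget {
    param([Parameter(Mandatory)][string]$Name)

    $r = [ordered]@{
        Name           = $Name
        # NetBIOS names hold at most 15 characters; longer host names
        # show up truncated in AD and no longer match the DNS name.
        Over15Chars    = ($Name.Split('.')[0].Length -gt 15)
        ResolvedIP     = $null
        AdminShare     = $false
        RemoteRegistry = $false
        Error          = $null
    }
    try {
        # Resolve the name exactly as written, as the thread says ePO does.
        $r.ResolvedIP = ([System.Net.Dns]::GetHostAddresses($Name) |
            Select-Object -First 1).IPAddressToString

        # Push steps 1 and 2: the admin$ share must be reachable.
        $r.AdminShare = Test-Path -Path "\\$Name\admin`$"

        # Push step 3: same test as regedit's "Connect Network Registry".
        $key = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $Name)
        $r.RemoteRegistry = $true
        $key.Close()
    }
    catch {
        # DNS failure or "network path was not found" ends up here.
        $r.Error = $_.Exception.GetBaseException().Message
    }
    [pscustomobject]$r
}

# Constructed sample list; replace with the names shown in the system tree.
$targets = 'hs-studentname12-tb', 'hs-studentname1', 'ms-lab01'
$targets | ForEach-Object { Test-PushTarget -Name $_ } | Format-Table -AutoSize
```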
I checked the settings this morning by remoting into the student computer. The remote registry service was turned off. I turned it back on and deployed the agent again. The log indicated that it was installed okay however nothing showed up in the system tree. I looked at the student event viewer and found an error indicating that the McAfee agent service needed to interact with the desktop and was not configured to do so.
What is really strange is that I've had several hundred student machines that took the agent in the past couple of weeks. I did not make any changes to the remote registry service or anything else recently.
I pinged the student machine from the command line of the EPO server, outside of EPO. No problem. But when I tried to ping it from inside the system tree, it fails to resolve the name. The name inside is correctly displayed, since I redid them several days ago as we discussed.
The push success message in the server task log only indicates that ePO was able to copy the framepkg.exe down to the client machine and launch the install. It does not mean the install was ultimately successful. In this case it looks like you are facing an agent install issue. Unfortunately you will most likely not be able to overcome this in EPO. You can try the forceinstall option but I doubt it will make a difference.
The next step in this scenario is to attempt to manually install the agent and see what error message pops up and/or review the agent install logs to determine why the install is failing.
Now in this specific case (from the information provided) it could also be that the agent install completed fine but the framework service is not starting for some reason. Just look in services and attempt to manually start the service (if it is present) then look in the event log and see what the error is it is generating. Post that error in the forum and I may be able to give you a better response.