7 Replies Latest reply on Nov 19, 2010 10:18 AM by ron.sokol

    Servers than never stop being rogue

      Hi,

       

      I've got some Windows Servers (2003 R2, 2008 and 2008 R2) that are always detected as rogues. The epo is 4.5 Patch 3 with the latest rogue detection system.

      Some the cause is Alien Agent and others No Agent. I've tried to deploy agent and the ePO reports sucess but they don't stop being detected as rogues.

       

      How can I solve this?

       

      Thanks in advance.

       

      Dino

        • 1. Re: Servers than never stop being rogue
          rackroyd

          'Alien agent' status would suggest there may be more than one ePO server in the environment somewhere as Alien agent = agent managed by another ePO server.

          If so perhaps they are playing ping-pong with some of these servers in terms of management (or un-management).

           

          Rgds,

           

          Rob.

          • 2. Re: Servers than never stop being rogue

            Hi,

             

            Thanks for your input.

            There was another ePO server but it was replaced with this one.

            Some servers have the 'Alien Agent' status but others have 'No Agent'. The common thing is that I try to deploy the agent and the server reports sucess in the installation but they continue rogue.

             

            With the best regards,

             

            Dino

            • 3. Re: Servers than never stop being rogue
              rackroyd

              If the machines doing this have multiple ip or mac address they may still report as rogue.

              Have a look at the system info properties of a few of these machines and see what you find under the network settings.

              Also, make sure these machine's agents are really talking to the ePO server.

               

              Rgds,

               

              Rob.

              • 4. Re: Servers than never stop being rogue

                Hi,

                 

                The servers all have, at least, 2 nics with diferent ip.

                 

                I've check some of them and they have the tasks I created in the ePO and update with the ePO server so I think that the communication is done in a correct manner.

                 

                But still it shows as rogue....

                 

                Dino

                • 5. Re: Servers than never stop being rogue
                  ron.sokol

                  For what it's worth, had the same problem with an in place upgrade from 4.0 patch 4 to 4.5 patch 3.  All machines started triggering the RSD response automation.  What I realized is that my old responses were changed in the upgrade.  What is considered an RSD event is different now.  So I disabled the responses and re-enabled some other automations I had created a long time ago (note: I'm using 'server tasks' to do RSD response automation, not 'automated responses'.  This is more of a workaround than a solution.)

                   

                  My server task basically runs a query and based on the results, pushes an agent (force install over existing agent) with a stored credential on an hourly basis.  My 'detected systems' query just looks for Rogue = true.  So there seems to be a difference between a RSD 'event' and Rogue=true from my experience.  HTH.

                   

                  Oh, and the good news is that you can run the query and see exactly what will get the response this way.

                   

                   

                  Message was edited by: ron.sokol on 11/18/10 9:50:07 AM CST
                  • 6. Re: Servers than never stop being rogue

                    Hi,

                     

                    Yesterday I tried that method. It resolved for one of the servers. For the others the problems remains.

                     

                    But thanks...

                     

                    Dino

                    • 7. Re: Servers than never stop being rogue
                      ron.sokol

                      Do all the servers in questions show up when you run just the query?  Did the one that got fixed have no agent or an alien agent?  Can you look at the server task log details and see if the agent deployed to all and if not why not?  Can the servers in question communicate to the ePO server (default port 81)?  Try telnetting from one of them to the ePO server on 81: command> telnet <eposerver> 81 .  You may not see data, but if you get a prompt at all (cursor) you're connected.