BigFix Client Deploy Tool Support Guide
The IBM BigFix Client Deploy Tool User Guide
NOTE: The following content applies to BigFix versions older than 9.5.5.
Starting from the 9.5.5 level, for more details about the IBM BigFix Client Deploy Tool refer to:
The BigFix Client Deploy Tool can be used to remotely deploy clients to Windows machines only. If you need to remotely deploy the BigFix client on other platforms (i.e. Solaris, HP-UX, AIX, Red Hat Linux, SUSE Linux, and Mac OS X operating systems), use the following BigFix Agent Deployment Wizard (stand-alone)
Note: This tool can also deploy Windows agents.
The BigFix Client Deploy tool is included in the BigFix Installation Generator and gets installed along with the server to the \BigFix Enterprise\BES Installers\BESClientDeploy directory by default. Sometimes the BES Installers directory is installed to a different directory on the server (for example: C:\BESInstallers).
You may need to search for this directory. The location of this folder is stored in the following registry key on the server:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix\BES Installation Generator
The Client Deploy Tool can be launched from the Start menu on the Windows Server Machine at Start > All Programs > IBM BigFix > IBM BigFix Client Deploy
Additionally, the Client Deploy Tool can also be invoked from within the console in the Unmanaged Assets area to install a client to a specific endpoint. When you right click on an unmanaged asset in the list, you will see a menu item called "Install IBM BigFix Client..."
In version 9.0 of the console, this menu item is enabled by default. In previous versions of BigFix, if the menu item is not enabled (grayed out), you can enable it by copying the entire BESClientDeploy folder to the \BigFix Enterprise\BES Console directory and restarting the console (the BESClientDeploy folder will then reside at: \BigFix Enterprise\BES Console\BESClientDeploy\ as well).
Upon running the tool from the Start menu, you are presented with three options for finding the computers in your network to deploy the BigFix client to:
The first and second options scan for computers within Active Directory or within NT 4.0 domains. The third option presents a text area to manually paste a list of known hostnames, IP addresses, or an IP range, or a button to load a file of hostnames, IP addresses, or IP ranges (one entry per line):
Note: You can also execute the CDT from the command line (see the Command Line Usage section in this article below) while using a list file. You would do this by:
- Naming the list file something like computerlist.txt [one computer name or IP address per line]
- Saving the file to the same directory as the CDT (default: \BigFix Enterprise\BES Installers\BESClientDeploy)
- Executing the following command at the command line: BESClientDeploy.exe /useComputerNameList computerlist.txt
- The CDT opens and prompts you to enter a username [with domain rights and local admin rights on the endpoints] and password.
The Windows user account and password entered into the Client Deploy Wizard must belong to a domain admin user with local admin rights on the endpoints to which the client will be deployed:
When it is run, the BigFix Client Deploy Tool will do the following:
- Contact the domain controller (You can choose whether to use the NT deployment or AD deployment mode)
- Retrieve a list of computers in the domain
- Attempt to contact each computer to see if the BigFix Client is installed on the computer
The user will be presented with a list of all the computers in the network along with the status of whether the BigFix Client is installed or not; or it will report that the computer was not responding if it is offline or unreachable. The user will then be able to choose computers from the list returned and deploy the BigFix Client to them using their Windows domain administrator credentials.
- The computers you are deploying to and the computer running the BigFix Client from must be part of an NT or AD domain (to deploy to different domains, copy the BigFix Client Deploy tool folder to a computer on the different domain)
- You must be logged in with a domain administrator account with all necessary permissions (or any admin account with full local admin permissions on the computers you wish to deploy to)
- You must type in the domain administrator password after you choose to deploy the BigFix Clients
- The remote computers you wish to deploy to must be Windows 2000, XP, 2003 Server, Vista, 7, Server 2008, or Server 2008 R2
- The remote computers you wish to deploy to must have the following services running:
  - Net Logon
  - Remote Registry
- The remote computers you wish to deploy to must have 'File and Print sharing' enabled
- Port 445 must not be blocked by a firewall. The predefined rule in the Windows firewall for this port is Netlogon Service (NP-In)
- The remote computers you wish to deploy to must be reachable using Windows RPC protocols. Note: The deploy tool will not work if there is a firewall blocking traffic between you and the remote computer or if the remote computer has a personal firewall blocking traffic. Also take note that by default, RPC utilizes port 135 as well as a random port above 1024. If you are using a firewall you may want to look into configuring the RPC port to a specific port number so that you can lock it down and allow traffic across that port without opening the firewall completely (see: http://support.microsoft.com/kb/154596). RPC can utilize TCP or UDP ports so you should allow for both. The IEM Client deploy tool itself does not make use of any other ports beyond what RPC utilizes. Once the IEM Client has been installed it will use whichever port you have specified for your license (TCP/UDP 52311 by default)
- You cannot have any network or security policies in place that would prevent the application from connecting to the remote computer and running a service that will use the domain administrator credentials to copy files from a shared location and run them locally on the computer.
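The requirements above can be checked per target before starting a deployment. The following script is an added example, not part of the original guide or of the BigFix product; it assumes Windows PowerShell 5.1 on Windows 8 / Server 2012 or later, a session running as the account that will be used for deployment, and a hypothetical function name `Test-CdtTarget`.

```powershell
# Added example: pre-flight check for Client Deploy Tool targets (not IBM code).
# Assumes Windows PowerShell 5.1; Get-Service -ComputerName is not available in PowerShell 6+.
param(
    # Hypothetical default; same one-name-or-IP-per-line format as /useComputerNameList
    [string]$ListFile = '.\computerlist.txt'
)

function Test-CdtTarget {
    param([Parameter(Mandatory)][string]$Computer)

    $r = [ordered]@{
        Computer = $Computer; Port445 = $false; Port135 = $false
        NetLogon = 'not checked'; RemoteRegistry = 'not checked'; AdminShare = $false
    }

    # 445 carries SMB (ADMIN$ share); 135 is the RPC endpoint mapper.
    foreach ($port in 445, 135) {
        $r["Port$port"] = Test-NetConnection -ComputerName $Computer -Port $port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }

    # Skip the slower checks when neither port answers (host offline or firewalled).
    if ($r.Port445 -or $r.Port135) {
        # Service names (not display names) of the two required services.
        $services = [ordered]@{ NetLogon = 'Netlogon'; RemoteRegistry = 'RemoteRegistry' }
        foreach ($key in $services.Keys) {
            try {
                $svc = Get-Service -ComputerName $Computer -Name $services[$key] -ErrorAction Stop
                $r[$key] = $svc.Status.ToString()
            } catch {
                $r[$key] = 'query failed'
            }
        }
        # True only if File and Print sharing is on and this account may use ADMIN$.
        $r.AdminShare = Test-Path -LiteralPath "\\$Computer\ADMIN$"
    }
    [pscustomobject]$r
}

Get-Content -LiteralPath $ListFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ } |
    ForEach-Object { Test-CdtTarget -Computer $_ } |
    Format-Table -AutoSize
```

A row with both ports closed corresponds to the "Offline" case described under Common Errors; open ports with `AdminShare` false points at the share or permission problems listed there.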
If you are unable to use the BigFix Client Deployment tool for any reason, consider using a different method for BigFix Client deployment detailed in the BigFix Installation Guide.
Command Line Usage
The following are the command line parameters for the BigFix Client Deploy Tool:
/useComputerNameList <computer name list file>
Used to supply the path of a text file containing one NETBIOS computer name or IP address per line, which will be used for deployment, skipping over the discovery functionality of the deployment wizard.
Can be used with /useComputerNameList to run without user input. Need to supply a password and possibly a username using the following flags. /password <password> /username <username>
/domainNameSubstitution <old> <new>
When deploying to a domain name found in active directory, this option will cause the first occurrence of the string "<old>" in the domain name to be replaced with the string "<new>"
/deployRetryDelay <seconds to delay>
/deployRetryCount <times to retry>
A retry count of 0 will cause it to only try once.
Note: The /username and /password command line options don't work in the TEM 188.8.131.527 release.
To enable debug logging for the Client Deploy Tool, add the value DebugOut [REG_SZ] to the following registry key HKLM\Software\BigFix\ClientDeploy. Set the value equal to a directory path and a file name (for example: C:\CDT\cdtdebug.log). The directory and file must exist ahead of activating the logging.
Common Errors and Problems:
The NET USE command, net use * \\targetcomputer\admin$ /user:domain\user password, can be used to tell you what kind of error the Client Deploy Tool is running into with the computers.
- If the CDT reports "Offline", NET USE typically returns the following error:
Error: System error 53 has occurred. The network path was not found.
Meaning: Machine cannot be contacted.
- If the CDT reports "Connection Failed", NET USE returns one of the following:
Error: System error 53 has occurred. The network path was not found.
Meaning: ADMIN$ share not available.
Error: System error 1219 has occurred. Multiple connections to a server or shared resource by the same user, using more than one user name, not allowed. Disconnect all previous connections to the server or shared resource and try again.
Meaning: If the machine used to run the Client Deployment Tool already has a connection to remote machine ADMIN$ share, using a different credential, this error will occur.
Error: System error 1311 has occurred. There are currently no logon servers available to service the logon request.
Meaning: Domain server not available for authentication.
Error: System error 1326 has occurred. Logon failure: unknown user name or bad password.
Meaning: Incorrect admin username or password.
- If you receive "Access is Denied" or "Windows Error: Logon failure: unknown user name or bad password", with NET USE you will get the following error:
Error: System error 5 has occurred. Access is denied.
Meaning: Username/password correct, but account does not have permission to ADMIN$ share.
Error: No network provider accepted the given network path.
Meaning: The client or the server could not be resolved during the client deploy tool process.
More information: The "Access is Denied" or "Windows Error: Logon failure: unknown user name or bad password" status indicates that the CDT is unable to connect to the computer to determine if the IEM Client is installed. In addition, it is likely that you would also be able to deploy the client through the CDT if this error is encountered. The following conditions may be causing this error message:
- An incorrect username/password has been supplied
- The user account may be locked
- Insufficient permissions/privileges on the target machine
- File and Print sharing is disabled on the target machine
- The target machine is a Windows XP Home Edition machine and simple file sharing is enabled. This Microsoft Support article describes how to turn off simple file sharing.
- The Windows Firewall may be blocking the CDT.
- If you receive an RPC failure message, this will occur whenever:
  - The remote machine is turned off.
  - The remote machine has the RPC Service disabled.
  - The remote machine has "file and printer sharing" disabled.
  - The server machine is running from a Windows 2000 Professional machine instead of a Windows 2000 Server machine, and the number of RPC connections has exceeded 10.
  - The remote machine is running a personal firewall that blocks the connection attempts.
  - The connection attempt is blocked by a firewall in between the computer with the IEM Client Deploy tool and the remote machine.
  - The remote machine is unreachable for any reason.
  - RPC does not work properly on the remote computer for some unknown reason.
Ensure that none of the issues listed above is the cause of the problem and then run the Client Deploy Tool again.
Note: Some customers report that after the computers reporting an RPC error are restarted, the RPC error goes away.
Note: As a way to test and see if RPC is listening, Microsoft has a tool called "RPC Ping" which can be downloaded at this Microsoft knowledgebase article 831051.
- If you receive the following error: "Windows Error 0000046a: Not enough server storage is available to process this command."
The error indicates that the IRPStackSize value is set too low on the endpoint machine, resulting in not enough resources being allocated to use a local device.
Increase the IRPStackSize value on the endpoint. The following Microsoft KB article gives steps on where to do this in the registry:
Retry deploying the client after the value has been increased. If the client deploy fails with the same error message, increment the IRPStackSize value and try to deploy the client again.
- Check that the RPC service is running.
- Check DNS and FQDN resolution. If DNS is broken so that the NetBIOS name or the FQDN does not resolve, or resolves to a different IP address than expected, the client deploy tool will not work. You may be able to troubleshoot this by trying the following:
  - From the client:
    - Ping the client deploy tool server by NetBIOS name
    - Ping the client deploy tool server by FQDN
  - From the deploy tool server:
    - Ping the client by NetBIOS name
    - Ping the client by FQDN
Note: The destination computer in each of the ping tests should resolve to both the expected computer and the expected IP address.
Try installing the client by using the IP address. If using an IP address works, it is likely the issue is DNS related.
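The ping tests above can be scripted from the deploy tool server so that the resolved addresses are compared with the expected one rather than read off by eye. This is an added example, not part of the original guide; the function name `Test-CdtNameResolution` and the sample host name, FQDN and address are hypothetical, and the expected address is assumed to be IPv4.

```powershell
# Added example: name-resolution consistency check, run from the deploy tool server.
# Function name and sample arguments are hypothetical; nothing here is IBM code.
function Test-CdtNameResolution {
    param(
        [Parameter(Mandatory)][string]$ShortName,   # NetBIOS-style name
        [Parameter(Mandatory)][string]$Fqdn,
        [Parameter(Mandatory)][string]$ExpectedIp   # IPv4 address both names should map to
    )

    # Forward lookups through the system resolver, as ping does.
    $forward = foreach ($name in $ShortName, $Fqdn) {
        try {
            $ips = @([System.Net.Dns]::GetHostAddresses($name) |
                Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                ForEach-Object { $_.IPAddressToString })
            $note = ''
        } catch {
            $ips = @(); $note = 'did not resolve'
        }
        [pscustomobject]@{
            Lookup = $name
            Result = $ips -join ', '
            Ok     = ($ips -contains $ExpectedIp)
            Note   = $note
        }
    }

    # Reverse lookup: the expected address should point back at the expected computer.
    try {
        $ptr = [System.Net.Dns]::GetHostEntry($ExpectedIp).HostName
        $note = ''
    } catch {
        $ptr = ''; $note = 'no reverse record'
    }
    $reverse = [pscustomobject]@{
        Lookup = $ExpectedIp
        Result = $ptr
        Ok     = ($ptr -ieq $Fqdn)
        Note   = $note
    }

    @($forward) + $reverse
}

# Constructed sample values; replace with a real target.
Test-CdtNameResolution -ShortName 'WS042' -Fqdn 'ws042.example.com' -ExpectedIp '192.0.2.42' |
    Format-Table -AutoSize
```

Any row with `Ok` false identifies which name (or the reverse record) disagrees with the expected address, which is the DNS condition the note above describes.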
Network Path Errors and Their Solutions
Reason: No network provider accepted the given network path
- Error: "Network path not found" in a domain network 1:
When trying to join a W2K/XP computer to a Windows 2000 domain, you are successful when using the NetBIOS domain name but not the FQDN, and you may receive one of the following error messages:
  - The following error occurred attempting to join domain "example.com": The network location cannot be reached. For information about network troubleshooting, see Windows Help.
  - Network path not found.
This issue may occur if the TCP/IP NetBIOS Helper Service is not running on the client computer. To start the TCP/IP NetBIOS Helper Service, go to MMS > Services, double-click TCP/IP NetBIOS Helper Service.
- Error: "Network path not found" in a domain network 2:
Some W2K/XP computers randomly cannot join the domain. The DNS server is a multihomed server.
You can find some computer browser errors on the DNS server. Disabling one of the two NICs will work.
- Error: "Network path not found" in a workgroup network - error 53
- Ensure that File and Printer Sharing is enabled on the shared computer.
- Ensure that the shared computer has something shared.
- Ensure that you created the same workgroup and log on with the same username if you try to access the W2K/XP network.
- Ensure that you enabled NetBIOS over TCP/IP if this is a mixed OS network.