Windoze/SAVCE tip of the day

I’ve always read the horror stories about Symantec customers being hosed at some point on their networks during the course of updates and patches. Well, up until yesterday and today, I’ve never had a problem with their Corporate Edition software, and have been running it since version 8. We’re now up to 10. Anyways, I got an e-mail the other day about a 10.1.5.5010 patch which is supposed to patch clients and servers running 10.1.5.5000 and 10.1.5.5001. I was all patched up on my network running 10.1.5.5001, having patched months ago from 10.1.5.5000 with no problems. In fact, I’ve never had a single issue with the corporate version. I run the Symantec System Center on an XP box on top of VMware on CentOS…of course.

So I tested the patch on a few clients lying around and didn’t have any issues over the past few days, so I decided to patch the AV server, which usually takes about 15 minutes to do, and which I’ve done at least a few times already. Well, you know all that luck I’ve had while a ton of people were complaining about getting screwed up on patches? It ran out last night, and the patch completely wiped out the root certificate pki items, which completely hosed my System Center installation. Long story short, I was at home working on things remotely and attempting to fix my SSC console and of course ‘Doze locked up. I had to give up at 9:00pm because I couldn’t talk to my VMware box. Ok, ok I know I said long story short:

The patch wiped the root certificates on the server, which left the System Center unable to verify things, because it had the old certificates. I attempted to load the old pki certificates folder back onto the server, but then I wasn’t able to unlock my AV installation on the server, and I wasn’t able to unlock the server group on the SSC. I ended up completely wiping the AV server installation and starting over from scratch, reverting back to the older client version. I then created the new key set on the server, then I wrote a quick script for beyondexec to delete the old pki key set on the clients and copy the new one over, and then restart Symantec AntiVirus with a batch file. It worked like a charm and allowed me to talk to all my clients again with the Symantec System Center. Here’s my little beyondexec script to share.

Remember you’ll need domain admin rights and a network share. I’m using Samba on Linux.

Create a batch file called fix.bat:

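REM Map the share that holds the new key set (mapping is not persistent).
REM The password below is in clear text; remove this file when the rollout is done.
net use t: \\share\sym_keys\pki\roots /USER:DOMAIN\admin password /PERSISTENT:NO
REM Delete the old root certificate and copy the new one over.
DEL "C:\Program Files\Symantec AntiVirus\pki\roots\old.servergroupca.cer"
XCOPY t:\new.servergroupca.cer "C:\Program Files\Symantec AntiVirus\pki\roots\" /Q /Y
REM Restart Symantec AntiVirus.
net stop "Symantec AntiVirus"
net start "Symantec AntiVirus"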

Once you’re done with that, you’ll need to create a command file and pick the machines you want to execute the batch file on with Beyondexec. Also, please substitute the actual key values in the batch file above. I’m using the terms old and new generically. This is actually a very long nuclear launch code number.

Create a run_fix.cmd file:

@echo off
REM No trailing backslash here: one is added when the path is built below.
set directory=C:\beyondexec
set command=beyondexecv2.exe
set args=-u domain_admin -p password -cs C:\updates\symantec_fix\fix.bat

REM One line per target machine.
%directory%\%command% \\machine1 %args%
%directory%\%command% \\machine2 %args%
%directory%\%command% \\machine3 %args%

...and so on.

Now just grab Beyondexec and put it in C:\beyondexec and launch the command file you just created. Voila, problem fixed.
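A way to confirm afterwards that each client's roots folder holds exactly the new key and nothing else, as an added example that is not part of the original post or of any Symantec or Beyondexec tooling. Test-SavRootCert and the status names are hypothetical; it assumes PowerShell 4.0 or later and read access to the client folders, and the sample folders it builds are constructed stand-ins.

```powershell
# Added example (not from the original post). Test-SavRootCert is a hypothetical helper.
# Assumes PowerShell 4.0+ (Get-FileHash) and read access to the client's roots folder.
function Test-SavRootCert {
    param(
        [Parameter(Mandatory)][string]$ReferenceCert,  # known-good copy of the new root
        [Parameter(Mandatory)][string]$RootsDir        # client's pki\roots (local or UNC)
    )
    $r = [ordered]@{ RootsDir = $RootsDir; Status = 'OK'; Unexpected = '' }
    if (-not (Test-Path -LiteralPath $RootsDir -PathType Container)) {
        $r.Status = 'UNREACHABLE'
        return [pscustomobject]$r
    }
    $want  = (Get-FileHash -LiteralPath $ReferenceCert -Algorithm SHA256).Hash
    $certs = @(Get-ChildItem -LiteralPath $RootsDir -Filter '*.cer' -File)
    # Compare by content hash, not file name: a renamed old key must not pass.
    $extra = @($certs | Where-Object {
        (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash -ne $want })
    if ($certs.Count -eq $extra.Count) {
        $r.Status = 'MISSING_NEW_ROOT'      # copy step failed or never ran
    } elseif ($extra.Count -gt 0) {
        $r.Status = 'UNEXPECTED_ROOT'       # DEL step failed, or an unknown cert is present
    }
    $r.Unexpected = ($extra | ForEach-Object { $_.Name }) -join ', '
    return [pscustomobject]$r
}

# Constructed sample data so the check runs offline: three stand-in client folders.
$tmp = Join-Path ([IO.Path]::GetTempPath()) ("savroots_" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tmp | Out-Null
$ref = Join-Path $tmp 'new.servergroupca.cer'
Set-Content -LiteralPath $ref -Value 'constructed new root'
foreach ($name in 'fixed', 'stale', 'both') {
    $dir = Join-Path $tmp $name
    New-Item -ItemType Directory -Path $dir | Out-Null
    if ($name -ne 'stale') { Copy-Item -LiteralPath $ref -Destination $dir }
    if ($name -ne 'fixed') {
        Set-Content -LiteralPath (Join-Path $dir 'old.servergroupca.cer') -Value 'constructed old root'
    }
}
# In production, pass each client's folder instead, e.g. (admin share path is an assumption):
#   '\\machine1\C$\Program Files\Symantec AntiVirus\pki\roots'
'fixed', 'stale', 'both', 'offline' | ForEach-Object {
    Test-SavRootCert -ReferenceCert $ref -RootsDir (Join-Path $tmp $_)
} | Format-Table -AutoSize
Remove-Item -LiteralPath $tmp -Recurse -Force
```

Any client that does not report OK either never ran fix.bat or still carries a certificate other than the new one.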

Remember if you read my how-to on the left in regards to WinXP Updates, you can use Beyondexec for all kinds of automation things…screw manual configurations. GUIs and prompts aren’t for network admins…
