Best practice regarding AD accounts and FOG imaging

Good morning, I’d like to know what the preferred best practice is regarding new and pre-existing AD computer accounts when using FOG. Should pre-existing accounts (devices being reimaged) be deleted, deleted and recreated, reset, or just left alone to be overwritten? Same question applies to new computer accounts - should we create computer accounts prior to imaging or should we leave FOG to do that? I’m asking this because we continue to have problems with FOG naming PC’s and joining them to the domain - works only about 50% of the time and I’m trying to eliminate this as a potential cause. Thanks in advance!

Good morning,
The section of the fog.log you are looking at is dated 3/16…if you scroll down you will see the section from Friday…which brings to mind another question…why are there still fog.log entries from back in March and then appended with the log entries from Friday?

Cheers,
John

Today I have been reimaging a stack of laptops (Lenovo T460, T470, and T480’s) and was successful for about 8 in a row without any problems. The current device (Lenovo T490) has been successfully imaged in the past, but today for some reason it is not being renamed or joined to the domain (4 failed attempts in a row). I am pre-configuring the device in the web interface (and ensuring that I have the AD information entered as well as the checkboxes to rename and join domain).
I am running FOG 1.5.8 on the server, the image has FOG client 0.11.15). We’ve had many issues in the past with devices periodically not renaming or joining the domain, but since I started to use the web interface to pre-configure the hosts and create the task things have been working much better (I used to use the DOS/Pxe boot setup previously to create the task).
I’ve attached the C:\Fog.log file for you to review as I’m not entirely sure what the error messages should be telling me. Any help would be greatly appreciated.
NOTE - the laptop has an Intel I219-V NIC, Windows 10 v.1909, Single drive.
Thanks,
John YostHE-L002107-FOG2.log

I’ve always wondered why when we click on HOSTS from the top menu it brings us to a blank screen and from there we have to click on SHOW ALL HOSTS. It makes more sense to immediately show a list of all the hosts. It’s an extra, unnecessary click no matter what your intentions are (i.e. show all hosts, add host, etc.)

In the web interface when I go to Add New Host, I enter the hostname, MAC address, select the desired image to be applied, then scroll down to the Active directory section at the bottom. I place a checkmark in “Join Domain After Deploy” (which populates the fields with the AD information INCLUDING Name Change/AD Join Forced reboot). I save this information, then go back into Hosts, Show all hosts, I select the host I just created, then click on the Active Directory tab at the top and all the fields are empty. I select Name Change After Deploy, it again populates MOST of the fields except Name Change/AD Join Forced reboot. I check this option and save again. Thereafter when I go into the host all of the AD information is populated as it should be. My question is why do I need to enter/save the AD information twice - is this normal behavior or do I have a setting somewhere misconfigured?

@JYost
Thank you George…this pointed me to the etc/network/interfaces file where I found that the dns-search field only had “domain.local” and was missing “domain.com”. Once I added that into the dns-search field all was good and FOG was able to see devices which were online (denoted by green Windows icon).
Thanks again guys…great support as always!!!
Go ahead and mark this as solved.

Greetings,
When I create a new workstation in the Fog Host Management screen it initially shows up with a green Windows Icon as shown below:

After a minute or so the Windows icon disappears and I am presented with a Red exclamation as shown below:

This behavior is similar on 10 of our 11 FOG servers. The only server which is working normally is the one we rebuilt completely last week. When I create new hosts on that one the Windows icon stays and doesn’t change into a Red exclamation. Any ideas as to what could be causing this?
NOTES: We recently upgraded all of the 11 FOG servers to version 1.5.8. Prior to the upgrade ALL hosts on ALL servers were displayed with a Red exclamation similar to what they are now. Post upgrade - the only server not displaying Red exclamations’s on the hosts is the server we rebuilt completely (Reinstalled Linux, Installed & Configured FOG). Obviously this is a configuration issue, but I’m not even sure what that column in Host Management is for - I presume an indicator of successful 2-way communication between client and host?
NOTE: We were forced to recreate the certificate on several servers due to problems during the upgrade - Sebastian assisted us with this.

Thanks in advance,
John

Good afternoon,
I recently had a number of FOG servers that had certificate errors while being upgraded to FOG 1.5.8…these have been resolved, however in the process of doing so we had to recreate the certificates on the servers. Sebastian recommended uninstalling the FOG client from our existing hosts and reinstalling the latest client. I’d like to know if I can get a list of of uninstall GUID’s so that I can create a comprehensive script which will remove any version(s) present using msiexec.exe /x, and then reinstall the latest version.
i.e. version 0.11.19 = F6F12244-D443-4428-87B8-DA3DB3FF19DB
Thanks in advance!!
John

Good morning Sebastian, one last question if I may…
Since all of my images were built with an old FOG client from version 1.5.0 and we just updated to 1.5.8 as well as reinstalled the Certificates - will I need to rebuild my images with the new FOG client from 1.5.8?

Thank you!

I have performed the backup and re-installation of FOG as you directed and this time it appears to have completed without any errors. It still came up with the message that the current fogstorage database didn’t meet security standards…setup changed them for me, then gave me the credentials to copy down. It then said I will need to run the installer again after I change the .fogsettings file. But after I hit OK it did finish the install, and I do have access to the web interface.

1.) Do I need to change the snmysqluser and snmysqlpass values in the .fogsettings file?

2.) Do I need to run the installer again?

3.) Since I have several other servers displaying exactly the same (Creating SSL Certificate FAILED) error during the upgrade should I use the process you’ve outlined below to remedy those devices as well?

I will download a copy of the latest FOG client from the server and start deploying it to the workstations. I assume I will need to do this from each server which had the SSL error after I reinstall FOG, as each has it’s own IP internally configured in it?

Thank you VERY much for your help!!! The tech support on here is top notch and it’s awesome that you take the time to hand-hold new Linux users like myself

Yes, we can re-deploy the fog client without any problem to all of our workstations. I don’t recall anything happening back on 12-19-19. We have had problems on all of our FOG servers since I took over this position in June of 2019 though. When the various sites image laptops/PC’s about 50% of the time the device will not rename properly or join the domain. We end up having to do that manually. Not sure if that problem is related to our Certificate issue - thoughts?

Any thoughts as to my next course of action?

ls -alR /opt/fog/snapins/ssl OUTPUT:

fogadmin@usktfoglp001:/opt/fog/snapins$ ls -alR
.:
total 406536
drwxrwxrwx 3 fog      www-data      4096 Dec 10 06:23 .
drwxr-xr-x 5 root     root          4096 Jan  9  2019 ..
drwxrwxrwx 3 fog      www-data      4096 Apr  7 07:41 ssl
-rwxr-xr-x 1 fogadmin fogadmin 416273072 Dec 10 06:27 SymRedistributable.exe

./ssl:
total 24
drwxrwxrwx 3 fog      www-data 4096 Apr  7 07:41 .
drwxrwxrwx 3 fog      www-data 4096 Dec 10 06:23 ..
drwxrwxrwx 2 fog      www-data 4096 Dec 10 06:23 CA
-rw-r--r-- 1 root     root      102 Apr  7 08:41 ca.cnf
-rwxr-xr-x 1 fogadmin fogadmin 1590 Dec 10 06:23 fog.csr
-rwxrwxrwx 1 fog      www-data 3243 Jan  9  2019 .srvprivate.key

./ssl/CA:
total 24
drwxrwxrwx 2 fog      www-data 4096 Dec 10 06:23 .
drwxrwxrwx 3 fog      www-data 4096 Apr  7 07:41 ..
-rwxrwxrwx 1 fog      www-data 3243 Jan  9  2019 .fogCA.key
-rwxr-xr-x 1 fogadmin fogadmin 1801 Dec 10 06:23 .fogCA.pem
-rwxrwxrwx 1 fog      www-data   41 Apr  7 08:41 .fogCA.srl
-rwxr-xr-x 1 fogadmin fogadmin   17 Dec 10 06:23 .srl
fogadmin@usktfoglp001:/opt/fog/snapins$

ls -alR /var/www/html/fog/managment/other OUTPUT:

fogadmin@usktfoglp001:/var/www/html/fog/management/other$ ls -alR
.:
total 56
drwxr-xr-x  3 root root  4096 Apr  7 08:41 .
drwxr-xr-x 10 root root  4096 Apr  7 08:41 ..
-rw-r--r--  1 root root 35141 Apr  7 08:41 gpl-3.0.txt
-rw-r--r--  1 root root  6152 Apr  7 08:41 index.php
drwxr-xr-x  2 root root  4096 Apr  7 08:41 ssl

./ssl:
total 8
drwxr-xr-x 2 root root 4096 Apr  7 08:41 .
drwxr-xr-x 3 root root 4096 Apr  7 08:41 ..
-rw-r--r-- 1 root root    0 Apr  7 08:41 srvpublic.crt
fogadmin@usktfoglp001:/var/www/html/fog/management/other$

md5sum /opt/fog/snapins/ssl/CA/.fogCA.pem /var/www/html/fog/management/other/ca.cert.pm OUTPUT:

a4ee8c62634fc51e11a59965f8ebde85  /opt/fog/snapins/ssl/CA/.fogCA.pem
md5sum: /var/www/html/fog/management/other/ca.cert.pm: No such file or directory
fogadmin@usktfoglp001:~$ 

openssl x509 -noout -modulus -in /opt/fog/snapins/ssl/CA/.fogCA.pem | openssl md5 OUTPUT:

(stdin)= f8b599032ea17eddacb8cd45b94d32a5

openssl rsa -noout -modulus -in /opt/fog/snapins/ssl/CA/.fogCA.key | openssl md5 OUTPUT:

(stdin)= 707d08d4139a901ed6fec151abd68bf7

openssl verify -verbose -CAfile /opt/fog/snapins/ssl/CA/.fogCA.pem /var/www/fog/management/other/ssl/srvpublic.crt OUTPUT:

unable to load certificate
139785451083520:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

On this particular FOG server (located in our Kent, Washinton office) we have approximately 125 clients on it. And no, I’ve done nothing with the CA. I have a number of other FOG servers around the world which are exhibiting identical behavior when the upgrade is attempted (Creating SSL Certificate Failed). All are running Ubuntu 16.04. FOG versions are all either 1.5.4. or 1.5.5. Should I go ahead and run the commands you gave me? It was unclear as to whether you wanted to hold off until you knew the number of clients we are dealing with on this server.

inflating: packages/clientfiles/SmartInstaller.exe
‘packages/kernels/bzImage’ -> ‘/var/www/fog//service/ipxe/bzImage’
‘packages/kernels/bzImage32’ -> ‘/var/www/fog//service/ipxe/bzImage32’
‘packages/inits/init.xz’ -> ‘/var/www/fog//service/ipxe/init.xz’
‘packages/inits/init_32.xz’ -> ‘/var/www/fog//service/ipxe/init_32.xz’
‘packages/clientfiles/FOGService.msi’ -> ‘/var/www/fog//client/FOGService.msi’
‘packages/clientfiles/SmartInstaller.exe’ -> ‘/var/www/fog//client/SmartInstaller.exe’
mysqlnd
Synchronizing state of apache2.service with SysV init with /lib/systemd/systemd-sysv-install…
Executing /lib/systemd/systemd-sysv-install enable apache2
Synchronizing state of php7.1-fpm.service with SysV init with /lib/systemd/systemd-sysv-install…
Executing /lib/systemd/systemd-sysv-install enable php7.1-fpm
Signature ok
subject=CN = 10.6.210.155
Getting CA Private Key
CA certificate and CA private key do not match
139662081185536:error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters:…/crypto/evp/p_lib.c:93:
139662081185536:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:…/crypto/x509/x509_cmp.c:294:
root@usktfoglp001:~/fogproject/bin/error_logs#

edit:

snmysqlpass=‘fO7hK:KyRMUeKkF71Nho’

As instructed to do I’ve edited my .fogsettings file as follows:

snmysqluser=‘fogstorage’
snmysqlpass=‘fO7hKyRMUeKkF71Nho’

(I had to change the permissions on this file as it was read only, thereafter I was able to save the above)

The current fogstorage database password does not meet high
security standards. We will generate a new password and update
all the settings on this FOG server for you. Please take note
of the following credentials that you need to manually update
on all your storage nodes’ /opt/fog/.fogsettings configuration
files and re-run (!) the FOG installer:
snmysqluser=‘fogstorage’
snmysqlpass=‘fO7hK:KyRMUeKkF71Nho’

Press [Enter] to proceed after you noted down the credentials.

• Setting up MySQL user and database…OK
• Backing up user reports…Done
• Stopping web service…OK
• Setting up Apache and PHP files…OK
• Testing and removing symbolic links if found…OK
• Backing up old data…OK
• Copying new files to web folder…OK
• Creating config file…OK
• Downloading kernel, init and fog-client binaries…Done
• Extracting the binaries archive…OK
• Copying binaries to destination paths…OK
• Enabling apache and fpm services on boot…OK
• Creating SSL Certificate…Failed!
  root@usktfoglp001:~/fogproject/bin/error_logs#

FYI - I’m using the following commands to perform the upgrade:

sudo su -
sudo apt-get update && apt-get install git
git clone https://github.com/FOGProject/fogproject.git /root/fogproject
cd /root/fogproject
cd bin
./installfog.sh

Good morning,
I have been attempting to update our FOG servers from version 1.5.5 to 1.5.8 (all are running on Ubuntu 16.04). I repeatedly get an error message that the SQL username and password are not secure and that the FOG installer will re-create these. It asks me to copy the generated username and password (which I do) and to edit the .fogsettings file accordingly (which I do), then re-run the installer. I hit enter to continue and get the error “Creating SSL Certificate …FAILED”. After re-running the installer it gives me another password (which I change the .fogsettings file with) …hit enter to continue, then the SSL Certificate error comes up again. It’s a perpertual loop. NOTE: My linux skills are very basic, but any assistance would be greatly appreciated.
Thanks in advance,
John