1E Nomad Health Check

Scenario

There are a number of critical registry entries that control Nomad, along with firewall rules, ActiveEfficiency connectivity and so on. This product pack helps verify whether any Nomad settings or firewall rules are incorrectly specified.

Product Pack notes:

Instructions

Questions

  • Test Nomad ActiveEfficiency Connectivity
  • Show Nomad Special Share Settings
  • Show Nomad P2PEnabled settings
  • Show SMB Shares and permissions where share name contains %ShareName%
  • Show Expected Nomad Shares
  • Get Alternate Download Provider Setting
  • Check Content Hash Settings
  • Show Cache Size

Resources

  • A PowerShell script to call the ActiveEfficiency API and return its version
  • A PowerShell script to enumerate SMB shares and permissions
  • A PowerShell script to perform the WMI query to request the alternate download provider setting

Notes

Test Nomad ActiveEfficiency Connectivity

ActiveEfficiency connectivity is tested by retrieving the AE URL from the registry and then attempting to retrieve the AE version by making a call to the AE endpoint. If the registry key is not specified, the URL is returned as (not configured in registry). If the version could not be retrieved, it is displayed as (unable to retrieve version).

Show Nomad Special Share Settings
Show Nomad P2PEnabled Settings

Nomad Special Share Settings and P2PEnabled settings are returned as a description of the bitmask of the settings. If no registry key exists, “(no registry value found)” is returned. If the bitmask is all zeroes, “(no options set)” is returned.

Otherwise, a description is added for each bit position. For a bitmask of all 1s, i.e. 0xFFFF, the result returned for Special Share settings is:

CUST|IPV6|NOIPV4|RSVD3|HIDE|NOSTATS|FANOUT|MCACCT|RSVD8|RSVD9|RSVD10|RSVD11|RSVD12|HTTPXFER|WEBLSZ|NOSMB

This corresponds to the descriptions for bit positions 0 through 15 respectively, as defined on this page:

SpecialNetShare

Bit position 13 (from 0) is defined as RESERVED on this page. However, this bit enables HTTP file transfers, which are essential for Tachyon integration, so it is described as HTTPXFER here.

For P2PEnabled, a bitmask of all 1s, i.e. 0x7F (as only bits 0 through 6 are defined), returns:

P2PENB|CNLESSSVR|CNLESSCLI|NETLITNAME|FQDN|HTTP|HTTPS

These are defined on this page:

P2PEnabled
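The decoding described above can be reproduced as follows. This is an added example, not the product pack's own script: the bit names are copied from this page, while the function name, the sample values and the handling of bits outside the defined range are assumptions.

```powershell
# Added example: bit names are copied from the page; everything else is illustrative.
$SpecialNetShareBits = 'CUST','IPV6','NOIPV4','RSVD3','HIDE','NOSTATS','FANOUT','MCACCT',
                       'RSVD8','RSVD9','RSVD10','RSVD11','RSVD12','HTTPXFER','WEBLSZ','NOSMB'
$P2PEnabledBits      = 'P2PENB','CNLESSSVR','CNLESSCLI','NETLITNAME','FQDN','HTTP','HTTPS'

function ConvertTo-NomadFlagText {
    param(
        [AllowNull()] $Value,                        # raw registry value, $null when absent
        [Parameter(Mandatory)] [string[]] $BitNames  # array index = bit position
    )
    if ($null -eq $Value) { return '(no registry value found)' }
    $mask = [int64]$Value
    if ($mask -eq 0) { return '(no options set)' }

    # Collect the name of every defined bit that is set, lowest bit first.
    $names = @(for ($bit = 0; $bit -lt $BitNames.Count; $bit++) {
        if ($mask -band ([int64]1 -shl $bit)) { $BitNames[$bit] }
    })

    # Assumption (not from the page): bits above the defined range are surfaced
    # instead of being silently dropped.
    $undefined = $mask -shr $BitNames.Count
    if ($undefined -ne 0) {
        $names += 'UNDEFINED(0x{0:X})' -f ($undefined -shl $BitNames.Count)
    }
    return $names -join '|'
}

# Constructed sample values, not read from any endpoint.
$samples = [ordered]@{ 'all bits' = 0xFFFF; 'bits 4 and 13' = 0x2010; 'zero' = 0; 'absent' = $null }
foreach ($label in $samples.Keys) {
    '{0,-14} {1}' -f $label, (ConvertTo-NomadFlagText -Value $samples[$label] -BitNames $SpecialNetShareBits)
}
ConvertTo-NomadFlagText -Value 0x7F -BitNames $P2PEnabledBits
```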

Show SMB Shares and permissions where share name contains %ShareName%

Show SMB Shares and permissions shows the accounts that have permissions to a share, along with the access right (e.g. read) and the access type (e.g. allow or deny). By default, all shares are shown. Otherwise, only shares containing the string specified in the %ShareName% parameter are included. To focus on Nomad shares, set %ShareName% to Nomad.

Show Expected Nomad Shares

The result from the ‘Show SMB Shares’ script is filtered to show only expected Nomad shares. This confirms that the endpoint is appropriately configured for Nomad to operate successfully. Filtering is by the share name and associated account(s) that have permission.

The result is affected by two bit positions in the SpecialNetShare registry entry. The values of these are returned in two columns of the result:

  • IsHiddenShare (based on bit 4 of the registry entry)
  • UseComputerAcct (based on bit 7 of the registry entry)

The expected share name and account name by which the results are filtered are shown in the table below.

In the table, domain\computername$ corresponds to the computer account on the endpoint.

| IsHiddenShare | UseComputerAcct | ExpectedShareName | ExpectedAcctName |
|---|---|---|---|
| 0 | 0 | NomadSHR | SMSNomadP2P& |
| 0 | 1 | NomadSHR | domain\computername$ |
| 1 | 0 | NomadSHR$ | SMSNomadP2P& |
| 1 | 1 | NomadSHR$ | domain\computername$ |

Endpoints that have shares matching the expected share name, with the appropriate accounts, return rows showing the account permissions.

Endpoints where Nomad is not installed (no registry key), or where the share names and accounts don’t match the expected name and account, return no rows.

If Nomad is not configured to automatically create the required shares at startup (i.e. use custom shares is set), and the shares have not been created, then this instruction will return no rows from such devices.

If Nomad is configured to automatically create the required shares at startup but the agent has not been started at least once, then this instruction will return no rows from such devices.
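The table lookup and filtering described above, as an added example that is not the product pack's own script. The share and account names come from the table; the function names, the computer account and the access rows (shaped like Get-SmbShareAccess output) are constructed, and matching a local account as HOST\name is an assumption.

```powershell
# Added example. Share and account names are from the page's table; function names,
# the computer account and the access rows below are constructed.
function Get-ExpectedNomadShare {
    param(
        [Parameter(Mandatory)] [int64]  $SpecialNetShare,
        [Parameter(Mandatory)] [string] $ComputerAccount   # domain\computername$
    )
    $hidden  = [bool]($SpecialNetShare -band 0x10)   # bit 4
    $useComp = [bool]($SpecialNetShare -band 0x80)   # bit 7
    [pscustomobject]@{
        IsHiddenShare     = [int]$hidden
        UseComputerAcct   = [int]$useComp
        ExpectedShareName = if ($hidden)  { 'NomadSHR$' }      else { 'NomadSHR' }
        ExpectedAcctName  = if ($useComp) { $ComputerAccount } else { 'SMSNomadP2P&' }
    }
}

function Select-ExpectedNomadShareAccess {
    param($Expected, [object[]] $AccessRows)
    $acct = $Expected.ExpectedAcctName
    # Assumption: a local account may be reported as HOST\name, so also match on the suffix.
    $AccessRows | Where-Object {
        $_.Name -eq $Expected.ExpectedShareName -and
        ($_.AccountName -eq $acct -or
         $_.AccountName.EndsWith('\' + $acct, [StringComparison]::OrdinalIgnoreCase))
    }
}

# Constructed rows with the property names Get-SmbShareAccess returns.
$rows = @(
    [pscustomobject]@{ Name = 'NomadSHR$'; AccountName = 'PC01\SMSNomadP2P&'; AccessControlType = 'Allow'; AccessRight = 'Read' }
    [pscustomobject]@{ Name = 'NomadSHR$'; AccountName = 'Everyone';          AccessControlType = 'Allow'; AccessRight = 'Full' }
    [pscustomobject]@{ Name = 'NomadSHR';  AccountName = 'PC01\SMSNomadP2P&'; AccessControlType = 'Allow'; AccessRight = 'Read' }
)

# Bit 4 set, bit 7 clear: hidden share, Nomad account expected.
$expected = Get-ExpectedNomadShare -SpecialNetShare 0x10 -ComputerAccount 'CONTOSO\PC01$'
$expected | Format-Table -AutoSize
Select-ExpectedNomadShareAccess -Expected $expected -AccessRows $rows | Format-Table -AutoSize
```

Rows on the Nomad share that belong to other accounts are dropped by this filter, so they are only visible through the general share listing.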

You can use the more general ‘Show SMB Shares and Permissions’ instruction to troubleshoot issues with Nomad shares that are not set up consistently with the Nomad registry entry settings.

You can use the more general ‘Show Nomad Special Share Settings’ instruction to troubleshoot the specific registry entry settings on an endpoint.

Get Alternate Download Provider Setting

Queries the WMI path “root\ccm\Policy\Machine\ActualConfig” and returns the logical name of the CCM_DownloadProvider class where the logical name = ‘NomadBranch’.

For devices where this cannot be queried, returns an empty string.

Devices on which the SCCM agent is not installed do not have the WMI path “root\ccm” and consequently will have no data.

Check Content Hash Settings

Verifies that the CompatibilityFlags registry key has the appropriate bitmasks for hash checking. For a normal endpoint it is expected that the check hash bit (0x1000000) is set. For a DP, it is expected that the use hash bit (0x80000) is set.

It is OK in either case for both bits to be set; this is regarded as a correct setting. Otherwise, if for a DP the use hash bit is not set, or for a non-DP endpoint the check hash bit is not set, then the flags setting is returned as not OK.

If the endpoint does not have the CompatibilityFlags registry key then no data is returned because it is assumed that Nomad is not installed on that endpoint.
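The rule above, evaluated over every bit combination for both endpoint roles. This is an added example, not the product pack's own script: the two bit values are from this page, while the function name, the IsDP parameter (the caller is assumed to know the endpoint's role) and the sample values are constructed.

```powershell
# Added example: the two bit values are from the page; names and samples are constructed.
$CheckHashBit = 0x1000000   # expected on a normal endpoint
$UseHashBit   = 0x80000     # expected on a DP

function Test-NomadContentHashFlags {
    param(
        [AllowNull()] $CompatibilityFlags,   # $null = registry value absent
        [bool] $IsDP                         # assumption: caller supplies the endpoint's role
    )
    # No CompatibilityFlags value: Nomad is assumed not installed, so emit no data.
    if ($null -eq $CompatibilityFlags) { return }

    $flags = [int64]$CompatibilityFlags
    $check = [bool]($flags -band $CheckHashBit)
    $use   = [bool]($flags -band $UseHashBit)

    # Only the bit required for the role decides the result; the other bit may also be set.
    $ok = if ($IsDP) { $use } else { $check }

    [pscustomobject]@{
        Flags     = '0x{0:X8}' -f $flags
        IsDP      = $IsDP
        CheckHash = $check
        UseHash   = $use
        Status    = if ($ok) { 'OK' } else { 'Not OK' }
    }
}

# Constructed values: all four bit combinations plus a missing value, for both roles.
$values = 0, $UseHashBit, $CheckHashBit, ($UseHashBit -bor $CheckHashBit), $null
$results = foreach ($role in $false, $true) {
    foreach ($value in $values) {
        Test-NomadContentHashFlags -CompatibilityFlags $value -IsDP $role
    }
}
$results | Format-Table -AutoSize
```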

 

Show Cache Size

Shows the current size and path of the Nomad cache folder. Note that the size will include all folders underneath that folder, so Nomad log file sizes will be included in the total.
