Thursday, October 2, 2008

Operating System Deployment: Gethostbyname failed!

This may not be the most security-related item that will get posted on this blog, but I have a theory that if I can't find the answer to something after about 15 minutes of searching the Internet, then it is my duty to put that information on the Internet.

I have been involved in a project with our Microsoft System Center Configuration Manager (SCCM) administrator to deploy operating system images over the network. The process is called Operating System Deployment (OSD). We were having a strange problem where some of our task sequences would work in one VLAN, but not in another. In the cases where the task sequence would fail, there would be an error in the log file that said GetHostbyName failed. Of course, this led us to look at our name resolution, but we simply weren't finding the answer.

Ultimately we noticed that we couldn't resolve the name of the SCCM server if we used just the NetBIOS name (not the fully qualified domain name). Turns out that on the SCCM server, in the IP configuration, we had not specified a WINS server. I have to be honest, I thought that WINS was dead technology and I didn't expect that System Center 2007 R2 was going to need that, but after we made the change things started working for us even in the VLANs where it didn't work before.

Now I still cannot answer why it was working in some VLANs and not others. All I know is that making this change has improved our situation, and if you came here searching for that error then hopefully it makes life better for you too.

By the way, in case you're wondering why a security manager is working on operating system deployment, it has to do with quality assurance. I believe that risk management and quality assurance are the peanut butter and jelly of information security. By improving the quality of our imaging process we can ensure that more of our computers leave the door with the latest patches in place. This in turn improves our endpoint security and reduces our risk.


max said...

CM 2007 tries to look up the management point in the following order:
1. Active Directory Domain Services (does not work for OSD)
2. DNS (not enabled by default)
3. Server locator point (not enabled by default)
4. WINS (not enabled by default)

Are you sure you double-checked the above things?

Just try to ping the full FQDN from the command prompt and check your DNS settings.

Black Fist said...

Interesting. So the only name resolution option that is available by default doesn't work for OSD. It has been so long since we were troubleshooting this that I can't remember what we tried. Having said that, I'm pretty sure that I would have tried ping.