Problem When a Notification Server database is moved from one server to another (or if you decide to rebuild the server) the console will be locked (Access denied or only access to the shortcut tab) after you point the NS back to the original Database.
Environment Notification Server 6.0
Technique is best suited for when the old and new database servers are on different hosts.
Cause The SID's of the system and Altiris Administrators local group have changed from the information stored in the Altiris database. When the NS checks security it will fail to recognize the user as a member of the Altiris Administrators role
Resolution NOTE:: For this to be supportable in Notification Server 7.x the source NS and destination NS servers must have the exact same name Fully Qualified name (e.g. thisNS.domain.com , it is not sufficient for just the machine name to match).
To recover from this situation. follow these steps:
1. Run the following SQL query on the database created during the NS install:
select Trustee from SecurityTrustee where Guid in (select TrusteeGuid from SecurityRole where [Name] = 'Altiris Administrators')
2. Run the same query (above) on the database you can no longer access. This should return a different SID.
3. Run the following query on the database you can no longer access. This will replace the old SID with the current SID on the new NS server)
UPDATE SecurityTrustee SET Trustee = 'SID on working DB(step1)' WHERE Trustee = 'SID from the access denied DB (step2)'
4. Refresh the NS Console and you will now have access to all the tabs as per your Admin rights.
Note: An alternative method to get the SID is to logon as an Altiris Administrator account (on the NS host) and run command "whoami /GROUPS" and copy the SID for group "Altiris Administrator". A second alternative is to use Sysinternal's utility "psGetSid" with the /groups "Altiris Administrators" parameter (on the NS host).
Note: This technique only describes how to update the SID for the Altiris Administrator's Role. The process would need to be repeated for any other Altiris Roles. A more comprehensive approach is to rerun the NSSetup wizard (which will roll-back some NS settings to their defaults). If you don't want to run NSSetup, you can use the following query to identify the current SIDs on the Altiris Database and then modify them to use the right ones:
SELECT sr.name, st.* FROM securitytrustee st LEFT JOIN securityrole sr ON sr.trusteeguid = st.guid ORDER BY trusteeid
You can find all the right SIDs for the new Notification Server by running from the command prompt 'whoami /all'.
NOTE:: If the above-mentioned method does not restore access to the NS Console, run the following SQL Commands in Succession against the Database:
After running these two commands, refresh your console page. The Console page should load.
Imported Document ID: HOWTO2501
Subscribing will provide email updates when this Article is updated. Login is required.