This documentation supports the 21.3 (12.3) version of BMC Discovery.


Configuring Windows discovery

BMC Discovery is a Linux-based appliance. In previous releases, the methods used to access Microsoft Windows hosts were available only from Windows systems, so Windows discovery required a Windows proxy host. From BMC Discovery version 21.05, the appliance uses PowerShell to discover Windows hosts directly, without requiring a proxy. For more information, see Discovering Windows hosts with PowerShell.

Windows proxies

Windows proxies scan Windows hosts on behalf of the discovery service on the BMC Discovery appliance.

You can download the Windows proxies and Windows proxy manager as installation files from the appliance and install them on the local Windows host. For more information, see Installing BMC Discovery Proxy Manager.

Windows discovery is handled in one of the following ways:

  • Credential Windows proxy—A BMC Discovery service that runs on a customer-provided Windows host. To perform discovery, it uses credentials supplied by the BMC Discovery appliance from the credentials vault.
  • Active Directory Windows proxy—A BMC Discovery service that runs on a customer-provided Windows host. To perform discovery, it logs in as an Active Directory user.
    • When you install the proxy, you must configure it as a user on the Active Directory domain with the ability to log in and run discovery commands on the hosts to discover. The Active Directory proxies do not use the credentials that the BMC Discovery appliance supplies from the credentials vault.
    • When you install the Active Directory Windows proxy (as the Windows domain administrator), the appliance uses it to discover the Windows hosts in that domain. The proxy can discover only Windows hosts on the domain it is a member of, or other domains trusted by that domain. To discover domains that are not trusted, you must configure another Windows proxy with the appropriate domain permissions.

Windows proxies managed by the BMC Discovery Outpost

For Windows credentials, the BMC Discovery Outpost creates and manages one credential proxy service for one or more Windows credentials.

For AD credentials, the BMC Discovery Outpost automatically creates, updates, and deletes an AD Proxy service for each AD credential. An "AD credential" in this context is created when you choose Active Directory as the credential type in the BMC Discovery Outpost credential UI.

The username and password are not stored in the vault. A Windows service is started, and Windows itself stores an authentication token associated with the service. The "credential" is retained in the Windows service control manager.

Note

The error "The username is not valid" appears when you create an AD credential from a BMC Discovery Outpost that does not belong to Active Directory.

Windows proxy manager

The Windows proxy manager enables you to install and manage proxies on the Windows host on which the manager is installed (see Managing proxies). The Windows proxy manager is installed when you install a proxy. You can perform the following tasks using the Windows proxy manager:

  • Create (install a new proxy service)
  • Edit the port that the proxy uses and the user account that the proxy runs as
  • Delete (uninstall a proxy service)
  • Start a selected proxy
  • Stop a selected proxy
  • Restart a selected proxy

Windows proxy pool

To balance the load of the proxies, distribute discovery requests, and offer scalability and better performance solutions for Windows discovery, proxies are grouped into proxy pools based on the following criteria:

  • Type of proxies—A proxy pool must contain either Credential proxies or Active Directory proxies. A proxy pool must not contain proxies of both types.
  • Version of proxies—A proxy pool must contain either version 9.0 proxies or proxies of earlier versions. A proxy pool must not contain proxies of both version 9.0 and earlier versions.

Based on the proxy version and the version of the OS the proxy runs on, the proxy capability is one of the following:

  • Fully IPv6 capable—Can scan IPv6 addresses and retrieve IPv6 data (where BMC Discovery version 9.0 or later proxies are running on Windows 2008 or later).
  • Cannot scan IPv6 addresses—Can retrieve IPv6 data but the Windows version does not support scanning IPv6 addresses (where BMC Discovery version 9.0 or later proxies are running on versions of Windows older than Windows 2008).
  • Not IPv6 capable—Cannot scan IPv6 addresses and cannot retrieve IPv6 data (BMC Discovery proxies from versions older than 9.0).

The proxies in a pool must have identical access to Windows hosts, because only one proxy per pool is tested for access. The appliance UI displays the pools in the order (from top to bottom) in which you added them to the appliance. You can change their order. For discovery tasks, the proxies in a Windows proxy pool are selected according to their load. If a proxy is overloaded or unavailable, the discovery task is assigned to the next available proxy in the pool.

Operating System compatibility for IPv6 discovery

To discover IPv6 hosts, the OS and proxy compatibility requirements are as follows:

  • The proxy must be BMC Discovery version 9.0 or later
  • The proxy must run on an OS that is Windows 2008 or later
  • The OS of the target hosts must be Windows 2008, Windows Vista, or a later version

The supported discovery methods are WMI and RemQuery.

Steps to configure Windows discovery

Before you can use a Windows proxy to discover your Windows IT infrastructure, you must perform the following tasks in the given order:

  1. Add Windows proxies to the appliance using the Windows proxy manager.
    For more information, see Managing proxies.
  2. Add Windows proxy pools.
    For more information, see adding proxy pools.
  3. Add Windows proxies to the proxy pools.
    For more information, see adding proxies to pools.
  4. Edit the firewall rules to permit communication between the appliance and the Windows proxies.
    For more information, see System communications and network ports.
  5. Verify that the Windows proxy service has started.
    For more information, see testing Windows credentials and communication.

Potential user lock out

By default, AD accounts permit a limited number of login attempts; for example, 3 attempts in 15 minutes. Access Denied errors from WMI, DCOM, and local commands such as systeminfo are counted as unsuccessful login attempts. Where target hosts are incorrectly configured, this limit can be exceeded and the account locked out.

To avoid this issue, configure the Discovery account to accept unlimited login attempts.
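
One way to do this in Active Directory is a fine-grained password policy that sets the lockout threshold to 0 for the discovery account only, leaving the domain lockout policy unchanged for everyone else. This is an added example, not BMC code; the account name `svc-discovery`, the policy name, and the password-setting values are constructed placeholders, and it assumes the ActiveDirectory PowerShell module and rights to manage password settings objects.

```powershell
# Added example (not from BMC). Fine-grained password policies require a
# domain functional level of Windows Server 2008 or later.
Import-Module ActiveDirectory

# Assumptions: placeholder names; replace with your own.
$Account    = 'svc-discovery'
$PolicyName = 'PSO-Discovery-NoLockout'

# 1. Record the account's current lockout state before changing anything.
Get-ADUser -Identity $Account -Properties LockedOut, BadLogonCount, LastBadPasswordAttempt, AccountLockoutTime |
    Select-Object SamAccountName, LockedOut, BadLogonCount, LastBadPasswordAttempt, AccountLockoutTime

# 2. Create the policy if it does not exist. LockoutThreshold 0 means the
#    account is never locked out. A PSO replaces all password settings of the
#    domain policy for its subjects, so the other values are set explicitly
#    (constructed values; align them with your own standard).
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PolicyName `
        -Precedence 10 `
        -LockoutThreshold 0 `
        -ComplexityEnabled $true `
        -MinPasswordLength 25 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' `
        -MaxPasswordAge '90.00:00:00' `
        -ReversibleEncryptionEnabled $false `
        -ProtectedFromAccidentalDeletion $true `
        -Description 'No lockout for the discovery service account only'
}

# 3. Apply the policy to the discovery account only (skip if already applied).
$subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $PolicyName
if ($subjects.SamAccountName -notcontains $Account) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $Account
}

# 4. Confirm which policy actually wins for the account.
$effective = Get-ADUserResultantPasswordPolicy -Identity $Account
if ($null -eq $effective -or $effective.LockoutThreshold -ne 0) {
    Write-Warning "Lockout is still enforced for $Account; check PSO precedence."
}

# 5. Clear an existing lockout so discovery can resume.
if ((Get-ADUser -Identity $Account -Properties LockedOut).LockedOut) {
    Unlock-ADAccount -Identity $Account
}
```

With lockout disabled, `BadLogonCount` and `LastBadPasswordAttempt` from step 1 are still updated, so they remain usable for spotting misconfigured target hosts.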

