Important: This documentation space contains information about the on-premises version of BMC Helix Discovery. If you are using the SaaS version of BMC Helix Discovery, see BMC Helix Discovery (SaaS).

Running the BMC Discovery Outpost under a gMSA account


The BMC Discovery Outpost can operate using gMSA. The following is a summary of how the BMC Discovery Outpost operates on a host configured as a gMSA system:

  • The Outpost service runs as the local system user, not the gMSA user.
  • The Outpost worker processes also run as the local system user, not the gMSA user.
  • The local system user account does not connect to discovery targets.
  • All connections to discovery targets are made by username/password, certificates, and so on.
  • An Active Directory credential in an Outpost starts an Active Directory proxy. The Active Directory proxy uses the gMSA account to discover hosts in the domain.

This section describes the procedure for running the BMC Discovery Outpost under a Group Managed Service Account (gMSA) in Active Directory.

The following table describes the tasks that you must perform in the specified sequence, the description of the action that you must perform, and the reference to the procedure:

    Task  Action                                                                                     Reference
    1     Fulfill the prerequisites.
    2     Ensure that you have a Microsoft Key Distribution Service (KDS) root key for your domain.
    3     Create a domain security group for the BMC Discovery Outpost host.
    4     Create the gMSA.
    5     Install the gMSA on the BMC Discovery Outpost host.
    6     Add the gMSA to the local administrators' group on the BMC Discovery Outpost host.
    7     (Optional) Install the BMC Discovery Outpost.
    8     Grant permissions to the gMSA account to discover hosts in the domain.

Before you begin 

Before you configure your system for running the BMC Discovery Outpost under gMSA, make sure that the following requirements are completed:

  • Your domain environment must fulfill the operating system and Active Directory Domain Service requirements, as listed in the Microsoft documentation.

  • You must have Administrator access to the domain, or have the appropriate permissions as described in the Microsoft documentation.
  • You must have a machine on which to install the BMC Discovery Outpost – the BMC Discovery Outpost host.

To create a KDS root key for your domain 

  1. At an elevated PowerShell prompt on a domain controller, run the following command:

    Get-KdsRootKey

    If the result shows that you already have a KDS root key, skip step 2.

  2. Run the following PowerShell command to create the root key. 

    Add-KdsRootKey -EffectiveImmediately

    Note: After running the command to create the root key, you need to wait for ten hours before continuing.

To create a domain security group for the BMC Discovery Outpost host 

  1. At an elevated PowerShell prompt on a domain controller, run the following command. Ensure that you modify the path as relevant to your domain:

    New-ADGroup "BMC Discovery Outpost" -GroupCategory Security -GroupScope Global -Path "DC=mydomain,DC=com"

  2. Run the following command to add your BMC Discovery Outpost host to this security group. Ensure that you substitute OUTPOSTSERVER with your actual BMC Discovery Outpost host name:

    Add-AdGroupMember -Identity "BMC Discovery Outpost" -Members OUTPOSTSERVER$

To create the gMSA 

  • At an elevated PowerShell prompt on a domain controller, run the following command. Ensure that you replace mydomain with the actual name of your domain:

    New-ADServiceAccount -Name "bmc-disco-outpost" -DnsHostName "bmc-disco-outpost.mydomain.com" -PrincipalsAllowedToRetrieveManagedPassword "BMC Discovery Outpost"

    Note: In the command to create the gMSA, "BMC Discovery Outpost" must match the name of the security group that you created in the earlier procedure.

To install the gMSA on the BMC Discovery Outpost host 

  1. Reboot the BMC Discovery Outpost host to ensure that it is up-to-date with the group membership.
  2. At an elevated PowerShell prompt on the BMC Discovery Outpost host, run the following command:

    Install-AdServiceAccount "bmc-disco-outpost"

    Note: You may need to install the Active Directory PowerShell module to run the command.

To add the gMSA to the local administrators' group on the BMC Discovery Outpost host 

  • At an elevated PowerShell prompt on the BMC Discovery Outpost host, run the following command. Ensure that you replace mydomain with the name of your domain:

    Add-LocalGroupMember -Group "Administrators" -Member "mydomain\bmc-disco-outpost$"

(Optional) To install the BMC Discovery Outpost

If the BMC Discovery Outpost is already installed on the BMC Discovery Outpost host, skip to the next section. Otherwise, download the installer for the BMC Discovery Outpost from the Manage > Outposts & Proxies option and install the BMC Discovery Outpost using the steps in Installing the BMC Discovery Outpost.

To add a gMSA credential

To add a gMSA credential, from the Credentials page, add a Windows Active Directory credential and select Use Group Managed Service Account. See Adding credentials for more information.

To grant permissions to the gMSA account to discover hosts in the domain 

The gMSA account must have the appropriate permissions to allow the BMC Discovery Outpost access to the hosts in the domain that it is scanning. This can be done by either adding the gMSA account to an appropriate domain administrators' group or by adding the gMSA account to the local administrators' group on each machine individually.

It should now be possible to scan Windows hosts in the domain.
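
To confirm that each step of the procedure took effect, and to see exactly which principals can retrieve the gMSA password, the checks below can be run once the setup is complete. This is an added example, not BMC's own code: the function names are hypothetical, the group and account names are the page's sample values, and the key-readiness test assumes a root key becomes usable ten hours after its EffectiveTime, matching the wait stated above.

```powershell
# Added example: verifies the gMSA setup described on this page.
# Names are the page's sample values; change them to match your domain.
# Requires the ActiveDirectory PowerShell module.
$GroupName = 'BMC Discovery Outpost'
$GmsaName  = 'bmc-disco-outpost'

# Run on a domain controller (elevated) after the KDS key, group, and gMSA steps.
function Test-OutpostGmsaDomainSide {
    param([Parameter(Mandatory)][string]$OutpostHost)   # host name without the trailing $

    # Assumption: a root key is usable once ten hours have passed since EffectiveTime.
    $readyKeys = @(Get-KdsRootKey |
        Where-Object { $_.EffectiveTime.AddHours(10) -le (Get-Date) })

    $group   = Get-ADGroup -Identity $GroupName
    $members = @(Get-ADGroupMember -Identity $GroupName).SamAccountName
    $gmsa    = Get-ADServiceAccount -Identity $GmsaName `
                   -Properties PrincipalsAllowedToRetrieveManagedPassword
    $allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)

    [pscustomobject]@{
        KdsRootKeyReady      = $readyKeys.Count -gt 0
        HostInSecurityGroup  = $members -contains ('{0}$' -f $OutpostHost)
        GroupCanRetrievePwd  = $allowed -contains $group.DistinguishedName
        # Any principal listed here can also read the managed password; review it.
        OtherPasswordReaders = @($allowed | Where-Object { $_ -ne $group.DistinguishedName })
    }
}

# Run on the BMC Discovery Outpost host (elevated) after the install and
# local administrators' group steps.
function Test-OutpostGmsaHostSide {
    $localAdmins = @(Get-LocalGroupMember -Group 'Administrators').Name
    [pscustomobject]@{
        # Test-ADServiceAccount returns $true when this host can use the gMSA.
        GmsaUsableOnHost  = [bool](Test-ADServiceAccount -Identity $GmsaName)
        GmsaInLocalAdmins = [bool]($localAdmins -like ('*\{0}$' -f $GmsaName))
    }
}
```

Call `Test-OutpostGmsaDomainSide -OutpostHost OUTPOSTSERVER` on the domain controller and `Test-OutpostGmsaHostSide` on the Outpost host; every Boolean should be True and OtherPasswordReaders should be empty.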

 


BMC Helix Discovery 25.2 (On-Premises)