
Running the Windows proxy under a gMSA account

This section describes the procedure for running the Windows proxy (or the BMC Discovery Outpost) under a Group Managed Service Account (gMSA) for an Active Directory proxy.

The following table lists the tasks in the sequence in which you must perform them, the action for each task, and the procedure on this page that describes it:

  Task  Action                                                               Reference
  1     Fulfill the prerequisites.                                           Before you begin
  2     Ensure that you have a Microsoft Key Distribution Service (KDS)      To create a KDS root key for your domain
        root key for your domain.
  3     Create a domain security group for the proxy host.                   To create a domain security group for the proxy host
  4     Create the gMSA.                                                     To create the gMSA
  5     Install the gMSA on the proxy host.                                  To install the gMSA on the proxy host
  6     Add the gMSA to the local administrators' group on the proxy host.   To add the gMSA to the local administrators group on the proxy host
  7     (Optional) Install the BMC Discovery proxy.                          (Optional) To install the BMC Discovery proxy
  8     Configure the BMC Discovery proxy to run as the gMSA account.        To configure the BMC Discovery proxy to run as the gMSA account
  9     Grant permissions to the gMSA account to discover hosts in the       To grant permissions to the gMSA account to discover hosts in the domain
        domain.

Before you begin 

Before you configure your system for running the Windows proxy under a gMSA account, make sure that the following requirements are completed:

  • Your domain environment must fulfill the operating system and Active Directory Domain Service requirements, as listed in the Microsoft documentation.
  • You must have Administrator access to the domain, or have the appropriate permissions as described in the Microsoft documentation.
  • You must have a machine on which to install the Discovery Proxy – the proxy host.

To create a KDS root key for your domain 

  1. At an elevated PowerShell prompt on a domain controller, run the following command:

    Get-KdsRootKey

    If the result shows that you already have a KDS root key, skip step 2.

  2. Run the following PowerShell command to create the root key. 

    Add-KdsRootKey -EffectiveImmediately

    Note

    After running the command to create the root key, you need to wait for ten hours before continuing.

To create a domain security group for the proxy host 

  1. At an elevated PowerShell prompt on a domain controller, run the following command. Ensure that you modify the path as relevant to your domain:

    New-ADGroup "BMC Discovery Proxy" -GroupCategory Security -GroupScope Global -Path "DC=mydomain,DC=com"

  2. Run the following command to add your proxy host to this security group. Ensure that you substitute PROXYSERVER with your actual proxy host name (the trailing $ denotes the host's computer account):

    Add-ADGroupMember -Identity "BMC Discovery Proxy" -Members PROXYSERVER$

To create the gMSA 

  • At an elevated PowerShell prompt on a domain controller, run the following command. Ensure that you replace mydomain with the actual name of your domain:

    New-ADServiceAccount -Name "bmc-disco-proxy" -DnsHostName "bmc-disco-proxy.mydomain.com" -PrincipalsAllowedToRetrieveManagedPassword "BMC Discovery Proxy"

    Note

    In the command to create the gMSA, "BMC Discovery Proxy" must match the name of the security group that you created in the earlier procedure.
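The domain-controller side of steps 2 to 4 (KDS root key, security group, gMSA), as an added example script that is not part of the BMC documentation. It assumes the ActiveDirectory PowerShell module on an elevated prompt on a domain controller, and that $DomainDN, $GroupName, $GmsaName and $ProxyHost are adjusted to your domain; it adds readiness and idempotency checks that the individual commands above do not perform.

```powershell
# Added example (not BMC's own script): idempotent DC-side setup for the
# "BMC Discovery Proxy" group and the bmc-disco-proxy gMSA.
# Assumed values; replace them with those for your domain.
Import-Module ActiveDirectory

$DomainDN  = "DC=mydomain,DC=com"      # placeholder, as in the page's example
$GroupName = "BMC Discovery Proxy"
$GmsaName  = "bmc-disco-proxy"
$ProxyHost = "PROXYSERVER"             # NetBIOS name of the proxy host, without the trailing $
$DnsDomain = (Get-ADDomain).DNSRoot
$now       = Get-Date

# 1. KDS root key: a key must exist, be effective, and (conservatively) have been
#    created at least ten hours ago so that it has replicated to all DCs.
$ready = Get-KdsRootKey | Where-Object {
    $_.EffectiveTime -le $now -and $_.CreationTime.AddHours(10) -le $now
}
if (-not $ready) {
    if (-not (Get-KdsRootKey)) {
        Add-KdsRootKey -EffectiveImmediately | Out-Null
        throw "KDS root key created now; wait ten hours, then rerun this script."
    }
    throw "KDS root key exists but is not yet usable; wait before creating the gMSA."
}

# 2. Security group whose members may retrieve the gMSA password (created only if missing).
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupCategory Security -GroupScope Global `
                         -Path $DomainDN -PassThru
}

# 3. Add the proxy host's computer account to the group (skip if already a member).
$computer = Get-ADComputer -Identity $ProxyHost
$already  = Get-ADGroupMember -Identity $group | Where-Object { $_.SID -eq $computer.SID }
if (-not $already) { Add-ADGroupMember -Identity $group -Members $computer }

# 4. Create the gMSA; only principals in $GroupName can retrieve its managed password.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName -DnsHostName "$GmsaName.$DnsDomain" `
                         -PrincipalsAllowedToRetrieveManagedPassword $GroupName
}

# Show the result so the retrieval principal can be verified against the group.
Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword
```

The proxy host still needs a reboot before Install-ADServiceAccount on it will succeed, because its Kerberos ticket must reflect the new group membership.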

To install the gMSA on the proxy host 

  1. Reboot the proxy host to ensure that it is up-to-date with the group membership.
  2. At an elevated PowerShell prompt on the proxy host, run the following command:

    Install-AdServiceAccount "bmc-disco-proxy"

    Note

    You may need to install the Active Directory PowerShell module to run the command.

To add the gMSA to the local administrators group on the proxy host 

  • At an elevated PowerShell prompt on the proxy host, run the following command. Ensure to replace mydomain with the name of your domain:

    Add-LocalGroupMember -Group "Administrators" -Member "mydomain\bmc-disco-proxy$"

(Optional) To install the BMC Discovery proxy 

Note

The Discovery Proxy installer does not allow you to configure the Active Directory proxy to run as a gMSA account. The Windows Proxy Manager also does not allow you to set the user for a service to be a gMSA account.

If you have the BMC Discovery proxy already installed on the proxy host, skip to the next section. Otherwise, you can download the installer for the Windows Proxy from the Manage > Discovery Tools option and perform the following steps:

  1. Double-click the installer to start the installation wizard of the BMC Discovery proxy.
  2. Click Next to accept the default settings for the Installation folder, Start Menu folder, and additional tasks.
    The wizard displays the Active Directory Proxy dialog.

    [Figure: Active Directory Proxy dialog of the installation wizard]

  3. Select the Create an Active Directory Proxy check box and the Do not enter credentials option.
  4. Click Next and continue with the remaining steps to complete the installation.

To configure the BMC Discovery proxy to run as the gMSA account 

Perform the following steps when you already have an Active Directory proxy running:

  1. Follow the instructions provided here to change the user that the proxy runs as.
  2. In the Log On tab, do the following:
    1. In the This account field, enter mydomain\bmc-disco-proxy$, where you replace mydomain with your actual domain name.
    2. Leave the password fields blank. The password of a gMSA is managed by Active Directory, so none is stored with the service.

      [Figure: Log On tab of the Active Directory proxy service]

  3. Click Apply and then OK to save the settings.
  4. Restart the proxy so that it runs as the new account.
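The host-side part of steps 5, 6 and 8 as a verification script, added here as an example that is not part of the BMC documentation. It assumes the ActiveDirectory module is installed on the proxy host, that $Domain and $Gmsa match your environment, and that $ServiceName holds the Windows service name of the BMC Discovery Active Directory proxy, which this page does not state, so it is left as a placeholder.

```powershell
# Added example (not BMC's own code): confirm the gMSA is installed on this host,
# is a local administrator, and is the logon account of the proxy service.
Import-Module ActiveDirectory

$Domain      = "mydomain"                        # NetBIOS domain name, as on the page
$Gmsa        = "bmc-disco-proxy"
$ServiceName = "<discovery-proxy-service-name>"  # placeholder: the proxy's Windows service name
$member      = "$Domain\$Gmsa`$"                 # SAM form used by the Log On tab

# 1. Install the gMSA if needed, then prove this host can retrieve its managed password.
$installed = Test-ADServiceAccount -Identity $Gmsa -ErrorAction SilentlyContinue
if (-not $installed) {
    Install-ADServiceAccount -Identity $Gmsa
    $installed = Test-ADServiceAccount -Identity $Gmsa -ErrorAction SilentlyContinue
}
if (-not $installed) {
    throw "Host cannot retrieve the password for $Gmsa; check group membership and reboot the host."
}

# 2. Ensure the gMSA is in the local Administrators group (add only if missing).
$isAdmin = Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue |
           Where-Object { $_.Name -ieq $member }
if (-not $isAdmin) { Add-LocalGroupMember -Group "Administrators" -Member $member }

# 3. Check that the service logs on as the gMSA (the setting made in the Log On tab).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found; set `$ServiceName to the proxy's service name." }
if ($svc.StartName -ine $member) {
    Write-Warning "Service $ServiceName runs as '$($svc.StartName)'; expected '$member'."
} else {
    Write-Output "Service $ServiceName runs as the gMSA $member (state: $($svc.State))."
}
```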

To grant permissions to the gMSA account to discover hosts in the domain 

The gMSA account must have the appropriate permissions to allow the Discovery proxy access to the hosts in the domain that it is scanning. This can be done by either adding the gMSA account to an appropriate domain administrators' group, or by adding the gMSA account to the local administrators' group on each machine individually.

It should now be possible to scan Windows hosts in the domain after a Discovery appliance has been configured to use the proxy.
