Using the Asset Discovery process in no way prevents you from synching your Active Directory OU's for Computer, User, Security Groups. This module has it own area to configure credentials and you can have as many entries as needed. Some customers choose to use a single set of creds and add multiple entries for each protocol as required. I am not sure why you may have multiple SNMP (v1,v2 or v3) Read Only creds to access switches but BCM can handle that...
After your discoveries complete, create a query to find all switches and use that query to populate a device group and now all your switches are in a group...
I hope that answers your question
If you want to scan the switch's subnet, you can creeate an special target with the IP´s range.
Remenber that you can create an special configuration item whit credentials to SNMP and re-use in each scan job. Asset Discovery --> Configuration --> Scan Configuration.
When you create an scan, you join the tarjet and scan configuration, you can use an scan configuration in various scanners an d you create many scans on the same server.
Thank you for the replies thus far.
We currently have 50 offices (and growing), all at different geographic locations. Within those offices, there are a very large amount of subnets.
At first, I thought what would be best is syncing BMC Client Management (BCM) to our Active Directory environment. I’m assuming that this would have all of our OU’s created automatically in BCM, and those OU’s would have the assets already discovered in there. Our OU is geographically based. The problem is that we have Macs and Linux systems which are not in Active Directory, but belong to those offices. We also have switchers, routers, printers, and firewalls. We would require subnet scanning for all of those. And finally, some systems which aren’t even on the Domain. Assuming that the above Active Directory syncing works in automatically creating/maintaining the Device Groups, I would need a method to put those assets in a geographic group. For example, let’s say we have an office in New York City (NYC). If I sync with Active Directory, it will auto-create the OU’s. But when I do a subnet scan for the rest, I would need to create a new Group within the NYC folder and set up a criteria that would route stuff with that IP to that folder.
There’s a part of me that thinks I should just manually create the 50 groups, and set up subnet scans for each office. Then, use a query to route discovered devices with a specific IP to those groups (ideally I would prefer Default Gateway, but I don’t see that as an option for dynamic population criteria). This way, everything belonging to that subnet gets dropped into the correct folder. My only question there is if there’s a section in BMC where I can just input one set Domain Admin credentials, which will be applied across all scans. When I used the Asset Discovery Wizard during my trial, it certainly looked like I had to place them for each Discovery I set up (which would get annoying in a hurry come password expiration time).
I guess the tl;dr version of this is;
- Is there a central place where I can input credentials that will be applied to *all* subnet scans, even if I create 50+ different subnet scans?
- For dynamic population of groups via criteria, is there a way to do this leveraging Default Gateways, rather than just IP’s?
Cheers, and thank you all for the help.
I would recommend that you set up a scanner per office (relay can be used as the scanner or any other device with an agent)... Set up your subnets to be scanned... Caution: Windows OS as a scanner should be limited to 2,000 IPs or a x.x.x.x/21 CIDR... Linux OS can scan many more IPs without having a heart attack.
Once your scanner has completed it's scan(s) you can create a query using the value "Discovered By" = Scanner Name... This is the easiest method to group all devices discovered without needing to add all IPs. If your Network team is "good" and did not inherit a mess from previous network admins there could be some method to the IP schemes... Such as each office has unique IPs such as "Starting with 10.9." Assigned class B for the Phoenix office... That works too.
Then you can run a query to locate devices needing an agent and create a device group with all Linux devices in Phoenix without agent... Set up a rollout using that offices Relay as the rollout server... After each scan, any Linux device discovered needing agent will be a member of this device group assigned to the Phoenix Rollout server and will get an agent installed... After installation the device is removed from this device group as it no longer meets the criteria.
Thank you for your post! Regarding your overall suggestion(s), you're saying that I should;
1) Set up the Initial Scanner
2) Scan the subnets there.
3) Create a query with "Discovered By".
4) Assign that query to a manually created group.
5) Push the agent out via a rollout, and let the agent handle the capturing of SMB/WMI information through the admin credentials placed the in "Global Settings > Accounts" section. (This should eliminate the need to put WMI-caliber credentials for each scan, as the agent will take care of that stuff?)
After that, you're suggesting I then push out a Relay Agent for the next Device Group ( https://docs.bmc.com/docs/display/public/BCM121/Rolling+out+relay+agents covers it, if I am not mistaken), then repeat steps 2 - 5 after setting up the relay as a Scanner.
Also, sadly, we've got 9824 IP's in one datacenter (which is where the main scanner is located, naturally). Do you have any suggestions for that as well?
Thank you so much for your initial post, it's a great help!
Maybe I assumed too much.. Are you a RemedyForce customer using Client Management to populate your CMDB? If so, then disregard the installing agent. Please understand most users in this community uses Client Management to "manage" end points and that is my fault if I am correct that you are using the included ability to use Client Management to "discover and populate your CMDB.
Ah, I should have stated what our intended use is!
Yes, we are using Remedyforce alongside Client Management. We have the Inventory and Compliance modules only, so to that end, the current goals are:
1) Populate the Remedyforce CMDB by integrating Client Management system with Remedyforce.
2) Be able to run reports and track what kind of hardware/software we have on our network.
3) Software license tracking (ie; we’re entitled to 10 copies of Office 2013, but we’re using 13).
Down the road we may look at other options, but these are the primary ones for now. Frankly, if we can do those items *without* installing the agent, then I won’t be complaining! With that in mind, the three issues I’m currently facing are;
- For 2 & 3, we want to be able to organize these through geographic location. The routing criteria for discovered devices needs to be simple. Your suggestion to set up relays in each office and set those up as a scanner seemed like the best option so far, as doing this by IP’s could get messy (relays also may help reduce network traffic, yes?). If there’s no need to install an agent everywhere, perhaps we could install just a relay on a server for each office?
- Our primary datacenter has 9800+ IP’s, which is nearly 8000 more than the amount you said Windows Scanners can handle.
- A big one is the administrator account. Per security best practices, accounts that have permissions near (or equal to) domain admin get changed after a certain period of time. I really do not want to have to go into 50+ Scan Configurations to modify the password each time (or heaven forbid, have to create 50+ new Scan Configurations if I can’t just change the password on an existing one).
Cheers, and thanks!
1 of 1 people found this helpful
Thanks for the clarification... This helps a lot...
- Scan only 2,000 IP addresses: This is per scan! You can set up your "Targets" to limit to 2,000 IPs but you can configure multiple scans... We use a SQLite DB on the scanner and I have found that trying to scan more than 2,000 IPs take a very long time vs running multiple scans on the scanner
- Agent vs. No Agent: Your licensing only allows for "read only" mode. Even with an agent installed you will not be able to update the local admin password or ensure who is and who is not in the local administrators group. There are Op Rules in this community that allows you "inventory" the membership of that group. The benefit of having an agent on each device is the inventory is a push from the client to the master where a scan is a pull. If a device is not reachable during scan times then you can not update inventory. I always suggest installing an agent to ensure your inventories are always as current as possible.
- Using both AD and Discovery you can Organize by Geographical Location... If you have laptops that travel between sites and you only scan then you must rely on AD OU location (where they are supposed to be). Asset Discovery will tag the devices record with which scanner last discovered the device. By having an agent on board you can organize by Relay, so when a device, Laptop, checks in, you will always know what office the laptop is in or at least last seen.
- Compliance: By collecting special inventory items such as security memberships (with an agent) you can create compliance rules and locate devices not compliant very easily. That is what it is designed to do.
- SLM: having an agent on board will send back to the master server any DELTA inventories.. So if MS Visio was just installed, you will be able to see that devices software inventory be updated and ensuring that this was an approved installation of premium software and alert you if you go OVER your license count.
Have you read thru all the docs yet? I always tell folks that the product is easy to use but not too intuitive. Reading the docs is a great way to understand how the product works, (F1 key while in the console provides context sensitive help). Using the instant expert helps with specific tasks... Professional Services is the easiest way to ensure you are using "Best Practices" and getting the most from this very powerful tool.
I've read through most of the docs, yes. And they’ve been quite helpful! And generally, I'm pretty good with picking up and utilizing applications. But you're right that this isn't the most intuitive platform in some areas, and my concern about leveraging domain administrative credentials after setting up subnet scanning, and what occurs when those expire, wasn't addressed in those documents.
Every Scan Configuration has this section;
My concern is since I’ll have 50+ Scan Configurations, I don’t want to have to change the SMB Windows password 50+ times whenever the SMB Windows password gets changed otherwise, the SMB attempts will fail whenever those scans runs.
Essentially, I'm hoping that there's a central location for that kind of stuff, like how there's Global Settings > Account Credentials for agent rollouts. Where you input the domain admin credentials in that section, if the password changes you just update in that one place.
So in light of this, should I be able to disable the SMB scanning for the subnets, and fully rely on the installed agents to collect the data via WMI/SMB?
I’m also struggling with understanding how AD and Discovery can co-exist, in my mind if I set a criteria for “Discovered By needs to go in XYZ Device Group”, that would overwrite the AD syncing. Again, the documents I have read were not very clear on this. But this is a minor thing compared to the “what happens to your Scan Configurations when your SMB login credentials expire/change” problem.
Finally, we’re using a full blown SQL DB server, but breaking things up into target groups of 2000 IP’s or less seems like a great idea. I recall that when I tried using Remedyforce’s built-in Scanner, the server used for that large datacenter kept on freezing, so that’s probably the reason why that happened.
Thanks again for taking the time to help!
1 of 1 people found this helpful
You assign "a" scan configuration to each scan... This is a reusable object... Create one and call it "Enterprise Credentials"... Assign this one to each scan... You will need to update domain account password in one spot... then you do need to "Reassign" the scan after changing password... Most customers will use a service account that is a member of local admins group on Workstations... maybe a second account for Servers as it may be a different account (best practices)... This way it reduces your LOE... You also may want to turn off Software Inventory (checkbox) under the selected scanner IF you have agents on the box doing the delta inventories anyway... This will reduce both cpu on local workstation/server and reduce bandwidth returning fulls every scan...
This is perfect, exactly what I was looking for! Thank you so much for taking the time to help in this thread.