Do you use multiple AD within your organization?

Hi SNOW community,

 

We have an on-prem installation with multiple domains (which have a trust). We did a migration to the latest infrastructure and therefore updated all SNOW components. Within this migration we moved from the integrated AD discovery in SNOW inventory and set up the SNOW Inventory AD discovery. Now we are facing some issues, as only one domain is covered, and we would like to find out whether the issues we are facing are already known from other companies. Do you have multiple domains in place and use an integration to SNOW? How have you set up the connection and which challenges have you identified?

 

Best regards

 

André


  • Nathan Green (Flexera Software)

    Hey Meier,

     

    Within the Snow Inventory Admin console (C:\Program Files\Snow Software\Snow Inventory\Server\snowserveradmin.exe) you can configure multiple LDAP paths (for multiple domains); example attached. You would have to ensure that the service account & master inventory server could communicate to the other domains from the inventory server itself to query successfully; using LDAP or LDAPS.

     

    If that isn't the case; you could configure AD integration if you have to set up Local AD Discovery configuration on the other domains. (https://docs.snowsoftware.com/snow-inventory/en/UUID-866b1880-01d1-4d64-3400-7565774d6b9f.html)

     

    MultiAD

  • Hi Nathan,

     

    Thank you for the update!

     

    As mentioned before this was the way we used in the past but we have been told this should not be used anymore as there is no further development. Instead we should use the "new" SNOW Inventory AD discovery tool. Do you know more about this or the situation about which method should be used and could also be used in the future?

    We also tried to use both methods but neither of them works for us. Currently we also have the issue that, within the configuration in the SNOW Inventory AD discovery, we enabled both computer as well as user object gathering, but the user collection has not been initiated. We also tried with and without SSL as there was a defect in the past about this. So we would be happy if there is someone who has multiple domains in place and also gathers this information, so we could get in contact and figure out how the setup has been done and where we may have an issue.

     

    Best regards

    André

     

  • Nathan Green (Flexera Software)

    Hey Andre,

     

    No worries; always happy to help. I have configured multiple domains for many customers in the past (I'm a snr. tech consultant at Snow based in Australia). I often use LDAPS tools to verify that the Snow Inventory server can 'see' the domain & query successfully. (You can test both LDAPS & LDAP) - if the service account you are using can't query it using the utility it will be network/configuration at the AD layer. Maybe worth trying & validating you can fetch the information using Microsoft LDP tool (https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771022(v=ws.11)) - it works on newer servers too. If you are able to query computer objects then I assume it may be permissions to the User CN.

     

    You can also see the AD logging in the C:\ProgramData\SnowSoftware\Inventory\Server which may also give you some insights; such as authentication issues to the CN for example. Remember if the Inventory Server is a member of the domain to be scanned it should be entered such as LDAP://DC=MyDomain,DC=com but if the Inventory Server is not a member of the domain to be scanned: LDAP://DC001.MyDomain.com.

     

    Hope this helps you out; if not our Snow Support Team in your timezone may be able to jump on a call & help out further.

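
The connectivity check described in the last reply, as an added PowerShell example that is not part of the thread and not Snow tooling: it binds to each LDAP path over LDAP and LDAPS and tries to read a few computer and user objects, which separates network or bind failures from missing read permission on user objects. The paths are the sample forms quoted in the reply, and the search filters and the function name `Test-LdapRead` are assumptions.

```powershell
Add-Type -AssemblyName System.DirectoryServices

# Sample paths in the two forms quoted in the thread; replace with your own domains.
$paths = @(
    'LDAP://DC=MyDomain,DC=com',    # Inventory server is a member of this domain
    'LDAP://DC001.MyDomain.com'     # Inventory server is not a member: name a DC
)
# Assumed filters for the two object types that AD discovery should collect.
$filters = [ordered]@{
    Computer = '(objectCategory=computer)'
    User     = '(&(objectCategory=person)(objectClass=user))'
}

# Hypothetical helper: bind to $Path and read a small sample of matching objects.
function Test-LdapRead {
    param([string]$Path, [string]$Filter, [bool]$UseSsl, [pscredential]$Credential)
    [System.DirectoryServices.AuthenticationTypes]$auth = 'Secure'
    if ($UseSsl) { $auth = 'Secure, SecureSocketsLayer' }   # request LDAPS
    $user = $null; $pass = $null
    if ($Credential) {
        $user = $Credential.UserName
        $pass = $Credential.GetNetworkCredential().Password
    }
    $entry    = [System.DirectoryServices.DirectoryEntry]::new($Path, $user, $pass, $auth)
    $searcher = [System.DirectoryServices.DirectorySearcher]::new($entry, $Filter)
    $searcher.SizeLimit = 5         # a few objects are enough to prove read access
    try {
        $results = $searcher.FindAll()
        $n = $results.Count
        $results.Dispose()
        if ($n -gt 0) { "OK ($n sample objects)" } else { 'Bind OK, no objects visible' }
    } catch {
        # Bind, TLS and name-resolution errors all surface here.
        'FAILED: ' + $_.Exception.GetBaseException().Message
    } finally {
        $searcher.Dispose(); $entry.Dispose()
    }
}

# Run on the Inventory server as the service account, or add -Credential (Get-Credential).
$report = foreach ($p in $paths) {
    foreach ($ssl in $false, $true) {
        $proto = if ($ssl) { 'LDAPS' } else { 'LDAP' }
        foreach ($type in $filters.Keys) {
            $result = Test-LdapRead -Path $p -Filter $filters[$type] -UseSsl $ssl
            [pscustomobject]@{ Path = $p; Protocol = $proto; Object = $type; Result = $result }
        }
    }
}
$report | Format-Table -AutoSize
```

A row where `Computer` succeeds and `User` returns nothing for the same path and protocol matches the permissions case raised in the reply; a `FAILED` result on every row for one domain points at network or bind configuration instead.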
