This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Inventory collection from computers in another domain

Summary

How to Collect Inventory from Computers Present Outside the Domain of an Inventory Beacon

Synopsis

To collect inventory from a target device according to the recommendations from Flexera Software, both FlexNet inventory beacon and the target computers need to be part of the same domain. Though it is recommended that you deploy at least one FlexNet inventory beacon in the domain of targets, some situations (such as network policies) may restrict the deployment of multiple FlexNet inventory beacons in your network. For Windows-based computers, you can configure the appropriate FlexNet inventory beacon to collect inventory from devices present outside the beacon?s domain. This article describes the procedure of configuring an inventory beacon (deployed on a shared drive) to collect inventory from targets that are outside its domain.

Discussion

FlexNet Manager Suite offers several methods for collecting inventory from targeted computers. Each of these methods works in a different way and involves different Flexera Software components like FlexNet inventory beacon and FlexNet inventory agent. With the following recommended methods of inventory collection, the inventory beacon needs special configuration to collect inventory from targets outside its domain:


Inventory collection through the locally-installed FlexNet inventory agent
To deploy the FlexNet inventory agent, an account (either a Windows domain account, or a local account on the Windows server) is created. This account it granted with the SC_MANAGER_ALL_ACCESS privilege and the credentials for this account are registered in the secure Password Store on the appropriate inventory beacon. You create a discovery and inventory rule with an action to adopt the target computer. The rule flows down to the inventory beacon and executes according to its schedule.
According to the discovery and inventory rule execution schedule, the inventory beacon starts a Windows service that downloads a set of executable files from the inventory beacon onto the target machine to install the agent. Once the agent is installed on the target machine, it automatically collects inventory and uploads it to the inventory beacon according to the agent inventory schedule defined through the Inventory Settings page. For information on discovery and inventory rules, see Discovery and Inventory Rules in the online help, and for information on agent deployment, see the FlexNet Inventory Agent and Managed Devices guide which is downloadable from the title page of the online help.
To deploy FlexNet inventory agent on a computer outside the domain of the appropriate inventory beacon, the inventory beacon needs special configuration stated in the Configuring the FlexNet Inventory Beacon section.

Inventory collection through the zero touch method

The FlexNet inventory beacon can also collect inventory via zero touch inventory collection. In this method, the inventory beacon remotely connects to the target computer and collects inventory. To collect inventory from the target computer, you create a discovery and inventory rule targeting the computer, and having an action to collect the required inventory. This rule flows down to the inventory beacon. According to the discovery and inventory rule execution schedule, the inventory beacon starts a Windows service on the target computer that executes the inventory collection component (ndtrack.exe) from the inventory beacon. The inventory collection component uploads the collected inventory to the inventory beacon. For more information on discovery and inventory rules, see Discovery and Inventory Rules in the online help, and for information on zero touch inventory collection, see the FlexNet Inventory Agent and Managed Devices guide which is downloadable from the title page of the online help.

To collect inventory from a computer outside the domain of the appropriate inventory beacon, the inventory beacon needs special configuration stated in the Configuring the FlexNet Inventory Beacon section.

Prerequisites

The following are the prerequisites to collect inventory from a target that is outside the domain of the inventory beacon:
  • The inventory beacon configuration is independent of the trust relationship between the inventory beacon domain and the target computer domain.
  • The FlexNet inventory beacon should be installed on a shared location. For information on installing and configure the inventory beacon, see What is an Inventory Beacon? in the online help.
  • An account (either a Windows account in the domain of the target computer, or in the domain trusted by the domain of the target computer, or a local account on the target Windows computer) is required with full access to the Windows Service Control Manager on the target computer (specifically, the account must have the SC_MANAGER_ALL_ACCESS privilege). You must register this account in the secure Password Store on the appropriate inventory beacon. For more information, see the Password Management Page in the online help.
  • The Local System account on the target computer (identified on the network as the target computer?s domain account in Active Directory) must be able to access the inventory beacon that is deployed on the chosen shared network location. You can use the following procedure to verify that your network settings allow this access:
  1. To check the connectivity between the target computer and the inventory beacon, download the Microsoft PsExec tool from the Microsoft Technet and copy it to the target computer. This tool can be used to launch an interactive command prompt locally as the Local System account.
  2. Log on to the target computer as the local system account (mentioned in the third bullet point above) and execute the psexec.exe -i -s cmd.exe command to open the command prompt running as SYSTEM.
  3. In the command line window, execute the dir \\<etc><IP address of the inventory beacon server>\mgsRET$ to check the connectivity between the target computer and the inventory beacon.

If successful, the command should return a list of the files in the file share.

Note: (Only for Oracle inventory collection) The local NT_Authority\SYSTEM account must be a member of the ora_dba database group in the Oracle security settings. In the sqlnet.ora file located in the ORACLE_HOME\network\admin directory, the SQLNet.AUTHENTICATION_SERVICES property must be set to (NTS).


Configuring the FlexNet Inventory Beacon

Depending on your domain, network, and target computer configuration, some (or all) of the following steps may be required to make the inventory beacon accessible from target computers outside its network domain. Flexera Software recommends that you consult your system administrators and make the minimum changes necessary in your environment.
1. On the computer where you have installed the FlexNet beacon software, navigate to Control Panel, Administrative Tools, Local Security Policy. The Local Security Policy window appears.

2. Click the Local Policies folder in the left pane.

3. Double-click the Security Options folder in the right pane to view the list of policies.

4. Verify that the following policies have these values set:
  • Network access: Let Everyone permissions apply to anonymous users = Enabled
  • Network access: Shares that can be accessed anonymously = mgsRet$ and ManageSoftRET$
  • Network access: Sharing and security model for local account= Guest only-local users authenticate as Guest
  • Network security: LAN Manager authentication level= Send LM & NTLM -use NTLMv2 session security if negotiated
  • Network security: Minimum session security for NTLM SSP based (including secure RPC) clients = None

5. Navigate to Control Panel, Administrative Tools, Computer Management, Local Users and Groups, Users.
  1. Right click on Guest and select Properties. The Guest Properties dialog appears.
  2. Ensure that the Account is disabled checkbox is unchecked.

6. Navigate to Control Panel, Network and Sharing Center, and click Change advanced sharing settings.
  1. Expand the Password protected sharing section.
  2. Ensure that the Turn off password protected sharing option is selected.
7. Open the Registry Editor and ensure that the value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous registry key is set to 0 (REG_DWORD)
Configuration of the FlexNet Inventory Beacon for a second Domain
[note: this diagram shows the interaction between an agent and a beacon in 2 different Domains, however, the same diagram can also apply for a Child Beacon and Parent Beacon as they use the same communication methods as the agent>beacon methods]


Verification

Use the following method to verify that the inventory is collected by FlexNet Manager Suite:
  • For a locally-deployed Flexnet inventory agent: Wait for the next inventory collection and upload, according to the defined schedule. If you have deployed the agent through a discovery and inventory rule, the All Discovered Devices page would list all those devices, but the All Inventory page would display the inventory for those devices only after the overnight reconciliation job is finished.
  • For zero touch inventory collection: Check the status of the appropriate discovery and inventory rule. Upon successful rule execution, the All Discovered Devices and All Inventory pages should display the inventory for those devices, only after the overnight reconciliation job is finished.

‎Jun 08, 2018 02:06 AM

Was this article helpful? Yes No
No ratings
0 Kudos
Version history
Last update:
‎Jun 08, 2018 02:06 AM
Updated by: