Readying the DOMAIN Environment

Discovery Phase 2


Discovery Phases

Please complete each phase in order as a pre-requisite to your next step.

PHASE 1: Creating a New Customer in N-Central
PHASE 2: Readying the Domain / Workgroup Environment
PHASE 3: Installing the Probe
PHASE 4: Discovering the Environment
PHASE 5: Review Results & Resolve Issues

Readying the Domain Environment

Before installing the Windows Probe and running a discovery you should make the following changes to ensure the client environment is ready for exploration. Collabrance recommends making these changes more than 90 minutes in advance of running your first discovery to allow group policy changes to propagate into the environment (DNS changes may take longer).

Hardware Firewall Changes

There should be no changes necessary to your client’s hardware firewall to allow for monitoring. The N-Central agents and probes will be sending minimal traffic over ports 443 (HTTPS), 80 (HTTP) and 22 (SSH). These ports are usually readily available for outbound traffic in most environments.

Local Firewall Settings

The Windows Firewall on local devices will block communication from the N-Central Server and Windows Probe by default. Three exceptions must be made in the Windows Firewall on each device to ensure information collection. This can be done by manually adding exceptions or disabling the Windows Firewall, or by creating a Group Policy Object (GPO) to add the exceptions. Collabrance recommends creating a GPO, as it allows you to remotely manage settings for Windows devices without configuring them each individually. 

3rd party software firewalls (including anti-virus firewalls) should be disabled or configured similarly to the Windows Firewall. Without these changes, a device might not be discovered, or may be discovered with a device class of “Other”. If a Windows device is discovered with the class “Other”, we will be unable to collect information such as the operating system, Windows service packs, hard disk space, and RAM.

Add Windows Firewall Exceptions via Group Policy

Create and configure a new Group Policy Object (GPO)

  1. On a computer that has the Group Policy Management feature installed, click Start, click Administrative Tools, and then click Group Policy Management.
  2. In the navigation pane, expand Forest:YourForestName, expand Domains, right click YourDomainName, and select Create a GPO in this domain, and Link it here...
  3. Click Action, and then click New.
  4. In the Name text box, enter the name for your new GPO as “N-Central Discovery”, click OK.
  5. Right click your newly created GPO, and then click Enforced.
    a. This should help the settings in this GPO take precedence over any competing GPOs.
  6. Right click your GPO again, and then click Edit to open Group Policy Management Editor.
  7. Enter the settings as detailed in the table below. Note: The path below might be slightly different depending on the server OS. 
    Phase 2 - Domain - Chart
  8. Close all Group Policy Management Windows when finished.

Group Policy / 3rd Party Software Firewall Considerations

  • Changes to Group Policy can take up to 90 minutes to propagate to devices based on the Group Policy refresh time. To immediately apply new GPO settings to a device, run gpupdate /force on the device, or restart Windows.
  • Linking the GPO to the domain and choosing Enforce will work for many environments. Refer to the Microsoft TechNet article Group Policy Processing and Precedence for additional considerations.
  • Note that you will need to manually install a Windows Agent on devices to ensure data collection if any of the following apply:
    • You are unable to create a GPO to add Windows Firewall exceptions.
    • A 3rd party software firewall is installed on devices and is blocking communication with the probe server. In addition, you are unable to make the necessary exceptions or would have to make exceptions in a large group of computers.
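To check that the policy actually reached a device before installing the probe, the following PowerShell (an added example, not part of the Collabrance page) forces a refresh, confirms the “N-Central Discovery” GPO is in the applied list, shows which firewall rules Group Policy delivered, and lists any registered 3rd party firewall. It assumes the NetSecurity module (Windows 8 / Server 2012 or later) and an elevated session.

```powershell
# Added example (not from the Collabrance page): run on a domain-joined device to
# confirm the "N-Central Discovery" GPO applied and to see which firewall rules it
# delivered, before the probe is installed. Assumes the NetSecurity module
# (Windows 8 / Server 2012 or later) and an elevated PowerShell session.
$GpoName = 'N-Central Discovery'

# Pull the latest computer policy instead of waiting for the refresh interval.
gpupdate /target:computer /force | Out-Null

# gpresult lists every GPO applied to the computer; warn if ours is missing.
$report = gpresult /r /scope:computer
if (-not ($report -match [regex]::Escape($GpoName))) {
    Write-Warning "GPO '$GpoName' not in the applied list: check the link, Enforced flag and AD replication."
}

# Rules in the active store that came from Group Policy rather than local settings.
Get-NetFirewallRule -PolicyStore ActiveStore |
    Where-Object { $_.PolicyStoreSourceType -eq 'GroupPolicy' } |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Source    = $_.PolicyStoreSource     # which GPO supplied the rule
            Direction = $_.Direction
            Action    = $_.Action
            Enabled   = $_.Enabled
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')
        }
    } | Format-Table -AutoSize

# Registered 3rd party firewalls (Security Center exists on client editions only).
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName FirewallProduct -ErrorAction SilentlyContinue |
    Select-Object displayName, productState
```

If the GPO is applied but the expected rules are absent, the rules were not saved in that GPO or another policy overrides them; if a 3rd party firewall appears in the last list, it still needs its own exceptions or a manual agent install.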

Network Equipment Changes

Ensure SNMP is enabled with a community string of "public" on all network devices and servers that you plan to monitor with N-Central. Refer to your device documentation on how to accomplish this, as it may be different for each device.

Reference the following link for information on how to install and configure the SNMP Services feature on Server 2008 R2: http://blog.skufel.net/2012/09/how-to-adding-snmp-to-windows-server-2008-r2 

Note: You do not need to use “public”, however most devices will default to that string, as will N-Central. If you choose to change this you will need to be diligent in changing this string on your discoveries and on the individual devices in N-Central on their respective Properties tabs.

DNS Server Changes

Configuring the settings detailed below will help ensure that environments using DHCP do not detect duplicate devices based on multiple DNS entries for the same device.

Determine How DNS and DHCP Are Managed

Before performing any of the following steps, determine how DNS and DHCP are managed on this network. The following instructions pertain to networks where DNS and DHCP are managed by a Windows server. If DNS and DHCP are not being managed by a Windows server, make note of this. Should this prospect become a subscriber, one of the stabilization steps may be to move DNS and DHCP management to a Windows server, depending on the environment.

Remove Duplicate DNS Records

If DNS is being managed by a Windows server and aging/scavenging is not enabled, we recommend removing duplicate DNS records prior to running an N-Central discovery. This will ensure that duplicate devices do not appear in N-Central, and that discovery results will be accurate. You may remove duplicate records manually, or configure DNS aging/scavenging to do this for you. Collabrance recommends configuring DNS aging/scavenging, but note that it can take several days for duplicate DNS records to be removed.

Note: Please take note of duplicate records in DNS if you must run a discovery prior to aging/scavenging performing cleanup. This will help you troubleshoot anomalies in your discovery results.
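The following PowerShell (an added example, not part of the Collabrance page) produces that list of duplicates: for every primary forward lookup zone it groups A records by IP address and reports addresses with more than one host name, separating static records (which scavenging never removes) from dynamic ones. It assumes the DnsServer RSAT module and the server name shown.

```powershell
# Added example (not from the Collabrance page): list A records in each forward
# lookup zone that resolve to the same IP address, so the duplicates can be noted
# (or removed) before a discovery runs. Assumes the DnsServer RSAT module and the
# server name below.
Import-Module DnsServer
$DnsServer = 'dc01.example.internal'   # assumption: your Windows DNS server

$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone }

$duplicates = foreach ($zone in $zones) {
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName -RRType A |
        Where-Object { $_.HostName -ne '@' } |                     # skip the zone apex record
        Group-Object { $_.RecordData.IPv4Address.IPAddressToString } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Zone      = $zone.ZoneName
                IPAddress = $_.Name
                Hosts     = ($_.Group.HostName -join ', ')
                # Static records have no Timestamp; aging/scavenging never removes them.
                Static    = @($_.Group | Where-Object { -not $_.Timestamp }).Count
                Dynamic   = @($_.Group | Where-Object { $_.Timestamp }).Count
            }
        }
}

$duplicates | Sort-Object Zone, IPAddress | Format-Table -AutoSize
$duplicates | Export-Csv -NoTypeInformation -Path '.\dns-duplicates.csv'   # keep for troubleshooting
```

Entries with a non-zero Static count will not be cleaned up by aging/scavenging and must be removed by hand if they are stale.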

DNS Aging and Scavenging Configuration

To configure aging and scavenging on Windows servers, perform the following steps for each DNS server on the network. It can take several days for duplicate DNS records to be removed via aging/scavenging.

  1. Access the DNS Management console.
  2. Right-click the DNS server name and select Set Aging/Scavenging for All Zones.
  3. Check Scavenge stale resource records. Determine appropriate values for both “No-refresh interval” and “Refresh interval”, then enter those values in their respective fields.
    • Determining the “No-refresh interval” and “Refresh interval” values:
      • Ideally the sum of these two intervals should be less than or equal to the DHCP lease length. The default DHCP lease length when managed by a Windows server is 8 days.
      • Example: If the DHCP lease time is 8 days, the sum of the “No-refresh interval” and “Refresh interval” should be equal to or less than 8 days. Therefore, 4 days is an acceptable value for both the “No-refresh interval” and “Refresh interval”. Note: If you are unable to determine the DHCP lease length, you can leave the “No-refresh interval” and “Refresh interval” values at their default of 7 days.
        Phase 2 - Domain - DNS Configuration 3
  4. Check “Apply these settings to the existing Active Directory-integrated zones”, then click OK.
    Phase 2 - Domain - DNS Configuration 4
  5. Repeat steps 6 – 9 for each “Forward Lookup Zone” and each “Reverse Lookup Zone” on the DNS server.
  6. Right-click on the “Lookup Zone” and click Properties.
  7. Click on Aging.
    Phase 2 - Domain - DNS Configuration 7
  8. Ensure that “Scavenge stale resource records” is checked, then click OK.
    Phase 2 - Domain - DNS Configuration 8
  9. If prompted, ensure that “Apply these settings to the existing Active Directory-integrated zones” is checked, then click OK.
    Phase 2 - Domain - DNS Configuration 9
  10. Once all “Lookup Zones” have been verified, close the DNS Management Console.
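The same procedure scripted end to end, as an added example that is not part of the Collabrance page: it reads the shortest active DHCP lease, splits it in half so that No-refresh + Refresh never exceeds the lease (8 days gives 4 days each, matching the worked example above), falls back to 7 days when no lease is found, then applies the server default and enables aging on every primary forward and reverse zone. It assumes the DnsServer and DhcpServer RSAT modules and the server names shown.

```powershell
# Added example (not from the Collabrance page): derive "No-refresh" and "Refresh"
# from the DHCP lease so that their sum never exceeds the lease, then apply
# aging/scavenging server-wide and on every primary forward and reverse zone.
# Assumes the DnsServer and DhcpServer RSAT modules and the server names below.
Import-Module DnsServer, DhcpServer
$DnsServer  = 'dc01.example.internal'   # assumption: your Windows DNS server
$DhcpServer = 'dc01.example.internal'   # assumption: your Windows DHCP server

# Shortest lease among active IPv4 scopes (the tightest constraint).
$lease = Get-DhcpServerv4Scope -ComputerName $DhcpServer |
    Where-Object { $_.State -eq 'Active' } |
    Sort-Object LeaseDuration |
    Select-Object -First 1 -ExpandProperty LeaseDuration

if ($lease) {
    # Split the lease in half, in whole hours: 8 days -> 96 h = 4 days each.
    $half      = [TimeSpan]::FromHours([math]::Floor($lease.TotalHours / 2))
    $noRefresh = $half; $refresh = $half
} else {
    # Lease length unknown: keep the page's fallback of 7 days for both.
    $noRefresh = [TimeSpan]::FromDays(7); $refresh = [TimeSpan]::FromDays(7)
}
"No-refresh = $noRefresh, Refresh = $refresh (sum must be <= lease $lease)"

# Steps 2-4: server default, pushed to the existing AD-integrated zones.
Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true `
    -NoRefreshInterval $noRefresh -RefreshInterval $refresh -ApplyOnAllZones

# Steps 5-9: enable aging on each primary lookup zone (forward and reverse).
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
foreach ($zone in $zones) {
    Set-DnsServerZoneAging -ComputerName $DnsServer -Name $zone.ZoneName -Aging $true `
        -NoRefreshInterval $noRefresh -RefreshInterval $refresh
}

# Verification: every zone should now report Aging enabled with the chosen intervals.
foreach ($zone in $zones) {
    Get-DnsServerZoneAging -ComputerName $DnsServer -Name $zone.ZoneName |
        Select-Object ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval
}
```

Run it once per DNS server on the network; records only become eligible for removal after both intervals have elapsed, so allow several days before expecting duplicates to disappear.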

Create Administrator User for Service and Support

Create a new user account in the prospect’s Active Directory. This account will be used to run the Windows Probe service, and will be used by Collabrance technicians to access domain devices for support.

Service Account Criteria

Username: svcnetworkprobe
Password: Choose a password that you’ll use for all of your Subscribers
Account Options: Password Never Expires
Member Of: Enterprise Admins, Domain Admins, Administrators (If Domain Administrators is not already a member)

Log into the server you’ll be installing the probe on with the svcnetworkprobe account.

Note: You must log into the probe server with the svcnetworkprobe account at least once prior to installing the probe, or you will receive an error during installation.

Next Steps

Download and install the Windows Probe on a server in the prospect environment. Refer to Discovery Phase 3 – Installing the Probe.

** Disclaimer: Service Providers must comply with identified Collabrance Requirements in order for items referenced in our Service Catalog to perform properly. **