Importing From Active Directory
Tip: If you have a hierarchy of domains, you must separately collect Active Directory data from each domain and subdomain. This is because IT Asset Management respects the separation of your domains (for example, isolating development or testing domains), and also needs to collect both the group membership and the foreign security principal objects from each domain and subdomain. You may achieve this either by having an inventory beacon within a target domain, or by using an inventory beacon that either has a trusted relationship with the target domain, or a username and password to access the target domain.
Note: Several settings may be added to the registry on the inventory beacon server to configure how FlexNet Beacon attempts to collect Active Directory data from a domain controller. For more information, see Registry Keys for Inventory Beacon and start from ActiveDirectoryImporter.
Note: You may have configured IT Asset Management to automatically create locations (a kind of enterprise group) from the sites imported from Active Directory (navigate to the Inventory tab on the IT Asset Management Settings General page (Administration > IT Asset Management Settings > General), and select Synchronize device location with site subnets). If you are using this approach, and you have configured IT Asset Management as the source of truth for sub-capacity calculations of PVU consumption, you need to visit Enterprise > Locations to ensure that links to the mandatory IBM regions are added.
Start this process from the FlexNet Beacon interface.
To import domains, sites, subnets, users, and computers from Active Directory:
1. Select the Active Directory link from the Data collection group in the FlexNet Beacon interface.
The list of your Active Directory connections displays. By default it includes a single connection to gather Active Directory data from the domain in which this inventory beacon is located. From this tab, you can also turn off Active Directory import altogether, or select a particular Active Directory connection from the list and Delete it.
2. Choose either of the following:
• To change the settings for a previously-defined Active Directory connection, select that connection from the list, and click Edit... (Use this option only for error correction, and not to re-purpose an entry for a different domain. To achieve that, delete the old and create a new replacement.)
• To create a new connection, click New.
The Active Directory Connection dialog displays.
3. Complete (or modify) the values in this dialog, as follows:
Connection name
A descriptive name for this connection that you will recognize later in lists. The name may contain alphanumeric characters, underscores or spaces, but must start with either a letter or a number.

Domain or domain controller
Leave blank for the domain in which this inventory beacon is located. Otherwise, identify the domain controller to be queried, providing one of (in order of preference):
Tip: If you plan to select the Use SSL check box (described below), do not use the IP address. Because an IP address is not permitted to match the Common Name (CN) recorded in the certificate used by the domain controller, the LDAPS request fails if you use SSL with an IP address in place of the name of the domain controller. With LDAPS (when Use SSL is checked), you may use either:

Username
Specify an account that has at least read permissions on the target domain controller. If you leave this field blank, the account that runs the inventory beacon service on this inventory beacon attempts to read the details from Active Directory in the (remote) target domain.
Tip: The account running the FlexNet Beacon service was specified when this inventory beacon was installed.

Password
Enter the password for the nominated account. (Leave blank when the Username field is blank.)

Use SSL
Select this check box to use the LDAPS protocol (also known as "LDAP over SSL") for communication between the inventory beacon and a domain controller. Use this setting with care. Select this check box when:
This last condition (having the inventory beacon trust the domain controller's certificate) is commonly arranged by ensuring that the inventory beacon has a locally-installed copy of the root certificate issued by the Certification Authority (CA) that issued the domain controller's certificate.
Note: Trust of the SSL certificate is completely independent from trust between the domains concerned. Setting up trust relationships between domains is neither required nor sufficient to ensure operations using the LDAPS protocol. For LDAPS, the CA may be one of:
Whenever trust of the domain controller's SSL certificate does not exist, collection of Active Directory data with the Use SSL check box selected will fail. To remedy this, you may either:
Tip: To avoid special configuration for trusting certificates across domains, an alternative approach is to install an inventory beacon in the domain to be queried for Active Directory data. For more information about enabling LDAPS, see Enable LDAP over SSL with a third-party certification authority.
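The two conditions behind the Use SSL option (the name entered matches the domain controller's certificate, and the beacon trusts the CA that issued it) can be checked from the inventory beacon server before the connection is saved. The following PowerShell script is an added illustration, not part of the Flexera product or its documentation; it assumes the domain controller's DNS name is reachable on port 636 from the beacon, and the parameter names are placeholders chosen here.

```powershell
# Added example (not Flexera code): pre-flight check of LDAPS trust from the
# inventory beacon server. Reports whether Windows would reject the domain
# controller's certificate because of a name mismatch or an untrusted issuer.
param(
    [Parameter(Mandatory = $true)][string]$DomainController,  # DNS name, not IP
    [int]$Port = 636                                          # LDAPS port
)

# An IP address can never match the certificate's CN or SAN, so refuse it up front.
if ([System.Net.IPAddress]::TryParse($DomainController, [ref]$null)) {
    Write-Warning "'$DomainController' is an IP address; enter the domain controller's DNS name when Use SSL is selected."
    exit 1
}

# Record the policy errors instead of acting on them. This is a diagnostic only:
# the beacon's real LDAPS client must still reject an untrusted or mismatched certificate.
$script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
$record = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $script:policyErrors = $errors
    return $true
}

$client = New-Object System.Net.Sockets.TcpClient($DomainController, $Port)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $record)
try {
    # The name passed here is what the certificate's CN/SAN is compared against.
    $ssl.AuthenticateAsClient($DomainController)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $client.Close()
}

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
$mismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
$chainErr = [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
if ($script:policyErrors -band $mismatch) {
    Write-Warning "Name mismatch: '$DomainController' is not the CN or a SAN of this certificate. Use the name the certificate was issued to."
}
if ($script:policyErrors -band $chainErr) {
    Write-Warning "Chain not trusted: import the root certificate of the issuing CA into this beacon's Local Machine Trusted Root Certification Authorities store."
}
if ($script:policyErrors -eq [System.Net.Security.SslPolicyErrors]::None) {
    "OK: this beacon trusts the certificate presented by $DomainController and the name matches."
}
```

Run it under the same account that runs the FlexNet Beacon service, since that is the account whose certificate stores the import will use when the Username field is blank.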
4. Click Save to close the dialog and display the Active Directory connection in the list.
5. With the connection selected in the list of current imports, click Schedule... and choose a schedule for collection of Active Directory data.
For more information about setting a schedule, see Scheduling a Connection.
The Active Directory data is collected by the inventory beacon at the time of your choosing. Completed collections are uploaded to the cloud promptly (the uploader is triggered by default every ten minutes). Once completely staged in the cloud, the data is immediately imported into your compliance database.