Documenting Active Directory

Mike Hashemi
Kilo Sage

I have been asked to move Active Directory documentation from an old system to ServiceNow's CMDB but am having trouble figuring out how to represent some of the data. We do not have ITOM/Discovery and I will be repeatedly running a script outside of ServiceNow, sending data to the IRE (https://instance.service-now.com/api/now/identifyreconcile/enhanced).

I am using the Active Directory Service class (cmdb_ci_appl_active_directory) and added the following attributes:

  • Distinguished Name (string)
  • NetBIOS Name (string)
  • Domain Name (string)
  • Forest Name (string)
  • UPN Suffixes (string)
  • Alternative UPN Suffixes (string)
  • Replication Links (string)
  • Site Links (string)
  • Site List (string)
  • Recycle Bin Enabled (true/false)
  • Privileged Access Management Enabled (true/false)
  • Domain Naming Master (reference to Windows Server)
  • Schema Master (reference to Windows Server)
  • RID Master (reference to Windows Server)
  • Infrastructure Master (reference to Windows Server)
  • PDC Emulator (reference to Windows Server)
  • Forest Functional Level (string)
  • Domain Functional Level (string)
  • GPOs (string)

This all works fine, but the input data also has lists such as "AllDomainControllers", "ReadOnlyDomainControllers", "FullDomainControllers", and "DHCPServers". We have a process for creating Windows Server CIs for each server, so I was thinking that I could match the source data to CI records and do a related list on the Active Directory Service class. As far as I can tell though, this will not be possible without adding attributes to cmdb_ci_win_server, such as "FullDomainController" (for example), so that the "FullDomainControllers" related list has something other than "Windows server" to look for. Is that correct or am I missing something?

The following is a sanitized version of the source JSON, before I make any modifications to send to the IRE API:

{
    "Trusts": [],
    "SchemaMaster": "DC-v1.domain.local",
    "Sites": [
        "San Francisco-CA",
        "Austin-TX"
    ],
    "PDCEmulator": "DC-v1.domain.local",
    "AllDomainControllers": [
        {
            "Name": "DC-V2",
            "HostName": "DC-v2.domain.local",
            "ComputerObjectDN": "CN=DC-V2,OU=Domain Controllers,DC=domain,DC=local",
            "OperatingSystem": "Windows Server 2019 Standard",
            "Site": "San Francisco-CA",
            "IsGlobalCatalog": true,
            "IsReadOnly": false,
            "OperationMasterRoles": "",
            "Description": "No description found in Active Directory.",
            "IpV4Address": "fe80::50c1:98ee:6845:c052 10.1.1.2"
        },
        {
            "Name": "DC-V1",
            "HostName": "DC-v1.domain.local",
            "ComputerObjectDN": "CN=DC-V1,OU=Domain Controllers,DC=domain,DC=local",
            "OperatingSystem": "Windows Server 2019 Standard",
            "Site": "San Francisco-CA",
            "IsGlobalCatalog": true,
            "IsReadOnly": false,
            "OperationMasterRoles": "SchemaMaster DomainNamingMaster PDCEmulator RIDMaster InfrastructureMaster",
            "Description": "No description found in Active Directory.",
            "IpV4Address": "10.1.1.3"
        }
    ],
    "DomainNamingMaster": "DC-v1.domain.local",
    "SiteList": [
        {
            "SiteName": "San Francisco-CA",
            "Servers": " ",
            "Subnets": "10.1.1.0/24"
        },
        {
            "SiteName": "San Francisco-CA",
            "Servers": " ",
            "Subnets": "10.99.99.0/24"
        },
        {
            "SiteName": "Austin-TX",
            "Servers": "",
            "Subnets": "10.5.5.0/24"
        }
    ],
    "UPNSuffixes": [
        "domain.com"
    ],
    "InfrastructureMaster": "DC-v1.domain.local",
    "GC": [
        "DC-v1.domain.local",
        "DC-v2.domain.local"
    ],
    "DistinguishedName": "DC=domain,DC=local",
    "DomainFunctionalLevel": "Windows 2008",
    "ForestName": "domain.local",
    "ReplicationLinks": [
        {
            "ReplicateFrom": "CN=NTDS Settings,CN=DC-V2,CN=Servers,CN=San Francisco-CA,CN=Sites,CN=Configuration,DC=domain,DC=local",
            "AutoGenerated": false,
            "Name": "DC-V2",
            "ReplicateTo": "CN=DC-V1,CN=Servers,CN=San Francisco-CA,CN=Sites,CN=Configuration,DC=domain,DC=local"
        },
        {
            "ReplicateFrom": "CN=NTDS Settings,CN=DC-V1,CN=Servers,CN=San Francisco-CA,CN=Sites,CN=Configuration,DC=domain,DC=local",
            "AutoGenerated": false,
            "Name": "DC-V1",
            "ReplicateTo": "CN=DC-V2,CN=Servers,CN=San Francisco-CA,CN=Sites,CN=Configuration,DC=domain,DC=local"
        }
    ],
    "ForestFunctionalLevel": "Windows 2008R2 Forest",
    "RIDMaster": "DC-v1.domain.local",
    "NetBIOSName": "domain",
    "OptionalFeatures": [
        {
            "Name": "Recycle Bin Feature",
            "RequiredForestMode": 4,
            "RequiredDomainMode": null,
            "Status": false
        },
        {
            "Name": "Privileged Access Management Feature",
            "RequiredForestMode": 7,
            "RequiredDomainMode": null,
            "Status": false
        }
    ],
    "SiteLinks": [
        {
            "Name": "DEFAULTIPSITELINK",
            "SiteList": "CN=Austin-TX,CN=Sites,CN=Configuration,DC=domain,DC=local CN=San Francisco-CA,CN=Sites,CN=Configuration,DC=domain,DC=local",
            "Cost": 100,
            "ReplInterval": 180
        }
    ],
    "RODC": [],
    "FullDomainControllers": [
        {
            "Name": "DC-V2",
            "HostName": "DC-v2.domain.local",
            "ComputerObjectDN": "CN=DC-V2,OU=Domain Controllers,DC=domain,DC=local",
            "OperatingSystem": "Windows Server 2019 Standard",
            "Site": "San Francisco-CA",
            "IsGlobalCatalog": true,
            "IsReadOnly": false,
            "OperationMasterRoles": "",
            "Description": "No description found in Active Directory.",
            "IpV4Address": "fe80::50c1:98ee:6845:c052 10.1.1.2"
        },
        {
            "Name": "DC-V1",
            "HostName": "DC-v1.domain.local",
            "ComputerObjectDN": "CN=DC-V1,OU=Domain Controllers,DC=domain,DC=local",
            "OperatingSystem": "Windows Server 2019 Standard",
            "Site": "San Francisco-CA",
            "IsGlobalCatalog": true,
            "IsReadOnly": false,
            "OperationMasterRoles": "SchemaMaster DomainNamingMaster PDCEmulator RIDMaster InfrastructureMaster",
            "Description": "No description found in Active Directory.",
            "IpV4Address": "10.1.1.3"
        }
    ],
    "DhcpServers": [
        "dc-00.domain.local",
        "fs-tx.domain.local",
        "dc-v1.domain.local",
        "dc-v2.domain.local"
    ],
    "GPOs": [
        {
            "Name": "Domain Password Policy",
            "GUID": "@{value=0d7d7779-84dd-4d87-a39b-4c23834ce1df; Guid=0d7d7779-84dd-4d87-a39b-4c23834ce1df}",
            "Linked To": "@{OU Name=domain; OU Path=domain.local; Enabled=true; Enforced=false}",
            "Computer Settings": "@{Enabled=true; Settings=System.Object[]}",
            "User Settings": "@{Enabled=true; Settings=}"
        },
        {
            "Name": "Desktop Baseline Policy",
            "GUID": "@{value=122b0fee-9c05-4fbc-9a8e-0792748c49fa; Guid=122b0fee-9c05-4fbc-9a8e-0792748c49fa}",
            "Linked To": "@{value= ; Count=2}",
            "Computer Settings": "@{Enabled=true; Settings=System.Object[]}",
            "User Settings": "@{Enabled=true; Settings=System.Object[]}"
        },
        {
            "Name": "Default Domain Policy",
            "GUID": "@{value=31b2f340-016d-11d2-945f-00c04fb984f9; Guid=31b2f340-016d-11d2-945f-00c04fb984f9}",
            "Linked To": "@{OU Name=domain; OU Path=domain.local; Enabled=true; Enforced=false}",
            "Computer Settings": "@{Enabled=true; Settings=System.Object[]}",
            "User Settings": "@{Enabled=true; Settings=}"
        },
        {
            "Name": "Default Domain Controllers Policy",
            "GUID": "@{value=6ac1786c-016f-11d2-945f-00c04fb984f9; Guid=6ac1786c-016f-11d2-945f-00c04fb984f9}",
            "Linked To": "@{OU Name=Domain Controllers; OU Path=domain.local/Domain Controllers; Enabled=true; Enforced=false}",
            "Computer Settings": "@{Enabled=true; Settings=}",
            "User Settings": "@{Enabled=true; Settings=}"
        },
        {
            "Name": "System Center Essentials All Computers Policy",
            "GUID": "@{value=7c1432fb-7502-4d57-a098-6ffe7830e43b; Guid=7c1432fb-7502-4d57-a098-6ffe7830e43b}",
            "Linked To": "@{OU Name=domain; OU Path=domain.local; Enabled=true; Enforced=false}",
            "Computer Settings": "@{Enabled=true; Settings=}",
            "User Settings": "@{Enabled=false; Settings=}"
        },
        {
            "Name": "Network Drives",
            "GUID": "@{value=7edd2ce4-1f59-4f98-b7e8-d820223e8bf9; Guid=7edd2ce4-1f59-4f98-b7e8-d820223e8bf9}",
            "Linked To": "",
            "Computer Settings": "@{Enabled=true; Settings=System.Object[]}",
            "User Settings": "@{Enabled=true; Settings=}"
        },
        {
            "Name": "Local Administrator",
            "GUID": "@{value=e30cc61e-bbf1-4729-9612-05eb19965cf2; Guid=e30cc61e-bbf1-4729-9612-05eb19965cf2}",
            "Linked To": "@{value= ; Count=2}",
            "Computer Settings": "@{Enabled=true; Settings=}",
            "User Settings": "@{Enabled=true; Settings=}"
        }
    ],
    "CustomerName": "Acme Inc",
    "SourceDc": "DC-v2.domain.local",
    "ServiceNowSysId": "edc092a0615ae910a69a1e8dd46d43cc"
}

I would appreciate any other thoughts on how you would handle this source data.

Its_Azar
Tera Guru

Hi there @Mike Hashemi 

That is a very long question, hehe

You can use custom relationship types to handle lists like "AllDomainControllers" and "FullDomainControllers". Create these relationships in the cmdb_rel_type table and establish them via scripts:

// Server-side script (e.g. run from Scripts - Background). Links one parent CI
// to one child CI in cmdb_rel_ci with the given relationship type.
function createRelationship(parentSysId, childSysId, typeSysId) {
    var relGR = new GlideRecord('cmdb_rel_ci');
    relGR.initialize();
    relGR.parent = parentSysId;
    relGR.child = childSysId;
    relGR.type = typeSysId; // reference to cmdb_rel_type, so pass that record's sys_id
    relGR.insert();
}

var adSysId = 'your_ad_service_ci_sys_id';
// sys_id of the custom type created in cmdb_rel_type (not its name)
var fullDcTypeSysId = 'your_FullDomainController_rel_type_sys_id';
var fullDomainControllers = [/* Array of FullDomainController CIs, each carrying its sys_id */];
fullDomainControllers.forEach(function(controller) {
    createRelationship(adSysId, controller.sys_id, fullDcTypeSysId);
});

This avoids adding extra attributes to cmdb_ci_win_server and keeps your data model clean. 

If this helps kindly accept the response thanks much.

☑️ If this helped, please mark it as Helpful or Accept Solution so others can find the answer too.

Kind Regards,

Mohamed Azarudeen Z

Developer @ KPMG

Microsoft MVP (AI Services), India

I like that idea. I'll have to run it from PowerShell, but I assume I can do it with the Table API. I suppose I could write a scripted API, but that seems like more work.

I created a relationship in cmdb_rel_type, with FullDomainController::FullDomainControllerFor. In this example, the Windows Server CIs in the fullDomainControllers array would be the parent and the Active Directory Service would be the child (right?). So I switched the parameter order when calling createRelationship, replaced 'FullDomainController' with the relationship's sys_id, and ran the script from "Scripts - Background". Checking out cmdb_rel_ci, I see that a record was created that shows what I expect. Great. Now that I have the FullDomainController::FullDomainControllerFor, I believe I can include that in the payload sent to the IRE API.

 

Is it possible to have a related list show the CIs with a given relationship (FullDomainController::FullDomainControllerFor in this case)?
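As an added example that is not part of this thread, here is how the sanitized source JSON above can be turned into the IRE enhanced payload the original poster plans to send, carrying the FullDomainController::FullDomainControllerFor relation in relations[] instead of as extra attributes on cmdb_ci_win_server. It is plain JavaScript (runs in Node; the same payload shape applies from PowerShell); the u_* field names and the SOURCE_NAME data-source name are assumptions, and SAMPLE_SOURCE is a constructed, trimmed copy of the JSON in the question.

```javascript
// Added example (not from the thread): build the IRE "enhanced" payload the poster
// plans to send. items[] carries the CIs; relations[] links them by array index.
const REL_TYPE = 'FullDomainController::FullDomainControllerFor'; // created in cmdb_rel_type
const SOURCE_NAME = 'ADDocScript'; // assumed name of the discovery source registered in the instance
// Constructed sample, trimmed from the sanitized JSON in the question.
const SAMPLE_SOURCE = {
  DistinguishedName: 'DC=domain,DC=local', ForestName: 'domain.local', NetBIOSName: 'domain',
  ForestFunctionalLevel: 'Windows 2008R2 Forest', DomainFunctionalLevel: 'Windows 2008',
  OptionalFeatures: [{ Name: 'Recycle Bin Feature', Status: false }],
  FullDomainControllers: [
    { Name: 'DC-V2', HostName: 'DC-v2.domain.local', OperatingSystem: 'Windows Server 2019 Standard',
      ComputerObjectDN: 'CN=DC-V2,OU=Domain Controllers,DC=domain,DC=local',
      IpV4Address: 'fe80::50c1:98ee:6845:c052 10.1.1.2' },
    { Name: 'DC-V1', HostName: 'DC-v1.domain.local', OperatingSystem: 'Windows Server 2019 Standard',
      ComputerObjectDN: 'CN=DC-V1,OU=Domain Controllers,DC=domain,DC=local', IpV4Address: '10.1.1.3' },
  ],
};
// IpV4Address may carry an IPv6 link-local address first (DC-V2 above); keep the dotted-quad only.
function pickIPv4(field) {
  const hit = (field || '').split(/\s+/).find((t) => /^\d{1,3}(\.\d{1,3}){3}$/.test(t));
  return hit || '';
}
function buildIrePayload(src) {
  const items = [], relations = [];
  // Item 0: the Active Directory service CI, keyed on its distinguished name.
  // The u_* names are assumed stand-ins for the custom attributes listed in the question.
  items.push({
    className: 'cmdb_ci_appl_active_directory',
    sys_object_source_info: { source_name: SOURCE_NAME, source_native_key: src.DistinguishedName },
    values: {
      name: src.ForestName,
      u_distinguished_name: src.DistinguishedName,
      u_netbios_name: src.NetBIOSName,
      u_forest_functional_level: src.ForestFunctionalLevel,
      u_domain_functional_level: src.DomainFunctionalLevel,
      u_recycle_bin_enabled: src.OptionalFeatures.some((f) => f.Name === 'Recycle Bin Feature' && f.Status),
    },
  });
  // One cmdb_ci_win_server item per writable DC. As settled in the thread, the server is
  // the parent and the AD service (item 0) the child of each relation.
  for (const dc of src.FullDomainControllers) {
    items.push({
      className: 'cmdb_ci_win_server',
      sys_object_source_info: { source_name: SOURCE_NAME, source_native_key: dc.ComputerObjectDN },
      values: { name: dc.Name, host_name: dc.HostName, os: dc.OperatingSystem, ip_address: pickIPv4(dc.IpV4Address) },
    });
    relations.push({ parent: items.length - 1, child: 0, type: REL_TYPE });
  }
  return { items, relations };
}
```

POST the returned object as the body to the enhanced IRE endpoint quoted in the question; IRE matches each item through the class's identification rules and creates or updates the cmdb_rel_ci records from relations[].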