ITOM Discovery Best Practices for Windows Servers (9 tips + Flow to Memorize)
5 hours ago
1. Authentication and Credential Strategy
Windows Discovery relies primarily on WMI over DCOM, with RPC and SMB as supporting components.
Best practices:
Use a dedicated domain service account.
Grant the account local administrator privileges on target servers.
Ensure the account can execute remote WMI queries.
Use WinRM / PowerShell only if explicitly configured and required.
Key principle for the exam:
Discovery depends on WMI availability and permissions. If WMI access fails, Discovery will not succeed.
2. Required Services and Network Connectivity
The following services must be available on the Windows server:
Windows Management Instrumentation (WMI)
Remote Procedure Call (RPC)
Server (LanmanServer)
Remote Registry (recommended for full classification)
Required network ports:
TCP 135 for RPC Endpoint Mapper
Dynamic RPC port range (default 49152–65535, or a restricted configured range)
TCP 445 for SMB
WinRM ports (5985/5986) are required only when WinRM-based discovery is intentionally enabled.
3. MID Server Placement and Architecture
MID Server placement directly impacts Discovery reliability.
Best practices:
Place MID Servers within the same network security zone as the Windows targets.
Ensure proper DNS resolution from the MID Server.
Maintain low network latency and sufficient bandwidth for WMI communication.
Use multiple MID Servers segmented by environment, region, or security boundary.
From an exam perspective, MID Server issues often explain inconsistent or partial Discovery results.
4. WMI Readiness and Validation
WMI is the foundation of Windows Discovery.
Best practices:
Validate WMI access manually before scheduling Discovery.
Ensure DCOM hardening policies allow remote WMI access.
Confirm that local and domain security policies do not restrict administrative shares or remote registry access.
Discovery tuning is ineffective if WMI communication is blocked at the operating system or policy level.
5. Use of Out-of-the-Box Windows Patterns
Windows classification and exploration are driven by Discovery Patterns.
Best practices:
Use out-of-the-box Windows Server patterns as the default.
Clone patterns only when custom software or non-standard logic is required.
Never modify out-of-the-box patterns directly.
Pattern execution follows three stages:
Identification
Classification
Exploration
If classification does not complete, the CI remains a generic Computer record.
6. Identification and Reconciliation (IRE) Alignment
Proper identification prevents CI duplication.
Best practices:
Use stable, unique identifiers such as:
Serial Number
Virtual Machine UUID
Cloud Instance ID
Avoid identification based solely on hostname or IP address.
Ensure Discovery has higher precedence than manual or import-based data sources unless explicitly designed otherwise.
For the exam, incorrect IRE configuration is a frequent root cause of Discovery issues.
7. Domain, GPO, and Security Alignment
Security configuration must support automated discovery.
Best practices:
Validate that Group Policies do not block WMI or RPC communication.
Ensure Remote Registry and administrative shares remain accessible.
Align password rotation policies with credential updates in ServiceNow.
Avoid interactive authentication mechanisms on service accounts.
ServiceNow best practice emphasizes secure automation without compromising functionality.
8. Logging and Troubleshooting
Effective troubleshooting starts with the correct logs.
ServiceNow:
Discovery Status
ECC Queue
MID Server logs (agent.log, wrapper.log)
Windows target server:
WMI-Activity logs
Security logs
System logs
If access or permission errors appear in Windows logs, Discovery configuration changes will not resolve the issue until those errors are addressed.
9. Windows Servers in Cloud Environments
For cloud-hosted Windows servers:
Use Cloud Discovery APIs for initial identification.
Use instance IDs as primary identifiers.
Combine cloud-based discovery with OS-level discovery for completeness.
Expect dynamic IP addressing and host lifecycle changes.
Exam Mental Model
Windows Discovery is a WMI-driven process executed through MID Servers and governed by Identification and Reconciliation rules. Successful Discovery requires alignment across credentials, network connectivity, operating system policies, and data governance.
Technical Flow to Memorize
Windows Server → WMI and RPC → MID Server → Discovery Patterns → Identification and Reconciliation → CMDB
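
The manual validation described in sections 2 and 4, as an added example that is not part of the original post: a pre-flight script run from the MID Server host that checks DNS, TCP 135/445, a WMI query over DCOM, and the four required services. The target host names are placeholders and the credential prompt stands in for the Discovery service account (both assumptions).

```powershell
# Added example: pre-flight check to run on the MID Server host before scheduling Discovery.
# Target names are placeholders (assumption); replace them with real Windows servers.
param(
    [string[]]$Targets = @('winsrv01.example.internal', 'winsrv02.example.internal'),
    [pscredential]$Credential = (Get-Credential -Message 'Discovery service account')
)

# Services listed in section 2: WMI, RPC, Server, Remote Registry
$requiredServices = 'Winmgmt', 'RpcSs', 'LanmanServer', 'RemoteRegistry'
$filter = ($requiredServices | ForEach-Object { "Name='$_'" }) -join ' OR '

# Force WMI over DCOM so the test exercises the same path as Discovery, not WinRM
$dcom = New-CimSessionOption -Protocol Dcom

$results = foreach ($target in $Targets) {
    $row = [ordered]@{
        Target = $target; Dns = $false; Tcp135 = $false; Tcp445 = $false
        Wmi = $false; StoppedServices = ''; Error = ''
    }
    try {
        # DNS resolution from the MID Server (section 3)
        $null = Resolve-DnsName -Name $target -ErrorAction Stop
        $row.Dns = $true

        # Fixed ports: RPC Endpoint Mapper and SMB
        $row.Tcp135 = Test-NetConnection -ComputerName $target -Port 135 `
            -InformationLevel Quiet -WarningAction SilentlyContinue
        $row.Tcp445 = Test-NetConnection -ComputerName $target -Port 445 `
            -InformationLevel Quiet -WarningAction SilentlyContinue

        # A successful remote query also proves the dynamic RPC range is reachable
        $session = New-CimSession -ComputerName $target -Credential $Credential `
            -SessionOption $dcom -ErrorAction Stop
        try {
            $null = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
            $row.Wmi = $true
            $services = Get-CimInstance -CimSession $session -ClassName Win32_Service `
                -Filter $filter -ErrorAction Stop
            $row.StoppedServices = ($services | Where-Object State -ne 'Running').Name -join ','
        } finally {
            Remove-CimSession -CimSession $session
        }
    } catch {
        # Keep the raw message: it separates connectivity failures from permission failures
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}

$results | Format-Table -AutoSize
```

When TCP 135 is open but the WMI query fails, an "RPC server is unavailable" message usually points at the dynamic RPC port range, while "Access is denied" points at account permissions or DCOM policy.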
