Kingston Discovery - How is the pattern "Active Directory Domain Controller On Windows" triggered?

Cedric Creton
Tera Expert

Hello, I'm trying to discover AD services or an AD Domain Controller, but it is failing.

How is the pattern triggered? I don't see any Classifier related to it at first glance.

I also listed the discovery_classifier_probe table and found no horizontal pattern that triggers the pattern "Active Directory Domain Controller On Windows".

Is there a special mechanism for that?

Best Regards

Cedric

1 ACCEPTED SOLUTION

blitzburgh79
Giga Expert

This actually has to be set up manually by following the steps below:

  • Navigate to Discovery > CI Classification > Process
  • Click on "New" and create a process classifier with the following parameters:
    • Table: Active Directory Domain Controller
    • Relation Type: Runs on::Runs
    • Condition: Name contains lsass.exe
  • Click on Save and add the "Active Directory Domain Controller Pattern" as follows:
    • Under "Triggers probes", click on "Edit..."
    • Choose "Horizontal Pattern"
    • Click on "HorizontalDiscoveryProbe-Horizontal Patt" and choose "Active Directory Domain Controller Pattern on Windows"
  • Perform a rediscovery and Active Directory domains should get created in the "cmdb_ci_ad_controller" table.

Reference: https://hi.service-now.com/kb_view.do?sysparm_article=KB0714349


Michael Skov2
Kilo Guru

The pattern is used for Service Mapping.

There are two different pattern types: infrastructure and application (shared library as well, but that's not relevant here). Infrastructure is Windows server, load balancer (NetScaler, F5 etc.), switches, routers etc. Application is... applications running on infrastructure components.

Application patterns are launched when running discovery, if there is a horizontal discovery probe for it - which there isn't for AD.

Cedric Creton
Tera Expert

Hi Michael,

I deployed the Service Mapping plugin in a dev instance and started a map around an AD controller.

Now I understand why the related patterns have a trigger based on an entry point on a TCP or LDAP connection.

Documentation is not clear on what could be discovered ONLY by Discovery.

If you read that doc first: https://docs.servicenow.com/bundle/kingston-it-operations-management/page/product/discovery/concept/c_Software.html then AD should be discovered by Discovery's patterns...

Now I'm referring rather to: https://docs.servicenow.com/bundle/kingston-it-operations-management/page/product/discovery/reference/r_WhatDiscoveryCanDiscover.html when my manager asks me "which classes can we discover?"

Thank you

Best Regards

Cedric

blitzburgh79
Giga Expert


I'd propose a slight adjustment to the conditions listed in the KB article. lsass.exe runs on most Windows computers (servers or desktops). This means the pattern will waste time/resources executing on a lot of extra machines, and throw a ton of "Match step predicate is not matched" errors.

To avoid these unnecessary errors, I'd suggest adding a condition where Listening On contains :389:


Domain Controllers will be listening on different ports than an lsass.exe process on a regular Windows machine. One port specifically used by a DC is 389. See this Microsoft support article for more information:
https://support.microsoft.com/en-us/help/832017/service-overview-and-network-port-requirements-for-w...

Different environments may be configured uniquely. If these conditions do not identify Domain Controllers, more information can be found in the cmdb_running_process table, or by speaking to your organization's AD Admin.
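To make the effect of the two conditions concrete, here is an added JavaScript example (not from the thread, the KB article or ServiceNow itself) that applies them to constructed cmdb_running_process-style records. It assumes the Listening On value is a colon-delimited port string such as `:389::636:`, the shape the `:389:` condition implies, and it also shows why the colons matter: a bare `389` substring would still match a dynamic RPC port such as 49389 on an ordinary member server.

```javascript
// Added example (not from the thread, the KB article or ServiceNow): applies the
// two classifier conditions to constructed cmdb_running_process-style records.
// ASSUMPTION: the Listening On value is a string with every port wrapped in
// colons, e.g. ":389::636:", which is the shape the ":389:" condition implies.

// Condition from the KB article: Name contains lsass.exe.
function nameMatchesLsass(proc) {
  return String(proc.name || '').toLowerCase().indexOf('lsass.exe') !== -1;
}

// Condition added in the reply: Listening On contains :389: (LDAP).
function listensOnLdap(proc) {
  return String(proc.listening_on || '').indexOf(':389:') !== -1;
}

// The full classifier predicate: both conditions must hold.
function isDomainControllerCandidate(proc) {
  return nameMatchesLsass(proc) && listensOnLdap(proc);
}

// Weaker variant for comparison: a bare "389" substring, without the colon
// delimiters, also matches any other port whose digits contain 389.
function naiveListensOn389(proc) {
  return nameMatchesLsass(proc) && String(proc.listening_on || '').indexOf('389') !== -1;
}

// Constructed sample records (hostnames and ports are made up).
var SAMPLE_PROCESSES = [
  { host: 'dc01',  name: 'lsass.exe',   listening_on: ':88::389::636::3268:' }, // real DC
  { host: 'ws17',  name: 'lsass.exe',   listening_on: '' },                     // desktop
  { host: 'app02', name: 'lsass.exe',   listening_on: ':49389:' },              // member server, dynamic RPC port
  { host: 'app02', name: 'svchost.exe', listening_on: ':3389:' }                // RDP, not lsass
];

// Returns the hosts a predicate would classify as Domain Controllers.
function classifyHosts(procs, predicate) {
  return procs.filter(predicate).map(function (p) { return p.host; });
}

// nameMatchesLsass alone      -> ["dc01", "ws17", "app02"]  (two false positives)
// naiveListensOn389           -> ["dc01", "app02"]          (49389 still matches)
// isDomainControllerCandidate -> ["dc01"]
```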