Published: February 25, 2008 | Updated: April 17, 2009
Before running the Microsoft Assessment and Planning Toolkit (MAP), you should become familiar with how the wizards perform the assessments as well as the technologies used to perform them.
The inventory technologies used in the Microsoft Assessment and Planning Toolkit (MAP) require direct network connectivity to the computers being inventoried. To help ensure the effectiveness and efficiency of the inventory and assessment, do the following:
- If any known network issues exist or network changes are planned, resolve the issues before performing an inventory. For instance, if restructuring of the IP address scheme is planned, complete it before running the wizard.
- Ensure that the appropriate credentials are available for running the wizard. The inventory wizard uses WMI, Remote Registry Service, Performance Counters, Active Directory Domain Services, and SNMP to collect the inventory data, and each of these is authenticated separately.
- Ensure that all computers and devices to be inventoried are powered on and connected to the network. Send a notice advising users to leave their computers on for the time inventory is planned. Users can log off, but should not power off their computers.
Windows Networking Protocols
If you want to find computers in workgroups and Windows NT® 4.0 domains, you can use the Windows Networking Protocols computer discovery method found in the Assessment Wizard. This method uses the Computer Browser service to find computers that are on the network.
The Computer Browser service does not work effectively across network segments (broadcast domains). To find workgroup computers on other segments, connect the computer performing the inventory to each subnet in turn and run the wizard again. If you use this method to find computers joined to a Windows NT 4.0 domain, you do not need to rerun the wizard on each individual subnet, because the domain browse list is shared across segments.
The Computer Browser service is implemented through Server Message Block (SMB), which is enabled through the file and print sharing protocols. The "File and Printer Sharing for Microsoft Networks" and the "Client for Microsoft Networks" services must be enabled on the network adapter of each computer.
It can take up to 15 minutes for a new computer or a computer recently turned on to register and propagate to all browse masters (computers that manage the list of computers). You should not begin inventory until all computers have been turned on for this period of time.
Note For help troubleshooting problems with the Computer Browser service, go to http://support.microsoft.com/kb/188305.
Active Directory Domain Services
If computers and devices are joined to a Windows 2000 Server, Windows Server® 2003 or Windows Server® 2008 Active Directory® forest, use the Active Directory computer discovery method to obtain a list of computers from Active Directory.
When you use this method, the wizard attempts to connect to a domain controller and query the domain for the computer list. The network adapter on the computer running the wizard should be configured to use Dynamic Host Configuration Protocol (DHCP) and connect to a network that has a domain controller that can be queried. The wizard prompts for credentials to connect to Active Directory. By default, a Domain User account has the appropriate access rights to connect to a domain controller and query for the list of computers.
Note Computers that have not logged on to Active Directory for more than 90 days will not be inventoried by the wizard, even if the computer object is valid in Active Directory.
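The following script is an added example, not part of the MAP documentation or the toolkit itself. It enumerates computer objects from Active Directory the way a discovery pass would and flags the ones a 90-day inactivity rule would exclude, so you can see in advance which machines the wizard will skip and why. The page does not say which attribute MAP evaluates; the script assumes lastLogonTimestamp, which every domain controller replicates (with up to about 14 days of lag, so a recently active machine can still look stale). It uses the ADSI searcher, so it needs no RSAT module and runs from Windows PowerShell 2.0 onward as a Domain User with network access to a domain controller.

```powershell
# Added example: preview which AD computer objects a 90-day inactivity cutoff
# would exclude from inventory. Assumes MAP looks at lastLogonTimestamp.

function Get-MapDiscoveryPreview {
    param(
        [string]$SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext,
        [int]$StaleDays = 90
    )

    # Helper: return the first value of an LDAP attribute, or $null if the
    # object does not carry it (indexing an empty collection would throw).
    function Get-Prop($props, [string]$name) {
        if ($props[$name].Count -gt 0) { return $props[$name][0] }
        return $null
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    # objectCategory=computer avoids matching users; the bitwise filter on
    # userAccountControl (bit 2 = ACCOUNTDISABLE) drops disabled accounts.
    $searcher.Filter = "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2))"
    $searcher.PageSize = 1000   # paged results, so large domains are not truncated
    [void]$searcher.PropertiesToLoad.AddRange(@("dNSHostName", "operatingSystem", "lastLogonTimestamp"))

    $cutoff = (Get-Date).AddDays(-$StaleDays)

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        # lastLogonTimestamp is a 64-bit FILETIME and is absent on objects that never logged on.
        $raw = Get-Prop $p "lastlogontimestamp"
        $lastLogon = $null
        if ($raw -ne $null) { $lastLogon = [DateTime]::FromFileTime([Int64]$raw) }

        New-Object PSObject -Property @{
            Name            = [string](Get-Prop $p "dnshostname")
            OperatingSystem = [string](Get-Prop $p "operatingsystem")
            LastLogon       = $lastLogon
            # A computer with no logon record, or one older than the cutoff, is
            # expected to be skipped even though its AD object is valid.
            WillInventory   = ($lastLogon -ne $null -and $lastLogon -gt $cutoff)
        }
    }
}

$all     = @(Get-MapDiscoveryPreview -StaleDays 90)
$skipped = @($all | Where-Object { -not $_.WillInventory })
Write-Host ("{0} enabled computer objects; {1} expected to be skipped by the 90-day rule" -f $all.Count, $skipped.Count)
$skipped | Sort-Object LastLogon | Format-Table Name, OperatingSystem, LastLogon -AutoSize
```

Run it before the assessment and chase the skipped list: a machine that is powered on but shows a stale timestamp usually has not been able to reach a domain controller, which will also break the WMI inventory.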
Windows Management Instrumentation
WMI is used to collect hardware, device, and software information from the remote computers. This inventory method is required for all assessment scenarios and must be enabled on all remote computers. The Assessment Wizard will not provide an option to enable WMI. It must be enabled via group policies, logon scripts, or manually on each computer.
Note By default the WMI Windows Installer Provider is not enabled on Windows Server 2003 computers. As a result, Windows Server 2003 computers will not be able to report installed applications, unless this is enabled.
To connect remotely and perform the WMI inventory, you will need to provide accounts that are members of the local Administrators group on the computer being inventoried. For most networks, the network administrator will have a domain or local account that is a member of the local Administrators group on all of the computers in the environment. These are the accounts you should enter on the Inventory Accounts Wizard page to perform the WMI inventory. Because these credentials are presented to every inventoried computer, prefer a dedicated inventory account that has been added to the local Administrators group over a Domain Admins account, so that a compromised or misconfigured target cannot capture domain-wide privileges.
Note By default in Windows domain environments, the Domain Admins security group is added to the local Administrators group on a computer when it is joined to a domain.
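The following script is an added example, not part of the MAP documentation. Before launching the Assessment Wizard, it confirms that each target accepts a remote WMI connection with the inventory account and separates the two failure modes you will meet most often: access denied (credentials, ForceGuest or a blank password on a workgroup machine) and RPC unreachable (host off, name resolution, or TCP 135 and the dynamic RPC ports blocked). It also checks whether the Windows Installer Provider is present, since without it a Windows Server 2003 host cannot report installed applications. The computer names and the account are assumptions; substitute your own.

```powershell
# Added example: pre-flight the WMI inventory path against a list of targets.

function Test-MapWmiAccess {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential
    )
    foreach ($computer in $ComputerName) {
        $status = New-Object PSObject -Property @{
            Computer = $computer; Wmi = $false; InstallerProvider = $false; Detail = ""
        }
        try {
            $wmiArgs = @{ ComputerName = $computer; ErrorAction = "Stop" }
            if ($Credential) { $wmiArgs.Credential = $Credential }

            # Win32_OperatingSystem is cheap and proves DCOM, authentication and the
            # WMI repository all work, which every assessment scenario depends on.
            $os = Get-WmiObject -Class Win32_OperatingSystem @wmiArgs
            $status.Wmi = $true
            $status.Detail = "$($os.Caption) $($os.Version)"

            # Check only that the Win32_Product class is defined. Enumerating its
            # instances makes the Windows Installer verify (and possibly repair)
            # every MSI package on the host, which is slow and has side effects.
            $class = Get-WmiObject -List -Class Win32_Product @wmiArgs
            $status.InstallerProvider = ($class -ne $null)
        }
        catch {
            # Match on the message text; Exception.HResult is not readable on
            # the .NET version that ships with Windows PowerShell 2.0.
            $msg = $_.Exception.Message
            if ($msg -match "Access is denied") {
                $status.Detail = "Access denied: account is not a local Administrator, or the workgroup host uses Guest-only access / a blank password"
            }
            elseif ($msg -match "RPC server is unavailable") {
                $status.Detail = "RPC unreachable: host off, name resolution failed, or TCP 135 and the dynamic RPC ports are blocked"
            }
            else {
                $status.Detail = $msg
            }
        }
        $status
    }
}

# Assumed target names; the credential prompt collects the inventory account.
$inventoryAccount = Get-Credential
Test-MapWmiAccess -ComputerName "srv01", "ws-042" -Credential $inventoryAccount |
    Format-Table Computer, Wmi, InstallerProvider, Detail -AutoSize
```

A host that reports Wmi = True but InstallerProvider = False will appear in the hardware reports but show no installed applications; fix the provider on that host before the inventory rather than re-running it afterwards.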
The following table describes all of the common WMI considerations for the Assessment Wizard.
Table 1. WMI Considerations
Set password for local accounts
If a computer is in a workgroup and the local account used for inventory does not have a password configured, then by default, logon is limited to the console only. For a WMI inventory of the computer to be successful, the local account needs to be a member of the local Administrators group and must have a password defined.
Configure network access policy
If the computer is in a workgroup, you need to manually change the "Network access: Sharing and security model for local accounts" policy setting from "Guest only" to "Classic" on the local computer. For more information, go to http://technet2.microsoft.com/WindowsServer/en/library/c63ec62e-cc31-4c12-96a7-dbd8089ad6971033.mspx?mfr=true
Enable Remote Administration exception
The Remote Administration exception must be enabled on computers where Windows Firewall is enabled. This exception opens TCP ports 135 and 445 and allows the RPC and DCOM service processes to accept unsolicited traffic. Note that port 135 is only the RPC endpoint mapper: after the initial exchange, the WMI connection is redirected to a dynamically assigned port, so a third-party host firewall must allow those dynamic RPC ports as well, not just TCP 135. On an individual computer, you can enable this exception using the following procedure.
To allow remote administration on an individual computer:
- Click Start, click Run, type gpedit.msc, and then click OK.
- Under Console Root, expand Computer Configuration, expand Administrative Templates, expand Network, expand Network Connections, expand Windows Firewall, and then click Domain Profile.
- Right-click Windows Firewall: Allow remote administration exception, and then click Properties.
- Click Enabled, and then click OK.
Enable File and Printer Sharing exception
The File and Printer Sharing exception must be enabled for computers when the Windows Firewall is enabled. This exception opens TCP ports 139 and 445, as well as UDP ports 137 and 138. If you have another host firewall installed then you will need to allow network traffic through these ports.
Other WMI connectivity information
Many host-based firewall products block DCOM traffic across the network adapters on the computer. For example, remote WMI connections will most likely fail when attempting to connect to a computer running the Microsoft Internet Security and Acceleration (ISA) firewall service. To enable remote WMI access, make sure that the TCP/UDP ports mentioned previously for the Remote Administration and File and Printer Sharing exceptions, together with the dynamic RPC ports that DCOM negotiates, are open on the computer running the software firewall.
Computers that are running the Windows Firewall will introduce some challenges in the inventory process. By default, the Windows Firewall is configured to block remote requests to authenticate and connect to the computer via WMI. The following sections describe how to enable the required exceptions using Active Directory Group Policy and scriptable commands.
Active Directory Environments
Use the Group Policy Editor to edit the policies on the organizational units (OUs) containing the computers on which you want to perform the assessment. For instructions on how to use the Group Policy Editor, go to http://support.microsoft.com/kb/307882.
- Using the Group Policy Editor, click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click Security Options. In Network access: Sharing and security model for local accounts, click Classic – local users authenticate as themselves.
- Using the Group Policy Editor, click Computer Configuration, click Administrative Templates, click Network, click Network Connections, click Windows Firewall, and then click Domain Profile.
- In Windows Firewall: Allow remote administration exception, click Enabled. In Allow unsolicited incoming messages from, type the IP address or subnet of the computer performing the inventory.
- In Windows Firewall: Allow file and print sharing exception, click Enabled. In Allow unsolicited incoming messages from, type the IP address or subnet of the computer performing the inventory.
After saving the policy changes, you need to wait for the policy settings to be applied to the client computers, which can take up to two hours.
Workgroups and Windows NT 4.0 Domains
For computers in a workgroup, you need to manually configure each computer. For computers in a Windows NT 4.0 domain, use logon scripts to configure the Windows Firewall exceptions.
- Using the Local Security Policy tool available from the Administrative Tools menu of the computer to be inventoried, click Security Settings, click Local Policies, and then click Security Options. In Network access: Sharing and security model for local accounts, click Classic – local users authenticate as themselves.
- To enable the remote administration exception, manually run the following command, or run it from a logon script on each computer:
netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135
- To enable the file and printer sharing exception, manually run the following command, or run it from a logon script on each computer:
netsh firewall set service type=fileandprint mode=enable profile=all
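The following script is an added example, not part of the MAP documentation, that applies the workgroup settings above on one computer from an elevated prompt or a logon script. It writes the registry value behind the "Sharing and security model for local accounts" policy and enables the two built-in firewall exceptions by name instead of hand-opening port 135: the remoteadmin exception also covers TCP 445 and the RPC/DCOM service processes (and therefore their dynamic ports), which a bare port opening does not. Scoping the exceptions to the inventory host's address is an added least-privilege measure the page does not require; the address is an assumption. The netsh firewall context is the Windows XP / Server 2003 interface the page targets; on Windows Vista and later the same exceptions live under netsh advfirewall.

```powershell
# Added example: configure a workgroup computer for the MAP WMI inventory.
# Run elevated on the target, or from a logon script that runs as an administrator.

param([string]$InventoryHost = "192.0.2.10")   # assumed address of the MAP console

# "Network access: Sharing and security model for local accounts" is stored in
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\forceguest: 1 = Guest only, 0 = Classic.
$lsa = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
Set-ItemProperty -Path $lsa -Name forceguest -Value 0 -Type DWord

# Enable the built-in exceptions rather than opening individual ports:
#   remoteadmin  -> TCP 135/445 plus the RPC/DCOM service processes (dynamic ports)
#   fileandprint -> TCP 139/445 and UDP 137/138
# scope=custom restricts unsolicited traffic to the inventory host only.
netsh firewall set service type=remoteadmin mode=enable scope=custom "addresses=$InventoryHost" profile=all
netsh firewall set service type=fileandprint mode=enable scope=custom "addresses=$InventoryHost" profile=all

# Verify what was applied before moving to the next machine.
$force = (Get-ItemProperty -Path $lsa -Name forceguest).forceguest
if ($force -ne 0) { throw "forceguest is still $force; the Classic model was not applied" }
netsh firewall show service
```

The Classic model also means a local account with a blank password cannot be used over the network, so the inventory account on each workgroup machine must have a password set, as Table 1 notes.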
Remote Registry Service
The Remote Registry service is used to find the roles installed on a server. It is also required for running the Performance Metrics Wizard and completing the Windows Server 2008 role assessments. This service is installed on Windows-based clients and servers, but the following conditions must exist for this inventory method to be successful:
- The Remote Registry service must be started. By default, it is configured to start automatically.
- The Windows Firewall Remote Administration exception must be enabled.
- You must authenticate using local Administrator equivalent privileges.
If the Remote Registry service is disabled on a server, then you need to enable it before performing the inventory. You can either manually enable the service or configure it to start via Group Policy and wait until the servers are rebooted (and the service is started) before starting the Windows Server 2008 Hardware Assessment or Performance Metrics Wizard.
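The following script is an added example, not part of the MAP documentation. It checks that each server answers a Remote Registry request from the inventory account and, where the service is stopped or disabled, sets it to start automatically and starts it, so that the Windows Server 2008 role assessment and the Performance Metrics Wizard do not have to wait for a reboot. The repair goes through sc.exe, which talks to the Service Control Manager over RPC rather than through the Remote Registry service, so it still works when that service is down. The server names are assumptions.

```powershell
# Added example: verify, and optionally repair, the Remote Registry path
# that the server role and performance assessments depend on.

function Test-MapRemoteRegistry {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [switch]$Repair
    )
    foreach ($computer in $ComputerName) {
        $ok = $false
        $detail = ""
        try {
            # OpenRemoteBaseKey is served by the Remote Registry service, so a
            # successful read proves the service, the SMB/RPC path and the
            # caller's administrative rights in one step.
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine", $computer)
            $key  = $hklm.OpenSubKey("SOFTWARE\Microsoft\Windows NT\CurrentVersion")
            $detail = [string]$key.GetValue("ProductName")
            $key.Close()
            $hklm.Close()
            $ok = $true
        }
        catch {
            $detail = $_.Exception.Message
            if ($Repair) {
                # The space after "start=" is required by sc.exe.
                & sc.exe "\\$computer" config RemoteRegistry start= auto | Out-Null
                & sc.exe "\\$computer" start RemoteRegistry | Out-Null
                $detail += " (repair attempted; re-run the test once the service is up)"
            }
        }
        New-Object PSObject -Property @{ Computer = $computer; RemoteRegistry = $ok; Detail = $detail }
    }
}

# Assumed server names.
Test-MapRemoteRegistry -ComputerName "srv01", "srv02" -Repair |
    Format-Table Computer, RemoteRegistry, Detail -AutoSize
```

If the read fails with "Access is denied" while WMI succeeds, the account is typically an administrator but the Remote Administration firewall exception is missing, or the service is running under a policy that disables it; the sc.exe repair then restores the service but not the exception.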
Simple Network Management Protocol
This inventory method is enabled when you select the option to generate the SNMP Devices Report in the Assessment Wizard. Otherwise this inventory method is not enabled. For inventories of large environments, you should not select the “SNMP Devices Report” option in the Assessment Wizard unless you need data about SNMP-enabled devices.
For the SNMP method to be successful, the following conditions must exist:
- The device must be SNMP v1- or v2c-compliant (the community-string versions of the protocol).
- The SNMP-enabled device must be accessible over the network and capable of accepting the authentication request from the computer performing the inventory.
- You need to provide community strings (case sensitive) that authenticate successfully on the SNMP-enabled devices. Community strings are sent in clear text in SNMP v1 and v2c, so use a read-only community for the inventory and do not reuse one that grants write access.
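The following script is an added example, not part of the MAP documentation. Before turning on the SNMP Devices Report, it verifies a community string against each device with a single SNMP v1 GET, using the OlePrn.OleSNMP COM object that ships with Windows editions that include the print spooler's SNMP support, so no extra tooling is needed. A wrong community string shows up as a timeout rather than an explicit rejection, because agents silently drop requests they do not accept. The device addresses and community string are assumptions.

```powershell
# Added example: confirm that a read-only community string works on each device
# before enabling the SNMP Devices Report.

function Test-MapSnmpCommunity {
    param(
        [Parameter(Mandatory = $true)][string[]]$Device,
        [Parameter(Mandatory = $true)][string]$Community,
        [int]$TimeoutMs = 1500
    )
    foreach ($d in $Device) {
        $snmp = New-Object -ComObject olePrn.OleSNMP
        try {
            # Open(agent, community, retries, timeout in ms); Get returns one OID's value.
            $snmp.Open($d, $Community, 2, $TimeoutMs)
            $sysDescr = $snmp.Get(".1.3.6.1.2.1.1.1.0")   # SNMPv2-MIB::sysDescr.0
            $sysName  = $snmp.Get(".1.3.6.1.2.1.1.5.0")   # SNMPv2-MIB::sysName.0
            New-Object PSObject -Property @{
                Device = $d; Authenticated = $true; Name = $sysName; Description = $sysDescr
            }
        }
        catch {
            # Timeout here almost always means the community string (case
            # sensitive) was rejected, or UDP 161 is filtered on the path.
            New-Object PSObject -Property @{
                Device = $d; Authenticated = $false; Name = $null; Description = $_.Exception.Message
            }
        }
        finally {
            try { $snmp.Close() } catch { }
        }
    }
}

# Assumed device addresses and a read-only community string.
Test-MapSnmpCommunity -Device "192.0.2.1", "192.0.2.2" -Community "inventory-ro" |
    Format-Table Device, Authenticated, Name, Description -AutoSize
```

Because the community string is visible to anyone on the path, run this check from the same host and network segment the inventory will use, and retire the community string once the assessment is complete.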
Community and Feedback
To interact with other members of the Microsoft Assessment and Planning community, learn more about the tool, and get help with questions, visit the Microsoft Assessment and Planning forum on TechNet at http://go.microsoft.com/fwlink/?LinkID=110990.
To send feedback or suggestions for improving the Microsoft Assessment and Planning Toolkit (MAP), send e-mail to firstname.lastname@example.org.
About Solution Accelerators
Solution Accelerators are authoritative resources that help IT pros plan, deliver, operate, and manage IT systems that address real-world scenarios. Solution Accelerators provide free, prescriptive guidance and automation to accelerate cross-product integration, core infrastructure development, and other enhancements.
Register to receive the Solution Accelerator Notifications newsletter so that you can stay informed about new Solution Accelerator releases and updates. The newsletter covers such areas of interest as:
- Communication and collaboration
- Security, data protection, and recovery
- Assessment and Planning
- Operations and management