Importing from Active Directory

FlexNet Manager Suite 2019 R2 (On-Premises Edition)
To reduce manual data entry and enable enhanced inventory features, your inventory beacon imports data from Active Directory (where available): domains, sites, subnets, users, and computers are all available. (To manage licenses for applications where access is controlled through group membership, such as those deployed through Citrix and App-V, FlexNet Manager Suite also imports Active Directory groups, along with details of which users are members of which groups; but the complexities of group membership are not displayed in the web interface.) By default, this happens automatically for the domain where the inventory beacon server is located. You can change the defaults on each inventory beacon.
Tip: If you have a hierarchy of domains, you must separately collect Active Directory data from each domain and subdomain. This is because FlexNet Manager Suite respects the separation of your domains (for example, isolating development or testing domains), and also needs to collect both the group membership and the foreign security principal objects from each domain and subdomain. You may achieve this by placing an inventory beacon within each target domain, by using an inventory beacon whose domain has a trust relationship with the target domain, or by supplying a username and password for an account in the target domain.
Note: Several settings may be added to the registry on the inventory beacon server to configure how FlexNet Beacon attempts to collect Active Directory data from a domain controller. For more information, see Registry Keys for Inventory Beacon and start from ActiveDirectoryImporter.
Remember: You may have configured FlexNet Manager Suite to automatically create locations (a kind of enterprise group) from the sites imported from Active Directory (navigate to System Settings > Inventory tab, and select Synchronize device location with site subnets). If you are using this approach, and you have configured FlexNet Manager Suite as the source of truth for sub-capacity calculations of PVU consumption, you need to visit Enterprise > Locations to ensure that links to the mandatory IBM regions are added.

Start this process from the FlexNet Beacon interface.

To import domains, sites, subnets, users, and computers from Active Directory:

  1. Select the Active Directory link from the Data collection group in the FlexNet Beacon interface.
    The list of your Active Directory connections displays. By default it includes a single connection to gather Active Directory data from the domain in which this inventory beacon is located. From this tab, you can also turn off Active Directory import altogether, or select a particular Active Directory connection from the list and Delete it.
  2. Choose either of the following:
    • To change the settings for a previously-defined Active Directory connection, select that connection from the list, and click Edit.... (Use this option only for error correction, and not to re-purpose an entry for a different domain. To achieve that, delete the old and create a new replacement.)
    • To create a new connection, click New.
    The Active Directory Connection dialog displays.
  3. Complete (or modify) the values in this dialog, as follows:
    Control Comments

    Connection name

    A descriptive name for this connection that you will recognize later in lists. The name may contain alphanumeric characters, underscores or spaces, but must start with either a letter or a number.

    Domain or domain controller

    Leave blank for the domain in which this inventory beacon is located. Otherwise, identify the domain controller to be queried, providing one of (in order of preference):
    1. The name of the domain controller (such as dcserver.tmnis.org)
    2. The fully qualified domain name (such as tmnis.org)
    3. Its IP address.
    Tip: If you plan to select the Use SSL check box (described below), do not use the IP address. The certificate on the domain controller identifies the server by DNS name (in its Common Name, or more usually in a DNS entry of its Subject Alternative Name), so an IP address cannot satisfy the name check, and the LDAPS connection fails. With LDAPS (when Use SSL is checked), you may use either:
    • The fully qualified name of the domain controller, which must match a name on the certificate used on that domain controller. When the name matches (and the inventory beacon trusts the Certification Authority that issued the certificate), LDAPS works both within a single domain and across domains.
    • The fully qualified domain name (without a specific server name). In this case the name resolves to whichever domain controller answers for the domain, and the connection succeeds only if the name the inventory beacon validates matches a name on that domain controller's certificate. Because a domain controller's certificate normally carries the controller's own host name rather than the bare domain name, this match is not guaranteed, and LDAPS communication fails when it is absent. Prefer the first form.
    Username

    Specify an account that has at least read permission on the target domain; a read-only account is sufficient, and a privileged (administrative) account is not needed. If you leave this field blank, the account that runs the inventory beacon service on this inventory beacon attempts to read the details from Active Directory in the (remote) target domain.
    Tip: The account running the FlexNet Beacon service was specified when this inventory beacon was installed.

    Password

    Enter the password for the nominated account. (Leave blank when the Username field is blank.)
    Use SSL

    Select this check box to use the LDAPS protocol (also known as "LDAP over SSL") for communication between the inventory beacon and a domain controller.

    Use this setting with care. Select this check box when:
    • The domain controller from which the inventory beacon is to import Active Directory data is fully specified in the Domain or domain controller field (see notes above), and
    • The domain controller is configured to allow use of the LDAPS protocol, and
    • The inventory beacon trusts the SSL certificate used by the domain controller for its LDAPS communication.
    This last condition (having the inventory beacon trust the domain controller's certificate) is commonly arranged by installing the root certificate of the Certification Authority (CA) that issued the domain controller's certificate, together with any intermediate CA certificates in the chain, in the Trusted Root Certification Authorities store of the inventory beacon server itself (the computer store, not only the store of a logged-on user, because the beacon runs as a service).
    Note: Trust of the SSL certificate is completely independent from trust between the domains concerned. Setting up trust relationships between domains is neither required nor sufficient to ensure operations using the LDAPS protocol.
    For LDAPS, the CA may be one of:
    • A third party CA (such as DigiCert). Well-known third party CA certificates are likely to work without further configuration, since Microsoft installs the root certificates for many of them as a standard part of Microsoft Windows (and Windows Server) installations. In this situation, your inventory beacon is likely to trust the SSL certificate from the domain controller.
    • Enterprise CAs, which are integrated with Active Directory Domain Services. These may be configured for cross-forest and cross-domain certification; but if they are not, the LDAPS protocol works within child domains (within a forest), but not across peer domains (until special arrangements are made, as described below).
    • Stand-alone CAs, which are not integrated with Active Directory. By default with stand-alone CAs, the LDAPS protocol will function neither within a single domain nor across domains until special arrangements are made.
    Whenever trust of the domain controller's SSL certificate does not exist, collection of Active Directory data with the Use SSL check box selected will fail. To remedy this, you may either:
    • Clear the Use SSL check box (in which case collection of Active Directory data attempts to use the default LDAP protocol, so the directory data is no longer protected by TLS in transit; prefer the next option where you can)
    • Make special arrangements to deploy a copy of the root certificate for the Certification Authority (issuing the SSL certificate used on the target domain controller) to the inventory beacon making the request for Active Directory data. This will almost certainly be necessary for stand-alone CAs; and is necessary across forests (and some domains) for Enterprise CAs; and may rarely be required for third-party CAs.
    Tip: To avoid special configuration for trusting certificates across domains, an alternative approach is to install an inventory beacon in the domain to be queried for Active Directory data.
    For more information about enabling LDAPS, see https://support.microsoft.com/en-au/kb/321051.
  4. Click Save to close the dialog and display the Active Directory connection in the list.
  5. With the connection selected in the list of current imports, click Schedule... and choose a schedule for collection of Active Directory data.
    For more information about setting a schedule, see Scheduling a Connection.
The Active Directory data is collected by the inventory beacon at the time of your choosing. Completed collections are uploaded to your application server promptly (the uploader is triggered by default every ten minutes). Once completely staged on your application server, the data is immediately imported into your compliance database.
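Before selecting Use SSL, it is worth checking the three conditions above from the inventory beacon server itself, because a failure inside FlexNet Beacon only tells you that collection failed. The following PowerShell script is an added example and is not part of the FlexNet Manager Suite product or its documentation. It assumes a domain controller name (dcserver.tmnis.org, taken from the example above; substitute your own), Windows PowerShell 5.1 or later, and the .NET classes that ship with Windows; it separates "port closed", "name mismatch" and "chain not trusted" so you know which remedy (fix the name, or deploy the CA root certificate) applies, and then attempts a real LDAPS bind in the same way the beacon would, as the service account or as a supplied username and password.

```powershell
# Added example (not FlexNet Beacon code): pre-flight check of the "Use SSL" conditions.
# Run on the inventory beacon server. $Server is an assumed placeholder; use the exact
# value you intend to type into the "Domain or domain controller" field.
param(
    [string]$Server = 'dcserver.tmnis.org',   # assumed name, as in the documentation's example
    [int]$Port = 636,                          # standard LDAPS port
    [pscredential]$Credential = $null          # leave empty to bind as the account running the shell
)

function Test-LdapsEndpoint {
    param([string]$Server, [int]$Port)

    $result = [ordered]@{ Server = $Server; PortOpen = $false; TlsOk = $false
                          NameMatch = $false; ChainTrusted = $false
                          Subject = $null; Issuer = $null; SanDns = @(); Detail = $null }

    # 1. LDAPS needs a DNS name: the certificate carries host names, so an IP target cannot match.
    if ($Server -as [ipaddress]) { $result.Detail = 'IP address given; use the DC FQDN for LDAPS'; return [pscustomobject]$result }

    # 2. Is the LDAPS port reachable at all?
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($Server, $Port); $result.PortOpen = $true }
    catch { $result.Detail = "TCP ${Port}: $($_.Exception.Message)"; return [pscustomobject]$result }

    # 3. TLS handshake. The callback records the validation errors instead of aborting,
    #    so name mismatch can be told apart from an untrusted chain. (Accepting the
    #    certificate here is for inspection only; FlexNet Beacon will not do this.)
    $state = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $cert, $chain, $sslErrors)
        $state.Errors = $sslErrors
        return $true
    }.GetNewClosure())
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($Server)   # validates against the name we connected with
        $result.TlsOk = $true
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject = $cert.Subject
        $result.Issuer  = $cert.Issuer
        # Subject Alternative Name (OID 2.5.29.17): the DNS names the DC's certificate is valid for.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $result.SanDns = @($san.Format($false) -split ', ' |
                Where-Object { $_ -like 'DNS Name=*' } | ForEach-Object { $_ -replace '^DNS Name=', '' })
        }
        $result.NameMatch    = -not ($state.Errors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)
        $result.ChainTrusted = -not ($state.Errors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors)
        if (-not $result.NameMatch)    { $result.Detail = 'Name mismatch: connect using a name listed in SanDns' }
        if (-not $result.ChainTrusted) { $result.Detail = "Chain not trusted: install the root CA certificate for '$($cert.Issuer)' in the computer's Trusted Root store" }
    }
    catch { $result.Detail = "TLS: $($_.Exception.Message)" }
    finally { $ssl.Dispose(); $tcp.Dispose() }
    return [pscustomobject]$result
}

function Test-LdapsBind {
    # Mirrors the beacon's behaviour: no credential = the identity running this process;
    # otherwise the supplied username/password, as entered in the connection dialog.
    param([string]$Server, [int]$Port, [pscredential]$Credential)
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = if ($Credential) {
        New-Object System.DirectoryServices.Protocols.LdapConnection($id, $Credential.GetNetworkCredential())
    } else {
        New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    }
    $conn.SessionOptions.SecureSocketLayer = $true   # LDAPS: TLS from the first byte, no StartTLS
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try { $conn.Bind(); return $true }
    catch { Write-Warning "Bind failed: $($_.Exception.Message)"; return $false }
    finally { $conn.Dispose() }
}

$check = Test-LdapsEndpoint -Server $Server -Port $Port
$check | Format-List
if ($check.TlsOk -and $check.NameMatch -and $check.ChainTrusted) {
    if (Test-LdapsBind -Server $Server -Port $Port -Credential $Credential) { 'LDAPS bind succeeded; Use SSL should work for this connection.' }
} else {
    'Do not select Use SSL until the reported condition is fixed.'
}
```

Run the script as the account that runs the FlexNet Beacon service (or pass the same username and password you will enter in the dialog) so that the bind test reflects the beacon's own rights and trust stores. If the endpoint test reports a name mismatch, the SanDns field shows the names you can legitimately enter in the Domain or domain controller field; if it reports an untrusted chain, the Issuer field identifies which CA's root certificate must be deployed to the beacon server.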