Return to the MAP Toolkit Getting Started Guide



Now that you have determined the collectors that will be required, there are certain considerations and configurations that must be verified or implemented in your environment in order to inventory your environment with a high degree of success.  In Phase 3, you will review the sections below and using the data collection requirements from Phase 2, understand and configure your environment to allow MAP to inventory the computers in your environment.

Preparing your environment

My goal requires that I use:

How to prepare your environment:

WMI

The Inventory and Assessment Wizard will not provide an option to enable WMI.

 You must enable it through Group Policy settings, logon scripts, or manually on each computer. Based upon your environment, you may have different considerations when using WMI as a collector technology. See the following topics at the MAP Wiki site for additional details.

WMI in Active Directory Environments 

Firewall Considerations Using WMI 

WMI In Workgroups and Windows NT 4.0 based Domains 

SQL Server Authentication (Native and Windows)

SQL Server uses Port 1433 for default instances and port 1434 for the SQL Server Browser Service. For named instances, MAP queries the browser service and learns the port numbers assigned by SQL Server or that were manually set by the user. See this support article for more information on named instance port numbers.

SSH

Port 22 is the default port MAP will use. In the Inventory and Assessment Wizard, you can change the port that MAP uses if a non-default port is used in your environment.

MAP uses HAL commands through SSH to inventory hardware information from computers running Linux operating systems. If the HAL package is not installed on the target computers or the inventory account lacks permission to use those commands, MAP will fall back to dmidecode if that fails. Dmidecode needs to access /dev/mem to get its data, which is restricted to root only. If that fails as well, then MAP will report blank values for some of the hardware properties in the reports.

Oracle

Port 1521 is the default port MAP will use for connecting to the Oracle SQL database engine. In the inventory wizard, you can change the port that MAP uses if a non-default port is used in your environment.

The 64-bit Oracle client must be installed on the computer that is running MAP in order to connect directly to the database engine and collect the schema information. If the 64-bit Oracle client is not installed MAP will still collect some basic information about the Oracle server from WMI or SSH.  MAP will not collect schema information if the 32-bit Oracle client is installed on the computer running MAP.

VMware

Ports 80 and/or 443 are the default ports for HTTP and HTTPS respectively. In the inventory wizard, you can change the port that MAP uses if a non-default port is used in your environment. Some VMware environments use ports 8222 and/or 8333 for HTTP and HTTPS, but these are not listed by default in MAP.

PowerShell

Ports 5985 and 5986 are the default ports for PowerShell HTTP and HTTPS respectively. In the Inventory and Assessment wizard, you can change the port that MAP uses if a non-default port is used in your environment.  Additionally, you can designate whether or not to use SSL and whether or not to validate the server certificate.  If certificate validation is selected, you will need to ensure that the certificate is trusted by the MAP computer.

Active Directory

In a domain that consists of Windows Server® 2003–based domain controllers, the default dynamic port range is 1025 through 5000. Windows Server 2008 R2 and Windows Server 2008, in compliance with Internet Assigned Numbers Authority (IANA) recommendations, increased the dynamic port range for connections. The new default start port is 49152, and the new default end port is 65535. Therefore, you must increase the remote procedure call (RPC) port range in your firewalls. If you have a mixed domain environment that includes a Windows Server 2008 R2 and Windows Server 2008 server and Windows Server 2003, allow traffic through ports 1025 through 5000 and 49152 through 65535. See this article for more information.

System Center Configuration Manager

If you plan to use System Center Configuration Manager for the discovery method of computers in your environment, then you must configure the System Center Configuration Manager site server as follows:

  1. Open the Configuration Manager Console
  2. Under the Site Database node that will be used for discovery, go to the Security Rights node and click Manage ConfigMgr Users
  3. Grant the account that will be used for discovery the following rights:
    1. Class: Collection, Instance: All instances, Rights: Read, Read Resource
    2. Also, ensure the account is in the local Windows security group named “SMS Admins”

Forefront Endpoint Protection

If you will be collecting data for Forefront Endpoint Protection usage tracking, you will need to enable remote PowerShell on the appropriate server computers. To do so, log on to each System Center Configuration Manager server that has Forefront Endpoint Protection components installed, and ensure PowerShell will allow remote connections from the computer on which you have installed MAP. If non-default ports are used for PowerShell, make note of the port numbers used by PowerShell on this computer, as you will need to enter them in the MAP inventory wizard. You may also designate specific SSL or certificate requirements in the inventory wizard.  For more information see http://technet.microsoft.com/en-us/magazine/ff700227.aspx.

Do not run Lync Server and Forefront EndPoint Protection Server scenarios concurrently.  The inventory data will not produce valid results for either scenario.  If you wish to run both scenarios, it is recommended to run one of them first and then MAP again with the other scenario selected.

Lync Server

If you will be collecting data for Lync Server usage tracking, you will need to enable remote PowerShell on the appropriate server computers. To do so, log on to each Lync server of interest and ensure PowerShell will allow remote connections from the computer on which you have installed MAP. If non-default ports are used for PowerShell, make note of the port numbers used by PowerShell on this computer, as you will need to enter them in the MAP inventory wizard. You may also designate specific SSL or certificate requirements in the inventory wizard.  For more information see http://technet.microsoft.com/en-us/magazine/ff700227.aspx.

Do not run Lync and Forefront EndPoint Protection Server scenarios concurrently.  The inventory data will not produce valid results for either scenario.  If you wish to run both scenarios, it is recommended to run one of them first and then MAP again with the other scenario selected.

Configure Log Files for Windows Server

To capture logon information, the Audit Logon policy needs to be set to “Success,” which is the default for all Windows Server operating systems since Windows Server 2003. You can also set this configuration manually in the Group Policy Management Console (GPMC) or automatically using the Auditpol.exe command-line tool.

For more information about these Group Policy settings, see the following resources:

MAP 8.5 can be configured to use the new User Access Logging (UAL) feature in Windows Server 2012.  For Windows Server 2012, there is no need for log parsing.   For more information about UAL, see http://go.microsoft.com/fwlink/?LinkId=255466.

Configure Log Files for SQL Server

SQL Server 2008 Enterprise and Datacenter Editions introduced audit event configuration for Windows security logging, which enabled SQL Server 2008 to log logon events to the Windows Security log. The MAP Toolkit can parse these logs to track usage for SQL Server 2008 Enterprise and Datacenter Editions.

To enable SQL Server 2008 or newer to log audit events to the Windows security log

On each SQL Server 2008 or newer instance for which you need to track usage, run the following SQL command:

/* Turn LOGIN logging on */

USE MASTER

GO

/* Note: the name 'Server_Audit' is your choice */

CREATE SERVER AUDIT [Server_Audit]

TO SECURITY_LOG WITH ( QUEUE_DELAY = 1000,  ON_FAILURE = CONTINUE);

ALTER SERVER AUDIT [Server_Audit]

WITH (STATE = ON);

 

USE MASTER

GO

/* Note: the name 'login_audit' is your choice */

CREATE SERVER AUDIT SPECIFICATION [login_audit]

FOR SERVER AUDIT Server_Audit

ADD (SUCCESSFUL_LOGIN_GROUP) WITH (STATE = ON);

Configure the Audit Object Access Setting

The Audit object access setting must be configured to capture the events. The best way to do this varies depending on your operating system. To write to the Windows Security log, the account under which the SQL Server service is running must have the Generate Security Audits permission to write to the Windows Security log. By default, the LOCAL SERVICE and the NETWORK SERVICE accounts have this permission. This step is not required if SQL Server is running under one of those accounts. You must have Administrator privileges on the computer to configure these settings.

To use Auditpol.exe to configure the Audit object access setting for Windows Vista or Windows Server 2008 or later

  1. Open a command prompt with administrative permissions.
    1. On the Start menu, point to All Programs, point to Accessories, right-click Command Prompt, and then click Run as administrator.
    2. If the User Account Control dialog box opens, click Continue.
    3. Run the following statement* to enable auditing from SQL Server.

auditpol /set /subcategory:"application generated" /success:enable /failure:enable

  1. Close the command prompt window.
  2. This setting takes effect immediately.
  3. *Note:  /subcategory:”application generated” will only work with English language operating systems.  If your operating system is a different language, you will need to use the localized parameter.

To use Secpol.msc to configure the Audit object access setting for Windows operating systems earlier than Windows Vista or Windows Server 2008

  1. On the Start menu, click Run.
  2. Type secpol.msc and then click OK.
  3. In the Local Security Policy tool, expand Security Settings, expand Local Policies, and then click Audit Policy.
  4. In the results pane, double-click Audit object access.
  5. On the Local Security Setting tab, in the Audit these attempts area, select both Success and Failure.
  6. Click OK.
  7. Close the Security Policy tool.

This setting takes effect immediately.

To use Secpol.msc to grant the Generate Security Audits permission to an account

  1. On the Start menu, click Run.
  2. Type secpol.msc and then click OK. If the User Access Control dialog box appears, click Continue.
  3. In the Local Security Policy tool, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
  4. In the results pane, double-click Generate security audits.
  5. On the Local Security Setting tab, click Add User or Group.
  6. In the Select Users, Computers, or Groups dialog box, either type the name of the user account, such as domain1\user1 and then click OK, or click Advanced and search for the account.
  7. Click OK.
  8. Close the Security Policy tool.

This setting takes effect when SQL Server is restarted.

To stop monitoring SQL Server 2008 logon events to the Windows Security log

Run the following SQL command on each SQL Server 2008 instance for which you want to stop monitoring events.

/* Turn LOGIN logging off */

use MASTER

GO

ALTER SERVER AUDIT SPECIFICATION [login_audit] WITH (STATE = OFF);

DROP SERVER AUDIT SPECIFICATION [login_audit];

ALTER SERVER AUDIT [Server_Audit] WITH (STATE = OFF);

DROP SERVER AUDIT [Server_Audit];

Configure Log Files for SharePoint Server

To capture access information for supported versions of Microsoft SharePoint Server, configure the generation of Internet Information Services (IIS) logs on the servers for which you plan to monitor client access.

You must configure IIS logging in the W3C log file format (called “W3C Extended” on some operating systems) with the following fields included:

  • date
  • time
  • s-sitename
  • s-computername
  • s-ip
  • s-port
  • cs-uri-stem
  • cs-uri-query
  • cs-username
  • c-ip
  • sc-status

SharePoint or IIS administrators might use W3C logging for other reasons. If these administrators require additional fields to be logged, they can add those fields to the configuration. However, administrators should not remove any of the fields that the Software Usage Tracker requires.

For information about enabling W3C logging in IIS, see:

MAP 8.5 can be configured to use the new User Access Logging (UAL) feature in Microsoft Windows Server 2012.  For SharePoint Server 2013 running on a computer running Windows Server 2012, there is no need for log parsing.   For more information about UAL, see http://go.microsoft.com/fwlink/?LinkId=255466.


Troubleshooting environmental issues


Return to the MAP Toolkit Getting Started Guide