Forwarding Local Security Solution Data Between Notification Servers
What if you wanted to take your Local Security Solution (LSS) data and use Inventory Forwarding to move it to a destination Notification Server? If you did this, you would have a backup of your managed passwords and have those passwords accessible on the destination server too. You can pull this off with Inventory Forwarding. Here's how to configure your Notification Server to do this.
Inventory Forwarding does support the forwarding of Local Security Solution data. The LSS data is inventory-like data and the related data classes forward just like normal Inventory Solution Data Classes.
The key element to remember is that Local Security Solution data relates the computer data to the collected administrative user data. Therefore, when we forward the resources, we need to forward both user and computer resources to be able to use the solution on the reporting or destination side.
This requires the creation of a collection of user resources. While this collection seems to have all of its primary data appearing to be computers, it also contains the user information we need for resource associations to be correctly made. The query provided below is optimal for creating this important collection.
The following steps take you through the creation of the Inventory Forwarding Rule. While you could include this data in other forwarding rules, it is recommended that this data be contained within its own rule. This allows it to be scheduled independently, and not cause undue strain on the Notification Server.
To create an inventory forwarding rule, open the Configuration tab and go to Server Settings > Notification Server Infrastructure > Inventory Forwarding. Right-click Inventory Forwarding and select New > Inventory Forwarding Rule, as shown in Figure 1.
Figure 1 - Creating the Inventory Forwarding Rule
Follow the steps below to complete the rule creation:
- At the "Rule Name:" and "Description:" options of the page, give the rule a name and description that provides you the reference information you need to use and maintain the rule.
- At the "Resources:" option, select the Resources you would like to forward. Figure 2 shows options available. In this situation, you actually need to forward two types of resources.
  - Computer Resources - Select a computer collection that most completely represents the computers that you want to capture LSS data for.
  - User Resources - In this case, since the password is associated with both a computer AND a user account, we need a collection of users to reference in order to capture that information. To this end, you need to create a collection of users that can be used for this purpose. An optimal SQL query for collecting all Administrator users would be:
    SELECT vItem.Guid
    FROM Inv_Global_Account_Details
    INNER JOIN vItem ON vItem.Guid = _ResourceGuid
    WHERE Rid = 500
    Because RID 500 identifies the built-in Administrator account regardless of its name, this picks up non-English Administrator accounts and accounts that have been renamed. This collection should be created and stored in a regular collection definition. See Figure 2 for the collection picker.
Figure 2 - Computer and User Collection Picker
- At the "Inventory Classes:" selection, click to bring up the data class picker. This allows you to select the dataclasses to forward. Figures 3 and 4 show the data class picker. At a minimum, please make sure that it includes the following dataclasses:
Infrastructure > Global Account Details
Infrastructure > Global Domain Details
Security Management > Local Security > Local Account Settings
Security Management > Local Security > Local User Account Details
Security Management > Local Security > User Account Password
Security Management > Local Security > Privilege Membership [Optional]
You can include all of the remaining Local Security dataclasses as well. They are not required, but including them ensures that all of your Local Security data is backed up.
Figure 3 - Data Class Picker
Figure 4 - Data Class Picker
- At the "Destination:" menu choice, select the destination Notification Server that you would like to forward the data to.
- At the "Credential:" menu choice, provide the correct credentials to be able to access each Notification Server.
- Next, choose a replication schedule. It is recommended to create a custom schedule so that this procedure can be tracked and observed, independent of other scheduled tasks.
- Next, if so desired, enable and choose the data verification level, and the verification schedule. Again, it is recommended to create a custom schedule so that this procedure can be tracked and observed, independent of other scheduled tasks.
- Browse back to the top of the screen and Click on the "Enable" checkbox to enable the rule.
- Lastly, click "Apply" at the bottom of the page, to complete creation of this Inventory Forwarding Rule.
This will create the rule. Following a successful run of the rule, you should be able to connect to the destination server's console and, using normal access techniques, open and display the managed passwords for the forwarded servers.
Note that one of the scheduled Replication tasks on the rollup server handles the replication of Resource Associations. Unless this task is enabled, the Resource Associations will not be replicated, and the Users (and Groups), while replicated, will not be associated with their computers.
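The Rid=500 collection query from the User Resources step, run here against constructed rows in an in-memory SQLite database to show why it catches localized and renamed Administrator accounts where a name match does not. This is an added example, not code from the original article; the Name column, the sample GUIDs and the name-based comparison query are assumptions for illustration.

```python
import sqlite3

# Constructed sample rows. The Name column is an assumption used only for
# the name-based comparison; real Notification Server tables differ.
ACCOUNTS = [
    # (resource guid, account name, RID)
    ("u-001", "Administrator", 500),   # default English built-in admin
    ("u-002", "Administrateur", 500),  # localized built-in admin
    ("u-003", "svc-local", 500),       # built-in admin that was renamed
    ("u-004", "Guest", 501),           # built-in guest
    ("u-005", "Administrator", 1001),  # ordinary account reusing the name
]

# The collection query from the article, unchanged apart from layout.
RID_QUERY = """
SELECT vItem.Guid
FROM Inv_Global_Account_Details
INNER JOIN vItem ON vItem.Guid = _ResourceGuid
WHERE Rid = 500
"""

# Hypothetical name-based alternative, shown only for contrast.
NAME_QUERY = RID_QUERY.replace("Rid = 500", "Name = 'Administrator'")

def build_db():
    """Create stand-in tables holding only the columns the query touches."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE vItem (Guid TEXT PRIMARY KEY)")
    db.execute("CREATE TABLE Inv_Global_Account_Details "
               "(_ResourceGuid TEXT, Name TEXT, Rid INTEGER)")
    for guid, name, rid in ACCOUNTS:
        db.execute("INSERT INTO vItem VALUES (?)", (guid,))
        db.execute("INSERT INTO Inv_Global_Account_Details VALUES (?, ?, ?)",
                   (guid, name, rid))
    return db

def collect(db, query):
    return sorted(row[0] for row in db.execute(query))

def compare():
    """Return (RID 500 members, missed by name match, wrongly added by it)."""
    db = build_db()
    by_rid, by_name = collect(db, RID_QUERY), collect(db, NAME_QUERY)
    missed = sorted(set(by_rid) - set(by_name))
    extra = sorted(set(by_name) - set(by_rid))
    return by_rid, missed, extra

if __name__ == "__main__":
    print(compare())
```

A user resource left out of the collection is not forwarded, so the password data for that account has no user to associate with on the destination server.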