
Windows Script Monitor - Automatic Services - Cross Forest & Domain with No Trust

Hello Community!

I have a situation where I simply want to monitor if a service has a startup type of automatic and if the service is in a started state. If the service is in a stopped state, I want solarwinds to be able to alert on it.

I've used a similar template that runs on about 60% of my servers, for servers that sit on the same domain as the SAM server.

The problem becomes when cross domain is required, where the node sits on a separate forest & domain with no trust. Is there any way to run scripts without a trust required to the necessary domain?

I'm running into the impersonation issue, where the script runs locally on the SAM server, trying to execute against the destination node. The issue is that the destination account doesn't have permission to the local SAM server. This is obvious since there's no trust to the destination domain, however, I suspect there should be some method of allowing this authentication through to the destination node on the separated domain.

I do not want to gather statistic data through the templates, if I can help it. The build-out of the templates would take a long time to do such a simple task.

The script solves my problem, however, I need to figure out how to impersonate the other domain properly without a trust. Is this possible?

Template Used: Check All Services Which Set To Automatic Mode Are Running

Thanks,

Ryan

  • If there is no trust between the domains then you are unable to connect/authenticate against the remote computer due to Kerberos authentication. This is a limitation of Windows operating system security. You can test this yourself by attempting to map a drive from the Orion server to the remote host using that account.

    If you're interested in monitoring the service state on a remote host where no domain trust exists I recommend using SNMP with SAM's "Service Status - SNMP" monitor instead of WMI or RPC.

  • I can obviously connect to the other nodes in the domains fine through Windows authentication, since it will prompt for the destination credentials to use. If you supply these, then it will connect fine with no error. I can use normal WMI templates to monitor the services through SolarWinds; the credentials SolarWinds uses are the destination credentials. The issue is with running scripts against the destination server through SolarWinds.

    Is there a way to use PowerShell scripts through SolarWinds that would work properly?

    The template I used appears to be a VB script in some fashion.

    Ryan

  • Yes, SAM's PowerShell Script Monitor supports remote execution and impersonation. Note: WinRM will need to be configured on the Orion server and remote host the script will execute against.

  • Is there any way to get the VB script through solarwinds to work properly with impersonation?

    If there were templates in SolarWinds to check this type of functionality, I would certainly use them. The only ones are end-user generated and grab performance data as well, which isn't what I'm after.

    WinRM won't work since we have legacy servers as well and WinRM doesn't work as well with the older systems.

    SNMP, which requires another thing to be installed, similar to legacy WinRM, isn't desirable.

    Ryan

  • VBScript, unlike PowerShell, has no built-in mechanism for supporting impersonation. Impersonation must instead be incorporated into the script itself. The link below provides a few examples of how this is done.

  • I'm looking into what I need to do to revamp the script.

    Is there a way to use local accounts on the nodes?

    Let's say I have a monitor account, named monitor, and this account exists locally on all of my servers. Is there a way in SolarWinds SAM to specify the .\ method of authenticating locally? (e.g. .\monitor)

    I tried this on a pre-existing node, which has the new account, and I get an immediate failure.

    Thanks,

    Ryan

  • SAM will pass the ".\" as part of the credentials, but your script will need to handle them appropriately. Is there any reason why SAM's "Service Status - SNMP" monitor does not satisfy your requirements? As an aside, we're currently working on an Agent for SAM that can be installed on a machine where no domain trust exists to allow you to monitor all aspects of that host as you normally would agentlessly. VBScripts would also be executed locally on the server where the agent is installed.

  • I'm keeping SNMP as a last resort option right now, since it will require installing SNMP across a large quantity of servers in our environment to take advantage of the service monitor.

    The agent based design would solve a few of our problems actually and we look forward to the next release.

    Are there any statistics yet on how many resources the agent uses when deployed under typical templates?

    Thank You,

    Ryan

  • One number I will share now is that the agent installer itself is a mere 16MB in size. It's been designed from the ground up to be very lightweight and efficient.

  • With VBScript or PowerShell you can specify and use credentials. I mean, most of the service stuff is just using WMI on the backend, as the native cmdlets [for PSH] don't support all the attributes that you need to get full data for this script. If you don't want creds in your scripts [I wouldn't], you should be able to specify a cred profile in SAM. See screenshot below.

    As long as you pass it valid credentials for the remote domain it will auth fine. It's not a limitation of Windows per se, aLTeReGo, it's as designed. Honestly the trust and forest part is mostly out of the question here. Since you can access remote shares, etc. from the SAM server to those hosts, the necessary fw ports and whatnot have also been validated.

    I've messed with the template you are using and you're correct, it is VBScript. You could do the same with PSH as it is mostly doing a Get-WMIObject and parsing data.
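The PowerShell version sketched in the last reply, written out as an added example (not code from the thread or from the SAM template): it runs the same Win32_Service WMI query against the destination host with explicitly supplied credentials, so the SAM server's own identity is never used and no credentials are embedded in the script. It assumes the three arguments arrive from SAM's script-argument macros (`${IP} ${USER} ${PASSWORD}`, fed from a credential profile), and follows the script-monitor output convention as I understand it (Message/Statistic lines, exit 0 = Up, 1 = Down, 3 = Critical); the exclusion list is a constructed starting point.

```powershell
# Added example: report Automatic services that are not running on a host in an
# untrusted domain, authenticating as the supplied identity rather than the SAM server.
param(
    [Parameter(Mandatory = $true)][string]$ComputerName,
    [Parameter(Mandatory = $true)][string]$User,       # DOMAIN\user, or .\user for a local account
    [Parameter(Mandatory = $true)][string]$Password
)

# Automatic services that stop on their own by design; constructed list, tune for your estate.
$Exclude = @('sppsvc', 'RemoteRegistry', 'ShellHWDetection', 'gupdate')

# SAM passes ".\" through unchanged (see reply above). Rewrite it to the target's name so
# the logon is a local-account logon on the destination host, not on the SAM server.
if ($User.StartsWith('.\')) { $User = "$ComputerName\" + $User.Substring(2) }
$secure = ConvertTo-SecureString -String $Password -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential($User, $secure)

try {
    # Same WMI class the VBScript template reads; the filter does the work server-side.
    $svcs = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Credential $cred `
                -Filter "StartMode='Auto' AND State<>'Running'" -ErrorAction Stop
} catch {
    # Authentication or connectivity failure: report the monitor itself as Down.
    Write-Output "Message: WMI query to $ComputerName failed: $($_.Exception.Message)"
    Write-Output "Statistic: -1"
    exit 1
}

$stopped = @($svcs | Where-Object { $Exclude -notcontains $_.Name })

if ($stopped.Count -eq 0) {
    Write-Output "Message: All automatic services are running"
    Write-Output "Statistic: 0"
    exit 0
}

# Name each offending service with its current state so the alert is actionable.
$names = ($stopped | ForEach-Object { "$($_.Name) ($($_.State))" }) -join ', '
Write-Output "Message: Stopped automatic services: $names"
Write-Output "Statistic: $($stopped.Count)"
exit 3
```

Because the credential is built per call, the same script serves domain accounts in the other forest and per-host local accounts (`.\monitor`) alike; a failed logon surfaces as a Down result rather than a silent zero.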