5 Replies Latest reply on Jan 6, 2017 11:23 AM by cwinning

    Best Practices for Shavlik Protect and MS Domain Controllers

    MichaelR Rookie

      We are attempting to have Shavlik Protect do a scan on a Windows Domain Controller.  Currently the scan fails with Error 452: Unable to Connect to the Remote Machine and we have looked at Error 452: Unable to Connect to the Remote Machine for help.  Because the server is a DC it treats accounts differently we are wondering if there is any other information that Shavik might have when trying to scan such a server?

       

      Regards,

       

      Michael

        • 1. Re: Best Practices for Shavlik Protect and MS Domain Controllers
          cwinning CommunityTeam

          Hello,

           

          Other than required ports, supplying a valid hostname\IP Address and domain credentials should be sufficient.  It could be UAC causing issues, take a look at this: 

           

          Patch Scanning Prerequisites

           

          Are you able to connect to the DC using this? 

          net use \\machine_name\IPC$ /user:domain\ username password

           

          Taking a look in the hf*.log locate in C:\ProgramData\LANDESK\Shavlik Protect\Logs could show you more of the issue.

           

          Thanks,

          Charles

          • 2. Re: Best Practices for Shavlik Protect and MS Domain Controllers
            MichaelR Rookie

            Sorry in the delay on responding, holidays. 

             

            A quick question on the way Shavlik handles domain credentials.  We have some very tight restrictions in terms of what accounts can login to various machines in our environment.  So an account that can login into the our DC cannot be used anyplace else in our environment because of Group Policy. Does Shavlik attempt to use a scan credential in anyway on the local server?

             

            To test the theory on our end we are going to create a special account on our end that has rights to login into both our Domain Controller and Servers (the box with Shavlik is a standard server) and then use that as the credentials for Shavlik to Scan with. 

             

            Also here is the section of the log from the latest scan attempt.

             

            2017-01-04T12:33:43.3582590Z 11d4 S BaseThread.cpp:54 Entering threading::BaseThread::StartThread.

            2017-01-04T12:33:43.3712578Z 1384 W NetworkLogon.cpp:117 Failed to check administrative access to 'IP REMOVED', attempt 1, error: 5.

            2017-01-04T12:33:43.3712578Z 1384 W MachineSelector.cpp:86 Credentials passed in were not admin - using clouc

            2017-01-04T12:33:43.3752605Z 1384 W NetworkLogon.cpp:117 Failed to check administrative access to 'IP REMOVED', attempt 1, error: 5.

            2017-01-04T12:33:43.3752605Z 1384 I DBOutput.cpp:39 Scan '23a4363c-b333-48ca-8740-4e6622a64df7' not scanned reason: 452.

            2017-01-04T12:33:43.3782638Z 1384 I ScanWorkItem.cpp:531 All is not well DC004(10.1.204.226)

            • 3. Re: Best Practices for Shavlik Protect and MS Domain Controllers
              cwinning CommunityTeam

              Hello,

               

              Credentials specified as the Browse Credentials or the Admin Credentials in the Machine Group are only used to access what they are specified for.  Browse Credentials are used to enumerate machine in Domain or OU types scans.  The Admin Credentials are used to connect to the enumerated machine via the admin share. These credentials are not used on the local Protect server.

              From your example the specified credentials failed then it failed-over to the CLOUC (currently logged on user credentials) which also failed. Experience tells me working with locked down credentials isn't going to be easy,  What did the net use command from above tell you?  If that fails, no scan will be performed.

               

              Thanks,

              Charles

              1 of 1 people found this helpful
              • 4. Re: Best Practices for Shavlik Protect and MS Domain Controllers
                MichaelR Rookie

                Net use failed.

                 

                After some internal debate we have decided to just keep doing what we have been doing and that is manually patching the DCs. 

                 

                Thanks for the responses!

                • 5. Re: Best Practices for Shavlik Protect and MS Domain Controllers
                  cwinning CommunityTeam

                  Thanks for the heads-up, at least these DCs are very secure.  =)

                   

                  Thanks,

                  Charles