Scanning with an Active Directory Domain scanning target

Active Directory Domain is an agentless, fully automated scanning target suitable for scanning Windows computers that are part of an Active Directory domain. Active Directory Domain can be configured to scan an entire domain or only a select number of sites or OUs. It contacts your domain controllers every X number of minutes to retrieve a list of newly logged on computers and scans those computers if they haven't been scanned by an Active Directory Domain target in the last X number of hours or days. If a computer was scanned by an Active Directory Domain target at one point, but then does not report to a domain controller again, the Active Directory Domain target will also rescan that computer after X number of hours or days.

Active Directory Domain scanning targets allow you to scan an unlimited number of domains. To submit a domain (entirely or in part) for scanning with an Active Directory Domain target, hit the Add Scanning Target button in the following section of the web console and choose the Active Directory Domain scanning type in the resulting popup: Scanning\Scanning Targets. You'll need to enter your domain's DNS and NetBIOS names into the popup window. If you have multiple scanning servers, there will be separate configuration tabs on the Scanning Targets page, one for each server.

Scanning Targets menu
Active Directory Domain scanning target
 As agentless scanning of Windows computers requires credentials, make sure to submit and map your Windows scanning credentials as well, by following the instructions in this knowledge base article.

Active Directory Domain settings

Below is an overview of available Active Directory Domain buttons, options and settings. What is scanned by the target can be configured in the Add Scanning Target popup itself, while the schedule that is used can be configured further down the Scanning\Scanning Targets page. The same schedule applies to all Active Directory Domain targets.

Active Directory Domain scanning target settings
Active Directory Domain scanning target schedule
  • Domain DNS name: your domain's DNS name. If you're not sure what your domain's DNS name is, you can verify this by following the instructions in this knowledge base article.
  • Domain (Netbios): your domain's NetBIOS name. If you're not sure what your domain's NetBIOS name is, you can verify this by following the instructions in this knowledge base article.
    You must submit your domain's DNS and NetBIOS names, even if you don't plan on scanning your entire domain.
     If the Active Directory Domain target sees a non-Windows asset report to a domain controller, that asset is passed off to the same scanning procedure used by the IP Range scanning targets and is scanned as well. An asset is considered a Windows computer if its operatingSystem attribute in Active Directory is blank or includes the words "Windows" or "Hyper". Objects whose operatingSystem attribute is not blank and does not include the words "Windows" or "Hyper" are considered non-Windows.
  • Description: custom description you can assign to the scanning target
  • Add OU Filter: use this button to limit scanning to certain computer containers or OUs.
    If you add OU filters, the Active Directory Domain target will only scan the specified OUs and any sub-OUs contained within.
  • Add Site Filter: if you add a site filter, the Active Directory Domain target will only contact domain controllers in the specified Active Directory site for a list of newly logged on computers.
    Whenever possible, it is recommended that you use OU filters instead of site filters. Unless you are absolutely certain which domain controllers belong to which site and which computers are managed by those domain controllers, do not use site filters.
    If you add both site and OU filters, the site filters are applied first and then the OU filters. The Active Directory Domain target will only contact domain controllers in the specified site(s) for a list of newly logged on computers and, of those newly logged on computers, only computers that belong to the OUs submitted by you will be scanned.
  • Enable: check/uncheck this box to enable/disable scanning of the scanning target.
  • Check Interval: determines how often (every X number of minutes) the Active Directory Domain target contacts your domain controllers to retrieve a list of newly logged on computers.
  • Min. Time Between Scan (per Asset): determines how long (X number of hours or days) the Active Directory Domain target will wait before rescanning a machine previously scanned by the target. In the example above, the Active Directory Domain target will scan a computer that reports to a domain controller, if that computer hasn't been scanned by the target in the last 20 hours.
  • Max. Time Between Scan (per Asset): determines how long (X number of hours or days) the Active Directory Domain target will wait before rescanning a machine that was previously scanned by the target, but that has not reported to a domain controller again. In the example above, the Active Directory Domain target will rescan a computer previously scanned by the target after 3 days, even if that computer has not reported to a domain controller again.

Related Articles