Overview 💥
Liongard’s Active Directory Inspector is fully supported when the Agent runs locally on domain controllers (DCs) running Windows Server 2012 and newer.
As part of the 2024 Active Directory inspector modernization, remote inspection capability was removed. Liongard no longer supports remote inspections that rely on WinRM/ADWS. Agents must be installed locally on DCs for inspection going forward.
This change improves security, reliability, and performance in large AD environments.
Why this changed 🤔
Security: Removing remote inspection eliminates the need for WinRM/ADWS connectivity and the associated credential exposure surface.
Reliability & Performance: Local inspections reduce timeouts and increase data completeness—especially in large or distributed Active Directory environments.
Simplicity: Fewer moving pieces (no ADWS install/WinRM restrictions) reduces configuration complexity and support overhead.
Liongard communicated this change across the 2024 modernization/release notes to ensure partners migrate remote inspectors to local agent installations.
Support Matrix 🧑🏫
Windows Server version | Local inspection (Agent on DC) | Remote inspection (Agent off-DC) | Notes |
Windows Server 2016 and newer | ✅ Fully supported | ❌ Not applicable — remote inspection removed | Recommended target for all DCs. |
Windows Server 2012, 2012 R2 and older | ⚠️ Limited / Not recommended | ❌ Not supported | These OS versions are EOL; running production DCs on them is discouraged. Legacy remote methods (ADWS) are deprecated for Liongard. |
Short guidance: Migrate to local Agent installations on DCs running Windows Server 2016+. Where possible, upgrade OS versions rather than relying on legacy workarounds.
Steps to Resolve (Migrate from Remote → Local) 👨💻
Below are step-by-step instructions to migrate an Active Directory Inspector that currently uses remote inspection to a supported local agent on the domain controller.
Pre-migration checks (gather information)
✅ On the Liongard Platform: Admin → Inspectors → Active Directory →Add Column for "Remote Inspection" — identify inspectors showing Remote Inspection = Yes . Record Environment name(s) and Inspector name(s).
✅ Verify domain controllers (DCs) OS versions: collect winver / OS build and list DC hostnames. (See commands below.)
✅ Confirm Agent version running in your environment; target using the latest Agent versions recommended in release notes (Agent upgrades may be automatic but confirm).
Useful commands (run on a DC or via remote management):
# Get OS caption and version
Get-CimInstance -ClassName Win32_OperatingSystem | Select Caption, Version, BuildNumber
# Check ADWS service (if present)
Get-Service -Name ADWS -ErrorAction SilentlyContinue | Select Name, Status
Migration steps — convert a remote inspector to local (recommended approach) 🚀
Note: The following is a general workflow — exact steps may vary slightly depending on agent management and onboarding practices in your org.
1️⃣ Prepare the DC(s)
Ensure the DC is running Windows Server 2016 or newer. If not possible, plan an OS upgrade as the preferred long-term solution.
Confirm maintenance window and change freeze windows with your stakeholders.
2️⃣ Validate prerequisites for installing the Liongard Agent on a DC
Local admin permissions on DC.
Antivirus exclusions, host firewall rules to allow the Agent (check agent docs).
Ensure you understand any internal change control implications for installing third-party agents on DCs.
3️⃣ Install Liongard Agent on the Domain Controller
Use your standard agent deployment method (manual installer, SCCM, Group Policy / software distribution) to install the Liongard Agent on the DC.
If your environment requires it, pre-stage the agent configuration and authentication per your onboarding docs.
4️⃣ Register / Assign the Agent to the Active Directory Inspector
In Liongard, create or modify the Active Directory Inspector configuration to point to the local Agent on that DC.
If the previous inspector was remote, either create a new inspector for the local agent or update the existing inspector to use the new local agent host.
5️⃣ Run an initial inspection
Trigger a manual inspection (or wait for the automatic run) and monitor Inspector logs and UI status until Completed.
Validate the data collected (Users/Groups/Computers/DNS) and compare any previous metric outputs for parity.
If you cannot run a local agent on older DCs (legacy cases) 🤷
Historically, Liongard supported remote inspection using ADWS on older OSs (2012/2008/2003) if ADWS was installed — but that remote workflow has been removed in 2024 modernization. Running remote inspections via ADWS is no longer a supported path for current Active Directory Inspector versions. Attempting to rely on ADWS for Liongard remote inspection may result in incomplete/inconsistent behavior and is not recommended.
If you have legacy controllers that cannot host an Agent, plan a migration/upgrade of those domain controllers (preferred).
Additional Diagnostics (if inspections fail after migration) 🧐
Collect these items before opening a support case:
Environment ID and Inspector ID (from Liongard UI).
Agent logs from the DC (location varies; include time window).
Inspector logs and last run timestamps (UI → Inspector → Job history).
OS version and build of the DC(s): output of
Get-CimInstance -ClassName Win32_OperatingSystem.Agent version and install method.
Any firewall or AV logs showing blocked connections (if applicable).
Screenshots or exported outputs showing specific data missing or errors.
Quick checks:
Verify Agent process is running on the DC.
Confirm Liongard UI shows the agent-hosted inspector and last run status is Completed.
If expected data is missing, rerun the inspection with the agent in debug mode (CCDM — Clear Cache + Debug Mode) to gather verbose logs.
Troubleshooting — Common Errors & Fixes 🤩
Symptom | Likely cause | Fix / Next step |
Inspector fails to run after local agent install | Agent not running, or insufficient privileges |
|
Inspector times out in large AD | Agent/inspector needs longer runtime or Agent version update |
|
Data missing (e.g., DNS/DHCP not collected) | Permissions or role separation |
|
Best Practices / Prevention 🌟
Standardize on Windows Server 2016+ for domain controllers. Upgrades improve security posture and compatibility.
Install Agent locally on DCs instead of relying on remote methods. Local inspection is the supported model.
Document the migration: which inspector entries were updated or removed, and who approved the change.
Run post-migration validation: compare pre- and post-migration metrics for parity.
Keep Agents up to date with the latest versions recommended in Liongard release notes to benefit from performance and timeout improvements.
Should I migrate to local Agent? 🤨
Situation | Recommended action |
Using remote inspector today (WinRM/ADWS) | Migrate to local Agent on DC (required; remote removed). |
DCs run Windows Server 2016+ | Install local Agent; fully supported. |
DCs run Windows Server 2012 R2 or older | Plan OS upgrade. |
Large AD with timeouts | Use updated Agent + modern inspector; local inspections improve performance. |
When to Contact Liongard Support 🦁
Open a support ticket if any of the following occur after migration attempts:
Local Agent is installed but inspector run fails or shows incomplete data.
You need help mapping remote inspector configurations to local agent setups across many DCs.
You cannot install an Agent on specific DCs for legitimate operational reasons and need guidance on alternate approaches (Support will advise but may require infrastructure changes).
Provide when opening a ticket: Environment ID, Inspector ID, Agent version, OS version output, agent/inspector logs, and a brief description of steps taken so far.
Third-Party Links Disclaimer ‼️
This article references Microsoft guidance on ADWS and Liongard release notes. Microsoft documentation and third-party commands are provided for reference and troubleshooting. Liongard is not responsible for changes made to your Active Directory or server OS.
Useful references
Summary 🙌
Liongard requires local Agent installations for Active Directory inspection going forward; remote inspection using ADWS/WinRM has been removed (2024 modernization).
Use Windows Server 2016/+ domain controllers for full, supported functionality. Older OS versions are end-of-life and present security and compatibility risks.
Migrate remote inspectors to local agents, validate via manual inspection runs, collect logs if issues arise, and contact Support with Environment/Inspector IDs and logs if you need help.