Nutanix Requirements
DMC runs a 'Physical Servers' (bare-metal) scan of Nutanix hosted machines.
All metrics (CPU, memory, disk, network etc) will be collected at guest-level, nothing is collected at hypervisor-level.
DMC supports scanning of Windows and Linux servers hosted on Nutanix with the following requirements.
Supported Operating Systems¶
| Operating System | Support Details |
|---|---|
| Windows Server 2008 R2 and above | Collects metrics for Windows servers |
| Ubuntu | Collects metrics for Linux servers |
| Red Hat | Collects metrics for Linux servers |
| CentOS | Collects metrics for Linux servers |
| SUSE | Collects metrics for Linux servers |
Network Requirements¶
DMC requires network access to target Nutanix guest VMs within the scope of discovery.
| Source | Destination | Ports | Purpose |
|---|---|---|---|
| Jump Box | Windows VMs | 5985 (HTTP), 5986 (HTTPS) | Windows Remote Management (WinRM) |
| Jump Box | Linux VMs | 22 (SSH) | Linux management and data collection |
Windows VM Prerequisites¶
PowerShell Remoting must be enabled on Windows VMs to allow DMC to run PowerShell commands over WinRM connections.
Enable Powershell Remoting¶
Open Powershell¶
Open PowerShell as Administrator on each Windows VM
Run Command¶
Run the following command:
powershell
Enable-PSRemoting -force
Enable AllowRemoteShellAccess¶
In order to allow DMC to successfully collect guest information please ensure that AllowRemoteShellAccess is enabled in WinRM Configuration
Set-WSManInstance -ResourceURI winrm/config/winrs -ValueSet @{AllowRemoteShellAccess="true"}.
This enables the WinRM service and configures the necessary firewall rules for remote PowerShell connections.
PowerShell Constrained Mode¶
DMC does not support PowerShell constrained mode. This feature must be disabled on Windows VMs to allow DMC to collect the required system information.
To disable PowerShell constrained mode:
Check Current Status¶
Run the following command to check if constrained mode is enabled:
$ExecutionContext.SessionState.LanguageMode
Disable Constrained Mode¶
If the output shows "ConstrainedLanguage", run the following command to disable it:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine
Check UAC Token Filtering¶
Run the following command to check if UAC token filtering is enabled:
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy
If the value is 0, UAC token filtering is enabled and may prevent DMC from collecting data. Set the value to 1 to disable filtering:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
PowerShell constrained mode restricts the execution of certain PowerShell commands and modules, which prevents DMC from collecting necessary system information. Ensure this mode is disabled before running DMC discovery.
Credential Requirements¶
To ensure DMC can perform discovery the following permissions are required.
Windows VM Access¶
| Account | Minimum Required Permissions | Reason |
|---|---|---|
| Domain Admin or Local Admin | Interactive Login Rights | Required to collect system settings, software inventory, active processes, and network dependencies to assist with environment assessment. |
| Remote Management Users | Group membership | Enables WinRM connections for remote data collection |
| Performance Monitor Users | Group membership | Allows performance data collection |
| Performance Log Users | Group membership | Enables performance logging access |
Verify Group Membership: Being a Local Admin or Domain Admin may not automatically include membership in the Remote Management Users, Performance Monitor Users, or Performance Log Users groups. Verify that your Windows VM Access account is a member of all required groups before running DMC discovery.
UAC Filtering Note: Sometimes, even after adding the account to the right groups, it may not return the needed data because of UAC filtering. To fix this, give the user account the right permissions on the CIMV2 namespace and its sub-namespaces on the target server. For infomation how to troubleshoot UAC filtering please see here
Linux VM Access¶
| Account | Minimum Required Permissions | Reason |
|---|---|---|
| Root or Sudo-enabled user | System access for package queries and process monitoring | Required to collect system settings, software inventory, active processes, and network dependencies to assist with environment assessment. |
Usernames can be entered in either user/domain or user@domain.com format for Windows VMs; both styles are supported.
Least Privilege Guest OS Account Setup¶
If you prefer to use least-privilege accounts instead of admin accounts, you can set up dedicated user accounts with specific permissions.
Windows VM Accounts¶
For Windows VMs, you can create a least-privileged Windows user account:
Prerequisites: - PowerShell remoting must still be enabled on the Windows VMs (see Windows VM Prerequisites above)
Required Group Memberships:
| Group | Purpose | Alternative |
|---|---|---|
| Remote Management Users | Enables WinRM connections | WinRMRemoteWMIUsers_ |
| Performance Monitor Users | Allows performance data collection | Required |
| Performance Log Users | Enables performance logging access | Required |
Required permissions: The account needs these permissions so DMC can create a CIM connection with the server and collect configuration and performance data from the required WMI classes.
Additional Requirements: - For Windows Server 2008 and 2008 R2, ensure that WMF 3.0 is installed on the servers.
Linux VM Accounts¶
You need a user account that has sudo permissions to execute specific commands with NOPASSWD on the Linux VMs you want to discover.
This account helps collect configuration and performance data, perform software inventory (find installed applications), and enable agentless dependency analysis using SSH.
Required sudo access (NOPASSWD):
| Command | Purpose | Full Path |
|---|---|---|
| netstat or ss | Network connection analysis | /usr/bin/netstat, /usr/bin/ss |
| ps | Process information | /usr/bin/ps |
| ls | File system listing | /usr/bin/ls |
Sudoers file entry example:
username ALL=(ALL) NOPASSWD: /usr/bin/netstat, /usr/bin/ss, /usr/bin/ps, /usr/bin/ls
Important: Ensure that you enable NOPASSWD for the account so it can run the required commands without asking for a password each time it uses sudo. Also modify the sudoers file to disable terminal (requiretty) for the user account.
Some Linux distributions, like Red Hat, have different base configurations. We have noticed that commands/executables may be located in different paths, and there may also be restrictions on running remote commands without a TTY session.
Hence, it is important to check the following:
- If the commands are not in the expected path (e.g., /usr/bin/ls), you can find the correct path using command -v ls or command -v netstat and include the correct path in the sudoers file.
- If the sudoers file requires a TTY session for users (requiretty), you need to disable that for the username used for scanning. To do this, add Defaults:username !requiretty to the sudoers file (replacing username with the actual account name). To verify it is effective, try running a remote command via SSH, such as ssh username@host sudo id, and confirm it executes without a TTY error.
SSH Key Requirements¶
For Linux VMs, DMC supports SSH private keys created using the ssh-keygen command with the following algorithms:
| Algorithm | Support Details |
|---|---|
| RSA | Full support for RSA key pairs |
| DSA | Full support for DSA key pairs |
| ECDSA | Full support for ECDSA key pairs |
| ed25519 | Full support for ed25519 key pairs |
Important Notes: - SSH keys with passphrases are not supported. Use keys without a passphrase. - SSH private key files created by PuTTY are not supported. - Only SSH private key files in OpenSSH format are supported.

