Critical ! AD System Discovery Methods

  • Question

  •  

    Dear all,

    How can I add the "Computers" OU in SCCM 2007 discovery methods?

    Because in our environment, all computers, when they join the domain, are added to the "Computers" container.

    The "Computers" container has 9000 computer objects, but the SCCM 2007 All Collection only has 4000 objects.

    Also, I have checked the SCCM DB table; the table only has 4000 objects.

    I tried to add an SCCM custom LDAP or GC query and point it to "Domain Name" -> "Computers",

    and checked the adsysdis.log, and it showed:

    "ERROR: Failed to bind to AD Object LDAP://CN=COMPUTERS,DC=LAB,DC=DEMO, error=The specified directory service attribute or value does not exist.~~"

    "ERROR: Failed to enumerate directory objects in AD container LDAP://CN=COMPUTERS,DC=LAB,DC=DEMO

    Monday, May 26, 2008 5:11 AM

Answers

  • First of all, you need to know if the 9000 objects are real computers. I suggest using oldcmp.exe to generate a report to see how many of those are no longer valid, then disable the invalid accounts.

    Second of all, as a best practice you shouldn't leave computers in the default computers OU, but that's a discussion for elsewhere.

    Next, ConfigMgr will only discover the objects that are in AD and will resolve in DNS; that's why step 1 above is important.

    Lastly, you should just be able to browse and select the OU you want to search. Click the yellow icon that looks like the sun, select the custom LDAP or GC query radio button and click browse. The only time I have seen the browse not work is if you are trying to get to another domain than the one your server is in. In that case you can enter the LDAP path to that domain, then browse.

    Your LDAP query should resemble this: LDAP://CN=COMPUTERS,DC=MYDOMAIN,DC=FOREST

    Also, you need rights to read from AD for AD System Discovery to work.

    Configuration Manager 2007 might not have sufficient access to Active Directory Domain Services. Configuration Manager 2007 must have Read access to the containers that you specify for Active Directory System Discovery, Active Directory System Group Discovery, and Active Directory User Discovery. Configuration Manager 2007 uses the site server computer account to perform Active Directory discovery. When the site server computer account is used in domains other than the domain in which the site server is located, the account must have user rights on those domains. The account must at least be a member of the Domain Users group or local Users group on the domains.

    Tuesday, May 27, 2008 2:13 PM

All replies

  • I also have the same issue with SCCM 2007 R2 + SP2 BETA in mixed mode.

    The server computer account has read rights on all of AD and communicates well with AD (a net dump shows requests for entries in the System container), but it doesn't search for computers.
    ADSYSDIS.log
    Starting the data discovery.~  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><ven. août 21 00:00:02.321 2009 W. Europe Daylight Time><thread=5264 (0x1490)>
    INFO: Full synchronization requested~  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><ven. août 21 00:00:02.337 2009 W. Europe Daylight Time><thread=5264 (0x1490)>
    ERROR: Failed to enumerate directory objects in AD container LDAP://OU=Computers,DC=agencelambert,DC=lan~  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><ven. août 21 00:00:04.587 2009 W. Europe Daylight Time><thread=5264 (0x1490)>
    STATMSG: ID=5204 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_AD_SYSTEM_DISCOVERY_AGENT" SYS=SIM02 SITE=ALF PID=1720 TID=5264 GMTDATE=jeu. août 20 22:00:04.587 2009 ISTR0="LDAP://OU=Computers,DC=agencelambert,DC=lan" ISTR1="The specified domain either does not exist or could not be contacted.~~" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><ven. août 21 00:00:04.587 2009 W. Europe Daylight Time><thread=5264 (0x1490)>
    STATMSG: ID=5202 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AD_SYSTEM_DISCOVERY_AGENT" SYS=SIM02 SITE=ALF PID=1720 TID=5264 GMTDATE=jeu. août 20 22:00:04.587 2009 ISTR0="1" ISTR1="0" ISTR2="0" ISTR3="0" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><ven. août 21 00:00:04.587 2009 W. Europe Daylight Time><thread=5264 (0x1490)>
    *** Shutting Down ************************~  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><ven. août 21 00:00:04.587 2009 W. Europe Daylight Time><thread=5264 (0x1490)>

    and the same issue with ADUSRDIS.LOG
    Friday, August 21, 2009 9:30 AM
  • Hi,

    With SP2 Beta this is a known bug ...
    Replace "LDAP://OU=Computers,DC=agencelambert,DC=lan" with "LDAP://DomainController:Port/OU=Computers,DC=agencelambert,DC=lan"

    Cheers,
    Serge
    • Proposed as answer by Garth Jones MVP Wednesday, January 4, 2012 5:00 AM
    Saturday, August 22, 2009 9:43 PM
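
A log triage sketch for the adsysdis.log excerpts posted in this thread, added here as an example and not part of any post: it groups each LDAP path that failed discovery with the reason logged for it. The trailer layout and the reading of ISTR0/ISTR1 in SEV=E STATMSG lines are inferred only from the lines shown above; the first three sample lines are copied from the thread and the fourth is constructed from the first post's bind error.

```python
import re
from collections import defaultdict

# Trailer seen on every log line in the thread: $$<component><timestamp><thread=...>
LINE_RE = re.compile(r'^(?P<msg>.*?)\s*\$\$<(?P<comp>[^>]*)><(?P<ts>[^>]*)><thread=(?P<tid>\d+)')
ERR_RE = re.compile(r'^ERROR: Failed to (?:bind to AD Object|enumerate directory objects '
                    r'in AD container) (?P<path>LDAP://.+?)(?:, error=(?P<why>.*))?$')
ISTR_RE = re.compile(r'ISTR(\d)="([^"]*)"')

# Lines 1-3 are copied from the thread. Line 4 is constructed: the first post's
# bind error with a made-up trailer in the same layout.
SAMPLE_LOG = '''\
INFO: Full synchronization requested~  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><ven. août 21 00:00:02.337 2009 W. Europe Daylight Time><thread=5264 (0x1490)>
ERROR: Failed to enumerate directory objects in AD container LDAP://OU=Computers,DC=agencelambert,DC=lan~  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><ven. août 21 00:00:04.587 2009 W. Europe Daylight Time><thread=5264 (0x1490)>
STATMSG: ID=5204 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_AD_SYSTEM_DISCOVERY_AGENT" SYS=SIM02 SITE=ALF PID=1720 TID=5264 GMTDATE=jeu. août 20 22:00:04.587 2009 ISTR0="LDAP://OU=Computers,DC=agencelambert,DC=lan" ISTR1="The specified domain either does not exist or could not be contacted.~~" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><ven. août 21 00:00:04.587 2009 W. Europe Daylight Time><thread=5264 (0x1490)>
ERROR: Failed to bind to AD Object LDAP://CN=COMPUTERS,DC=LAB,DC=DEMO, error=The specified directory service attribute or value does not exist.~~  $$<SMS_AD_SYSTEM_DISCOVERY_AGENT><Mon May 26 05:00:00.000 2008 Example Time><thread=1 (0x1)>
'''

def failed_containers(log_text, component='SMS_AD_SYSTEM_DISCOVERY_AGENT'):
    """Map each LDAP path that failed discovery to the sorted reasons logged for it."""
    failures = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m['comp'] != component:
            continue                          # not a log line, or another component
        msg = m['msg'].rstrip('~ ')           # drop the "~" end-of-message markers
        err = ERR_RE.match(msg)
        if err:
            path, why = err['path'], err['why']
        elif msg.startswith('STATMSG:') and ' SEV=E ' in msg:
            # Assumption from the thread's one example: ISTR0 = path, ISTR1 = reason
            istr = dict(ISTR_RE.findall(msg))
            path, why = istr.get('0', ''), istr.get('1', '').rstrip('~ ')
        else:
            continue
        if path.startswith('LDAP://'):
            # Keep the path even when the line carries no reason text
            failures[path].update([why] if why else [])
    return {path: sorted(reasons) for path, reasons in failures.items()}

if __name__ == '__main__':
    for path, reasons in failed_containers(SAMPLE_LOG).items():
        print(path, '->', reasons or ['(no reason logged)'])
```
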