Active Directory System Discovery

Question
I have a few questions regarding the Discovery Methods in SCCM - starting with AD System Discovery
- I have one central site and 2 parent sites, along with 70 secondary sites, should the discovery methods be enabled only at the central or all primary sites?
- Defining Active Directory Containers: when I identify the Distinguished Name (LDAP), by default they are set to Recursive - YES and Group - EXCLUDED. I am assuming here that "excluded" means that during polling SCCM AD System Discovery will NOT poll these OUs - is this a correct assumption?
- I am trying to keep the database clean and am trying to start by re-defining the discovery methods, as I continue to get inactive machines into the database through the discovery methods. In our environment we have a NO DELETE policy for AD computers; we disable after 6 months of no activity and move those PCs to an OU that I have excluded from the discovery methods. Any suggestions on a way to help keep the database clean and managed?
Thanks
Friday, June 8, 2012 4:01 PM
Answers
1. Generally, you should enable discovery on the sites which manage the clients for the OUs that they manage. The main reason to do this is if you use automatic client installation: http://myitforum.com/cs2/blogs/jgilbert/archive/2007/02/22/sms-2003-client-push-installation-method-explained.aspx
2. Group Excluded means not to look at the membership of security groups contained in the OU for additional resources.
3. (Side comment: why would you have a no-delete policy? That makes no sense. Are you expecting a computer to show up after 2 years of not being on the network? What are the negative ramifications even if it does? You simply rejoin it to the domain.) AD System Discovery will not discover disabled resources, thus those resources will age and will be removed by the Delete Aged Discovery task. Also, implement and use Client Status Reporting (CSR) -- a part of R2. It will let you identify and mark clients as inactive, which can then be removed by the Delete Inactive Resource task.
Jason | http://blog.configmgrftw.com | Twitter @JasonSandys
- Proposed as answer by Quan xu Monday, June 11, 2012 9:39 AM
- Marked as answer by Garth Jones (MVP) Friday, January 1, 2016 7:02 PM
Saturday, June 9, 2012 1:53 AM
All replies
Just to answer the "no delete policy" question...
Been fighting that one for years... The powers that be refuse to let us delete (all political).
(They are lightening up and letting us delete after 12 months of inactivity.) But that's leaving a messy SCCM environment, and will continue to do so.
Thanks for the info; there were a few settings that were left over from the initial installation of 2003, migrated to SCCM 2007, before I took the reins and started to clean up.
You are suggesting that discovery is turned on at ALL secondary sites?
- Edited by mike72_E Monday, June 11, 2012 6:18 PM (added another question)
Monday, June 11, 2012 5:36 PM
Hi Jason,
Just on point #2 - there is also the AD Security Group Discovery on its own, so what's the difference between this and the "Include Groups" as per your explanation?
Cheers,
Xm
Tuesday, July 17, 2012 11:35 PM
(Sorry for the late reply)
Security Group Discovery discovers AD security groups but not their members.
Include groups doesn't discover groups, it discovers members of groups that happen to be within the OUs that are in the scope of the System Discovery.
Jason | http://blog.configmgrftw.com
Thursday, August 9, 2012 10:41 PM
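The two points Jason makes above (point 3 in the accepted answer: disabled computer accounts are not discovered; and the last reply: "Include groups" only expands the members of groups that sit inside the scoped OU, while Security Group Discovery finds the groups themselves) are easy to get wrong when you define containers. The PowerShell below is an added example, not code from the thread or from ConfigMgr itself. It previews which computer objects a container definition would pick up under those rules, against a constructed in-memory sample directory (every DN, the `$Directory` table and the `Get-DiscoveryPreview` / `Get-LiveComputerDns` names are assumptions made here for illustration). It takes "disabled" to mean the ACCOUNTDISABLE bit (0x2) of `userAccountControl`, which is also what the LDAP bitwise filter in the live-domain helper tests.

```powershell
# Added example (not from the thread or ConfigMgr): preview AD System Discovery scope.
# ASSUMPTIONS: sample directory, DNs and function names are constructed here;
# "disabled" = userAccountControl bit 0x2 (ADS_UF_ACCOUNTDISABLE).

# --- Constructed sample directory, shaped like DirectorySearcher results (no escaped commas in DNs) ---
$Directory = @(
    [pscustomobject]@{ DN = 'CN=WS01,OU=Workstations,DC=corp,DC=example';            Class = 'computer'; UAC = 4096; Members = @() }
    [pscustomobject]@{ DN = 'CN=WS02,OU=Finance,OU=Workstations,DC=corp,DC=example'; Class = 'computer'; UAC = 4096; Members = @() }
    [pscustomobject]@{ DN = 'CN=WS03,OU=Workstations,DC=corp,DC=example';            Class = 'computer'; UAC = 4098; Members = @() }  # 4096 + 2: disabled
    [pscustomobject]@{ DN = 'CN=OLD01,OU=Retired,DC=corp,DC=example';                Class = 'computer'; UAC = 4098; Members = @() }  # disabled, parked OU
    [pscustomobject]@{ DN = 'CN=SRV01,OU=Servers,DC=corp,DC=example';                Class = 'computer'; UAC = 4096; Members = @() }
    [pscustomobject]@{ DN = 'CN=Lab PCs,OU=Workstations,DC=corp,DC=example';         Class = 'group';    UAC = 0
                       Members = @('CN=SRV01,OU=Servers,DC=corp,DC=example', 'CN=OLD01,OU=Retired,DC=corp,DC=example') }
)

# Is $DN directly under $Container (OneLevel) or anywhere beneath it (Subtree)?
function Test-InContainer {
    param([string]$DN, [string]$Container, [bool]$Recursive)
    $parent = $DN.Substring($DN.IndexOf(',') + 1)
    if ($Recursive) { return ($parent -eq $Container) -or $parent.EndsWith(",$Container") }
    return $parent -eq $Container
}

# Emulates one container entry: Recursive YES/NO, Group INCLUDED/EXCLUDED, disabled accounts skipped.
# $ExcludedContainers models an OU you deliberately keep out of the container list.
function Get-DiscoveryPreview {
    param(
        [Parameter(Mandatory)][string]$Container,
        [bool]$Recursive = $true,
        [bool]$IncludeGroups = $false,
        [string[]]$ExcludedContainers = @(),
        [object[]]$Objects = $Directory
    )
    $byDn = @{}
    foreach ($o in $Objects) { $byDn[$o.DN] = $o }

    $inScope    = $Objects | Where-Object { Test-InContainer $_.DN $Container $Recursive }
    $candidates = @($inScope | Where-Object { $_.Class -eq 'computer' })

    # "Include groups": discover the MEMBERS of groups inside the scoped OU, not the groups.
    if ($IncludeGroups) {
        foreach ($g in ($inScope | Where-Object { $_.Class -eq 'group' })) {
            foreach ($m in $g.Members) { if ($byDn.ContainsKey($m)) { $candidates += $byDn[$m] } }
        }
    }

    # Drop anything living under an excluded OU, and anything with the ACCOUNTDISABLE bit set.
    $candidates | Where-Object {
        $obj      = $_
        $excluded = $ExcludedContainers | Where-Object { Test-InContainer $obj.DN $_ $true }
        (-not $excluded) -and (($obj.UAC -band 2) -eq 0)
    } | Select-Object -ExpandProperty DN -Unique
}

# Same "skip disabled" rule against a live domain: 1.2.840.113556.1.4.803 is the LDAP
# bitwise-AND matching rule, so the filter excludes objects whose userAccountControl has bit 2 set.
function Get-LiveComputerDns {
    param([Parameter(Mandatory)][string]$Container, [bool]$Recursive = $true)
    $root     = [ADSI]"LDAP://$Container"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter      = '(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $searcher.SearchScope = if ($Recursive) { 'Subtree' } else { 'OneLevel' }
    $searcher.PageSize    = 1000   # paged results, otherwise the DC caps you at 1000 entries
    $searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }
}

# Usage: the console default (groups excluded), then the same container with Include Groups on.
Get-DiscoveryPreview -Container 'OU=Workstations,DC=corp,DC=example' -ExcludedContainers 'OU=Retired,DC=corp,DC=example'
Get-DiscoveryPreview -Container 'OU=Workstations,DC=corp,DC=example' -ExcludedContainers 'OU=Retired,DC=corp,DC=example' -IncludeGroups $true
```

Walking the sample through by hand: the first call yields WS01 and WS02 (WS03 is skipped for its disabled bit, and the "Lab PCs" group is ignored because groups are excluded); the second call adds SRV01, which is reached only through the group's membership even though it sits in an OU that is not in scope, while OLD01 stays out because it is disabled and lives in the parked OU. That last case is the caveat for the original poster: a parked OU only stays out of discovery if it is not beneath any container that is searched recursively, so the "disabled after 6 months" step is what actually stops those accounts from being re-discovered.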