Types of Discoveries:
Active Directory Forest Discovery
The Active Directory Forest discovery can discover sites and subnets and create Configuration Manager boundaries for them. This discovery method allows you to automatically create the Active Directory or IP subnet boundaries that are within the discovered Active Directory Forests. It supports a user-defined account as the discovery resource in each forest and can publish to the Active Directory Domain Service of a forest if publishing is enabled and the account has permissions.
Active Directory Group Discovery
The Active Directory Group discovery has the ability to discover groups from a defined location in Active Directory. This discovery includes local, global and universal security groups and the membership within these groups. With this discovery you also have the ability to discover computers that have logged on to the domain in any given period of time. Distribution groups are not discovered as group resources.
Active Directory System Discovery
Active Directory System discovery gives you the ability to discover computers in a specific location within Active Directory Domain Services. Computer discovery is required in order to push the SCCM client out to computers. You can also configure discovery for computers that have logged into the domain in a specific period of time to prevent discovery of machine accounts that are obsolete.
Active Directory User Discovery
The Active Directory User discovery is just that, it lets you discover users in specific containers within AD. This discovery comes with some solid filtering options when discovering user accounts such as attributes, child containers and groups.
Network Discovery
Network discovery searches your network infrastructure for network devices that have an IP address and can discovery devices that might be found by other discovery methods including printers, routers and bridges.
Enabling Discovery:
Now that we have a little better understanding of the different types of discoveries lets go ahead and turn them on. In the Admin space, expand Hierarchy Configuration and Select Discovery Methods.
You will see all of the discoveries discussed earlier. You will also notice that all of them are disabled by default except for Heartbeat discovery.
Where to Run Discoveries:
This is the time to consider where you intend to run discoveries. Once an object is discovered its information is disseminated within the SCCM hierarchy automatically so it may not make sense to have multiple sites querying the same information. You can, however have multiple discoveries running on alternating schedules, if items in your environment change frequently. Just be sure to not have them running simultaneously as this can cause network latency and create duplicate records in the database. Plan each discovery schedule carefully so they do not overlap. Other things to consider when setting up discoveries are running the discovery from a location which has a fast network connection to the domain controller. Also take into account the Active Directory topology as well to ensure you are discovering the most current information.
Since we are running this in a lab with only one site and one DC this is not a huge issue but for you it may be.
Active Directory Forest Discovery
Active Directory Forest discovery is one I would consider running at the top of your hierarchy. If you have built a CAS server and it is in good network proximity to the Domain Controller, I would run it on the CAS. So lets go ahead and enable Forest discovery. Right Click on Active Directory Forest Discovery and Select Properties. The Forest Discovery Properties windows will open. Check the box for Enable Active Directory Forest Discovery to enable the discovery. Then Check Automatically create Active Directory Site boundaries when they are discovered and Automatically create IP address range boundaries for IP subnets when they are discovered. For now leave the discovery schedule set to 1 Week. Click OK
You will be prompted to run the discovery as soon as possible. Click Yes
Now that we have Forest discovery enabled we want to make sure that publishing is enabled so we can write back the following information to Active Directory (assuming you extended the Active Directory Schema):
- SMS-Site-<site code>
- SMS-MP-<site code>-<site system server name>
- SMS-SLP-<site code>-<site system server name>
- SMS-<site code>-<Active Directory site name or subnet>
Active Directory Group Discovery
Now lets move on to Group discovery. Back in Discovery Methods Right Click on Group Discovery and Select Properties. In the Active Directory Group Discovery Properties window Check Enable Active Directory Group Discovery. Now there are two ways to discover groups, individually by group, and by location. The latter is much easier in my opinion as it gives you the ability to query the entire domain instead of calling out individual containers. Click Add then Select Location...
For the Location you will be asked for a Name and Location. I called it All Groups. Then Click Browse
The easiest way is just to select the top level domain. The query will then go through all the containers to do a discovery. Click OK
Verify the LDAP information has been populated. Click OK
You will see your newly added group discovery. Click on the Polling Schedule tab.
Here you can define exactly how often it does a full scan. You can also chose to have a delta discovery run (recommended). Click Schedule
In the Custom Schedule pane you can define exactly when you want the full scan to run. Adjust the time to fit your needs and Click OK
Click on the Option Tab. From here you can define how far back to go to scan for computers and how recently they have updated their passwords. I enable all three options and set the length to 90 days. Click OK
You will be prompted to run a full scan as soon as possible. Click Yes
Active Directory System Discovery
Now lets enable the System discovery. Right Click on Active Directory System Discovery and select Properties. Check the box to enable discovery and Click on the Orange Star
Same as before Click Browse and select the container you want to run discovery on. Repeat the process for multiple containers. You can select the top level of the domain as we did before but if you have a lot of computers in your environment this can cause high bandwidth utilization so you might want to run the initial scan and all scheduled scans in off peak hours. Click OK
As before adjust polling schedule to suit your environmental needs. Click on the Active Directory Attributes tab. You can see that quite a few attributes are selected by default, but you can add even more as needed. I have chosen to add badPasswordTime and badPwdCount as well. Click on the Option tab
Again Check both option boxes and set the interval to 90 days. Click OK
You will be prompted to run the initial scan as soon as possible. Click OK
Active Directory User Discovery
User discovery is very similar to System discovery. Right click on Active Directory User Discovery and select Properties. Check the box to enable discovery and Click on the Orange Star. As in System discovery select the containers you wish to scan and Click OK.
On the Polling Schedule you can define when the Scan will run.
In Active Directory Attributes you can add any additional user attributes to scan. Click OK.
You will be prompted to run the scan as soon as possible. Click OK
More to come!
If you like this blog, give it a g+1
Contributing documentation:
Technet
Hi thanks for the post. Can u please tell me how do i discover the computer out of my domain. Like my laptop which is out of my lab domain.
ReplyDeleteCrazy, this will be the subject of a future post.
ReplyDelete