Active Directory System Discovery
I have a few questions regarding the Discovery Methods in SCCM, starting with AD System Discovery. I have one central site and 2 parent sites, along with 70 secondary sites. Should the discovery methods be enabled only at the central or all primary sites? Defining Active Directory Containers: when I identify the Distinguished Name (LDAP), by default they are set to Recursive - YES and Group - EXCLUDED. I am assuming here that excluded means that during polling SCCM AD System Discovery will NOT poll these OUs - is this a correct assumption? I am trying to keep the database clean and am trying to start by re-defining the discovery methods, as I continue to get inactive machines into the database through the discovery methods. In our environment we have a NO DELETE policy for AD Computers; we will disable after 6 months of no activity and move those PCs to an OU that I have excluded from the discovery methods. Any suggestions on a way to help keep the database clean and managed? Thanks
June 8th, 2012 12:01pm

1. Generally, you should enable discovery on the sites which manage the clients for the OUs that they manage. The main reason to do this is if you use automatic client installation.
2. Group Excluded means not to look at the membership of security groups contained in the OU for additional resources.
3. (Side comment: why would you have a no delete policy? That makes no sense. Are you expecting a computer to show up after 2 years of not being on the network? What are the negative ramifications even if it does? You simply rejoin it to the domain.) AD System Discovery will not discover disabled resources, thus those resources will age and will be removed by the Delete Aged Discovery Task. Also, implement and use Client Status Reporting (CSR) -- a part of R2. It will let you identify and mark clients as inactive, which can then be removed by the Delete Inactive Resource task.
Jason | Twitter @JasonSandys
June 8th, 2012 9:53pm

Just to answer the "no delete policy" question... Been fighting that one for years... The powers that be refuse to let us delete (all political). (They are lightening up and letting us delete after 12 months inactivity). But, that's leaving a messy SCCM environment, and will continue to do so. Thanks for the info, there were a few settings that were left over from the initial installation of 2003, migrated to SCCM 2007, before I took the reins and started to clean up. You are suggesting that discovery is turned on at ALL Secondary Sites?
June 11th, 2012 1:36pm

Hi Jason, just on point #2 - there is also the AD Security Group Discovery on its own, so what's the difference between this and the "Include Groups" as per your explanation? Cheers, Xm
July 17th, 2012 7:36pm

(Sorry for the late reply) Security Group Discovery discovers AD security groups but not their members. Include groups doesn't discover groups, it discovers members of groups that happen to be within the OUs that are in the scope of the System Discovery.
Jason
August 9th, 2012 6:42pm

This topic is archived. No further replies will be accepted.
