Introduction
In an earlier post you installed System Center Configuration Manager (Current Branch). In this post you will learn about configuring discovery. Planning for discovery in ConfigMgr is an important step while configuring your sites and hierarchies. You need to discover objects in locations that you select and these discovered resources are what you want to manage (devices/users). These discovered resources can be targeted with software and/or get the ConfigMgr client agent installed via Client Push functionality.
Discovery within System Center Configuration Manager (Current Branch) has 6 methods listed below:
- Active Directory Forest Discovery
- Active Directory Group Discovery
- Active Directory System Discovery
- Active Directory User Discovery
- Heartbeat Discovery
- Network Discovery
When a discovery method successfully finds a new resource, discovery puts information about that resource into a file that is called a discovery data record (DDR), which is processed by a primary or central administration site. Processing of a DDR creates a new record in the site database for newly discovered resources, or updates existing records with the DDRs new information. [Source: Technet]
Step 1. Enable Active Directory Forest Discovery
Note: Perform the following on your ConfigMgr server as a user with Full Administrator permissions in the ConfigMgr console.
In the Configuration Manager console, click on Administration and select Hierarchy Configuration, click on Discovery Methods. The first discovery method listed is Active Directory Forest Discovery. This discovery method can be enabled on CAS or Primary site(s). Unlike other discovery methods, Active Directory Forest Discovery does not discover resources that you can manage. Instead, this method discovers Active Directory network locations and can convert those locations into boundaries for use throughout your hierarchy.
To discover Active Directory network locations and convert those locations into boundaries open the ConfigMgr console, in the Administration workspace, select Hierarchy Configuration, then select Discovery Methods and right click Active Directory Forest Discovery for the primary site and right click, choose Properties.
The General window appears with one option, Enable Active Directory Forest Discovery. Select it and two more choices are revealed:
- Automatically create active directory site boundaries when they are discovered
- Automatically create IP address range boundaries for IP subnets when they are discovered.
Select the second option and leave the default schedule for every 1 weeks.
Tip: Selecting both options above is fine in a LAB. In Production however, you should consider only selecting to discover IP address ranges. For clarification about this point please review this post from Jason Sandys (Enterprise Mobility MVP) about why IP Subnet Boundaries are EVIL
Click Apply, you’ll be prompted if you want to run a discovery as soon as possible, answer Yes.
Tip: If you want to review the discovery of objects via this discovery method, you can use CMTrace to open the ADForestDisc.log file. The log file will be located in in the <InstallationPath>\LOGS folder.
When publishing is enabled for a forest and that forests schema is extended for Configuration Manager, the following information is published for each site that is enabled to publish to that Active Directory forest:
- SMS-Site-<site code>
- SMS-MP-<site code>-<site system server name>
- SMS-<site code>-<Active Directory site name or subnet>
To verify that you’ve enabled publishing browse to Administration, Site Configuration, Sites, and check the properties of your Primary site server. Click on the Publishing tab.
Step 2. Enable Active Directory Group Discovery
Note: Perform the following on your ConfigMgr server as a user with Full Administrator permissions in the ConfigMgr console.
You can use Active Directory Group Discovery to search Active Directory Domain Services (AD DS) to identify the group memberships of computers and users. This discovery method searches a discovery scope that you configure, and then identifies the group memberships of resources in that discovery scope. By default, only security groups are discovered.
However, you can discover the membership of distribution groups when you select the checkbox for the option Discover the membership of distribution groups on the Option tab in the Active Directory Group Discovery Properties dialog box. When you discover a group, you can also discover limited information about its members.
Note: This does not replace Active Directory System Discovery or Active Directory User Discovery and is usually insufficient to build complex queries/collections or to serve as the bases of a client push installation.
Active Directory Group Discovery can discover the following information:
- Groups
- Membership of Groups
- Limited information about a groups member computers and users, even when those computers and users have not previously been discovered by another discovery method
Tip: This step assumes you want to discover resources recursively in the windowsnoob OU. Therefore, it may be necessary to move servers into their respective OU which is a child OU under the windowsnoob OU created in this guide otherwise they will not be discovered by this discovery method. You can do that via Active Directory Users and Computers on AD1.
In the ConfigMgr console, in the Administration workspace, select Hierarchy Configuration, then select Discovery Methods and right click Active Directory Group Discovery and choose properties.
Select the option to Enable Active Directory Group Discovery and click on Add to see two more choices, Groups and Location. These options are explained below:
- Groups: Use groups if you want to search one or more specific Active Directory groups. You can configure the Active Directory Domain to use the default domain and forest, or limit the search to an individual domain controller. Additionally, you can specify one or more groups to search. If you do not specify at least one group, all groups found in the specified Active Directory Domain location are searched.
- Location: Use a location if you want to search one or more Active Directory containers. This scope option supports a recursive search of the specified Active Directory containers that also searches each child container under the container you specify. This process continues until no more child containers are found.
Note: When you configure a discovery scope, select only the groups that you must discover. This is because Active Directory Group Discovery attempts to discover each member of each group in the discovery scope. Discovery of large groups can require extensive use of bandwidth and Active Directory resources.
Select Location from the drop down menu. Give it a name like Active Directory Group Discovery – P01 and select browse to decide where to recursively search. In this example I select the previously created windowsnoob Organizational Unit (OU) which will contain your servers, users, computers and devices.
Click on the Polling schedule tab and decide what is appropriate for your setup, the default is 7 days for a full Active Directory Group Discovery and you can enable Delta Discovery (enabled by default). This discovery method finds resources in Active Directory Domain services that are new or modified since the last discovery cycle in the time interval specified (default is 5 minutes).
Next, you can review the three options on the Options tab
and click Apply when ready and answer Yes to running the full discovery.
Tip: If you want to review the discovery of objects via this discovery method, you can use CMTrace to open the adsgdis.log file. The log file will be located in in the <InstallationPath>\LOGS folder.
Step 3. Enable Active Directory System Discovery
Note: Perform the following on your ConfigMgr server as a user with Full Administrator permissions in the ConfigMgr console.
Use Configuration Manager Active Directory System Discovery to search the specified Active Directory Domain Services (AD DS) locations for computer resources that can be used to create collections and queries. You can then install the client to discovered computers by using client push installation. To successfully create a discovery data record (DDR) for a computer, Active Directory System Discovery must be able to identify the computer account and then successfully resolve the computer name to an IP address.
By default, Active Directory System Discovery discovers basic information about the computer including the following:
- Computer name
- Operating system and version
- Active Directory container name
- IP address
- Active Directory site
- Last Logon Timestamp
In the ConfigMgr console, in the Administration workspace, select Hierarchy Configuration, then select Discovery Methods and right click Active Directory System Discovery and choose Properties, place a checkmark in Enable Active Directory System Discovery.
Click on the yellow starburst to add some Active Directory containers. For path click on browse and browse to the location you want to discover systems in.
Tip: You can add several locations by repeating this process and selecting different locations, but only add the locations you need to add as you don’t want to generate unnecessary network and CPU bandwidth.
On the Polling schedule tab, stick to the defaults and then select the Active Directory Attributes tab, if you want to add an attribute to discover select one from the list and choose Add >> in the example below you are adding an Active Directory attribute called msTPM-ownerinformation. There are many attributes to choose from, use only the ones you need to get your job done.
and click Apply and Ok and answer Yes to run a full discovery as soon as possible.
Tip: If you want to review the discovery of objects via this discovery method, you can use CMTrace to open the adsysdis.log file. The log file will be located in in the <InstallationPath>\LOGS folder.
Step 4. Enable Active Directory User Discovery
Note: Perform the following on your ConfigMgr server as a user with Full Administrator permissions in the ConfigMgr console.
Use Configuration Manager Active Directory User Discovery to search Active Directory Domain Services (AD DS) to identify user accounts and associated attributes. You can view the default list of object attributes returned by Active Directory User Discovery, and configure additional attributes to be discovered in the Active Directory User Discovery Properties dialog box on the Active Directory Attributes tab. By default, Active Directory User Discovery discovers basic information about the user account including the following:
- User name
- Unique user name (includes domain name)
- Domain
- Active Directory container names
In the ConfigMgr console, in the Administration workspace, select Hierarchy Configuration, then select Discovery Methods and right click Active Directory User Discovery and choose Properties. Place a checkmark in Enable Active Directory User Discovery as shown below.
Select the Enable Active Directory User Discovery box and click on the yellow starburst to add some active directory locations to discover users.
You can configure the Polling tab and Active Directory Attributes tab settings if you wish, then click apply and answer yes to Run a Full Discovery now.
Tip: If you want to review the discovery of objects via this discovery method, you can use CMTrace to open the adusrdis.log file. The log file will be located in in the <InstallationPath>\LOGS folder.
Step 5. Review what has been discovered in the console
Note: Perform the following on your ConfigMgr server as a user with Full Administrator permissions in the ConfigMgr console.
In the ConfigMgr console, in the Assets and Compliance workspace, select Users, then select All Users, the discovered Users should appear.
In the Assets and Compliance workspace, select All User Groups, the discovered User Groups should appear.
In the ConfigMgr console, in the Assets and Compliance workspace, select Devices, then select All Systems, the discovered Systems should appear.
Note: If you are wondering why AD1 does not appear it is because that server is placed under the Domain Controllers container and that container path was not added to any system discovery method.
Downloads
You can download a Microsoft Word copy of this guide (dated 2015/12/17) here:
Configuring Discovery for System Center Configuration Manager (Current Branch).zip 865.78KB 8 downloads
Summary
In this guide you configured Discovery methods in System Center Configuration Manager (Current Branch) to discover resources that you want to manage. In the next part of this new series you will configure Boundaries.
until next time, adios and thanks for reading.