How can I configure discovery for System Center Configuration Manager (Current Branch)

Introduction

In an earlier post you installed System Center Configuration Manager (Current Branch). In this post you will learn about configuring discovery. Planning for discovery in ConfigMgr is an important step while configuring your sites and hierarchies. You need to discover objects in locations that you select and these discovered resources are what you want to manage (devices/users). These discovered resources can be targeted with software and/or get the ConfigMgr client agent installed via Client Push functionality.
Discovery within System Center Configuration Manager (Current Branch) has 6 methods listed below:

  • Active Directory Forest Discovery
  • Active Directory Group Discovery
  • Active Directory System Discovery
  • Active Directory User Discovery
  • Heartbeat Discovery
  • Network Discovery

When a discovery method successfully finds a new resource, discovery puts information about that resource into a file that is called a discovery data record (DDR), which is processed by a primary or central administration site. Processing of a DDR creates a new record in the site database for newly discovered resources, or updates existing records with the DDR's new information. [Source: Technet]

 

Step 1. Enable Active Directory Forest Discovery

Note: Perform the following on your ConfigMgr server as a user with Full Administrator permissions in the ConfigMgr console.

 

In the Configuration Manager console, click on Administration, select Hierarchy Configuration, and click on Discovery Methods. The first discovery method listed is Active Directory Forest Discovery. This discovery method can be enabled on CAS or Primary site(s). Unlike other discovery methods, Active Directory Forest Discovery does not discover resources that you can manage. Instead, this method discovers Active Directory network locations and can convert those locations into boundaries for use throughout your hierarchy.

 

To discover Active Directory network locations and convert those locations into boundaries, open the ConfigMgr console. In the Administration workspace, select Hierarchy Configuration, then select Discovery Methods, right click Active Directory Forest Discovery for the primary site and choose Properties.

 

properties of active directory forest discovery.png

 

The General window appears with one option, Enable Active Directory Forest Discovery. Select it and two more choices are revealed:

  • Automatically create active directory site boundaries when they are discovered
  • Automatically create IP address range boundaries for IP subnets when they are discovered.

Select the second option and leave the default schedule for every 1 weeks.

 

Tip: Selecting both options above is fine in a LAB. In production, however, you should consider only selecting to discover IP address ranges. For clarification about this point, please review this post from Jason Sandys (Enterprise Mobility MVP) about why IP Subnet Boundaries are EVIL.

 

active directory forest discovery general screen.png

 

Click Apply. You'll be asked whether you want to run a discovery as soon as possible; answer Yes.

 

yes to discovery.png

 

Tip: If you want to review the discovery of objects via this discovery method, you can use CMTrace to open the ADForestDisc.log file. The log file will be located in the <InstallationPath>\LOGS folder.

 

forest discovery.png

 

When publishing is enabled for a forest and that forest's schema is extended for Configuration Manager, the following information is published for each site that is enabled to publish to that Active Directory forest:

  • SMS-Site-<site code>
  • SMS-MP-<site code>-<site system server name>
  • SMS-<site code>-<Active Directory site name or subnet>

To verify that you’ve enabled publishing browse to Administration, Site Configuration, Sites, and check the properties of your Primary site server. Click on the Publishing tab.

 

published.png

 

Step 2. Enable Active Directory Group Discovery

Note: Perform the following on your ConfigMgr server as a user with Full Administrator permissions in the ConfigMgr console.

You can use Active Directory Group Discovery to search Active Directory Domain Services (AD DS) to identify the group memberships of computers and users. This discovery method searches a discovery scope that you configure, and then identifies the group memberships of resources in that discovery scope. By default, only security groups are discovered.

 

However, you can discover the membership of distribution groups when you select the checkbox for the option Discover the membership of distribution groups on the Option tab in the Active Directory Group Discovery Properties dialog box. When you discover a group, you can also discover limited information about its members.

 

Note: This does not replace Active Directory System Discovery or Active Directory User Discovery and is usually insufficient to build complex queries/collections or to serve as the basis of a client push installation.

Active Directory Group Discovery can discover the following information:

  • Groups
  • Membership of Groups
  • Limited information about a group's member computers and users, even when those computers and users have not previously been discovered by another discovery method

Tip: This step assumes you want to discover resources recursively in the windowsnoob OU. It may therefore be necessary to move servers into their respective OU, which is a child OU under the windowsnoob OU created in this guide; otherwise they will not be discovered by this discovery method. You can do that via Active Directory Users and Computers on AD1.

 

servers ou.png

 

In the ConfigMgr console, in the Administration workspace, select Hierarchy Configuration, then select Discovery Methods and right click Active Directory Group Discovery and choose properties.

 

active directory group discovery properties.png

 

Select the option to Enable Active Directory Group Discovery and click on Add to see two more choices, Groups and Location. These options are explained below:

  • Groups: Use groups if you want to search one or more specific Active Directory groups. You can configure the Active Directory Domain to use the default domain and forest, or limit the search to an individual domain controller. Additionally, you can specify one or more groups to search. If you do not specify at least one group, all groups found in the specified Active Directory Domain location are searched.
  • Location: Use a location if you want to search one or more Active Directory containers. This scope option supports a recursive search of the specified Active Directory containers that also searches each child container under the container you specify. This process continues until no more child containers are found.

Note: When you configure a discovery scope, select only the groups that you must discover. This is because Active Directory Group Discovery attempts to discover each member of each group in the discovery scope. Discovery of large groups can require extensive use of bandwidth and Active Directory resources.

Select Location from the drop down menu. Give it a name like Active Directory Group Discovery – P01 and select browse to decide where to recursively search. In this example I select the previously created windowsnoob Organizational Unit (OU) which will contain your servers, users, computers and devices.

 

add location.png

 

Click on the Polling schedule tab and decide what is appropriate for your setup. The default is 7 days for a full Active Directory Group Discovery, and you can enable Delta Discovery (enabled by default). Delta Discovery finds resources in Active Directory Domain Services that are new or modified since the last discovery cycle, and runs at the time interval specified (default is 5 minutes).

 

polling.png

 

Next, you can review the three options on the Options tab.

 

options.png

 

Click Apply when ready and answer Yes to running the full discovery.

 

full discovery.png

 

Tip: If you want to review the discovery of objects via this discovery method, you can use CMTrace to open the adsgdis.log file. The log file will be located in the <InstallationPath>\LOGS folder.

 

adsgdis log.png

 

Step 3. Enable Active Directory System Discovery

Note: Perform the following on your ConfigMgr server as a user with Full Administrator permissions in the ConfigMgr console.

Use Configuration Manager Active Directory System Discovery to search the specified Active Directory Domain Services (AD DS) locations for computer resources that can be used to create collections and queries. You can then install the client to discovered computers by using client push installation. To successfully create a discovery data record (DDR) for a computer, Active Directory System Discovery must be able to identify the computer account and then successfully resolve the computer name to an IP address.

By default, Active Directory System Discovery discovers basic information about the computer including the following:

  • Computer name
  • Operating system and version
  • Active Directory container name
  • IP address
  • Active Directory site
  • Last Logon Timestamp

In the ConfigMgr console, in the Administration workspace, select Hierarchy Configuration, then select Discovery Methods, right click Active Directory System Discovery and choose Properties. Place a checkmark in Enable Active Directory System Discovery.

 

enable active directory system discovery.png

 

Click on the yellow starburst to add some Active Directory containers. For Path, click on Browse and browse to the location you want to discover systems in.

 

windowsnoob container.png

 

Tip: You can add several locations by repeating this process and selecting different locations, but only add the locations you need, as you don't want to generate unnecessary network traffic and CPU load.

 

On the Polling schedule tab, stick to the defaults, then select the Active Directory Attributes tab. If you want to add an attribute to discover, select one from the list and choose Add >>. In the example below you are adding an Active Directory attribute called msTPM-OwnerInformation. There are many attributes to choose from; use only the ones you need to get your job done.

 

ms-tpmownerinformation.png

 

Click Apply and OK, and answer Yes to run a full discovery as soon as possible.

Tip: If you want to review the discovery of objects via this discovery method, you can use CMTrace to open the adsysdis.log file. The log file will be located in the <InstallationPath>\LOGS folder.

 

adsysdis.png

 

Step 4. Enable Active Directory User Discovery

Note: Perform the following on your ConfigMgr server as a user with Full Administrator permissions in the ConfigMgr console.

Use Configuration Manager Active Directory User Discovery to search Active Directory Domain Services (AD DS) to identify user accounts and associated attributes. You can view the default list of object attributes returned by Active Directory User Discovery, and configure additional attributes to be discovered in the Active Directory User Discovery Properties dialog box on the Active Directory Attributes tab. By default, Active Directory User Discovery discovers basic information about the user account including the following:

  • User name
  • Unique user name (includes domain name)
  • Domain
  • Active Directory container names

In the ConfigMgr console, in the Administration workspace, select Hierarchy Configuration, then select Discovery Methods and right click Active Directory User Discovery and choose Properties. Place a checkmark in Enable Active Directory User Discovery as shown below.

 

Enable active directory user discovery.png

 

Select the Enable Active Directory User Discovery box and click on the yellow starburst to add some active directory locations to discover users.

 

users.png

 

You can configure the Polling tab and Active Directory Attributes tab settings if you wish, then click Apply and answer Yes to Run a Full Discovery now.

 

Tip: If you want to review the discovery of objects via this discovery method, you can use CMTrace to open the adusrdis.log file. The log file will be located in the <InstallationPath>\LOGS folder.
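
The four Tips above point at ADForestDisc.log, adsgdis.log, adsysdis.log and adusrdis.log. The following is an added example (not part of the original guide or of ConfigMgr itself) that parses CMTrace-format entries and pulls out warnings and errors per discovery component, so a failed discovery is noticed without opening each log by hand. The sample entries are constructed for illustration; their messages, thread ids and file names are assumptions, not real product output.

```python
import re
from collections import Counter

# A CMTrace-format entry: <![LOG[message]LOG]!><time=".." date=".." component=".." context=".." type="N" ...>
ENTRY = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"\s+'
    r'component="(?P<component>[^"]*)"\s+context="[^"]*"\s+'
    r'type="(?P<type>\d)"',
    re.DOTALL,  # a message may contain line breaks
)
SEVERITY = {"1": "info", "2": "warning", "3": "error"}

def parse_cmtrace(text):
    """Return one dict per log entry found in text."""
    return [
        {"msg": m["msg"].strip(), "time": m["time"], "date": m["date"],
         "component": m["component"],
         "severity": SEVERITY.get(m["type"], "unknown")}
        for m in ENTRY.finditer(text)
    ]

def summarize(entries):
    """Count entries per (component, severity); return counts and non-info entries."""
    counts = Counter((e["component"], e["severity"]) for e in entries)
    problems = [e for e in entries if e["severity"] != "info"]
    return counts, problems

# Constructed sample entries (not copied from a real site server).
SAMPLE = '''\
<![LOG[Starting the data discovery.]LOG]!><time="09:15:02.113+000" date="12-17-2015" component="SMS_AD_SYSTEM_DISCOVERY_AGENT" context="" type="1" thread="4120" file="sample.cpp:1">
<![LOG[Could not resolve an IP address for PC0001;
no DDR written.]LOG]!><time="09:15:03.240+000" date="12-17-2015" component="SMS_AD_SYSTEM_DISCOVERY_AGENT" context="" type="2" thread="4120" file="sample.cpp:2">
<![LOG[Wrote DDR for PC0002.]LOG]!><time="09:15:03.512+000" date="12-17-2015" component="SMS_AD_SYSTEM_DISCOVERY_AGENT" context="" type="1" thread="4120" file="sample.cpp:3">
<![LOG[Could not bind to the search container.]LOG]!><time="09:20:11.007+000" date="12-17-2015" component="SMS_AD_USER_DISCOVERY_AGENT" context="" type="3" thread="5088" file="sample.cpp:4">
'''

if __name__ == "__main__":
    counts, problems = summarize(parse_cmtrace(SAMPLE))
    for (component, severity), n in sorted(counts.items()):
        print(f"{component:32} {severity:8} {n}")
    for p in problems:
        print(f"[{p['severity']}] {p['date']} {p['time']} {p['component']}: {p['msg']!r}")
```

To use it on a site server, read each log file from the <InstallationPath>\LOGS folder and pass its text to parse_cmtrace.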

 

discovering users.png

 

Step 5. Review what has been discovered in the console

Note: Perform the following on your ConfigMgr server as a user with Full Administrator permissions in the ConfigMgr console.

 

In the ConfigMgr console, in the Assets and Compliance workspace, select Users, then select All Users. The discovered Users should appear.

 

discovered users.png

 

In the Assets and Compliance workspace, select All User Groups. The discovered User Groups should appear.

 

discovered user groups.png

 

In the ConfigMgr console, in the Assets and Compliance workspace, select Devices, then select All Systems. The discovered Systems should appear.

 

All Systems.png

 

Note: If you are wondering why AD1 does not appear, it is because that server is placed under the Domain Controllers container and that container path was not added to any system discovery method.

 

Downloads

You can download a Microsoft Word copy of this guide (dated 2015/12/17) here:

 

Attached File  Configuring Discovery for System Center Configuration Manager (Current Branch).zip   865.78KB   8 downloads

 

Summary

In this guide you configured Discovery methods in System Center Configuration Manager (Current Branch) to discover resources that you want to manage. In the next part of this new series you will configure Boundaries.

 

Until next time, adios and thanks for reading.
