SCCM 2012 Active Directory System Discovery - How does it find systems?

I have set up System Discovery for the forest and have not limited the view of the forest in any way. I also have it set up to discover everything, with no limit on the number of days since last check-in. But I have some objects that haven't checked into the domain in years that are enabled (yes, I want to delete them) and others that are disabled that don't show up. If there is a discovered object that I disable in AD and I run a full discovery, it is still found.
My question is: for this discovery, what criteria does SCCM look for? I assume that it authenticates to the domain with the supplied user account, reads Active Directory and pulls objects. From there, does it pull disabled objects or leave them be? If a client hasn't checked in in over 90 (or any number of) days, does it discard that automatically? I'm just trying to understand the discovery process.
Jason Apt, Microsoft Certified Master | Exchange 2010
My Blog

It should look for objects that are in AD and also in DNS. When you use the 90 days rules, those objects will not be deleted from the ConfigMgr database (that's a site maintenance rule), the discovery process will just not discover the object.
Kent Agerlund | My blogs: blog.coretech.dk/kea and SCUG.dk/ | Twitter: @Agerlund | Linkedin: Kent Agerlund

Similar Messages

  • SCCM 2012: Active Directory Group Discovery, Delta Discovery?

    Hi,
    Our scenario:
    *Software is requested via a separate system which puts AD computer objects in groups
    *Software within SCCM 2012 is deployed to computer collections
    *Computer collections query AD groups, in those AD groups the pc's reside
    *Collections memberships run via AD query (every 20 minutes)
    *We deploy an OS (Windows 7) via SCCM
    *Machine policy is updated every 20 minutes
    What is important: AD Group discovery is set to full discovery every 7 days, delta discovery set to 15 minutes
    So what happens:
    *Pc is staged correctly with Windows 7 but software isn't coming through in time (sometimes it's there within the hour, sometimes it takes 6 hours)
    *If we run a full AD Group discovery mostly software is installing immediately
    *Sometimes a SCCM 2012 client machine reset policy or reinstall client solves the problem
    My questions:
    *Would it be better to run full discoveries every x minutes since this always solves our problem
    *Would it be better to disable the delta discovery if we do the change above to minimize AD queries
    => tried that now (full discovery every 30 minutes and disabled delta discovery) but I don't want to put too much pressure on our domain controller
    *Our software collections are limited to all systems, we could limit them to a Windows 7 collection. Probably we should do that but any suggestion how to do this safely in Powershell?
    Please advise.
    J.
    Jan Hoedt
    Note: what I don't get is why a full ad discovery system discovery solves the problem since SCCM 2012 collections do an AD query, what's the link there?

    So, let me see if I get this correct for our situation:
    Our own developed system puts pc’s in AD groups
    SCCM 2012 polls these groups, by default 1/week full discovery then every 30 minutes a delta discovery
    We deploy software to computer collections, these collections check the SCCM 2012 database every 30 minutes (collection update) Note: the query our collection do, is based upon requirement of Windows 6.1 + membership of an AD group.
    The SCCM 2012 client/computer does a computer policy update every 30 minutes to see what collections it is member of and see then the software to be deployed
     2 questions:
    *Are my assumptions correct? Specifically point 3.: is the query fully coming from an AD sync (or also from the SCCM client, e.g. Windows 6.1%)?
    *Don’t we have a step too much then, wouldn’t it be better to add a direct membership of the AD group within SCCM? This direct membership would mean no query and so save us about 20 minutes (run of query)?
    Jan Hoedt

  • SCCM 2012-Active Directory Site

    Hello All, 
    I created a collection named IN-ACTIVE for the India location, but USA systems are also falling into that collection. When I checked all those USA machines, the Active Directory site name was showing a different OU name.
    Here my goal is:
    Why are other countries' machines reporting to this collection, and why is the AD site name also showing another, non-USA OU?
    Can anyone help me?
    Best Regards, Krishna

    If you are sure that US computers are not in the India location OU, you may check by picking one US computer (that you feel is part of the India OU collection), opening its properties, and looking at its OU details.
    Can you post your WQL Query ?
    Eswar Koneti | Configmgr blog:
    www.eskonr.com | Linkedin: Eswar Koneti
    | Twitter: Eskonr

  • SCCM 2012R2 Active Directory System Discovery

    I just set up SCCM and was kind of going back and forth on how I wanted to run the computer discovery portion. I deleted some computers from the devices section and now I want them back, but when I run a rescan they are not populating. I didn't push the client or anything, just ran the system discovery. How do I get those machines back? Thanks.

    Correct, the AD System Discovery needs to be able to resolve the computer name to an ip address. See also:
    http://technet.microsoft.com/en-us/library/gg712308.aspx#BKMK_ADSystemDisc
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • Active Directory System Group discovery has been removed

    Hello,
    I noticed that in SCCM 2012 Active Directory System Group Discovery has been removed. Which discovery provides the information previously collected through this discovery?
    Thanks,
    Dom
    System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager

    Hi,
    Yes Active Directory System Group Discovery has been removed (not Active Directory System Discovery)
    It is written in http://technet.microsoft.com/en-us/library/gg712308.aspx#BKMK_DiscoveryMethods
    What's new in SCCM 2012
    and confirmed in
    http://blogs.technet.com/b/elie/archive/2012/05/10/system-center-2012-configuration-manager-part2-discovery-methods.aspx
    Thanks,
    DOm
    System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager

  • Active Directory service discovery failed

    Hi forum user,
    I have integrated my SGD with AD.
    I saw the following error in jserver log file:
    # more jserver2698_error.log
    2007/07/24 15:25:22.626 (pid 2698) server/ldap/error #1185261922626
    Sun Secure Global Desktop Software (4.31) ERROR:
    Active Directory service discovery failed: Failed to find any valid Site objects.
    Looking up Global Catalog DNS name: gc.tcp.telbru.com.bn. - HIT
    Looking for GC on server: Active Directory:ts1.telbru.com.bn:/172.25.11.96:3268:Up - HIT
    Checking for CN=Configuration: DC=telbru,DC=com,DC=bn - MISS
    Checking for CN=Configuration: CN=Configuration,DC=telbru,DC=com,DC=bn - HIT
    Looking up domain root context: DC=telbru,DC=com,DC=bn - HIT
    Looking up site context: CN=Sites,CN=Configuration
    Searching for sites: (&(objectClass=site)(siteObjectBL=*)) - HIT
    Looking up addresses for peer DNS: portal.telbru.com.bn - HIT
    Failed to discover Active Directory Site, Domain and server data.
    This might mean LDAP users cannot log in.
    Make sure the DNS server contains the Active Directory service
    records for the forest. Make sure a Global Catalog server is available.
    Why the error occurred ?
    What is the resolution to this error ?
    Appreciate any help. Thanks.

    This error message is telling you that SGD failed to find any site objects in your AD tree. This should not stop users from logging in, it will just mean that SGD will not be able to work out which AD site is local to the SGD server.
    If you are not using sites in your AD setup, then you do not need to worry about this.
    Hope this helps,
    DD

  • Doing Active Directory System Discovery security roles

    Hi Experts
    I am assigning users who have specific roles in SCCM2012 (Reporting, application management etc) , they are not assigned with permissions which is the same as Full Administrator or Operation Manager. 
    The team would like to run Active Directory System Discovery on the Primary Site server to detect the computer objects found in the AD once they have joined the new computers to the domain, they are unable to perform RUN on the Active Directory System Discovery as the option is not available to them. Possible to advise, which additional security roles should I assign to them so that the RUN command can appear?? They are unable to do this with the current permission as listed below, RUN is not listed when they right click on Active Directory System Discovery, unlike the Full Administrator:
    Application Administrator
    Application Author
    Application Deployment Manager
    Operating System Deployment Manager
    Read-only Analyst
    Remote Tools Operator
    Software Update Manager

    Hi,
    You could create a Custom role and modify the rights.
    Administration workspace >Security >Security Roles >Select a Built-in role >Click Copy on the ribbon.
    Otherwise, Role-based Administration Modeling and Auditing Tool helps administrators to model and audit RBA configurations.
    http://www.microsoft.com/en-us/download/details.aspx?id=36213

  • Error in Active Directory System Discovery (0x80005010)

    Hi,
    I've configured Active Directory System Discovery in a SCCM 2007 R2 SP2 configuration. I see several SCCM clients being populated with OU information, but others do not. I've taken a look in the adsysdis.log. There it states for a very large number of computer accounts:
    INFO: discovered object with ADsPath = 'LDAP://<domain controller>/<DN computerobject>'
    WARN: Could not get property (domain) for system (0x80005010)
    Afterwards there is no entry that states a ddr is written for this computer object and the SCCM client object is not populated with information.
    Can someone explain what exactly is the issue, and how to solve it?

    I got exactly the same issue - SCCM 2007 SP2, two primary sites (one central). The AD structure has one forest and two domains.
    Has anyone solved this issue?
    adsysdis.log :
    Starting the data discovery. SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    INFO: Processing search path: 'LDAP://CN=COMPUTERS,DC=MY,DC=DOMAIN'. SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    INFO: Full synchronization requested SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    INFO: DC DNS name = 'dc01.my.domain' SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    INFO: search filter = '(&(objectClass=user)(objectCategory=computer))' SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    INFO: ads path = 'LDAP://dc01.my.domain/CN=COMPUTERS,DC=MY,DC=DOMAIN' SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    INFO: Bound to 'LDAP://dc01.my.domain/CN=COMPUTERS,DC=MY,DC=DOMAIN' SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    INFO: discovered object with ADsPath = 'LDAP://dc01.my.domain/CN=TEST1,CN=Computers,DC=MY,DC=DOMAIN' SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    WARN: Could not get property (domain) for system (0x80005010) SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    INFO: discovered object with ADsPath = 'LDAP://dc01.my.domain/CN=COMP2,CN=Computers,DC=MY,DC=DOMAIN' SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    WARN: Could not get property (domain) for system (0x80005010) SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    INFO: discovered object with ADsPath = 'LDAP://dc01.my.domain/CN=SRV2,CN=Computers,DC=MY,DC=DOMAIN' SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    WARN: Could not get property (domain) for system (0x80005010) SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    INFO: discovered object with ADsPath = 'LDAP://dc01.my.domain/CN=SRV3,CN=Computers,DC=MY,DC=DOMAIN' SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    WARN: Could not get property (operatingSystem) for system (0x80005010) SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    WARN: Could not get property (operatingSystemVersion) for system (0x80005010) SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    WARN: Could not get property (domain) for system (0x80005010) SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    WARN: Could not get property (dNSHostName) for system (0x80005010) SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    ERROR: System SRV3 is a unsupported operating system, unsupported version, or malformed AD entry. Reported system type is:  (). SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
    WARN: CADSource::ProcessSystemInfo: Failed to get IP Address for the system. SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
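
The log excerpt above interleaves per-object warnings with the agent's progress lines, which makes it hard to see which computer objects are affected and how. The Python script below is an added example, not code from the thread or from Configuration Manager; it assumes the entry layout exactly as pasted in the post and attributes each WARN/ERROR entry to the preceding "discovered object" line. The names `parse_adsysdis` and `triage` are hypothetical.

```python
import re

# One entry as pasted in the thread (assumed layout):
#   "<LEVEL>: <message> <component> <date> <time> <thread id> (<hex id>)"
ENTRY = re.compile(
    r"^(?P<level>INFO|WARN|ERROR): (?P<msg>.*?)\s+"
    r"SMS_AD_SYSTEM_DISCOVERY_AGENT\s+\S+\s+\S+\s+\d+\s+\(0x[0-9A-Fa-f]+\)\s*$"
)
DISCOVERED = re.compile(r"discovered object with ADsPath = 'LDAP://[^/]+/(?P<dn>[^']+)'")
MISSING = re.compile(
    r"Could not get property \((?P<prop>\w+)\) for system \((?P<code>0x[0-9A-Fa-f]+)\)"
)

# Sample input: a subset of the adsysdis.log lines quoted in the post above.
SAMPLE_LOG = """\
Starting the data discovery. SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
INFO: Full synchronization requested SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
INFO: discovered object with ADsPath = 'LDAP://dc01.my.domain/CN=TEST1,CN=Computers,DC=MY,DC=DOMAIN' SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
WARN: Could not get property (domain) for system (0x80005010) SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
INFO: discovered object with ADsPath = 'LDAP://dc01.my.domain/CN=SRV3,CN=Computers,DC=MY,DC=DOMAIN' SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
WARN: Could not get property (operatingSystem) for system (0x80005010) SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
WARN: Could not get property (operatingSystemVersion) for system (0x80005010) SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
WARN: Could not get property (domain) for system (0x80005010) SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
WARN: Could not get property (dNSHostName) for system (0x80005010) SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
ERROR: System SRV3 is a unsupported operating system, unsupported version, or malformed AD entry. Reported system type is:  (). SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
WARN: CADSource::ProcessSystemInfo: Failed to get IP Address for the system. SMS_AD_SYSTEM_DISCOVERY_AGENT 19.11.2009 17:11:15 5360 (0x14F0)
"""


def parse_adsysdis(text):
    """Group WARN/ERROR entries under the most recently discovered object (by DN)."""
    objects = {}
    current = None
    for line in text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue  # banner lines, blank lines, wrapped fragments
        level, msg = entry.group("level"), entry.group("msg")
        found = DISCOVERED.search(msg)
        if found:
            current = objects.setdefault(
                found.group("dn"), {"missing": [], "errors": [], "no_ip": False}
            )
            continue
        if current is None:
            continue  # run-level entries logged before the first object
        miss = MISSING.search(msg)
        if miss:
            current["missing"].append((miss.group("prop"), miss.group("code")))
        elif "Failed to get IP Address" in msg:
            current["no_ip"] = True
        elif level == "ERROR":
            current["errors"].append(msg)
    return objects


def triage(objects):
    """Return (blocked, incomplete): objects with an ERROR or no IP address,
    and objects for which only attribute reads failed."""
    blocked, incomplete = [], []
    for dn, rec in objects.items():
        name = dn.split(",", 1)[0].split("=", 1)[1]  # first RDN value, e.g. SRV3
        if rec["errors"] or rec["no_ip"]:
            blocked.append(name)
        elif rec["missing"]:
            incomplete.append(name)
    return blocked, incomplete


if __name__ == "__main__":
    parsed = parse_adsysdis(SAMPLE_LOG)
    blocked, incomplete = triage(parsed)
    print("error or no IP address:", blocked)
    print("attribute reads failed only:", incomplete)
```
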

  • Exclude servers from Active Directory System Discovery

    We would like to exclude all servers from being discovered by Active Directory System Discovery. Is there any way to achieve this, i. e. with a custom LDAP query? Or does SCCM always detect all systems in the configured OUs? (Moving all servers to a separate OU is not an option.)

    Well, good question ;) ... We don't use SCCM on servers, and the basic reason was excluding them from statistics. Of course we want to prevent accidental client installation, but that can be done in other ways (like mentioned by Eswar).
    Still, we always get tons of "computers without client", low success rates etc. Of course all that can be adjusted, excluding servers from "All Systems" etc., but excluding the servers directly from discovery would be the easiest way. If it can't be done, it can't be done, and we will be able to live with that. I just wanted to know IF it can be done.
    Well. If that is the issue with reporting, then you may have to edit the report to avoid displaying servers in reports, so you will be on the right track with results.
    Or, while creating collections, to exclude a certain number of computers or maybe more, create an AD security group and add all the computers to it. Create a collection to exclude computers which are members of this AD group to avoid accidental installation...
    Eswar Koneti | Configmgr blog:
    www.eskonr.com | Linkedin: Eswar Koneti

  • Excluding some computers from Active Directory System Discovery

    Hi,
    I am trying to exclude some computers from Active Directory System Discovery. I created a new Organizational Unit for those excluded computers and that OU is NOT under the OU that I am discovering in the OU hierarchy. I specified the location to be discovered under the Active Directory System Discovery properties. However, it is still discovering the computers that I wanna exclude from the discovery. I deleted those computers from console manually and run the discovery again, it still discovers them.
    What I might be doing wrong?
    Thanks
    Yavuz Selim Atmaca

    Hi,
    If you check under properties on the object, you can see which discovery agent is discovering the resource, it could be the Group Discovery as well. That is where I would start to troubleshoot it.
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter @ccmexec

  • After Active Directory System Discovery, some computers have Operating_System_Name_and0 as only the version number

    Good morning,
    We've been experiencing some odd behavior with discovery.  After Active Directory System Discovery, some computers have Operating_System_Name_and0 as only the version number; for example, " 6.1" (note the space before the 6) vs. "Microsoft Windows NT Workstation 6.1" (although, not limited to Windows 7 workstations).
    Here are two seemingly identical machine records in Active Directory WCBWIN7VDI10 and WCBWIN7VDI11.
    After discovery
    select Name0, Operating_System_Name_and0 from v_r_system where Name0 LIKE 'WCBWIN7VDI1[0,1]'
    yields
    Name0 Operating_System_Name_and0
    WCBWIN7VDI10  6.1
    WCBWIN7VDI11 Microsoft Windows NT Workstation 6.1
    For discovery on a new domain yesterday we have the following distribution:
    select count (*) as [count], convert (nvarchar, Creation_Date0, 110) as [creation date], Operating_System_Name_and0
    from v_r_system where Full_Domain_Name0 like 'aaa.bbb.ccc'
    group by Operating_System_Name_and0, convert (nvarchar, Creation_Date0, 110)
    order by Operating_System_Name_and0
    count | creation date | Operating_System_Name_and0
    274   | 12-01-2014    |
    3     | 12-01-2014    |  5.0
    23    | 12-01-2014    |  5.1
    124   | 12-01-2014    |  5.2
    20    | 12-01-2014    |  6.0
    5109  | 12-01-2014    |  6.1
    6     | 12-01-2014    |  6.2
    4     | 12-01-2014    |  6.3
    1     | 12-01-2014    | CentOS 6.0
    13    | 12-01-2014    | Microsoft   Windows NT Server
    54    | 12-01-2014    | Microsoft   Windows NT Server 5.2
    9     | 12-01-2014    | Microsoft   Windows NT Server 6.0
    120   | 12-01-2014    | Microsoft   Windows NT Server 6.1
    2     | 12-01-2014    | Microsoft   Windows NT Server 6.2
    7     | 12-01-2014    | Microsoft   Windows NT Server 6.3
    6     | 12-01-2014    | Microsoft   Windows NT Workstation 5.1
    3501  | 12-01-2014    | Microsoft   Windows NT Workstation 6.1
    1     | 12-02-2014    | Microsoft   Windows NT Workstation 6.1
    5     | 12-01-2014    | Microsoft   Windows NT Workstation 6.2
    1     | 12-01-2014    | Microsoft   Windows NT Workstation 6.3
    2     | 12-01-2014    | SLES 11
    6     | 12-01-2014    | Windows   Embedded Standard 6.1
    Anybody know why this occurs?  We typically build our server vs. workstation collections with this.
    Thanks,
    Terence Durning

    Hi Terence,
    What is the value in Active Directory for the computer account?
    Do you have the same behavior if you run this query? 
    SELECT DISTINCT Operating_System_Name_and0 FROM v_R_System ORDER BY 1
    You are talking about a space before 6.1. Do I see also a space for all Microsoft Windows like "Microsoft   Windows NT Workstation 6.3" ? 
    Nick Pilon - Blog: System Center Dudes

  • Remove Active Directory User Discovery

    We're looking at enabling Active Directory User Discovery in our Config Mgr 2012 instance as part of testing Intune. If we decide to not implement Intune, will we be able to disable Active Directory User Discovery, and remove that information from the database?
    If so, is there good documentation on how to do this?
    Thanks

    The easiest is to disable the Active Directory User Discovery and then delete all the users from the All Users collection.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • New 2012 Active Directory Domain - Naming Convention

    Hi Guys,
    I am working for a start-up company, who currently use Office 365 (Mid-Size Business) for their email and for the use of SharePoint.
    I have been tasked with designing and building a fresh new 2012 Active Directory, but I am a little unsure of how to name the new domain with Server 2012, previously I would have used a ".local" name, but I have read a lot of articles that say this should not be done anymore, rather we use the external domain name of the company with a sub-domain prefixed.
    Whilst I have read quite a bit about this method, there doesn't seem to be a clear right or wrong answer, can someone advise what would be best practice in my situation?
    Kind Regards
    Simon

    Thanks for all the information guys :-)
    Our external domain is as follows:
    company.parentcompany.org.uk
    I am now looking at using the following name internally:
     internal.company.parentcompany.org.uk
    What (if any) DNS entries are required for browsing to our website, and for using outlook online and lync online?
    Many thanks for any help that can be provided.
    Regards
    Simon.

  • 2012 Active Directory compatibility

    Hi,
    I have 2 servers: one with the whole Active Directory setup (Server 2003) and a new one for an ERP application (Server 2012). My question is whether the 2 servers, 2003 Active Directory and 2012 Active Directory, are compatible, and how to do it. Thank you for your kind advice.
    Saiful

    Hi,
    If I understood your question correctly, you are asking if the 2003 AD domain controller is compatible with another 2012 AD domain controller?
    If this is the case then the answer would be yes once you have the schema requirements for 2012 domain controllers upgraded. There is an issue with 2003 DCs and 2012 R2 in terms of AES encryption but there is a hotfix for that released by Microsoft.
    See more below:
    https://support.microsoft.com/kb/2989971?wa=wsignin1.0
    http://blogs.technet.com/b/askpfeplat/archive/2012/09/03/introducing-the-first-windows-server-2012-domain-controller.aspx
    Hope it helps.
    Regards,
    Calin

  • Upgrade from Windows Server 2012 Active Directory to Windows Server 2012 R2 Active Directory

    We are currently running Windows Server 2012 Active Directory and would like to upgrade to Windows Server 2012 R2 AD. Is it OK to just do an in-place upgrade, or is it advisable to build new domain controllers on R2? Are there any guides or articles anyone can recommend?

    Hi Ginandtonic,
    To upgrade DC(Domain Controller) from windows server 2012 to windows server 2012 r2, please refer to these articles:
    Upgrade from windows Server 2012 to 2012 R2                                 
    Upgrade Active Directory from 2012 to 2012 R2
    I hope this helps.
    Best Regards,
    Anna
