introduction
After SCCM has been installed successfully, it is time to deploy the SCCM client.
But before that, we have to configure how the SCCM site server will discover client computers, users and groups.
In this article we will focus on how to configure the discovery methods.
Let us go.
Discovery methods
So what are discovery methods in Configuration Manager?
Simply put: you have resources in your company, and to gather information about those resources the SCCM site server uses a set of methods called discovery methods.
Configuration Manager uses a variety of discovery methods to gather resource information, and each discovery method gathers information about different objects.
The discovery methods are:
- Active Directory System Discovery
- Active Directory User Discovery
- Active Directory Group Discovery
- Active Directory Forest Discovery
- Network Discovery
- Heartbeat Discovery
Below we will look at each of them one by one.
Active Directory System Discovery
Use this discovery method to search the specified Active Directory Domain Services locations for computer resources that can be used to create collections and queries.
You can also install the Configuration Manager client on a discovered device by using client push installation.
By default, this method discovers basic information about the computer, including the following attributes:
Computer name
Operating system and version
Active Directory container name
IP address
Active Directory site
Time stamp of last logon
Some considerations about the AD System Discovery method
- It discovers domain-joined computers using the site server's computer account (SCCM141.pioneers.lab), which can read the directory because it is a member of Authenticated Users. Scope the LDAP containers it searches to the OUs you actually manage rather than the whole domain, so that only computers you intend to manage (and later push the client to) end up in the site database.
- Polling schedule: either full discovery or delta discovery.
- When the site server (SCCM141.pioneers.lab) performs a full discovery for the first time, it creates a Data Discovery Record (DDR) in the site DB for each computer it finds.
- Each time the site server performs a full discovery, it automatically renews the DDRs in the DB.
- A DDR that has NOT been renewed within 90 days is deleted, so the full discovery interval must be shorter than 90 days.
- The schedule for deleting outdated DDRs is set at Administration > Site Configuration > Sites > select our site (PR1) > right-click > Site Maintenance > Delete Aged Discovery Data > set the number of days; by default it deletes records older than 90 days and runs on Saturday.
- Delta discovery only picks up DDRs for objects that are new or changed in AD since the last run; by default it runs every 5 minutes.
- Delta discovery is a lightweight method and does not renew DDRs of objects that have not changed.
- Delta discovery is therefore a complement to full discovery, not a replacement for it.
- We can run a full discovery immediately: right-click the method > Run Full Discovery Now. The site server logs what each run found in adsysdis.log.
- The site server relies on DNS to resolve each discovered computer: the client must have a DNS record so that the site server can resolve it and create its DDR.
- By default, a dynamically registered DNS record has a no-refresh interval of 7 days followed by a refresh interval of another 7 days; only after that can it be scavenged.
- So it is recommended to scavenge aged records from the DNS database, to avoid the site server discovering computers that are no longer running: DNS zone > Properties > General > Aging > check "Scavenge stale resource records". Scavenging must also be enabled on the DNS server itself (server Properties > Advanced > "Enable automatic scavenging of stale records"), otherwise aged records are marked but never deleted.
- The results of any discovery method are stored under Assets and Compliance > Devices > All Systems.
- Please note that All Systems also contains two records that do not come from discovery:
- x64 Unknown Computer (x64 Unknown Computer)
- x86 Unknown Computer (x86 Unknown Computer)
- These are built-in records that will be used later, for operating system deployment to unknown computers.
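As an added example (not code from the original article), the following PowerShell script applies the points above: it configures AD System Discovery for site PR1 with the search scoped to one OU, a weekly full schedule plus a 5-minute delta, the stale-account filters from the method's Options tab, keeps the Delete Aged Discovery Data task at 90 days (longer than the full-discovery interval), and then enables DNS aging and scavenging on the pioneers.lab zone and lists dynamic A records that are older than the aging window. The site code PR1, the domain pioneers.lab and the 90-day retention come from the article; the OU name Workstations, the DNS server name DC01.pioneers.lab and the 60-day staleness thresholds are assumptions.

```powershell
# Added example, not from the original article. Assumptions: site code PR1, domain
# pioneers.lab, an OU named "Workstations", a DNS server DC01.pioneers.lab, and that the
# ConfigMgr console (ConfigurationManager.psd1) and the DnsServer RSAT module are installed
# on the machine that runs this, with rights on both the site and the DNS server.

# --- Part 1: site side ---
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "PR1:"

# Full discovery weekly: must be shorter than the 90-day "Delete Aged Discovery Data" window,
# otherwise DDRs expire between two full runs.
$full = New-CMSchedule -RecurInterval Days -RecurCount 7

Set-CMDiscoveryMethod -ActiveDirectorySystemDiscovery -SiteCode "PR1" -Enabled $true `
    -AddActiveDirectoryContainer "LDAP://OU=Workstations,DC=pioneers,DC=lab" `
    -PollingSchedule $full `
    -EnableDeltaDiscovery $true -DeltaDiscoveryMins 5 `
    -EnableFilteringExpiredLogon $true -TimeSinceLastLogonDays 60 `          # skip accounts that have not logged on for 60 days
    -EnableFilteringExpiredPassword $true -TimeSinceLastPasswordUpdateDays 60 # skip accounts whose password is stale (dead machines)

Set-CMSiteMaintenanceTask -SiteCode "PR1" -MaintenanceTaskName "Delete Aged Discovery Data" `
    -Enabled $true -DeleteOlderThanDays 90 -DaysOfWeek Saturday

# Same as right-click > "Run Full Discovery Now" in the console; progress is in adsysdis.log.
Invoke-CMSystemDiscovery -SiteCode "PR1"
Set-Location $env:SystemDrive

# --- Part 2: DNS side ---
$dns  = "DC01.pioneers.lab"   # assumed DNS server
$zone = "pioneers.lab"
$week = [TimeSpan]::FromDays(7)

# Zone aging (no-refresh 7 days + refresh 7 days, the defaults the article mentions)...
Set-DnsServerZoneAging -ComputerName $dns -Name $zone -Aging $true `
    -NoRefreshInterval $week -RefreshInterval $week
# ...and server-level scavenging, without which aged records are never removed.
Set-DnsServerScavenging -ComputerName $dns -ScavengingState $true -ScavengingInterval $week -ApplyOnAllZones

# Dynamic A records whose timestamp is past the 14-day aging window: these are the names
# discovery would still resolve for machines that may no longer exist. Static records have
# no timestamp and are skipped.
$cutoff = (Get-Date).AddDays(-14)
Get-DnsServerResourceRecord -ComputerName $dns -ZoneName $zone -RRType A |
    Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
    Select-Object HostName, Timestamp, @{ n = 'IP'; e = { $_.RecordData.IPv4Address } } |
    Format-Table -AutoSize
```

The logon and password filters are the cheapest way to keep decommissioned or never-used computer objects out of the site database; a record that is never created cannot become a client-push target or a collection member by accident.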
Active Directory Group Discovery
This discovery method is intended to identify groups and the group relationships of members of groups. By default, only security groups are discovered. If you want to also find the membership of distribution groups, you must check the box for the option Discover the membership of distribution groups on the Options tab in the Active Directory Group Discovery Properties dialog box.
Some considerations about the AD Group Discovery method
- By default, group discovery only discovers security groups, but we can also ask it to discover distribution groups: Administration > Discovery Methods > Active Directory Group Discovery > Properties > Options > check "Discover the membership of distribution groups".
- The results of any discovery method are stored under Assets and Compliance > Devices > All Systems.
- Open the properties of any discovered client (please note that the client agent has NOT been deployed yet).
- The Agent Name field shows which component gathered the client's attributes, for example SMS_AD_SYSTEM_DISCOVERY_AGENT.
- We created a fake computer account in Active Directory and noted that SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT discovered it as well: group discovery creates a resource record for every computer that is a member of a group it finds, even if system discovery never saw that computer. Anyone who can create a computer object in a discovered OU, or add one to a discovered group, therefore gets a record in the site database, which is another reason to scope the containers and groups you discover.
- The set of attributes collected for a client is called its DDR.
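As an added example (not code from the original article), this PowerShell snippet answers the question the fake-computer test above raises: which discovery component created each record, and which records exist only because an AD discovery agent saw a computer object. It reads the SMS_R_System class from the SMS Provider and reports resources that have no client installed and have never been reported by Heartbeat Discovery. The site code PR1 and the site server name SCCM141.pioneers.lab come from the article; that the SMS Provider runs on the site server, and that the caller has read rights on it, are assumptions.

```powershell
# Added example, not from the original article. Assumptions: site code PR1, the SMS Provider
# on SCCM141.pioneers.lab, and a caller with read access to the provider namespace.
$provider = "SCCM141.pioneers.lab"
$ns       = "root\SMS\site_PR1"

function Get-DiscoveryRecords {
    # Each resource carries AgentName[]/AgentTime[]: the components that created or last
    # refreshed its DDR (SMS_AD_SYSTEM_DISCOVERY_AGENT, SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT,
    # Heartbeat Discovery, ...). Client = 1 means the ConfigMgr client is installed.
    Get-CimInstance -ComputerName $provider -Namespace $ns -ClassName SMS_R_System |
        Select-Object ResourceId, Name, Client, AgentName, AgentTime, LastLogonTimestamp
}

function Get-AdOnlyRecords {
    param([object[]]$Records)
    # Records known only from AD: no client and never heart-beaten. Fake, stale or
    # pre-staged computer objects all land here.
    $Records | Where-Object {
        ($_.Client -ne 1) -and ($_.AgentName -notcontains "Heartbeat Discovery")
    }
}

$records = Get-DiscoveryRecords

# How many records each discovery component has touched.
$records | ForEach-Object { $_.AgentName } | Group-Object |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# The list to review before enabling client push on a collection: every name here is a
# machine the site knows only because AD says it exists.
Get-AdOnlyRecords -Records $records |
    Select-Object Name, @{ n = 'Agents'; e = { $_.AgentName -join ',' } }, LastLogonTimestamp |
    Sort-Object LastLogonTimestamp | Format-Table -AutoSize
```

A record that appears only with SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT and a blank LastLogonTimestamp is the pattern the fake account in the article produced.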
Active Directory User Discovery
Use this discovery method to search Active Directory Domain Services to identify user accounts and associated attributes.
By default, this method discovers basic information about the user account, including the following attributes:
User name
Unique user name (includes domain name)
Domain
Active Directory container names
Active Directory Forest Discovery
Unlike other Active Directory discovery methods, Active Directory Forest Discovery does not discover resources that you can manage. Instead, this method discovers network locations that are configured in Active Directory. It can convert those locations into boundaries for use throughout your hierarchy.
When this method runs, it searches the local Active Directory forest, each trusted forest, and each additional forest that you configure in the Active Directory Forests node of the Configuration Manager console.
Use Active Directory Forest Discovery to:
Discover Active Directory sites and subnets, and then create Configuration Manager boundaries based on those network locations.
Identify supernets that are assigned to an Active Directory site. Convert each supernet into an IP address range boundary.
Publish to Active Directory Domain Services (AD DS) in a forest when publishing to that forest is enabled. The specified Active Directory Forest Account must have permissions to that forest.
Network Discovery
Use this method to discover the topology of your network and to discover devices on your network that have an IP address. Network Discovery searches your network for IP-enabled resources by querying the following entities:
- Servers that run a Microsoft implementation of DHCP
- Address Resolution Protocol (ARP) caches in network routers
- SNMP-enabled devices
- Active Directory domains
Some considerations about the Network Discovery method
- Network Discovery searches the network with anonymous (unauthenticated) requests: SNMP reads with the community names you configure, DHCP server queries, router ARP caches via SNMP and browsing of the Windows domains you list.
- If a network device is configured not to respond to anonymous requests, it will not be discovered.
- Anonymous access can be restricted on a Windows computer with regedit: HKLM\SYSTEM\CurrentControlSet\Control\Lsa > RestrictAnonymous > set to 1. This is a normal hardening setting, so expect hardened computers to drop out of Network Discovery; they are still found by AD System Discovery and, once the client is installed, by Heartbeat Discovery.
- Please note that Network Discovery has no "Run Discovery Now" option, only the schedule.
- We also noted that Network Discovery (subnet) was able to discover the STC router on the subnet 172.16.0.0.
- For testing, there are tools that simulate network devices, such as Cisco Network Assistant, which is free from the Cisco website.
- If the network is slow (WAN connection or VPN), it is recommended to check "Slow network" on the General tab of the Network Discovery properties, so that the site server doubles the SNMP timeout while waiting for responses from network nodes.
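As an added example (not code from the original article), the following PowerShell audits the RestrictAnonymous setting described above on a list of Windows hosts over WinRM and sets it to 1 where it is still 0. It reports the related LSA values as well so you can see the full anonymous-access posture of a host before deciding whether it should be expected in Network Discovery results. The host names, the use of WinRM and the assumption that the caller is a local administrator on those hosts are all assumptions; the registry path is the one the article refers to.

```powershell
# Added example, not from the original article. Assumptions: the host list below is
# constructed, PowerShell remoting is enabled on those hosts, and the caller is a local
# administrator on them.
$hosts  = @("WS01.pioneers.lab", "WS02.pioneers.lab")   # constructed sample list
$lsaKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"

function Get-AnonymousRestriction {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $p = Get-ItemProperty -Path $using:lsaKey
        [pscustomobject]@{
            Computer                  = $env:COMPUTERNAME
            RestrictAnonymous         = $p.RestrictAnonymous          # 1 = no anonymous enumeration of SAM accounts and shares
            RestrictAnonymousSAM      = $p.RestrictAnonymousSAM       # 1 = no anonymous enumeration of SAM accounts
            EveryoneIncludesAnonymous = $p.EveryoneIncludesAnonymous  # 0 = anonymous is not part of Everyone
        }
    } | Select-Object Computer, RestrictAnonymous, RestrictAnonymousSAM, EveryoneIncludesAnonymous
}

function Set-AnonymousRestriction {
    param([string[]]$ComputerName, [ValidateSet(0, 1)][int]$Value = 1)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Set-ItemProperty -Path $using:lsaKey -Name RestrictAnonymous -Value $using:Value -Type DWord
    }
}

# Report first. Hosts with RestrictAnonymous = 1 will not answer Network Discovery's
# anonymous queries and must be covered by AD System Discovery / Heartbeat instead.
Get-AnonymousRestriction -ComputerName $hosts | Format-Table -AutoSize

# Harden the hosts still at 0 (the Windows default), then confirm.
$open = (Get-AnonymousRestriction -ComputerName $hosts |
         Where-Object { -not $_.RestrictAnonymous }).Computer
if ($open) {
    Set-AnonymousRestriction -ComputerName $open -Value 1
    Get-AnonymousRestriction -ComputerName $open | Format-Table -AutoSize
}
```

Keep the output of the first report: it doubles as the list of hosts you should not expect to see in Network Discovery, which is useful when someone later asks why a hardened server "disappeared" from the site.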
Heartbeat Discovery
Heartbeat Discovery differs from other Configuration Manager discovery methods.
It is enabled by default and runs on each computer client (instead of on a site server) to create a DDR.
For mobile device clients, this DDR is created by the management point that the mobile device client is using.
To help maintain the database record of Configuration Manager clients, do not disable Heartbeat Discovery.
In addition to maintaining the database record, this method can force discovery of a computer as a new resource record.
It can also repopulate the database record of a computer that was deleted from the database.
Some considerations about the Heartbeat Discovery method
- It only works after the client agent has been deployed, NOT before.
- By default the client agent refreshes its own DDR in the SCCM DB every 7 days.
- SCCM can be configured to delete inactive clients from the DB: Administration > Site Configuration > Sites > PR1 > right-click > Site Maintenance > Delete Inactive Client Discovery Data (disabled by default).
- This makes sure that only active clients stay in the SCCM DB.
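As an added example (not code from the original article), this PowerShell sets the Heartbeat Discovery schedule and the Delete Inactive Client Discovery Data task at the site, then, on a machine that already has the client installed, forces the Discovery Data Collection Cycle (the heartbeat) and checks the client log for it. Site code PR1 and the 7-day interval come from the article; the 90-day inactive threshold, that the client part runs locally as an administrator, and the log path under %windir%\CCM\Logs are assumptions.

```powershell
# Added example, not from the original article. Assumptions: site code PR1; the site part
# runs on a console machine with the ConfigMgr cmdlets; the client part runs locally, as
# administrator, on a machine where the ConfigMgr client is already installed (heartbeat
# does nothing before that).

# --- Site side ---
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "PR1:"

Set-CMDiscoveryMethod -Heartbeat -SiteCode "PR1" -Enabled $true `
    -PollingSchedule (New-CMSchedule -RecurInterval Days -RecurCount 7)

# Purge records of clients that stopped heart-beating. The threshold must be well above
# the heartbeat interval, or clients that were simply off for a while get deleted.
Set-CMSiteMaintenanceTask -SiteCode "PR1" -MaintenanceTaskName "Delete Inactive Client Discovery Data" `
    -Enabled $true -DeleteOlderThanDays 90 -DaysOfWeek Saturday
Set-Location $env:SystemDrive

# --- Client side ---
function Invoke-HeartbeatDdr {
    # {...003} is the well-known schedule ID of the Discovery Data Collection Cycle,
    # the same action as "Discovery Data Collection Cycle" in the Configuration Manager
    # control panel applet.
    $ddrCycle = "{00000000-0000-0000-0000-000000000003}"
    Invoke-CimMethod -Namespace "root\ccm" -ClassName SMS_Client -MethodName TriggerSchedule `
        -Arguments @{ sScheduleID = $ddrCycle } | Out-Null
    Start-Sleep -Seconds 30
    # The inventory agent logs the DDR it built; the line carries the schedule ID or the
    # DiscoveryData message type.
    Get-Content "$env:windir\CCM\Logs\InventoryAgent.log" -Tail 60 |
        Select-String "000000000003|DiscoveryData"
}

Invoke-HeartbeatDdr
```

On the site server, the incoming DDR is processed by the discovery data manager (ddm.log); if a heartbeat does not show up there a few minutes after the client sends it, the management point or inbox processing is the place to look next.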
The result of the discovery methods
Now let us see the results of running the discovery methods above.
conclusion
In this article we have configured the SCCM discovery methods.
In the next article we will see how to configure boundaries, and how to configure the network firewall to pass the required ports between the DMZ server farm and the LAN client computers.