Active Directory Discovery Explained
System Center 2012 Configuration Manager is, admittedly, something of an antique. The software started life as Systems Management Server (SMS) and has since evolved into Microsoft Endpoint Configuration Manager. Over the years many of its features have been stripped out and turned into their own products and tools, which demonstrates its value but also undercuts its continued usefulness.
If you find yourself using System Center 2012 Config Manager, you might struggle with finding resources helping you understand it. In this post, we cover how to use the Active Directory discovery methods that Config Manager makes possible, and how to make the most of the features and options that can be a little difficult to navigate.
What is Active Directory?
Quick Definition: Active Directory is a directory service developed by Microsoft for identifying, authenticating and authorizing the users and computers of a network. Active Directory (AD) was introduced with Windows 2000 Server and has shipped with every Windows Server version since. It is now more a set of processes and services than a single standalone service. Network administrators use Active Directory to create and manage domains, users and other objects within a network, giving them oversight and control of network usage and access.
What is Active Directory Discovery?
Quick Definition: Active Directory (AD) Discovery is the process Configuration Manager uses to find the things it can manage in an AD-controlled network. "Thing" may sound broad, but that's because there are different network objects at different levels of control and access in Active Directory. In Configuration Manager 2012, AD Discovery is a group of four discovery methods (listed alongside Heartbeat Discovery and Network Discovery) for identifying forests, groups, systems and users inside an AD-enabled network.
An Overview of Active Directory Discovery [VIDEO]
In this video, Greg Shields covers the new best practices for enabling Active Directory discovery methods in Configuration Manager 2012. If you’re running ConfigMgr, use this quick peek to double-check the settings in your own environment.
What is Systems Management Server (SMS)?
Quick Definition: Systems Management Server, or SMS, is one of the earliest network administration tools Microsoft developed for Windows networks. It was the tool administrators used to inventory hardware and software assets, distribute software and more. SMS has been renamed several times: in 2007 it became System Center Configuration Manager, and in 2019 Microsoft Endpoint Configuration Manager. Today it's usually just called "Config Manager" or "ConfigMgr".
SMS stands for Systems Management Server, but back before it was called Config Manager it was often referred to by a different name. Search right now for "what does SMS config manager stand for" and you'll find blog posts and replies calling it by its old nickname: "slow-moving software". SMS doesn't stand for slow-moving software, but some network administrators don't seem to realize that's not its real name.
Part of the reason for that name is all the time-outs and scheduling that goes on inside the config manager infrastructure deep under the covers. And previous versions of the application had interesting limitations that could make the speed of SMS even slower. Fortunately, a lot has changed and improved since elements of SMS got peeled off and given their own products and processes.
One of the ways in which they've improved is discovery methods – especially and particularly Active Directory discovery methods. This post is going to be a quick peek at some of the new best practices in enabling AD discovery methods in Config Manager 2012.
If you don't have Config Manager, pay particular attention. And if you do, double-check the settings in your own environment.
What are the Discovery Options in Configuration Manager?
We'll assume before we start that you've already set up some boundaries in Configuration Manager. (Boundaries are a Config Manager construct built from AD sites, IP subnets or IP ranges; they are not something you configure in AD itself.) With those assigned, the next thing to look at is the different Discovery Methods. We'll be walking through these options in Configuration Manager 2012 itself, so open the console and follow along.
Back in 2007, there were a bunch of discovery methods whose names did little but confuse people: "Active Directory System Group Discovery", "Active Directory Security Group Discovery", and so on. Thankfully, the 2012 release changed the naming to make things more obvious.
In the System Center 2012 Configuration Manager console, open the Administration workspace in the left pane. Under Overview, expand Hierarchy Configuration and click "Discovery Methods". The Active Directory methods in the resulting list are:
Active Directory Forest Discovery
Active Directory Group Discovery
Active Directory System Discovery
Active Directory User Discovery
The table also shows whether each discovery method is enabled or disabled, on which site, and gives a description. Heartbeat Discovery and Network Discovery appear in the same list, but they are not Active Directory methods, so we'll leave them aside here.
What is Active Directory Forest Discovery?
The first of these AD discovery methods is AD Forest Discovery. Double-click that entry to open its properties dialog. Active Directory Forest Discovery finds the Active Directory sites and IP subnets in your forest (and in any other forests you have added), which is exactly the information boundaries are built from.
So, whatever sites are out there, what are the subnets associated with those sites? Something that Config Manager made possible is that you can create boundaries from the information you discover in that Forest Discovery.
Notice the two check boxes. The first is "Automatically create Active Directory site boundaries when they are discovered". If we turn that on, every discovered AD site becomes a site boundary. The second is "Automatically create IP address range boundaries for IP subnets when they are discovered". Enabling that generates an IP address range boundary for every discovered subnet as well. Both are convenient, but they create a boundary for everything they find, so review the results before you add those boundaries to boundary groups.
Unlike the other discovery methods, Forest Discovery is not used for populating the Assets and Compliance Node, which you can find in the left sidebar. Forest Discovery is really for the entire site and hierarchy.
What we'll do is tick "Enable Active Directory Forest Discovery", click OK, and answer "Yes" when prompted to run a full discovery as soon as possible. Back in the Discovery Methods list, Forest Discovery now shows as "Enabled".
How Can Active Directory System Discovery Go Wrong?
After running Forest Discovery, we have to make some decisions. Back in the 2007 days, we had a certain notion of System Discovery. That notion went something like this: we might turn on AD System Discovery and say, "Go and grab all of the computers in my domain. Do that by searching through all child containers, and use the computer account of the site server to do that." With that instruction, SMS would go off and grab all of the computer accounts.
But there's a problem there. Consider this: in your Active Directory, can you honestly say that every computer account is a working computer? You might say yes, but I mean every single account.
There has to be that one computer, right? The stories change from place to place, but they all start sounding similar after a while. "Oh, yeah, Phil's computer used to be named 'Phil', but then Phil changed his name – or we fired Phil, and now Phil's computer is Bill, but we still have Phil's computer's account in AD." The bottom line is that something went sideways, and there's really no computer associated with that computer account.
So back in the day, turning on AD System Discovery could be a bad thing. The numbers vary, but generally about 80% of the accounts were good and 20% were dead, and there was no systematic way of knowing which were which. Administrators just knew that when it came time to run compliance reports on the latest patch of the month, about 20% of machines would never respond because they didn't actually exist.
Long story short, a lot of people told Microsoft on a regular basis, "You gotta fix this." And, in System Center 2012 Configuration Manager, they did. Thanks, Bill.
What Does Active Directory System Discovery Do?
If you double-click the AD System Discovery line in the Discovery Methods table, you'll get a properties dialog with a lot of opportunities to custom-tailor your discovery. We'll start on the "Options" tab, which is where the exclusions live.
This tab has two check boxes. The first, "Only discover computers that have logged on to a domain in a given period of time", tells Config Manager to find every computer account but keep only those whose last domain logon (the lastLogonTimestamp attribute) falls within the number of days you specify. The second, "Only discover computers that have updated their computer account password in a given period of time", keeps only accounts whose machine password (pwdLastSet) was changed within the given number of days. Both default to 90 days.
This may seem like an ordinary filter now, but at the time it mattered, and if you work with Config Manager 2012 you need to know it is there. The two filters catch different things. A machine that nobody ever logs on to, such as a kiosk or a lab box, never refreshes lastLogonTimestamp, but as long as it is domain-joined it still rotates its computer account password (every 30 days by default), so the password filter keeps it while the logon filter drops it. A machine that is actually in use passes both. An account with no real computer behind it, like Phil's, fails both once the thresholds expire.
So depending on whether you're interested in the machines that are actively being used or in every machine that is still network-attached, turn on one or both filters on this tab of the Active Directory System Discovery Properties. One caveat: domain controllers only replicate lastLogonTimestamp when it is more than 9 to 14 days out of date, so a logon threshold shorter than about two weeks is meaningless; the 90-day default is a sensible starting point.
If you've been working as a network administrator for a few years, you might remember a really old command-line tool. If your memory stretches all the way back to 1998, you might know OldCmp from joeware.net, and it is indeed old as dirt. You could use OldCmp to identify which computer accounts hadn't logged on in 90 days, and if you wanted, disable or remove those inactive accounts from Active Directory.
Now that we have Active Directory System Discovery in Config Manager, it's not hard to perform that same kind of inventory and filter on the same kind of data. And you can do the same thing directly with PowerShell too.
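As an added example (not code from the original post), here is the PowerShell version of the two Options-tab filters described above, applied outside Config Manager so you can see which computer accounts each filter would keep or drop. The function name Test-ComputerAccountStaleness, the sample computer objects and the fixed "now" date are all constructed for this example; the commented Get-ADComputer line is what you would feed it in a real domain (it needs the RSAT ActiveDirectory module).

```powershell
# Added example, not code from the original post. It reproduces the two
# AD System Discovery filters outside Config Manager so you can see which
# computer accounts each filter keeps. The sample objects below are
# constructed; the commented Get-ADComputer line is the real-domain input.

function Test-ComputerAccountStaleness {
    param(
        [Parameter(Mandatory)] [object[]]$Computers,  # Name, LastLogonTimestamp (Int64 FILETIME), PasswordLastSet (DateTime)
        [int]$LogonDays = 90,        # "Time since last logon (days)" on the Options tab
        [int]$PasswordDays = 90,     # "Time since last password update (days)"
        [datetime]$Now = (Get-Date)
    )
    foreach ($c in $Computers) {
        # lastLogonTimestamp is stored as a FILETIME; 0 or missing means the account never logged on.
        $lastLogon = if ($c.LastLogonTimestamp) { [DateTime]::FromFileTime($c.LastLogonTimestamp) } else { $null }
        $logonAge  = if ($lastLogon)         { ($Now - $lastLogon).Days }         else { [int]::MaxValue }
        $pwdAge    = if ($c.PasswordLastSet) { ($Now - $c.PasswordLastSet).Days } else { [int]::MaxValue }

        [pscustomobject]@{
            Name                 = $c.Name
            LastLogon            = $lastLogon
            PasswordLastSet      = $c.PasswordLastSet
            PassesLogonFilter    = ($logonAge -le $LogonDays)
            PassesPasswordFilter = ($pwdAge -le $PasswordDays)
        }
    }
}

# Constructed sample standing in for Get-ADComputer output (dates relative to a fixed "now").
$now = Get-Date '2013-06-01'
$sample = @(
    [pscustomobject]@{ Name = 'WS-BILL';  LastLogonTimestamp = $now.AddDays(-3).ToFileTime();   PasswordLastSet = $now.AddDays(-10) }   # in daily use
    [pscustomobject]@{ Name = 'KIOSK-01'; LastLogonTimestamp = $now.AddDays(-200).ToFileTime(); PasswordLastSet = $now.AddDays(-12) }   # nobody logs on, still domain-joined
    [pscustomobject]@{ Name = 'WS-PHIL';  LastLogonTimestamp = $now.AddDays(-400).ToFileTime(); PasswordLastSet = $now.AddDays(-400) }  # account with no machine behind it
    [pscustomobject]@{ Name = 'NEVER-01'; LastLogonTimestamp = 0;                                PasswordLastSet = $null }              # pre-staged, never joined
)

# Real domain (RSAT ActiveDirectory module): uncomment to replace the constructed sample.
# $sample = Get-ADComputer -Filter * -Properties LastLogonTimestamp, PasswordLastSet

$result = Test-ComputerAccountStaleness -Computers $sample -Now $now
$result | Format-Table -AutoSize

# Accounts that fail both filters are the "Phil's computer" cases worth cleaning up.
$result | Where-Object { -not $_.PassesLogonFilter -and -not $_.PassesPasswordFilter } |
    Select-Object -ExpandProperty Name
```

With the constructed sample, WS-BILL passes both filters, KIOSK-01 fails the logon filter but passes the password filter (a live machine nobody logs on to), and WS-PHIL and NEVER-01 fail both. Remember that lastLogonTimestamp is replicated lazily, so the logon age you see can be up to two weeks behind the real last logon; that is why the 90-day default is comfortably above the replication window.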
How to Set Up a Polling Schedule in Configuration Manager
After enabling System Discovery and choosing the options you want, set the polling schedule on the "Polling Schedule" tab. Discovery now has two parts. A full poll walks the whole directory on the schedule you set, once every seven days by default. Between full polls, Delta Discovery runs every five minutes by default and pulls in only the objects that have been added or modified since the last poll. That is what saves resources: you no longer need a frequent full poll to see new machines quickly.
In addition to changing how frequently data is pulled, you can also change which attributes are discovered. In the same dialog, click the "Active Directory Attributes" tab to see which attributes can be added to the data pull.
By default, there are a number of object attributes that get discovered. In addition to those, additional attributes can be added so that your Discovery Data is that much more useful.
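As an added example (not code from the original post), the same settings the post walks through in the console, the Forest Discovery boundary options, the System Discovery staleness filters, the full and delta polling schedule and the extra Active Directory attributes, applied from the Configuration Manager PowerShell module that ships with the 2012 SP1 and later consoles. The site code 'PS1', the two extra attributes, and the exact Set-CMDiscoveryMethod parameter names are assumptions taken from the ConfigMgr cmdlet reference; confirm them for your console version with Get-Help Set-CMDiscoveryMethod -Full before running.

```powershell
# Added example, not code from the original post: the console settings
# discussed above applied from the Configuration Manager PowerShell module
# (2012 SP1 or later). Assumptions: site code 'PS1' and the parameter names
# of Set-CMDiscoveryMethod as listed in the ConfigMgr cmdlet reference;
# check them against your console version before running.

Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location 'PS1:'   # the site drive the module creates; replace with your site code

# Forest Discovery: discover AD sites and subnets, but leave automatic boundary
# creation off until you have reviewed what it would add.
Set-CMDiscoveryMethod -ActiveDirectoryForestDiscovery -SiteCode 'PS1' -Enabled $true `
    -EnableActiveDirectorySiteBoundaryCreation $false `
    -EnableSubnetBoundaryCreation $false

# System Discovery: full poll weekly, delta every 5 minutes, both staleness
# filters at the 90-day default, plus two extra attributes in the discovery data.
$weekly = New-CMSchedule -RecurInterval Days -RecurCount 7
Set-CMDiscoveryMethod -ActiveDirectorySystemDiscovery -SiteCode 'PS1' -Enabled $true `
    -PollingSchedule $weekly `
    -EnableDeltaDiscovery $true -DeltaDiscoveryMins 5 `
    -EnableFilteringExpiredLogon $true -TimeSinceLastLogonDays 90 `
    -EnableFilteringExpiredPassword $true -TimeSinceLastPasswordUpdateDays 90 `
    -AddAdditionalAttribute 'description', 'whenCreated'

# Read back what the site now has configured.
Get-CMDiscoveryMethod -Name ActiveDirectorySystemDiscovery -SiteCode 'PS1'
```

Keeping the two automatic boundary options off in the Forest Discovery call is a deliberate choice: it lets you look at the discovered sites and subnets in the console first and decide which of them deserve to become boundaries, rather than creating one for everything the forest happens to contain.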
Obviously these are just a few of the many options that Configuration Manager makes possible when working with Active Directory.