Let’s configure SCCM Active Directory System Discovery. You can discover the systems and users in your network once you have built a new ConfigMgr primary server; I have a separate post on building one.
Active Directory system and user discovery are among the first steps you perform when configuring a new SCCM infrastructure. Once SCCM discovers these users and systems, it gains the ability to manage them.
The SCCM AD system discovery is a must for proper management of Windows 11 or Windows 10 devices using ConfigMgr. Using the AD system discovery you can also create SCCM Collections based on Active Directory OU.
ConfigMgr Client Install – Install SCCM Client Manually Using Command Line
Related Post – Extend AD Schema for SCCM | ConfigMgr. More details “Learn How to Extend AD Schema for SCCM | ConfigMgr | MEMCM.”
What is SCCM Discovery?
You use one or more discovery methods in SCCM to find the device and user resources that you want to manage. There are several different methods to discover users and resources from your network perimeter. I recommend using Active Directory as your source for SCCM discovery.
SCCM discovery methods find different devices on your network (devices and users from AD, or users from Azure AD). I don’t recommend using network discovery. Heartbeat discovery is switched ON by default, and I don’t recommend disabling it.
Related Topic – ConfigMgr Client Action Discovery Data Collection Cycle
When an SCCM discovery method successfully finds information about a resource, it puts that information into a file called a discovery data record (DDR). That file is then processed by a primary or CAS site. Processing of a DDR creates a new record in the site database for newly discovered resources, or updates existing records with new information.
There are some prerequisites that the SCCM server will check before creating DDR for each of the discovered objects. One of them is a valid DNS record for the device object if it’s a device resource.
How to Configure SCCM Active Directory System Discovery
ConfigMgr discovery methods find different devices on your network, devices, and users from Active Directory or users from Azure Active Directory (Azure AD).
Use the Active Directory System Discovery method to search the specified Active Directory Domain Services locations for computer resources. Once a resource is discovered, a corresponding record is created in SCCM that can be used to create collections and queries.
NOTE! – You can also install the Configuration Manager client on a discovered device by using client push installation.
Configure Active Directory System Discovery
Let’s start the Configuration Manager discovery process to manage AD system records.
As part of AD system discovery, you will need to make sure that there is a valid DNS record for all the devices discovered from AD. Otherwise, SCCM won’t create device records for those discovered systems from AD.
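Before pointing discovery at an OU, it helps to know which computer objects SCCM will skip because they have no resolvable DNS record, and which ones are stale enough that the discovery's "days since last logon" filter (90 days in the log later in this post) would drop them if you enabled it. The following PowerShell is an added example, not from the original post; it assumes the ActiveDirectory and DnsClient modules are present on the machine you run it from, and the OU path is a placeholder.

```powershell
# Added example (not from the original post). Pre-checks an OU for AD System
# Discovery: SCCM only writes a DDR for a computer object with a valid DNS record,
# so list the objects that will be skipped, and flag stale accounts that the
# "filter expired logon" option would exclude if you turn it on.
param(
    [string]$SearchBase   = 'OU=Workstations,DC=memcm,DC=com',  # placeholder OU
    [int]$StaleAfterDays  = 90                                  # matches the log's default
)

Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$StaleAfterDays)

$report = Get-ADComputer -SearchBase $SearchBase -Filter * -Properties DNSHostName, LastLogonDate |
    ForEach-Object {
        $fqdn      = $_.DNSHostName
        $addresses = @()
        if ($fqdn) {
            try {
                # Forward lookup only: SCCM needs the host record to exist
                $addresses = (Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop |
                    Where-Object { $_.IPAddress }).IPAddress
            } catch {
                $addresses = @()   # NXDOMAIN or DNS failure: SCCM will not create a DDR
            }
        }
        [pscustomobject]@{
            Name         = $_.Name
            DNSHostName  = $fqdn
            HasDnsRecord = [bool]$addresses
            IPAddresses  = ($addresses -join ', ')
            LastLogon    = $_.LastLogonDate
            Stale        = (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $cutoff)
        }
    }

# Objects that will be discovered but never become device records
$noDns = @($report | Where-Object { -not $_.HasDnsRecord })
$noDns | Format-Table Name, DNSHostName, LastLogon -AutoSize

# Objects the logon-age filter would keep out of the SCCM database
$stale = @($report | Where-Object { $_.Stale })

'{0} computer objects, {1} without a resolvable DNS record, {2} with no logon in {3} days' -f `
    @($report).Count, $noDns.Count, $stale.Count, $StaleAfterDays
```

Run it as an account with read access to the OU; a non-empty stale list is a good reason to enable the last-logon and password-age filters in the discovery properties so that dead accounts are not targeted by client push.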
Launch Configuration Manager Console. Navigate via \Administration\Overview\Hierarchy Configuration\Discovery Methods.
Right-click Active Directory System Discovery and click Properties.
Enable Active Directory System Discovery. Click the * button to add an Active Directory container: select a specific OU, or discover the systems from the entire Active Directory domain.
Click on BROWSE from Active Directory Container. Select the OU from where you want to discover the computer.
Select MEMCM and Click OK to discover all the computers in the Active directory for my test lab.
NOTE! – For a production environment, I would recommend selecting a particular OU rather than the entire Active Directory domain.
Click OK to continue.
Click OK again to complete the SCCM Active Directory System Discovery configuration.
Select YES to continue with FULL discovery. “Do you want to run FULL discovery as soon as possible?”
Confirmation | Verification – Configure SCCM Active Directory System Discovery
Let’s check the SCCM log file called ADSYSDIS.log to confirm whether the Active Directory system discovery configuration works fine.
Some of the important steps notified in the log file snippet below:
- Valid Search Scope Name: LDAP://DC=memcm,DC=com
- Starting the data discovery
- Full synchronization requested
- discovered object with ADsPath
- DDR was written for the system ‘ADMEMCM’
- successfully completed directory search~
SMS_EXECUTIVE started SMS_AD_SYSTEM_DISCOVERY_AGENT as thread ID 8144 (0x1FD0)
** Service Thread is starting **~
Connecting to site server's (\CMMEMCM.memcm.com) registry~
Inbox source is local on CMMEMCM.MEMCM.COM
Component setting of ACTIVE was specified in the site control file.~
Removing redundant containers and validating them…~
INFO: No AD Containers Exclusions property list specified in site control file.
The Run Count value in the site control file is 1.~
The Schedule token value in the site control file is 000120000010A000.~
Incremental synchronization is enabled.~
The Full Synchronization Schedule token value in the site control file is 0001170000100038.~
Filtering Last Logon Timestamp is disabled.~
Days of Logon Timestamp is 90.~
Filtering Last Password Set is disabled.~
Days of Last Password Set is 90.~
Optional attributes count = 0
!!!!Valid Search Scope Name: LDAP://DC=memcm,DC=com
Search Path: LDAP://DC=MEMCM,DC=COM
IsValidPath: TRUE
Starting the data discovery.~
Connecting to site server's (\CMMEMCM.memcm.com) registry~
INFO: Succeed to clean up meta data in DB.
INFO: -------- Starting to process search scope (LDAP://DC=memcm,DC=com) --------
INFO: Processing search path: 'LDAP://DC=MEMCM,DC=COM'.~
INFO: Full synchronization requested~
INFO: New DC DNS name = 'ADMEMCM.memcm.com'~
INFO: New highest committed USN = '55699'~
0> INFO: New service object invocation Id = '3706bc8949381a48b752fcdd2b31454b'~
INFO: Search provider = 'LDAP'~
INFO: discovered object with ADsPath = 'LDAP://ADMEMCM.MEMCM.COM/CN=ADMEMCM,OU=Domain Controllers,DC=memcm,DC=com'~
INFO: DDR was written for system 'ADMEMCM' - F:\Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box\adse9mg1.DDR at 3/7/2020 11:29:30.
INFO: discovered object with ADsPath = 'LDAP://ADMEMCM.MEMCM.COM/CN=SQLMEMCM,CN=Computers,DC=memcm,DC=com'~
$$<03-07-2020 11:29:30.889+00> INFO: successfully completed directory search~
INFO: -------- Finished to process search scope (LDAP://DC=memcm,DC=com)
STATMSG: ID=5202 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AD_SYSTEM_DISCOVERY_AGENT" SYS=CMMEMCM.MEMCM.COM SITE=MEM PID=3716 TID=8144 GMTDATE=Sat Mar 07 11:29:31.001 2020 ISTR0="1" ISTR1="5" ISTR2="5" ISTR3="0" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
*** Shutting Down **~
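Reading ADSYSDIS.log by eye works for a two-machine lab but not for a domain. The following PowerShell is an added example, not from the original post; it pulls out the milestones listed above, compares objects discovered with DDRs actually written, and surfaces any STATMSG that is not informational (such as the bind failure a reader reports in the comments). The log path is the install location seen in the log above; adjust it for your site.

```powershell
# Added example (not from the original post): summarise ADSYSDIS.log.
param([string]$LogPath = 'F:\Program Files\Microsoft Configuration Manager\Logs\adsysdis.log')

$lines = Get-Content -Path $LogPath

# Milestones the post walks through; each should appear at least once per cycle
$milestones = [ordered]@{
    'Valid search scope'         = 'Valid Search Scope Name:'
    'Full synchronization'       = 'Full synchronization requested'
    'Directory search completed' = 'successfully completed directory search'
}
foreach ($m in $milestones.GetEnumerator()) {
    $hit = @($lines | Select-String -SimpleMatch $m.Value).Count -gt 0
    '{0,-28} {1}' -f $m.Key, $(if ($hit) { 'OK' } else { 'MISSING' })
}

# Objects discovered vs. DDRs written; an object with no DDR was skipped
# (for example because it has no valid DNS record, as noted above)
$discovered = $lines | Select-String -Pattern "discovered object with ADsPath = '([^']+)'" |
    ForEach-Object { $_.Matches[0].Groups[1].Value }
$ddrs = $lines | Select-String -Pattern "DDR was written for system '([^']+)'" |
    ForEach-Object { $_.Matches[0].Groups[1].Value }
"Discovered objects : $(@($discovered).Count)"
"DDRs written       : $(@($ddrs).Count)"
$discovered |
    Where-Object { ($_ -replace '^.*?/CN=([^,]+),.*$', '$1') -notin $ddrs } |
    ForEach-Object { "  no DDR for $_" }

# Status messages with error or warning severity, with their first two strings
$lines | Select-String -Pattern 'STATMSG: ID=(\d+) SEV=([EW]).*?ISTR0="([^"]*)" ISTR1="([^"]*)"' |
    ForEach-Object {
        $g = $_.Matches[0].Groups
        'STATMSG {0} severity {1}: {2} {3}' -f $g[1].Value, $g[2].Value, $g[3].Value, $g[4].Value
    }
```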
Results – ConfigMgr AD System Discovery
Let’s check the console to see whether the system or computer records are available under the All Systems node.
Navigate to \Assets and Compliance\Overview\Devices\All Systems
NOTE! – Now that the system or computer records are in the SCCM DB, you can install the ConfigMgr client on these computer records. ConfigMgr Client Install – Install SCCM Client Manually Using Command Line
Anoop C Nair is a Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
7 thoughts on “How to Configure SCCM Active Directory System Discovery”
We recently may have had a password change. But for system discovery, we get this in the logs.
ISTR0=”LDAP://DC=AIIG,DC=LOCAL” ISTR1=”The user name or password is incorrect.~~” ISTR2=”” ISTR3=”” ISTR4=”” ISTR5=”” ISTR6=”” ISTR7=”” ISTR8=”” ISTR9=”” NUMATTRS=0 LE=0X0 $$
I am thinking the password had been changed by Thycotic. Is there a password for this I can update inside configuration manager or do we need to just ensure the correct password exists in AD. We are leveraging a service account to impersonate a user. Doesn’t appear to be permission related but rather AD account access. It’s the area where it says Active Directory Discovery Account, Specify an account.
If in case the AD domain is not connected to the SCCM console, how can I solve the issue?
You just need to have read-only access and you will need to open the firewall ports to reach AD domain from SCCM servers.
Anoop – can LDAP 389 be disabled (b/c of vulnerabilities) and LDAPS 636 be used in its place for this?
Chris – As per the logs LDAP://DC=MEMCM,DC=COM always use LDAP. But if LDAP is not reachable I don’t know whether SCCM will try to use LDAPS or not. I never tested this scenario. So I can’t confirm.
Can I use my work or school AD account for Azure AD setup? How do I set that up?
Are you referring to the Manual Process for joining devices to Azure AD? https://www.anoopcnair.com/windows-11-azure-ad-join-manual-process-10/