After completing the installation of SCCM 2012 R2, you will have to perform some initial configuration before you can start assigning clients to the site. Discovery can be used to locate potential clients before installing client software on those systems, to create custom queries and collections based on the discovered objects, or to determine whether clients are still healthy and reachable. Boundaries can, through Boundary Groups, be used for assigning clients to sites or for finding content and policy servers. In this blog post we will go through the process of configuring Discovery Methods, Boundaries and Boundary Groups.
1. Discovery Methods
Discovery is the process by which ConfigMgr finds objects in your infrastructure and keeps them up to date in the ConfigMgr database. Objects can be users, groups, computers and even certain types of network infrastructure resources. When an object is discovered, the discovery method creates a DDR (Data Discovery Record) file with basic data about the object.
The CAS or a primary site processes the DDR, inserting the discovery data into the site database and replicating it throughout the hierarchy. DDRs are the main way of telling a ConfigMgr site crucial details about clients. A DDR for a computer object, for example, will include information such as its NetBIOS name, FQDN, MAC address and other unique information about that computer. Once you install the client on a computer, more information about the object will be added to the DDR. Discovery information can be used to create custom queries and collections that logically group resources for management tasks such as the assignment of custom client settings and software deployments.
SCCM 2012 R2 offers six different configurable discovery methods, and one that is not configurable. All discovery methods are configured by navigating to Administration -> Hierarchy Configuration -> Discovery Methods.
I just want to mention two side notes before we dive into the different discovery methods.
- The Authenticated Users group has Read permissions on the Domain object, so the site server’s computer account can be specified as the AD Group/User/System discovery account, unless you don’t want to burden the site server with this task, in which case you can define a user account to perform this task.
- Delta discovery, which runs by default every 5 minutes, will only discover any changes made to the objects. The process will discover when you modify existing objects, such as adding an existing computer account to an existing group. By using delta discovery in conjunction with the collection property Use Incremental Updates For This Collection, you can reflect all changes in the collection within 10 minutes. Five minutes for the delta discovery and five more minutes for the incremental collection update.
1.1 Heartbeat Discovery
This is the only discovery method that is enabled by default. It is recommended not to disable it, as ConfigMgr uses this discovery method to determine if clients are healthy and reachable. When a device installs the ConfigMgr client, it sends a heartbeat discovery record, bringing the new resource into the database. Ergo, it's the computer account of the client that initiates the discovery process.
The only configurable option for Heartbeat Discovery is how often it should run.
You can configure when to delete an inactive client from the ConfigMgr site database, by using Heartbeat Discovery in conjunction with the Delete Aged Discovery Data Site Maintenance task.
1.2 Active Directory Forest Discovery
This discovery method returns information about AD subnets and AD sites. You can automatically add discovered AD subnets and AD sites as boundaries. AD subnets will be added as IP address range boundaries, not as IP subnet boundaries.
It only discovers information in those forests that are created as AD Forest objects in the Administration workspace. The local forest and trusted forests are automatically created. To add an AD Forest object, navigate to Administration -> Hierarchy Configuration -> Active Directory Forests, then select Add Forest in the ribbon bar or the right-click context menu.
These are the different configurations you can make for an AD Forest object. The different options are self-explanatory.
1.3 Active Directory User Discovery
This discovery method is used to discover user objects in AD. It is not used at all in the client deployment process but plays an important part in the user-centric application model. By enabling this method you can discover user objects, to whom you can target different deployments such as applications.
1.3.1 To specify AD Containers to search in, click on the starburst icon
1.3.2 Click on Browse (Alternatively you can enter an LDAP or Global Catalog Query manually)
1.3.3 Select a Container, click OK
1.3.4 Configure the remaining options if you like, then click OK. The option Discover Objects Within Active Directory groups is especially useful in scenarios where you want the AD User Discovery method to find user objects within AD groups.
1.3.5 On the Polling Schedule tab you can configure options related to full and delta discovery.
1.3.6 Attributes can be specified for AD User Discovery on the Active Directory Attributes tab. The information you specify will be added to the discovery data and used in queries and reports like any other discovery information.
1.4 Active Directory System Discovery
This discovery method is used to discover computer resources in the specified AD Domain Services locations. The ConfigMgr client can subsequently be installed on the discovered computers by use of client push installation. To successfully create a discovery data record (DDR) for a computer, Active Directory System Discovery must be able to identify the computer account and then successfully resolve the computer name to an IP address.
1.4.1 To specify AD Containers to search in, click on the starburst icon
1.4.2 Click on Browse (Alternatively you can enter an LDAP or Global Catalog Query manually)
1.4.3 Select a Container, click OK
1.4.4 Configure the remaining options if you like, then click OK. The option Discover Objects Within Active Directory groups is especially useful in scenarios where you want the AD System Discovery method to find computer objects within AD groups.
1.4.5 On the Polling Schedule tab you can configure options related to full and delta discovery.
1.4.6 Attributes can be specified for AD System Discovery on the Active Directory Attributes tab. The information you specify will be added to the discovery data and used in queries and reports like any other discovery information.
1.4.7 On the Options tab, you can configure options that help prevent discovering stale computer accounts in AD.
1.5 Active Directory Group Discovery
This discovery method lets you discover AD groups and their memberships. It inventories groups, group membership, group membership relations, and basic information about the objects that are members of these discovered groups if these resources are not already discovered by other discovery methods. Because this discovery method is not optimized to discover computer and user resources, it's recommended to run it after having run AD System Discovery and AD User Discovery.
1.5.1 To search for objects within a specific group, click on Add -> Groups on the General tab
1.5.2 Enter a Name to reflect the group(s) you want to add, then click on Browse (will open the select groups dialog box, where you can search for groups by name) or Add (will allow you to specify the distinguished name(s) of groups you want to add). Configure the remaining options if you like, then click OK.
1.5.3 To search for all groups in a specific location, click on Add -> Location in the General tab
1.5.4 Enter a Name to reflect the group(s) you want to add, then specify path manually or click on Browse to browse for a container. Configure the remaining options if you like, then click OK.
1.5.5 On the Polling Schedule tab you can configure options related to full and delta discovery.
1.5.6 On the Options tab, you can configure options that help prevent discovering stale computer accounts in AD. And you can also enable discovering the membership of distribution groups. Distribution groups are not discovered as group resources.
1.6 Network Discovery
Network Discovery searches your network infrastructure for devices that have an IP address, and can find devices such as computers, printers, routers, and bridges. It's generally not recommended to enable this discovery method unless absolutely necessary, such as if you have many workgroup clients in your environment. This discovery method can also discover network topology data. Discovered information can be used in queries, collections, and reports.
1.6.1 There are three types (levels) of discovery; you must specify one of them:
- Topology – Discovers routers and subnets.
- Topology and client – Discovers routers, subnets, computers, printers, etc.
- Topology, client, and client operating system – In addition to topology and potential clients, this level attempts to discover the computer OS name and version.
1.6.2 On the Subnets, Domains and SNMP Devices tabs, you can specify SNMP devices, domains and subnets, in which to discover resources. Local subnet and local domain of the site server are defined by default.
1.6.3 On the SNMP tab, you can specify a list of SNMP community names and the maximum number of router hops for the discovery process.
1.6.4 On the DHCP tab, you can specify DHCP servers, to discover DHCP clients of those servers. The DHCP servers must run a Microsoft implementation of DHCP.
1.6.5 On the Schedule tab, you can specify when to run Network Discovery, and the duration of it.
1.7 Server Discovery
Configuration Manager also uses a process named Server Discovery (SMS_WINNT_SERVER_DISCOVERY_AGENT) as a discovery method. This discovery method creates resource records for computers that are site systems, such as a computer that is configured as a management point. This method of discovery runs daily and is not configurable.
2. Boundaries and Boundary Groups
A boundary is a network location on the intranet that can contain one or more devices that you want to manage. Internet-based clients do not use boundary information.
2.1.1 To create a Boundary, navigate to Administration -> Hierarchy Configuration -> Boundaries, then select Create Boundary in the ribbon bar or the right-click context menu
2.1.2 It's possible to create four types of boundaries:
- IP Subnet – You define a Subnet ID.
- AD Site – You specify an Active Directory site. Obviously several subnets can belong to an AD site.
- IPv6 prefix – Specify an IPv6 prefix.
- IP Address range – Specify a range of IP addresses.
Microsoft recommends leveraging boundary types in the following order of priority (based on how much strain they put on SQL Server): AD sites, IP subnet/IPv6 and finally IP address range. But opinions differ on this, and most administrators actually prefer to use the IP address range type because of its inherent characteristics.
2.1.3 On the Boundary Groups tab, you can add the boundary to one or more Boundary Groups
Overlapping boundary configurations for content location are supported in SCCM 2012 R2. If a client's network location belongs to multiple boundary groups, a list of Distribution Points and State Migration Points is sent to the client when it requests content or state migration information. This behavior enables the client to select the nearest server from which to transfer the content or state migration information.
2.2 Boundary Groups
Boundary Groups are collections of boundaries. To use a boundary, it must be added to one or more boundary groups, because boundaries in themselves cannot be used to manage clients. Boundary groups without assigned boundaries serve no purpose.
Boundary Groups can be used for assigning clients to sites or finding content servers (Distribution Points and State Migration Points). Beginning with SCCM 2012 SP2 and SCCM 2012 R2 SP1, boundary groups can also provide clients with a list of preferred management points. Clients will try to use a preferred management point before using management points that are not associated with the client's boundary. Clients that fall into a boundary assigned to a boundary group will use the settings defined in that boundary group.
2.2.1 To create a Boundary group, navigate to Administration -> Hierarchy Configuration -> Boundary Groups, then select Create Boundary Group in the ribbon bar or the right-click context menu
2.2.2 Specify a name for the group, then click Add
2.2.3 Select boundaries to add to the boundary group, click OK
2.2.4 On the References tab, you can specify options for the three functions boundary groups serve:
- Use this boundary group for site assignment – This function enables automatic site assignment; in other words, it enables clients to find a primary site for client assignment. It also determines the ConfigMgr site that performs client push installation.
- Select site system servers – Determine which Distribution Points, State Migration Points and Management Points clients should use. The network connection speed value is used by Distribution Points and can be configured as slow or fast. The network connection speed and the deployment configuration determine whether a client can download content from a distribution point when the client is in an associated boundary group.
If a client does not fall into a boundary associated with a boundary group, you have to assign it to a site manually, either through client installation properties or the Configuration Manager Control Panel applet.
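To audit the behavior described above before relying on it, the following added example (not part of the original post and not ConfigMgr's own code) models IP address range boundaries in plain PowerShell: it resolves which boundary groups a client address falls into and lists overlapping ranges. The boundary names, ranges and group names are constructed sample data, and the function names are hypothetical helpers, not ConfigMgr cmdlets.

```powershell
# Constructed sample data: boundary names, IP ranges and group names are hypothetical.
$Boundaries = @(
    [pscustomobject]@{ Name = 'HQ-LAN';    Start = '10.10.0.1';   End = '10.10.0.254'; Groups = @('BG-HQ') }
    [pscustomobject]@{ Name = 'HQ-WiFi';   Start = '10.10.0.200'; End = '10.10.1.254'; Groups = @('BG-HQ', 'BG-Guest') }
    [pscustomobject]@{ Name = 'Branch-01'; Start = '10.20.0.1';   End = '10.20.0.254'; Groups = @('BG-Branch') }
)

function ConvertTo-IPv4Number {
    # Turn a dotted IPv4 address into an unsigned integer so ranges can be compared.
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "Not an IPv4 address: $Address" }
    if ([System.BitConverter]::IsLittleEndian) { [array]::Reverse($bytes) }
    [System.BitConverter]::ToUInt32($bytes, 0)
}

function Get-MatchingBoundary {
    # Return every boundary whose range contains the client address.
    param([Parameter(Mandatory)][string]$ClientIP,
          [Parameter(Mandatory)][object[]]$Boundary)
    $ip = ConvertTo-IPv4Number $ClientIP
    $Boundary | Where-Object {
        $ip -ge (ConvertTo-IPv4Number $_.Start) -and $ip -le (ConvertTo-IPv4Number $_.End)
    }
}

function Find-BoundaryOverlap {
    # Two ranges overlap when each one starts before the other ends.
    param([Parameter(Mandatory)][object[]]$Boundary)
    for ($i = 0; $i -lt $Boundary.Count; $i++) {
        for ($j = $i + 1; $j -lt $Boundary.Count; $j++) {
            $a = $Boundary[$i]; $b = $Boundary[$j]
            if ((ConvertTo-IPv4Number $a.Start) -le (ConvertTo-IPv4Number $b.End) -and
                (ConvertTo-IPv4Number $b.Start) -le (ConvertTo-IPv4Number $a.End)) {
                [pscustomobject]@{ First = $a.Name; Second = $b.Name }
            }
        }
    }
}

# Boundary groups that apply to one client address, then all overlapping range pairs.
(Get-MatchingBoundary -ClientIP '10.10.0.220' -Boundary $Boundaries).Groups | Sort-Object -Unique
Find-BoundaryOverlap -Boundary $Boundaries
```

An address for which `Get-MatchingBoundary` returns nothing corresponds to a client outside every boundary, which is the manual site assignment case.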