Archives for: December 2008

A question I often get is; does ConfigMgr integrate with Active Directory? The answer is a tricky one since you can say; yes and no.

My perspective of integration is a two way dynamic process between multiple applications. The most common use of Active Directory with ConfigMgr is discovery and to extend the Active Directory schema. The extension allows ConfigMgr to publish data in a container named ‘System Management’ which is a sub of the Active Directory System container.

The System Management container is not created by default so this should be done by hand with the ADSIEDIT tool.
All site system computer accounts must have rights on this sub-container to publish their data. An important note on this subject; also Secondary Site and rights are only required on the sub-container, not the System container and all child objects.

The advantage of using the Active Directory this way is that clients can locate the ConfigMgr server through Active Directory. If you don’t want to extend the schema you must configure a Server Locator Point in WINS and a Management Point in DNS or you should provide the path to the server in the commandline when installing the ConfigMgr client.

You want my advice…., always extend the schema! By the word ‘Schema’ most administrator get a frightened look on their face but believe me I have never faced any issues and so are some other consultants or program managers of Microsoft.

The following article of Microsoft helps you to decide whether or not to extend the schema:
http://technet.microsoft.com/en-us/library/bb694066.aspx
This article describes how to extend the schema:
http://technet.microsoft.com/en-us/library/bb680608.aspx

The ConfigMgr Management Point data in Active Directory:

So this is an example of one way integration; ConfigMgr publishing data in Active Directory. There is also another advantage of using Active Directory data in ConfigMgr.

In an earlier post I already talked about deploying ConfigMgr packages through Active Directory groups. This is a great example and also the use of the ConfigMgr discovery methods like; Active Directory System Discovery, User discovery, System Group discovery and Security Group discovery.
With these discovery methods you can query the entire domain of a specific Organisational Unit to discover systems in your organizations. When they are discovered you can deploy the ConfigMgr client to them so they can be managed with ConfigMgr.

Active Directory System discovery method in ConfigMgr:

We discussed two ways of using Active Directory, why is not fully integrated then? Well it is not dynamic. Especially for the last example, when you for instance delete a computeraccount object in Active Directory it will remain in the ConfigMgr database. So there is no dynamic / pro-active integration there.
Microsoft is aware of this and to get more grip on this you can configure the; Delete Aged Discovery Task in ConfigMgr.

This task will delete only the resources that have not been updated by any discovery method for the designated period that you can configure (Let's say 14 days). So the workstations will remain in the collection until that task runs, with the assumption nothing else has discovered them.
The task is located under: Site Database, Site Management, Your Site, Site Maintenance and then Tasks.
As you can see, the task is enabled by default and set to delete data older than 90 days.

So is there integration well yes and no. It’s more of what your perspective of integration is.