Planning for Discovery in Configuration Manager

Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

System Center 2012 Configuration Manager discovery identifies the computer and user resources that you can manage by using Configuration Manager. It can also discover the network infrastructure in your environment.

When discovery of a resource succeeds, discovery writes information about the resource to a file that is referred to as a discovery data record (DDR). Site servers process DDRs and enter the data into the Configuration Manager database, where it is replicated by database replication to all sites. This replication makes discovery data available at each site in the hierarchy, regardless of where it was discovered or processed.

You can use discovery information to create custom queries and collections that logically group resources for management tasks such as the assignment of custom client settings and software deployments. Computers must be discovered before you can use client push installation to install the Configuration Manager client on devices.

Use the following sections to help you plan for discovery in Configuration Manager:

  • Discovery Methods in Configuration Manager

  • Decide Which Discovery Methods to Use

  • About Active Directory System, User, and Group Discovery Methods

    • Shared Discovery Options

    • Active Directory System Discovery

    • Active Directory User Discovery

    • Active Directory Group Discovery

  • About Active Directory Forest Discovery

  • About Delta Discovery

  • About Heartbeat Discovery

  • About Network Discovery

  • About Discovery Data Records

  • Decide Where to Run Discovery

  • Best Practices for Discovery

What’s New in Configuration Manager

Note

The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.

System Center 2012 Configuration Manager introduces the following changes for discovery:

  • Each discovery data record is processed and entered into the database one time only, at a primary site or central administration site, and then the discovery data record is deleted without additional processing.

  • Discovery information entered into the database at one site is shared to each site in the hierarchy by using Configuration Manager database replication.

  • Active Directory Forest Discovery is a new discovery method that can discover subnets and Active Directory sites, and can add them as boundaries for your hierarchy.

  • Active Directory System Group Discovery has been removed.

  • Active Directory Security Group Discovery is renamed to Active Directory Group Discovery and discovers the group memberships of resources.

  • Active Directory System Discovery and Active Directory Group Discovery support options to filter out stale computer records from discovery.

  • Active Directory System, User, and Group Discovery support Active Directory Delta Discovery. Delta Discovery is improved from Configuration Manager 2007 R3 and can now detect when computers or users are added or removed from a group.

Discovery Methods in Configuration Manager

Before you enable discovery methods for Configuration Manager, ensure that you understand what each method can discover. Because discovery can generate a large volume of network traffic, and processing the resulting DDRs can consume significant CPU resources on the site server, plan to use only the discovery methods that you require to meet your goals. One or two discovery methods are often sufficient, and you can always enable additional methods in a controlled manner to extend discovery in your environment.

Use the following table to help you plan for each of the six configurable discovery methods.

Discovery method: Active Directory Forest Discovery

Enabled by default: No

Accounts that run discovery: Active Directory Forest Discovery Account, or the computer account of the site server

More information:

  • Can discover Active Directory sites and subnets, and then create Configuration Manager boundaries for each site and subnet from the forests that you have configured for discovery. When Active Directory Forest Discovery identifies a supernet that is assigned to an Active Directory site, Configuration Manager converts the supernet into an IP address range boundary.

  • Supports a user-defined account to discover resources for each forest.

  • Can publish to the Active Directory Domain Services of a forest when publishing to that forest is enabled, and the specified account has permissions to that forest.

Discovery method: Active Directory System Discovery

Enabled by default: No

Accounts that run discovery: Active Directory System Discovery Account, or the computer account of the site server

More information:

  • Discovers computers from the specified locations in Active Directory Domain Services.

Discovery method: Active Directory User Discovery

Enabled by default: No

Accounts that run discovery: Active Directory User Discovery Account, or the computer account of the site server

More information:

  • Discovers user accounts from the specified locations in Active Directory Domain Services.

Discovery method: Active Directory Group Discovery

Enabled by default: No

Accounts that run discovery: Active Directory Group Discovery Account, or the computer account of the site server

More information:

  • Discovers local, global, and universal security groups, the membership within these groups, and the membership within distribution groups from the specified locations in Active Directory Domain Services. Distribution groups are not discovered as group resources.

Discovery method: Heartbeat Discovery

Enabled by default: Yes

Accounts that run discovery: Computer account of the client

More information:

  • Used by active Configuration Manager clients to update their discovery records in the database.

  • Heartbeat Discovery can force discovery of a computer as a new resource record, or can repopulate the database record of a computer that was deleted from the database.

Discovery method: Network Discovery

Enabled by default: No

Accounts that run discovery: Computer account of the site server

More information:

  • Searches your network infrastructure for network devices that have an IP address.

  • Can discover devices that might not be found by other discovery methods. This includes printers, routers, and bridges.

All configurable discovery methods support a schedule for when discovery runs. With the exception of Heartbeat Discovery, you can configure each method to search specific locations for resources to add to the Configuration Manager database. After discovery runs, you can change the locations that a discovery method searches; the new locations are searched during the next discovery run. However, the next run is not limited to the new locations: it always attempts to discover information from all currently configured locations.

Heartbeat Discovery is the only discovery method that is enabled by default. To help maintain the database record of Configuration Manager clients, do not disable Heartbeat Discovery.

In addition to these discovery methods, Configuration Manager also uses a process named Server Discovery (SMS_WINNT_SERVER_DISCOVERY_AGENT). This discovery method creates resource records for computers that are site systems, such as a computer that is configured as a management point. This method of discovery runs daily and is not configurable.

Decide Which Discovery Methods to Use

To discover potential Configuration Manager client computers or user resources, you must enable the appropriate discovery methods. You can use different combinations of discovery methods to locate different resources and to discover additional information about those resources. The discovery methods that you use determine the type of resources that are discovered and which Configuration Manager services and agents are used in the discovery process. They also determine the type of information about resources that you can discover.

Discover Computers 
When you want to discover computers, you can use Active Directory System Discovery or Network Discovery.

For example, if you want to discover resources that can receive the Configuration Manager client before you use client push installation, you might run Active Directory System Discovery. Alternatively, you could run Network Discovery and use its options to discover the operating system of resources (which client push installation requires). However, Active Directory System Discovery not only discovers the resource, but also collects basic information about it and can collect extended attributes from Active Directory Domain Services. This information can be useful for building complex queries and collections for the assignment of client settings or content deployment. Network Discovery, on the other hand, provides information about your network topology that you cannot acquire with other discovery methods, but it does not provide any information about your Active Directory environment.

It is also possible to use only Heartbeat Discovery to force the discovery of clients that you installed by methods other than client push installation. However, unlike other discovery methods, Heartbeat Discovery cannot discover computers that do not have an active Configuration Manager client, and returns a limited set of information. It is intended to maintain an existing database record and not to be the basis of that record. Information submitted by Heartbeat Discovery might not be sufficient to build complex queries or collections.

If you use Active Directory Group Discovery to discover the membership of a specified group, you can discover limited system or computer information. This does not replace a full discovery of computers but can provide basic information. This basic information is insufficient for client push installation.

Discover Users 
When you want to discover information about users, you can use Active Directory User Discovery. Similar to Active Directory System Discovery, this method discovers users from Active Directory and includes basic information in addition to extended Active Directory information. You can use this information to build complex queries and collections similar to those for computers.

Discover Group Information 
When you want to discover information about groups and group memberships, use Active Directory Group Discovery. This discovery method creates resource records for security groups.

You can use this method to search a specific Active Directory group to identify the members of that group in addition to any nested groups within that group. You can also use this method to search an Active Directory location for groups, and recursively search each child container of that location in Active Directory Domain Services.

This discovery method can also search the membership of distribution groups. This can identify the group relationships of both users and computers.

When you discover a group, you can also discover limited information about its members. This does not replace Active Directory System or User Discovery and is usually insufficient to build complex queries and collections or to serve as the basis of a client push installation.

Discover Infrastructure 
There are two methods that you can use to discover network infrastructure, Active Directory Forest Discovery and Network Discovery.

You can use Active Directory Forest Discovery to search an Active Directory forest for information about subnets and Active Directory site configurations. These configurations can then be automatically entered into Configuration Manager as boundary locations.

When you want to discover your network topology, use Network Discovery. While other discovery methods return information related to Active Directory Domain Services and can identify the current network location of a client, they do not provide infrastructure information based on the subnets and router topology of your network.

About Active Directory System, User, and Group Discovery Methods

This section contains information about the following discovery methods:

  • Active Directory System Discovery

  • Active Directory User Discovery

  • Active Directory Group Discovery

Note

The information in this section does not apply to Active Directory Forest Discovery.

These three discovery methods are similar in configuration and operation, and can discover computers, users, and information about group memberships of resources that are stored in Active Directory Domain Services. The discovery process is managed by a discovery agent that runs on the site server at each site where discovery is configured to run. You can configure each of these discovery methods to search one or more Active Directory locations as location instances in the local forest or remote forests.

When discovery searches an untrusted forest for resources, the discovery agent must be able to resolve the following to be successful:

  • To discover a computer resource with Active Directory System Discovery, the discovery agent must be able to resolve the FQDN of the resource. If it cannot resolve the FQDN, it then attempts to resolve the resource by its NetBIOS name.

  • To discover a user or group resource with Active Directory User Discovery or Active Directory Group Discovery, the discovery agent must be able to resolve the FQDN of the domain controller that you specify for the Active Directory location.

For each location instance that you specify, you can configure individual search options, such as enabling a recursive search of the location's Active Directory child containers. You can also configure a unique account to use when discovery searches that location instance. This provides flexibility in configuring a discovery method at one site to search multiple Active Directory locations across multiple forests, without having to configure a single account that has permissions to all locations.

When each of these three discovery methods run at a specific site, the Configuration Manager site server at that site contacts the nearest domain controller in the specified Active Directory forest to locate Active Directory resources. The domain and forest can be in any supported Active Directory mode, and the account that you assign to each location instance must have Read access permission to the specified Active Directory locations. Discovery searches the specified locations for objects and then attempts to collect information about those objects. A DDR is created when sufficient information about a resource can be identified. The required information varies depending on the discovery method that is being used.

If you configure the same discovery method to run at different Configuration Manager sites to take advantage of querying local Active Directory servers, you can configure each site with a unique set of discovery options. Because discovery data is shared with each site in the hierarchy, avoid overlap between these configurations to efficiently discover each resource one time. For smaller environments, you might consider running each discovery method at only one single site in your hierarchy to reduce administrative overhead and the potential for multiple discovery actions to rediscover the same resources. When you minimize the number of sites that run discovery you can reduce the overall network bandwidth that is being used by discovery, and reduce the overall number of DDRs that are created and must be processed by your site servers.

Many of the discovery method configurations are self-explanatory. Use the following sections for more information about the discovery options that might require additional information before you configure them.

Shared Discovery Options

The following table identifies configuration options that are available on multiple Active Directory Discovery methods.

Key:

√ = Supported

Ø = Unsupported

Discovery option: Delta Discovery

Supported by: Active Directory System Discovery √, Active Directory User Discovery √, Active Directory Group Discovery √

Details:

Delta Discovery is an option available for each Active Directory discovery method except Active Directory Forest Discovery. Configuration Manager can use Delta Discovery to search Active Directory Domain Services (AD DS) for specific attributes that have changed after the last full discovery cycle of the discovery method. You can configure a short interval for Delta Discovery to search for new resources, because discovering only new resources does not affect the performance of the site server as much as a full discovery cycle does.

Delta Discovery can detect the following new resource types:

  • Computer objects

  • User objects

  • Security group objects

  • System group objects

Delta Discovery cannot detect when a resource has been deleted from AD DS. You must run a full discovery cycle to detect this change.

DDRs for objects that Delta Discovery discovers are processed similarly to the DDRs that are created by a full discovery cycle.

You configure Delta Discovery on the Polling Schedule tab in the properties for each discovery method.

Discovery option: Filter stale computer records by domain logon

Supported by: Active Directory System Discovery √, Active Directory User Discovery Ø, Active Directory Group Discovery √

Details:

You can configure discovery to exclude stale computer records based on the last domain logon of the computer. When this option is enabled, Active Directory System Discovery evaluates each computer that it identifies. Active Directory Group Discovery evaluates each computer that is a member of a group that is discovered.

Use of this option requires the following:

  • Computers must be configured to update the lastLogonTimeStamp attribute in AD DS.

  • The Active Directory domain functional level is set to Windows Server 2003 or later.

When configuring the time after the last logon, consider the interval for replication between domain controllers.

You configure filtering on the Options tab in both the Active Directory System Discovery Properties and the Active Directory Group Discovery Properties dialog boxes by selecting the option Only discover computers that have logged on to a domain in a given period of time.

Warning

When you configure both of the stale record filters on the same discovery method, computers that meet the criteria of either filter are excluded from discovery.

Discovery option: Filter stale records by computer password

Supported by: Active Directory System Discovery √, Active Directory User Discovery Ø, Active Directory Group Discovery √

Details:

You can configure discovery to exclude stale computer records based on the last time the computer updated its computer account password. When this option is enabled, Active Directory System Discovery evaluates each computer that it identifies. Active Directory Group Discovery evaluates each computer that is a member of a group that is discovered.

Use of this option requires the following:

  • Computers must be configured to update the pwdLastSet attribute in AD DS.

When configuring this option, consider the interval for updates to this attribute in addition to the replication interval between domain controllers.

You configure filtering on the Options tab in both the Active Directory System Discovery Properties and the Active Directory Group Discovery Properties dialog boxes by selecting the option Only discover computers that have updated their computer account password in a given period of time.

Warning

When you configure both of the stale record filters on the same discovery method, computers that meet the criteria of either filter are excluded from discovery.

Discovery option: Search customized Active Directory attributes

Supported by: Active Directory System Discovery √, Active Directory User Discovery √, Active Directory Group Discovery Ø

Details:

Each discovery method supports a unique list of attributes that can be discovered.

You configure Active Directory customized attributes on the Active Directory Attributes tab in both the Active Directory System Discovery Properties and the Active Directory User Discovery Properties dialog boxes.
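The two stale-record filters above exclude a computer when either filter matches, and both depend on attributes that domain controllers update lazily. The following PowerShell is an added illustration of that logic and is not part of the original article or of the product; it applies the same two tests to a constructed sample of computer objects. The function names, thresholds, computer names and dates are assumptions. In a live domain the same raw attributes come from Get-ADComputer -Filter * -Properties lastLogonTimestamp, pwdLastSet and can be passed to the function unchanged.

```powershell
# Added example (not from the original article): applies the two stale-record filters
# to a constructed sample of computer objects. Thresholds, names and dates are assumptions.

function Test-StaleComputerRecord {
    [CmdletBinding()]
    param(
        # Objects with Name, lastLogonTimestamp and pwdLastSet; the latter two as the raw
        # AD large-integer values (Windows FILETIME, UTC) that Get-ADComputer returns.
        [Parameter(Mandatory)] [object[]] $Computers,
        [int] $LogonDays    = 90,   # "logged on to a domain in a given period of time"
        [int] $PasswordDays = 90,   # "updated their computer account password in a given period of time"
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    foreach ($c in $Computers) {
        $reasons = @()
        # 0 (or no value) means the attribute was never set, e.g. a freshly joined computer whose
        # first logon has not replicated yet; both filters treat that as stale.
        $lastLogon = if ($c.lastLogonTimestamp) { [datetime]::FromFileTimeUtc([int64]$c.lastLogonTimestamp) } else { $null }
        $pwdSet    = if ($c.pwdLastSet)         { [datetime]::FromFileTimeUtc([int64]$c.pwdLastSet) }         else { $null }

        if (-not $lastLogon -or ($Now - $lastLogon).TotalDays -gt $LogonDays) {
            $reasons += "no domain logon in the last $LogonDays days"
        }
        if (-not $pwdSet -or ($Now - $pwdSet).TotalDays -gt $PasswordDays) {
            $reasons += "no password update in the last $PasswordDays days"
        }

        [pscustomobject]@{
            Name       = $c.Name
            LastLogon  = $lastLogon
            PwdLastSet = $pwdSet
            Excluded   = ($reasons.Count -gt 0)   # either filter matching is enough to exclude the record
            Reason     = ($reasons -join '; ')
        }
    }
}

# Constructed sample (not real directory data). Dates are converted to FILETIME so the
# objects look like what Get-ADComputer returns.
function ConvertTo-FileTimeUtc([string] $Date) {
    ([datetime]::SpecifyKind([datetime]$Date, [DateTimeKind]::Utc)).ToFileTimeUtc()
}
$asOf   = [datetime]::SpecifyKind([datetime]'2015-05-14', [DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ Name = 'WS-ACTIVE';  lastLogonTimestamp = ConvertTo-FileTimeUtc '2015-05-10'; pwdLastSet = ConvertTo-FileTimeUtc '2015-04-20' }
    [pscustomobject]@{ Name = 'WS-DORMANT'; lastLogonTimestamp = ConvertTo-FileTimeUtc '2014-11-01'; pwdLastSet = ConvertTo-FileTimeUtc '2014-11-01' }
    [pscustomobject]@{ Name = 'WS-NEWJOIN'; lastLogonTimestamp = 0;                                  pwdLastSet = ConvertTo-FileTimeUtc '2015-05-13' }
)

# WS-ACTIVE is kept; WS-DORMANT fails both filters; WS-NEWJOIN fails the logon filter only,
# but that alone excludes it.
Test-StaleComputerRecord -Computers $sample -LogonDays 90 -PasswordDays 30 -Now $asOf | Format-Table -AutoSize
```

Two caveats shape the thresholds. By default a domain controller refreshes lastLogonTimeStamp only when the stored value is already about 9 to 14 days old, and that refresh then has to replicate, so a logon window shorter than roughly two weeks will drop computers that logged on yesterday. The machine account password is rotated by the client every 30 days by default, so a password window shorter than that has the same effect.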

Active Directory System Discovery

Use Configuration Manager Active Directory System Discovery to search the specified Active Directory Domain Services (AD DS) locations for computer resources that can be used to create collections and queries. You can then install the client to discovered computers by using client push installation. To successfully create a discovery data record (DDR) for a computer, Active Directory System Discovery must be able to identify the computer account and then successfully resolve the computer name to an IP address.

By default, Active Directory System Discovery discovers basic information about the computer including the following:

  • Computer name

  • Operating system and version

  • Active Directory container name

  • IP address

  • Active Directory site

  • Last Logon Timestamp

In addition to the basic information, you can configure the discovery of extended attributes from Active Directory Domain Services.

You can view the default list of object attributes returned by Active Directory System Discovery, and configure additional attributes to be discovered in the Active Directory System Discovery Properties dialog box on the Active Directory Attributes tab.

For more information about how to configure this discovery method, see Configure Active Directory Discovery for Computers, Users, or Groups.

Active Directory System Discovery actions are recorded in the file adsysdis.log in the <InstallationPath>\LOGS folder on the site server.

Active Directory User Discovery

Use Configuration Manager Active Directory User Discovery to search Active Directory Domain Services (AD DS) to identify user accounts and associated attributes.

You can view the default list of object attributes returned by Active Directory User Discovery, and configure additional attributes to be discovered in the Active Directory User Discovery Properties dialog box on the Active Directory Attributes tab.

By default, Active Directory User Discovery discovers basic information about the user account including the following:

  • User name

  • Unique user name (includes domain name)

  • Domain

  • Active Directory container names

In addition to the basic information, you can configure the discovery of extended attributes from Active Directory Domain Services.

For more information about how to configure this discovery method, see Configure Active Directory Discovery for Computers, Users, or Groups.

Active Directory User Discovery actions are recorded in the file adusrdis.log in the <InstallationPath>\LOGS folder on the site server.

Active Directory Group Discovery

Use Configuration Manager Active Directory Group Discovery to search Active Directory Domain Services (AD DS) to identify the group memberships of computers and users.

This discovery method searches a discovery scope that you configure, and then identifies the group memberships of resources in that discovery scope. By default, only security groups are discovered. However, you can discover the membership of distribution groups when you select the checkbox for the option Discover the membership of distribution groups on the Options tab in the Active Directory Group Discovery Properties dialog box.

Use Active Directory Group Discovery to discover the following information:

  • Groups

  • Membership of Groups

  • Limited information about a group's member computers and users, even when those computers and users have not previously been discovered by another discovery method

This discovery method is intended to identify groups and the group relationships of members of groups. This method of discovery does not support the extended Active Directory attributes that can be identified by using Active Directory System Discovery or Active Directory User Discovery. Because this discovery method is not optimized to discover computer and user resources, consider running this discovery method after you have run Active Directory System Discovery and Active Directory User Discovery. This is because this discovery method creates a full DDR for groups, but only a limited DDR for computers and users that are members of groups.

You can configure the following discovery scopes that control how Active Directory Group Discovery searches for information:

  • Location: Use a location if you want to search one or more Active Directory containers. This scope option supports a recursive search of the specified Active Directory containers that also searches each child container under the container you specify. This process continues until no more child containers are found.

  • Groups: Use groups if you want to search one or more specific Active Directory groups. You can configure the Active Directory Domain to use the default domain and forest, or limit the search to an individual domain controller. Additionally, you can specify one or more groups to search. If you do not specify at least one group, all groups found in the specified Active Directory Domain location are searched.

Warning

When you configure a discovery scope, select only the groups that you must discover. This is because Active Directory Group Discovery attempts to discover each member of each group in the discovery scope. Discovery of large groups can require extensive use of bandwidth and Active Directory resources.

Note

You have to run either Active Directory System Discovery or Active Directory User Discovery to create collections that are based on extended Active Directory attributes and to ensure accurate discovery results for computers and users.

For more information about how to configure this discovery method, see Configure Active Directory Discovery for Computers, Users, or Groups.

Active Directory Group Discovery actions are recorded in the file adsgdis.log in the <InstallationPath>\LOGS folder on the site server.

About Active Directory Forest Discovery

Use Configuration Manager Active Directory Forest Discovery to discover IP subnets and Active Directory sites and to add them to Configuration Manager as boundaries.

Unlike other discovery methods, Active Directory Forest Discovery does not discover resources that you can manage. Instead, this method discovers Active Directory network locations and can convert those locations into boundaries for use throughout your hierarchy.

Use Active Directory Forest Discovery to do the following:

  • Discover IP subnets in an Active Directory forest

  • Discover Active Directory sites in an Active Directory forest

  • Add the IP subnets and Active Directory sites that are discovered as boundaries in Configuration Manager

  • Publish to the Active Directory Domain Services of a forest when publishing to that forest is enabled, and the specified Active Directory Forest Account has permissions to that forest

Manage Active Directory Forest Discovery in the Configuration Manager console from the following nodes under Hierarchy Configuration in the Administration workspace:

  • Discovery Methods: Here you can enable Active Directory Forest Discovery to run at the top-level site of your hierarchy. You can also specify a simple schedule to run discovery, and configure it to automatically create boundaries from the IP subnets and Active Directory sites that it discovers. Active Directory Forest Discovery cannot be run at a child primary site or at a secondary site.

    Note

    This discovery method does not support Delta Discovery.

  • Active Directory Forests: Here you configure the additional Active Directory forests that you want to discover, specify the account to use as the Active Directory Forest Account for each forest, and configure publishing to each forest. Additionally, you can monitor the discovery process and add IP subnets and Active Directory sites to Configuration Manager as boundaries and members of boundary groups.

When publishing is enabled for a forest and that forest's schema is extended for Configuration Manager, the following information is published for each site that is enabled to publish to that Active Directory forest:

  • SMS-Site-<site code>

  • SMS-MP-<site code>-<site system server name>

  • SMS-SLP-<site code>-<site system server name>

  • SMS-<site code>-<Active Directory site name or subnet>

Note

Secondary sites always use the secondary site server computer account to publish to Active Directory. If you want secondary sites to publish to Active Directory, ensure the secondary site server computer account has permissions to publish to Active Directory. A secondary site cannot publish data to an untrusted forest.

Tip

To configure publishing to Active Directory forests for each site in your hierarchy, connect your Configuration Manager console to the top-level site of your hierarchy. The Publishing tab in the Properties dialog box of an Active Directory forest displays only the site that the console is connected to and its child sites.

Warning

When you clear the option to publish a site to an Active Directory forest, all previously published information for that site, including available site system roles, is removed from the Active Directory of that forest.

Active Directory Forest Discovery runs on the local Active Directory forest, each trusted forest, and each additional forest that you configure in the Active Directory Forests node of the Configuration Manager console.

Active Directory Forest Discovery actions are recorded in the following logs:

  • All actions, with the exception of actions related to publishing, are recorded in the ADForestDisc.Log file in the <InstallationPath>\Logs folder on the site server.

  • Active Directory Forest Discovery publishing actions are recorded in the hman.log and sitecomp.log in the <InstallationPath>\Logs folder on the site server.
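Clients locate management points through the SMS-* objects listed above, so after enabling publishing it is worth confirming what a site actually published and who is allowed to write into the container. The following PowerShell is an added example and is not part of the original article or of the product. It parses the four published name patterns into role, site code and target, enumerates the live System Management container through ADSI, and lists the identities that hold write rights on it (the ACL check needs the ActiveDirectory module for the AD: drive). The function names and the object names in $sample are constructed; only the SMS-* naming patterns come from the article.

```powershell
# Added example (not from the original article). Parses the published SMS-* object names into
# role / site code / target, and optionally inspects the live System Management container.
# Function names and sample object names are constructed.

function ConvertFrom-SmsPublishedName {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Name)
    process {
        $site = '(?<site>[A-Za-z0-9]{3})'            # site codes are three alphanumeric characters
        $siteCode = $null
        if     ($Name -match "^SMS-Site-$site$")                     { $role = 'Site';        $target = $null }
        elseif ($Name -match "^SMS-(?<role>MP|SLP)-$site-(?<t>.+)$") { $role = $Matches.role; $target = $Matches.t }   # site system server
        elseif ($Name -match "^SMS-$site-(?<t>.+)$")                 { $role = 'Boundary';    $target = $Matches.t }   # AD site name or subnet
        else                                                         { $role = 'Unknown';     $target = $null }
        if ($role -ne 'Unknown') { $siteCode = $Matches.site.ToUpper() }
        [pscustomobject]@{ Name = $Name; Role = $role; SiteCode = $siteCode; Target = $target }
    }
}

function Get-SmsPublishedObject {
    # Live check: every SMS-* object under CN=System Management. Needs domain connectivity and
    # read access to the container; the searcher runs as the current user.
    param([string] $DomainDn = [string](([adsi]'LDAP://RootDSE').defaultNamingContext))
    $searcher = [adsisearcher]'(cn=SMS-*)'
    $searcher.SearchRoot = [adsi]"LDAP://CN=System Management,CN=System,$DomainDn"
    $searcher.PageSize   = 1000
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'objectclass', 'whenchanged'))
    foreach ($r in $searcher.FindAll()) {
        $o = ConvertFrom-SmsPublishedName -Name ([string]$r.Properties['cn'][0])
        $classes = @($r.Properties['objectclass'])        # last value is the most specific class
        $o | Add-Member -NotePropertyName ObjectClass -NotePropertyValue $classes[-1] -PassThru |
             Add-Member -NotePropertyName WhenChanged -NotePropertyValue $r.Properties['whenchanged'][0] -PassThru
    }
}

function Get-SmsPublishingAcl {
    # Who can create or modify objects in the container, and therefore publish site and MP records.
    # Expect only the site servers' computer accounts (and the usual domain admin entries) here.
    param([string] $DomainDn = [string](([adsi]'LDAP://RootDSE').defaultNamingContext))
    Import-Module ActiveDirectory -ErrorAction Stop
    (Get-Acl -Path "AD:\CN=System Management,CN=System,$DomainDn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteProperty|CreateChild' } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

# Offline demonstration on constructed names (one deliberately outside the naming scheme).
$sample = 'SMS-Site-P01', 'SMS-MP-P01-mp01.contoso.local', 'SMS-SLP-P01-slp01.contoso.local',
          'SMS-P01-Default-First-Site-Name', 'SMS-P01-10.10.20.0', 'SMS-S01-10.10.30.0', 'not-an-sms-object'
$sample | ConvertFrom-SmsPublishedName | Format-Table -AutoSize

# Live use, from a domain-joined console:
#   Get-SmsPublishedObject | Sort-Object SiteCode, Role | Format-Table -AutoSize
#   Get-SmsPublishingAcl
```

Comparing the output of Get-SmsPublishedObject across sites is a quick way to catch a secondary site whose computer account lacks publish rights (its SMS-<site code>-* boundary objects are simply absent), and the ACL listing is the check to run before granting a new site server's computer account write access to the container.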

About Delta Discovery

Delta Discovery is not a full discovery method in Configuration Manager, but an option available for the Active Directory System, User, and Group discovery methods. Delta Discovery can identify most changes to a previously discovered resource in Active Directory and use fewer resources than a full discovery cycle.

When you enable Delta Discovery for a discovery method, the discovery method searches Active Directory Domain Services (AD DS) for specific attributes that have changed after the discovery method's last full discovery cycle. These changes are submitted to the Configuration Manager database to update the resource's discovery record.

By default, Delta Discovery runs on a five minute cycle. This is because it uses fewer resources during discovery than a full discovery cycle, and does not affect the performance of the site server as much as a full discovery cycle would. When you use Delta Discovery, consider reducing the frequency of the full discovery cycle for that discovery method.

Delta Discovery can detect changes on Active Directory objects. The following are the most common changes that Delta Discovery detects:

  • New computers or users added to Active Directory

  • Changes to basic computer and user information

  • New computers or users that are added to a group

  • Computers or users that are removed from a group

  • Changes to System group objects

Although Delta Discovery can detect new resources, and changes to group membership, it cannot detect when a resource has been deleted from AD DS.

DDRs for objects that Delta Discovery discovers are processed similarly to the DDRs that are created by a full discovery cycle.

You configure Delta Discovery on the Polling Schedule tab in the properties for each discovery method.

About Heartbeat Discovery

Heartbeat Discovery differs from other Configuration Manager discovery methods. It is enabled by default and runs on each computer client to create a discovery data record (DDR). For mobile device clients, this DDR is created by the management point that is being used by the mobile device client.

Heartbeat Discovery runs either on a schedule configured for all clients in the hierarchy, or, if manually invoked on a specific client, by running the Discovery Data Collection Cycle on the Actions tab of the Configuration Manager program in Control Panel. When Heartbeat Discovery runs, it creates a discovery data record (DDR) that contains the client's current information, including network location, NetBIOS name, and operational status details. It is a small file, about 1 KB, which is copied to a management point and then processed by a primary site. The submission of a Heartbeat Discovery DDR can maintain an active client's record in the database, and can also force discovery of an active client that might have been removed from the database, or that was manually installed and not discovered by another discovery method.

Heartbeat Discovery is the only discovery method that provides details about the client installation status by updating a system resource client attribute that has the value Yes. To send the Heartbeat Discovery record, the client computer must be able to contact a management point.

Note

With Configuration Manager SP1, the Heartbeat discovery data record also includes the version of the client agent.

The default schedule for Heartbeat Discovery is set to every 7 days. If you change the heartbeat discovery interval, ensure that it runs more frequently than the site maintenance task Delete Aged Discovery Data, which deletes inactive client records from the site database. You can configure the Delete Aged Discovery Data task only for primary sites.

Note

Even when Heartbeat Discovery is disabled, DDRs are still created and submitted for active mobile device clients. This ensures that the Delete Aged Discovery Data task does not affect active mobile devices. When the Delete Aged Discovery Data task deletes a database record for a mobile device, it also revokes the device certificate and blocks the mobile device from connecting to management points.

Heartbeat Discovery actions are logged in the following locations:

  • For computer clients, Heartbeat Discovery actions are recorded on the client in the InventoryAgent.log in the %Windir%\CCM\Logs folder.

  • For mobile device clients, Heartbeat Discovery actions are recorded in the DMPRP.log in the %Program Files%\CCM\Logs folder of the management point that the mobile device client uses.

About Network Discovery

Use Configuration Manager Network Discovery to discover the topology of your network and devices on your network.

Network Discovery searches your network for IP-enabled resources by querying servers that run a Microsoft implementation of DHCP, Address Resolution Protocol (ARP) caches in routers, SNMP-enabled devices and Active Directory domains.

To successfully discover a resource, Network Discovery must identify the IP address and the subnet mask of the resource. Because different types of devices can connect to the network, Network Discovery can discover resources that cannot support the Configuration Manager client software. For example, devices that can be discovered but not managed include printers and routers.

Network Discovery can return several attributes as part of the discovery record it creates. This includes the following:

  • NetBIOS name

  • IP addresses

  • Resource domain

  • System roles

  • SNMP community name

  • MAC addresses

To use Network Discovery, you must specify the level of discovery to run. You also configure one or more discovery mechanisms that enable Network Discovery to query for network segments or devices. You can also configure settings that help control discovery actions on the network. Finally, you define one or more schedules for when Network Discovery runs.

Note

Complex networks and low bandwidth connections can cause Network Discovery to run slowly and generate significant network traffic. As a best practice, run Network Discovery only when the other discovery methods cannot find the resources that you have to discover. For example, use Network Discovery if you must discover workgroup computers. Workgroup computers are not discovered by other discovery methods.

When discovery identifies an IP-addressable object and can determine the object’s subnet mask, it creates a discovery data record (DDR) for that object.

Network Discovery activity is recorded in the Netdisc.log in <InstallationPath>\Logs on the site server that runs discovery.

Levels of Network Discovery

When you configure Network Discovery, you specify one of three levels of discovery:

Level of discovery: Topology

Details: This level discovers routers and subnets but does not identify a subnet mask for objects.

Level of discovery: Topology and client

Details: In addition to topology, this level discovers potential clients such as computers, and resources such as printers and routers. This level of discovery attempts to identify the subnet mask of objects it finds.

Level of discovery: Topology, client, and client operating system

Details: In addition to topology and potential clients, this level attempts to discover the computer operating system name and version. This level uses Windows Browser and Windows Networking calls.

With each incremental level, Network Discovery increases its activity and network bandwidth usage. Consider the network traffic that can be generated before you enable all aspects of Network Discovery.

For example, when you first use Network Discovery, you might start with only the topology level to identify your network infrastructure. Then, you could reconfigure Network Discovery to discover objects and their device operating systems. You could also configure settings that limit Network Discovery to a specific range of network segments to discover objects in network locations that you require and avoid unnecessary network traffic and discovery of objects from edge routers or from outside your network.

Network Discovery Options

To enable Network Discovery to search for IP-addressable devices, you must configure one or more options that specify how to query for devices. The options are listed in the following table.

Option: Domains

Details: Specify each domain that you want Network Discovery to query.

Network Discovery can discover any computer that you can view from your site server when you browse the network. Network Discovery retrieves the IP address and then uses an Internet Control Message Protocol echo request to ping each device that it finds. The ping command helps determine which computers are currently active.

Requirements: The site server that runs discovery must have permissions to read the domain controllers in each specified domain.

Note

To discover computers from the local domain, you must enable the Computer Browser service on at least one computer that is located on the same subnet as the site server that runs Network Discovery.

Option: SNMP Devices

Details: Specify each SNMP device that you want Network Discovery to query.

Network Discovery retrieves the ipNetToMediaTable value from any SNMP device that responds to the query. This value returns arrays of IP addresses that are client computers or other resources such as printers, routers, or other IP-addressable devices.

Requirements: To query a device, you must specify the IP address or NetBIOS name of the device.

You must configure Network Discovery to use the community name of the device, or the device rejects the SNMP-based query.

Option: DHCP

Details: Specify each DHCP server that you want Network Discovery to query.

Network Discovery can query both 32-bit and 64-bit DHCP servers for a list of devices that are registered with each server.

Network Discovery retrieves information by using remote procedure calls to the database on the DHCP server.

When Network Discovery enumerates a DHCP server, it does not always discover static IP addresses. Network Discovery does not find IP addresses that are part of an excluded range of IP addresses on the DHCP server, and does not discover IP addresses that are reserved for manual assignment.

Note

Network Discovery supports only DHCP servers that run the Microsoft implementation of DHCP.

Requirements:

Important

To successfully configure a DHCP server in Network Discovery, your environment must support IPv4. You cannot configure Network Discovery to use a DHCP server in a native IPv6 environment.

For Network Discovery to successfully query a DHCP server, the computer account of the server that runs discovery must be a member of the DHCP Users group on the DHCP server.

For example, this level of access exists when one of the following is true:

  • The specified DHCP server is the DHCP server of the server that runs discovery.

  • The computer that runs discovery and the DHCP server are in the same domain.

  • A two-way trust exists between the computer that runs discovery and the DHCP server.

  • The site server is a member of the DHCP Users group.

Note

Network Discovery runs in the context of the computer account of the site server that runs discovery. If the computer account does not have permissions to an untrusted domain, both the Domain and DHCP server configurations can fail to discover resources.

Limiting Network Discovery

When Network Discovery queries an SNMP device on the edge of your network, it can identify information about subnets and SNMP devices that are outside your immediate network. You can limit Network Discovery by configuring the SNMP devices that discovery can communicate with, and by specifying the network segments to query.

Use the following configurations to limit the scope of Network Discovery:

Configuration: Subnets

Details: Configure the subnets that Network Discovery queries when it uses the SNMP and DHCP options. Only the enabled subnets are searched by these two options.

For example, a DHCP request can return devices from locations across your whole network. If you want to discover devices only on a specific subnet, specify and enable that specific subnet on the Subnets tab in the Network Discovery Properties dialog box. When you specify and enable subnets, you limit future DHCP and SNMP discovery operations to those subnets.

Note

Subnet configurations do not limit the objects that the Domains discovery option discovers.

Configuration: SNMP Community names

Details: To enable Network Discovery to successfully query an SNMP device, configure Network Discovery with the community name of the device.

  • If Network Discovery is not configured by using the community name of the SNMP device, the device rejects the query.

Configuration: Maximum hops

Details: When you configure the maximum number of router hops, you limit the number of network segments and routers that Network Discovery can query by using SNMP.

  • The number of hops that you configure limits the number of additional devices and network segments that Network Discovery can query.

For example, a topology-only discovery with 0 (zero) router hops discovers the subnet on which the originating server resides, and includes any routers on that subnet.

The following diagram shows what a topology-only Network Discovery finds when it runs on Server 1 with 0 router hops specified: subnet D and Router 1.

Topology-Only Network Discovery Diagram

The following diagram shows what a topology and client Network Discovery finds when it runs on Server 1 with 0 router hops specified: subnet D and Router 1, and all potential clients on subnet D.

Network Client Discovery Diagram: Router hops

To get a better idea of how additional router hops can increase the amount of network resources that are discovered, consider the following network:

Example of Initial Network Discovery, Hop Count 4

Running a topology-only Network Discovery from Server 1 with one router hop discovers the following:

  • Router 1 and subnet 10.1.10.0 (found with zero hops).

  • Subnets 10.1.20.0 and 10.1.30.0, subnet A, and Router 2 (found on the first hop).

Warning

Each increase to the number of router hops can significantly increase the number of discoverable resources and increase the network bandwidth that Network Discovery uses.
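To make the hop-count behaviour concrete, the following is an added Python model of hop-limited, topology-only discovery; it is example code, not Configuration Manager's own logic. The router and subnet layout is constructed to match the example above, and subnet 10.1.40.0, subnet B and Router 3 are assumed additions so that a second hop has something to find.

```python
from collections import deque

# Constructed topology matching the example above: each router is listed
# with the subnets it connects. Subnet 10.1.40.0, subnet B and Router 3
# are assumed additions, so that a second hop has something to find.
ROUTERS = {
    "Router 1": {"10.1.10.0", "10.1.20.0", "10.1.30.0", "subnet A"},
    "Router 2": {"10.1.20.0", "10.1.40.0"},
    "Router 3": {"10.1.40.0", "subnet B"},   # assumed
}
SERVER_1_SUBNET = "10.1.10.0"   # Server 1 sits on 10.1.10.0 in the example


def discover_topology(routers, start_subnet, max_hops):
    """Model of a topology-only Network Discovery run.

    Hop 0 is the subnet of the originating server plus every router on it.
    Each further hop crosses the routers found so far and adds the subnets
    behind them, plus the routers on those subnets. Returns two dicts that
    map each subnet name and router name to the hop at which it was found.
    """
    subnets = {start_subnet: 0}
    found_routers = {}
    queue = deque([(start_subnet, 0)])
    while queue:
        subnet, hop = queue.popleft()
        for router, attached in routers.items():
            if subnet not in attached or router in found_routers:
                continue
            found_routers[router] = hop
            if hop >= max_hops:          # hop budget exhausted: do not cross
                continue
            for next_subnet in sorted(attached):
                if next_subnet not in subnets:
                    subnets[next_subnet] = hop + 1
                    queue.append((next_subnet, hop + 1))
    return subnets, found_routers


def growth_per_hop(routers, start_subnet, up_to):
    """Total number of discovered subnets and routers for each hop limit 0..up_to,
    to show how quickly each extra hop widens the discovery."""
    return [sum(len(part) for part in discover_topology(routers, start_subnet, h))
            for h in range(up_to + 1)]


if __name__ == "__main__":
    for hops in range(3):
        found_subnets, routers_found = discover_topology(ROUTERS, SERVER_1_SUBNET, hops)
        print(f"max hops {hops}: subnets={sorted(found_subnets)} "
              f"routers={sorted(routers_found)}")
    print("objects per hop limit:", growth_per_hop(ROUTERS, SERVER_1_SUBNET, 2))
```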

Discovery Data Records Created by Network Discovery

When Network Discovery discovers an object, it creates a discovery data record (DDR) for that object. For Network Discovery to discover an object, it must identify the object IP address and then identify its subnet mask. If Network Discovery cannot determine the subnet mask of an object, it does not create a DDR.

Network Discovery uses the following methods to identify the subnet mask of an object:

Method: Router ARP cache

Details: Network Discovery queries the ARP cache of a router to find subnet information.

Limitation: Typically, data in a router ARP cache has a short time-to-live. When Network Discovery queries the ARP cache, the ARP cache might no longer contain information about the requested object.

Method: DHCP

Details: Network Discovery queries each DHCP server that you specify to discover the devices for which the DHCP server has provided a lease.

Limitation: Network Discovery supports only DHCP servers that run the Microsoft implementation of DHCP.

Method: SNMP Device

Details: Network Discovery can directly query an SNMP device.

Limitation: For Network Discovery to query a device, the device must have a local SNMP agent installed. You must also configure Network Discovery to use the community name that is being used by the SNMP agent.

Configuration Manager processes DDRs that are created by Network Discovery just as it processes DDRs that are created by other discovery methods.
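The two scoping rules described above, that the Subnets configuration limits only the SNMP and DHCP options and that no DDR is created without a subnet mask, as an added Python model (example code, not Configuration Manager's own processing). The candidate records are constructed, and treating an empty list of enabled subnets as "no limit" is an assumption made here for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Candidate:
    """One IP-addressable object as a Network Discovery option might return it."""
    source: str            # "Domains", "SNMP" or "DHCP"
    ip: str
    mask: Optional[str]    # None when neither ARP cache, DHCP nor SNMP supplied a mask


# Constructed sample candidates (not real discovery output).
CANDIDATES = [
    Candidate("Domains", "10.2.5.9", "255.255.255.0"),   # browsed from a domain, other site
    Candidate("SNMP", "10.1.20.15", "255.255.255.0"),    # from a router's ipNetToMediaTable
    Candidate("DHCP", "10.9.9.9", "255.255.255.0"),      # lease from a remote scope
    Candidate("SNMP", "10.1.20.77", None),               # ARP entry aged out, mask unknown
]
ENABLED_SUBNETS = ["10.1.20.0/24"]   # what is enabled on the Subnets tab


def make_ddrs(candidates, enabled_subnets):
    """Return (ddrs, skipped).

    ddrs    - DDR-like dicts for each object that would get a discovery data record
    skipped - (candidate, reason) pairs for objects that would not
    An empty enabled_subnets list is treated as "no limit" (assumption).
    """
    limits = [ipaddress.ip_network(s) for s in enabled_subnets]
    ddrs, skipped = [], []
    for c in candidates:
        if c.mask is None:
            # No subnet mask could be determined: no DDR is created.
            skipped.append((c, "subnet mask not determined"))
            continue
        iface = ipaddress.ip_interface(f"{c.ip}/{c.mask}")
        # The Subnets configuration limits only SNMP and DHCP; Domains is exempt.
        if (c.source in ("SNMP", "DHCP") and limits
                and not any(iface.ip in net for net in limits)):
            skipped.append((c, "outside enabled subnets"))
            continue
        ddrs.append({"source": c.source, "ip": c.ip, "subnet": str(iface.network)})
    return ddrs, skipped


if __name__ == "__main__":
    created, dropped = make_ddrs(CANDIDATES, ENABLED_SUBNETS)
    for ddr in created:
        print("DDR:", ddr)
    for cand, reason in dropped:
        print("no DDR for", cand.source, cand.ip, "-", reason)
```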

About Discovery Data Records

Discovery data records (DDRs) are files created by a discovery method that contain information about a resource you can manage in Configuration Manager. DDRs contain information about computers, users, and, in some cases, network infrastructure. They are processed at primary sites or at central administration sites. After the resource information in the DDR is entered into the database, the DDR is deleted and the information replicates as global data to all sites in the hierarchy.

The site at which a DDR is processed depends on the information it contains:

  • DDRs for newly discovered resources that are not in the database are processed at the top-level site of the hierarchy. The top-level site creates a new resource record in the database and assigns it a unique identifier. DDRs transfer by file-based replication until they reach the top-level site.

  • DDRs for previously discovered objects are processed at primary sites. Child primary sites do not transfer DDRs to the central administration site when the DDR contains information about a resource that is already in the database.

  • Secondary sites do not process discovery data records and always transfer them by file-based replication to their parent primary site.

DDR files are identified by the .ddr extension, and have a typical size of about 1 KB.

Decide Where to Run Discovery

When you plan to use discovery in Configuration Manager, you must consider where to run each discovery method.

After Configuration Manager adds discovery data to a database, it is quickly shared between all sites in the hierarchy. Because there is no benefit to discovering the same information at multiple sites in your hierarchy, consider configuring a single instance of each discovery method that you use to run at a single site instead of running multiple instances of a single method at different sites.

However, it can occasionally help to assign the same discovery method to run at multiple sites, each with a separate configuration and schedule. This is because at each site, all configurations for a single discovery method are evaluated every time that discovery method runs. If you do configure multiple instances of a single discovery method to run at different sites, plan the configuration of each carefully to avoid having two or more discovery processes discover the same resources. Discovering the same locations and resources at multiple sites can consume additional network bandwidth and create duplicate DDRs that add no value and must still be processed by your site servers.

The following table identifies at which sites you can configure the different discovery methods.

Discovery method

Supported locations

Active Directory Forest Discovery

  • Central administration site

  • Primary Site

Active Directory Group Discovery

  • Primary site

Active Directory System Discovery

  • Primary site

Active Directory User Discovery

  • Primary site

Heartbeat Discovery (1)

  • Primary site

Network Discovery

  • Primary site

  • Secondary site

(1) Secondary sites cannot configure Heartbeat Discovery but can receive the Heartbeat DDR from a client.

When secondary sites run Network Discovery, or receive Heartbeat Discovery DDRs, they transfer the DDR by file-based replication to their parent primary site. This is because only primary sites and central administration sites can process discovery data records (DDRs). For more information about how DDRs are processed, see About Discovery Data Records in this topic.

Consider the following when you plan where to run discovery:

  • When you use an Active Directory Discovery method for systems, users, or groups:

    • Run discovery at a site that has a fast network connection to your domain controllers.

    • Consider the Active Directory replication topology to ensure discovery can access the latest information.

    • Consider the scope of the discovery configuration and limit discovery to only those Active Directory locations and groups that you have to discover.

  • If you use Network Discovery:

    • Use a limited initial configuration to identify your network topography.

    • After you identify your network topography, configure Network Discovery to run at specific sites that are central to the network areas that you want to more fully discover.

  • Because Heartbeat Discovery does not run at a specific site, you do not have to consider it in general planning for where to run discovery.

  • Because each site server and network environment is different, limit your initial discovery configurations and closely monitor each site server for its ability to process the discovery data that is generated.

Best Practices for Discovery

Use the following best practices information to help you use discovery in System Center 2012 Configuration Manager.

Run Active Directory System Discovery and Active Directory User Discovery before you run Active Directory Group Discovery

When Active Directory Group Discovery identifies a previously undiscovered user or computer as a member of a group, it attempts to discover basic details for the user or computer. Because Active Directory Group Discovery is not optimized for this type of discovery, this process can cause Active Directory Group Discovery to run slowly. Additionally, Active Directory Group Discovery identifies only the basic details about the users and computers it discovers, and does not create a complete user or computer discovery record. When you run Active Directory System Discovery and Active Directory User Discovery, the additional Active Directory attributes for each object type are available, and as a result, Active Directory Group Discovery runs more efficiently.

When you configure Active Directory Group Discovery, only specify groups that you use with Configuration Manager

To help control the use of resources by Active Directory Group Discovery, specify only those groups that you use with Configuration Manager. This is because Active Directory Group Discovery recursively searches each group it discovers for users, computers, and nested groups. The search of each nested group can expand the scope of Active Directory Group Discovery and reduce performance. Additionally, when you configure delta discovery for Active Directory Group Discovery, the discovery method monitors each group for changes. This further reduces performance when the method must search unnecessary groups.

Configure discovery methods with a longer interval between full discovery, and a more frequent period of delta discovery

Because delta discovery uses fewer resources than a full discovery cycle, and can identify new or modified resources in Active Directory, when you use delta discovery you can reduce the frequency of full discovery cycles to once per week or less. Delta discovery for Active Directory System Discovery, Active Directory User Discovery, and Active Directory Group Discovery identifies almost all changes to Active Directory objects and can maintain accurate discovery data for resources.

Run Active Directory Discovery methods at a primary site whose network location is closest to your Active Directory domain controllers

To improve the performance of Active Directory discovery, it is recommended to run discovery at a primary site that has a fast network connection to your domain controllers. If you run the same Active Directory discovery method at multiple sites, it is recommended to configure each discovery method to avoid overlap. Unlike past versions of Configuration Manager, discovery data is shared between sites. Therefore, it is not necessary to discover the same information at multiple sites. For more information, see Decide Where to Run Discovery.

Run Active Directory Forest Discovery at only one site when you plan to automatically create boundaries from the discovery data

If you run Active Directory Forest Discovery at more than one site in a hierarchy, it is recommended to only enable options to automatically create boundaries at a single site. This is because when Active Directory Forest Discovery runs at each site and creates boundaries, Configuration Manager cannot merge those boundaries into a single boundary object. When you configure Active Directory Forest Discovery to automatically create boundaries at multiple sites, the result can be duplicated boundary objects in the Configuration Manager console.