Enhanced System Discovery 2007

Enhanced System Discovery 2007 is designed to improve your SMS 2003 or
Configuration Manager 2007 integration with Active Directory.
Features such as computer-age filtering, Delta Discovery, and administrator-configured discovery of additional AD attributes have made ESD a popular tool for enterprises.
Download and evaluate ESD 2007 from www.systemcentertools.com\esd2007.html.

Here is a summary of how ESD 2007 compares to SMS 2003 and Configuration Manager 2007:

Capability | ESD 2007 | SMS 2003 | SCCM 2007
Extend discovery with additional AD attributes | Yes | No | Yes
Support for multi-valued AD attributes such as description and memberOf (group membership) | Yes | No | No
Filter on the whenChanged attribute | Yes | No | No
Delta Discovery (only discover AD objects that have changed since the last discovery) | Yes | No | No
Discover only systems that should be assigned to the site | Yes | No | No
Discover systems and system information from Active Directory domains | Yes | Yes | Yes
Discover systems and system information from NT4 domains | Yes | No | No
Run the discovery agent on a workstation, reducing SMS/SCCM server load | Yes | No | No
Resolve client subnets via AD sites | Yes | Yes | Yes
Resolve client subnets via SMS/SCCM Server Locator Point (see SubnetResolutionMethod in Appendix B) | Yes | No | No

Feature Overview

Extend discovery with multi-valued and single-valued AD attributes

ESD 2007 can extend your discovery with any attribute that exists in Active Directory.
Most AD attributes hold a single value, but some hold several. Examples of multi-valued attributes are memberOf (the computer's group memberships) and description.

Filter on the whenChanged attribute

ESD 2007 can also filter objects by their whenChanged timestamp, so you only import into your SMS server the systems that are currently in use on your network; computer accounts that have not changed in the configured number of days are skipped.

Delta Discovery

Delta Discovery is a capability that can significantly speed up your discovery time. It is disabled by default because it can make ESD seem like it is not working (a pass in which nothing has changed produces no DDRs). However, once basic ESD functionality has been verified, Delta Discovery should almost always be enabled. With it enabled, ESD records the time it last ran, and on each subsequent execution queries AD only for systems whose whenChanged timestamp is later than that. A domain of 1000 systems may have only 50 that changed in a day, and those 50 are the only ones rediscovered. Note that every system that is active in AD changes at least once every 30 days, when it rotates its computer account password, so an active system is never more than 30 days away from being rediscovered. Because the comparison is made against AD timestamps, the clock on the system running ESD must agree with the domain controllers (see Appendix A).

Filter on Site Assignment

Identified as "DiscoverLocalOnly" in the registry, filtering on site assignment is another way to drastically improve discovery times and to avoid discovering systems that would never be assigned to your site.

Discover Systems from AD domains

This basic capability is the foundation of ESD 2007. While also available with SMS 2003 and SCCM 2007, ESD can do this at a much faster rate.

Discover Systems from NT 4.0 domains

If you still have NT 4.0 domains (I’m sorry), then ESD is likely your only option for discovering these systems.

Workstation Based Execution

ESD 2007 doesn’t have to run on your primary site server and can instead run on a workstation. This can reduce the load on your primary site and enable you to run ESD much more frequently making the synchronization between AD and SCCM much tighter.

Resolve Client Subnets via AD Sites

ESD 2007 can use the same method that SMS 2003 and SCCM 2007 use to determine a system's subnet from its IP address. Once the system's IP address is known, AD is queried for the AD site the system belongs to and for the AD subnet object that covers that address. When the subnet objects in AD are accurate, this is the best way to discover subnets. However, if AD is supernetted (one subnet object covering several real subnets) while your actual network subnets are not, this mechanism reports a subnet that is wider than the one the client is really on.

Resolve Client Subnets via Server Locator Point

If you don't have Active Directory, or AD is supernetted, ESD provides another option for determining the subnet. Using the SLP requires more configuration, but it can accurately determine your clients' subnets when AD is unreliable for that in your organization.
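The two subnet-resolution behaviours described above, shown as an added example rather than ESD's own code. AD_SUBNETS stands in for the subnet objects under CN=Subnets,CN=Sites in the configuration partition and the client addresses are constructed; the longest-prefix match is the standard site lookup, and resolve_via_mask shows what a SubnetMasks-style setting does instead. audit_supernetting is the check you would run before trusting SubnetResolutionMethod=AD: it lists the clients whose AD-derived subnet disagrees with the real mask.

```python
"""Subnet and site resolution for a discovered IP (added example, not ESD code).
AD_SUBNETS and CLIENT_IPS are constructed stand-ins for directory data."""
import ipaddress

# Constructed: AD subnet object -> the site it is attached to. The /8 is a
# supernet: the directory lumps all of 10.x into one site.
AD_SUBNETS = {
    "10.0.0.0/8": "Default-First-Site-Name",
    "10.1.5.0/24": "Branch-Site",
    "192.168.10.0/23": "HQ",
}


def resolve_via_ad_sites(ip, subnets=AD_SUBNETS):
    """Longest-prefix match of the client IP against AD subnet objects, which is
    how site-aware subnet resolution picks a subnet and site. Returns None when
    no AD subnet covers the address."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, site in subnets.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    if best is None:
        return None
    net, site = best
    return {"subnet": str(net.network_address), "mask": str(net.netmask), "site": site}


def resolve_via_mask(ip, mask):
    """SubnetMasks-style resolution: apply an administrator-supplied mask to the
    IP and report the resulting network. No directory lookup, so it is right
    whenever the mask matches what DHCP actually hands out."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return str(net.network_address)


def audit_supernetting(ips, mask, subnets=AD_SUBNETS):
    """Return the IPs for which the AD-derived subnet disagrees with the
    mask-derived one: these clients would get a supernet (or no subnet at all)
    in their DDRs if SubnetResolutionMethod=AD were kept."""
    suspect = []
    for ip in ips:
        from_ad = resolve_via_ad_sites(ip, subnets)
        if from_ad is None or from_ad["subnet"] != resolve_via_mask(ip, mask):
            suspect.append(ip)
    return suspect


# Constructed client addresses as they would come back from name resolution.
CLIENT_IPS = ["10.0.3.27", "10.1.5.9", "192.168.11.40", "172.16.1.1"]

if __name__ == "__main__":
    for ip in CLIENT_IPS:
        print(ip, "AD:", resolve_via_ad_sites(ip), "mask:", resolve_via_mask(ip, "255.255.255.0"))
    print("supernetted or uncovered:", audit_supernetting(CLIENT_IPS, "255.255.255.0"))
```

10.1.5.9 resolves correctly because a /24 subnet object exists for it, while 10.0.3.27 falls back to the /8 supernet and 172.16.1.1 is not covered at all; those are the cases where the SLP plus SubnetMasks route gives better data.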

Quick Setup Instructions

Install the Enhanced System Discovery MSI on a workstation or SMS site server (the default path is c:\program files\enhanced system discovery).
· If installed on a primary site server, the installer automatically configures the registry.
· Run Enhanced System Discovery.exe once, then configure a scheduled task to run ESD on a schedule.

Configuration lives under 'HKLM\Software\System Center Tools\Enhanced System Discovery 2007'.
· Create a subkey for each domain you want to discover. A default subkey is created automatically.

Extending Discovery with additional AD Attributes

You can use adsystemattribs.xml to add AD attributes that are not collected out of the box. Note that adding attributes permanently changes your SMS SQL schema: each new DDR property becomes a discovery column. Verify that the attributes exist in AD, and test either in a test SMS environment or by initially writing your DDRs to a temporary directory and reviewing them to confirm the information is being collected properly.

Default ADsystemattribs.xml

<?xml version="1.0" encoding="utf-8" ?>
<ADAttributeList>
  <ADAttrib>
    <ADAttribName>cn</ADAttribName>
    <DDRPropertyName>Name</DDRPropertyName>
    <DDRPropertyLength>128</DDRPropertyLength>
  </ADAttrib>
  <ADAttrib>
    <ADAttribName>operatingSystem</ADAttribName>
    <DDRPropertyName>Operating System Name and Version</DDRPropertyName>
    <DDRPropertyLength>128</DDRPropertyLength>
  </ADAttrib>
  <ADAttrib>
    <ADAttribName>whenChanged</ADAttribName>
    <DDRPropertyName>whenChanged</DDRPropertyName>
    <DDRPropertyLength>128</DDRPropertyLength>
  </ADAttrib>
  <ADAttrib>
    <ADAttribName>ADSPath</ADAttribName>
    <DDRPropertyName>ADSPath</DDRPropertyName>
    <DDRPropertyLength>128</DDRPropertyLength>
  </ADAttrib>
  <ADAttrib>
    <ADAttribName>userAccountControl</ADAttribName>
    <DDRPropertyName>userAccountControl</DDRPropertyName>
    <DDRPropertyLength>128</DDRPropertyLength>
  </ADAttrib>
  <ADAttrib>
    <ADAttribName>description</ADAttribName>
    <DDRPropertyName>Description</DDRPropertyName>
    <DDRPropertyLength>256</DDRPropertyLength>
  </ADAttrib>
  <ADAttrib>
    <ADAttribName>memberof</ADAttribName>
    <DDRPropertyName>ESDmemberof</DDRPropertyName>
    <DDRPropertyLength>512</DDRPropertyLength>
  </ADAttrib>
</ADAttributeList>
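Since each entry in adsystemattribs.xml permanently extends the SMS schema, it is worth checking the file before the first real run. The following is an added example, not ESD's code: it loads the page's default list (plus one deliberately misspelled entry added for the demonstration), flags attributes that do not exist in the schema and duplicate DDR property names, and previews the DDR values one computer object would yield, including how a multi-valued attribute such as memberOf is joined and how DDRPropertyLength truncates. SCHEMA_ATTRIBUTES and SAMPLE_COMPUTER are constructed stand-ins for a schema-partition query and an ADSI object read; ADsPath is treated as an ADSI property rather than a schema attribute.

```python
"""Check adsystemattribs.xml and preview its DDR output (added example, not ESD code)."""
import xml.etree.ElementTree as ET

# The page's default file plus a constructed typo ("serialNumbr") to show validation.
ADSYSTEMATTRIBS_XML = """<?xml version="1.0" encoding="utf-8" ?>
<ADAttributeList>
  <ADAttrib><ADAttribName>cn</ADAttribName><DDRPropertyName>Name</DDRPropertyName><DDRPropertyLength>128</DDRPropertyLength></ADAttrib>
  <ADAttrib><ADAttribName>operatingSystem</ADAttribName><DDRPropertyName>Operating System Name and Version</DDRPropertyName><DDRPropertyLength>128</DDRPropertyLength></ADAttrib>
  <ADAttrib><ADAttribName>whenChanged</ADAttribName><DDRPropertyName>whenChanged</DDRPropertyName><DDRPropertyLength>128</DDRPropertyLength></ADAttrib>
  <ADAttrib><ADAttribName>ADSPath</ADAttribName><DDRPropertyName>ADSPath</DDRPropertyName><DDRPropertyLength>128</DDRPropertyLength></ADAttrib>
  <ADAttrib><ADAttribName>userAccountControl</ADAttribName><DDRPropertyName>userAccountControl</DDRPropertyName><DDRPropertyLength>128</DDRPropertyLength></ADAttrib>
  <ADAttrib><ADAttribName>description</ADAttribName><DDRPropertyName>Description</DDRPropertyName><DDRPropertyLength>256</DDRPropertyLength></ADAttrib>
  <ADAttrib><ADAttribName>memberof</ADAttribName><DDRPropertyName>ESDmemberof</DDRPropertyName><DDRPropertyLength>512</DDRPropertyLength></ADAttrib>
  <ADAttrib><ADAttribName>serialNumbr</ADAttribName><DDRPropertyName>Serial Number</DDRPropertyName><DDRPropertyLength>64</DDRPropertyLength></ADAttrib>
</ADAttributeList>
"""

# Constructed: lDAPDisplayName values as a query of the schema partition would return
# them (real use: search CN=Schema,CN=Configuration,... for attributeSchema objects).
SCHEMA_ATTRIBUTES = {"cn", "operatingSystem", "operatingSystemVersion", "whenChanged",
                     "userAccountControl", "description", "memberOf", "managedBy",
                     "dNSHostName", "serialNumber"}
# ADsPath is an ADSI property of the object, not a schema attribute; allow it explicitly.
ADSI_PROPERTIES = {"ADsPath"}


def load_attribute_list(xml_text):
    root = ET.fromstring(xml_text.encode("utf-8"))
    entries = []
    for node in root.findall("ADAttrib"):
        entries.append({
            "ad_attrib": node.findtext("ADAttribName", "").strip(),
            "ddr_name": node.findtext("DDRPropertyName", "").strip(),
            "length": int(node.findtext("DDRPropertyLength", "0")),
        })
    return entries


def validate(entries, schema=SCHEMA_ATTRIBUTES):
    """Problems to fix before the first real run; a misspelled attribute still
    adds a (permanent, always-empty) column to the SMS database."""
    known = {name.casefold() for name in schema | ADSI_PROPERTIES}
    problems, seen = [], set()
    for e in entries:
        if e["ad_attrib"].casefold() not in known:
            problems.append(f"unknown AD attribute '{e['ad_attrib']}'")
        if e["ddr_name"].casefold() in seen:
            problems.append(f"duplicate DDR property '{e['ddr_name']}'")
        seen.add(e["ddr_name"].casefold())
        if e["length"] <= 0:
            problems.append(f"bad DDRPropertyLength for '{e['ddr_name']}'")
    return problems


def render_ddr(computer, entries, multi_sep=";"):
    """DDR property values for one object: multi-valued attributes are joined,
    every value is cut to DDRPropertyLength, attributes the object lacks are omitted."""
    by_name = {k.casefold(): v for k, v in computer.items()}  # LDAP names are case-insensitive
    ddr = {}
    for e in entries:
        value = by_name.get(e["ad_attrib"].casefold())
        if value is None:
            continue
        if isinstance(value, (list, tuple)):
            value = multi_sep.join(str(v) for v in value)
        ddr[e["ddr_name"]] = str(value)[: e["length"]]
    return ddr


# Constructed computer object as ADSI would hand it back.
SAMPLE_COMPUTER = {
    "cn": "WS001",
    "operatingSystem": "Windows XP Professional",
    "whenChanged": "20071012143000.0Z",
    "ADsPath": "LDAP://CN=WS001,CN=Computers,DC=centerlogic,DC=com",
    "userAccountControl": 4096,
    "description": ["Finance laptop"],
    "memberOf": ["CN=Finance Workstations,OU=Groups,DC=centerlogic,DC=com",
                 "CN=Patch Ring 1,OU=Groups,DC=centerlogic,DC=com"],
}

if __name__ == "__main__":
    entries = load_attribute_list(ADSYSTEMATTRIBS_XML)
    for problem in validate(entries):
        print("PROBLEM:", problem)
    for name, value in render_ddr(SAMPLE_COMPUTER, entries).items():
        print(f"{name} = {value}")
```

The separator used to join multi-valued attributes and the exact truncation rule are assumptions for the preview; what matters is that you see the shape of the value before it lands in a 512-character column.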

Support and Troubleshooting

To troubleshoot please examine the EnhancedSystemDiscovery.log.
For support please e-mail
and include the EnhancedSystemDiscovery.log and an export of your registry settings.

Appendix A – Understanding Delta Discovery

Delta Discovery is an advanced capability in ESD 2007 that relies on proper time synchronization between the system running ESD 2007 and the AD domain controllers.
Lags in directory synchronization may also have an effect on Delta Discovery working properly. This appendix will walk you through how Delta Discovery works.
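The following walks through Delta Discovery as an added example; it is not ESD's code and does not claim to reproduce its internals. It builds the LDAP filter such a pass would send (whenChanged in AD generalizedTime, plus the ComputerObjectRequiredActivity window and the DiscoverDisabled exclusion from Appendix B, which use the same attribute comparison and the standard userAccountControl bit-AND matching rule), applies the same predicate to constructed computer objects, and shows the time-synchronization failure mode: an object stamped by a DC whose clock lags the ESD host would be skipped on every pass unless the last-run marker is backed off by a skew margin. SKEW_MARGIN, DeltaState and the sample objects are assumptions for the demonstration.

```python
"""Delta Discovery as a whenChanged filter (added example, not ESD's own code)."""
from datetime import datetime, timedelta, timezone

GT_FMT = "%Y%m%d%H%M%S.0Z"           # AD generalizedTime, e.g. 20071012143000.0Z
SKEW_MARGIN = timedelta(minutes=5)    # assumed tolerance for ESD host vs. DC clock drift
UF_ACCOUNTDISABLE = 0x0002            # userAccountControl flag for a disabled account
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def to_gt(dt):
    return dt.astimezone(timezone.utc).strftime(GT_FMT)


def from_gt(text):
    return datetime.strptime(text, GT_FMT).replace(tzinfo=timezone.utc)


def build_discovery_filter(last_run=None, required_activity_days=None,
                           discover_disabled=False, now=None):
    """Filter for one discovery pass: DeltaDiscovery, ComputerObjectRequiredActivity
    and DiscoverDisabled respectively."""
    now = now or datetime.now(timezone.utc)
    clauses = ["(objectCategory=computer)"]
    if last_run is not None:
        # Back the marker off by SKEW_MARGIN: if the ESD host's clock runs ahead of
        # the DC that stamped whenChanged, objects changed in that gap would
        # otherwise be missed on every pass.
        clauses.append(f"(whenChanged>={to_gt(last_run - SKEW_MARGIN)})")
    if required_activity_days:
        clauses.append(f"(whenChanged>={to_gt(now - timedelta(days=required_activity_days))})")
    if not discover_disabled:
        clauses.append(f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:=2))")
    return "(&" + "".join(clauses) + ")"


def select_changed(objects, last_run=None, required_activity_days=None,
                   discover_disabled=False, now=None):
    """The same predicate applied locally to dicts shaped like AD computer objects;
    returns the cn values a pass would write DDRs for, in input order."""
    now = now or datetime.now(timezone.utc)
    since = last_run - SKEW_MARGIN if last_run is not None else None
    cutoff = now - timedelta(days=required_activity_days) if required_activity_days else None
    picked = []
    for obj in objects:
        changed = from_gt(obj["whenChanged"])
        if since is not None and changed < since:
            continue
        if cutoff is not None and changed < cutoff:
            continue
        if not discover_disabled and obj["userAccountControl"] & UF_ACCOUNTDISABLE:
            continue
        picked.append(obj["cn"])
    return picked


class DeltaState:
    """Persisted last-run marker. Record the time a pass *started* and commit it
    only after the pass succeeds, so changes made during a long pass, or a pass
    that crashed, are re-queried next time rather than silently skipped."""
    def __init__(self):
        self.last_run = None
        self._started = None

    def begin(self, now):
        self._started = now

    def commit(self):
        self.last_run = self._started


# Constructed sample of what the DC would return; times are UTC generalizedTime.
SAMPLE_OBJECTS = [
    {"cn": "WS001", "whenChanged": "20071012120000.0Z", "userAccountControl": 0x1000},
    # Stamped 2 minutes *before* the last run as seen from the ESD host: a DC whose
    # clock lags. Only the skew margin keeps it from being dropped.
    {"cn": "WS002", "whenChanged": "20071012085800.0Z", "userAccountControl": 0x1000},
    {"cn": "WS003", "whenChanged": "20071001000000.0Z", "userAccountControl": 0x1000},
    {"cn": "WS004", "whenChanged": "20071012150000.0Z", "userAccountControl": 0x1002},  # disabled
    {"cn": "SRV-OLD", "whenChanged": "20070601000000.0Z", "userAccountControl": 0x1000},
]

NOW = datetime(2007, 10, 13, 9, 0, tzinfo=timezone.utc)
LAST_RUN = datetime(2007, 10, 12, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    state = DeltaState()
    state.last_run = LAST_RUN
    state.begin(NOW)
    print(build_discovery_filter(last_run=state.last_run, now=NOW))
    print("delta pass:", select_changed(SAMPLE_OBJECTS, last_run=state.last_run, now=NOW))
    print("full pass, 45-day window:", select_changed(SAMPLE_OBJECTS, required_activity_days=45, now=NOW))
    state.commit()
```

Two practical consequences follow from this shape. First, a clock that is wrong by more than the margin does not produce an error, only silent gaps, which is why verifying basic discovery before enabling Delta Discovery is the right order. Second, because replication lag can make a DC return an object whose whenChanged is older than what another DC already holds, pointing ESD at a consistent DC (or running an occasional full pass with DeltaDiscovery=No) closes the remaining gap.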

Appendix B - Registry configuration Reference

Active Directory Domain

Configuration Options: Yes - No
Yes - you are running ESD against an Active Directory.
No – you are running ESD against a Windows NT 4.0 domain.

ADConnectLogonDomain

Configuration Options: “Domainname\Username”

ESD can connect using the credentials the process runs under, or the alternate credentials specified here.
Alternate credentials are useful if you are accessing many domains that require different credentials for the AD connection.

ADConnectClearPassword

Configuration Options: Type in your password

This password is encrypted on the first run of ESD, after which this registry value is blanked out. Until that first run the password sits in clear text in HKLM, readable by anyone with read access to the key, so set it and run ESD immediately rather than leaving it staged.

ADConnectEncryptedPassword

Configuration Options: Created by ESD

ESD takes the clear-text password, encrypts it, and stores the result here. Do not edit this value by hand.

ADSPaths

Configuration example:
cn=computers,dc=centerlogic,dc=com
ou=servers,dc=centerlogic,dc=com

A registry multi-string value (REG_MULTI_SZ) with one entry for each AD OU or container you want to search. Leave blank to search all of AD. Not applicable to NT 4.0 domains.

ComputerObjectRequiredActivity

Configuration example: 30

Configure to only discover computers whose AD object has changed within this number of days.
All computer objects change their password periodically, typically every 30 days, so this is typically set to 45 days or less.
To disable this and discover the same set as SMS 2003 out of the box, leave it blank.

DDRPath

Configuration example: D:\SMS\Inboxes\auth\ddm.box\

Path to write DDRs to. When first using ESD, write to a temporary directory for testing and review the files before pointing this at the site inbox.
Can be a mapped drive so ESD can run on a workstation, thereby avoiding additional load on the SMS server.

DDRPrefix

Configuration example: ESD

All DDRs created by ESD are named with this prefix followed by a number.
Change this for each domain subkey when you have multiple domains, so the DDRs do not overwrite each other.

DeltaDiscovery

Configuration options: Yes – No (Default is No)

Delta Discovery will only discover systems from AD if they have changed since the last time ESD ran. While ESD has always been faster than the out of the box SMS discovery, using DeltaDiscovery will make this AD discovery process even faster and could enable you to run ESD on an hourly basis or even more frequently.

DiscoverDisabled

Configuration options: Yes/No – Default is No.

Set to Yes to discover disabled computer accounts. With No (or no value), disabled computer objects are not discovered. The built-in SMS AD System Discovery, by contrast, appears to discover disabled accounts.

DiscoverLocalOnly

Configuration options: Yes/No – Default is No.

Useful when you only want to discover records that would actually be assigned to this site. Particularly important if using the DiscoverPingReplyOnly setting.

Forced AD Site Name

Configuration options: Blank or “Default-First-Site-Name”

Generally this should be left blank unless you have only one AD Site in your environment, then set this as your AD Site name.

LastChangedDDRPropertyName

Configuration example: Days Since AD Activity

ESD takes the whenchanged property of the computer object and calculates the number of days from the current date. It stores this value in SMS with the name configured. This enables simple collections and web reports.

LicenseKey

Configuration option: Must be provided to Enable full functionality

ESD will only run for a limited number of days without a licensekey. The licensekey must be set for each domain configuration.

Log File Path

Configuration example: c:\enhancedsystemdiscovery.log

Path for ESD log file, which is VERY informative in true SMS log file fashion.

Log Detail

Configuration options: 1-3

How detailed the log file is. If you want to troubleshoot, set to 3. For basic day to day operations, set to 1. The greater the number, the greater the size of the log file. Log Size may need to be increased as a result.

Log Size

Configuration example: 2000000

Maximum size in kilobytes of the log file. After reaching the maximum size threshold, the log file will be renamed to .lo_.

ManagedByDDRPropertyName

Configuration example: ManagedBy

A new DDR property will be created containing the user or group configured as managedBy in AD. AD stores this as an LDAP ADsPath (long format), but ESD converts it to domain\usergroup or domain\username (short format). This conversion makes the property easy to use in web reports and VBScripts.
See www.systemcentertools.com for a VBScript to e-mail the users managing systems where patches need to be applied or a reboot is pending.

MaxInstances

Configuration example: 1

Number of instances of ESD that can be running concurrently. This setting should not be changed.

MustResolve

Configuration options: Yes - No. Yes is the default.

Means the device must resolve to an IP address in order to be discovered. Typically left at the default of “Yes”.

NetBiosDomainName

Configuration example: SYSTEMCENTERTOOLS

Automatically configured and discovered when ESD is installed on the primary site. Should be reviewed to make sure it is correct. This becomes the DDR value for Resource Domain or Workgroup in SMS.

Page Size

Configuration example: 2000 (default)

Number of objects requested per page when querying AD (LDAP paged results). Can be tweaked to adjust performance; generally left at the default.

PingTimeout

Configuration example: 2000 (default)

Time in milliseconds to wait for a device to respond to a ping. Can be adjusted based on the use of DiscoverLocalOnly. Not applicable if DiscoverPingReplyOnly is set to No, or DiscoverLocalOnly is set to No.

Retrieve Subnet and Site Info From

Configuration example: SystemCenterTools.com

AD DNS domain name to contact to obtain AD site names. Must be set if Forced AD Site Name is not used.

SLPName

Configuration example: SMSServerName

If SubnetResolutionMethod is SLP or DiscoverLocalOnly is Yes, an SLP name must be configured so that the SLP can be used to determine the IP subnet of the clients or the client's assigned site.

SMS Server

Configuration option: SMS Primary Site Server Name

Name of the SMS Primary Site.

SMS Site Code

Configuration example: SCT

Three-character site code of the primary site where the DDRs are deposited.

SubnetResolutionMethod

Configuration options: AD or SLP

Method to be used for determining the IP subnet of the client. SLP must be used if discovering from an NT 4.0 domain.

SubnetMasks

Configuration example: 255.255.255.0

Needed to accurately discover a system's subnet when SLP is configured as the SubnetResolutionMethod. Useful when discovering from an NT 4.0 domain, or when AD's IP subnets are not representative of the network IP subnets as defined in DHCP.

whenChangedDDRPropertyName

Configuration example: whenChanged

The name of the DDR property used to store the object's AD whenChanged value in SMS. Generally should not be modified.
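Several of the settings above depend on each other (SLPName when SLP or DiscoverLocalOnly is used, Retrieve Subnet and Site Info From when no site name is forced, SubnetResolutionMethod=SLP for NT 4.0 domains, a distinct DDRPrefix per domain, and a clear-text password that should not be left staged). The following is an added example, not ESD's code: it applies those rules to the per-domain values as a dictionary, so a first-attempt configuration can be compared with its corrected form before ESD is scheduled. The two configurations are constructed, the auth\ddm.box rule restates the FAQ below, and restricting the site-name rule to AD domains is an assumption.

```python
"""Cross-checks for ESD 2007 per-domain registry values (added example, not ESD code)."""


def yes(value):
    return str(value or "").strip().lower() == "yes"


def check_domain(name, cfg):
    """Findings for one domain subkey as (subkey, level, message)."""
    out = []
    err = lambda msg: out.append((name, "ERROR", msg))
    warn = lambda msg: out.append((name, "WARN", msg))
    is_ad = yes(cfg.get("Active Directory Domain", "Yes"))
    method = str(cfg.get("SubnetResolutionMethod") or "AD").upper()

    if not is_ad and method != "SLP":
        err("NT 4.0 domains need SubnetResolutionMethod=SLP")
    if not is_ad and cfg.get("ADSPaths"):
        warn("ADSPaths is not applicable to NT 4.0 domains")
    if (method == "SLP" or yes(cfg.get("DiscoverLocalOnly"))) and not cfg.get("SLPName"):
        err("SLPName is required for SubnetResolutionMethod=SLP or DiscoverLocalOnly=Yes")
    if method == "SLP" and not cfg.get("SubnetMasks"):
        warn("SubnetMasks is empty; SLP-based subnet resolution needs it")
    # Assumption: the site-name rule only applies to AD domains (NT 4.0 has no AD to ask).
    if is_ad and not cfg.get("Forced AD Site Name") and not cfg.get("Retrieve Subnet and Site Info From"):
        err("set Retrieve Subnet and Site Info From unless Forced AD Site Name is used")
    if cfg.get("ADConnectLogonDomain") and not (cfg.get("ADConnectClearPassword") or cfg.get("ADConnectEncryptedPassword")):
        err("ADConnectLogonDomain given without a password")
    if cfg.get("ADConnectClearPassword"):
        warn("ADConnectClearPassword is readable in HKLM until ESD's first run encrypts and blanks it; run ESD now and restrict the key's ACL")
    if not cfg.get("LicenseKey"):
        warn("no LicenseKey: ESD stops after a limited number of days")
    if str(cfg.get("MaxInstances", "1")) != "1":
        warn("MaxInstances should stay at 1")
    if str(cfg.get("Log Detail", "1")) not in ("1", "2", "3"):
        err("Log Detail must be 1, 2 or 3")
    ddr_path = str(cfg.get("DDRPath") or "").replace("/", "\\").lower()
    if "ddm.box" in ddr_path and "auth\\ddm.box" not in ddr_path:
        warn("DDRPath is the plain ddm.box inbox; unsigned DDRs are rejected there when the site requires signing, use auth\\ddm.box")
    return out


def check_all(domains):
    """Per-domain rules plus the one cross-domain rule: DDRPrefix must be unique."""
    out, prefixes = [], {}
    for name, cfg in domains.items():
        out.extend(check_domain(name, cfg))
        prefixes.setdefault(str(cfg.get("DDRPrefix") or "ESD"), []).append(name)
    for prefix, names in prefixes.items():
        if len(names) > 1:
            out.append(("*", "ERROR", f"DDRPrefix '{prefix}' shared by {', '.join(names)}; their DDRs would overwrite each other"))
    return out


def summarize(findings):
    levels = [level for _, level, _ in findings]
    return levels.count("ERROR"), levels.count("WARN")


# Constructed: a first attempt at two domain subkeys, and the corrected version.
WEAK = {
    "centerlogic.com": {"Active Directory Domain": "Yes", "ADConnectLogonDomain": "CENTERLOGIC\\svc-esd",
                        "ADConnectClearPassword": "Hunter2!", "DDRPath": "C:\\SMS\\inboxes\\ddm.box\\",
                        "DDRPrefix": "ESD", "SubnetResolutionMethod": "AD", "SMS Site Code": "SCT"},
    "LEGACYNT": {"Active Directory Domain": "No", "SubnetResolutionMethod": "AD",
                 "DDRPath": "D:\\SMS\\Inboxes\\auth\\ddm.box\\", "DDRPrefix": "ESD",
                 "LicenseKey": "constructed-key", "SMS Site Code": "SCT"},
}
FIXED = {
    "centerlogic.com": {"Active Directory Domain": "Yes", "ADConnectLogonDomain": "CENTERLOGIC\\svc-esd",
                        "ADConnectEncryptedPassword": "<written by ESD on first run>",
                        "Retrieve Subnet and Site Info From": "centerlogic.com",
                        "DDRPath": "D:\\SMS\\Inboxes\\auth\\ddm.box\\", "DDRPrefix": "ESDCL",
                        "SubnetResolutionMethod": "AD", "LicenseKey": "constructed-key", "SMS Site Code": "SCT"},
    "LEGACYNT": {"Active Directory Domain": "No", "SubnetResolutionMethod": "SLP", "SLPName": "SMSSERVER01",
                 "SubnetMasks": "255.255.255.0", "DDRPath": "D:\\SMS\\Inboxes\\auth\\ddm.box\\",
                 "DDRPrefix": "ESDNT", "LicenseKey": "constructed-key", "SMS Site Code": "SCT"},
}

if __name__ == "__main__":
    for subkey, level, msg in check_all(WEAK):
        print(f"[{level}] {subkey}: {msg}")
    print("fixed config findings:", check_all(FIXED))
```

Reading the values back out of HKLM\Software\System Center Tools\Enhanced System Discovery 2007 into the dictionary is left to the reader's registry export; the checks themselves need nothing but the values.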

Appendix C – FAQ

Question: Playing with the Enhanced System Discovery tool. Awesome stuff in there and learning more about accessing LDAP. I'm having a problem though.
It looks like DDRs are being created but the following errors are showing up in the status page of Discovery Data Manager: The data file "C:\SMS\inboxes\ddm.box\ESD3610.DDR" that was submitted by the client whose SMS unique ID is "GUID:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", was rejected because the file was not signed and an authentication key was required.
It looks like there's a different GUID for each of the many entries and the field for the 'DaysSinceADActivity' in the properties window is blank in all the machines.
Could someone point me in the direction to resolving this?

Answer: Yeah... if you enable some additional security in your site it can break the DDR path in ESD.
Just change it to c:\sms\inboxes\auth\ddm.box and it works around that problem.

Question: I try to launch Enhanced System Discovery but nothing runs and none of the registry configuration is created.

Answer: Check a couple of things. 1.) Disable UAC if you are running on Vista, Windows 7 or Server 2008. 2.) Make sure you are running as an administrator. 3.) Make sure the smsrsgenctl.dll has successfully registered. To register it manually just run regsvr32.exe "c:\program files\enhanced system discovery\smsrsgenctl.dll"
