Prepare your Environment for Running sms 2003 - Active Directory Part2 - blog by Kim Oppalfens


Prepare your Environment for Running sms 2003 - Active Directory Part2

Are you tired of seeing your Active Directory System Group Discovery and Active Directory User Discovery in error all of the time?

Is your status filled with messages like:

SMS Active Directory System Group Discovery Agent reported errors for X objects. DDR's were generated for Y objects that had errors while reading non-critical properties. DDR's were not generated for Z objects that had errors while reading critical properties.

Do you see the following messages in adsysgrp.log and adusrdis.log:

Could not get property (memberOf) for system XXXXXXXX or

Could not get property (memberOf) for user XXXXXXXX

Then read on: I'll explain what is happening and, more importantly, what you can do about it.

Explaining the Issue (Logs and status messages)

The status message is telling you that it can't read a critical property of a user or computer object. It also suggests that this might be a security or replication issue, or that the property might not be available, suggestions which you have probably verified already. The log files actually tell you which property couldn't be read: it is the memberOf property, which contains the group memberships for users and computers.

This memberOf property in Active Directory contains all groups you are a member of, with the exception of the first group you are a member of, because that first group (the primary group) is actually stored in the PrimaryGroupId attribute instead. The issue you are seeing occurs because the SMS 2003 discovery methods cannot handle an empty memberOf attribute; to be technically accurate, they can't distinguish between an empty and an unreadable memberOf attribute.

As you might have deduced from the information above, the issue you are seeing occurs because you have users and/or computers in your discovery scope that are a member of only a single group. The fix is easy enough: just add all those users and computers to a dummy group to make sure the memberOf attribute is no longer empty. The rest of this article shows you the necessary steps to identify which users and/or computers have an empty memberOf attribute.

Query Users with Empty Memberof attribute (Requires Active Directory 2003)

Open Active Directory Users & Computers

Open Saved queries

Right-click and select New Query

Type in a name for the query

Click Define Query

In the Find list box select Custom Search

Click the Field button, select User and then Member Of

In the Condition list box select Not Present, click Add and then OK twice.

Query Computers with Empty Memberof attribute (Requires Active Directory 2003)

Open Active Directory Users & Computers

Open Saved queries

Right-click and select New Query

Type in a name for the query

Click Define Query

In the Find list box select Custom Search

Click the Advanced tab and type in the following query:

(&(&(objectCategory=computer)(!memberOf=*)))

Add Users to a group to avoid discovery issue

Create a group called GG_Sms2003dummyusersgroup (or another name that is in line with your naming convention).

Multi select the users you found in the previous query and add them to the GG_Sms2003dummyusersgroup

Multi select the computers you found in the previous query and add them to the GG_Sms2003dummycomputersgroup

Add Computers to a group to avoid discovery issue

Create a group called GG_Sms2003dummycomputersgroup (or another name that is in line with your naming convention).

In the View menu select Users, Groups, and Computers as containers

Make sure you open up the + signs so that you can see the group you created in the tree pane.

Go back to the results of your query, multi-select all the results and drag them into the group in the tree pane.

You should see a box stating that the Add to group operation was successfully completed.
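The same two steps (find every user or computer whose memberOf attribute is not present, then add those objects to the dummy groups) can be scripted so they do not depend on multi-selecting in the console. The script below is an added example, not part of the original post; it uses only ADSI (System.DirectoryServices), assumes the two group names from this article already exist in the domain the machine is joined to, and supports -WhatIf so you can review the list before any membership changes are made.

```powershell
# Added example (not from the original post): find users and computers with an
# empty memberOf attribute and add them to the dummy groups described above.
# Uses only ADSI, so no extra modules are needed. Assumed group names below.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$UserGroupName     = 'GG_Sms2003dummyusersgroup',
    [string]$ComputerGroupName = 'GG_Sms2003dummycomputersgroup'
)

function Get-GroupEntry([string]$Name) {
    # Locate the group by sAMAccountName and return a DirectoryEntry for it.
    $searcher = [adsisearcher]"(&(objectCategory=group)(sAMAccountName=$Name))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Group '$Name' not found; create it first." }
    return $result.GetDirectoryEntry()
}

function Add-EmptyMemberOfObjectsToGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Category, [string]$GroupName)

    # (!memberOf=*) is the "Not Present" condition from the GUI query.
    # Computers are also objectClass=user, so the user filter adds
    # objectCategory=person to keep them out of the user group.
    $filter = if ($Category -eq 'user') {
        '(&(objectCategory=person)(objectClass=user)(!memberOf=*))'
    } else {
        '(&(objectCategory=computer)(!memberOf=*))'
    }
    $group    = Get-GroupEntry $GroupName
    $searcher = [adsisearcher]$filter
    $searcher.PageSize = 1000   # paged search so large domains are fully enumerated
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null

    $added = 0
    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties['distinguishedname'][0]
        if ($PSCmdlet.ShouldProcess($dn, "Add to group $GroupName")) {
            $group.Add("LDAP://$dn")   # IADsGroup.Add takes the member's ADsPath
            $added++
        }
    }
    Write-Host "$Category objects with empty memberOf added to ${GroupName}: $added"
}

Add-EmptyMemberOfObjectsToGroup -Category 'user'     -GroupName $UserGroupName
Add-EmptyMemberOfObjectsToGroup -Category 'computer' -GroupName $ComputerGroupName
```

Run it once with -WhatIf to see which objects would be added, then re-run without it; afterwards the discovery methods should no longer report memberOf errors for those objects.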


Enjoy


--
"Everyone is an expert at something"
Kim Oppalfens - Sms Expert for lack of any other expertise
Windows Server System MVP - SMS
http://www.blogcastrepository.com/blogs/kim_oppalfenss_systems_management_ideas/default.aspx

Posted: Apr 25 2007, 06:02 PM by kimoppalfens | with 4 comment(s)

Comments

Victor Farias said:

I followed your instructions but I'm having problems with the GG_Sms2003dummycomputersgroup.  I can't add the results of the computer group query to this group.  I was able to create the user group query and add the results to the GG_Sms2003dummyusersgroup with no problem.  Am I doing something wrong?

# May 30, 2007 3:41 PM

kimoppalfens said:

Nope, you're not, apparently.

I stopped after testing it for users but you apparently can't add computers to a group after you multi-select them.

I'll update my post to do it through export list and a batch file.

Thanks for the feedback

# May 30, 2007 4:40 PM

nirvana99 said:

Dear All,

Will SCCM allow for multiple AD forests to be effectively managed ? I have a customer with a data center. He has one AD forest on his management VLAN. All of his customers have separate AD forests on separate VLANs. Will SCCM allow for secondary sites only on each of the AD forests thereby allowing for the management AD forest (and its Central Site) to manage the downstream customers and their downstream resources?

Thank you in advance for your help.

Nirvana99

# September 7, 2007 12:16 PM

kimoppalfens said:

Hi Nirvana 99,

The policy for connecting secondary sites to a primary site cross-forest has not changed in ConfigMgr 2007. So, the answer is no, this is not a supported configuration. If the customers install a primary site, then it would be a supported config.

Kim Oppalfens

# September 7, 2007 3:06 PM