Enhanced System Discovery 2007
Enhanced System Discovery 2007 is designed to improve your SMS 2003 or
Configuration Manager 2007 integration with Active Directory.
Features like Computer Age filtering, Delta Discovery, and support for administrator-configured discovery of AD attributes have made ESD a popular tool for enterprises.
Download and evaluate ESD 2007 from www.systemcentertools.com\esd2007.html.
Here is a summary of how ESD 2007 compares to SMS 2003 and Configuration Manager 2007:
| Capability | ESD 2007 | SMS 2003 | SCCM 2007 |
|---|---|---|---|
| Ability to extend discovery with additional AD Attributes | Yes | No | Yes |
| Support for multi-valued AD attributes such as system description, and memberof (group membership) | Yes | No | No |
| Ability to filter on the whenchanged attribute | Yes | No | No |
| Delta Discovery – Only Discover AD Objects that have changed since the last discovery | Yes | No | No |
| Discover only systems that should be assigned to the site. | Yes | No | No |
| Discover Systems and System Information from Active Directory Domains | Yes | Yes | Yes |
| Discover Systems and System Information from NT4 Domains | Yes | No | No |
| Run the discovery agent on a workstation reducing SMS/SCCM Server load | Yes | No | No |
| Resolve Client Subnets via AD Sites | Yes | Yes | Yes |
| Resolve Client Subnets via SMS/SCCM Server Locator Point | No | No | No |

Feature Overview
Extend discovery with multi-valued and single value AD Attributes
ESD 2007 offers the ability to extend your discovery with attributes that exist in Active Directory.
There are several types of AD attributes. While most AD attributes have a single value, some have multiple values.
Examples of attributes with multiple values are memberof (Computer Group memberships) and Description.
Filter on the when changed attribute
ESD 2007 can also filter objects in AD, so that you import into your SMS server only systems that are currently in use on your network.
Delta Discovery is a capability that can significantly speed up your discovery time. Delta Discovery is disabled by default because it can make ESD seem like it is not working. However, once basic ESD functionality is verified as working, Delta Discovery should almost always be enabled. With Delta Discovery enabled, ESD keeps track of the last time it ran. On subsequent executions it will only query AD for systems that have changed since the last time it ran. This means that a domain of 1000 systems may only have 50 that have changed in one day, and those 50 are the only ones that are rediscovered. It is noteworthy that all systems that are active in AD will change at least once every 30 days when they change their password.
Filter on Site Assignment
Identified as “DiscoverLocalOnly”, Filtering on Site assignment is another way to drastically improve your discovery times and also prevent the discovery of systems that you don’t care about in your site.
Discover Systems from AD domains
This basic capability is the foundation of ESD 2007. While also available with SMS 2003 and SCCM 2007, ESD can do this at a much faster rate.
Discover Systems from NT 4.0 domains
If you still have NT 4.0 domains (I’m sorry), then ESD is likely your only option for discovering these systems.
Workstation Based Execution
ESD 2007 doesn’t have to run on your primary site server and can instead run on a workstation. This can reduce the load on your primary site and enable you to run ESD much more frequently making the synchronization between AD and SCCM much tighter.
Resolve Client Subnets via AD Sites
ESD 2007 can use the same method that SMS 2003 and SCCM 2007 use to determine a system's subnet based on its IP address. When the IP address of a system is determined, AD is queried to determine the actual AD site the system is a member of and the AD subnet associated with that IP address. When the AD information is reliable, this is the best way to discover subnets. However, if AD is super-netted and your actual network subnets are not, then this mechanism can produce incorrect subnets.
Resolve Client Subnets via Server Locator Point
If you don’t have Active Directory or AD is super-netted, ESD provides another option for determining the subnet. Using the SLP requires more configuration, but can accurately determine your clients’ subnets if AD is unreliable for that in your organization.
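The super-netting problem described in the two sections above can be checked before choosing a resolution method. The following is an added example, not ESD code: it compares the subnet AD would report (longest-prefix match over AD subnet objects) with the subnet obtained by applying a client's real mask. The function names, the AD subnet list and the client list are constructed for illustration, and the mask calculation is an assumption about how a configured subnet mask yields a subnet.

```python
import ipaddress

def subnet_via_ad(ip, ad_subnets):
    """AD method: most specific AD subnet object containing the address."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in ad_subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    if best is None:
        return None, None          # address not covered by any AD subnet
    return str(best[0].network_address), best[1]

def subnet_via_mask(ip, mask):
    """Mask method: apply the network's real subnet mask to the address."""
    net = ipaddress.ip_network("%s/%s" % (ip, mask), strict=False)
    return str(net.network_address)

def supernetted_clients(clients, ad_subnets):
    """Return (ip, ad_subnet, real_subnet) for clients where AD disagrees."""
    findings = []
    for ip, mask in clients.items():
        ad_subnet, _site = subnet_via_ad(ip, ad_subnets)
        real_subnet = subnet_via_mask(ip, mask)
        if ad_subnet != real_subnet:
            findings.append((ip, ad_subnet, real_subnet))
    return findings

# Constructed sample data.
AD_SUBNETS = {
    "10.20.0.0/16": "HQ",        # super-netted: one AD subnet covers many /24s
    "10.20.5.0/24": "HQ-Lab",
    "10.30.5.0/24": "Branch",
}
CLIENTS = {                      # ip -> mask actually handed out by DHCP
    "10.20.37.14": "255.255.255.0",
    "10.20.5.9": "255.255.255.0",
    "10.30.5.77": "255.255.255.0",
    "192.168.1.5": "255.255.255.0",
}

if __name__ == "__main__":
    for ip, ad_subnet, real_subnet in supernetted_clients(CLIENTS, AD_SUBNETS):
        print("%-12s AD says %-10s network says %s" % (ip, ad_subnet, real_subnet))
```

Any client this reports would be recorded under the wrong subnet, or under none, if AD were used as the resolution method.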
Quick Setup Instructions
Install the Enhanced System Discovery MSI on a workstation or SMS site server (defaults to c:\program files\enhanced system discovery).
· If installed on a Primary Site Server, will automatically configure the registry.
· Execute the Enhanced System Discovery.exe. Configure a scheduled task to run ESD on a schedule.
Configuration is stored at ‘HKLM\Software\System Center Tools\Enhanced System Discovery 2007’.
· A subkey should be created for each domain. A default subkey is automatically created.
Extending Discovery with additional AD Attributes
You can use the adsystemattribs.xml to add additional AD attributes not provided out of the box. Please note that making changes and adding attributes will permanently change your SMS SQL Schema. You should verify that the attributes exist in AD, and test either in a test SMS environment or by initially writing your DDR’s to a temporary directory and reviewing them to ensure the information is being collected properly.
<?xml version="1.0" encoding="utf-8" ?>
<DDRPropertyName>Operating System Name and Version</DDRPropertyName>
Support and Troubleshooting
To troubleshoot please examine the EnhancedSystemDiscovery.log.
For support please e-mail
and include the EnhancedSystemDiscovery.log and an export of your registry settings.
Appendix A – Understanding Delta Discovery
Delta Discovery is an advanced capability in ESD 2007 that relies on proper time synchronization between the system running ESD 2007 and the AD domain controllers.
Lags in directory synchronization may also have an effect on Delta Discovery working properly. This appendix will walk you through how Delta Discovery works.
- Open Active Directory Users and Computers for your domain. Select the view tab and then select Add/Remove Columns.
- Find the modified column in the available columns and add it to the displayed columns. The modified column is equivalent to the whenchanged AD attribute that is discovered with ESD 2007. Click OK.
- Browse to an OU containing computer objects. Pick a system and take note of its modified value. In the case of this screen shot, the value is 9/18/2007 1:56:38PM.
- Change the system's computer description, and then take note of the updated modified value.
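The whenchanged logic behind Delta Discovery and the computer age filter can be tried offline. The following is an added example, not ESD code: it builds the LDAP filter for a run and applies the same cut-off to constructed records. The function names, the sample computers and the 10-minute overlap (`skew`) are assumptions made for illustration; the overlap is there to show why clock drift between the ESD host and the domain controllers matters.

```python
from datetime import datetime, timedelta, timezone

GT = "%Y%m%d%H%M%S.0Z"  # generalized-time form AD accepts in whenChanged filters

def parse_gt(value):
    return datetime.strptime(value, GT).replace(tzinfo=timezone.utc)

def cutoff(now, last_run=None, max_age_days=None, skew=timedelta(minutes=10)):
    """Oldest whenChanged an object may have and still be discovered this run."""
    bounds = []
    if last_run is not None:             # delta discovery
        bounds.append(last_run - skew)   # overlap absorbs clock drift and replication lag
    if max_age_days is not None:         # computer age filter
        bounds.append(now - timedelta(days=max_age_days))
    return max(bounds) if bounds else None  # both must hold, so the later bound wins

def ldap_filter(now, **options):
    c = cutoff(now, **options)
    when = "(whenChanged>=%s)" % c.strftime(GT) if c else ""
    return "(&(objectCategory=computer)%s)" % when

def discover(records, now, **options):
    """Return {name: days since AD activity} for the objects this run would pick up."""
    c = cutoff(now, **options)
    found = {}
    for name, changed in records.items():
        ts = parse_gt(changed)
        if c is None or ts >= c:
            found[name] = (now - ts).days
    return found

# Constructed sample data; all times are treated as UTC.
NOW = datetime(2007, 9, 18, 14, 0, 0, tzinfo=timezone.utc)
LAST_RUN = datetime(2007, 9, 18, 13, 0, 0, tzinfo=timezone.utc)
SAMPLE = {
    "PC-A": "20070918135638.0Z",  # changed after the last run
    "PC-B": "20070917080000.0Z",  # changed yesterday
    "PC-C": "20070601120000.0Z",  # stale: no change for months
    "PC-D": "20070918125500.0Z",  # changed 5 minutes before the last run
}

if __name__ == "__main__":
    print(ldap_filter(NOW, last_run=LAST_RUN))
    print(discover(SAMPLE, NOW, last_run=LAST_RUN))
    print(discover(SAMPLE, NOW, last_run=LAST_RUN, skew=timedelta(0)))
    print(discover(SAMPLE, NOW, max_age_days=45))
```

With no overlap, PC-D is skipped by the delta run even though its change may not have reached the queried domain controller before the previous run; a stale inventory record is the visible symptom of that.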
Appendix B - Registry configuration Reference
Active Directory Domain
Configuration Options: Yes - No
Yes - you are running ESD against an Active Directory.
No – you are running ESD against a Windows NT 4.0 domain.
Configuration Options: “Domainname\Username”
You can use the credentials that the ESD process is running under or alternate credentials.
Alternate credentials are useful if you are accessing many domains that require different credentials for the AD connection.
Configuration Options: Type in your password
The password sits in this registry value in clear text until the first run of ESD, which encrypts it and then blanks out this registry value.
Configuration Options: Created by ESD
ESD takes your clear text password and encrypts it and stores it in the registry as an encrypted password.
A registry multivalue string for each AD ou or container you want to search. Leave blank to search all of AD. Not applicable to NT 4.0 domains.
Configuration example: 30
Configure to only discover computers whose AD object has changed within a certain number of days.
All Computer Objects change their password periodically; typically 30 days. Typically this is set to 45 days or less.
To disable and discover similar to SMS 2003 out-of-the-box, leave blank.
Configuration example: D:\SMS\Inboxes\auth\ddm.box\
Path to write ddr’s to. When first using ESD, write to a temporary directory for testing.
Can be a mapped drive so ESD can run on a workstation, thereby reducing additional load on the SMS Server.
Configuration example: ESD
All DDR’s created by ESD will have this string of text in front of them followed by a number.
Change this when you have multiple domains, so the DDR’s do not write over each other.
Configuration options: Yes – No (Default is No)
Delta Discovery will only discover systems from AD if they have changed since the last time ESD ran. While ESD has always been faster than the out of the box SMS discovery, using DeltaDiscovery will make this AD discovery process even faster and could enable you to run ESD on an hourly basis or even more frequently.
Configuration options: Yes/No – Default is No.
Set to Yes to discover disabled computer accounts. If not set, disabled computer objects will not be discovered. Pretty sure AD System discovery will discover disabled.
Configuration options: Yes/No – Default is No.
Useful when you only want to discover records that would actually be assigned to the server. Particularly important if using the DiscoveryPingReplyOnly setting.
Forced AD Site Name
Configuration options: Blank or “Default-First-Site-Name”
Generally this should be left blank unless you have only one AD Site in your environment, then set this as your AD Site name.
Configuration example: Days Since AD Activity
ESD takes the whenchanged property of the computer object and calculates the number of days from the current date. It stores this value in SMS with the name configured. This enables simple collections and web reports.
Configuration option: Must be provided to Enable full functionality
ESD will only run for a limited number of days without a licensekey. The licensekey must be set for each domain configuration.
Log File Path
Configuration example: c:\enhancedsystemdiscovery.log
Path for ESD log file, which is VERY informative in true SMS log file fashion.
Configuration options: 1-3
How detailed the log file is. If you want to troubleshoot, set to 3. For basic day to day operations, set to 1. The greater the number, the greater the size of the log file. Log Size may need to be increased as a result.
Configuration example: 2000000
Maximum size in kilobytes of the log file. After reaching the maximum size threshold, the log file will be renamed to .lo_.
Configuration example: ManagedBy
A new ddr property will be created containing the username or usergroup that is configured in AD. AD stores this as an LDAP Adspath (long format), but ESD converts this to a domain\usergroup or domain\username (short format). This conversion enables easy use of this property in web reports and vbscripts.
See www.systemcentertools.com for a vbscript to e-mail users managing systems where patches need to be applied or systems are reboot pending.
Configuration example: 1
Number of instances of ESD that can be running concurrently. This setting should not be changed.
Configuration options: Yes - No. Yes is the default.
Means the device must resolve to an IP address in order to be discovered. Typically left at the default of “Yes”.
Configuration example: SYSTEMCENTERTOOLS
Automatically configured and discovered when ESD is installed on the primary site. Should be reviewed to make sure it is correct. This becomes the DDR value for Resource Domain or Workgroup in SMS.
Configuration example: 2000 (default)
Increment size for querying AD. Can be tweaked to adjust performance. Generally left at default.
Configuration example: 2000 (default)
Time in milliseconds to wait for a device to respond. Can be adjusted based on use of DiscoverLocalOnly. Not applicable if DiscoverPingReplyOnly is set to No, or DiscoverLocalOnly is set to No.
Retrieve Subnet and Site Info From
Configuration example: SystemCenterTools.com
AD DNS domain name to communicate with to get AD site names from. Must be used if Force AD Site Name is not used.
Configuration example: SMSServerName
If using SLP as the subnetresolutionmethod or discoverlocalonly, an SLP name must be configured in order to use the SLP to determine the IP subnet of the clients or the client’s assigned site.
Configuration option: SMS Primary Site Server Name
Name of the SMS Primary Site.
SMS Site Code
Configuration example: SCT
3 Digit Site Code of the Primary Site where the DDR’s are deposited.
Configuration options: AD or SLP
Method to be used for determining the IP subnet of the client. SLP must be used if discovering from an NT 4.0 domain.
Configuration example: 255.255.255.0
Needed to accurately discover a system’s subnet when SLP is configured as the SubnetResolutionMethod. Useful when discovering from an NT 4.0 domain, or when AD’s IP subnets are not representative of the network IP subnets as defined in DHCP.
Configuration example: whenChanged
The name of the DDR Property to use for storing the object's AD whenChanged value in SMS. Generally should not be modified.
Appendix C – FAQ
Question: Playing with the Enhanced System Discovery tool. Awesome stuff in there and learning more about accessing LDAP. I'm having a problem though.
It looks like DDR's are being created but the following errors are showing up in the status page of Discovery Data Manager: The data file "C:\SMS\inboxes\ddm.box\ESD3610.DDR" that was submitted by the client whose SMS unique ID is "GUID:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", was rejected because the file was not signed and an authentication key was required.
It looks like there's a different GUID for each of the many entries and the field for the 'DaysSinceADActivity' in the properties window is blank in all the machines.
Could someone point me in the direction to resolving this?
Answer: Yeah... if you enable some additional security in your site it can break the DDR path in ESD.
Just change it to c:\sms\inboxes\auth\ddm.box and it works around that problem.
Question: I try to launch Enhanced System Discovery but nothing runs and none of the registry configuration is created.
Answer: Check a couple of things. 1.) Disable UAC if you are running on Vista, Windows 7 or Server 2008. 2.) Make sure you are running as an administrator. 3.) Make sure the smsrsgenctl.dll has successfully registered. To register it manually just run regsvr32.exe "c:\program files\enhanced system discovery\smsrsgenctl.dll"