
Module 2

Discovering and Organizing Resources
Module Overview
• Configuring Resource Discovery
• Configuring Boundaries and Boundary Groups
• Configuring User and Device Collections
• Configuring Role-Based Administration
Lesson 1: Configuring Resource Discovery
• What Is Resource Discovery?
• Overview of Discovery Methods
• Active Directory® Discovery Methods
• Demonstration: Configuring Active Directory Discovery
Methods
• What Is Network Discovery?
• What Is Heartbeat Discovery?
• Monitoring Discovery by Using Component Status and
Log Files
What Is Resource Discovery?

Resource discovery is the process of detecting and acquiring information about network resources

[Diagram: Active Directory and Network → .DDR → Site Server → Site Database]

1. Discovery gathers information about network resources (computers, users, security groups, and network infrastructure)
2. Discovery generates a DDR file
3. Discovery Data Manager loads the information from the DDR file into the database
Overview of Discovery Methods

Discovery methods include:


Active Directory Forest Discovery

Active Directory System Discovery

Active Directory User Discovery

Active Directory Group Discovery

Network Discovery

Heartbeat Discovery
Active Directory Discovery Methods
For Active Directory Forest Discovery, the options include:

Enabling Active Directory Forest Discovery and boundary creation

Specifying Active Directory forest options

For all other Active Directory discovery methods, specify:

At least one Active Directory container

Any additional search options

The polling schedule


Demonstration: Configuring Active Directory
Discovery Methods
In this demonstration, you will see how to:
• Configure and run Active Directory Forest Discovery
• Examine the discovered forest resources
• Configure and run Active Directory System Discovery
• Configure and run Active Directory User Discovery
• Examine the discovered system and user resources
What Is Network Discovery?
A discovery method to search the network for resources that meet specific criteria

[Diagram: Site Server running the Discovery Agent; discovered resources: a Windows XP client, two Windows 7 clients, a Windows Vista client, Server 1, and Printer 1]
You have three main options to configure:
Topology

Topology and client

Topology, client, and client operating system


What Is Heartbeat Discovery?
A discovery method that refreshes the Configuration Manager client computer discovery data in the site database

[Diagram: clients send .DDR files to the Site Server, which updates the Site Database]

By default, Heartbeat Discovery runs every seven days

You can configure the schedule, but understand the implications when reducing the Heartbeat Discovery interval
Monitoring Discovery by Using Component Status
and Log Files

Component name Log file

SMS_AD_FOREST_DISCOVERY_MANAGER ADForestDisc.log

SMS_AD_SYSTEM_DISCOVERY_AGENT adsysdis.log

SMS_AD_USER_DISCOVERY_AGENT adusrdis.log

SMS_DISCOVERY_DATA_MANAGER ddm.log

SMS_NETWORK_DISCOVERY netdisc.log

SMS_WINNT_SERVER_DISCOVERY_AGENT ntsvrdis.log
Lesson 2: Configuring Boundaries and
Boundary Groups
• Overview of Client Assignment
• What Is a Boundary?
• What Is a Boundary Group?
• Demonstration: Configuring Boundaries and Boundary
Groups
Overview of Client Assignment

Client assignment is a process that determines the Configuration Manager site that manages a client computer

Assign clients to a Configuration Manager site by:

• Manually specifying the site code to use
• Configuring the client to automatically assign to a site based upon boundaries and boundary groups

[Diagram: Central Administration Site (CAS) with Primary Site (S01) and Primary Site (S02)]
What Is a Boundary?
A network location that contains one or more devices that you want to manage

• IP Subnet
• IP Range
• Active Directory Site
• IPv6 Prefix
What Is a Boundary Group?

An object you create to organize the boundaries that have been defined

You can use boundary groups to perform the following functions:

• Providing automatic site assignment for clients
• Enabling content access to distribution points or state migration points
Demonstration: Configuring a Boundary and a
Boundary Group
In this demonstration, you will see how to:
• Configure a boundary
• Configure a boundary group
Lab A: Configuring Resource Discovery and
Boundaries
• Exercise 1: Configuring Active Directory Discovery Methods
• Exercise 2: Configuring Boundaries and Boundary Groups

Logon information
Virtual machine 10747A-NYC-DC1-A 10747A-NYC-CFG-A
User name Contoso\Administrator
Password Pa$$w0rd

Estimated time: 30 minutes


Lab Scenario
Contoso, Ltd has expanded its operations, and you have
been asked to configure two new network segments to be
managed by the Configuration Manager infrastructure.
One segment is situated in Toronto, Canada. The other
segment is an IP address range that is to be allocated to a
VPN network range. The Active Directory administrator
has already created the appropriate OU and site for the
Toronto location. You need to configure an appropriate
discovery method to discover new users and devices in
this new location. You also need to configure boundaries
to represent the Toronto and VPN network segments and
configure appropriate boundary group settings.
Lab Review
• You notice that there are no members listed in the All User
Groups built-in collection. What should you do?
• Which discovery method will automatically create IP
subnet boundaries when they are discovered?
• You have created a boundary group and have added
several boundaries. However, you notice that clients
within the boundaries are not being installed. What should
you do?
Lesson 3: Configuring User and Device Collections
• Overview of User and Device Collections
• Types of Rules Used to Create and Manage Collections
• Demonstration: Creating Collections
• Applying Maintenance Windows to Collections
• Monitoring Collections
Overview of User and Device Collections

Collections represent groups of resources that consist of computers, users, and security groups

You can use collections to:

• Organize resources into manageable units
• Organize collections of target resources for performing operations such as application deployments or installing software updates
• Target groups of computers for specific configuration settings
• Integrate role-based administration
Types of Rules Used to Create and Manage Collections

Collection rule types include:


Direct Rule

Query Rule

Include Collections

Exclude Collections

• Incremental collection member evaluation every 5 minutes


• Full collection member evaluation every 7 days
• Specify a Limiting collection as a basis for resources
Demonstration: Creating Collections
In this demonstration, you will see how to:
• Create a collection by using a direct rule
• Create a query-based collection
Applying Maintenance Windows to Collections

Use maintenance windows to configure a specific period of time during which required deployments, software update distributions, and task sequences can run

A maintenance window does not prevent the following tasks:
• Policy downloads
• Inventory and software metering data collection and reporting
• Wake On LAN transmission and out of band management
• Deployments, software updates, and task sequences specifically configured to ignore maintenance windows or user-initiated deployments

Other considerations include:
• Deployed software will not run if maximum run time extends past the end of the maintenance window
• If maximum run time is set to “Unknown,” deployed software may run past the end of maintenance window

Best Practices:
• Assign maintenance windows only to collections specifically created for that purpose
• Include a description of the maintenance window in the name of the collection

If PC1 is a member of Collection A, Collection B, and Collection C, and:
• Collection A’s maintenance window is from 5 P.M. to 8 P.M.
• Collection B’s maintenance window is from 4 A.M. to 7 A.M.
• Collection C’s maintenance window is from 7 P.M. to 11 P.M.
Then, PC1’s maintenance windows will be 4 A.M. to 7 A.M., and 5 P.M. to 11 P.M.
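Added example (not part of the course material and not Configuration Manager code): a small model of how the PC1 maintenance windows above combine into a union, and of the maximum run time consideration from this slide. The function names are hypothetical, and treating windows that touch end-to-start as one window is an assumption; the sketch also handles a daily window that crosses midnight.

```python
from datetime import time

DAY = 24 * 60  # minutes in a day

def _m(t):
    return t.hour * 60 + t.minute

def effective_windows(per_collection):
    """Union of the daily maintenance windows of every collection a device is in.
    Returns (start, end) minute offsets; end > DAY means the window crosses midnight."""
    spans = []
    for windows in per_collection.values():
        for start, end in windows:
            s, e = _m(start), _m(end)
            if e <= s:                       # crosses midnight: split at 00:00
                spans += [(s, DAY), (0, e)] if e else [(s, DAY)]
            else:
                spans.append((s, e))
    spans.sort()
    merged = []
    for s, e in spans:
        if merged and s <= merged[-1][1]:    # overlapping or touching (assumption)
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    # Re-join a window that was split at midnight.
    if len(merged) > 1 and merged[0][0] == 0 and merged[-1][1] == DAY:
        head, tail = merged.pop(0), merged.pop()
        merged.append((tail[0], DAY + head[1]))
    return merged

def can_start(merged, now, max_run_minutes):
    """True if a required deployment may start at `now` (a datetime.time).
    max_run_minutes=None models a maximum run time of "Unknown"."""
    for s, e in merged:
        for t in (_m(now), _m(now) + DAY):
            if s <= t < e:
                return max_run_minutes is None or t + max_run_minutes <= e
    return False

# Values from the PC1 example on this slide.
PC1 = {
    "Collection A": [(time(17), time(20))],
    "Collection B": [(time(4), time(7))],
    "Collection C": [(time(19), time(23))],
}
```

For PC1, effective_windows(PC1) yields 4 A.M. to 7 A.M. and 5 P.M. to 11 P.M.; a 60-minute deployment is refused at 10:30 P.M. but allowed when its maximum run time is "Unknown".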
Monitoring Collections
Method: Component Status
Examples: SMS_COLLECTION_EVALUATOR
Description: Provides status information related to collections

Method: Log files
Examples: Colleval.log
Description: Provides detailed status information related to collections

Method: Status Message Queries
Examples:
• All Status Messages for a Specific Collection at a Specific Site
• Collection Member Resources Manually Deleted
• Collections Created, Modified, and Deleted
Description: Provides specific status information based upon a query

Method: Reports
Examples:
• All Collections
• All resources in a specific collection
• All package and program deployments to a specified collection
Description: Provides information related to collection-based tasks
Lab B: Configuring User and Device Collections
• Exercise 1: Creating a Device Collection
• Exercise 2: Creating a User Collection
• Exercise 3: Configuring a Maintenance Window

Logon information
Virtual machine 10747A-NYC-DC1-A 10747A-NYC-CFG-A
User name Contoso\Administrator
Password Pa$$w0rd

Estimated time: 30 minutes


Lab Scenario
To support the new Toronto location, you need to create
several collections. You must create a device collection
containing only Windows® 7 workstations that are placed
in the Toronto Clients OU. You also need to create a user
collection that represents all of the users located in Toronto.
You are also asked to ensure that deployments are installed
to the Toronto location only during the hours of 8 P.M. and
4 A.M. each day.
Lab Review
• You need to create a collection that includes a static list of
members. Which rule type would you use?
• You need to create a collection with workstations that do
not have Microsoft Office installed. How can this be
accomplished?
• You need to ensure that applications cannot be installed
during working hours. What can you do?
Lesson 4: Configuring Role-Based Administration
• Overview of Role-Based Administration
• Default Security Roles
• What Are Security Scopes?
• The Process for Adding an Administrative User to
Configuration Manager
• Reports on Role-Based Administration
• Demonstration: Implementing Role-Based Administration
Overview of Role-Based Administration
Use the role-based administration feature to define
security settings and to delegate administrative tasks to
users or groups

Defining role-based administration:

• Must specify one or more security roles
• Must specify a security scope or collection for the user
• Can specify both scopes and collections
• Can be further customized by mapping security roles to specific security scopes and collections

[Diagram: User → Assign a Role (Application Administrator) → Assign a Scope (Custom scope containing objects to manage) → Assign a Collection (Custom collection containing users or computers to manage) → Administrative user]
Default Security Roles

• Configuration Manager includes 14 built-in security roles


• Each built-in role contains a set of individual permissions to
perform actions on different types of objects
What Are Security Scopes?

Use security scopes to define which securable objects an administrative user can view and manage

Considerations:

• All securable objects are initially assigned to the Default security scope
• All securable objects must be assigned to at least one security scope
• All administrative users must be assigned to at least one security scope
The Process for Adding an Administrative User to
Configuration Manager
Reports on Role-Based Administration

Reports provide information related to the configuration and use of role-based administration

The reports on role-based administration include:


Demonstration: Implementing Role-Based
Administration
In this demonstration, you will see how to:
• View security roles
• Create security scopes
• Assign securable objects to security scopes
• Add an administrative user
Lab C: Configuring Role-Based Administration
• Exercise 1: Configuring a New Scope for Toronto
Administrators
• Exercise 2: Configuring a New Administrative User

Logon information
Virtual machine 10747A-NYC-DC1-A 10747A-NYC-CFG-A
User name Contoso\Administrator
Password Pa$$w0rd

Estimated time: 30 minutes


Lab Scenario
The Toronto location has an administrative team that will
be allowed to deploy specific applications to the Toronto
workstations and users. You need to configure the
appropriate administrative users, determine their security
roles, and configure security scopes to provide the proper
administrative permissions.
Lab Review
• In the Configuration Manager console, which nodes can
you tag with a specific security scope?
• You want to provide an administrative user with the
permissions to create and deploy applications. Which
security role would provide this capability?
• An administrative user should only be able to administer a
specific collection. How can you configure this?
Module Review and Takeaways
• Review Questions
