Discovery Frequently Asked Questions


Q. What’s the difference between Active Directory System Discovery and Active Directory System Group Discovery? (updated December 12, 2003)

A.

Active Directory System Discovery retrieves details about the computer, such as computer name, Active Directory container name, IP address, and Active Directory site. It generates a DDR for each computer it discovers in Active Directory.

Active Directory System Group Discovery works only for systems that are already discovered and assigned to the local primary site and any direct child secondary sites. Active Directory System Group Discovery is not available for secondary sites. If a resource has been discovered and is assigned to the SMS site, Active Directory System Group Discovery extends other discovery methods by retrieving details such as organizational unit, global groups, universal groups, and nested groups. Active Directory System Group Discovery cannot discover a computer that has not already been discovered by another method.

For more information about discovering resources, see Appendix C: "Understanding SMS Clients" in the Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet.

Q. There is Windows User Account Discovery and Windows User Group Discovery but only Active Directory User Discovery. How do I discover groups in Active Directory?

A.

The Active Directory User Discovery method discovers users and the user groups of which they are members.

For more information about discovering resources, see Chapter 4, "Understanding SMS Clients," in the Microsoft Systems Management Server 2003 Concepts, Planning, and Deployment Guide.

Q. Should I use Windows User Account Discovery or Active Directory User Discovery?

A.

Whether you have Windows NT domains or Active Directory domains, you can use either Active Directory User Account Discovery or Windows User Account Discovery. However, Active Directory User Discovery returns more information from Active Directory domains and it continues to work with those domains when you switch them to native mode. You should only use Windows User Account Discovery with Windows NT 4.0 domains, not with Active Directory domains.

For more information about discovering resources, see "Appendix C: Client Deployment Planning" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet.

Q. How much traffic will discovery generate on my network?

A.

Data discovery records (DDRs) are relatively small (1 KB on average). However, the type and frequency of discovery that you configure can result in a large number of DDRs that are generated for specific periods of time. If you enable Windows User Account Discovery or Windows User Group Discovery, you specify when the discovery method polls each domain. Discovery generates a new DDR for all user accounts or group accounts in each domain. If you enable Heartbeat Discovery or Network Discovery, you specify the schedule when you want the discovery to occur. With Network Discovery you also configure how long you want discovery to run. To reduce network traffic, run Network Discovery from different servers, using a different configuration and schedule on each server. With the Active Directory discovery methods, SMS polls the closest Active Directory server to discover computers, users, or system groups in the containers specified. This process can cause significant network traffic, so you should plan to schedule it accordingly.

For more information about network considerations, see "Appendix F: Capacity Planning for SMS Component Servers" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet.

Q. I’m trying to use Active Directory System Discovery (or Active Directory System Group Discovery or Active Directory User Discovery) and I’m not getting any results. What’s wrong?

A.

SMS might not have sufficient access to Active Directory. SMS must have Read access to the containers that you specify for Active Directory System Discovery, Active Directory System Group Discovery, and Active Directory User Discovery. If you are using standard security, SMS uses the SMS Service account. If you are using advanced security, SMS uses the site server computer account. When the SMS Service account or site server computer account is used in domains other than the domain in which the site server is located, the account must have user rights on those domains. The account must at least be a member of the Domain Users group or local Users group on the domains.

For more information about discovery methods, see "Appendix C: Client Deployment Planning" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet.

Q. I have computers that aren’t on the network anymore, but are still being discovered. Why?

A.

Active Directory Systems Discovery uses two pieces of information to determine if a computer is a member of a network.

  1. The computer's account in Active Directory.
  2. Successful IP address name resolution.

If Active Directory Systems Discovery can obtain both pieces of information, the machines are discovered and a DDR is created for each machine. This behavior can be prevented by enabling DNS scavenging on your DNS server. For more information about predefined site maintenance tasks, see "Appendix I: Predefined Site Maintenance Tasks" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Backup, Recovery and Maintenance on Microsoft TechNet.

Q. Why isn’t Active Directory System Discovery discovering my subnet information?

A. In Windows 2000, for Active Directory forests with only one Active Directory site, SMS Active Directory System Discovery fails to get the subnet information from the domain controller. This issue does not apply to Windows Server 2003. You can work around this by creating a second Active Directory site and assigning to it one subnet. This issue is documented in the SMS 2003 Operations Release Notes.

Q. Why doesn’t SMS 2003 retrieve the Active Directory structure in Collections like the free tool named ADSYNC provided by Microsoft for SMS 2.0?

A. A manual process gives administrators control over the collection structure. Because all of the organizational unit information is discovered by the Active Directory discovery methods, simply create collections that map to the OU structure you are interested in.

Q. How can I determine the OU that a computer is a member of using SMS 2003?

A.

You need to configure Active Directory System Group Discovery and have it perform a discovery cycle. To force a discovery cycle, in the Active Directory System Group Discovery Properties dialog box, click the Polling tab and select Run discovery as soon as possible. That will report the OUs and containers the client is a member of. When this data has been added to the SMS site database, you can create queries and collections using that data. Use the System Container Name or System OU Name attributes from the System Resource class.

For more information about how to configure Active Directory System Group Discovery, see the SMS 2003 Help.

Q. Why can’t I configure DHCP options for network discovery? (added December 12, 2003)

A.

DHCP network discovery is disabled by default when the SMS site is running advanced security. This is by design. Advanced security relies on using the LocalSystem Account context to access server resources such as DHCP data. However, DHCP data cannot be accessed by using the LocalSystem Account security context. Therefore, DHCP network discovery is disabled in advanced security mode.

For more information about choosing a discovery method, see "Appendix C: Client Deployment Planning" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet.

Q. Why didn't Network Discovery find my systems? (Added July 30, 2004)

A.

Network Discovery will only create a DDR for a resource if it can positively determine the resource's subnet mask or Active Directory site. The subnet mask can be determined if:

  • The client's IP address is listed in a trusted router's ARP cache, and the router has only a single IP address on that interface.
  • The client has an SNMP agent running, and network discovery is configured to use the community name the client is configured for.
  • The client is a Microsoft DHCP client. This is not an option if you are using advanced security because there is no DHCP support for network discovery in advanced security. If you are using standard security, the SMS site server must have user-level security access on the DHCP servers to retrieve database information from those servers. The SMS Service account must have domain user credentials in the same domain as the DHCP server.


Q. Why can’t Network Discovery determine my operating systems? (Added December 20, 2004)

A. If you are using advanced security, SMS cannot discover the operating systems on computers that restrict anonymous access. For more information, see article 889033 in the Microsoft Knowledge Base.

Q. Why isn’t Active Directory System Discovery finding all the computers in my OU? (Updated May 31, 2004)

A. Active Directory System Discovery will create a DDR for a resource only if it can resolve the name to the IP address by using DNS. If a valid DNS entry does not exist for a computer, SMS does not discover the computer but does create a status message stating there were errors for that computer. You might see these computers referred to as bogus in adsysdis.log.
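
The rule in this answer and in the earlier answer about computers that are no longer on the network is the same one: an Active Directory computer account is discovered only when its name also resolves in DNS. The following is an added example, not SMS code, that applies that rule to a list of accounts so you can see which ones would be skipped and which retired ones would still be discovered. The host names, addresses, last-logon dates, and the 90-day staleness threshold are constructed assumptions.

```python
import socket
from datetime import datetime, timedelta


def resolve(name, resolver=socket.gethostbyname):
    """Return the address for name, or None when DNS has no usable record."""
    try:
        return resolver(name)
    except OSError:  # socket.gaierror and socket.herror are OSError subclasses
        return None


def audit(accounts, now, resolver=socket.gethostbyname,
          stale_after=timedelta(days=90)):
    """Classify computer accounts by the FAQ's rule (account + DNS resolution).

    accounts: iterable of (dns_name, last_logon) taken from the directory.
    stale_after: assumed cut-off for "no longer on the network".
    """
    report = {"discovered": [], "stale_but_discovered": [], "skipped_no_dns": []}
    for name, last_logon in accounts:
        ip = resolve(name, resolver)
        if ip is None:
            # No valid DNS entry: no DDR is created for this computer.
            report["skipped_no_dns"].append(name)
        elif now - last_logon > stale_after:
            # Account and DNS record both linger: a DDR is still created.
            report["stale_but_discovered"].append((name, ip))
        else:
            report["discovered"].append((name, ip))
    return report


# Constructed sample data so the example runs offline.
SAMPLE_NOW = datetime(2004, 5, 31)
SAMPLE_ACCOUNTS = [
    ("ws01.corp.example", datetime(2004, 5, 20)),  # live, registered in DNS
    ("ws02.corp.example", datetime(2003, 9, 1)),   # retired, record not scavenged
    ("ws03.corp.example", datetime(2004, 5, 25)),  # live, no DNS record
]
SAMPLE_DNS = {"ws01.corp.example": "10.0.0.11", "ws02.corp.example": "10.0.0.12"}


def sample_resolver(name):
    """Stand-in for a DNS lookup, backed by SAMPLE_DNS."""
    if name not in SAMPLE_DNS:
        raise socket.gaierror("name not known")
    return SAMPLE_DNS[name]


if __name__ == "__main__":
    for bucket, items in audit(SAMPLE_ACCOUNTS, SAMPLE_NOW, sample_resolver).items():
        print(bucket, items)
```

Entries under stale_but_discovered are candidates for DNS scavenging and account cleanup; entries under skipped_no_dns need a valid DNS record before discovery will create a DDR for them.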


For More Information

Did you find this information useful? Send your suggestions and comments about the FAQ to smsdocs@microsoft.com.
