I do not have any sorting criteria set.
I pull in 4 or 5 OUs from AD and I have it set to "Delete Empty Groups" on the sync properties. One OU is "Domain Controllers". As such, I have to manually create a "Domain Controllers" subgroup in the system tree so they are not dumped in the Top level. Ok, I can handle that. I have an on-demand scan task linked on that subgroup I created.
Well, on every AD sync, that subgroup is deleted and the systems are moved to L&F, tags deleted, etc. If I create sorting criteria for the "Domain Controllers" subgroup, it has no effect. I leave "Domain Controllers" at the bottom of the sorting criteria list. Will moving that up help?
If I set the Sync properties to NOT delete empty groups, the DCs are not even pulled into the System Tree. Sometimes one of them will come in, but usually none. I have 2 domains set up and all this happens to both so I must be misunderstanding something.
I have not changed any default sorting method in Menu->Configuration->Server Settings.
If you are using AD sync, then both the systems and the structure are updated in the System Tree to reflect the systems and structure of the Active Directory.
Configure the synchronization settings on each group that is a mapping point in the System Tree.
At the same location, you can configure whether to:
• Deploy agents to discovered systems.
• Delete systems from the System Tree when they are deleted from Active Directory.
• Allow or disallow duplicate entries of systems that exist elsewhere in the System Tree.
So I think you didn't exclude the AD container from the synchronization. These containers and their systems are ignored during synchronization.
I'll suggest using only System only synchronization, not System and Structure.
You can also use sorting based on IPs and tags (need to create under tag catalog), and enable System Tree sorting so all systems will automatically move into the right group during agent-to-server communication.
We sync about 6 domains and sync the structure and systems and exclude Empty containers, with move systems into their correct location in the system tree so the AD structure always wins.
Could you detail the systems in your System Tree branch sync point please and we could help with your config.
Certified McAfee Product Specialist - ePO
I'm trying to avoid too much integration if I can help it (i.e. sorting based on subnet/ip) just because I feel it can get a bit messy in our environment. I did try just sorting DCs on tag, but the tags were erased and they were moved to L&F so it seems like something else is going first.
Both domains (they are not root domains, if that matters) are set up like this - Container names slightly different but result is the same - DCs moved to L&F. Also, for some reason, I could not just import OU=x,DC=x,DC=DOMAIN,DC=COM.
• Import Systems and Container Structure
• Leave systems in their current System Tree
• Excluding Empty groups (systems had been semi-randomly coming into EPO at all with this unchecked - along with a bunch of the AD structure I don't care about)
• Delete System from System Tree on removal from sync point
Maybe the best idea is to just import a flat list of machines, but I would prefer to go off of AD structure if I can help it. Less maintenance for me long term.