5 Replies Latest reply on May 20, 2015 5:22 PM by rrodrig1

    system Tree best practices


      Hi all, new to ePO and I am in the process of implementing a new server. Just wondering how people set up their system tree. Do you do a straight AD sync?


      I was thinking of doing a folder structure like this rather than using the AD tree!




      Servers - (Additional subfolders) SQL, Exchange, General


      Looking for any advice.




        • 1. Re: system Tree best practices

          I am doing it in the same format, as all servers have a naming convention, so it is good to track in this format.

          With a naming convention it is easy to do sorting with Tags.

          • 2. Re: system Tree best practices

            You have a few options available to you.

            1. Utilize Active Directory or portions of AD that would help populate groups in your system tree.
            2. You can utilize IP sorting as an alternative for placing systems in a group.
            3. Depending on how many systems you plan to manage you could also do a free form design.


            • 3. Re: system Tree best practices

              I have always found a hybrid approach seems to work best using AD to populate systems and getting them into ePO but using Sorting Criteria to handle the heavy lifting when it comes to placing them in the right group in the tree.  This way you can leverage Tags, IPs and custom properties (if used as a tag criteria) right along with using known-good AD groups/containers.  Let's face it, AD is rarely kept pristine or even cleaned up except once every few months at best (usually, YMMV) so it makes little to no sense to continually populate your ePO environment with deleted, duplicated, disabled and deactivated systems.  Find out which CN/OUs are used for system builds and system removal - do not sync those groups - then add the main systems to your ePO as you see fit and need.

              • 4. Re: system Tree best practices
                Richard Carpenter
                Hi all. 

                Your system tree design should be tailored to your organisation's needs.

                Valid points made about poorly maintained AD structures, but on the other hand, if you have a logically well-organised structure and well-maintained retirement processes, why not use it?

                Policies and client tasks are assigned at the system tree group level, so if for example you have all your SQL servers in a given OU it would make sense to apply an SQL policy to that OU?

                You can also leverage the Data Centre Connectors if you use MOVE AV to populate your system tree groups.

                This all comes down to how you want to assign your policies and client tasks. Either use tree location or tags or, in our case, a combination of both.

                I currently sync 7 AD domains into our tree, along with our VMware DMZ synced using the vCenter Data Centre Connector. Some systems are also sorted manually.




                Volunteer Moderator

                Certified McAfee Product Specialist - ePO

                • 5. Re: system Tree best practices

                  Hi joeshmo,


                  What you've proposed should work just fine if you're running a small organization with decent bandwidth.


                  Many organizations will apply policies via the system tree, so if you plan to assign policies at the system tree level (as opposed to Policy Assignment Rules), then your design works really well for the most part.


                  If you're running a very large organization across geographically disparate locations, then you may want to reconsider this design.


                  For more information, take a look at our ePO 5.1 Best Practice Guide for more details (PD25519 - Section 4: What the System Tree Does).


                  Good luck!