7 Replies Latest reply on Nov 28, 2007 2:58 AM by tonyb99

    Active Directory discovery imports


      I created a discovery task to import new systems from my active directory automatically into my epo directory. The first Active Directory Import Task worked fine. Every system has been imported into the right container.

      But now newly added systems are not pushed into the right container but into the lost&found directory.

      Here is a small example to show what I mean:

      one system which has been imported through the active directory import task:
      _mydomain --> server --> terminalserver --> myterminalserver1

      now a newly added system imported by the discovery task: myterminalserver2
      _mydomain --> lost&found --> server --> terminalserver --> myterminalserver2

      So what is wrong here? Any idea?

      Best Regards,
        • 1. RE: Active Directory discovery imports
          This sounds like this known issue awaiting next EPO patch:

          When a new group is created under My Organization, the group displays at the same level but below Lost&Found in the System Tree.

          https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&externalId=613852&sliceId=SAL_Public&dialogID=17226540&stateId=1 0 17218988
          • 2. RE: Active Directory discovery imports

            Sorry, I forgot to say that I am using ePO Server 3.6, not 4.0.

            I've read the knowledge base article. But I am not creating new groups, just new systems are added to the active directory. For instance I am installing a new terminalserver terminalserver2, which is a member of my domain and listed in my active directory under:

            _mydomain --> server --> terminalserver --> myterminalserver1

            When ePO Server does the discovery task I can find this new system in the ePO Directory under:

            _mydomain --> lost&found --> server --> terminalserver --> myterminalserver2

            The ePO Server already has this directory path _mydomain --> server --> terminalserver
            Because my first active directory import on the ePO server has created this path correctly. Even systems which existed in the active directory before the import are correctly in the ePO directory. So myterminalserver1 for instance is under _mydomain --> server --> terminalserver. But newly added systems are always displayed under lost&found.

            I also have a similar problem with systems that I have moved within my active directory. For instance I moved a system Client1 from _mydomain --> locationA to _mydomain --> locationB. The ePO Server is not recognizing this movement. (I've read ePO4.0 can do this). So I thought I will just delete Client1 from the ePO directory and the next active directory discovery task will reinsert Client1 into the right path.

            But the ePO server did the following after discovery: _mydomain --> lost&found --> locationB --> Client1

            So I am having the same problem as with newly added systems.
            • 3. RE: Active Directory discovery imports
              Do you have IP filtering set on the groups in directory?
              If the new ones don't fit into the upper level IP filters then they will go to lost and found.
              • 4. RE: Active Directory discovery imports

                No, I don't have any IP filters set. I just ran the active directory import wizard for three containers, client, memberserver, domaincontroller. Then I configured the discovery task. The mapping between active directory and epo directory should be fine, cause I didn't change anything. For domain controller it is: ou=domain controllers,dc=mydomain,dc=com for instance.
                • 5. RE: Active Directory discovery imports
                  It's by design in 3.6.1 (well it depends where you mapped the site to :P):

                  Active Directory (AD) integration information:
                  The AD integration feature in ePolicy Orchestrator (ePO) 3.6.x has 2 parts: Import (manual) and Discovery (scheduled task).
                  The Import feature (Import Active Directory Computers option) places the computers in the corresponding location in ePO as they were in AD.

                  The Discovery feature (Active Directory Discovery Task) places new computers in the Lost & Found group of the corresponding mapped site, under a new sub-tree to indicate its location.
                  The Active Directory Discovery Task adds newly discovered computers, but does not update computer entries that are already in the ePO directory. If an existing computer is moved in Active Directory, the corresponding entry in the ePO Directory tree will not be affected.
                  • 6. RE: Active Directory discovery imports
                    Oh no,

                    why isn't that specified in the product guide? To my mind this should be mentioned in the product guide.

                    So, if the Discovery Task does not have the ability to import new systems from the active directory tree into the corresponding epo directory tree, what are the best practices or workarounds to maintain an active directory with 2.000 systems?

                    Actually I am in the middle of a project. The ePO Server is already installed and also the active directory is running. At the beginning of 2008 we will start a roll out of about 2.000 systems. Therefore I am unhappy that the discovery task cannot put these new systems automatically into the right epo directory tree.

                    Any recommendations how I can handle this?

                    By the way:
                    - Is ePO4.0 able to import new systems into the right tree?
                    - And is ePO4.0 also able to update computer entries, when they have been moved within the active directory?
                    I think I've read this somewhere on the mcafee website.
                    So with ePO4.0 I wouldn't have those problems, right?

                    Best Regards
                    • 7. RE: Active Directory discovery imports
                      Yes it does seem rather maintenance intensive in 3.6.1 with them wanting you to manually do everything.

                      TBH I haven't bothered with the EPO4 AD bit yet as the 3.6.1 I replaced in that case covers hundreds of workgroup and NT domains. The documentation is worth reading and the bit you probably want is here:

                      https://knowledge.mcafee.com/SupportSite/dynamickc.do?sliceId=SAL_Public&command=show&forward=nonthreadedKC&externalId=613837

                      Be aware though if you are considering 4.0 to check all your products are supported and that you can't yet use Rogue system sensor till they update the software (may be as late as second quarter next year).