This sounds like this known issue awaiting next EPO patch:
When a new group is created under My Organization, the group displays at the same level but below Lost&Found in the System Tree.
https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&externalId=613852&sliceId=SAL_Public&dialogID=17226540&stateId=1 0 17218988
Sorry, I forgot to say that I am using ePO Server 3.6, not 4.0.
I've read the knowledge base article. But I am not creating new groups, just new systems are added to the Active Directory. For instance, I am installing a new terminal server, terminalserver2, which is a member of my domain and listed in my Active Directory under:
_mydomain --> server --> terminalserver --> myterminalserver1
When ePO Server does the discovery task I can find this new system in the ePO Directory under:
_mydomain --> lost&found --> server --> terminalserver --> myterminalserver2
The ePO Server already has this directory path: _mydomain --> server --> terminalserver
Because my first Active Directory import on the ePO server has created this path correctly. Even systems which existed in the Active Directory before the import are correctly in the ePO directory. So myterminalserver1, for instance, is under _mydomain --> server --> terminalserver. But newly added systems are always displayed under lost&found.
I also have a similar problem with systems that I have moved within my Active Directory. For instance, I moved a system Client1 from _mydomain --> locationA to _mydomain --> locationB. The ePO Server is not recognizing this movement. (I've read ePO4.0 can do this.) So I thought I will just delete Client1 from the ePO directory and the next Active Directory discovery task will reinsert Client1 into the right path.
But the ePO server did the following after discovery: _mydomain --> lost&found --> locationB --> Client1
So I am having the same problem as with newly added systems.
Do you have IP filtering set on the groups in the directory?
If the new ones don't fit into the upper-level IP filters, then they will go to Lost and Found.
No, I don't have any IP filters set. I just ran the Active Directory import wizard for three containers: client, memberserver, domaincontroller. Then I configured the discovery task. The mapping between Active Directory and the ePO directory should be fine, because I didn't change anything. For domain controller it is: ou=domain controllers,dc=mydomain,dc=com, for instance.
It's by design in 3.6.1 (well, it depends where you mapped the site to :P):
Active Directory (AD) integration information:
The AD integration feature in ePolicy Orchestrator (ePO) 3.6.x has 2 parts: Import (manual) and Discovery (scheduled task).
The Import feature (Import Active Directory Computers option) places the computers in the corresponding location in ePO as they were in AD.
The Discovery feature (Active Directory Discovery Task), places new computers in the Lost & Found group of the corresponding mapped site, under a new sub-tree to indicate its location.
The Active Directory Discovery Task adds newly discovered computers, but does not update computer entries that are already in the ePO directory. If an existing computer is moved in Active Directory, the corresponding entry in the ePO Directory tree will not be affected.
Why isn't that specified in the product guide? To my mind this should be mentioned in the product guide.
So, if the Discovery Task does not have the ability to import new systems from the Active Directory tree into the corresponding ePO directory tree, what are the best practices or workarounds to maintain an Active Directory with 2.000 systems?
Actually I am in the middle of a project. The ePO Server is already installed and also the Active Directory is running. At the beginning of 2008 we will start a roll out of about 2.000 systems. Therefore I am unhappy that the discovery task cannot put these new systems automatically into the right ePO directory tree.
Any recommendations how I can handle this?
By the way:
- Is ePO4.0 able to import new systems into the right tree?
- And is ePO4.0 also able to update computer entries, when they have been moved within the active directory?
I think I've read this somewhere on the McAfee website.
So with ePO4.0 I wouldn't have those problems, right?
Yes it does seem rather maintenance intensive in 3.6.1 with them wanting you to manually do everything.
TBH I haven't bothered with the ePO4 AD bit yet, as the 3.6.1 I replaced in that case covers hundreds of workgroup and NT domains. The documentation is worth reading and the bit you probably want is here:
Be aware though, if you are considering 4.0, to check all your products are supported and that you can't yet use Rogue System Sensor till they update the software (may be as late as second quarter next year).