Best Practices for SCCM Discovery Methods
I am new to SCCM and have some questions about best practices for discovery methods. My SCCM environment consists of a central primary parent server and 5 regional servers set up as primary child sites around the globe. We have enabled AD System discovery at each regional server. The discovery is restricted to the computers in the AD OU that pertains to that region. So each primary child site sees only the machines within its region. Each regional server then rolls that discovery up to the primary parent site. This process works great for computer accounts. Here is where it gets tricky and I need some help: I am not sure of the best practice for discovering user accounts and security groups. If I restrict those discoveries to only the regional site OUs, then any global security group will only be seen from the region that it was created in. So a security group created in the US would show on the US server, but would not show on the Canada server. I could enable User and Security group discovery and set the OU at the root level of the domain so each regional server pulls all users and security groups from the entire domain, but then each regional site would report all the information to the primary parent site and I assume I would see duplicates. How can I ensure that each regional site sees the global security groups and users within the entire domain without getting duplicate records at the central primary parent site? I am stuck and not quite sure how to proceed. If I have left any information out or not been clear, please let me know. Thanks!
January 21st, 2010 10:21pm

I do all user discovery at the central site. Actually, whenever possible I do all discovery at the central site. It's not always possible though; it depends on your situation. John Marcum | http://www.TrueSec.com/en/Training.htm | http://myitforum.com/cs2/blogs/jmarcum
January 23rd, 2010 5:29am

"I do all user discovery at the central site." ... but then you don't have that discovery information available at child sites, or am I missing something? Example: create a collection that contains clients in OU xyz at the central site. The collection (or to be precise, the query) is replicated down to the downlevel sites. No discovery at child sites => no OU information for those clients => empty collection. So knecoli22 set it up right imho.
January 23rd, 2010 11:58am

"... but then you don't have that discovery information available at child sites" I have actually never thought of that, and I was thinking of secondary sites, not child primary sites. So in the case where all the users are in a single OU and all the computers are in another single OU but there are multiple primary sites, would you discover those users and computers from each primary site? Let's take it a step further: if you have multiple primary sites reporting to a central site and you know you will never create collections at the child sites, would you still discover all resources from all sites? (Assume there's no OU separation of locations.) In the past I have run just system group discovery on child primary sites and all other discovery at the central. But again, I don't normally create collections at child primary sites, so maybe I was doing it wrong. John Marcum | http://www.TrueSec.com/en/Training.htm | http://myitforum.com/cs2/blogs/jmarcum
January 23rd, 2010 5:52pm

Hi, we have a very similar environment in which we have one central site and 5 primary child sites. We do system discovery from each primary site, as the computers are separated into different OUs. The thing is that when we do user discovery, some users belonging to a region are located in another region's OU, so the site that is supposed to service the computer of this particular user doesn't have the user record. We are thinking of two alternatives for this case, and I would like to ask if you can recommend which is better: 1) All user discovery set on the central site: in this case, will the primary site have the user information, in case we want to advertise some software to a user collection? 2) All user discovery set on all primary sites: in this case, every primary site will have the full list of users, and will send the users' information to the central site... will this solution generate some sort of conflict on the central site, as the same user is being received from different primary sites? We will much appreciate your help. Regards
March 21st, 2012 6:40pm

#1: no. Discovery information is only replicated up (not down). #2: it will not generate conflicts, but the central site has to process each discovery record 5 times (as that information is being replicated up). That will put some load on the server. Torsten Meringer | http://www.mssccmfaq.de
March 22nd, 2012 3:48am

Thank you very much Torsten, we will set discovery on the child sites so
March 22nd, 2012 12:09pm

This topic is archived. No further replies will be accepted.
