myITforum and Windows IT Pro Forums

Keeping SCCM Clean

Author Message
pschwan

  • Total Posts : 43
  • Scores: 2
  • Reward points : 20900
  • Joined: 9/18/2008
  • Status: offline
Keeping SCCM Clean Friday, May 15, 2009 2:31 PM (permalink)
0
[Helpful answer received] / [List Solutions Only]
OK, so I ran a report earlier today and included the Last Software Inventory Collection date in the report.  I noticed that some of the dates were going all the way back to December.  One particular machine I checked was no longer in Active Directory and not online.  Mind you...I have no idea how long it has been since the machine was actually removed from AD or taken offline, but with a last inventory date of 12/18/08 I'm guessing it was within a few days of that date.  Still, it was marked as Active in SCCM
 
A few settings:
 
- Software and Hardware Inventory Client Agents are set to 7 days
- Heartbeat Discovery is enabled and set to 1 week
- Delete Inactive Client Discovery Data is not enabled
- Delete Obsolete Client Discovery Data is enabled and set to 7 days
- Delete Aged Inventory History is enabled and set to 90 days
- Delete Aged Discovery Data is enabled and set to 60 days
 
I know that DDRs are created via the Active Directory System Discovery method via an LDAP query and subsequent DNS lookup, and that once the DDR is created that particular record is agnostic with respect to the continued existence of its corresponding AD object.  What I'm looking for is a means of ensuring reasonable accuracy and integrity of our inventory data by making sure invalid records for machines that are no longer in AD and/or no longer online are regularly purged from the database.
 
So...given the above settings, can anybody help me understand what I need to do to ensure that records like the example I gave don't keep showing up in my reports?
 
Many thanks in advance!
 
-Phil
 
#1
    pschwan

    • Total Posts : 43
    • Scores: 2
    • Reward points : 20900
    • Joined: 9/18/2008
    • Status: offline
    RE: Keeping SCCM Clean Tuesday, May 19, 2009 1:47 PM (permalink)
    0
    Really?  Nobody else understands these process for keeping the SCCM database clean either?
     
    #2
      gerthc

      • Total Posts : 27
      • Scores: 5
      • Reward points : 0
      • Joined: 12/3/2007
      • Status: offline
      RE: Keeping SCCM Clean Tuesday, May 19, 2009 2:36 PM (permalink)
      0
      I've noticed a few things you don't have turned on.  There is a task to clear the install flag after so many days.  I would enable this then if possible turn on the auto-push of the SCCM client.  This is if there has been no heartbeat after so many days (we have ours set to 21 days) it removes the client install flag, then the auto push for the client will attempt to reinstall the client.  This should help fix broken clients.
       
      I also built a collection in SCCM that looks at the AD discovery agent date/time.  Everytime a computer is discovered/rediscovered in AD this agent date updates.  Once you remove the account from AD, this date will not update anymore.  My collection pulls in any computers that have been removed from AD for over 15 days.  I then do a delete special on this collection.  This will remove all of the systems from SCCM.  Right now it's manual and we run it once a week.  It has helped us keep our SCCM database much much cleaner then it use to be.
       
      #3
        cpierer

        • Total Posts : 63
        • Scores: 0
        • Reward points : 11660
        • Joined: 11/25/2008
        • Status: offline
        RE: Keeping SCCM Clean Wednesday, May 20, 2009 1:37 AM (permalink)
        0
        Hi Gert,

        Could you please provide your query? Are you just querying AgentTime?

        Thx
        Chris
         
        #4
          gerthc

          • Total Posts : 27
          • Scores: 5
          • Reward points : 0
          • Joined: 12/3/2007
          • Status: offline
          RE: Keeping SCCM Clean Wednesday, May 20, 2009 8:54 AM (permalink)
          0
          select SMS_R_System.ResourceID,SMS_R_System.ResourceType,SMS_R_System.Name,SMS_R_System.SMSUniqueIdentifier,SMS_R_System.ResourceDomainORWorkgroup,SMS_R_System.Client from SMS_R_System where Name in (select Name from  SMS_R_System where ((DATEDIFF(day, SMS_R_SYSTEM.AgentTime, getdate()) >=15) and AgentName = "SMS_AD_SYSTEM_DISCOVERY_AGENT")) and Name in (select Name from  SMS_R_System where ((DATEDIFF(day, SMS_R_SYSTEM.AgentTime, getdate()) >=45) and AgentName = "Heartbeat Discovery"))
           
          Make sure before you do a delete special that there are no "active clients"  Since it is doing the look up against name, if you have a duplicate name (1 obsolete and 1 active) if you do not delete the obsolete it will list both in there.
           
          #5
            eyona

            • Total Posts : 199
            • Scores: 35
            • Reward points : 1920
            • Joined: 8/17/2003
            • Location: israel
            • Status: offline
            RE: Keeping SCCM Clean Sunday, May 24, 2009 7:17 AM (permalink)
            0
            well basicly you two options:
            1: stop using AD discovery (or start cleaning AD as part of normal operating prodcedures)
            2: customize your reports to ignore those machines either by adding a condition based on days since inventory or by creating a collection
            that has only valid machines and running the reports aginst that collection or dependent collections
             
            #6
              klong566

              • Total Posts : 200
              • Scores: 4
              • Reward points : 22060
              • Joined: 8/24/2009
              • Status: offline
              RE: Keeping SCCM Clean Thursday, June 24, 2010 10:51 AM (permalink)
              0
              Oh wow just stumbled upon this old thread.
               
              This is the sort of path I'm looking for where our asset manager does the removal of workstations from our AD and SCCM.  I tried out that query, it picked up 464 items. Went to to ping the collection and 161 were pingable.
               
              Anyone else use queries like these? And had more luck.
               
              #7
                skissinger

                • Total Posts : 4915
                • Scores: 470
                • Reward points : 133500
                • Joined: 9/13/2001
                • Location: Sherry Kissinger
                • Status: offline
                RE: Keeping SCCM Clean Thursday, June 24, 2010 11:28 AM (permalink)
                0
                This is an ongoing issue for most ConfigMgr engineers, until you design your environment in a way that makes sense to your organization, yet really does clear out the obsolete records.  In some companies, 21 days (to account for 2-week vacations) is enough, in others, 6 months isn't long enough (long contract jobs offsite, and they don't have Native Mode/IBCM yet).

                So that's the first decision you need to make: what's an acceptable stale time?  Once you know that, the next step (IMO) would be to determine if you *really* need AD System Discovery.  We don't.  We don't have it on at all.  Heartbeat is our primary discovery method.  If you don't push the client from the console, the need for AD System Discovery is diminished. (you install the client in your image, or via GPO computer logon script, like we do).

                If you find you *do* need AD system discovery, I'd go check out (and buy, and implement) systemcentertools.com 's Enhanced System Discovery.  It has tons of built-in checks to really reduce/eliminate your ConfigMgr environment discovering stale AD objects.
                mofmaster@myitforum.com
                My Blog
                Microsoft MVP - ConfigMgr
                 
                #8
                  klong566

                  • Total Posts : 200
                  • Scores: 4
                  • Reward points : 22060
                  • Joined: 8/24/2009
                  • Status: offline
                  RE: Keeping SCCM Clean Friday, June 25, 2010 1:29 AM (permalink)
                  0
                  Thanks Sherry for your insight.

                  I try revisit this issue every few months whenever I get a chance. It's amazing how most of yas deal with it with your 10's of 1000's of machines to manage. I sometimes feel overwhelmed and I'm only managing 1300 max heheh.

                  The first decision on acceptable stale time shouldn't be hard to get an answer for with management. The second decision looks tougher to get management on board. We've got our collection hierarchy based on OU's. Maybe I'll restructure them to be based on ip ranges (floor by floor).

                  If we were to drop ad system discovery would it be overkill in deleting all systems so they can get rediscovered again?

                  I think we may have a good window of opportunity to go down the deploy client via gpo path as we have upgraded to SP2 but our clients have not. I can see it as one extra way we could see what's active/inactive via version number. Oops sorry just thinking out loud.

                  One last question out of curiosity do you have some form of a client health structure going on with your collections? Or that ain't necessary since your environment is pretty healthy.
                   
                  #9
                    skissinger

                    • Total Posts : 4915
                    • Scores: 470
                    • Reward points : 133500
                    • Joined: 9/13/2001
                    • Location: Sherry Kissinger
                    • Status: offline
                    RE: Keeping SCCM Clean Friday, June 25, 2010 7:56 AM (permalink)
                    0
                    "collection hierarchy based on OU's. Maybe I'll restructure them to be based on ip ranges (floor by floor)"  No, don't switch to ip ranges.  That's much more difficult.  besides, OU discovery does NOT come from AD System Discovery.  That comes from AD System Group Discovery--keep that on.  The sequence of events (for us, anyway), is a) machine is imaged, does auto-discovery, and heartbeat places the object for the first time in the database.  b) AD System Group Discovery runs to get the OU, c) the Collection updates based on the OU a box is in, and that new box drops into the collection.

                    No, don't delete all systems.  Well, you can.  It technically won't hurt anything...but it's kind of overkill.  You'd be better off just waiting it out; wait for the objects that don't get re-discovered to drop out.   And of course you'd lose all history if you delete.  sometimes that's important.

                    Client Health Collection structure: yes and no... we don't have anything elaborate.  We do base on the same values as what creates v_r_system_valid; like decommissioned=0, that kind of thing.  But not to the degree as I've seen other client health collections.
                    mofmaster@myitforum.com
                    My Blog
                    Microsoft MVP - ConfigMgr
                     
                    #10
                      klong566

                      • Total Posts : 200
                      • Scores: 4
                      • Reward points : 22060
                      • Joined: 8/24/2009
                      • Status: offline
                      RE: Keeping SCCM Clean Monday, June 28, 2010 5:02 AM (permalink)
                      0
                      Cool cool, I've put through a change request to test going down the gpo startup path. :)

                      One last q on this, do you have the software/hardware inventory client agents off then since the script does this for you?
                       
                      #11
                        skissinger

                        • Total Posts : 4915
                        • Scores: 470
                        • Reward points : 133500
                        • Joined: 9/13/2001
                        • Location: Sherry Kissinger
                        • Status: offline
                        RE: Keeping SCCM Clean Monday, June 28, 2010 8:50 AM (permalink)
                        0
                        [This post was marked as helpful]
                        The GPO client health script doesn't do inventory.  All the GPO startup script does is get the client installed if not installed, and ensure it's working if it is installed.  It does NOT do the work of the actual client.

                        Leave sinv/hinv on.  Hinv I usually recommend daily.  Sinv can be more infrequent; usually somewhere between 3 and 7 days.  I recommend Sinv more infrequent for 2 reasons:  #1) Sinv is a higher burden on the clients.  Minutes, sometimes Hours on the client before it finishes and sends up it's report.  Hinv (for us anyway) is less than a minute.  Of course it depends what you have enabled in the mof for Hinv.  Reason #2) Sinv, despite it's name of "Software Inventory", isn't as useful as you think it is.  Most of the time when you create a collection query or report regarding software, you use the contents of Add/Remove Programs.  Hinv actually is the agent that reports that, not Sinv.  So really... Sinv is much lower on the scale of usefulness.
                        mofmaster@myitforum.com
                        My Blog
                        Microsoft MVP - ConfigMgr
                         
                        #12
                          egroff

                          • Total Posts : 98
                          • Scores: 12
                          • Reward points : 22900
                          • Joined: 10/28/2007
                          • Location: TN
                          • Status: offline
                          RE: Keeping SCCM Clean Friday, July 02, 2010 2:24 PM (permalink)
                          0
                          Cleanup AD with JoeWare OldCmp program. Use the output and leverage CollAdd.vbs to populate a collection with these computer objects. Then use the Delete Special option. If you still see old records, you have client issues. Track that way. Let me know if you'd like some JoeWare command lines. They report well too!
                           
                          #13
                            klong566

                            • Total Posts : 200
                            • Scores: 4
                            • Reward points : 22060
                            • Joined: 8/24/2009
                            • Status: offline
                            RE: Keeping SCCM Clean Monday, July 05, 2010 11:05 AM (permalink)
                            0
                            Yep yep, cheers
                            We've been using oldcmp but instead of deleting computers I'm putting them in a disabled ou. Then using queries to exclude now.
                             
                            #14
                              skissinger

                              • Total Posts : 4915
                              • Scores: 470
                              • Reward points : 133500
                              • Joined: 9/13/2001
                              • Location: Sherry Kissinger
                              • Status: offline
                              RE: Keeping SCCM Clean Monday, July 05, 2010 2:05 PM (permalink)
                              0
                              "putting them in a disabled ou" Tip... if you're doing that, then if you can, in AD, on that OU, set DENY on that ou for the computer account for your primary site server.  You'll get an error in the logs for the Discovery logs about "can't see in this ou", but that's exactly what you want.  By denying read to that OU's contents, your primary site server can no longer re-discover objects in that OU.
                              mofmaster@myitforum.com
                              My Blog
                              Microsoft MVP - ConfigMgr
                               
                              #15
                                klong566

                                • Total Posts : 200
                                • Scores: 4
                                • Reward points : 22060
                                • Joined: 8/24/2009
                                • Status: offline
                                RE: Keeping SCCM Clean Tuesday, July 06, 2010 1:02 AM (permalink)
                                0
                                Cheers for the tip.
                                I thought it wouldn't be necessary if I had the disabled OU outside of the OU's specified in ad system group discovery?
                                 
                                #16
                                  skissinger

                                  • Total Posts : 4915
                                  • Scores: 470
                                  • Reward points : 133500
                                  • Joined: 9/13/2001
                                  • Location: Sherry Kissinger
                                  • Status: offline
                                  RE: Keeping SCCM Clean Tuesday, July 06, 2010 7:26 AM (permalink)
                                  0
                                  that would work too; but often people just discover all of their domain, they don't explicitly define the OUs to discover.
                                  mofmaster@myitforum.com
                                  My Blog
                                  Microsoft MVP - ConfigMgr
                                   
                                  #17
                                    klong566

                                    • Total Posts : 200
                                    • Scores: 4
                                    • Reward points : 22060
                                    • Joined: 8/24/2009
                                    • Status: offline
                                    RE: Keeping SCCM Clean Tuesday, July 06, 2010 10:49 AM (permalink)
                                    0
                                    Cool got ya.
                                     
                                    #18
                                      Online Bookmarks Sharing: Share/Bookmark

                                      Jump to:

                                      Current active users

                                      There are 0 members and 2 guests.

                                      Icon Legend and Permission

                                      • New Messages
                                      • No New Messages
                                      • Hot Topic w/ New Messages
                                      • Hot Topic w/o New Messages
                                      • Locked w/ New Messages
                                      • Locked w/o New Messages
                                      • Read Message
                                      • Post New Thread
                                      • Reply to message
                                      • Post New Poll
                                      • Submit Vote
                                      • Post reward post
                                      • Delete my own posts
                                      • Delete my own threads
                                      • Rate post

                                      2000-2014 ASPPlayground.NET Forum Version 3.9