Active Directory Integration – How it works


Steve Rachui wrote a great post on this – which goes a little deeper than some of the other documents and blogs presently out there:


http://blogs.msdn.com/steverac/archive/2008/03/20/opsmgr-ad-integration-how-it-works.aspx


I want to add one comment:


Q:  “How often does the agent poll active directory if it doesn’t find policy when the machine first joins the domain?”


A:  The agent polls AD to look at the SCPs referenced above when the HealthService first starts up.  From that point forward it polls, by default, every hour, looking in AD to see if it has information about management groups to join.


So the RMS runs the AD assignment rules once per hour to update the AD containers, and the agent checks those containers once per hour.  Theoretically, the maximum time from when you add an agent assignment rule to the time the agent picks it up should be 2 hours.  Sometimes it can take a little longer, because a modification of an assignment rule on the MS is really a delete action followed by a write action.


The time interval that an agent inspects AD for policy is configurable as well:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager


Create a DWORD value named “ADPollIntervalMinutes” and set it to the period at which you want the HealthService to check AD for new config.  If you do not set this value yourself, it defaults to 60 (minutes).
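
One way to audit and set this value with PowerShell, as an added example that is not from the original post or from Microsoft. The function names, the 1 to 1440 sanity range, and the optional restart of HealthService so the agent rereads the value are assumptions; the key path, value name and default come from the text above.

```powershell
# Added example. Key path, value name and default are taken from the post.
$KeyPath        = 'HKLM:\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager'
$ValueName      = 'ADPollIntervalMinutes'
$DefaultMinutes = 60   # used by the agent when the value is absent

function Get-ADPollInterval {
    # Report the effective interval and whether it was explicitly configured.
    $configured = $null
    if (Test-Path -Path $KeyPath) {
        $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $configured = [int]$item.$ValueName }
    }
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Configured = ($null -ne $configured)
        Minutes    = if ($null -ne $configured) { $configured } else { $DefaultMinutes }
    }
}

function Set-ADPollInterval {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Range is an assumed sanity bound (1 minute to 1 day), not a documented limit.
        [Parameter(Mandatory)][ValidateRange(1, 1440)][int]$Minutes,
        # Assumption: the agent reads the value at service start.
        [switch]$RestartService
    )
    if (-not (Test-Path -Path $KeyPath)) {
        throw "Key not found: $KeyPath (is the agent installed?)"
    }
    $current = Get-ADPollInterval
    if ($current.Configured -and $current.Minutes -eq $Minutes) { return }  # already set
    if ($PSCmdlet.ShouldProcess($KeyPath, "Set $ValueName = $Minutes")) {
        # -Force overwrites an existing value; DWord matches the type named in the post.
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
            -Value $Minutes -Force | Out-Null
        if ($RestartService) { Restart-Service -Name HealthService }
    }
}

# Show the current state; run elevated to change it, e.g.:
#   Set-ADPollInterval -Minutes 30 -WhatIf
Get-ADPollInterval
```

Run `Set-ADPollInterval` from an elevated session, since the key is under HKLM.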
