CMDB – Configuration Items (CIs) Active Directory Connector Best Practise

Don't fill up the CMDB will obsolete Configuration Items(CIs).

• Ask this question - will I report on this CI? If the object is not required to be reported on, or if it is transient then don’t include it.

• Consider Automating a workflow that identifies and moves obsolete Active Directory objects to OUs that are not being targeted through Connector(s).

• A Blog Reference which contains Orchestrator RunBook ideas how to Manage Obsolete AD objects here: https://myitforum.com/myitforumwp/2013/07/17/clean-up-active-directory-and-cm-2012-with-orchestrator/

Ensure each Configuration Item(CI) has a single source of truth.

• Select either the AD Connector or the Configuration Manager for Computers objects and not both

  If a CI is synchronised by more than 1 connector and each source i.e. AD and Configuration Manager has a different value, then the last Connector synchronisation will determine the value that is written to the database that is until the next Connector sync schedule. Minimise contention.

• Create multiple AD Connectors *example 1 for each CI type to manage data set size and synchronisation times.

Do not synchronize AD Group objects unless required

 Ensure to select the option ‘Do not write null values for properties not set in Active Directory’.

• Using this setting ensures the connectors do not update CI values to NULL.

 Use LDAP filters to only import relevant types of objects.

• Printer Objects = (objectCategory=printQueue)
• Enabled User Accounts = (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
• For more information on LDAP filters see here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa746475(v=vs.85).aspx

 When implementing multiple AD connectors stagger the schedule so they don’t all run at the same time and ensure they do not run during Backup or other Maintenance Windows

• A great blog reference here: https://blog.scsmsolutions.com/2012/03/update-ad-and-sccm-connector-scheduler-with-powershell

AD Connector Deletion

• Never delete an AD connector without first disabling the connector, creating a new AD Connector and completing a synchronisation further information here: https://technet.microsoft.com/en-us/library/ff461049.aspx & here https://technet.microsoft.com/en-us/library/ff461175.aspx 

 

Line Manger and User must be imported using the same connector

• Line Manager and User CIs must be importing using the same connector, this ensures the relationship in place for use Reviewer Activities which leverage the Line Manager refer to here: https://social.technet.microsoft.com/Forums/systemcenter/en-US/59b72a39-b2f4-4e17-b815-22e7231a7af7/scsm-2012-ad-connector-not-syncing-manager-information?forum=connectors

 

Mapping AD Connector Properties to Service Manager https://technet.microsoft.com/en-us/library/hh524307.aspx

Mihai Sarbulescu has an excellent blog covering AD connectors tweaks https://blogs.technet.com/b/mihai/archive/2013/08/14/tweaking-the-ad-and-cm-connectors-in-service-manager-2012.aspx

The Service Manager Product Group has also posted an excellent blog improving AD Connector performance
https://blogs.technet.com/b/servicemanager/archive/2014/03/19/improving-ad-connector-performance.aspx