Поделиться через


SCSM Active Directory Connector optimization

Often customers setup Active Directory connectors to import all objects from the root of the Domain. This means that all users (enabled and disabled), groups and computer objects are imported.

First thing to consider about the AD Connector is to determine whether we need all objects in the CMDB.

Lets start with the computers: If you're also using the Configuration Manager connector, there really isn't a need for the AD connector to import all computers, as it only means SCSM needs to import, merge and maintain two sources. All relevant information about the computers are delivered by the SCCM connector. I therefore often recommend my customers not to import computers via the AD Connector. There could of course be examples where the AD connector needs to import computers from AD.

Next up are the AD Groups: Groups are often not used in SCSM as they don't contain membership and often WIs are assigned to support groups and then to individual user accounts. What I recommend my customer is not to import all AD groups and only import the relevant ones, if any.

Last and final are the User accounts: The AD connector imports all users in a domain, regardless enabled or disabled. Also if the customer has contacts in AD that are created as Domain users, these are imported as well. If is therefore very important to consider which OUs to import and also whether or not to import both Enabled and Disabled users.

What I typically do, depending on the customers OU structure, is create separate AD connectors to avoid populating the CMDB with unneeded data.

Note: Create a different run as account for each connector. This will create a separate Monitoringhost.exe process on the workflow management server for each connector when it runs. This makes it easier to see which connector is currently running and how much memory/CPU it is consuming. It also makes it easier to isolate that one process from other workflows/connectors so that it can be terminated without affecting other workflows/connectors running.

When configuring a connector to only import user accounts that are enabled, you need to use LDAP filters that were introduced in SCSM2012.

Create the Connector and at the Select Objects option, select 'Users or User Groups' and insert the following LDAP query:

(&(ObjectCategory=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Note: Unless needed for a purpose, always select the option ‘Do not write null values for properties not set in Active Directory’. Using this setting ensures the connectors do not update the same attributes, despite being null.

This will only import the User accounts that are Enabled.

When looking in the CMDB with SQL Management studio, you can identify which user is imported with what AD Connector.

Select * from LFXSTG.AD_User Where

Username = '<Username>'

This will return the source of the specific user, in this example 3 different connectors - (before the cleanup of duplicate connectors)

If you then run the SQL Query:

Select * from LFX.Datasource

You will get a list of connectors where the Datasource ID equals the LFX_SourceID from the previus query.

Setting up the connectors to only import relevant data, helps you keep an optimized and relevant CMDB.

Remember that Service Manager is not a laundrymat, dirty data doesn't get cleaned when imported :-)

Comments

  • Anonymous
    May 29, 2013
    Great post! Could the LFx.DataSource contain old connectors which has been removed from the console ? If it can, could that prevent new connectors to work properly? The reason i ask this is that i have some trouble with my connectors. I can create them, but they do not import any data. I do not get any error messages in the OMLog and/or security log. But when i run the query "Select * from LFX.Datasource" i get 15 rows containing the old connectors (they do not show up in the conole and does not show up in powershell "get-scsmconnectors"). Regards Björn

  • Anonymous
    January 04, 2014
    Pingback from Configure the Active Directory connector in Service Manager 2012 | Koolman

  • Anonymous
    November 27, 2015
    Thanks for the great info. I really loved this. I would like to apprentice at the same time as you amend your web site, how could i subscribe for a blog site?
    For more info on showbox please refer below sites:
    http://showboxandroids.com/showbox-apk/
    http://showboxappandroid.com/
    Latest version of Showbox App download for all android smart phones and tablets. http://movieboxappdownloads.com/ - It’s just 2 MB file you can easily get it on your android device without much trouble. Showbox app was well designed application for android to watch movies and TV shows, Cartoons and many more such things on your smartphone.
    For showbox on iOS (iPhone/iPad), please read below articles:
    http://showboxappk.com/showbox-for-ipad-download/
    http://showboxappk.com/showbox-for-iphone/
    Showbox for PC articles:
    http://showboxandroids.com/showbox-for-pc/
    http://showboxappandroid.com/showbox-for-pc-download/
    http://showboxforpcs.com/
    There are countless for PC clients as it is essentially easy to understand, simple to introduce, gives continuous administration, effectively reasonable. it is accessible at completely free of expense i.e., there will be no establishment charges and after establishment it doesn't charge cash for watching films and recordings. Not simply watching, it likewise offers alternative to download recordings and motion pictures. The accompanying are the strides that are to be taken after to introduce Showbox application on Android. The above all else thing to be done is, go to the Security Settings on your Android telephone, Scroll down and tap on 'Obscure sources'.