SCCM 2012: Part IV – Hierarchy Configuration

In Part III we completed the installation of System Center Configuration Manager 2012. Now we’ll turn our attention to setting the baseline for the SCCM console by configuring the necessary components in the Hierarchy Configuration section of the Administration page. Make sure you are already inside of the SCCM Console. If not, click Start > All Programs > Microsoft System Center 2012 > Configuration Manager > Configuration Manager Console.

In the left-hand corner you will see four different options:

– Assets and Compliance
– Software Library
– Monitoring
– Administration

In Part IV, we will be spending our time in the Administration tab, within the Hierarchy Configuration folder. I’ve expanded out all of the sections and provided a screenshot so you can see all of the configuration settings here.


Let’s begin with Discovery Methods. Here is the description of each Discovery we are about to cover:


Active Directory Forest Discovery
Right-click on Active Directory Forest Discovery and select Properties. I have selected all three checkboxes. I want to Enable Forest Discovery, I want SCCM to create new site boundaries when they are discovered, and I want to auto-create IP address range boundaries when subnets are discovered. I am running this once a week, configure the settings to your liking, these options are very straight-forward. Click Apply and click Yes when prompted to run the full discovery ASAP. Then click OK.

For each of these Discovery items, always click “Yes” when prompted to run a full discovery as soon as possible. This will help us get kick-started in establishing some data in SCCM.


Active Directory Group Discovery
I am going to enable SCCM to discover all AD Groups once daily. Right-click on Active Directory Group Discovery and select Properties. On the General tab, check the Enable checkbox. Then click Add > Location. In the Name: field I entered “All Domain Groups” and then set the LDAP string to this: “LDAP://DC=Domain,DC=com”. Then check the Recursively search AD Child Containers checkbox. Leave the site server’s computer account as the Discovery Account and click OK.

Click on the Polling Schedule tab. The default is once a week. I want this to run daily, so click on Schedule… Then change the custom interval to 1 day, click OK.

Next click the Option tab. Click Discover the membership of distribution groups. Then click Apply, Yes, then OK.

Here is what we have done: We’ve set a daily Active Directory Group Discovery at the root of my domain, which will discover any groups within my domain, using the SCCM server account which has appropriate AD permissions to do this. It will also include the members of any Distribution Groups.




Active Directory System Discovery
Right-click on Active Directory System Discovery and select Properties. On the General tab, check the Enable checkbox, click the starburst icon and enter in “LDAP://DC=domain,DC=com”. Make sure both checkboxes are selected.

On the Polling Schedule click Scheduling… and set this one to 1 day also.

Next, on the Active Directory Attributes tab, you will see the default system attributes that are pulled into the SCCM database by default. You can add any additional attributes that you would like from the Available attributes: field that you may need. I find the defaults are adequate.

On the Option tab, I leave the defaults. This ensures that all machines that exist in AD are discovered. Click Apply, Yes, and OK.

Here is what we have done: We’ve set a daily Active Directory System Discovery at the root of the domain, that will find all systems within my domain using the SCCM system account. This will also discover any objects within AD groups with no exceptions.



Active Directory User Discovery
Right-click on Active Directory User Discovery and select Properties. This will be configured almost identically to the System Discovery.

On the General tab, check the Enable checkbox, click the starburst icon and enter in “LDAP://DC=domain,DC=com”. Make sure both checkboxes are selected.

On the Polling Schedule click Scheduling… and set this one to 1 day also.

Next, on the Active Directory Attributes tab, you will see the defaults user attributes that are discovered. Again, I find the default values adequate. Add any necessary attributes you would like and click Apply, Yes, and OK.



Heartbeat Discovery
This is Enabled by default to run once weekly. This only needs to be configured if you configure automatic site-wide pushes, which in this guide we will not be doing. In almost every situation where you will be implementing SCCM, it will be into an existing environment. You will want to control your pushes and not enable auto-site-wide pushes by default.

Network Discovery
Right-click on Network Discovery and select Properties. On the General tab, select Enable Network Discovery and then select the Topology, client, and client operating system radio button. Again, we want as much relevant information in SCCM about our environment as possible and this makes the most sense.

Click on the Domains tab. Enter the name of your domain here and click OK. Finally, click the Schedule tab. Click the starburst, and set a custom interval of 1 day. Click Apply and OK.

Here is what we have done: We’ve set a daily Network Discovery at the root of the domain, that will find the complete topology, clients, and clients’ OS, within my domain.




Now if you click on the Assets and Compliance section on the bottom left of the console, and then navigate to Overview > Users for example, when you click on Users and it loads, you should see a list of all the users and groups:

users edit

If you do not see any data here within 10 minutes of enabling and running the discovery, go to Monitoring > Overview > System Status > Site Status and make sure your Site System Roles are all green. If you notice any error right click on the role, then click Show Messages > All.


Boundary Configuration

Now let’s go back to our Administration tab. Right-click on Boundary Groups and click Create Boundary Group. I named my group Domain Boundary Group. Then click Add… and select the checkbox next to Default-First-Site-Name. Click OK. Then click the References tab. Click the Use this boundary group for site assignment checkbox, which enables computer resources to be assigned to our site during discovery. Lastly click Add… and then add both your SCCM and your SQL servers. Click Apply then OK.


You will notice now, that in the Boundary Groups listing, now there is one group, one member with two site systems (SCCM and SQL server respectively).

Now click on Boundaries. Notice that there is a Group Count of 1. If you right-click on the Boundary, and go through the tabs, you will see that this is an Active Directory Site, with two site systems, and you will see the Boundary Group we created.

The Default-First-Site-Name comes from the site name in Active Directory Sites and Services. This can be renamed, but there is no real added benefit. Leaving the default is fine and is normally the case in a domain, but I wanted to clarify where that name comes from.


We will skip both Exchange Server Connectors and Addresses for now. The Exchange Server Connector we will not need as I will not need mobile device management (ActiveSync Policy, Remote Wipe Capability, etc). Below is a blog post on configuring this, should you need this feature, note Exchange 2010 is required.

As for the Addresses, this is used to send information between sites. Since this is a Primary-Standalone configuration, we’ll not be needing this.

Next click Active Directory Forests. Here you will see your domain, along with its Discovery and Publishing Statuses. These should both be in a Succeeded state. If not, confer your monitoring tab and troubleshoot the issue. Most likely, your SCCM computer account does not have appropriate permissions to Active Directory.


At this point we have configured our SCCM environment to discover all Users, Groups, and Systems within our Active Directory Domain Boundary Group we’ve created. We’ve also made sure that the Configuration Manager site computer resources are assigned to our site during discovery. We’ve defined our Site System servers and confirmed all our SMS roles are active and running without error. Further we’ve ensured that Discovery and Publishing to our domain is successful.

In Part V, we will go over the Site Configuration including adding additional roles, as well as the Security sections of the Administration page.

Thanks for reading! If you have any questions, comments, let me know. I’d be happy to help anyone who may need assistance with their SCCM implementation.

  • Pingback: System Center Configuration Manager and Endpoint Protection Manager 2012 | Gabe's Blog()

  • Leon

    This is a fantastic guide, worked perfectly, thank you for all your time and effort.

    • Gabriel

      Hi Leon, thanks so much for the feedback. Very happy this guide has been helpful to you in your setup!


  • Aaron Metelski

    Thank you for putting this together, I have a question on adding the boundary groups. When I go to add the “site system servers” the SCCM server is the only one that allows me to add. The SQL server is on the same machine also, is this why is does not show up?

    • Gabe

      Hi – I’m not familiar with this scenario; does the reporting work? I bet you’d need to still configure the roles then check the site system roles status