Configuration Manager 2007 might not have access to Active Directory Domain Services. Configuration Manager 2007 must have Read access to the containers that you specify for Active Directory System Discovery, Active Directory System Group Discovery, and Active Directory User Discovery. Configuration Manager 2007 uses the site server computer account to perform Active Directory discovery. When the site server computer account is used in domains other than the domain in which the site server is located, the account must have user rights on those domains. The account must at least be a member of the Domain Users group or local Users group on the domains. Additionally, when the resource is in a different forest than the site server, a forest trust is required between the two forests.

The following types of attributes are supported for Active Directory discovery:

• ADSTYPE_DN_STRING
  
  
• ADSTYPE_CASE_EXACT_STRING
  
  
• ADSTYPE_CASE_IGNORE_STRING
  
  
• ADSTYPE_PRINTABLE_STRING
  
  
• ADSTYPE_NUMERIC_STRING
  
  
• ADSTYPE_BOOLEAN
  
  
• ADSTYPE_INTEGER
  
  
• ADSTYPE_UTC_TIME
  
  
• ADSTYPE_LARGE_INTEGER
  
  
• ADSTYPE_DN_WITH_STRING
  
  

The following types of attributes are not supported for Active Directory discovery:

• ADSTYPE_OCTET_STRING
  
  
• ADSTYPE_PROV_SPECIFIC
  
  
• ADSTYPE_OBJECT_CLASS
  
  
• ADSTYPE_NT_SECURITY_DESCRIPTOR
  
  
• ADSTYPE_UNKNOWN and ADSTYPE_INVALID
  
  
• ADSTYPE_DN_WITH_BINARY
  
  

Active Directory System Discovery uses two pieces of information to determine whether a computer is a member of a network:

1. The account of the computer in Active Directory Domain Services.
   
   
2. Successful IP address name resolution.
   
   

If Active Directory Systems Discovery can obtain both pieces of information, the computers are discovered and a data discovery record (DDR) is created for each computer. This behavior can be prevented by enabling Domain Name System (DNS) scavenging on your DNS server.

Network Discovery creates a DDR for a resource only if it can positively determine the resource's subnet mask. The subnet mask can be determined if the following conditions are met:

• The client's IP address is listed in a trusted router's ARP cache, and the router has only a single IP address on that interface.
  
  
• The client has a Simple Network Management Protocol (SNMP) agent running, and Network Discovery is configured to use the community name the client is configured for.
  
  
• The client is a Microsoft Dynamic Host Configuration Protocol (DHCP) client.
  
  

  Note
  The site server computer account must have domain user credentials in the same domain as the DHCP server.

This behavior occurs when a discovered computer uses the RestrictAnonymous=1 setting. Configuration Manager 2007 does not use the network abstraction layer (NAL) for authentication. Therefore, Network Discovery makes only anonymous connections. To discover the operating system, you must enable an alternative method of discovery, such as Active Directory System Discovery.

Active Directory System Discovery creates a DDR for a resource only if it can resolve the name to the IP address by using DNS. If a valid DNS entry does not exist for a computer, Configuration Manager 2007 does not discover the computer, but does create a status message stating there were errors for that computer. You might see these computers referred to as "bogus" in adsysdis.log.