I am running 2303 in a single site with 1 local DP, one DP at a hardware vendor for imaging, and a CMG. The CMG was just deployed a couple of months ago, and this might be the root of my current issue. Last week I noticed a lot of systems starting to show offline in the console, and soon all of them were offline. It’s a long story how I got that resolved and I can give details later, but during that time I also noticed that under Assets and Compliance\Users I had no users. This view previously displayed all discovered AD users.
I have been working on this for several days now, and I cannot give an exhaustive list of everything I have tried, but here are some key data points:
- We are running local AD and are syncing to a Federated domain in M365/AAD. This has been functional for over a decade.
- Aduserdis.log (from file system) shows that users are being discovered and messages are being put into the database queue.
- SMS_AD_USER_DISCOVERY_AGENT (from console) – during delta syncs it will generate a handful of DDRs with 0 errors. During full syncs, it reports
“errors for 375 objects. DDRs were generated for 0 objects that had errors while reading non-critical properties. DDRs were not generated for 375 objects that had errors while reading critical properties.”
- I have a couple thousand users. I’ll worry about the 375 errors above when I can get anyone else to show up in the view.
- SMS_AZUREAD_DISCOVERY_AGENT (from console) shows completed successfully on every cycle, no errors.
- SMS_AZUREAD_DISCOVERY_AGENT (from file system) shows that users are being discovered and messages are being put into the database queue.
- DDM.log does not show any errors, but frequently records
“CDiscoverDataManager::ObsoleteOldRecords - Client's SMSID and Previous SMSID are same which will result in self obsoleting. Therefore Skipped obsoleting.”
I cannot find anything regarding what this message means or if it is relevant to my problem.
My SQL skills are weak, but in the DB I see:
- Dbo.users contains several thousand users, with records going back to our initial installation.
- Dbo.ADDiscoveryStats shows a valid DDRCount for the expected number of current users, but ChangedObjectCount is always 0. I do not know if this is expected or not, but I’m thinking not.
- Dbo.v_R_User shows no records.
I have tried:
- Disabling each of the local AD and AAD discoveries, individually and together.
- Disabling delta syncs and only running full syncs.
- Changing the AD discovery to use a service account rather than the SCCM computer account. (It’s back to computer now)
- Re-applying the permissions on the local AD OUs
The initial problem with Devices going offline was due to Auto-Enroll failure with our PKI. This has been resolved, and devices are reporting into the MP using https and PKI. I do not know if the Users broke at the same time, or broke because of something I did fixing the Devices.
I have exhausted every phrasing for this problem that I can think of in both Google and Bing. I’ve not found anything like this. Can anyone help?