Ying Li at myITforum.com

PowerShell & System Center

SMS AD Security Group Distribution

It was a rather stressful weekend: our SMS operations team had to deploy an application to a group of users on last-minute notice to meet the Monday deadline.

We determined that we had to use AD Security Group Distribution, as there was no other way to identify the machine names for the users. We did this on the fly, as this option had never been in production. There were a few small-scale tests, and they did work months ago. But this time it just didn’t work. We created a collection based on an AD security group and advertised the package to it, but nothing happened. So something must have changed between the last test and now?

We tried looking it up on the Internet, and it seems there is not a lot of documentation regarding AD security group distribution. Finally we discovered that AD security group discovery was disabled on the primary site even though it was enabled in the central site. Once we enabled AD security group discovery on one of the primary sites, the users in that AD group in that site started to get the advertisement the next day.

Lesson learned: In order to use AD security group distribution, AD security group discovery needs to be enabled at the primary site where the users and machines report their inventory data. Enabling discovery in the central site is not enough!

Posted: Jan 09 2007, 10:35 AM by yli628