Steve Rachui wrote a great post on this – which goes a little deeper than some of the other documents and blogs presently out there:
http://blogs.msdn.com/steverac/archive/2008/03/20/opsmgr-ad-integration-how-it-works.aspx
I want to add one comment:
Q: “How often does the agent poll active directory if it doesn’t find policy when the machine first joins the domain?”
A: The agent polls AD for the SCPs referenced above when the Healthservice first starts up. From that point forward it polls, by default, every hour, looking in AD to see if it has information about management groups to join.
So – the RMS runs the AD assignment rules once per hour to update the AD containers, and the agent checks those containers once per hour. Theoretically, the maximum time from when you add an agent assignment rule to the time the agent picks it up should be 2 hours. Sometimes it can take a little longer, because a modification of an assignment rule on the MS is really a delete action followed by a write action.
The time interval that an agent inspects AD for policy is configurable as well:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager
Create a DWORD value named “ADPollIntervalMinutes” and set it to the period at which you want the Healthservice to check AD for new config. If you do not set this value yourself, it defaults to 60 (minutes).
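One way to script the registry change described above, as an added example that is not part of the original post. The function name `Set-ADPollInterval` and the one-week upper bound are assumptions made for illustration; the key path, value name and 60-minute default are the ones given in the post. Run it from an elevated PowerShell session on the agent machine.

```powershell
# Added example: inspect and set the agent's AD poll interval.
# Key path and value name come from the post; the function name and range limit are hypothetical.
function Set-ADPollInterval {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Minutes between AD polls. The one-week ceiling is an arbitrary sanity limit (assumption).
        [Parameter(Mandatory = $true)]
        [ValidateRange(1, 10080)]
        [int]$Minutes
    )

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager'
    $name = 'ADPollIntervalMinutes'

    if (-not (Test-Path -Path $key)) {
        throw "Key not found: $key (is the agent installed on this machine?)"
    }

    # If the value is absent, the agent is using its default of 60 minutes.
    $existing = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $before   = if ($null -ne $existing) { [int]$existing.$name } else { $null }

    # -WhatIf / -Confirm are honoured here, so the change can be previewed first.
    if ($PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $Minutes")) {
        # -Force creates the value or overwrites an existing one, keeping the DWORD type.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Minutes -Force | Out-Null
    }

    # Re-read the value so the report reflects what is actually in the registry.
    $after = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        PreviousMinutes   = $before
        ConfiguredMinutes = $after
        EffectiveMinutes  = if ($null -ne $after) { $after } else { 60 }
    }
}

# Preview the change without writing anything; drop -WhatIf to apply it.
Set-ADPollInterval -Minutes 30 -WhatIf
```

The returned object records the previous and current values, which is useful as a change record when the setting is rolled out to several agents.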