Duplicate computer names appear after a Full AD Import.
Last Updated April 20, 2009
After running a Full AD Import, multiple computers with duplicate names appear in the NS Console under Configuration>Server Settings>Notification Server Infrastructure>Merge Computers>Merge computers with duplicate names.
The customer merges those machines, but after the next Full AD Import they come back as duplicates.
Looking under the ResourceKey table, you may see multiple entries for the same machine name:
After verifying settings with the customer, we found that the actual issue was caused by a task/policy for Local Security Solution. The customer was using Mixed Mode Domains (for example, Altiris and AltirisInc), and both names were valid. When AD Import and Basic Inventory updated the resources, they used one name (let's say Altiris) to refresh the name.domain and distinguishedname entries in the ResourceKey table. However, another task was running that overwrote the distinguishedname with the second domain name (let's say AltirisInc).
The NS logs reflected this change:
Priority: 4 Date: 2/27/2009 2:00:54 AM Tick Count: 530690765 Host Name: ServerName Process: AtrsHost.exe (472) Thread ID: 4604 Module: AltirisNativeHelper.dll Source: MSoft.DirectoryServices.Resources.LdapDirectoryResource.CheckResourceKey Description: Directory Sync 9d9003e4-5214-4e04-9f24-de0ebe650e4c for Resource 1a723d3e-2bdc-43d6-8e42-edef84cc5703 changed name.domain key from 'BMOMO.ALTIRIS' to 'BMOMO.ALTIRISINC'
Local Security Solution installs another component called "Altiris Directory Services", which runs an LDAP query against the AD server and pulls AD information, some of which is not pulled by NS's AD import. With this import, Local Security Solution can be configured to manage AD groups and AD user passwords just as it does for local computers. If the customer does not use these two features of Local Security Solution, there is no reason to run the Directory Services synchronization task.
In this case, after identifying what could be the task changing the name.domain and distinguishedname entries for the ResourceKey table on those Resources, you can verify how frequently this occurs by running this query:
SELECT * FROM ResourceKeyChanged WHERE KeyName = 'name.domain' AND KeyValue LIKE '%Computer name goes here%' ORDER BY ChangeTime desc, ChangeType
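The same check can be made from the NS log side. The following Python script is an added example, not part of the original article or of any Altiris tooling: it scans log text for the CheckResourceKey message shown above and reports resources whose name.domain key kept the same host name but switched domain, which is the mixed-mode symptom described here. The function names and the second and third sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample. The first entry is the Description text from the log
# excerpt in this article; the other two are made up for illustration.
# Full log lines (with the Priority/Date/... prefix) are matched the same way.
SAMPLE_LOG = """\
Directory Sync 9d9003e4-5214-4e04-9f24-de0ebe650e4c for Resource 1a723d3e-2bdc-43d6-8e42-edef84cc5703 changed name.domain key from 'BMOMO.ALTIRIS' to 'BMOMO.ALTIRISINC'
Directory Sync 9d9003e4-5214-4e04-9f24-de0ebe650e4c for Resource 00000000-0000-0000-0000-000000000001 changed name.domain key from 'PC01.ALTIRISINC' to 'PC01.ALTIRIS'
Directory Sync 9d9003e4-5214-4e04-9f24-de0ebe650e4c for Resource 00000000-0000-0000-0000-000000000002 changed name.domain key from 'OLDPC.ALTIRIS' to 'NEWPC.ALTIRIS'
"""

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
CHANGE_RE = re.compile(
    rf"Directory Sync (?P<sync>{GUID}) for Resource (?P<resource>{GUID}) "
    r"changed name\.domain key from '(?P<old>[^']*)' to '(?P<new>[^']*)'"
)


def split_key(value):
    """Split 'HOST.DOMAIN' at the first dot into (host, domain), upper-cased."""
    host, _, domain = value.partition(".")
    return host.upper(), domain.upper()


def domain_flips(log_text):
    """Return {resource_guid: [(host, old_domain, new_domain), ...]} for key
    changes where the host name is unchanged and only the domain differs."""
    flips = defaultdict(list)
    for m in CHANGE_RE.finditer(log_text):
        old_host, old_dom = split_key(m["old"])
        new_host, new_dom = split_key(m["new"])
        # A genuine rename (host part changed) is not the mixed-mode symptom.
        if old_host == new_host and old_dom != new_dom:
            flips[m["resource"].lower()].append((old_host, old_dom, new_dom))
    return dict(flips)


if __name__ == "__main__":
    for resource, changes in domain_flips(SAMPLE_LOG).items():
        for host, old_dom, new_dom in changes:
            print(f"{resource}  {host}: {old_dom} -> {new_dom}")
```

A resource that appears repeatedly with the domain alternating between the two valid names indicates that two different tasks are writing the key.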
1. The NS logs referenced a task called 'Resource Discovery Update'.
2. Check if 'Resource Discovery Update' is enabled in the NS Console under Configuration>Solutions Settings>Security Management>Maintenance>Resource Discovery.
3. Disable the 'Resource Discovery Update' task.
4. Merge the duplicate machines by using the 'Merge computers with duplicate names' task, or create your own with CMDB (which you can set up to run automatically rather than going one by one as the 'Merge computers with duplicate names' task does).
5. Run a Full AD Import for your computers to check if more duplicates are generated. Note: you may get new duplicate names, but usually this is expected. We suggest that you keep merging the computers until all the entries are cleared from the previous Local Security Solution 'Resource Discovery Update'.
6. If for some reason you start seeing the same computers being considered duplicates again, verify whether you have a task called 'Active Directory Sync Task' (under Tasks>Security Management>Task Management>Server Tasks>Directory Services). If you do, since we can't disable the task, change the schedule to run once in the future, or delete it if you don't need it.
Applies To
Notification Server 6.0.6074 SP3 + Rx
Altiris Integrated Component for Microsoft Active Directory 6.1.842
AD Import Hotfix 34704
Altiris Local Security Solution for Windows 6.2.1430
Imported Document ID: TECH41834