The Symantec Management Platform Console application generally maintains excellent data integrity between its products and its database. Missing assets are therefore not likely a defect or issue with Altiris, but are due to other causes that the user may not be aware of. Extensive troubleshooting may be needed to determine the cause or causes. This article's purpose is to provide some of the more common examples of how assets can be deleted. Note: Many sections of this article can also be used to troubleshoot changes to an asset, such as a serial number or comment change. Primarily, however, this article is designed to diagnose missing assets and why they are now missing.
Causes and Problem Areas
- Cause: Data loss due to the environment.
Problem Area(s): Core system; various other Altiris products depending on what they are doing; SQL Server.
If the Symantec Management Platform server and/or SQL Server are performing poorly, such as due to a low amount of resources or otherwise being over-taxed, data loss may occur. This would likely have to be an extreme situation to have an entire record or records vanish, however. The following articles provide information on what to check on both the Symantec Management Platform server and on the SQL Server:
How to increase Queue processing performance in NS 7.1 SP2
Event Queues in ITMS 7.1 SP2
Common Performance Monitor counter thresholds
How to create a Performance Monitor counter set for Altiris support
Creating a maintenance plan in SQL Server 2005 or 2008 to optimize database performance
- Cause: Purging Maintenance is set to delete computers.
Problem Area(s): Core system.
If Purging Maintenance is set to delete computers, any computer that does not report in for the specified amount of time is deleted. This can be checked and changed in the Symantec Management Platform Console by clicking on the Settings button > Notification Server > Purging Maintenance, then clicking on the Purging Maintenance tab and disabling Delete if it is enabled.
- Cause: The Microsoft Active Directory Import deleted assets no longer found in AD.
Problem Area(s): Core system.
If the Microsoft Active Directory Import is set to synchronize its imported data to what is currently in AD, it will delete records in Altiris if the matching record in AD was removed. This can affect computers, users, print queues, sites, subnets, and roles and accounts. This can be checked and changed in the Symantec Management Platform Console by clicking on the Settings button > All Settings > Notification Server > Microsoft Active Directory Import, and then checking the Directory Synchronization Schedule. If deleting records that were synchronized from AD is not desired, disable this schedule if it is enabled.
- Cause: Duplicate or shared GUIDs cause records to be combined.
Problem Area(s): Core system (for Agents); Deployment Solution (for images).
If duplicate or shared GUIDs exist, this can result in records being combined unexpectedly. Incorrect practices for Agent and image deployment are the main causes of this. The following articles provide additional information about this:
Resolving issues with shared GUIDs
Shared Guid Diagnostics Guide (aka Duplicate Guid Kit)
- Cause: Duplicate computer names/reusing the same computer cause records to be combined.
Problem Area(s): Core system.
Similar to the duplicate or shared GUID issue above, duplicate computer names (domain\computer name) and reusing computers (repurposing/reusing an old computer for a new user or purpose) for managed computers are not supported by Altiris. This results in severe issues with many tasks and policies. Therefore, ensure that all managed computers on the same domain have unique names. The following articles provide additional information about this:
Issues occur when using duplicate computer names and/or GUIDs
What issues may result from reusing computer names within SMP?
Computer's Manufacturer, Model, Serial Number or System Number are incorrect
How to troubleshoot duplicate assets
- Cause: Assets in a hierarchy are deleted on other servers in the hierarchy.
Problem Area(s): Core system.
This is working as the customer has set up their hierarchy/stand-alone replication rules to work. If this is not desired, changes to the hierarchy/stand-alone replication rules would need to be made.
Even if it's not believed that this is the issue, or it's believed that the server is not in a hierarchy or using stand-alone replication rules, these should be checked regardless. If the table searches in the Advanced Troubleshooting section don't provide a clear indication of what's happening, this is a very good indication that a hierarchy/stand-alone replication rule is the cause. For example, the Evt_NS_Item_Management table may show that an asset was deleted at 3:00 AM, with the Altiris service account as the user that did this. If nothing is then found in Windows Task Scheduler or in the Altiris database regarding this entry, it was likely caused by a hierarchy/stand-alone replication rule.
To check the hierarchy/stand-alone replications, in a Symantec Management Platform Console, click on Settings > Notification Server > Hierarchy, and then check both the Topology and Replication tabs. If anything is configured here, then this is likely what is causing the issue.
IMPORTANT NOTE: Asset Management, CMDB Solution and Barcode Solution are not supported on child servers in a hierarchy nor do they support the replication of their data with stand-alone replication rules. Therefore, the only solution for this scenario would be to remove the Asset products from all child servers. The following article provides additional information about this:
Does Asset Management or CMDB Solutions support hierarchy and stand-alone replication rules?
- Cause: Merged assets cause records to be combined.
Problem Area(s): Core system; CMDB Solution.
If merge rules or manual merges have been performed, the result will be one final record, with the other record now deleted. The following describes the different types of merges and where these can be checked. Note: When any kind of merge occurs, the deleted record is not added to the ItemDeleted table.
The Core system performs a daily merge which is controlled by the Merge Duplicate Resources task. This can be viewed on the Symantec Management Platform server in the Windows Task Scheduler, and is set to run daily at 6:15 AM. If records were merged by this task, these can be viewed by running the report Merged Resources, found in the Symantec Management Platform Console by clicking on the Reports button > Notification Server Management > Server > Resource Reports > Merged Resources. Note: This report does not show resources manually merged or merged by a CMDB merge rule.
Deployment Solution/Core system
If old computers are being reimaged by Deployment Solution, when they check in, they will generally merge back to their old records. This can happen if the computer's name or MAC address is the same. The supported method of reimaging computers in Altiris is to first fully delete the old computer record, then the new record can come in correctly from the reimaged computer. This will, by design, require the old computer's data to be fully deleted. Otherwise, the reimaged computer will most likely merge back to the original record "unexpectedly". Computers merged should then appear on the Merged Resources report too, as described in the above Core system section.
CMDB merge rules can be checked and changed in the Symantec Management Platform Console by clicking on the Manage button > Jobs and Tasks > CMDB > Duplicate Computer Merge, and Duplicate User Merge and Resource Merge Rule. Out of box, there are no merge rules enabled to run. Disable any merge rules as necessary that are found in these locations.
The ResourceMerge and Evt_Resource_Merge tables can be checked for any CMDB merge, rule or manual. The attached SQL script "Find CMDB merged assets.txt" demonstrates how the database can be checked.
- Cause: Automation policies or other tasks (manual or scheduled) deleted the assets.
Problem Area(s): Core system; CMDB Solution.
There may be an automation policy or task that is causing this. For automation policies, this can be checked and changed in the Symantec Management Platform Console by clicking on the Manage button > Automation Policies, then checking all listed automation policies for the ability to delete assets.
The Evt_Task_Instances view can be checked for tasks that were run manually or on a schedule. If this shows that users manually ran the task, then the Altiris Administrator would need to perform training on when to and not to do this, or remove the Altiris user's permissions to do this. If this was a scheduled task, the Altiris Administrator can remove or reschedule the task as necessary. The following SQL script demonstrates how to find this information:
ORDER BY 3 DESC
- Cause: Altiris Users have deleted assets.
Problem Area(s): CMDB Solution.
Altiris users that have permissions to delete assets may do so without further authorization. The Altiris Administrator is in charge of setting up and managing the security roles, and should ensure that only those authorized to delete assets are able to do so. Security roles can be managed in the Symantec Management Platform Console by clicking on the Settings button > Security > Account Management.
Out of box, the ability to delete assets is granted only to the Symantec Administrators role. However, the Altiris Administrator can add custom security roles, or break inheritance on out of box roles, so that these can also delete assets. Also, if security roles are embedded in other security roles, such as the Barcode User security role having the Symantec Administrator security role inside of it, this further complicates finding which Altiris users in which security roles have the permission to delete assets. Therefore, the Altiris Administrator may need to perform extensive management of the security roles and users to be sure only those who should be deleting assets have that permission.
Checking for embedded security roles
1. In the Symantec Management Platform Console, click on the Settings button > Security > Account Management.
2. Click on Roles.
3. Click on Symantec Administrators.
4. On the Members tab, the Altiris users that are part of the role are listed. If any Type shows "Role", this is an embedded role, which will grant full Symantec Administrators rights to that role, even if normally it was a very locked down role, such as Barcode Users. If this is not desired, remove the embedded role(s). Note: Custom security roles should also be evaluated for their permissions outside of this, as one may have virtually Symantec Administrators rights, and that may have embedded roles too. But for just out of box roles, these steps would be sufficient to remove embedded roles from the only role that out of box would be able to delete assets.
Troubleshooting custom or altered security roles
If there are custom or altered (broken inheritance) security roles present, this presents an issue of trying to determine what security roles have the ability to delete assets. Several SQL scripts have been included with this article as examples of how to investigate this in the database. The attached SQL script "List the permissions for the specified security role.txt" can be used to list permissions for the specified security role. This can be useful to compare out of box altered security roles to non-altered to see if permissions have changed. The attached SQL script "Find security roles that have permissions to delete computers.txt" can be used to see which security roles have the delete resource specific permission.
Checking if a user deleted an asset
The Evt_NS_Item_Management table can be checked for assets that Altiris users deleted. If an Altiris user is found to have deleted an asset, the Altiris Administrator would need to perform training on when to and not to do this, or remove the Altiris user's permissions to do this. The following SQL script demonstrates how to find this information:
WHERE Action = 'Delete'
ORDER BY 3
If the Altiris user account found to have deleted the asset is the Application Identity, then either someone is logging in as that account and performing the action, or a task or policy is doing so on behalf of the App ID. Further investigation can then be performed based on the App ID's GUID, as discussed in the Investigate GUIDs of deleted assets and deletion date/times section under Additional Troubleshooting.
- Cause: Data Connector import is set to remove assets.
Problem Area(s): Data Connector Solution.
If any Data Connector import rule is set to remove assets, all prior imported assets on the last import will be removed if they are not also present in the current import. This can be checked and changed in the Symantec Management Platform Console by clicking on the Settings button > All Settings > Notification Server > Connector > Import Rules. Then, check each import rule to see if it has the following set:
Removed assets: Delete permanently from CMDB
If so, disable this or change it to not delete.
The following article provides additional information about this:
Data Connector import rule removes unexpected resource types
If Data Connector import rules or custom CMDB are scheduled, and it is suspected they are the cause, the following article describes how to easily check these for their schedule:
How to check if a custom CMDB rule or Data Connector import rule is scheduled
- Cause: A restore of the Altiris database was performed.
Problem Area(s): SQL Server.
If the Altiris Symantec_CMDB database was restored, it's very possible that assets (and many other record types) are now missing because they did not exist in the backup. This can occur even if the backup is only an hour old, as new computers checking in would have created computer assets that did not exist in the backup. Therefore, this scenario is expected when performing a restore, and there is unfortunately no way to recover missing assets (or other record types), unless they have an automated method of being brought in afterwards (as Agents checking in would, for example).
- Cause: SQL scripts have been run that deleted assets.
Problem Area(s): SQL Server.
If the user ran SQL scripts that deleted assets or truncated tables, these have been permanently deleted from the database. Any user that has access to the SQL Server, with access to run SQL scripts, may have performed this, whether authorized or not. Ensure that only authorized Altiris users have permission to access the SQL Server to help prevent this. This would not result in a record being added to the ItemDeleted table, however, so if there are records there, then most likely SQL scripts were not the cause. WARNING: Performing this is not recommended and may result in the user's database becoming unsupportable by Technical Support. The only solution would be to restore the database or in some cases, a table may be able to be copied from the backup of the database. (It is strongly recommended to restore the entire database, however, as it's hard to say what was impacted by this manual change.)
- Cause: A custom ServiceDesk or Workflow project has deleted the assets.
Problem Area(s): ServiceDesk/Workflow.
If ServiceDesk/Workflow are part of the Altiris environment and there is a custom project that can manipulate assets, it's possible that this has deleted assets. The user would then want to discuss this with their ServiceDesk/Workflow team to see if such a custom project exists and, if so, either allow it to continue making changes (such as deletions) or ask them to remove that permission, as the Symantec Management Platform Console has no control over its records being deleted from an outside source.
- Cause: The asset was found or was there all along but has missing/changed data classes, such as its serial number or comment are missing or changed.
Problem Area(s): CMDB Solution, Asset Management Solution.
Generally any changes to any asset, be it computer, purchase order, purchase receipt, monitor, etc., are reflected in its Resource Change History. This, along with the Evt_NS_Item_Management table, can be checked for changes made by user or task. For example, if a computer had its comment changed, right click on it from the Home > Service and Asset Management > Manage Configuration Items > Computers and Peripherals > Computer and then click on CMDB Functions > Resource Change History. For more information about Resource Change History, refer to the following article. Note: Most but not all changes to the asset are recorded in the Resource Change History. Some changes that are not recorded are direct SQL updates, merges, deletions, stand-alone replication rules and some tasks such as the Inventory to Asset Synchronization task.
A computer's Resource Change History no longer records certain changes
- Investigate GUIDs of deleted assets and deletion date/times.
The GUID of a deleted asset can be searched for across the entire database to find the other tables that it appears in. These tables and columns can give an idea of what happened. Likewise, the date and time of the deletion can be searched for to see what processes were running at that time. The following two articles provide SQL scripts that can help perform this:
Find all tables that contain a specific GUID
How to search a Microsoft SQL database for a data value
- Check tables that can be used to help track deleted assets, such as if users performed this:
Note: It is beyond the scope of Altiris and the Symantec Management Platform to monitor, keep track of, document and otherwise determine which user deleted what record or made what change. While some of this data can be incidentally found in the database, its purpose in being there is not to monitor users' actions or to provide this data to an administrator looking to find who deleted or changed what. If the customer needs such a level of security, they are encouraged to procure a third-party Microsoft SQL Server security product, as Altiris does not offer this.
The following tables can be used to help track deleted or removed assets. These are:
ItemDeleted - Shows deleted assets.
ResourceMerge - Shows merged assets.
History and History Delta tables - Shows the history of assets.
UserSettings table - Shows some Altiris user activity.
Inv_Account_Details - Shows basic login information.
Evt_NS_Item_Management - Shows more Altiris user activity, specifically what Altiris user account was used to delete assets.
An example SQL script is attached to this article, "Find general user activity during a date range.txt", to help see if specific users were at least online during a resource deletion. This won't show if they deleted anything but may give information on where they were in the console when the issue occurred. Note: As the UserSettings table is updated, its dates are overwritten, so it is not an ongoing "log" of what an Altiris user has performed. Therefore, reviewing this table is not likely to show clear data, or any at all, but it can certainly be looked at for some information.
For more information on historical changes and deletions, refer to the following article:
What reports offer a historical view of asset changes or deletions?
- Review the Windows Task Scheduler on the Symantec Management Platform server for running Altiris and other processes.
Check the Windows Task Scheduler on the Symantec Management Platform to see what Altiris and other processes were running during the deletion to help determine if any of these were the cause.
- Review the Evt_NS_Scheduled_Event table for running Altiris tasks and processes.
Check the Evt_NS_Scheduled_Event table to see what Altiris tasks and processes were running during the deletion to help determine if any of these were the cause. For example:
- Review the installed Altiris applications in the Symantec Installation Manager.
Review the Altiris applications installed in the Symantec Installation Manager to help determine if any of these could be a cause.
Certain third party applications have capabilities to do this too, such as those from Arellia. These are working as designed, however, and should be configured to prevent deletions and purges in their specific configurations. For example, users can be deleted by how some Arellia products work. The following article provides additional information about this:
Newly created users in the Symantec Management Console disappear soon after creation
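The table checks described in this article can be chained into a single triage pass per missing asset. The following Python sketch is an added example, not one of the SQL scripts attached to the article. It assumes the rows were already exported from ItemDeleted, ResourceMerge, Evt_NS_Item_Management and Evt_NS_Scheduled_Event; the field names, the service account name and the 30-minute attribution window are assumptions, and all sample rows are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data. Field names and values are assumptions for this
# example; they are not the real Altiris column names.
SERVICE_ACCOUNT = r"EXAMPLE\svc-altiris"  # hypothetical service account / App ID
ITEM_DELETED = {"guid-1", "guid-2", "guid-3", "guid-6"}  # GUIDs found in ItemDeleted
RESOURCE_MERGE = {"guid-4"}                              # GUIDs found in ResourceMerge
DELETE_EVENTS = [  # rows from Evt_NS_Item_Management where Action = 'Delete'
    {"guid": "guid-1", "user": r"EXAMPLE\jdoe", "time": datetime(2024, 5, 2, 14, 7)},
    {"guid": "guid-2", "user": SERVICE_ACCOUNT, "time": datetime(2024, 5, 3, 2, 5)},
    {"guid": "guid-3", "user": SERVICE_ACCOUNT, "time": datetime(2024, 5, 4, 3, 0)},
]
SCHEDULED_EVENTS = [  # rows from Evt_NS_Scheduled_Event or Windows Task Scheduler
    {"name": "Nightly cleanup (constructed)", "start": datetime(2024, 5, 3, 2, 0)},
]
# Assumed: a deletion this soon after a task starts is attributed to that task.
WINDOW = timedelta(minutes=30)


def classify(guid):
    """Return (likely_cause, next_step) for one missing asset GUID."""
    if guid in RESOURCE_MERGE:
        return ("merge", "review the Merged Resources report and CMDB merge rules")
    if guid not in ITEM_DELETED:
        # Direct SQL deletes add no ItemDeleted row; after a restore the
        # record may simply never have existed in the backup.
        return ("not logged", "check for direct SQL changes or a database restore")
    event = next((e for e in DELETE_EVENTS if e["guid"] == guid), None)
    if event is None:
        return ("unattributed", "search all tables for the GUID and deletion time")
    if event["user"].lower() != SERVICE_ACCOUNT.lower():
        return ("user", f"deleted by {event['user']}; review security roles")
    for task in SCHEDULED_EVENTS:
        if timedelta(0) <= event["time"] - task["start"] <= WINDOW:
            return ("scheduled task", f"deleted while '{task['name']}' was running")
    # Service account, nothing scheduled at that time: the pattern this
    # article associates with hierarchy/stand-alone replication rules.
    return ("replication suspected", "check the Hierarchy Topology and Replication tabs")


def triage(guids):
    """Classify every GUID in the list and return {guid: (cause, next_step)}."""
    return {guid: classify(guid) for guid in guids}


if __name__ == "__main__":
    for guid, (cause, step) in triage([f"guid-{n}" for n in range(1, 7)]).items():
        print(f"{guid}: {cause} -> {step}")
```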
Deleted data cannot generally be recovered by the Symantec Management Platform itself. It is up to the user to find the best method to bring their data back based on their needs and processes involved for how their data comes into the environment.
- The way the data was originally brought into the Symantec Management Platform may be the best way to restore it. For example, if assets were brought in by Barcode Solution or a Data Connector import rule, use these again to bring in the deleted assets. Computers will be re-created if they have Agents on them, or if they are in Active Directory and the Microsoft Active Directory Import is performed. Likewise, Network Discovery and WINS Import can also bring assets back in.
- The user may wish to consider restoring their database to the last good backup in which they know the deleted assets still exist. As mentioned, however, a database restore in itself can cause data loss, so this should only be performed as a last resort.
Unable to find computer by searching for its Serial Number
Computer Status value unexpectedly changes
Computer's Manufacturer, Model, Serial Number or System Number are incorrect or missing
How to determine what process or user renamed a computer name
Computer Barcode field value disappears later after being set
How to troubleshoot duplicate assets