Having duplicate names after a Full AD Import occurs.

Article ID: 176906

Products

IT Management Suite

Issue/Introduction

After running a Full AD Import, multiple computers with duplicate names appear in the NS Console under Configuration>Server Settings>Notification Server Infrastructure>Merge Computers>Merge computers with duplicate names.

The customer merges those machines, but after the next Full AD Import they come back as duplicates.

Looking under the ResourceKey table, you may see multiple entries for the same machine name:

ResourceGuid                          KeyName            KeyValue
------------------------------------  -----------------  -----------------------------------------------------
A8E5397B-014B-4185-A815-BABCFC3A73B9  distinguishedname  CN=LAPT09,OU=COMPUTERS,OU=LINDON,DC=ALTIRISINC,DC=COM
A8E5397B-014B-4185-A815-BABCFC3A73B9  name.domain        LAPT09.ALTIRIS
483494A9-1497-4B15-8F55-4E3BD1A67766  name.domain        LAPT09.ALTIRISINC
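
To find every computer in this state rather than checking one name at a time, the following read-only query is an added example, not part of the original article. It assumes T-SQL on Microsoft SQL Server and uses only the ResourceKey columns shown in the listing above (ResourceGuid, KeyName, KeyValue).

```sql
-- Added example: list computer names whose name.domain keys are attached to
-- more than one resource GUID, together with each resource's distinguishedname.
-- Table and column names come from the listing in this article.
SELECT k.HostName,
       k.ResourceGuid,
       k.KeyValue  AS NameDomain,
       dn.KeyValue AS DistinguishedName
FROM (
        -- 'LAPT09.ALTIRISINC' -> 'LAPT09' (text before the first dot).
        -- Appending '.' keeps CHARINDEX from returning 0 on dot-less values.
        SELECT ResourceGuid,
               KeyValue,
               LEFT(KeyValue, CHARINDEX('.', KeyValue + '.') - 1) AS HostName
        FROM ResourceKey
        WHERE KeyName = 'name.domain'
     ) AS k
LEFT JOIN ResourceKey AS dn
       ON dn.ResourceGuid = k.ResourceGuid
      AND dn.KeyName = 'distinguishedname'
WHERE k.HostName IN (
        -- Host names that map to more than one resource.
        SELECT LEFT(KeyValue, CHARINDEX('.', KeyValue + '.') - 1)
        FROM ResourceKey
        WHERE KeyName = 'name.domain'
        GROUP BY LEFT(KeyValue, CHARINDEX('.', KeyValue + '.') - 1)
        HAVING COUNT(DISTINCT ResourceGuid) > 1
      )
ORDER BY k.HostName, k.ResourceGuid;
```

Computers that legitimately share a host name in two separate domains also appear in the result, so compare the NameDomain and DistinguishedName columns before merging.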


 

Cause

After verifying settings with the customer, we found that the actual issue was caused by a task/policy for Local Security Solution. The customer was using Mixed Mode Domains (for example, Altiris and AltirisInc), in which both names were valid. When AD Import and Basic Inventory updated the resources, they used one name (let's say Altiris) to refresh the name.domain and distinguishedname entries in the ResourceKey table. However, another task was running that was updating/overwriting the distinguishedname with the second domain name (let's say AltirisInc).
The NS logs reflected this change:

Priority: 4
Date: 2/27/2009 2:00:54 AM
Tick Count: 530690765
Host Name: ServerName
Process: AtrsHost.exe (472)
Thread ID: 4604
Module: AltirisNativeHelper.dll
Source: MSoft.DirectoryServices.Resources.LdapDirectoryResource.CheckResourceKey
Description: Directory Sync 9d9003e4-5214-4e04-9f24-de0ebe650e4c for Resource 1a723d3e-2bdc-43d6-8e42-edef84cc5703 changed name.domain key from 'BMOMO.ALTIRIS' to 'BMOMO.ALTIRISINC'

Priority: 4
Date: 2/27/2009 2:00:54 AM
Tick Count: 530690328
Host Name: ServerName
Process: AtrsHost.exe (472)
Thread ID: 4604
Module: AltirisNativeHelper.dll
Source: MSoft.DirectoryServices.Resources.LdapDirectoryResource.CheckResourceKey
Description: Directory Sync 9d9003e4-5214-4e04-9f24-de0ebe650e4c for Resource 1a723d3e-2bdc-43d6-8e42-edef84cc5703 added distinguishedname CN=BMOMO,OU=COMPUTERS,OU=LINDON,DC=ALTIRISINC,DC=COM

Apparently these changes ran on a specific schedule (in this case, the Hourly schedule) and were caused by this task:

Priority: 4
Date: 2/27/2009 2:00:05 AM
Tick Count: 530641109
Host Name: ServerName
Process: aexsvc.exe (1744)
Thread ID: 5752
Module: AltirisNativeHelper.dll
Source: MSoft.Resource.Discovery.ResourceDiscoveryUpdateTask.OnSchedule
Description: Starting Item Task ef993be4-4382-45b3-8d39-42092413e056 : Resource Discovery Update

Local Security Solution installs another component called "Altiris Directory Services", which runs an LDAP query against the AD server and pulls AD information, some of which is not pulled by NS's AD import. With this import, Local Security Solution can be configured to manage AD groups and AD user passwords just as it does for local computers. If the customer does not use these two features of Local Security Solution, there is no reason to run the Directory Services synchronization task.

Resolution

In this case, after identifying which task could be changing the name.domain and distinguishedname entries in the ResourceKey table for those resources, you can verify how frequently this occurs by running this query:

SELECT * FROM ResourceKeyChanged 
WHERE KeyName = 'name.domain'
AND KeyValue LIKE '%Computer name goes here%' 
ORDER BY ChangeTime desc, ChangeType


1. The NS logs referenced a task called 'Resource Discovery Update'.
2. Check whether 'Resource Discovery Update' is enabled in the NS Console under Configuration>Solutions Settings>Security Management>Maintenance>Resource Discovery.
3. Disable the 'Resource Discovery Update' task.
4. Merge the duplicate machines by using the 'Merge computers with duplicate names' task, or create your own with CMDB (which you can set up to run automatically rather than going one by one as 'Merge computers with duplicate names' does).
5. Run a Full AD Import for your computers to check whether more duplicates are generated.
Note: you may get new duplicate names, but this is usually expected. We suggest that you keep merging the computers until all the entries left by the previous Local Security Solution 'Resource Discovery Update' are cleared.
6. If for some reason you start seeing the same computers being considered duplicates again, verify whether you have a task called 'Active Directory Sync Task' (under Tasks>Security Management>Task Management>Server Tasks>Directory Services). If you do, since we can't disable the task, change the schedule to run once in the future, or delete the task if you don't need it.


Applies To
Notification Server 6.0.6074 SP3 + Rx
Altiris Integrated Component for Microsoft Active Directory 6.1.842
AD Import Hotfix 34704
Altiris Local Security Solution for Windows 6.2.1430