The biggest culprits of this, aside from what mgarza896 mentioned above, is;
a) BIOS Updates and/or mainboard changes. The Primary Keys for DS are almost always configured for MAC address, and quite often Serial Number. If both are selected, a change in value from EITHER will result in a duplicate DS account being produced. Changing the mainboard will change both. Sometimes updating the BIOS on a computer will have it report different information as well (weird), and if you use Asset Tag or UUID for the primary key, this can cause huge issues.
b) The most common cause, like above, is a change on the system... but this can also be caused by other hardware or software. While Altiris/Symantec have a configuration INI for the agents to block certain MAC addresses reporting to DS, it's not complete. Computers with multiple NICs (like mobile computers with wireless, etc) will usually have at least three (3) MAC addresses; Wireless, LAN, and Bluetooth. If they install a VPN client, Virtual PC, Himachi, or any other software/connection that uses "virtual networks" then you will get those as well.
In our case, even if we deploy a computer (we'll use the mobile computers as an example), we'll deploy it on the LAN (obviously). The primary key then becomes Serial+MAC. Now, I am not sure if it's "by design" or a bug, but DS appears to switch the "primary MAC" to the most-used adapter. If these mobile devices end up 99% wireless connected, they will seem to change the MAC they report with and therefore change the primary key - resulting in a duplicate DS account that appears at the bottom of "All Computers".
The only way to resolve this is to populate the client files for "exclude MAC addresses", or remove "MAC" from the primary key. One requires a lot of work, file deployments and maintenance, and the other can cause BCD errors when deploying systems using WinPE. It's a nightmare.