Symantec Management Platform (Notification Server)

Hello all,

I need a little help. I have created a OU (named AltirisTest) and a computer account in Active Directory. The computer account was manually created and does not belong to a physical computer. I performed an AD Import on the NS (NS 6) I then went to Resource Management>Resources>Organizational Structures>mydomain.com>AltirisTest and I see that the AD Import pulled in the new OU and computer account. I then went to AD and deleted the computer account from the AltirisTest OU. I went back to the NS and performed a new AD Import and then set the Directory Synchronization Schedule to every Half-Hour. I let all of this cook overnight, this am I was expecting to see the computer account gone from Resource Management>Resources>Organizational Structures>mydomain.com>AltirisTest BUT it was not. I manually performed a Purge Maintenance by selecting the "Purge Now" button. The computer is still there and its status is Active. This computer is not showing up in the computers that need the Agent collection because no Basic Inventory could be run to verify the OS and it is not in the All Computers collection because it is not managed. I can create a collection based on vComputer.Name and IsManaged=0 and the computer is there. It is not marked for deletion in the ItemResource table. The import rule is still active. I know Purge Maintenance would not delete it because it is not managed (I had to try though) so why is it not being deleted by Directory Sync? Does this highlight a problem with Directory Sync or is it even working? Thanks.

There have been several hotfixes for AD Import; are you running any of those?  The latest one was released along with the "R13" update for NS6 last year; you can see where to download it from here (it should be in Solution Center as well, don't recall where it shows up exactly though...maybe Hotfixes or Updates when viewing available Solutions):
http://www.symantec.com/docs/DOC2031 <update link: http://www.symantec.com/docs/DOC1963 >

In particular you need that if you have a 2008 native AD implementation.

What results do you get with "real" computer objects, which are tied to a managed machine?  Your example is all well and good, but it is not very real-world.

In my experience, you must do a "full import" to get proper collection membership updates; the Update import just doesn't seem to work very well.  If you watch the NS logviewer while the Directory Resync process runs, does it remove teh computer?  Also, are you pointing to the domain in general (ad.mycompany.com) or a particular DC?  Generally you get better results by targetting a particular DC, i.e. mydc1.ad.mycompany.com.

...I don't normally create "dummy" computer objects this way, but can you specify OS information about a "dummy" object like this when you create it?  When AD Import runs it will load OS information gleaned from AD about the computer, which of course is normally populated into AD when you connect an actual operational OS to that computer account.  This could be interfering as well.  I would really suggest using a "real" computer accout for your testing purposes.

Try targeting the specific DC for troubleshooting, in case this is a replication issue between DCs in a domain.  Though I always point to a generic reference (subdomain.domain.com) as opposed to a particular controller (dc01.subdomain.domain.com) for redundancy.

can you try the same behavior with a REAL account (meaning the associated computer has logged onto AD)? I'm just wondering if the fact that it's never been activated is the reason for the issue (in addition to the two fine gentleman's comments above).

Thanks for all of your responses, sorry I could not answer any sooner. I will answer your questions below.

There have been several hotfixes for AD Import; are you running any of those? 

I just applied KB34704 AD Connector update. Of several things this update was going to fix the problem of AD Import failing after a previously know OU was missing during the LDAP query. I created the test OU and fake computer account to test this behavior but I have now been sidetracked with this issue. I plan on applying Rollup 13 in a few days.

What results do you get with "real" computer objects, which are tied to a managed machine? 

That is mixed and is why I applied this update. Previously I have had several (230 or so) AD Imported computers (1800 total computers) set to “Retired” by the NS as opposed to being deleted by Directory Sync and are not being purged because they are Retired.

If you watch the NS logviewer while the Directory Resync process runs, does it remove the computer?

The logviewer appears to show Directory Resync working. The only errors associated with Directory Resync are with deleting a collection that says it has dependencies but none are present.  If I look in the ItemReference table it has an entry with a ReferenceType=0 to a collection that in the item table shows ProductUninstalled=0. I searched the entire NS for that collection and I cannot find it. Should I delete that entry from the ItemReference table? Could this hold up the processing of the rest Directory Resync, it hangs on that error?

Also, are you pointing to the domain in general (ad.mycompany.com) or a particular DC? 

This is a 2003 domain and I’m pointing to a particular server, I know the redundancy is better to a domain but I feel I get better results this way. I always do Full Imports on computer objects.

Can you specify OS information about a "dummy" object like this when you create it?

It appears not.

Can you try the same behavior with a REAL account (meaning the associated computer has logged onto AD)?

I’m trying too but the only computer I could test with was a managed computer, so I removed the agent using the NS Console however the computer  is still showing as IsManaged=1 and I don’t have access to it anymore. Long story…busy IT shop.  If I could manually force IsManaged=0 like you can force Unmanaged Mode in ForeFront I would be set.