Right now I do a complete report of the age of the Computer Account's AD password (via non-Altiris scripts), the timestamp of the DNS record update of the machine (via non-Altiris scripts), and compare that to Altiris reports with the max Agent config request time and Last Login time.
This is primarily used to locate stale machines, laptops (or VMs) that have been offline too long (and not marked as retired or "in stock" in Altiris Asset).
Various VBScript or PowerShell scripts can be used. One I like will enumerate all AD Computer objects, ping them, and then query the PC Name via WMI. This can quickly give us info on machines that have matching DNS records and those that don't (we don't have DNS scavenging enabled).
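
The cross-check described above, as an added example that is not part of the original post or the poster's script: it collects AD password age, DNS record timestamp, ping result and the WMI-reported name, then flags hosts whose DNS address is answered by a different machine (possible when stale records are never scavenged). The 60-day threshold, the DNS server and zone names, the function names and the sample records are assumptions or constructed values.

```powershell
# Added example, not the poster's script. Threshold, server and zone are assumptions.
$MaxAgeDays = 60                     # assumed staleness threshold
$DnsServer  = 'dns01.example.test'   # placeholder DNS server
$Zone       = 'example.test'         # placeholder forward lookup zone

function Get-ComputerFact {
    # Live collection; needs the ActiveDirectory and DnsServer modules (RSAT).
    Get-ADComputer -Filter * -Properties PasswordLastSet | ForEach-Object {
        $rec  = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone `
                    -Name $_.Name -RRType A -ErrorAction SilentlyContinue | Select-Object -First 1
        $ping = Test-Connection -ComputerName $_.Name -Count 1 -Quiet
        # Ask the host that answered what it calls itself (CIM/WMI over WinRM).
        $wmi  = if ($ping) {
            (Get-CimInstance Win32_ComputerSystem -ComputerName $_.Name -ErrorAction SilentlyContinue).Name
        }
        [pscustomobject]@{ Name = $_.Name; PasswordLastSet = $_.PasswordLastSet
                           DnsTimestamp = $rec.Timestamp; Pingable = $ping; WmiName = $wmi }
    }
}

function Get-StaleFinding {
    # Pure classification of one collected record; returns a '; '-joined string.
    param($Fact, [datetime]$Now = (Get-Date), [int]$MaxAge = $MaxAgeDays)
    $f = @()
    if (-not $Fact.PasswordLastSet -or ($Now - $Fact.PasswordLastSet).Days -gt $MaxAge) { $f += 'AD password old' }
    # Static records carry no timestamp, so only dynamic records are aged.
    if ($Fact.DnsTimestamp -and ($Now - $Fact.DnsTimestamp).Days -gt $MaxAge) { $f += 'DNS record old' }
    if (-not $Fact.Pingable)               { $f += 'no ping reply' }
    elseif (-not $Fact.WmiName)            { $f += 'WMI query failed' }
    elseif ($Fact.WmiName -ne $Fact.Name)  { $f += "address answers as $($Fact.WmiName)" }
    if ($f) { $f -join '; ' } else { 'ok' }
}

# Constructed records (not real hosts) so the classification runs without a domain.
$now = Get-Date '2024-06-01'
$sample = @(
    [pscustomobject]@{ Name='PC-001'; PasswordLastSet=$now.AddDays(-12);  DnsTimestamp=$now.AddDays(-2);   Pingable=$true;  WmiName='PC-001' }
    [pscustomobject]@{ Name='LT-014'; PasswordLastSet=$now.AddDays(-140); DnsTimestamp=$now.AddDays(-139); Pingable=$false; WmiName=$null }
    [pscustomobject]@{ Name='VM-207'; PasswordLastSet=$now.AddDays(-95);  DnsTimestamp=$now.AddDays(-95);  Pingable=$true;  WmiName='PC-033' }
)
$sample | Select-Object Name, @{ n = 'Finding'; e = { Get-StaleFinding $_ -Now $now } }
```

For a live run, pipe `Get-ComputerFact` into the same `Select-Object` expression without the `-Now` argument.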