Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 7 replies
  • Subscribers 1 subscriber
  • Views 19873 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Duplicate unmanaged machines when AD syncs

mgomez

We're experiencing an issue with some machines, after an AD sync occures there is a dupelicate unmanaged machine created.  Even if I delete the unmanaged machine, next AD sync it shows up again.  I found this article that said the bug was fixed in version 4.7 but we are on version 5.2

http://www.sophos.com/en-us/support/knowledgebase/1462/7800/1471/8850/111697.aspx

This is happening with probably 100 machines.

:45097


This thread was automatically locked due to age.
  • 0

    Hello mgomez,

    after an AD sync occurs

    so you have a synchronized group with the clients in the correct (sub-)group(s) and when the interval has passed then some machines ave a "second" (besides the correct one) and unmanaged entry in the same group? 100 machines out of how many under this synchronization point? Anything the clients could have in common, does this happen for new computers (perhaps a test machine) as well?

    Christian

    :45115
  • 0

    Thanks for the reply.  Yes actually it appears that the managed machine is showing up in the "unassigned" group, and the machine that is created when the sync occurs is in the proper group in the "Global Group" tree,  I wonder if I delete the managed unassigned machine maybe when the next sync occurs it will fix that machine?

    The 100 machines is a rough estimate based on what I saw when I was scrolling through the list of all machines,  this is out of 1900 machines.

    :45123
  • 0

    Hello mgomez,

    so the managed machines have never been in the correct (i.e. synced) group? As you can only delete computers under a synchronization point but not move them out or in, in which SEC group have they been before? 

    I wonder if I delete the managed unassigned machine

    Delete (from SEC) does not remove a computer entry (and its history) from the database, it just hides it. If the computer reports to SEC again, or appears to match a computer "found" by Import/Discover/Sync it is simply "undeleted" (and retaining all its history). 

    You actually have (at least) two computers with the same name in the database (for whatever reason). For whatever reason sync prefers the unmanaged over the active/managed. The result is likely the same whether you "delete" the one, the other, or both. Could you post a screenshot of SEC's Computer Details tab for such a pair? I'm to lazy to try to understand the logic of the stored procedure(s) involved - that's why I asked whether it happens with newly added computers as well. Might be a legacy issue.

    You could try the following (usual disclaimer about following advice not given by Support in general and modifying the database in particular applies):

    1. list the duplicates as pre Jak's post in this thread (adjust the database name, SOPHOS52 or SOPHOS521). This might or might not give some insight
    2. choose one of the pairs and SQL delete the unmanaged computer in the synced group from the database (DELETE from ComputersAndDeletedComputers Where NAME='....' AND Managed=0 AND IdentityTag='...') . perhaps backup the database first :smileywink:, anyway make sure that no sync occurs at this time
    3. with the next sync the now single computer should be moved to the correct group

    Christian

    :45163
  • 0

    Here's a screen shot of one of the duplicate pairs.  Notice the first one shows the proper AD group, but the second one that's actually managed is in the unassigned group and of course I can't move it to the correct group.

    Untitled.png

    :45225
  • 0

    I ran the query from the forum you linked.  There are far more duplicate names than I thought, over 1000 returns from that query, some of which are not only doubled but tripled or quadrupled.  This doesn't make any sence to me.

    Is there any reason this would happen?  When machines are removed from the domain do we need to somehow remove them from Sophos?  I also noticed some of the duplicate machines have the same machineID while others don't.  I can't find any link here.

    How would I go about deleting all of these, would it have to be a manual process?

    :45227
  • 0

    Hello mgomez,

    some of which are not only doubled but tripled or quadrupled

    some debris is expected to accumulate over time especially if the database has been upgraded over several versions. Also, reimaged or OS upgraded machines might not be considered a match. ...

    duplicate machines have the same machineID

    Hm, usually the problem is only one entry for distinct machines. Same name, same ID - which attributes differ (though this could be more an academic problem). 

    removed from the domain do we need to somehow remove them from Sophos

    The main reason for keeping computers in the background (i.e. only flagged as deleted) is the preservation of their history.

    How would I go about deleting all of these

    Please have a look at Using PurgeDB with Enterprise Console and related articles and threads.

    Looking at your screenshot - I notice that the entry in the synced group has no domain information. Sync should populate the Domain/Workgroup attribute. I assume it is missing for the duplicates and present for the managed ones. But whether or not, I think there's some issue with the sync logic and I suggest you contact Support. While database-deleting the unmanaged (and undomained) entries might solve your problem this behaviour of sync should IMO be investigated.

    Christian

    :45289
  • 0

    I am having the same issue, and it is definetly getting worse with time.  mgomez, wondering if the purge worked for you?

    :56368
Cookie Information Banner