Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 20 replies
  • Subscribers 4 subscribers
  • Views 67170 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Duplicate Computers in SEC

CRH

Hi all,

I'm running SEC 5.3.1 on Win Server 2012 R2. I have AD sync enabled and I'm seeing a ton (as in hundreds) of old computers showing up in the Unassigned group. It appears that the computers showing up in Unassigned are computers that have since been re-imaged or a name that has been reused. These computers are often times duplicates of active computers that are being synced from AD (if I scroll through the top level server list of computers, I'll see the same name listed two or three times in a row with only one computer being active - the others are greyed out). 

We do include SAV in our base images, but have followed the steps in KB 12561 prior to sysprep'ing the images. Despite this, it seems as though the console is holding on to old computers and allowing duplicates to be created. 

Given the number of endpoints we have (close to 9,000), this is adding quite a bit of overhead in SEC and making it difficult to see what's actually going on. 

Any ideas?

Thanks!



This thread was automatically locked due to age.
  • 0

    Hello CR Hiestand,

    could you post a partial screenshot of duplicates on the top level view, tab Computer Details (minimize the IP address and Last user columns)? Would make it easier to guess what could be the cause.
    If the computers in Unassigned are unmanaged (grey) or Disconnected (Last message time "old") you could simply delete them (don't worry if you accidentally hit a live one, it will reappear).

    Christian

  • 0 in reply to QC
    Hi Christian,

    Thanks for your reply. Here's a screenshot of a duplicate computer - http://imgur.com/k5xnlpQ

    I've actually tried numerous times deleting all of the Unassigned computers, but they return. I'm not sure why they're returning since AD sync is occurring and obviously there is only one computer with this name in AD.

    Thanks again!
  • 0 in reply to CRH

    Hello CR Hiestand,

    you've blanked the Domain/workgroup column - I assume the managed entry contains the correct value, the other none?
    AD sync had its peculiarities, thought most of them have been sorted out. If you delete the Unassigned ones - do all of them pop into existence again with the next sync? And is this a new issue or has it been going on for quite some time (i.e. previous SEC versions and the database has been migrated)?

    I'm not sure why they're returning - me too. Tried to find some idea in older threads (did I say that the Search in this Community ... has still some potential for development?), nothing that looks like a solution though. Just in case you are curious:
    https://community.sophos.com/products/endpoint-security-control/f/3/p/8773/21956
    https://community.sophos.com/products/endpoint-security-control/f/3/p/2694/4076#4076
    https://community.sophos.com/products/endpoint-security-control/f/3/p/8773/18275#18275          

    Christian

  • 0 in reply to QC
    Hi Christian,

    Yes, the domain value is correct and the unmanaged computer is blank.

    The unmanaged machines do appear again.

    What I've also noticed happening is that under the AD synced group, a computer (let's say ADM-TEST) will show up as unmanaged. But that computer exists in AD, has SAV installed and exists in the AD OU that is linked to the Sophos group. If I go look in the Unassigned group, there is that same computer - except this one shows as online, managed, etc. Of course no group policies are applying since it's not in a group. If I delete the synced computer and/or the Unassigned computer, they both show back up in the same fashion.

    Thanks for the links. I've been looking around the forum a while on this topic since it's been an ongoing issue. The current server/DB has been upgraded since ~5.0 release up to the current 5.3.1.
  • 0 in reply to CRH
    I should note that what I've just described seems to be the core issue with duplicates - that computers being synced from AD are showing up as unmanaged/greyed out while the "live" computers (with the same names!) are showing up in Unassigned.

    I deleted (hidden, as I understand it at least) all of the computers in Unassigned this morning. There are now over 100 there again.
  • 0 in reply to CRH

    Hello CR Hiestand,

    as the logic apparently fails to manage this correctly it's either that
    a) the logic is (still) flawed or
    b) there's an inconsistency in the database that the logic isn't supposed to be able to handle
    You'd have to contact Support for investigation (can't say though if they are able/willing to analyze and if necessary escalate it or just try to help you "fix" it). The Management Service permits to trace a lot of things (including AD sync and subsequent actions) - did this once in a Beta.

    I wonder if you have not only duplicates but more than two computers for each name (and perhaps this is what confuses the logic)?
    sqlcmd -E -S .\SOPHOS -d SOPHOS521 -Y 20 -Q "SELECT Name,COUNT(Name) FROM ComputersAndDeletedComputers GROUP BY Name HAVING COUNT(Name)>1"

    I'd check one or two of the multiples
    sqlcmd -E -S .\SOPHOS -d SOPHOS521 -Y 20 -Q "SELECT Name,ID,DomainName,Deleted,Managed,InsertedAt,LastMessageTime FROM ComputersandDeletedComputers WHERE Name='computer'"
    might or might not give some insight.

    On second thoughts - might suffice if you use PurgeDB to get rid of the unmanaged entries. Nevertheless it's a good idea to perform the above checks before and after to see what PurgeDB did.

    Christian

  • 0 in reply to QC
    Thanks again Christian. I did try the PurgeDB which cleaned up quite a bit, but it appears the issue of AD sync not matching with the actual computers isn't being helped by that.

    I also looked at the results of the two SQL commands you included and it certainly appears as though computers being brought in through AD sync are not being matched to the actual computers. There isn't any obvious difference between the computers when I ran the second command - the domain is listed as the same, all the fields are valid, etc. - the last message time is the only difference, essentially indicating to me the "Stale" record (probably from AD sync) and the "live" record (which would show up in Unmanaged).

    I'll contact support and see if they have any ideas. Perhaps at this point it would be best to forgo AD sync and just allow the computers to report in on their own and specify a group path when the base images are created so policies are applied on their own.
  • 0 in reply to CRH

    Hello CR Hiestand,

    ran the commands (actually a slightly modified combination of them) against my database and - lo and behold! - I too have a few duplicates. I am not using AD sync and all are managed ones (we do not discover/find and use protect, only rely on the endpoint contacting the server after install a custom package with the GroupPath option). I've in addition selected the MessageSystemAddress and IdentityTag. The results suggest that at least one object in each tuple has been renamed (after it has contacted the management server for the first time).

    a group path [...] so policies are applied
    you can apply initial policies to the base image as per 12561 section 2, members of the Unassigned group do not receive policies but nevertheless keep the existing ones (in other words, moving an endpoint to Unassigned does not clear or reset the policies). Just in case: GroupPath is a one-shot parameter but perhaps you have read and are referring to Moving a computer between groups ....

    ... and please follow up with what Support said or how you decided.

    Christian

  • 0 in reply to QC
    I've opened a case with support and was asked to run the diag utility. I submitted results last week but haven't heard anything back. So far support is leaving a bit to be desired.
  • 0 in reply to CRH

    Hello CR Hiestand,

    was asked to run the diag utility
    boilerplate reply for problems with non-obvious cause. I doubt that the standard logs will give any insight though. BTW: Do you know SophServ? Click    All other products   on the Contact Support page. Be insistent. As said, the current SEC versions should handle sync correctly and perhaps your particular workflow exposes a flaw - but that's mere speculation. But whatever Support intends to do they should keep you updated. 

    Christian

Unfiltered HTML