Friday, February 12, 2016

Duplicate SCCM (2007) Records Not Showing The Correct AD Discovery Objects After a Data Discovery Cycle

Recently, we changed vendors for client computer purchases and now have the computers imaged before they are shipped to our locations. They are applying our custom WIM using MDT, with our SCCM client installed, and joining each computer to the domain using a generic name. Once received, each computer goes through the new provisioning process, which includes renaming it while on the domain, adding security groups for non-standard app deployment, and then moving it from the staging OU into a production OU.

What we are encountering with the new process is that when a computer is renamed, the new name is discovered and a record is created for it. After a DDR to update the record, the original one reflects the new name change and then NULLs the new one. The issue is that the new one contains the AD discovery objects for security groups and OU information, which the original active one doesn't have.

This was tested extensively prior to writing the documentation, but upon my return this did not appear to work anymore. I created a case with MS support and the engineer was able to reproduce the problem that I showed him. I think he was under the assumption that SCCM 2007 would be able to recognize by the GUID which record is the active one and correct itself. Our AD Discovery cycle runs every 2 hours and Heartbeat is set daily, and even when the service is restarted it doesn't send the DDR that the engineer said it would. So if it was left to SCCM under the current settings, it would not correct itself and would require our manual intervention to correct.

So his suggestion was to turn off the AD discovery on the staging OU and to test it out. 

It didn't seem to work w/o manual intervention.

Based on this, it seems it is a known issue.

https://blogs.technet.microsoft.com/configmgrteam/2011/09/09/known-issue-and-workaround-duplicate-records-when-you-use-unknown-computer-support-with-active-directory-delta-discovery/


On a side note this is a script I created for the tech/supervisors to only export the SCCM groups to copy to the new computer account.  This writes to a CSV file named by the computer name you enter.

Export Specific Security Groups from AD Computer Object

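Import-Module ActiveDirectory

$computer = Read-Host -Prompt 'Input computer name'
# Computer accounts have a sAMAccountName that ends in "$".
$PC = $computer + "$"

# Keep only the groups whose name contains "-SCCM" and write their names to a CSV.
Get-ADPrincipalGroupMembership -Identity $PC | Where-Object {$_.Name -like '*-SCCM*'} | Select-Object Name | Export-Csv "c:\$PC.csv" -NoTypeInformation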
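
One way to do the copy step directly instead of going through the CSV, as an added example that is not part of the original post. The function name Copy-SccmGroupMembership and its parameters are hypothetical; it assumes the ActiveDirectory module is available and that the operator is allowed to modify the groups involved.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper (not from the original post): adds the target computer
# to every group matching $GroupFilter that the source computer belongs to.
function Copy-SccmGroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SourceComputer,
        [Parameter(Mandatory = $true)][string]$TargetComputer,
        [string]$GroupFilter = '*-SCCM*'   # same filter as the export script
    )

    # Resolve both accounts first so a typo fails before anything is changed.
    $source = Get-ADComputer -Identity $SourceComputer -ErrorAction Stop
    $target = Get-ADComputer -Identity $TargetComputer -ErrorAction Stop

    # Only the filtered groups are copied, never the full membership list.
    $wanted = @(Get-ADPrincipalGroupMembership -Identity $source |
        Where-Object { $_.Name -like $GroupFilter })
    $current = @(Get-ADPrincipalGroupMembership -Identity $target |
        ForEach-Object { $_.DistinguishedName })

    foreach ($group in $wanted) {
        if ($current -contains $group.DistinguishedName) {
            Write-Verbose "$($target.Name) is already a member of $($group.Name)"
            continue
        }
        # Honors -WhatIf and -Confirm, so the change can be previewed.
        if ($PSCmdlet.ShouldProcess($group.Name, "Add $($target.Name)")) {
            Add-ADGroupMember -Identity $group -Members $target -ErrorAction Stop
            # Emit one record per change so the run can be logged or exported.
            [pscustomobject]@{
                Computer = $target.Name
                Group    = $group.Name
                Action   = 'Added'
            }
        }
    }
}

# Usage (constructed computer names), preview first, then run for real:
#   Copy-SccmGroupMembership -SourceComputer 'USPC001' -TargetComputer 'USPC002' -WhatIf
#   Copy-SccmGroupMembership -SourceComputer 'USPC001' -TargetComputer 'USPC002'
```

Piping the output of a real run to Export-Csv gives a record of exactly which memberships were granted.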

Same for the bulk computer account creation, I was told someone was creating hundreds manually.

The below is a modified script I found online that was used to create bulk VMs in VMWare.  I replaced the commands to create the VMs and made it so you can create the objects to start at a certain number because we in certain amounts each time.

http://vinf.net/2010/02/25/quick-and-dirty-powershell-to-create-a-large-number-of-test-vms-with-sequential-names/

Bulk Computer Creation Script

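# Do not stop on (or display) errors, for example when an account name already exists.
$ErrorActionPreference = 'SilentlyContinue'

Import-Module ActiveDirectory

$Nameconvention = 'USPC'

# Read-Host returns strings, so cast to integers before doing arithmetic.
[int]$HOW_MANY_TO_CREATE = Read-Host -Prompt 'Enter # of accounts to create'
[int]$start = Read-Host -Prompt 'Enter starting #'

$NumArray = (1..$HOW_MANY_TO_CREATE)

foreach ($number in $NumArray)
{
    # The first account created is numbered $start + 1.
    $seqn = $number + $start
    # Zero-pad to at least three digits, e.g. 7 -> 007.
    $name = '{0:0##}' -f $seqn
    $string = $Nameconvention + $name
    Write-Output "Creating $string"
    # -Path is blank in this post; set it to the distinguished name of the target OU.
    New-ADComputer -Name $string -Path '' -Enabled $true
}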

Please modify accordingly to your environment and test it.

