Solved

Duplicate objects found in ForeignSecurityPrincipals - can we delete?

Posted on 2007-03-21
1,225 Views
Last Modified: 2012-06-27
We're using an analyzer utility that reported duplicate objects in our ForeignSecurityPrincipals and I'm not sure if we can safely delete the dupes or not...

S-1-5-11 CNF:2cee5e9d-78ef-45de-bccb-c0307b1f9208
is a dupe of
S-1-5-11

and
S-1-5-4 CNF:e1fe2bce-4860-4fbe-9381-94f750c556c5
is a dupe of
S-1-5-4

Can I delete the ones with CNF*** in the object name?

We're running Windows 2003 single domain on two domain controllers.

Question by:SGKomen
8 Comments
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18765610
The "CNF:<GUID>" object denotes a conflict object, which means that a replication conflict occurred and this CNF object was created by AD to resolve the conflict. That you are seeing these objects makes me question the overall replication health of your Active Directory, as the creation of conflict objects should essentially never happen if AD is functioning properly - have you run a repadmin, dcdiag and netdiag on each of your DCs to determine if there are any configuration errors?
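As an added example (not part of the original thread), the Python below shows how the conflict objects described above are named and how to pair each one with its surviving original before anything is deleted: AD renames the losing object to its original RDN followed by a line feed (0x0A) and "CNF:" plus that object's own objectGUID, so a CNF object is a safe candidate only when the GUID in its name is its own objectGUID and an object with the plain RDN still exists. The directory entries are constructed to mirror the analyzer output in the question (the two CNF GUIDs are the reported ones, the other objectGUIDs are made up), and the `name`/`objectGUID` keys stand in for the attributes an LDAP query of CN=ForeignSecurityPrincipals would return; S-1-5-11 is Authenticated Users and S-1-5-4 is Interactive.

```python
import re
from uuid import UUID

# Active Directory renames the losing object of a replication conflict to
# "<original RDN>" + 0x0A (line feed) + "CNF:" + its own objectGUID.  Many
# tools show the line feed as a space, so both separators are accepted here.
CNF_RE = re.compile(r"^(?P<orig>.+?)[\n ]CNF:(?P<guid>[0-9a-fA-F-]{36})$")

# Well-known SIDs that end up in ForeignSecurityPrincipals once used in ACLs.
WELL_KNOWN = {"S-1-5-2": "Network", "S-1-5-4": "Interactive",
              "S-1-5-11": "Authenticated Users"}

# Constructed sample modelled on the analyzer output in the question: the two
# CNF GUIDs are the reported ones, every other objectGUID is made up.
SAMPLE_FSP = [
    {"name": "S-1-5-11", "objectGUID": "0f7b4e2a-1111-4c3d-9e8f-000000000001"},
    {"name": "S-1-5-11\nCNF:2cee5e9d-78ef-45de-bccb-c0307b1f9208",
     "objectGUID": "2cee5e9d-78ef-45de-bccb-c0307b1f9208"},
    {"name": "S-1-5-4", "objectGUID": "0f7b4e2a-1111-4c3d-9e8f-000000000002"},
    {"name": "S-1-5-4\nCNF:e1fe2bce-4860-4fbe-9381-94f750c556c5",
     "objectGUID": "e1fe2bce-4860-4fbe-9381-94f750c556c5"},
    # Edge case: the CNF copy is the only object left for this SID, so
    # deleting it would remove the principal from the container entirely.
    {"name": "S-1-5-2\nCNF:7c1d4a90-aaaa-4bbb-8ccc-000000000003",
     "objectGUID": "7c1d4a90-aaaa-4bbb-8ccc-000000000003"},
]


def classify_conflicts(entries):
    """Map each CNF object's name to (sid, friendly name, verdict).

    'removable'        GUID in the name is the object's own objectGUID and the
                       winner with the plain RDN still exists
    'guid mismatch'    the name does not describe this object; investigate
    'original missing' no winner exists, deleting would lose the principal
    """
    by_name = {e["name"]: e for e in entries}
    verdicts = {}
    for e in entries:
        m = CNF_RE.match(e["name"])
        if not m:
            continue  # an ordinary object, not a conflict copy
        sid = m.group("orig")
        if UUID(e["objectGUID"]) != UUID(m.group("guid")):
            verdict = "guid mismatch"
        elif sid not in by_name:
            verdict = "original missing"
        else:
            verdict = "removable"
        verdicts[e["name"]] = (sid, WELL_KNOWN.get(sid, "unknown SID"), verdict)
    return verdicts
```

Against the sample, both objects from the question come back "removable" while the constructed S-1-5-2 entry is flagged because no original remains.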
 
LVL 70

Expert Comment

by:KCTS
ID: 18765855
I'm not sure why you should have anything at all in the Foreign Security Principals on a simple domain.
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18765902
KCTS - even in a single domain, FSP will get populated with the well-known SIDs such as Administrator, Everyone, etc., if they are used in any AD ACLs.  It makes sense from AD's perspective - the SID for "Everyone" needs to live -somewhere-.

Author Comment

by:SGKomen
ID: 18766840
DCDIAG
Passed all tests on both servers


NETDIAG
Passed all tests on both servers
It skipped the IP Security and WAN configuration test on both servers
It skipped the Trust Relationship test on the primary DC


Not sure what command switches you want me to use with repadmin?
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18766965
repadmin has a number of switches depending on the kind of information that you're looking for. In this case, repadmin /replsum will provide you with a summary of the replication traffic between your DCs. When you have a moment, I highly recommend the following Technet Webcast that details many of the available command-line switches available with repadmin: http://support.microsoft.com/kb/905739. I refer to this webcast again and again, it's quite useful.

Since dcdiag came back fine on both DCs, assuming repadmin /replsum doesn't show any errors you can probably go ahead and delete the CNF objects in the FSP container. (All usual caveats apply regarding taking good backups beforehand and testing in your lab if you have one before making the deletion on a production network.)
 

Author Comment

by:SGKomen
ID: 18767191
Thanks for the tip. I ran repadmin /replsum and it came back fine.

Source DC           largest delta  fails/total  %%  error
 DLS-DC-01                 11m:26s    0 /   5    0
 DLS-DC-02                 03m:35s    0 /   5    0


Destination DC    largest delta    fails/total  %%  error
 DLS-DC-01                 03m:36s    0 /   5    0
 DLS-DC-02                 11m:27s    0 /   5    0

We're going to move the two objects to another OU and see what happens.
 

Author Comment

by:SGKomen
ID: 18767407
Hmm, ok, can't move FSP objects to another OU. And our backup/restore consists of using a program called RestoreAdmin by Netpro, but it doesn't seem to monitor the FSP container.

Any easy way of backing up the FSP objects?
 
LVL 30

Accepted Solution

by:LauraEHunterMVP (earned 500 total points)
ID: 18768315
If you can't back up the FSP objects individually (I'm not familiar with the ins and outs of the RestoreAdmin product, though I do like NetPro as a company), just take a full System State backup to be on the safe side.  

I'm 99.9% certain that deleting those CNF objects isn't going to do you any harm, but we all know that Murphy was an optimist so I'll never -ever- advocate hitting the "Delete" button without first covering my (and your) tail.