Duplicate objects found in ForeignSecurityPrincipals - can we delete?

Posted on 2007-03-21
Last Modified: 2012-06-27
We're using an analyzer utility that reported duplicate objects in our ForeignSecurityPrincipals and I'm not sure if we can safely delete the dupes or not...

S-1-5-11 CNF:2cee5e9d-78ef-45de-bccb-c0307b1f9208
is a dupe of

S-1-5-4 CNF:e1fe2bce-4860-4fbe-9381-94f750c556c5
is a dupe of

Can I delete the ones with CNF*** in the object name?

We're running Windows 2003 single domain on two domain controllers.

Question by: SGKomen
LVL 30

Expert Comment

ID: 18765610
The "CNF:<GUID>" object denotes a conflict object, which means that a replication conflict occurred and this CNF object was created by AD to resolve the conflict. That you are seeing these objects makes me question the overall replication health of your Active Directory, as the creation of conflict objects should essentially never happen if AD is functioning properly - have you run a repadmin, dcdiag and netdiag on each of your DCs to determine if there are any configuration errors?
LVL 70

Expert Comment

ID: 18765855
I'm not sure why you should have anything at all in the Foreign Security Principals on a simple domain.
LVL 30

Expert Comment

ID: 18765902
KCTS - even in a single domain, FSP will get populated with the well-known SIDs such as Administrator, Everyone, etc., if they are used in any AD ACLs.  It makes sense from AD's perspective - the SID for "Everyone" needs to live -somewhere-.

Author Comment

ID: 18766840
Passed all tests on both servers

Passed all tests on both servers
It skipped the IP Security and WAN configuration test on both servers.
It skipped the Trust Relationship test on the primary DC.

Not sure what command switches you want me to use with repadmin?

LVL 30

Expert Comment

ID: 18766965
repadmin has a number of switches depending on the kind of information that you're looking for. In this case, repadmin /replsum will provide you with a summary of the replication traffic between your DCs. When you have a moment, I highly recommend the following Technet Webcast that details many of the available command-line switches available with repadmin: I refer to this webcast again and again, it's quite useful.

Since dcdiag came back fine on both DCs, assuming repadmin /replsum doesn't show any errors you can probably go ahead and delete the CNF objects in the FSP container. (All usual caveats apply regarding taking good backups beforehand and testing in your lab if you have one before making the deletion on a production network.)

Author Comment

ID: 18767191
Thanks for the tip. I ran repadmin /replsum and it came back fine.

Source DC           largest delta  fails/total  %%  error
 DLS-DC-01                 11m:26s    0 /   5    0
 DLS-DC-02                 03m:35s    0 /   5    0

Destination DC    largest delta    fails/total  %%  error
 DLS-DC-01                 03m:36s    0 /   5    0
 DLS-DC-02                 11m:27s    0 /   5    0

We're going to move the two objects to another OU and see what happens.

Author Comment

ID: 18767407
Hmm, OK, can't move FSP objects to another OU. And our backup/restore consists of using a program called RestoreAdmin by NetPro, but it doesn't seem to monitor the FSP container.

Any easy way of backing up the FSP objects?
LVL 30

Accepted Solution

LauraEHunterMVP earned 500 total points
ID: 18768315
If you can't back up the FSP objects individually (I'm not familiar with the ins and outs of the RestoreAdmin product, though I do like NetPro as a company), just take a full System State backup to be on the safe side.  

I'm 99.9% certain that deleting those CNF objects isn't going to do you any harm, but we all know that Murphy was an optimist so I'll never -ever- advocate hitting the "Delete" button without first covering my (and your) tail.
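The following script is an added example for this thread; it is not code posted by any of the participants and has nothing to do with the RestoreAdmin product. It pulls together the steps discussed above: locate the conflict objects under CN=ForeignSecurityPrincipals (their RDN carries a line feed followed by "CNF:<objectGUID>", which is why the LDAP filter uses the hex escape \0A), show the SID and group memberships of each, export them with ldifde as a per-object record before anything is removed, confirm that a surviving non-CNF object with the same SID still exists, and only delete when the -Delete switch is given. For the two SIDs in the question, S-1-5-11 is the well-known Authenticated Users SID and S-1-5-4 is Interactive, which is why they turn up in ForeignSecurityPrincipals even in a single domain. The script uses System.DirectoryServices rather than the ActiveDirectory module, so it runs against Windows Server 2003 DCs from any domain-joined machine with PowerShell. The script name, the default backup file name and the assumption that you run it with rights to delete objects in that container are mine, not the thread's.

```powershell
# Find-FspConflictObjects.ps1 (name chosen for this example; not from the thread)
# Lists CNF (conflict) objects under CN=ForeignSecurityPrincipals, exports them
# with ldifde, checks that the surviving object with the same SID still exists,
# and deletes the conflict copies only when -Delete is supplied.
# Uses System.DirectoryServices, so no AD module is needed and it works against
# Windows Server 2003 DCs. Run as an account allowed to delete in that container.
param(
    [string]$BackupFile = "fsp-cnf-backup.ldf",   # assumed default; change as needed
    [switch]$Delete                               # dry run unless this is set
)

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$fspDn    = "CN=ForeignSecurityPrincipals,$domainDn"

# A conflict object's RDN is "<original name>" + line feed + "CNF:<objectGUID>".
# The LDAP hex escape \0A matches that line feed, so this filter hits only CNF objects.
$cnfFilter = "(name=*\0ACNF:*)"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$fspDn"
$searcher.SearchScope = "OneLevel"
$searcher.Filter      = $cnfFilter
[void]$searcher.PropertiesToLoad.AddRange(@("distinguishedName", "name", "objectSid", "memberOf", "whenChanged"))
$conflicts = $searcher.FindAll()

if ($conflicts.Count -eq 0) { Write-Host "No CNF objects under $fspDn"; return }

# Step 1: export the conflict objects before touching anything. ldifde ships with the DC.
& ldifde -f $BackupFile -d "$fspDn" -p onelevel -r $cnfFilter
if ($LASTEXITCODE -ne 0) { throw "ldifde export failed; not continuing" }
Write-Host "Exported $($conflicts.Count) CNF object(s) to $BackupFile"

foreach ($c in $conflicts) {
    $dn     = [string]$c.Properties["distinguishedname"][0]
    $sid    = New-Object System.Security.Principal.SecurityIdentifier($c.Properties["objectsid"][0], 0)
    # Drop the "<LF>CNF:<GUID>" suffix to get the name the surviving object should have.
    $name   = (([string]$c.Properties["name"][0]) -split "`n")[0]
    $groups = @($c.Properties["memberof"])

    # Step 2: the surviving (non-CNF) object must exist and carry the same SID,
    # otherwise deleting the CNF copy would remove the only object for that SID.
    $survivorPath = "LDAP://CN=$name,$fspDn"
    $survivorOk   = $false
    if ([System.DirectoryServices.DirectoryEntry]::Exists($survivorPath)) {
        $survivor    = [ADSI]$survivorPath
        $survivorSid = New-Object System.Security.Principal.SecurityIdentifier($survivor.objectSid.Value, 0)
        $survivorOk  = ($survivorSid.Value -eq $sid.Value)
    }

    Write-Host "Conflict object : $dn"
    Write-Host "  SID           : $($sid.Value)"
    Write-Host "  whenChanged   : $($c.Properties['whenchanged'][0])"
    Write-Host "  memberOf      : $($groups.Count) group(s)"
    $groups | ForEach-Object { Write-Host "    $_" }
    Write-Host "  survivor OK   : $survivorOk"

    if (-not $Delete) { continue }
    if (-not $survivorOk) {
        Write-Warning "No live object with SID $($sid.Value) at CN=$name; skipping delete of $dn"
        continue
    }
    # Step 3: delete the conflict copy. Its own group links go with it; the
    # surviving object's memberships are not touched.
    $entry = $c.GetDirectoryEntry()
    $entry.DeleteTree()
    Write-Host "  deleted"
}
```

Run it once without -Delete and read the output: if a CNF copy is listed in groups that the surviving object is not in, add the survivor to those groups first, otherwise that membership disappears with the deletion. The .ldf file is a plain-text record of exactly what was removed, which is the per-object backup the thread was asking about; it is a complement to, not a replacement for, the System State backup recommended above. Run `repadmin /replsum` before and after, as the accepted answer suggests, so you know the deletion replicated cleanly to both DCs.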
