Duplicate objects found in ForeignSecurityPrincipals - can we delete?

Posted on 2007-03-21
Last Modified: 2012-06-27
We're using an analyzer utility that reported duplicate objects in our ForeignSecurityPrincipals container and I'm not sure if we can safely delete the dupes or not...

S-1-5-11 CNF:2cee5e9d-78ef-45de-bccb-c0307b1f9208
is a dupe of

S-1-5-4 CNF:e1fe2bce-4860-4fbe-9381-94f750c556c5
is a dupe of

Can I delete the ones with CNF*** in the object name?

We're running Windows 2003 single domain on two domain controllers.

Question by: SGKomen

Expert Comment

ID: 18765610
The "CNF:<GUID>" object denotes a conflict object, which means that a replication conflict occurred and this CNF object was created by AD to resolve the conflict. That you are seeing these objects makes me question the overall replication health of your Active Directory, as the creation of conflict objects should essentially never happen if AD is functioning properly - have you run a repadmin, dcdiag and netdiag on each of your DCs to determine if there are any configuration errors?

Expert Comment

ID: 18765855
I'm not sure why you should have anything at all in the Foreign Security Principals on a simple domain.

Expert Comment

ID: 18765902
KCTS - even in a single domain, FSP will get populated with the well-known SIDs such as Administrator, Everyone, etc., if they are used in any AD ACLs. It makes sense from AD's perspective - the SID for "Everyone" needs to live -somewhere-.

Author Comment

ID: 18766840
Passed all tests on both servers

Passed all tests on both servers
It skipped the IP Security and WAN configuration test on both servers.
It skipped the Trust Relationship test on the primary DC.

Not sure what command switches you want me to use with repadmin?

Expert Comment

ID: 18766965
repadmin has a number of switches depending on the kind of information that you're looking for. In this case, repadmin /replsum will provide you with a summary of the replication traffic between your DCs. When you have a moment, I highly recommend the following Technet Webcast that details many of the available command-line switches available with repadmin: I refer to this webcast again and again, it's quite useful.

Since dcdiag came back fine on both DCs, assuming repadmin /replsum doesn't show any errors you can probably go ahead and delete the CNF objects in the FSP container. (All usual caveats apply regarding taking good backups beforehand and testing in your lab if you have one before making the deletion on a production network.)

Author Comment

ID: 18767191
Thanks for the tip. I ran repadmin /replsum and it came back fine.

Source DC           largest delta  fails/total  %%  error
 DLS-DC-01                 11m:26s    0 /   5    0
 DLS-DC-02                 03m:35s    0 /   5    0

Destination DC    largest delta    fails/total  %%  error
 DLS-DC-01                 03m:36s    0 /   5    0
 DLS-DC-02                 11m:27s    0 /   5    0

We're going to move the two objects to another OU and see what happens.

Author Comment

ID: 18767407
Hmm, ok, can't move FSP objects to another OU. And our backup/restore consists of using a program called RestoreAdmin by NetPro, but it doesn't seem to monitor the FSP container.

Any easy way of backing up the FSP objects?

Accepted Solution

LauraEHunterMVP earned 2000 total points
ID: 18768315
If you can't back up the FSP objects individually (I'm not familiar with the ins and outs of the RestoreAdmin product, though I do like NetPro as a company), just take a full System State backup to be on the safe side.

I'm 99.9% certain that deleting those CNF objects isn't going to do you any harm, but we all know that Murphy was an optimist so I'll never -ever- advocate hitting the "Delete" button without first covering my (and your) tail.
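The procedure the thread converges on (find the CNF conflict objects under ForeignSecurityPrincipals, confirm the non-CNF original for the same well-known SID still exists, check repadmin /replsum, keep a copy of what you remove, then delete) is shown below as an added example. It is not code from this thread or from any of its participants; it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT or later, so it would not run unchanged on the Windows 2003 DCs described here), and the export directory is a placeholder path. The attribute export is a convenience for re-creating an object by hand, not a replacement for the System State backup the accepted answer asks for.

```powershell
# Added example (not from the thread): inventory CNF (replication-conflict)
# objects in the ForeignSecurityPrincipals container, export them, and only
# then remove them. Assumes the ActiveDirectory module (2008 R2 / RSAT+).
# $ExportDir is a placeholder path chosen for this example.
param(
    [string] $ExportDir = 'C:\ADBackups\FSP-CNF',   # placeholder
    [switch] $Delete                                # off by default: report only
)

Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$fspDN    = "CN=ForeignSecurityPrincipals,$domainDN"

# AD renames a conflict loser to "<RDN>\0ACNF:<objectGUID>", so the "CNF:"
# marker in the CN is the reliable way to find every conflict object.
$cnfObjects = @(Get-ADObject -SearchBase $fspDN -SearchScope OneLevel `
    -LDAPFilter '(cn=*CNF:*)' `
    -Properties objectSid, objectGUID, whenCreated, whenChanged)

if ($cnfObjects.Count -eq 0) {
    Write-Host "No conflict objects found under $fspDN"
    return
}

# Show the replication summary first, as the thread recommends: the
# fails/total column should read 0 before any conflict object is cleaned up.
repadmin /replsum | Write-Host

New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

foreach ($obj in $cnfObjects) {
    $sid = $obj.objectSid.Value

    # Resolve well-known SIDs (S-1-5-4 = INTERACTIVE, S-1-5-11 = Authenticated
    # Users, ...) so the report is readable; FSPs exist for exactly these SIDs.
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $name   = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '<unresolved>'
    }

    # The surviving non-CNF object with the same SID is the one ACLs resolve
    # to. If it is missing, the CNF copy is the only reference and must stay.
    $original = Get-ADObject -SearchBase $fspDN -SearchScope OneLevel `
        -LDAPFilter "(&(objectSid=$sid)(!(cn=*CNF:*)))"

    # Attribute export so the object can be re-created by hand if needed.
    $file = Join-Path $ExportDir ("{0}-{1}.xml" -f $stamp, $obj.objectGUID)
    $obj | Export-Clixml -Path $file

    [pscustomobject]@{
        ConflictDN   = $obj.DistinguishedName
        SID          = $sid
        ResolvesTo   = $name
        OriginalKept = [bool] $original
        Created      = $obj.whenCreated
        ExportedTo   = $file
    } | Format-List | Out-String | Write-Host

    if ($Delete -and $original) {
        # -Confirm prompts per object; remove it only once you trust the report.
        Remove-ADObject -Identity $obj -Confirm
    }
}
```

Run it once without -Delete and read the report: every row should show OriginalKept = True and a resolvable well-known name, and repadmin /replsum should show zero failures, before the script is run again with -Delete. An object whose non-CNF original is absent is deliberately never removed, because in that case the CNF entry is the only object in the directory carrying that SID.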
