Solved

Duplicate objects found in ForeignSecurityPrincipals - can we delete?

Posted on 2007-03-21
8
1,208 Views
Last Modified: 2012-06-27
we're using an analyzer utility that reported duplicate objects in our ForeignSecurityPrincipals and I'm not sure if we can safely delete the dupes or not...

S-1-5-11 CNF:2cee5e9d-78ef-45de-bccb-c0307b1f9208
is a dupe of
S-1-5-11

and
S-1-5-4 CNF:e1fe2bce-4860-4fbe-9381-94f750c556c5
is a dupe of
S-1-5-4

Can I delete the ones with CNF*** in the object name?

We're running Windows 2003 single domain on two domain controllers.

0
Comment
Question by:SGKomen
  • 4
  • 3
8 Comments
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18765610
The "CNF:<GUID>" object denotes a conflict object, which means that a replication conflict occured and this CNF object was created by AD to resolve the conflict. That you are seeing these objects makes me question the overall replication health of your Active Directory, as the creation of conflict objects should essentially never happen if AD is functioning properly - have you run a repadmin, dcdiag and netdiag on each of your DCs to determine if there are any configuration errors?
0
 
LVL 70

Expert Comment

by:KCTS
ID: 18765855
I'm not sure why you should have anything at all in the Foreign Security Principals on a simple domain.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18765902
KCTS - even in a single domain, FSP will get populated with the well-known SIDs such as Administrator, Everyone, etc., if they are used in any AD ACLs.  It makes sense from AD's perspective - the SID for "Everyone" needs to live -somewhere-.
0
 

Author Comment

by:SGKomen
ID: 18766840
DCDIAG
Passed all tests on both servers


NETDIAG
Passed all tests on both servers
it Skipped the IP Security and WAN configuration Test on both servers
it Skipped the Trust Relationship test on the primary DC


Not sure what command switches you want me to use with repadmin?
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18766965
repadmin has a number of switches depending on the kind of information that you're looking for. In this case, repadmin /replsum will provide you with a summary of the replication traffic between your DCs. When you have a moment, I highly recommend the following Technet Webcast that details many of the available command-line switches available with repadmin: http://support.microsoft.com/kb/905739. I refer to this webcast again and again, it's quite useful.

Since dcdiag came back fine on both DCs, assuming repadmin /replsum doesn't show any errors you can probably go ahead and delete the CNF objects in the FSP container. (All usual caveats apply regarding taking good backups beforehand and testing in your lab if you have one before making the deletion on a production network.)
0
 

Author Comment

by:SGKomen
ID: 18767191
Thanks for the tip. I ran repadmin /replsum and it came back fine.

Source DC           largest delta  fails/total  %%  error
 DLS-DC-01                 11m:26s    0 /   5    0
 DLS-DC-02                 03m:35s    0 /   5    0


Destination DC    largest delta    fails/total  %%  error
 DLS-DC-01                 03m:36s    0 /   5    0
 DLS-DC-02                 11m:27s    0 /   5    0

We're going to move the two objects to another OU and see what happens.
0
 

Author Comment

by:SGKomen
ID: 18767407
hhmm ok can't move FSP objects to another OU. And our backup/restore consists of using a program called RestoreAdmin by Netpro, but it doesn't seem to monitor the FSP container.

Any easy way of backing up the FSP objects?
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 500 total points
ID: 18768315
If you can't back up the FSP objects individually (I'm not familiar with the ins and outs of the RestoreAdmin product, though I do like NetPro as a company), just take a full System State backup to be on the safe side.  

I'm 99.9% certain that deleting those CNF objects isn't going to do you any harm, but we all know that Murphy was an optimist so I'll never -ever- advocate hitting the "Delete" button without first covering my (and your) tail.
0

Join & Write a Comment

On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now