Duplicate objects found in ForeignSecurityPrincipals - can we delete?

we're using an analyzer utility that reported duplicate objects in our ForeignSecurityPrincipals and I'm not sure if we can safely delete the dupes or not...

S-1-5-11 CNF:2cee5e9d-78ef-45de-bccb-c0307b1f9208
is a dupe of

S-1-5-4 CNF:e1fe2bce-4860-4fbe-9381-94f750c556c5
is a dupe of

Can I delete the ones with CNF*** in the object name?

We're running Windows 2003 single domain on two domain controllers.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

The "CNF:<GUID>" object denotes a conflict object, which means that a replication conflict occured and this CNF object was created by AD to resolve the conflict. That you are seeing these objects makes me question the overall replication health of your Active Directory, as the creation of conflict objects should essentially never happen if AD is functioning properly - have you run a repadmin, dcdiag and netdiag on each of your DCs to determine if there are any configuration errors?
Brian PiercePhotographerCommented:
I'm not sure why you should have anything at all in the Foreign Security Principals on a simple domain.
KCTS - even in a single domain, FSP will get populated with the well-known SIDs such as Administrator, Everyone, etc., if they are used in any AD ACLs.  It makes sense from AD's perspective - the SID for "Everyone" needs to live -somewhere-.
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

SGKomenAuthor Commented:
Passed all tests on both servers

Passed all tests on both servers
it Skipped the IP Security and WAN configuration Test on both servers
it Skipped the Trust Relationship test on the primary DC

Not sure what command switches you want me to use with repadmin?
repadmin has a number of switches depending on the kind of information that you're looking for. In this case, repadmin /replsum will provide you with a summary of the replication traffic between your DCs. When you have a moment, I highly recommend the following Technet Webcast that details many of the available command-line switches available with repadmin: http://support.microsoft.com/kb/905739. I refer to this webcast again and again, it's quite useful.

Since dcdiag came back fine on both DCs, assuming repadmin /replsum doesn't show any errors you can probably go ahead and delete the CNF objects in the FSP container. (All usual caveats apply regarding taking good backups beforehand and testing in your lab if you have one before making the deletion on a production network.)
SGKomenAuthor Commented:
Thanks for the tip. I ran repadmin /replsum and it came back fine.

Source DC           largest delta  fails/total  %%  error
 DLS-DC-01                 11m:26s    0 /   5    0
 DLS-DC-02                 03m:35s    0 /   5    0

Destination DC    largest delta    fails/total  %%  error
 DLS-DC-01                 03m:36s    0 /   5    0
 DLS-DC-02                 11m:27s    0 /   5    0

We're going to move the two objects to another OU and see what happens.
SGKomenAuthor Commented:
hhmm ok can't move FSP objects to another OU. And our backup/restore consists of using a program called RestoreAdmin by Netpro, but it doesn't seem to monitor the FSP container.

Any easy way of backing up the FSP objects?
If you can't back up the FSP objects individually (I'm not familiar with the ins and outs of the RestoreAdmin product, though I do like NetPro as a company), just take a full System State backup to be on the safe side.  

I'm 99.9% certain that deleting those CNF objects isn't going to do you any harm, but we all know that Murphy was an optimist so I'll never -ever- advocate hitting the "Delete" button without first covering my (and your) tail.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server OS

From novice to tech pro — start learning today.