I have objects in my Active Directory (AD) domain that have CNF in their name followed by a globally unique identifier (GUID). What are these objects?

A. AD is a multimaster environment, with each domain controller (DC) being able to create new objects. Each AD object has a distinguished name (DN) made up of its Relative Distinguished Name (RDN) (e.g., CN=John Savill) and its parent container (e.g., CN=Users, DC=savilltech, DC=com). An object's DN must be unique; two objects can't have the same DN. Now imagine that I have administrators in two different locations that each decide to create a new user called "Bruce Wayne" in the default Users container of the domain. (I'm using different locations because if the DCs were in the same location, the speed of replication between DCs in a site make it unlikely that the objects could be created simultaneously; the first object creation will likely have already replicated before the second object is created.) When the replication interval is reached, the DCs replicate and a collision occurs. The object that was created last will "win" and be kept, whereas the object that was created first will be renamed with an RDN in the format <original name> CNF: <objectGuid>. You will need to manually delete one of the objects, ideally the one marked "CNF." You can also delete the non-CNF object and rename the CNF object.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish