Recipe 12.11 Finding Conflict Objects

12.11.1 Problem

You want to find conflict objects that are a result of replication collisions.

12.11.2 Solution

Using a graphical user interface
  1. Open LDP.

  2. From the menu, select Connection → Connect.

  3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).

  4. For Port, enter 389 or 3268 for the global catalog.

  5. Click OK.

  6. From the menu, select Connection → Bind.

  7. Enter credentials (if necessary) of a user that can view the object.

  8. Click OK.

  9. From the menu, select Browse → Search.

  10. For BaseDN, type the base DN from where you want to start the search.

  11. For Scope, select the appropriate scope.

  12. For Filter, enter (|(cn=*\0ACNF:*)(ou=*\0ACNF:*)).

  13. Click Run.

Using a command-line interface

The following command finds all conflict objects within the whole forest:

> dsquery * forestroot -gc -attr distinguishedName -scope subtree -filter[RETURN]
"(|(cn=*\0ACNF:*)(ou=*\0ACNF:*))"

Using VBScript
' ------ SCRIPT CONFIGURATION ------
' This code finds any conflict objects in a forest.
' If the search times out, you may need to change strBase to
' a specific OU or container
strBase   = "<GC://" & "<ForestRootDN>" & ">;"
' ------ END CONFIGURATION ---------

strFilter = "(|(cn=*\0ACNF:*)(ou=*\0ACNF:*));"
strAttrs  = "distinguishedName;"
strScope  = "Subtree"

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
Set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)

WScript.Echo objRS.RecordCount & " conflict objects found"
while not objRS.EOF
  Wscript.Echo objRS.Fields.Item("distinguishedName").Value
  objRS.MoveNext   ' advance, otherwise the loop never reaches EOF
wend

12.11.3 Discussion

Any distributed multi-master system has to deal with replication collisions, and Active Directory is no different. A collision can occur if an object is created on one domain controller and, before that object has had time to replicate out, an object with the same name (if not an identical object) is created on a different domain controller. So which object wins? With Active Directory, the last object created wins and gets to keep its name, while the first object created has to be renamed. The format of the renamed object is:

<ObjectName>\0ACNF:<ObjectGUID>

where <ObjectName> is the original name of the object, followed by a null termination character, followed by CNF:, followed by the object's GUID.

It is good to periodically scan your Active Directory tree to ensure you do not have a lot of conflict objects hanging around. It is a bit problematic to find conflict objects in a single query because the filter used to find them is not optimized. In all three solutions, you have to perform a leading and trailing wildcard match (with *), and this can easily time out if you have a lot of objects. You may want to restrict your initial search to a few containers so the search is quicker. Most notably, you'll want to search the containers that hold computer objects, because they frequently generate conflict objects. This can occur when a computer account is created, joined to a domain, and then the computer reboots. After the computer starts up, if it authenticates against a domain controller that has not yet received the new computer object via replication, that domain controller adds a new object, which eventually results in a conflict.
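As an added example (not code from the book), the following Python helper parses dsquery-style distinguishedName output for the \0ACNF: pattern described above and recovers each conflict object's original name, GUID and parent container, so a periodic scan can report what collided and where. The sample DNs, names and GUIDs are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# The recipe's LDAP filter, as a raw string so Python does not turn "\0" into a NUL byte.
CONFLICT_FILTER = r"(|(cn=*\0ACNF:*)(ou=*\0ACNF:*))"
# A conflict RDN is <ObjectName> + line feed (0x0A) + "CNF:" + GUID. In DN string form
# the line feed is the RFC 4514 hex escape "\0A"; a literal LF is accepted as well.
_CONFLICT_RDN = re.compile(
    r"^(?P<attr>cn|ou)=(?P<name>.*?)(?:\\0A|\n)CNF:"
    r"(?P<guid>[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})$",
    re.IGNORECASE | re.DOTALL,
)

@dataclass
class ConflictObject:
    dn: str
    original_name: str   # name as it was before the \0ACNF: suffix was added
    guid: str            # GUID of the renamed (losing) object
    parent_dn: str

def split_first_rdn(dn: str):
    """Split a DN at its first unescaped comma, honouring backslash escapes."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2           # skip the escaped character (or the hex-pair prefix)
            continue
        if dn[i] == ",":
            return dn[:i], dn[i + 1:]
        i += 1
    return dn, ""

def parse_conflict_dn(dn: str) -> Optional[ConflictObject]:
    """Return the parsed conflict object, or None when the RDN is an ordinary name."""
    rdn, parent = split_first_rdn(dn)
    m = _CONFLICT_RDN.match(rdn)
    if not m:
        return None
    return ConflictObject(dn, m.group("name"), m.group("guid").lower(), parent)

def find_conflicts(dns: List[str]) -> List[ConflictObject]:
    """Keep only the conflict objects from a list of distinguishedName values."""
    return [c for c in map(parse_conflict_dn, dns) if c is not None]

# Constructed sample dsquery-style output (placeholder names and GUIDs, not real data).
SAMPLE_DNS = [
    r"CN=WKSTN01\0ACNF:9d1e4f1a-7c3b-4e55-9a01-0f2b8c5d6e71,OU=Workstations,DC=example,DC=com",
    r"CN=WKSTN01,OU=Workstations,DC=example,DC=com",
    r"OU=Sales\0ACNF:1b2c3d4e-5f60-4718-8a9b-cdef01234567,DC=example,DC=com",
    r"CN=CNF:notaguid,OU=Workstations,DC=example,DC=com",
]
```

Feed it the distinguishedName column from the dsquery command above (or the VBScript output) to get a structured list of what needs cleanup per MS KB 297083.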

See MS KB 297083 for more information on how to handle conflict objects after you've identified them.

12.11.4 See Also

MS KB 218614 (Replication Collisions in Windows 2000) and MS KB 297083 (How to Rename an Object After a Replication Collision Has Occurred)
