Conflict objects in CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com

    Question

  • I have found some CNF objects in my OID list; 3 have matching original objects whilst 2 do not.

    Whilst I am happy purging CNF copies of simple security principals, OIDs are uncharted waters for me... Can I still delete all five?

    Should I have different approaches for the 3 that match and for the 2 that do not have original objects any more?

    uSNChanged is sometimes greater on the original, sometimes on the CNF copy - not sure if that is relevant.

    Thanks in advance

    Nick


    Ignite a fire and a man is warm for a night: ignite a man, and he is warm for the rest of his life.

    Thursday, April 25, 2013 4:01 PM

Answers

  • You could find some reference from the following page: http://technet.microsoft.com/en-us/library/cc783853(v=ws.10).aspx

    OID container
    Windows Server 2003 adds an object identifier (OID) container to the configuration container. Because OIDs are not hard-coded in version 2 templates, the OID container is required to work with version 2 templates. The common name for the OID container is:

    CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=

    Windows Server 2003 includes four predefined issuance policy OIDs:

    •All issuance (2.5.29.32.0). The all issuance policy OID indicates that the issuance policy contains all other issuance policies. Typically, this object identifier is only assigned to CA certificates.

    •Low assurance (1.3.6.1.4.1.311.21.8.x.y.z.1.400). The low assurance OID is used to represent certificates that are issued with no additional security requirements.

    Note: The x.y.z portion of the OID is a randomly generated numeric sequence that is unique for each Windows Server 2003 forest.

    •Medium assurance (1.3.6.1.4.1.311.21.8.x.y.z.1.401). The medium assurance OID is used to represent certificates that have additional security requirements for issuance. For example, a smart card certificate that is issued in a face-to-face meeting with a smart card issuer might be considered a medium assurance certificate and contain the medium assurance object identifier.

    •High assurance (1.3.6.1.4.1.311.21.8.x.y.z.1.402). The high assurance OID is used to represent certificates that are issued with the highest security. For example, the issuance of a key recovery agent certificate might require additional background checks and a digital signature from a designated approver because a person holding this certificate can recover private key material from a Windows Server 2003, Enterprise Edition CA.

     


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Monday, May 06, 2013 6:49 AM
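    The answer above describes what lives in the OID container but not how to tell which copy of a conflicted OID object is the one in use. The following script is an added example for this thread; it is not Microsoft's code and not something the posters ran. It lists every CNF object directly under CN=OID, pairs it with its surviving original (if any), compares uSNChanged and whenChanged for both copies on a single DC, classifies the OID against the predefined issuance policies quoted above (the forest-specific x.y.z part is unknown, so only the fixed prefix and the .1.400/.1.401/.1.402 suffix are matched), and searches the Certificate Templates container for templates whose msPKI-Certificate-Policy, msPKI-Certificate-Application-Policy or msPKI-Cert-Template-OID attribute carries that OID string. It assumes the ActiveDirectory module (RSAT) and read access to the Configuration partition; the Get-OidLabel and Get-ReferencingTemplates function names are this example's own. It is read-only.

```powershell
# Added example, not from the original thread and not Microsoft's code: inventory the conflict
# (CNF) objects under the OID container, pair each with its surviving original, compare the
# replication metadata on one DC, and list which certificate templates reference the OID.
# Read-only. Assumes the ActiveDirectory module (RSAT) and read access to the Configuration NC.
Import-Module ActiveDirectory

# uSNChanged is a per-DC counter, so query one DC and compare both copies on that DC only.
$rootDse           = Get-ADRootDSE
$dc                = $rootDse.dnsHostName
$configNC          = $rootDse.configurationNamingContext
$oidContainer      = "CN=OID,CN=Public Key Services,CN=Services,$configNC"
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$oidProps          = 'msPKI-Cert-Template-OID', 'displayName', 'uSNChanged', 'whenChanged', 'whenCreated'

# Classify an OID string against the predefined issuance policies quoted in the answer above.
# The x.y.z part is forest-specific and unknown here, so only the fixed Microsoft prefix and
# the .1.400/.1.401/.1.402 suffix are matched. (Hypothetical helper name.)
function Get-OidLabel {
    param([string]$Oid)
    switch -Regex ($Oid) {
        '^2\.5\.29\.32\.0$'                              { return 'All issuance' }
        '^1\.3\.6\.1\.4\.1\.311\.21\.8\.[\d.]+\.1\.400$' { return 'Low assurance' }
        '^1\.3\.6\.1\.4\.1\.311\.21\.8\.[\d.]+\.1\.401$' { return 'Medium assurance' }
        '^1\.3\.6\.1\.4\.1\.311\.21\.8\.[\d.]+\.1\.402$' { return 'High assurance' }
        default                                           { return 'Other (template, application or custom policy)' }
    }
}

# Templates carry policy and template OIDs as strings in these attributes (not as DN links),
# so this lookup is what tells you whether an OID value is actually in use. (Hypothetical helper name.)
function Get-ReferencingTemplates {
    param([string]$Oid)
    if ([string]::IsNullOrEmpty($Oid)) { return @() }
    $filter = "(|(msPKI-Certificate-Policy=$Oid)" +
              "(msPKI-Certificate-Application-Policy=$Oid)" +
              "(msPKI-Cert-Template-OID=$Oid))"
    @(Get-ADObject -Server $dc -SearchBase $templateContainer -SearchScope OneLevel `
        -LDAPFilter $filter | Select-Object -ExpandProperty Name)
}

# A conflict object's RDN is "<original CN>" + line feed + "CNF:<GUID>".
$cnfObjects = Get-ADObject -Server $dc -SearchBase $oidContainer -SearchScope OneLevel `
    -Filter 'Name -like "*CNF:*"' -Properties $oidProps

$report = foreach ($cnf in $cnfObjects) {
    # Strip the "\nCNF:<GUID>" suffix to recover the CN the original object would have.
    $origName = $cnf.Name.Split([char]10)[0]
    $orig = Get-ADObject -Server $dc -SearchBase $oidContainer -SearchScope OneLevel `
        -Filter "Name -eq '$origName'" -Properties $oidProps
    $cnfOid  = $cnf.'msPKI-Cert-Template-OID'
    $origOid = if ($orig) { $orig.'msPKI-Cert-Template-OID' } else { $null }

    [pscustomobject]@{
        ConflictDN        = $cnf.DistinguishedName
        DisplayName       = $cnf.displayName
        OriginalExists    = [bool]$orig
        OID               = $cnfOid
        OIDLabel          = Get-OidLabel $cnfOid
        SameOIDAsOriginal = if ($orig) { $cnfOid -eq $origOid } else { $null }
        ConflictUSN       = $cnf.uSNChanged
        OriginalUSN       = if ($orig) { $orig.uSNChanged } else { $null }
        ConflictChanged   = $cnf.whenChanged
        OriginalChanged   = if ($orig) { $orig.whenChanged } else { $null }
        ReferencedBy      = (Get-ReferencingTemplates $cnfOid) -join ';'
    }
}

$report | Format-Table -AutoSize
```

    The two columns that matter for the deletion decision are SameOIDAsOriginal and ReferencedBy. Templates refer to an issuance or application policy by its OID string, so a CNF copy whose original still exists with the identical OID value is redundant; a CNF copy with no original is the only object in the container that defines that OID (its display name and policy metadata), and if ReferencedBy is non-empty, removing it leaves templates pointing at an OID the container no longer describes. uSNChanged only says which copy was last written on the DC you queried; for per-attribute version and originating-DC data on each copy, run repadmin /showobjmeta against the same DC with each object's DN.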

All replies

  • You can remove CNF objects. CNF basically stands for conflict. CNF objects get created due to duplicate objects, lingering objects due to replication issues, etc.

    http://blogs.technet.com/b/janelewis/archive/2006/10/30/unravelling-cnf.aspx

    http://blogs.technet.com/b/ad/archive/2008/06/06/conflict-resolution-lingering-objects-printers.aspx


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, April 26, 2013 4:57 AM
  • Awinish - thanks for your comment.

    As the original post indicates, I am familiar with CNF objects... but my query was specifically about the impact of removing CNF OID objects that were no longer accompanied by the initial version, or where the CNF version had received updates after creation.

    What do you know about OID objects and the impact of deleting the instance that is in use?

    Nick


    Ignite a fire and a man is warm for a night: ignite a man, and he is warm for the rest of his life.

    Friday, April 26, 2013 12:19 PM
  • Hi Uncle Nick,

    did you ever get a satisfactory answer to your question? I have here the exact same problem - the CNFs have higher USNs than their "correct" representations under the "OID" container. Can these be deleted without negative effects?

    Thanks and with kind regards,

    John Ranger


    JR

    Monday, December 16, 2013 10:47 AM