DHCP Server Scope Move and CNF (Conflict) Entries


  • Subject DHCP Scope Data move from one DC to an newly Promoted DC

    Large parts of this operation were described in

    I have a quite different start position on my Windows 2003 domain

    Netservices records:

    CN= (DHCP server with disabled service , though authorised)

    CN= (only DHCP)

    CN=DHCPRoot                            Class/dHCPClass Distingiushed Name CN=DhcpRoot,CN=Netservices,CN=...........

    CN=DHCPRoot CNF:some guid     Class/dHCPClass  Distingiushed Name CN=DHCPRoot\some guid,CN=Netservices,CN=services,cn=configuraton;cn.....

    The intention is to recover the DHCP data with daily exported DHCP date to file using netsh, at least this is the way it was setup prior to my coming. Mainly to recover if the principal DHCP server is dead, and noical  typdatabase backup/restore operation is possible.

    This is what I have to perform:

    Now I face the job to move the DHCP scope from CN: to an new DHCP Server (to be CN: on new storage and phase out the first one

    I'm puzzled too with the last two records.

    My plans are to export DHCP to a flat file using netsh, disable the current DHCP server, import the flatfile to the new DHCP server, ask the network guy to assure proper DHCP relaying cross sites, authorise new server and do some tests on the remote site for which relaying must occure as well as the local site (mainly HP thinclients that autoconnect to Citrix to the Main Office site). I hopefully will not get any authorisation problems, but as the reported ones only relates to systems having the same name or IPs which is not my case I have no real worries.

    Can someone explain what the last 2 records a.o the one with CNF actually indicate and what has to be done with them ? Do they have to edited ? or is in my case all well ?

    I suppose they will not bother me at all for getting my job done.


    Stefan T

    Qoute answer from Ace Fekay


    As for the CNF, that means "CONFLICT," which simply means there is a conflicting or duplicate entry in the AD database. Anything with a CNF is pretty much useless and should be deleted.


    Tell you what, it concerns me that you have found CNFs. While in ADSI Edit, please check the DNS partitions (all three of them) to make sure you don't see any CNFs or "InProgress" entries, for they are DNS zone conflicts and duplicates. If you find any, please delete them. Here's how:

    Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
    Published by Ace Fekay, MCT, MVP DS on Sep 2, 2009 at 2:34 PM  2313  0

    My Answer to this very usefull data:

    I have 4 DC in the root domain, and all 4 DNS zones are setup as ForestDNSZones !

    As such the Domain & DomainDNSZones entries consulted via ADSIedit, show no entries and surely no CNF or InProgress entries.,

    All is nicely stored in the ForestDNSZones section, I can not spot any "CNF" or "In Progress" Entries on the Root Domain, I will have to check the child domain.

    • Edited by StefT Thursday, May 10, 2012 2:22 PM
    Thursday, May 10, 2012 2:17 PM

All replies

  • Hi,
    How are things going? I just want to check the status of the issue. If you have any update or concern, please feel free to let us know.
    Best Regards,

    Aiden Cao

    TechNet Community Support

    Monday, May 14, 2012 1:24 AM
  • StefT,

    My comments about prefixed "CNF..." and "InProgress..." DNS zones were for the DNS applications and the DNS portion of the DomainNC partitions. And yes, they are useless and causes problems with DNS and subsequently with AD. Therefore if there are any of them in the DNS partitions, by all means, absolutely delete them.

    And if at anytime I see a "CNF..." elsewhere, then it also indicates a duplicate value in the database for that object. THis applies to what you're seeing. As far as how it got there, is a good question. There may have been replication problems during the first time setting up your DC or when you added a DC, or when you added a child domain. And could that have happened? Another good question. Lot's of scenarios could have caused it. One main scenario is DNS design, especially when there's a child domain involved. To better comment on that, I would need to know your DNS forest design. To see what I mean and the different DNS design options that will support full forest resolution (whcih is absolutely required), please see the following:

    DNS Design Options in a Multi-Domain Forest - How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest
    Published by Ace Fekay, MCT, MVP DS on Oct 1, 2010 at 12:22 PM


    So my previous suggestion to delete the "CNF..." in that other thread you posted to and that I replied, still stands. It's a duplicate and shouldn't be there. Maybe the following link will help.


    Quoted from the link below:

    To resolve this issue, follow these steps:

    1. Start the Active Directory Service Interfaces (ADSI) Edit MMC snap-in. To do this, follow these steps:
      1. Click Start, click Run, type Adsiedit.msc, and then click OK.
      2. Click Tools, and then click ADSI Edit.
    2. In the console tree, expand the Configuration container, expand CN=Configuration, expand CN=Services, and then expand CN=NetServices.
    3. In the details pane, you may find objects that resemble the following:
      CNF:<GUID>,CN=NetServices,CN=Services,CN=Configuration, <var>domain</var>
    4. Right-click the objects, and then click Delete.
    5. Exit the ADSI Edit MMC snap-in.


    Windows Server 2003-based DHCP server intermittently becomes unauthorized, and event 1046 is logged in the System event log


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs:

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    FaceBook Twitter LinkedIn

    Monday, May 14, 2012 5:30 AM