Group/user not displayed when adding local group on Windows 2008

I have a Windows 2008 server I recently added to a child domain.  I can add users and groups from the parent domain to the local groups on the Windows 2008 server.  However, if I try to add a child domain user or group it seemingly adds correctly, but it doesn't show up in the members list of the group -- only the parent domain user/group.  If I add the same child domain user or group to the list again I get a message that the user or group is already part of the local group.


When adding the user/group, check names works correctly and resolves the group.  The odd part is that when added to the members list, I get the SID displayed, e.g. "DOMAIN\user (S-1-5...)", as if it can't completely resolve the name.

Even if I run 'net localgroup "local group name"' from a command line, it lists only the parent domain users; but if I add the child domain users from the command line I get the same "The specified account name is already a member of the group."

Permissions seem to be applied, but I can't review nor can I remove permissions if needed.
dmorr asked:
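The symptom in the question (a member that is present but shows as a bare SID, or not at all, and cannot be added again) is easier to pin down when you list the group's membership by SID and try the SID-to-name translation yourself. The following PowerShell is an added example, not code from the original post. It uses the WinNT ADSI provider because Windows Server 2008 has no Get-LocalGroupMember; the group name and the -RemoveUnresolved switch are illustrative, and the "WinNT://<SID>" removal path is an assumption about the provider's SID support, not something the thread confirms.

```powershell
# Added example for this thread, not code from the original post.
# Enumerates a local group through the WinNT ADSI provider, shows each
# member's SID, and tries to translate the SID back to DOMAIN\name.
# Members that fail translation are the ones the Computer Management
# snap-in shows as "DOMAIN\user (S-1-5-...)" or leaves out entirely.
# Assumptions: elevated PowerShell 2.0 prompt on the member server;
# the default group name and the switch below are illustrative.
function Get-LocalGroupMemberSid {
    param(
        [string]$GroupName = 'Remote Desktop Users',
        [switch]$RemoveUnresolved
    )

    $group = [ADSI]"WinNT://./$GroupName,group"

    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Member entries are raw COM objects; read properties via reflection.
        $adsPath  = $member.GetType().InvokeMember('ADsPath',   'GetProperty', $null, $member, $null)
        $sidBytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

        try {
            # LSA LookupSids on this box, chained through the DC for domain SIDs.
            $account  = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $resolved = $true
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # The SID could not be mapped: trust path, name resolution, or a
            # deleted principal. This is exactly the symptom in the question.
            $account  = '<unresolved>'
            $resolved = $false
        }

        New-Object PSObject -Property @{
            ADsPath  = $adsPath
            SID      = $sid.Value
            Account  = $account
            Resolved = $resolved
        }

        if (-not $resolved -and $RemoveUnresolved) {
            # Removal by SID path does not need the name lookup to succeed,
            # so it can remove a member 'net localgroup' will not display.
            # (Assumed path form; verify on a test group first.)
            $group.psbase.Invoke('Remove', "WinNT://$($sid.Value)")
        }
    }
}

# Usage: list first, remove only once you have confirmed which SIDs are stale.
Get-LocalGroupMemberSid -GroupName 'Remote Desktop Users' | Format-Table -AutoSize
```

If the child-domain SID translates fine here but the snap-in still shows it as a raw SID, the lookup path from the server is healthy and the problem is in the client tooling; if Translate throws for the same SID, start with the secure channel and trust path between the member server and the child-domain DC.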

mark1208 commented:
Hi dmorr,

Can you provide some additional information?
1) Domain functional level
2) Forest functional level
3) Type and Scope of the groups being modified on the WS2008 server
4) Role(s) of the WS2008 server
5) Do additional WS2003 member servers joined to the child domain exhibit the same behavior? How about additional WS2008 member servers?
6) Does netdom verify /d:childdomain servername complete successfully (where childdomain = domain WS2008 server is joined to and servername = WS2008 computer name)?

Hang in there!
-Mark
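The six questions above can all be answered from the member server itself. The PowerShell below is an added example, not code from the thread; it reads the functional levels from RootDSE, checks the secure channel with Test-ComputerSecureChannel and nltest (present on every Windows Server, unlike netdom, which needs the AD DS tools), lists the trusts a cross-domain SID lookup has to traverse, and decodes the scope and type of the domain group from its groupType bits. It assumes an elevated PowerShell 2.0 prompt on the WS2008 member server; the group name 'RDP-Users' is a placeholder.

```powershell
# Added example for this thread, not code from the original post.
# Gathers the facts asked for in the diagnostic questions without the
# ActiveDirectory module (not available on Windows Server 2008).
# Assumptions: elevated PowerShell 2.0 on the member server; $GroupSam is
# the sAMAccountName of the domain group being added (placeholder below).
function Get-GroupMembershipDiagnostics {
    param([string]$GroupSam = 'RDP-Users')

    $rootDse = [ADSI]'LDAP://RootDSE'
    # RootDSE functional-level codes as documented for domainFunctionality/forestFunctionality.
    $levelNames = @{
        0 = 'Windows 2000'
        1 = 'Windows 2003 interim'
        2 = 'Windows 2003'
        3 = 'Windows 2008'
        4 = 'Windows 2008 R2'
    }
    $domainLevel = [int]$rootDse.domainFunctionality.Value
    $forestLevel = [int]$rootDse.forestFunctionality.Value

    # Secure channel between this server and a DC of the domain it joined.
    $secureChannelOk = Test-ComputerSecureChannel
    # /sc_verify re-validates the channel and names the DC in use;
    # /domain_trusts shows the trust path a parent<->child lookup follows.
    $scVerify = & nltest "/sc_verify:$env:USERDNSDOMAIN" 2>&1
    $trusts   = & nltest /domain_trusts 2>&1

    # Search the Global Catalog so parent- and child-domain groups are both found.
    $groupDn = $null; $groupSid = $null; $scope = $null; $type = $null
    $gcRoot   = [ADSI]("GC://" + $rootDse.rootDomainNamingContext.Value)
    $filter   = "(&(objectCategory=group)(sAMAccountName=$GroupSam))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($gcRoot, $filter)
    $hit = $searcher.FindOne()
    if ($hit) {
        # groupType bit flags: 0x2 global, 0x4 domain local, 0x8 universal,
        # 0x80000000 security-enabled (otherwise distribution).
        $gt = [int64]$hit.Properties['grouptype'][0]
        $scope = if ($gt -band 0x2) { 'Global' }
                 elseif ($gt -band 0x4) { 'Domain local' }
                 elseif ($gt -band 0x8) { 'Universal' }
                 else { 'Unknown' }
        $type  = if ($gt -band 0x80000000) { 'Security' } else { 'Distribution' }
        $sidBytes = $hit.Properties['objectsid'][0]
        $groupSid = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
        $groupDn  = $hit.Properties['distinguishedname'][0]
    }

    New-Object PSObject -Property @{
        JoinedDomain          = $env:USERDNSDOMAIN
        DomainFunctionalLevel = $levelNames[$domainLevel]
        ForestFunctionalLevel = $levelNames[$forestLevel]
        SecureChannelOk       = $secureChannelOk
        ScVerify              = ($scVerify -join "`n")
        Trusts                = ($trusts -join "`n")
        GroupDN               = $groupDn
        GroupSid              = $groupSid
        GroupScope            = $scope
        GroupType             = $type
    }
}

# Usage:
Get-GroupMembershipDiagnostics -GroupSam 'RDP-Users' | Format-List
```

A global security group from the child domain is a legitimate member of a local group on a child-domain member server, so if GroupScope comes back 'Global', GroupType 'Security', and SecureChannelOk is true while the member still fails to resolve, the remaining variables are the server build itself and the lookup path to the parent domain shown in the Trusts output.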
dmorr (author) commented:
1.  Windows Server 2008
2.  Windows Server 2003
3.  Global security group being added to a local group (Remote Desktop Users)
4.  Before any roles were installed this was happening.  Now I have the Terminal Services role installed and it continues.  The group ACL does seem to be applied, so users in the group can use RDP, but it's not visible through compmgmt or from net localgroup (difficult for management).
5.  This is a new domain and I have not put any WS2003 server in it.  However, I did put an XP workstation in and it was able to successfully see and add groups.
6.  Verified.
 
Thanks for getting back to me!!
mark1208 commented:
My apologies for the delay, and thanks for providing additional information!

At the risk of making you feel like we're playing 20 questions ... I'm still trying to mentally narrow this down a bit.  :)

7) Can you duplicate the issue with a newly created local group on the WS2008 server? (i.e. create a test group to see if the problem is only with builtin/default groups)

8) Based on your response to Q5, is the WS2008 box also a DC for the child domain, since no other servers are members? If not, where is the DC for the child domain in all of this?

9) What was the source media for the WS2008 install (physical media/DVD, MSDN .ISO, cloned image, etc.)?

For what it's worth, I scoured the Interweb and found this (but unfortunately no resolution). So at least you're not alone! We just have to figure out how to reproduce it. Awaiting your responses to move forward.  :)

Thanks for your patience,
Mark

dmorr (author) commented:
I apologize for the delay...
7.  With a new local group, the group will resolve if I check the name.  Similarly, I can browse the domain for the group; however, when finally committing the changes (final OK), I get an error indicating the group cannot be found.
8.  This WS2008 is not the DC.  In this domain I currently have this WS2008 server, the WS2008 DC, and that's it.  I am building, within the next day or so, another WS2008 R2 server to put in the domain.  I'll find out what the results are with that too.
9.  VMware template that has been used many times in the parent domain without issue.
mark1208 commented:
Let's see if you can reproduce this "fun" behavior on the second WS2008 box and go from there. :)  At least that will tell us if we're dealing with something unique to the WS2008 member server or higher up at the domain/forest level.

Let me know how it goes? I like these weird ones!
dmorr (author) commented:
This morning I finished the WS2008 R2 server and it doesn't display the same problem.  It appears to be isolated to the WS2008 server.
mark1208 commented:
I'm sure this sounds obvious, but have you already tried removing/readding the original WS2008 box from/to the child domain?
dmorr (author) commented:
I've actually gone as far as to create a new one -- same results.
mark1208 commented:
So you're saying that you have this problem specifically with WS2008 and not with WS2008 R2? Meaning, the WS2008 box was rebuilt using the same VMware image used elsewhere and yet it exhibits the same behavior?

Apologies again for the 40,000 questions.  :)
dmorr (author) commented:
Correct.
mark1208 commented:
I know you mentioned that the WS2008 VMware image worked successfully when built for other domains. Any chance you might be able to install a non-imaged version, just to be sure that something funky isn't going on within the build (SID leftovers, etc.)?

If nothing else, that would help us differentiate root cause between the server itself (OS build or VM configuration) and something much more complicated going on at the child-domain level. Not to mention, I think that approach would ultimately be more efficient than grasping at straws from a troubleshooting standpoint.

What do you think ... feasible?  :)
-Mark
dmorr (author) commented:
Let me work on a new build over the next day or two and get back.  I agree that may be better.
mark1208 commented:
Hi dmorr,

Just checking in to see how things turned out after the rebuild ... any good news?  :)

-Mark
dmorr (author) commented:
I wasn't able to get a new machine rebuilt without an image, and the other system is no longer required.  So this never did get resolved, but it isn't an issue anymore either.  I may come across it again, I'm sure, but can't allocate time to troubleshoot a problem that doesn't affect me anymore.  Thanks for the assistance to this point.
dmorr (author) commented:
Not an issue any longer.