atlasdev asked:
Unable to see the domain accounts' names in the domain member server's local admin group

I built a Read Only Domain Controller (RODC) in a DMZ. The RODC has a connection to the regular domain controller in the Inside Zone network.
I added a server named abc to the domain and moved it to the DMZ. I configured this server to use the RODC as its DNS server.
It seems that the server can use the RODC for user authentication. However, when I checked the local admin group of this server, I saw that there are accounts listed as random characters. I assumed that they are the domain accounts.
Why are those accounts listed as random characters?
Moreover, when I ping my domain, server abc still tries to ping the domain controller in the Inside zone instead of the RODC in the DMZ. Why does that happen?
MIKESCIT

Hello atlasdev,

Those numbers you see are not "random numbers"; they are in fact SIDs (security identifiers).

http://technet.microsoft.com/en-us/library/cc778824(WS.10).aspx - Highly technical explanations of SIDs

An easier way to think of a SID or GUID is that it is very similar to how websites use URLs. For most people remembering an IP address doesn't make sense, so we have domain names like microsoft.com that point to the actual IP address.

SIDs are similar in the way that each object has an ID that you typically don't see, but they are unique and the common names such as the user's account name reference the ID behind the scenes.

You can use tools like psgetsid to query information relating to the SID.
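The following PowerShell is an added example, not code from the thread, showing the lookup MIKESCIT describes: it enumerates the local Administrators group on the member server (abc in the question) and asks Windows to translate each member's SID back to a DOMAIN\name. Members whose translation fails are the ones the Local Users and Groups snap-in shows as a raw S-1-5-21-... string. It assumes it runs on the member server with local administrator rights; the only group name assumed is the built-in Administrators group.

```powershell
# Added example (not from the thread): list local Administrators and try to
# translate each member's SID to DOMAIN\name, the same lookup the MMC does.
# Assumes: run on the member server as a local administrator.
function Get-LocalAdminSidResolution {
    $group = [ADSI]"WinNT://./Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # The WinNT provider hands back objectSid as a raw byte array.
        $rawSid  = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $adsPath = $member.GetType().InvokeMember('ADsPath',   'GetProperty', $null, $member, $null)
        $sid     = New-Object System.Security.Principal.SecurityIdentifier($rawSid, 0)
        try {
            # LSA asks the logon DC (the RODC, for a DMZ member) to map SID -> name.
            $name  = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $state = 'resolved'
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # Either the account no longer exists, or no DC that knows the SID
            # could be reached; the MMC shows the raw SID in both cases.
            $name  = $null
            $state = 'unresolved'
        } catch {
            $name  = $null
            $state = "lookup error: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            SID     = $sid.Value
            Name    = $name
            State   = $state
            # For a resolvable domain member ADsPath is WinNT://<DOMAIN>/<name>;
            # for an unresolvable one the provider falls back to the SID itself.
            ADsPath = $adsPath
        }
    }
}

Get-LocalAdminSidResolution | Format-Table SID, Name, State, ADsPath -AutoSize
```

If the unresolved entries all carry the domain's S-1-5-21-<domain> prefix and the accounts still exist in AD, the failure is on the lookup path (the member server cannot get an answer from a DC), not in the group itself. Sysinternals PsGetSid gives the same check from the command line: `psgetsid S-1-5-21-...` prints the account name or an error.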

atlasdev (asker)

The question I have is why server abc only shows domain accounts as SIDs in its local admin group. This is not normal. I suspect something is not connecting.
Krzysztof Pytko
There are 2 possible issues:

1) The DNS server cannot be contacted and SIDs cannot be translated to DNS names, or there are some firewall issues.
2) Users were deleted from AD and no one removed them from this group. Then AD doesn't know anything about them (they are not in the AD database) and only SIDs are displayed.

For firewall issues, please check which ports are necessary for proper AD function
http://social.technet.microsoft.com/wiki/contents/articles/active-directory-replication-over-firewalls.aspx

Regards,
Krzysztof
You will need to open the ports below on your firewall:
RPC endpoint mapper 135/tcp, 135/udp
Network basic input/output system (NetBIOS) name service 137/tcp, 137/udp
NetBIOS datagram service 138/udp
NetBIOS session service 139/tcp
RPC dynamic assignment 1024-65535/tcp
Server message block (SMB) over IP (Microsoft-DS) 445/tcp, 445/udp
Lightweight Directory Access Protocol (LDAP) 389/tcp
LDAP ping 389/udp
LDAP over SSL 636/tcp
Global catalog LDAP 3268/tcp
Global catalog LDAP over SSL 3269/tcp
Kerberos 88/tcp, 88/udp
Domain Name Service (DNS) 53/tcp, 53/udp
Windows Internet Naming Service (WINS) resolution (if required) 1512/tcp, 1512/udp
WINS replication (if required) 42/tcp, 42/udp

I hope that the information above helps
LR
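As an added example (not code from the thread), the PowerShell below checks the TCP ports from the list above from the DMZ member server against the RODC and, for comparison, the RWDC. It uses a raw TcpClient with a timeout so it runs on hosts that do not have Test-NetConnection. The hostnames rodc01.example.local and rwdc01.example.local are placeholders.

```powershell
# Added example (not from the thread): TCP reachability test for the AD ports
# listed above, run from the DMZ member server.  Hostnames are placeholders.
function Test-TcpPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, $Port, $null, $null)
        # WaitOne returns $false on timeout (typical for a silent DROP rule);
        # a REJECT or a closed port comes back quickly with Connected = $false.
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected) {
            $client.EndConnect($ar)
            return 'open'
        }
        return 'filtered/closed'
    } catch {
        # DNS failure for $Server or a socket error surfaces here.
        return "error: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

# TCP ports from the list above.  UDP (53, 88, 137, 138, 389) cannot be
# proven open with a TCP handshake and is not checked here.
$adTcpPorts = @(
    @{ Service = 'DNS';                 Port = 53   },
    @{ Service = 'Kerberos';            Port = 88   },
    @{ Service = 'RPC endpoint mapper'; Port = 135  },
    @{ Service = 'NetBIOS session';     Port = 139  },
    @{ Service = 'LDAP';                Port = 389  },
    @{ Service = 'SMB';                 Port = 445  },
    @{ Service = 'LDAPS';               Port = 636  },
    @{ Service = 'GC LDAP';             Port = 3268 },
    @{ Service = 'GC LDAPS';            Port = 3269 }
)

function Test-AdPorts {
    param([string]$Server)
    foreach ($entry in $adTcpPorts) {
        [pscustomobject]@{
            Server  = $Server
            Service = $entry.Service
            Port    = $entry.Port
            Result  = Test-TcpPort -Server $Server -Port $entry.Port
        }
    }
}

# Placeholder names: replace with the real RODC and RWDC.
Test-AdPorts -Server 'rodc01.example.local' | Format-Table -AutoSize
Test-AdPorts -Server 'rwdc01.example.local' | Format-Table -AutoSize
```

The RPC dynamic range is not a single port and is not in the table; note that the 1024-65535 range in the list is the Windows 2000/2003 default, while Windows Server 2008 and later use 49152-65535 by default. From a DMZ member server the expected picture is every port open towards the RODC; what is, or is not, open towards the RWDC tells you which DC the server can actually fall back to.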
Can my server in the DMZ use only the RODC to obtain the necessary information?
I really hope that all my servers in the DMZ have to have ports poked open on my firewall to talk to the RWDC in the Inside zone.
On your firewall you just have to allow the RWDC to receive traffic from the RODC on the mentioned ports, and vice versa.
Yes. Currently my firewall is allowing the ports you mentioned between the RODC and the RWDC.
One other thing I also found is that when my server abc pings the domain name, it actually tries to ping the RWDC in the Inside zone first.
However, in the network settings, I set the RODC as the DNS server in the TCP/IP properties. How can I make server abc use only the RODC for all domain-related tasks?
Have you tried flushing DNS on the abc server (`ipconfig /flushdns`) and then pinging again?
I tried `ipconfig /flushdns`. However, when I ping the domain name, I see that server abc uses a different domain controller from time to time. I am not sure why it changes.
Since you're pinging the domain name, it will give you one of the IP addresses from all the SRV records registered in your domain.

When you have multiple domain controllers you're usually going to ping the domain controller you've authenticated to; if you ping Abc.net you may get one server or another. Usually it is a DC in the same site as you; if there are multiple DCs, then usually the one you've authenticated to.

Are you still seeing the SIDs instead of the user names?
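The PowerShell below is an added example, not code from the thread, that separates the two things the reply above runs together: what `ping <domain>` resolves (the per-DC A records for the bare domain name, returned round-robin) and what the DC locator actually picks (site-specific SRV records, then a cached DC). The domain name example.local and the site name DMZ are placeholders; the site check is the practical point, because a DMZ subnet that is not mapped to the RODC's site in AD Sites and Services lets the locator choose an inside RWDC no matter which DNS server is set on the NIC.

```powershell
# Added example (not from the thread): show why pinging the domain name lands
# on different DCs, and which DC this machine's locator really uses.
# Placeholder values: the domain 'example.local' and the AD site 'DMZ'.
$domain = 'example.local'
$site   = 'DMZ'

function Get-DomainARecords {
    param([string]$Domain)
    # Every DC registers an A record for the bare domain name (the "(same as
    # parent folder)" entries in DNS).  ping uses this list round-robin, so the
    # reply rotates between DCs and says nothing about the logon DC.
    [System.Net.Dns]::GetHostAddresses($Domain) | ForEach-Object { $_.IPAddressToString }
}

function Get-SiteDcSrvRecords {
    param([string]$Domain, [string]$Site)
    # The DC locator prefers the site-specific SRV records.  If the DMZ subnet
    # is mapped to a site that contains only the RODC, this lists only the RODC.
    nslookup -type=SRV "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" 2>$null
}

Write-Host "A records for $domain (what ping resolves):"
Get-DomainARecords -Domain $domain

Write-Host "`nSRV records for site ${site}:"
Get-SiteDcSrvRecords -Domain $domain -Site $site

# Which site this machine believes it is in.  "(null)" or an Inside-zone site
# means the DMZ subnet is not mapped to the RODC's site in AD Sites and
# Services, and the locator is free to pick an inside RWDC.
Write-Host "`nSite of this machine:"
nltest /dsgetsite

# Which DC the locator selects right now, bypassing the cached answer.  The
# Flags line shows WRITABLE for an RWDC; an RODC does not carry that flag.
Write-Host "`nDC selected by the locator:"
nltest "/dsgetdc:$domain" /force
```

Run it on server abc: if the A-record list contains inside RWDC addresses, that alone explains the rotating ping replies, and the `nltest /dsgetdc` output is the answer to "which DC does abc actually use".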

ASKER CERTIFIED SOLUTION
Krzysztof Pytko
I just checked the server. I am not seeing the SIDs anymore. Although I am now seeing the user groups, I am not sure what I did that fixed the problem.
I am thinking that perhaps this has to do with a new remote site's DNS server/domain controller. This new domain controller in the remote site is also an RWDC and lists itself in the DNS parent forwarding list. It is possible my abc server could use that remote site's DNS server to resolve my domain name. When server abc cannot reach that remote DNS server/domain controller, it is unable to translate SIDs to the user groups.

My RODC in the DMZ is also a DNS server. How can I make my server abc use only that RODC for all DNS-related requests? I have already set the TCP/IP properties of my RODC and server abc to use the RODC as the only DNS server.
By the way, when I ping the domain name from my RODC, I do see that it resolves the domain name to the remote domain controller, to which it does not have full access across the VPN.
SOLUTION
I have configured the third DNS server on my RODC to use loopback, and now it pings the correct DNS server (my RWDC) to resolve my domain name.
I am just wondering why it took configuring the third DNS server as the loopback interface to resolve this issue.
Before the configuration change proposed by iSiek, my RODC's NIC used 127.0.0.1 as the first DNS server choice. The second one was the other reachable RWDC DNS server. There was no third DNS server setting.

One more thing I would like to mention here is that there are 2 RWDC DNS servers in my Inside zone. If I use the very first domain controller which I created in my domain as the DNS server in my RODC's NIC settings, everything works. If I change the DNS server to my other RWDC, which I created after my first domain controller in the past, then my RODC will still resolve the domain name using the unreachable domain controller at the remote site.
Why is that?
No one is responding, but I believe there is a different issue in my network.