Unable to see the domain accounts name in the domain member server's local admin group

I built a Read Only Domain Controller (RODC) in a DMZ. RODC has a connection to the regular domain controller in the Inside Zone network.
I added a server named, abc in the domain and moved it to the DMZ. I configured this server to use the RODC as the DNS server.
It seems that the server can use the RODC for user authentication. However, when I checked the local admin group of this server, I see there are accounts listed in random characters. I assumed that they are the domain accounts.
Why do those accounts list in the random characters?
Moreover, when I ping my domain, server abc still tries to ping the domain controller in the Inside zone instead of the RODC in DMZ. Why does happen?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Hello atlasdey,

Those numbers you see are not "random numbers" but they are in fact the SID (security identifier)

http://technet.microsoft.com/en-us/library/cc778824(WS.10).aspx - Highly technical explanations of SIDs

An easier way to think of a SID or GUID is very similar with how websites use URLs. For most people remembering an IP address doesnt make sense, so we have domain names like microsoft.com that point to the actual IP address.

SIDs are similar in the way that each object has an ID that you typically don't see, but they are unique and the common names such as the user's account name reference the ID behind the scenes.

You can use tools like psgetsid to query information relating to the SID.

atlasdevAuthor Commented:
The question I have is that why does server abc only show domain accounts in SID in its local admin group. This is not normal. I suspect something is not connecting.
Krzysztof PytkoSenior Active Directory EngineerCommented:
There ate 2 possible issues:

1) DNS server cannot be contacted and SIDs cannot be translated to DNS names or some firewall issues
2) users were deleted from AD and no one remove them from this group. Then AD doesn't know anything about them (they are not in AD database) and only SIDs are displayes

For firewall issues, please check which ports are necessary for proper AD function

10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

you will need to open the ports below on your firewall:
RPC endpoint mapper 135/tcp, 135/udp
Network basic input/output system (NetBIOS) name service 137/tcp, 137/udp
NetBIOS datagram service 138/udp
NetBIOS session service 139/tcp
RPC dynamic assignment 1024-65535/tcp
Server message block (SMB) over IP (Microsoft-DS) 445/tcp, 445/udp
Lightweight Directory Access Protocol (LDAP) 389/tcp LDAP ping 389/udp L
LDAP over SSL 636/tcp
Global catalog LDAP 3268/tcp
Global catalog LDAP over SSL 3269/tcp
Kerberos 88/tcp, 88/udp
Domain Name Service (DNS) 53/tcp1, 53/udp
Windows Internet Naming Service (WINS) resolution (if required) 1512/tcp, 1512/udp
WINS replication (if required) 42/tcp, 42/udp

I hope that the information above helps
atlasdevAuthor Commented:
Can my server in DMZ only uses the RODC to obtain the necessary information?
I really hope that all my servers in DMZ have to poke ports open on my firewall to talk to the RWDC in the Inside zone.
On your firewall you just have to  allow the rwdc to receive traffic from the rodc on the mentioned ports and vice versa.
atlasdevAuthor Commented:
Yes. Currently my firewall is allowing the ports you mentioned between the RODC and RWDC.
One other thing I also found is that my server abc pings the domain name, it actually tries to ping the RWDC in the the inside zone first.
However, in the network setting, I set the RODC as the DNS server in the TCP/IP setting. How can I make the server abc to only use RODC for all domain related tasks?
Have you tried to flush dns on the abc server "icon fig /flushdns" then try to ping again.
atlasdevAuthor Commented:
I tried ipconfig /dnsflush. However, when I ping the domain name, I see the server abc uses different domain controller from time to time. I am not sure why it changes.
Since you're pinging with the domain name it will give you one of the ip addresses from all the srv record registered in your domain.

when you have multiple Domain controllers you're going to usually ping the domain controller you've authenticated to if you ping Abc.net You may get one server or another. Usually a DC in the same site as you, if there are multiple DC's then usually one you've authenticated to.

Are you still seeing the Sid instead of the user names?

Krzysztof PytkoSenior Active Directory EngineerCommented:
That's normal, DNS round robin mechanism is working in this case :)

You cannot set up DC authentication order in a Site. There is only possibility to assign subnets to particular Site for DC authentication but you cannot selects which DCs will be used for authentication. All available in SIte are responsible for that.

Can you use portqry on your faulty server and see if (for sure) all necessary ports are opened?

and last choice, make sure in this case if your DC in DMS points to DNS server as itself (in case that it is DNS server too). Then it will try to resolve DNS names using its own DNS database copy


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
atlasdevAuthor Commented:
I just checked the server. I am not seeing the SID anymore. Although I am seeing the user groups, I am not sure what I did fixed the problem.
I am thinking that perhaps this has to do with a new remote site's DNS server/domain controller. This new domain controller in the remote site is also a RWDC and provides itself in the DNS parent forwarding list. It is possible my abc server could use that remote site's DNS server to resolve my domain name. When the server abc cannot reach that remote DNS server/domain controller, it is unable to translate SID to the user groups.
My RODC in DMZ is also a DNS server. How can I make my server abc only use that RODC for all DNS related requests? I have already set the TCP/IP property of my RODC and server abc to use the RODC as the only DNS server.
By the way, when I ping the domain name from my RODC, I do see that it resolves the domain name to the remote domain controller which it does not have full access across the VPN.
Krzysztof PytkoSenior Active Directory EngineerCommented:
OK, you should set up on your RODC this DNS settings for NIC

Primary DNS: RODC itself
Alternate DNS: that RWDC from which you suspect it works fine
3rd DNS: (loopback interface)

and according to DCs IP response. Your RODC doesn't have to have full access, it will query the next server from DNS zone. To check what will respond in DNS domain ping query, open DNS management console and go to your zone. Then look for these entries:

(same as parent folder)   Host(A)     IPAddress

this is a list of all of yours DCs in a domain. When you do these steps in command-line on a DC

ipconfig /flushdns
ping dns-domain-name

and repeate it numerous times, you will see that each time another DC's IP is respond from database (and you should see that it was the next from DNS zone list). When you reach the last one on the list, DNS will start from the neginnig and so on

atlasdevAuthor Commented:
I have configured the thrid DNS on my RODC to use loopback and now it pings the correct DNS server (my RWDC) to resolve my domain name.
I am just wondering why does it take me to configure the third DNS server as a loopback interface to resolve this issue.
Before the configured change proposed by iSiek, my RODC's NIC uses as the first DNS server choice. The second one is the other reachable RWDC DNS server. There was no thrid DNS server setting.

One more thing I would like to mention here is that there are 2 RWDC DNS servers in my Inside zone. If I use the very first domain controller which I created in my domain as the DNS server in my RODC's NIC setting, eveyrthing works. If I changed the DNS server to be my other RWDC which I created after my first domain controller in the past, then my RODC will still resolves the domain name by using the unreachable domain controller at remote site.
Why is that?
atlasdevAuthor Commented:
No one is responding but I believe there is a different issue in my network.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.