Steve Knight asked:
Windows 2000 to 2008/2012 trust issue / ForeignSecurityPrincipal container

Would appreciate any ideas you might have that I may have missed with this issue.  In summary as best as I can:

Domain01 - has 1 x Windows 2000 DC, "Server05". AD / DNS domain is just "domain01.". In Mixed mode for some reason. Being migrated away from.

Domain02 - has 1 x Windows 2008 R2, 1 x Windows 2012. AD / DNS domain is domain02.company.com. In 2003 mode.

File services are currently in Domain01.
PCs are moving to Domain02.
Users are mainly on Domain01 but moving to Domain02.

The issues are:

In ADUC for Domain01 you add a Domain02 user to a domain-local group and it accepts it, but closing and re-opening the group just shows a SID and a popup error. An entry is created in the ForeignSecurityPrincipals container, but this doesn't show the name, just the SID.

In the NTFS rights on a Domain01 member server there were a number of SIDs showing; these proved to be where Domain02 users had been added before.

NTFS permissions on files/folders can have users and global groups from either domain added OK and they work, but if he adds Domain01\Global Group and Domain02\GlobalGroup to a domain-local group in Domain01 it shows just the SID for Domain02\GlobalGroup.

NLTEST and the GUI show the trusts working (and they must be, one domain can admin the other etc.).

NLTEST can lookup DC from opposite domains etc.

REPADMIN and dcdiag show no errors, and there are no errors in the event logs of any of the DCs.

So any idea what could cause users from the Domain02 domain added to the 2000 domain's groups to show SID only, and the ForeignSecurityPrincipals too? The other way around they show SID and name as expected.

I went in there expecting an obvious trust issue or DNS etc. Did find a DNS issue that was fixed, but everything else seems to test OK!

thanks

Steve
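A diagnostic a practitioner would run next, given the symptoms above (FSP objects that show only a SID), is to enumerate the ForeignSecurityPrincipals container on the Domain01 DC and ask the local LSA to translate each SID to a name from different vantage points. The script below is an added example, not code from the original post or from the answer; it assumes the names used in the question (the Windows 2000 DC "Server05" and the single-label domain "domain01"), and it uses plain LDAP via DirectorySearcher rather than the ActiveDirectory module because a Windows 2000 DC has no ADWS for the module to talk to.

```powershell
# Added example, not part of the original post.
# Assumptions: 2000 DC is reachable as "Server05"; the domain's DN is "DC=domain01".
# Run it once from a Domain02 member and once from a Domain01 member and compare
# the Status column: if the same SIDs resolve from one side but not the other,
# the problem is in which side's LSA can walk the trust, not in the FSP objects.

$dc     = 'Server05'      # assumption: name of the Windows 2000 DC
$baseDn = 'DC=domain01'   # assumption: DN of the single-label domain "domain01."

$fspRoot  = New-Object System.DirectoryServices.DirectoryEntry(
              "LDAP://$dc/CN=ForeignSecurityPrincipals,$baseDn")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($fspRoot)
$searcher.Filter   = '(objectClass=foreignSecurityPrincipal)'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange(@('objectSid', 'memberOf', 'whenCreated'))

$results = foreach ($entry in $searcher.FindAll()) {
    # objectSid comes back as a byte array; build a SecurityIdentifier from it.
    $sid = New-Object System.Security.Principal.SecurityIdentifier(
             [byte[]]$entry.Properties['objectsid'][0], 0)

    # Translate() asks this machine's LSA to map the SID to DOMAIN\name, which
    # follows the trust to the SID's home domain. Well-known SIDs (S-1-5-4 etc.)
    # are also stored as FSPs and resolve locally, so they serve as a control.
    try {
        $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        $status  = 'resolved'
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        $account = '<unresolved>'
        $status  = 'UNRESOLVED'
    }

    [pscustomobject]@{
        SID        = $sid.Value
        DomainSid  = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { '(well-known)' }
        Account    = $account
        Status     = $status
        MemberOf   = ($entry.Properties['memberof'] -join '; ')
        Created    = $entry.Properties['whencreated'][0]
        ResolvedOn = $env:COMPUTERNAME
    }
}

# Show unresolved entries first; the DomainSid column tells you which trusted
# domain each orphaned SID claims to come from.
$results | Sort-Object Status, Created | Format-Table -AutoSize
```

Compare the DomainSid values of the unresolved entries with the SID of domain02.company.com (for example from "nltest /domain_trusts /v" on a Domain01 machine); an FSP whose domain SID does not match any current trusted domain is a stale SID that will never resolve, whereas one that does match but still shows UNRESOLVED only from Domain01 machines points at name resolution over the trust from the Domain01 side.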
ASKER CERTIFIED SOLUTION by arnold
Steve Knight (asker):

Thanks, I think it may be an issue between 2000 and 2012, but they are trusted OK, at least they were, and seem to be for other things: there is no prompting for credentials, so it is using the trust there.

Will look back when not on mobile later.

Steve

Steve Knight (asker):

Thanks for the input, had forgotten this was still open. We have worked around the issue as they migrate.