Windows 2000 to 2008/2012 trust issue / ForeignSecurityPrincipal container

Would appreciate any ideas you might have that I may have missed with this issue. In summary, as best as I can:

Domain01 - has 1 x Windows 2000 DC, "Server05". AD / DNS domain is just "domain01.". In mixed mode for some reason. Being migrated away from.

Domain02 - has 1 x Windows 2008R2, 1 x Windows 2012. AD / DNS domain is domain02.company.com. In 2003 mode.

File services are currently in Domain01.
PCs are moving to Domain02.
Users are mainly on Domain01 but moving to Domain02.

The issues are:

In ADUC for Domain01 you add a Domain02 user to a domain-local group and it accepts it, but closing and re-opening the group just shows a SID and a popup error. An entry is created in the ForeignSecurityPrincipals container, but this doesn't show the name, just the SID.

In the NTFS rights on a Domain01 member server there were a number of SIDs showing; these proved to be where Domain02 users had been added before.

NTFS permissions on files/folders can have users and global groups from either domain added OK and they work, but if he adds Domain01\Global Group and Domain02\GlobalGroup to a domain-local group in Domain01 it shows just the SID for Domain02\GlobalGroup.

NLTEST and the GUI show trusts working (and they must be; one domain can admin the other, etc.).

NLTEST can look up DCs from the opposite domain, etc.

REPADMIN and dcdiag show no errors, and there are no errors in the event logs of any of the DCs.

So, any idea what could cause users from the Domain02 domain added to the 2000 domain groups to show SID only, and in ForeignSecurityPrincipals too? The other way around they show SID and name as expected.

I went in there to look, expecting an obvious trust or DNS issue, etc. Did find a DNS issue that was fixed, but everything else seems to test OK!


Steve Knight
1 Solution
Windows 2000, mixed mode... it sounds as though this was the original NT that was upgraded to Windows 2000. Since you are migrating away from this system, raising the domain/forest level to Windows 2000 native should not be an issue.
I'm not sure 2000 had AD Sites and Trusts. You need to establish a trust between the two.
When you add a user to domain1 from domain2 it prompts for a password to access/search the domain2 listing. When you re-enter ADUC on the Windows 2000 DC and the trust is not there, it has only the SID you added; it has no information on who to contact to resolve the SID to the name.
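The symptom in the question (a group member that shows as a bare SID, with a matching entry under ForeignSecurityPrincipals) and the reasoning in the solution (the Domain01 DC has no way to contact the trusted domain to turn that SID back into a name) can both be checked from a script rather than by clicking through ADUC. The PowerShell below is an added example written for this page; it is not code from the thread. It reads group membership through plain ADSI so it works against a Windows 2000 DC without the ActiveDirectory module, then asks the local machine to translate each member's SID to DOMAIN\name the same way the GUI does. It assumes PowerShell 3.0 or later on the machine you run it from; the group DN and the member server in the usage line are hypothetical placeholders, and only Server05 is a name taken from the question.

```powershell
# Added example, not code from the thread. Lists the members of an AD group via ADSI
# and reports which members are foreign SIDs that this machine cannot translate to a name.
function Get-GroupMemberSidResolution {
    param(
        [Parameter(Mandatory = $true)] [string] $GroupDn,           # hypothetical group DN
        [Parameter(Mandatory = $true)] [string] $DomainController   # DC to bind to
    )

    $group = [ADSI]"LDAP://$DomainController/$GroupDn"

    # A single-member group returns a plain string, so force an array.
    foreach ($memberDn in @($group.member)) {
        $member   = [ADSI]"LDAP://$DomainController/$memberDn"
        $sidBytes = [byte[]] $member.objectSid.Value
        $sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

        # Translate() uses the local machine's domain (and any trusted domain it can reach)
        # to map the SID to DOMAIN\name. IdentityNotMappedException is the programmatic
        # equivalent of ADUC showing nothing but the SID.
        try {
            $name  = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $state = 'Resolved'
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $name  = $null
            $state = 'Unresolved'
        }

        [pscustomobject]@{
            MemberDn  = $memberDn
            IsForeign = ($memberDn -match 'CN=ForeignSecurityPrincipals,')
            Sid       = $sid.Value
            Name      = $name
            State     = $state
        }
    }
}

# Usage with placeholder values (group DN is hypothetical; Server05 is the Domain01 DC
# from the question). Run it once from a Domain01-joined machine and once from a
# Domain02-joined machine and compare the State column for the same SID.
Get-GroupMemberSidResolution -GroupDn 'CN=FileShareAccess,OU=Groups,DC=domain01' -DomainController 'Server05' |
    Format-Table State, IsForeign, Sid, Name -AutoSize
```

Reading the output: a member that is IsForeign and Resolved when the script runs from a Domain02-joined machine but Unresolved from a Domain01-joined one is a valid SID that the Domain01 side cannot look up across the trust, which matches the solution's explanation; a SID that is Unresolved from both sides is more likely a stale or deleted account, the same kind of orphaned SID the question describes finding in NTFS ACLs on the member server.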

Steve Knight (IT Consultancy, Author) commented:
Thanks, I think it may be an issue between 2000 2012 but they are trusted OK, at least were, and seem to be for other things - there is no prompting for credentials so it is using the trust there.

Will look back when not on mobile later.

Steve Knight (IT Consultancy, Author) commented:
Thanks for input, had forgotten this was still open. We have worked around the issue as they migrate.