Windows 2000 to 2008/2012 trust issue / ForeignSecurityPrincipal container

Would appreciate any ideas you might have that I may have missed with this issue.  In summary as best as I can:

Domain01 - has 1 x Windows 2000 DC, "Server05". AD / DNS domain is just "domain01.". In Mixed-mode for some reason. Being migrated away from.

Domain02 - has 1 x Windows 2008R2, 1 x Windows 2012. AD / DNS domain is,com.  In 2003 mode.

File services are currently in Domain01.
PCs are moving to Domain02.
Users are mainly on Domain01 but moving to Domain02.

The issues are:

In ADUC for Domain01 you add a Domain02 user to a domain-local group and it accepts it, but closing and re-opening the group just shows a SID and a popup error. An entry is created in the ForeignSecurityPrincipals container, but this doesn't show the name, just the SID.

In the NTFS rights on a Domain01 member server there were a number of SIDs showing; these proved to be where Domain02 users had been added before.

NTFS permissions on files/folders can have users and global groups from either domain added OK and they work, but if he adds Domain01\Global Group and Domain02\GlobalGroup to a domain local group in Domain01 it shows just a SID for Domain02\GlobalGroup.

NLTEST and the GUI show the trusts working (and they must be, one domain can admin the other etc.).

NLTEST can look up DCs from the opposite domain etc.

REPADMIN and dcdiag show no errors, and there are no errors in the event logs of any of the DCs.

So any idea what could cause users from the Domain02 domain added to the 2000 domain groups to show SID only, and in the ForeignSecurityPrincipals container too? The other way around they show SID and name as expected.

I went in there to look expecting an obvious trust issue or DNS etc. Did find a DNS issue, which was fixed, but everything else seems to test OK!


Steve Knight (IT Consultancy) asked:

Windows 2000, mixed mode... it sounds as though this was the original NT that was upgraded to Windows 2000. Since you are migrating away from this system, raising the domain/forest level to Windows 2000 native should not be an issue.
I'm not sure 2000 had AD Sites and Trusts. You need to establish a trust between the two.
When you add a user to domain1 from domain2 it prompts for a password to access/search the domain2 listing. When you re-enter ADUC on the Windows 2000 DC and the trust is not there, it has only the SID you added; it has no information on who to contact to resolve the SID to the name.
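As an added example that is not part of this thread: a PowerShell script that lists every object in a domain's ForeignSecurityPrincipals container and attempts the same SID-to-name translation ADUC performs, so the entries that will render as a bare SID (the symptom described above) can be spotted from a member server rather than by opening each group. It uses plain ADSI/LDAP rather than the ActiveDirectory module so it can also query a Windows 2000 DC, which has no AD Web Services. Assumptions: it runs on a machine that can reach DCs of both domains, and 'domain01.example' is a placeholder for the real DNS domain name.

```powershell
# Added example, not from the original thread. Enumerates the
# ForeignSecurityPrincipals container of a domain and tries to translate
# each SID to an account name. UNRESOLVED entries are the ones that show
# as a raw SID in group membership; Resolved ones have a working trust path.
# Assumptions: 'domain01.example' is a placeholder; run from a machine that
# can reach DCs of both the queried domain and the SID's issuing domain.

function Test-ForeignSecurityPrincipals {
    param(
        [Parameter(Mandatory = $true)]
        [string] $DomainDns   # placeholder, e.g. 'domain01.example'
    )

    # RootDSE gives the domain's naming context without hard-coding the DN.
    $rootDse = [ADSI] "LDAP://$DomainDns/RootDSE"
    $baseDn  = [string] $rootDse.defaultNamingContext
    $fspPath = "LDAP://$DomainDns/CN=ForeignSecurityPrincipals,$baseDn"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI] $fspPath
    $searcher.Filter     = '(objectClass=foreignSecurityPrincipal)'
    $searcher.PageSize   = 500
    [void] $searcher.PropertiesToLoad.AddRange([string[]] @('objectSid', 'memberOf'))

    foreach ($result in $searcher.FindAll()) {
        $sidBytes = [byte[]] $result.Properties['objectsid'][0]
        $sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        try {
            # Translate asks a DC of the SID's issuing domain, over the trust,
            # which is the lookup ADUC performs when it renders a member name.
            $name   = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $status = 'Resolved'
        } catch {
            $name   = $null
            $status = 'UNRESOLVED'   # no DC of the issuing domain answered for this SID
        }
        [pscustomobject]@{
            SID      = $sid.Value
            Name     = $name
            Status   = $status
            MemberOf = (@($result.Properties['memberof']) -join '; ')
        }
    }
}

# Usage: show only the principals that currently render as a bare SID.
Test-ForeignSecurityPrincipals -DomainDns 'domain01.example' |
    Where-Object { $_.Status -eq 'UNRESOLVED' } |
    Format-Table SID, MemberOf -AutoSize
```

If every SID from one domain resolves from a Domain02 member but not from the Domain01 DC, the fault is on the 2000 DC's side of the trust (its ability to locate a Domain02 DC), which narrows the problem beyond what NLTEST reports.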

Steve Knight (IT Consultancy), author, commented:
Thanks, I think it may be an issue between 2000 and 2012 but they are trusted OK, at least were, and seem to be for other things - there is no prompting for credentials so it is using the trust there.

Will look back when not on mobile later.

Steve Knight (IT Consultancy), author, commented:
Thanks for input, had forgotten this was still open. We have worked around the issue as they migrate.