Resolving Sids to friendly names

[Luton Bee]

I have a strange problem with some (not all) users in active directory.
What happens is that the properties > security dialogue displays the
SIDS and not the friendly name on some of the entities that have
permissions to the user. This problem only exists in this screen, all
other groups and memberships resolve correctly. I have tried this on
the FSMO holder so I can't see how it is can be a network or resolver
issue. I have run both dcdiag and netdiag with no problems. any ideas?

Thanks in advance

 

[Herb Martin]

I have a strange problem with some (not all) users in active directory.
What happens is that the properties > security dialogue displays the
SIDS and not the friendly name on some of the entities that have
permissions to the user. This problem only exists in this screen, all
other groups and memberships resolve correctly. I have tried this on
the FSMO holder so I can't see how it is can be a network or resolver
issue. I have run both dcdiag and netdiag with no problems. any ideas?

Usually this is due to one of a couple of problems:

Lost trust (the objects with SIDS are from a formerly
trusted domain, or one where the other DCs cannot
be currently found, although AD DCs seem to be
caching the names too for Group membership.)

Machine is no longer in the domain (this is likely not
your issue since you seem to have it on the DC, and
this is really just a special case of the previous item,
since in some sense a machine trusts it Domain while
it is a member.)

Objects were deleted -- the user no longer exists and
so the reference (a SID) is displayed since the name
is no longer available.

Note that most of the above can also be cause by lost
communication, even if the object still exist the name may
not be resolvable from the SID.

For a DC issue I would first run DCDiag (a good practice
in ANY DC "problem" and a good practice to perform
regularly), then I would double-check any external trusts,
and name resolution through DNS for all domains in the
forests as well as NetBIOS resolution for all externally
trusted domains.

Trusts (and thus SID->Name resolution) will not generally
work correctly if name resolution is not working properly.

 

[Luton Bee]

Thanks for the pointers Herb

I have run dcdiag and all tests pass except smtpsvc on local machine
and a couple printer driver errors in the system log. We don't have any
external trusts and never have had. we run a single forest, single
domain 2000 AD over multiple sites with multiple servers and GC's. I
had wondered about DNS but though by trying to view the objects on the
FSMO role holder machine I would negate any DNS problems? Is there a
way of checking for all the needed DNS srv records in an AD integrated
DNS zone?

Thanks

 

[Paul Bergson]

The dcdiag should validate that for you if all the options are set. If you
are unsure, you can download a gui script I wrote it should be simple to set
and run. It also has the option to run individual tests without having to
learn all the switch options.

The script is at http://pbbergs.dynu.com/windows/windows.htm, download it
and save it to c:\program files\support tools\

Just select both dcdiag and make sure verbose is set. (Leave the default
settings for dcdiag as set when selected)

When complete search for fail, error and warning messages.

The defn's should be found here
http://www.microsoft.com/technet/pr...irectory/maintain/opsguide/part1/adogd10.mspx

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Herb Martin]

Thanks for the pointers Herb

I have run dcdiag and all tests pass except smtpsvc on local machine
and a couple printer driver errors in the system log. We don't have any
external trusts and never have had. we run a single forest, single
domain 2000 AD over multiple sites with multiple servers and GC's. I
had wondered about DNS but though by trying to view the objects on the
FSMO role holder machine I would negate any DNS problems?

That really shouldn't help (or hurt) -- all DCs have the entire
contents of the Domain (partition of the AD) database.

The five FSMO roles are really about (most) protecting changes
to a limited set of things which are dangerous to multi-master
(Schema, adding domains to forest, RIDs) or that just don't
need or make sense for multi-mastering (PDC Emulator, IM)

Is there a
way of checking for all the needed DNS srv records in an AD integrated
DNS zone?

You did that with DCDiag. It checks not just the DNS
server used by the DC, but also checks other DNS servers
listed (NS records) in the zone which supports AD.

Where precisely does the problem occur? (You ealier said
"properties->security dialogue" but I don't believe you said
properties of "what"?

It is possible that some permission was given, the object(User)
was deleted, but the permission remains even though the
tombstone has expired and been purged. (The user is truly gone.)