SIDs instead of the user friendly names


dbowman

I have a two way trust set up with a Windows 2003 AD and a Windows NT4
domain in order to start the migration of the NT4 domain to AD. If I
log on Windows 2003 DC and add users from the Windows NT4 Domain to a
2003 Group all appears to be fine. But when I close that group and
reopen it I get a message saying "Some of the Object names cannot
be shown in their user-friendly form. This can happen if the object is
from an external trust and that domain is unavailable to translate the
object's name." and I'm stuck looking at the SIDs instead of the user
friendly names.
Any Ideas?

Thanks
 

Ace Fekay [MVP]

dbowman said:
I have a two way trust set up with a Windows 2003 AD and a Windows NT4
domain in order to start the migration of the NT4 domain to AD. If I
log on Windows 2003 DC and add users from the Windows NT4 Domain to a
2003 Group all appears to be fine. But when I close that group and
reopen it I get a message saying "Some of the Object names cannot
be shown in their user-friendly form. This can happen if the object is
from an external trust and that domain is unavailable to translate the
object's name." and I'm stuck looking at the SIDs instead of the user
friendly names.
Any Ideas?

Thanks

I usually see this when either the trust fails or if there's a really slow
link between each side of the trust. Can you elaborate on your topology and
any other pertinent info, such as speed of link, is this a test environment
in a VPC or VMware machine, or anything else you can think of?

--
Ace

 

dbowman

Thank you for your reply.
I have the main AD DC (the one with all the FSMO) at the HQ, and a DC
at the troubled site (let's call it B). There is a VPN link between the
sites, but the bandwidth should not be a problem, since I have the
same setup (with slower links too) all over the world and there's
really no traffic between the sites.
Moreover there's a WINS server at B, replicating with the WINS at HQ.
If I try to add the users from a PC at HQ it works smoothly, but if I do
it on any computer (not just the DC) at B it fails...
Very strange indeed...
 

Ace Fekay [MVP]

dbowman said:
Thank you for your reply.
I have the main AD DC (the one with all the FSMO) at the HQ, and a DC
at the troubled site (let's call it B). There is a VPN link between
the sites, but the bandwidth should not be a problem, since I have
the same setup (with slower links too) all over the world and there's
really no traffic between the sites.
Moreover there's a WINS server at B, replicating with the WINS at HQ.
If I try to add the users from a PC at HQ it works smoothly, but if I do
it on any computer (not just the DC) at B it fails...
Very strange indeed...

It almost sounds like a communication issue with your VPN routers (not
saying it is). I've seen one instance where a company updated the VPN
firmware for their SonicWalls and the update altered the MTU settings. After
that all kinds of replication and domain communication issues occurred. MTU
needs to be at 1500, no less. If less, there is now a tech article to alter
a 2003 DC to accommodate, but not for 2000.

Otherwise, I would look at firewalls to make sure they are wide open
between locations.

What errors are in the Event viewers of any DC?

Ace
 

dbowman

I think I solved the problem.
The NT4 DC still contained in its database an account of a very old
computer, dismissed a looooong time ago.
The 2003 DC had coincidentally the same name, so I guess the problem
arose from the fact that when the AD DC tried to authenticate
with the NT4 DC to resolve the SIDs it was denied authorizations
because the name didn't match the account.
After deleting the old account everything seems to work smoothly.
Thanks for your time and suggestions!
 

Ace Fekay [MVP]

dbowman said:
I think I solved the problem.
The NT4 DC still contained in its database an account of a very old
computer, dismissed a looooong time ago.
The 2003 DC had coincidentally the same name, so I guess the problem
arose from the fact that when the AD DC tried to authenticate
with the NT4 DC to resolve the SIDs it was denied authorizations
because the name didn't match the account.
After deleting the old account everything seems to work smoothly.
Thanks for your time and suggestions!

Dupe names can definitely do that! Glad you found it.

Ace
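
Added example (not part of the thread, not code from either poster): a PowerShell check for the kind of collision found above, where a leftover machine account in the trusted domain carries the same name as a domain controller on the other side of the trust. The function names, host names and both input lists are hypothetical, constructed sample data; in practice the lists would come from an export of each domain's computer accounts.

```powershell
# Constructed sample data, not taken from the thread.
# Machine accounts exported from the NT4 domain's account database
# (machine account names end in '$').
$nt4MachineAccounts = @('WKS-014$', 'OLDPRINT01$', 'siteb-dc01$', 'NT4PDC$')
# Domain controllers of the Windows 2003 AD domain, as DNS host names.
$adDomainControllers = @('hq-dc01.corp.example', 'SITEB-DC01.corp.example')

function ConvertTo-NetBiosName {
    param([Parameter(Mandatory)][string]$Name)
    # Keep the host label only, drop the trailing '$' of a machine account,
    # uppercase it, and truncate to the 15-character NetBIOS name limit so
    # that 'siteb-dc01$' and 'SITEB-DC01.corp.example' compare equal.
    $label = ($Name -split '\.')[0].TrimEnd('$').ToUpperInvariant()
    if ($label.Length -gt 15) { $label = $label.Substring(0, 15) }
    return $label
}

function Find-MachineNameCollision {
    param(
        [string[]]$TrustedDomainAccounts,
        [string[]]$LocalDomainControllers
    )
    # Index the trusted domain's machine accounts by normalized name.
    $index = @{}
    foreach ($acct in $TrustedDomainAccounts) {
        $index[(ConvertTo-NetBiosName $acct)] = $acct
    }
    # Report every DC whose name also exists as an account on the other side.
    foreach ($dc in $LocalDomainControllers) {
        $key = ConvertTo-NetBiosName $dc
        if ($index.ContainsKey($key)) {
            [pscustomobject]@{
                NetBiosName          = $key
                DomainController     = $dc
                TrustedDomainAccount = $index[$key]
            }
        }
    }
}

Find-MachineNameCollision -TrustedDomainAccounts $nt4MachineAccounts `
                          -LocalDomainControllers $adDomainControllers
```

With the sample lists this reports one collision, SITEB-DC01; any account it flags should be confirmed as belonging to a retired machine before it is deleted.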
 