Question
Wednesday, November 23, 2016 12:45 PM
Good day,
After a recent power outage our domain ran into replication problems across our two Domain Controllers. The primary domain controller was Server 2003 R2, the other is a Server 2008 R2.
Since we had just purchased hardware for replacing the primary domain controller, we tried to migrate the FSMO roles to the new DC (Server 2012 R2) which failed. In the end we seized the roles using the new Server 2012 R2 domain controller.
Now, however, we are having a problem when trying to add NTFS and Share permissions to files: the builtin Domain Local - Security Groups (e.g. Account Operators, Administrators, Remote Desktop Users etc.) are not showing up. Even when going to the advanced options and searching when trying to add permissions, they are not appearing in the search results.
They however are listed in Active Directory in the Builtin OU.
All replies (7)
Thursday, November 24, 2016 2:10 AM
Hi,
I would suggest running the following tools on each domain controller to see if we can get more information to help troubleshoot the problem.
-> DCDIAG /V /C /D /E /s:dcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
-> ntfrsutl ds dcname > c:\sysvol.log
-> dnslint /ad /s "ip address of dc"
Also, please run the dcdiag /test:dns command to check whether there is a DNS misconfiguration error.
You could also check the logs in the Event Viewer for more details.
Best regards,
Wendy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Tuesday, November 29, 2016 4:47 AM
Hi,
I am checking how the issue is going. If you still have any questions, please feel free to contact us.
If the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.
We appreciate your feedback.
Best regards,
Wendy
Friday, December 2, 2016 7:47 PM
Hi,
Sorry about the late reply, I've been out of office for most of the week.
So I've run all the commands you listed that were not deprecated and everything seems mostly fine. Can't find an error that would point to it, (only seeing a SystemLog error).
I have noticed, from both Domain Controllers, that I am able to find the builtin Domain Local accounts when trying to add NTFS share permissions. I am however unable to find them when using member servers.
But this is the strange part: if from a DC I browse to the path on a member server (e.g. \\fileshare\c$\SharedFolder) and go to the security properties of the folder, the builtin domain local accounts are not showing up to be added. But it works on folders located on the DCs themselves.
Thanks again.
Saturday, December 3, 2016 3:04 PM
The same is happening if browsing from a member server.
If from a member server I browse to a path on the domain controller, I am able to add the Builtin Domain Local groups to NTFS permissions. So it doesn't seem to be a matter of replication because it is able to find the relevant groups, just not add them to folders hosted on the local machine.
Any idea why this would be happening?
Tuesday, December 6, 2016 2:01 AM | 1 vote
Hi,
It seems that this might be by design. Built-in groups are local to the computer. The security groups in the 'Builtin' directory in AD are local to the Domain Controller; the same cannot be added on the member server or client machine.
Please see the similar thread for more details from:
Cannot see Builtin security groups in NTFS permissions on 2008 R2 member server
Best regards,
Wendy
Tuesday, December 6, 2016 5:08 AM
Thank you, I finally understand.
To give better background as to why we ran into the problems: all of our previous main file shares were located on the old 2003 domain controller that failed.
When we restored the backups to a different member server, our users who were members of those builtin groups no longer had access to their files. But now I understand why those permissions will no longer work.
Thanks again.
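For the restore scenario described above, an added example (not part of the original thread) that lists the ACEs on a restored folder tree that still point at BUILTIN groups, so they can be re-granted to ordinary domain groups. BUILTIN groups carry well-known SIDs under S-1-5-32, which a member server resolves against its own local groups rather than the domain's Builtin container. The path `D:\RestoredShare` is a placeholder, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: report explicit ACEs that reference BUILTIN (S-1-5-32-*) SIDs.
# Run on the member server that now hosts the restored data.
param(
    [string]$Root = 'D:\RestoredShare'   # assumption: placeholder path, change to suit
)

# Every BUILTIN alias (Administrators, Account Operators, ...) has a SID with this prefix.
$builtinPrefix = 'S-1-5-32-'

# Include the root folder itself plus everything beneath it.
$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    try {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL on $($item.FullName): $($_.Exception.Message)"
        continue
    }

    # Explicit ACEs only (inherited ones are fixed at the parent), returned as raw SIDs.
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if (-not $sid.StartsWith($builtinPrefix)) { continue }

        # Resolve the SID on THIS machine: the name shown is the local BUILTIN group,
        # or unresolved when the group exists only on domain controllers.
        try {
            $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<unresolved on this machine>'
        }

        [pscustomobject]@{
            Path      = $item.FullName
            Sid       = $sid
            LocalName = $name
            Rights    = $rule.FileSystemRights
            Type      = $rule.AccessControlType
        }
    }
}

# Per-ACE detail, then a count per SID to show which groups need replacing.
$findings | Sort-Object Path, Sid | Format-Table -AutoSize
$findings | Group-Object Sid | Select-Object Name, Count
```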
Thursday, December 8, 2016 1:44 AM
Hi,
Great share and update, it will be greatly helpful to others who have the same question.
Best regards,
Wendy