trusted Domain AD accounts resolves only with SID value

  • Question

  • Hi All,

    Today, while doing pre-checks before migration on an AWS cloud server, we found that we are not able to create domain\username logins in the SQL instance hosted on it. However, the same was possible previously, as we have existing logins there; we verified this on the other 2 servers of the same cluster and found no issues there. We also tried to create forest domain\username logins on all 3 servers and found no issue.

    As shown below, it resolves only the SID value. Could any expert please help here to fix the issue? What can be the cause?

    A related MS article was found here: https://support.microsoft.com/en-us/help/324321/how-to-troubleshoot-error-15401 but no resolution yet.

    NLTest /dclist for both returns expected results from the correct regional DCs.

    I'm also able to do things like get-aduser against both Prod and PC without specifying credentials. And, I can look up my PC user by SID as well (simulating a SID to name resolution):

    We looked at this for a few hours and think it's related to the overall issue with Singapore DCs being in old Macro accounts vs proper core accounts.

    

    Our troubleshooting shows that this issue is intermittent and difficult to predict. This might explain why we were able to add trusted domain accounts in the past without issue.



    CHANDU


    Friday, November 15, 2019 7:16 AM

All replies

  • Hi,

    Before going further, I would appreciate your help in clarifying the following situations:

    Did any error messages happen?

    Any clues in the event viewer?

    I also want to make sure whether your environment is Azure AD or local AD.

    Thanks for your support and patience.

    Best Regards,

    Fan


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, November 18, 2019 10:05 AM
  • Hi,

     

    Just want to confirm the current situations.

     

    Please feel free to let us know if you need further assistance.

     

    Best Regards,

    Fan



    Wednesday, November 20, 2019 7:07 AM
  • I am not sure that I properly understand your description. Is there still any account in your AD DS with the SID above? If not then the behavior of displaying only the SID is expected.

    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK


    Monday, November 25, 2019 1:24 PM
  • Hi Flingmin,

    Thanks for looking into it.

    Actually, there are no errors on it. When we try to add the user account, it resolves the SID only instead of the name. We have only a one-way trust between these two domains.

    We don't have any Azure; we maintain only local AD.

    But we have some 2016 domain controllers built in the AWS cloud.

    One of our techies found that the things below can fix the issue. Can you please check and let us know whether this is the way to fix the issue and what the reason behind it is?

    We've been working through User ID SID resolution issues between the 2 domains as described above, and as a result we have been deleting the following Registry keys, set in accordance with CIS Guidelines, from both domain DCs in the AWS Southeast Region:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters\NodeType

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\RPC\RestrictRemoteClients

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\RPC\EnableAuthEPResolution 

    Regards

    CHANDU

    Tuesday, November 26, 2019 6:13 AM
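
An added example, not part of the original posts: a PowerShell sketch that records the five hardening values named in the post above before any of them is removed, and tests SID-to-name translation, so one setting can be changed and retested at a time. The SID shown is a placeholder and the CSV file name is an assumption; run the snapshot on each DC and the translation test on the SQL host.

```powershell
# Added example (not from the thread). Registry paths and value names are the
# five listed in the post; everything else here is an assumption.
$settings = @(
    @{ Path = 'HKLM:\System\CurrentControlSet\Control\Lsa';               Name = 'RestrictRemoteSAM' },
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\NetBT\Parameters'; Name = 'NodeType' },
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows NT\RPC';         Name = 'RestrictRemoteClients' },
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient';   Name = 'EnableMulticast' },
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows NT\RPC';         Name = 'EnableAuthEPResolution' }
)

function Get-HardeningSnapshot {
    # Read each value without modifying it; a missing value is reported as IsSet = $false.
    foreach ($s in $settings) {
        $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Path     = $s.Path
            Name     = $s.Name
            IsSet    = ($null -ne $item)
            Value    = if ($null -ne $item) { $item.($s.Name) } else { $null }
        }
    }
}

function Test-SidTranslation {
    # Ask Windows to translate a SID to DOMAIN\name, the same lookup the login dialog depends on.
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        [pscustomobject]@{ Sid = $Sid; Resolved = $true; Result = $id.Translate([System.Security.Principal.NTAccount]).Value }
    } catch {
        # Translation failed: keep the error text so runs before and after a change can be compared.
        [pscustomobject]@{ Sid = $Sid; Resolved = $false; Result = $_.Exception.Message }
    }
}

# Keep a record of the current state before touching any value.
$snapshot = Get-HardeningSnapshot
$snapshot | Export-Csv -Path ".\hardening-snapshot-$($env:COMPUTERNAME).csv" -NoTypeInformation
$snapshot | Format-Table Name, IsSet, Value -AutoSize

# Placeholder SID (constructed): substitute the SID of an account in the trusted domain.
Test-SidTranslation -Sid 'S-1-5-21-0-0-0-1000'
```
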
  • The account looks fine and exists in AD. When we try to add the user account, it resolves the SID only instead of the name.

    Please let us know your suggestions.

     

    CHANDU

    Tuesday, November 26, 2019 6:14 AM
  • Hi,

    Would you please tell us how you set up the DNS zones for the trusted domain?

    This seems like the same issue as yours, for your reference:

    https://social.technet.microsoft.com/Forums/Lync/en-US/d4468f54-ef88-48c9-9c43-d9fc217cab59/sid-only-shows-up-when-adding-a-domain-user-account-from-an-external-trusted-domain?forum=winserverDS

    Best Regards,

    Fan



    Tuesday, November 26, 2019 7:09 AM
  • Hi,

    You are welcome to share your current situation.

    Please feel free to let us know if you need further assistance.

     

    Best Regards,

    Fan

     



    Thursday, November 28, 2019 10:05 AM