How to resolve the error "occurred while attempting to save properties for group Users"?

SCLANO FRANCESCO 1 Reputation point
2020-08-04T08:06:45.95+00:00

Hi, I already described this problem in another Microsoft community and they suggested that I ask about this problem in this community. A description of the problem follows.

  • In our data center we use the following domains: A, C, D, and E. We have successfully used these domains with many applications for many years. Each domain is managed by a Windows Server 2012 R2 with AD schema level of Windows 2012 R2 functionality. Furthermore, these domains all trust each other.
  • Team Foundation Server 2017 update 1 is installed in a virtual machine that we call "VM17". This VM is a Windows Server 2012 R2 in domain A (the TFS service account is a user of domain A; the service account is properly configured as A domain controller, log on as a service, etc.). We successfully used TFS 2017 for many months.
  • Azure DevOps Server 2019 update 1.1 is installed in a virtual machine that we call "VM19". This VM is a Windows Server 2016 in domain A (the DevOps service account is a user of domain A; the service account is properly configured as A domain controller, log on as a service, etc.).
  • Domain B is a "new" domain specifically set up for managing users of TFS/DevOps. Domain B is managed by a Windows Server 2016 with AD schema level of Windows 2016 functionality. Domain B is trusted with domains A, B, C and E.
  • The trust between domain B and all other domains works properly. The proof is that in virtual machine VM17, through the TFS web interface, I successfully added more than 100 TFS users from domain B. Furthermore, on both virtual machine VM17 and VM19 I successfully shared a folder with full control with a domain B user.
  • Now we want to upgrade from TFS 2017 update 1 to Azure DevOps Server 2019 update 1.1. To do this we have already installed DevOps 2019 on the virtual machine VM19 and then we will move the collection (as described here https://learn.microsoft.com/en-us/azure/devops/server/admin/move-project-collection?view=azure-devops-2019)
  • VM19 is installed in domain A. The DevOps 2019 service account is an admin domain A user. The problem is that from the DevOps 2019 web interface I am able to see users of domain B, but when I try to add them I obtain "Unable to find Windows identity for" (see point 7 above for details on the error message). Obviously we want to reuse in DevOps 2019 all 100 domain B users we already successfully used with TFS 2017.
  • Furthermore, on VM19, if I try to add a domain B user to the local Users group I obtain the following error

[screenshot: 15330-error-domain-2.png]

So the problem does not seem to be due exclusively to Azure DevOps 2019 but rather to an incompatibility between:

  1. domain A managed by Windows Server 2012 R2 with AD schema level of Windows 2012 R2 functionality
  2. domain B managed by Windows Server 2016 with AD schema level of Windows 2016 functionality (domain used specifically to manage TFS/DevOps users)
  3. Windows Server 2016 in domain A on which Azure DevOps Server 2019 is installed

Is the problem due to an incompatibility of the schema levels of domains A and B? If yes, we cannot currently upgrade the schema level of domains A, C, D and E because many critical applications currently run in these domains. So I hope that changing point 3) above as follows will resolve the problem:
3') Windows Server 2012 R2 in domain A on which we will install Azure DevOps Server 2019

Could you please confirm that the incompatibility described above is the problem? Furthermore, will 3') resolve the problem?

Tags: Windows Server, Active Directory

6 answers

  1. Daisy Zhou 18,721 Reputation points Microsoft Vendor
    2020-08-05T03:09:27.537+00:00

    Hello SCLANOFRANCESCO-5839,

    Thank you for posting in our Q&A forum.

    Based on the description, VM19 is a member server in domain A.

    Based on the description "if I try to add a domain B user in the local group of users", do we want to add a domain B user from domain B (not a local user on any DC) to the Users group in Local Users and Groups on VM19?

    If we mean it is a domain B user, we can check whether this user exists.

    Or do we want to add a domain B user from Local Users and Groups on one DC to the Users group in Local Users and Groups on VM19?
    If we mean it is a domain B user in Local Users and Groups on one DC, this user does not exist.

    Because once a member server is promoted to a domain controller it will no longer have local accounts. I mean that when you install Active Directory, it removes any local accounts.

    Best Regards,
    Daisy Zhou


  2. Daisy Zhou 18,721 Reputation points Microsoft Vendor
    2020-08-11T06:52:41.353+00:00

    Hello SCLANOFRANCESCO-5839,

    I am sorry for the late reply.

    Based on my research, we can check whether there are duplicated machine SIDs in your domain A or domain B with the tools below (the tools are mentioned in the following similar cases).

    Ntdsutil
    https://support.microsoft.com/en-us/help/816099/how-to-find-and-clean-up-duplicate-security-identifiers-with-ntdsutil

    PsGetSid v1.45
    https://learn.microsoft.com/zh-cn/sysinternals/downloads/psgetsid

    Here are two similar cases for your reference.

    A member could not be added to or removed from the local group because the member does not exist.
    https://social.technet.microsoft.com/Forums/windows/en-US/0c5222c7-7990-439b-93e3-9bc69d652588/a-member-could-not-be-added-to-or-removed-from-the-local-group-because-the-member-does-not-exist?forum=winserverDS

    AD Connect Setup: A member could not be added to or removed from the local group because the member does not exist
    https://learn.microsoft.com/en-us/answers/questions/40034/ad-connect-setup-a-member-could-not-be-added-to-or.html

    Best Regards,
    Daisy Zhou

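The checks the answer above points to (trust state, whether the member server can translate a domain B account to a SID and back, and a machine-SID collision), written out in PowerShell as an added example. This is not code from the thread or from Microsoft. The domain name 'B', the DC 'dcB.domainb.local' and the account 'jdoe' are assumed placeholders; run it in an elevated session on the member server that shows the error (VM19 in the thread).

```powershell
# Added diagnostic example; not from the thread. Run in an elevated PowerShell
# session on the member server that shows the error (VM19 in the thread).
# Placeholders (assumed, adjust to your environment): 'B' is the NetBIOS name
# of the user domain, 'dcB.domainb.local' one of its DCs, 'jdoe' a domain B user.
$UserDomain   = 'B'
$UserDomainDc = 'dcB.domainb.local'
$SamAccount   = 'jdoe'

# 1. Trusts as seen from this host's domain. nltest ships with Windows;
#    Get-ADTrust needs the RSAT ActiveDirectory module.
nltest /domain_trusts /all_trusts
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest
}

# 2. Name <-> SID translation of a domain B account through the trust.
#    Adding a member to a local group performs exactly this lookup, so
#    "the member does not exist" means the translation below fails.
$sid = $null
$account = New-Object System.Security.Principal.NTAccount($UserDomain, $SamAccount)
try {
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    "Name -> SID : $account = $($sid.Value)"
    $back = $sid.Translate([System.Security.Principal.NTAccount])   # reverse direction
    "SID -> name : $($sid.Value) = $back"
} catch [System.Security.Principal.IdentityNotMappedException] {
    Write-Warning "Cannot map $account from $env:COMPUTERNAME : $($_.Exception.Message)"
    Write-Warning "Verify the trust, DNS resolution of $UserDomainDc, and that the account exists."
}

# 3. SID collision check. The machine SID is the SID of any local account with
#    the RID stripped (the built-in Administrator always has RID 500, even if
#    renamed). If it equals a domain SID, the local SAM answers lookups that
#    should have gone to that domain. PsGetSid \\VM19 prints the same value.
$localAdmin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
$machineSid = $localAdmin.SID.Value -replace '-500$', ''
"Machine SID of $env:COMPUTERNAME : $machineSid"
if ($sid) {
    "Domain SID of $UserDomain : $($sid.AccountDomainSid.Value)"
    if ($machineSid -eq $sid.AccountDomainSid.Value) {
        Write-Warning 'Machine SID equals the user domain SID: duplicate SID problem.'
    }
}
# Duplicates inside a domain are checked on a DC with ntdsutil (the KB article above):
#   ntdsutil "security account management" "connect to server dcA" "check duplicate sid" quit quit
```

If step 2 throws IdentityNotMappedException on VM19 but the same account translates fine on VM17, the difference is on the host (name resolution to domain B, a SID collision, or the trust path this host actually uses), not in Azure DevOps Server: the product is only surfacing the same failed lookup as "Unable to find Windows identity".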

  3. Thameur-BOURBITA 32,586 Reputation points
    2020-08-11T07:55:37.117+00:00

    Hi,
    If you want to add a user from another domain to a local group on one of your member servers, you should avoid adding it directly. Try to use a domain group with domain local scope.

    Did you try to use an AD group instead of a user?

    Try to create a new group in the same domain with domain local scope to accept members from another domain, then add it to the local group on the member server.

    1. Create a new domain group in the same domain as the member server with domain local scope
    2. Add this group to the local group on the member server
    3. Add users from the other domain to the domain group
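The three steps above, written out in PowerShell as an added example; this is not code from the thread or from the poster. It assumes the RSAT ActiveDirectory module is installed on the member server (VM19) and that the account running it may create groups in domain A. The DC names, OU path, group name and user list are invented placeholders.

```powershell
# Added example; not from the thread. Implements the three steps above on the
# member server (VM19), which needs the RSAT ActiveDirectory module installed.
# All names are assumed placeholders: DCs, OU path, group name and the user
# list are invented for illustration.
Import-Module ActiveDirectory

$ResourceDc = 'dcA.domaina.local'              # DC of the member server's domain (A)
$UserDc     = 'dcB.domainb.local'              # DC of the domain holding the accounts (B)
$GroupName  = 'TFS-DomainB-Users'
$GroupOu    = 'OU=Groups,DC=domaina,DC=local'
$Users      = @('jdoe', 'asmith', 'bchen')     # sAMAccountNames in domain B (constructed list)

# Step 1: domain local security group in domain A.
# Only DomainLocal scope can hold principals from an externally trusted
# domain; Global groups cannot, and Universal groups only span one forest.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $ResourceDc
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
                         -Path $GroupOu -Server $ResourceDc -PassThru
}

# Step 2: put the domain A group (not the domain B users) into the local
# Users group, so only a domain A SID is written into the local SAM.
$netbiosA = (Get-ADDomain -Server $ResourceDc).NetBIOSName
$member   = "$netbiosA\$GroupName"
if (-not (Get-LocalGroupMember -Group 'Users' -Member $member -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Users' -Member $member
}

# Step 3: resolve each account on a domain B DC and add it to the domain A
# group. -Server must be the group's own domain; the user objects carry their
# domain, so the DC stores them as foreign security principals.
foreach ($sam in $Users) {
    $user = Get-ADUser -Filter "sAMAccountName -eq '$sam'" -Server $UserDc
    if (-not $user) { Write-Warning "Not found in domain B: $sam"; continue }
    Add-ADGroupMember -Identity $group -Members $user -Server $ResourceDc
}

# Verify: the local group lists A\TFS-DomainB-Users, and the domain group's
# member attribute holds one CN=<SID>,CN=ForeignSecurityPrincipals,... per user.
Get-LocalGroupMember -Group 'Users' | Select-Object Name, ObjectClass, PrincipalSource
(Get-ADGroup -Identity $group -Properties member -Server $ResourceDc).member
```

The nesting keeps cross-domain SIDs out of the local SAM, which is what the direct add fails on. It does not remove the dependency on the trust: when a domain B user logs on to the member server, the host still has to expand the group and translate the domain B SID, so if name-to-SID translation of domain B accounts itself fails on VM19, that has to be fixed as well.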

  4. SCLANO FRANCESCO 1 Reputation point
    2020-08-19T13:11:04.763+00:00

    I apologize for my late reply.
    I got official Microsoft support involved; as soon as we get the results I will share them on this forum.


  5. SCLANO FRANCESCO 1 Reputation point
    2020-08-08T16:02:33.72+00:00

    Hello Daisy,
    sorry for the delay. I have been busy with this problem but I have not found a solution yet. Please involve your colleagues as well to analyze the problem and help us find a solution as soon as possible, since this problem is critical for us.
    I answer you below point by point:

    1)
    Based on the description, VM19 is a member server in domain A.
    Yes, I confirm that VM19, like VM17, is a member server in domain A.

    2)
    Or do we want to add a domain B user from Local Users and Groups on one DC to the Users group in Local Users and Groups on VM19?
    If we mean it is a domain B user in Local Users and Groups on one DC, this user does not exist.
    Because once a member server is promoted to a domain controller it will no longer have local accounts. I mean that when you install Active Directory, it removes any local accounts.

    I am well aware that once a member server is promoted to a domain controller it no longer has local accounts. I am well aware that when I install Active Directory, it removes any local accounts.

    3)
    Based on the description "if I try to add a domain B user in the local group of users", do we want to add a domain B user from domain B (not a local user on any DC) to the Users group in Local Users and Groups on VM19?
    If we mean it is a domain B user, we can check whether this user exists.

    I mean that I want to add a domain B user from domain B (not a local user on any DC) to the Users group in Local Users and Groups on VM19.
    I checked that this user exists; I did this check with many users and all of them exist.
    The problem is that I successfully added a domain B user on vm17

    [screenshot: 16524-tfs17ok.png]

    but I was unable to add a domain B user on vm19.

    [screenshot: 16494-devops19ko.jpg]

    So my upgrade from TFS 2017 to DevOps 2019 is blocked because in DevOps 2019 I am not able to add all the domain B users (there are more than 100 of them) who already successfully used TFS 2017 for many months (these users are PMs, programmers, testers, etc.).

    Let me try again to explain my environment and my problem schematically. I have 4 virtual machines:
    A) vm17 – Windows Server 2012 R2 configured in domain A (this is the VM that runs Team Foundation Server 2017 update 1 on premises)
    B) vm19 – Windows Server 2016 configured in domain A (this is the VM that runs Azure DevOps Server 2019 update 1.1 on premises)
    C) domain A – Windows Server 2012 R2
    D) domain B – Windows Server 2016 – this domain is used exclusively to manage users of TFS 2017 and DevOps 2019
    Domain A and domain B trust each other (bidirectional, not transitive). The trust works properly.

    Is the problem due to an incompatibility of the schema levels of domains A and B? If yes, we cannot currently upgrade the schema level of domain A because many critical applications currently run in this domain. So I hope that changing point B) above to B') as follows will resolve the problem:
    B') vm19 – Windows Server 2012 R2 configured in domain A (this is the VM that runs Azure DevOps Server 2019 update 1.1 on premises)

    Could you please confirm that the incompatibility described above is the problem? Furthermore, will B') resolve the problem? Otherwise, what could be the cause of the problem and its solution?
