SCLANOFRANCESCO-5839 asked RyanWilson-2019 answered

How to resolve the error "occurred while attempting to save properties for group Users"?

Hi, I already described this problem in another Microsoft community and they suggested I ask about it in this community. A description of the problem follows.

  • In our data center we use the following domains: A, C, D, and E. We have successfully used these domains with many applications for many years. Each domain is managed by a Windows Server 2012 R2 with AD schema level of Windows 2012 R2 functionality. Furthermore, these domains all trust each other.

  • Team Foundation Server 2017 update 1 is installed in a virtual machine that we call "VM17". This VM is a Windows Server 2012 R2 in domain A (the service account of TFS is a user of domain A; the service account is properly configured on the A domain controller, log on as a service etc.). We have successfully used TFS 2017 for many months.

  • Azure DevOps Server 2019 update 1.1 is installed in a virtual machine that we call "VM19". This VM is a Windows Server 2016 in domain A (the service account of DevOps is a user of domain A; the service account is properly configured on the A domain controller, log on as a service etc.).

  • Domain B is a "new" domain specifically set up for managing users of TFS/DevOps. Domain B is managed by a Windows Server 2016 with AD schema level of Windows 2016 functionality. Domain B is trusted with domains A, B, C and E.

  • The trust between domain B and all other domains works properly. The proof is that in virtual machine VM17, via the TFS web interface, I successfully added more than 100 TFS users from domain B. Furthermore, from both virtual machine VM17 and VM19 I successfully shared a folder with full control with a domain B user.

  • Now we want to upgrade from TFS 2017 update 1 to Azure DevOps Server 2019 update 1.1. To do this we have already installed DevOps 2019 on the virtual machine VM19, and then we'll move the collection (as described here: https://docs.microsoft.com/en-us/azure/devops/server/admin/move-project-collection?view=azure-devops-2019).

  • VM19 is installed in domain A. The DevOps 2019 service account is an admin domain A user. The problem is that from the DevOps 2019 web interface I'm able to see users of domain B, but when I try to add them I obtain "Unable to find Windows identity for" (see point 7 above for details on the error message). Obviously we want to reuse in DevOps 2019 all 100 domain B users we already successfully used with TFS 2017.

  • Furthermore, in VM19 if I try to add a domain B user to the local Users group I obtain the following error:

[image: error-domain-2.png]


So the problem does not seem to be due exclusively to Azure DevOps 2019, but rather to an incompatibility between:
1) domain A, managed by Windows Server 2012 R2 with AD schema level of Windows 2012 R2 functionality
2) domain B, managed by Windows Server 2016 with AD schema level of Windows 2016 functionality (domain used specifically to manage TFS/DevOps users)
3) the Windows Server 2016 in domain A on which Azure DevOps Server 2019 is installed

Is the problem due to an incompatibility of the schema levels of domains A and B? If yes, we cannot upgrade the schema level of domains A, C, D and E now, because many critical applications currently run in these domains. So I hope that changing point 3) above as follows will resolve the problem:
3') a Windows Server 2012 R2 in domain A on which we will install Azure DevOps Server 2019

Could you please confirm that the incompatibility described above is the problem? Furthermore, will 3') resolve the problem?


Tags: windows-server, windows-active-directory

Hello SCLANOFRANCESCO-5839,

How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou


Hello Daisy,
sorry for the delay. I was busy with this problem but I haven't resolved it yet. Anyway, I answer you below point by point.
Please analyze and help me to resolve this problem, since it is very critical for us!

Best Regards

Francesco Sclano


Hello,
Have you checked the information I mentioned in the last reply?

Would you please tell me how things are going on your side? If you have any questions or concerns about the information I provided, please don't hesitate to let us know.

I appreciate your time and efforts.

Best Regards,
Daisy Zhou


Hello @SCLANOFRANCESCO-5839,

I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.

Thanks for your time and have a nice day!

Best Regards,
Daisy Zhou

DaisyZhou-MSFT answered

Hello SCLANOFRANCESCO-5839,

Thank you for posting in our Q&A forum.

Based on the description, VM19 is a member server in domain A.

Based on the description "if I try to add a domain B user in the local group of users", do we want to add a domain B user in domain B (not local user on any DC) into Users group in Local Users and Groups on VM19?

If we mean it is a domain B user, we can check if this user exists.

Or do we want to add a domain B user from Local Users and Groups on one DC into the Users group in Local Users and Groups on VM19?
If we mean it is a domain B user in Local Users and Groups on one DC, this user does not exist.

Because once a member server is promoted to a domain controller it will no longer have local accounts. I mean when you install Active Directory, it removes any local accounts.



Best Regards,
Daisy Zhou

SCLANOFRANCESCO-5839 answered SCLANOFRANCESCO-5839 published

Hello Daisy,
sorry for the delay. I was busy with this problem but I didn't find a solution yet. Please involve also your colleagues to analyze the problem and help us find a solution as soon as possible, since this problem is critical for us.
I answer you below point by point:

1)
Based on the description, VM19 is a member server in domain A.
Yes, I confirm that VM19, like VM17, is a member server in domain A.

2)
Or do we want to add a domain B user from Local Users and Groups on one DC into the Users group in Local Users and Groups on VM19?
If we mean it is a domain B user in Local Users and Groups on one DC, this user does not exist.
Because once a member server is promoted to a domain controller it will no longer have local accounts. I mean when you install Active Directory, it removes any local accounts.

I well know the fact that once a member server is promoted to a domain controller it will no longer have local accounts. I well know that when I install Active Directory, it removes any local accounts.

3)
Based on the description "if I try to add a domain B user in the local group of users", do we want to add a domain B user in domain B (not local user on any DC) into Users group in Local Users and Groups on VM19?
If we mean it is a domain B user, we can check if this user exists.

I mean I want to add a domain B user in domain B (not local user on any DC) into Users group in Local Users and Groups on VM19.
I checked that this user exists; I did this check with many users and all of them exist.
The problem is that I successfully added a domain B user in vm17

[image: tfs17ok.png]

but I could not add a domain B user in vm19.

[image: devops19ko.jpg]

So my upgrade from TFS 2017 to DevOps 2019 is blocked, because in DevOps 2019 I'm not able to add all the domain B users (they are more than 100) who already successfully used TFS 2017 for many months (these users are PMs, programmers, testers etc.).

Let me try again to schematically explain my environment and my problem. I have 4 virtual machines:
A) vm17 - Windows Server 2012 R2 configured in domain A (this is the VM that runs Team Foundation Server 2017 update 1 on premises)
B) vm19 - Windows Server 2016 configured in domain A (this is the VM that runs Azure DevOps Server 2019 update 1.1 on premises)
C) domain A - Windows Server 2012 R2
D) domain B - Windows Server 2016 - this domain is exclusively used to manage users of TFS 2017 and DevOps 2019
Domain A and domain B trust each other (bidirectional, not transitive). The trust works properly.



Is the problem due to an incompatibility of the schema levels of domains A and B? If yes, we cannot upgrade the schema level of domain A now, because many critical applications currently run in this domain. So I hope that changing point B) above to B') as follows will resolve the problem:
B') vm19 - Windows Server 2012 R2 configured in domain A (this is the VM that runs Azure DevOps Server 2019 update 1.1 on premises)

Could you please confirm that the incompatibility described above is the problem? Furthermore, will B') resolve the problem? Otherwise, what could be the cause of the problem and its solution?




DaisyZhou-MSFT answered

Hello SCLANOFRANCESCO-5839,

I am sorry for the late reply.

Based on my research, we can check if there are duplicate machine SIDs in your domain A or domain B with the tools below (the tools are mentioned in the following similar cases).


Ntdsutil
https://support.microsoft.com/en-us/help/816099/how-to-find-and-clean-up-duplicate-security-identifiers-with-ntdsutil

PsGetSid v1.45
https://docs.microsoft.com/zh-cn/sysinternals/downloads/psgetsid


Here are two similar cases for your reference.

A member could not be added to or removed from the local group because the member does not exist.
https://social.technet.microsoft.com/Forums/windows/en-US/0c5222c7-7990-439b-93e3-9bc69d652588/a-member-could-not-be-added-to-or-removed-from-the-local-group-because-the-member-does-not-exist?forum=winserverDS


AD Connect Setup: A member could not be added to or removed from the local group because the member does not exist
https://docs.microsoft.com/en-us/answers/questions/40034/ad-connect-setup-a-member-could-not-be-added-to-or.html



Best Regards,
Daisy Zhou

Thameur-BOURBITA answered

Hi,
If you want to add a user from another domain to a local group on one of your member servers, you should avoid adding it directly. Try to use a domain group with domain local scope.

Did you try to add a group instead of a user?

Try to create a new group in the same domain with domain local scope to accept members from another domain, then add it to the local group on the member server.

  1. Create a new domain group in the same domain as the member server with domain local scope

  2. Add this group to the local group of the member server

  3. Add users from the other domain to the domain group



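The three steps above as an added PowerShell example, run on the member server (VM19 in the question) as a domain A administrator; this is not code from any post in this thread. It first checks that the server can resolve a domain B account to a SID at all, since that lookup is what the "member does not exist" error reports, and then performs the group setup. The domain names, DC host name, user and group name are assumptions.

```powershell
# Added example; not from any post in this thread. All names below are assumptions.
Import-Module ActiveDirectory

$DomainA   = 'CORP-A'               # NetBIOS name of the member server's own domain (A)
$DomainB   = 'USERS-B'              # NetBIOS name of the trusted user domain (B)
$DcB       = 'dc01.users-b.local'   # a domain controller of domain B
$UserB     = 'jdoe'                 # sAMAccountName of the domain B user to grant access
$GroupName = 'TFS-Users-DL'         # domain-local group to create in domain A

# Step 0: can this server resolve the domain B account to a SID? If this throws, the
# problem is trust / name resolution on VM19, not Azure DevOps, and steps 1-3 will
# not succeed either.
try {
    $sid = ([System.Security.Principal.NTAccount]"$DomainB\$UserB").Translate(
               [System.Security.Principal.SecurityIdentifier])
    Write-Host "Resolved $DomainB\$UserB to $sid"
} catch {
    throw "VM19 cannot resolve $DomainB\$UserB : $($_.Exception.Message)"
}

# Step 1: create a domain-local security group in the member server's own domain (A).
# Domain-local is the only scope that may hold principals from a trusted external domain.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
                -Description 'Domain B users allowed on TFS/Azure DevOps member servers'
}

# Step 2: put the domain A group into the local Users group on this member server.
# A same-domain group avoids the cross-domain lookup that fails for the raw user.
$already = Get-LocalGroupMember -Group 'Users' -ErrorAction SilentlyContinue |
           Where-Object Name -eq "$DomainA\$GroupName"
if (-not $already) {
    Add-LocalGroupMember -Group 'Users' -Member "$DomainA\$GroupName"
}

# Step 3: add the domain B user to the domain A group. Fetching the object from a
# domain B DC lets AD store it as a foreign security principal in domain A.
$userObj = Get-ADUser -Identity $UserB -Server $DcB
Add-ADGroupMember -Identity $GroupName -Members $userObj

# Verify: the member attribute should now contain the FSP for the domain B user's SID.
(Get-ADGroup -Identity $GroupName -Properties member).member
```

Repeat step 3 (or pass a list to -Members) for the remaining domain B users; the local group membership on the server never needs to change again.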
SCLANOFRANCESCO-5839 answered DaisyZhou-MSFT edited

I apologize for my late reply.
I got official Microsoft support involved; as soon as we get the results I will share them on this forum.


Hello @SCLANOFRANCESCO-5839,

Thank you for your update.

Meanwhile, thank you for your sharing the result in advance!

I hope the issue will be resolved soon.

Thank you for your time and efforts.



Best Regards,
Daisy Zhou

RyanWilson-2019 answered

Hey, have you had any updates on this?

I have a SharePoint 2019 with the same issue.
