[Windows Server 2008 R2 SP1, latest hotfixes as of March 15, 2013]. I have a security group called "IT" in Domain1. I have a server2 in Domain2. There is a one-way trust from Domain1 into Domain2. I want to share a folder called "Apps" on server2 so that the IT group on Domain1 can access it. I am successfully sharing, but something is weird. When I originally added Domain1\IT as a group to access the shared folder, it showed up with the correct icon and text in the sharing dialog. But when I re-open the Sharing dialog to review the permissions, it takes a very long time to enumerate, and then finally shows a ? icon, with the text "<Unknown Contact>". The shared folder is correctly accessible by the IT group in Domain1, but this makes me feel that something is wrong. Anyone know why?
Windows 2008 R2 Folder Sharing across domain displays
Tags: network-share, windows-server-2008-r2
Best Answer
So your "Unknown Contact" is what's known as a foreign security principal in Domain2. There is a container in the default naming context of your directory at CN=ForeignSecurityPrincipals,DC=domain2,DC=com. Inside that container should be pointers that Active Directory will use to resolve all the people from Domain1 that are known to Domain2. Domain2 knows the SIDs, but it has to ask Domain1 to kindly translate that SID into a SamAccountName. Because your trust is one-way, Domain2 can't do that because Domain1 doesn't trust it.
You could enable anonymous SID translation in Domain1, but that's a security risk. Or you could make your trust 2-way.
What you have now, "Unknown Contact", isn't preventing anything from working, as you have noticed, since the SID is sufficient to check the forest trust. It's just kind of an aesthetic problem right now.
More MS documentation:
And finally, this bit from the Microsoft AskDS blog (which is a great blog btw):
http://blogs.technet.com/b/askds/archive/2011/07/28/troubleshooting-sid-translation-failures-from-the-obvious-to-the-not-so-obvious.aspx
Edit: As a workaround, you could consider creating a security group in Domain2 called "People who can access Apps on Server2" and add the user principals from Domain1 to that group.
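To see which foreign security principals in Domain2 can still be translated back to a DOMAIN\Name (and which are stuck as the "<Unknown Contact>" the question describes), here is an added PowerShell check; it is not from the original answer, it assumes you run it on a Domain2 member with read access to the directory, and the container DN is a placeholder you must replace with your own.

```powershell
# Added example: enumerate the foreignSecurityPrincipal objects in Domain2 and
# try to translate each stored SID to an NT account name through the trust.
# Written for PowerShell 2.0 (what Server 2008 R2 ships with), so no [PSCustomObject].
# ASSUMPTION: replace the DN below with the real container DN of your domain.
$fspDn = "LDAP://CN=ForeignSecurityPrincipals,DC=domain2,DC=com"

function Get-FspTranslationStatus {
    param([string]$ContainerPath)

    $container = [ADSI]$ContainerPath
    $searcher  = New-Object System.DirectoryServices.DirectorySearcher($container)
    $searcher.Filter   = "(objectClass=foreignSecurityPrincipal)"
    $searcher.PageSize = 500
    $null = $searcher.PropertiesToLoad.Add("objectSid")
    $null = $searcher.PropertiesToLoad.Add("distinguishedName")

    foreach ($entry in $searcher.FindAll()) {
        $sidBytes = $entry.Properties["objectsid"][0]
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        try {
            # Translate() asks the local DC, which in turn must ask the SID's home
            # domain; this is the lookup that the sharing dialog performs.
            $name   = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $status = "Resolved"
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # The SID exists in Domain2 but its home domain did not answer;
            # this is the object the GUI renders as "<Unknown Contact>".
            $name   = $null
            $status = "Unresolved"
        }
        New-Object PSObject -Property @{
            Sid    = $sid.Value
            Name   = $name
            Status = $status
            DN     = $entry.Properties["distinguishedname"][0]
        }
    }
}

# Unresolved entries first; well-known SIDs (e.g. Authenticated Users) also live
# in this container and are expected to resolve locally.
Get-FspTranslationStatus -ContainerPath $fspDn |
    Sort-Object Status |
    Select-Object Status, Sid, Name, DN |
    Format-Table -AutoSize
```

An "Unresolved" row for a SID from Domain1 confirms the one-way-trust translation failure the answer describes rather than a permissions problem on the share itself.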