If you are running Active Directory in mixed mode and the FSMO roles are on a Windows 2000 or Windows 2003 DC, you won’t be able to see the following built-in groups:
- Event Log Readers
- Cryptographic Operators
- Certificate Service DCOM Access
Some of these groups were introduced with Windows 2008, and some of them have changed name. For example, Certificate Service DCOM Access serves the same purpose as CERTSVC_DCOM_ACCESS in Windows 2003.
However, if you are running Active Directory in Windows 2000/2003 and Windows 2008 mixed mode and your PDC Emulator FSMO role is not on the Windows 2008 DC, you won’t be able to see these groups. You need to transfer the PDC Emulator FSMO role to a Windows 2008/Windows 2008 R2 DC (or the newest OS in the domain) to resolve this issue.
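The check described above, as an added example that is not part of the original post: it reports the domain mode, which DC holds the PDC Emulator and its OS, and which of the three groups are absent when queried on that DC. It assumes the ActiveDirectory PowerShell module (RSAT) and a DC reachable through AD Web Services or the AD Management Gateway Service; $TargetDc is a placeholder for the newer DC you would transfer the role to.

```powershell
# Added example, not the post's own script. Assumes the ActiveDirectory module
# and a DC that answers AD Web Services / AD Management Gateway queries.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = Get-ADDomainController -Identity $domain.PDCEmulator

Write-Host "Domain mode : $($domain.DomainMode)"
Write-Host "PDC Emulator: $($pdc.HostName) ($($pdc.OperatingSystem))"

# The built-in groups the post says are missing while the PDC Emulator
# sits on a Windows 2000 / 2003 DC.
$expected = 'Event Log Readers',
            'Cryptographic Operators',
            'Certificate Service DCOM Access'

$missing = foreach ($name in $expected) {
    # Ask the PDC Emulator itself so replication lag cannot mask the result.
    $g = Get-ADGroup -Filter "Name -eq '$name'" -Server $pdc.HostName
    if (-not $g) { $name }
}

if (-not $missing) {
    Write-Host "All three groups are present."
    return
}

Write-Warning ("Built-in groups not present: " + ($missing -join ', '))

if ($pdc.OperatingSystem -match '2000|2003') {
    Write-Warning "PDC Emulator runs $($pdc.OperatingSystem); transfer the role to a 2008 / 2008 R2 (or newer) DC."
    # $TargetDc is a placeholder for that newer DC. Uncomment to transfer:
    # Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole PDCEmulator
}
```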
Update - Wednesday, July 25, 2012 9:50 PM
I received the following email from Chris regarding this topic. I thought I would share it with you.
From: Christoffer Andersson
Sent: Wednesday, July 25, 2012 9:50 PM
To: Santhosh Sivarajan
Subject: Active Directory - Built-In Groups
Just came across your article: http://portal.sivarajan.com/2012/03/active-directory-mixed-mode-and-built.html
Just wanted to share that: This can be accomplished without moving/transferring the PDC to a DSA running the latest bits: (This is how MS deals with the presence of the required RODC* groups even if the PDC isn’t running Win2k8 or above.)
The state of “runSamUpgradeTasks” is stored in sam-domain-updates; I haven’t really had time to decode the values yet, but lowering it allows re-creation of built-in groups.
Modifying the “wellKnownOtherObjects” attribute on the SamServer object at the PDC (1. WIN2K DC) to contain “B:32: 6ACDD74F3F314AE396F62BBE6B2DB961:<X>”, where <X> is the NTDS Settings object of (3. WIN2K3 DC), and then calling “runSamUpgradeTasks” will cause the new groups defined in the Windows Server 2003 release to be created in the domain without moving the PDC role off the (1. WIN2K DC).
Christoffer Andersson – Principal Advisor