Friendly names of Key Admins groups aren't displayed in Windows Server 2016

Applies to: Windows Server 2016

Symptoms


In Windows Server 2016, running the ADPREP /DOMAINPREP command creates, and grants permissions to, two new security principals that have the relative identifiers (RIDs) 526 and 527. These are the Key Admins and Enterprise Key Admins security groups. In this scenario, SIDs ending in RID 526 and 527 can't be resolved to friendly names until a Windows Server 2016 domain controller holds the primary domain controller (PDC) emulator Flexible Single Master Operation (FSMO) role.

Security properties

Additionally, both groups are given read and write access to the ms-DS-Key-Credential-Link attribute (LDAP display name msDS-KeyCredentialLink) on all child objects under the domain root.

The Enterprise Key Admins group (RID 527) has full control of the domain naming context (NC) head and all subordinate objects in the forest root domain and all child domains.


Cause


Windows Server 2016 introduces new security principals. The ADPREP /DOMAINPREP command defines permissions for these security principals in the Active Directory partitions.

Friendly names are displayed for security principals when a computer running the operating system (OS) version that introduced them is deployed in key roles in an Active Directory forest.

Regarding the default permissions assigned to the key admin groups, the intention is for the Enterprise Key Admins group to have delegated write access on the msDS-KeyCredentialLink attribute only, which is identical to the access that the domain-level Key Admins group has. Full control of the domain NC head is not part of the intended delegation.
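The following PowerShell is an added example, not part of the original article, that audits what ADPREP actually granted to these two groups on the domain NC head so you can tell the intended ACE (read/write on msDS-KeyCredentialLink, inherited to descendants) from the full-control grant described above. It assumes the RSAT ActiveDirectory module is available in a domain-joined session with rights to read the domain's security descriptor; it compares ACEs by SID so it works even while the friendly names don't resolve yet.

```powershell
# Added example (not from the original article): audit ACEs granted to
# Key Admins (RID 526) and Enterprise Key Admins (RID 527) on the domain NC head.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName

# Look up the schema GUID of msDS-KeyCredentialLink instead of hard-coding it.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$kclAttr  = Get-ADObject -SearchBase $schemaNc `
              -LDAPFilter '(lDAPDisplayName=msDS-KeyCredentialLink)' `
              -Properties schemaIDGUID
$kclGuid  = [guid]$kclAttr.schemaIDGUID

# Key Admins is relative to this domain's SID; Enterprise Key Admins lives in
# the forest root domain, so its SID is built from the root domain's SID.
$rootSid         = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID
$keyAdminsSid    = New-Object System.Security.Principal.SecurityIdentifier("$($domain.DomainSID)-526")
$entKeyAdminsSid = New-Object System.Security.Principal.SecurityIdentifier("$rootSid-527")

$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$acl = Get-Acl -Path "AD:\$domainDn"

$acl.Access | ForEach-Object {
    $ace = $_
    # IdentityReference is an NTAccount when the name resolves and a raw SID when it doesn't.
    $aceSid = try { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) } catch { $null }
    if ($aceSid -ne $keyAdminsSid -and $aceSid -ne $entKeyAdminsSid) { return }

    $appliesTo = if ($ace.ObjectType -eq $kclGuid)     { 'msDS-KeyCredentialLink' }
                 elseif ($ace.ObjectType -eq [guid]::Empty) { 'whole object / all properties' }
                 else                                       { $ace.ObjectType.ToString() }

    $verdict = if ($ace.ActiveDirectoryRights.HasFlag($fullControl)) {
                   'UNEXPECTED: full control; intended scope is msDS-KeyCredentialLink only'
               } elseif ($ace.ObjectType -eq $kclGuid) {
                   'expected: delegated access on msDS-KeyCredentialLink'
               } else {
                   'review'
               }

    [pscustomobject]@{
        Identity    = $ace.IdentityReference.Value
        Group       = if ($aceSid -eq $keyAdminsSid) { 'Key Admins (526)' } else { 'Enterprise Key Admins (527)' }
        Rights      = $ace.ActiveDirectoryRights
        AppliesTo   = $appliesTo
        Inheritance = $ace.InheritanceType
        Type        = $ace.AccessControlType
        Verdict     = $verdict
    }
} | Format-Table -AutoSize
```

Run this against the forest root and each child domain, because the article states the Enterprise Key Admins full-control ACE is present in all of them. A row marked UNEXPECTED is the over-grant; what to do about it is a change-control decision for your environment, and this script only reports it.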
 

Resolution


To make SIDs with RID 526 and 527 resolve to friendly names, host the PDC emulator FSMO role on a Windows Server 2016 domain controller. To do this, either install a Windows Server 2016 DC as the first DC in a new forest or transfer the PDC emulator FSMO role to an existing Windows Server 2016 DC.
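As an added example that is not part of the original article, the PowerShell below shows the whole check-and-fix sequence: identify the current PDC emulator and its operating system, test whether the two SIDs resolve, transfer the role if the holder is not running Windows Server 2016, and re-test. It assumes the RSAT ActiveDirectory module; the target DC name DC2016 is a placeholder for a Windows Server 2016 DC in your domain.

```powershell
# Added example (not from the original article): verify the PDC emulator holder,
# test 526/527 SID resolution, transfer the role if needed, and re-test.
# Assumes the RSAT ActiveDirectory module; 'DC2016' is a placeholder DC name.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = Get-ADDomainController -Identity $domain.PDCEmulator
"PDC emulator: {0} running {1}" -f $pdc.HostName, $pdc.OperatingSystem

# Key Admins (526) is relative to this domain's SID; Enterprise Key Admins (527)
# is relative to the forest root domain's SID.
$rootSid = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID
$sids = [ordered]@{
    'Key Admins (RID 526)'            = "$($domain.DomainSID)-526"
    'Enterprise Key Admins (RID 527)' = "$rootSid-527"
}

function Test-KeyAdminSidResolution {
    foreach ($entry in $sids.GetEnumerator()) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Value)
        try {
            # LSA lookup; succeeds only once the PDC emulator is a Windows Server 2016 DC
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            "{0}: {1} -> {2}" -f $entry.Key, $entry.Value, $name
        } catch [System.Security.Principal.IdentityNotMappedException] {
            "{0}: {1} -> UNRESOLVED" -f $entry.Key, $entry.Value
        }
    }
}

"Before:"
Test-KeyAdminSidResolution

if ($pdc.OperatingSystem -notlike '*2016*') {
    # Clean transfer (not a seizure): the current holder must be online.
    Move-ADDirectoryServerOperationMasterRole -Identity 'DC2016' `
        -OperationMasterRole PDCEmulator -Confirm:$false

    "After transfer:"
    (Get-ADDomain).PDCEmulator
    Test-KeyAdminSidResolution
}
```

If the names still show as UNRESOLVED immediately after the transfer, allow the role change to replicate and query a Windows Server 2016 DC directly before concluding the transfer did not take effect.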