🟠 High   ⏱ 5–30 min  Last verified: 06 July 2027
Affected versions: Windows Server 2019

πŸ“– ~2 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution β€” Primary Fix
  7. Solution β€” Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

On Windows Server 2019 domain controllers and member servers, a primary group SID anomaly blocks user authentication, group policy processing, or directory access. The impact ranges from single-user lockouts to forest-wide replication and trust failures, and remediation must follow change-control because identity is foundational to every dependent service.

Environment & Reproduction

The issue reproduces on Windows Server 2019 domain controllers running the ActiveDirectory PowerShell module, typically after group changes, GPO edits, migrations, or replication interruptions. Validate on a lab DC promoted into a forest functional level of 2016 or higher, and capture state before changes.

Get-ADDomain | Select Name,DomainMode,Forest
Get-ADDomainController -Filter * | Select HostName,OperatingSystem

Root Cause Analysis

The defect stems from a primary group SID anomaly where AD attributes, group memberships, policy precedence, or replication metadata diverge from the intended state. Common contributors include stale Kerberos tickets, oversized tokens, broken trust relationships, GPO targeting errors, and unresolved tombstone or SID conflicts after migration.

Quick Triage

Capture the failing user or computer object state, the relevant security event, and the resultant policy before applying changes. Snapshot replication health with repadmin and confirm time sync across DCs because Kerberos depends on a five-minute clock skew window.

repadmin /replsummary
w32tm /monitor

Step-by-Step Diagnosis

Walk the identity stack from the user object, through group membership and PSO precedence, to the authenticating DC and DNS resolver, collecting evidence for a primary group SID anomaly at each hop.

Get-ADUser jdoe -Properties PrimaryGroupID,MemberOf | Format-List PrimaryGroupID,MemberOf
Illustrative mockup for windows-server-2019 β€” error_dialog
Diagnosis view for primary group sid β€” Illustrative mockup β€” Progressive Robot

Solution β€” Primary Fix

Apply the targeted remediation below to restore expected behaviour for a primary group SID anomaly, then trigger replication and gpupdate so the change propagates across the domain.

Still having issues? Our Help Desk team can diagnose and resolve this for you. Get in touch for a free consultation.

# Reset primary group to Domain Users (RID 513)
Set-ADUser jdoe -Replace @{primaryGroupID=513}
Get-ADUser jdoe -Properties PrimaryGroupID
Illustrative mockup for windows-server-2019 β€” terminal_or_powershell
PowerShell remediation for primary group sid β€” Illustrative mockup β€” Progressive Robot

Solution β€” Alternative Approaches

Where the primary fix is blocked by change control, downtime windows, or licence limitations, the alternative path below achieves the same outcome via UI tools, scripted bulk operations, or staged group rollout.

# Add user back to Domain Users and demote prior primary group via Active Directory Users and Computers

Verification & Acceptance Criteria

Confirm the user, group, or trust now reports the expected state and that a representative authentication or access operation succeeds end-to-end against the affected workload.

(Get-ADUser jdoe -Properties PrimaryGroupID).PrimaryGroupID

Rollback Plan

If the change introduces regressions, restore the pre-change attributes from AD Recycle Bin, authoritative restore, or the documented backup, then force replication so the rollback is consistent across DCs.

Set-ADUser jdoe -Replace @{primaryGroupID=514}

Prevention & Hardening

Codify the validated identity baseline in Group Policy, fine-grained password policies, and AD delegation templates, and add scheduled health checks via repadmin, dcdiag, and AAD Connect Health where applicable.

# Audit users with non-default primaryGroupID quarterly
Get-ADUser -Filter {PrimaryGroupID -ne 513} -Properties PrimaryGroupID

Related: Kerberos KRB_AP_ERR_MODIFIED, NTLM fallback warnings, GPO event 1085, AD replication events 1864/2042, AAD Connect export errors, and trust authentication failures in the Security and Directory Service logs.

Related tutorial: View the step-by-step tutorial for Windows Server 2019.

View all Windows Server 2019 tutorials on the Tutorials Hub β†’

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Microsoft Learn: Active Directory Domain Services on Windows Server 2019, AD Recycle Bin, Fine-Grained Password Policies, AAD Connect, AGDLP, FSMO roles, and the official AD Forest Recovery Guide.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today β€” we respond within one business day.