When the service account lacks the ability to discover a domain (due to permissions), particularly the root domain, an "Invalid Primary Authentication Provider Id" error is returned when adding a group with PrimaryAuthenticationProviderId = {id of domain}.
The inability to discover certain domains is why Safeguard shows some domains but not others.
In the case of the root domain, Safeguard nevertheless assigns the root domain an Id as a Primary Authentication Provider. That Id is invalid because the service account can't perform queries against the root domain.