Domain Administrator on new member server doesn't have local admin rights ???

STLBCO
I created a member server that is W2003 R2.  I have installed all updates.  I have added it to my domain.  Everything appears normal.  EXCEPT when I log onto the server with the domain administrator's account, my access is limited on the member server.  Obviously I am not an administrator on the local server (the new one).  I was pretty sure that when I added any other server to the domain and logged in as the domain administrator I immediately had all rights to the local server.  Did something change that I'm not aware of?  (no surprise there).  Could use the steps to rectify this problem.  Thanks.

Top Expert 2007

Commented:
Hi STLBCO

Try demoting, then rejoining the server to the domain via dcpromo.

Regards

Commented:
If you want to keep it a member server, I wouldn't run dcpromo on it.

You can add your domain administrator account to the local admin group.  Are those the steps you are looking for?

Commented:
Right-click My Computer, select Manage, expand Local Users and Groups, right-click the Administrators group and insert your domain admin account.

If it is a member server, it won't necessarily grant your domain admin accounts full control.  
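The step above, done from a command prompt instead of the MMC, as an added example that is not part of the thread: it lists the local Administrators group and adds the domain's Domain Admins group if it is missing. The domain name STLBRIDGE is taken from the thread; run it on the member server from a prompt opened by an account that is already a local administrator.

```batch
@echo off
rem Added example (not from the thread): verify that the domain's admin
rem principals are members of the LOCAL Administrators group on a member
rem server, and add the Domain Admins group if it is missing.
rem Domain name STLBRIDGE is taken from the thread.
setlocal
set DOMAIN=STLBRIDGE

echo Current members of the local Administrators group:
net localgroup Administrators

rem On a healthy domain join, "Domain Admins" is placed in the local
rem Administrators group automatically. If it is absent, the join itself
rem probably did not complete cleanly, which is worth checking before
rem adding principals by hand.
net localgroup Administrators | find /i "Domain Admins" >nul
if errorlevel 1 (
    echo "%DOMAIN%\Domain Admins" is missing from local Administrators - adding it.
    net localgroup Administrators "%DOMAIN%\Domain Admins" /add
) else (
    echo "%DOMAIN%\Domain Admins" is already a local administrator.
)

rem Grant the group rather than individual accounts where possible: local
rem admin access is then controlled centrally through the domain group's
rem membership instead of being scattered across servers.
endlocal
```

The check on `find` relies on `net localgroup` printing members as `DOMAIN\Group`; on a localized Windows the built-in group is not named `Administrators`, so adjust the group name accordingly.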
Author

Commented:
Wow, thanks for the quick response.  I want to make this an AD server, but was hesitant to do it if it's still having security issues.  I tried removing and re-adding it to the domain, but no joy on that one.  I'll take a look at the other suggestions.

Do you think making it an Active Directory server will download the right security to it?

Commented:
My fault.  I didn't realize you wanted to make this an AD DC.  There aren't security issues with AD that haven't been addressed already, especially if you are using Windows 2003 servers/AD.  By running dcpromo, the Domain Admins group along with several other AD-only groups (schema, etc.) will be added.

Author

Commented:
Well .........in the perfect world I guess.

I started by adding DNS & DHCP first.  Then when I went to run DCPROMO (I forgot to run the netdiag/dcdiag utilities) it couldn't find the domain.  So I went back to look at DNS and it hadn't updated with the DNS on the other AD server.  When I ran netdiag, it fails with the domain error "NO_SUCH_DOMAIN", but my domain is stlbridge.local, and in the error message it lists the domain that can't be found as STLBRIDGE ???

Maybe I should remove DNS and try again? Or remove it from the domain altogether and then re-add it?

BTW I had added Domain Admins to the local administrator account thinking that would work - Added the administrator account and it worked perfectly, but then on to the next problem.......

Commented:
(Almost sounds like a new question...)   Hahahahaha!!  Just kidding.

Make sure your server has a static IP address, that you have a static DNS entry (use the DNS server of your existing AD DC as the primary DNS) and that you are logged into the server as a domain admin.
Top Expert 2007
Commented:
Hi STLBCO

* Hey, hang on! Are you installing DNS and DHCP on your member candidate server? That is the wrong way to begin.
* First of all, this machine's IP must be in the same subnet as your domain controller, and the preferred DNS server in the TCP/IP properties should be the domain controller's IP.
* You should be able to ping your PDC (primary domain controller) by name from the command line. If you can't, you can't join this domain.
* DHCP and DNS are usually not configured/installed under normal conditions unless you have a different/special purpose.

Regards
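The prerequisites listed in the two replies above (static address, same subnet, preferred DNS pointing at the existing DC, DC reachable by name), as an added pre-flight script that is not part of the thread. It is meant to run on the new server (STLB-MAIN in this thread) before dcpromo, against the existing DC (STLB-BACKUP); the names and the domain stlbridge.local come from the thread, `DC_IP` is a placeholder for the real DC address, and the Support Tools path is an assumption.

```batch
@echo off
rem Added example (not from the thread): pre-dcpromo checks run on the new
rem server against the existing DC. Server/domain names come from the thread;
rem DC_IP must be replaced with the existing DC's real address.
setlocal
set DOMAIN=stlbridge.local
set DC_NAME=stlb-backup.%DOMAIN%
set DC_IP=REPLACE_WITH_DC_IP

echo === 1. Addressing: static, same subnet, preferred DNS = the existing DC ===
ipconfig /all | findstr /i /c:"DHCP Enabled" /c:"IP Address" /c:"Subnet Mask" /c:"DNS Servers"
rem Only the first "DNS Servers" line is the preferred server; that is the one
rem dcpromo and netdiag will query for the domain's locator records.
ipconfig /all | findstr /i /c:"DNS Servers" | findstr /c:"%DC_IP%" >nul
if errorlevel 1 echo WARNING: preferred DNS server is not %DC_IP% - dcpromo will report the domain as not found.

echo === 2. The DC must resolve and answer by name ===
nslookup %DC_NAME% %DC_IP%
ping -n 1 %DC_NAME% >nul
if errorlevel 1 (echo FAIL: cannot ping %DC_NAME% by name) else (echo OK: %DC_NAME% answers by name)

echo === 3. Domain locator records: this is what "NO_SUCH_DOMAIN" really means ===
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% %DC_IP%
nslookup -type=SRV _kerberos._tcp.%DOMAIN% %DC_IP%

echo === 4. Support Tools checks, if installed (path is an assumption) ===
if exist "%ProgramFiles%\Support Tools\netdiag.exe" (
    "%ProgramFiles%\Support Tools\netdiag.exe" /test:dns
) else (
    echo netdiag.exe not found - install the Windows Server 2003 Support Tools to run it.
)
endlocal
```

If step 3 returns no SRV records while step 2 succeeds, the server is talking to a DNS server that does not host the domain zone (for example a locally installed, empty DNS server or an ISP resolver), which matches the NO_SUCH_DOMAIN symptom earlier in the thread.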

Commented:
He phrased the solution better than I did.

Author

Commented:
Never activated the DHCP scope and removed the DNS (figured the same thing).  Removed and then rejoined the domain and the directories seem to be talking.  I'm going to give it 30 minutes to finish replicating everything and then see if I can then install the DNS.  (maybe I don't need it???)

They are in the same subnet.  Not sure why DNS was installed in the first place.  It was on both servers.  ( I am rebuilding one of them - hence all the problems.  First one crashed taking the Exchange server with it).  I'm trying to get to a stable AD platform so that I can start the Exchange madness.......

Commented:
What do you mean install DNS?

Author

Commented:
installed the DNS server on the AD

Author

Commented:
Now I'm having issues replicating, which is about where I started this madness about 5 days ago.  I'm very frustrated at this point.  I've started from square zero 3 times already.  I have a feeling that the newer software (R2?) doesn't like my existing AD server at all.  I have never had this much trouble trying to bring up a piece of hardware in my life and I've done more than a few dozen installations in the past.  I am not sure why this one is proving so difficult.  I'll see if I can post the dcdiag and error list.

Commented:
Hang in there.  We'll get it.  Are there any routers/firewalls in between the two servers?  Is DNS installed before you do the dcpromo, and is the server you are promoting to a DC using the other DC as the primary DNS entry?

Author

Commented:
Nothing between - firewall settings off.....on same switch

DNS and AD Global catalog server exist on network.

DNS was installed after dcpromo

It is now using the other DC as the primary DNS entry (I'm assuming in the DNS entries for the IP protocol on the network card.....sorry, head is starting to hurt)

However, I get access denied when I try to get into the DNS server on the newly promoted DC.  DNS server service is running.  Got a 13508 error in the FRS log as it's having trouble replicating

=================================================================================
The File Replication Service is having trouble enabling replication from STLB-BACKUP to STLB-MAIN for c:\windows\sysvol\domain using the DNS name stlb-backup.stlbridge.local. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name stlb-backup.stlbridge.local from this computer.
 [2] FRS is not running on stlb-backup.stlbridge.local.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
==================================================================================

Commented:
Enter the DNS suffix on your new DC (it should already be there, but....)

Commented:
Also, check the DNS entries on your old DC to see if the new server has been entered.

Author

Commented:
netdiag gives me
"the system volume has not been completely replicated"
"cannot find a primary authoritative DNS server for the name 'stlb-main.stlbridge.local'"
"The name 'stlb-main.stlbridge.local' may not be registered."

dcdiag gives me
"DSGetDcName returned information for \\stlb-main.stlbridge.local when we were trying to reach STLB-MAIN"

Commented:
For what it's worth, I have never installed DNS after promoting to a DC.  I always have DNS installed beforehand.  I hate to see you have to de-promote it again.

Commented:
Check the DNS entries on your original DNS server.

Author

Commented:
Can't get there from here.......dc won't let me check

however name is listed as stlb-main.stlbridge.local and domain as stlbridge.local

I did check the DNS entries and they look ok to me, but I may be missing something.

Author

Commented:
same as parent looked the same in old dns

The A record didn't have the PTR checked; did that..............

Author

Commented:
If I have to, I'll de-promote it.  I've been through all the ntdsutil stuff, etc., clearing out things when it hasn't come out cleanly.  I swear it looked pretty clean this time around before I dcpromo'd it.

Commented:
It's 5:30pm here.  I am heading out but will have my laptop with me when I get home.  I will check with my neighbor, who is a Sr. AD Engineer for the KY State IS Department.  I will ask him why this is failing and what to do next.  He handles this AD BS all day.  I will post back later this evening with some info (hopefully productive) and go from there.

Author

Commented:
Yeah, it's 4:35 here so I'm not far behind you.  If you have something good, post it please; I'll probably come in around 5am for a last-ditch effort tomorrow.  I foresee one of those 16-hour days (and a Friday too....@#$#)

Thanks a lot for all the help, I REALLY appreciate it.
Commented:
Not a problem.  I will help as much as I can.  I try to keep up with the posts.  I would recommend that you close this question and open another in the AD section.  The AD gurus may be able to offer MUCH more exact info than what I may know, and they may have seen something like this before.  If not, it's cool.

Anyhow, after talking to the senior AD guy, he made the following recommendations.  80% of the problems with AD come from DNS errors.  We should start with that.

1.  Demote your existing DC
2.  Verify the FRS is running on the other DC server
3.  Make sure that DNS is installed
4.  Promote the DC

We need to make sure that we get it right this time, as too many changes without proper replication will mess up the DCs.

Commented:
Have you restarted the FRS service on the original server?

Author

Commented:
I will try that right now......thanks

Will update status here shortly.  I almost did that very same thing last night, but thought I would wait.

Once more into the breach...................

Commented:
Good luck!  Verify the FRS is running on the DCs.

Author

Commented:
Well the dcpromo went ok and then I went ahead and removed the DNS server also.  I rebooted after each.  On the restart, I had a 111666 DNS error which had something to do with the A record.   Using www.eventid.net (an excellent resource) I found that the security was hosed on the A record for this server so I deleted it and did an ipconfig /registerdns and it was all good.   Reloaded DNS and rebooted - good, then reloaded AD.  Sort of good.  It appears that DFS, DNS and Directory replication are all good from the logs but still having 13508 (FRS is having trouble replicating....).  I thought I would give it 30 minutes to make sure we still have a problem.

I restarted FRS on the other server and it is running on this one.  That's where it stands as of right now.  I'm going to poke around on the 13508 error and see what I can find out.

Author

Commented:
Here's an interesting side note...!
I went to access the DNS console on the new server and it's access denied??????????????

Commented:
Well isn't that interesting.  Let me see what I can find.

Commented:
Can you access the DNS console from the original DC and are you using GPO's?

Author

Commented:
Yes.  I think I found the fix for that - restarting the server now.  I also found that the SYSVOL on the new AD was there, but not shared and did not have any security on it.  So I manually added that to the folder by comparing it to the SYSVOL on the working AD.  Yes, I can access DNS on the working AD.

Well it's come up and it's all good except for the #@#$@ 13508 error having trouble enabling replication.

I think I will move this to the AD forum now.  I appreciate your help very much.  Thanks for hanging in there with me.  450 for you and 50 for Mrh as he did also help some.....

Commented:
Great working with you STLBCO.  You did great!  Now enjoy your weekend.  Thanks for the points!

Author

Commented:
Just to follow up, I didn't move to the AD forum......

Found this article (again - didn't try it the first time)

http://support.microsoft.com/default.aspx?scid=kb;en-us:290762

Using the BurFlags registry key to reinitialize File Replication Service replica sets.  Once I followed that and restarted the server, everything seems to be working.  I'm backing it up now and letting it sit on the network for a bit to see if it generates errors before I move on to reloading our Exchange server.  It was great having you for support.  Got to come up with a better name for me, used the company letters....blah..

Have a good weekend!
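The FRS checks suggested earlier in the thread (is NtFrs running on both DCs, is SYSVOL shared) together with the KB 290762 BurFlags reinitialisation the author ended with, as an added script that is not part of the thread. It is written to run on the newly promoted DC (STLB-MAIN); the server names come from the thread, and the registry path and the D2/D4 values are the ones documented in KB 290762.

```batch
@echo off
rem Added example (not from the thread): FRS/SYSVOL health checks on the new
rem DC and, only when explicitly requested, the NON-authoritative (D2)
rem BurFlags reset from KB 290762. Server names come from the thread.
rem D4 (authoritative) discards every other DC's SYSVOL in favour of this
rem one; it belongs only on the single DC whose SYSVOL you trust, never on
rem a freshly promoted DC and never on both DCs at once.
setlocal
set GOOD_DC=STLB-BACKUP
set FRS_KEY=HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

echo === FRS service state on this DC and on %GOOD_DC% ===
sc query ntfrs | find "STATE"
sc \\%GOOD_DC% query ntfrs | find "STATE"

echo === SYSVOL and NETLOGON shares (absent here = initial replication never finished) ===
net share | findstr /i "SYSVOL NETLOGON"
net view \\%GOOD_DC% | findstr /i "SYSVOL NETLOGON"

if /i not "%1"=="reset" (
    echo Checks done. Run "%~nx0 reset" to apply the non-authoritative BurFlags reset.
    goto :eof
)

echo === KB 290762: non-authoritative restore of this DC's replica set ===
net stop ntfrs
rem BurFlags D2 = decimal 210: on the next start FRS discards this DC's copy
rem of SYSVOL and re-sources it from a replication partner.
reg add "%FRS_KEY%" /v BurFlags /t REG_DWORD /d 210 /f
net start ntfrs
echo Now watch the File Replication Service event log:
echo   13516 = SYSVOL initialised and shared on this DC
echo   13509 = the connection that was logging 13508 has been established
endlocal
```

Run it without arguments first; the reset branch only runs when `reset` is passed, so the service is not stopped by accident while a slow initial replication is still in progress, which is the situation the thread's 13508 warning describes.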
