Solved

Unable to promote or demote a DC

Posted on 2007-11-15
4
773 Views
Last Modified: 2010-04-21
I have an account that is part of the Domain admins group, the Schema admins group, and the server operators group but I am unable to promote or demote a domain controller.  I am the one who installed and configured all of these servers. Our security guy implemented a bunch of GPO's that I am now in charge of but I can't find anything that would stop me from promoting a server.  Any Ideas?  The error I get  says that my account doesn't have access to change the account for z000tsm1$ to a domain controller.  I can get the exact words if someone needs them.
0
Comment
Question by:m-moloney
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 15

Expert Comment

by:JimboEfx
ID: 20292317
Get the exact words.
Get any errors in the event logs.
But most importantly, find out what your 'security guy' has changed - in detail.
0
 
LVL 15

Accepted Solution

by:
JimboEfx earned 500 total points
ID: 20292332
was the message like this?

http://support.microsoft.com/kb/250874

note the reference to change to security policy...
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 20292604
Sometimes DCPromo gets stuck and you have to put the switch of DCPromo /f  from the command prompt. That /f forces DCpromo execution.

I have never run into a Access denied error when promoting or demoting a machine. Usually you are logged on as the Domain Administrator when trying to execute DCpromo. I also don't know of a GPO that will prevent you from removing the AD database.

If you look at your GPO's it must be a default domain policy, or a Group policy object on the whole domain to prevent the Domain Administrator from doing anything to the server's drive. Let me see if I can find the exact policy that would prevent this from happening.
0
 
LVL 3

Author Closing Comment

by:m-moloney
ID: 31409428
I checked the user rights assignment for delegating and it was configured but noone was added. DUH
0

Featured Post

What Is Transaction Monitoring and who needs it?

Synthetic Transaction Monitoring that you need for the day to day, which ensures your business website keeps running optimally, and that there is no downtime to impact your customer experience.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question