Solved

Unable to promote or demote a DC

Posted on 2007-11-15
4
772 Views
Last Modified: 2010-04-21
I have an account that is part of the Domain admins group, the Schema admins group, and the server operators group but I am unable to promote or demote a domain controller.  I am the one who installed and configured all of these servers. Our security guy implemented a bunch of GPO's that I am now in charge of but I can't find anything that would stop me from promoting a server.  Any Ideas?  The error I get  says that my account doesn't have access to change the account for z000tsm1$ to a domain controller.  I can get the exact words if someone needs them.
0
Comment
Question by:m-moloney
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 15

Expert Comment

by:JimboEfx
ID: 20292317
Get the exact words.
Get any errors in the event logs.
But most importantly, find out what your 'security guy' has changed - in detail.
0
 
LVL 15

Accepted Solution

by:
JimboEfx earned 500 total points
ID: 20292332
was the message like this?

http://support.microsoft.com/kb/250874

note the reference to change to security policy...
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 20292604
Sometimes DCPromo gets stuck and you have to put the switch of DCPromo /f  from the command prompt. That /f forces DCpromo execution.

I have never run into a Access denied error when promoting or demoting a machine. Usually you are logged on as the Domain Administrator when trying to execute DCpromo. I also don't know of a GPO that will prevent you from removing the AD database.

If you look at your GPO's it must be a default domain policy, or a Group policy object on the whole domain to prevent the Domain Administrator from doing anything to the server's drive. Let me see if I can find the exact policy that would prevent this from happening.
0
 
LVL 3

Author Closing Comment

by:m-moloney
ID: 31409428
I checked the user rights assignment for delegating and it was configured but noone was added. DUH
0

Featured Post

Edgartown IT Case Study

Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question