Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Unable to promote or demote a DC

Posted on 2007-11-15
4
Medium Priority
?
786 Views
Last Modified: 2010-04-21
I have an account that is part of the Domain admins group, the Schema admins group, and the server operators group but I am unable to promote or demote a domain controller.  I am the one who installed and configured all of these servers. Our security guy implemented a bunch of GPO's that I am now in charge of but I can't find anything that would stop me from promoting a server.  Any Ideas?  The error I get  says that my account doesn't have access to change the account for z000tsm1$ to a domain controller.  I can get the exact words if someone needs them.
0
Comment
Question by:m-moloney
  • 2
4 Comments
 
LVL 15

Expert Comment

by:JimboEfx
ID: 20292317
Get the exact words.
Get any errors in the event logs.
But most importantly, find out what your 'security guy' has changed - in detail.
0
 
LVL 15

Accepted Solution

by:
JimboEfx earned 2000 total points
ID: 20292332
was the message like this?

http://support.microsoft.com/kb/250874

note the reference to change to security policy...
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 20292604
Sometimes DCPromo gets stuck and you have to put the switch of DCPromo /f  from the command prompt. That /f forces DCpromo execution.

I have never run into a Access denied error when promoting or demoting a machine. Usually you are logged on as the Domain Administrator when trying to execute DCpromo. I also don't know of a GPO that will prevent you from removing the AD database.

If you look at your GPO's it must be a default domain policy, or a Group policy object on the whole domain to prevent the Domain Administrator from doing anything to the server's drive. Let me see if I can find the exact policy that would prevent this from happening.
0
 
LVL 3

Author Closing Comment

by:m-moloney
ID: 31409428
I checked the user rights assignment for delegating and it was configured but noone was added. DUH
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question