Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Unable to promote or demote a DC

Posted on 2007-11-15
4
Medium Priority
?
781 Views
Last Modified: 2010-04-21
I have an account that is part of the Domain admins group, the Schema admins group, and the server operators group but I am unable to promote or demote a domain controller.  I am the one who installed and configured all of these servers. Our security guy implemented a bunch of GPO's that I am now in charge of but I can't find anything that would stop me from promoting a server.  Any Ideas?  The error I get  says that my account doesn't have access to change the account for z000tsm1$ to a domain controller.  I can get the exact words if someone needs them.
0
Comment
Question by:m-moloney
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 15

Expert Comment

by:JimboEfx
ID: 20292317
Get the exact words.
Get any errors in the event logs.
But most importantly, find out what your 'security guy' has changed - in detail.
0
 
LVL 15

Accepted Solution

by:
JimboEfx earned 2000 total points
ID: 20292332
was the message like this?

http://support.microsoft.com/kb/250874

note the reference to change to security policy...
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 20292604
Sometimes DCPromo gets stuck and you have to put the switch of DCPromo /f  from the command prompt. That /f forces DCpromo execution.

I have never run into a Access denied error when promoting or demoting a machine. Usually you are logged on as the Domain Administrator when trying to execute DCpromo. I also don't know of a GPO that will prevent you from removing the AD database.

If you look at your GPO's it must be a default domain policy, or a Group policy object on the whole domain to prevent the Domain Administrator from doing anything to the server's drive. Let me see if I can find the exact policy that would prevent this from happening.
0
 
LVL 3

Author Closing Comment

by:m-moloney
ID: 31409428
I checked the user rights assignment for delegating and it was configured but noone was added. DUH
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question