Solved

Windows Server 2008 AD Domain Admins

Posted on 2009-04-03
3
313 Views
Last Modified: 2012-06-27
I am setting up a staging network complete with a whole new domain. I have decided to use Server 2008. (I'll add that currently this network is run inside of a VMWare ESX environment, but that shouldn't make a difference). My problem is, when i join new 2008 servers to the domain, my domain admin account that I created does not have admin rights. It looks like it has rights with a 2003 server joined to the domain, but 2008 just will not accept domain admin privileges from AD. The only difference that I see between the 2008 and 2003 servers is that XXXDOMAIN\Domain Admins is automatically listed in the builtin administrators group on the 2003 servers, but not the 2008. If i try and add XXXDOMAIN\Domain Admins on server 2008, it says it is already a member when I apply. I assume that since DA's are implicitly local admins, they just stopped having it list the group on server 2008. Am I missing something here?  I have tried re-joining the servers to the domain, and re-adding the account to AD. Any ideas?
0
Comment
Question by:downscm
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 18

Expert Comment

by:Americom
ID: 24070001
I don't know the exact root cause of your issue at the moment. But just FYI, one of our domains is with Windows Server 2003 domain and when we added Windows server 2008 as member servers of the Windows Server 2003 domain, the Domain Admins group of the Windows Server 2003 domain is listed in both the Win2k3 and Win2k8 member servers' local Administrators groups.

Have you tried to use restricted group GPO to add the Domain Admins group to these Windows Server 2008 member servers and see if the Domain Admins group will show up on the local Administrators group? What I'm not too clear is that if the Domain Admin account does not have right on the Windows server 2008 machine, how could you add the Domain Admins group to the local Administrators group without access denied message but one saying it is already a member when you click on apply.
0
 

Author Comment

by:downscm
ID: 24072603
Well I added the domain admin group to the 2008 local admins using the built in local Admin account. That's why it let me do that without access denied. I have not tried using GPO's. I will look into that.  
0
 

Accepted Solution

by:
downscm earned 0 total points
ID: 24172439
Reinstalled DC and rebuilt domain and it is working fine now. Don't know what was wrong.
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question