BigmacMc asked:

No permissions on DC after promotion

A Windows 2012 R2 server was promoted as a DC in an existing domain. The domain is running functional level domain/forest of 2003. There are other 2012 R2 machines already promoted and behaving.

After the promotion we can log in with domain credentials but we can't run anything as Administrator - like Server Manager. A popup indicates we may not have sufficient rights. If I drill to c:\windows\system32\servermanager.exe and try to RunAs and enter domain credentials I get an access denied.

At this point I'd like to demote it as a DC, but can't open PowerShell or Server Manager as administrator.

Any ideas as to how I might troubleshoot this? As a 2nd option, is there a way to remotely demote the DC?

Amit:

I assume you have some GPO that is blocking access to your new DCs. Check which GPOs are applied on the DCs.

If you want to demote, you can delete them from AD and perform metadata cleanup and then promote again. However, until you find the cause, I don't see any reason for demoting them.
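
One way to run the GPO check suggested above from a healthy DC or a management host, since elevation fails on the affected server. This is an added example, not part of the original thread; the two DC names are placeholders, and the XML element names assume the standard `gpresult /x` report layout.

```powershell
# Added example: compare the computer-side GPOs applied to a failing DC
# against a healthy one. Run elevated on a healthy DC or a management host
# with the RSAT GroupPolicy and ActiveDirectory modules, as a domain admin.
Import-Module GroupPolicy, ActiveDirectory

$BadDC  = 'DC-NEW'    # placeholder: the DC that denies elevation
$GoodDC = 'DC-GOOD'   # placeholder: a 2012 R2 DC that behaves normally

# 1. GPO links that apply to the Domain Controllers OU, in precedence order
#    (InheritedGpoLinks includes links made directly on the OU).
$dcOu = (Get-ADDomain).DomainControllersContainer
Get-GPInheritance -Target $dcOu |
    Select-Object -ExpandProperty InheritedGpoLinks |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# 2. Confirm both computer accounts actually sit in that OU after promotion.
Get-ADComputer -Filter "Name -eq '$BadDC' -or Name -eq '$GoodDC'" |
    Format-Table Name, DistinguishedName -AutoSize

# 3. Pull the computer-scope Resultant Set of Policy from each DC remotely
#    and return the names of the GPOs listed in the report.
function Get-AppliedGpoName {
    param([Parameter(Mandatory)][string]$Computer)

    $report = Join-Path $env:TEMP "rsop-$Computer.xml"
    # /scope computer skips user data; /f overwrites a previous report.
    gpresult /s $Computer /scope computer /x $report /f | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "gpresult failed for $Computer (exit code $LASTEXITCODE)"
    }
    # Assumed report layout: Rsop > ComputerResults > GPO > Name
    ([xml](Get-Content -Raw -Path $report)).Rsop.ComputerResults.GPO |
        ForEach-Object { $_.Name } | Sort-Object -Unique
}

$good = Get-AppliedGpoName -Computer $GoodDC
$bad  = Get-AppliedGpoName -Computer $BadDC

# '<=' means only the healthy DC lists the GPO, '=>' only the failing DC.
# No output means both DCs report the same set of GPO names.
Compare-Object -ReferenceObject $good -DifferenceObject $bad |
    Format-Table InputObject, SideIndicator -AutoSize
```

If the two sets match, the saved XML reports can still be compared for the security settings each GPO delivers to the two machines.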
BigmacMc:

There's only one DC I'm having an issue with. We had promoted one the other day that appears to be working normally. All the DCs are in the default Domain Controllers OU. From what I can tell replication is occurring.

I've attached dcdiag.txt after running dcdiag.exe on the server. Some of the errors may be because I can't open anything as Administrator.

It is still replicating. DC promotion is not completed. Leave server for a day. Then check again.
BigmacMc:

Thanks for the update.
Never really figured this out; it was just easier to remove and start over.