Yesterday I promoted a brand new server with a fresh install of 2008 R2 to a domain controller. This would be the 5th DC in the domain and the second running 2008 R2.

Everything seemed to be fine. Later when I logged in I realized the domain admin account had no rights. I cannot open any of the AD snap ins or manage the server at all. All I get is Access Denied errors when I try to open anything up.

If I log in with a different account with domain admin rights it works fine.

I have never seen the domain admin account denied access to everything. If anyone has any ideas I would be greatful.

In the end I will probably just wipe it, but I would like to understand what happened first.

Hello,

are you using the Builtin Administrator account?

Please check your user membership and make sure that he is member of the Domain Admin group.

Any problems with AD replication?

 

Yeah the built in admin. He is a memeber and it only happens on the one new server. It's fine on the other 4. Ad seems to replicate fine. Not really sure what to make of it.

Please use Microsoft Skydrive to upload the output of these commands on the new DC:

 

ipconfig /all >c:\ipconfig.txt [from each DC/DNS Server]

dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt

repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt  ["dc* is a place holder for the starting name of the DCs if they all begin the same (if more then one DC exists)]

dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)

 

Once done, post a link here.

What are the exact errors that you are facing?

 

 

Hello,

all members of enterprise/domain/builtin administrators on the new OS version belong to UAC, only the Administrator has less restrictions and even sometimes must use RUNAS to elevate them.

So either configure UAC settings for the other admins or disbale UAC(not recommended).

Hi,

 

Please write down the detailed error message here for research. What is the result if you right click the AD snap ins like Active Directory Users and Computers, then choose "Run as administrator"? On the problematic DC, run the following command:

 

dcdiag /v  >c:\dcdiag.txt

 

If any error is found in the dcdiag.txt, please paste the errors here. After logging on with the problematic Domain Admins account, launch CMD and run the following command:

 

whoami /all > C:\test.txt

 

Please open test.txt and paste the result here for research.

 

Thanks.

Nina

When I run the above command in CMD I get 'access denied.' Also get access denied when changing permissions to folders, which is what prompted me to find this article. Running Win 2008 R2 Enterprise. Account is part of local and domain admins. Please help!

When I run the above command in CMD I get 'access denied.' Also get access denied when changing permissions to folders, which is what prompted me to find this article. Running Win 2008 R2 Enterprise. Account is part of local and domain admins. Please help!

Hello,

this thread is really old. Please create your own new one and describe your problem in detail with all steps you have done.

And if you have UAC enabled assure to use an elevated command prompt, RUN AS ADMINISTRATOR, to start it with the required permissions.