Domain Administrator restricted on new secondary DC

  • Domain Administrator restricted on new secondary DC

    1. Running W2k server (SP4 with Rollup 1) on AD1 as PDC
    2. Added AD2 as SDC
    3. Promoted AD2 to PDC
    4. Migrated roles to AD2
    5. Demoted AD1 to domain member

    System working fine, but several months later needed to replace AD2 with new server (need to keep name and IP):
    6. Added AD1 as SDC
    7. Promoted AD1 to PDC
    8. Migrated roles to AD1
    9. Demoted AD2 to domain member
    10. Removed AD2 from domain

    So far so good. AD1 working as DC.

    11. Added AD2-new as domain member
    12. When logged in to AD2-new after a reboot, the Run command was gone from the Start menu and Command Prompt access was denied; Administrative Tools were missing from the menus. Tried running dcpromo (it only worked by double-clicking the executable) and was able to add AD2-new as SDC, but could not transfer the roles to the SDC to make it PDC.
    13. All user accounts are now being asked to change their passwords, and if they do, they are locked out of the system.
    14. AD1 is not restricted for the Domain Administrator in any way

    Managed to get AD1 functioning as PDC and DNS server and other functions it has, but need to find out what is causing decreased functioning of Domain Administrator. There is a Group Policy that is set on an OU of RWusers (not the User OU), but the Domain Administrator is not a member of that OU, it is in the Users OU. That GPO removes Run from the Start menu, does not allow the user to save to the hard drive of the workstation and does not allow use of USB ports, CD/DVD drive or floppy drive. I'm thinking that the GPO was initially set as part of the Default Domain Policy and that no one is owning up to it. I've looked and cannot find where it might be set, but I may no longer have rights to see it as Domain Administrator.

    I need to try to clean this up and keep my AD setup and users. I followed KB226243 (How to reset security settings in the default Domain GPO in Windows 2000) and that did not fix the problem -- I believe that is due to the restricted nature of the domain administrator user in this case (I could be wrong...). Suggestions?

    My only other option that I can see is to totally remove the domain and introduce a new AD2-new with a clean install of AD and the domain set up there and then propagated to the other machines.

    This is a time critical problem. Any help would be appreciated.
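    The question the post leaves open is which GPO actually carries the "Remove Run menu from Start Menu" setting and where it is linked, since the Domain Administrator sits in the Users container rather than the RWusers OU. The script below is an added example, not something posted in the thread: it searches every GPO's XML report for that setting, prints where each matching GPO is linked, and shows the inheritance chain for the scope that contains the Administrator account. It assumes a domain controller or workstation with the GroupPolicy and ActiveDirectory PowerShell modules (Windows Server 2008 R2 / RSAT or later; these did not exist on Windows 2000), and that the account is still named Administrator.

```powershell
# Added example (not from the thread). Locate GPOs that hide the Run menu
# and show where they are linked. Assumes the GroupPolicy and
# ActiveDirectory modules are available (not on Windows 2000).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$domainName = $domain.DNSRoot

# 1. Search every GPO's XML report for the policy named in the thread.
$settingName = 'Remove Run menu from Start Menu'
$hits = foreach ($gpo in Get-GPO -All -Domain $domainName) {
    $xmlText = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $domainName
    if ($xmlText -match [regex]::Escape($settingName)) {
        [pscustomobject]@{
            Name   = $gpo.DisplayName
            Id     = $gpo.Id
            Status = $gpo.GpoStatus
        }
    }
}
Write-Host "GPOs containing '$settingName':"
$hits | Format-Table -AutoSize

# 2. For each hit, list every link target (domain root, OU, site).
#    A GPO linked at the domain root reaches the Users container even
#    though no GPO can be linked to that container directly.
foreach ($h in $hits) {
    [xml]$report = Get-GPOReport -Guid $h.Id -ReportType Xml -Domain $domainName
    $report.GPO.LinksTo |
        Select-Object @{n='GPO'; e={ $h.Name }}, SOMName, SOMPath, Enabled, NoOverride |
        Format-Table -AutoSize
}

# 3. Show the inheritance chain for the scope holding the Administrator.
#    Get-GPInheritance accepts a domain or an OU; if the account lives in
#    a container (CN=Users), the domain root is the only scope above it.
$admin  = Get-ADUser -Identity Administrator
$parent = ($admin.DistinguishedName -split ',', 2)[1]
$target = if ($parent -like 'OU=*') { $parent } else { $domain.DistinguishedName }
Write-Host "Effective GPO links for $target :"
(Get-GPInheritance -Target $target).InheritedGpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order, Target |
    Format-Table -AutoSize
```

Run it as a domain user who can read GPO reports; if the Domain Administrator's rights really have been cut down, as the post suspects, step 1 will fail to read some reports, which is itself a useful signal. The report-text search is broad on purpose: it catches the setting whether it lives in the user or computer half of the GPO, which matters here because the restriction showed up on a freshly joined machine where loopback processing or a domain-level link could apply it regardless of which OU the user object is in.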


  • #2
    Re: Domain Administrator restricted on new secondary DC

    did you place AD2 into an excluded OU before you went thru the motions?

    no cmd? that sucks... so i guess that a "gpupdate /force" is not gonna fly...

    as long as the server is being excluded from the GPO that is causing the "undesired functionality loss" in AD... as long as it is in an exempt OU, just reboot the thing... and force it to update the local user/machine policy.

    do you have other DCs in your forest? did you allow time for replication to complete?
    It's easier to beg forgiveness than ask permission.
    Give karma where karma is due...