Domain Admin Rights

Jamesa
I've just installed 2 new Win2k3 Servers into my existing Win2k3 Domain.

Both servers joined the domain just fine. Both show up in active directory just fine.

HOWEVER, when I log into the two new servers as the domain administrator, they both refuse to allow me to run any programs. Saying that I don't have sufficient rights to access that file (any install program).

Logging in as the local administrator resolves this problem, but I can't seem to figure out why the domain admin doesn't appear to have the rights to install programs.

The Windows firewall is turned off.

Any help would be appreciated.
    CG IT

    after joining the domain and being put in the computers or servers OU, at a minimum, the default domain security policy will be applied. That means that the domain admin account listed under the local machine security policy option would be changed to the domain admin account.

    That is unless the block policy inheritance is used.

    Jamesa

    I agree, it shouldn't. I'm using the domain admin account on other win2k3 servers with no problems, so it shouldn't be an active directory default domain security policy. Any ideas on how to check this out? I've GOT to get to installing some software :>

    I did install both of these servers YESTERDAY with full patches.. did gates change another feature? LOL

    IC-IT

    The Domain Admins to the local admin group.

    CG IT

    you can add them to the local admin group. Simple, easy fix.. however that doesn't fix a possibly more serious problem of GP not being applied. I would modify the default domain GP with 1 simple change like having an interactive logon message displayed and see if that works. If it doesn't, then GP isn't being applied to those servers.

    Kjell_Andorsen

    Here are a couple of things you might want to check if you haven't already.

    Did the servers get placed in the appropriate OU or are they still in the default Computers container?

    Have you run RSOP or the Group Policy Result Wizard from the GPMC to see if GPOs are being properly applied?

    In the Computer management console have you checked if the Domain admins group is added to the local administrators group on the servers?

    You might also want to check the system logs to see if any weird errors relating to group policy show up.

    Jamesa

    The servers are in the default Computers OU as are all my systems.

    Group policy result wizard reports all is well.

    CM on the new machine shows domain admins in the local administrators group.

    And THEN I find something in the logs:

    Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    ThumbsUp2

    Is this the error you're getting?

    http://support.microsoft.com/kb/938448

    What's the Event ID that you get?

    Jamesa

    sorry, the event id was 1054

    CG IT

    see this:

    http://support.microsoft.com/kb/324174/en-us

    this indicates a DNS problem.

    ThumbsUp2

    I couldn't PM you back to answer. You're not accepting PMs. (How does one turn those off anyway? Oh well!)

    I'm afraid though, that I'm not the one you need to be in communication with. I can help do research, but I am in NO way any expert on this stuff. You know far more than I do. I've been watching this thread because I too am interested in learning what the problem is and how to fix it.

    CG IT is probably the one you need to communicate with, if he's willing.

    CG IT

    that is Group Policy related and further if the workstation is saying it cannot obtain the DC name [name to IP resolution], then that points to a DNS problem.

    But I think Thumbsup has the correct link if you're running dual core AMD Opterons and the problem is server related and not workstation related.

    ThumbsUp2

    Your link takes us nowhere. Here are a couple of others maybe?

    http://tinyurl.com/2fonaj

    http://support.microsoft.com/kb/324174/en-us


    DNS

    Jamesa

    Checked the other servers (according to the 324174 article); they have the proper DNS setup.

    As for the other. I do see netlogon messages on my AD server. I see lots of additional messages... The netdiag command does not work (says I don't have it), and the gpupdate command produces no new events.

    This is obviously a Group Policy/AD event .. any additional ways to check/repair this ongoing problem? Looks like Microsoft's biggest recommendation is to restart the DNS service. Been there, done that.

    CG IT

    you may have the right address listed on client computers, but if your DNS records aren't correct, then client requests for resources from DNS aren't going to get the right information.

    It could be a GP issue but if it is, then the local machine policy has a no override or block on it because the domain GP isn't being applied [per your other posts]. GP processing order is local machine, site, domain and OU, where if this is a domain then at a minimum the domain policy will apply in the absence of an OU policy. All that's being applied is the local machine.

    You might want to try disjoining the computer from the domain and rejoin it. See if that fixes the GP problem.

    So what other error messages are you getting other than 1054?
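    The checks Kjell_Andorsen listed above (OU or container placement, Domain Admins in the local Administrators group, Group Policy errors in the System log) and the DNS point CG IT keeps coming back to (the DC locator needs the domain's SRV records from the DNS servers the NIC is configured with) can be run as one script. This is an added example, not code from the thread; it assumes a domain-joined host with PowerShell 3 or later and the DnsClient module, so it is written for a current Windows box rather than the Win2k3 servers in question.

```powershell
# Added example: domain-join / Group Policy triage for one host.
# Assumes PowerShell 3+ and the DnsClient module (Resolve-DnsName); ADSI is used
# for the AD and local-group queries so no RSAT modules are required.
$ErrorActionPreference = 'Continue'

# 1. Where is the computer object? CN=Computers is a container, not an OU, so
#    only local, site and domain GPOs can apply to a machine left there.
$domainDn = "$(([ADSI]'LDAP://RootDSE').defaultNamingContext)"
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://$domainDn", "(&(objectClass=computer)(name=$env:COMPUTERNAME))")
$hit = $searcher.FindOne()
if ($hit) {
    $dn = $hit.Properties['distinguishedname'][0]
    "Computer DN         : $dn"
    if ($dn -like "*,CN=Computers,$domainDn") { "NOTE: still in the default Computers container" }
} else { "NOTE: no computer object found for $env:COMPUTERNAME under $domainDn" }

# 2. Is Domain Admins in the local Administrators group? (WinNT provider, so it
#    works on hosts that lack Get-LocalGroupMember.)
$group   = [ADSI]'WinNT://./Administrators,group'
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
"Local Administrators: $($members -join ', ')"
if ($members -notcontains 'Domain Admins') { "NOTE: Domain Admins is not in local Administrators" }

# 3. DC locator: Event 1054 ("cannot obtain the domain controller name") means this
#    lookup failed. The DNS servers the NIC uses must hold the domain's SRV records.
$dnsDomain = $env:USERDNSDOMAIN
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses } |
    ForEach-Object { "DNS servers ($($_.InterfaceAlias)): $($_.ServerAddresses -join ', ')" }
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$dnsDomain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' }
if ($srv) { $srv | ForEach-Object { "DC SRV record       : $($_.NameTarget):$($_.Port)" } }
else      { "NOTE: no _ldap._tcp.dc._msdcs SRV record for $dnsDomain - fix DNS before chasing GP" }
nltest "/dsgetdc:$dnsDomain" 2>&1 | Select-String 'DC:|Address:|ERROR'

# 4. Recent Group Policy failures in the System log (1054 is the one from the thread).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1054 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

    If step 3 reports no SRV record while step 1 and 2 look fine, the machine is in the state the thread describes: the domain GPO never applies because the client cannot locate a DC, and fixing the DNS server assignment or the missing records comes before any Group Policy work.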

    Kjell_Andorsen

    This will most likely not fix your issue as I agree it seems to be with DNS, but as a matter of best practice I would recommend not leaving servers or workstations in the default Computers container as it is not an OU and can't have OU specific GPOs assigned to it. I would recommend making an OU for servers and one for workstations, possibly creating sub OUs underneath them so that you can apply computer specific GPOs to different groups of computers.

    Also as a side note, this also goes for the default "users" container in AD. It is also a container, not an OU and any user account placed in it can only have local, site or domain policies assigned to it.

    CG IT

    I believe your problem is a connectivity problem. If you're running Gigabit NICs, Windows has a known issue with them.

    here's the link

    http://support.microsoft.com/kb/239924/