Hi, and thanks for taking a look.
My network has a 2008 R2 domain controller and a 2003 server backup controller. Recently I decided that henceforth I will be pushing software via GPO and security groups on my network.
I got this to work and it tested fine in the test environment.
When I tried to apply some software to the existing machines on the network, the policy failed on certain machines. I traced the problem down to the 2003 server, tested several machines on the network, and any machine connected to this server does not receive the policy correctly. I think this might be due to the server version difference. Finally I decided that I will make another 2008 R2 machine on the network a backup controller and demote the 2003 to just being a file server again.
When I attempted to dcpromo my existing 2008 R2 server to a Domain Controller, I received the Access Denied message. I used this KB to try and resolve the issue: http://support.microsoft.com/kb/2002413?wa=wsignin1.0. The server was added to the Domain Controller OU, and the GPO does have my Administrator account set to “Enable computer and user accounts to be trusted for delegation”.
Additionally, what I found is that when I perform whois /all while logged into a server with the Admin account, it does not list “Enable computer and user accounts to be trusted for delegation” as being enabled; as a matter of fact, it doesn't even list it.
So my problem is that at the moment my main Administrator account can neither promote nor demote any Domain Controllers. I know that this account was previously used to promote domain controllers.
Any ideas as to what might be the root of this problem?