In the AZ-800 “Administering Windows Server Hybrid Core Infrastructure” objectives for Active Directory, server promotion is governed by forest/domain administrative roles. The materials state that promoting a member server to a domain controller in a given domain requires membership in either the Enterprise Admins group or the Domain Admins group of the target domain. The Configuration and Domain naming contexts that DCPromo touches (NTDS settings, SYSVOL/DFS-R readiness, DC computer account, and associated service SPNs) are protected so that “Enterprise Admins have full rights forest-wide, and Domain Admins have full rights within their respective domain.”
In this case, the requirement is to promote Server1 to a domain controller in canada.contoso.com. From the identities table:
Contoso\Admin1 is a member of Enterprise Admins (forest-wide authority).
Canada\Admin3 is a member of Canada\Domain Admins (authority within canada.contoso.com).
Contoso\Admin2 is a member of Domain Admins in contoso.com only, which does not grant administrative authority in the canada.contoso.com child domain.
Therefore, the users who can currently perform the required task for Server1 are Admin1 and Admin3.
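The same membership rule can be checked against a live forest before promotion. The following is an added example, not part of the exam material: it assumes the ActiveDirectory (RSAT) PowerShell module, the function name Test-CanPromoteDc is hypothetical, and it tests only the two groups named in the explanation, using the account and domain names from the identities table.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-CanPromoteDc {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$SamAccountName,  # account to evaluate
        [Parameter(Mandatory)][string]$UserDomain,      # domain that holds the account
        [Parameter(Mandatory)][string]$TargetDomain     # domain the new DC will join
    )

    $user = Get-ADUser -Identity $SamAccountName -Server $UserDomain
    $root = (Get-ADForest -Server $TargetDomain).RootDomain

    # Resolve groups by well-known RID so renamed groups are still found:
    # 519 = Enterprise Admins (forest root domain), 512 = Domain Admins.
    $checks = @(
        @{ Name = 'Enterprise Admins'; Domain = $root;         Rid = 519 },
        @{ Name = 'Domain Admins';     Domain = $TargetDomain; Rid = 512 }
    )

    foreach ($c in $checks) {
        $domainSid = (Get-ADDomain -Server $c.Domain).DomainSID.Value
        $groupSid  = "$domainSid-$($c.Rid)"
        # -Recursive expands nested groups, so indirect membership counts too.
        $members = @(Get-ADGroupMember -Identity $groupSid -Server $c.Domain -Recursive)
        if ($members.SID.Value -contains $user.SID.Value) {
            return [pscustomobject]@{
                User     = "$UserDomain\$SamAccountName"
                Eligible = $true
                Via      = "$($c.Name) ($($c.Domain))"
            }
        }
    }

    # Domain Admins of a different domain (Admin2's case) falls through to here.
    [pscustomobject]@{
        User     = "$UserDomain\$SamAccountName"
        Eligible = $false
        Via      = $null
    }
}

# Accounts from the identities table, evaluated for canada.contoso.com.
Test-CanPromoteDc -SamAccountName Admin1 -UserDomain contoso.com        -TargetDomain canada.contoso.com
Test-CanPromoteDc -SamAccountName Admin2 -UserDomain contoso.com        -TargetDomain canada.contoso.com
Test-CanPromoteDc -SamAccountName Admin3 -UserDomain canada.contoso.com -TargetDomain canada.contoso.com
```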