I have a Windows Server 2012 R2 domain controller and a database server (W2K12R2/SQL Server 2012).
As allowed usergroup I have given the group "domain-admins" sysadmin rights.
But somehow any domain-administrator can't connect to that SQL Server, but when I add the domain-administrator user directly as allowed user it does work.
The active directory does work. RDP-Login works. Am I missing something?
Does anybody know how to grant access to the whole group "domain-admins"?
The error message is:
Servername: SRV-DB Error Number: 18456 Schweregrad: 14 Status: 1 Line of Code: 65536
In the event log it says (translated):
Error checking the token based server access with infrastructure failure.
State is "1" . I log on to that db-server with RDP as an domain-admin. I have to explicitly start SSMS with "run as administrator". Then I can access the "localhost". If I leave out starting SSMS as admin then I can't do that. I thought being in the group "domain-admins" would be enough.
Best Answer
I found the answer to my problem in this answer by Remus Rusanu.
As an domain-admin connected to that SQL-Server-Host via Remote Desktop. I had to start SQL Server Management Studio explicitly "as an administrator". (right-click -> run as administrator).
If SSMS isn't started in administrator mode, the current login is not in "builtin\administrators"-group. That was the problem.
It comes from Windows user access control (UAC). So that is actually a security "feature".