Hi Brian,
Based on your issue description, it sounds like something is affecting that specific account post-promotion. The following are a few potential causes of the issue.
- Token Bloat – When a server is promoted to a domain controller, certain accounts may get additional security groups assigned. If the affected account has too many security group memberships, the access token may exceed system limits, leading to resource exhaustion.
- Permission Changes – The account used for the promotion might have had specific permissions that were altered during the domain controller promotion process. Domain controllers handle authentication differently, and some privileges might not transfer as expected.
- Kerberos Tickets & Authentication Issues – If the account had cached credentials or existing authentication tickets before the promotion, they might not align correctly after the change.
- Service Dependencies – If the account has dependencies on specific services that behave differently on a domain controller, it might trigger insufficient resource errors.
Have you tried using other user accounts belonging to the Enterprise or Domain Admin group to perform the promotion to Windows Server 2025, to see whether the issue happens as it did with the previously affected account?
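
To check the token bloat cause on the affected account, the following PowerShell is added here as an example and is not part of the original reply. It counts the group SIDs in the current logon token and bounds the token size with Microsoft's published estimate `TokenSize = 1200 + 40d + 8s`. The function name `Get-TokenSizeEstimate` is hypothetical, and the script assumes the 48000-byte default `MaxTokenSize` of Windows Server 2012 and later when no registry override is set.

```powershell
# Added example (not from the original reply). Run while logged on as the affected account.
function Get-TokenSizeEstimate {
    # Group SIDs carried in the logon token of the current session.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $groupSids = @($identity.Groups)
    $count     = $groupSids.Count

    # Microsoft's estimate: TokenSize = 1200 + 40d + 8s
    #   d = domain local groups, universal groups from other domains, SID history entries
    #   s = global groups and universal groups in the account's own domain
    # Assumption: the d/s split is not resolved here, so report both extremes.
    $lowerBound = 1200 + (8  * $count)   # every group counted as "s"
    $upperBound = 1200 + (40 * $count)   # every group counted as "d"

    # Configured Kerberos limit, falling back to the assumed 48000-byte default.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $configured = (Get-ItemProperty -Path $key -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
    $maxTokenSize = if ($null -ne $configured) { [int]$configured } else { 48000 }

    [pscustomobject]@{
        Account          = $identity.Name
        GroupSidCount    = $count
        EstimateLowBytes = $lowerBound
        EstimateHighBytes= $upperBound
        MaxTokenSize     = $maxTokenSize
        MayExceedLimit   = ($upperBound -gt $maxTokenSize)
        # Windows cannot build a token with more than about 1,010 group SIDs.
        NearGroupCap     = ($count -ge 900)
    }
}

Get-TokenSizeEstimate | Format-List

# List the groups by name so the output can be compared with an unaffected admin account.
[System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object {
    try   { $_.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $_.Value }   # SID that cannot be resolved to a name
} | Sort-Object
```

Running the same script under an unaffected admin account and comparing the two group lists shows which memberships are specific to the affected account.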