Had an issue recently where the command “netdom query fsmo” failed with Access denied or Access is denied from an administrative server in our domain. Other symptoms include not being able to change domain controller in Active Directory Users and Computers.
Turns out that this server’s network was not configured correctly. There is a second network card on this server, and we usually set high manual metric and disable some features on this NIC. Not in this case, as I found out.
After I reconfigured the NIC with correct settings (manual 9999 metric, disable services, disable NETBIOS), and a reboot, the server worked as expected again.