oneobserver
asked on
Cannot access RDP on remote DC in SBS 2003 R2 domain
I have an SBS 2003 R2 domain setup with a remote DC at another office running Server 2003 Standard (not R2). While I was setting up the system I had installed Terminal Services on the machine in a fit of madness, thinking I needed it to enable the remote management capabilities through RDP. I did this before I had promoted the server to a DC. I had confirmed that I could get to the box with RDP and then continued to setup the rest of the box and then promoted it to a DC. At that time it said it was modifying the permissions of the Terminal services to only allow remote administration, which I said Yes to. Apparently I never tried to get back onto the box with RDP after that point. I have since installed the box in the remote network, setup everything locally and come back to the home office again. Now when I attempt to access the remote server with RWW or RDP direct, I get a dialog box after attempting to login that says: "To log onto this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop User's group, or another group that has this right, or if the Remote Desktop Users group does not have this right, you must be granted this right manually". I have checked the Domain Users and Computers plug-in and cannot find that group listed, although when I tried adding administrator to it, It found the group when I did the Check Names step as a BUILTIN. This still didn't allow me access to that remote server and still gives the above error. I went into the Group Policy Management plug-in and found the rights for Allow log on through Terminal Services under Default Domain Policy/Computer Configuration/Security Settings/Local Policies/User Rights and it is set to undefined, but also says that by default Administrators and Remote Desktop Users should have this right enabled on Workstations and Servers and Administrators for Domain Controllers. Because I actually installed Terminal Services on that server and then promoted it to a DC, do I now need to explicitly define those rights in the GPMC to get it to let me remote in, or is there some other step that I am missing?
This is not urgent yet as nothing is broken, but it will be as soon as somebody want to make a change on the remote system, so 500 points to whom ever can get me back on this box!
markh
This is not urgent yet as nothing is broken, but it will be as soon as somebody want to make a change on the remote system, so 500 points to whom ever can get me back on this box!
markh
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Been working through these steps, but not having much luck in finding a solution yet. Rebooting did not fix the issue. Odd additional behavior discovered: On the remote DC you can login to the console, but not via RDP. On the local SBS server you can log onto the SBS server via RDP, but not from the console. On both systems when denied access, the error message is the same as what was given above.
markh
markh
ASKER
Mystrey one is solved. Somewhere in the process of setting up the new server the administrator was added to the Remote Operators Group, which is what stopped local login on the SBS server. I removed Administrator from that group and was allowed access to the local SBS server. Been throiugh the whole list on the articles sited and still cannot get access to the remote server. I have determined that I can login to the remote server as anything except the actual administrator though, so I created a new user with administrator rights and am now waiting for the account to propogate to the server so it will let me log in with it to see if I can just uninstall Terminal Services on the remote machine, since I didn't really want it there anyway. Just RDP access for remote administration. Will update when I get access with the new account and let this thread know if that fixes the problem.
markh
markh
ASKER
markh