

After adding Active Directory/Domain Controller to a Windows 2003 Terminal Services server Remote Desktop to any domain controller now fails with "...you must be granted Allow log on through "...

Posted on 2009-02-18
Medium Priority
Last Modified: 2013-11-21
After adding a Domain Controller role (for use as backup domain controller) to an existing Terminal Services server running Windows 2003 R2 SP2, all users, including domain/Administrator, are now getting "To log on to this computer, you must be granted Allow log on through Terminal Services..."  I've verified security in Group Policy as well as Domain Controller Security settings.  One thing I have noticed is the SysVol does not replicate.  As a matter of fact Sysvol and Netlogon shares never got created.  I've attempted to follow MS KB 315457, but when it comes to adding a DWORD in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\ there is no GUID key on the original domain controller.  There is a GUID on the backup domain controller but not on the original.  Should a key be created on the original with the same GUID as the backup and continue with the process?
Question by:SurfCitySC

Accepted Solution

LingerLonger earned 750 total points
ID: 23670516
While I cannot find a definitive Microsoft document on it, there are various pages that have Microsoft MVPs suggesting that you do not do this - http://forums.msterminalservices.org/Server-Installation-windows-Domain-Controller-ftopict24603.html for example.
The security implications of the configuration are the main reason why you do not want to operate a DC with this config. Since Local Groups are gone, an application that requires Admin rights would essentially require you to make the user a Domain Admin to have the necessary rights from that box.
I have worked with servers in the past that have had this config, and have always run into other difficult to nail down problems - performance issues coming and going, profiles acting erratically, etc.
I would encourage you to demote the server back to a Member Server, and see if you can find another box to be the second DC.

Author Comment

ID: 23672568
This server had worked as a Terminal Server and backup Domain Controller when it was a Windows 2000 Server.  Recently it was upgraded to Windows 2003 Server R2.  All was fine until adding the Active Directory role.  I understand the security implications, but for this client a backup domain controller outweighed the performance and security ramifications.  In any case I removed the Active Directory role and I still am stuck with the error message.  If I try to log onto the primary Domain Controller using Remote Desktop (not Terminal Server), even as administrator, I still get this error.  Could this be a group policy gone bad?

Expert Comment

ID: 23686509
If you have removed AD from the TS:

1. Check that the user you are connecting with (RDP) is in the "Remote Desktop Users" group
2. Open tscc.msc -> Right Click "RDP" -> Permissions -> Check that "Remote Desktop Users" have permissions
(I can't say 100 per cent for sure the correct menus since I'm not in front of my servers at the moment.)


Author Comment

ID: 23694042
I figured it out.  After adding Active Directory role the Administrators group gets removed from the security settings.
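The two checks suggested in the thread (group membership and the RDP listener permissions) and the cause the author found (the Administrators group dropped from the "Allow log on through Terminal Services" right) can all be audited from one script. The following is an added example written for this page, not code posted by anyone in the thread. It assumes it is run locally on the affected server as a local Administrator, that PowerShell and secedit.exe are available (PowerShell is not installed by default on Windows Server 2003, so that is an assumption), that the RDP listener still has its default name "RDP-Tcp", and that the Terminal Services WMI class Win32_TSAccount is present in root\cimv2.

```powershell
# Added example, not from the original thread. Audits the settings the answers point at:
#  1. local "Remote Desktop Users" / "Administrators" membership
#  2. who holds SeRemoteInteractiveLogonRight ("Allow log on through Terminal Services")
#  3. the RDP-Tcp listener permissions that tscc.msc displays
# Assumptions: run as a local Administrator; PowerShell and secedit.exe available;
# listener is named "RDP-Tcp"; Win32_TSAccount exists in root\cimv2.

$ErrorActionPreference = 'Stop'

# 1. Members of a local group, resolved through the WinNT ADSI provider.
function Get-LocalGroupMembers {
    param([string]$GroupName)
    $group = [ADSI]"WinNT://./$GroupName,group"
    $group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# 2. Holders of the remote-interactive logon right. secedit exports the effective
#    local security policy (on a DC, the Domain Controller Security Policy); the
#    value is a comma-separated list of names or *SIDs, e.g. *S-1-5-32-544.
function Get-RemoteLogonRight {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight' }
    Remove-Item $cfg -Force
    if (-not $line) { return @() }
    (($line -split '=', 2)[1].Trim() -split ',') | ForEach-Object { $_.Trim() }
}

# 3. Accounts granted or denied on the RDP-Tcp listener (what tscc.msc -> RDP -> Permissions shows).
function Get-RdpListenerPermissions {
    Get-WmiObject -Namespace root\cimv2 -Class Win32_TSAccount -Filter "TerminalName='RDP-Tcp'" |
        Select-Object AccountName, PermissionsAllowed, PermissionsDenied
}

Write-Host 'Remote Desktop Users:';           Get-LocalGroupMembers 'Remote Desktop Users'
Write-Host 'Administrators:';                 Get-LocalGroupMembers 'Administrators'
Write-Host 'SeRemoteInteractiveLogonRight:';  Get-RemoteLogonRight
Write-Host 'RDP-Tcp listener permissions:';   Get-RdpListenerPermissions | Format-Table -AutoSize

# The symptom described in the thread: Administrators (S-1-5-32-544) is no longer
# listed in the right, so even domain\Administrator is refused at the RDP logon.
$right = Get-RemoteLogonRight
if (-not (($right -contains '*S-1-5-32-544') -or ($right -contains 'Administrators'))) {
    Write-Warning 'Administrators is missing from "Allow log on through Terminal Services".'
}
if (-not (($right -contains '*S-1-5-32-555') -or ($right -contains 'Remote Desktop Users'))) {
    Write-Warning 'Remote Desktop Users is missing from "Allow log on through Terminal Services".'
}
```

Membership in "Remote Desktop Users" and a grant on the listener are necessary but not sufficient: the logon is refused as long as neither the user nor one of their groups holds SeRemoteInteractiveLogonRight, which on a domain controller is set by the Domain Controller Security Policy rather than the local policy, so that is the place to restore Administrators after a promotion or demotion has altered it.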
