After adding Active Directory/Domain Controller to a Windows 2003 Terminal Services server Remote Desktop to any domain controller now fails with " must be granted Allow log on through "...

Posted on 2009-02-18
Last Modified: 2013-11-21
After adding a Domain Controller role (for use as a backup domain controller) to an existing Terminal Services server running Windows 2003 R2 SP2, all users, including domain/Administrator, are now getting "To log on to this computer, you must be granted Allow log on through Terminal Services..." I've verified security in Group Policy as well as Domain Controller Security settings. One thing I have noticed is the SysVol does not replicate. As a matter of fact Sysvol and Netlogon shares never got created. I've attempted to follow MS KB 315457, but when it comes to adding a DWORD in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\ there is no GUID key on the original domain controller. There is a GUID on the backup domain controller but not on the original. Should a key be created on the original with the same GUID as the backup and continue with the process?
Question by:SurfCitySC

    Accepted Solution

    While I cannot find a definitive Microsoft document on it, there are various pages that have Microsoft MVPs suggesting that you do not do this - for example.
    The security implications of the configuration are the main reason why you do not want to operate a DC with this config. Since Local Groups are gone, an application that requires Admin rights would essentially require you to make the user a Domain Admin to have the necessary rights from that box.
    I have worked with servers in the past that have had this config, and have always run into other difficult to nail down problems - performance issues coming and going, profiles acting erratically, etc.
    I would encourage you to demote the server back to a Member Server, and see if you can find another box to be the second DC.

    Author Comment

    This server had worked as a Terminal Server and backup Domain Controller when it was a Windows 2000 Server. Recently it was upgraded to Windows 2003 Server R2. All was fine until adding the Active Directory role. I understand the security implications, but for this client a backup domain controller outweighed the performance and security ramifications. In any case I removed the Active Directory role and I am still stuck with the error message. If I try to log onto the primary Domain Controller using Remote Desktop (not Terminal Server), even as administrator, I still get this error. Could this be a group policy gone bad?

    Expert Comment

    If you have removed AD from the TS:

    1. Check that the user you are connecting with (RDP) is in the "Remote Desktop Users" group
    2. Open tscc.msc -> Right Click "RDP" -> Permissions -> Check that "Remote Desktop Users" have permissions
    (I can't say 100 per cent for sure the correct menus since I'm not in front of my servers atm.)


    Author Comment

    I figured it out. After adding the Active Directory role, the Administrators group gets removed from the security settings.
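The two comments above describe three things to check by hand: who holds the "Allow log on through Terminal Services" user right, who is in the Remote Desktop Users group, and what the RDP-Tcp listener's permission list contains. The script below is an added example written for this page, not code posted by any participant; it audits those three settings from an elevated PowerShell prompt on the affected server. It assumes the built-in `secedit.exe` and `net.exe` tools and the Terminal Services WMI provider (`Win32_TSAccount`), and the export file name is my own choice.

```powershell
# Added example (not from the thread): audit the three settings discussed
# above on a Windows Server host. Run in an elevated PowerShell session.

# 1. Who holds "Allow log on through Terminal Services"
#    (user right SeRemoteInteractiveLogonRight) in the effective local policy.
#    secedit writes each grantee as a SID prefixed with '*', comma-separated.
$export = Join-Path $env:TEMP 'secpol-user-rights.inf'   # file name is an assumption
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null

$line = Select-String -Path $export -Pattern '^SeRemoteInteractiveLogonRight' |
        Select-Object -First 1
if ($line) {
    Write-Host 'SeRemoteInteractiveLogonRight is granted to:'
    $grantees = ($line.Line -split '=', 2)[1].Trim() -split ','
    foreach ($entry in $grantees) {
        $sid = $entry.Trim().TrimStart('*')
        try {
            # Resolve the SID to a name; S-1-5-32-544 is BUILTIN\Administrators,
            # S-1-5-32-555 is BUILTIN\Remote Desktop Users.
            $name = (New-Object System.Security.Principal.SecurityIdentifier $sid).
                    Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<unresolved>'
        }
        Write-Host ("  {0,-45} {1}" -f $sid, $name)
    }
    if ($grantees -notmatch 'S-1-5-32-544') {
        Write-Host '  WARNING: BUILTIN\Administrators is missing from this right (the symptom described in the thread).'
    }
} else {
    Write-Host 'SeRemoteInteractiveLogonRight is assigned to no one; nobody can log on through Terminal Services.'
}
Remove-Item $export -ErrorAction SilentlyContinue

# 2. Membership of the Remote Desktop Users group (on a domain controller this
#    is the domain's built-in group, so the check covers both cases).
Write-Host ''
Write-Host 'Members of "Remote Desktop Users":'
net localgroup "Remote Desktop Users"

# 3. Permissions on the RDP-Tcp listener, i.e. what tscc.msc shows under
#    RDP-Tcp -> Permissions. PermissionsAllowed is a bit mask; 0x10 is the
#    "Logon" bit required to connect at all.
Write-Host ''
Write-Host 'Accounts with permissions on the RDP-Tcp listener:'
$accounts = Get-WmiObject -Class Win32_TSAccount -Filter "TerminalName='RDP-Tcp'"
if (-not $accounts) {
    Write-Host '  (no entries returned; the Terminal Services WMI provider may be unavailable)'
}
foreach ($acct in $accounts) {
    $canLogon = if ($acct.PermissionsAllowed -band 0x10) { 'logon allowed' } else { 'NO logon bit' }
    Write-Host ("  {0,-35} allowed=0x{1:X8} denied=0x{2:X8}  {3}" -f
        $acct.AccountName, $acct.PermissionsAllowed, $acct.PermissionsDenied, $canLogon)
}
```

If section 1 shows that Administrators (and, where intended, Remote Desktop Users) are absent, the setting to restore on a domain controller is Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > "Allow log on through Terminal Services" in the Default Domain Controllers Policy, followed by `gpupdate /force`; on a member server the same right lives in the local security policy.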
