Solved

dc logon & domain member logon query

Posted on 2014-02-06
Last Modified: 2014-02-15
Hi, could I please get some advice regarding the below:

Question 1.

When I run 'dcpromo' on the master DC, this is the same password I always use to log on to the domain controller obviously, but I always use this same username & password to log on to all the domain controllers, and what I did not realise until recently is that if I save files in My Documents, where I always save stuff on my master DC, I can also log on with the same username & password on my domain member server and still see those same files I saved. What I wanted to know is: should I create a separate username & password to log on to each of the domain member servers so they have their own?

Question 2.

As I log on to each domain member server, which is the same 'username & password' as the domain controller, as I have not created any more, should I create a roaming folder just like I would for normal domain users?
Question by:mikey250
6 Comments
 
LVL 11

Accepted Solution

by:
Alex Green earned 167 total points
ID: 39838467
OK, I'm a little bit confused by the post; however, I'll try my best.

So you have a username and password you use to log onto the DCs; should you have a separate username and password for each DC? No, you should not.

Your files in My Documents are available on all servers; this is down to group policy and folder redirection. I wouldn't be too concerned about this.

No, you should not create a roaming profile for server-based accounts. It's not terrible but bad practice, since you can fill up the C:\ quite quickly if you have a large roaming profile; also, it'll increase your logon times to servers which you haven't logged onto previously.

Does that answer your question since I'm having a few issues understanding the question :(

Regards

Alex
LVL 10

Assisted Solution

by:Prashant Girennavar
Prashant Girennavar earned 167 total points
ID: 39838495
Question 1.

Answer:

Domain controllers don't have the local administrator account, i.e. they have the administrator account centralised and you can use this single account to log in to all the domain controllers. Keep in mind that the domain administrator account is not local; rather, it is a central one and can be used to log in to any domain controllers or member servers.

What I suspect in your case is that you are using this account to log in to the domain controllers and member servers, hence you are able to see the My Documents information on all of them, since the account which you are using is not local.

Question 2

I think the first question's answer will answer most of this question.

More info can be found in the articles below:

What is a roaming profile -- http://en.wikipedia.org/wiki/Roaming_user_profile

How to set a roaming profile -- http://www.sfu.ca/ad/roaming_profiles.html

Let us know if you have more questions :)

Thanks,

-Prashant Girennavar.

Author Comment

by:mikey250
ID: 39838506
Yes, you are giving me the answers I wanted.

"so you have a username and password you use to log onto the dc's, should you have a separate username and password for each dc.  no you should not."

- I only have 1 single DC, but if I had 2 or more, no, I would still use the same username & password - I'm OK with that as I was referring to my DC.

"your files in my documents are available on all servers, this is down to group policy and folder redirection, i wouldn't be too concerned about this."

 "no you should not create a roaming profile for server based accounts.  it's not terrible but bad practice since you can fill up the c:\ quite quickly if you have a large roaming profile, also it'll increase your logon times to servers which you haven't logged onto previously."

- OK, that is OK as I had to make sure.

Because when I use the domain administrator logon, I do not create a redirection/roaming folder like I would with domain user accounts, so I assume this is normal as administrators have access to each server anyway by default... unless I wanted to track my domain admin logon of daily use, just like a domain user account. That's my understanding, but if I did want to track the administrator, I assume looking in the Event Viewer, for example, is a way to do so. So again, I assume setting up a redirection/roaming folder for a domain admin is of no use.

Question 1. What if there was an issue with logging on with my domain admin logon on my master DC and I could maybe fix it or not, but I needed to change something for another user, for example; then I assume when I use the same domain admin account to log on to a domain member server that this would have issues logging on as it is connected to the master DC?
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 166 total points
ID: 39839956
Since you have only a single DC, you can keep two accounts with domain admin privileges.
If anything wrong happens with one account, another account will take care of that.
Ensure that both accounts are members of the following groups:
Domain Admins
Enterprise Admins
Built-in Administrators group
Schema Admins

because if any account gets locked, you can have another account to unlock it.
However, note that the built-in domain administrator account never gets locked.

Also, it's better if you could keep one ADC as well if your user count is more than 50, to avoid major downtime in case of server hardware failure.

Mahesh
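
An added example, not part of the answer above or of the original thread: a PowerShell check that reports, for two administrative accounts, whether each is enabled, locked out, and a member of the four groups the answer lists. It assumes the ActiveDirectory module (RSAT) is installed and default English group names; the account names `admin.primary` and `admin.backup` are hypothetical placeholders.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Hypothetical account names: replace with your two administrative accounts.
$adminAccounts = @('admin.primary', 'admin.backup')

# Groups named in the answer above (default English names, assumed).
$groups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')

# Resolve each group's effective membership once, including nested groups.
$membership = @{}
foreach ($g in $groups) {
    $membership[$g] = @(Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName)
}

# One row per account: state flags plus a True/False column per group.
$report = foreach ($name in $adminAccounts) {
    try {
        $user = Get-ADUser -Identity $name -Properties LockedOut, LastLogonDate -ErrorAction Stop
    } catch {
        Write-Warning "Account '$name' not found: $($_.Exception.Message)"
        continue
    }
    $row = [ordered]@{
        Account   = $user.SamAccountName
        Enabled   = $user.Enabled
        LockedOut = $user.LockedOut
        LastLogon = $user.LastLogonDate
    }
    foreach ($g in $groups) {
        $row[$g] = $membership[$g] -contains $user.SamAccountName
    }
    [pscustomobject]$row
}

$report | Format-Table -AutoSize

# List every user in these groups so unexpected members stand out.
foreach ($g in $groups) {
    '{0}: {1}' -f $g, (($membership[$g] | Sort-Object) -join ', ')
}
```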
 

Author Comment

by:mikey250
ID: 39861045
Morning Mahesh, thanks for that useful info. Appreciated.
 

Author Closing Comment

by:mikey250
ID: 39861050
Sound advice. Appreciated.