Solved

dc logon & domain member logon query

Posted on 2014-02-06
Last Modified: 2014-02-15
hi, could i please get some advice regarding the below:

question 1.

when i run 'dcpromo' on the master dc, this is the same password i always use to logon to the domain controller obviously, but i always use this same username & password to logon to all the domain controllers and what i did not realise until recently is that if i save files in my documents where i always save stuff on my master dc, i can also logon with the same username & password on my domain member server and still see those same files i saved.  what i wanted to know is should i create a separate username & password to logon to each of the domain member servers so they have their own?

question 2.

as i logon to each domain member server which is the same 'username & password' as the domain controller, as i have not created any more, should i create a roaming folder just like i would for normal domain users?
Question by:mikey250

Accepted Solution

by:
Alex Green earned 668 total points
ID: 39838467
OK, I'm a little bit confused by the post however I'll try my best.

So you have a username and password you use to log onto the DCs; should you have a separate username and password for each DC? No, you should not.

Your files in My Documents are available on all servers; this is down to group policy and folder redirection. I wouldn't be too concerned about this.

No, you should not create a roaming profile for server-based accounts. It's not terrible but bad practice since you can fill up the C:\ quite quickly if you have a large roaming profile; also it'll increase your logon times to servers which you haven't logged onto previously.

Does that answer your question since I'm having a few issues understanding the question :(

Regards

Alex

Assisted Solution

by:Prashant Girennavar
Prashant Girennavar earned 668 total points
ID: 39838495
question 1.

answer :

Domain controllers don't have the local administrator account, i.e. they have the administrator account centralised and you can use this single account to log in to all the domain controllers. Keep in mind that the domain administrator account is not local; rather, it is a central one and can be used to log in to any domain controllers or member servers.

What I suspect in your case is that you are using this account to log in to the domain controllers and member servers, hence you are able to see My Documents information on all of them, since the account which you are using is not local.

Question 2

I think the first question answer will answer most of this question.

More info can be found on below article

what is roaming profile -- http://en.wikipedia.org/wiki/Roaming_user_profile

how to set roaming profile -- http://www.sfu.ca/ad/roaming_profiles.html

Let us know if you have more questions :)

Thanks,

-Prashant Girennavar.

Author Comment

by:mikey250
ID: 39838506
yes you are giving me the answers i wanted.

"so you have a username and password you use to log onto the dc's, should you have a separate username and password for each dc.  no you should not."

- i only have 1 single dc, but if i had 2 or more, no i would still use the same username & password - i'm ok with that as i was referring to my dc.

"your files in my documents are available on all servers, this is down to group policy and folder redirection, i wouldn't be too concerned about this."

 "no you should not create a roaming profile for server based accounts.  it's not terrible but bad practice since you can fill up the c:\ quite quickly if you have a large roaming profile, also it'll increase your logon times to servers which you haven't logged onto previously."

- ok that is ok as had to make sure.


because when i use the domain administrator logon, i do not create redirection/roaming folder, like i would with domain user accounts, so i assume this is normal as administrators have access to each server anyway by default....unless i wanted to track my domain admin logon of daily use, just like a domain user account...that's my understanding, but if i did want to track the administrator i assume looking in the event viewer for example is a way to do so.  so again i assume setting up a redirection/roaming folder for a domain admin is of no use.

question 1.  what if there was an issue with logging on with my domain admin logon on my master dc and i could maybe fix it or not, but i needed to change something for another user for example, then i assume when i use the same domain admin account to logon to a domain member server that this would have issues logging on as it is connected to the master dc?

Assisted Solution

by:Mahesh
Mahesh earned 664 total points
ID: 39839956
Since you have only a single DC, you can keep two accounts with domain admins privileges.
If anything wrong happens with one account, another account will take care of that.
Ensure that both accounts are members of the following groups:
Domain Admins,
Enterprise Admins,
built-in Administrators group,
Schema Admins

because if any account gets locked, you can have another account to unlock it.
However, note that the built-in domain administrator account never gets locked.

Also, it's better if you could keep one ADC as well if your user count is more than 50, to avoid major downtime in case of server hardware failure.

Mahesh
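
An added example, not part of Mahesh's answer: a PowerShell check using the ActiveDirectory module that reports whether two administrative accounts are in the four groups the answer lists, which other user accounts are in those groups, and whether either account is disabled or locked out. The account names `admin-primary` and `admin-backup` are placeholders assumed for illustration.

```powershell
# Requires the ActiveDirectory module (RSAT) and rights to read group membership.
Import-Module ActiveDirectory

# Assumed placeholder names; replace with the two real sAMAccountNames.
$accounts = @('admin-primary', 'admin-backup')

# The four groups named in the answer above.
$groups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')

$membership = foreach ($group in $groups) {
    # -Recursive expands nested groups, so indirect membership is counted too.
    $members = @(Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName)

    # One row per expected account, showing whether it is actually a member.
    foreach ($account in $accounts) {
        [pscustomobject]@{
            Group    = $group
            Account  = $account
            Listed   = $true      # one of the two accounts being checked
            IsMember = $members -contains $account
        }
    }

    # One row per additional member, so unexpected privileged accounts stand out.
    foreach ($other in ($members | Where-Object { $_ -notin $accounts })) {
        [pscustomobject]@{
            Group    = $group
            Account  = $other
            Listed   = $false
            IsMember = $true
        }
    }
}

$membership | Sort-Object Group, Account | Format-Table -AutoSize

# Account state: a locked or disabled account cannot be used to recover the other.
$accounts |
    ForEach-Object { Get-ADUser -Identity $_ -Properties LockedOut, LastLogonDate } |
    Select-Object SamAccountName, Enabled, LockedOut, LastLogonDate |
    Format-Table -AutoSize
```

Rows with `Listed = False` are accounts other than the two being checked; the built-in Administrator account will normally appear among them.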

Author Comment

by:mikey250
ID: 39861045
morning Mahesh thanks for that useful info.  appreciated.

Author Closing Comment

by:mikey250
ID: 39861050
sound advice.  appreciated.