SolvedPrivate

How to logon locally to an Active Directory Server

Posted on 2014-10-28
13
39 Views
Last Modified: 2016-02-25
Hello:

I recently closed a question regarding VEEAM Backup Software and Moving Virtual Servers from 1 host to another.  http://www.experts-exchange.com/Software/VMWare/Q_28544487.html

Everything is still work very well; but, i have a question about a topic that came up during this question.  Apparently, in the past, when VEEAM did a restore to an Active Directory Server or to an Exchange Server, that one needed to un-join the Windows Domain and then re-join the Domain.

My question is how can you logon locally to an Active Directory Domain controller?  I always thought that one cannot logon on the local side of a Domain controller.  That is one can only logon to the Domain side of a domain controller.

can someone clarify that for me?  Currently my work has the Main AD server also as the Exchange Server; hence, if we cannot logon locally to that Server and a restore is needed, the situation could be disastrous.

We are planning on migrating the Exchange mailboxes away from the current AD/Exchange Server into a new Exchange Server.  But that has not happened yet.

We use Windows 2008 R2 - 64-Bit for our AD and Exchange Server.   Again, my question is how can you logon locally to an Active Directory Domain controller?
0
Comment
Question by:Pkafkas
  • 7
  • 3
  • 2
  • +1
13 Comments
 
LVL 1

Author Comment

by:Pkafkas
ID: 40408884
I just spoke with VEEAM and they told me that this is an un-likely occurrence and if this would happen they would send me to the 'Situation 1' team.

I guess that is my plan for now; but, does anyone know of a way to logon locally to a Domain controller?  or am I missing something?
0
 
LVL 13

Expert Comment

by:Felix Leven
ID: 40408891
There is a Group Policy that allows the right "logon locally" and you can grant this right to any Group or user. By Default Administrators have the right to logon locally and some other buildin Groups too.

Check:
Default Domain Controllers Policy ->  Computer Configuration  -> Windows Setting  -> Security Settings -> Local Policies -> User Rights Assignment -> Log On Locally

http://support.microsoft.com/kb/234237/en-us
0
 
LVL 1

Author Comment

by:Pkafkas
ID: 40409191
I wil try logging in locally with my domain administrator account on 1 of our Domain Controllers.

I do not see that rule enabled.

locally
Locally_II
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 4

Expert Comment

by:Neeraj Kumar
ID: 40409962
Felix is right

You need to go to Domain controller organization unit and you will there Default domain controller policy , edit this policy by going in Computer configuration -> Windows Setting  -> Security Settings -> Local Policies -> User Rights Assignment -> Allow Log On Locally -> Add the user who need to logon locally on domain controller

The snapshot which you have attached above one point local group policy not Default domain controller policy
0
 
LVL 1

Author Comment

by:Pkafkas
ID: 40410824
OK, I found it.

logonlocal policy
It states that the built in 'administrators' group is included in the allowed users.  As is Domain Admins

group_builtin
So from the above oicj, built-in administrators group.  Theoretically speaking any user in this group shold be able to logon locally on the Domain controller?  Would a user need to be created on the local side to lgon locally to the server?
0
 
LVL 13

Expert Comment

by:Felix Leven
ID: 40410928
Theoretically speaking any user in this group shold be able to logon locally on the Domain controller?  
yes
Would a user need to be created on the local side to lgon locally to the server?
No
0
 
LVL 1

Author Comment

by:Pkafkas
ID: 40412067
So if I wanted to logon to the Domain Controller (Virtual Server - VMware) and lets say that the network card was removed.  Theoretically speaking, I can logon locally as any user in that group.  But how would I attempt to logon locally?

Would I just logon as if I was logging on to the Domain even though I could not because the network card weas removed?  What is the step by step process and I will try that out.

1.  DC is up; but, when I click cntrl - alt - insert I logon how to the Virtual Server?
0
 
LVL 1

Expert Comment

by:Dale McKay
ID: 40412480
1.) Make sure the local "administrator" account is not disabled.

2.) Make sure you know the password for the local "administrator" account

Logging onto(into) using the local administrator account shouldn't be an issue if the domain is not available.
0
 
LVL 1

Author Comment

by:Pkafkas
ID: 40414701
There is no local administrator account on that server, it is a Domain controller.

If I browse out to control panel and 'manage accounts'.  I do not see any accounts that are local to the server.  I only see accounts that are on the network.
0
 
LVL 1

Expert Comment

by:Dale McKay
ID: 40414750
Guess I lost sight of the issue that you were trying to solve. The local accounts will only come into play once you do dcpromo to remove the DC functionality.

Not sure that was the question you originally asked.
0
 
LVL 1

Author Comment

by:Pkafkas
ID: 40414909
So if I wanted to logon to the Domain Controller (Virtual Server - VMware) and lets say that the network card was removed.  Theoretically speaking, I can logon locally as any user in that group.  But how would I attempt to logon locally?

Would I just logon as if I was logging on to the Domain even though I could not because the network card weas removed?  What is the step by step process and I will try that out.

1.  DC is up; but, when I click cntrl - alt - insert I logon how to the Virtual Server?
0
 
LVL 1

Author Comment

by:Pkafkas
ID: 40422261
Am I correct taht one cannot logon locally on a Microsoft Windows 20018 R2 Domain Controller?
0
 
LVL 13

Accepted Solution

by:
Felix Leven earned 500 total points
ID: 40422313
After DCPROMO (install/configure Active Directory), the server no longer uses the local account (Security Accounts Manager [SAM]) database.

Again, No local user database is available on the DC after DCpromo.

About the GPO and the "Local Logon" RIght
On a DC it allows a Domain user account to:

Logons initiated by pressing CTRL+ALT+DEL sequence on the attached keyboard requires the user to have this logon right.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question