SolvedPrivate

How to logon locally to an Active Directory Server

Posted on 2014-10-28
13
28 Views
Last Modified: 2016-02-25
Hello:

I recently closed a question regarding VEEAM Backup Software and Moving Virtual Servers from 1 host to another.  http://www.experts-exchange.com/Software/VMWare/Q_28544487.html

Everything is still work very well; but, i have a question about a topic that came up during this question.  Apparently, in the past, when VEEAM did a restore to an Active Directory Server or to an Exchange Server, that one needed to un-join the Windows Domain and then re-join the Domain.

My question is how can you logon locally to an Active Directory Domain controller?  I always thought that one cannot logon on the local side of a Domain controller.  That is one can only logon to the Domain side of a domain controller.

can someone clarify that for me?  Currently my work has the Main AD server also as the Exchange Server; hence, if we cannot logon locally to that Server and a restore is needed, the situation could be disastrous.

We are planning on migrating the Exchange mailboxes away from the current AD/Exchange Server into a new Exchange Server.  But that has not happened yet.

We use Windows 2008 R2 - 64-Bit for our AD and Exchange Server.   Again, my question is how can you logon locally to an Active Directory Domain controller?
0
Comment
Question by:Pkafkas
  • 7
  • 3
  • 2
  • +1
13 Comments
 
LVL 1

Author Comment

by:Pkafkas
ID: 40408884
I just spoke with VEEAM and they told me that this is an un-likely occurrence and if this would happen they would send me to the 'Situation 1' team.

I guess that is my plan for now; but, does anyone know of a way to logon locally to a Domain controller?  or am I missing something?
0
 
LVL 13

Expert Comment

by:Felix Leven
ID: 40408891
There is a Group Policy that allows the right "logon locally" and you can grant this right to any Group or user. By Default Administrators have the right to logon locally and some other buildin Groups too.

Check:
Default Domain Controllers Policy ->  Computer Configuration  -> Windows Setting  -> Security Settings -> Local Policies -> User Rights Assignment -> Log On Locally

http://support.microsoft.com/kb/234237/en-us
0
 
LVL 1

Author Comment

by:Pkafkas
ID: 40409191
I wil try logging in locally with my domain administrator account on 1 of our Domain Controllers.

I do not see that rule enabled.

locally
Locally_II
0
 
LVL 4

Expert Comment

by:Neeraj Kumar
ID: 40409962
Felix is right

You need to go to Domain controller organization unit and you will there Default domain controller policy , edit this policy by going in Computer configuration -> Windows Setting  -> Security Settings -> Local Policies -> User Rights Assignment -> Allow Log On Locally -> Add the user who need to logon locally on domain controller

The snapshot which you have attached above one point local group policy not Default domain controller policy
0
 
LVL 1

Author Comment

by:Pkafkas
ID: 40410824
OK, I found it.

logonlocal policy
It states that the built in 'administrators' group is included in the allowed users.  As is Domain Admins

group_builtin
So from the above oicj, built-in administrators group.  Theoretically speaking any user in this group shold be able to logon locally on the Domain controller?  Would a user need to be created on the local side to lgon locally to the server?
0
 
LVL 13

Expert Comment

by:Felix Leven
ID: 40410928
Theoretically speaking any user in this group shold be able to logon locally on the Domain controller?  
yes
Would a user need to be created on the local side to lgon locally to the server?
No
0
 
LVL 1

Author Comment

by:Pkafkas
ID: 40412067
So if I wanted to logon to the Domain Controller (Virtual Server - VMware) and lets say that the network card was removed.  Theoretically speaking, I can logon locally as any user in that group.  But how would I attempt to logon locally?

Would I just logon as if I was logging on to the Domain even though I could not because the network card weas removed?  What is the step by step process and I will try that out.

1.  DC is up; but, when I click cntrl - alt - insert I logon how to the Virtual Server?
0
 
LVL 1

Expert Comment

by:Dale McKay
ID: 40412480
1.) Make sure the local "administrator" account is not disabled.

2.) Make sure you know the password for the local "administrator" account

Logging onto(into) using the local administrator account shouldn't be an issue if the domain is not available.
0
 
LVL 1

Author Comment

by:Pkafkas
ID: 40414701
There is no local administrator account on that server, it is a Domain controller.

If I browse out to control panel and 'manage accounts'.  I do not see any accounts that are local to the server.  I only see accounts that are on the network.
0
 
LVL 1

Expert Comment

by:Dale McKay
ID: 40414750
Guess I lost sight of the issue that you were trying to solve. The local accounts will only come into play once you do dcpromo to remove the DC functionality.

Not sure that was the question you originally asked.
0
 
LVL 1

Author Comment

by:Pkafkas
ID: 40414909
So if I wanted to logon to the Domain Controller (Virtual Server - VMware) and lets say that the network card was removed.  Theoretically speaking, I can logon locally as any user in that group.  But how would I attempt to logon locally?

Would I just logon as if I was logging on to the Domain even though I could not because the network card weas removed?  What is the step by step process and I will try that out.

1.  DC is up; but, when I click cntrl - alt - insert I logon how to the Virtual Server?
0
 
LVL 1

Author Comment

by:Pkafkas
ID: 40422261
Am I correct taht one cannot logon locally on a Microsoft Windows 20018 R2 Domain Controller?
0
 
LVL 13

Accepted Solution

by:
Felix Leven earned 500 total points
ID: 40422313
After DCPROMO (install/configure Active Directory), the server no longer uses the local account (Security Accounts Manager [SAM]) database.

Again, No local user database is available on the DC after DCpromo.

About the GPO and the "Local Logon" RIght
On a DC it allows a Domain user account to:

Logons initiated by pressing CTRL+ALT+DEL sequence on the attached keyboard requires the user to have this logon right.
0

Join & Write a Comment

This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently changeā€¦
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlleā€¦

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now