SolvedPrivate

How to logon locally to an Active Directory Server

Posted on 2014-10-28
13
35 Views
Last Modified: 2016-02-25
Hello:

I recently closed a question regarding VEEAM Backup Software and Moving Virtual Servers from 1 host to another.  http://www.experts-exchange.com/Software/VMWare/Q_28544487.html

Everything is still work very well; but, i have a question about a topic that came up during this question.  Apparently, in the past, when VEEAM did a restore to an Active Directory Server or to an Exchange Server, that one needed to un-join the Windows Domain and then re-join the Domain.

My question is how can you logon locally to an Active Directory Domain controller?  I always thought that one cannot logon on the local side of a Domain controller.  That is one can only logon to the Domain side of a domain controller.

can someone clarify that for me?  Currently my work has the Main AD server also as the Exchange Server; hence, if we cannot logon locally to that Server and a restore is needed, the situation could be disastrous.

We are planning on migrating the Exchange mailboxes away from the current AD/Exchange Server into a new Exchange Server.  But that has not happened yet.

We use Windows 2008 R2 - 64-Bit for our AD and Exchange Server.   Again, my question is how can you logon locally to an Active Directory Domain controller?
0
Comment
Question by:Pkafkas
  • 7
  • 3
  • 2
  • +1
13 Comments
 
LVL 1

Author Comment

by:Pkafkas
ID: 40408884
I just spoke with VEEAM and they told me that this is an un-likely occurrence and if this would happen they would send me to the 'Situation 1' team.

I guess that is my plan for now; but, does anyone know of a way to logon locally to a Domain controller?  or am I missing something?
0
 
LVL 13

Expert Comment

by:Felix Leven
ID: 40408891
There is a Group Policy that allows the right "logon locally" and you can grant this right to any Group or user. By Default Administrators have the right to logon locally and some other buildin Groups too.

Check:
Default Domain Controllers Policy ->  Computer Configuration  -> Windows Setting  -> Security Settings -> Local Policies -> User Rights Assignment -> Log On Locally

http://support.microsoft.com/kb/234237/en-us
0
 
LVL 1

Author Comment

by:Pkafkas
ID: 40409191
I wil try logging in locally with my domain administrator account on 1 of our Domain Controllers.

I do not see that rule enabled.

locally
Locally_II
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 4

Expert Comment

by:Neeraj Kumar
ID: 40409962
Felix is right

You need to go to Domain controller organization unit and you will there Default domain controller policy , edit this policy by going in Computer configuration -> Windows Setting  -> Security Settings -> Local Policies -> User Rights Assignment -> Allow Log On Locally -> Add the user who need to logon locally on domain controller

The snapshot which you have attached above one point local group policy not Default domain controller policy
0
 
LVL 1

Author Comment

by:Pkafkas
ID: 40410824
OK, I found it.

logonlocal policy
It states that the built in 'administrators' group is included in the allowed users.  As is Domain Admins

group_builtin
So from the above oicj, built-in administrators group.  Theoretically speaking any user in this group shold be able to logon locally on the Domain controller?  Would a user need to be created on the local side to lgon locally to the server?
0
 
LVL 13

Expert Comment

by:Felix Leven
ID: 40410928
Theoretically speaking any user in this group shold be able to logon locally on the Domain controller?  
yes
Would a user need to be created on the local side to lgon locally to the server?
No
0
 
LVL 1

Author Comment

by:Pkafkas
ID: 40412067
So if I wanted to logon to the Domain Controller (Virtual Server - VMware) and lets say that the network card was removed.  Theoretically speaking, I can logon locally as any user in that group.  But how would I attempt to logon locally?

Would I just logon as if I was logging on to the Domain even though I could not because the network card weas removed?  What is the step by step process and I will try that out.

1.  DC is up; but, when I click cntrl - alt - insert I logon how to the Virtual Server?
0
 
LVL 1

Expert Comment

by:Dale McKay
ID: 40412480
1.) Make sure the local "administrator" account is not disabled.

2.) Make sure you know the password for the local "administrator" account

Logging onto(into) using the local administrator account shouldn't be an issue if the domain is not available.
0
 
LVL 1

Author Comment

by:Pkafkas
ID: 40414701
There is no local administrator account on that server, it is a Domain controller.

If I browse out to control panel and 'manage accounts'.  I do not see any accounts that are local to the server.  I only see accounts that are on the network.
0
 
LVL 1

Expert Comment

by:Dale McKay
ID: 40414750
Guess I lost sight of the issue that you were trying to solve. The local accounts will only come into play once you do dcpromo to remove the DC functionality.

Not sure that was the question you originally asked.
0
 
LVL 1

Author Comment

by:Pkafkas
ID: 40414909
So if I wanted to logon to the Domain Controller (Virtual Server - VMware) and lets say that the network card was removed.  Theoretically speaking, I can logon locally as any user in that group.  But how would I attempt to logon locally?

Would I just logon as if I was logging on to the Domain even though I could not because the network card weas removed?  What is the step by step process and I will try that out.

1.  DC is up; but, when I click cntrl - alt - insert I logon how to the Virtual Server?
0
 
LVL 1

Author Comment

by:Pkafkas
ID: 40422261
Am I correct taht one cannot logon locally on a Microsoft Windows 20018 R2 Domain Controller?
0
 
LVL 13

Accepted Solution

by:
Felix Leven earned 500 total points
ID: 40422313
After DCPROMO (install/configure Active Directory), the server no longer uses the local account (Security Accounts Manager [SAM]) database.

Again, No local user database is available on the DC after DCpromo.

About the GPO and the "Local Logon" RIght
On a DC it allows a Domain user account to:

Logons initiated by pressing CTRL+ALT+DEL sequence on the attached keyboard requires the user to have this logon right.
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
An article on effective troubleshooting
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question