How to logon locally to an Active Directory Server

Hello:

I recently closed a question regarding VEEAM Backup Software and Moving Virtual Servers from 1 host to another.  http://www.experts-exchange.com/Software/VMWare/Q_28544487.html

Everything is still work very well; but, i have a question about a topic that came up during this question.  Apparently, in the past, when VEEAM did a restore to an Active Directory Server or to an Exchange Server, that one needed to un-join the Windows Domain and then re-join the Domain.

My question is how can you logon locally to an Active Directory Domain controller?  I always thought that one cannot logon on the local side of a Domain controller.  That is one can only logon to the Domain side of a domain controller.

can someone clarify that for me?  Currently my work has the Main AD server also as the Exchange Server; hence, if we cannot logon locally to that Server and a restore is needed, the situation could be disastrous.

We are planning on migrating the Exchange mailboxes away from the current AD/Exchange Server into a new Exchange Server.  But that has not happened yet.

We use Windows 2008 R2 - 64-Bit for our AD and Exchange Server.   Again, my question is how can you logon locally to an Active Directory Domain controller?
LVL 1
PkafkasNetwork EngineerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

PkafkasNetwork EngineerAuthor Commented:
I just spoke with VEEAM and they told me that this is an un-likely occurrence and if this would happen they would send me to the 'Situation 1' team.

I guess that is my plan for now; but, does anyone know of a way to logon locally to a Domain controller?  or am I missing something?
0
Felix LevenSenior System and DatabaseadministratorCommented:
There is a Group Policy that allows the right "logon locally" and you can grant this right to any Group or user. By Default Administrators have the right to logon locally and some other buildin Groups too.

Check:
Default Domain Controllers Policy ->  Computer Configuration  -> Windows Setting  -> Security Settings -> Local Policies -> User Rights Assignment -> Log On Locally

http://support.microsoft.com/kb/234237/en-us
0
PkafkasNetwork EngineerAuthor Commented:
I wil try logging in locally with my domain administrator account on 1 of our Domain Controllers.

I do not see that rule enabled.

locally
Locally_II
0
Neeraj KumarSystem adminCommented:
Felix is right

You need to go to Domain controller organization unit and you will there Default domain controller policy , edit this policy by going in Computer configuration -> Windows Setting  -> Security Settings -> Local Policies -> User Rights Assignment -> Allow Log On Locally -> Add the user who need to logon locally on domain controller

The snapshot which you have attached above one point local group policy not Default domain controller policy
0
PkafkasNetwork EngineerAuthor Commented:
OK, I found it.

logonlocal policy
It states that the built in 'administrators' group is included in the allowed users.  As is Domain Admins

group_builtin
So from the above oicj, built-in administrators group.  Theoretically speaking any user in this group shold be able to logon locally on the Domain controller?  Would a user need to be created on the local side to lgon locally to the server?
0
Felix LevenSenior System and DatabaseadministratorCommented:
Theoretically speaking any user in this group shold be able to logon locally on the Domain controller?  
yes
Would a user need to be created on the local side to lgon locally to the server?
No
0
PkafkasNetwork EngineerAuthor Commented:
So if I wanted to logon to the Domain Controller (Virtual Server - VMware) and lets say that the network card was removed.  Theoretically speaking, I can logon locally as any user in that group.  But how would I attempt to logon locally?

Would I just logon as if I was logging on to the Domain even though I could not because the network card weas removed?  What is the step by step process and I will try that out.

1.  DC is up; but, when I click cntrl - alt - insert I logon how to the Virtual Server?
0
Dale McKayGlobal Principal ArchitectCommented:
1.) Make sure the local "administrator" account is not disabled.

2.) Make sure you know the password for the local "administrator" account

Logging onto(into) using the local administrator account shouldn't be an issue if the domain is not available.
0
PkafkasNetwork EngineerAuthor Commented:
There is no local administrator account on that server, it is a Domain controller.

If I browse out to control panel and 'manage accounts'.  I do not see any accounts that are local to the server.  I only see accounts that are on the network.
0
Dale McKayGlobal Principal ArchitectCommented:
Guess I lost sight of the issue that you were trying to solve. The local accounts will only come into play once you do dcpromo to remove the DC functionality.

Not sure that was the question you originally asked.
0
PkafkasNetwork EngineerAuthor Commented:
So if I wanted to logon to the Domain Controller (Virtual Server - VMware) and lets say that the network card was removed.  Theoretically speaking, I can logon locally as any user in that group.  But how would I attempt to logon locally?

Would I just logon as if I was logging on to the Domain even though I could not because the network card weas removed?  What is the step by step process and I will try that out.

1.  DC is up; but, when I click cntrl - alt - insert I logon how to the Virtual Server?
0
PkafkasNetwork EngineerAuthor Commented:
Am I correct taht one cannot logon locally on a Microsoft Windows 20018 R2 Domain Controller?
0
Felix LevenSenior System and DatabaseadministratorCommented:
After DCPROMO (install/configure Active Directory), the server no longer uses the local account (Security Accounts Manager [SAM]) database.

Again, No local user database is available on the DC after DCpromo.

About the GPO and the "Local Logon" RIght
On a DC it allows a Domain user account to:

Logons initiated by pressing CTRL+ALT+DEL sequence on the attached keyboard requires the user to have this logon right.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.