
Admin has lost ability to RDP to DC


  • Admin has lost ability to RDP to DC

    Hi all. I was trying to install BES (which, by the way, seemingly went OK, but I had to remove it for other issues) when this issue began. After rebooting my two DCs I can now no longer log in via RDP/term with my domain administrator account. I have other servers (terminal servers, etc.) that the domain admin can RDP into just fine, but both of my DCs give me the "to log on to this remote computer you must be granted the allow on thru terminal services right.....". I find this very odd. When I go check RDP users in Builtin in AD, Administrator is there of course, which gives it the terminal services right by default. Funny thing is I can't add my own user ID or anyone else's to either DC. I get the message 'the domain may be missing or inaccessible'. If this was LAN wide I'd be extremely worried. It's bad enough that I can't get into my DCs remotely with admin; don't care so much about the other users yet. Any thoughts or ideas? I'm still looking but coming up empty. Seems it should be a basic fix.

  • #2
    Re: Admin has lost ability to RDP to DC

    Where did you install BES?

    Why did you reboot the domain controllers?

    The fact that on the domain controllers, it says cannot find domain, concerns me.

    How recent, and how tested, are your backups ?
    Please do show your appreciation to those who assist you by leaving Rep Point



    • #3
      Re: Admin has lost ability to RDP to DC

      Originally posted by tehcamel View Post
      where did you install BES.

      I installed BESE on the exchange server itself.

      Why did you reboot the domain controllers.

      I rebooted the DC to remove BESE when I uninstalled it.

      The fact that on the domain controllers, it says cannot find domain, concerns me.

      Yeah. Weird. I have looked in some logs and found 1030 and 1058 errors. Also found a DNS error saying it can't talk to AD. So I followed a doc and restarted DNS. All logs look good so far.

      How recent, and how tested, are your backups ?
      Backups are done nightly, but the problem is this isn't domain wide. I can log into all my other servers, and my domain admin can log into the DC as long as it's done locally.



      • #4
        Re: Admin has lost ability to RDP to DC

        run dcdiag, and see if it tells you anything


        • #5
          Re: Admin has lost ability to RDP to DC

          It is possible the sec policy on the DC was modified during the BES install. It is REALLY not recommended to do this. However, as was mentioned, DCDIAG can tell you a thing or two.

          You can also check at the console level if you can even log in there, does the domain list populate on the logon screen either way?



          • #6
            Re: Admin has lost ability to RDP to DC

            Originally posted by tehcamel View Post
            run dcdiag, and see if it tells you anything
            Ok. I ran dcdiag. I'm new to this whole AD thing but I see two errors I don't understand. Maybe it makes sense to you guys. I ran this on a 2008 server R2:
            Code:
            Microsoft Windows [Version 6.0.6002]
            Copyright (c) 2006 Microsoft Corporation.  All rights reserved.
            
            C:\Users\administrator.CHM>cd\
            
            C:\>dcdiag
            
            Directory Server Diagnosis
            
            Performing initial setup:
               Trying to find home server...
               Home Server = exchange
               * Identified AD Forest.
               Done gathering initial info.
            
            Doing initial required tests
            
               Testing server: Default-First-Site-Name\EXCHANGE
                  Starting test: Connectivity
                     ......................... EXCHANGE passed test Connectivity
            
            Doing primary tests
            
               Testing server: Default-First-Site-Name\EXCHANGE
                  Starting test: Advertising
                     Warning: EXCHANGE is not advertising as a time server.
                     ......................... EXCHANGE failed test Advertising
                  Starting test: FrsEvent
                     There are warning or error events within the last 24 hours after the
                     SYSVOL has been shared.  Failing SYSVOL replication problems may cause
                     Group Policy problems.
                     ......................... EXCHANGE passed test FrsEvent
                  Starting test: DFSREvent
                     ......................... EXCHANGE passed test DFSREvent
                  Starting test: SysVolCheck
                     ......................... EXCHANGE passed test SysVolCheck
                  Starting test: KccEvent
                     ......................... EXCHANGE passed test KccEvent
                  Starting test: KnowsOfRoleHolders
                     ......................... EXCHANGE passed test KnowsOfRoleHolders
                  Starting test: MachineAccount
                     ......................... EXCHANGE passed test MachineAccount
                  Starting test: NCSecDesc
                     Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                        Replicating Directory Changes In Filtered Set
                     access rights for the naming context:
                     DC=ForestDnsZones,DC=CHM,DC=LAN
                     Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                        Replicating Directory Changes In Filtered Set
                     access rights for the naming context:
                     DC=DomainDnsZones,DC=CHM,DC=LAN
                     ......................... EXCHANGE failed test NCSecDesc
                  Starting test: NetLogons
                     ......................... EXCHANGE passed test NetLogons
                  Starting test: ObjectsReplicated
                     ......................... EXCHANGE passed test ObjectsReplicated
                  Starting test: Replications
                     ......................... EXCHANGE passed test Replications
                  Starting test: RidManager
                     ......................... EXCHANGE passed test RidManager
                  Starting test: Services
                     ......................... EXCHANGE passed test Services
                  Starting test: SystemLog
                     ......................... EXCHANGE passed test SystemLog
                  Starting test: VerifyReferences
                     ......................... EXCHANGE passed test VerifyReferences
            
            
               Running partition tests on : ForestDnsZones
                  Starting test: CheckSDRefDom
                     ......................... ForestDnsZones passed test CheckSDRefDom
                  Starting test: CrossRefValidation
                     ......................... ForestDnsZones passed test
                     CrossRefValidation
            
               Running partition tests on : DomainDnsZones
                  Starting test: CheckSDRefDom
                     ......................... DomainDnsZones passed test CheckSDRefDom
                  Starting test: CrossRefValidation
                     ......................... DomainDnsZones passed test
                     CrossRefValidation
            
               Running partition tests on : Schema
                  Starting test: CheckSDRefDom
                     ......................... Schema passed test CheckSDRefDom
                  Starting test: CrossRefValidation
                     ......................... Schema passed test CrossRefValidation
            
               Running partition tests on : Configuration
                  Starting test: CheckSDRefDom
                     ......................... Configuration passed test CheckSDRefDom
                  Starting test: CrossRefValidation
                     ......................... Configuration passed test CrossRefValidation
            
               Running partition tests on : CHM
                  Starting test: CheckSDRefDom
                     ......................... CHM passed test CheckSDRefDom
                  Starting test: CrossRefValidation
                     ......................... CHM passed test CrossRefValidation
            
               Running enterprise tests on : CHM.LAN
                  Starting test: LocatorCheck
                     ......................... CHM.LAN passed test LocatorCheck
                  Starting test: Intersite
                     ......................... CHM.LAN passed test Intersite
            
            C:\>
            Last edited by Ossian; 25th June 2010, 18:48. Reason: Mod added CODE tags

            Comment
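A small parser for the dcdiag output quoted in the post above, added here as an example and not part of the original thread: it pairs each test with its verdict and the detail lines printed before it, so the two failures (Advertising, NCSecDesc) and the FrsEvent warning stand out. The sample text is an excerpt of that output; the function names are this example's own.

```python
import re

# Constructed sample: excerpt of the dcdiag output quoted in the post above,
# including a verdict line that wraps before the test name.
SAMPLE = """\
      Starting test: Advertising
         Warning: EXCHANGE is not advertising as a time server.
         ......................... EXCHANGE failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... EXCHANGE passed test FrsEvent
      Starting test: NCSecDesc
         Error NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=CHM,DC=LAN
         ......................... EXCHANGE failed test NCSecDesc
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
"""

START = re.compile(r"^\s*Starting test:\s*(\S+)")
VERDICT = re.compile(r"^\s*\.{5,}\s*(\S+) (passed|failed) test\b")

def parse_dcdiag(text):
    """Return one dict per test: name, target, verdict, and detail lines."""
    results, current = [], None
    for line in text.splitlines():
        if m := START.match(line):
            current = {"test": m.group(1), "target": None, "verdict": None, "detail": []}
            results.append(current)
        elif current is None:
            continue  # header text before the first test
        elif m := VERDICT.match(line):
            current["target"], current["verdict"] = m.group(1), m.group(2)
        elif current["verdict"] is None and line.strip():
            current["detail"].append(line.strip())  # text printed before the verdict
    return results

def needs_attention(results):
    """Tests that failed, plus tests that passed but still logged detail lines."""
    return [r for r in results if r["verdict"] == "failed" or r["detail"]]

for r in needs_attention(parse_dcdiag(SAMPLE)):
    print(f'{r["verdict"]:6} {r["test"]:12} {" ".join(r["detail"])}')
```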


            • #7
              Re: Admin has lost ability to RDP to DC

              Did you try to login with the local admin account ?(2)
              Perhaps you forgot to specify the domain to which you wanted to login
              or perhaps your local admin has right to logon remotely and you should try that.

              Do you have physical access to the machine ?

              Btw I don't know about other people, but I like as much information as possible. I don't like guesswork..
              Please give points where appropriate

              <I dont create ready scripts for you, but I'm willing to point you in the right direction>



              • #8
                Re: Admin has lost ability to RDP to DC

                Originally posted by Silver23 View Post
                Did you try to login with the local admin account
                As I understand it, the problem occurs when logging onto a DC, not a member server or workstation; as such it doesn't have a local admin account.
                Gareth Howells

                BSc (Hons), MBCS, MCP, MCDST, ICCE

                Any advice is given in good faith and without warranty.

                Please give reputation points if somebody has helped you.

                "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

                "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



                • #9
                  Re: Admin has lost ability to RDP to DC

                  Originally posted by gforceindustries View Post
                  As I understand it, the problem occurs when logging onto a DC, not a member server or workstation; as such it doesn't have a local admin account.
                  That is correct. I was just looking just to be sure. As such, since I can't edit my GP at all, this has turned into a two-fold issue: can't access either one of my DCs remotely and cannot edit GP.



                  • #10
                    Re: Admin has lost ability to RDP to DC

                    Originally posted by gforceindustries View Post
                    As I understand it, the problem occurs when logging onto a DC, not a member server or workstation; as such it doesn't have a local admin account.
                    Yea duh! Try remote desktopping to a DC without specifying your domain you'll see a nice Access is Denied message..

                    But that's not helping anyway..
                    Last edited by Silver23; 25th June 2010, 21:11.


                    • #11
                      Re: Admin has lost ability to RDP to DC

                      Originally posted by Silver23 View Post
                      Yea duh! Try remote desktopping to a DC without specifying your domain you'll see a nice Access is Denied message..
                      yep! well, in my case it's the whole "make sure you are added to the log on locally..." message which.... I can't do



                      • #12
                        Re: Admin has lost ability to RDP to DC

                        gossett, please can you answer the rest of tehcamel's questions - where did you install BES, and why did you reboot the DCs?

                        We know that you can't login via Remote Desktop, but can you log in when sat in front of the console?

                        Originally posted by Silver23 View Post
                        Yea duh! Try remote desktopping to a DC without specifying your domain you'll see a nice Access is Denied message..
                        If you don't specify the domain, then it uses the DC's domain. Or at least, that's what has happened every time I've done it. I have never had "access denied" after not specifying the domain.
                        Gareth Howells



                        • #13
                          Re: Admin has lost ability to RDP to DC

                          Wait, you can't log on to the console as well? Hmm, that makes it slightly harder I suppose.

                          Do you have group management policies installed on a client computer?
                          If so, you can still run that as a domain admin. That way you could resolve your problem by checking the policies applied and changing them..

                          =-) being slightly more helpful mode


                          Just for clarification if anyone doesn't follow: the only reason any groups grant you remote desktop privileges is because it is defined so in a group policy.
                          Which in turn probably writes some registry key in binary in your registry =-)
                          Last edited by Silver23; 25th June 2010, 21:18.

                          Comment
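The post above says the Remote Desktop logon right comes from policy rather than from group membership alone. As an added example (not from the thread), this checks the `SeRemoteInteractiveLogonRight` and `SeDenyRemoteInteractiveLogonRight` entries of a `secedit /export /areas USER_RIGHTS` template against an account's SIDs; the domain SIDs, both sample templates and the function names are constructed for illustration.

```python
# Constructed samples in the format written by
# `secedit /export /areas USER_RIGHTS /cfg rights.inf` (values are made up).
BROKEN = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1601
[Version]
signature="$CHICAGO$"
"""
# Corrected form: BUILTIN\Administrators (S-1-5-32-544) holds the right again.
FIXED = BROKEN.replace(
    "SeRemoteInteractiveLogonRight = ",
    "SeRemoteInteractiveLogonRight = *S-1-5-32-544,")

# Constructed token of a domain admin: user SID, Domain Admins, Administrators.
ADMIN_TOKEN = ["S-1-5-21-1111111111-2222222222-3333333333-500",
               "S-1-5-21-1111111111-2222222222-3333333333-512",
               "S-1-5-32-544"]
ALLOW, DENY = "SeRemoteInteractiveLogonRight", "SeDenyRemoteInteractiveLogonRight"

def privilege_rights(inf_text):
    """Map each right in [Privilege Rights] to its set of SIDs/account names."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {v.strip().lstrip("*").upper()
                                    for v in value.split(",") if v.strip()}
    return rights

def rdp_logon_verdict(inf_text, token_sids):
    """Evaluate the RDP logon right for an account's SIDs (user plus groups)."""
    rights = privilege_rights(inf_text)
    token = {s.upper() for s in token_sids}
    if rights.get(DENY, set()) & token:
        return "denied: explicit deny"  # a deny entry wins over any allow entry
    if ALLOW not in rights:
        return "not defined in this template"
    return "allowed" if rights[ALLOW] & token else "denied: right not granted"
```

secedit writes its export as UTF-16, so read a real file with `open(path, encoding="utf-16")` before passing the text in.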


                          • #14
                            Re: Admin has lost ability to RDP to DC

                            Originally posted by gforceindustries View Post
                            gossett, please can you answer the rest of tehcamel's questions - where did you install BES, and why did you reboot the DCs?

                            We know that you can't login via Remote Desktop, but can you log in when sat in front of the console?
                            .
                            I think he answered your question with the last error he gave me..
                            Please give points where appropriate

                            <I dont create ready scripts for you, but I'm willing to point you in the right direction>
