Admin has lost ability to RDP to DC


This topic contains 13 replies, has 5 voices, and was last updated by Anonymous 9 years, 4 months ago.

    gossett
    Member
    #149747

    Hi all. I was trying to install BES (which by the way went OK seemingly, but I had to remove for other issues) when this issue began. After rebooting my two DCs I can now no longer log in via RDP/term with my domain administrator account. I have other servers (terminal servers, etc.) that the domain admin can RDP into just fine, but both of my DCs give me the “to log on to this remote computer you must be granted the allow on thru terminal services right…..”. I find this very odd. When I go check RDP users in built-in in AD, Administrator is there of course, which gives it terminal services right by default. Funny thing is I can’t add my own user ID or anyone else’s to either DC. I get the message ‘the domain may be missing or inaccessible’. If this was LAN wide I’d be extremely worried. It’s bad enough that I can’t get into my DCs remotely with admin; don’t care so much about the other users yet. Any thoughts or ideas? I’m still looking but coming up empty. Seems it should be a basic fix.

    tehcamel
    Moderator
    #356043

    Re: Admin has lost ability to RDP to DC

    Where did you install BES?

    Why did you reboot the domain controllers?

    The fact that on the domain controllers it says cannot find domain concerns me.

    How recent, and how tested, are your backups?

    gossett
    Member
    #361457

    Re: Admin has lost ability to RDP to DC

    tehcamel;209143 wrote:
    Where did you install BES?

    I installed BESE on the Exchange server itself.

    Why did you reboot the domain controllers?

    I rebooted the DC to remove BESE when I uninstalled it.

    The fact that on the domain controllers it says cannot find domain concerns me.

    Yeah. Weird. I have looked in some logs and found 1030 and 1058 errors. Also found a DNS error saying it can’t talk to AD. So I followed a doc and restarted DNS. All logs look good so far.

    How recent, and how tested, are your backups?

    Backups are done nightly, but the problem is this isn’t domain wide. I can log into all my other servers, and my domain admin can log into the DC as long as it’s done locally.

    tehcamel
    Moderator
    #356045

    Re: Admin has lost ability to RDP to DC

    run dcdiag, and see if it tells you anything

    Anonymous
    #374274

    Re: Admin has lost ability to RDP to DC

    It is possible the sec policy on the DC was modified during the BES install. It is REALLY not recommended to do this. However, as was mentioned, DCDIAG can tell you a thing or two.

    You can also check at the console level if you can even log in there. Does the domain list populate on the logon screen either way?

    gossett
    Member
    #361458

    Re: Admin has lost ability to RDP to DC

    tehcamel;209150 wrote:
    run dcdiag, and see if it tells you anything

    OK. I ran dcdiag. I’m new to this whole AD thing but I see two errors I don’t understand. Maybe it makes sense to you guys. I ran this on a 2008 server R2:

    Microsoft Windows [Version 6.0.6002]
    Copyright (c) 2006 Microsoft Corporation. All rights reserved.

    C:\Users\administrator.CHM>cd \

    C:\>dcdiag

    Directory Server Diagnosis

    Performing initial setup:
    Trying to find home server…
    Home Server = exchange
    * Identified AD Forest.
    Done gathering initial info.

    Doing initial required tests

    Testing server: Default-First-Site-Name\EXCHANGE
    Starting test: Connectivity
    ……………………. EXCHANGE passed test Connectivity

    Doing primary tests

    Testing server: Default-First-Site-Name\EXCHANGE
    Starting test: Advertising
    Warning: EXCHANGE is not advertising as a time server.
    ……………………. EXCHANGE failed test Advertising
    Starting test: FrsEvent
    There are warning or error events within the last 24 hours after the
    SYSVOL has been shared. Failing SYSVOL replication problems may cause
    Group Policy problems.
    ……………………. EXCHANGE passed test FrsEvent
    Starting test: DFSREvent
    ……………………. EXCHANGE passed test DFSREvent
    Starting test: SysVolCheck
    ……………………. EXCHANGE passed test SysVolCheck
    Starting test: KccEvent
    ……………………. EXCHANGE passed test KccEvent
    Starting test: KnowsOfRoleHolders
    ……………………. EXCHANGE passed test KnowsOfRoleHolders
    Starting test: MachineAccount
    ……………………. EXCHANGE passed test MachineAccount
    Starting test: NCSecDesc
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn’t have
    Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=ForestDnsZones,DC=CHM,DC=LAN
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn’t have
    Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=DomainDnsZones,DC=CHM,DC=LAN
    ……………………. EXCHANGE failed test NCSecDesc
    Starting test: NetLogons
    ……………………. EXCHANGE passed test NetLogons
    Starting test: ObjectsReplicated
    ……………………. EXCHANGE passed test ObjectsReplicated
    Starting test: Replications
    ……………………. EXCHANGE passed test Replications
    Starting test: RidManager
    ……………………. EXCHANGE passed test RidManager
    Starting test: Services
    ……………………. EXCHANGE passed test Services
    Starting test: SystemLog
    ……………………. EXCHANGE passed test SystemLog
    Starting test: VerifyReferences
    ……………………. EXCHANGE passed test VerifyReferences

    Running partition tests on : ForestDnsZones
    Starting test: CheckSDRefDom
    ……………………. ForestDnsZones passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ……………………. ForestDnsZones passed test
    CrossRefValidation

    Running partition tests on : DomainDnsZones
    Starting test: CheckSDRefDom
    ……………………. DomainDnsZones passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ……………………. DomainDnsZones passed test
    CrossRefValidation

    Running partition tests on : Schema
    Starting test: CheckSDRefDom
    ……………………. Schema passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ……………………. Schema passed test CrossRefValidation

    Running partition tests on : Configuration
    Starting test: CheckSDRefDom
    ……………………. Configuration passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ……………………. Configuration passed test CrossRefValidation

    Running partition tests on : CHM
    Starting test: CheckSDRefDom
    ……………………. CHM passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ……………………. CHM passed test CrossRefValidation

    Running enterprise tests on : CHM.LAN
    Starting test: LocatorCheck
    ……………………. CHM.LAN passed test LocatorCheck
    Starting test: Intersite
    ……………………. CHM.LAN passed test Intersite

    C:\>

    Silver23
    Member
    #292260

    Re: Admin has lost ability to RDP to DC

    Did you try to login with the local admin account ?(2)
    Perhaps you forgot to specify the domain to which you wanted to login
    or perhaps your local admin has right to logon remotely and you should try that.

    Do you have physical access to the machine?

    Btw I don’t know about other people, but I like as much information as possible. I don’t like guesswork..

    #344300

    Re: Admin has lost ability to RDP to DC

    Silver23;209164 wrote:
    Did you try to login with the local admin account

    As I understand it, the problem occurs when logging onto a DC, not a member server or workstation; as such it doesn’t have a local admin account.

    gossett
    Member
    #361459

    Re: Admin has lost ability to RDP to DC

    gforceindustries;209167 wrote:
    As I understand it, the problem occurs when logging onto a DC, not a member server or workstation; as such it doesn’t have a local admin account.

    That is correct. I was just looking to be sure. As such, since I can’t edit my GP at all, this has turned into a two-fold issue: can’t access either one of my DCs remotely and cannot edit GP.

    Silver23
    Member
    #292263

    Re: Admin has lost ability to RDP to DC

    gforceindustries;209167 wrote:
    As I understand it, the problem occurs when logging onto a DC, not a member server or workstation; as such it doesn’t have a local admin account.

    Yea duh! Try remote desktopping to a DC without specifying your domain you’ll see a nice Access is Denied message..

    But that’s not helping anyway..

    gossett
    Member
    #361460

    Re: Admin has lost ability to RDP to DC

    Silver23;209172 wrote:
    Yea duh! Try remote desktopping to a DC without specifying your domain you’ll see a nice Access is Denied message..

    yep! well, in my case it’s the whole “make sure you are added to the log on locally…” message which…. I can’t do

    #344301

    Re: Admin has lost ability to RDP to DC

    gossett, please can you answer the rest of tehcamel’s questions – where did you install BES, and why did you reboot the DCs?

    We know that you can’t login via Remote Desktop, but can you log in when sat in front of the console?

    Silver23;209172 wrote:
    Yea duh! Try remote desktopping to a DC without specifying your domain you’ll see a nice Access is Denied message..

    If you don’t specify the domain, then it uses the DC’s domain. Or at least, that’s what has happened every time I’ve done it. I have never had “access denied” after not specifying the domain.

    Silver23
    Member
    #292264

    Re: Admin has lost ability to RDP to DC

    Wait, you can’t log on to the console as well? Hmm, that makes it slightly harder I suppose.

    Do you have group management policies installed on a client computer?
    If so, you can still run that as a domain admin. That way you could resolve your problem by checking the policies applied and changing them..

    =-) being slightly more helpful mode

    Just for clarification, if anyone doesn’t follow: the only reason any groups grant you remote desktop privileges is because it is defined so in a group policy.
    Which in turn probably writes some registry key in binary in your registry =-)
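
    One way to check which accounts and groups actually hold the remote-logon rights discussed in this thread, as an added example that is not part of any poster's reply. It parses a `secedit` user-rights export; the function name `Get-RdpLogonRight`, the export path and the embedded sample section are assumptions made for illustration.

```powershell
# Added example, not from the thread. Lists who holds the two user rights that
# decide RDP logon. On the DC, export the current assignments first:
#   secedit /export /areas USER_RIGHTS /cfg C:\Temp\rights.inf
# then run: Get-RdpLogonRight -InfPath C:\Temp\rights.inf   (path is an example)

function Get-RdpLogonRight {
    param([string]$InfPath)

    # Constructed sample of a [Privilege Rights] section, used when no file is given.
    $sample = @'
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544
'@ -split "`r?`n"

    $lines  = if ($InfPath) { Get-Content -Path $InfPath } else { $sample }
    $wanted = 'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
    $found  = @{}
    foreach ($line in $lines) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$' -and $wanted -contains $Matches[1]) {
            $found[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }

    foreach ($right in $wanted) {
        if (-not $found[$right]) {
            # A right with no entry (or an empty entry) has no holders.
            New-Object PSObject -Property @{ Right = $right; Holder = '(none assigned)'; Sid = '' }
            continue
        }
        foreach ($entry in $found[$right]) {
            $sid = ''; $name = $entry
            if ($entry.StartsWith('*')) {
                # secedit writes SIDs with a leading '*'; resolve them to names.
                $sid = $entry.Substring(1)
                try {
                    $id   = New-Object System.Security.Principal.SecurityIdentifier($sid)
                    $name = $id.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $name = '(unresolved SID)' }
            }
            New-Object PSObject -Property @{ Right = $right; Holder = $name; Sid = $sid }
        }
    }
}

Get-RdpLogonRight | Format-Table Right, Holder, Sid -AutoSize
```

    An account listed under SeDenyRemoteInteractiveLogonRight, directly or through a group, is refused even if it also holds the allow right, so read both rows together.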

    Silver23
    Member
    #292265

    Re: Admin has lost ability to RDP to DC

    gforceindustries;209174 wrote:
    gossett, please can you answer the rest of tehcamel’s questions – where did you install BES, and why did you reboot the DCs?

    We know that you can’t login via Remote Desktop, but can you log in when sat in front of the console?
    .

    I think he answered your question with the last error he gave me..
