
I just set up a Windows Server 2008 R2 domain controller. Since the reboot of the domain controller I have been unable to RDP to the domain controller with my Admin account. I get this message:

To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, you must be granted this right manually.

  • The account is a member of Domain Admins, which is a member of Remote Desktop Users.
  • I made the account directly a member of Remote Desktop Users on the Domain Controller itself, and still couldn't log in, getting the same message.
  • I am able to log in locally to the Domain Controller using the same account.
  • RSOP run on the Domain Controller shows that the Allow log on through Remote Desktop Services right is assigned to Remote Desktop Services.
  • RSOP shows that Deny log on through Remote Desktop Services is Not Defined.

What am I missing here? The same account can log in to other Windows Server 2008 R2 Domain Controllers fine.

Update: found this technet article which discusses various error messages to do with login and why they appear. Looking at the settings for RDP-Listener I see that there is a local group called Remote Desktop Users on the server, but the domain group is not listed. A local Administrators group still exists too. On other Domain Controllers the Domain version of the group is listed.

dunxd
    I'm confused. Domain Controllers don't have local user accounts or groups. How did you add the user account in question to the local Remote Desktop Users group and how did you log on locally to the Domain Controller? – joeqwerty Mar 14 '13 at 16:24
  • It's a VM so I can log in locally through the vSphere client console. But that isn't normally how we do things, and if RDP isn't working as expected then what else is wrong? There is a group called Remote Desktop Users on our domain - Domain Admins is a member of this amongst others. – dunxd Mar 14 '13 at 16:30
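The checks the question walks through (is the box really a DC, what the effective allow/deny logon rights are, which groups the account actually carries on its token, and who the RDP-Tcp listener admits) can be done in one pass from an elevated PowerShell prompt on the server. The script below is an added example, not code from the post or any of its authors. It assumes a sample UPN (`adminuser@contoso.example`) that you replace, a reachable domain controller for the S4U lookup, and the WINSTATION_LOGON bit value 0x20 from winsta.h for the listener check.

```powershell
# Added example, not from the original post. Run elevated on the server that refuses
# the RDP logon. The UPN below is an assumption; replace it with the real account.
param(
    [string]$Upn = 'adminuser@contoso.example'   # assumed sample UPN, not from the post
)
$ErrorActionPreference = 'Stop'

# 1. Domain role: 4 = backup DC, 5 = primary DC. A real DC has no local SAM, so a
#    "local" Remote Desktop Users group you can edit means promotion did not finish.
$cs = Get-WmiObject -Class Win32_ComputerSystem
"Computer: $($cs.Name)  DomainRole: $($cs.DomainRole)  IsDC: $($cs.DomainRole -ge 4)"

# 2. Effective user-rights assignments (what RSOP summarises). secedit writes SIDs
#    with a leading '*'; a right that is not defined simply has no line.
$inf = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$policy = Get-Content $inf
Remove-Item $inf
function Get-RightPrincipals([string]$Right) {
    $line = $policy | Where-Object { $_ -like "$Right *" -or $_ -like "$Right=*" }
    if (-not $line) { return @() }
    $raw = ($line -split '=', 2)[1].Trim()
    if ($raw -eq '') { return @() }
    $raw -split ',' | ForEach-Object {
        $token = $_.Trim()
        if ($token.StartsWith('*')) {
            $s = New-Object System.Security.Principal.SecurityIdentifier($token.Substring(1))
            try { $s.Translate([System.Security.Principal.NTAccount]).Value } catch { $s.Value }
        } else { $token }
    }
}
$allow = @(Get-RightPrincipals 'SeRemoteInteractiveLogonRight')
$deny  = @(Get-RightPrincipals 'SeDenyRemoteInteractiveLogonRight')
"Allow log on through RDS: $($allow -join '; ')"
"Deny log on through RDS : $($deny -join '; ')"

# 3. The account's full token group set with nesting resolved, the way LSA sees it at
#    logon. The UPN constructor does an S4U logon (no password, needs a reachable DC).
$id = New-Object System.Security.Principal.WindowsIdentity($Upn)
$memberOf = @($id.Groups | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
}) + $id.Name
$grantedBy = @($memberOf | Where-Object { $allow -contains $_ })
$deniedBy  = @($memberOf | Where-Object { $deny  -contains $_ })
"Right granted via : $($grantedBy -join '; ')"
if ($deniedBy.Count -gt 0) { "Right DENIED via  : $($deniedBy -join '; ') (deny wins)" }
if ($grantedBy.Count -eq 0) { "No principal on the token holds SeRemoteInteractiveLogonRight." }

# 4. Who the RDP-Tcp listener itself admits (the RDP-Listener permissions dialog).
#    Win32_TSAccount must be read with packet privacy. 0x20 = WINSTATION_LOGON (winsta.h,
#    assumed constant); the other permission bits are not examined here.
$acl = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSAccount `
        -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy
foreach ($e in $acl) {
    $logon = (($e.PermissionsAllowed -band 0x20) -ne 0) -and (($e.PermissionsDenied -band 0x20) -eq 0)
    '{0,-45} listener logon={1}' -f $e.AccountName, $logon
}
```

Two things to keep in mind when reading the output: on a domain controller the "Remote Desktop Users" that appears in steps 2 and 4 is the domain's Builtin group, not a machine-local one, and the Default Domain Controllers Policy grants Allow log on through Remote Desktop Services to Administrators only, so on a healthy DC step 3 normally shows the right arriving via BUILTIN\Administrators rather than via Remote Desktop Users.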

2 Answers


If you have access to local user accounts and groups then the machine is not a domain controller. Try removing the Active Directory role and add it back.

However, nothing worries me more than a DC that had problems during setup. I highly recommend running dcpromo to remove this server from AD, then wiping the VM and starting over from scratch. And definitely DO NOT sysprep a copy of another DC to start a new DC from.

longneck
  • Thanks - if I am wiping this VM, do I need to follow any steps to undo the dcpromo that I already ran? I am assuming that if I just wipe it I will hit problems with my other domain controllers still trying to replicate with it - the setup does seem to have worked partially. – dunxd Mar 14 '13 at 16:52
  • Run dcpromo again BEFORE you wipe the box (removing the role does the same). It will REMOVE the server as a DC in your AD. Otherwise you'll end up with an orphaned DC, which is a huge pain in the butt. – John Homer Mar 14 '13 at 17:08
  • @JohnHomer good point. I'm going to integrate that into my answer. – longneck Mar 14 '13 at 18:26
  • I removed the Active Directory Domain Services from the server. Then I *disabled our anti-virus on-access scanning* and ran dcpromo again. This time it seems to have worked. I guess that may have blocked some installation. Re-enabling on-access afterwards, configured to exclude for Domain Controller as directed by Microsoft. – dunxd Mar 15 '13 at 09:59
  • I'm trying to understand this link http://www.mssqltips.com/sqlservertip/2600/troubleshooting-windows-remote-desktop-connections/. Does disjoining and then rejoining the domain have the same effect as DCPROMO? – Rhak Kahr Sep 17 '14 at 10:01
  • @RhakKahr joining a computer to the domain has nothing to do with dcpromo. You should really ask a new question instead of commenting on someone else's question. – longneck Sep 17 '14 at 10:43
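The answer and its comments describe two states worth verifying rather than assuming: that dcpromo really produced a DC that its partners replicate with, and, after a demotion, that nothing was left behind to become an orphaned DC. The script below is an added example, not from the post or its authors. It assumes it is run from a domain-joined machine with the AD DS tools (dcdiag, repadmin, ntdsutil) installed, and defaults to checking the local computer name.

```powershell
# Added example, not from the original post. Confirms whether $Server is a working DC
# and whether AD still holds an NTDS Settings object for it after a demotion.
param([string]$Server = $env:COMPUTERNAME)   # assumed default; pass the DC name

# Role check: a DC reports DomainRole 4 or 5 and runs the NTDS service.
$role = (Get-WmiObject -Class Win32_ComputerSystem -ComputerName $Server).DomainRole
$ntds = Get-Service -Name NTDS -ComputerName $Server -ErrorAction SilentlyContinue
"$Server  DomainRole=$role  NTDS service present: $($null -ne $ntds)"

# Health from the directory's point of view (built-in tools, output printed as-is).
dcdiag /s:$Server /test:Advertising /test:Replications /test:NetLogons
repadmin /showrepl $Server

# Orphan check: the NTDS Settings object under CN=Sites is what other DCs replicate
# with. A clean demotion deletes it; if it survives a wipe, metadata cleanup is needed.
$config = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$sites = [ADSI]"LDAP://CN=Sites,$config"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($sites, "(&(objectClass=server)(cn=$Server))")
$srv = $searcher.FindOne()
if (-not $srv) {
    "No server object for $Server under CN=Sites: nothing to clean up."
} else {
    $serverDn = $srv.Properties['distinguishedname'][0]
    $ntdsDn = "CN=NTDS Settings,$serverDn"
    if ([ADSI]::Exists("LDAP://$ntdsDn")) {
        "NTDS Settings object still present: $ntdsDn"
        "If this machine has already been wiped, remove the stale DC with:"
        "  ntdsutil `"metadata cleanup`" `"remove selected server $serverDn`" quit quit"
    } else {
        "Server object exists but has no NTDS Settings child: demotion completed cleanly."
    }
}
```

Run the role and health checks on the freshly promoted server before trusting it, and run the orphan check from any other DC after a demotion; the ntdsutil one-liner it prints is the standard metadata cleanup for a DC that was wiped without being demoted first.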

Is this server from a cloned image and/or has it been cloned to other servers? If yes, did you use sysprep with the Generalize option before joining it to your domain?

You could have duplicate SIDs.

Kozmo2005
  • No - fresh install of Windows Server 2008 R2 from boot media on a brand new VM, then added the Active Directory Domain Services role. – dunxd Mar 14 '13 at 16:54