In the Installing Active Directory Part 2 video of the Working with Active Directory course, (around 1.30-2.00 mins) the trainer alludes to the fact that local logins do not work once a server is promoted to a Domain Controller by typing in dc01\administrator as the User ID (which eventually fails).
However, I believe local logins will still work on a Domain Controller, e.g. in this case if we simply log in using Administrator (no prefix) we should be logged in using the local Administrator account and not a Domain account.
Working with Active Directory course video question
I missed the ball completely and let this one slip by.
I believe that once it's promoted, there is no local SAM on the DC since I believe at least Windows Server 2008 if not earlier than that. If you can press F8 during the boot process this will allow you to access ADRestore mode. This will restart the server but not load the AD to the point where it will be accessible.
Hello @Ankit-Sharda ,
Once a machine has the Active Directory role installed, and has been promoted to be a domain controller, you will no longer be able to log on normally using a local account. Ronnie is correct, you can boot into Active Directory Restore Mode (where Active Directory is not running) and use the Restore mode password set when Active Directory was configured. This is the only local account available, and can only be used when booted into Restore Mode.
When you log on using pre-Windows 2000 style credentials (domain\user) and omit the domain, Windows will assume you are logging in to the domain and add the domain for you. To log in using a local account, you have to specify by using "computername\user" or ".\user". This is the way all Windows machines work, not just domain controllers. This is why users can log in just using their user name, and not have to type the domain name.
You can verify this by logging on to a domain controller as administrator, without the domain, as you suggested. Then open PowerShell and type "whoami". The results should be "domainname\administrator". If you try to log on to the domain controller using "DCname\administrator" or ".\administrator" it will fail.
The local administrator account from before Active Directory was installed becomes the default domain administrator account in Active Directory. Whatever the password was for the local admin account is now the password for the built-in domain administrator account. The only local account left is the Restore Mode account.
Hope this helps, let me know if you have more questions!
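The "whoami" check described in the answer above, extended into a short script (an added example, not part of the original thread or the course material). It reports whether the machine is a domain controller and whether the current session was authenticated by the local machine or by the domain; the property names on the output object are made up for this example.

```powershell
# Added example: classify the current logon as local or domain.
# Run in a PowerShell session on the machine you logged on to.

# Win32_ComputerSystem.DomainRole: 4 and 5 mean the machine is a domain controller.
$roleNames = @{
    0 = 'Standalone workstation'
    1 = 'Member workstation'
    2 = 'Standalone server'
    3 = 'Member server'
    4 = 'Backup domain controller'
    5 = 'Primary domain controller'
}
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$role = [int]$cs.DomainRole
$isDC = $role -in 4, 5

# Same information "whoami" prints: AUTHORITY\user for the current token.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$authority, $user = $identity.Name -split '\\', 2

# If the authority part is the computer name, the account came from the
# local account database; otherwise it was resolved against the domain.
$scope = if ($authority -ieq $env:COMPUTERNAME) {
    'Local account'
} else {
    'Domain account'
}

# Output object; these property names are chosen for this example only.
[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    MachineRole        = $roleNames[$role]
    IsDomainController = $isDC
    LoggedOnAs         = $identity.Name
    Authority          = $authority
    AccountScope       = $scope
}
```

On a member server, logging on with ".\user" and then with just "user" and running the script each time shows AccountScope change from local to domain, which is the behaviour the answer describes.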