Logon interactively with domain account to disconnected DC ?

[Joe_SMS]

General question.


What instances should you be able to logon interactively to a domain
controller while its network cable is unplugged using a domain account
?


The DC is one of 50 in the domain with no FSMO roles. The question has
been brought up as to why you can logon to the console with a domain
account but the DC is not connected to the network so it can't see any
FSMO roles etc. It is a global catalog.


Why should you be able to logon to a DC with a domain account while its
not connected to the network ?


Why shouldn't you be able to ?


Whats the criteria ?

 

[Tomasz Onyszko]

General question.


What instances should you be able to logon interactively to a domain
controller while its network cable is unplugged using a domain account
?


The DC is one of 50 in the domain with no FSMO roles. The question has
been brought up as to why you can logon to the console with a domain
account but the DC is not connected to the network so it can't see any
FSMO roles etc. It is a global catalog.

First of all FSMO roles holders are not used in logon process, PDC
emulator can be conntacted in some cases to get new ADM files etc.

Why should you be able to logon to a DC with a domain account while its
not connected to the network ?

Becouse as long as it is operational DC even without contacting any
other DC it can authenticate You when You are logging on to this DC
locally. This is the role of the DC and DC can act for authentication
process on its own.

Why shouldn't you be able to ?
Whats the criteria ?

Sorry, I'm not getting a point of this questions. If DC is working even
without connecting to any other DC it can authenticate domain user.
That's all.

 

[Jorge_de_Almeida_Pinto]

General question.


What instances should you be able to logon interactively to a
domain
controller while its network cable is unplugged using a domain
account
?


The DC is one of 50 in the domain with no FSMO roles. The
question has
been brought up as to why you can logon to the console with a
domain
account but the DC is not connected to the network so it can't
see any
FSMO roles etc. It is a global catalog.


Why should you be able to logon to a DC with a domain account
while its
not connected to the network ?


Why shouldn't you be able to ?


Whats the criteria ?

by default only local administrators can interactively logon to a DC
(to the console) even if it is not a GC.

Think about the following...
Is a fsmo needed for logon?
PDC -> no (may be to check if a password is really not correct)
RID -> no, only assigns rid blocks to dcs
infra -> no, only updates references
domain naming -> no, for domain creation purposes
schema -> no, for schema update purposes

google for FSMO to see what the specific tasks are for each FSMO