After doing a bit of research, I did not find much except for an article advising creating a new account and adding the user to the Domain Admin Groups. That is fine, and it worked, but it did not make sense why I could not add with the Default Admin account.
Well, it turns out the answer is much simpler than the above. To give a quick idea of how the Server is set up:
- Install the OS
- Create a password for the Local Administrator Account
- Do Windows Updates
- Install Services that are going to be used initially
- Join the Domain
- Configure Services accordingly
So the problem is simply that, when promoting to a domain controller, the Local Admin Account is still available, and it tries to use that account instead of the Domain Admin Administrator Account to authenticate. Simply supplying the correct credential fixed the issue and I was able to continue on.
The remaining question after this is: what happens to other servers' Local Admin Accounts? With a DC, it becomes the Main DC Administrator account. With Fileservers, it is potentially whatever it was made the day it was set up, or worse, a person who is not security-aware set it up with a Simplistic Password.
To start off, look at Renaming and disabling Local Admin Accounts.
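
To see where member servers stand before renaming or disabling anything, the following audit reports the built-in local Administrator on each host. It is an added example, not part of the original article; the server names and the 90-day threshold are assumptions, and it expects PowerShell remoting to be enabled on the targets.

```powershell
# Added example: audit the built-in local Administrator (RID 500) on member servers.
# Not for domain controllers, which have no local account database.
$Servers            = @('FS01', 'FS02')  # constructed placeholder host names
$MaxPasswordAgeDays = 90                 # assumed threshold, adjust to your policy

$raw = Invoke-Command -ComputerName $Servers -ScriptBlock {
    # The built-in Administrator always has a SID ending in -500,
    # so this finds the account even if it has already been renamed.
    Get-LocalUser |
        Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } |
        Select-Object Name, Enabled, PasswordLastSet
} -ErrorAction SilentlyContinue -ErrorVariable failed

$report = foreach ($acct in $raw) {
    # PasswordLastSet is empty when no password was ever set on the account.
    $age = if ($acct.PasswordLastSet) {
        [math]::Floor(((Get-Date) - $acct.PasswordLastSet).TotalDays)
    } else {
        $null
    }

    [pscustomobject]@{
        Server          = $acct.PSComputerName
        AccountName     = $acct.Name
        Enabled         = $acct.Enabled
        DefaultName     = ($acct.Name -eq 'Administrator')
        PasswordAgeDays = $age
        StalePassword   = ($null -eq $age) -or ($age -gt $MaxPasswordAgeDays)
    }
}

$report | Sort-Object Server | Format-Table -AutoSize

# Report unreachable hosts instead of silently skipping them.
foreach ($err in $failed) {
    Write-Warning "Could not query $($err.TargetObject): $($err.Exception.Message)"
}
```

Hosts where `Enabled` and `StalePassword` are both true are the ones still carrying whatever password was set on build day.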