@askmark
Just remembered something, a very important troubleshooting advice (from my experience, it will make your life so much easier):
- If you will implement smart card auth with the Yubikey at your clients,
- and if you enforce the use of smart cards for interactive logins for all users with a gp,
- and if your admin account gets locked out for whatever reason
...
you will not be able to login to the domain controller, not even in safe mode, to fix your problem, as you will be asked for a smart card (the MSDN articles, where safe mode bypasses smart cards, do not apply for Yubikeys). But you will be able to login (and troubleshoot) with the "directory services repair mode", as this will bypass the smart card requirement, even for Yubikeys. But you have to be able to get there with Server 2016 and 2012
before disaster strikes, so you have to enable the display of the boot menu at every startup, so you can select the "ds repair mode" (instead of safe mode). That's a 30 sec added delay (by default).
Also worth mentioning that Yubikeys (or any other smart cards) will not work in ILO, iDRAC etc. KVMs (I only use HP and DELL servers, so I can't really speak for the others, but nonetheless I doubt others support it).
With this in mind, you can (power) reset your dc and get to the boot menu without any further complications. Obviously, this is a security risk you will have to take, but I assume the servers are locked away from general public use. A user and password will still be required to login.
To do this, run this code in a cmd with admin privileges before anything else, on the dc:
Code:
bcdedit /set {bootmgr} displaybootmenu yes
Also, to best protect RDP or RDS, for admin accounts (or important accounts), also tick the "smart card is required..." in the user's properties account tab of the ad user's and computers list, as it will further harden the way a user authenticates to RDP/RDS, even if you enforce the use of a smart card by a gp by all users.
