Best practice for administrator account on Windows Server


I realise that this is similar to "Should I have multiple domain administrator accounts?", however I have recently encountered a problem where NLB on Windows Server 2008 caused an error if the Administrator account was not used (or UAC was on).

Does this mean that the Administrator account is required for configuring server features and if so what is the best practice for administrator accounts under this circumstance? Or is this simply a bug in Windows Server 2008 NLB?

Best Answer

I would count it as a bug but there might be some debate - what's happening is that the NLB configuration process requires elevation at some stage but fails to do so in a way that triggers the elevation prompt. With UAC enabled if you use the built in Administrator account or if the systems are part of a domain then a Domain Administrator account automatic elevation gets triggered. Accounts that are "merely" members of the local Administrators group do not behave this way and this results in a number of problems like this (e.g. you cannot connect to a remote admin share on a W2K8 system with an account unless it is The local Administrator or a member of Domain Administrators).

This behavior can be changed by GPO - there are some details in this technet article (it's about Vista but it applies to W2K8 servers in domain too).