
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 764

Why to NOT install terminal server on existing DC and Exchange Server

Please read below.  I need the "smoking gun" reason not to put Terminal Server on DC01.  They are insisting I do it; I of course want to do the right thing and sell them a new server for Terminal Server.  Please comment and help a brother out.

Wilson,  After speaking with you this morning, I should have asked you a question, as the information below is predicated on it.  Have you attempted to install the Oracle application in LAX locally on these PCs?  Have you determined that there is a performance issue?  As you are aware, this is a VPN connection, and the limiting performance factor is the speed of the connection.  This is a 10Mbps/1Mbps Down/Up circuit.
Please call me any time after 7AM EST (GMT -05:00) on my cell phone at 973-896-4951 to discuss anything as indicated below.
After discussions with you this morning, Earl, Jim and I spoke at length about adding Terminal Services to your current server infrastructure at M&M.  Currently M&M has two servers: DC01 and DC02.

DC01 has the following services running:

  • DC
  • DNS
  • DHCP
  • FSMO Roles
  • Symantec Console
  • Exchange
  • File and Print
  • POP Beamer
  • Antigen
  • Default Server
  • Backup Exec 10d
  • UPS Manager

DC02 is the Oracle database server, and we have been instructed not to touch it.

I am not recommending adding any further load to DC01 at this time.  I fear that the existing services will come to a crawl and/or you will be putting too many eggs in one basket.  Also, Microsoft Exchange and Microsoft Office should not be on the same machine.  If your application has any hook to Office or MAPI, it will be an issue.

I'd rather see M&M get a new server and run Terminal Services stand-alone.
2 Solutions
Cláudio Rodrigues, Founder and CEO, commented:
Many reasons for not doing this:
1. As you pointed out, Microsoft Office does not like Microsoft Exchange when they are both on the same box for many reasons (certain DLLs will get overwritten and troubles will come from that).
2. Security: to log on to the domain controller locally you will need to 'relax' security at the DC level, which will open doors for users doing things they are not supposed to do on this DC and possibly on the second one that runs Oracle.
3. Performance: with all these other services running, TS performance will suffer.
4. All eggs in one basket: Microsoft taught us a lesson over the years that when you patch something you may break something else. This means if this machine becomes a TS and a critical patch is released to fix the TS portion, you may break something else like Active Directory, Exchange, etc. So terrible idea.

In summary, terrible idea and highly not recommended.

Claudio Rodrigues

Microsoft MVP
Windows Server - Terminal Services

Configuring a DC as a Terminal Server requires you to grant "Log on locally" permissions on your domain controller to any user who needs to use the TS service.  The escalation of privilege attack whereby a user with log on locally on a DC can elevate their own privileges to that of a Domain Admin is well-known, published, and trivial.

If you make your DC a Terminal Server, then you have effectively made every Terminal Server user in your organization a Domain Admin.
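A check a defender can run to confirm what the answer above describes, as an added example that is not part of the original thread: it exports the effective user rights on the DC and flags any principal holding "Allow log on locally" (SeInteractiveLogonRight) beyond the groups the stock Default Domain Controllers Policy grants it to. The expected SID list is an assumption based on those defaults; run it elevated on the DC.

```powershell
# Added audit example (not from the original thread). Assumption: stock
# Default Domain Controllers Policy, where "Allow log on locally" is held only
# by the built-in operator groups and Enterprise Domain Controllers.
$expected = @(
    'S-1-5-32-544',  # Administrators
    'S-1-5-32-548',  # Account Operators
    'S-1-5-32-549',  # Server Operators
    'S-1-5-32-550',  # Print Operators
    'S-1-5-32-551',  # Backup Operators
    'S-1-5-9'        # Enterprise Domain Controllers
)

# Export the local security policy's user-rights area to a temp .inf file.
$tmp = Join-Path $env:TEMP 'dc-user-rights.inf'
secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null

$line = Get-Content $tmp | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item $tmp -ErrorAction SilentlyContinue
if (-not $line) {
    Write-Host 'SeInteractiveLogonRight not present in export (no explicit grant found).'
    return
}

# Entries look like "*S-1-5-32-544,*S-1-5-32-548,..." (SIDs prefixed with '*').
$entries = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }

foreach ($entry in $entries) {
    $sid = $entry.TrimStart('*')
    try {
        # Resolve the SID to a readable account name where possible.
        $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                    Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = $sid   # already a name, or an unresolvable/orphaned SID
    }
    # Anything outside the default set (e.g. Domain Users or a "TS Users"
    # group added to make Terminal Services work) deserves review.
    $status = if ($expected -contains $sid) { 'expected' } else { 'REVIEW' }
    '{0,-8} {1}' -f $status, $name
}
```

Any line marked REVIEW is a principal that can log on interactively to the DC; the same export can be compared against a known-good baseline in a scheduled job to catch the right being widened later.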
