Problems with a 2008 srv with DC role AND Terminal server

I have a single-server setup, a Windows 2008 server, x64. The goal for this setup is a single server that holds AD and that users can also use as a terminal server.

The server holds several roles: Active Directory, Terminal Services, Print, File, IIS.

My problem is that only administrators can log onto the server from thin clients or desktops using Remote Desktop. If a normal user tries to log in, the following error appears: "To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default yada yada yada" and the error message goes on and on.

The user I'm trying to log in with is indeed in the "Remote Desktop Users" group. Remote Desktop is enabled on the server. During the installation of the Terminal Server role, I actually added a security group called "Terminal server users" and gave the group Remote Desktop Users permission.

As soon as I add the user to the Administrators group in AD, the user can log in with Remote Desktop, no problem at all.

I have added 5 2008 TS CALs (per user). The licensing server is in per-user mode. The license server is activated.

Is there any known conflict with a single 2008 server running both AD as primary DC and Terminal server?

Does anyone have any clues on what I could try to fix this so that the users can log in?
2 Solutions
 
zelron22Commented:
First, unless you really have no option you really should not run a DC as a terminal server and let users have access to it.

That being said, the problem is likely that the users do not have the right to log on locally. This is assigned through the local security policy or, in this case, probably needs to be assigned through GP, because the Default Domain Controllers GP will specify who can log on locally.

Second, I recommend against using a 64-bit operating system for a terminal server, because you'll have all sorts of trouble getting printer drivers to work.

 
Darius GhassemCommented:
In 2008 there are extra security provisions put in place for DCs which restrict access to the server by non-domain admins. Did you install Terminal Server Services, not just Terminal Server Licensing?

Giving users access to DC is a big security hole and problem. I would install Hyper-V then install a VM that will be used as a TS Server.

The recommended way to install Hyper-V is a base install of 2008, but since you have already made it a DC you can just install the Hyper-V service, which I have done before in this type of situation. This will be your best bet when it comes to having a TS server that is separate from your DC.

 
Darius GhassemCommented:
Also, the Remote Desktop group needs access in the Domain Controllers GP, which isn't the local policy; you must give this group access in that policy.
jjlpAuthor Commented:
Did you install Terminal Server Services, not just Terminal Server Licensing? I installed both.

I realize that this isn't the ideal situation, having a DC and terminal server in the same installation, however as it is now, it's my only option.

Dariusq: "Also, the Remote Desktop group needs access in the Domain Controllers GP, which isn't the local policy; you must give this group access in that policy" ----> Can you tell me how to do that?
 
jjlpAuthor Commented:
I'm running this on an HP ML350 G5.

I actually tried to install Hyper-V; I got as far as having created a virtual machine. I never got it started; the Hyper-V error was that the hypervisor wasn't running. It said that I should enable it in the BIOS. I found something in the BIOS about Intel virtualization and enabled that, but still no luck; it still said that the hypervisor wasn't running.

Any idea on that Dariusq?
 
jjlpAuthor Commented:
It's called Intel(R) Virtualization Technology, the option I enabled in the BIOS. It did me no good, however :(
 
zelron22Commented:
Is your BIOS up to date?
 
jjlpAuthor Commented:
Yeah, the BIOS is up to date.
 
jjlpAuthor Commented:
Found out I needed to enable No-Execute Memory in the BIOS as well. Then the hypervisor started.

Any chance of someone telling me how to grant Remote Desktop Users access in the Domain Controllers policy?
 
Darius GhassemCommented:
Go to Group Policy Management, then find your Domain Controllers Policy; from there you can find the local policy settings.
 
Darius GhassemCommented:
I still think Hyper-V is going to be your best bet for performance and security. Another good thing about Hyper-V is that you can just copy the VM over to another host if you want to migrate. You don't have to reinstall.
 
zelron22Commented:
Best practice: don't modify the Default Domain Controllers Policy. Using the GPMC, create a new policy, and under Computer Configuration, expand Security Settings, then User Rights Assignment, and add Domain Users (or, if only some users need to access the TS, a group that contains those users) to the log on locally right.

If you haven't already, I would make it very clear to your boss that this is risky: if someone messes with your server, opens the way for a virus, anything like that, you may end up in a DR scenario where no one has access to anything until you restore the server.
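The procedure zelron22 describes (a new GPO linked to the Domain Controllers OU that grants the logon right, leaving the Default Domain Controllers Policy untouched) can be scripted. The block below is an added example and not code from anyone in this thread. It assumes it is run as a Domain Admin on the DC with the GroupPolicy and ActiveDirectory PowerShell modules available (Windows Server 2008 R2 or RSAT and later; the 2008 RTM box in the question would need them installed), that the group is the "Terminal server users" group the author created, and that the GPO name is a placeholder. It grants SeRemoteInteractiveLogonRight, which is the right the error message names ("Allow log on through Terminal Services"), rather than the log on locally right. Because no cmdlet sets user rights assignments, it writes the GPO's security template directly and registers the Security client-side extension on the GPO; it also links the GPO at order 1, since user rights are not merged between GPOs and the last one applied wins.

```powershell
# Added example, not from the thread. Grants "Allow log on through Terminal Services"
# (SeRemoteInteractiveLogonRight) to a domain group on the Domain Controllers OU through a
# NEW GPO, leaving the Default Domain Controllers Policy untouched as zelron22 recommends.
# Assumptions: run as a Domain Admin on the DC; GroupPolicy and ActiveDirectory modules
# present (Windows Server 2008 R2 / RSAT or later); $GpoName and $GroupName are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'DC - Allow TS logon for TS users'   # assumed GPO name
$GroupName = 'Terminal server users'             # the group the author created (assumed spelling)
$Domain    = Get-ADDomain
$DcOu      = $Domain.DomainControllersContainer  # OU=Domain Controllers,DC=...

# 1. Report who currently holds the right on this machine (effective local policy).
function Get-RemoteInteractiveLogonHolders {
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # The value is "*SID,*SID,..."; translate each SID to DOMAIN\Name where possible.
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($_.Trim().TrimStart('*'))
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
    }
}
'Before: ' + ((Get-RemoteInteractiveLogonHolders) -join ', ')

# 2. Create the GPO and link it with top precedence. User rights are not merged between
#    GPOs: the last one applied wins, so -Order 1 places it above the Default Domain
#    Controllers Policy in case that policy also defines this right.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'TS logon right for the TS users group on the DC'
    New-GPLink -Name $GpoName -Target $DcOu -Order 1 | Out-Null
}

# 3. No cmdlet sets user rights, so write the security template the Security CSE reads.
#    Keep BUILTIN\Administrators (S-1-5-32-544) in the list or you lock admins out.
$groupSid = (Get-ADGroup -Identity $GroupName).SID.Value
$gpoRoot  = "\\$($Domain.DNSRoot)\SYSVOL\$($Domain.DNSRoot)\Policies\{$($gpo.Id)}"
$secEdit  = Join-Path $gpoRoot 'Machine\Microsoft\Windows NT\SecEdit'
New-Item -ItemType Directory -Path $secEdit -Force | Out-Null
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*$groupSid
"@ | Out-File -FilePath (Join-Path $secEdit 'GptTmpl.inf') -Encoding Unicode

# 4. Register the Security CSE on the GPO and bump the computer-side version (low 16 bits
#    of versionNumber) in AD and gpt.ini so clients notice the change. This GPO carries
#    only security settings, so the extension list is replaced outright.
$secCse = '[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]'
$gpoAd  = Get-ADObject -Identity $gpo.Path -Properties versionNumber
$newVer = [int]$gpoAd.versionNumber + 1
Set-ADObject -Identity $gpo.Path -Replace @{ gPCMachineExtensionNames = $secCse; versionNumber = $newVer }
"[General]`r`nVersion=$newVer" | Out-File -FilePath (Join-Path $gpoRoot 'gpt.ini') -Encoding ASCII

# 5. Apply on this DC and confirm the group now appears in the list.
gpupdate /target:computer /force | Out-Null
'After:  ' + ((Get-RemoteInteractiveLogonHolders) -join ', ')
```

The "Before" line is the check worth running first: on a DC the right is typically held by Administrators only, which is exactly why adding the user to Administrators "fixed" it in the question. Members of the Terminal server users group still need Remote Desktop Users membership (or a connection-level permission) on top of this right; the right alone does not grant access to the RDP listener. If the run reports an error from Set-ADObject, the account lacks write access to the GPO's AD object and the edit should be done in the GPMC as described in the thread instead.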
 
zelron22Commented:
...and I suggest that in order to make sure you CYA. :)
 
jjlpAuthor Commented:
I added my security group to the Local Security Policy option "Allow log on through Terminal Services". Then the users were able to log in.
