Remote Desktop Windows 2003 Member server

I upgraded a small office last night from one windows 2003 domain controller to a new Windows 2008 small business server.  Since the Small Business server HAS to be the domain controller, I demoted the W2K3 server to a member server, and attached it to the new domain.  

1st problem: The demoted Windows 2003 server is running an SQL database, and now the client machines can no longer connect to the sql database.  Yet, if I am at the console of the server, I can run the database software just fine.

2nd problem:  There is a remote office that used to use remote desktop to connect into the server and use the SQL database.  Now, remote desktop does not connect to this server any longer.  Could this connectivity problem have anything to do with the server being demoted, and maybe the terminal services aren't running any longer?  Locally, the client machines can remote desktop the server, but we can't do it from the outside any longer.  I checked the port forwarding in the router, and everything is looking appropriate.  It's as if the demoted W2K3 server is no longer accepting outside remote desktop connections.

Any ideas?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Don S.Commented:
Being demoted from a DC to a member server will remove all of the domain administrator ACLs from the server in favor of the local administrator.  You will need to explicitly add domain permissions to terminal services and SQL
jbobstAuthor Commented:
Thanks for the help dons6718.  Can you point me to, or tell me how to exactly assign the explicit domain permissions?

jbobstAuthor Commented:
The SQL problem asside, this remote desktop connection thing is really puzzling me.  Why would remote desktop work internally on the LAN from a workstation machine to the demoted server, but when I try to come in from the outside network to the public IP address...I cannot get through?  If it was a permissions thing, wouldn't the LAN remote desktop connections not work as well?

By the way, I have three port forwarding to the server and two others pointed to other static IP workstation machines.  I can remote into the workstation machines running XP Pro, but can't get to the server remotely any longer.
Newly released Acronis True Image 2019

In announcing the release of the 15th Anniversary Edition of Acronis True Image 2019, the company revealed that its artificial intelligence-based anti-ransomware technology – stopped more than 200,000 ransomware attacks on 150,000 customers last year.

Don S.Commented:
Did the IP address of the server change?  Is there any IP filtering on the interface?  Is IPsec running?
jbobstAuthor Commented:
Just figured out the remote desktop thing...I apparently turned on the Windows Firewall/Internet connection sharing service last night.  I turned that off, now I can connect, but I can't log in with "regular" user accounts...only the administrator account.  But, only one administrator account can be in use...which it until I figure out how to allow the other user accounts to have access to terminal services, they can't log in as themselves.  Is there a built in terminal services group in Windows 2008 small business server I need to make the users members of or is it not that easy?
Henrik JohanssonSystems engineerCommented:
Add the users to the local Remote Desktop Users group on the member server to grant them RDP access.
You also have a group with same name on domain level, but the domain group is only a "local" group shared between DCs and isn't available for usage on member servers.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jbobstAuthor Commented:
Thanks, that did the trick!  I was adding them to the domain group, but that didn't work.  Found the local group and added the users to that and it works now.  

By the way, maybe this needs a new question thread, but: Is there a way to add domain users as "local admins" on a member server?  On their XP Pro machines, I make them local admins so they can install programs and such.  This is a very small office, and security is not a big deal, when it comes to user accounts.  Second, how many remote desktop sessions can that member server have at one time?  We typically will max out at three, but I was curious how many it will allow.

Finally, do I need to have the "role" of terminal server installed on my Small Business server (domain controller)?  I thought that was the problem earlier today, and added that role, but it wants some sort of activation process to take place.  I thought that servers had an included 5 cal terminal service license built in, but I think I am just really confused about it all.

Henrik JohanssonSystems engineerCommented:
Terminal Server role only nead to be installed on the server acting as TS in application mode that shall allow more than 2 simultanious sessions. The SBS doesn't nead the role if it shall only be accessible for 2 admin sessions.
A TS in application mode must be aware of a TSLS with installed TS-CALs. See technet-article about howto configure the preferred TSLS.
Also be aware that a TS has a grace period of 120 days before the TSLS is required.

The number of simultanious connections on TS in app.mode is by default unlimited (as long as resources in RAM+CPU etc is enough...), but can be configured in tscc.msc -> RDP-tcp Properties -> Network Adapter -> Maximum number of connections
If server is setup for remote admin mode (without the TS role installed), the maximum number of sessions is only 2 (+1 for the console session) and can't be changed.

The mangagement of adding a domain groups to local group on clients can be handled through Restricted Groups functionality. A good blog about it can be found at
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.