terminal services role installation on 2008 domain controller

I want to install terminal services on 2008 domain controller. It is planned for a company of 4 local users and 1 remote user with possible 2-3 more remote users in the future.
What i'm asking is:
a. For the 1st user - can I avoid installing TS role, and only add the remote user to remote access group?
b. What precautions I have to take in consideration when installing this configuration? What can go wrong when doing it?
gilsolutionsAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
oBdAConnect With a Mentor Commented:
Let's start with b.:
Don't do it. Invest into a (not too expensive) dedicated terminal server. A terminal server is basically nothing more than a multi-user *workstation*. A workstation with end-user applications installed is way more likely having to be reinstalled than a server is. Do you want to find yourself in a position having to restore your complete AD just because a user application has gone haywire? How expensive is it for your company if your DC goes down for a day because a user surfed from the DC to a website with malware on it?
That aside, it's a lot easier to attack a DC when you're already logged on to it; and any user application you install can increase the attack surface of your DC, while decreasing the stability of the system.
If hardware is an issue, install a free version of a virtualization solution (VMWare, XenServer, whatever) and run a virtualized DC and a virtualized terminal server on it.

As far as a. is concerned: on a terminal server, every user application has to be installed in installation mode (which, obviously, isn't possible if the TS role hasn't been added yet). If you're allowing users to access a server through the administrative RDP session, any user software you have installed so far will have to be uninstalled and reinstalled after adding the terminal server role, to avoid possible multi-user issues.

So did I say "don't run terminal services on a DC" yet? I might have, but you actually can't say it often enough.
0
 
gentle0000Commented:
Hi,

When you want to give access to a server to more than 2 users concurrently you have to use the TS Role. TS Role is the Full version of Remote Desktop Feature. So you can not avoid using the TS Role in your case.

After the Installation of TS Role you will have to grant access to users to the TS Server. Then you will use the Remote Access Group to grant access to the users.

And something else. When the TS Role is Installed, it is bracing up any Remote Desktop Connection on the Server. So you can not distinguish which users Connect to Remote Desktop and which connect to TS Role, all connections are the same.

With Regards

0
 
gilsolutionsAuthor Commented:
thanks,
Does that means that if i have only 1 or 2 remote users, it can work without TS role?
What permissions, except for being able to rdp, i have to give the remote user to prevent unsafe file security popups?
0
 
gentle0000Commented:
Hi again,

That exactly what is means.
With 1 or 2 users Concurrently you do not need to Install TS Role.

It is not clear to me if you are referring to Security Messages which pop ups with the RDP Connections, but if you are, this is a matter of the RDP version you will use.

To make it more clear.
If you make a RDP Connection from a Windows Vista or Windows 7 which support the new version of RDP (with NLA - Network Level Authentication) there will be no Security Errors. But if you make a RDP Connection from a XP Machine then there is nothing you can do (as far as i know) to make them stop.

With Regards,
0
 
gilsolutionsAuthor Commented:
i installed the ts role over the dc, and it works nice. i'm aware to the security issue, but had no budget for more this time.
0
All Courses

From novice to tech pro — start learning today.