Solved

terminal services role installation on 2008 domain controller

Posted on 2010-11-10
5
821 Views
Last Modified: 2012-05-10
I want to install terminal services on 2008 domain controller. It is planned for a company of 4 local users and 1 remote user with possible 2-3 more remote users in the future.
What i'm asking is:
a. For the 1st user - can I avoid installing TS role, and only add the remote user to remote access group?
b. What precautions I have to take in consideration when installing this configuration? What can go wrong when doing it?
0
Comment
Question by:gilsolutions
  • 2
  • 2
5 Comments
 
LVL 2

Expert Comment

by:gentle0000
ID: 34100820
Hi,

When you want to give access to a server to more than 2 users concurrently you have to use the TS Role. TS Role is the Full version of Remote Desktop Feature. So you can not avoid using the TS Role in your case.

After the Installation of TS Role you will have to grant access to users to the TS Server. Then you will use the Remote Access Group to grant access to the users.

And something else. When the TS Role is Installed, it is bracing up any Remote Desktop Connection on the Server. So you can not distinguish which users Connect to Remote Desktop and which connect to TS Role, all connections are the same.

With Regards

0
 

Author Comment

by:gilsolutions
ID: 34100948
thanks,
Does that means that if i have only 1 or 2 remote users, it can work without TS role?
What permissions, except for being able to rdp, i have to give the remote user to prevent unsafe file security popups?
0
 
LVL 2

Expert Comment

by:gentle0000
ID: 34101327
Hi again,

That exactly what is means.
With 1 or 2 users Concurrently you do not need to Install TS Role.

It is not clear to me if you are referring to Security Messages which pop ups with the RDP Connections, but if you are, this is a matter of the RDP version you will use.

To make it more clear.
If you make a RDP Connection from a Windows Vista or Windows 7 which support the new version of RDP (with NLA - Network Level Authentication) there will be no Security Errors. But if you make a RDP Connection from a XP Machine then there is nothing you can do (as far as i know) to make them stop.

With Regards,
0
 
LVL 83

Accepted Solution

by:
oBdA earned 500 total points
ID: 34110378
Let's start with b.:
Don't do it. Invest into a (not too expensive) dedicated terminal server. A terminal server is basically nothing more than a multi-user *workstation*. A workstation with end-user applications installed is way more likely having to be reinstalled than a server is. Do you want to find yourself in a position having to restore your complete AD just because a user application has gone haywire? How expensive is it for your company if your DC goes down for a day because a user surfed from the DC to a website with malware on it?
That aside, it's a lot easier to attack a DC when you're already logged on to it; and any user application you install can increase the attack surface of your DC, while decreasing the stability of the system.
If hardware is an issue, install a free version of a virtualization solution (VMWare, XenServer, whatever) and run a virtualized DC and a virtualized terminal server on it.

As far as a. is concerned: on a terminal server, every user application has to be installed in installation mode (which, obviously, isn't possible if the TS role hasn't been added yet). If you're allowing users to access a server through the administrative RDP session, any user software you have installed so far will have to be uninstalled and reinstalled after adding the terminal server role, to avoid possible multi-user issues.

So did I say "don't run terminal services on a DC" yet? I might have, but you actually can't say it often enough.
0
 

Author Closing Comment

by:gilsolutions
ID: 34131868
i installed the ts role over the dc, and it works nice. i'm aware to the security issue, but had no budget for more this time.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now