Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

terminal services role installation on 2008 domain controller

Posted on 2010-11-10
5
Medium Priority
?
829 Views
Last Modified: 2012-05-10
I want to install terminal services on 2008 domain controller. It is planned for a company of 4 local users and 1 remote user with possible 2-3 more remote users in the future.
What i'm asking is:
a. For the 1st user - can I avoid installing TS role, and only add the remote user to remote access group?
b. What precautions I have to take in consideration when installing this configuration? What can go wrong when doing it?
0
Comment
Question by:gilsolutions
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 2

Expert Comment

by:gentle0000
ID: 34100820
Hi,

When you want to give access to a server to more than 2 users concurrently you have to use the TS Role. TS Role is the Full version of Remote Desktop Feature. So you can not avoid using the TS Role in your case.

After the Installation of TS Role you will have to grant access to users to the TS Server. Then you will use the Remote Access Group to grant access to the users.

And something else. When the TS Role is Installed, it is bracing up any Remote Desktop Connection on the Server. So you can not distinguish which users Connect to Remote Desktop and which connect to TS Role, all connections are the same.

With Regards

0
 

Author Comment

by:gilsolutions
ID: 34100948
thanks,
Does that means that if i have only 1 or 2 remote users, it can work without TS role?
What permissions, except for being able to rdp, i have to give the remote user to prevent unsafe file security popups?
0
 
LVL 2

Expert Comment

by:gentle0000
ID: 34101327
Hi again,

That exactly what is means.
With 1 or 2 users Concurrently you do not need to Install TS Role.

It is not clear to me if you are referring to Security Messages which pop ups with the RDP Connections, but if you are, this is a matter of the RDP version you will use.

To make it more clear.
If you make a RDP Connection from a Windows Vista or Windows 7 which support the new version of RDP (with NLA - Network Level Authentication) there will be no Security Errors. But if you make a RDP Connection from a XP Machine then there is nothing you can do (as far as i know) to make them stop.

With Regards,
0
 
LVL 85

Accepted Solution

by:
oBdA earned 2000 total points
ID: 34110378
Let's start with b.:
Don't do it. Invest into a (not too expensive) dedicated terminal server. A terminal server is basically nothing more than a multi-user *workstation*. A workstation with end-user applications installed is way more likely having to be reinstalled than a server is. Do you want to find yourself in a position having to restore your complete AD just because a user application has gone haywire? How expensive is it for your company if your DC goes down for a day because a user surfed from the DC to a website with malware on it?
That aside, it's a lot easier to attack a DC when you're already logged on to it; and any user application you install can increase the attack surface of your DC, while decreasing the stability of the system.
If hardware is an issue, install a free version of a virtualization solution (VMWare, XenServer, whatever) and run a virtualized DC and a virtualized terminal server on it.

As far as a. is concerned: on a terminal server, every user application has to be installed in installation mode (which, obviously, isn't possible if the TS role hasn't been added yet). If you're allowing users to access a server through the administrative RDP session, any user software you have installed so far will have to be uninstalled and reinstalled after adding the terminal server role, to avoid possible multi-user issues.

So did I say "don't run terminal services on a DC" yet? I might have, but you actually can't say it often enough.
0
 

Author Closing Comment

by:gilsolutions
ID: 34131868
i installed the ts role over the dc, and it works nice. i'm aware to the security issue, but had no budget for more this time.
0

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

660 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question