Solved

terminal services role installation on 2008 domain controller

Posted on 2010-11-10
Last Modified: 2012-05-10
I want to install terminal services on a 2008 domain controller. It is planned for a company of 4 local users and 1 remote user, with possibly 2-3 more remote users in the future.
What I'm asking is:
a. For the 1st user - can I avoid installing the TS role, and only add the remote user to the remote access group?
b. What precautions do I have to take into consideration when installing this configuration? What can go wrong when doing it?
Question by:gilsolutions
5 Comments
 
LVL 2

Expert Comment

by:gentle0000
ID: 34100820
Hi,

When you want to give access to a server to more than 2 users concurrently, you have to use the TS Role. The TS Role is the full version of the Remote Desktop feature. So you cannot avoid using the TS Role in your case.

After the Installation of TS Role you will have to grant access to users to the TS Server. Then you will use the Remote Access Group to grant access to the users.

And something else. When the TS Role is Installed, it is bracing up any Remote Desktop Connection on the Server. So you can not distinguish which users Connect to Remote Desktop and which connect to TS Role, all connections are the same.

With Regards

 

Author Comment

by:gilsolutions
ID: 34100948
Thanks,
Does that mean that if I have only 1 or 2 remote users, it can work without the TS role?
What permissions, except for being able to RDP, do I have to give the remote user to prevent unsafe file security popups?
 
LVL 2

Expert Comment

by:gentle0000
ID: 34101327
Hi again,

That is exactly what it means.
With 1 or 2 users concurrently you do not need to install the TS Role.

It is not clear to me if you are referring to the security messages which pop up with RDP connections, but if you are, this is a matter of the RDP version you will use.

To make it more clear:
If you make an RDP connection from Windows Vista or Windows 7, which support the new version of RDP (with NLA - Network Level Authentication), there will be no security errors. But if you make an RDP connection from an XP machine then there is nothing you can do (as far as I know) to make them stop.

With Regards,
 
LVL 83

Accepted Solution

by:oBdA earned 500 total points
ID: 34110378
Let's start with b.:
Don't do it. Invest in a (not too expensive) dedicated terminal server. A terminal server is basically nothing more than a multi-user *workstation*. A workstation with end-user applications installed is way more likely to have to be reinstalled than a server is. Do you want to find yourself in a position of having to restore your complete AD just because a user application has gone haywire? How expensive is it for your company if your DC goes down for a day because a user surfed from the DC to a website with malware on it?
That aside, it's a lot easier to attack a DC when you're already logged on to it; and any user application you install can increase the attack surface of your DC, while decreasing the stability of the system.
If hardware is an issue, install a free version of a virtualization solution (VMware, XenServer, whatever) and run a virtualized DC and a virtualized terminal server on it.

As far as a. is concerned: on a terminal server, every user application has to be installed in installation mode (which, obviously, isn't possible if the TS role hasn't been added yet). If you're allowing users to access a server through the administrative RDP session, any user software you have installed so far will have to be uninstalled and reinstalled after adding the terminal server role, to avoid possible multi-user issues.

So did I say "don't run terminal services on a DC" yet? I might have, but you actually can't say it often enough.
0
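A check for the configuration the accepted answer warns against, as an added example that is not part of the original thread: it reads the machine's domain role and Terminal Services mode from WMI and reports when a domain controller is also running in multi-user (application-server) mode, and whether the RDP listener requires NLA. The function name `Test-TsOnDc` is hypothetical, and the script assumes it is run locally in an elevated PowerShell session on the server being checked.

```powershell
# Added example (not from the thread): flag a domain controller that also
# runs Terminal Services in application-server (multi-user) mode.

function Test-TsOnDc {   # hypothetical helper name
    param(
        [int]$DomainRole,          # Win32_ComputerSystem.DomainRole
        [int]$TerminalServerMode,  # 0 = remote administration, 1 = application server
        [int]$AllowTSConnections,  # 1 = RDP connections are allowed
        [int]$NlaRequired          # Win32_TSGeneralSetting.UserAuthenticationRequired
    )
    $findings = @()
    $isDc = $DomainRole -ge 4      # 4 = backup DC, 5 = primary DC

    if ($isDc -and $TerminalServerMode -eq 1) {
        $findings += 'TS role (application-server mode) is installed on a domain controller'
    }
    if ($AllowTSConnections -eq 1 -and $NlaRequired -ne 1) {
        $findings += 'RDP listener accepts connections without Network Level Authentication'
    }
    return ,$findings              # leading comma keeps an empty result an array
}

# Live values from the local machine.
$ns  = 'root\cimv2\TerminalServices'
$cs  = Get-WmiObject -Class Win32_ComputerSystem
$ts  = Get-WmiObject -Namespace $ns -Class Win32_TerminalServiceSetting
$rdp = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

$result = Test-TsOnDc -DomainRole $cs.DomainRole `
                      -TerminalServerMode $ts.TerminalServerMode `
                      -AllowTSConnections $ts.AllowTSConnections `
                      -NlaRequired $rdp.UserAuthenticationRequired

if ($result.Count -eq 0) {
    Write-Output "$($cs.Name): no findings"
} else {
    $result | ForEach-Object { Write-Output "$($cs.Name): $_" }
}
```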
 

Author Closing Comment

by:gilsolutions
ID: 34131868
I installed the TS role over the DC, and it works nicely. I'm aware of the security issue, but had no budget for more this time.