vegasdev

Optimal Domain Controller Setup for Remote Desktop Logins

Hello,

I'm trying to determine the optimum configuration for our domain controller for our network.  We have 6 servers that are running Windows 2003 in a terminal services pool that allow our clients access to our hosted desktop application.  The domain controller is Windows 2008 Enterprise server.

When the user logs in, our application automatically runs - they have no access to the desktop or any other applications.  Essentially, the RDP session is used to maintain session state to the application and backend database.  I want to continue to have this as the option; I don't want the user to have to click to load the application or have access to any other applications when logged in.

I've tried several different configurations, but it appears that user profiles are being created on each of the 6 terminal services and are quickly using up disk space.  These profiles are not used by our application. Is there a better way of having a single profile per user shared across all terminal servers?  All users also have access to our network storage server if saving unique user profiles there would make sense.

Thanks for your input and suggestions!

Mitch
ASKER CERTIFIED SOLUTION
Justin Owens

eeeznutz

As far as the domain controller is concerned, you just want to have it as reasonably "close" to your RDP servers as possible. Ideally in the same data center, but it really depends on your network. The same goes for your NFS server if you choose to use roaming profiles - make sure the network latency isn't too high, otherwise logins could be slow.
vegasdev

ASKER

All servers are in the same datacenter so latency won't be a problem.

More specifically, I'm looking for the best way to configure the Domain Controller for these logins.  I'd like to have the users that log in to use our application be assigned a specific group and that group be configured with the bare minimum to achieve the login and launch of our application.
If all of the users are in the same AD domain, put them all into a Global Group or Domain Local group, and then set up the access based on the group membership. That way all the rights are managed in one place (the group membership).
Dusty Thurman
Just to be clear:

These are clients, not employees. They are already logging into their own domain. From there, they access your network via RDP to the application you are hosting for them.

I am assuming that you currently have some form of VPN for them to authenticate to your network? Or am I misunderstanding and it is all the same domain / network?

Creating this DC is so that they will not have the user profiles on the TS servers?
@sifuedition:

Correct, these are clients, not employees.  They may or may not have their own domain they are logged into.  We are not concerned with anything on their local client machine except for their Printer.  They can access the client application via RDP, no VPN.  

Each of these clients will have their own userid/password that will log into our domain.

In this setup, I'm wondering if we need to just have Terminal Service profiles or mandatory roaming profiles?  And where should these profiles reside?  

What is happening is the profiles are being created on each of the 6 Terminal Servers and, as we continue to grow, eating up a tremendous amount of disk space.  It seems to me this is a waste and the profile data (which none of it is being used by the launched application) could be saved in a central location?  
So the group strategy I specified will apply, since they are using your domain for authentication. Now that said, have you had a look at what's causing the profiles to be so big? It sounds like these 6 Terminal Servers are set up for load balancing, so roaming profiles will likely be your best option. If the profiles get huge, then you have another issue - copying everything during login, which could be very slow. Have a look at the profiles and see what's in there. Maybe a scheduled task to delete everything inside the profile is an option if they really aren't needed.
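One way to "have a look at the profiles" across the pool before deciding on roaming profiles or a cleanup task, as an added example that is not part of the original thread. It is read-only and assumes PowerShell 2.0 or later on an admin workstation, an account allowed to read each server's `C$` share, and the Windows Server 2003 default profile root; the server names are placeholders.

```powershell
# Added example: read-only inventory of cached profiles on each terminal server.
$servers     = 'TS01', 'TS02'                 # hypothetical names, replace with the six servers
$profileRoot = 'C$\Documents and Settings'    # Windows Server 2003 default profile location
$skip        = 'All Users', 'Default User', 'LocalService', 'NetworkService'

function Get-FolderSizeMB([string]$Path) {
    # Sum the length of every file under $Path, including hidden and system files
    $sum = Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Measure-Object -Property Length -Sum
    [math]::Round(($sum.Sum / 1MB), 1)
}

$report = foreach ($server in $servers) {
    $root = "\\$server\$profileRoot"
    $dirs = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $skip -notcontains $_.Name }

    foreach ($dir in $dirs) {
        # The largest top-level subfolder shows what is actually filling the profile
        $largest = Get-ChildItem -LiteralPath $dir.FullName -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer } |
            ForEach-Object {
                New-Object PSObject -Property @{ Name = $_.Name; MB = (Get-FolderSizeMB $_.FullName) }
            } |
            Sort-Object MB -Descending | Select-Object -First 1

        New-Object PSObject -Property @{
            Server        = $server
            User          = $dir.Name
            TotalMB       = Get-FolderSizeMB $dir.FullName
            LargestFolder = $largest.Name
            LargestMB     = $largest.MB
            LastWritten   = $dir.LastWriteTime
        }
    }
}

# Biggest profiles first; the same user appearing on several servers is the duplication described above
$report | Sort-Object TotalMB -Descending |
    Format-Table Server, User, TotalMB, LargestFolder, LargestMB, LastWritten -AutoSize
```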
@PeteJThomas

Sorry my post wasn't clearer. I dislike roaming at all, but I did not mean to imply that negated the need for roaming from the thread description. Just saying that not deleting the cached profile always seems to lead to issues.