Matt Kendall asked:

Hyper-V server and active directory

Hi,

I have inherited a Windows 2012 R2 Server running Hyper-V.  Currently, there is only one VM, for simplicity I'll call this VM1.  The former tech set up VM1 with AD and also has up to 10 users remotely log into that VM to work remotely using remote desktop services port forwarding 3389.  Besides the obvious security concerns of port 3389 open to the server--shouldn't separate VMs be set up?  Am I right that it's a security concern to have Remote Desktop Services and AD running on the same server or is that old school thinking?  I'm thinking that they should have a VM that does RDS and another VM that is their AD server.  They're running several SQL databases on this VM as well.  There's 40 GB RAM allocated for this VM.  Please let me know the security concerns and also performance concerns with this setup?  Thanks!
ASKER CERTIFIED SOLUTION
Alan
This solution is only available to members.
SOLUTION
This solution is only available to members.
ASKER

Hi Alan and Lee,

Thanks for your comments and suggestions.  This validates my initial thoughts on their setup.  I will perform an onsite inspection of their setup and equipment tomorrow so I'll let you know what I find.  Thanks!
Lee, I read your article on Server Sharing Services and it was very helpful and informative.  Thanks for sharing that article with me.  I work with many small businesses (15 or less workstations and a Windows 2012 Hyper-V server is most common) and many of them use Quickbooks.  Quickbooks doesn't work well unless the user has local admin rights.  This would make a bad situation even worse if the Quickbooks Database Manager (server) was running on the DC as well since you would have to give the Quickbooks users local admin rights, correct?  They should have a VM for DC but could they run the Quickbooks (5 users) on the server running RDS?  Or is that a bad idea?  I'm trying to avoid advising them to purchase another license for Server 2012 R2 if possible.  But this would mean they're running their SQL DB and Quickbooks (another SQL DB) on the same server they're running RDS.  The DC would be running on a separate VM.  Thanks for your help!
SOLUTION
This solution is only available to members.
Thanks for your comment Alan.  I work with many very small businesses (less than 10 workstations and a server if you're lucky) and most of them use Quickbooks because that's what their accountant recommended for them.  Some of them break free from the cult-like claws that Intuit has created and others get sucked in even deeper by going to the Enterprise version.  I work with a company that's using Sage 100 and they want to move to Quickbooks.  Most of the small businesses will end up running Quickbooks on the RDS VM and having a second VM for AD.

It's funny that you mentioned switching from Quickbooks.  I've spoken to a few customers in the past month about switching and both customers said that they can't switch as their accountant only supports Quickbooks.  Keep in mind, these are small "mom and pop" businesses that may have been in business for 30 years and used the same accountant for 30 years.  Some old habits die hard and Intuit is counting on that.
SOLUTION
This solution is only available to members.
That's a good point Lee.  I can't remember the exact function I was having an issue with but when I gave the user local admin rights, the error message went away.  This was using Quickbooks 2015.  I use Quickbooks as well (since 1994) but I have some key users that don't want me to change it out.  I was looking at Freshbooks as an alternate.
At one place I had to change permissions on a single file and then no error and functionality worked fine.  Sometimes you might need to do a little investigating to figure out why it needs admin rights and then correct the issues found (where possible - that's definitely not ALWAYS possible).
@Lee (Sorry Matt!):

I have generally found that if I investigate I can find a way around almost any application that appears to want admin rights.

Reality is that it really only needs rights to certain folders or registry keys, and once you work out which ones, you can keep the users as LUA and give them what they need.

However, it can be difficult sometimes!

Alan.


@Matt:

Agreed on the small businesses and their accountants.  I am actually a qualified accountant (originally) too, but I don't do annual accounts / tax stuff any more, and I know quite a few older guys that refuse to try to 'get' Xero or anything like it.  They will grow old and retire with their clients, and then the old accounting systems like QuickBooks will die (as they already are).

Some accountants I know now *insist* that their clients use Xero, and if they don't already, and won't swap, then they can't be a client.  Now I think about it, I guess that's really no different than the old duffers!


Alan.
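
The approach described in the comments above (give users rights only on the specific folders or registry keys an application needs, and keep them as LUA), as an added PowerShell example that is not part of the original thread. The group, folder and registry key names are hypothetical placeholders, not paths any particular product is known to use.

```powershell
# Added example: scoped ACL grants instead of local admin rights.
# 'EXAMPLE\AppUsers', the folder and the registry key are hypothetical.
function Grant-ScopedAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [string[]] $Folder = @(),
        [string[]] $RegistryKey = @()
    )

    foreach ($path in $Folder) {
        if (-not (Test-Path -LiteralPath $path -PathType Container)) {
            Write-Warning "Skipping missing folder: $path"; continue
        }
        # Modify allows read/write/delete but not changing permissions or ownership.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl = Get-Acl -LiteralPath $path
        $acl.AddAccessRule($rule)
        if ($PSCmdlet.ShouldProcess($path, "Grant Modify to $Identity")) {
            Set-Acl -LiteralPath $path -AclObject $acl
        }
    }

    foreach ($key in $RegistryKey) {
        if (-not (Test-Path -LiteralPath $key)) {
            Write-Warning "Skipping missing registry key: $key"; continue
        }
        # Read plus value/subkey writes only; no Delete, ChangePermissions or TakeOwnership.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Identity, 'ReadKey,SetValue,CreateSubKey', 'ContainerInherit', 'None', 'Allow')
        $acl = Get-Acl -LiteralPath $key
        $acl.AddAccessRule($rule)
        if ($PSCmdlet.ShouldProcess($key, "Grant registry write to $Identity")) {
            Set-Acl -LiteralPath $key -AclObject $acl
        }
    }
}

# Dry run first: -WhatIf lists the changes without applying them.
Grant-ScopedAccess -Identity 'EXAMPLE\AppUsers' `
    -Folder 'C:\ProgramData\ExampleApp' `
    -RegistryKey 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp' -WhatIf
```

Run it from an elevated session, and remove the users from the local Administrators group once the application works with the scoped grants.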
SOLUTION
This solution is only available to members.
EE requested assistance in closing this question.