Guest Ketchup
Posted August 19, 2008

Hello everyone,

I am working with a client to upgrade their Windows 2000-based network to Windows 2008. I am a bit constricted on the number of servers that I can have and had to make certain sacrifices forcing me to run Terminal Services on a Windows 2008 Domain Controller. I realize that's not recommended practice, but it's better than running a DC on a heavily used SQL and Apps server.

I ran adprep with /forestprep and /domainprep /gpprep switches on the Windows 2000 AD environment successfully. I was able to add a Windows 2008 DC that will also be the new Terminal Server. The dcpromo process completed successfully. Dcdiag and manual checks do not return any errors. I have not yet transferred any FSMO roles to the new Windows 2008 DC.

When I went to install the Terminal Server role on the Windows 2008 DC, I ran into a few problems. I noticed that the Built-in "Terminal Server License Servers" group did not get created and I cannot use the Windows 2008 TS License Service (same box) to manage user CALs. I thought that it wasn't a big deal since the client is fully licensed and Windows 2008 still doesn't enforce user CAL limits for Terminal Services. I ran into further problems when I attempted to allow non-administrators to connect through Terminal Services. The Built-in "Remote Desktop Users" group did not get created in AD either.

I tried to bypass the lack of Remote Desktop Users group using a GPO to add the appropriate members to the Remote Desktops Group through Restricted Groups to no avail. I also tried editing the TS config to allow another group user access. Finally, I tried another GPO to give users the right Allow Logon through Terminal Services. None of this worked and users cannot connect, receiving an error message stating "access to create session is denied." This must be a change in Vista/Windows 2008 since these steps work fine in a Windows 2003 AD environment.

To solve the lack of Terminal Server License Servers group, I tried to manually create one. This obviously didn't work since the Built-in groups have fixed SIDs. I then tried to use ldifde and csvde to export these two groups from a 2003 AD domain (another client) and import them into the 2000 domain. Neither ldifde nor csvde would allow me to import GUID or SID values. This attempt also failed.

I have been searching online and cannot find any solutions to these issues. Please help.
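The point in the post above that built-in groups have fixed SIDs can be checked against an LDIF export of the domain's groups. This is an added example, not part of the original thread: it decodes the base64 objectSid values found in an ldifde export, reports which of the two BUILTIN aliases discussed here (S-1-5-32-555 and S-1-5-32-561) are absent, and flags a manually created group of the same name, which carries a domain-issued S-1-5-21 SID instead. The sample records, the example.test domain and all function names are constructed for illustration.

```python
import base64
import re
import struct

# Well-known BUILTIN alias RIDs (under S-1-5-32) for the two groups in the thread.
EXPECTED_BUILTIN = {
    555: "Remote Desktop Users",
    561: "Terminal Server License Servers",
}


def sid_to_bytes(sid: str) -> bytes:
    """Encode a string SID such as 'S-1-5-32-555' into binary objectSid form."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # Layout: revision, sub-authority count, 6-byte big-endian authority,
    # then each sub-authority as a 4-byte little-endian integer.
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary objectSid value into its string form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: unfolds continuation lines, decodes 'attr::' values."""
    unfolded = re.sub(r"\r?\n ", "", text).strip()
    records = []
    for block in re.split(r"\n\s*\n", unfolded):
        rec = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):          # '::' marks base64 (binary) data
                rec[name] = base64.b64decode(value[1:].strip())
            else:
                rec[name] = value.strip()
        if rec:
            records.append(rec)
    return records


def audit_builtin_groups(ldif_text: str) -> dict:
    """Report expected BUILTIN aliases that are missing, and same-name lookalikes."""
    found = {}        # rid -> cn for every alias under S-1-5-32
    lookalikes = []   # (cn, sid): expected name but not a BUILTIN SID
    for rec in parse_ldif(ldif_text):
        raw = rec.get("objectSid")
        if not isinstance(raw, bytes):
            continue
        cn = rec.get("cn", "")
        if isinstance(cn, bytes):
            cn = cn.decode("utf-8", "replace")
        sid = bytes_to_sid(raw)
        if sid.startswith("S-1-5-32-"):
            found[int(sid.rsplit("-", 1)[1])] = cn
        elif cn in EXPECTED_BUILTIN.values():
            lookalikes.append((cn, sid))
    missing = {rid: name for rid, name in EXPECTED_BUILTIN.items()
               if rid not in found}
    return {"missing": missing, "lookalikes": lookalikes}


def _record(dn: str, cn: str, sid: str) -> str:
    b64 = base64.b64encode(sid_to_bytes(sid)).decode()
    return f"dn: {dn}\ncn: {cn}\nobjectSid:: {b64}\n"


# Constructed sample export: two real BUILTIN aliases plus a hand-made group
# named like the missing one, which received an ordinary domain SID.
SAMPLE_LDIF = "\n".join([
    _record("CN=Administrators,CN=Builtin,DC=example,DC=test",
            "Administrators", "S-1-5-32-544"),
    _record("CN=Users,CN=Builtin,DC=example,DC=test",
            "Users", "S-1-5-32-545"),
    _record("CN=Remote Desktop Users,CN=Users,DC=example,DC=test",
            "Remote Desktop Users",
            "S-1-5-21-1111111111-2222222222-3333333333-1105"),
])

if __name__ == "__main__":
    print(audit_builtin_groups(SAMPLE_LDIF))
```
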

Guest Patrick Rouse
Posted August 20, 2008

RE: Windows 2008 TS in Windows 2000 AD

I would run AD on a SQL Server or anything else before running it on a Terminal Server. There are both security and performance reasons not to do what you are doing, and this is why MSFT intentionally disables this functionality on SBS.

If you're using Server 2008 why don't you utilize Hyper-V to virtualize your servers and consolidate a bit? A DC doesn't need a full piece of server hardware.

--
Patrick C. Rouse
Microsoft MVP - Terminal Server
SE, West Coast USA & Canada
Quest Software, Provision Networks Division
Virtual Client Solutions
http://www.provisionnetworks.com

Guest Ketchup
Posted August 20, 2008

Re: Windows 2008 TS in Windows 2000 AD

Patrick, thanks. I was actually going to run VMware ESX and create two TS servers. That would have been ideal (not a big fan of Microsoft virtualization, not yet). However, I saw too many people complaining about stability and performance of Terminal Services in virtualized environments. I can't virtualize the SQL box. It's already an x64 box with 8 GB of RAM and 4 CPUs. I need all I can get from that.

I am actually running the same config on a Windows 2000 Server in this network. It took a while to create a good security template to take care of the security issues, but it works. I have not noticed any performance issues with an average of 30-40 concurrent connections. This is a relatively small network (about 50-60 users). I can't use the SQL server box as a DC for too many reasons, one of which being a violation of terms with one of the app vendors.

The two Windows 2000 boxes are actually decent machines. I will use them as DCs once I complete the migration and can recore them. Until then, I really do have to run this configuration, I believe.

Finally, I don't think that even if I did have a separate DC, it would solve the problem of these missing Built-in groups. That's really the root of my problems. It seems to be something related to adprep / dcpromo from Windows 2000 AD to Windows 2008 AD.

Guest Jeff Pitsch
Posted August 20, 2008

Re: Windows 2008 TS in Windows 2000 AD

The built-in groups are local groups and aren't created because it's a DC. A DC cannot have local groups like a typical member server.

Out of curiosity, have you tried giving users the Log on Locally right as well as the other right you assigned?

Now that you have a new DC up and running, why can't you take one of the other DCs and rebuild it to a TS box?

--
Jeff Pitsch
Microsoft MVP - Terminal Services

Guest Ketchup
Posted August 20, 2008

Re: Windows 2008 TS in Windows 2000 AD

Jeff, thank you. I haven't tried giving the Logon Locally right. I am not sure why, I guess I just didn't think of that. I will do that today.

Shouldn't the built-in groups on a DC become Domain Built-in groups? I know for a fact this happens in Windows 2003. I have the groups in my AD that are in the Built-in OU and are of Built-in Local security context. I am not even running Terminal Services. The Remote Desktops Users still applies to Domain Controllers for just plain-old RDP. Arguably, the Terminal Server License Server should be on a DC.

As far as rebuilding the other servers, it's not that simple. I have two older boxes, running Win2k. One of them is a TS & DC. The other is a SQL & DC box. Both are currently being used for their TS and SQL functions. I need to move those functions over to the new boxes running Win2k8. Only once I do that, can I move the DC functions around. The only reason I even introduced a Win2k8 DC is because I needed it to hold the TS License Server. The Win2k DC cannot issue TS licenses to Win2k8 TS servers.

Thanks!
Ketchup

Guest Jeff Pitsch
Posted August 20, 2008

Re: Windows 2008 TS in Windows 2000 AD

You don't need a DC to host a license server. It's very easy through GPO and TS Config to configure the TS box to point to the license server. If the only reason you put up the DC was for the license service, remove the DC role and go for straight TS with the licensing feature. In fact, I'd rebuild that box just to be 100% safe, but the point being get rid of the DC role if it's not needed and it's not.

--
Jeff Pitsch
Microsoft MVP - Terminal Services
Guest Ketchup Posted August 20, 2008 Posted August 20, 2008 Re: Windows 2008 TS in Windows 2000 AD I need the DC for more then just the license server. I realize that having a TS and DC on the same box is a bad idea. I will fix that once I complete migration. (I can always move DCs around.) I really don't think that's the problem in my case. I have seen a couple of posts online that indicate similar issues with lack of Built-in groups when upgrading directly from Windows 2000 to Windows 2008. It seems that Microsoft didn't quite finish testing in this case. I am quite sure that the groups would be there if the upgrade was from Windows 2003 to Windows 2008. Is there a way I can create these groups (Terminal Server License Servers and Remote Desktop Users) in Active Directory? Should I run forestprep and domain prep once more? Or should I use Windows 2003 version of forestprep and adprep first? "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in message news:O4wdYDsAJHA.908@TK2MSFTNGP03.phx.gbl... > You don't need a DC to host a license server. It's very easy through GPO > and TS Config to configure the TS box to point to the license server. If > the only reason you put up the DC was for the license service, remove the > DC role and go for straight TS with the licensing feature. In fact, I'd > rebuild that box just to be 100% safe but the point being get rid of the > DC role if it's not needed and it's not. > > -- > Jeff Pitsch > Microsoft MVP - Terminal Services > > "Ketchup" <ketchup@ketchup.com> wrote in message > news:%23ho3xsrAJHA.2056@TK2MSFTNGP05.phx.gbl... >> Jeff, thank you. I haven't tried giving the Logon Locally right. I am >> not sure why, I guess I just didn't think of that. I will do that >> today. >> >> Shouldn't the built-in groups on a DC become Domain Built-in groups? I >> know for a fact this happens in Windows 2003. I have the groups in my >> AD that are in the Built-in OU and are of Built-in Local security >> context. 
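The thread's point that built-in groups are identified by fixed SIDs rather than by name can be checked against an ldifde export, where `objectSid` appears as a base64 value. The following is an added example, not code from any poster: the LDIF records, the domain `DC=example,DC=com` and the function names are constructed for illustration, and the two SIDs are the well-known values for the BUILTIN aliases discussed above.

```powershell
# Added example. The LDIF below is constructed sample data, not an export from
# the domain discussed in the thread. A comparable export can be produced with:
#   ldifde -f groups.ldf -d "DC=example,DC=com" -r "(objectClass=group)" -l sAMAccountName,objectSid
$SampleLdif = @'
dn: CN=Administrators,CN=Builtin,DC=example,DC=com
changetype: add
sAMAccountName: Administrators
objectSid:: AQIAAAAAAAUgAAAAIAIAAA==

dn: CN=Users,CN=Builtin,DC=example,DC=com
changetype: add
sAMAccountName: Users
objectSid:: AQIAAAAAAAUgAAAAIQIAAA==

dn: CN=Terminal Server License Servers,CN=Users,DC=example,DC=com
changetype: add
sAMAccountName: Terminal Server License Servers
objectSid:: AQUAAAAAAAUVAAAAAQAAAAIAAAADAAAAUQQAAA==
'@

# Well-known BUILTIN aliases the thread reports as missing (fixed SIDs under S-1-5-32).
$ExpectedBuiltin = @{
    'S-1-5-32-555' = 'Remote Desktop Users'
    'S-1-5-32-561' = 'Terminal Server License Servers'
}

function ConvertFrom-LdifGroup {
    param([string]$Ldif)
    # LDIF records are separated by blank lines; "attr:: value" marks base64 data.
    foreach ($record in ($Ldif -split '(?:\r?\n){2,}')) {
        if ($record -match '(?m)^objectSid:: (\S+)') {
            $bytes = [Convert]::FromBase64String($Matches[1])
            # Decode the binary SID (revision, sub-authority count, authority, sub-authorities).
            $sid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
            $name = ''
            if ($record -match '(?m)^sAMAccountName: ([^\r\n]+)') { $name = $Matches[1].Trim() }
            New-Object PSObject -Property @{ Name = $name; Sid = $sid.Value }
        }
    }
}

function Test-BuiltinGroupSid {
    param([string]$Ldif)
    $groups = @(ConvertFrom-LdifGroup $Ldif)
    foreach ($sid in ($ExpectedBuiltin.Keys | Sort-Object)) {
        $wanted    = $ExpectedBuiltin[$sid]
        $bySid     = @($groups | Where-Object { $_.Sid -eq $sid })
        # A manually created group can carry the right name but never the fixed SID.
        $lookalike = @($groups | Where-Object { $_.Name -eq $wanted -and $_.Sid -ne $sid })
        if ($bySid.Count -gt 0) {
            $status = 'present'
        } elseif ($lookalike.Count -gt 0) {
            $status = 'same name, different SID'
        } else {
            $status = 'missing'
        }
        New-Object PSObject -Property @{
            Sid          = $sid
            ExpectedName = $wanted
            Status       = $status
            FoundSid     = (($lookalike | ForEach-Object { $_.Sid }) -join ', ')
        } | Select-Object Sid, ExpectedName, Status, FoundSid
    }
}

Test-BuiltinGroupSid $SampleLdif | Format-Table -AutoSize
```

Matching on the decoded SID instead of the group name is what separates a genuine built-in alias from a manually created group that only shares its name.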
Guest Vera Noest [MVP]
Posted August 20, 2008

Re: Windows 2008 TS in Windows 2000 AD

An in-place upgrade from Windows 2000 to Windows 2008 is not a supported upgrade path. Documented here:

Guide for Upgrading to Windows Server 2008
http://technet.microsoft.com/en-us/library/cc755199.aspx

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Ketchup" <ketchup@ketchup.com> wrote on 20 aug 2008 in
microsoft.public.windows.terminal_services:

> I need the DC for more than just the license server. I realize
> that having a TS and DC on the same box is a bad idea. I will
> fix that once I complete migration. (I can always move DCs
> around.)
>
> I really don't think that's the problem in my case. I have
> seen a couple of posts online that indicate similar issues with
> lack of Built-in groups when upgrading directly from Windows
> 2000 to Windows 2008. It seems that Microsoft didn't quite
> finish testing in this case. I am quite sure that the groups
> would be there if the upgrade was from Windows 2003 to Windows
> 2008.
>
> Is there a way I can create these groups (Terminal Server
> License Servers and Remote Desktop Users) in Active Directory?
> Should I run forestprep and domain prep once more? Or should I
> use Windows 2003 version of forestprep and adprep first?
>
> "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in message
> news:O4wdYDsAJHA.908@TK2MSFTNGP03.phx.gbl...
>> You don't need a DC to host a license server. It's very easy
>> through GPO and TS Config to configure the TS box to point to
>> the license server. If the only reason you put up the DC was
>> for the license service, remove the DC role and go for straight
>> TS with the licensing feature.
Guest Jeff Pitsch
Posted August 20, 2008

Re: Windows 2008 TS in Windows 2000 AD

And Vera KNOCKS it out of the ballpark once again! Sorry Vera, baseball reference there.....

--
Jeff Pitsch
Microsoft MVP - Terminal Services

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message
news:Xns9B00CBC675523veranoesthemutforsse@207.46.248.16...
> An in-place upgrade from Windows 2000 to Windows 2008 is not a
> supported upgrade path. Documented here:
>
> Guide for Upgrading to Windows Server 2008
> http://technet.microsoft.com/en-us/library/cc755199.aspx
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> "Ketchup" <ketchup@ketchup.com> wrote on 20 aug 2008 in
> microsoft.public.windows.terminal_services:
>
>> I need the DC for more than just the license server. I realize
>> that having a TS and DC on the same box is a bad idea. I will
>> fix that once I complete migration. (I can always move DCs
>> around.)
>>
>> I really don't think that's the problem in my case. I have
>> seen a couple of posts online that indicate similar issues with
>> lack of Built-in groups when upgrading directly from Windows
>> 2000 to Windows 2008. It seems that Microsoft didn't quite
>> finish testing in this case. I am quite sure that the groups
>> would be there if the upgrade was from Windows 2003 to Windows
>> 2008.
>>
>> Is there a way I can create these groups (Terminal Server
>> License Servers and Remote Desktop Users) in Active Directory?
>> Should I run forestprep and domain prep once more? Or should I
>> use Windows 2003 version of forestprep and adprep first?
>>
>> "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in message
>> news:O4wdYDsAJHA.908@TK2MSFTNGP03.phx.gbl...
>>> You don't need a DC to host a license server.
Guest Ketchup
Posted August 20, 2008

Re: Windows 2008 TS in Windows 2000 AD

Not doing an in-place upgrade, but thanks.

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message
news:Xns9B00CBC675523veranoesthemutforsse@207.46.248.16...
> An in-place upgrade from Windows 2000 to Windows 2008 is not a
> supported upgrade path. Documented here:
>
> Guide for Upgrading to Windows Server 2008
> http://technet.microsoft.com/en-us/library/cc755199.aspx
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> "Ketchup" <ketchup@ketchup.com> wrote on 20 aug 2008 in
> microsoft.public.windows.terminal_services:
>
>> I need the DC for more than just the license server. I realize
>> that having a TS and DC on the same box is a bad idea. I will
>> fix that once I complete migration. (I can always move DCs
>> around.)
>>
>> I really don't think that's the problem in my case. I have
>> seen a couple of posts online that indicate similar issues with
>> lack of Built-in groups when upgrading directly from Windows
>> 2000 to Windows 2008. It seems that Microsoft didn't quite
>> finish testing in this case. I am quite sure that the groups
>> would be there if the upgrade was from Windows 2003 to Windows
>> 2008.
>>
>> Is there a way I can create these groups (Terminal Server
>> License Servers and Remote Desktop Users) in Active Directory?
>> Should I run forestprep and domain prep once more? Or should I
>> use Windows 2003 version of forestprep and adprep first?
>>
>> "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in message
>> news:O4wdYDsAJHA.908@TK2MSFTNGP03.phx.gbl...
>>> You don't need a DC to host a license server. It's very easy
>>> through GPO and TS Config to configure the TS box to point to
>>> the license server.
If the only reason you put up the DC was >>> for the license service, remove the DC role and go for straight >>> TS with the licensing feature. In fact, I'd rebuild that box >>> just to be 100% safe but the point being get rid of the DC role >>> if it's not needed and it's not. >>> >>> -- >>> Jeff Pitsch >>> Microsoft MVP - Terminal Services >>> >>> "Ketchup" <ketchup@ketchup.com> wrote in message >>> news:%23ho3xsrAJHA.2056@TK2MSFTNGP05.phx.gbl... >>>> Jeff, thank you. I haven't tried giving the Logon Locally >>>> right. I am not sure why, I guess I just didn't think of >>>> that. I will do that today. >>>> >>>> Shouldn't the built-in groups on a DC become Domain Built-in >>>> groups? I know for a fact this happens in Windows 2003. I >>>> have the groups in my AD that are in the Built-in OU and are >>>> of Built-in Local security context. I am not even running >>>> Terminal Services. The Remote Desktops Users still applies >>>> to Domain Controllers for just plain-old RDP. Arguably, the >>>> Terminal Server License Server should be on a DC. >>>> >>>> As far as rebuilding the other servers, it's not that simple. >>>> I have two older boxes, running Win2k. One of them is a TS & >>>> DC. The other is a SQL & DC box. Both are currently being >>>> used for their TS and SQL functions. I need to move those >>>> functions over to the new boxes running Win2k8. Only once I >>>> do that, can I move the DC functions around. The only reason >>>> I even introduced a Win2k8 DC is because I needed it to hold >>>> the TS License Server. The Win2k DC cannot issue TS licenses >>>> to Win2k8 TS servers. >>>> >>>> Thanks! >>>> Ketchup >>>> >>>> >>>> "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in message >>>> news:OsskqyqAJHA.528@TK2MSFTNGP06.phx.gbl... >>>>> The built-in groups are local groups and aren't created >>>>> because it's a DC. A DC cannot have local groups like a >>>>> typical member server. 
>>>>> >>>>> Out of curiousity have you tried giving users the Log on >>>>> Locally right as well as the other right you assigned? >>>>> >>>>> Now that you have a new DC up and running, why can't you take >>>>> one of the other DC's and rebuild it to a TS box? >>>>> >>>>> -- >>>>> Jeff Pitsch >>>>> Microsoft MVP - Terminal Services >>>>> >>>>> "Ketchup" <ketchup@ketchup.com> wrote in message >>>>> news:ufvDJOmAJHA.4440@TK2MSFTNGP06.phx.gbl... >>>>>> Patrick, thanks. I was actually going to run Vmware ESX >>>>>> and create two TS servers. That would have been ideal.(not >>>>>> a big fan Microsoft virtualization, not yet) However, I saw >>>>>> too many people complaining about stability and performances >>>>>> of Terminal Services in virtualized environments. I can't >>>>>> virtualize the SQL box. It's already an x64 box with 8 GB >>>>>> of RAM and 4 CPUs. I need all I can get from that. >>>>>> >>>>>> I am actually running the same config on a Windows 2000 >>>>>> Server in this network. It took a while to create a good >>>>>> security template to take care of the security issues, but >>>>>> it works. I have not noticed any performances issues with >>>>>> an average of 30-40 concurrent connections. This is a >>>>>> relatively small network (about 50-60 users). I can't use >>>>>> the SQL server box as a DC for too many reasons, one of >>>>>> which being a violation of terms with one of the app >>>>>> vendors. >>>>>> >>>>>> The two Windows 2000 boxes are actually decent machines. I >>>>>> will use them as DCs once I complete the migration and can >>>>>> recore them. Until then, I really do have to run this >>>>>> configuration, I believe. >>>>>> >>>>>> Finally, I don't think that even if I did have a separate >>>>>> DC, it would solve the problem of these missing Built-in >>>>>> groups. That's really the root of my problems. It seems >>>>>> to be something related to adprep / dcpromo from Windows >>>>>> 2000 AD to Windows 2008 AD. 
>>>>>> >>>>>> >>>>>> "Patrick Rouse" <PatrickRouse@discussions.microsoft.com> >>>>>> wrote in message >>>>>> news:C13D661A-1DDA-4337-857B-4EF3C6794461@microsoft.com... >>>>>>>I would run AD on a SQL Server or anything alse before >>>>>>>running it on a >>>>>>> Terminal Server. There are both security and performance >>>>>>> reasons not to do >>>>>>> what you are doing, and this is why MSFT intentionally >>>>>>> disables this functionality on SBS. >>>>>>> >>>>>>> If you're using Server 2008 why don't you utilize Hyper-V >>>>>>> to virtualize your >>>>>>> servers and consolidate a bit. A DC doesn't need a full >>>>>>> piece of server >>>>>>> hardware. >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Patrick C. Rouse >>>>>>> Microsoft MVP - Terminal Server >>>>>>> SE, West Coast USA & Canada >>>>>>> Quest Software, Provision Networks Division >>>>>>> Virtual Client Solutions >>>>>>> http://www.provisionnetworks.com >>>>>>> >>>>>>> >>>>>>> "Ketchup" wrote: >>>>>>> >>>>>>>> Hello everyone, >>>>>>>> >>>>>>>> I am working with a client to upgrade their Windows 2000 >>>>>>>> based network to >>>>>>>> Windows 2008. I am a bit constricted on the number of >>>>>>>> servers that I can >>>>>>>> have and had to make certain sacrifices forcing me to run >>>>>>>> Terminal Services >>>>>>>> on a Windows 2008 Domain Controller. I realize that's >>>>>>>> not recommended >>>>>>>> practice, but it's better then running a DC on a heavily >>>>>>>> used SQL and Apps >>>>>>>> server. >>>>>>>> >>>>>>>> I ran adprep with /forestprep and /domainprep /gpprep >>>>>>>> switches on the Windows 2000 AD environment successfully. >>>>>>>> I was able to add a Windows 2008 >>>>>>>> DC that will also be the new Terminal Server. The >>>>>>>> dcpromo process completed successfully. Dcdiag and >>>>>>>> manual checks do not return any errors. >>>>>>>> I have not yet transferred any FSMO roles to the new >>>>>>>> Windows 2008 DC. 
>>>>>>>>
>>>>>>>> When I went to install the Terminal Server role on the
>>>>>>>> Windows 2008 DC, I
>>>>>>>> ran into a few problems. I noticed that the Built-in
>>>>>>>> "Terminal Server
>>>>>>>> License Servers" group did not get created and I cannot
>>>>>>>> use the Windows 2008
>>>>>>>> TS License Service (same box) to manage user CALs. I
>>>>>>>> thought that it
>>>>>>>> wasn't a big deal since the client is fully licensed and
>>>>>>>> Windows 2008 still
>>>>>>>> doesn't enforce user CAL limits for Terminal Services.
>>>>>>>> I ran into further
>>>>>>>> problems when I attempted to allow non-administrators to
>>>>>>>> connect through
>>>>>>>> Terminal Services. The Built-in "Remote Desktop Users"
>>>>>>>> group did not get
>>>>>>>> created in AD either.
>>>>>>>>
>>>>>>>> I tried to bypass the lack of Remote Desktop Users group
>>>>>>>> using a GPO to add
>>>>>>>> the appropriate members to the Remote Desktops Group
>>>>>>>> through Restricted
>>>>>>>> Groups to no avail. I also tried editing the TS config to
>>>>>>>> allow another
>>>>>>>> group user access. Finally, I tried another GPO to give
>>>>>>>> users the right
>>>>>>>> Allow Logon through Terminal Services. None of this
>>>>>>>> worked and users
>>>>>>>> cannot connect, receiving an error message stating "access
>>>>>>>> to create session
>>>>>>>> is denied." This must be a change in Vista/Windows 2008
>>>>>>>> since these steps
>>>>>>>> work fine in a Windows 2003 AD environment.
>>>>>>>>
>>>>>>>> To solve the lack of Terminal Server License Servers
>>>>>>>> group, I tried to
>>>>>>>> manually create one. This obviously didn't work since
>>>>>>>> the Built-in groups
>>>>>>>> have fixed SIDs. I then tried to use ldifde and csvde
>>>>>>>> to export these two
>>>>>>>> groups from a 2003 AD domain (another client) and import
>>>>>>>> them into the 2000
>>>>>>>> domain. Neither ldifde nor csvde would allow me to
>>>>>>>> import GUID or SID
>>>>>>>> values. This attempt also failed.
>>>>>>>>
>>>>>>>> I have been searching online and cannot find any solutions
>>>>>>>> to these issues.
>>>>>>>> Please help.
Guest Vera Noest [MVP]
Posted August 20, 2008

Re: Windows 2008 TS in Windows 2000 AD

"Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote on 20 aug 2008 in microsoft.public.windows.terminal_services:

> And Vera KNOCKS it out of the ballpark once again!
>
> sorry Vera, baseball reference there.....

No problem, Jeff. I happen to be reading a book where the main person is a professional baseball player, so I got the idea...

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___