Single server scenario workable?

[Guest anthonyx26]

I have some clients who, for budgetary reasons, only have a single server

(WS2008) in their office but would still like to have the benefits and

security of using TS for their employees.

 

Is it possible to configure a single server as a locked down TS (using GPOs)

for use by multiple remote users?

 

It's currently not configured as a domain controller, but I suppose could

be.

 

I realize a single server is not ideal...in fact I always recommend and have

always configured scenarios with at least a separate TS and DC and file

server.

 

- anthonyx26

[Guest Jeff Pitsch]

Re: Single server scenario workable?

 

It is definitely not optimal but it is doable. Just make sure to take

the time to lock it down properly and you should be good to go. I don't

like saying it but I would make it a DC if you could so you have more

flexible options with group policy instead of simply local policy.

 

<shudder> did I just recommend that?

 

Jeff Pitsch

Microsoft MVP - Terminal Services

 

anthonyx26 wrote:

> I have some clients who, for budgetary reasons, only have a single

> server (WS2008) in their office but would still like to have the

> benefits and security of using TS for their employees.

>

> Is it possible to configure a single server as a locked down TS (using

> GPOs) for use by multiple remote users?

>

> It's currently not configured as a domain controller, but I suppose

> could be.

>

> I realize a single server is not ideal...in fact I always recommend and

> have always configured scenarios with at least a separate TS and DC and

> file server.

>

> - anthonyx26

>

[Guest Yuri NLD]

RE: Single server scenario workable?

 

Your client can also go to a hosting provider for their terminal server

applications. That is the most secure way. I might have one if your client is

in Europe.

 

However, to come back to your question.

 

At first: you need a DC to lock down. With local policies on a workgroup

server with Terminal Services enabled you will never get the same level of

security as with a GPO.

Small example: all users will see all printers in the workgroup scenario.

 

If, you enable terminal services on a DC you will not have a local Remote

Desktop group, but it will become a global group. This is one example of the

'many small things' that will be different than you use to.

 

Actually I'm not sure if you even are allowed to enable terminal services on

a DC.

If so, you can do it, but there will be more time in developing a good GPO

strategy.

Of course, there a a lot of downside's. I think you know them and otherwise

you van google around. But a budget person only ask: “Is it possible? “ If

you answer: ”Yes.” Than it will be: “Ok, do it with one server.”

 

And even then: make good backups, if the DC fails and can not be restored

you loose everything!

 

Hopefully I gave you something to think about.

Good luck.

All the best,

Yuri

[Guest anthonyx26]

Re: Single server scenario workable?

 

"Yuri NLD" <YuriNLD@discussions.microsoft.com> wrote in message

news:63CDCACB-41E7-4468-9295-F8A3BF3D4A97@microsoft.com...

> Your client can also go to a hosting provider for their terminal server

> applications. That is the most secure way. I might have one if your client

> is

> in Europe.

 

Client is in US and of course since they already have a server they want to

use it.

> At first: you need a DC to lock down. With local policies on a workgroup

> server with Terminal Services enabled you will never get the same level of

> security as with a GPO.

> Small example: all users will see all printers in the workgroup scenario.

 

Agreed...GPOs would definitely work better than local policy.

> If, you enable terminal services on a DC you will not have a local Remote

> Desktop group, but it will become a global group. This is one example of

> the

> 'many small things' that will be different than you use to.

 

Hmmm...probably not hugely relevant if they only have one server.

> Actually I'm not sure if you even are allowed to enable terminal services

> on

> a DC.

 

Anyone know if this is even possible (ie enabling TS on a DC)?

> If so, you can do it, but there will be more time in developing a good GPO

> strategy.

> Of course, there a a lot of downside's. I think you know them and

> otherwise

> you van google around. But a budget person only ask: “Is it possible? “

> If

> you answer: ”Yes.” Than it will be: “Ok, do it with one server.”

 

This is the crux of the problem...if I let out a hint that "yes, it's

possible" then their mind will be set.

> And even then: make good backups, if the DC fails and can not be restored

> you loose everything!

 

This goes w/o saying...definitely many things to consider in this scenario.

 

- anthonyx26

[Guest anthonyx26]

Re: Single server scenario workable?

 

"Jeff Pitsch" <jeff.pitsch.fake@jeffpitschconsulting.com> wrote in message

news:eX4RCEqOJHA.4404@TK2MSFTNGP04.phx.gbl...

> It is definitely not optimal but it is doable. Just make sure to take the

> time to lock it down properly and you should be good to go. I don't like

> saying it but I would make it a DC if you could so you have more flexible

> options with group policy instead of simply local policy.

>

> <shudder> did I just recommend that?

 

Exactly! I think I will have to warn the client away from this

configuration.

 

- anthonyx26

[Guest Jeff Pitsch]

Re: Single server scenario workable?

 

Running TS and DC roles are, unfortunately, quite possible.

 

Jeff Pitsch

Microsoft MVP - Terminal Services

 

anthonyx26 wrote:

> "Yuri NLD" <YuriNLD@discussions.microsoft.com> wrote in message

> news:63CDCACB-41E7-4468-9295-F8A3BF3D4A97@microsoft.com...

>> Your client can also go to a hosting provider for their terminal server

>> applications. That is the most secure way. I might have one if your

>> client is

>> in Europe.

>

> Client is in US and of course since they already have a server they want

> to use it.

>

>> At first: you need a DC to lock down. With local policies on a workgroup

>> server with Terminal Services enabled you will never get the same

>> level of

>> security as with a GPO.

>> Small example: all users will see all printers in the workgroup scenario.

>

> Agreed...GPOs would definitely work better than local policy.

>

>> If, you enable terminal services on a DC you will not have a local Remote

>> Desktop group, but it will become a global group. This is one example

>> of the

>> 'many small things' that will be different than you use to.

>

> Hmmm...probably not hugely relevant if they only have one server.

>

>> Actually I'm not sure if you even are allowed to enable terminal

>> services on

>> a DC.

>

> Anyone know if this is even possible (ie enabling TS on a DC)?

>

>> If so, you can do it, but there will be more time in developing a good

>> GPO

>> strategy.

>> Of course, there a a lot of downside's. I think you know them and

>> otherwise

>> you van google around. But a budget person only ask: “Is it possible?

>> “ If

>> you answer: ”Yes.” Than it will be: “Ok, do it with one server.”

>

> This is the crux of the problem...if I let out a hint that "yes, it's

> possible" then their mind will be set.

>

>> And even then: make good backups, if the DC fails and can not be restored

>> you loose everything!

>

> This goes w/o saying...definitely many things to consider in this scenario.

>

> - anthonyx26

>

[Guest anthonyx26]

Re: Single server scenario workable?

 

"Jeff Pitsch" <jeff.pitsch.fake@jeffpitschconsulting.com> wrote in message

news:%23UvbHLrOJHA.1164@TK2MSFTNGP02.phx.gbl...

> Running TS and DC roles are, unfortunately, quite possible.

 

Well, so much for that excuse!

 

- anthonyx26