Guest anthonyx26
Posted October 30, 2008

I have some clients who, for budgetary reasons, only have a single server (WS2008) in their office but would still like to have the benefits and security of using TS for their employees.

Is it possible to configure a single server as a locked down TS (using GPOs) for use by multiple remote users?

It's currently not configured as a domain controller, but I suppose could be.

I realize a single server is not ideal...in fact I always recommend and have always configured scenarios with at least a separate TS and DC and file server.

- anthonyx26
Guest Jeff Pitsch
Posted October 30, 2008

Re: Single server scenario workable?

It is definitely not optimal but it is doable. Just make sure to take the time to lock it down properly and you should be good to go. I don't like saying it but I would make it a DC if you could so you have more flexible options with group policy instead of simply local policy.

<shudder> did I just recommend that?

Jeff Pitsch
Microsoft MVP - Terminal Services

anthonyx26 wrote:
> I have some clients who, for budgetary reasons, only have a single server (WS2008) in their office but would still like to have the benefits and security of using TS for their employees.
>
> Is it possible to configure a single server as a locked down TS (using GPOs) for use by multiple remote users?
>
> It's currently not configured as a domain controller, but I suppose could be.
>
> I realize a single server is not ideal...in fact I always recommend and have always configured scenarios with at least a separate TS and DC and file server.
>
> - anthonyx26
Guest Yuri NLD
Posted October 30, 2008

RE: Single server scenario workable?

Your client can also go to a hosting provider for their terminal server applications. That is the most secure way. I might have one if your client is in Europe.

However, to come back to your question.

At first: you need a DC to lock down. With local policies on a workgroup server with Terminal Services enabled you will never get the same level of security as with a GPO.
Small example: all users will see all printers in the workgroup scenario.

If you enable terminal services on a DC you will not have a local Remote Desktop group, but it will become a global group. This is one example of the 'many small things' that will be different than you are used to.

Actually I'm not sure if you even are allowed to enable terminal services on a DC.

If so, you can do it, but there will be more time in developing a good GPO strategy.
Of course, there are a lot of downsides. I think you know them and otherwise you can google around. But a budget person only asks: "Is it possible?" If you answer: "Yes." Then it will be: "Ok, do it with one server."

And even then: make good backups, if the DC fails and cannot be restored you lose everything!

Hopefully I gave you something to think about. Good luck.

All the best,
Yuri
Guest anthonyx26
Posted October 30, 2008

Re: Single server scenario workable?

"Yuri NLD" <YuriNLD@discussions.microsoft.com> wrote in message news:63CDCACB-41E7-4468-9295-F8A3BF3D4A97@microsoft.com...
> Your client can also go to a hosting provider for their terminal server applications. That is the most secure way. I might have one if your client is in Europe.

Client is in US and of course since they already have a server they want to use it.

> At first: you need a DC to lock down. With local policies on a workgroup server with Terminal Services enabled you will never get the same level of security as with a GPO.
> Small example: all users will see all printers in the workgroup scenario.

Agreed...GPOs would definitely work better than local policy.

> If you enable terminal services on a DC you will not have a local Remote Desktop group, but it will become a global group. This is one example of the 'many small things' that will be different than you are used to.

Hmmm...probably not hugely relevant if they only have one server.

> Actually I'm not sure if you even are allowed to enable terminal services on a DC.

Anyone know if this is even possible (ie enabling TS on a DC)?

> If so, you can do it, but there will be more time in developing a good GPO strategy.
> Of course, there are a lot of downsides. I think you know them and otherwise you can google around. But a budget person only asks: "Is it possible?" If you answer: "Yes." Then it will be: "Ok, do it with one server."

This is the crux of the problem...if I let out a hint that "yes, it's possible" then their mind will be set.

> And even then: make good backups, if the DC fails and cannot be restored you lose everything!

This goes w/o saying...definitely many things to consider in this scenario.

- anthonyx26
Guest anthonyx26
Posted October 30, 2008

Re: Single server scenario workable?

"Jeff Pitsch" <jeff.pitsch.fake@jeffpitschconsulting.com> wrote in message news:eX4RCEqOJHA.4404@TK2MSFTNGP04.phx.gbl...
> It is definitely not optimal but it is doable. Just make sure to take the time to lock it down properly and you should be good to go. I don't like saying it but I would make it a DC if you could so you have more flexible options with group policy instead of simply local policy.
>
> <shudder> did I just recommend that?

Exactly! I think I will have to warn the client away from this configuration.

- anthonyx26
Guest Jeff Pitsch
Posted October 30, 2008

Re: Single server scenario workable?

Running TS and DC roles is, unfortunately, quite possible.

Jeff Pitsch
Microsoft MVP - Terminal Services

anthonyx26 wrote:
> "Yuri NLD" <YuriNLD@discussions.microsoft.com> wrote in message news:63CDCACB-41E7-4468-9295-F8A3BF3D4A97@microsoft.com...
>> Your client can also go to a hosting provider for their terminal server applications. That is the most secure way. I might have one if your client is in Europe.
>
> Client is in US and of course since they already have a server they want to use it.
>
>> At first: you need a DC to lock down. With local policies on a workgroup server with Terminal Services enabled you will never get the same level of security as with a GPO.
>> Small example: all users will see all printers in the workgroup scenario.
>
> Agreed...GPOs would definitely work better than local policy.
>
>> If you enable terminal services on a DC you will not have a local Remote Desktop group, but it will become a global group. This is one example of the 'many small things' that will be different than you are used to.
>
> Hmmm...probably not hugely relevant if they only have one server.
>
>> Actually I'm not sure if you even are allowed to enable terminal services on a DC.
>
> Anyone know if this is even possible (ie enabling TS on a DC)?
>
>> If so, you can do it, but there will be more time in developing a good GPO strategy.
>> Of course, there are a lot of downsides. I think you know them and otherwise you can google around. But a budget person only asks: "Is it possible?" If you answer: "Yes." Then it will be: "Ok, do it with one server."
>
> This is the crux of the problem...if I let out a hint that "yes, it's possible" then their mind will be set.
>
>> And even then: make good backups, if the DC fails and cannot be restored you lose everything!
>
> This goes w/o saying...definitely many things to consider in this scenario.
>
> - anthonyx26
Guest anthonyx26
Posted October 30, 2008

Re: Single server scenario workable?

"Jeff Pitsch" <jeff.pitsch.fake@jeffpitschconsulting.com> wrote in message news:%23UvbHLrOJHA.1164@TK2MSFTNGP02.phx.gbl...
> Running TS and DC roles is, unfortunately, quite possible.

Well, so much for that excuse!

- anthonyx26