Running TS on Domain Controller

[Guest compsosinc@gmail.com]

What are the considerations and disadvantages of running Terminal

Server on a Domain Controller?

 

We have Windows 2003 Std Edition as our DC. It is a Dell PE 2800 with

4GB of memory and 3.0GHz Xeon Processor that currently supports 15

clients locally. We want to use the TS capability of this same server

for supporting our 6-8 remote WYSE Thin-clients over a Router-to-

Router VPN.

 

We have read discussions relating to security issues, but if we are

able to lock-down the TS portion, both throught he VPN and the GPO,

how does security become an issue?

 

Any other comments are appreciated -thanks

[Guest Lanwench [MVP - Exchange]]

Re: Running TS on Domain Controller

 

compsosinc@gmail.com wrote:

> What are the considerations and disadvantages of running Terminal

> Server on a Domain Controller?

>

> We have Windows 2003 Std Edition as our DC. It is a Dell PE 2800 with

> 4GB of memory and 3.0GHz Xeon Processor that currently supports 15

> clients locally. We want to use the TS capability of this same server

> for supporting our 6-8 remote WYSE Thin-clients over a Router-to-

> Router VPN.

>

> We have read discussions relating to security issues, but if we are

> able to lock-down the TS portion, both throught he VPN and the GPO,

> how does security become an issue?

>

> Any other comments are appreciated -thanks

 

Resource contention

Security (no matter what you do via GPO, you're asking for trouble)

Stability

Yaddayaddayadda

 

I would never do it, especially as this is your sole server/DC. Buy another

server for this purpose if you need TS. Your DC is too important and needs

to run reliably; you should be able to reboot a TS box at will without

disrupting anything other than the TS users.

[Guest compsosinc@gmail.com]

Re: Running TS on Domain Controller

 

On Nov 13, 11:46 am, "Lanwench [MVP - Exchange]"

<lanwe...@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote:

> compsos...@gmail.com wrote:

> > What are the considerations and disadvantages of running Terminal

> > Server on a Domain Controller?

>

> > We have Windows 2003 Std Edition as our DC. It is a Dell PE 2800 with

> > 4GB of memory and 3.0GHz Xeon Processor that currently supports 15

> > clients locally. We want to use the TS capability of this same server

> > for supporting our 6-8 remote WYSE Thin-clients over a Router-to-

> > Router VPN.

>

> > We have read discussions relating to security issues, but if we are

> > able to lock-down the TS portion, both throught he VPN and the GPO,

> > how does security become an issue?

>

> > Any other comments are appreciated -thanks

>

> Resource contention

> Security (no matter what you do via GPO, you're asking for trouble)

> Stability

> Yaddayaddayadda

>

> I would never do it, especially as this is your sole server/DC. Buy another

> server for this purpose if you need TS. Your DC is too important and needs

> to run reliably; you should be able to reboot a TS box at will without

> disrupting anything other than the TS users.

 

Thanks for the reply. We are still considering a separate server for

the TS but want to know the worst-case scenario for not buying a

separate server with regards to setting up the GP. We have read in a

few threads that stat that "you cannot use all the features of the GP

when the TS is also the DC". we are not sure specifically what

features we wil not be able to use. Maybe a better way to phrase our

question is this:

 

1. If TS is installed on the DC, can we setup the GP the same as if

the TS were on a member server? That is, do we lose any capabilities

or functionality with the security lockdown?

 

Thanks again

[Guest Jeff]

Re: Running TS on Domain Controller

 

One thing that comes to mind is in setting up Terminal services in OU's with

GP's on a domain, usually your terminal server has to have local groups setup

correctly, which most scenarios with DC's won't allow local groups. Local

groups on your member server is one thing that gives permissions to connect

remotely.

 

"compsosinc@gmail.com" wrote:

> On Nov 13, 11:46 am, "Lanwench [MVP - Exchange]"

> <lanwe...@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote:

> > compsos...@gmail.com wrote:

> > > What are the considerations and disadvantages of running Terminal

> > > Server on a Domain Controller?

> >

> > > We have Windows 2003 Std Edition as our DC. It is a Dell PE 2800 with

> > > 4GB of memory and 3.0GHz Xeon Processor that currently supports 15

> > > clients locally. We want to use the TS capability of this same server

> > > for supporting our 6-8 remote WYSE Thin-clients over a Router-to-

> > > Router VPN.

> >

> > > We have read discussions relating to security issues, but if we are

> > > able to lock-down the TS portion, both throught he VPN and the GPO,

> > > how does security become an issue?

> >

> > > Any other comments are appreciated -thanks

> >

> > Resource contention

> > Security (no matter what you do via GPO, you're asking for trouble)

> > Stability

> > Yaddayaddayadda

> >

> > I would never do it, especially as this is your sole server/DC. Buy another

> > server for this purpose if you need TS. Your DC is too important and needs

> > to run reliably; you should be able to reboot a TS box at will without

> > disrupting anything other than the TS users.

>

> Thanks for the reply. We are still considering a separate server for

> the TS but want to know the worst-case scenario for not buying a

> separate server with regards to setting up the GP. We have read in a

> few threads that stat that "you cannot use all the features of the GP

> when the TS is also the DC". we are not sure specifically what

> features we wil not be able to use. Maybe a better way to phrase our

> question is this:

>

> 1. If TS is installed on the DC, can we setup the GP the same as if

> the TS were on a member server? That is, do we lose any capabilities

> or functionality with the security lockdown?

>

> Thanks again

>

>

[Guest Jeff]

Re: Running TS on Domain Controller

 

If you insisted on using a DC as a terminal server you would have to edit

your local policy to allow local login rights to your DC for users, which can

be a risk to a security.

 

"compsosinc@gmail.com" wrote:

> On Nov 13, 11:46 am, "Lanwench [MVP - Exchange]"

> <lanwe...@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote:

> > compsos...@gmail.com wrote:

> > > What are the considerations and disadvantages of running Terminal

> > > Server on a Domain Controller?

> >

> > > We have Windows 2003 Std Edition as our DC. It is a Dell PE 2800 with

> > > 4GB of memory and 3.0GHz Xeon Processor that currently supports 15

> > > clients locally. We want to use the TS capability of this same server

> > > for supporting our 6-8 remote WYSE Thin-clients over a Router-to-

> > > Router VPN.

> >

> > > We have read discussions relating to security issues, but if we are

> > > able to lock-down the TS portion, both throught he VPN and the GPO,

> > > how does security become an issue?

> >

> > > Any other comments are appreciated -thanks

> >

> > Resource contention

> > Security (no matter what you do via GPO, you're asking for trouble)

> > Stability

> > Yaddayaddayadda

> >

> > I would never do it, especially as this is your sole server/DC. Buy another

> > server for this purpose if you need TS. Your DC is too important and needs

> > to run reliably; you should be able to reboot a TS box at will without

> > disrupting anything other than the TS users.

>

> Thanks for the reply. We are still considering a separate server for

> the TS but want to know the worst-case scenario for not buying a

> separate server with regards to setting up the GP. We have read in a

> few threads that stat that "you cannot use all the features of the GP

> when the TS is also the DC". we are not sure specifically what

> features we wil not be able to use. Maybe a better way to phrase our

> question is this:

>

> 1. If TS is installed on the DC, can we setup the GP the same as if

> the TS were on a member server? That is, do we lose any capabilities

> or functionality with the security lockdown?

>

> Thanks again

>

>