Single server scenario workable?

anthonyx26

I have some clients who, for budgetary reasons, only have a single server
(WS2008) in their office but would still like to have the benefits and
security of using TS for their employees.

Is it possible to configure a single server as a locked down TS (using GPOs)
for use by multiple remote users?

It's currently not configured as a domain controller, but I suppose could
be.

I realize a single server is not ideal...in fact I always recommend and have
always configured scenarios with at least a separate TS and DC and file
server.

- anthonyx26
 
Re: Single server scenario workable?

It is definitely not optimal but it is doable. Just make sure to take
the time to lock it down properly and you should be good to go. I don't
like saying it but I would make it a DC if you could so you have more
flexible options with group policy instead of simply local policy.

<shudder> did I just recommend that?

Jeff Pitsch
Microsoft MVP - Terminal Services

anthonyx26 wrote:
> I have some clients who, for budgetary reasons, only have a single
> server (WS2008) in their office but would still like to have the
> benefits and security of using TS for their employees.
>
> Is it possible to configure a single server as a locked down TS (using
> GPOs) for use by multiple remote users?
>
> It's currently not configured as a domain controller, but I suppose
> could be.
>
> I realize a single server is not ideal...in fact I always recommend and
> have always configured scenarios with at least a separate TS and DC and
> file server.
>
> - anthonyx26
>
 
RE: Single server scenario workable?

Your client can also go to a hosting provider for their terminal server
applications. That is the most secure way. I might have one if your client is
in Europe.

However, to come back to your question.

At first: you need a DC to lock down. With local policies on a workgroup
server with Terminal Services enabled you will never get the same level of
security as with a GPO.
Small example: all users will see all printers in the workgroup scenario.

If you enable terminal services on a DC you will not have a local Remote
Desktop group, but it will become a global group. This is one example of the
'many small things' that will be different than you are used to.

Actually I'm not sure if you even are allowed to enable terminal services on
a DC.
If so, you can do it, but there will be more time in developing a good GPO
strategy.
Of course, there are a lot of downsides. I think you know them and otherwise
you can google around. But a budget person only asks: “Is it possible?” If
you answer: “Yes.” Then it will be: “Ok, do it with one server.”

And even then: make good backups, if the DC fails and cannot be restored
you lose everything!

Hopefully I gave you something to think about.
Good luck.
All the best,
Yuri
 
Re: Single server scenario workable?

"Yuri NLD" <YuriNLD@discussions.microsoft.com> wrote in message
news:63CDCACB-41E7-4468-9295-F8A3BF3D4A97@microsoft.com...
> Your client can also go to a hosting provider for their terminal server
> applications. That is the most secure way. I might have one if your client
> is in Europe.


Client is in US and of course since they already have a server they want to
use it.

> At first: you need a DC to lock down. With local policies on a workgroup
> server with Terminal Services enabled you will never get the same level of
> security as with a GPO.
> Small example: all users will see all printers in the workgroup scenario.


Agreed...GPOs would definitely work better than local policy.

> If you enable terminal services on a DC you will not have a local Remote
> Desktop group, but it will become a global group. This is one example of
> the 'many small things' that will be different than you are used to.


Hmmm...probably not hugely relevant if they only have one server.

> Actually I'm not sure if you even are allowed to enable terminal services
> on a DC.


Anyone know if this is even possible (ie enabling TS on a DC)?

> If so, you can do it, but there will be more time in developing a good GPO
> strategy.
> Of course, there are a lot of downsides. I think you know them and
> otherwise you can google around. But a budget person only asks: “Is it
> possible?” If you answer: “Yes.” Then it will be: “Ok, do it with one
> server.”


This is the crux of the problem...if I let out a hint that "yes, it's
possible" then their mind will be set.

> And even then: make good backups, if the DC fails and cannot be restored
> you lose everything!


This goes w/o saying...definitely many things to consider in this scenario.

- anthonyx26
 
Re: Single server scenario workable?

"Jeff Pitsch" <jeff.pitsch.fake@jeffpitschconsulting.com> wrote in message
news:eX4RCEqOJHA.4404@TK2MSFTNGP04.phx.gbl...
> It is definitely not optimal but it is doable. Just make sure to take the
> time to lock it down properly and you should be good to go. I don't like
> saying it but I would make it a DC if you could so you have more flexible
> options with group policy instead of simply local policy.
>
> <shudder> did I just recommend that?


Exactly! I think I will have to warn the client away from this
configuration.

- anthonyx26
 
Re: Single server scenario workable?

Running TS and DC roles is, unfortunately, quite possible.

Jeff Pitsch
Microsoft MVP - Terminal Services

anthonyx26 wrote:
> "Yuri NLD" <YuriNLD@discussions.microsoft.com> wrote in message
> news:63CDCACB-41E7-4468-9295-F8A3BF3D4A97@microsoft.com...
>> Your client can also go to a hosting provider for their terminal server
>> applications. That is the most secure way. I might have one if your
>> client is in Europe.
>
> Client is in US and of course since they already have a server they want
> to use it.
>
>> At first: you need a DC to lock down. With local policies on a workgroup
>> server with Terminal Services enabled you will never get the same
>> level of security as with a GPO.
>> Small example: all users will see all printers in the workgroup scenario.
>
> Agreed...GPOs would definitely work better than local policy.
>
>> If you enable terminal services on a DC you will not have a local Remote
>> Desktop group, but it will become a global group. This is one example
>> of the 'many small things' that will be different than you are used to.
>
> Hmmm...probably not hugely relevant if they only have one server.
>
>> Actually I'm not sure if you even are allowed to enable terminal
>> services on a DC.
>
> Anyone know if this is even possible (ie enabling TS on a DC)?
>
>> If so, you can do it, but there will be more time in developing a good
>> GPO strategy.
>> Of course, there are a lot of downsides. I think you know them and
>> otherwise you can google around. But a budget person only asks: “Is it
>> possible?” If you answer: “Yes.” Then it will be: “Ok, do it with one
>> server.”
>
> This is the crux of the problem...if I let out a hint that "yes, it's
> possible" then their mind will be set.
>
>> And even then: make good backups, if the DC fails and cannot be restored
>> you lose everything!
>
> This goes w/o saying...definitely many things to consider in this scenario.
>
> - anthonyx26
>
 
Re: Single server scenario workable?

"Jeff Pitsch" <jeff.pitsch.fake@jeffpitschconsulting.com> wrote in message
news:%23UvbHLrOJHA.1164@TK2MSFTNGP02.phx.gbl...
> Running TS and DC roles is, unfortunately, quite possible.


Well, so much for that excuse!

- anthonyx26
 