Running TS on Domain Controller

[compsosinc@gmail.com]

What are the considerations and disadvantages of running Terminal
Server on a Domain Controller?

We have Windows 2003 Std Edition as our DC. It is a Dell PE 2800 with
4GB of memory and 3.0GHz Xeon Processor that currently supports 15
clients locally. We want to use the TS capability of this same server
for supporting our 6-8 remote WYSE Thin-clients over a Router-to-
Router VPN.

We have read discussions relating to security issues, but if we are
able to lock-down the TS portion, both throught he VPN and the GPO,
how does security become an issue?

Any other comments are appreciated -thanks

 

[Lanwench [MVP - Exchange]]

Re: Running TS on Domain Controller

compsosinc@gmail.com wrote:
> What are the considerations and disadvantages of running Terminal
> Server on a Domain Controller?
>
> We have Windows 2003 Std Edition as our DC. It is a Dell PE 2800 with
> 4GB of memory and 3.0GHz Xeon Processor that currently supports 15
> clients locally. We want to use the TS capability of this same server
> for supporting our 6-8 remote WYSE Thin-clients over a Router-to-
> Router VPN.
>
> We have read discussions relating to security issues, but if we are
> able to lock-down the TS portion, both throught he VPN and the GPO,
> how does security become an issue?
>
> Any other comments are appreciated -thanks

Resource contention
Security (no matter what you do via GPO, you're asking for trouble)
Stability
Yaddayaddayadda

I would never do it, especially as this is your sole server/DC. Buy another
server for this purpose if you need TS. Your DC is too important and needs
to run reliably; you should be able to reboot a TS box at will without
disrupting anything other than the TS users.

 

[compsosinc@gmail.com]

Re: Running TS on Domain Controller

On Nov 13, 11:46 am, "Lanwench [MVP - Exchange]"
<lanwe...@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote:
> compsos...@gmail.com wrote:
> > What are the considerations and disadvantages of running Terminal
> > Server on a Domain Controller?
>
> > We have Windows 2003 Std Edition as our DC. It is a Dell PE 2800 with
> > 4GB of memory and 3.0GHz Xeon Processor that currently supports 15
> > clients locally. We want to use the TS capability of this same server
> > for supporting our 6-8 remote WYSE Thin-clients over a Router-to-
> > Router VPN.
>
> > We have read discussions relating to security issues, but if we are
> > able to lock-down the TS portion, both throught he VPN and the GPO,
> > how does security become an issue?
>
> > Any other comments are appreciated -thanks
>
> Resource contention
> Security (no matter what you do via GPO, you're asking for trouble)
> Stability
> Yaddayaddayadda
>
> I would never do it, especially as this is your sole server/DC. Buy another
> server for this purpose if you need TS. Your DC is too important and needs
> to run reliably; you should be able to reboot a TS box at will without
> disrupting anything other than the TS users.

Thanks for the reply. We are still considering a separate server for
the TS but want to know the worst-case scenario for not buying a
separate server with regards to setting up the GP. We have read in a
few threads that stat that "you cannot use all the features of the GP
when the TS is also the DC". we are not sure specifically what
features we wil not be able to use. Maybe a better way to phrase our
question is this:

1. If TS is installed on the DC, can we setup the GP the same as if
the TS were on a member server? That is, do we lose any capabilities
or functionality with the security lockdown?

Thanks again

 

[Jeff]

Re: Running TS on Domain Controller

One thing that comes to mind is in setting up Terminal services in OU's with
GP's on a domain, usually your terminal server has to have local groups setup
correctly, which most scenarios with DC's won't allow local groups. Local
groups on your member server is one thing that gives permissions to connect
remotely.

"compsosinc@gmail.com" wrote:

> On Nov 13, 11:46 am, "Lanwench [MVP - Exchange]"
> <lanwe...@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote:
> > compsos...@gmail.com wrote:
> > > What are the considerations and disadvantages of running Terminal
> > > Server on a Domain Controller?
> >
> > > We have Windows 2003 Std Edition as our DC. It is a Dell PE 2800 with
> > > 4GB of memory and 3.0GHz Xeon Processor that currently supports 15
> > > clients locally. We want to use the TS capability of this same server
> > > for supporting our 6-8 remote WYSE Thin-clients over a Router-to-
> > > Router VPN.
> >
> > > We have read discussions relating to security issues, but if we are
> > > able to lock-down the TS portion, both throught he VPN and the GPO,
> > > how does security become an issue?
> >
> > > Any other comments are appreciated -thanks
> >
> > Resource contention
> > Security (no matter what you do via GPO, you're asking for trouble)
> > Stability
> > Yaddayaddayadda
> >
> > I would never do it, especially as this is your sole server/DC. Buy another
> > server for this purpose if you need TS. Your DC is too important and needs
> > to run reliably; you should be able to reboot a TS box at will without
> > disrupting anything other than the TS users.
>
> Thanks for the reply. We are still considering a separate server for
> the TS but want to know the worst-case scenario for not buying a
> separate server with regards to setting up the GP. We have read in a
> few threads that stat that "you cannot use all the features of the GP
> when the TS is also the DC". we are not sure specifically what
> features we wil not be able to use. Maybe a better way to phrase our
> question is this:
>
> 1. If TS is installed on the DC, can we setup the GP the same as if
> the TS were on a member server? That is, do we lose any capabilities
> or functionality with the security lockdown?
>
> Thanks again
>
>

 

[Jeff]

Re: Running TS on Domain Controller

If you insisted on using a DC as a terminal server you would have to edit
your local policy to allow local login rights to your DC for users, which can
be a risk to a security.

"compsosinc@gmail.com" wrote:

> On Nov 13, 11:46 am, "Lanwench [MVP - Exchange]"
> <lanwe...@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote:
> > compsos...@gmail.com wrote:
> > > What are the considerations and disadvantages of running Terminal
> > > Server on a Domain Controller?
> >
> > > We have Windows 2003 Std Edition as our DC. It is a Dell PE 2800 with
> > > 4GB of memory and 3.0GHz Xeon Processor that currently supports 15
> > > clients locally. We want to use the TS capability of this same server
> > > for supporting our 6-8 remote WYSE Thin-clients over a Router-to-
> > > Router VPN.
> >
> > > We have read discussions relating to security issues, but if we are
> > > able to lock-down the TS portion, both throught he VPN and the GPO,
> > > how does security become an issue?
> >
> > > Any other comments are appreciated -thanks
> >
> > Resource contention
> > Security (no matter what you do via GPO, you're asking for trouble)
> > Stability
> > Yaddayaddayadda
> >
> > I would never do it, especially as this is your sole server/DC. Buy another
> > server for this purpose if you need TS. Your DC is too important and needs
> > to run reliably; you should be able to reboot a TS box at will without
> > disrupting anything other than the TS users.
>
> Thanks for the reply. We are still considering a separate server for
> the TS but want to know the worst-case scenario for not buying a
> separate server with regards to setting up the GP. We have read in a
> few threads that stat that "you cannot use all the features of the GP
> when the TS is also the DC". we are not sure specifically what
> features we wil not be able to use. Maybe a better way to phrase our
> question is this:
>
> 1. If TS is installed on the DC, can we setup the GP the same as if
> the TS were on a member server? That is, do we lose any capabilities
> or functionality with the security lockdown?
>
> Thanks again
>
>