Windows 2008 TS in Windows 2000 AD

Ketchup

Hello everyone,

I am working with a client to upgrade their Windows 2000 based network to
Windows 2008. I am a bit constricted on the number of servers that I can
have and had to make certain sacrifices forcing me to run Terminal Services
on a Windows 2008 Domain Controller. I realize that's not recommended
practice, but it's better than running a DC on a heavily used SQL and Apps
server.

I ran adprep with /forestprep and /domainprep /gpprep switches on the
Windows 2000 AD environment successfully. I was able to add a Windows 2008
DC that will also be the new Terminal Server. The dcpromo process
completed successfully. Dcdiag and manual checks do not return any errors.
I have not yet transferred any FSMO roles to the new Windows 2008 DC.

When I went to install the Terminal Server role on the Windows 2008 DC, I
ran into a few problems. I noticed that the Built-in "Terminal Server
License Servers" group did not get created and I cannot use the Windows 2008
TS License Service (same box) to manage user CALs. I thought that it
wasn't a big deal since the client is fully licensed and Windows 2008 still
doesn't enforce user CAL limits for Terminal Services. I ran into further
problems when I attempted to allow non-administrators to connect through
Terminal Services. The Built-in "Remote Desktop Users" group did not get
created in AD either.

I tried to bypass the lack of Remote Desktop Users group using a GPO to add
the appropriate members to the Remote Desktops Group through Restricted
Groups to no avail. I also tried editing the TS config to allow another
group user access. Finally, I tried another GPO to give users the right
Allow Logon through Terminal Services. None of this worked and users
cannot connect, receiving an error message stating "access to create session
is denied." This must be a change in Vista/Windows 2008 since these steps
work fine in a Windows 2003 AD environment.

To solve the lack of Terminal Server License Servers group, I tried to
manually create one. This obviously didn't work since the Built-in groups
have fixed SIDs. I then tried to use ldifde and csvde to export these two
groups from a 2003 AD domain (another client) and import them into the 2000
domain. Neither ldifde nor csvde would allow me to import GUID or SID
values. This attempt also failed.

I have been searching online and cannot find any solutions to these issues.
Please help.
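
The post above turns on two things: whether the fixed-SID built-in groups exist in the domain, and who actually holds the logon rights on the server. The PowerShell below is an added example, not code from any poster in this thread; it assumes PowerShell 2.0 or later in an elevated session on the domain-joined server, and the scratch file name is made up for the example.

```powershell
# Added example (not from the thread). Checks the two built-in groups by their
# well-known SIDs and lists who holds the logon rights discussed in the post.

# Well-known alias SIDs of the two groups the post reports as missing.
$builtinGroups = @(
    @{ Sid = 'S-1-5-32-555'; Name = 'Remote Desktop Users' },
    @{ Sid = 'S-1-5-32-561'; Name = 'Terminal Server License Servers' }
)

# Security-policy constant names of the relevant logon rights.
$logonRights = @{
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Terminal Services'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Terminal Services'
    'SeInteractiveLogonRight'           = 'Allow log on locally'
}

function Resolve-SidName {
    # Returns DOMAIN\name for a SID string, or $null when the SID maps to nothing.
    param([string]$SidString)
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $null
    }
}

function Find-DirectoryObjectBySid {
    # Searches the current domain for an object carrying this objectSid.
    param([string]$SidString)
    $sid   = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    $bytes = New-Object byte[] ($sid.BinaryLength)
    $sid.GetBinaryForm($bytes, 0)
    # LDAP filters take binary values as \xx escaped bytes.
    $escaped  = ($bytes | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(objectSid=$escaped)"
    $hit = $searcher.FindOne()
    if ($hit) { return $hit.Properties['distinguishedname'][0] }
    return $null
}

function Get-EffectiveLogonRights {
    # Exports the effective user-rights assignment and resolves each holder.
    $cfg = Join-Path $env:TEMP 'ts-user-rights.inf'   # scratch file, name made up
    secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
    $found = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$' -and $logonRights.ContainsKey($matches[1])) {
            $right = $matches[1]
            # Holders are comma separated; SIDs are written with a leading '*'.
            $found[$right] = @($matches[2] -split ',' | ForEach-Object {
                $token = $_.Trim()
                if ($token.StartsWith('*')) {
                    $name = Resolve-SidName $token.Substring(1)
                    if ($name) { $name } else { "$token (unresolved SID)" }
                } else {
                    $token
                }
            })
        }
    }
    Remove-Item $cfg
    foreach ($right in $logonRights.Keys) {
        $holders = '(not assigned)'
        if ($found.ContainsKey($right)) { $holders = $found[$right] -join '; ' }
        New-Object PSObject -Property @{
            Right   = $logonRights[$right]
            Holders = $holders
        }
    }
}

# Report 1: do the fixed-SID groups exist?
$builtinGroups | ForEach-Object {
    New-Object PSObject -Property @{
        Sid             = $_.Sid
        Expected        = $_.Name
        ResolvesTo      = (Resolve-SidName $_.Sid)
        DirectoryObject = (Find-DirectoryObjectBySid $_.Sid)
    }
} | Format-List Sid, Expected, ResolvesTo, DirectoryObject

# Report 2: who can log on, as the server sees it after all GPOs are applied?
Get-EffectiveLogonRights | Format-List Right, Holders
```

An empty `ResolvesTo` and `DirectoryObject` for a SID confirms the group object is absent from the domain rather than merely hidden or renamed. A right whose holders show up only as unresolved SIDs has been granted to a principal that does not exist on this server.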
 
RE: Windows 2008 TS in Windows 2000 AD

I would run AD on a SQL Server or anything else before running it on a
Terminal Server. There are both security and performance reasons not to do
what you are doing, and this is why MSFT intentionally disables this
functionality on SBS.

If you're using Server 2008 why don't you utilize Hyper-V to virtualize your
servers and consolidate a bit. A DC doesn't need a full piece of server
hardware.


--
Patrick C. Rouse
Microsoft MVP - Terminal Server
SE, West Coast USA & Canada
Quest Software, Provision Networks Division
Virtual Client Solutions
http://www.provisionnetworks.com
 
Re: Windows 2008 TS in Windows 2000 AD

Patrick, thanks. I was actually going to run VMware ESX and create two TS
servers. That would have been ideal (not a big fan of Microsoft
virtualization, not yet). However, I saw too many people complaining about
stability and performance of Terminal Services in virtualized environments.
I can't virtualize the SQL box. It's already an x64 box with 8 GB of RAM
and 4 CPUs. I need all I can get from that.

I am actually running the same config on a Windows 2000 Server in this
network. It took a while to create a good security template to take care
of the security issues, but it works. I have not noticed any performance
issues with an average of 30-40 concurrent connections. This is a
relatively small network (about 50-60 users). I can't use the SQL server
box as a DC for too many reasons, one of which being a violation of terms
with one of the app vendors.

The two Windows 2000 boxes are actually decent machines. I will use them
as DCs once I complete the migration and can recore them. Until then, I
really do have to run this configuration, I believe.

Finally, I don't think that even if I did have a separate DC, it would solve
the problem of these missing Built-in groups. That's really the root of my
problems. It seems to be something related to adprep / dcpromo from
Windows 2000 AD to Windows 2008 AD.
 
Re: Windows 2008 TS in Windows 2000 AD

The built-in groups are local groups and aren't created because it's a DC.
A DC cannot have local groups like a typical member server.

Out of curiosity have you tried giving users the Log on Locally right as
well as the other right you assigned?

Now that you have a new DC up and running, why can't you take one of the
other DCs and rebuild it to a TS box?

--
Jeff Pitsch
Microsoft MVP - Terminal Services
 
Re: Windows 2008 TS in Windows 2000 AD

Jeff, thank you. I haven't tried giving the Logon Locally right. I am not
sure why, I guess I just didn't think of that. I will do that today.

Shouldn't the built-in groups on a DC become Domain Built-in groups? I
know for a fact this happens in Windows 2003. I have the groups in my AD
that are in the Built-in OU and are of Built-in Local security context. I
am not even running Terminal Services. The Remote Desktop Users still
applies to Domain Controllers for just plain-old RDP. Arguably, the
Terminal Server License Server should be on a DC.

As far as rebuilding the other servers, it's not that simple. I have two
older boxes, running Win2k. One of them is a TS & DC. The other is a SQL
& DC box. Both are currently being used for their TS and SQL functions.
I need to move those functions over to the new boxes running Win2k8. Only
once I do that, can I move the DC functions around. The only reason I even
introduced a Win2k8 DC is because I needed it to hold the TS License Server.
The Win2k DC cannot issue TS licenses to Win2k8 TS servers.

Thanks!
Ketchup
 
Re: Windows 2008 TS in Windows 2000 AD

You don't need a DC to host a license server. It's very easy through GPO
and TS Config to configure the TS box to point to the license server. If
the only reason you put up the DC was for the license service, remove the DC
role and go for straight TS with the licensing feature. In fact, I'd
rebuild that box just to be 100% safe but the point being get rid of the DC
role if it's not needed and it's not.

--
Jeff Pitsch
Microsoft MVP - Terminal Services
 
Re: Windows 2008 TS in Windows 2000 AD

I need the DC for more than just the license server. I realize that having
a TS and DC on the same box is a bad idea. I will fix that once I complete
migration. (I can always move DCs around.)

I really don't think that's the problem in my case. I have seen a couple
of posts online that indicate similar issues with lack of Built-in groups
when upgrading directly from Windows 2000 to Windows 2008. It seems that
Microsoft didn't quite finish testing in this case. I am quite sure that
the groups would be there if the upgrade was from Windows 2003 to Windows
2008.

Is there a way I can create these groups (Terminal Server License Servers
and Remote Desktop Users) in Active Directory? Should I run forestprep and
domain prep once more? Or should I use Windows 2003 version of forestprep
and adprep first?



"Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in message
news:O4wdYDsAJHA.908@TK2MSFTNGP03.phx.gbl...
> You don't need a DC to host a license server. It's very easy through GPO
> and TS Config to configure the TS box to point to the license server. If
> the only reason you put up the DC was for the license service, remove the
> DC role and go for straight TS with the licensing feature. In fact, I'd
> rebuild that box just to be 100% safe but the point being get rid of the
> DC role if it's not needed and it's not.
>
> --
> Jeff Pitsch
> Microsoft MVP - Terminal Services
>
> "Ketchup" <ketchup@ketchup.com> wrote in message
> news:%23ho3xsrAJHA.2056@TK2MSFTNGP05.phx.gbl...
>> Jeff, thank you. I haven't tried giving the Logon Locally right. I am
>> not sure why, I guess I just didn't think of that. I will do that
>> today.
>>
>> Shouldn't the built-in groups on a DC become Domain Built-in groups? I
>> know for a fact this happens in Windows 2003. I have the groups in my
>> AD that are in the Built-in OU and are of Built-in Local security
>> context. I am not even running Terminal Services. The Remote Desktops
>> Users still applies to Domain Controllers for just plain-old RDP.
>> Arguably, the Terminal Server License Server should be on a DC.
>>
>> As far as rebuilding the other servers, it's not that simple. I have
>> two older boxes, running Win2k. One of them is a TS & DC. The other is
>> a SQL & DC box. Both are currently being used for their TS and SQL
>> functions. I need to move those functions over to the new boxes running
>> Win2k8. Only once I do that, can I move the DC functions around. The
>> only reason I even introduced a Win2k8 DC is because I needed it to hold
>> the TS License Server. The Win2k DC cannot issue TS licenses to Win2k8 TS
>> servers.
>>
>> Thanks!
>> Ketchup
>>
>>
>> "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in message
>> news:OsskqyqAJHA.528@TK2MSFTNGP06.phx.gbl...
>>> The built-in groups are local groups and aren't created because it's a
>>> DC. A DC cannot have local groups like a typical member server.
>>>
>>> Out of curiosity have you tried giving users the Log on Locally right
>>> as well as the other right you assigned?
>>>
>>> Now that you have a new DC up and running, why can't you take one of the
>>> other DC's and rebuild it to a TS box?
>>>
>>> --
>>> Jeff Pitsch
>>> Microsoft MVP - Terminal Services
>>>
>>> "Ketchup" <ketchup@ketchup.com> wrote in message
>>> news:ufvDJOmAJHA.4440@TK2MSFTNGP06.phx.gbl...
>>>> Patrick, thanks. I was actually going to run VMware ESX and create
>>>> two TS servers. That would have been ideal. (Not a big fan of Microsoft
>>>> virtualization, not yet.) However, I saw too many people complaining
>>>> about stability and performance of Terminal Services in virtualized
>>>> environments. I can't virtualize the SQL box. It's already an x64 box
>>>> with 8 GB of RAM and 4 CPUs. I need all I can get from that.
>>>>
>>>> I am actually running the same config on a Windows 2000 Server in this
>>>> network. It took a while to create a good security template to take
>>>> care of the security issues, but it works. I have not noticed any
>>>> performance issues with an average of 30-40 concurrent connections.
>>>> This is a relatively small network (about 50-60 users). I can't use
>>>> the SQL server box as a DC for too many reasons, one of which being a
>>>> violation of terms with one of the app vendors.
>>>>
>>>> The two Windows 2000 boxes are actually decent machines. I will use
>>>> them as DCs once I complete the migration and can recore them. Until
>>>> then, I really do have to run this configuration, I believe.
>>>>
>>>> Finally, I don't think that even if I did have a separate DC, it would
>>>> solve the problem of these missing Built-in groups. That's really the
>>>> root of my problems. It seems to be something related to adprep /
>>>> dcpromo from Windows 2000 AD to Windows 2008 AD.
>>>>
>>>>
>>>> "Patrick Rouse" <PatrickRouse@discussions.microsoft.com> wrote in
>>>> message news:C13D661A-1DDA-4337-857B-4EF3C6794461@microsoft.com...
>>>>> I would run AD on a SQL Server or anything else before running it on a
>>>>> Terminal Server. There are both security and performance reasons not
>>>>> to do what you are doing, and this is why MSFT intentionally disables
>>>>> this functionality on SBS.
>>>>>
>>>>> If you're using Server 2008 why don't you utilize Hyper-V to
>>>>> virtualize your servers and consolidate a bit. A DC doesn't need a
>>>>> full piece of server hardware.
>>>>>
>>>>>
>>>>> --
>>>>> Patrick C. Rouse
>>>>> Microsoft MVP - Terminal Server
>>>>> SE, West Coast USA & Canada
>>>>> Quest Software, Provision Networks Division
>>>>> Virtual Client Solutions
>>>>> http://www.provisionnetworks.com
>>>>>
>>>>>
>>>>> "Ketchup" wrote:
>>>>>
>>>>>> Hello everyone,
>>>>>>
>>>>>> I am working with a client to upgrade their Windows 2000 based
>>>>>> network to Windows 2008. I am a bit constricted on the number of
>>>>>> servers that I can have and had to make certain sacrifices forcing
>>>>>> me to run Terminal Services on a Windows 2008 Domain Controller. I
>>>>>> realize that's not recommended practice, but it's better than
>>>>>> running a DC on a heavily used SQL and Apps server.
>>>>>>
>>>>>> I ran adprep with /forestprep and /domainprep /gpprep switches on the
>>>>>> Windows 2000 AD environment successfully. I was able to add a
>>>>>> Windows 2008 DC that will also be the new Terminal Server. The
>>>>>> dcpromo process completed successfully. Dcdiag and manual checks do
>>>>>> not return any errors. I have not yet transferred any FSMO roles to
>>>>>> the new Windows 2008 DC.
>>>>>>
>>>>>> When I went to install the Terminal Server role on the Windows 2008
>>>>>> DC, I ran into a few problems. I noticed that the Built-in "Terminal
>>>>>> Server License Servers" group did not get created and I cannot use
>>>>>> the Windows 2008 TS License Service (same box) to manage user CALs.
>>>>>> I thought that it wasn't a big deal since the client is fully
>>>>>> licensed and Windows 2008 still doesn't enforce user CAL limits for
>>>>>> Terminal Services. I ran into further problems when I attempted to
>>>>>> allow non-administrators to connect through Terminal Services. The
>>>>>> Built-in "Remote Desktop Users" group did not get created in AD
>>>>>> either.
>>>>>>
>>>>>> I tried to bypass the lack of Remote Desktop Users group using a GPO
>>>>>> to add the appropriate members to the Remote Desktops Group through
>>>>>> Restricted Groups to no avail. I also tried editing the TS config to
>>>>>> allow another group user access. Finally, I tried another GPO to
>>>>>> give users the right Allow Logon through Terminal Services. None of
>>>>>> this worked and users cannot connect, receiving an error message
>>>>>> stating "access to create session is denied." This must be a change
>>>>>> in Vista/Windows 2008 since these steps work fine in a Windows 2003
>>>>>> AD environment.
>>>>>>
>>>>>> To solve the lack of Terminal Server License Servers group, I tried
>>>>>> to manually create one. This obviously didn't work since the
>>>>>> Built-in groups have fixed SIDs. I then tried to use ldifde and
>>>>>> csvde to export these two groups from a 2003 AD domain (another
>>>>>> client) and import them into the 2000 domain. Neither ldifde nor
>>>>>> csvde would allow me to import GUID or SID values. This attempt also
>>>>>> failed.
>>>>>>
>>>>>> I have been searching online and cannot find any solutions to these
>>>>>> issues. Please help.
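The thread turns on two built-in groups with fixed SIDs and on two logon rights (Allow log on through Terminal Services and Log on Locally). The following check is an added example, not part of any post in the thread: it tests whether the two well-known SIDs resolve on the DC and lists who currently holds each right. It assumes PowerShell 2.0 or later in an elevated prompt; the function name and temp file name are illustrative.

```powershell
# Added example, not code from the thread.
# Assumptions: PowerShell 2.0+, elevated prompt, run on the Windows 2008 DC.

# Well-known alias SIDs. They are identical in every domain, which is why a
# hand-created group with the same name cannot stand in for the built-in one.
$builtin = @{
    'S-1-5-32-555' = 'Remote Desktop Users'
    'S-1-5-32-561' = 'Terminal Server License Servers'
}

# Illustrative helper: returns DOMAIN\name, or $null when nothing carries the SID.
function Resolve-Sid([string]$SidString) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $null }   # IdentityNotMappedException: the group object is absent
}

foreach ($s in $builtin.Keys) {
    $name = Resolve-Sid $s
    if ($name) { '{0}  resolves to {1}' -f $s, $name }
    else       { '{0}  MISSING (expected {1})' -f $s, $builtin[$s] }
}

# Export the effective user-rights assignment and show who holds the two
# rights discussed in the thread.
$cfg = Join-Path $env:TEMP 'user-rights.inf'    # illustrative file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$rights = @{
    'SeRemoteInteractiveLogonRight' = 'Allow log on through Terminal Services'
    'SeInteractiveLogonRight'       = 'Log on locally'
}

foreach ($right in $rights.Keys) {
    $line = Get-Content $cfg | Where-Object { $_ -match "^$right\s*=" }
    if (-not $line) {
        '{0} ({1}): not assigned to anyone' -f $rights[$right], $right
        continue
    }
    '{0} ({1}):' -f $rights[$right], $right
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # secedit writes SIDs as *S-1-...; an unresolvable SID here means
            # the right is granted to a group that does not exist.
            $sidText  = $entry.TrimStart('*')
            $resolved = Resolve-Sid $sidText
            if ($resolved) { '    {0} ({1})' -f $resolved, $sidText }
            else           { '    {0} (does not resolve)' -f $sidText }
        } else {
            '    {0}' -f $entry
        }
    }
}

Remove-Item $cfg -ErrorAction SilentlyContinue
```

On a DC every account listed under either right can log on to the domain controller itself, so the output doubles as a review list for the combined TS and DC configuration.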
 
Re: Windows 2008 TS in Windows 2000 AD

An in-place upgrade from Windows 2000 to Windows 2008 is not a
supported upgrade path. Documented here:

Guide for Upgrading to Windows Server 2008
http://technet.microsoft.com/en-us/library/cc755199.aspx

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Ketchup" <ketchup@ketchup.com> wrote on 20 aug 2008 in
microsoft.public.windows.terminal_services:

> I need the DC for more than just the license server. I realize
> that having a TS and DC on the same box is a bad idea. I will
> fix that once I complete migration. (I can always move DCs
> around.)
>
> I really don't think that's the problem in my case. I have
> seen a couple of posts online that indicate similar issues with
> lack of Built-in groups when upgrading directly from Windows
> 2000 to Windows 2008. It seems that Microsoft didn't quite
> finish testing in this case. I am quite sure that the groups
> would be there if the upgrade was from Windows 2003 to Windows
> 2008.
>
> Is there a way I can create these groups (Terminal Server
> License Servers and Remote Desktop Users) in Active Directory?
> Should I run forestprep and domain prep once more? Or should I
> use Windows 2003 version of forestprep and adprep first?
 
Re: Windows 2008 TS in Windows 2000 AD

And Vera KNOCKS it out of the ballpark once again!

Sorry Vera, baseball reference there...

--
Jeff Pitsch
Microsoft MVP - Terminal Services

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message
news:Xns9B00CBC675523veranoesthemutforsse@207.46.248.16...
> An in-place upgrade from Windows 2000 to Windows 2008 is not a
> supported upgrade path. Documented here:
>
> Guide for Upgrading to Windows Server 2008
> http://technet.microsoft.com/en-us/library/cc755199.aspx
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
 
Re: Windows 2008 TS in Windows 2000 AD

Not doing an in-place upgrade, but thanks.

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message
news:Xns9B00CBC675523veranoesthemutforsse@207.46.248.16...
> An in-place upgrade from Windows 2000 to Windows 2008 is not a
> supported upgrade path. Documented here:
>
> Guide for Upgrading to Windows Server 2008
> http://technet.microsoft.com/en-us/library/cc755199.aspx
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>>>>>>> "Ketchup" wrote:
>>>>>>>
>>>>>>>> Hello everyone,
>>>>>>>>
>>>>>>>> I am working with a client to upgrade their Windows 2000
>>>>>>>> based network to
>>>>>>>> Windows 2008. I am a bit constricted on the number of
>>>>>>>> servers that I can
>>>>>>>> have and had to make certain sacrifices forcing me to run
>>>>>>>> Terminal Services
>>>>>>>> on a Windows 2008 Domain Controller. I realize that's
>>>>>>>> not recommended
>>>>>>>> practice, but it's better than running a DC on a heavily
>>>>>>>> used SQL and Apps
>>>>>>>> server.
>>>>>>>>
>>>>>>>> I ran adprep with /forestprep and /domainprep /gpprep
>>>>>>>> switches on the Windows 2000 AD environment successfully.
>>>>>>>> I was able to add a Windows 2008
>>>>>>>> DC that will also be the new Terminal Server. The
>>>>>>>> dcpromo process completed successfully. Dcdiag and
>>>>>>>> manual checks do not return any errors.
>>>>>>>> I have not yet transferred any FSMO roles to the new
>>>>>>>> Windows 2008 DC.
>>>>>>>>
>>>>>>>> When I went to install the Terminal Server role on the
>>>>>>>> Windows 2008 DC, I
>>>>>>>> ran into a few problems. I noticed that the Built-in
>>>>>>>> "Terminal Server
>>>>>>>> License Servers" group did not get created and I cannot
>>>>>>>> use the Windows 2008
>>>>>>>> TS License Service (same box) to manage user CALs. I
>>>>>>>> thought that it
>>>>>>>> wasn't a big deal since the client is fully licensed and
>>>>>>>> Windows 2008 still
>>>>>>>> doesn't enforce user CAL limits for Terminal Services.
>>>>>>>> I ran into further
>>>>>>>> problems when I attempted to allow non-administrators to
>>>>>>>> connect through
>>>>>>>> Terminal Services. The Built-in "Remote Desktop Users"
>>>>>>>> group did not get
>>>>>>>> created in AD either.
>>>>>>>>
>>>>>>>> I tried to bypass the lack of Remote Desktop Users group
>>>>>>>> using a GPO to add
>>>>>>>> the appropriate members to the Remote Desktops Group
>>>>>>>> through Restricted
>>>>>>>> Groups to no avail. I also tried editing the TS config to
>>>>>>>> allow another
>>>>>>>> group user access. Finally, I tried another GPO to give
>>>>>>>> users the right
>>>>>>>> Allow Logon through Terminal Services. None of this
>>>>>>>> worked and users
>>>>>>>> cannot connect, receiving an error message stating "access
>>>>>>>> to create session
>>>>>>>> is denied." This must be a change in Vista/Windows 2008
>>>>>>>> since these steps
>>>>>>>> work fine in a Windows 2003 AD environment.
>>>>>>>>
>>>>>>>> To solve the lack of Terminal Server License Servers
>>>>>>>> group, I tried to
>>>>>>>> manually create one. This obviously didn't work since
>>>>>>>> the Built-in groups
>>>>>>>> have fixed SIDs. I then tried to use ldifde and csvde
>>>>>>>> to export these two
>>>>>>>> groups from a 2003 AD domain (another client) and import
>>>>>>>> them into the 2000
>>>>>>>> domain. Neither ldifde nor csvde would allow me to
>>>>>>>> import GUID or SID
>>>>>>>> values. This attempt also failed.
>>>>>>>>
>>>>>>>> I have been searching online and cannot find any solutions
>>>>>>>> to these issues.
>>>>>>>> Please help.
 
Re: Windows 2008 TS in Windows 2000 AD

"Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote on 20 aug 2008 in
microsoft.public.windows.terminal_services:

> And Vera KNOCKS it out of the ballpark once again!
>
> sorry Vera, baseball reference there.....


No problem, Jeff. I happen to be reading a book where the main person
is a professional baseball player, so I got the idea...
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
 