Server 2008 with Terminal Service - Active Directory?

[hoemee]

Setting up a Server 2008 (virtual) machine.....going to deploy terminal services....do I want Active Directory on this server as well - if not - how do I add users to the RDP group?

[Steve R Jones]

going to deploy terminal services

For both users or will you be purchaing CAL's for all the other users?

[hoemee]

Actually, already deployed it with 6 CAL's - user based........

[Nude_Lewd_Man]

Hi,

I haven't had much of a play with W2k8, but if it is anything like 2k3 (which I'm sure it is, after all AD is AD...) then you don't need to install AD on the server - as long as you've got it installed on a server in your network...

By all means, you may find that it works better for your setup to have AD installed, but [personally] I wouldn't like to have users able to log into a DC, even if it is only through TS........ YMMV..

[hoemee]

This is new to me......When I went to add Active Directory after adding Terminal Services, Server 2008 gave a warning, saying they do not recommend adding AD with TS installed......and I don't know because I don't have the experience.......I just didn't know how to authorize the users to connect through terminal services......I think I am at the point is this deployment where I have to create a certificate on the 2008 server......

[Nude_Lewd_Man]

I would remove the AD role from that server (presuming you have a separate DC, which would have AD anyway) and try to install TS again. I have done it before, with a (single server) SBS server, at home, but I did have to do a fair amount of 'fiddling' to get it to work properly... and, yes, I did have to wipe it later as it was FUBARed from users clicking the wrong things and - if it wasn't for the fact that I'd removed the "Shutdown" option from the start menu......... (Sorry if the [Enter] didn't work when this gets posted) I think that one thing you may need to do is to create a group in AD that includes all the users who you want to have TS access, then include that group in the TS's "Remote Desktop Users" group.... Let us know how you get on...

[hoemee]

I haven't installed AD yet......we have one SBS 2003 that is a DC and users have been using that server exclusively - primarily for Peachtree. We are planning to use this one exclusively for Peachtree w/terminal services.....this 2008 is a virtual server with GoDaddy...I just don't know how to allow/enable the users to connect with this server through TS. I know we will use remote desktop - but I don't know where to create the accounts that will enable them access on the server and also how this CAL user licensing works.....sorry for my confusion

[Nude_Lewd_Man]

The simplest way would be to use the AD Users and Groups to create a group called TS_Users and then just set up the RDP permissions to that group, rather than manually configure it on a user-by-user basis... The only other thing I can think of off the top of my head right now would be to think about whether users are only going to access it internally or if they're going to be working from outside of the office too...so you can determine whether you need to configure the firewall to forward the relevant post (default is :3389) to that VM or not...

[hoemee]

There's the rub for me...this is a virtual server, hosted on Godaddy......I think it is Arizona somewhere......so - that is why I thought I would need to deploy AD on this virtual box - to add the users...........

[Nude_Lewd_Man]

OIC... I had the impression that it was a VirtualMachine within your LAN... I've never done anything with a TS that wasn't on the LAN, but I would imagine that it should be fine if you set up some form of VPN connection, which would enable you to utilise AD on your SBS and not have to faff about with setting that up on the VM - especially as otherwise you could wind up with issues like passwords not being the same and/or not being able to communicate with a DC to authenticate users...

[hoemee]

Ya - I'm in uncharted waters here I figured I'd just RDP into the remote server....but not sure how to set up the authentications on the remote server.....plus, I've never worked with a remote virtual server or deployment of terminal services......

[Nude_Lewd_Man]

As I mentioned, I really wouldn't go with putting AD onto the server - especially after getting the warning about having AD and TS together...

I would make it a [normal] member server (of your domain) through a VPN connection, then configure it to use the AD of your SBS box in the office.

If your users are only going to access this VM from within the LAN, then you can just leave the connection to use the VPN link, if they're going to be remoting in from elsewhere then you're going to want to set up some form of DNS name and configure whatever firewall device to allow the connections through on the relevant port - just remember that you can only use one port, so if you change the listening port away from the standard, everyone has to use that port...unlike what someone I used to work with thought; they thought it just changed the TS port, not the one we used to access the server remotely... dumbo blocked our access off

[conner1177]

Hi,

I haven't had much of a play with W2k8, but if it is anything like 2k3 (which I'm sure it is, after all AD is AD...) then you don't need to install AD on the server - as long as you've got it installed on a server in your network...

By all means, you may find that it works better for your setup to have AD installed, but [personally] I wouldn't like to have users able to log into a DC, even if it is only through TS........ YMMV..

Just wanted to confirm if you're recommending/suggesting that Terminal Services not be installed on the same server that has AD? I was told by our software vendor who consulted with his MS Specialist that, there shouldn't be an issue, "unless" the user is going to remote into the AD, then that's a "no no". We're looking to implement Windows Server 2012 but I'm sure this will be the same as if we're using 2008

[Nude_Lewd_Man]

It's still early here, but I'm struggling to see a reason for installing Terminal Services on a server if you *aren't* going to 'remote in' to it...