Domain controller question...

By IT Dept_MBSSI ·
If i were to promote a server to a domain controller and, in turn, run the active directory setup, would it affect my ability to run terminal services as necessary? I have clients that use terminal services to remotely access NDCLytec on a centralized server in this building.

Please help!!


This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

probably not

by lowlands In reply to Domain controller questio ...

Terminal services will still work on a server even if it is a Domain Controller. However, there might be some interesting problems, and I am not sure how they would work out. By default, only Admins will have access to log on locally to a DC. I assume you now have regular users accessing the server using TS, I am not sure if that'll be messed up after the dcpromo.
Another thing to think about is performance, you'r server will be busier as a DC then it was before.

Collapse -


by IT Dept_MBSSI In reply to probably not

As per my 70-290 text :
"By default, Windows Server 2003 domain controllers are configured to accept terminal services connections only from members of the Administrators group. Even users you have explicitly added to the Remote Desktop Users group are not permitted access. To override this behavior, you must change the effective value of the Allow Log On Through Terminal Services group policy, which lists the Administrators group only, by default. To do this, you can either modify the domain controller's local computer policy or define this same policy in the group policy object (GPO) for an Active Directory object containing the computer, such as Default Domain Controllers Policy GPO."

Therein lies a new issue - if I give our Terminal Services customers Administrative access to a domain controller, wouldn't there be the possibility that someone who knows just enough to be "dangerous" would do something to break it? If I modify the Group Policy, then our REAL Admins won't have the permissions they need either...

Related Discussions

Related Forums