Re: Domains & Authentication

From: Cary Shultz [A.D. MVP] (cwshultz_at_mvps.org)
Date: 06/27/04


Date: Sun, 27 Jun 2004 12:19:16 -0400

Howdy, JT!

I can not really tell you what the 'best' way to do anything is. I can
suggest to you how things are normally done! Every environment is a bit
different and only you know best - since it is your environment.

Sometimes there are compelling reasons why you would set things up in a
'different' way. I am not sure that you have one of those compelling
reasons, though.

Your concern is dead-on for the most part! It is a major concern if the
sole domain controller goes down. You essentially have no more AD Forest.
This is why it is recommended to have at least two domain controllers. This
may or may not be an option, however. If you have a smaller environment
then having two domain controllers might not be justifiable ( well, a bit
more difficult to convince the 'money person' that it really is necessary ).

If you are not too far into it ( well, even if you are.... ) I might suggest
that you start all over. By that I mean that you remove the 'Terminal
Server' domain by running dcpromo on that machine - and be sure to check the
"This is the last domain controller...." checkbox. I would then simply
format that server and install everything from scratch.

My suggestion would be to follow the steps that I gave you in my initial
response to your post. Install WIN2000 Server and join it to the domain (
your existing domain where all of the user accounts are ). Keep it as a
member server. It is typically not suggested to install Terminal Server in
Application Mode on a Domain Controller. So, you would now have the one
Domain Controller and the one Member Server ( running the TS ).

I would then take a look at the MSKB Article that I included as a guide to
locking down the TS. However, there are some concepts involved that might
be a bit foreign to you ( apologies if that is not the case ). One of them
is the whole Group Policy thing. Then, there is Group Policy in Loopback -
Replace Mode. This is a rather simple concept - but only after it clicks in
your head. I had a hard time with it at first! There is also the folder
redirection concept.

Have you installed any applications on the TS already? Have your users
already started using it? I am guessing that they have not yet....

Also, do you already make use of Folder Redirection ( typically the My
Documents and Desktop folders )? If you do, you will want to make sure
that - if you do follow the MSKB Article on locking down the TS - that you
redirect the TS users to the same location....

JT, if you have any questions or concerns or need more help we can gladly
go off-line and continue this there. The e-mail address that you see in my
responses is my actual e-mail address. It is better that we stay in the
News Group but if things get too specific to your environment then we can go
off-line. I will gladly help you.

I would probably stay away from the trust in this case!

HTH,

Cary

"JT" <anonymous@discussions.microsoft.com> wrote in message
news:2238d01c45c53$d5012700$a001280a@phx.gbl...
> thx for your reply. I was contemplating on whether to
> join an existing domain only because I was concerned if
> something happened to the PDC, then how would everyone
> authenticate?
>
> Is setting up a trust between the two ok, or would it be
> best to just start all over again and do it the right
> way?
> >-----Original Message-----
> >JT,
> >
> >I am not sure what you are trying to do here. Is there
> a reason that the
> >Terminal Server is in a separate domain? Did it ( the
> separate domain )
> >exist prior to you creating the current domain, or did
> you put it in a
> >separate domain? If the TS is in a separate domain, is
> the server on which
> >you are running TS the Domain Controller - or one of
> them - in that separate
> >domain?
> >
> >Here is how you would normally do things:
> >
> >
> >1) You have your Domain Controller....this is where
> all of your user
> >account objects and computer account objects reside
> >2) You install WIN2000 on a member server and then
> install Terminal
> >Server in Application Mode ( remember that there are two
> modes:
> > Remote Administration and Application Mode )
> >3) You might want to consider looking at the
> following MSKB Article for a
> >guide on how to lock down the TS:
> >
> >http://support.microsoft.com/?id=278295
> >
> >
> >Since your TS is in a different domain from your desired
> user base you might
> >want to consider setting up a trust between the two
> domains...
> >
> >HTH,
> >
> >Cary
> >
> >
> >
> >
> >"JT" <pvtpilot@dtnspeed.ent> wrote in message
> >news:21d2b01c45c4d$9c2c4280$a301280a@phx.gbl...
> >> I have a new W2K Server which will be used as a TS. I
> >> have another W2K that is the main server. What's the
> >> best way to have the TS setup when logging onto
> domains?
> >>
> >> The new TS is its separate domain. All the users
> >> already exist on the older domain, so is there a way to
> >> automatically join the older domain upon login for
> >> authentication, rather than being prompted to logon
> >> twice....one to the TS and then again to the older
> domain
> >> W2K server?
> >
> >
> >.
> >
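As an added example (not from the thread or from Cary), here is a PowerShell audit of the three points raised above: whether the candidate Terminal Server host is itself a domain controller, whether the domain has a second domain controller, and whether Group Policy loopback processing is applied in Replace mode. It assumes Windows PowerShell run on the domain-joined TS host; the WMI property and registry value names are standard Windows ones, and the `$findings` variable and wording are my own.

```powershell
# Added example, not from the newsgroup thread. Audits three points from the discussion:
# (1) is this host a domain controller (Terminal Server in Application Mode on a DC is discouraged),
# (2) does the domain have at least two domain controllers (single DC = no authentication if it dies),
# (3) is Group Policy loopback processing set to Replace on this host.
# Assumes: run on the candidate Terminal Server host with a domain-joined account.

$findings = @()

# Win32_ComputerSystem.DomainRole: 0/1 workstation, 2 standalone server,
# 3 member server, 4 backup domain controller, 5 primary domain controller
$role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    $findings += "This host is a domain controller (DomainRole=$role); host Terminal Server on a member server instead."
} elseif ($role -eq 3) {
    $findings += "OK: host is a member server (DomainRole=3)."
} else {
    $findings += "Host is not domain-joined (DomainRole=$role); join it to the domain that holds the user accounts."
}

# Count domain controllers in the current domain via .NET DirectoryServices.
try {
    $domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $dcCount = $domain.DomainControllers.Count
    if ($dcCount -lt 2) {
        $findings += "Domain $($domain.Name) has only $dcCount domain controller(s); add a second DC."
    } else {
        $findings += "OK: domain $($domain.Name) has $dcCount domain controllers."
    }
} catch {
    $findings += "Could not query the domain: $($_.Exception.Message)"
}

# Loopback processing mode, as written by policy to this registry value:
# 1 = Merge, 2 = Replace, value absent = loopback processing not enabled
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$mode = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
switch ($mode) {
    2       { $findings += "OK: Group Policy loopback is in Replace mode." }
    1       { $findings += "Group Policy loopback is in Merge mode; the TS lockdown guidance assumes Replace." }
    default { $findings += "Group Policy loopback is not enabled on this host." }
}

$findings | ForEach-Object { Write-Output $_ }
```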
