Re: Terminal Server
- From: "tshad" <tscheiderich@xxxxxxxxxxxxxxx>
- Date: Tue, 22 Nov 2005 13:50:44 -0800
"Jeff Pitsch" <jeff@xxxxxxxxxxxxxxxxx> wrote in message
news:upoCZz67FHA.3876@xxxxxxxxxxxxxxxxxxxxxxx
> Find an old workstation and make that the DC. Do NOT put the DC role on
> the terminal server.
Ok. Why not?
We have our other DC running AD, Wins, DNS, and 3 applications and it works
fine. Granted it is not the best setup and that is going to change soon.
But we need to set this up quickly and if the only problem is the load may
slow it down, that's one thing - but if there are other issues, that might
change things. This is a temporary setup that needs to be in place tomorrow
and I don't want to be chasing around for another machine, which we don't
have at the moment if having the DC is just an inconvenience.
BTW, is AD only running on Domain Controllers? Or is it running on member
servers or standalone servers also to allow policies to be set?
Thanks,
Tom
>
> Jeff Pitsch
> http://www.sbcgatekeeper.com
> Your Terminal Services Security Website
>
> "tshad" <tscheiderich@xxxxxxxxxxxxxxx> wrote in message
> news:e$mkkw67FHA.2036@xxxxxxxxxxxxxxxxxxxxxxx
>> "Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
>> message news:Xns9716DE2EA6A19veranoesthemutforsse@xxxxxxxxxxxxxxxx
>>> Tshad, do *not* install Active Directory on the TS!
>>>
>>> I think you and Jeff misunderstood each other:
>>> you write that the machine is "stand-alone", which means a server in
>>> a workgroup. That's why Jeff recommended making it part of a domain.
>>
>> I understood that and I agree with that.
>>>
>>> But it seems that you interpret this to install AD, which means
>>> making it a Domain Controller. That is absolutely *not* recommended!
>>>
>> I agree that it is not recommended - but will it work?
>>
>> We don't have another machine at the moment and won't be getting one for
>> a month or so. It is going to run one application that will be accessed
>> across the web so needs to be in the DMZ. We don't want it to be part of
>> our normal Domain. There will only be a couple of people using it so
>> there shouldn't be much strain.
>>
>> We need to be able to tie it down and AD is the only way to do that
>> reasonably and we already have spent a lot of time trying to get what we
>> want to work, which it doesn't (at least not the way we want it to).
>>
>> What I would like to do (and granted it is not the best way) is to make
>> it the DC so I can use AD. Later, we can put another machine there that
>> is a DC and then demote the TS. I think that will work - but I
>> could be wrong (and wouldn't be the first time).
>>
>> I just don't know if it needs to be a DC before installing TS or can I do
>> it after (which is what it is now)?
>>
>> Thanks,
>>
>> Tom
>>
>>> What you should do (and I believe that this is already your setup) is
>>> to make the Terminal Server a *member* server in an existing domain
>>> (with the AD installed on another server, the DC). Then you can use a
>>> domain wide GPO to lock down your TS, filtered by users and user
>>> groups.
>>>
>>> _________________________________________________________
>>> Vera Noest
>>> MCSE, CCEA, Microsoft MVP - Terminal Server
>>> TS troubleshooting: http://ts.veranoest.net
>>> ___ please respond in newsgroup, NOT by private email ___
>>>
>>> "tshad" <tscheiderich@xxxxxxxxxxxxxxx> wrote on 22 nov 2005 in
>>> microsoft.public.windows.terminal_services:
>>>
>>>> "Jeff Pitsch" <jeff@xxxxxxxxxxxxxxxxx> wrote in message
>>>> news:%23urhPS57FHA.3876@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> You can't block access to explorer because that is the OS
>>>>> shell. If you blocked access to explorer your users wouldn't
>>>>> get a desktop. If this was part of a domain, it would be much
>>>>> easier to control. Local policies are not designed for
>>>>> multiple users. Now saying that if you look around there are
>>>>> policies for hiding and preventing access to the local server
>>>>> drives. Keep in mind that this will affect everyone, admins
>>>>> included. See the advantage of a domain now? Having it part
>>>>> of a domain would allow you to set policies based on
>>>>> users/groups.
>>>>
>>>> You're right and we are in the process of making it an Active
>>>> Directory Domain Controller now.
>>>>
>>>> I actually tried doing as you suggested about the drives and as
>>>> you said it kept everyone from seeing the drives, including
>>>> myself.
>>>>
>>>> Is there any problem installing active directory AFTER Terminal
>>>> Services have been installed?
>>>>
>>>> I know that there are for applications.
>>>>
>>>> Thanks,
>>>>
>>>> Tom
>>>>>
>>>>> Jeff Pitsch
>>>>> http://www.sbcgatekeeper.com
>>>>> Your Terminal Services Security Website
>>>>>
>>>>>
>>>>> "tshad" <tscheiderich@xxxxxxxxxxxxxxx> wrote in message
>>>>> news:uU8B%23c47FHA.636@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>> I am running Terminal Server as a Standalone machine - no
>>>>>>active directory.
>>>>>>
>>>>>> I have been using GPO editor to set policies for TS, but can
>>>>>> find no way to prevent users from getting access to the
>>>>>> Windows Explorer.
>>>>>>
>>>>>> Can this be done?
>>>>>>
>>>>>> It seems very limiting, you can prevent some things from the
>>>>>> toolbar, such as taking out Windows Security item from Start
>>>>>> button or Remove Disconnect. But you can stop them from using
>>>>>> the start button at all.
>>>>>>
>>>>>> One of the problems is we need to give access to one folder to
>>>>>> put reports into and I thought drive redirection would do it,
>>>>>> but I can't seem to get that to work.
>>>>>>
>>>>>> Can it be set to use the Local drive of the person logging on
>>>>>> or to only have access to that drive and not the whole
>>>>>> Terminal Servers drives (or any)?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Tom
>>
>>
>
>
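The setup recommended in the quoted replies (Terminal Server as a member server, locked down by a domain GPO filtered by group so that administrators are not affected) can be sketched as follows. This is an added example, not something posted in the thread; it assumes a current Windows Server domain with the GroupPolicy PowerShell module (RSAT) available, and the GPO name, domain DN and group name are hypothetical placeholders.

```powershell
# Added example: every name below is a hypothetical placeholder.
Import-Module GroupPolicy

$GpoName   = 'TS-Lockdown'            # hypothetical GPO name
$DomainDn  = 'DC=example,DC=test'     # hypothetical domain (the DC is a separate machine)
$UserGroup = 'TS-Restricted-Users'    # hypothetical group holding the users to lock down

# 1. Create the GPO and link it at the domain root ("domain wide GPO").
New-GPO -Name $GpoName -Comment 'Drive lockdown for Terminal Server users' | Out-Null
New-GPLink -Name $GpoName -Target $DomainDn -LinkEnabled Yes | Out-Null

# 2. User-side Explorer policies: hide the drives and block browsing them.
#    Each bit is one drive letter (bit 0 = A: ... bit 25 = Z:), so
#    0x03FFFFFF covers all 26 letters.
$ExplorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AllDrives   = 0x03FFFFFF
Set-GPRegistryValue -Name $GpoName -Key $ExplorerKey `
    -ValueName 'NoDrives' -Type DWord -Value $AllDrives | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $ExplorerKey `
    -ValueName 'NoViewOnDrive' -Type DWord -Value $AllDrives | Out-Null

# 3. Security filtering: by default Authenticated Users can apply the GPO,
#    which would hit administrators too (the problem seen with local policy).
#    Downgrade that entry to read-only and grant Apply only to the
#    restricted group.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $UserGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Check: only $UserGroup should show GpoApply; admins keep their drives.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Because the filter is on the GPO's ACL, accounts outside the restricted group (administrators included) log on to the Terminal Server without the drive restrictions.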