DC and TS together 2

Status
Not open for further replies.
Nov 20, 2001
I have a large multi-site network. Rather than using dedicated DCs I am considering putting only a single server at some sites. For example, a smaller site might have a single server that is a DC, Terminal, and file and print server. Does anyone recommend this or rebuke me for even thinking about it? :cool: I am most concerned about TS users actually having a session running on the DC.
 
I would recommend against combining terminal server with other server functions. It would be fine, in a small environment, to share the DC, file, and print server functions. However, keep the TS separate.
 
Thanks Greg. Can you give specific reasons? I have an executive who is looking to shave $$. To shoot it down I need bullet points showing why this is a bad move.
 
Terminal server is VERY resource-intensive on the server. You don't want to bog down the DC with client-side applications consuming all the processing power on the server. Also, for security reasons, I wouldn't allow users to access the DC for terminal server sessions.
 
I would disagree and say that much of the 'resource-intensive' argument really depends on number of users and hardware resources. I don't see the DC role as being especially intensive, not compared to a single user who has decided to use a web browser within their terminal session. Most of the time we're not talking about hardware that just barely meets the minimum specs.

As far as the security issue goes, there's one major problem I have with running TS on a DC, and it might not be a problem for you. I tend to use TS to set up special, locked-down, single-app sessions for users, and I also like to create local accounts on the TS for the users to log in with. That way the users are really playing in a restricted sandbox. When you put TS on a DC, you are forced to give incoming users domain accounts, and you also have to tweak user-rights for those users to allow them log-on access to all domain controllers. The latter is probably a major part of greg013's security concern.

Allowing a few users to run sessions on a DC isn't something I see as particularly dangerous in and of itself, as long as their environment has been properly crafted using policies to greatly narrow the scope of their abilities. The worst that can happen, AFAICS, is that someone will do something to take that particular DC offline and that can happen for all sorts of reasons not related to TS.

I wouldn't rule out doing what you are doing though, consolidating to a single server at small sites. It really costs a lot to license a whole different server and put together adequate hardware. You might even float the idea of not having a DC in certain very small sites with a historically healthy WAN link. It's all a matter of tradeoff.
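
As an added example (not part of the thread or any poster's code), the user-rights concern raised above can be audited by exporting a DC's policy with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and listing every principal that holds a logon right but is not in an assumed baseline of built-in administrative groups. The sample export, the account SID and the `BranchUsers` name are constructed, and the baseline set is an assumption to adjust to your own policy.

```python
import configparser

# Assumed baseline: well-known SIDs of built-in administrative principals.
# Anything else holding a logon right on the DC is reported for review.
BASELINE_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
    "S-1-5-9": "Enterprise Domain Controllers",
}
# "Allow log on locally" and, on versions that have it, the remote (TS) logon right.
LOGON_RIGHTS = ("SeInteractiveLogonRight", "SeRemoteInteractiveLogonRight")

# Constructed sample of a secedit USER_RIGHTS export. Real exports are usually
# UTF-16 files, so read them with open(path, encoding="utf-16") before parsing.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-1604
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,BranchUsers
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""

def unexpected_logon_principals(inf_text):
    """Return {right: [principals outside the baseline]} for the logon rights."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the case of right names such as SeInteractiveLogonRight
    parser.read_string(inf_text)
    findings = {}
    if not parser.has_section("Privilege Rights"):
        return findings
    for right in LOGON_RIGHTS:
        raw = parser.get("Privilege Rights", right, fallback="")
        # Entries are comma-separated; SIDs carry a leading '*', unresolved names do not.
        principals = [p.strip().lstrip("*") for p in raw.split(",") if p.strip()]
        extra = [p for p in principals if p not in BASELINE_SIDS]
        if extra:
            findings[right] = extra
    return findings

if __name__ == "__main__":
    for right, principals in unexpected_logon_principals(SAMPLE_INF).items():
        print(right, "->", ", ".join(principals))
```
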
 