Domain controller roles

[tim55]

This is a bit of a follow on from a previous question, but worth a separate thread.

I have set up a domain server (2003 SBS) and a separate terminal server (2003 standard) but there is a relationship which I am not sure about. I had the chance to look at another similar setup the other day, although the guy who did it is not available to talk to.

On their setup, they have a 2003 SBS, which I assume must be a domain controller since it was installed before their terminal server, and in any case, I don't believe SBS can be anything but a domain controller?

Their terminal server, however, which is 2000, is also a domain controller (Go to Computer Management and against Local Users and Groups it says so).

So both servers appear to be domain controllers and both are running Active Directory, which gives them access to the group policies I want to play with, (predominantly to lock down the terminal server).

I am aware that you can have back-up domain controllers, but can anyone suggest how these servers have been setup, with both of them running Active Directory?

Thanks.

 

[ScottCr]

The TS was a member of the SBS domain, then dcpromo'd to make it a DC.

There is no restriction with SBS on the number of Domain controllers.

However, it's not really a good idea to have your TS as a DC. (though I'm sure someone will disagree with me )

http://scottcross.blogspot.com

Windows and NT Admin.

 

[ncotton]

I'll back up Scott on the point about setting your Terminal Server as a DC or BDC. Just leave it as it is. But in answer to your question, It will be setup as a standard server promoted to a DC.

Neil J Cotton
njc Information Systems
Systems Consultant

 

[58sniper]

The only real rule about DCs with SBS is that the SBS box must hold all the FSMO roles, and has to be the forest root.

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)

 

[tim55]

Thanks for the comments everyone, I think I understand this now and even though you suggest that the TS should not be a DC, it onbviously is.

This does raise a question, though. Since a TS is usually a separate server, the implication is that it is best not being a DC, which means it won't have Active Directory.

However, you need Active Directory to enable the use of Group Polices to lock down users of the TS.

So, assuming I am correct in what I have said, how do you lock down users of a TS?

Thanks.

 

[58sniper]

Well, it can be a member server, and AD would still apply.

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)

 

[JBowser]

The terminal server can be a member of the domain, but not be a domain controller. It will still have access to active directory, just the same way that any workstation in the domain will have access to active directory. I t just will not be the domain controller, but any policy that is configured through active directory and group policy will apply to the terminal server.

Joshua M. Bowser
Systems/Network Engineer

 

[tim55]

...It just will not be the domain controller, but any policy that is configured through active directory and group policy will apply to the terminal server."

Ah, I think I have discovered my fundamental misunderstanding. I assumed that you needed to control group policy actually on the TS, rather than via group policy on the main server. Of course, now I think about it, it makes perfect sense.

Thanks.