Terminal Services (app mode) on a DC

[Atomic]

Hi,

I need to install Terminal Services in Application Mode on a DC. I am not planning to deliver any apps, I just need to enable more than 2 concurrent management sessions.

Can anyone advise me if this is a supported configuration. I notice that Citrix don't support this configuration...

Thanks


KM

 

[GaryAlanDavis]

I have exactly this config working at about 7 branches with no issues. As long as the server hardware is adequate then you will not have issues

 

[Atomic]

Thanks Gary

I have tried this on my testbed. No errors reported. I have added the users to Remote Desktop Users Group, but the login dialogue still informs me that the users need to be members of the Remote Desktop Users Group. I have checked the local policy and enabled allow logon using Terminal Services to the Remote Desktop Users Group but it doesn't want to play. <sigh>

Regards

Martyn

 

[tfg13]

The local policy is fine, but, you are now talking about domain controllers. You'll need to look at the domain controller policy.

 

[Atomic]

Sorry I didn't make it clear.

I have amended the domain controller policy (local policy does not exist on a DC). I have made two changes. Addition of the policy described above and enabled
(in Computer Policy > Admin Templates > Winoze components > Terminal services > allow users to connect remotely using TS.

Still no access though

Thanks for reading/replying though

KM

 

[tfg13]

Atomic, actually, there is a local policy on a DC, but that is not the discussion.....

Anyway, have you refreshed the policy on the DC? Have you looked at the "remote" tab on system properties and ensured that there is a check mark in "Enable remote desktop"? The 2 areas you have checked are:

Computer Policy > Admin Templates > Windows components > Terminal services > allow users to connect remotely using TS.

and

Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow logon through Terminal Services.

Correct?

 

[Atomic]

Thanks for the reply tfg.

The two policy settings are as described. When I check the remote tab on the server, the 'Enable Remote Desktop' is ticked and locked (grayed). I can't access the 'Select Remote Users' tab.

I have done a GPUPDATE /force on the DC to ensure that any settings have propagated correctly.

Users - including domain admins have been added into the Remote Desktop Users group as well as individuals. I still can't get it to work..

Regards

Martyn

 

[tfg13]

Hmmmm. The only suggestion I would add is make sure that the DC's are not receiving any GPO's of the domain (they shouldn't by default, but stranger things have happened). I'm interested in the 'enable remote desktop' being grayed out. Have you checked the registry?

HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services
Value named fDenyTSConnections

Set at 0 is enabled
set at 1 is disabled

I would think that maybe creating another GPO and linking it to the DC might help, but I don't understand why these settings in the Domain Controller Policy are getting "overwritten".

After the above, I'm out of ideas.....