How to enable Terminal Services on a Win2008 Domain Controller
- Have everything installed and the Administrators group can RDP in, but the Remote Desktop Users security group cannot RDP into the server and it says they do not have permission to.
I remember on a Windows 2003 Server DC you had to change some of the local domain controller group policies but I cannot find them here on Windows 200 Server.
HELP, if anyone has a document on this I would greatly appreciate it!!
Answers
- Hi,
Did you get this working? I have installed TS on DCs (2000/2003/2008) many times over the years where appropriate, and there really is not much required to enable it. There must be something set different than default on your server or my earlier instructions would have worked. I can help you figure out the problem, but it is essential that you post the exact error message. Please see here:
Installing Terminal Server on a Domain Controller
http://technet.microsoft.com/en-us/library/cc742817(WS.10).aspx
Thanks.
-TP
- Marked As Answer by Lionel Chen - MSFT, Moderator, Friday, November 13, 2009 8:31 AM
- Hi TCCK,
I went ahead and mocked this up on a 2008 DC and it was pretty simple to achieve. Here are my exact steps:
1. I installed the TS role service and rebooted.
2. Then I tried RDPing to the DC using a domain user account. I was denied access and I got this message:
https://cid-7a4c3e570b074961.skydrive.live.com/self.aspx/Photos/TS%20on%20a%202008%20DC/message.bmp
3. Following the message, I made sure the Domain Users group was a member of the Remote Desktop Users Group in ADUC (by default in the Builtin folder):
https://cid-7a4c3e570b074961.skydrive.live.com/self.aspx/Photos/TS%20on%20a%202008%20DC/aduc%20rdusers.bmp
4. Then I opened the Local Security Policy on the DC (Admin Tools, Local Security Policy) and added the Remote Desktop Users Group to this setting: Security Settings | Local Policies | User Rights Assignment | Allow Logon Through Terminal Services (this is the setting TP first referred to and also is mentioned in the link TP provided earlier in this thread):
https://cid-7a4c3e570b074961.skydrive.live.com/self.aspx/Photos/TS%20on%20a%202008%20DC/allow%20logon.bmp
Tested again and all is well. This works.
If you still cannot get this up and running, then I agree that you have something unique going on and would like to know your exact error message. Also please share any event log errors on the server that may be relevant.
Hope to hear from you,
Kristin L. Griffin
Co-Author of the Windows Server 2008 Terminal Services Resource Kit (and a SUPER BIG fan of the Microsoft RDV Team!!!)
- Marked As Answer by Lionel Chen - MSFT, Moderator, Friday, November 13, 2009 8:31 AM
- It is fixed.
I did the change in Local Security group policy and it still did not work, so I went digging and I found there were 3 places in the group policy editor where I had to make the exact same change, not just one like in Win2003 server.
It is fixed and working awesome now.
Danny,
I know this is not a recommended setup but when the client refuses to pay for 2 servers because they are cheap and want it all on one, unfortunately this is what you have to do, put it all on one server.
- Marked As Answer by Kristin L. Griffin, MVP, Moderator, Friday, November 13, 2009 6:07 PM
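A way to confirm the user-rights change discussed in this thread, as an added example that is not from any poster: the Python script below parses a security policy export (produced on the server with `secedit /export /cfg rights.inf /areas USER_RIGHTS`) and reports whether BUILTIN\Remote Desktop Users (well-known SID S-1-5-32-555) holds the "Allow log on through Terminal Services" right. The sample exports are constructed and the function names are this example's own.

```python
ALLOW = "SeRemoteInteractiveLogonRight"     # Allow log on through Terminal Services
DENY = "SeDenyRemoteInteractiveLogonRight"  # Deny log on through Terminal Services
RDU = "S-1-5-32-555"                        # BUILTIN\Remote Desktop Users
# Well-known broad principals worth flagging if they hold the right on a DC.
BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
         "S-1-5-32-545": "BUILTIN\\Users"}

# Constructed exports (a real file is UTF-16: open(path, encoding="utf-16")).
SAMPLE_BEFORE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "SeRemoteInteractiveLogonRight = *S-1-5-32-544",
    "SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555")


def parse_user_rights(inf_text):
    """Return {right name: set of SIDs/account names} from [Privilege Rights]."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are exported with a leading '*'; entries are comma-separated.
            rights[name.strip()] = {p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()}
    return rights


def audit_rdp_logon(inf_text, group_sid=RDU):
    """Report whether group_sid may log on through Terminal Services."""
    rights = parse_user_rights(inf_text)
    allowed, denied = rights.get(ALLOW, set()), rights.get(DENY, set())
    return {
        "group_allowed": group_sid in allowed,
        "group_denied": group_sid in denied,
        # A deny assignment takes precedence over an allow assignment.
        "can_log_on": group_sid in allowed and group_sid not in denied,
        "broad_grants": sorted(BROAD[s] for s in allowed if s in BROAD),
    }


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_rdp_logon(text))
```

Run the export after a policy refresh, since a user right defined in a domain Group Policy object takes precedence over the Local Security Policy value.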
All Replies
- TCCK,
Do you get this error? "You do not have access to logon to this Session".
First, I don't recommend this setup.
That being said, I think the setting you need to change is to add the "Log on Locally" right in the dc policy.
I have not tried this on a 2k8 server, but I know it was the setting you needed to change in 2k.
http://support.microsoft.com/default.aspx?scid=kb;en-us;q247989
Hope this helps,
Kristin L. Griffin
Co-Author of the Windows Server 2008 Terminal Services Resource Kit (and a SUPER BIG fan of the Microsoft RDV Team!!!)
- Hi,
Make sure the Remote Desktop Users group is present in the following two places:
1. Local Security User Rights Assignment Allow logon through Terminal Services
- Start--Run--secpol.msc
- In the left pane, navigate to Security Settings\Local Policies\User rights assignment
- In the right pane, double-click on Allow logon through Terminal Services
- Add the Remote Desktop Users to the list
2. RDP-Tcp listener's Security
- Start--Run--tsconfig.msc
- Double-click on RDP-Tcp
- On the Security tab, add Remote Desktop Users
- Make sure that Remote Desktop Users has User and Guest access set to Allow
If your DC will also be a Terminal Server, then you need to add the Terminal Services Role.
Thanks.
-TP
- Proposed As Answer by Jeff Pitsch [MVP], Moderator, Monday, November 09, 2009 8:00 PM
- Proposed As Answer by TP, Friday, November 06, 2009 8:43 PM
- Unproposed As Answer by TCCK, Friday, November 06, 2009 9:43 PM
- Done all of this and still cannot log in with any account in the Remote Desktop Users security group.
Any other suggestions people, I have to have this live Monday AM for my client.
And yes I know TS on a DC is not recommended but all users on this site know the issues and they had it this way on their 2003 server and no issues.
- Please post the precise error message you are receiving.
Thanks.
-TP
- Hi,
It's better to install a separate server for Terminal Services if you want to use this in a production environment. If the server becomes unavailable because of Terminal Server issues then your domain has no primary domain controller if you do not have a secondary domain controller.
Danny
Now you can follow al the hot TS forum threads on twitter! http://www.twitter.com/mstermserv Founder of www.citrix-guru.com and www.rds-support.eu Linkedin: www.linkedin.com/in/dnyvandam

