Remote Access role on PDC?


  • Server 2012 Data Center

    I would like to add the Remote Access role to create VPN and DirectAccess, with Remote Desktop Services later. The server is the PDC. Is there a problem adding this role here? I have a second 2012 Std server as an app server.

    Please advise before I try to add roles.

    John Lenz

    Thursday, February 06, 2014 9:19 PM

All replies

  • Your domain controller should be just that, a domain controller and nothing else.

    You certainly wouldn't want to install Remote Desktop or VPN roles on a domain controller, as this is a huge security risk. Also, most VPN / DirectAccess solutions require (or at least work much easier and better with) a dual NIC configuration, which is not recommended for a DC.

    You could look at running these services in a virtual machine - but again, I wouldn't install the Hyper-V role on a DC.


    Denis Cooper


    Thursday, February 06, 2014 9:25 PM
  • Microsoft best practices (generally) are to avoid installing as many services on a domain controller as can be avoided. If you have a member server to use, go for that. Configuring a RAS solution on a domain controller effectively means your remote users are logging on to the DC - clearly not a good security configuration.

    See the following:

    David Shaw [MSFT]

    Thursday, February 06, 2014 9:32 PM
  • Thanks - I am coming from SBS2008, which had everything on one box.

    John Lenz

    Thursday, February 06, 2014 10:06 PM
  • Indeed. SBS is the only exception because, as you say, it is designed to be a one-box solution.


    Thursday, February 06, 2014 10:41 PM
  • Suggestions, Please...

    The migration from SBS2008 R2 to Server 2012 is not yet complete. I believe my architecture needs a change. Here is what I have now:

    Old server box: 2012 Std; Xeon quad, max 16 GB RAM, 500 GB SSD (O/S), 1 TB HD (system backup), 2 TB HD data

    - Symantec Endpoint, WSUS (broken)

    New server box: 2012 Datacenter; 12-core Xeon, 32 GB RAM, 500 GB SSD (O/S), multiple TB+ HDDs

    - AD

    - DHCP

    - File & Print

    I still need to add Exchange & SharePoint & VPN. We ran into a MS problem in that the 2103 version of Exchange & SharePoint will not run under 2012 R2. The new box originally had R2 but I had to retrograde it to std after it failed and got corrupted.

    It seems that I should have the old box as the PDC. It can run 2012 R2.

    The new box will house (virtual) Exchange 2012, SharePoint 2012, File & Print, and VPN.

    I currently run 15 domain clients and multiple attached network devices. Can I migrate AD (& DNS) to the old box from the new? I do not want the 3-day leave domain/join domain effort at the workstations.

    Is there a promote/demote process to move domain controllers?

    Your thoughts are much appreciated.

    John Lenz

    Saturday, February 08, 2014 4:09 PM
  • Hi John,

    In my opinion, you can make the new box a Hyper-V host, then set up several virtual machines to hold separate server roles.

    In addition, if you have Windows Server 2012 R2, you can experience the new feature, Windows Server Essentials Experience.

    Migrate from Previous Versions to Windows Server 2012 R2 Essentials or Windows Server Essentials Experience

    Regarding migration, you add your Windows Server 2012 as a secondary DC, transfer FSMO roles to it and remove your SBS server.

    Hope this helps.

    Jeremy Wu

    TechNet Community Support

    Sunday, February 09, 2014 2:25 PM
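The promote / transfer FSMO / demote sequence Jeremy describes, written out as an added PowerShell example (not from the thread or from Microsoft's documentation). The domain name and hostnames are placeholders; steps 1 and 6 run on the server named in their comments, the rest on any DC with the AD module installed.

```powershell
# Added example: move AD DS/DNS to a rebuilt server without re-joining clients.
# All names below are assumptions; replace them with your own.
$Domain   = 'corp.example.local'   # assumed domain name
$TargetDC = 'OLDBOX-R2'            # assumed: the rebuilt 2012 R2 box that will become the DC
$SourceDC = 'NEWBOX-DC'            # assumed: the 2012 Datacenter box currently holding AD

# --- 1. On $TargetDC: install AD DS and promote it as an ADDITIONAL DC in the existing domain
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName $Domain -InstallDns `
    -Credential (Get-Credential "$Domain\Administrator") `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')
# The server reboots; let replication finish before going further.

# --- 2. Confirm replication is healthy and both DCs are visible
repadmin /replsummary
Get-ADDomainController -Filter * |
    Select-Object HostName, IsGlobalCatalog, OperationMasterRoles

# --- 3. Transfer all five FSMO roles to the new DC (a transfer, not a seize,
#        so the old DC must still be online). Workstations are untouched.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole `
    SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# --- 4. Verify the roles now sit on $TargetDC
netdom query fsmo

# --- 5. Hand clients the new DC as their DNS server via DHCP option 006
$TargetIp = (Resolve-DnsName $TargetDC -Type A).IPAddress
Set-DhcpServerv4OptionValue -OptionId 6 -Value $TargetIp

# --- 6. On $SourceDC: demote it. It stays domain-joined as a member server,
#        which is where the Hyper-V / Exchange / VPN roles belong.
Uninstall-ADDSDomainController -Force `
    -LocalAdministratorPassword (Read-Host -AsSecureString 'Local admin password')

# --- 7. Check the thread's main point: the DC should carry none of these roles
Get-WindowsFeature RemoteAccess, DirectAccess-VPN, RDS-RD-Server, Hyper-V |
    Where-Object Installed
```

Step 7 should return nothing on the remaining DC; anything listed is a role to move off it.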
  • Sorry for any confusion, the SBS2008 R2 software became corrupted and I blew it away (removed HDD) and replaced it with a new 500 GB SSD. That is where I have to rebuild to clear the WSUS corruption. When I rebuild, I will make it a 2012 R2 O/S box.

    Then how can I migrate AD/DNS from 2012 Datacenter (new box) to the old box with 2012 R2?

    John Lenz

    Sunday, February 09, 2014 6:02 PM