What effects does putting a DC in a new OU have on the domain?

Vera (or anybody else who would like to reply),

I am fairly new to TS, GPO and OU. I have a W2k server setup with TS and
also have a few XP Professional systems that will be using RDP to connect to
the W2k server. I have done some reading here in the group and also looked
up referenced articles. My goal is to make changes to the GPO to secure the
TS sessions that are created and thus the end user does not see certain
things on the server.

What I could use some information on is the OU. I see how to create an OU
but the W2k server that TS is installed on is also a DC in the domain. Can I
still create a TS OU, move the TS server into that OU or will that have an
adverse effect on the domain?

The TS server has multiple functions in the network as we only have a couple
of servers to begin with (print server, some file serving, TS etc.) so I
don’t want to make a change that will cause problems with the server’s other
duties.

Thanks for the assistance and any additional information on OUs that can be
offered up, have a great day!

Dean
 
Personally, I would never do this, and until recently I believed
that it would break things like replication. But a couple of months
ago someone else asked the same question, and it turned out that it
is actually possible.

But I don't think that there is much to gain by this.
The whole idea of putting the TS in a separate OU is to be able to
apply a GPO to the TS only, not to the other servers in the domain.
If you have a single server, then there seems to be no point in
moving it.
Combining the DC role with the TS role is *not* recommended, partly
for this reason. You are severely limited in how you can secure
the TS, and you will have all of your users using the DC as their
personal workstation.

I'd rather combine DC + Print or File Server, and make the TS a
dedicated TS. You'll be much happier!
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
___ please respond in newsgroup, NOT by private email ___
 
So for a follow up question then Vera,

I don't see that I will be able to dedicate a server for TS at this point in
time. Just not enough people will be using it and we have limited resources.

I will have three different systems that will be able to use RDP or the TS
Client to access the TS and there will only be one program that is used via
TS. If I am not able to use an OU with a separate GPO to help lock down the
server, what would you suggest be the next course of action to try and secure
the system at least a little (and if possible, take away the ability of the
clients to see the server drives or at least make it more difficult for them
to see the drives)?

Thanks again Vera!
 
You will have to use NTFS permissions on the file system to keep
your users away from the system files.
If they will only run a single application, configure this app as
the starting application. That way, users will never see the
desktop of the server. But note that this in itself is *not* enough
to secure your server. If the application has a function to save
files, users will still see the server's file system in the Save
As... dialog box of the application.
You could also experiment with the "hide drives in my computer"
setting in a GPO, but make sure that any such restrictive GPO does
*not* apply to Administrators. Otherwise there's a considerable
risk of shutting yourself out.

816100 - How To Prevent Domain Group Policies from Applying to
Administrator Accounts and Selected Users in Windows Server 2003
http://support.microsoft.com/?kbid=816100

I'm sorry, but I have no more detailed advice to give, since I've
never done this. Just be very careful before applying any
restrictions, and make sure that you have a recent image of the
server, in case anything goes wrong.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
___ please respond in newsgroup, NOT by private email ___
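For the dedicated TS that Vera recommends, the following added PowerShell example (not from the thread) builds the lockdown described above: a TS OU, a GPO with the "hide drives in My Computer" setting, and security filtering so that administrators are never in the GPO's scope. It uses filtering by group instead of the per-account deny ACE in KB 816100, and assumes the ActiveDirectory and GroupPolicy modules of a current domain (not available on the Windows 2000 server discussed here) plus placeholder names 'Terminal Servers', 'TS Lockdown' and 'TS Users'.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory and
# GroupPolicy modules; OU, GPO and group names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'Terminal Servers'   # OU for a dedicated TS, not for a DC
$gpoName  = 'TS Lockdown'
$tsUsers  = 'TS Users'           # non-admin users who log on to the TS

# 1. OU for the dedicated TS. A DC stays in the Domain Controllers OU.
$ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDn -PassThru

# 2. Security group that the restrictive GPO will be filtered to.
New-ADGroup -Name $tsUsers -GroupScope Global -Path $domainDn | Out-Null

# 3. Create the GPO and link it to the TS OU.
New-GPO -Name $gpoName | Out-Null
New-GPLink -Name $gpoName -Target $ou.DistinguishedName -LinkEnabled Yes | Out-Null

# 4. Loopback processing (replace): the user settings in this GPO apply to
#    whoever logs on to the TS, wherever the user account lives in AD.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 5. "Hide these specified drives in My Computer": bit mask, C: = 4.
#    Explorer cosmetics only; NTFS permissions still do the real work.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoDrives' -Type DWord -Value 4 | Out-Null

# 6. Security filtering: Authenticated Users keeps Read (computers must read
#    the GPO) but loses Apply; only TS Users gets Apply. Administrators are
#    therefore outside the scope, so the lockdown cannot shut you out.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $tsUsers `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 7. Verify who can apply the GPO before any computer is moved into the OU.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Take the server image Vera mentions before running step 6, and test with a non-admin account in the TS Users group before adding anyone else.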
 