Integrating Terminal Server into Your Domain Model

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Terminal Server need not be in an Active Directory domain to function, but without a domain architecture, users must have separate accounts on every computer running Terminal Server. This limits manageability and makes it more difficult to administer groups of users.

Integrating with Existing Windows NT 4.0 Domain Structure

If your organization does not currently use Active Directory, you can use an existing Windows NT 4.0 domain, which allows you to take advantage of the new features available in Windows Server 2003 Terminal Server without affecting the production environment. However, limitations apply, such as the existing Security Accounts Manager (SAM) 40,000-objects-per-domain limitation of the Windows NT 4.0 domain model. Administrators have the option of adding Terminal Server–specific attributes to users’ accounts. This adds a small amount of information, typically 1 kilobyte (KB) or less, to a user’s entry in the domain SAM database.

Integrating with the Windows Server 2003 and Windows 2000 Active Directory Infrastructure

This option takes full advantage of Active Directory, giving you the option of applying Group Policy settings to control the Terminal Server environment. Just as you are likely to manage your portable computers or domain controllers in a manner different from your desktop computers, you also manage your terminal servers and Terminal Server users differently. When you define your Active Directory structure, it is recommended that you place your terminal servers in a separate Terminal Services OU. Reserve this OU for Terminal Services computers. Do not include other users or non-Terminal Services computer objects. In addition, if you are deploying load-balanced server farms for Terminal Services, place each farm in a separate OU within the Terminal Services OU. It is also recommended that you place your Terminal Server users in a separate Terminal Server users OU.
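The OU layout described above, as an added example that is not part of the original article: it uses the ActiveDirectory and GroupPolicy PowerShell modules (available with RSAT from Windows Server 2008 R2 onward, not on Windows Server 2003 itself) to create a Terminal Services OU reserved for terminal servers, one child OU per load-balanced farm, and a separate OU for Terminal Server users, then links a baseline GPO and checks that nothing but computers and OUs has landed in the server OU. The domain DN, farm names and GPO name are assumptions to replace with your own.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory and
# GroupPolicy modules are installed; the domain DN, farm names and GPO name below
# are placeholders for your own values.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN  = 'DC=corp,DC=example,DC=com'   # assumption: your domain's distinguished name
$FarmNames = @('Farm01', 'Farm02')         # assumption: one child OU per load-balanced farm

# Create an OU under $ParentDN if it does not exist yet; return its DN either way.
function New-OUIfMissing {
    param([string]$Name, [string]$ParentDN)
    $dn = "OU=$Name,$ParentDN"
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" `
        -SearchBase $ParentDN -SearchScope OneLevel -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}

# 1. OU reserved for terminal servers only (no users, no other computer objects).
$tsOU = New-OUIfMissing -Name 'Terminal Services' -ParentDN $DomainDN

# 2. One child OU per farm, so farm-specific Group Policy can be scoped to it.
foreach ($farm in $FarmNames) {
    $null = New-OUIfMissing -Name $farm -ParentDN $tsOU
}

# 3. Separate OU for the users who log on to the terminal servers.
$usersOU = New-OUIfMissing -Name 'Terminal Server Users' -ParentDN $DomainDN

# 4. Link a baseline GPO to the Terminal Services OU (policy name is an assumption).
$gpoName = 'Terminal Services - Server Baseline'
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    $null = New-GPO -Name $gpoName
}
$null = New-GPLink -Name $gpoName -Target $tsOU -LinkEnabled Yes -ErrorAction SilentlyContinue

# 5. Verify the "reserve this OU" rule: warn about anything that is not a
#    computer or a child OU under the Terminal Services OU.
$allowed = @('computer', 'organizationalUnit')
Get-ADObject -Filter '*' -SearchBase $tsOU -SearchScope Subtree |
    Where-Object { $allowed -notcontains $_.ObjectClass } |
    ForEach-Object { Write-Warning "Unexpected object in Terminal Services OU: $($_.DistinguishedName)" }

"Terminal servers OU: $tsOU"
"Terminal Server users OU: $usersOU"
```

Run it once from an administrative PowerShell session on a management host; it is idempotent, so rerunning it after adding a farm name only creates the missing child OU. The final check is the part worth scheduling: an object of any other class appearing under the Terminal Services OU means a policy scoped to that OU is now reaching something it was never meant to.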

In an Active Directory environment, avoid configuring Terminal Server as a domain controller for the following reasons:

  • Any user rights policies you apply to such a server apply to all domain controllers in the domain. For example, to use Terminal Services, users must be authorized to log on locally to the server. If the server running Terminal Services is a domain controller, users can log on locally to all domain controllers in the Terminal Services domain, presenting a serious security risk.

  • Domain controller functions place a heavy load on system resources and would therefore degrade the user’s Terminal Server experience.

  • By default, enabling Terminal Services sets the server process-scheduling priority to favor interactive applications. The system does not assign top priority to critical domain-level processes such as user count replication, logon requests, logon script replication, and authentication requests.
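An audit script for the three concerns above, added here as an example and not part of the original article: it reports whether the local machine is a domain controller, whether it is running Terminal Services in application server mode, which principals currently hold the "Allow log on locally" right (on a domain controller that assignment comes from domain controller policy and therefore applies to every domain controller), and the current process-scheduling priority setting. It uses only built-in tooling (WMI, secedit and the registry); the interpretation of the Win32PrioritySeparation values in the comments is commonly documented but should be treated as an assumption for your build.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session on the server being checked. Returns an object rather than just
# printing, so the result can be collected from many servers.
function Test-TerminalServerOnDomainController {
    # DomainRole: 0/1 standalone/member workstation, 2/3 standalone/member server,
    # 4 backup domain controller, 5 primary domain controller.
    $cs   = Get-WmiObject -Class Win32_ComputerSystem
    $isDC = $cs.DomainRole -ge 4

    # Win32_TerminalServiceSetting.TerminalServerMode: 1 = application server
    # mode (multi-user Terminal Server), 0 = remote administration only.
    $tss = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TerminalServiceSetting -ErrorAction SilentlyContinue
    $isAppServer = ($null -ne $tss) -and ($tss.TerminalServerMode -eq 1)

    # Export the effective user-rights assignments and read SeInteractiveLogonRight
    # ("Allow log on locally"). On a domain controller this reflects the domain
    # controller policy, i.e. the same list applies to every DC in the domain.
    $inf = Join-Path $env:TEMP 'userrights-audit.inf'
    $null = secedit /export /cfg $inf /areas USER_RIGHTS
    $line = Get-Content $inf | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue

    $logonLocally = @()
    if ($line) {
        $entries = ($line -split '=', 2)[1].Trim() -split ','
        foreach ($e in $entries) {
            $e = $e.Trim()
            if ($e.StartsWith('*')) {
                # Entries are written as *SID; translate to a readable account name.
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
                    $logonLocally += $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $logonLocally += $e }
            } elseif ($e) { $logonLocally += $e }
        }
    }

    # Win32PrioritySeparation drives foreground vs. background scheduling.
    # Assumption (commonly documented values): 0x26 favours interactive programs,
    # 0x18 favours background services such as the DC's own processes.
    $prio = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\PriorityControl').Win32PrioritySeparation

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        IsDomainController      = $isDC
        TerminalServerAppMode   = $isAppServer
        RiskyCombination        = $isDC -and $isAppServer
        AllowLogOnLocally       = $logonLocally
        Win32PrioritySeparation = ('0x{0:X}' -f $prio)
    }
}

$result = Test-TerminalServerOnDomainController
$result | Format-List
if ($result.RiskyCombination) {
    Write-Warning 'Terminal Server application mode is enabled on a domain controller; the logon-locally list above applies to every DC.'
}
```

The `AllowLogOnLocally` list is the field to read first: on a member server it only describes that one machine, but on a domain controller any broad group in it (for example the users you added so they could start Terminal Server sessions) is a group that can log on interactively to every domain controller in the domain.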