Installing Terminal Server on a Domain Controller

Applies To: Windows Server 2008

Installing a terminal server on an Active Directory domain controller is not recommended. Allowing users to run programs on a domain controller could create security risks and performance issues.

If the Terminal Server role service is installed on a domain controller, the security settings of the domain controller need to be adjusted to allow users remote access to the server. This remote access is controlled by the "Allow log on through Terminal Services" user rights assignment, which can be configured by using the Group Policy Management Console (GPMC).

On a domain controller, by default, only the Administrators group is granted the "Allow log on through Terminal Services" user right. To allow remote access to the terminal server for users who are not members of the Administrators group, you should grant the Remote Desktop Users group the "Allow log on through Terminal Services" user right.

For more information about using GPMC to configure user rights assignments, see the Windows Server 2008 Group Policy Management Console Help.

Note

Installing the TS Licensing role service on a domain controller is recommended in certain circumstances. If a Terminal Services license server is installed on a domain controller, terminal servers in the same domain as the license server will automatically be able to discover the license server. Because users are not connecting directly to the license server to run programs on the license server, the security risks and performance issues can be mitigated.

For more information about license server discovery and configuring TS Licensing, see the TS Licensing documentation on the Terminal Services page on the Windows Server 2008 TechCenter (https://go.microsoft.com/fwlink/?LinkId=73931).