How to provision an “All in one” Domain Controller and Remote Desktop Services server
Posted by Sean Duffy in Active Directory, Domain Controller, SysAdmin, Windows Server 2008 R2 on 27-09-2010
Sometimes having a server that “does it all” is quite handy to have around. It may be for testing or development purposes, or perhaps it would be used as a small “all in one” company server. Microsoft do have a Small Business Edition version of Windows Server 2008 (SBS 2008) that can be used for this kind of purpose, but in some cases this solution may be a little overkill. That being said, here is a brief overview of how I configure a single Windows Server 2008 R2 Standard server to provide both a Domain Controller and RDS (formerly Terminal Services) role.
Overview
Start by setting up a clean install of Windows Server 2008 R2. I use the Standard edition for this purpose as I don’t expect its resource requirements to be very high. Once you have your clean install finished and are logged in as the local Administrator, launch the Active Directory installation wizard and configure the server as a Domain Controller.
Start -> Run -> dcpromo -> OK
Go through the Active Directory Installation wizard as briefly detailed below:
- Give your internal domain a name of your choice. Example: “yournamechoice.local”
- Choose a Directory Services restore mode password and note it down.
- When you arrive at the “Set Domain Functional Level” page, select “Windows Server 2008 R2” from the dropdown list. Among other things, this makes the “Active Directory Recycle Bin” feature available should you wish to use it. If you plan on joining other servers running older versions of Windows to this domain, then choose the correct level to support these older OSes.
- When you are asked about creating a DNS delegation to an existing DNS server, choose to continue the install by selecting “No action is required”. This will be the first DNS server on the domain as it is, in theory, a “single” server.
- Finish the wizard off and choose to restart the server once complete.
Next up, we will install the RDS (Remote Desktop Services) role. This was known as the Terminal Services role in previous versions of Windows Server.
Server Manager -> Roles -> Add Roles -> Remote Desktop Services
- Select the “Remote Desktop Session Host” feature.
- The wizard will warn that this is a Domain Controller and that this role is not recommended. We know that Microsoft don’t recommend this configuration, so as long as you are happy with this, select to “Install Remote Desktop Session Host anyway” when prompted.
- Select the “Remote Desktop Licensing” feature.
- Choose “Do not require network level authentication” – this option depends on how you want your security set up.
- Depending on your license model, choose the appropriate option. I almost always use “Per user license model”.
- Choose which Client Experience Features to install. i.e. Audio/Video playback, audio recording redirection and desktop composition.
- Leave the RD Licensing Configuration page on the defaults and continue.
- Complete the installation of this role, and then restart when prompted.
Now we need to activate the RDS Licensing server and install some CALs (Client Access Licenses) so that users can log in to this server remotely.
Administrative Tools -> Remote Desktop Services -> Remote Desktop Licensing Manager
- If you don’t see this, you probably don’t have the Licensing role installed. Open Server Manager, expand Roles, right-click Remote Desktop Services, and choose “Add Role Services”. Add the “Remote Desktop Licensing” role service. Go back and open the Remote Desktop Licensing Manager once this role service has been added.
- Right-click the server name, and select “Activate Server”.
- Complete the activation wizard using “Automatic connection” and by entering your details.
- Finish the wizard and leave “Start Install Licenses Wizard now” selected.
- Choose the licensing agreement type that you are using or registered for.
- Product version should be: Windows Server 2008 / Windows Server 2008 R2
- License type should be: Per User CAL (TS or RDS) (That is if you use the per user licensing model)
- Finish the wizard and the RDS User CALs should now be installed and activated.
The next step is to specify your license server.
- Administrative Tools -> Remote Desktop Services -> “Remote Desktop Session Host Configuration”
- Right-click “Remote Desktop License Servers (Not specified)” and select “Properties”
- Ensure that “Per User” is still selected (or the license model you chose), then click the “Add” button and select the server name.
- Click Add, then OK, then OK again to close the window.
- The licensing server should now be specified and be able to issue RDS CALs to connecting clients.
Next we need to allow users to log on locally (this is required for the RDS role on a Domain Controller). We’ll be modifying group policy now, so open up Group Policy Management (GPMC.msc).
- Edit the “Default Domain Policy”
- Go to: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment
- The following two entries will be shown as “Not Defined”: “Allow log on locally” and “Allow log on through Remote Desktop Services”
- Right click and enable these, specifying the following security groups in each:
- Account Operators; Administrators; Backup Operators; Print Operators; Server Operators; Remote Desktop Users.
- Exit the GP Editor, then open a CMD prompt and run “gpupdate /force”. You may also wish to restart the server at this point to ensure the policies are applied correctly.
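An added example, not part of the original post: a read-only PowerShell check, run locally in an elevated prompt on the server, that reports the Network Level Authentication setting, the licensing mode, and which accounts hold the two logon rights edited above, as secedit exports them. The function name Get-RightHolder and the temporary file name are assumptions made for illustration.

```powershell
# Added example: read-only audit of the settings this build changes.
# Run locally in an elevated PowerShell 2.0+ prompt on the server.
$ns = 'root\cimv2\TerminalServices'

# NLA on the default RDP listener: UserAuthenticationRequired is 1 when NLA is required.
$listener = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$nla = if ($listener.UserAuthenticationRequired -eq 1) { 'Required' } else { 'Not required' }

# Licensing mode of the Session Host: 2 = Per Device, 4 = Per User.
$ts = Get-WmiObject -Namespace $ns -Class Win32_TerminalServiceSetting
$mode = switch ($ts.LicensingType) { 2 { 'Per Device' } 4 { 'Per User' } default { "Other ($($ts.LicensingType))" } }

# Export the user rights assignment to an INF file (hypothetical file name) and read it back.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = Get-Content $inf

# Groups the article grants both rights to (compared without the BUILTIN\ prefix).
$expected = 'Account Operators','Administrators','Backup Operators',
            'Print Operators','Server Operators','Remote Desktop Users'

# Hypothetical helper: one object per account holding the given right.
function Get-RightHolder([string]$Right) {
    $line = $rights | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return }                # right not assigned to anyone
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $name = $entry.Trim()
        if ($name.StartsWith('*')) {          # "*S-1-5-..." entries are SIDs
            $sid = New-Object System.Security.Principal.SecurityIdentifier($name.Substring(1))
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $sid.Value }      # unresolvable SID: report it raw
        }
        New-Object PSObject -Property @{
            Right         = $Right
            Holder        = $name
            InArticleList = ($expected -contains ($name -replace '^.*\\', ''))
        }
    }
}

"NLA: $nla   Licensing mode: $mode"
# SeInteractiveLogonRight = Allow log on locally;
# SeRemoteInteractiveLogonRight = Allow log on through Remote Desktop Services.
'SeInteractiveLogonRight','SeRemoteInteractiveLogonRight' |
    ForEach-Object { Get-RightHolder $_ } |
    Sort-Object Right, Holder | Format-Table Right, Holder, InArticleList -AutoSize
Remove-Item $inf
```

Any row with InArticleList set to False is an account that can log on to the Domain Controller without being in the list of groups given in the steps above.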
Conclusion
At this point you should now have a server that provides the roles of a Domain Controller and a Remote Desktop Session Host. Active Directory users should be able to use the Remote Desktop Connection client to connect and you will be able to provision software for them to use by installing it via RD-Install mode (found in the Control Panel). The rest of the customization is up to you now, so go wild! If you have any other suggestions or ideas, please leave your comments below.
Thanks, this is helpful. How do I force the domain computers to also be RDP hosts so that I can access them as an administrator?
Hi Jeff,
When you mention “domain computers” which do you specifically mean? In order to be an “RDP Host” so to speak, they need to be set up as Remote Desktop Session Hosts (RD Session Hosts). That is the part where you add the RD Session Host role above. If you only need an Admin user to connect to your server remotely, you just need to “Enable Remote Desktop” (System Properties -> Remote tab -> Allow connections from computers running any version of Remote Desktop). Does this answer your question, or were you meaning something else?