Terminal Services and Domains

Hi Guys

We run a Consortium and are very reliant on Terminal Services for access. With the introduction of SQL Server 2008 and also version 11 those users accessing Terminal Services need some level of trust with our main domain to access Domain Security Certificates, Reporting Services and Analysis Services. I'm looking for some advice on the best ways to implement domain security for our Terminal Services machines and also the Users accessing those machines.

We have just had a debate about what is the best solution and were wondering how other venues deal with this problem.  How do you set up your domains (if you don’t mind)?  We are considering one of three scenarios but might be missing something.

Scenario 1 - We have thought about creating a separate domain that all of our Tessitura Servers run under. The Terminal Services users are also part of that domain so they can access Tessitura services. Though all Tessitura servers are in a separate VLAN and firewalled off to protect them. Our organisational domain is trusted by the Tessitura domain to allow access for our users.

Scenario 2 – We set up all of the Terminal Services users and Servers on our organisational domain but control what services can be accessed by VLANs and Firewalls.  To allow users to authenticate against our Domain in the Terminal Services Zone we create a read-only DC (RODC) server.

Scenario 3 – We have a domain for our Organisation, one for our Tessitura Servers and one for our Terminal Services Machines.  Both the organisation and the Terminal Services domains are trusted by the Tessitura Domain.

Any suggestions would be very helpful

Many Thanks

Nick

  • Hi Nick.  I’ve come from a consortium similar to Scenario 1.  All the Tessitura servers and tools were in one consortium domain and each member of the consortium had their own local domain.  (Each consortium member was required to have a Windows Domain and Active Directory.)   From there we used Domain trusts so the consortium domain had a one-way incoming trust with each consortium member domain.  We also set up a DNS forwarder on each end of the respective domains.

     

    Once that was in place, each consortium member domain had a “Tess Users” group that they added domain accounts to as their own business rules required, and our consortium domain had a “Master Tess Users” security group that comprised the Tess Users groups of all the other domains.  That gave them rights to the required Tess resources, as well as having the benefit of being able to access those resources with their own internal domain login, Terminal Services included.  It worked really well once, as you mentioned, the firewall rules were worked out.

     

    The whole trust business is explained better than I ever could here:  http://technet.microsoft.com/en-us/library/cc778696(WS.10).aspx

     

     

    From: Tessitura Technical Forum [mailto:forums-technical@tessituranetwork.com] On Behalf Of Nick Insell
    Sent: Wednesday, January 18, 2012 10:37 AM
    To: Matt Hilgers
    Subject: [Tessitura Technical Forum] Terminal Services and Domains
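As an added illustration of the layout Matt describes above (this is not code from the thread or from Tessitura), the following PowerShell audits a consortium domain controller for the three pieces that design relies on: each trust to a member domain is one-way inbound with SID filtering left on, the “Master Tess Users” group contains only the member domains' groups, and a conditional forwarder exists for each member domain. The group and domain names are placeholders, and it assumes the ActiveDirectory and DnsServer modules (Windows Server 2012 or later).

```powershell
# Added example, not code from the thread. Audits the Scenario 1 layout from
# the consortium (resource) domain's side. Assumes the ActiveDirectory and
# DnsServer modules (Windows Server 2012 or later) and placeholder names.
Import-Module ActiveDirectory
Import-Module DnsServer

$MasterGroup   = 'Master Tess Users'                       # domain local group, consortium domain
$MemberDomains = @('member1.example', 'member2.example')   # placeholder member domains

# 1. Trusts: each member domain should be one-way inbound (their users reach our
#    resources, not the reverse) with SID filtering on, so SIDHistory values that
#    originate in a member domain are not honoured here. Selective authentication
#    is an optional extra that limits which servers trusted users may log on to.
foreach ($t in Get-ADTrust -Filter *) {
    $status = if ($t.Direction -eq 'Inbound' -and $t.SIDFilteringQuarantined) { 'OK' } else { 'REVIEW' }
    '{0,-28} direction={1,-13} sidfilter={2,-5} selectiveauth={3,-5} {4}' -f `
        $t.Name, $t.Direction, $t.SIDFilteringQuarantined, $t.SelectiveAuthentication, $status
}

# 2. Group: the master group should hold only the member domains' "Tess Users"
#    groups, which appear locally as foreign security principals (FSPs).
$members = (Get-ADGroup -Identity $MasterGroup -Properties member).member
foreach ($dn in $members) {
    if ($dn -notlike '*,CN=ForeignSecurityPrincipals,*') {
        "REVIEW: local principal in '$MasterGroup': $dn"
        continue
    }
    # An FSP's CN is the foreign SID; translate it to DOMAIN\Group via the trust.
    $sid = (($dn -split ',')[0]) -replace '^CN=', ''
    try {
        $acct = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                    [System.Security.Principal.NTAccount]).Value
        "OK: foreign member $acct"
    } catch {
        "REVIEW: FSP $sid no longer resolves (trust broken or group deleted)"
    }
}

# 3. DNS: the trust depends on resolving each member domain, which the
#    conditional forwarder on each side provides.
$forwarders = Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Forwarder' } |
              Select-Object -ExpandProperty ZoneName
foreach ($d in $MemberDomains) {
    if ($forwarders -contains $d) { "OK: conditional forwarder for $d" }
    else { "REVIEW: no conditional forwarder for $d" }
}
```

Run it on a domain controller of the consortium domain; any line marked REVIEW points at a trust, group member or forwarder that departs from the one-way, group-scoped access the reply describes.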
