Terminal Services and Domains

Hi Guys

We run a Consortium and are very reliant on Terminal Services for access. With the introduction of SQL Server 2008 and also version 11 those users accessing Terminal Services need some level of trust with our main domain to access Domain Security Certificates, Reporting Services and Analysis Services. I'm looking for some advice on the best ways to implement domain security for our Terminal Services machines and also the Users accessing those machines.

We have just had a debate about what is the best solution and were wondering how other venues deal with this problem. How do you set up your domains (if you don’t mind)? We are considering one of three scenarios but might be missing something.

Scenario 1 – We have thought about creating a separate domain that all of our Tessitura servers run under. The Terminal Services users are also part of that domain so they can access Tessitura services. All Tessitura servers are in a separate VLAN and firewalled off to protect them. Our organisational domain is trusted by the Tessitura domain to allow access for our users.

Scenario 2 – We set up all of the Terminal Services users and servers on our organisational domain but control what services can be accessed by VLANs and firewalls. To allow users to authenticate against our domain in the Terminal Services zone we create a read-only domain controller (RODC).

Scenario 3 – We have a domain for our organisation, one for our Tessitura servers and one for our Terminal Services machines. Both the organisation and the Terminal Services domains are trusted by the Tessitura domain.

Any suggestions would be very helpful

Many Thanks

Nick

  • Hi Nick,

    We're going to be looking at this as well. My hope is that we'll be able to find a way to handle this in our existing domain - perhaps using OUs. It would be nice to avoid the overhead of additional domains. But, we still need to discuss the pros/cons of various options, as you are doing. Maybe we can compare notes as we both work on this.

    Thanks!
    David 
