Setting up Terminal Server on domain...having issues

[Homerboy]

I'm trying to integrate a Terminal Server machine into an exist network running SBS 2003

Everyone logs into the SBS server, login script runs and drives get mapped.
Terminal server is up and running on Win 2k3 server.

I've created user accounts on the TS machine and they can log in just fine.
However (obviously) their login script from the SBS machine does not run and none of the required drives get mapped.

I'm fairly new to such an arrangement, so please educated me on how to get the users mapped properly when they log into the TS machine.

I can provide more info if you need it too obviously.

Thanks in advance

 

[redbeard1]

The terminal server needs to be joined into the domain as a workgroup/member server. Then log it on as the administrator account for the domain. This should bring the domain user list to the local system so it knows the domain exists. When the TS users logon, they use their domain credentials, not the local user list you created. With the domain logon, they now will have the logon script execute.

 

[redbeard1]

Oh, and you need to add the domain users group, that has the users that you want to access the terminal server, to the terminal servers local users and groups "remote desktop users" group.

 

[RebateMonger]

Truthfully, I haven't looked into your problem, but just in case....

One common error folks make with SBS is NOT using the "Add Server" Wizard in SBS's Server Management. It's easy to forget and manually join the additional Server to the SBS Domain. (Edited: ) If you don't use the Wizard, you'll have problems with the added Server. Use the Wizard and make things easy.

 

[Homerboy]

Originally posted by: RebateMonger
Truthfully, I haven't looked into your problem, but just in case....

One common error folks make with SBS is NOT using the "Add Server" Wizard in SBS's Server Management. It's easy to forget and manually join the additional Server to the SBS Domain. If you do that, you'll have problems. Use the Wizard and make things easy.

I think you meant "If you don't do that, you'll have problems...."

I did add the server in SBS... its listed under Licensing -> Manager Servers. I can admin it from there, checks logs etc no problem, so that "connection" is made.

I'll have to try redbeard1's suggestions now.

 

[Homerboy]

Originally posted by: redbeard1
The terminal server needs to be joined into the domain as a workgroup/member server. Then log it on as the administrator account for the domain. This should bring the domain user list to the local system so it knows the domain exists. When the TS users logon, they use their domain credentials, not the local user list you created. With the domain logon, they now will have the logon script execute.

I dunno I'm missing something here...

The terminal server needs to be joined into the domain as a workgroup/member server.
TS is added to the SBS machine under "Server Computers"

Then log it on as the administrator account for the domain. This should bring the domain user list to the local system so it knows the domain exists.
So, go to the TS machine, log it onto the SBS domain as Administrator and that should "sych" the 2 user lists (for lack of a better phrase)

you need to add the domain users group, that has the users that you want to access the terminal server, to the terminal servers local users and groups "remote desktop users" group.
They are all just part if the default "users" group (there's only 7 employees at the place) so I assume thats what you mean.


Just FYI, the reason I'm actually adding this TS is simply for a small, remote office so they can access some databases, programs, files etc and so that when employees are traveling they can access the network.

 

[RebateMonger]

Where is the logon script located? Is this the SBS Logon Script (SBS_Login_Script.bat), located on the SBS Server at C:\WINDOWS\SYSVOL\sysvol\MyDomain.Local\scripts\ ?

 

[Homerboy]

Originally posted by: RebateMonger
Where is the logon script located? Is this the SBS Logon Script (SBS_Login_Script.bat), located on the SBS Server at C:\WINDOWS\SYSVOL\sysvol\MyDomain.Local\scripts\ ?

Yessir

 

[RebateMonger]

Unfortunately, I only have a couple of client using using a Terminal Server along with SBS, and I don't have Terminal Servers in my office right now. I'd have to install a TS in a Virtual PC window to check things out.

Here's a UseNet posting discussing the problem that you are seeing, but I don't know what version of SBS they're talking about.

 

[redbeard1]

One common error folks make with SBS is NOT using the "Add Server" Wizard in SBS's Server Management.

I have no idea what this does, as I do not recommend SBS for my customers, but that is a rant for another time. That said, I can only assume that it joined that server to the domain. To check this go to: system properties> computer name, and then see if it is in the domain. It should read something like "servername.yourdomain.local". This same place would say if it was only in a workgroup.

It's easy to forget and manually join the additional Server to the SBS Domain.

I've done it manually numerous times with no issues. But then I do not need a wizard to configure servers.

So, go to the TS machine, log it onto the SBS domain as Administrator and that should "synch" the 2 user lists

Sort of... yes. It enables the domain user and group objects to be recognized when you go to add the user group to the TS.

They are all just part if the default "users" group

Some SBS servers put the users under a Organizational Unit named something like "My Business", not under the default users. In the end, as long as you find where the users are, it "shouldn't" matter. I have seen some odd permission restrictions when the users were in the default users group. As part of setting up a server now, I always create a new Organizational Unit and place the users there.

Where is the logon script located?

The reason thay are not getting the script to run is because they are using the local user account credentials on the TS that you created. User logon scripts do not run when you logon to a member server. When you add the domain user group to the Remote Desktop Users group on the TS, and you have the TS logged on with a domain account, such as the domain administrator, then the script will run because they are validating with a domain account.

Just FYI, the reason I'm actually adding this TS is simply for a small, remote office so they can access some databases, programs, files etc and so that when employees are traveling they can access the network.

How are they going to access this over the internet!!?? Are they going to be using VPN software to a firewall to encrypt the traffic? Do they have a VPN between the two offices? Hopefully they are using a firewall, and not just a plain router. How is the RDP going to be redirected in? If all internet RDP traffic is forwarded into the server, instead of being narrowed down to be allowed only from the remote office's IP address, then they better have some strong passwords, as anybody could try and logon on. If they are going to access this from the internet, there is a setting to make RDP only use 128 bit encryption instead of 40 bit.

 

[redbeard1]

On another issue... What is the internet speed at the main office? They should have at least 512meg upload speed, and preferably higher to support decent RDP connections. We had a customer try and get by with their 768k down 128k up internet connection, supporting four users from a remote office. The remote users kept dropping connections, until they upped the main office upped their internet speeds.

We've also had to have a customer speed up the remote offices internet connection as that was causing alot of drops as well.

 

[RebateMonger]

Microsoft: Deploying Windows Server 2003 Terminal Server to Host User Desktops in a Windows Small Business Server 2003 Environment

 

[RebateMonger]

Originally posted by: redbeard1
I have no idea what this does, as I do not recommend SBS for my customers, but that is a rant for another time.

I'd certainly be interested in hearing why you don't recommend SBS for most businesses with 50 or fewer employees. I find it incredibly reliable, easy to manage, and full of tools that most small businesses need. And the software is dirt cheap. The biggest problems I see come from SBS Servers that have been set up in non-standard ways. Usually either by unqualified people or by IT Pros who attempt to configure it manually.

To quote Microsoft:
"Leave the default Active Directory structure as is
Windows SBS provides a default installation experience that doesn?t require a lot of work by the administrator. And when you do need to make changes to your server, Windows SBS provides easy wizards for most tasks. This holds true for the default Active Directory structure.

For example: by default, when users are added to the Windows SBS network using the Add User Wizard, user objects are placed in the ServerName.local.MyBusiness.Users.SBSUsers organizational unit (OU) in Active Directory (where ServerName is the name of the server running Windows SBS). Other functions in Windows SBS expect to find the network users in that OU. Moving users out of the OU or renaming the OU might cause these other functions to fail.

The crucial point here is that you should leave the default Active Directory structure as is, or else proceed with extreme caution."

 

[Homerboy]

Ok here's an new twist (but progress has been made)...

If I log into the TS machine via TS ad Administrator and choose the badgertrim domain (main domain for the network) then it logs me in just fine and maps the drives correctly (PROGRESS!!). However if I choose a user's login like "jsmith" on the TS server and the badgertrim domain who is set up both on the SBS and TS server with identical passwords I get an error msg saying that user name and password are incorrect? I quadruple checked, and login/pass is perfectly fine. I even added "Administrator" rights to jsmith just for testing and no luck.

Suggestions? I think we're almost there though...

 

[Homerboy]

bump for the night folks I guess

 

[redbeard1]

Is the desktop/console of the TS logged onto the domain as the domain administrator?

Did you add the group that the domain users are in, to the TS local Remote Desktop Group?

In the end you should not need the to have the individual users and their passwords in the TS local users group as getting the domain users group added to the Remote Desktop Group on the TS will "bring" those usernames and passwords from the SBS domain.

 

[Homerboy]

before he rips me a new one in this thread, the great and powerful JoeMonkey figured it out for me.... all hail JoeMonkey

/me waits for MOTORBOAT!!!

 

[Joemonkey]

Originally posted by: Homerboy
before he rips me a new one in this thread, the great and powerful JoeMonkey figured it out for me.... all hail JoeMonkey

/me waits for MOTORBOAT!!!

ahem... only the J is capitalized in my username

and for those wondering, he was adding local users to the Remote Desktop Users group rather than domain users... but i forgive him, he's a netware guru at heart, not a Active Directory/Windows/etc. expert