One Active Directory, Multiple Remote Desktop Services (Server 2012 solution)

Solution 1:

This is very similar to what we do. We have a single TS Gateway that all our clients enter through. This has connection and resource policies that control which user groups can log on to which servers.

Each company has their own self-contained terminal server. Most companies can only log on to the one TS, but for one particularly large client, they have two. We don't do any clustering of them, just half the users connect to TS1 and the other half connect to TS2.

All the servers sit on the same network segment, and we have very strict ACLs to define who can go where on the network (i.e. nobody can really go anywhere). Our GPO for the RDS servers also greatly restricts where they can go on the server itself.

The biggest issue that we have with this setup is the automated deployment of servers for new clients. Most of the process can be automated (we use ESXi and vSphere, which has PowerShell integration, the same as Hyper-V does), but I haven't yet found out how to automate the modification of TS Gateway policies.
We also have one very large client who uses our hosted terminal servers. Because I didn't want to bother with managing all their password resets and new accounts myself, we gave them delegation rights over their own OU on the domain. When they started to outgrow that, for political reasons, we gave them their own domain under our forest. That's all worked pretty well so far as well, except you can't use the "User must change their password on next logon" option, as this is incompatible with TS Gateway. Same deal when their password expires: they can't log on and someone needs to reset their password manually.
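Added example, not part of the answer above: the per-client TS Gateway policy step the answer says it could not automate can be scripted with the RemoteDesktopServices PowerShell provider that ships with Server 2012 (the `RDS:` drive). The client name, domain, group names and server name below are placeholders, the AD groups are assumed to already exist, and the `New-Item` parameter names are as I understand the provider's CAP and RAP nodes; confirm them on your gateway with `Get-Help New-Item -Path RDS:\GatewayServer\CAP` before running this.

```powershell
# Added example (not from the original answer): provision one client's RD Gateway
# connection and resource authorization policies so that only that client's user
# group can authenticate through the gateway, and only to that client's server.
# Assumptions: runs elevated on the RD Gateway host; RDS:\GatewayServer\CAP and
# RDS:\GatewayServer\RAP exist; groups and names below are placeholders.
Import-Module RemoteDesktopServices

$Client       = 'ClientA'                       # placeholder client label
$Domain       = 'CORP'                          # placeholder NetBIOS domain
$UserGroup    = "RDS-$Client-Users@$Domain"     # AD group of the client's users (assumed to exist)
$ServerGroup  = "RDS-$Client-Servers@$Domain"   # AD group containing only the client's TS (assumed to exist)

# 1. Connection authorization policy (CAP): who may authenticate at the gateway.
#    -AuthMethod 1 = password authentication (assumed enum value; verify with Get-Help).
New-Item -Path RDS:\GatewayServer\CAP -Name "CAP-$Client" `
         -UserGroups $UserGroup -AuthMethod 1

# 2. Resource authorization policy (RAP): which computers that group may reach.
#    -ComputerGroupType 1 = Active Directory network resource group (assumed enum value).
New-Item -Path RDS:\GatewayServer\RAP -Name "RAP-$Client" `
         -UserGroups $UserGroup -ComputerGroupType 1 -ComputerGroup $ServerGroup

# 3. Verification: list the resulting policy objects so the pairing can be reviewed
#    (and kept under change control) rather than trusted blindly.
Get-ChildItem -Path "RDS:\GatewayServer\CAP\CAP-$Client" -Recurse
Get-ChildItem -Path "RDS:\GatewayServer\RAP\RAP-$Client" -Recurse
```

Keeping one CAP/RAP pair per client, each bound to a single user group and a single server group, is what enforces the "nobody can really go anywhere" posture the answer describes at the gateway layer; the final `Get-ChildItem` calls give an auditable listing of exactly which group was granted which servers.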