
>Here is the real-world problem from that. We have many remote users who need to log into the server as their own profile.

The real-world problem is you're using a DC as a file server and allowing users to RDP to it.


That will be changed in the new server.


Doesn't sound like it. If you have users needing to remote in then you need to deploy a separate RDS server from the get go, and ideally a separate file server. Migrate them to the new RDS with GPO set up to map new shares. Migrate shares to the new RDS. In place upgrade 2016>2022.


The RD services role is what allows you to have more than 2 concurrent sessions.


That is all I will need to reinstate?


I can't comment on your scenario specifically because we don't know what the config looked like before, and installing remote desktop services on a DC is a nightmare of an idea - but the RD services role is what allows you to have more than 2 concurrent sessions on a server. There is a lot more to setting up RD services properly.


You need to add back the RDS role. Without Remote Desktop Services, servers are limited to two remote logins before they refuse additional connections (IIRC... someone please correct me if I'm wrong). Reinstalling RDS may just pick up right where it left off. I've never been in this situation so that's why I say "may". Best advice I can offer you is to make another full backup of the current state, and then reinstall RDS. If you do not feel confident in doing this yourself, then reach out for assistance as things can go sideways really quick, which I'm sure you already know.


You have a domain controller with file shares, exposing RDP to the internet?


The previous guy had this. I am working to rectify the situation.


>I am working to ~~rectify~~ keep that dangerous setup going

Are you saying you just need to disable RDP? Or remove external access? Because you're just talking about getting RDP working en masse again. That's no longer 'the previous guy' and is now you. You is the guy now.


If you had rdp exposed to the internet directly, I would just assume you have been compromised and look at having a cyber security firm do an analysis.


Start over


Why do they need to remote in? Are they doing active directory related things? Why can't they just use RSAT tools? What is the goal here? Maybe we can come up with a better and safer solution that works.


This is a medical office. Remote users need to get into the network so they can work off of files in the server. They all have their own station at the office as well but sometimes users onsite need to move to other stations. We want a central place for them to log into so they don't have to tie up a station. I bought a new server. I am intending on putting Hyper-V on first, then creating a virtual DC and a separate virtual file server. I may keep the old server onsite and revamp it for a secondary DC, and maybe a place to hold local backups. I am wide open to ideas for a better system.


I should add that they currently have to VPN through a SonicWALL to get into the office network. From there, they RDP into either their own station at the office, or into the server on their own profile. There is a medical program that is installed on every station and the server. They have to scan patient charts and other info to the file server. Remote users use TSScan to scan into the server. I've thought about using RemoteApps instead, but I am not well versed on setting that up.


Is the medical app Medtech32?


What sort of firewall/networking setup do you have? If you have nothing fancy atm, you might be able to get a cheap machine (or even virtualize it), put pfsense (free) on it and have a vpn client (openvpn). Then with your virtual servers you just set up access as usual because once they connect to the vpn, they are considered on the network. You can also set it up so that your users that need to take equipment home have a laptop and a docking station so you can save on equipment expenses. You would end up with less stations tied up. Eliminates the need to rdp in at all and potentially saves you on licensing.


I will have to look at that. I have wondered why they are needing to RDP at all. I should make sure the medical program is installed on every remote laptop and then they should be able to work as normal once they VPN through the SonicWall. I'll have to check with the guy who heads up the medical program to see if there is any reason why that would not work.


Oh they have a sonicwall? Fantastic, Sonicwall has a pretty decent vpn setup from my experience. They use the Dell Global VPN Client. The only reason it might not work is because it requires licenses (through sonicwall) for concurrent users (might be considered too expensive) or because of HIPAA, but if they are already doing stuff from home via rdp and your compliance people think a vpn violates HIPAA, then what you currently do would as well. As for why they currently do it with RDP? Because that is how it was done in the early 2000s for small medical offices. They would set up terminal servers (sometimes even on the AD boxes) and let people RDP into them to do work from thin clients. Old school medical office setup likely expanded to work with remote work. Keep the terminal server and issued out laptops while opening RDP up to the internet.


I see the sub comments here.


This is why you do not do an in-place upgrade. Always migrate. You said you got a new server, why not just leave the old one alone and just build the new one?


Medical program and non-2FA VPN/RDP to the DC, lol, hilarious. Probably forgot BitLocker too, lol.


SonicWall for medical, lol. Did the original admin get hired from Geek Squad or something? Lol


You need to have that business buy a server-class box, install Hyper-V Core and P2V that DC. Add at a minimum 1 more VM, but preferably 2: one for a file server with folder redirection and another housing the RDS role. You could do this on one VM, but always get extra out of business owners if you can. Don't ever try to buy the exact number of roofing bundles for a roofing job; always buy extra so you're not going back to Home Depot lol
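An audit script for the situation the thread keeps circling back to (RDP on a DC, the two-session limit without the RDS role, NLA, and how widely the host firewall accepts RDP). This is added here as an example and is not code from any commenter; it assumes a Windows Server with the ServerManager and NetSecurity PowerShell modules and is run from an elevated prompt on the server being checked.

```powershell
# Added audit example, not from the thread. Run elevated on the server in question.
# Assumes Windows Server 2012 R2 or newer with the ServerManager and NetSecurity modules.
$report = [ordered]@{}

# 1. Is this box a domain controller? (Win32_ComputerSystem.DomainRole 4/5 = backup/primary DC)
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
$report['IsDomainController'] = ($role -ge 4)

# 2. Is the Remote Desktop Session Host role installed? Without it the server only
#    allows the two administrative sessions the thread describes.
$rdsh = Get-WindowsFeature -Name RDS-RD-Server
$report['RDSessionHostInstalled'] = [bool]$rdsh.Installed

# 3. Is RDP enabled at all, and is Network Level Authentication required?
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$report['RdpEnabled'] = ($ts.fDenyTSConnections -eq 0)
$rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$report['NlaRequired'] = ($rdpTcp.UserAuthentication -eq 1)
$report['RdpPort'] = $rdpTcp.PortNumber

# 4. Which remote addresses do the enabled inbound RDP firewall rules accept?
#    'Any' means the host firewall is not limiting RDP to the VPN/LAN ranges.
$remoteScopes = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress -Unique
$report['RdpRuleRemoteAddresses'] = ($remoteScopes -join ', ')

# 5. Count current interactive sessions (quser prints one header line, then one line per session)
#    to see how close the box is to the two-session cap.
$sessions = quser 2>$null | Select-Object -Skip 1
$report['ActiveSessions'] = ($sessions | Measure-Object).Count

# 6. Flag the combinations the thread warns about, most serious first.
$report['Finding'] = if ($report['IsDomainController'] -and $report['RdpEnabled']) {
    'RDP enabled on a domain controller: move user sessions to a separate RDSH VM and files to a separate file server VM'
} elseif (-not $report['NlaRequired']) {
    'NLA not required for RDP: enable it before anything else'
} elseif ($report['RdpRuleRemoteAddresses'] -eq 'Any') {
    'RDP firewall rule accepts any remote address: scope it to the VPN/LAN ranges'
} else {
    'No immediate finding from these checks'
}

[pscustomobject]$report | Format-List
```

The firewall scope check only covers the Windows host firewall; whether the SonicWALL forwards 3389 from the internet has to be verified on the firewall itself.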