Why is it bad to deploy Remote Desktop Services on a domain controller?


I believe it's generally considered a bad idea because domain controllers are supposed to be the critical heart of your network that store all the keys to your kingdom. So they should be left alone, not mixed with other applications, and not logged into by non-admin users (or even admins on a regular basis) so there's less chance for that critical data to be compromised.

However, in your specific case, it sounds like the only reason AD would exist is to support the installation of RDS since you can't use it outside of the basic remote administration mode unless you also have a domain. So in my opinion, throwing all the roles on a single server to save hosting costs is just fine. You're essentially just replacing the server's local SAM database with the Active Directory database. An attacker that compromises the server and AD is irrelevant because the only thing that uses AD are the services on the server that was compromised. So you wipe it and re-build or restore from backup, no biggie.

The combination of the two services doesn't create some sort of new vulnerability on the server as far as I know.


Adam Butler

Updated on September 18, 2022
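An added audit check, not part of the answer above: it flags a server that is both a domain controller and an RDS Session Host, and lists who sits in the domain's built-in Remote Desktop Users group (on a DC that group grants interactive RDP rights to the DC itself). It assumes it is run elevated on the server with the ServerManager and ActiveDirectory PowerShell modules available.

```powershell
# Constructed audit script (not from the original answer).
# Assumes: run elevated on the server; ServerManager and ActiveDirectory modules present.

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
$isDC = $cs.DomainRole -in 4, 5

# RDS-RD-Server is the Remote Desktop Session Host role service
$rds = Get-WindowsFeature -Name RDS-RD-Server

if ($isDC -and $rds.Installed) {
    Write-Warning "RDS Session Host is installed on domain controller $($cs.Name)"
} else {
    Write-Output "No RDS Session Host on a DC detected on $($cs.Name)"
}

if ($isDC) {
    # On a DC the built-in Remote Desktop Users group is domain-wide; any
    # non-admin member here can log on interactively to the DC.
    Get-ADGroupMember -Identity 'Remote Desktop Users' |
        Select-Object Name, SamAccountName, objectClass
}
```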