I do not generally advise making domain controllers terminal servers (or vice versa), both for performance reasons and because it makes me twitchy to have people running potentially buggy applications and printer drivers on a domain controller. However, it's sometimes necessary. Trouble is, ordinary users are not allowed to log onto domain controllers from a terminal session, and when they try they'll see a nastygram reminding them that "The local policy of this system does not permit you to log in interactively."
Way to make the users feel inadequate, guys.
Allowing Joe User to log onto a terminal server that's also a domain controller is a two-step process. First, use the Domain Controller Security Policy tool on the DC in question to change the security policy to permit Users (or Authenticated Users) to log on locally, then refresh the security policy. (Open the Security Settings folder, double-click Local Policies, and then click User Rights Assignment. Double-click the Log on Locally right, click Add, browse for the appropriate group, click Add again, then OK your way out of the dialog box.) One caveat before you do this: the Domain Controller Security Policy tool edits the Default Domain Controllers Policy, which applies to every DC in the domain, so you are granting the right on all of your domain controllers, not just the one that doubles as a terminal server. Refresh the security policy with
secedit /refreshpolicy machine_policy /enforce
Next, go to Terminal Services Configuration and edit the properties of the RDP-Tcp connection. Turn to the Permissions tab and add Authenticated Users to the list of groups allowed to use RDP; give them User Access, not Full Control, since Full Control includes the ability to reset, shadow and disconnect other people's sessions. That should allow Joe User to log on.
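As an added check (this is not from the original post), the script below reports who currently holds the logon right and who is allowed to log on through the RDP-Tcp listener, so you can verify both steps before and after the change. It assumes a Windows Server 2003 or later DC with PowerShell, run from an elevated prompt. Two version differences matter: on Windows 2000 the right that governs terminal sessions is SeInteractiveLogonRight (Log on locally), while Server 2003 and later split out SeRemoteInteractiveLogonRight (Allow log on through Terminal Services), and gpupdate /force replaces secedit /refreshpolicy. The WINSTATION_LOGON bit value (0x20) is taken from winsta.h; the WMI namespace for Win32_TSAccount moved between Server 2003 and Vista/2008, so both are tried.

```powershell
# Added example, not the author's procedure: verify who may log on interactively
# on this DC and who may log on through the RDP-Tcp listener.
# Assumes Windows Server 2003 or later, PowerShell, and an elevated prompt.

function Get-UserRightHolders {
    param([string]$Right = 'SeInteractiveLogonRight')
    # secedit exports the effective policy (on a DC, the result of the Default
    # Domain Controllers Policy) as a UTF-16 INF file. Entries under
    # [Privilege Rights] are SIDs prefixed with '*', or bare names if unresolved.
    $inf = Join-Path $env:TEMP 'userrights-export.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*='
    $line = Get-Content -Path $inf -Encoding Unicode |
        Where-Object { $_ -match $pattern } |
        Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right not defined: nobody holds it
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if ($entry.Length -eq 0) { continue }
        if ($entry.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $entry.Substring(1)   # unresolvable SID (deleted account): keep raw
            }
        } else {
            $entry
        }
    }
}

function Get-RdpLogonAccounts {
    # Win32_TSAccount is the per-listener ACL shown on the Permissions tab.
    # PermissionsAllowed is a WINSTATION_* bitmask; WINSTATION_LOGON (0x20,
    # from winsta.h) is what "allowed to use RDP" means. Server 2003 keeps the
    # class in root\cimv2; Vista/2008 and later in root\cimv2\TerminalServices.
    $WINSTATION_LOGON = 0x20
    foreach ($ns in 'root\cimv2\TerminalServices', 'root\cimv2') {
        $entries = Get-WmiObject -Namespace $ns -Class Win32_TSAccount `
            -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue
        if ($entries) {
            return $entries |
                Where-Object { ($_.PermissionsAllowed -band $WINSTATION_LOGON) -ne 0 } |
                ForEach-Object { $_.AccountName }
        }
    }
    @()
}

# Windows 2000 checks terminal logons against SeInteractiveLogonRight;
# Server 2003 and later check SeRemoteInteractiveLogonRight. Report both.
$local  = @(Get-UserRightHolders -Right 'SeInteractiveLogonRight')
$remote = @(Get-UserRightHolders -Right 'SeRemoteInteractiveLogonRight')
$rdp    = @(Get-RdpLogonAccounts)

"Log on locally (SeInteractiveLogonRight):";               $local  | ForEach-Object { "  $_" }
"Allow log on through Terminal Services (SeRemoteInteractiveLogonRight):"; $remote | ForEach-Object { "  $_" }
"Permitted to log on via RDP-Tcp (WINSTATION_LOGON):";      $rdp    | ForEach-Object { "  $_" }

# Joe User's group (e.g. 'NT AUTHORITY\Authenticated Users') must appear in the
# RDP-Tcp list and in whichever logon right his OS version enforces.
$both = ($local + $remote) | Sort-Object -Unique | Where-Object { $rdp -contains $_ }
"Accounts that pass both checks: $($both -join ', ')"
```

Run it once before the change to see the defaults (on a DC, typically only Administrators and the operator groups), and again after gpupdate /force to confirm that the group you added shows up under the logon right and under the listener, which is the pair of conditions the two-step procedure above is meant to satisfy.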