The Definitive Guide To Windows Server 2003 Terminal Services

Greyson Mitchem

Introduction

By Sean Daily, Series Editor

Welcome to The Definitive Guide to Windows Server 2003 Terminal Services! The book you are about to read represents an entirely new modality of book publishing and a major first in the publishing industry. The founding concept behind Realtimepublishers.com is the idea of providing readers with high-quality books about today's most critical IT topics, at no cost to the reader. Although this may sound like a somewhat impossible feat to achieve, it is made possible through the vision and generosity of corporate sponsors such as triCerat, who agree to bear the book's production expenses and host the book on its Web site for the benefit of its Web site visitors.

It should be pointed out that the free nature of these books does not in any way diminish their quality. Without reservation, I can tell you that this book is the equivalent of any similar printed book you might find at your local bookstore (with the notable exception that it won't cost you $30 to $80). In addition to the free nature of the books, this publishing model provides other significant benefits. For example, the electronic nature of this eBook makes events such as chapter updates and additions, or the release of a new edition of the book, possible to achieve in a far shorter timeframe than is possible with printed books. Because we publish our titles in real time, that is, as chapters are written or revised by the author, you benefit from receiving the information immediately rather than having to wait months or years to receive a complete product.

Finally, I'd like to note that although it is true that the sponsor's Web site is the exclusive online location of the book, this book is by no means a paid advertisement. Realtimepublishers is an independent publishing company and maintains, by written agreement with the sponsor, 100% editorial control over the content of our titles. However, by hosting this information, triCerat has set itself apart from its competitors by providing real value to its customers and transforming its site into a true technical resource library, not just a place to learn about its company and products. It is my opinion that this system of content delivery is not only of immeasurable value to readers, but represents the future of book publishing.

As series editor, it is my raison d'être to locate and work only with the industry's leading authors and editors, and publish books that help IT personnel, IT managers, and users to do their everyday jobs. To that end, I encourage and welcome your feedback on this or any other book in the Realtimepublishers.com series. If you would like to submit a comment, question, or suggestion, please do so by sending an email to [email protected], leaving feedback on our Web site at www.realtimepublishers.com, or calling us at (707) 539-5280.

Thanks for reading, and enjoy!

Sean Daily
Series Editor

Table of Contents

Introduction
Chapter 1: Introduction to Windows Server 2003 Terminal Services
  Server Roles
    File Server
    Print Server
    Application Server
    Mail Server
    Terminal Server
    Remote Access/VPN Server
    Domain Controller
    DNS Server
    DHCP Server
    Streaming Media Server
    WINS Server
  Terminal Services Technology
  New Answers for Old Challenges
    Remote Desktop
    Compatibility Modes
    RDP 5.2 Protocol Enhancements
      Remote Desktop Connection Client
    Group Policy-Based Configuration
    ADSI Access to User Parameters
    Session Directory
  Terminal Services Licensing
    Terminal Server Licensing Components
    License Types
    Installing Terminal Server Licensing
    License Server Discovery
    License Assignment
    License Server Administration
    License Server Group Policy Settings
  Summary
Chapter 2: Installing and Configuring the Terminal Server Role
  Terminal Services Deployment Scenarios
    Desktop Replacement
    Remote Access
    ASP
  Installing the Terminal Server Role
  Configuring the Terminal Server Role
    Terminal Services Configuration Administrative Tool
      Permission Compatibility
      Licensing
      Restrict Each User to One Setting
    Group Policy-Based Configuration
    Additional Configuration Settings
  Installing and Configuring the Remote Desktop Connection Client
    Remote Desktop Connection Client
    Remote Desktop Web Connection
    Remote Desktops Administrative Tool
  Summary
Chapter 3: Load Balancing and Session Directory
  Terminal Server Hardware Configuration
    Hard Disk Configuration
    Memory
    Processor
    The Bottom Line
  Fault Tolerance
  Load Balancing
    Microsoft Network Load Balancing
      Configuring NLB
    Third-Party Load Balancers
  Session Directory
    Configuring Session Directory
    How Session Directory Works
  Summary
Chapter 4: Terminal Services Administration
  Terminal Server Access Requirements
    Allow Log On Through Terminal Services
    Permissions on RDP
      RDP Access Levels
    Allow Logon to Terminal Server
  User Account Configuration
    Home and Profile Directories
      Terminal Services Profile Path
    Terminal Services Home Directories
    Configuring User Properties Through the Active Directory Service Interfaces
    Group Policy Overrides of User Settings
  Managing Terminal Servers in an AD Environment
    Active Directory Users and Computers
    Group Policy Management Console
    Configuring Terminal Servers with GPOs
      UI Settings
      Restricted Groups
      Standard Group Policy Processing Order
      Loopback Group Policy Processing Order
    Enabling Loopback
      Resultant Set of Policy
  Managing User Sessions
    Terminal Services Manager
    Remote Control
    Registry Editing
    Command-Line Utilities
  Summary
Chapter 5: Application Installation and Compatibility
  Application Compatibility Mechanisms
    Terminal Services Logon Scripts
      USRLOGON.CMD
    Additional Administrative Scripts
  Application Installation
    Registry Mapping
    INI File Mapping
    Install and Execute Modes
    Application Compatibility Scripts
    Examples of Terminal Services Application Installations
      Simple Installation
      Custom Installation
      Application Compatibility Script Installation
    Installing Undocumented Applications
      A Real World Example
    Terminal Services Compatibility Flags
  Installing Applications Through Group Policy
    Create a Share
    Create Administrative Installations
    Add the Packages to a GPO
    Filtering Applications
    Reboot the Terminal Servers
  Deploying Applications to End Users
  Summary
Chapter 6: Managing Security and Virus Protection
  Viruses, Worms, and Trojan Horses: Oh My!
  Internet Explorer Enhanced Security Configuration
    Changes Made by Internet Explorer Enhanced Security Configuration
    Managing Approved ActiveX Controls
  Implementing Windows Automatic Updates
  Using SUS
  Deploying Service Packs and Hotfixes
    Using Group Policy to Deploy Service Packs
    Deploying Hotfixes
      Using a ZAP File
      Using a Shutdown Script
  Virus Protection Software Best Practices
  Putting It All Together
    Example One: Anytown Little Theatre
    Example Two: BigBusiness, Inc.
  Summary
Appendix A: Terminal Services Clients
Appendix B: Important URLs
Appendix C: Registry Changes
Appendix D: Script Reference
  USRLOGON.CMD
  TSSHUTDN Wrapper
  Maintenance Reboot Script
Appendix E: Terminal Services Command Line Reference
  Change Logon
  Query Terminal Servers
  Query Session
  Query User
  Query Process
  Logoff
  Message
  Reset Session
  Shadow
  Terminal Services Profile
  Terminal Server Shutdown
  Remote Desktop Client Command Line Parameters

Copyright Statement

© 2003 Realtimepublishers.com, Inc. All rights reserved. This site contains materials that have been created, developed, or commissioned by, and published with the permission of, Realtimepublishers.com, Inc. (the "Materials") and this site and any such Materials are protected by international copyright and trademark laws.

THE MATERIALS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. The Materials are subject to change without notice and do not represent a commitment on the part of Realtimepublishers.com, Inc. or its web site sponsors. In no event shall Realtimepublishers.com, Inc. or its web site sponsors be held liable for technical or editorial errors or omissions contained in the Materials, including without limitation, for any direct, indirect, incidental, special, exemplary or consequential damages whatsoever resulting from the use of any information contained in the Materials.

The Materials (including but not limited to the text, images, audio, and/or video) may not be copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any way, in whole or in part, except that one copy may be downloaded for your personal, noncommercial use on a single computer. In connection with such use, you may not modify or obscure any copyright or other proprietary notice. The Materials may contain trademarks, services marks and logos that are the property of third parties. You are not permitted to use these trademarks, services marks or logos without prior written consent of such third parties. Realtimepublishers.com and the Realtimepublishers logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners.

If you have any questions about these terms, or if you would like information about licensing materials from Realtimepublishers.com, please contact us via e-mail at [email protected].

Chapter 1: Introduction to Windows Server 2003 Terminal Services

With the launch of Windows Server 2003 (WS2K3), Microsoft has continued to improve upon Terminal Services. At the launch event, Microsoft focused on the fact that this version of Windows is the most customer-driven to date. Terminal Services' new features clearly demonstrate this focus; there are certainly several enhancements that I have been hoping for. In this book, I will introduce you to the new features and enhancements in WS2K3 Terminal Services. I will also discuss best practices for configuring and managing Terminal Services with an eye to the new techniques available to systems administrators in WS2K3. As we'll explore, with Remote Desktop Protocol (RDP) 5.2, Active Directory Service Interfaces (ADSI) access to the Terminal Services attributes of user objects, new Group Policy Object (GPO) controls, and Session Directory, we now have the ability to use native Terminal Services as an enterprise-class solution for providing users with Terminal Services-based desktops.

Server Roles

When you install WS2K3, most non-critical subsystems and services are disabled or not installed. The reason for this default configuration is Microsoft's new focus on security. Because the system is secure by default, systems administrators can focus on designing systems that perform only the desired functions and spend less effort on server hardening. To help enable desired functions, Windows now offers Server Roles, as Figure 1.1 shows.

Figure 1.1: The Manage Your Server wizard.


A role is a server function (for example, mail server, domain controller). A single server can perform more than one role if desired, enabling you to "do more with less", the slogan for WS2K3. When an administrator logs on to a server, the Manage Your Server wizard offers to assist in adding new roles and managing currently installed roles. When adding a new role, the Manage Your Server wizard enables services and performs any security changes required by the role. You can still add and remove services the old-fashioned way through the Add/Remove Windows Components and Services Control Panel applets, but I find that the Manage Your Server wizard is very useful. (The usable wizard in WS2K3 is quite a change from the one in Windows 2000 (Win2K); most of us disabled the Win2K Configure Your Server wizard at first boot.) After you add a role, the Manage Your Server wizard provides easy-access links to common tools and settings used for each role. Figure 1.2 shows the default roles available in WS2K3 Standard Edition.

Figure 1.2: Default roles available in WS2K3 Standard Edition.


File Server

Adding the file server role optimizes the server for network shares and file storage. After adding the file server role, you will be able to set disk space quotas for users, use the Indexing Service to search for files, and even search for documents in different formats and languages by using the Start menu's Search tool or a new Web-based search interface. WS2K3 offers many new features to improve file serving:

- Shadow copy: Maintains byte-level backups of previous versions of documents to allow end users to undo changes made to documents stored on the server.
- Enhanced Distributed File System (DFS): Lets you create a single logical namespace for multiple shares spanning servers across the enterprise. This functionality keeps your end users from having to memorize the server names for shares they frequently use. WS2K3's DFS also provides a robust file replication service with topology choices not available in Win2K. In addition, WS2K3 servers can host more than one DFS root.
- Volume Shadow Copy Service: Creates a point-in-time copy of the original data share. Backup programs can use this copy to make a share appear static while the actual documents are changing. In addition, you can move shadow copies to other servers for backup, testing, and data mining.

Print Server

Print servers are used to provide and manage access to printers. The print server role lets you manage printers through a Web browser, send print jobs to a printer's URL using the Internet Printing Protocol (IPP), and connect to printers using Point and Print. Microsoft has made several enhancements to printing services in WS2K3:

- Print cluster support: Automatically replicates printer drivers to all servers in the cluster.
- Active Directory (AD) enhancements: Let administrators publish printers in AD so that users can search for printers based on location, color, and speed.
- Security enhancements: Include new Group Policies that let administrators prevent managed clients from connecting to untrusted print queues and prevent connections to the print spooler if the server is not providing print services.

Application Server

When you configure a server to be an application server, you are installing Internet Information Services (IIS) 6.0 as well as several optional technologies and services such as COM+ and ASP.NET. Microsoft has optimized IIS 6.0 for Web server reliability, server management and consolidation, faster application development, and increased security. WS2K3's application server role provides support for new Web services and the .NET platform, including enterprise Universal Description, Discovery, and Integration (UDDI) services as well as Simple Object Access Protocol (SOAP) and Web Services Description Language (WSDL). Application servers are often configured to include:

- Resource pooling
- Distributed transaction management
- Integrated security
- Failover and application health detection services

Mail Server

WS2K3 now offers a Post Office Protocol 3 (POP3) and Simple Mail Transfer Protocol (SMTP) server option. This option lets you manage basic email accounts for your users and enables users to send and retrieve mail from the server. Mail servers provide email transfer and retrieval services. User email can be stored on the server until retrieved by a POP3 client. To utilize the mail server role, you must have:

- An active Internet connection
- A registered email domain name
- A registered mail exchanger (MX) record for your email domain with your Internet Service Provider (ISP)

Terminal Server

By installing the terminal server role, you enable users to connect to the server to run applications as if the applications were installed on the users' workstations. I will discuss the installation, configuration, and new features of the terminal server role throughout the book. Unlike Win2K, which immediately grants access to all users when Terminal Services is installed, WS2K3 restricts access by default to administrators only. You must add users or groups to the Remote Desktop Users group to enable access.

Remote Access/VPN Server

Remote access and virtual private network (VPN) servers provide an entry point into your network for remote users. By using the remote access/VPN server role, you can implement routing protocols for both LAN and WAN environments. This role supports both dial-up connections and VPN connections over the Internet.

Domain Controller

Domain controllers maintain the AD database. Domain controllers provide authentication services for users and computers and control access to network resources. The domain controller role replaces the DCPROMO tool that Win2K provides. This role lets you add a domain controller to an existing domain, create a new domain in an existing forest, and create a new forest.
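Because the Terminal Server role described above grants access only through membership of the Remote Desktop Users group, the first check on any terminal server is who is actually in that group. The following script is an added example, not code from the book: it parses the text printed by `net localgroup "Remote Desktop Users"` and flags catch-all principals (Everyone, Domain Users and the like) that would quietly undo the administrators-only default. The sample output, the `BROAD_PRINCIPALS` list and the assumption of one member per output line are constructed for this example.

```python
"""Audit the membership of the local 'Remote Desktop Users' group.

Added example, not part of the book.  It parses the text that
    net localgroup "Remote Desktop Users"
prints on a Windows server and flags members that widen Terminal
Services access far beyond the WS2K3 default (administrators only).
"""
import subprocess

# Well-known catch-all principals.  If one of these is a member, every
# account it covers can log on through Terminal Services.  The list is an
# assumption of this example, not an official Microsoft list.
BROAD_PRINCIPALS = {
    "everyone",
    "authenticated users",
    "users",
    "domain users",
    "interactive",
    "guests",
}

# Constructed sample of what the command prints (it is not real output).
SAMPLE_OUTPUT = """\
Alias name     Remote Desktop Users
Comment        Members in this group are granted the right to logon remotely

Members

-------------------------------------------------------------------------------
CORP\\Domain Users
CORP\\TS-HelpDesk
jsmith
The command completed successfully.
"""


def parse_net_localgroup(text):
    """Return the member names listed after the dashed separator line.

    Assumption: one member per line.  With very many members the command
    prints several names per line in fixed-width columns, which this
    simple parser does not split.
    """
    members = []
    in_members = False
    for line in text.splitlines():
        line = line.strip()
        if not in_members:
            # The member block begins after a line made only of dashes.
            if line and set(line) == {"-"}:
                in_members = True
            continue
        if not line or line.startswith("The command completed"):
            continue
        members.append(line)
    return members


def classify_member(member):
    """Return 'broad' for a catch-all principal, otherwise 'explicit'."""
    # Drop a DOMAIN\ or MACHINE\ prefix before comparing the name.
    name = member.split("\\")[-1].strip().lower()
    return "broad" if name in BROAD_PRINCIPALS else "explicit"


def audit(text):
    """Classify every member and return (report, list_of_broad_members)."""
    members = parse_net_localgroup(text)
    report = {m: classify_member(m) for m in members}
    broad = [m for m, kind in report.items() if kind == "broad"]
    return report, broad


def audit_live_server():
    """Run the real command (Windows only) and audit its output."""
    completed = subprocess.run(
        ["net", "localgroup", "Remote Desktop Users"],
        capture_output=True, text=True, check=True,
    )
    return audit(completed.stdout)


if __name__ == "__main__":
    report, broad = audit(SAMPLE_OUTPUT)
    for member, kind in report.items():
        print(f"{kind:8} {member}")
    if broad:
        print("WARNING: catch-all principals grant RDP logon:", ", ".join(broad))
    else:
        print("OK: only explicitly named members can log on through RDP")
```

Run it as-is to see the constructed sample flag CORP\Domain Users; on a real WS2K3 server call `audit_live_server()` instead.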


DNS Server

The Domain Name System (DNS) is the TCP/IP name resolution service that is used on the Internet. DNS lets computers resolve Fully Qualified Domain Names (FQDNs) to IP addresses. The implementation of DNS that WS2K3 includes is a Dynamic DNS (DDNS) service, which means that computers can self-register into the DNS database. The WS2K3 implementation of DNS also offers integration with the Windows Internet Naming Service (WINS) server role to allow non-NetBIOS clients to resolve NetBIOS names via DNS.

DHCP Server

A Dynamic Host Configuration Protocol (DHCP) server will enable your TCP/IP-based clients to be automatically assigned an IP address when needed. The DHCP server can also provide additional network configuration information (DNS server IP addresses, WINS server addresses, and so on) to the clients. Having a server with the DHCP role installed greatly reduces the time required to set up and configure clients on your network.

Streaming Media Server

Streaming media servers provide Windows Media Services to network clients. Windows Media Services manages and delivers Windows Media content (streaming audio and video) over an intranet or the Internet.

WINS Server

WINS lets NetBIOS clients resolve computer names to IP addresses. Unlike DNS, which requires that the request include the FQDN of the target system, WINS is designed to function within an intranet environment, so simple NetBIOS names can be resolved. The WINS database is dynamic, letting clients self-register their names upon receiving an IP address from the DHCP server.

Although it is possible to run a Windows network without using NetBIOS or WINS, many utilities still depend on the WINS database. Many record types are available in WINS that are not present in DNS. These types let servers offering specific services (including Terminal Services) be easily identified through browsing. One such utility is the Terminal Server Administration tool. Without a WINS server on the network, you will need to manually specify terminal servers to manage.


Terminal Services Technology

So what is a terminal server? Windows was designed to be a single-user operating system (OS), meaning only one user could be interactively logged onto a system at a time. Terminal Services breaks that model by implementing a Session Manager layer between the system and user layers. The Session Manager responds to new session requests by creating a separate instance of the Win32 subsystem, WIN32K.SYS, for each session. The Session Manager then executes the client/server runtime subsystem, CSRSS.EXE, and the Windows logon service, WINLOGON.EXE, within the session. Figure 1.3 shows the processes that make up Terminal Services divided up between user mode and kernel mode and indicates whether they are per server or per session.

Figure 1.3: Services that create a multi-user environment.

This process allows multiple user sessions to run simultaneously on a Windows system. Session Manager acts like a maître d' in a restaurant, directing new patrons (clients) to their tables (sessions), then directing the serving staff (applications, services, and resources) to the new table. Session Manager assigns each session a unique ID and address space so that resource and network requests can be directed to the correct user.

Another very important component of Terminal Services is RDP. This presentation layer protocol is what allows users to interact with sessions running on a remote server. Without RDP, each user would need to have a console directly connected to the server. RDP functions as a virtual display, keyboard, and mouse on the server. Instead of sending video output to the VGA port, terminal servers redirect it to the video channel in the RDP stack. Doing so transmits the display information across the network and draws it on the client's workstation display. RDP also takes keystrokes and mouse movements at the remote client and transmits them back to the terminal server, where they are processed as if they came from a local keyboard and mouse.


By using Terminal Services, you can install applications on a few servers in a datacenter rather than on hundreds of workstations. You can also take advantage of inexpensive and highly robust solid-state thin clients instead of managing the lifecycle of workstation hardware. If you have an environment that requires personal computers for your end users, you can still leverage terminal servers to centralize network traffic for specific high-bandwidth client/server applications. Many companies also use terminal servers for remote access. Doing so enables the organizations to lock down the majority of the network and allow remote connections to only a few servers. These servers can be easily maintained with the latest security patches, hotfixes, and virus protection.

New Answers for Old Challenges

If you manage terminal servers in your environment today, you already know many of the challenges that they pose: configuring user accounts, managing roaming profiles, load-balancing servers, configuring protocol settings, and managing printing. With WS2K3, many of these tasks become much easier to deal with.

Remote Desktop

The first change you will notice in WS2K3 Terminal Services is the elimination of Remote Administration Mode. Under Win2K, this mode of Terminal Services is used to enable two remote sessions in addition to the console session for systems administration. This terminology causes a great deal of confusion for systems administrators because enabling Terminal Services does not necessarily make a server a terminal server. Also, Remote Administration Mode causes a server to register as a terminal server in WINS and thereby shows up in the Terminal Server Administration tool. This behavior makes finding your Win2K application terminal servers more difficult.

Don't be alarmed, you will still be able to remotely administer your WS2K3 servers. However, instead of installing Terminal Services, you simply enable Remote Desktop. If you have been using Windows XP, you are already familiar with Remote Desktop. Under WS2K3, Remote Desktop allows the creation of two RDP-based virtual sessions as well as a remote connection to the server's console session, something that administrators have been asking for since the release of Win2K. Also, unlike Remote Administration Mode in Win2K, WS2K3 Remote Desktop does not cause the server to be listed in the Terminal Server Administration tool.

To force a server with Remote Desktop enabled to show up in the Terminal Server Administration tool, in the registry, change the TSAdvertise value from 0 to 1 in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server subkey.

To enable Remote Desktop, go to the System Control Panel applet, select the Remote Tab, and select the Allow users to remotely connect to your computer check box, as Figure 1.4 shows. By default, only members of the local administrators group will be allowed to connect remotely, but you can add users to the Remote Desktop Users group. Keep in mind, however, that enabling Remote Desktop does not enable any application compatibility subsystems, so applications may not function correctly for users other than the installer.
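Because WS2K3 starts from an administrators-only posture, every entry in Remote Desktop Users is an explicit grant worth reviewing. The PowerShell script below is an added example, not code from the book: it reads the TSAdvertise value named earlier along with the registry value behind the "Allow users to remotely connect" check box (fDenyTSConnections, a value name taken from the standard Terminal Server registry layout rather than from the book), then lists the group's members and flags broad groups. It assumes it runs locally on the server with administrative rights.

```powershell
# Added audit script (not from the book). Run on the server itself as an administrator.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts    = Get-ItemProperty -Path $tsKey

# fDenyTSConnections is the value behind the "Allow users to remotely connect to your
# computer" check box: 1 = Remote Desktop disabled, 0 = enabled. (Value name assumed
# from the standard registry layout; the book itself names only TSAdvertise.)
$rdEnabled = ($ts.fDenyTSConnections -ne 1)
Write-Host ('Remote Desktop enabled : {0}' -f $rdEnabled)

# TSAdvertise = 1 makes a Remote Desktop-only server appear in the Terminal Server
# Administration tool; 0 (the default) keeps it out of the list.
Write-Host ('TSAdvertise            : {0}' -f $ts.TSAdvertise)

# WS2K3 grants remote access to administrators only; anyone else must be an explicit
# member of Remote Desktop Users, so list the group and review each entry.
function Get-LocalGroupMembers([string]$groupName) {
    $group = [ADSI]"WinNT://./$groupName,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        # Each member is a raw COM object; pull its ADsPath (WinNT://DOMAIN/Name).
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

Write-Host 'Remote Desktop Users members:'
$members = @(Get-LocalGroupMembers 'Remote Desktop Users')
if ($members.Count -eq 0) {
    Write-Host '  (none - only administrators can connect)'
} else {
    $members | ForEach-Object { Write-Host "  $_" }
}

# Flag broad grants that defeat the default least-privilege posture.
$broad = @($members | Where-Object { $_ -match '/(Everyone|Domain Users|Authenticated Users)$' })
if ($broad.Count -gt 0) {
    Write-Host 'WARNING: broad groups hold Remote Desktop access:'
    $broad | ForEach-Object { Write-Host "  $_" }
}
```

Run it before and after any Remote Desktop Users change; the output is a compact record of which principals can reach the server and whether it advertises itself to the administration tool.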


Figure 1.4: Enabling Remote Desktop.

Microsoft has added the ability to connect to and shadow the console session to WS2K3 Terminal Services. To connect to the console session, you can either use the Remote Desktop administration tool or launch the Remote Desktop Connection client with the /console switch. To shadow the console session, use the Terminal Server Administration tool just as you would to shadow any other RDP session.

To quickly shadow the console session of a server you are already connected to via RDP, open a command prompt and type

SHADOW 0 (that is a zero).

Compatibility Modes

Like Win2K, WS2K3 offers two compatibility modes for Terminal Services: Full Security and Relaxed Security. Compatibility modes let you run legacy applications that cannot function under WS2K3's more restrictive file and registry permissions. I'll cover the differences between the modes in Chapter 5.


RDP 5.2 Protocol Enhancements

Some of the biggest changes in WS2K3 Terminal Services from previous versions come in the enhancements made to RDP. The protocol now supports several new resource redirection abilities. You might be familiar with some of them if you have been using Windows XP's Remote Desktop ability. These enhancements bring RDP up to par with Citrix's ICA protocol in many ways. You are now able to redirect client drives, audio output, clipboard, ports, time zone, and Windows keys (for example, ALT+TAB). RDP 5.2 even supports smart card authentication. All of these features can be enabled or disabled at the server by the administrator. RDP 5.2 adds support for greater color depth (up to 24-bit full color) and screen resolutions up to 1600 x 1200. Table 1.1 shows a comparison between RDP 5.2 and ICA.

Feature | RDP 5.2 | ICA
--- | --- | ---
Client drive mapping | Automatically connects to all client local and network drives | Automatically connects to client local drives
Client clipboard mapping | Automatic | Automatic
Shadowing | Supported | Supported
Mapping of local client printers | Automatic | Automatic
Mapping of client network printers | Automatic | Automatic
Smart card sign on | Supported | Supported
Reconnection of dropped sessions | Automatic | Automatic
Sound | Supported | Supported
Encryption | Up to 128 bit | Up to 128 bit
Compression | Automatic | Automatic
Client time zone mapping | Supported | Supported
Windows keys | Automatic | Requires alternative key combinations
Client serial and parallel port mapping | Automatic | Automatic
Supported client OSs | Win32, Win16, Windows CE, CE.NET, PocketPC, Macintosh | Win32, Win16, Windows CE, PocketPC, MS-DOS, UNIX, Macintosh, Linux, Java
Transport protocol | TCP/IP | TCP/IP, IPX/SPX, NetBEUI
Seamless Windows | Not available natively | Automatic

Table 1.1: Comparison of RDP 5.2 and ICA.


Remote Desktop Connection Client

Remote Desktop Connection is the new client for RDP 5.2. Remote Desktop Connection supports all of the new features of RDP 5.2. It eliminates the Connection Manager interface and no longer stores connection definitions in the registry. Instead, Remote Desktop Connection supports RDP files, text files containing connection parameters to connect to a terminal server or Windows XP Remote Desktop. With RDP files, it is easy to distribute or centrally store common connections for your users. Through the Remote Desktop Connection interface, which Figure 1.5 shows, you can control connection options such as resource redirection, initial program, and window size. There is also a new option called Experience through which you can enable or disable features of the new Aqua interface in Windows XP and WS2K3 (wallpaper, themes, and menu animation) to improve performance over low-bandwidth connections.

Figure 1.5: The Remote Desktop Connection client.


Group Policy-Based Configuration

Under WS2K3, you can now centrally configure and manage virtually all Terminal Services parameters via Group Policy. Figure 1.6 shows some of the settings available.

Figure 1.6: Group Policy settings for WS2K3 Terminal Services.

As you can see, Microsoft has provided the centralized control we've always wanted. I'll go over the available settings and recommended usage in Chapter 2.

ADSI Access to User Parameters

Under Win2K, the only Terminal Services parameter of a user object that was accessible from the command line was the Terminal Services Profile Path attribute; accessing this attribute required the TSPROF tool. WS2K3 exposes all Terminal Services attributes to ADSI. Using the Windows Script Host (WSH) and your preferred scripting language, you can now easily configure users' Terminal Services settings. I'll discuss the ADSI objects and provide some sample scripts in Chapter 4, but for now, here is a list of the available attributes:

objUser.ConnectClientDrivesAtLogon
objUser.ConnectClientPrintersAtLogon
objUser.DefaultToMainPrinter
objUser.TerminalServicesInitialProgram
objUser.TerminalServicesWorkDirectory
objUser.TerminalServicesProfilePath
objUser.TerminalServicesHomeDirectory
objUser.TerminalServicesHomeDrive
objUser.AllowLogon
objUser.MaxDisconnectionTime
objUser.MaxConnectionTime
objUser.MaxIdleTime
objUser.BrokenConnectionAction
objUser.ReconnectionAction
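The same ADSI attributes can be driven from PowerShell as well as from WSH. The script below is an added example, not one of the book's Chapter 4 scripts; the distinguished name, share paths and chosen values are placeholders. Because these properties belong to the IADsTSUserEx interface rather than being plain LDAP attributes, PowerShell reaches them through InvokeGet/InvokeSet on the underlying DirectoryEntry instead of as ordinary object properties.

```powershell
# Added example (not from the book). Reads, then hardens, one user's Terminal Services
# settings through ADSI. All names and paths below are placeholders.
$userDn = 'LDAP://CN=Jane Doe,OU=Staff,DC=example,DC=com'   # assumed DN
$user   = [ADSI]$userDn

# IADsTSUserEx properties are not ordinary LDAP attributes, so go through the
# DirectoryEntry's InvokeGet/InvokeSet rather than $user.PropertyName.
function Get-TSSetting($entry, [string]$name) {
    try { $entry.psbase.InvokeGet($name) } catch { '<not set>' }
}
function Set-TSSetting($entry, [string]$name, $value) {
    $entry.psbase.InvokeSet($name, $value)
}

# The attribute names are exactly those the book lists for objUser.
$attributes = @(
    'AllowLogon', 'TerminalServicesProfilePath', 'TerminalServicesHomeDirectory',
    'TerminalServicesHomeDrive', 'TerminalServicesInitialProgram',
    'TerminalServicesWorkDirectory', 'ConnectClientDrivesAtLogon',
    'ConnectClientPrintersAtLogon', 'DefaultToMainPrinter',
    'MaxConnectionTime', 'MaxDisconnectionTime', 'MaxIdleTime',
    'BrokenConnectionAction', 'ReconnectionAction'
)

Write-Host "Current settings for $userDn"
foreach ($a in $attributes) {
    Write-Host ('  {0,-30} {1}' -f $a, (Get-TSSetting $user $a))
}

# Baseline: roaming TS profile and home directory on a file server, client drive
# redirection off, and idle or disconnected sessions reaped instead of lingering.
# Time values are minutes; flag values are 1 = on, 0 = off.
Set-TSSetting $user 'TerminalServicesProfilePath'   '\\fs01\tsprofiles\jdoe'   # assumed share
Set-TSSetting $user 'TerminalServicesHomeDirectory' '\\fs01\tshome\jdoe'       # assumed share
Set-TSSetting $user 'TerminalServicesHomeDrive'     'H:'
Set-TSSetting $user 'ConnectClientDrivesAtLogon'    0
Set-TSSetting $user 'MaxIdleTime'                   30
Set-TSSetting $user 'MaxDisconnectionTime'          60
Set-TSSetting $user 'BrokenConnectionAction'        1    # 1 = end the session, 0 = leave it disconnected
$user.SetInfo()
Write-Host 'Settings written.'
```

Nothing is committed until SetInfo() runs, so the read-out at the top and the writes below can be separated into a report-only pass and a change pass if you want a review step in between.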

Session Directory

When using WS2K3 Enterprise Edition for terminal servers in a load-balanced environment, you can use the new Session Directory service to provide a single point of entry into the terminal server farm. Session Directory not only acts as a load balancer, connecting users to the least loaded server, but also maintains a database of active sessions in the farm. This feature enables a disconnected user to resume an active session on the same server from which the user was disconnected. When a user connects to the farm through the Session Directory server, Session Directory checks the list of active and disconnected sessions; if the username is found in the database, the connection is directed to the server running the session. Session Directory can be used with Microsoft's load-balancing service or any third-party load balancer. I will cover Session Directory in depth in Chapter 3.

Terminal Services Licensing

For a terminal server to continue accepting connections after the 120-day trial period, you must configure a Terminal Services Licensing server. WS2K3 adds new options and new layers of complexity to the Terminal Services licensing landscape. To connect to a WS2K3 terminal server, clients will need to be issued new WS2K3 license tokens. These new tokens can only be issued by a WS2K3 Terminal Services License server; Win2K license servers cannot issue these new tokens. Thus, even if your environment already contains a Win2K license server, you will be forced to either upgrade that server to WS2K3 or activate a separate WS2K3 license server.

Terminal Server Licensing Components

Terminal Services licensing consists of the Microsoft Clearinghouse, one or more WS2K3 Terminal Services Licensing servers, and one or more terminal servers. You access the Microsoft Clearinghouse to activate license servers and obtain license key packs to be installed on the Terminal Services Licensing server. The clearinghouse can be accessed directly over the Internet, through a Web page, or by telephone. A Terminal Services Licensing server can be any edition of WS2K3 with Terminal Services Licensing installed. The Terminal Services Licensing server stores all Terminal Services CAL tokens and tracks the tokens that have been issued to computers or users. All terminal servers must be able to communicate with the Terminal Services Licensing server to issue permanent tokens. If the licensing server has not been activated, it will issue only temporary licenses.


The terminal server is any WS2K3 edition with the terminal server role installed. When a client connects to the terminal server, the server first determines whether the client needs a license token. If so, the server contacts the licensing server and requests a token on the client's behalf, then delivers the token to the client. The first time a client connects to a terminal server in per-device licensing mode, a temporary token is issued. Temporary licenses are stored on the Terminal Services Licensing server for 90 days. Only at the second connection (within 90 days) is the permanent CAL assigned to the device. The term permanent is not really accurate here, as device tokens are set to expire after a random number of days (between 52 to 89 days). This configuration is designed to recapture CALs that have been issued to devices that are no longer in the environment or have had their OSs re-installed. This behavior was first implemented in Win2K Service Pack 3 (SP3).

License Types

There are no built-in licenses for WS2K3 Terminal Services. You will need to purchase CALs for all devices or users connecting to these servers regardless of the client OS.

A WS2K3 Terminal Services Licensing server can manage seven types of license tokens. In addition to supporting the CALs required for connecting to Win2K terminal servers, there are three new types of CALs specific to WS2K3 Terminal Services (the following list shows the three new types as well as the three types that have been supported since Win2K):

- WS2K3 Terminal Server Device CALs: WS2K3 terminal servers that are in Per Device licensing mode will request these licenses from the Terminal Services Licensing server.
- WS2K3 Terminal Server User CALs: WS2K3 terminal servers that are in Per User licensing mode will request these licenses.
- WS2K3 Terminal Server External Connector licenses: These licenses allow unlimited connections to a terminal server running WS2K3 by external users. These licenses are not yet available.
- Win2K Terminal Services CALs: Terminal servers running Win2K will request these licenses from the licensing server for clients running OSs other than Win2K Professional or Windows XP. You only need these licenses if you have terminal servers running Win2K.
- Win2K Terminal Services Internet Connector licenses: These licenses allow as many as 200 simultaneous anonymous connections to a terminal server running Win2K by nonemployees across the Internet.
- Win2K Built-In licenses: Clients that are running Win2K Pro or Windows XP are issued a token from the built-in pool of license tokens when connecting to a terminal server running Win2K.

Figure 1.7 shows the licenses available in the Terminal Server Licensing administration tool. Notice that user CAL tokens are tracked separately from device CAL tokens. User CAL tokens are new in WS2K3. Terminal servers can now be placed into either Per Device or Per User licensing mode. A single Terminal Services Licensing server can serve tokens to terminal servers in any combination of these modes if the proper licenses are installed.


Figure 1.7: License types available in the Terminal Server Licensing administration tool.

Installing Terminal Server Licensing

Unless you are working in a single-server environment, Terminal Server Licensing should be installed on a separate server from Terminal Services. If you are in a domain environment, you will probably want to install the licensing service on a domain controller, as doing so makes the discovery process easier for the terminal servers. To install Terminal Server Licensing, go to the Add/Remove Programs Control Panel applet, and select Add/Remove Windows Components. In the Windows Components Wizard window, select the Terminal Server Licensing check box, as Figure 1.8 shows.

Figure 1.8: Installing Terminal Server Licensing.


If you are installing Terminal Server Licensing on a server in AD, you are presented with two options for the mode of the server: Domain/Workgroup and Enterprise. The mode selected determines how the licensing service advertises itself to the terminal servers. If you are in a workgroup or non-AD domain, the Enterprise option is not available. I will explain the discovery process in the next section, but for now, you should understand that an Enterprise license server will be discoverable by terminal servers from any trusted domain but only within the same AD site as the licensing server, whereas a Domain/Workgroup license server will be discoverable only by terminal servers in the same workgroup or domain but, depending on the type of domain, may be discoverable across site boundaries.

After you install Terminal Server Licensing, the license server must be activated by contacting the Microsoft Clearinghouse. Launch the Terminal Server Licensing administration tool from the Start menu, right-click the server, and click Activate Server. The Terminal Server License Server Activation Wizard will launch, offering you three options for contacting Microsoft. Figure 1.9 shows the options in the wizard:
- Automatic connection: This method is the easiest way to activate the licensing server. This method requires that the server running Terminal Server Licensing has Internet connectivity on port 443 (Secure Sockets Layer, SSL). Simply fill in the company and contact information, and click Activate.
- Web Browser: If the server running Terminal Server Licensing does not have Internet connectivity, you can still activate the server over the Web from another computer. To do so, from a Web browser, go to https://activate.microsoft.com, and fill in the company and contact information as well as the unique Terminal Server Licensing ID number that the activate server wizard provides. The Web site will respond with the activation code that you can then enter into the licensing service.
- Telephone: If you do not have Internet connectivity, you can contact the Microsoft Clearinghouse by telephone. Select your country/region in the activate server wizard, and the correct phone number will be displayed. Provide the customer service person your company name, contact information, and server ID code, and they will provide you with the activation code. Be sure to either activate the server while still on the phone with the customer service representative or be very careful to record the activation code accurately.


Figure 1.9: Activating a Terminal Services Licensing server.

After the license server is activated, it will immediately begin to issue temporary Win2K and WS2K3 terminal server tokens, which gives the administrator a 90-day period in which to install the appropriate permanent CALs on the license server so that it can issue permanent tokens.

If you are upgrading a Win2K server with Terminal Server Licensing installed to WS2K3, you might need to re-activate the licensing service. To do so, select Re-Activate Server from Advanced in the Actions menu in the Terminal Server Licensing administration tool.

To add a license pack to the license server, right-click the server in the Terminal Server Licensing administration tool, and click Install Licenses. You will have the same connection options as you had to activate the server. If you are installing a retail license pack, the type of license will be automatically selected. If, however, you are installing licenses through a Select, Open, or other Microsoft license agreement, you will have to select which type of licenses you want to add. Figure 1.10 shows the Terminal Server CAL Installation Wizard.


Figure 1.10: Adding licenses to a Terminal Services Licensing server.

License Server Discovery

When Terminal Services is started, the server attempts to locate terminal server license servers using a predefined discovery process. The method used is dependent on the server environment and the mode in which the licensing server is configured to run. You can override the discovery process by modifying the registry to point to a specific license server or servers. Under Win2K, you can specify only a single license server in the registry, whereas WS2K3 lets you list multiple preferred license servers. To override the discovery process, add subkeys to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters\LicenseServers subkey. Each subkey should be named with the hostname of the license server that you want the terminal server to use. Figure 1.11 shows a registry with two license servers defined.


Figure 1.11: Overriding license server discovery by specifying license servers in the registry.

If you don't predefine license servers in the registry, the discovery process proceeds as follows: workgroup and non-AD domain-based terminal servers send a mailslot broadcast to locate license servers. Thus, only license servers in the same subnet will be discovered. AD-based terminal servers first look for any license servers in Enterprise licensing mode. They do so by performing a Lightweight Directory Access Protocol (LDAP) query for the CN TS-Enterprise-License-Server, specifying their own site as the scope. The terminal server then contacts each domain controller within its site looking for a Domain license server. Finally, the terminal server will contact all remaining domain controllers within its domain. Once the discovery process is complete, the terminal server caches all license servers that were discovered in the following registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\Parameters\EnterpriseServerMulti and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\Parameters\DomainLicenseServerMulti. It is important to note that if both Enterprise and Domain license servers are found, the terminal server will always prefer to use the Domain license server, even if a site boundary must be crossed to do so. Also, if no license servers are found, the terminal server will repeat the discovery process once every hour until a license server is found. Once one or more license servers are found, discovery is not repeated until such a time when none of the servers cached in the registry are available.
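The registry override and the discovery cache above are the two places to look when a terminal server is talking to the wrong license server (or none). The PowerShell script below is an added example, not the book's own code: it pins a terminal server to named license servers by creating the LicenseServers subkeys, then reads back the EnterpriseServerMulti and DomainLicenseServerMulti values so you can see what discovery actually found. The hostnames are placeholders; run it on the terminal server as an administrator.

```powershell
# Added example (not from the book). Pins this terminal server to specific license
# servers and shows what automatic discovery cached. Hostnames are placeholders.
$overrideKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters\LicenseServers'
$cacheKey    = 'HKLM:\SOFTWARE\Microsoft\MSLicensing\Parameters'
$preferred   = @('TSLIC01', 'TSLIC02')   # assumed license server hostnames

# One empty subkey per preferred license server, named with its hostname.
if (-not (Test-Path $overrideKey)) {
    New-Item -Path $overrideKey -Force | Out-Null
}
foreach ($hostName in $preferred) {
    $subKey = Join-Path $overrideKey $hostName
    if (-not (Test-Path $subKey)) {
        New-Item -Path $subKey | Out-Null
        Write-Host "Added preferred license server: $hostName"
    }
}

# Anything configured here wins over discovery, so list the result for the audit trail.
Write-Host 'Preferred license servers (registry override):'
Get-ChildItem -Path $overrideKey | ForEach-Object { Write-Host "  $($_.PSChildName)" }

# Discovery results are cached as multi-string values. Both lists empty means discovery
# has found nothing yet and will be retried hourly; if both are populated, the terminal
# server prefers the Domain list even across site boundaries.
function Get-CachedLicenseServers {
    if (-not (Test-Path $cacheKey)) { return $null }
    $p = Get-ItemProperty -Path $cacheKey
    @{
        Enterprise = @($p.EnterpriseServerMulti)
        Domain     = @($p.DomainLicenseServerMulti)
    }
}

$cached = Get-CachedLicenseServers
if ($cached -eq $null) {
    Write-Host 'No discovery cache found (Terminal Services may not have run discovery yet).'
} else {
    Write-Host ('Cached enterprise license servers: ' + ($cached.Enterprise -join ', '))
    Write-Host ('Cached domain license servers    : ' + ($cached.Domain -join ', '))
}
```

Treat an unexpected hostname in either list as a finding: a terminal server that has cached a license server you do not operate is requesting tokens from, and disclosing client identities to, a host outside your control.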


License Assignment

Every time a client connects to a terminal server, the license server is contacted to either validate an existing license or issue a new license. The type of licenses that a terminal server will issue is determined by its licensing mode, Per Device or Per User. You can set the mode through either the Terminal Services Configuration administration tool or by Group Policy. The default is Per Device mode, unless you are upgrading a Win2K terminal server that is in Internet Connector mode, in which case it will default to Per User mode.

In order to support both Per User and Per Device tokens, the terminal server must be in Per User mode.

The following steps walk you through the process taken by a terminal server at each client connection:

1. Regardless of the licensing mode, the terminal server will first query the client device to determine whether a device token has been written to the registry. If a token is present, the terminal server will contact the license server indicated in the token to validate the license. If the license is a temporary license, the license server will assign a permanent token at this time, which will be recorded in the client registry.

2. If the client device does not have a token, the next step is dependent on the licensing mode of the terminal server:
   a. Per-User licensing mode: The terminal server requests credentials from the user and performs authentication. The terminal server will then query the license server to either validate that the user has a token assigned or request a license for the user. The token is stored on the license server.
   b. Per-Device licensing mode: The terminal server will request a temporary token from the license server and write it to the client registry. After the user has been authenticated, the terminal server instructs the licensing server to mark the temporary token as validated. If the user does not authenticate, the token is immediately returned to the pool of available licenses.

3. In either case, if the license server does not have any tokens available, another license server is contacted. If the first license server is aware of another license server that has licenses available, it will request the token on behalf of the terminal server. If the license server does not know of other license servers in the environment, the terminal server will query the next license server cached in the registry.

In most cases, license servers will inform each other when licenses are added to or removed from their pools. This communication allows the license servers to proxy requests for licenses to other licensing servers. This process is called License Token Announcement and occurs in the following scenarios:
- Between domain license servers within the same domain
- Between enterprise license servers within the same site and domain
- From enterprise license servers to domain license servers
- From Win2K license servers to WS2K3 license servers

License Server Administration

After your license servers are activated and have licenses installed, there is very little administration to be done. However, there are a few utilities that you should familiarize yourself with in order to troubleshoot any licensing issues that may arise. The Terminal Server Licensing tool is the primary administration tool. Figure 1.12 shows the interface. This tool is used to activate a license server, install licenses, and view available and assigned license tokens. Through this interface you can view which users and devices have been assigned CAL tokens, the date that the token was assigned, and when it will expire.

Figure 1.12: The Terminal Server Licensing tool interface.

The WS2K3 resource kit contains a command-line interface to the Terminal Server Licensing tool, LSREPORT.EXE. With this tool, you can output a list of tokens assigned by a license server. This tool accepts parameters to limit the date range of licenses to include, include only temporary licenses, include the hardware ID of device tokens, and specify which license server or servers to query.

Another resource kit utility is the Client License Test Tool, TSCTST.EXE. This tool is used to query details about device tokens installed on a given client. The default output includes the name of the license server that issued the token, the scope, the name of the computer, the user that was authenticating when the token was issued, the license ID, and the date range for which the license is valid. When executed with the /A switch, the tool will also include the server certificate version, the licensed product version, the hardware ID, the client platform ID, and the company name in the output.

The License Server Viewer Tool (LSVIEW.EXE), which Figure 1.13 shows, is also included in the resource kit. This GUI-based tool performs a license server discovery process and displays all Terminal Services license servers in the environment. It also identifies the type of license server (Domain or Enterprise) and can create a log with diagnostic information about the discovery process.


Figure 1.13: The License Server Viewer interface.

License Server Group Policy Settings

WS2K3 includes several Group Policy settings to control terminal server licensing. With these settings, it is easy to centrally configure license servers and maintain consistency in the environment (Figure 1.14 shows the available settings in the Group Policy Object Editor):

Figure 1.14: The License Server Group Policy settings.


- License Server Security Group: By default, a license server will issue tokens to clients connecting to any terminal server. If you enable this setting, the license server will only respond to requests from terminal servers in the Terminal Services Computers local group. If the licensing server is a domain controller, this is a domain local group. Enabling this setting prevents rogue terminal servers from requesting licenses and lets you enforce separate license pools for groups of terminal servers in your environment. If you have more than one license server providing licenses for a single group of terminal servers, be sure to add the license servers to the group, as they can request licenses on behalf of the terminal servers.
- Prevent License Upgrade: As you know, a WS2K3 license server can distribute both Win2K terminal server device CALs and WS2K3 terminal server device CALs. If a Win2K terminal server requests a token, and the license server does not have any Win2K terminal server CALs available, it will automatically issue a WS2K3 Per-Device token (if there are any available). This behavior can be prevented by enabling this policy setting. With it enabled, the license server will only issue temporary tokens to clients connecting to Win2K terminal servers. If the client's temporary token has expired, the connection will be refused.

The Terminal Services Computers group is empty by default; be sure to add servers to the group before enabling the policy setting to prevent refused connections.
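The ordering in that note is what usually goes wrong in practice: the policy is enabled first and every terminal server is refused. The PowerShell script below is an added example, not the book's own, for doing it in the safe order on the license server: populate the Terminal Services Computers group with the terminal servers (and any peer license server, as the setting description requires), then confirm it is non-empty before the License Server Security Group policy is switched on. The domain name and server names are placeholders; the script assumes it runs on the license server as an administrator.

```powershell
# Added example (not from the book). Run on the license server as an administrator.
$groupName = 'Terminal Services Computers'
$domain    = 'CORP'                              # assumed NetBIOS domain name
$servers   = @('TS01', 'TS02', 'TSLIC02')        # assumed: terminal servers plus a peer license server

# On a member server this is a local group; on a domain controller it is a domain local
# group, so the WinNT path used to read it differs. DomainRole 4 or 5 = domain controller.
$isDC = (Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4
if ($isDC) {
    $groupPath = "WinNT://$domain/$groupName,group"
} else {
    $groupPath = "WinNT://./$groupName,group"
}
$group = [ADSI]$groupPath

function Get-GroupMemberNames($grp) {
    @($grp.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
}

$before = Get-GroupMemberNames $group
foreach ($s in $servers) {
    $account = $s + '$'      # computer accounts are NAME$
    if ($before -contains $account) {
        Write-Host "already a member: $domain\$account"
        continue
    }
    # net localgroup handles both the local group and the domain local group on a DC.
    net localgroup "$groupName" "$domain\$account" /add | Out-Null
    Write-Host "added: $domain\$account"
}

# Re-read the group and refuse to proceed if it is still empty: enabling the policy
# against an empty group would cut every terminal server off from licensing.
$after = Get-GroupMemberNames $group
Write-Host "Members of '$groupName': $($after -join ', ')"
if ($after.Count -eq 0) {
    Write-Host 'WARNING: group is empty; do not enable License Server Security Group yet.'
} else {
    Write-Host 'Group populated; the License Server Security Group policy can now be enabled.'
}
```

Because license servers can proxy requests for one another (see License Token Announcement above), leaving a peer license server out of the group silently breaks that proxying once the policy is on, so include every license server that serves the same pool.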

Summary

In this chapter, I introduced you to the new role-based model in WS2K3. I also briefly covered the new features of Terminal Services. I will continue to address these enhancements throughout the book. Finally, I went into depth about Terminal Services licensing, as a thorough understanding of licensing is required to maintain a terminal server infrastructure for more than 120 days. In Chapter 2, I will cover the installation and configuration of Terminal Services. I will take you through all the new Group Policy settings for Terminal Services, and show you a few tricks to use to make administrating groups of servers easier.


Chapter 2

Chapter 2: Installing and Configuring the Terminal Server Role

This chapter will take you through the steps of adding the terminal server role to WS2K3. I'll introduce you to the settings used to configure a terminal server via the administrative tools, Group Policy, and the registry editor, and even give you a few system tweaks to help improve your server's performance. Finally, I will give you an in-depth look at the Remote Desktop Connection client and the new version of the Terminal Server Advanced Client (TSAC), Remote Desktop Web Connection. I'll begin by exploring the most common reasons for deploying Terminal Services.

Terminal Services Deployment Scenarios

What are the biggest challenges you face managing a Windows desktop environment? Answer truthfully, and I'm sure these are among your top five:

• Software deployment
• Virus protection
• Software updates

By using Terminal Services, you can greatly reduce the difficulty of these tasks. WS2K3's terminal server role can enable you to centralize software, decrease the number of Windows systems in the environment, and prevent exposure to viruses by centrally managing virus scanner updates and creating a single point of entry for remote access users. There are three basic models for utilizing Terminal Services:

• Desktop replacement: Remove the Windows PC from the user's desk, and replace the PC with a thin-client device.
• Remote access: Provide users in a remote location access to either a complete desktop environment or individual applications over either a WAN link or a Remote Access Service (RAS) connection.
• Application service provider (ASP): Provide access to individual applications to users at their regular workstation without installing the applications locally on users' PCs.


Desktop Replacement

At its most pervasive implementation, Terminal Services can allow an IT department to completely eliminate PCs from users' desks. This model provides many benefits, including elimination of end-node support, rapid deployment of new or upgraded software, reduction in power consumption, and added security. Depending on your corporate IT architecture, desktop replacement can also reduce bandwidth requirements and eliminate the need for servers in remote offices:

• Elimination of end-node support: Without PCs on users' desks, there is no longer any need to visit the workstation to configure the OS, install or repair software, assist a user in configuring applications, or replace a defective hard drive. A thin client's OS is burned into ROM, and applications are installed on the terminal servers. Help desk personnel can provide user assistance via remote control of the terminal server session, and users can replace a damaged device by simply plugging in a new one.

Most thin-client devices support auto-configuration via Dynamic Host Configuration Protocol (DHCP) and FTP. You add a URL to a DHCP extension, and when the client boots, the client downloads its configuration from the FTP URL. This setup enables even the least tech-savvy users to set up or replace thin clients.

• Rapid deployment of new or upgraded software: If you work in a large IT environment, you know how difficult and time consuming deploying software to your users can be. By using Terminal Services and thin clients, you simply install the new software on your servers, and overnight thousands of users will have access to it. There are even third-party utilities that will assist you in deploying software to all of your terminal servers at once.

• Reduction in power consumption: Thin-client devices have no moving parts and are completely solid-state, so they typically consume about 10 percent of the power that a normal Wintel PC consumes. With rising electricity costs, this reduced consumption can provide major cost savings to your company.

• Added security: If a standard PC is stolen, you risk losing important and sensitive data stored on its local hard disk, and you must pay to replace the computer. With the desktop replacement model, there is no data stored on the end-node device, and the cost of replacement is about half that of a normal PC.

There are many players in the thin-client device market (for example, Wyse Technologies Winterm and Neoware EON). These devices can use any embedded OS at their core (Windows CE, embedded Linux, and so on).

There are, however, some potential drawbacks to the desktop replacement model, including limited adaptability to one-off applications, reduction in user settings personalization, and increased initial deployment costs:

• Limited adaptability to one-off applications: If you have a very small group of users who need an application, with the desktop replacement model you'll no longer have the freedom to install the application on only those users' desktops. You'll be forced to integrate the application into your Terminal Services infrastructure. Because of this limitation, the desktop replacement model is best suited to homogeneous computing environments.

• Reduction in user settings personalization: If your users are accustomed to personalizing their workstations with wallpaper and screen savers or have the ability to install their own software, you'll have a small battle on your hands when they're restricted from performing some of these customizations.

• Increased initial deployment costs: If you already have a large user population and each user has a PC, the initial setup costs of purchasing the thin-client devices and the robust servers needed for terminal servers can seem a little overwhelming. However, in the long term, the reduction in TCO will more than make up for the initial investment. Opening a new office or call center is a perfect opportunity to implement the desktop replacement model.

Remote Access

If these drawbacks or your corporate culture eliminate desktop replacement as an option, the remote-access model may be a great alternative for you. Most big companies have a large population of remote or nomadic users (telecommuters, executives traveling to satellite offices, and so on). Although laptops provide the ability to work remotely, they don't address the needs of limited-bandwidth connections or remote support. In addition, laptops can be nearly double the cost of a desktop, so your finance department may balk at the thought of providing a laptop for users who only occasionally need remote access to applications. The remote-access model can provide these users with the ability to access individual applications or even a complete corporate desktop from the Internet (by using the Remote Desktop Web Connection, a Web-based version of the Remote Desktop Connection client) or from their home computers. In addition, the reduced bandwidth requirements of RDP provide improved performance when compared with running laptop-based applications over a slow link.

Using a terminal server as a portal to the corporate LAN can shield your network from any viruses on the remote computer.

As with any remote-access strategy, you must make security the top priority when considering the remote-access model. Be sure to take the time to educate your network design engineers in the specific needs of the terminal server protocols. In addition, implement a strategy to prevent the abuse of any changes you implement to accommodate the terminal server network traffic.


ASP

When looking at a large-scale deployment of a vertical application, there are many factors to consider:

• Deployment method (Sneakernet, Systems Management Server (SMS), IntelliMirror)
• Workstation system requirements (RAM, disk space, processing power)
• Support and back-out plan in case an installation goes awry
• Bandwidth requirements for client/server or database applications

If the application you are deploying doesn't have complex OLE integration with other applications on the users' desktops, the ASP model might be right for you. Terminal servers, especially when implemented with TSAC or a third-party application publishing product, can give you the ability to provide users the applications they need quickly and easily without touching their workstations. In this model, the application is installed on terminal servers, and users launch it via a client application on their desktops or by using a Web browser.

I'll go into the details of the ASP model in Chapter 5.

Installing the Terminal Server Role

When an administrator logs on to WS2K3, the Manage Your Server wizard, which Figure 2.1 shows, provides easy access to the tools needed to install, configure, and manage server roles. Here is where we will begin the process of installing the terminal server role.

Figure 2.1: The Manage Your Server wizard.

To start, click the Add or remove a role link to invoke the Configure Your Server wizard, which Figure 2.2 shows. This wizard outlines the preliminary steps to adding a role. Confirm that you are prepared, and click Next.

Figure 2.2: Preliminary steps to installing a role.

The wizard then scans your network connections to determine which roles are compatible, then lists all available roles for your server, as Figure 2.3 shows.

Figure 2.3: Detecting your network settings to determine compatible roles.

In the window that results from the scan (see Figure 2.4), select the terminal server role, then click Next.

Figure 2.4: The Configure Your Server wizard.

After warning you that adding this role will automatically reboot your server, the wizard will call the Add/Remove Windows Components Control Panel applet and add the required services. When complete, the system will reboot.

There is no option to postpone the reboot when adding a role via the Manage Your Server wizard.

When you log on to the system after the reboot, two windows will be automatically displayed. One window confirms that the terminal server role has been successfully added, as Figure 2.5 illustrates.


Figure 2.5: A successful installation of the terminal server role.

The second window provides a helpful checklist of the common next steps needed to complete the configuration of your terminal server (see Figure 2.6).

Figure 2.6: The common next steps required for configuring a terminal server.


Configuring the Terminal Server Role

As you can see in Figure 2.6, there are several steps you must take after installing Terminal Services. We explored terminal server licensing in Chapter 1; in this section, I'll discuss how to configure a terminal server.

The reference materials available in the Plan your Terminal Server Deployment section of the checklist are very helpful, so read through them.

There are two main tools used to configure a terminal server: the Terminal Services Configuration tool and the Group Policy editor.

Terminal Services Configuration Administrative Tool

The main tool used to configure a terminal server is the Terminal Services Configuration administrative tool. With this tool, you can set the permission mode for the server, configure performance options, and configure RDP. You can launch Terminal Services Configuration in one of three ways:

• From the Start menu, under Administrative Tools
• Directly from the Configure Terminal Server wizard checklist
• From the Manage Your Server wizard

Under the Server Settings node, which Figure 2.7 shows, you will find six options.

Figure 2.7: The server settings node of the Terminal Services Configuration tool.

Three of these choices (Delete temporary folders on exit, Use temporary folders per session, and Active Desktop) you will most likely leave at their default settings. The following list explains these settings:

• Delete temporary folders on exit: Each user on a terminal server is given a temp directory, found under the user's profile directory in C:\Documents and Settings (in the Local Settings\Temp folder). If this setting is enabled, the temp folder is purged when the user logs off the server. If you use roaming profiles for your users and you enable the Delete cached copies of roaming profiles Group Policy setting (a common practice on terminal servers), the Delete temporary folders on exit setting becomes irrelevant because the entire profile directory is deleted at logoff. However, it is a good idea to leave this setting enabled unless you have an application that requires temp files to persist across sessions, in which case you will also need to disable the Group Policy setting.

• Use temporary folders per session: With this setting enabled, a new directory is created under the user's temp folder for each session the user has on the server. These folders are named with a single digit (\temp\0, \temp\1, and so on). It is a good idea to leave this setting enabled to prevent multiple sessions from interacting.

• Active Desktop: Starting with Windows 98, we have had the ability to embed active content (Web pages, animations, news tickers, and so on) on the Windows desktop. To reduce the number of screen redraws sent to the client from the terminal server, this setting is disabled by default.

The remaining three settings (Licensing, Permission Compatibility, and Restrict each user to one session) require a little more consideration and understanding. These settings depend on your environment and the applications you intend to install on the terminal server. Let's begin by looking at permission compatibility.

Permission Compatibility

In Win2K, you were prompted to select a compatibility mode when installing Terminal Services. The options were Permissions compatible with Windows 2000 Users and Permissions compatible with Terminal Server 4.0 users. In line with Microsoft's new focus on security, WS2K3 defaults to Full Security mode. This mode is similar to the Win2K Users mode. Under WS2K3 Full Security mode, non-administrators cannot modify the HKEY_LOCAL_MACHINE registry key or write files anywhere on the server's hard drive other than their profile directory. If you encounter applications that will not run under Full Security mode, you may need to change to Relaxed Security mode. Use this option as a last resort, as it opens your server up to inadvertent changes by non-administrators.

In Chapter 5, I will go over some alternatives to Relaxed Security mode that you can use to enable some older applications to run on Terminal Services.

Licensing

The next setting to address is the licensing mode. This setting controls the type of licenses that the terminal server will request from the license server on behalf of the clients. In most cases, the default setting is Per Device, which means that you will need to install WS2K3 Terminal Server Per Device tokens on your license server. However, if you are upgrading a Win2K terminal server that has Internet Connector Licensing enabled, you'll configure this setting to Per User licensing. The mode you select depends on your environment. If your environment is one in which each user has multiple devices from which they will connect, Per User licensing may be easier to manage and may even save you some money; whereas, if your users share computers, Per Device licensing may be a better option. Perhaps you manage a call center in which one computer is shared by three users, one in each shift. Per Device licensing would mean you would only need one token to cover three users. If you set the server to Per User licensing, it will also validate and accept connections from devices that have already been issued a Per Device token.

Restrict Each User to One Session

The last setting to be considered is Restrict each user to one session. Enabling this setting will prevent users from establishing multiple sessions on the server, which will help conserve resources on the server by only allowing each user to take up the overhead of a single session and run all required applications within that session. Keep in mind that if you are going to be offering direct access to individual applications outside of a desktop environment, your users might need the ability to run more than one application at the same time.

Citrix MetaFrame supports session sharing. This functionality lets a user launch multiple published applications on the same server without establishing a separate session for each one.

Figure 2.8 shows the connections node of the Terminal Services Configuration administrative tool. Through this node, you configure timeouts, security, and client resource redirection.

Figure 2.8: The connections node of the Terminal Services Configuration tool.

By default, you will see only one RDP-Tcp connection. If you are using a multi-homed server, you can modify the default connection definition to apply only to one network interface, then create a separate connection definition for your other interfaces. Also, if you have installed Citrix MetaFrame, you will see one or more ICA connections here; it is advisable to use the Citrix Connection Configuration tool to modify settings for the ICA protocol. By right-clicking the connection, you can disable it entirely, rename it, or access its properties. If you are familiar with the Win2K Terminal Services Configuration tool, the WS2K3 tool's interface will look quite familiar, with the addition of the new features of RDP 5.2 and the new secure-by-default model. The General tab of the RDP-Tcp properties (see Figure 2.9) lets you add a comment to the connection and set the encryption level. WS2K3 offers new encryption options:

• Low: All data sent from the client to the server is protected by 56-bit encryption.
• Client Compatible (the default setting): All data sent between the client and the server is protected by encryption based on the maximum key strength supported by the client.
• High: All data sent between the client and the server is protected by encryption based on the server's maximum key strength. Clients that do not support this level of encryption cannot connect.
• FIPS Compliant: All data sent between the client and the server is protected by using Federal Information Processing Standard (FIPS) 140-1 validated encryption methods.

Figure 2.9: The General and Logon Settings tabs of the RDP-Tcp connection properties.

On the Logon Settings tab, which Figure 2.9 also shows, you can control whether to allow users to log on as themselves or specify a single account to automatically log on as users when they connect to the server over RDP. On this tab, you can also select the Always prompt for password option, which prompts the user for a password even if one is cached in the Remote Desktop client.

Be careful about setting credentials for automatic logon, as doing so will prevent you from logging on with an administrative account.

Figure 2.10 shows the Sessions and Environment tabs of the RDP connection. In these windows, you set timeouts and reconnection settings as well as an initial program to launch. By default, the settings on both of these tabs are inherited from the parameters set on the user account connecting to the server. If you want to override the user account settings, do so here. The Sessions tab contains timeouts for disconnected, idle, and active sessions. A disconnected session is one in which the user actively disconnects from the server by either closing the connection window without logging off or selecting Disconnect from the Start menu. An idle session is one in which the user has left the connection window open, but has not executed any mouse clicks or keystrokes in a given period of time. When a session loses its network connection or reaches the idle timeout, you can specify whether to immediately end the session or to treat the session as disconnected. The Environment tab lets you specify a specific program to launch when a client connects to the server. You must specify both the path and executable name. If you configure this setting, when any user, including an administrator, connects to the server, the specified program will run instead of a Windows Explorer desktop. Many administrators have made the mistake of thinking that this setting is like the Startup folder in the Start menu, automatically launching a program when the user logs onto the desktop. Such is not the case: configuring this setting replaces the Explorer shell with the program specified.
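The three timeouts and the "disconnect or end" choice form a small state machine, and the interaction between them (an idle session first becomes disconnected, then the disconnected timer decides when it is finally ended) is easy to get wrong when sizing a server. The following Python model is an added example, not code from the book or from the Terminal Services session manager; the minute-based event log and the treatment of client input on a disconnected session as a reconnect are constructed for the illustration.

```python
"""Session timeout state machine for the RDP-Tcp Sessions tab (added example)."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SessionPolicy:
    end_disconnected_after: Optional[int]   # minutes a disconnected session is kept; None = never
    active_limit: Optional[int]             # minutes after logon before the active limit hits; None = never
    idle_limit: Optional[int]               # minutes without input before the idle limit hits; None = never
    on_limit_or_broken: str = "disconnect"  # "disconnect" or "end" when a limit hits or the link breaks


# (minute since logon, kind); kind is "input", "disconnect" (user chose Disconnect) or "network_loss"
Event = Tuple[int, str]


def _apply_timers(policy: SessionPolicy, state: str, last_input: int,
                  disconnected_at: Optional[int], now: int):
    """Advance a session to `now`, applying any limits that elapsed in between."""
    if state == "active":
        hits = []
        if policy.idle_limit is not None and now - last_input >= policy.idle_limit:
            hits.append(last_input + policy.idle_limit)     # moment the idle limit hit
        if policy.active_limit is not None and now >= policy.active_limit:
            hits.append(policy.active_limit)                # moment the active limit hit
        if hits:
            if policy.on_limit_or_broken == "end":
                return "ended", None
            state, disconnected_at = "disconnected", min(hits)
    if (state == "disconnected" and policy.end_disconnected_after is not None
            and now - disconnected_at >= policy.end_disconnected_after):
        return "ended", None
    return state, disconnected_at


def session_state(policy: SessionPolicy, events: List[Event], now: int) -> str:
    """Replay one session's events and report 'active', 'disconnected' or 'ended' at minute `now`."""
    state, last_input, disconnected_at = "active", 0, None
    timeline = sorted(e for e in events if e[0] <= now) + [(now, "query")]
    for t, kind in timeline:
        state, disconnected_at = _apply_timers(policy, state, last_input, disconnected_at, t)
        if state == "ended":
            return "ended"
        if kind == "input":
            if state == "disconnected":          # assumption: input means the user reconnected
                state, disconnected_at = "active", None
            last_input = t
        elif kind in ("disconnect", "network_loss") and state == "active":
            if kind == "network_loss" and policy.on_limit_or_broken == "end":
                return "ended"
            state, disconnected_at = "disconnected", t
    return state


if __name__ == "__main__":
    # Constructed policy: idle after 15 min becomes disconnected, kept 30 min, then ended.
    policy = SessionPolicy(end_disconnected_after=30, active_limit=None, idle_limit=15)
    log = [(0, "input"), (10, "input")]
    for minute in (20, 26, 60):
        print(minute, session_state(policy, log, minute))   # active, disconnected, ended
```

With this model you can answer capacity questions such as how long a user who walked away at minute 10 still occupies a session: here it is until minute 55, the idle limit plus the disconnected limit, not the 15 minutes the Sessions tab alone suggests.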

Figure 2.10: The Sessions and Environment tabs of the RDP connection properties.

The next tabs we'll explore are Remote Control and Client Settings (see Figure 2.11). These control shadowing and client resource redirection, respectively. Once again, these settings inherit their behavior from the user account or Remote Desktop Connection software by default.

When an administrator wants to remotely connect to an existing user's session to provide support, this action is called shadowing or remote control. On the Remote Control tab, you can keep the default setting of inheriting shadowing settings from the user's account attributes, or you can specify your own for this server. If you specify settings here, your options are to enable or disable the requirement for the user to give permission before being shadowed (via a popup window) and to control the level of interaction that the administrator can have with the user's session: either view only or interact. If you select interact with the user's session, the administrator will be able to control the user's mouse and enter keystrokes on behalf of the user. You also have the option to disable remote control altogether.

Before disabling the Require user's permission setting, be sure to confirm that you are not under a legal obligation to inform users when they are being shadowed. Many states and industries require this communication with users.

The Client Settings tab lets you override the client resource redirection settings specified in the Remote Desktop Connection client software. On this tab, you can enable or disable the redirection of the following client resources:

• Drives
• Printers
• LPT ports
• COM ports
• Clipboard
• Audio

You can also specify whether to default to the main client printer and limit the maximum color depth that a user can request when connecting to the server. Higher color depths can degrade performance over slow connections.


Figure 2.11: The Remote Control and Client Settings tabs of the RDP connection properties.

The Network Adapter and Permissions tabs are dedicated to more server-centric settings (see Figure 2.12). The Network Adapter tab lets you specify whether this set of connection settings applies to all network adapters or, in the case of a multi-homed server, a specific adapter. The Permissions tab is where you control who has the ability to connect to the server using RDP, and what level of rights they have when it comes to accessing virtual channels and interacting with other sessions on the server. Figure 2.12 shows both of these tabs. In addition to limiting the RDP connection to one network interface, the Network Adapter tab lets you set a limit on the total number of connections allowed on the specified interface, or on the entire server if All network adapters configured with this protocol is selected. If you have more than one network adapter in your server, and you select a specific adapter on this tab, you will be able to create a new connection in the main Terminal Services Configuration window and apply separate settings to it. The Permissions tab is one in which a major change has occurred since Win2K. Under Win2K, the default permissions allowed all users from any trusted domain to connect to the server immediately once Terminal Services was enabled. WS2K3 is secure by default and only allows administrators and members of the Remote Desktop Users group to connect. Keep in mind that the Remote Desktop Users group is empty by default, so in order for users to connect to your terminal server, you will need to add them to this group.

If you are in an AD domain, you can use the Managed Group setting in Group Policy to control the members of the Remote Desktop Users group.


Figure 2.12: The Network Adapter and Permissions tabs of the RDP connection properties.

Group Policy-Based Configuration

WS2K3 has exposed a large number of settings to the Group Policy editor that were not available under Win2K. If your terminal servers are in an AD environment, you will definitely