Remote Desktop for Administration is the former Terminal Services Remote Administration Mode, with a few improvements, of course. With Windows 2000, Terminal Services is integrated into the operating system as an optional service. It can be installed using Add/Remove Programs, Add/Remove Windows Components, and when installed, the administrator is prompted for the terminal server mode. The two choices are Remote Administration Mode and Application Server Mode. Application Server Mode is designed for installing the server to be used in the role of a traditional terminal server or Winframe/Metaframe server. In this role, applications are to be installed on the box for use by remote users; making these applications available to remote users is the primary purpose of the box. Traditionally, Citrix Metaframe has offered several additional features that make it more worthwhile as an enterprise application hosting solution than Microsoft's terminal server.
Windows 2000 Remote Administration Mode
Remote Administration Mode was something new for terminal services introduced in Windows 2000. Installing Terminal Services in Remote Administration Mode allows up to two (free) concurrent connections. Plus, when using terminal server in this mode, you don't have to worry about keeping track of licenses, as you do in Application Server Mode and previous versions of terminal server.
The purpose of Remote Administration Mode is to allow system administrators to remotely access Windows 2000 servers. By installing Terminal Services in Remote Administration Mode, administrators can get much of the same functionality as with third-party applications such as pcAnywhere, namely access to the server desktop via a graphical interface, right out of the box. This provides for a lower total cost of ownership for managing remote servers. No longer do you have to be physically at the server to perform various types of maintenance, nor do you have to buy expensive third-party software. (Management likes this because it improves the bottom line, but poor administrators no longer have an excuse to fly out to Hawaii for server maintenance, at least not as often.)
Windows Server 2003 Terminal Services Modes
Windows Server 2003 no longer has a Terminal Services Remote Administration Mode. The so-called Remote Administration Mode and Application Server Mode are now treated as two separate entities and are installed differently. Under the hood, they are both still technically terminal services; they just have different names now and are installed differently. The former Remote Administration Mode is now called Remote Desktop for Administration. Windows 2003 Server comes preinstalled with Remote Desktop for Administration (although it is disabled). There is still an optional Windows component for installing terminal services, but it is now called Terminal Server. Installation of this service converts the Remote Desktop for Administration installation into a full-blown Terminal Server (Application Server Mode) installation; uninstalling Terminal Server returns the system to the Remote Desktop for Administration mode. Once again, Remote Desktop for Administration is always installed.
It can be enabled simply by selecting Allow Users to Connect Remotely to This Computer in the Remote Desktop section on the Remote tab of the System Properties screen, as shown in Figure 11.1. To highlight this distinction, Windows Server 2003, Web Edition does not have Terminal Server (it cannot be an application server); however, it does have Remote Desktop for Administration, so it can be accessed remotely via a terminal services client.
Figure 11.1. Enable Remote Desktop for Administration from the Remote tab of the System Properties dialog box.
When Remote Desktop for Administration is enabled, a security message pops up warning that local accounts might not have passwords and that a port on the firewall might need to be opened to allow communication. This is just an informational message to remind you that enabling Remote Desktop for Administration is a potential security risk because it allows direct access to your machine across the network.
In addition to selecting the check box to enable Remote Desktop, you must also designate who is permitted to use Remote Desktop for Administration. By default, the Administrator account is the only one that has access. To grant additional users (domain or local) permission to connect to the server via Remote Desktop for Administration, click the Select Remote Users button and then simply add the user or group accounts as appropriate. This adds the users on this list to a local group called Remote Desktop Users, which has permissions to log on to the terminal server.
New Client(s)
Windows Server 2003 has two installed clients that can be used for connecting to Remote Desktop for Administration (or Terminal Server). The Remote Desktop Connection application is found by selecting Start, All Programs, Accessories, Communications, just like in Windows XP. This is the terminal services client application, and it is used for connecting to a single Terminal Server/Remote Desktop for Administration machine. In fact, Remote Desktop Connection is the same terminal services client application Windows XP uses. This client uses the RDP 5.1 protocol, which provides several enhancements over the previous terminal services. (See "Remote Desktop Protocol 5.1," later in this chapter, for more information.) The other client installed by default is the Remote Desktops MMC, which is installed under Administrative Tools. Although it too uses the RDP 5.1 protocol, the interface limits the configurable options. This console can be particularly useful for enterprise administrators because it has a tree pane view of remote desktop connections, which enables an administrator to create several connections in the left pane and then connect and view them in the right pane. It makes switching between sessions and keeping track of multiple sessions much easier.
These connections can also be configured to automatically connect (and even log on, provided the terminal server allows it) when selected. Both clients also have the capability to connect to the server console session. This can be accomplished with the Remote Desktops MMC simply by selecting the Connect to Console check box, as shown in Figure 11.2. You can also connect to the console session via the Remote Desktop Connection application by launching mstsc.exe /console from a command line. The console session is a special session that shows what's actually displayed on the server's monitor (although the physical monitor gets locked when the console session is accessed remotely). With Terminal Server installed (thus putting it in Application Server Mode), applications must be installed via the server console session so that they can be made available for all user sessions.
Figure 11.2. Connecting to the terminal server console session using the Remote Desktops console.
Another benefit of the Remote Desktops MMC console is that it is an MMC snap-in. Just like any other MMC snap-in, it can be used to create customized administrative consoles.
Either client can be used for connecting to Windows Server 2003 Remote Desktop for Administration or Terminal Server sessions. In fact, the RDP 5.1 protocol is backward-compatible with previous versions, so these clients can be used to connect to Windows 2000 (RDP 5.0) or even NT Terminal Server 4.0 (RDP 4.0). Of course, you won't get the new features of the RDP 5.1 protocol when connecting to these down-level servers. Similarly, previous versions of the terminal services client can connect to Windows Server 2003 Remote Desktop for Administration or Terminal Server sessions. Although down-level clients can't get the features of the new RDP 5.1 protocol when connecting to a Windows 2000 or NT 4 terminal server, they can get the new features when connecting to Windows Server 2003 by installing the Remote Desktop Connection client application. This client can be installed on the Windows 9x platform (Windows 95, 98 Special Edition, and Millennium) as well as Windows NT 4 and Windows 2000. To install it and thereby gain the new features, simply run the Remote Desktop Connection installation program from the Windows XP CD (\Support\Tools\msrdpcli.exe) or download it from http://www.microsoft.com/windowsxp/remotedesktop. A version for Windows CE is available in the Windows CE .NET Platform Builder, and there is even a version available for the Macintosh (http://www.microsoft.com/mac/DOWNLOAD/MISC/RDC.asp). With this Remote Desktop Connection client, you can have a Windows "window" on a Macintosh (although some might consider this blasphemous).
One particularly nice feature of the new Remote Desktop client is Full Screen mode, which enables you to use the full screen when connected to a terminal server. Windows 2000 terminal server client sessions show as a window that cannot be maximized. With the Remote Desktop Client, you can expand to full screen, so it feels like you are actually on the box.
Additionally, you can configure how control keys (except Ctrl+Alt+Del) function: on the client, on the server, or in Full Screen mode only. With these settings, you can get the same look and feel as if you were on the server; even the keys behave the same (except Ctrl+Alt+Del, of course).
The last terminal services client, the Remote Desktop Web Client, allows connections to a terminal server via a Web browser, as shown in Figure 11.3. The name is somewhat deceptive because you don't actually install a client. Remote Desktop Web Client is installed on an IIS server and enables machines with IE 5 or better to connect to terminal server sessions. To allow Remote Desktop Web Clients to connect to your terminal server, simply install the Remote Desktop Web Connection component on the server. This component is installed just like any other component, by selecting Add or Remove Programs, Add/Remove Windows Components. After the Windows Components Wizard screen displays, select Web Application Server and click the Details button. On the Web Application Server screen, select Internet Information Services (IIS) and click the Details button. Next, select World Wide Web Service and click the Details button. Finally, select Remote Desktop Web Connection, click OK three times, and then click Next.
Figure 11.3. Log on to a remote computer using Remote Desktop Web Client.
The Remote Desktop Web Client opens in a browser window, which is obviously different from the normal Remote Desktop Connection Client. However, if you choose to log on in Full Screen mode, the view is just like that of the Remote Desktop client.
New Administration
In addition to a new name and a new client, terminal services in Windows Server 2003 provides new features for administration. Terminal services settings can be configured with the usual Terminal Services Configuration MMC snap-in and administered with the Terminal Services Manager MMC snap-in. Plus, these settings have now been exposed so they can be configured with Windows Management Instrumentation (WMI) through scripts, the WMIC command line, or Active Directory Services Interface (ADSI). Probably the most useful enhancement is the addition of a number of group policy settings for configuring these terminal services settings, as shown in Figure 11.4.
Figure 11.4. Group policy settings for configuring Terminal Services.
Figure 11.4 shows the settings under the Computer Configuration section of Group Policy. In addition, a few group policy settings can be configured under the User Configuration section. A lot of the new terminal services group policy settings are available simply for centrally managing settings previously available in Windows 2000. These settings can still be managed via Terminal Services Configuration (for per-server settings) or Active Directory Users and Computers (for per-user settings). Because many administrators are already familiar with the Windows 2000 settings and enumerating all the available group policy settings is too lengthy, we will concentrate here on the new settings. Just remember that for almost every setting you could configure manually in Windows 2000, you can now configure it with group policy. I will point out a couple of notable exceptions.
General Terminal Services Policies
The new settings in the main Terminal Services policy section include the following:
Client/Server Data Redirection
The settings in this new section determine the types of resources that are allowed to be redirected to the client:
Encryption and Security
These settings are covered later in this chapter in the section "Security Enhancements."
Licensing
These settings are used to configure the behavior of a terminal services license server:
Session Directory
These settings are covered later in this chapter in the section "Terminal Server Session Directory."
Special Settings
The following settings cannot be configured via group policy:
In addition to being able to centrally manage terminal server settings with group policy, Windows Server 2003 provides interfaces for configuration with WMI and ADSI. By querying and manipulating the appropriate objects, the previously listed settings can be configured in batch files or scripts. For more information on WMI or ADSI scripting, see www.microsoft.com/technet/scriptcenter. All these new management interfaces make configuring terminal services and managing them centrally much easier. They can also be used for managing Remote Desktop settings on Windows XP. This is particularly useful for implementing Remote Desktop for Administration throughout your organization.
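The points raised by the security message and the Select Remote Users step earlier in this section can be checked from a script through the WMI and ADSI interfaces just described. The following read-only audit is an added example, not code from the book; it assumes Windows PowerShell 2.0 or later is installed, and the function name Get-RemoteDesktopExposure and its output property names are hypothetical.

```powershell
# Added example (not from the book): read-only audit of Remote Desktop exposure.
# Assumes Windows PowerShell 2.0 or later. Function and property names are hypothetical.
function Get-RemoteDesktopExposure {
    param(
        [string]$Computer  = $env:COMPUTERNAME,
        # Assumption: Windows Server 2003 / XP keep the class in root\cimv2;
        # later Windows releases moved it to root\cimv2\TerminalServices.
        [string]$Namespace = 'root\cimv2'
    )

    # 1. WMI: is "Allow users to connect remotely" switched on?
    #    AllowTSConnections is 1 when connections are allowed, 0 when denied.
    $ts = Get-WmiObject -Class Win32_TerminalServiceSetting `
                        -Namespace $Namespace -ComputerName $Computer
    $enabled = ($ts.AllowTSConnections -eq 1)

    # 2. ADSI (WinNT provider): who was added through Select Remote Users?
    #    An empty list does not mean nobody can connect; the Administrator
    #    account has access by default.
    $group   = [ADSI]"WinNT://$Computer/Remote Desktop Users,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })

    # 3. WMI: enabled local accounts that are allowed to have a blank password.
    #    PasswordRequired=False means a blank password is permitted, not that
    #    one is set, so treat each hit as an account to review.
    $filter = 'LocalAccount=True AND Disabled=False AND PasswordRequired=False'
    $review = @(Get-WmiObject -Class Win32_UserAccount -ComputerName $Computer `
                              -Filter $filter | ForEach-Object { $_.Name })

    # Combine the three answers; flag the case the security message warns about.
    New-Object PSObject -Property @{
        Computer             = $Computer
        RemoteDesktopOn      = $enabled
        RemoteDesktopUsers   = $members
        BlankPasswordAllowed = $review
        NeedsReview          = ($enabled -and $review.Count -gt 0)
    }
}

# Audit the local machine and show the result as a list.
Get-RemoteDesktopExposure | Format-List
```

Pass -Computer with a server name to audit a remote machine; the account running the script needs administrative rights there for the WMI queries to succeed.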