Other Terminal Services Enhancements

Finally, let’s briefly talk about three other features of Terminal Services in Windows Server 2008:

• WMI Provider for scripted management of Terminal Services features

• Integrating Windows System Resource Manager with Terminal Services

• Terminal Services Session Broker

Terminal Services WMI Provider

Windows Server 2008 and Windows Vista have many enhancements to WMI compared with previous versions of Microsoft Windows, and we’ve already covered these enhancements earlier in Chapter 4. Let’s hear from our experts on the Terminal Services team concerning these WMI enhancements, including some tips on how to use WMI for managing Terminal Services:

The TS WMI (tscfgwmi) provider offers a rich set of class templates that allows a TS server to be configured remotely or locally. For it to work properly, however, several things need to happen:

1. By default, only user accounts that are part of the administrators group are allowed to read and write WMI properties and methods.

2. There is a User Account Control (UAC) consideration if you use the TS WMI provider locally. Run the script or application that uses TS WMI as an elevated process. If you receive a message that says, “Access Denied (0x80041003), Unspecified Error (0x80004005),” most likely you’re using the TS WMI provider with a protected administrator and the process or application is not being elevated.

   If you are using the TS WMI provider remotely, the user account needs to be a domain user that is part of the local administrators group on the remote machine.

3. If you are using the TS WMI provider remotely, make sure the following firewall exceptions are selected:

   • If the remote machine is in TS Remote Administration mode: File And Printer Sharing, Windows Management Instrumentation (WMI)

   • If the remote machine is in TS Application mode: Terminal Services

     If firewall exceptions are not properly configured, the return error code HRESULT can be WBEM_E_ACCESS_DENIED (0x80041003), RPC Server Is Unavailable (Win32 0x800706ba).

4. 4. Note that in Win2k3/XP, the TS WMI provider is grouped in the root/cimv2 namespace. In Windows Vista/Windows Server 2008, it is grouped in the root/cimv2/TerminalServices namespace. WMI security impersonation level wbemImpersonationLevelImpersonate and security authentication level wbemAuthenticationLevelPktPrivacy settings are also required for Windows Vista/ Windows Server 2008. If an incorrect namespace is specified, the return error code HRESULT is WBEM_E_INVALID_NAMESPACE (0x8004100E).

   TS WMI is also the abstraction layer of the Terminal Services Configuration UI tool (TSConfig.msc). Essentially, TSConfig is a UI tool that uses TS WMI to do the actual work. This also means that TS WMI can be used to troubleshoot errors when using TSConfig. For example, if you get an “Unspecified error” message when using TSConfig, you need to set the Remote Control Setting by writing a small script with TS WMI that uses the Win32_TSRemoteControlSetting class template. If you get the same error with the script, most likely it is a UAC issue.

   Other Tips

   Wbemtest.exe (which comes with Windows Vista/Windows Server 2008 at %windir%\System32\Wbem) is a great tool to use if you want to find out more information about a particular WMI class template and which WMI class templates are available. It can be used to query all class templates within a namespace. It is also able to show a brief description of what a particular property or method does. For example, to list all available class templates for the namespace TerminalServices, follow these steps:

5. Open a cmd shell running as administrator.

6. Type wbemtest.

7. Click the Connect button, connect to the namespace root\cimv2\TerminalServices, select Packet Privacy under Authenticationlevel, and click the Connect button.

8. Under Method Invocation Options, select the Use Amended Qualifiers check box.

9. Click the Enum Classes button, leave the Enter Superclass Name edit box empty, select the Recursive option, and then click the OK button. A Query Result dialog will show up with all the class templates under the TerminalServices namespace.

   Now if you want to know more about remote control settings, all you need to do is double-click on the Win32_TSRemotecontrolSetting within the Query Result list, and a new Object Editor dialog will show up. Clicking on the Show MOF button will give you a brief description concerning each of the Win32_TSRemotecontrolSetting properties and methods.

   For more info on Wbemtest, see http://technet2.microsoft.com/WindowsServer/en/ library/1033.mspx?mfr=true. And please visit http://blogs.msdn.com/ts/archive/2006/10/03/Terminal-Services-_2800_TS_2900_-Remote-Configuration-Primer-Part-1.aspx for a quick primer on the TS WMI provider.

   –Soo Kuan Teo

   Software Development Engineer in Test, Terminal Services

And here’s a sidebar from another expert concerning another new feature of Windows Server 2008-the ability to use WMI to track Terminal Services licensing:

Up until Windows Server 2003, TS Licensing did not have a way to dynamically monitor the usage of licenses. With the WMI providers introduced in Windows Server 2008, you can write scripts that track the number of licenses issued to devices or users. No more worrying about being caught unaware-write a script, put it in as a scheduled task for whatever interval you want the monitoring to happen, and track license usage.

Here are the WMI providers that you can use for tracking Per-Device and Per-User CAL usage:

• For tracking Per-Device license usage, you need to query all the instances of key packs installed on the License Server. To do this, query all instances of Win32_TSLicenseKeyPack. Within each instance, you can get the count of issued vs. available licenses using the properties TotalLicenses and AvailableLicenses.

• For tracking Per-User license count, you can query the most recent report generated or create one if it does not exist. To generate a report, call the static method GenerateReport on the class Win32_TSLicenseReport. This method returns a file name that you can use to go through the details. You can also enumerate existing reports by enumerating instances of the Win32_TSLicenseReport class. The report names are generated based on the date and time. Choose the latest from the set, and then look at the properties InstalledLicenses and LicenseUsageCount to get a number for how many licenses were used up for Per-User licensing.

  –Aruna Somendra

  Program Manager, Terminal Services

Windows System Resource Manager

Windows System Resource Manager (WSRM) is an optional feature of Windows Server 2008 that can be used to control how CPU and memory resources are allocated to applications, services, and processes running on a computer. WSRM is not a feature of Terminal Services, but if you install it on a terminal server you can control allocation of such resources for Terminal Services users and sessions.

WSRM works by using resource allocation policies to manage how computer resources (memory and CPU) are allocated to processes running on the machine. When you install the WSRM feature on a terminal server, you have a choice of two policies you can use:

• Equal_Per_User This means that CPU allocation is divided on an equal-shares basis among all users, and any processes created by the user are able to use as much of the user’s total CPU allocation as might be necessary.

• Equal_Per_Session This policy is new to Windows Server 2008 and means that each user session with its associated processes gets an equal share of the CPU resources of the system.

The usefulness of the new Equal_Per_User resource allocation policy in a Terminal Services environment where WSRM is being used is when you have multiple sessions running for the same user. For example, say you have two sessions running for the same user, and another session running for a second user. In this case, the first two sessions will get same amount of CPU resources allocated as the third session. By contrast, if the Equal_Per_Session policy is being used, the first user will get twice the CPU resources as the second user. Note, however, that the default setting in Windows Server 2008 is for Terminal Services users to be restricted to running only a single session. (You can configure this restriction from the main page of the Terminal Services Configuration snap-in in Server Manager.)

Terminal Services Session Broker

Terminal Services Session Broker (TS Session Broker) is the new Windows Server 2008 name for what used to be called Terminal Services Session Directory, a feature that allows users to automatically reconnect to a disconnected session in a load-balanced Windows Server 2003 terminal server farm. The session directory maintains a list of sessions indexed by user name and terminal server name. It enables the user, after disconnecting a session, to reconnect to the same terminal server where the disconnected session resides so that she can resume working in that session. Furthermore, this reconnection process will work even if the user connects from a different client computer than the one used to initiate the session.

In Windows Server 2003, load balancing for terminal servers can be provided by using either the built-in Network Load Balancing (NLB) component or a third-party load balancing solution. As terminal servers become more and more mission-critical for hosting business applications, doing this becomes more and more important. By combining NLB with Terminal Services Session Directory, Windows Server 2003 terminal server farms can thus provide scale-out capability and also help ensure business continuity.

In Windows Server 2008, Terminal Services Session Directory is now called TS Session Broker and includes out-of-the-box load-balancing capability designed to replace Microsoft NLB; however, Session Broker will continue to work with both NLB and third-party solutions. In addition, while Session Directory required the Enterprise or higher SKU of Windows Server 2003, TS Session Broker is available even in the Standard Edition of Windows Server 2008.

Enabling TS Session Broker is done using the Terminal Services Configuration snap-in. Double-click the Member Of Farm In TS Session Broker link at the bottom of the center Details pane to open a Properties sheet. Then, on the TS Session Broker tab, select the check box labeled Join A Farm In TS Session Broker and fill in the remaining details (you need to do this on all terminal servers in your farm).

With Windows Server 2008, there are two key deployment scenarios for Session Broker:

• Session Broker Load Balancing Session Broker provides a simple-to-deploy load balancing solution for small scale deployments. Create a DNS record for the farm that contains the IP address of the terminal servers in the farm. DNS (or DNS round robin) will direct the initial connection to a server in the farm; however, Session Broker will perform the actual load balancing and direct the user to the least loaded terminal server in the farm (based on number of Windows sessions). The TS Client provides basic failover support for the initial connection, and in the case of a server failure, will automatically try the next entry in the DNS record after a 20 second time-out. Session Broker is capable of detecting server failures and not direct users to a server that is down. Alternatively, NLB or another connection routing mechanism can be used in place of DNS.

• Third-party Load Balancing (or MS NLB) Session Broker can be deployed in the same configuration as Windows Server 2003 Session Directory, using any third-party hardware load balancers.

Finally, with the regular stream of patches and application updates admins are faced with these days, it can be difficult to find a time when a terminal server can be brought offline without interrupting user experience. Starting with Beta 3 of Windows Server 2008, the new Server Draining feature enables planned maintenance for TS Session Broker load balancing farms without interruption of user experience. The following sidebar explains more.

Administrators typically would like to drain their servers to apply security update patches and keep the machine up to date. In this scenario, they would try to prevent new users from logging on to the server; at the same time, they would want to get current users actively using the machine to save their work and log off in a phased manner.

In Windows Server 2003, a very primitive form of server draining is supported by using a command-line tool called chglogon.exe. The chglogon.exe /disable switch prevents any new logons from occurring in the machine. However, it also prevents users who already have disconnected sessions from reconnecting to their disconnected sessions enabling them to log off gracefully and save their work.

In Windows Server 2008, server draining is introduced. This can be enabled by using a command-line tool (new flags to chglogon.exe), using the Terminal Services Configuration tool, and also via WMI. When a server is put in drain mode, new logons are not allowed, but users who already have a disconnected session are allowed to reconnect. In addition, for remote administration purposes, administrators who connect with the /admin switch are allowed to log on, even if drain mode is set. This mode is supported only when the TS role is installed.

We expect that this enhanced drain support will enable IT administrators to patch their servers in a way that causes minimal trouble to all the remote users. Before taking the server down for patching and installing updates, administrators can enable drain mode and then send a message that prompts users to save their work and log off in a day or two!

Also, we have relevant events logged in the Windows event log when somebody is not allowed to log on because the server is in drain mode. We recommend that administrators check the event log for relevant events to determine whether drain mode was indeed the cause for someone to be denied logon from a remote site.

–Sriram Sampath

Development Lead, Terminal Services