Session Directory can use the Windows Load Balancing Service, or a third-party load balancer, and the service can run on any Windows Server 2003-based computer. However, all servers in the Terminal Server farm must be running Windows Server 2003 Enterprise or Datacenter editions.
Remote Desktop for Administration
The Terminal Services administration mode available in Windows 2000 is called Remote Desktop for Administration in Windows Server 2003. Terminal Services is an integral part of the Windows Server 2003 kernel and is available on every installation. Microsoft recommends enabling Remote Desktop for Administration on every Windows Server 2003 system. There is minimal impact on performance, no additional disk space is consumed, and Administrators can access servers from any location.
Enable Remote Desktop for Administration on all Windows Server 2003 systems for ease of administration. It has minimal impact on the system.
Remote Desktop Sessions
Windows Server 2003 offers the same two virtual sessions that were available in Windows 2000 Terminal Services Remote Administration mode, thus enabling two Administrators to log on concurrently. In addition, with Windows Server 2003, an Administrator can remotely connect to the real console of a server, called session 0.
To remotely connect as console, open a command window and enter
mstsc -v:servername /F -console
where mstsc is the RDC executable file, servername is the server to connect to, /F selects full screen mode, and -console indicates connection to the console. You will receive a logon prompt and, with successful authentication, be logged on just as if you were sitting at the physical console. Note that when you connect as console, no other user has to be already logged onto the console.
If another user is already connected to the console, you receive this message: "The user [username] is logged locally on to this computer. The user has been idle for [n] minutes. The desktop is unlocked. If you continue, this user's session will end and any unsaved data will be lost. Do you want to continue?"
Remote connection to console expands the scope of system administration by allowing remote application installation. Also, tools that will not work in a virtual session can now be run using session 0.
Advantages of Remote Administration
Windows Server 2003 offers new remote administration features:
Less administrative overhead.
Server management via WAN, Virtual Private Network (VPN), or dial-up connection.
Batch jobs such as tape backups can be started remotely. The session can be disconnected, and then the Administrator can connect later to check the progress of the job.
Upgrades to applications and to the OS can be done remotely.
Disk defragmenting, system rebooting, and other jobs requiring a console connection can now be done remotely.
Remote Administrators can now perform domain controller (DC) promotion and demotion.
Terminal Services clients can now graphically manage Windows Server 2003 and Windows 2000 servers. Terminal Services clients include Windows XP Professional, Windows 2000, Windows NT, Windows 98, Windows 95, Windows for Workgroups, Windows CE .NET, and Macintosh OS X.
A session can be shared by two remote Administrators for collaboration.
The full Remote Desktop Protocol feature set is available, including local and network printing, serial device redirection, file system disk redirection, clipboard mapping, SmartCard redirection, and virtual channel application support.
No Terminal Server Client Access License (CAL) is required to use Remote Desktop for Administration.
Configuring Remote Desktop
With Windows 2000 Server, the Administrator can choose either application server or remote administration mode when installing Terminal Services. With Windows Server 2003, the server can run in both modes simultaneously and they are configured separately.
To enable Remote Desktop for Administration, go to Control Panel, System, and select the Remote tab, as shown in Figure 15.2.
Figure 15.2. Enabling Remote Desktop for Administration.
In Windows Server 2003, Administrators can use one of three methods to connect to the console:
Remote Desktop Microsoft Management Console (MMC) snap-in
RDC (mstsc.exe) program with the -console switch
Remote Desktop Web Connection pages that set the console connection option
By connecting to the console, Administrators can now remotely defragment, reboot, and perform DC promotion and demotion.
Microsoft Remote Desktop Protocol
RDCs use Remote Desktop Protocol 5.2 and can connect to previous versions of Terminal Services as well as Windows Server 2003 systems. Remote Desktop Protocol 5.2 communicates over a TCP/IP network connection and is based on an international standard, multichannel protocol called the International Telecommunications Union (ITU) T.120 protocol, which was first used in Microsoft's NetMeeting conferencing software. This protocol is optimized for high and low bandwidth connections and supports three levels of encryption. See the "Session Encryption Levels" section in this chapter for more details on encryption.
Remote Desktop Protocol supports the following devices:
16-bit Windows-based computers running Windows for Workgroups with MS TCP/IP-32
32-bit Windows-based computers running Windows 95, Windows 98, Windows NT 3.51, Windows NT 4.0, Windows 2000 Professional, Windows XP Professional, or Windows Server 2003
Windows CE-based handheld professional devices (H/PC Pro 3.0)
Windows CE-based terminals
RDC is built into Windows XP and Windows Server 2003. There are several different ways to install RDC on other computers:
Push installation using Microsoft's Systems Management Server.
Group Policy can publish/assign the Windows Installer-based RDC.
Install from the Terminal Services client installation directory on Windows Server 2003 or on Windows 2000.
Install directly from the Windows XP or Windows Server 2003 CD, using the Perform Additional Tasks selection from the CD's autoplay menu. (This does not require installing the OS.)
Download the RDC from http://www.microsoft.com/windowsxp/remotedesktop/.
Session Encryption Levels
High encryption is the default for all terminal sessions. This provides bidirectional security using a 128-bit cipher. However, not all clients support high-level encryption and might not be able to connect. Set the encryption level to Client Compatible to provide the highest encryption level supported by the client.
To change the encryption level, go to Programs, Administrative Tools, and select Terminal Services Configuration. Highlight the RDP-Tcp connection, right-click, and select Properties. The encryption options are listed on the General tab and include Low, Client Compatible, High, and FIPS Compliant. Figure 15.3 shows the Properties configuration screen.
Figure 15.3. Changing the encryption level.
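The encryption level set through Terminal Services Configuration is stored as the MinEncryptionLevel value of the RDP-Tcp listener, so it can be audited from a registry export. The following Python script is an added example, not code from the book or from Microsoft: it parses constructed output of the reg query command for that listener, names the level found, checks it against a required minimum, and, where the listener falls short, returns the reg add command that raises it. The value name, the registry path and the 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant numbering are assumptions taken from Microsoft's documented mapping for the listener; the sample outputs are constructed.

```python
import re

# Numeric MinEncryptionLevel values of the RDP-Tcp listener, in the mapping
# Microsoft documents for the Terminal Services listener (assumption stated
# in the lead-in; verify on your own system).
LEVELS = {1: "Low", 2: "Client Compatible", 3: "High", 4: "FIPS Compliant"}
RDP_TCP_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"

# Constructed sample output of:
#   reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel
# on a listener someone set to Low, and the same listener after correction.
WEAK_LISTENER = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    MinEncryptionLevel    REG_DWORD    0x1
"""
HARDENED_LISTENER = WEAK_LISTENER.replace("0x1", "0x3")

# A registry value line as printed by reg query: name, type, data.
VALUE_LINE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>\S+)\s*$")


def parse_reg_query(text):
    """Return {value name: int} for every REG_DWORD line in reg query output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m and m.group("type") == "REG_DWORD":
            values[m.group("name")] = int(m.group("data"), 16)
    return values


def audit_encryption_level(reg_output, required="High"):
    """Compare the listener's minimum encryption level with the required one.

    Returns the level name, whether it meets the requirement, a one-line
    finding and, when non-compliant, the reg command that raises the level.
    """
    required_num = {name: num for num, name in LEVELS.items()}[required]
    level = parse_reg_query(reg_output).get("MinEncryptionLevel")
    if level is None:
        return {"level": None, "compliant": False,
                "finding": "MinEncryptionLevel not found in reg output", "fix": None}
    name = LEVELS.get(level, "Unknown (%d)" % level)
    compliant = level >= required_num
    finding = "RDP-Tcp minimum encryption level is %s" % name
    if level == 1:
        # Low encrypts only data sent from client to server.
        finding += "; Low protects only client-to-server traffic"
    fix = None
    if not compliant:
        fix = 'reg add "%s" /v MinEncryptionLevel /t REG_DWORD /d %d /f' % (RDP_TCP_KEY, required_num)
    return {"level": name, "compliant": compliant, "finding": finding, "fix": fix}


if __name__ == "__main__":
    for label, output in (("weak", WEAK_LISTENER), ("hardened", HARDENED_LISTENER)):
        print(label, audit_encryption_level(output))
```

Pass required="Client Compatible" where older clients must still connect, which matches the fallback the section recommends; the reg add command returned for a non-compliant listener is the command-line equivalent of the Terminal Services Configuration change described above, and the listener must be restarted or the server rebooted for it to apply to new sessions.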
Remote Desktop for Administration Best Practices
The following are recommendations for use of Remote Desktop for Administration:
Use the console connection rather than another virtual session to remotely administer servers and to install applications. This ensures that all pop-up and console messages are displayed. When a remote console session is active, the physical console of the server is automatically locked to prevent eavesdropping.
Before remotely administering a system, check to see whether another administrative session is active. Multiple simultaneous administration sessions can lead to unexpected problems. For example, if two Administrators are trying to reconfigure a disk subsystem at the same time, loss of data can result, as well as other unexpected results. The two virtual connections plus console can be used with caution for collaborative operations. To check for the presence of other Administrators, use the Terminal Services Manager utility under Administrative Tools, or the query user command-line utility. The Windows 2000 Server Resource Kit has a system tray icon tool, winsta.exe, which shows the number of active sessions.
Don't use a Remote Administration session to run general desktop applications because they might not perform optimally. To run applications remotely, establish a regular Terminal Services session to make sure the application runs in the correct environment.
Make sure the Remote Desktop session is configured to disconnect when the network connection is broken. This is the default setting and allows any programs that are running to continue execution. If the session is configured to reset when the connection breaks, all processes running will be immediately terminated, similar to using End Task to stop an application.
If two remote sessions using different user accounts are in either an active or a disconnected state, a remote Administrator will be locked out of the server. To prevent this from happening, disconnect timeouts can be set. However, critical remote sessions that are disconnected intentionally or unintentionally can be inadvertently reset using this method. To avoid this problem, use a shared Administrator account, such as the local machine account, to administer the system. Then, configure this account to not reset if disconnected using the account Properties tab. Be aware that Group Policy settings might override the account Properties tab settings.
Avoid remotely rebooting critical servers unless you have physical access to the server should a problem occur. Something as simple as a floppy disk in the disk drive could prevent a server from rebooting.
The Terminal Services Manager can be used to control another Terminal Services session remotely. The console session cannot be controlled in this manner, but you can send messages to the console session. For more details, refer to the Help in the Terminal Services Manager program.
Configure disconnect timeouts if more than one account is used for remote administration. This will avoid account lockouts, which can occur if a session is active or is dropped.
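The second recommendation above (check for other administrative sessions before connecting) and the lockout described under disconnect timeouts (two remote sessions under different accounts, active or disconnected, leave no virtual session for a third Administrator) can both be scripted from the output of the query user command. The following Python script is an added example, not code from the book or from any Microsoft tool: it parses constructed query user output, where the empty SESSIONNAME column of a disconnected session is the case a plain whitespace split gets wrong, and reports whether a -console connection would end another user's console session, whether both virtual sessions are already taken, and which sessions are sitting disconnected. The column layout, the user names and dates, and the two-session limit (taken from the "Remote Desktop Sessions" section) are assumptions or constructed data.

```python
import re

# Constructed sample of `query user` output from a Windows Server 2003 system
# (assumption: the column layout shown here). A disconnected session prints
# an empty SESSIONNAME column, which a plain whitespace split gets wrong.
SAMPLE_QUERY_USER = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         console             0  Active         .   1/10/2004 9:15 AM
 backupop                                  1  Disc        1:23   1/10/2004 8:02 AM
 jdoe                  rdp-tcp#2           2  Active         5   1/10/2004 9:30 AM
"""

# One session row: '>' marks the session the command ran in; SESSIONNAME is
# optional because disconnected sessions have none.
ROW = re.compile(
    r"^(?P<current>[ >])(?P<user>\S+)\s+(?:(?P<session>\S+)\s+)?"
    r"(?P<id>\d+)\s+(?P<state>Active|Disc)\s+(?P<idle>\S+)\s+(?P<logon>.+?)\s*$"
)

# Remote Desktop for Administration allows two virtual sessions plus the console.
MAX_REMOTE_SESSIONS = 2
CONSOLE_ID = 0  # session 0 is the physical console


def parse_query_user(text):
    """Parse `query user` output into a list of session dicts."""
    sessions = []
    for line in text.splitlines():
        if not line.strip() or line.split()[0] == "USERNAME":
            continue
        m = ROW.match(line)
        if m is None:
            raise ValueError("unrecognised query user line: %r" % line)
        sessions.append({
            "user": m.group("user").lower(),
            "session_name": m.group("session") or "",
            "id": int(m.group("id")),
            "state": m.group("state"),
            "idle": m.group("idle"),
            "logon": m.group("logon"),
            "is_current": m.group("current") == ">",
        })
    return sessions


def assess(sessions, my_user):
    """Summarise what an Administrator should know before connecting remotely."""
    my_user = my_user.lower()
    console = next((s for s in sessions if s["id"] == CONSOLE_ID), None)
    # Active and disconnected remote sessions both occupy a virtual session slot.
    remote = [s for s in sessions if s["id"] != CONSOLE_ID and s["state"] in ("Active", "Disc")]
    others = [s for s in sessions if s["user"] != my_user]
    return {
        "console_user": console["user"] if console else None,
        # Connecting with -console ends an active console session of another user.
        "console_takeover_ends_session": bool(console and console["state"] == "Active"
                                              and console["user"] != my_user),
        "remote_slots_used": len(remote),
        # Locked out: both slots taken and none of them is ours to reconnect to.
        "locked_out": len(remote) >= MAX_REMOTE_SESSIONS
                      and all(s["user"] != my_user for s in remote),
        "disconnected": [s["user"] for s in remote if s["state"] == "Disc"],
        "other_admins_active": sorted(s["user"] for s in others if s["state"] == "Active"),
    }


if __name__ == "__main__":
    report = assess(parse_query_user(SAMPLE_QUERY_USER), my_user="hpadmin")
    for key, value in report.items():
        print("%-30s %s" % (key, value))
```

Run query user against the server (with the /server option) or over an existing session, feed its output to parse_query_user, and connect with mstsc -v:servername /F -console only when console_takeover_ends_session is false or the console user has been contacted; a non-empty disconnected list is the situation in which the disconnect timeouts recommended above prevent the lockout the report flags.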
ProLiant's iLO Now Provides "Terminal Services Pass-through Service" for Windows Remote Console Sessions
ProLiant servers with the iLO Advanced Features Pack enabled can leverage iLO's remote console function to provide Terminal Services pass through of a Windows Remote Desktop Connection to Windows Server.
Beginning with iLO firmware version 1.50, the iLO can leverage the OS functionality of Windows Terminal Services and a remote desktop connection to significantly increase the responsiveness of the graphical remote console. Terminal Services complements the technology within iLO by providing a software-based remote console when the Windows Server OS is functioning normally. In the event the Windows Server OS is not functioning normally, iLO can revert to the hardware-based console at any time. This gives Administrators the performance of an OS-based, graphical remote console with the assurance that the hardware-based iLO remote console is available at all times. The Terminal Services capability is an expansion of the iLO graphical remote console technology; therefore, it is part of the iLO Advanced Feature Pack. The iLO processor works with the Terminal Services application, using the "HP iLO Pass-through service" (HPLOPTS.EXE) in combination with version 1.50 or later of the iLO firmware, to access the Windows Terminal Services Remote Desktop Protocol.
The HP iLO Pass-through Service for Microsoft Terminal Services, iLO Firmware and Windows Server drivers is available at the HP ProLiant Software and Drivers Web site: http://h18000.www1.hp.com/support/files/server/us/index.html
Once the correct level of firmware, drivers, and the iLO Pass-through Service for Microsoft Terminal Services are installed, system administrators can use either of the following procedures to take advantage of Terminal Services pass-through:
From a Web browser, connect to the iLO, log in, and access the remote console page and click on the Terminal Services Button to launch a Windows remote console session.
From a remote Windows XP system or Windows Server 2003 system, run the Remote Desktop Connection applet, enter the IP address of the iLO, and click the connect button.
When the administrator initiates a Terminal Services connection, the iLO remote console applet activates the Terminal Services client application, which connects to iLO on the host server. The iLO device passes all the Terminal Services traffic to the managed server and completes the connection between the iLO browser and the Windows OS. Because Terminal Services is OS-based, it has the primitives that tell the OS how to open a window, the size of the window, and so on. Therefore, the Terminal Services application transmits only small amounts of information across the network for improved graphical remote console performance.