Supporting Terminal Servers involves more than just proper configuration; it also involves supporting end users, installing and maintaining applications, and securing and optimizing Terminal Server settings, among other server duties.

Using the Terminal Server Manager

The Terminal Server Manager can be used to manage sessions on a Terminal Server. Process and resource usage on the Terminal Server can be monitored here on a server or per-user basis. When an administrator requires remote control access of a terminal session, she must be running in a terminal session and start the remote control function from within Terminal Server Manager. This tool can also be used to send messages to active session users.

Managing the Command-Line Terminal Services

Windows Server 2003 has many new command-line tools to make Terminal Server administrative tasks much more flexible and scriptable. There are nearly 20 different command-line utilities for Terminal Services. For the complete listing, refer to Windows Server 2003 online help; we've listed a few of the utilities that may prove to be most useful:

Managing Terminal Services Using WMI

Windows Server 2003 has a great new Windows Management Instrumentation (WMI) Provider for Terminal Server management. Administrators can create WMI-based scripts to configure and manage Terminal Servers remotely. The WMI Provider allows an administrator to perform almost every task on a Terminal Server that could have been performed using the command-line tools, Terminal Server Manager, or Terminal Services Configuration snap-in. For a general description of the classes, properties, and methods available in this WMI Provider, refer to the comments within the provider file at %SystemRoot%\system32\Wbem\tscfgwmi.mof.

Supporting and Enabling Terminal Server Users

The Windows Server 2003 and XP Professional systems contain a local group called Remote Desktop Users. This group and the Administrators group are allowed to log on using Terminal Services by default. When a Windows Server 2003 server joins a domain, the Domain Users group can be made a member of the local Remote Desktop Users group, giving all domain users the right to log on through Terminal Services if desired. You can restrict which users can log on using Terminal Services by performing the following:
When applicable, create a Domain Universal or Global Security group for Terminal Server users and add only this group to the Allow Logon Through Terminal Services setting.

Disabling Terminal Services

To disable Terminal Services, use local security policy or Group Policy, where applicable, to define the Deny Logon Through Terminal Services setting and apply it to the Everyone group, as shown in Figure 27.13.

Figure 27.13. Disabling Terminal Services using Group Policy.

Note

Defined Group Policy settings for Terminal Services override local security policy settings; they do not complement one another.

Remotely Managing a Terminal Session

Terminal Server users may require support for tasks such as mapping to a file share, installing a third-party print driver, or just troubleshooting issues within the terminal session. While using the remote control features of Terminal Services, an administrator can interact with users in active sessions with view-only access or complete remote control functionality. The amount of access given to an administrator during a remote control session can be set by the user, but it can be configured at the server level by the administrator. An administrator can remotely control a user's terminal session only from within a separate terminal session. The remote control command can be initiated using Terminal Server Manager or the command-line tool Shadow.exe.

Applying Service Packs and Updates

Applying service packs and updates on a Terminal Server follows the same strategy as outlined in the previous section "Installing Applications for Terminal Server." Test all service packs and updates in an isolated lab environment prior to production release and always create a backup of the system first to allow for rollback, if necessary.

Performing Disaster Recovery on a Terminal Server

Backing up and restoring a Terminal Server follow the same procedures as backing up and restoring a standalone server. Administrators must be sure to back up any local user data, including profiles, and back up the current server system state. The data and system state backup, accompanied with a server build document, are all that an administrator needs to recover the Terminal Server. For detailed steps concerning the creation of server build documents and Windows Server 2003 backup and recovery techniques, refer to Chapter 24, "Documenting a Windows Server 2003 Environment," Chapter 32, "Backing Up a Windows Server 2003 Environment," and Chapter 33, "Recovering from a Disaster."
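
As an added example (not from the original text) for the section "Supporting and Enabling Terminal Server Users," the following PowerShell script lists the members of the Remote Desktop Users and Administrators groups on one server and flags broad principals such as Domain Users. The helper function name, the list of broad principals, the English group names, and the root\cimv2 namespace for Win32_TerminalServiceSetting are assumptions.

```powershell
# Added example: report who can log on through Terminal Services on one server.
# Assumes English group names and the Windows Server 2003 WMI namespace (root\cimv2).
param([string]$ComputerName = $env:COMPUTERNAME)

# Principals broader than a dedicated Terminal Server user group (assumed list).
$broadPrincipals = 'Domain Users', 'Everyone', 'Authenticated Users'

# Groups the text says may log on through Terminal Services by default.
$groupsToAudit = 'Remote Desktop Users', 'Administrators'

function Get-GroupMemberReport {   # hypothetical helper, not a built-in cmdlet
    param([string]$Computer, [string]$Group)
    $adsiGroup = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($member in @($adsiGroup.psbase.Invoke('Members'))) {
        # Members are COM objects; read their properties through reflection.
        $type  = $member.GetType()
        $path  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $class = $type.InvokeMember('Class',   'GetProperty', $null, $member, $null)
        $leaf  = ($path -split '/')[-1]
        New-Object PSObject -Property @{
            Group   = $Group
            Member  = ($path -replace '^WinNT://', '') -replace '/', '\'
            Class   = $class
            TooWide = ($broadPrincipals -contains $leaf)
        }
    }
}

# Is the server accepting Terminal Services connections? (1 = allowed, 0 = denied)
$ts = Get-WmiObject -Class Win32_TerminalServiceSetting -ComputerName $ComputerName
"{0}: AllowTSConnections = {1}" -f $ComputerName, $ts.AllowTSConnections

$report = foreach ($g in $groupsToAudit) { Get-GroupMemberReport $ComputerName $g }
$report | Sort-Object Group, Member |
    Format-Table Group, Member, Class, TooWide -AutoSize

# Surface broad principals in Remote Desktop Users for review.
$report | Where-Object { $_.TooWide -and $_.Group -eq 'Remote Desktop Users' } |
    ForEach-Object {
        Write-Warning ("{0} grants Terminal Services logon to {1}" -f $ComputerName, $_.Member)
    }
```

The script reads group membership only; the Allow and Deny Logon Through Terminal Services user rights set in local security policy or Group Policy are not evaluated and should be reviewed separately.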