Supporting Terminal Services

Supporting Terminal Servers involves more than just proper configuration; it also involves supporting end users, installing and maintaining applications, and securing and optimizing Terminal Server settings, among other server duties.

Using the Terminal Server Manager

The Terminal Server Manager can be used to manage sessions on a Terminal Server. Process and resource usage on the Terminal Server can be monitored here on a server or per-user basis. When an administrator requires remote control access of a terminal session, she must be running in a terminal session and start the remote control function from within Terminal Server Manager. This tool can also be used to send messages to active session users.

Managing the Command-Line Terminal Services

Windows Server 2003 has many new command-line tools to make Terminal Server administrative tasks much more flexible and scriptable. There are nearly 20 different command-line utilities for Terminal Services. For the complete listing, refer to Windows Server 2003 online help; we've listed a few of the utilities that may prove to be most useful:

• tskill.exe This tool can be used to kill hung or stuck processes or applications in any active session without having to connect to the session using remote control.

• Shadow.exe This tool initiates a shadow or remote control session from a command prompt or script.

• Query.exe {Process, Session, Termserver, User} This tool allows the administrator to query a particular server to get a list of current active and inactive sessions and processes.

• TSShutdn.exe This tool allows an administrator to remotely shut down or reboot a Terminal Server. This tool can notify existing users how long before the shutdown occurs.

Managing Terminal Services Using WMI

Windows Server 2003 has a great new Windows Management Instrumentation (WMI) Provider for Terminal Server management. Administrators can create WMI-based scripts to configure and manage Terminal Servers remotely. The WMI Provider allows an administrator to perform almost every task on a Terminal Server that could have been performed using the command-line tools, Terminal Server Manager, or Terminal Services Configuration snap-in. The general description of classes, properties, and methods available in this WMI Provider refer to the comments within the provider file at %SystemRoot\system32\Wbem\tscfgwmi.mof.

Supporting and Enabling Terminal Server Users

The Windows Server 2003 and XP Professional systems contain a local group called Remote Desktop Users. This group and the Administrators group are allowed to log on using Terminal Services by default. When a Windows Server 2003 server joins a domain, the Domain Users group can be made a member of the local Remote Desktop Users group, giving all domain users the right to log on through Terminal Services if desired.

You can restrict which users can log on using Terminal Services by performing the following:

• For a standalone implementation of a Terminal Server, add or remove members from the local Remote Desktop Users group to control Terminal Server logon access.

• For Terminal Servers in a domain, use Group Policy to control logon access by defining the Allow Logon Through Terminal Services setting and add the appropriate groups or users.

When applicable, create a Domain Universal or Global Security group for Terminal Server users and add only this group to the Allow Logon Through Terminal Services setting.

Disabling Terminal Services

To disable Terminal Services, use local security policy or Group Policy, where applicable, to define the Deny Logon Through Terminal Services setting and apply it to the Everyone group, as shown in Figure 27.13.

Figure 27.13. Disabling Terminal Services using Group Policy.

Note

Defined Group Policy settings for Terminal Services override local security policy settings; they do not complement one another.

Remotely Managing a Terminal Session

Terminal Server users may require support for tasks such as mapping to a file share, installing a third-party print driver, or just troubleshooting issues within the terminal session. While using the remote control features of Terminal Services, an administrator can interact with users in active sessions with view-only access or complete remote control functionality. The amount of access given to an administrator during a remote control session can be set by the user, but it can be configured at the server level by the administrator.

An administrator can remotely control a user's terminal session only from within a separate terminal session. The remote control command can be initiated using Terminal Server Manager or the command-line tool Shadow.exe.

Applying Service Packs and Updates

Applying service packs and updates on a Terminal Server follows the same strategy as outlined in the previous section "Installing Applications for Terminal Server." Test all service packs and updates in an isolated lab environment prior to production release and always create a backup of the system first to allow for rollback, if necessary.

Performing Disaster Recovery on a Terminal Server

Backing up and restoring a Terminal Server follow the same procedures as backing up and restoring a standalone server. Administrators must be sure to back up any local user data, including profiles, and back up the current server system state. The data and system state backup, accompanied with a server build document, are all that an administrator needs to recover the Terminal Server. For detailed steps concerning the creation of server build documents and Windows Server 2003 backup and recovery techniques, refer to Chapter 24, "Documenting a Windows Server 2003 Environment," Chapter 32, "Backing Up a Windows Server 2003 Environment," and Chapter 33, "Recovering from a Disaster."