Windows Terminal Services can be centrally administered and configured across your domain from a single console. Four main applications are used to administer your Terminal Services servers and clients:
Terminal Services Manager (Tsadmin.exe) is the main mechanism for managing the various connections to your servers. A typical Terminal Services Manager window is shown in Figure 25-8. From here you can see not only the available terminal servers on your network, but also who is connected to them, which sessions are active, which protocols are being used, and so on.
Figure 25-8. A typical Terminal Services Manager window.
Terminal Services Manager shows all of the servers in your domain. By default, it connects to only a single server at a time, although you can opt to connect to all of the available servers at once. The icons for the current active connection, server, and domain are shown in a different color (green, by default). With Terminal Services Manager, you can view and manage the users, sessions, and processes by network, domain, server, or connection, giving you a comprehensive look at the critical information for your Terminal Services deployment.
You can use Terminal Services Manager to identify all of the servers in your network that are currently active or all of the servers in a particular domain. To find all the servers in a domain, right-click the domain name in the left pane of Terminal Services Manager and select Find Servers In Domain. To find all the servers on your network, right-click All Listed Servers and choose Find Servers In All Domains, shown in Figure 25-9.
CAUTION
Using either of the Find Servers commands causes a domain-wide or network-wide series of broadcast messages. Use this command with caution.
Figure 25-9. The shortcut menu for All Listed Servers in the Terminal Services Manager window.
To manage the processes, sessions, and users connected to a given server, you need to first connect to that server using Terminal Services Manager. To connect to a server, right-click the server's icon in the left pane of Terminal Services Manager and choose Connect. To connect to all the servers in a domain, right-click the domain name in the left pane of Terminal Services Manager, shown in Figure 25-10, and choose Connect To All Servers In Domain. To connect to all the servers on your network, right-click the All Listed Servers icon and choose Connect To All Servers.
Figure 25-10. Connecting to all servers in a domain.
CAUTION
Connecting to all the servers in a domain or network is a network-intensive process and can seriously deteriorate network performance. Under normal circumstances, you should connect only to an individual server.
Terminal Services Manager lets you view and manage each of the connections to your terminal servers, including locally logged on connections that show as a console session. From any nonconsole session that has sufficient permissions, you can forcibly disconnect a session, reset a session entirely, log off a session, view the status of the connection, manage users' sessions, send a message to the display of a connection, use remote control to take control of a session on the connection, and connect to any other session. You can also use Terminal Services Manager to see a variety of information about the processes and status of the connections to a server and even to kill a hung process.
NOTE
Within a console session, the only feature available is Send Message. This makes managing your servers from one of their consoles difficult. If your normal workstation is, in fact, the console of one of your servers, open a terminal session to your own server and work from that—you'll have full capability to manage and control your Terminal Services environment from there.
Disconnecting Sessions
When a session is disconnected, all the programs of that session continue to run but the input and output from the session are no longer transmitted to the remote terminal. Disconnecting a session leaves user programs and data in their normal state, protecting them from loss of data. Disconnecting a session doesn't release memory or other resources from the server, and the session continues to be counted as a licensed session.
Any user can disconnect his or her own session, or an administrator with the Full Control privilege can disconnect a session. To disconnect a session using Terminal Services Manager, right-click the session in either pane of Terminal Services Manager and choose Disconnect from the shortcut menu. You'll be prompted for confirmation, shown in Figure 25-11. Click OK and the session will be disconnected.
Figure 25-11. Confirming disconnection of a session.
You can disconnect multiple sessions on multiple servers as well. Simply highlight the sessions in the right pane of Terminal Services Manager and right-click. Choose Disconnect from the menu, click OK in the prompt shown in Figure 25-11, and the sessions will be disconnected. The console where the sessions are being displayed will receive a message like that shown in Figure 25-12. When you click Close in the message, the message box will disappear.
Figure 25-12. The Terminal Services Client Disconnected message box.
REAL WORLD Using Disconnect to Manage Your Sessions from Multiple Locations
Disconnecting from a Terminal Services session has a lot of advantages for the mobile user who may need to connect from a different location or who wants to be able to work in relatively short bursts as time permits. When you disconnect from a session, everything continues to run, just as if you were connected. So when you reconnect to the same server, the session is restored exactly as you left it. Then you can easily return to a project or document exactly where you left off.
Resetting Sessions
You can reset a session if the session is your own or if you have the Full Control privilege for sessions. When you reset a session, all work in that session is lost, programs stop running, and memory is freed. To reset a session, right-click the session and choose Reset from the menu. You'll get a warning message. Click OK and the session will be reset.
You can reset multiple sessions by highlighting them in the right pane of Terminal Services Manager, right-clicking them, and selecting Reset. You must have the Full Control privilege for each of these sessions, or they must be your own.
CAUTION
Resetting a session can result in data loss for the user of that session. You should reset a session only when the session has stopped responding or has otherwise malfunctioned.
Logging Off a Session
You can log off your own session or log off a user's session if you have the Full Control privilege. Right-click the session in the right pane of Terminal Services Manager and select Log Off from the shortcut menu, shown in Figure 25-13. You'll get a warning that the user's session will be logged off. If you click OK, the session will be logged off. Logging off a session will free up any resources used by that session, returning them for use by other connections.
CAUTION
Logging off a session can result in data loss for users of that session. You should always warn users by sending them a message before logging off their session.
Figure 25-13. The shortcut menu for the Users tab of Terminal Services Manager.
Viewing Processes and Other Information About a Session
You can view the active processes in a session and a variety of other information about the session, including which client the session is coming from, the security level, the session resolution, and so forth. To view the active processes in a session, highlight the session in the left pane of Terminal Services Manager and click the Processes tab in the right pane, shown in Figure 25-14. To view information about the same session, click the Information tab in the right pane, shown in Figure 25-15.
You can also use Terminal Services Manager to show all the processes, users, and sessions on a given server, for the whole domain, or for the entire network. The Processes tab is shown in Figure 25-16 for the entire Scribes domain. You can sort the processes by user, session, or server. If you have the Full Control privilege, you can even kill a process from here, although the usual caveats about killing processes apply.
Figure 25-14. The Processes tab of Terminal Services Manager.
Figure 25-15. The Information tab of Terminal Services Manager.
Managing User Sessions
You can use Terminal Services Manager to view and manage the user sessions on a particular server or across the entire domain or network. To view all of the users across your entire domain, highlight the domain name in the left pane of Terminal Services Manager and click the Users tab in the right pane. In the left pane, you'll see a list of all the servers in the domain, and the connected users appear in the right pane. You can select any entry in the right pane and send a message to the user's session, disconnect the session, or take control of the user's session for troubleshooting or training.
Figure 25-16. The Processes tab for the entire Scribes domain in Terminal Services Manager.
Sending a Message to a Session
You can use Terminal Services Manager to send a message to a particular session. To send a message to all of the sessions on a particular server, however, you need to use the command-line Msg program. To send a message to a particular session or user, follow these steps:
Figure 25-17. The Send Message dialog box of Terminal Services Manager.
You can also use the command-line Msg command to send a message to a particular session or to all the users on a particular server. The Msg command has additional options and functionality over the graphical Terminal Services Manager messaging. The syntax for the Msg command is as follows:
msg {username|sessionname|sessionid|@filename|*} [/SERVER:servername] [/TIME:seconds] [/V] [/W] [message text]
The options for the Msg command are as follows:
Controlling a Session
If you have appropriate permission (Full Control), you can connect to another user's session and remotely control it. The keyboard, mouse, and display will be the same for both your session and the user's session. This gives you the ability to easily troubleshoot a user's session or train the user by walking him or her through the steps of a particular task. Input for the session comes equally from your session and the user's. If the user or protocol settings are set to view only the session, not directly control it, you will see only what the user does on his or her screen, but you won't be able to interact with it using your mouse or keyboard.
By default, when you connect to a user's session using remote control, the user will be notified that you are connecting and asked to confirm the permission. This notification can be turned off on a per-user basis by modifying the user's account in Active Directory. (See Chapter 9 for more on user accounts.) You can also configure this notification on a per-protocol basis for a given server using Terminal Services Configuration (explained shortly). To take control of a user's session, follow these steps:
Figure 25-18. The Remote Control dialog box.
Figure 25-19. The Remote Control Request dialog box.
Until the user confirms permission to connect to his or her session, your session will appear to freeze.
You can also use the Shadow command to take control of a user's session. The Shadow command has the following syntax:
shadow {sessionname|sessionid} [/SERVER:servername] [/V]
where sessionname and sessionid identify the particular session you want to take control of, and the server defaults to the current server if /SERVER isn't specified. The /V (verbose) option gives additional information about the actions being performed.
Connecting to a Session
You can connect to another session on the server you are on if you have the appropriate permission and the other session is either in an active or a disconnected state. You can always connect to a session that is logged on with the same user account as your current logon, or you can connect to another user's session if you have Full Control or User Access permission. You will be prompted for the user's password.
This ability to connect to another session can be a useful tool for both administrators and users. Get home and realize you forgot to finish off that important memo? Log on remotely and connect to your working session at the office and pick up right where you left off. To connect to a session, follow these steps:
Figure 25-20. The Connect Password Required dialog box.
NOTE
You can connect to another session only from a Terminal Services session. You can't connect to or from a console session.
Use the Terminal Services Configuration MMC to change the settings for all connections to a particular server (Figure 25-21). From here, you can change any of the settings listed below:
Figure 25-21. The Terminal Services Configuration MMC.
You can change the properties of the connections from Terminal Services Configuration. By default, the only connection protocol installed is Microsoft Remote Data Protocol (RDP) version 5. Other protocols are available from third parties, including the Independent Computing Architecture (ICA) protocol used by Citrix MetaFrame. All protocols can be configured from this point.
RDP allows you to configure a wide variety of settings for each server (as listed in Table 25-1). Most of these settings are normally controlled by the client, or you can set the server to override the client settings. To set properties for the RDP connections, double-click the RDP-Tcp entry under Connection to open the dialog box shown in Figure 25-22.
Figure 25-22. The RDP-Tcp Properties window.
Table 25-1. Terminal Services Configuration settings for RDP
Tab | Property | Setting | Meaning |
---|---|---|---|
General | Encryption Level | Low | Data from client to server is encrypted using the standard encryption key. |
General | Encryption Level | Medium | Data is encrypted using the standard key in both directions. |
General | Encryption Level | High | Data is encrypted in both directions using the maximum key length supported. |
General | Use Standard Windows Authentication | False | Uses alternate authentication package if installed. |
Logon Settings | Use Client-Provided Logon Information | True | Client determines the logon security user. |
Logon Settings | Always Use The Following Logon Information | False | Logon information for all clients uses this same logon information. |
Logon Settings | Always Prompt For Password | False | Client can use embedded password. |
Sessions | Override User Settings: (disconnected, active, and idle sessions) | False | User settings control termination of disconnected sessions, active session limit, and idle session limit. |
Sessions | Override User Settings: (disconnected, active, and idle sessions) | True | Session limits are controlled by the server. |
Sessions | Override User Settings: (session limit action) | False | User settings control session limit behavior. |
Sessions | Override User Settings: (session limit action) | True | Server settings control session limit behavior—disconnect or end the session. |
Sessions | Override User Settings (reconnection) | False | User settings control reconnection. |
Sessions | Override User Settings (reconnection) | True | Server settings control reconnection. |
Environment | Initial Program | False | Client specifies initial program. |
Environment | Initial Program | True | All clients are forced to run the program specified. |
Environment | Client Wallpaper | Disable | Disallows wallpaper on user desktop. |
Environment | Client Wallpaper | Enable | User can display wallpaper on his or her desktop. |
Remote Control | Use Remote Control With Default User Settings | True | Settings for remote control are set as part of the user's account data. |
Remote Control | Do Not Allow Remote Control | False | All remote control to sessions on the server is disabled. |
Remote Control | Use Remote Control With The Following Settings | False | When true, you will override remote control settings for all users connecting to the server. |
Client Settings | Use Connection Settings From User Settings | True | Printer and drive connections are specified as part of the user's account settings. |
Client Settings | Drive Mapping | Selected | Users aren't permitted to map drives. (Requires ICA protocol.) |
Client Settings | Windows Printer Mapping | Not selected | Clients can map Windows printers, and mappings are remembered. |
Client Settings | LPT Port Mapping | Selected | Automatic mapping of client LPT ports is disabled. |
Client Settings | COM Port Mapping | Selected | Clients can't map printers to COM ports. |
Client Settings | Clipboard Mapping | Not selected | Clients can map clipboard. |
Client Settings | Audio Mapping | Selected | Clients can't map audio. (Requires ICA protocol.) |
Network Adapter | Network Adapter | All | All available network adapters are configured for use with this protocol. |
Network Adapter | Connections | Unlimited | There is no limit to the number of connections permitted. |
Network Adapter | Connections | Maximum | The maximum number of connections permitted via this adapter. |
Permissions | Full Control | Administrators/SYSTEM | Administrators and SYSTEM have Full Control privilege. |
Permissions | User Access | Users | Query, Logon, Message, and Connect privileges. |
Permissions | Guest Access | Guests | Logon privileges only. |
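The settings in Table 25-1 can be reviewed server by server against a written baseline. The following is an added example, not part of the original text: the tab, property, and setting names come from the table, while the preferred values, the sample server, and the function names are assumptions of the example.

```python
from typing import NamedTuple, Optional


class Finding(NamedTuple):
    tab: str
    prop: str
    actual: Optional[str]  # None when the setting was not recorded
    preferred: str
    reason: str


# (tab, property) -> (preferred setting, why another value deserves review).
# Names and values follow Table 25-1; the preferred values are an assumption
# of this example, not a recommendation made in the text.
BASELINE = {
    ("General", "Encryption Level"): (
        "High", "Low encrypts only client-to-server data; High uses the "
                "maximum supported key length in both directions"),
    ("Logon Settings", "Always Prompt For Password"): (
        "True", "when False, a client can log on with an embedded password"),
    ("Client Settings", "Drive Mapping"): (
        "Selected", "when not selected, users can map drives"),
    ("Client Settings", "Windows Printer Mapping"): (
        "Selected", "when not selected, clients can map Windows printers"),
    ("Client Settings", "LPT Port Mapping"): (
        "Selected", "when not selected, client LPT ports map automatically"),
    ("Client Settings", "COM Port Mapping"): (
        "Selected", "when not selected, clients can map printers to COM ports"),
    ("Client Settings", "Clipboard Mapping"): (
        "Selected", "when not selected, clients can map the clipboard"),
}

# Constructed sample: settings transcribed by hand from one server's
# RDP-Tcp Properties dialog (COM Port Mapping was not written down).
SAMPLE_SERVER = {
    "General": {"Encryption Level": "Medium"},
    "Logon Settings": {"Always Prompt For Password": False},
    "Client Settings": {
        "Drive Mapping": "Selected",
        "Windows Printer Mapping": "Not selected",
        "LPT Port Mapping": "selected",
        "Clipboard Mapping": "Not selected",
    },
}


def _norm(value):
    """Compare settings without regard to case, spacing, or bool-vs-text."""
    return " ".join(str(value).split()).casefold()


def audit(settings):
    """Return a Finding for every baseline setting that differs or is missing."""
    findings = []
    for (tab, prop), (preferred, reason) in BASELINE.items():
        actual = settings.get(tab, {}).get(prop)
        if actual is None:
            findings.append(Finding(tab, prop, None, preferred,
                                    "setting not recorded; check the dialog"))
        elif _norm(actual) != _norm(preferred):
            findings.append(Finding(tab, prop, str(actual), preferred, reason))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SERVER):
        print(f"[{f.tab}] {f.prop}: {f.actual!r} "
              f"(prefer {f.preferred}) - {f.reason}")
```

A setting that was never written down is reported rather than assumed to match, so an incomplete transcription cannot pass the review.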
You can create client disks for Windows 2000, Windows NT (x86 and Alpha), Windows 95/98, or Microsoft Windows for Workgroups 3.11. Other clients will require the ICA protocol and you'll need to have Citrix MetaFrame to create client disks for them.
The 32-bit clients require two 3.5 inch 1.44 MB floppy disks, while the Windows for Workgroups clients require four floppy disks. You can use already formatted floppy disks, or the client creator program can format them for you. To create Windows Terminal Services Client floppy disks, follow these steps:
Figure 25-23. The Create Installation Disk(s) dialog box.
Figure 25-24. The Insert Floppy information box.
You can install and run Terminal Services Client on any computer running Windows 2000, Windows NT 4, Windows 95/98, or Windows for Workgroups 3.11. Special clients are also available for other operating systems, including Windows CE and MS-DOS, as well as any client that can run Java. Some of these clients, however, require the use of the Citrix MetaFrame ICA protocol. Special Windows CE-based thin clients are available from a number of manufacturers that allow you to connect to a Windows 2000 Terminal Services server with no hard disk at all—the base operating system and Terminal Services Client are loaded in ROM.
To be able to install Terminal Services Client on a workstation, you'll need to have either a floppy drive available or a network connection to run the installation over the network. In either case, the steps are essentially the same. To install Terminal Services Client using floppy disks, follow these steps:
Figure 25-25. Agreeing to the license agreement.
Figure 25-26. The Terminal Services Client Setup window.
Client Connection Manager allows you to create connections to your Windows Terminal Services servers and save the properties of those connections.
Creating a Connection
To create a connection using the Client Connection Manager, follow these steps:
Figure 25-27. The Client Connection Manager Wizard.
Figure 25-28. The Create A Connection screen of the Client Connection Manager Wizard.
Figure 25-29. The Automatic Logon screen of the Client Connection Manager Wizard.
NOTE
Automatic logons may seem like a good idea, but if you have password aging enabled on your network, it can be a major nuisance. We recommend that you leave this option disabled unless you don't require users to periodically change their passwords.
Figure 25-30. The Screen Options screen of the Client Connection Manager Wizard.
Figure 25-31. The Connection Properties screen of the Client Connection Manager Wizard.
Figure 25-32. The Starting A Program screen of the Client Connection Manager Wizard.
Configuring a Connection
The only way you can modify an existing connection is to use the Client Connection Manager. To modify a connection, follow these steps:
Figure 25-33. The Icon And Program Group screen of the Client Connection Manager Wizard.
Figure 25-34. Modifying the properties of an existing Client Connection Manager connection.
Figure 25-35. The Properties dialog box for a connection in Client Connection Manager.
On the General tab, you can change the following settings:
On the Connection Options tab, you can change these settings:
On the Program tab, you can change these settings:
Exporting and Importing Connections
The connections you create in Client Connection Manager are not, by default, available as a text file, but are stored in each client machine's registry at HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\<connection name>. You can export the settings you created for a particular connection, or for all your connections, to a text file that will let you move it to another user or even another machine. This can vastly simplify the deployment of Terminal Services in a large organization. Unfortunately, there isn't a command-line way to do it, so you'll still have to touch each machine. But at least you will be sure to use a consistent setup across all clients. To export a single connection, follow these steps:
CAUTION
When you export the password as part of exporting a connection, the password is encrypted in the .CNS file, but anyone with access to the file could create a connection with your account. If you export the password, take appropriate precautions against physical access to the file.
To export all of the connections in Client Connection Manager, follow these steps:
To import a connection or connections into Client Connection Manager, use this procedure:
If you have ever created a connection using Client Connection Manager, you'll be prompted to allow overwriting of the default connection. If you click Yes, you'll be prompted to allow automatic replacement of all connections that are duplicates. If you click No, you'll be prompted to preserve existing connections that are duplicates. If you don't allow the automatic replacement, you'll be prompted for each connection.
The Client Connection Manager is a useful tool for creating permanent connections to one or more servers. If you just want to connect quickly to a server and have no need to preserve the information in a permanent connection, you can use Terminal Services Client (Mstsc.exe) instead. To use Terminal Services Client, follow these steps:
Figure 25-36. The Terminal Services Client dialog box.
When you use Terminal Services Client, you will always be prompted to log on to the server to which you are connecting. You will also always log on to the Windows desktop. If you want to create a permanent connection, or one that will run only a particular program, you must use Client Connection Manager to create the connection.