In addition to the "core" Terminal Server functionality, Windows Server 2003 includes features that help you use Terminal Server in the real world. It's worth presenting an overview of these features here, although we'll study each in more depth throughout this book from a design and best practices standpoint.
If you've used previous versions of Terminal Server but are new to Windows Server 2003, you'll notice that several core features have been carried over from earlier products while others are completely new. The out-of-the-box functionality of Terminal Server in Windows Server 2003 has come a long way since Microsoft first introduced the "Terminal Server Edition" of Windows NT Server 4.0 in 1998.
High Color Depth. In Windows Server 2003, the RDC client can now support client sessions with up to 24-bit color. This increases the system's usability with applications that require higher color depth.
Access to Client System Resources. When connected to a Terminal Server session, users can map back to their client's local disk drives, ports, printers, and clipboard, seamlessly integrating remote Terminal Server-based and local client device-based applications.
Client Time Zone Support. Terminal Server 2003 can automatically set the time zone of users' sessions based on the time zone of their client device. In special cases where the client devices do not keep track of local time zones, users can manually set their own time zones from within their server sessions. Time zone support is extremely beneficial in environments where users may be connecting to Terminal Servers from several different time zones for applications that are time sensitive, such as calendaring and email programs.
Printer Driver Management. Printing in server-based computing environments has always posed unique challenges (as you'll see in Chapter 8). One of these is in relation to print drivers. Terminal Server 2003 has several features to make managing print drivers easier.
Print driver mapping capabilities allow you to remap client print driver names to appropriate server print driver names.
Automatic print driver mapping has been enhanced from Windows 2000 to provide better matching in "near-miss" cases.
When a driver match can't be made, the trusted driver path option lets you specify generic print drivers that are pre-approved for use on your Terminal Servers.
Printer Performance. In Terminal Server 2003, the print stream between the server and client is compressed, yielding better printing performance over slow links.
Windows Keys. When using Terminal Server sessions, special key sequences such as Alt-Tab or Ctrl-Esc are sent from the client to the remote session instead of being captured locally by the client. This improves users' experience by allowing them to use familiar key sequences in their sessions.
Load-Balanced Server Clusters. Multiple Terminal Servers can be logically grouped together to form a "Server Cluster." All servers in the cluster can then be used to host user sessions. An important fact about clusters in the Microsoft world is that these are not "true" clusters in the sense of service or application clustering. Rather, "clustering" has become a generic term at Microsoft that now includes Network Load Balancing. In reality, a load-balanced server cluster like this is a group of load-balanced servers using Windows Load Balancing or a third-party load balancer to route user sessions to available servers in the pool. Full Terminal Server clustering and load-balancing is discussed in Chapter 7.
Session Directory. One of the most important new Terminal Server features introduced in Windows Server 2003 is called Session Directory. This feature enables users to be automatically routed to Terminal Servers where they have disconnected sessions. In load-balanced environments with multiple servers, disconnected users can pick up where they left off, and are prevented from having multiple "orphaned" sessions on different servers. The Session Directory is not a load-balancing tool. Rather, it's a simple database that keeps track of which users have which sessions on which servers. However, third-party load-balancing products (and Microsoft's own Network Load Balancing) utilize the Session Directory to deliver a seamless experience to users. Session Directory (and load-balancing in general) is fully covered in Chapter 7.
Web-Based Client. Terminal Services 2003 supports a web-based, scriptable ActiveX control for connecting to Terminal Servers. This client can allow users to access servers and server clusters simply by visiting a web page. You can even configure this client to allow administrators to connect to remote server consoles.
Remote Control. As the name implies, this feature allows certain users to remotely control other users' sessions. This capability is most often used for training and support purposes.
Single Session Policy. This Windows policy allows you to limit users to a single session on a particular server or server cluster.
Remote Desktop Users Group. This is a new Windows local group that, by default, is the only user group with the appropriate permissions to log on to the server via Terminal Server connections. As an administrator, this group gives you an easy way to limit access to your servers. In effect, it replaces the inefficient "Allow Login to Terminal Servers" user object property from previous Windows versions (although you can still use that method in Terminal Server 2003 if you prefer). The Remote Desktop Users group allows you to specify user permissions on a server-by-server basis. Furthermore, since it's a local group, you can add global groups to it for easy control in large environments. See Chapter 12 for more information about security and group memberships.
Security Policy Editor. This administrative tool allows you to assign Terminal Server user rights individually or by group membership. You can also use it to allow users to log on to a Terminal Server without having to be a member of the Remote Desktop Users Group.
Software Restriction Policies. These restriction policies replace the annoying Application Security (AppSec) tool used in previous versions of Terminal Server. They let you restrict the applications that can be executed by specified users, simplifying the tasks associated with securing a Terminal Server.
Encryption. By default, all connections to Terminal Servers are secured by a bidirectional, 128-bit RC4 encryption algorithm.
Smart Card Authentication. For users connecting from client devices configured to utilize smart cards, their Windows logon credentials can be passed to Terminal Servers when new sessions are established. Full smart card design options are covered in Chapter 12.
Improved Terminal Server Licensing. There are now two different ways to license users for Terminal Server in Windows Server 2003: per user or per device. "Per User" mode assigns a Terminal Server Client Access License (TS CAL) to a specific user account, and that user can log on from as many client devices as he wants. The "Per Device" licensing mode allows you to permanently assign a TS CAL to a specific piece of hardware, and any user may access a Terminal Server with that hardware device. This option lends flexibility in choosing a licensing mode that best fits your environment. (Or, in the case of Microsoft licensing, you can choose the least "worst fit".) Another big licensing change introduced in Windows Server 2003 is the ability to install the Terminal Server Licensing Service on any Windows 2003 server in Active Directory environments. In Windows 2000, this service had to run on a domain controller. See Chapter 4 for all the gory details of Terminal Server licensing.
Group Policy Terminal Server Management. In Windows Server 2003, administrators can configure per-server Terminal Server settings via group policies within Active Directory. This design allows large groups of servers to be managed or configured simultaneously, and helps to reduce administrative overhead for small changes that are required on every server.
Group Policy Templates. Terminal Server Group Policy Templates have been added to Windows 2003. These templates allow you to easily configure and apply server settings across multiple servers simultaneously.
Terminal Services Manager. The Terminal Services Manager tool has been improved from previous versions to allow for easier management of large groups of servers. The improved tool gives direct access to a server by name and can even store a list of "favorite" servers.
Terminal Server Licensing Manager. This tool allows you to manage, add, and activate Terminal Server Client Access Licenses in your environment. It has been completely rewritten for Windows Server 2003, and is now much easier to use.
Windows Management Instrumentation (WMI) Provider. A full WMI provider in Windows Server 2003 allows for completely scripted configuration of Terminal Server settings. WMI aliases have been provided to allow for simple scripting of frequently used tasks.
Active Directory Service Interfaces (ADSI). An ADSI provider allows programmatic access to per-user attributes such as Terminal Service profile settings, home directory settings, and session virtual channel settings. You can now script just about anything in Terminal Server 2003.
Connect to Console Session. In Terminal Server 2003, administrators can connect to the actual server console through a remote RDP session. This is useful when you need to perform tasks that are "not supported" via Terminal Services.
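One way to use the WMI and ADSI providers described above is to script a check of the security-relevant settings named in this overview: encryption level, Single Session Policy, and Remote Desktop Users membership. This is an added example, not code from the book. It assumes PowerShell 2.0 or later; the WMI class and property names are not given on this page, and the server name TS01 and the group TS-Finance-Users are hypothetical.

```powershell
# Added example. Win32_TSGeneralSetting and Win32_TerminalServiceSetting are
# classes of the Terminal Services WMI provider; they are not named on the page.
function Get-TSSecuritySettings {
    param([string]$ComputerName = '.', [string]$Namespace = 'root\cimv2')
    # root\cimv2 is where Windows Server 2003 registers these classes.
    $general = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace $Namespace -ComputerName $ComputerName
    $service = Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace $Namespace -ComputerName $ComputerName
    # ADSI WinNT provider: enumerate the local Remote Desktop Users group.
    $group   = [ADSI]"WinNT://$ComputerName/Remote Desktop Users,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    foreach ($g in @($general)) {          # one record per listener, e.g. RDP-Tcp
        New-Object PSObject -Property @{
            Listener           = $g.TerminalName
            MinEncryptionLevel = [int]$g.MinEncryptionLevel
            SingleSession      = [int]$service.SingleSession
            RemoteDesktopUsers = $members
        }
    }
}

function Test-TSBaseline {
    param([Parameter(Mandatory = $true)] $Settings,
          [string[]]$ApprovedGroups = @())
    $findings = @()
    # MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant.
    # High is the level that enforces 128-bit encryption in both directions.
    if ($Settings.MinEncryptionLevel -lt 3) {
        $findings += "$($Settings.Listener): encryption level $($Settings.MinEncryptionLevel) is below High"
    }
    if ($Settings.SingleSession -ne 1) {
        $findings += "$($Settings.Listener): users are not restricted to a single session"
    }
    foreach ($m in $Settings.RemoteDesktopUsers) {
        if ($ApprovedGroups -notcontains $m) {
            $findings += "$($Settings.Listener): unapproved member of Remote Desktop Users: $m"
        }
    }
    $findings
}

# Constructed sample (not output from a real server), so the check runs offline.
$sample = New-Object PSObject -Property @{
    Listener = 'RDP-Tcp'; MinEncryptionLevel = 2; SingleSession = 0
    RemoteDesktopUsers = @('TS-Finance-Users', 'Everyone')   # hypothetical names
}
Test-TSBaseline -Settings $sample -ApprovedGroups 'TS-Finance-Users'
# Live use (TS01 is a hypothetical server name):
# Get-TSSecuritySettings -ComputerName TS01 | ForEach-Object { Test-TSBaseline $_ -ApprovedGroups 'TS-Finance-Users' }
```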