Using Windows Server 2003 Terminal Services


Windows Server 2003 Terminal Services is designed to provide a multiuser environment, which makes it possible for several users to connect to a server and run applications concurrently.

Terminal Services consists of three major components:

  • Multiuser server core: This is a modified version of the Windows Server 2003 kernel that allows the operating system to support multiple concurrent users and share resources.

  • Client software: The Remote Desktop Connection (RDC) client software provides the user interface. It can be installed on a PC, a Windows terminal, or a handheld device. It provides the look and feel of the standard Windows interface.

  • Remote Desktop Protocol (RDP): This is the protocol that provides communication between the server and the client software. It runs only on TCP/IP.

Windows Terminal Services is designed to distribute the Windows 32-bit desktop to clients that are usually not able to run it. Although for the client it appears that the application is running locally, all processing actually occurs on the server. The only processing that occurs at the client involves displaying the user interface and accepting input from the keyboard and mouse.

Although the application is run on the server, the information needed to control the user interface, such as keystrokes and mouse clicks, is sent over the connection to the client. The data rate of the connection is very small, generally less than 16KB. This makes Terminal Services well suited for low-bandwidth connections, such as low-speed dial-up lines.

The RDP clients supplied with Windows Server 2003 Terminal Services can be used on most Windows PCs and Windows terminals. A 32-bit client is used with Windows 9x, NT, 2000, and XP.

Note: Additional Clients

Clients for the Macintosh and a Terminal Services (not RDC) client for the Pocket PC are not included on the Windows Server 2003 CD-ROM, but they are available for download from the Microsoft website at http://www.microsoft.com/downloads.


Linux

An open-source RDP client, called Rdesktop, is available for the Linux platform. It is available from www.rdesktop.org.


The RDC client provides the standard Win32 desktop to users. It is a Windows-based application and runs only on Windows platforms. However, it is a very small application (generally less than 2MB in size) and can run on machines with very limited processor and memory resources.

This client provides the following features:

  • Roaming disconnect support: This allows a user to disconnect her session and then reconnect to the server, either from the same PC or terminal or from any other PC or terminal, and her session resumes just where she left it, without any data loss.

  • Multiple login support: This allows a user to be connected to multiple sessions simultaneously.

  • Local resources are available: The RDC 5.1 client allows you to connect to most of the resources attached to the local PC that is running the RDC client. This includes drives, smart cards, printers, and the Clipboard. For instance, files can be opened, saved, and printed to the user's local PC, regardless of whether the application is running locally or remotely.

  • Automatic session reconnection: If a user is disconnected from the server because of a local problem, such as a communications line failure, the RDC client automatically attempts to reconnect to the user's session on the Terminal Services server.

Terminal Services Advantages and Disadvantages

Terminal Services offers many advantages. Here are a few of them:

  • Windows Terminal Services runs Windows applications: Most Windows applications run on Terminal Services without any modifications.

  • The client is very small: This allows the client to run on low-powered terminals or PCs.

  • The client can be used with older technology: This allows older machines, which would normally be sent to the scrap heap, to be used as clients.

  • The responsibility for processing is put in the server room: Everything to do with the support of the server and applications is directly controlled by the system administrator in the server room. Users have fewer opportunities to "help" the administrator. This results in fewer problems. In addition, because just about everything is controlled from a centralized location, expensive, time-consuming visits to the desktop are rare.

Terminal Services also has a couple of disadvantages, as follows:

  • Hardware: Terminal Services requires much more hardware than the typical file and print server needs. You can use lower-end systems for the client, but you have to spend more money on the server.

  • Security: You must be aware of the security weaknesses introduced with Terminal Services. For example, Terminal Services users are, in effect, given the equivalent of Log On Locally access to your server, so you need to be especially vigilant in limiting access to sensitive files and folders. In addition, because of this level of access, you should never install Terminal Services in Application Server mode on a domain controller.

Environments for Which Terminal Services Is Recommended

Terminal Services is recommended for use in a variety of environments. The following are some examples:

  • Harsh environments: Terminal Services is very good for harsh environments, such as manufacturing facilities. This allows you to utilize a low-cost Windows terminal that has no moving parts and would normally be susceptible to damage or contamination.

  • Remote access: Because of the low-bandwidth requirements, remote Terminal Services users usually see the same relative performance as if they were running applications locally. In addition, the remote user doesn't have to have frequent software and hardware updates, because all updates are performed on the server by the administrator(s).

  • Public access terminals: A Windows terminal used as a kiosk is very secure because Terminal Services allows administrators to lock down applications and system access.

  • Customer service: Users running a single or a few task-based applications are ideal candidates for Terminal Services because they can be supplied with a low-cost Windows terminal for far less money than a PC, which would likely be overkill for their needs.

  • Wireless applications: Because of the low-bandwidth requirements, Terminal Services is especially good for providing server applications to wireless users, especially users of handheld devices.

Terminal Services Is Not Recommended For...

Here are some applications for which the use of Windows Terminal Services is not recommended:

  • Applications requiring heavy calculations: Typical examples are Computer Aided Drafting (CAD) applications.

  • Applications that identify users or sessions by IP address or machine name: Examples include some terminal-emulator applications.

  • Applications with memory leaks or that perform constant keyboard polling: These problems are common with older DOS applications.

  • Applications using animation: Passing screen updates for large, detailed bitmaps uses a lot of bandwidth and takes time for the user to see the painted bitmap.

  • Publishing and drawing programs: Although the Terminal Services clients supported in Windows Server 2003 can support more than 256 colors, the excess color depth requires more processing and network bandwidth. In addition, all graphics screen updates have to be passed over the connection, which can get pretty slow.

Working with Terminal Services

Terminal Services is available in two modes: Remote Desktop for Administration (formerly called Remote Administration mode) and Application Server mode. Application Server mode configures Windows Server 2003 to operate similarly to the previous version of Windows NT Terminal Server 5.0. Remote Desktop for Administration mode is used to provide remote server management. Unlike in Windows 2000, where the Remote Administration mode was an option, the Remote Desktop for Administration mode is automatically installed in Windows Server 2003. However, incoming connections are disabled by default.

Using Terminal Services in Remote Desktop for Administration Mode

The Terminal Services (TS) Remote Administration mode was first available in Windows 2000. The previous version of Windows NT 5.0 Terminal Server did not have this feature. With Windows Server 2003 Terminal Services in Remote Desktop for Administration mode, you are allowed two concurrent sessions, plus a console session to the Windows server. These sessions can be used to remotely access any programs or data on the server.

Using the Terminal Services client is just like working on the server console. The Remote Desktop for Administration mode allows you to have two concurrent TS sessions without any additional Client Access Licenses required. The beauty of the Remote Desktop for Administration mode is that it allows you to manage your server from just about anywhere and from just about any computer. Because the TS client is supported on a variety of Windows platforms, including Windows CE and Pocket PC 2002 and later, you can load the client on any Windows box that you have available and manage your server. Imagine managing your server from your Pocket PC!

In addition, because the RDC connection between the server and the client requires a minimum of bandwidth, you are not limited to a high-speed LAN connection. The Terminal Services client can access the servers via a dial-up connection, the Internet, or even a wireless connection. Again, think about managing your servers from your Pocket PC while sitting on a warm, sandy beach.

Note: Switching Between Terminal Services Modes

Although it is possible to switch from one mode to another, it is necessary to reinstall all applications.


In addition to the two virtual sessions, a new feature in Windows Server 2003 provides the capability to connect to the real console of the server. In the past, a lot of tools and applications could not be run remotely, because they were written to interact directly with "session 0," or the physical server console. Also, most system messages are routed to the console automatically, so if you were trying to manage the server remotely and a pop-up error message was sent, you wouldn't be able to see it.

Working with Terminal Services in Remote Desktop for Administration mode is covered at length in the "Managing Servers Remotely" section of Chapter 5, "Administering Windows Server 2003."

Terminal Services in Application Server Mode

The purpose of Application Server mode in Windows Server 2003 Terminal Services is to enable applications to be shared and managed from a central location. The Terminal Services Application Server mode changes the characteristics of the server. Normally, a server is tuned to give best performance to the background processes that are running. This enables server-type applications, such as databases and mail servers, to perform better. However, when Windows is configured for Terminal Services Application Server mode, the server is tuned to give the best performance to the foreground processes. This is similar to the way a workstation operating system is tuned, because those are the types of tasks the operating system is now handling. With Terminal Services, each user is assigned an individual session of 2GB of virtual memory on the server. Performance depends on the capacity of the server, how many users are logged on, and what applications are running.

The Application Server mode of Terminal Services allows the system administrator to load common applications that can be shared by multiple users. The users can be granted the ability to connect to a specific application or a complete desktop environment.

This can greatly decrease the support costs associated with an organization because there are fewer visits to the end user. There is no need for upgrade visits, and there are fewer visits for application issues because everything is located and controlled centrally.

Unlike Remote Desktop for Administration mode, in which there are only two concurrent connections plus the console allowed, Application Server mode allows you to have an unlimited number of concurrent connections, subject to server capacity and licensing. The number of users supported varies widely, depending on the type of applications in use and the hardware configuration of the server. Typically, on the same hardware, you can support far more users running terminal emulator-type applications than users who are using CAD applications.

To install Terminal Services in Application Server mode, follow the procedure outlined in Step by Step 11.1.

Step by Step

11.1 Installing Terminal Services in Application Server Mode

1. Click Start, All Programs, Control Panel, Add or Remove Programs.

2. Click the Add/Remove Windows Components button in the left pane of the Add or Remove Programs dialog box.

3. The Windows Components Wizard appears. Select the Terminal Server check box.

4. If Internet Explorer Enhanced Security Configuration is enabled (it is enabled by default), you will receive the Configuration Warning prompt. After you read and understand this warning, click the Yes button to continue.

5. This returns you to the Windows Components Wizard. Click the Next button to continue.

6. The Terminal Server Setup warning appears, as shown in Figure 11.1. Read and understand the warnings before clicking the Next button to continue.

Figure 11.1. The Terminal Server Setup warning prompt alerts you to the requirements of a Terminal Server.

7. The Terminal Server Setup screen appears. This screen allows you to select the Full Security mode, which is new to Windows Server 2003, or the Relaxed Security mode, which is roughly equivalent to the security on a Windows 2000 Terminal Services server. Click the desired option button, and then click the Next button to continue.

8. The Terminal Server License dialog box appears, as shown in Figure 11.2. You are prompted as to what license server to use. For now, select the option to specify a license server within 120 days. Click the Next button.

Figure 11.2. The Terminal Server Setup licensing prompt asks you what license server to use.

9. Next, you are prompted as to whether to use per-device or per-user licensing. Select Per User, and then click Next.

10. When the Completing the Windows Components Wizard screen appears, click the Finish button. You will be prompted to reboot the server.

Terminal Services Licensing

Application Server mode requires that each remote connection have a Windows Server 2003 Terminal Services user or device Client Access License (TS CAL). These licenses are separate from the normal Windows Client Access Licenses (CALs) and must be installed and managed using a Terminal Services licensing server. Terminal Services Licensing Server is an option that is installed from the Add/Remove Programs applet in the Control Panel.

Windows Server 2003 offers two types of Terminal Services licensing servers:

  • Enterprise license server: An enterprise license server should be used when you have Windows Server 2003 Terminal Services servers located in several domains. This is the default.

  • Domain license server: A domain license server is used if you want to segregate licensing by domain, or if you're supporting a Windows NT 4.0 domain or a workgroup.

To install a Terminal Services licensing server, follow the procedure outlined in Step by Step 11.2.

Step by Step

11.2 Installing a Terminal Services licensing server

1. Click Start, All Programs, Control Panel, Add or Remove Programs.

2. Click the Add/Remove Windows Components button in the left pane of the Add or Remove Programs dialog box.

3. The Windows Components Wizard appears. Select the Terminal Server Licensing check box.

4. The Terminal Server Licensing Setup screen appears (see Figure 11.3). This screen allows you to choose the type of licensing server to install and the location of the license database. Make a selection and then click the Next button to continue.

Figure 11.3. Choose the type of licensing server to install on the Terminal Server Licensing Setup screen.

5. When the Completing the Windows Component Wizard screen appears, click the Finish button.

Note: TS CALS

New with Windows Server 2003 are the concepts of a user Client Access License and a device Client Access License. Separating licensing in this way allows organizations additional license options. For example, if a Terminal Services user connects via multiple devices, such as a PC and a handheld device, the organization would need to purchase a user license instead of a device license. The standard TS CAL is valid only for connections to Windows 2000 Terminal Services servers.


Unlike the Windows 2000 license server, which had to be installed on a domain controller in an Active Directory environment, the Windows Server 2003 Terminal Services license server can be installed on any domain controller, member server, or standalone server. This license server can support an unlimited number of Terminal Services servers, and it can issue Terminal Services 2000 Internet Connector licenses, TS 2003 user CALs, TS 2003 device CALs, and temporary TS CALs. The Internet Connector CALs are for non-employees who connect to your Windows 2000 Terminal Services servers over the Internet. A temporary TS CAL is issued when there are no TS user or device CALs available on the license server. A temporary TS CAL allows the client to connect to the Terminal Services server for 120 days. A Terminal Services server can initially operate for up to 120 days without being serviced by a TS licensing server. However, after this grace period expires, the server no longer accepts any TS connections until it is associated with a valid licensing server.

The new licensing setup is only for Windows Server 2003 Terminal Services. As you can see, it is somewhat different from Microsoft's previous Terminal Services licensing methods. Fortunately, Microsoft has provided a whitepaper that gives an overview of the new licensing rules and processes. It can be obtained from the Microsoft Web site at http://www.microsoft.com/windowsserver2003/techinfo/overview/termservlic.mspx.

Note: TS External Connector

Another new licensing feature is the Windows Server 2003 Terminal Server External Connector license. This is a license that is purchased to allow an unlimited number of external users access to your Terminal Services server. This replaces the Internet Connector license that was available for Windows 2000 Terminal Services.


Installing Applications

For each user to have his own application configurations, Terminal Services monitors the changes that the application makes to the Registry as the program is being installed, and it watches for changes to the %windir% folder. Once captured, these changes are copied to a home folder that Terminal Services maintains for each user. When the user logs on to Terminal Services, these Registry settings are transferred to the user-specific Registry keys.

To install applications on a Terminal Services server, you must be in Install mode. This can be accomplished by installing programs via the Add/Remove Programs applet in the Control Panel or via the Change User command.

The Change User /install command places Terminal Services in Install mode, so that all user-specific mapping is turned off, and the system can monitor the installation process. After the application is installed, use the Change User /execute command to restore user-specific mapping. This also moves any newly installed user-specific files to the user's home folder.

To install an application on a Terminal Services server in Application Server mode, follow the procedure outlined in Step by Step 11.3.

Step by Step

11.3 Installing an application on a Terminal Services server

1. Click Start, All Programs, Control Panel, Add or Remove Programs.

2. Click the Add New Programs button in the left pane of the Add or Remove Programs dialog box.

3. Click the CD or Floppy button.

4. When prompted, insert the CD-ROM or floppy disk and click the Next button to continue.

5. If the application isn't found automatically, you can click the Browse button on the Run Installation Program screen to search for it. Click the Next button when you're finished.

6. As the installation starts, the screen shown in Figure 11.4 appears. Do not click the Next button until the application's installation procedure has been completed.

Figure 11.4. The After Installation Program screen. Click the Next button after the installation is complete.

7. When the Finish Admin Install screen appears, click the Finish button.

Although not all applications install or run properly in a multiuser environment, some manufacturers are supplying Terminal Services configuration files so that their applications install properly. An example is Microsoft, which has supplied a transform file with Office 2000 so that it can be properly installed on Terminal Services. This file is named TERMSRVR.MST and is available in the Office 2000 Resource Kit.

Note: Terminal Services-Aware Applications

Current applications may be Terminal Services aware. For example, Office XP or 2003 no longer needs either compatibility scripts or transform files to be installed in Windows Server 2003 Terminal Services.


Microsoft has also supplied several application-compatibility scripts for several common applications that are run after application installation to change their installed configuration to allow them to operate properly in a multiuser environment. These scripts are located in the %systemroot%\Application Compatibility Scripts\Install folder. These scripts are typically run after the initial installation of the application and are used to move user-specific files and configuration information to the user's home folder. These scripts can be run at every logon by adding a reference to them in USRLOGON.CMD, which is run whenever a user logs on to Terminal Services, or via an individual user's Terminal Services logon script. A close examination of these scripts can give you ideas on how to create compatibility scripts for your own applications.

Note: Application Installation in Remote Desktop for Administration Mode

There are no special steps necessary to install applications in Windows Server 2003 TS Remote Desktop for Administration mode.


Managing User Sessions in Terminal Services

Terminal Services comes with a variety of administrative tools. The Terminal Services Manager is the tool that is used to monitor and manage the Remote Desktop sessions. From this tool, the system administrator has the ability to perform the following tasks on a user session:

  • Remote control the user session.

  • Observe and terminate user processes.

  • Reset the session.

  • Disconnect the session.

  • Connect to the user session.

  • Send messages to the user.

As shown in Figure 11.5, when a user connects to a Remote Desktop session, this connection is displayed in the Terminal Services Manager MMC. This view shows the status for all the connections, including the following:

  • User: The user ID of the user who started the session.

  • Session: The type of session. This will be either RDP-TCP# or Console. Note that the special listener port is designated as just RDP-TCP.

  • State: The current state of the connection. This will be Active, Disconnected, or, in the case of the listener session, Listening.

  • Type: This is the type of connection. It will be either Console or the client version.

  • Client Name: This is the name of the client machine on which the connection software is running.

  • Idle Time: This is the time since there was any activity on the connection.

  • Logon Time: This is the time and date of the initial connection.

Figure 11.5. The Terminal Service Manager MMC, showing the connected sessions.


To manage a user session, right-click the connection from the Sessions tab and select an option from the pop-up menu, as shown in Figure 11.6. Descriptions of the various options are listed in the following sections.

Figure 11.6. The Terminal Service Manager MMC, showing the session-management options.


Note: Terminal Services Manager Restrictions

The Remote Control and Connect to Session features of the Terminal Services Manager tool are available only when the tool is run in a Terminal Services session. These features are not available when the Terminal Services Manager is run from the server console.


Disconnecting and Reconnecting a Session

To disconnect a session, click Disconnect on the Action menu. Disconnecting a session closes the connection between the server and client; however, the user is not logged off and all running programs remain. If the user logs on to the server again, the disconnected session is reconnected to the client. A disconnected session shows Disc in the State field.

To connect to the disconnected session, click the session in Terminal Services Manager and select Connect from the Action menu. The current session is disconnected, and the selected session is connected to your terminal.

Your session must be capable of supporting the video resolution used by the disconnected session. If the session does not support the required video resolution, the operation fails.

Sending Messages

You can send a message to users informing them of problems or asking them to log off the server. To send a message, right-click an active session and then select Send Message from the Action menu. If you select multiple users, the message is sent to each user.

Remote Controlling a User's Session

You can monitor the actions of users by remote controlling their sessions. The remote-controlled session is displayed in the controller's session, and it can be controlled by the mouse and keyboard of the remote control terminal. By default, the user being controlled is asked to allow or deny session remote control. Keyboards, mice, and notification options can be controlled from the Active Directory Users and Computers MMC.

To remote control a session, right-click the session from the Sessions tab and then select Remote Control from the Action menu.

The remote control session must be capable of supporting the video resolution used by the shadowed session. If the remote control session does not support the required video resolution, the operation fails.

Resetting a Session or Connection

You can reset a session in case of an error. Resetting the session terminates all processes running on that session. To reset a user session, right-click the user from the Users tab of the Terminal Services Manager MMC and then select Reset from the Action menu. If you select multiple users, each user session is reset.

Resetting a session may cause applications to close without saving data. If you reset the special RDP-TCP Listener session, all sessions for that server are reset.

Logging Users off the Server

You can forcefully end a user's session by right-clicking the user from within the Users tab and then selecting Logoff from the Action menu. If you select multiple users, each user is logged off.

Caution: Data Loss!

Logging off or resetting a user's session without giving her a chance to close her applications can result in data loss.


Terminating Processes

To end a user or system process, right-click the process from the Process tab and then select Terminate from the Action menu. If you select multiple processes, each process is terminated.

Caution: Termination Instability!

Terminating a user process can result in the loss of data and can also cause the server to become unstable.


Using the Remote Desktop Connection Client

The Remote Desktop Connection client is installed by default on Windows Server 2003. You can open an RDC session by clicking Start, All Programs, Accessories, Communications, Remote Desktop Connection.

This opens the RDC client, as shown in Figure 11.7. In the Computer field, you can type either the IP address or the name of the remote computer to which you want to connect. If you have previously connected to this computer, you can click the drop-down list, and you will see a list of the computers to which you have made connections.

Figure 11.7. You can select a previous RDC connection via the drop-down list in the Remote Desktop Connection dialog box.


If you do not see the name or IP address listed, and you cannot remember it, you can click <Browse for more...>, and all the Terminal Services servers you are able to connect to will be listed.

Note: Remote Desktop for Administration Mode Doesn't Advertise

By default, only Windows Server 2003 computers running Terminal Services in Application Server mode advertise their presence to the browse list. To enable a Windows Server 2003 server running in Remote Desktop for Administration mode to advertise itself as a Terminal Services server in the browse list, change the TSADVERTISE value under the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server key from 0 to 1.


After selecting a connection, click Connect and you will see the logon prompt for the remote server. Enter the proper credentials, and you will log on to a desktop from the remote server (see Figure 11.8).

Figure 11.8. After you successfully connect remotely, you will see a Remote Desktop window.


From this window, you can run the programs on the remote server, just as if you were sitting in front of the server console. If you would prefer to see the remote desktop in full-screen mode, click the Maximize button in the upper-right corner of the window. When running RDC in full-screen mode, it is hard to tell that this is a virtual session.

When it's time to end your session, you have two choices: You can either log off or disconnect the session. You log off the session by clicking Start, Shutdown, and then Logoff from the Security dialog box. To disconnect the session, select Disconnect from the Security dialog box or click the Close button in the upper-right corner of the window. If you log off a session, any programs running are automatically shut down for you, just as if you were using your own computer. However, if you disconnect a session, any programs that are running remain running. The next time you log in to the server, the session will be just as you left it.

Note: Terminal Services Etiquette

The default configuration of a Terminal Services server is to maintain disconnected sessions indefinitely. However, even when a session is disconnected, it still uses resources on the server. Unless you have a good reason for leaving a session running, such as running a batch job or a long-running database function, it is usually best to log off when you are finished. Logging off allows the server to release the session, and the resources associated with keeping it active will be available for other processes.
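Because disconnected sessions are kept indefinitely by default, it helps to check for them on a schedule. The following is an added example, not part of the original chapter: it parses a constructed session listing laid out like the output of the `query user` command-line tool (the exact column layout and the 60-minute threshold are assumptions) and reports sessions in the Disc state that have been idle too long.

```python
# Constructed sample listing; user names, times and layout are illustrative.
SAMPLE_LISTING = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         console             0  Active          .  6/1/2004 9:02 AM
 jsmith                rdp-tcp#1           1  Active         12  6/1/2004 9:15 AM
 mlee                                      2  Disc      1+03:22  5/31/2004 4:40 PM
 backupsvc                                 3  Disc         0:45  6/1/2004 8:30 AM
"""


def idle_minutes(idle):
    """Convert an idle field ('.', 'none', '12', '0:45', '1+03:22') to minutes."""
    if idle in (".", "none"):
        return 0
    days, _, clock = idle.rpartition("+")       # optional 'D+' prefix
    hours, _, minutes = clock.rpartition(":")   # optional 'H:' prefix
    return int(days or 0) * 1440 + int(hours or 0) * 60 + int(minutes)


def parse_listing(text):
    """Turn each data row of the listing into a dict; the header row is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        # A leading '>' marks the caller's own session; drop it with the padding.
        tokens = line.lstrip(" >").split()
        if len(tokens) < 4:
            continue
        user = tokens.pop(0)
        # A disconnected session has no session name, so the numeric ID comes next.
        session = "" if tokens[0].isdigit() else tokens.pop(0)
        if len(tokens) < 3 or not tokens[0].isdigit():
            continue  # row does not match the expected layout
        rows.append({
            "user": user,
            "session": session,
            "id": int(tokens[0]),
            "state": tokens[1],
            "idle": idle_minutes(tokens[2]),
            "logon": " ".join(tokens[3:]),
        })
    return rows


def stale_disconnected(text, max_idle_minutes=60):
    """Return rows in the Disc state whose idle time exceeds the threshold."""
    return [
        row for row in parse_listing(text)
        if row["state"] == "Disc" and row["idle"] > max_idle_minutes
    ]


if __name__ == "__main__":
    for row in stale_disconnected(SAMPLE_LISTING):
        print(f"session {row['id']} ({row['user']}) disconnected, "
              f"idle {row['idle']} min, logged on {row['logon']}")
```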


Using the Remote Desktop Client

In the previous section, we logged on to a Remote Desktop session using the default settings. However, the RDC client has many configuration options available that allow you to configure it for the optimum performance in many different situations.

To access these settings, open the RDC client and click the Options button. The settings on the General tab allow you to preconfigure the server, username, password, and domain to connect to.

The RDC client also allows you to export your client configuration settings to a file that can be used on other machines. Just click Save As under Connection Settings.

The display settings are available from the Display tab (see Figure 11.9). The screen display can be configured in the following resolutions:

  • 640x480

  • 800x600

  • 1024x768

  • 1152x864

  • 1280x1024

  • 1600x1200

Figure 11.9. You configure display settings for Remote Desktop Connection via the Display tab.


You can also set the color resolution, up to a maximum of True Color (24 Bit); however, the higher the resolution, the more data that has to go over the link between the client and the remote server. You will probably want to keep this as low as possible over low-speed links. It's important to remember that the settings on the Terminal Services server always override the RDC client settings.

There is also an option to display the connection bar when you are in full-screen mode. The icons on the connection bar allow you to quickly minimize or maximize your session. The connection bar appears when you move your mouse to the top of the screen. To always display the connection bar at the top of the screen, click the push pin. The connection bar was shown earlier in Figure 11.8.

Note: Display Characteristics

The maximum display resolution that you can configure is equal to the settings on your client computer. For example, if the client is configured for 800x600 with 256 colors, you won't be able to configure the RDC session to 1024x768 with 16-bit resolution. The client has to have a desktop resolution either equal to or higher than the RDC session.


The Local Resources tab, shown in Figure 11.10, allows you to configure the interface characteristics of the session, such as sound, keyboard, and device mapping. The Remote Computer Sound option allows you to hear the sounds generated by the remote server session through your local computer. Although this is useful for applications that use sounds as prompts, it's not a good idea to play MP3s over a low-speed connection because sound uses a significant amount of bandwidth. For slow connections, it's recommended that you set this to Do Not Play.

Figure 11.10. You can configure interface characteristics for the Remote Desktop connection via the Local Resources tab.


The Local Devices option allows you to specify which of the devices attached to your local computer will be available in your RDC session. This allows you to access your local drives, printers, the Clipboard, or any devices attached to your serial port.

For example, you can cut and paste data from the RDC session to the local computer, and vice versa. You can also copy files from the local drives to the drives of the Windows Server 2003 Terminal Services server, if you have the proper NTFS permissions.

The Keyboard option allows you to specify how the standard Windows key combinations are handled while you are in a remote session. For example, if you are running a remote session and you select the Alt+Tab key combination, the local computer will respond to the keystrokes. You can choose to have the Windows keys assigned to one of the following:

  • The local computer

  • The remote computer

  • The remote computer, only when the session is in full-screen mode

The Programs tab allows you to specify the name and location of a program to run when you connect to the remote session. You will have access only to the program and will not get the Windows desktop. When you close the application, your session will be automatically logged off.

The Experience tab, shown in Figure 11.11, allows you to tailor the performance of your RDC session to the speed of your connection. For example, on a slow dial-up connection, you should turn off all the options except for Bitmap Caching. The Bitmap Caching feature improves performance by using your local disk to cache frequently used bitmaps to reduce the RDP traffic. The visual features listed here greatly affect the amount of data that has to be carried over the link between the server and the client.

Figure 11.11. You can configure additional options for Remote Desktop Connection via the Experience tab.


You will notice that as you select the different connection speeds, different options are selected. These are Microsoft's recommendations for each link speed. You can create your own configuration by selecting Custom. Unless you are connecting locally via a LAN, it's usually best to turn off all the options except for Bitmap Caching.
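The options described in this section are what Save As writes to the connection file. The following PowerShell is an added example, not from the book: it parses such a file and marks the entries worth reviewing before the file is copied to other machines (a saved password, mapped local devices, a start program). The `name:type:value` line format and the setting names are those of the RDC client's saved file and do not appear on this page; the function names and the sample file contents are constructed.

```powershell
# Added example, not from the book. The sample file contents are constructed.
function ConvertFrom-RdpText {
    param([string[]]$Lines)
    # Each line is name:type:value; type is i (integer), s (string) or b (binary, as hex).
    $settings = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:]+):([isb]):(.*)$') {
            $name  = $Matches[1].Trim().ToLower()
            $type  = $Matches[2]
            $value = $Matches[3].Trim()
            if ($type -eq 'i') { $value = [int]$value }
            $settings[$name] = $value
        }
    }
    return $settings
}

function New-ReportRow {
    param($Item, $Value, [bool]$Review)
    [pscustomobject]@{ Item = $Item; Value = $Value; Review = $Review }
}

function Get-RdpFileReport {
    param([hashtable]$Settings)
    $audioModes = @{ 0 = 'Bring to This Computer'; 1 = 'Leave at Remote Computer'; 2 = 'Do Not Play' }
    $devices    = [ordered]@{ redirectdrives = 'Local drives'; redirectprinters = 'Printers'
                              redirectcomports = 'Serial ports' }

    New-ReportRow -Item 'Server' -Value ($Settings['full address']) -Review $false

    # General tab: a saved password is stored in the file as a binary blob.
    $hasPassword = $Settings.ContainsKey('password 51')
    New-ReportRow -Item 'Saved password in file' -Value $hasPassword -Review $hasPassword

    # Local Resources tab: devices made available inside the session.
    foreach ($key in $devices.Keys) {
        $mapped = ($Settings[$key] -eq 1)
        New-ReportRow -Item ("{0} available in session" -f $devices[$key]) -Value $mapped -Review $mapped
    }
    if ($Settings.ContainsKey('audiomode')) {
        New-ReportRow -Item 'Remote computer sound' -Value ($audioModes[$Settings['audiomode']]) -Review $false
    }

    # Programs tab: a program that starts on connection instead of the desktop.
    $program = $Settings['alternate shell']
    if ($program) {
        New-ReportRow -Item 'Start program' -Value $program -Review $true
    }
}

# Constructed sample; the password blob is a placeholder, not a real value.
$sample = @'
screen mode id:i:2
desktopwidth:i:1024
desktopheight:i:768
session bpp:i:24
full address:s:ts01.example.test
username:s:jsmith
domain:s:EXAMPLE
password 51:b:0123456789ABCDEF
audiomode:i:0
redirectdrives:i:1
redirectprinters:i:1
redirectcomports:i:0
alternate shell:s:
'@ -split "`r?`n"

# For a real file, pass (Get-Content -Path <file>) instead of $sample.
Get-RdpFileReport (ConvertFrom-RdpText $sample) | Format-Table -AutoSize
```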

Configuring Terminal Services Connections

Although the default Terminal Services configuration settings are fine for the average installation, the Terminal Services Configuration MMC allows you to fine-tune Terminal Services to provide the best combination of performance and features for your installation. The Terminal Services Connection MMC is used to configure the Remote Desktop Protocol-Transmission Control Protocol (RDP-TCP) connection used to communicate between the Windows Server 2003 server and the RDC client.

The RDP-TCP connection can be configured by right-clicking the connection entry in the Terminal Services Connection MMC and selecting Properties from the pop-up menu.

From the General tab, shown in Figure 11.12, you can add a comment to describe the connection, configure the encryption level of the connection, or select whether to use Windows authentication. The settings for encryption are as follows:

  • Low This setting encrypts the data traveling over the connection using 56-bit encryption. However, only the data sent from the client to the server is encrypted; data sent from the server to the client is not. This option is useful because it encrypts the user password as it is sent from the client to the server.

  • Client Compatible This option automatically encrypts all data sent between the client and the server at the maximum key strength supported by the client. This option is useful in an environment where different types of clients are supported.

  • High This option encrypts all data using 128-bit encryption. This option can be used in an environment that supports only the RDC client; all other connections will be refused.

  • FIPS Compliant This option encrypts all data using the Federal Information Processing Standard (FIPS) encryption algorithms.

Figure 11.12. The RDP-TCP Properties dialog box, showing the options on the General tab.

Note: Per User Settings

The settings described in this section apply to all users. The settings for an individual user can be configured via the Terminal Services tab of the user object in the Active Directory Users and Computers MMC.


The Use Standard Windows Authentication option needs to be selected only in those cases where a third-party authentication mechanism has been installed and you want to use the Windows Standard Authentication method for RDP connections.

From the Logon Settings tab, you can select to have all users automatically log on to the Terminal Services server by using a common username and password that you enter here. In addition, you can select to prompt them for a password when using this common account by selecting the Always Prompt for Password option. The default is for the user to provide logon credentials.

From the Sessions tab, shown in Figure 11.13, you can select the default session timeout and reconnection settings. These settings are used to determine what action, if any, to take for sessions that have been connected longer than a specified time or have been disconnected. The options are as follows:

  • End a Disconnected Session This option determines what to do with a disconnected session. A session can become disconnected by a user or because of a communication failure between the server and the RDC client. Even though a session is in the disconnected state, any applications that were running will continue to run. However, these applications will continue to use resources on the server. This option can be used to automatically terminate sessions that remain in a disconnected state for a configured period of time. After the disconnected session is terminated, any resources it was using will be available for other sessions. However, this option can cause the loss of user data if any user files are open when the session is terminated.

  • Active Session Limit This setting allows you to configure the maximum time that a session can be active before it is either terminated or disconnected, depending on the setting of the When Session Limit Is Reached or Connection Is Broken option.

  • Idle Session Limit This setting allows you to configure the maximum time a session can be idle before it is either terminated or disconnected, depending on the setting of the When Session Limit Is Reached or Connection Is Broken option.

  • When Session Limit Is Reached or Connection Is Broken This option allows you to configure the action to take when a session is disconnected or when a session limit is reached. In the case of the session limit being reached, the session is either disconnected or terminated, depending on this setting. When this option is selected, a disconnected session will automatically be terminated.

  • Allow Reconnection This option is used only with the Citrix-ICA connection. The default for the RDP-TCP connection in Windows Server 2003 is to allow reconnection from any client when a session is in the disconnected state.

Figure 11.13. You can override user settings via the RDP-TCP Properties dialog box's Sessions tab.


The Sessions tab allows you to override any configuration settings that were made in the user profile, RDC, or Terminal Services client using the options on the tabs of the RDP-TCP Properties dialog box.

The Remote Control tab allows you to configure the Remote Control feature of Windows Server 2003 Terminal Services. The available options are as follows:

  • Use Remote Control with Default User Settings This is the default option, and it uses the configuration from the user account to determine whether Remote Control is allowed and how it is configured.

  • Do Not Allow Remote Control This option turns off Remote Control for all sessions.

  • Use Remote Control with the Following Settings This option turns on Remote Control and is used to select whether the user will be prompted when the administrator attempts to control a remote session, and what level of control the administrator will have.

The Client Settings tab, shown in Figure 11.14, allows you to configure the client experience features of Windows Server 2003 Terminal Services.

Figure 11.14. Client Settings allows you to map local resources to your session.


The Connection area allows you either to use the connection settings chosen on the Local Resources tab of the RDC client (the default) or to configure the settings individually. These options control whether the various devices configured on the computer that the RDC client is installed on will be available in the RDC session.

The options in the Disable the Following area allow you to enable/disable various actions, such as printing from the RDC session to the printers attached to the client computer on which you are running the RDC client. As shown in Figure 11.15, when drive mapping is enabled, the drives on the local client are available within an RDC session, listed under the Other section.

Figure 11.15. My Computer, showing the mapped client devices listed under Other.


The Network Adapter tab allows you to limit the number of concurrent RDC client connections by network adapter.

The Permissions tab allows you to configure which users or groups are allowed to connect to Windows Server 2003 Terminal Services and what permissions they will have. The recommended method of allowing users to connect to Windows Server 2003 Terminal Services is to add their user accounts to the Remote Desktop Users group. This group has already been granted the necessary permissions, including the Allow Logon Through Terminal Services, which is necessary to connect via a Terminal Services or RDC client.

Exam Alert: Remote Desktop Users Group

Do not confuse the Log on Locally right with the rights granted by adding a user to the Remote Desktop Users group. The Log on Locally right allows users to log on to the server at the console, thereby allowing them direct access to the server. Adding a user to the Remote Desktop Users group allows a user to log on to the server over the network using the Terminal Services interface. The amount of access that members of the Remote Desktop users group have to the server can be strictly controlled by the administrator. Knowing the differences between these two functions is important in the field and for the exam.


In addition to the settings available from the property pages of the RDP-TCP connection, there are configuration options listed under the Server Settings folder.

These settings are as follows:

  • Delete Temporary Folders on Exit This option deletes all temporary folders created by RDC sessions as they are exited. This option is turned on by default.

  • Use Temporary Folders Per Session This option allows you to create a temporary folder for each session. This option is turned on by default.

  • Licensing This option allows you to select either per-device or per-user licensing. This option is set to Per Device by default. On a Terminal Services server in Remote Administration for Desktops mode, this attribute is displayed as Remote Desktop and is not configurable.

  • Active Desktop This option is used to enable/disable the Active Desktop in RDC sessions. It is disabled by default. This option should not be enabled because the additional overhead required to support Active Desktop in RDC sessions impacts performance.

  • Permission Compatibility This option is set to Full Security by default. Full Security is equivalent to the default security settings present on Windows Server 2003. Because most folders and the Registry are locked down, a lot of older applications cannot be installed or run in this configuration. The other option provided is Relaxed Security, which is equivalent to running on a Windows 2000 Terminal Server. For the best security, set this option to Full Security and use only Windows Server 2003-compatible applications.

  • Restrict Each User to One Session This option keeps users from connecting to multiple sessions via multiple RDC clients. This option is enabled by default.

Challenge

You are the administrator of a network that includes a Windows Server 2003 server configured for Terminal Services Application Server mode. The programming staff has just finished loading a new application on the Terminal Services server. However, the staff needs your assistance. It seems that this new application requires the users to respond to audio signals that are output through their PC speakers. Unfortunately, although the program is running fine on client workstations, the staff has never tested it on a Terminal Services server before and doesn't know the proper way to configure sound.

What is the best way to solve this issue in Windows Server 2003 Terminal Services? On your own, try to develop a solution that would involve the least amount of configuration changes.

If you would like to see a possible solution, follow these steps:

1. On the Windows Server 2003 Terminal Services server, click Start, All Programs, Administrative Tools, Terminal Services Configuration.

2. In the right pane of the Terminal Services Configuration MMC, double-click the Connections folder.

3. Right-click the RDP-TCP connection and then select Properties from the pop-up menu.

4. Click the Client Settings tab of the RDP-TCP Properties dialog box.

5. On the Client Settings tab, deselect the Audio Mapping check box under Disable the Following in the lower-right section of the dialog box.

6. Click the OK button to save. Close the MMC.

7. On the client computer, start the RDC client.

8. From the RDC client prompt, click the Options button.

9. From the Options dialog box, click the Local Resources tab.

10. Change the Remote Computer Sound drop-down list to Bring to This Computer.

11. Click Connect.

Audio mapping is turned off by default in Windows Server 2003 Terminal Services, so you have to enable it on the server and on the client. In addition, there must be a sound card with the proper drivers loaded on both the server and the client. Typically, sound is not used in Terminal Services sessions because it can demand a lot of bandwidth over the RDP connection.


Managing Windows Server 2003 Terminal Services via Group Policy

Although Windows Server 2003 Terminal Services can be managed using the Terminal Services Connection MMC, if you have multiple Terminal Services servers, this can become a nightmare. Fortunately, Microsoft has included some additions to Group Policy in Windows Server 2003 to support Terminal Services configuration. These policies can be found under the Computer Configuration section of Group Policy, as shown in Figure 11.16.

Figure 11.16. You can configure settings for multiple Terminal Services servers via the Group Policy MMC's Terminal Services folder.


The options available include not only the options from the Terminal Services Manager and the Terminal Services Connection MMC, but also various user interface options applicable in the Terminal Services environment. This simplifies Terminal Services configuration by putting the majority of configuration options in a centralized location.

You should create an Organizational Unit (OU) to hold all your Windows Server 2003 Terminal Services servers, and then configure the Computer Configuration settings in the Group Policy object, instead of configuring each individual server. Group Policies override the settings configured with the Terminal Services Configuration tool.

Note: Only for Windows Server 2003

Group Policy can be used to manage only Windows Server 2003 Terminal Services servers. Windows 2000 and Windows NT Terminal Services are not supported.
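The connection settings from the General, Sessions, and Client Settings tabs, together with the rule that Group Policy overrides the Terminal Services Configuration tool, can be checked in one pass. The following PowerShell is an added example, not from the book: it resolves the effective value of each setting (policy over local) and marks the ones worth reviewing. The registry paths and value names are assumptions of this example and are not given on this page, so confirm them on the server you audit; the sample values are constructed.

```powershell
# Added example, not from the book. Registry paths and value names are
# assumptions of this example; the sample tables at the end are constructed.
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$EncryptionNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$Redirection = [ordered]@{ fDisableCdm = 'Drive mapping'; fDisableCpm = 'Windows printer mapping'
                           fDisableClip = 'Clipboard mapping' }

function Read-KeyValues {
    param([string]$Path)
    # Returns every value under a registry key as a hashtable (empty if the key is absent).
    $values = @{}
    if (Test-Path $Path) {
        $key = Get-Item $Path
        foreach ($name in $key.GetValueNames()) { $values[$name] = $key.GetValue($name) }
    }
    return $values
}

function Resolve-Effective {
    param([hashtable]$Local, [hashtable]$Policy)
    # Policy values are written last, so they replace the locally configured ones.
    $effective = @{}
    foreach ($name in $Local.Keys)  { $effective[$name] = @{ Value = $Local[$name];  Source = 'Local'  } }
    foreach ($name in $Policy.Keys) { $effective[$name] = @{ Value = $Policy[$name]; Source = 'Policy' } }
    return $effective
}

function New-Row {
    param($Setting, $Value, $Source, [bool]$Review)
    [pscustomobject]@{ Setting = $Setting; Value = $Value; Source = $Source; Review = $Review }
}

function Test-TsConnection {
    param([hashtable]$Effective)

    # Encryption level: Low leaves server-to-client data unencrypted, and
    # Client Compatible lets each client's capability set the key strength.
    $enc = $Effective['MinEncryptionLevel']
    if ($enc) {
        $level = [int]$enc.Value
        New-Row -Setting 'Encryption level' -Value ($EncryptionNames[$level]) -Source $enc.Source -Review ($level -lt 3)
    } else {
        New-Row -Setting 'Encryption level' -Value 'not set' -Source 'None' -Review $true
    }

    # End a Disconnected Session: stored in milliseconds, 0 means never.
    # A local value applies only when the inherit flag is off (Override User Settings).
    $limit   = $Effective['MaxDisconnectionTime']
    $inherit = $Effective['fInheritMaxDisconnectionTime']
    $label   = 'End a disconnected session'
    if (-not $limit) {
        New-Row -Setting $label -Value 'not set' -Source 'None' -Review $true
    } elseif ($limit.Source -eq 'Local' -and $inherit -and [int]$inherit.Value -eq 1) {
        New-Row -Setting $label -Value 'per-user setting applies' -Source 'Local' -Review $true
    } elseif ([int]$limit.Value -eq 0) {
        New-Row -Setting $label -Value 'Never' -Source $limit.Source -Review $true
    } else {
        $minutes = [int]$limit.Value / 60000
        New-Row -Setting $label -Value ("{0} min" -f $minutes) -Source $limit.Source -Review $false
    }

    # Client Settings tab, Disable the Following: 1 means the mapping is disabled.
    foreach ($name in $Redirection.Keys) {
        $entry = $Effective[$name]
        if (-not $entry) {
            New-Row -Setting $Redirection[$name] -Value 'not set' -Source 'None' -Review $true
        } elseif ([int]$entry.Value -eq 1) {
            New-Row -Setting $Redirection[$name] -Value 'Disabled' -Source $entry.Source -Review $false
        } else {
            New-Row -Setting $Redirection[$name] -Value 'Allowed' -Source $entry.Source -Review $true
        }
    }
}

# Constructed sample standing in for the two registry keys.
$local  = @{ MinEncryptionLevel = 1; fInheritMaxDisconnectionTime = 1; MaxDisconnectionTime = 0
             fDisableCdm = 0; fDisableCpm = 1; fDisableClip = 0 }
$policy = @{ MinEncryptionLevel = 3; MaxDisconnectionTime = 1800000 }
# On a Terminal Services server, use instead:
#   $local = Read-KeyValues $LocalKey; $policy = Read-KeyValues $PolicyKey
Test-TsConnection (Resolve-Effective $local $policy) | Format-Table -AutoSize
```

With the sample values, the policy entries replace the local Low encryption level and the missing disconnect limit, while drive and clipboard mapping remain allowed from the local configuration and are marked for review.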


Challenge

You are the administrator of a network that includes a Windows Server 2003 server configured for Terminal Services Application Server mode. The server is configured properly and should have enough capacity for the projected number of users. However, lately you have noticed that performance seems to decrease toward the end of the day. After some checking around, you discover that some of the users are disconnecting their sessions instead of properly logging off. Therefore, their disconnected sessions use up valuable system resources.

What is the best way to solve this issue in Windows Server 2003 Terminal Services? On your own, try to develop a solution that would involve the least amount of configuration changes.

If you would like to see a possible solution, follow these steps:

1. Click Start, All Programs, Administrative Tools, Terminal Services Configuration.

2. In the right pane of the Terminal Services Configuration MMC, double-click the Connections folder.

3. Right-click the RDP-TCP connection and then select Properties from the pop-up menu.

4. Click the Sessions tab of the RDP-TCP Properties dialog box.

5. On the Sessions tab, click the Override User Settings check box in the upper-left section of the dialog box.

6. From the End a Disconnected Session drop-down list, select the length of time you want Terminal Services to wait before terminating a disconnected session.

7. Click the OK button to save. Close the MMC.

Because there is only one Windows Server 2003 Terminal Services server, it's just as easy to set the disconnection settings in the Terminal Services Configuration MMC as it would be to accomplish the same thing via Group Policy.


Terminal Services Session Directory

Even though you can support quite a few user sessions per processor using Windows Server 2003 Terminal Services, there will always be certain applications that are CPU hogs or that need to be available to a large number of users. You can set up multiple Windows Server 2003 Terminal Services machines and assign groups of users to each one, but this doesn't provide any redundancy. In addition, what if one server has 200 users and is starting to slow down under the load, while another server is loafing along with only 10?

You can use a process called load balancing to spread the application load across two or more servers. This prevents one server from becoming overloaded while another is loafing. This also provides redundancy for your applications because the failure of a single server does not prevent your users from completing their work.

Windows Server 2003 Network Load Balancing is a feature included in all the Microsoft Windows Server 2003 operating systems. The Network Load Balancing (NLB) feature is used to enhance the scalability and availability of mission-critical, TCP/IP-based services such as web, Terminal Services, virtual private networking, and streaming media servers. NLB requires no additional hardware or software components.

NLB works by distributing IP traffic across multiple Windows Server 2003 servers. Load balancing works on the principle that if a server is busy or unavailable, a client connection is routed to the next available server. Unlike clustering, load balancing does not require that you have identical servers. It also does not require any special disk units or other hardware, so it is an economical configuration. However, you are required to install identical applications in exactly the same manner on each server that is to be balanced.

To the client, it looks like a single server is handling requests because the client sees a single virtual IP address and hostname. NLB is also capable of detecting host server failures and automatically redistributing traffic to the surviving servers. NLB can support up to 32 servers in a balanced configuration.

When you set up an NLB configuration, you can either allow the load to be equally distributed among the servers or specify the load percentages for individual servers. By specifying individual load percentages, you can use dissimilar servers in your balanced configuration. Incoming client requests are distributed among the servers according to this configuration.

All the servers in the balanced configuration exchange heartbeat messages, so they know when a server enters or leaves the configuration. When a server is added or leaves the configuration by either configuration change or failure, the other servers automatically adjust and redistribute the workload. In the current version of Windows Server 2003 Network Load Balancing, the load balance is a static percentage and does not change in response to the actual load of the server, as determined by CPU or memory usage.

Most server failures are detected within 5 seconds, and the recovery and redistribution of the workload are accomplished within 10 seconds. However, the RDC client loses its connection and must reconnect. As long as IP affinity, which automatically redirects a client session to the last server it was connected to, is turned on in NLB, this isn't a problem. Because NLB uses the IP address of the client when routing, it can reconnect to a disconnected session. However, in those situations where the user has moved to another computer or received a different IP address via DHCP, the user receives a new session chosen at random from the group of servers.

To solve this dilemma, Microsoft has included the Terminal Services Session Directory Service as a new feature in the Windows Server 2003 Enterprise and Datacenter editions. The Session Directory Service creates a database on a server that contains a record of the current sessions being hosted by a load-balanced cluster of Windows Server 2003 Terminal Services servers. The session directory database indexes the sessions using the username instead of the IP address. This allows disconnected sessions to be reconnected by using the username to look up the location of a disconnected session when the user is trying to log on to the Terminal Services server again. After it is determined which server is hosting the session that the user was disconnected from, his logon is routed to that server.

The Session Directory (SD) doesn't have to be on a server that has Terminal Services installed. In large Windows Server 2003 Terminal Services installations, it's recommended that SD be hosted on a separate high-availability server.
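The difference between routing by client IP address and looking up the session by username can be shown with a small model. This PowerShell is an added illustration, not from the book and not how NLB or the Session Directory Service is implemented: the affinity function is a stand-in hash, and the server names, username, and IP addresses are constructed.

```powershell
# Added illustration, not from the book and not NLB or Session Directory code.
$Farm = @('TS1', 'TS2', 'TS3')      # constructed farm members

function Get-AffinityServer {
    param([string]$ClientIp)
    # Stand-in for NLB affinity: any deterministic map from source IP to a
    # farm member shows the behavior. The real NLB hash is different.
    $sum = 0
    foreach ($octet in $ClientIp.Split('.')) { $sum += [int]$octet }
    return $Farm[$sum % $Farm.Count]
}

function Connect-Session {
    param([string]$User, [string]$ClientIp, [hashtable]$Directory, [switch]$UseSessionDirectory)
    # $Directory maps username -> @{ Server; State }. With -UseSessionDirectory it
    # plays the role of the SD database; without it, it only records where the
    # old session was so the model can report a session left behind.
    $target = Get-AffinityServer $ClientIp
    $known  = $Directory[$User]
    $result = 'New session'
    if ($known -and $known.State -eq 'Disconnected') {
        if ($UseSessionDirectory) { $target = $known.Server }   # lookup by username, not IP
        if ($target -eq $known.Server) {
            $result = 'Reconnected to existing session'
        } else {
            $result = "New session; disconnected session left on $($known.Server)"
        }
    }
    $Directory[$User] = @{ Server = $target; State = 'Active' }
    [pscustomobject]@{ User = $User; ClientIp = $ClientIp; Server = $target; Result = $result }
}

function Disconnect-Session {
    param([string]$User, [hashtable]$Directory)
    $Directory[$User].State = 'Disconnected'
}

foreach ($useSd in $false, $true) {
    $directory = @{}
    $first = Connect-Session -User 'jsmith' -ClientIp '10.0.0.21' -Directory $directory -UseSessionDirectory:$useSd
    Disconnect-Session -User 'jsmith' -Directory $directory
    # The same user returns from another computer, so the source IP differs.
    $second = Connect-Session -User 'jsmith' -ClientIp '10.0.0.88' -Directory $directory -UseSessionDirectory:$useSd

    "Session Directory in use: $useSd"
    $first, $second | Format-Table -AutoSize
}
```

In the first pass the changed IP address maps to a different server and the disconnected session stays behind, still using resources; in the second pass the username lookup sends the logon back to the server that holds the session.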

The Session Directory Service is not enabled by default. To enable it, use the procedure outlined in Step by Step 11.4.

Step by Step

11.4 Enabling the Session Directory Service

1. Click Start, All Programs, Administrative Tools, Services.

2. Right-click the Terminal Services Session Directory entry in the right pane and select Properties from the pop-up menu.

3. Click the Start button. As shown in Figure 11.17, select Automatic from the Startup Type drop-down list.

Figure 11.17. You enable the Session Directory Service via the Terminal Services Session Directory dialog box.

4. Click OK to save.

After the Session Directory Service is started, you will have to add the Windows Server 2003 Terminal Services servers that you want to use with the service to an OU. After the servers are added to this OU, you will need to use Group Policy to enable SD for the Terminal Services servers in this OU.

To enable SD for a group of servers, use the procedure outlined in Step by Step 11.5.

Step by Step

11.5 Enabling the Session Directory for a group of servers

1. Click Start, All Programs, Administrative Tools, Active Directory Users and Computers.

2. In the right pane, right-click the OU that contains the Windows Server 2003 Terminal Services servers that you want to be controlled by the Session Directory Service. Then select Properties from the pop-up menu.

3. From the Properties dialog box, select the Group Policy tab. Click the Add button to add a new policy.

4. From the Group Policy MMC, shown in Figure 11.18, navigate to the Administrative Templates, Windows Components, Terminal Services, Session Directory folder.

Figure 11.18. The Group Policy MMC, showing the options available for the Terminal Services Session Directory.

5. Double-click the Join Session Directory entry, and then select the Enabled option from the Properties dialog box. Click OK.

6. Double-click the Session Directory Server entry and then type in the name of the SD server in the Properties dialog box. Click OK.

7. Double-click the Session Directory Cluster Name entry and then type in a name for the SD cluster in the Properties dialog box. Click OK.

8. Close the Group Policy MMC.

Although it is a best practice to use Group Policy to manage your Terminal Services Session Directory, you can also add the servers running Terminal Services that you want included in the farm to the Session Directory Computers local group on the server that is designated as the SD server.




MCSA/MCSE 70-290 Exam Prep: Managing and Maintaining a Microsoft Windows Server 2003 Environment (2nd Edition)
ISBN: 0789736489
EAN: 2147483647
Year: 2006
Pages: 219
Authors: Lee Scales
