Exercises 11.1. Installing Terminal Services in Application Server Mode In this exercise, you will install Terminal Services in Application Server mode and install a sample application. Estimated Time: 40 minutes 1. | Click Start, All Programs, Control Panel, Add or Remove Programs.
| 2. | Click the Add/Remove Windows Components button in the left pane of the Add or Remove Programs dialog box.
| 3. | The Windows Components Wizard appears. Select the Terminal Server check box.
| | | 4. | If Internet Explorer Enhanced Security Configuration is enabled (it is enabled by default), you will receive the Configuration Warning prompt. After you read and understand this warning, click the Yes button to continue.
| 5. | This returns you to the Windows Components Wizard. Click the Next button to continue.
| 6. | The Terminal Server Setup warning appears. Read and understand the warning, and then click the Next button to continue.
| 7. | The Terminal Server Setup screen appears. This screen allows you to select Full Security mode, which is new to Windows Server 2003, or Relaxed Security mode, which is roughly equivalent to the security on a Windows 2000 Terminal Services server. Click the desired option button and then click the Next button to continue.
| 8. | When the Completing the Windows Component Wizard screen appears, click the Finish button. You will be prompted to reboot the server.
| 9. | After the server has rebooted, log on as a member of the Administrators group.
| 10. | Click Start, All Programs, Control Panel, Add or Remove Programs.
| 11. | Click the Add New Programs button in the left pane of the Add or Remove Programs dialog box.
| 12. | Click the CD or Floppy button.
| 13. | When prompted, insert the CD-ROM or floppy disk, and click the Next button to continue.
| 14. | If the application isn't automatically found, click the Browse button and search for it. Click the Next button when you're finished.
| 15. | As the installation starts, a screen appears. Do not click the Next button until the application's installation procedure has been completed.
| 16. | When the Finish Admin Install screen appears, click the Finish button.
|
11.2. Securing a local folder Because all users accessing a Windows Server 2003 Terminal Services in Application Server mode server are granted the Log On Locally right, you will need to use local security to prevent them from accessing certain folders. In this exercise, you will secure a local folder so that only selected users can access its contents. Estimated Time: 40 minutes 1. | Verify that the volume the desired folder is on is an NTFS volume. If it is not, use the CONVERT command to change it to NTFS.
| 2. | Open either My Computer or Windows Explorer. Navigate to the folder on which you want to configure security.
| 3. | Right-click the object and select Properties from the pop-up menu. Click the Security tab on the resulting dialog box.
| | | 4. | From the Security tab, click the Add button.
| 5. | The Select Users or Groups dialog box appears. This dialog box allows you to select either a local or domain user or group to assign permissions to. Enter the user or group and then click OK.
| 6. | This returns you to the Folder Properties dialog box. Note that, by default, the user or group just added has been granted Read and Execute, List Folder Contents, and Read permissions for the folder.
| 7. | In the Permissions section of the Folder Properties dialog box, select the desired permissions and then click the OK button to save.
|
11.3. Configuring the disconnect timeout via Group Policy In this exercise, you will use Group Policy to set the Windows Server 2003 Terminal Services client disconnect timeout. Estimated Time: 20 minutes 1. | Click Start, All Programs, Administrative Tools, Active Directory Users and Computers.
| 2. | In the right pane, right-click the OU that contains the Windows Server 2003 Terminal Servers that you want to be controlled by the Session Directory Service. Then select Properties from the pop-up menu.
| 3. | From the Properties dialog box, select the Group Policy tab. Click the Add button to add a new policy.
| 4. | From the Group Policy MMC, navigate to the Administrative Templates, Windows Components, Terminal Services, Sessions folder.
| 5. | Double-click the item Set Time Limit for Disconnected Sessions in the right pane of the MMC.
| 6. | From the Properties dialog box, select the Enabled option button and then select a time from the End a Disconnected Session drop-down list.
| 7. | Click OK to save. Close the MMC.
|
Exam Questions | 1. | Mary is the network administrator for a loan company. As part of her duties, she built a new Windows Server 2003 server and configured Terminal Services in Application Server mode. Users report that when they try to connect to the Terminal Services server, they receive the following error message: The local policy of this system does not allow you to log on interactively. When Mary attempts to log on to the Terminal Services server from a user's computer, she is able to log on successfully. How can Mary enable the users to log on to the Terminal Services server? 
| A. | Grant the users the right to log on locally. |
| B. | Add the users to the TSUsers group. |
| C. | Grant the users the right to log on over the network. |
| D. | Add the users to the Remote Desktop Users group. |
| | 2. | You are the administrator of a small network. You have configured a Windows Server 2003 server to run Terminal Services in Application Server mode. What is the maximum number of users that can be supported?
| A. | The same amount as the number of Terminal Server licenses that were purchased |
| B. | Two, plus one for the console |
| C. | About 100 on Windows Server 2003 Standard Edition and 200 on Windows Server 2003 Enterprise Edition |
| D. | As many as the performance of the server will support |
| | 3. | You are the administrator of a small network. You have configured a Windows Server 2003 server to run Terminal Services in Application Server mode. What is the proper way to install applications?
| A. | Open Windows Explorer, navigate to the folder where the installation files are stored, and then double-click the MSI file. |
| B. | Open Add/Remove Programs, navigate to the folder where the installation files are stored, and then double-click the MSI file. |
| C. | Open a command prompt and navigate to the folder where the installation files are stored. Enter the command install. Run the MSI file from the command line. |
| D. | Open Windows Explorer and navigate to the folder where the installation files are stored. Open a command prompt, enter the command change mode /install. Then double-click the MSI file in Windows Explorer. |
| | | | 4. | You are the administrator of a small network. You have configured a Windows Server 2003 server to run Terminal Services in Remote Desktop for Administration mode. What is the proper way to install applications?
| A. | Open Windows Explorer, navigate to the folder where the installation files are stored, and then double-click the MSI file. |
| B. | Open Add/Remove Programs, navigate to the folder where the installation files are stored, and then double-click the MSI file. |
| C. | Install the applications just like on any other server. |
| D. | Open Windows Explorer and navigate to the folder where the installation files are stored. Open a command prompt, enter the command change user /install. Then double-click the MSI file in Windows Explorer. |
| | 5. | You have just finished building a new Windows Server 2003 server. Your plan is to manage it remotely using Terminal Services Remote Desktop for Administration mode, just like you've been doing with your Windows 2000 servers. However, when you open the RDC client and try to browse to the new server, you don't see it in the list. What is the most likely cause of the problem?
| A. | A bad network interface card. |
| B. | The personal firewall is blocking the ports for the browse list. |
| C. | Remote Desktop for Administration mode has not been enabled. |
| D. | Windows Server 2003 in Terminal Services Remote Desktop for Administration mode doesn't advertise to the browse list. |
| | 6. | You are the network administrator for FlyByNight Airlines. The network consists of a single Active Directory domain. All network servers run Windows Server 2003 Standard Edition. A Terminal Services farm is installed on your network. FBM1, the first server in the farm, acts as the session directory server. All terminal servers are operating at maximum capacity. An increasing number of users report slow response times when they use these servers. You need to improve the performance of the terminal server farm. You plan to use a server named FBM4, which has hardware identical to that of the other terminal servers in the farm. First, you add FBM4 to the Session Directory Computers OU. What should you do next?
| A. | Add FBM4 to the Session Directory Computers local group on FBM1. |
| B. | Add FBM4 to the Session Directory Computers global group on FBM1. |
| C. | On FBM4, install the Session Directory service. |
| D. | On FBM4, create a new session directory server. |
| | | | 7. | You are the network administrator for FlyByNight Airlines. The network consists of a single Active Directory domain. All network servers run Windows Server 2003 Standard Edition. A Terminal Services farm consisting of 10 servers is installed on your network. All Terminal Services servers are located in an OU named FBN-TS. An increasing number of users report slow response times when they use these servers. You notice that there are at least 100 disconnected Terminal Services sessions. You want all your Terminal Services servers to end disconnected sessions after 15 minutes of inactivity. You want to achieve this using the minimal amount of administrative effort. What should you do?
| A. | Log on the console of each terminal server. In the RDP-TCP connection properties, set the End a Disconnected Session option to 15 minutes. |
| B. | Edit the GPO to set the time limit for disconnected sessions to 15 minutes. |
| C. | On each Terminal Server, run the tsdiscon command to disconnect all 100 users. |
| D. | In Active Directory Users and Computers, set the End a Disconnected Session option for all domain user accounts to 15 minutes. |
| | 8. | You are the administrator of a small network. You have configured two Windows Server 2003 servers to run Terminal Services in Application Server mode. You add a domain group named Mechanics to the Remote Desktop Users group on both terminal servers. One week later, you discover that files on both servers were deleted by a user named Mitch, who is a member of the Mechanics group. You need to prevent Mitch from connecting to any of the terminal servers. What should you do?
| A. | On both terminal servers, modify the RDP-TCP connection permissions to assign the DenyUsers Access and the DenyGuest Access permissions to the Mechanics group. |
| B. | On both terminal servers, modify the RDP-TCP connection permissions to assign the DenyUsers Access permissions to the Mechanics group. |
| C. | In the properties of Mitch's user account, disable the Allow Logon to a Terminal Server option. |
| D. | Remove Mitch's user account from the Mechanics group. |
| | | | 9. | You are the network administrator for FlyByNight Airlines. The network consists of a single Active Directory domain running in Windows 2003 interim level. Network servers are a mixture of Windows Server 2003 and Windows NT 4.0. A Terminal Services farm is installed on your network. The TS farm is used to host secure documents. All users in the domain have access to the Terminal Servers by membership in the TS-Secure global group. Your company is hiring 20 summer interns. You need to make sure that the interns can't access the TS farm. What should you do?
| A. | Modify the Default Domain Group Policy object (GPO). Configure a computer-level policy to prevent the temporary employees from connecting to the terminal servers. |
| B. | Modify the Default Domain Group Policy object (GPO). Enable the user-level Terminal Server setting Sets Rules for Remote Control of Terminal Services user sessions. |
| C. | On the Terminal Services Profile tab of the user properties for each account, disable the option to log on to terminal servers. |
| D. | In the security policy for domain controllers, disable the computer-level Terminal Server setting Allow Users to Connect Remotely Using the Terminal Server. |
| E. | None of the above. |
|
Answers to Exam Questions | 1. | D. Although granting the users the right to log on locally will work, this can get unwieldy if there are a large number of users. The proper way is to add the users that need to log on to the Terminal Services server to the Remote Desktop Users group. See the "Configuring Terminal Services Connections" section for more information. | | 2. | A. The number of concurrent Terminal Services connections on all versions of Windows Server 2003 is limited to the number of licenses that are installed. However, performance will suffer as the hardware capacity is reached. See the "Terminal Services in Application Server Mode" section for more information. | | 3. | B. Applications can be installed on a Windows Server 2003 server running in Terminal Services Application Server mode in two ways: from Add/Remove Programs and, after setting the server in Install mode, by entering the command change user /install. See the "Installing Applications" section for more information. | | 4. | C. Applications can be installed on a Windows Server 2003 server running in Terminal Services Remote Desktop for Administration mode just like they would on any other server. This is because it is not a multiuser environment. See the "Installing Applications" section for more information. | | | | 5. | D. Unlike in Windows 2000 Server, Windows Server 2003 Terminal Services servers in Remote Desktop for Administration mode will not be advertised, so they can't be browsed using the RDC client. You will need to enter either the IP address or the server name. See the "Using the Remote Desktop Connection Client" section for more information. | | 6. | A. When a new server is added to a Terminal Services Farm, it must either be added to an OU, if you are managing the farm via Group Policy, or to the Session Directory Computers local group on the server hosting the Session Directory role. Although the service is installed by default on all Windows Server 2003 servers, it should be enabled only on a single server per farm. See the "Terminal Services Session Directory" section for more information. | | 7. | B. Although it is possible to log on to each server and configure the settings manually, it's more efficient to manage settings that will affect all the Terminal Servers via Group Policy. Running the tsdisconn command would drop all current disconnected sessions, but would not prevent more from occurring. Reconfiguring the user accounts would apply only to existing users, not new ones. See the "Managing Windows Server 2003 Terminal Services via Group Policy" section for more information. | | 8. | C. Although removing Mitch from the Mechanics group will work, we don't know what other permissions we would be affecting by doing so. The best way to accomplish our task is to disable TS logons in Mitch's user account. This setting overrides any other permissions to the Terminal Services servers he has been granted. The other solutions would block everyone from logging on to terminal services. See the "Configuring Terminal Services Connections" section for more information | | 9. | E. None of the above. Because the domain is running in the Windows 2003 Interim level, and the TS users are assigned via a global group, it's clear that for any new users to be added to that group, they will have to be assigned manually because at that level, you can't add a group to a global group. Disabling logons via the user account would work, but it's not necessary. See "Configuring Terminal Services Connections" and "The Four Domain Functional Levels" in Chapter 3. |
Suggested Readings and Resources 1. Anderson, Christa. Windows Terminal Services. Sybex, 2002. ISBN 0782128955. 2. Boswell, William. Inside Windows Server 2003. New Riders, 2003. ISBN 0735711585. 3. Madden, Brian. Terminal Services for Windows Server 2003. Brianmadden.Com Publishing Group, 2004. ISBN 0971151040. 4. Matthews, Marty. Windows Server 2003: A Beginners Guide. McGraw-Hill, 2003. ISBN 0072193093. 5. Microsoft Session Directory Whitepaper: http://www.microsoft.com/windowsserver2003/docs/SessionDirectory.doc. 6. Microsoft Terminal Services Overview Whitepaper: http://www.microsoft.com/windowsserver2003/docs/TerminalServerOverview.doc. 7. Microsoft Windows 2003 File Server Best Practices: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/entserver/file_srv_bestpractice.asp?frame=true. 8. Minasi, Mark, et al. Mark Minasi's Windows XP and Server 2003 Resource Kit. Sybex, 2003. ISBN 0782140807. 9. Minasi, Mark, et al. Mastering Windows Server 2003 Server. Sybex, 2003. ISBN 0782141307. 10. Shapiro, Jeffrey, et al. Windows Server 2003 Bible. John Wiley & Sons, 2003. ISBN 0764549375. 11. Tritsch, Bernard. Microsoft Windows Server 2003 Terminal Services. Microsoft Press, 2003. ISBN 0735619042. |
