Professor Windows - April 2003
Terminal Services in Windows Server 2003: Improvements and Useful Tips
Adam Overton, Lead Program Manager – Terminal Services, Microsoft Corporation
Eyal Doron, Senior Consultant, Microsoft Israel
We tend to get used to certain technologies in such a way that they seem almost trivial to us. Can you really think back on how you remotely administered your Windows Servers before Windows Terminals Services? Since Windows 2000, Terminal Services has become an important component in the Windows Operating System. Today it is available not only on the Server-side, but also on the client workstations running Windows XP Professional and on PDAs running Pocket PC 2002. We can go Remote anywhere, anytime and on any device.
This column will brief you on the main improvements that are introduced in Windows Server 2003 Terminal Services; it also discusses a collection of tips I've gathered from working with Terminals Services in the field.
This column assumes the reader has knowledge of Terminal Services technologies in general. To read more on Terminal Services Technologies, see the following link: http://www.microsoft.com/windows2000/technologies/terminal/default.asp
Windows Server 2003 Terminal Services Overview
While Windows 2000 Terminal Services had two modes of running Terminal Services, in Windows Server 2003 we now have only one mode (Previously known as Application Mode). You no longer have to go to the Add/Remove programs section just to get remote administration (limited to 2 connections, as usual). The "Remote administration mode" as we knew it is now called "Remote Desktop" or "Remote Desktop for Administration" in Windows Server 2003, and supports the Remote Desktop Protocol (RDP) 5.2 feature set. It also has the ability to provide remote access to the actual console session of the server. You can configure the Remote Desktop for Administration the same as you would in Windows XP Professional, simply by going to My Computer->Properties->Remote tab. These settings are also available through Group Policies. In terms of Security, all traffic in Remote Desktop connections goes through 128-bit encryption.
There were also some significant improvements to the protocol performance. Terminal Services in Windows Server 2003 reduces the amount of network bandwidth required to access data remotely. Using Terminal Server to run an application over bandwidth-constrained connections, such as dial-up or shared WAN links, is today more effective than ever for remotely working with large files, etc., because only a screen view of the data is transmitted, rather than the data itself.
The new Terminal Services client software (Remote Desktop Connection, or RDC) uses RDP 5.2, and many of the local resources are available within the remote session; the client drives, smart cards, audio card, serial ports, printers (including network), and the clipboard. This is really useful, those guys are geniuses. Also, the color depth can be selected from 256 colors (8-bit) to True Color (24-bit), and resolution can be set from 640 x 480 up to 1600 x 1200.
Disconnected sessions are an important area for which Windows Server 2003 has an answer for. Some of you might know this need as "session re-connect". That's when a new feature named SESSION DIRECTORY comes into play.
Windows Server 2003 allows you to create NLB farms easier then ever, embracing a unique, previously owned, Microsoft Application Center tool – NLB Manager: No more remember & write NIC priorities , no more mistakes in handling day to day NLB tasks (for step by step Do-It–Yourself NLB administration – Click Here)
Lost your connection? Your TS session is lost in space? The new session directory service will allow you to reconnect to the exact location you left, and it does not matter whether you approach a single TS farm or Multiple TS farms – round Robin! (More details on how to configure – Click Here).
Another notable change is the new group policy setting that allows you to limit users to a single session. This setting is applied per server.
Tips You Should Know About
Here are some general tips and information related to Terminal Services which are always good to know:
- "Remote Desktops" MMC or tsmmc.msc is a very useful MMC Snap-in for managing multiple machines running terminal services. This simple to use MMC snap-in allows you to manage all your Terminal Servers and Windows XP Pro machines from a single MMC. It is installed through the Windows Server 2003 Administration tools (adminpak.msi).
- Active Directory Remote Control add-on is a cool add-on for Active Directory MMC Snap-ins. This tool opens a Remote Desktop connection from Active Directory MMC snap-ins to computers running Windows Server 2003 or Windows 2000/2003 Terminal Servers or Windows XP Professional. You can download this add-on here.
- In case of need for a Macintosh (MAC) Client for Terminal Services, Try the MAC RDP Client available for download from www.microsoft.com/MAC/download/Misc/RDC.asp
In Windows Server 2003 there are some nice helpful changes you can look for:
In Windows Server 2003's Task Manager there's a new Tab called 'Users' from which you can easily see all the current user sessions connected to this server, and even perform actions on those session from task manager. Simply right-click the required session and choose the action you wish to perform.
A new account policy permission that Allows Login to Terminal Services Only. This new permission gives more granular control than the previous permission, which was "Log On Locally", and allows the user to logon both to terminal session and to the physical console.
Take Real advantage of the loopback processing Policy that allows you to differentiate between the user settings that derive from the user location (OU Policy) and special user settings that will apply only when you logon to a TS .( How to Apply Group Policy Objects to Terminal Services Servers)
You can now perform Smart-Card login to Terminal Server. This is a significant improvement for companies implementing physical access security mechanism in the form of Smart Cards.
You might ask yourself: to where did the Terminal Services Web Client disappear? Well, it's hidden today in the Add/Remove Windows Components, under the World Wide Web components of IIS 6.0. From there you can drill-down, and find and install Remote Desktop Web Administration.
When you are planning scalability for Terminal Services, use the Terminal Services Scalability planning tools. This set of tools is packed in a self-extracting EXE file named tsscalling.exe, which is available with the upcoming Windows Server 2003 Resource Kit (at the time of this writing).
For those of you who love to script around, great news awaits: Terminal Services User Properties are today exposed via ADSI. This means you can bind to an Active Directory User and read as well as write his terminal services properties. Until today the only way to achieve this functionally was to write VC++ code and wrap the WTS APIs as a COM component. As for the WMI provider, it is meant to replace the Windows Terminal Services configuration APIs while the ADSI provider is meant to replace all the Windows Terminal Services APIs that deal with setting Terminal Services properties on user objects. Here's a quick code sample that demonstrates how to use the new ADSI provider to allow/disallow a user to login to Terminal Services:
Here's a quick code sample that demonstrates how to allow/disallow a user to login to Terminal Services:
Set oUser = GetObject("LDAP://cn=User X,cn=users,DC=Dom,DC=com") oUser.AllowLogon = 0 ' 1 = Enabled, 0 = Disabled oUser.SetInfo
For those of you who aren't too skillful in scripting but like the command-line environment, the WMI Command Line tool (WMIC) that was introduced in Windows XP can be used to view Terminal Services WMI information. The relevant classes to look for are those that start with Win32_TS* and Win32_Terminal*. For example, if you need to know the RDP Protocol level a certain server supports, simply run from cmd:
WMIC path Win32_TSGeneralSetting get TerminalProtocol
An output of Microsoft RDP 5.1 means a Windows XP Professional machine.
An output of Microsoft RDP 5.2 means a Windows Server 2003.
That's it for now. I hope these tips and information will help you to deploy Windows Terminal Services more efficiently, and -not less importantly – with more joy and fun!
May the source be with you.
- Windows Terminal Services – White papers
- Terminal Services Community Center
- What's new in Windows Server 2003 Terminal Server
- Remote Desktop Connection software for Windows 9x/ME/NT/2000
- Active Directory Remote Control add-on
For any feedback regarding the content of this column, please write to Microsoft TechNet. Please be aware that a response is not guaranteed.