Windows 2003 Terminal Services
Terminal Services, known to some as an Admin’s best friend, uses RDP (Remote Desktop Protocol), relies on TCP/IP, and falls under the application layer of the ISO 7-layer model. It has been improved in Windows 2003 by offering more features, greater reliability and scalability. Terminal Services allow:
- the sharing of applications and desktops over the network
- administrators to take control of, and manage, a computer from their desk
- the centralization and management of applications (constantly keeping them up to date)
The ability to access a terminal server and establish a session via a Pocket PC, for example, is a great feature that would be handy for employees on the move. Terminal Server does not require the client to have a Microsoft Windows operating system in order to connect to it.

A 128-bit, bi-directional RC4 encryption method is used to secure the connection. Should the terminal services client not support such a high level of encryption, lower levels can be set.

A few of the most sought-after advantages include:
- Automatic re-connection of a disconnected session (useful for wireless connections)
- Smart Card Authentication support
- Automatic re-direction of client local and network mapped drives
- Automatic re-direction of Audio
- 24-bit color mode support
- Session Directory (stores a list of sessions indexed by username and server to allow automatic re-connection from a disconnected session, in a terminal server farm environment)
However, one disadvantage is that although Windows 2003 and Terminal Server offer load balancing, this can still be improved. The current system is based on network utilization and can handle up to 32 servers.

A very important feature which has been implemented is the way in which bandwidth is managed for a terminal services session. It has been improved to give low-bandwidth connections (such as dial-up) better performance by transmitting only a screen view of the remote computer, rather than the actual data itself.

To benefit from these new features, the terminal services client must be using RDP 5.1 (included in Windows XP) and the server must have RDP 5.2 (included in Windows 2003).
Setting up Windows 2003 as a Terminal Server
Open the ‘Configure Your Server’ wizard from Administrative Tools and, in the ‘select a role’ section, choose Terminal Server and click Next twice to confirm your actions. The wizard will then start to install the required files and warn you that the machine will have to be restarted during the installation process. Close any open programs and click OK.

The installation will continue for a few minutes before the machine is restarted. After the machine has booted and you log on, you are presented with a confirmation screen stating that the computer is now a terminal server.
It is important to note that a 120-day evaluation period has been allocated for unlicensed clients. If you do not obtain a license within that period, terminal services clients will no longer be able to initiate a session.
Licensing is probably where the most changes have been made. Microsoft has introduced a ‘per user’ license to add to the already familiar ‘per device’ method.

To make your machine a terminal server license server you will have to install that component separately. This can be done from the Windows Components Wizard section of the Add/Remove Programs window in Control Panel. Once you have installed this option your server will be listed in the Terminal Server Licensing console.
You will have to activate the server before it can start distributing licenses. Activation of the licensing server can be done via a direct connection to the Internet, a web browser or over the telephone. The following is a screenshot of the Terminal Server Licensing console demonstrating what you would have to do to start the activation process. This will bring up a wizard asking you to enter details and select options to suit your needs.
Follow the on screen instructions and press Finish when you are done.
Terminal Server Configuration
The two main applications used to configure the terminal server are listed below (both can be found in the Administrative Tools folder in Control Panel or on the Start menu):
- Terminal Services Manager (completely re-written in Windows 2003)
- Terminal Services Configuration
Terminal Services Manager
When you select the server name you can choose to view and manage the Users, Sessions or Processes tab. The green icons indicate that the server is online. If you had to disconnect it, the icons would be gray.

The Users tab allows you to see who is connected, how long they have been connected and the state of their connection. If you select a user and right-click, you can disconnect or reset the user’s session, send a message (which will be displayed as a pop-up message box on the client side), view the status or log the person out of the terminal server session.

The Sessions tab permits the viewing and control of the terminal server sessions. You can right-click a session and select Status to see the incoming and outgoing data, or Reset to reset the session.

The Processes tab shows all the processes that are running and which user they belong to (this is a simplified version of the Processes tab found in Windows Task Manager). Select a user, click the right mouse button and choose ‘End Process’ to kill the process.

The image below shows the Terminal Services Manager with an active connection initiated by a user (andrew). If you select the RDP-Tcp#12 (username) option you can view the processes and session information specific to that user. Note: the #12 number will be different for each session.

‘Favorite servers’ will list all the servers that you have added as a favourite; you can do this by right-clicking a server and selecting ‘Add to favorites’. You are able to connect to multiple terminal servers by pressing Actions > Connect to computer. These will be listed in the ‘All Listed Servers’ node.

Terminal Services Configuration
The screenshot below is that of the Terminal Services Configuration. Any connections that have been set up will be displayed in the Connections part of the console. Double-click a connection to open the properties page. The following table describes what actions you may take on each tab.
| Tab | Actions available |
| --- | --- |
| General | Add a comment, change the encryption level, enable standard Windows authentication |
| Logon Settings | Select whether or not to always use the same credentials for logging on, enable ‘always prompt for password’ |
| Sessions | Select whether to override the user’s settings with a set of predefined settings |
| Environment | Choose to override settings of a user profile and run a program when the user logs on |
| Remote Control | Change the way the remote control facility is used, disable remote control |
| Client Settings | Change connection, colour and mapping settings |
| Network Adapter | Specify the type of network adapter you want to use and change the connection limit |
| Permissions | Specify the user permissions (who has access to the terminal server and who doesn’t) |
The Server Settings section enables you to modify the settings of the server. Double-click a setting from the list to bring up the appropriate window and be given the option to make a change. Each setting shown in the above window is self-explanatory. The settings in the list each have an attribute which you can set according to your preferences.

Terminal Services give you the opportunity to provide a secure and reliable tool to employees. Microsoft has built on the success of Terminal Server in Windows 2000 and come up with new solutions to meet users’ needs. Better manageability and user-friendliness are just two of the improved features worth mentioning.

You have just been reading part one of an article based on Terminal Services. Part two will be released next week. It will include troubleshooting potential logon problems, terminal services tips and a guide on how to log on to a terminal server from a Windows client.
Windows 2003 Terminal Services (Part 2)
A Windows 2003 Terminal Server can be accessed by a Windows client that has Remote Desktop Connection installed, or via a web browser (Remote Desktop Web Connection).
Troubleshooting Logon Problems
Apart from the obvious logon error of typing in a wrong username or password, there are two common problems that users come across when logging on. These are shown below.

“The local policy of this system does not permit you to logon interactively.”

This error indicates that the group policy of the terminal server does not allow you to log on interactively. The settings will have to be changed from the Group Policy Object Editor by your administrator. To do this, open gpedit.msc and navigate to the following section:

Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment

Then double-click “Allow log on locally” in the Policy list, choose the user that you want to grant local logon access to and press OK. The image below indicates which section must be clicked on.

“You do not have access to logon to this session.”

This error message means that you do not have access to log on to the terminal services session because your account has not been given the effective permissions in Terminal Services Configuration on the server. To correct this, open Terminal Services Configuration, double-click the RDP connection in the main window and go to the Permissions tab. Select Add and choose your account before pressing OK and assigning the right permissions to that account. Now attempt to log on again with that user account.
Terminal Services Client Logon - A step-by-step guide
Web Client
The terminal services web client will allow you to log on to a terminal server from your web browser. This is very handy as it provides quick and easy access from anywhere. Open your web browser and in the address bar type the following:

http://server_name/tsweb

where server_name is the name of the terminal server (this can also be the IP address). If the WWW service and the tsweb website have been started on the server then you will be directed to a page like the one seen below. Enter the name of the server you want to connect to and choose the size of the screen before clicking ‘Connect’. If you do not already have the required ActiveX component installed then you will be prompted to install it – click Yes when the window pops up and asks you to confirm the setup. In my example I have chosen an 800x600 display size. The web browser will act as a placeholder for the terminal services screen to be displayed, as shown in the following screenshot.

Remote Desktop Connection
Remote Desktop Connection is installed by default on Windows XP, but can also be downloaded as a separate application from the Microsoft website. It is used to initiate a terminal services session from the client side. To open it, type mstsc in the Run box or navigate to Accessories > Communications on the Start menu. The image below shows the General tab of the Remote Desktop Connection window, which was expanded by pressing the Options >>> button on the original window. In this tab you can save your connection settings for future use, specify which computer you want to connect to and supply the logon credentials. The other tabs are used for performance-related options like the display size and colour, speed and placement of resources. Once you have entered the correct logon details, press Connect to initiate the session. It is likely that you will be asked to re-enter the logon credentials – unless the administrator has disabled the option on the terminal server.
1. If you want to connect to a terminal server via the command prompt you can do so by typing the following: “mstsc -v:servername /F -console”. ‘mstsc’ is the Remote Desktop Connection executable, -v specifies which server to connect to, /F is for full-screen mode, and -console indicates that you want to connect to the console session.
2. If you need to install a terminal services client for Mac OS you can download it from here. Once it is set up (given that you have network access and the right permissions), this will allow you to connect to a Windows-based operating system running Terminal Services from a Macintosh computer.
3. You can allow users to log on to a session automatically without having to type the username and password each time they initiate a connection. To do this, two things have to be done:
   - From the server side, open Group Policy Object Editor (gpedit.msc), double-click Administrative Templates > Windows Components > Terminal Services and then choose Encryption and Security. Open the properties box of ‘Always prompt client for password upon connection’ and disable it.
   - From the client side, open Remote Desktop Connection, and in the General tab enter the logon credentials in the appropriate boxes.
4. The web client can be installed from Add/Remove Windows Components. Go to the World Wide Web components section in the IIS 6.0 option. From there you can find and install Remote Desktop Web Administration.
5. Available in the Windows 2003 resource kit is a self-extractable file called tsscalling.exe. This contains a set of tools that will aid with the scalability planning of terminal services.
6. Each application you run uses up valuable resources which might be needed by other users, so close any programs or windows that you are not actively using.
7. If you want to remotely restart a terminal server on the network you can use the tsshutdn command. The syntax is as follows:
   tsshutdn wait_time /server:server_name /reboot /powerdown /delay:log_off_delay
   - wait_time is the number of seconds to wait before users are logged off from their sessions. The default is 60.
   - server_name specifies the name of the terminal server you want to shut down.
   - /reboot restarts the server after shutdown; /powerdown shuts it down and turns the power off.
   - log_off_delay is the amount of time to wait, after users have been logged off from their sessions, before all processes are ended and the computer is shut down. The default is 30 seconds.
8. Instead of just disconnecting from a session or closing the remote desktop window, log off – this will free up resources for other users.
9. By default, Terminal Services runs on TCP and UDP port 3389. If for some reason you have to change that, you can do so by opening the Registry Editor (regedit.exe) and navigating to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp key. Look for the DWORD value PortNumber and edit it to your needs.
10. Run Disk Defragmenter on the terminal server to keep the disk clean, fast and ‘healthy’.

That concludes part two of the Windows 2003 Terminal Services article. If utilized correctly, Terminal Services can be a quick, safe and reliable tool that allows application sharing and remote administration to become part of the package that benefits an organization and allows administrators to be more flexible.
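The settings this article changes by hand (the encryption level and ‘always prompt for password’ on the RDP-Tcp connection, the PortNumber value in tip 9, and the password prompt policy in tip 3) are all readable from the registry, so an administrator can check them in one pass. The script below is an added example, not code from the original article; it assumes it is run on the terminal server itself as an administrator, and the baseline it compares against (port 3389, High encryption, password prompt on) is this example's own choice.

```powershell
# Added example (not from the original article): audit the RDP-Tcp listener
# settings that the article configures through Terminal Services Configuration
# (encryption level, 'always prompt for password') and the registry (PortNumber).
# Assumptions: run on the terminal server as an administrator; the baseline
# (port 3389, High encryption, password prompt on) is this example's own choice.

$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$serverKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

$listener = Get-ItemProperty -Path $listenerKey
$server   = Get-ItemProperty -Path $serverKey

# MinEncryptionLevel values: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant
$levelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

$findings = @()

# fDenyTSConnections = 1 means the server refuses remote sessions entirely
if ($server.fDenyTSConnections -eq 1) {
    $findings += 'Remote connections are disabled (fDenyTSConnections = 1); clients cannot start sessions.'
}

# A moved listener port is easy to forget in firewall rules and client shortcuts
if ($listener.PortNumber -ne 3389) {
    $findings += ('Listener is on port {0} instead of 3389; firewall rules and clients must use server:{0}.' -f $listener.PortNumber)
}

# Anything below High lets the client negotiate weaker than 128-bit RC4
$level = [int]$listener.MinEncryptionLevel
if ($level -lt 3) {
    $findings += ('Encryption level is "{0}" ({1}); High (128-bit) is recommended unless legacy clients need a lower level.' -f $levelNames[$level], $level)
}

# fPromptForPassword = 1 forces a password prompt even when the client saved credentials
if ($listener.fPromptForPassword -ne 1) {
    $findings += "'Always prompt for password' is off: credentials saved in the client log on without a prompt on the server."
}

if ($findings.Count -eq 0) {
    'RDP-Tcp listener matches the baseline.'
} else {
    'RDP-Tcp listener findings:'
    $findings | ForEach-Object { ' - ' + $_ }
}
```

A setting changed through the Group Policy Object Editor (as in tip 3) is enforced from the policy hive rather than these keys, so compare the script's output with gpresult when the two disagree.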