Terminal Server Configuration


DESCRIPTION

Windows system administration


Chapter 2: Configuring Terminal Services

The Terminal Services (TS) server role enables users to connect to the server and run specific graphical applications, or to use the full Windows desktop. This capability is useful in a variety of scenarios, for example, to centralize administration of applications; to exercise greater control over what users are able to do with an application; to enable users of any of the platforms that support the remote desktop web client to access a Windows desktop or Windows-based applications. TS can lower support costs because you only have to maintain and upgrade the application on a few servers rather than hundreds or thousands of end user computers. It can facilitate new types of solutions such as allowing mobile users to securely access a Windows desktop that is located on the corporate network using nothing more than a web browser. In this chapter you will learn to:

  • Configure Windows Server 2008 Terminal Services RemoteApp (TS RemoteApp).
  • Configure Terminal Services Gateway.
  • Configure Terminal Services load balancing.
  • Configure and monitor Terminal Services resources.
  • Configure Terminal Services licensing.
  • Configure Terminal Services client connections.
  • Configure Terminal Services server options.

Configure Windows Server 2008 Terminal Services RemoteApp (TS RemoteApp)

TS RemoteApp programs appear to be running on the end user's computer: each has its own resizeable window and each appears as an item on the Taskbar, but they are actually running on a TS server. The user does not have access to the full Windows desktop on the TS server, just specific applications. The applications can be accessed through the full TS client or using the ActiveX-based client that runs within a web browser.

Installing Terminal Services

There are 5 TS role services; it is very important that you understand the function of each and how they interact with one another. Only the Terminal Server role service is required to enable basic RemoteApp functionality, but install all five on a server in your practice lab along with any dependent server roles. The five role services are:

  • Terminal Server: TS core functionality is provided by this role service, including the ability to host multiple Windows desktop sessions for remote users.

  • TS Licensing: Used for installing, issuing, and monitoring the client access licenses (CALs) that are required for each user or device to connect to a terminal server.

  • TS Session Broker: Provides session load balancing across a farm of TS servers, and ensures that clients are reconnected to their existing session after a brief interruption.

  • TS Gateway: Enables authorized users working remotely to connect to TS servers on the corporate network. This role service requires the Web Server and Network Policy and Access Services server roles.

  • TS Web Access: Enables users to access TS through a website using a web browser and the ActiveX-based TS client. This role service requires the Web Server server role.

The installation wizard will prompt you to provide a lot of information; proceed through the wizard as follows:

1. On the Specify Authentication Method for Terminal Server page of the installation wizard, specify Require Network Level Authentication and click Next. This provides a higher level of security by requiring TS clients to authenticate sooner during the process of establishing a connection to the TS server. This requires that the clients be running Remote Desktop Connection (RDC) 6.0 and an operating system (OS) that supports the Credential Security Support Provider (CredSSP) protocol, which means Windows Vista and Windows Server 2008 or Windows XP with Service Pack 3.

2. On the Specify Licensing Mode page, select Configure Later and click Next. Understanding TS licensing is an important part of preparing for the exam, therefore it's covered in its own section later in the chapter.

3. Accept the defaults for the next two pages of the wizard. On the Choose a Server Authentication Certificate for SSL Encryption page, select Choose an existing certificate for SSL Encryption if one is available, otherwise choose Create a self-signed certificate for SSL Encryption, then click Next.

4. On the Create Authorization Policy for TS Gateway page, specify that you will create the policies later; authorization policies will be covered later in this chapter.

5. Accept the defaults for the remaining pages of the wizard and complete the installation. At this point you may need to restart the server.

For a production TS server you would now install the applications that end users will be able to run; you can forego that process in your practice lab.

Configuring RemoteApp Programs

Shortcuts to the TS management tools were created in a folder called Terminal Services in the Administrative Tools folder. For the rest of the chapter, when I ask you to launch any of the TS tools I will not specify the folder name if the shortcut is located in the Terminal Services folder. To add applications to the RemoteApp programs list, open TS RemoteApp Manager and do the following:

1. Click Add RemoteApp Programs in the Actions pane, and click Next when the wizard launches.
2. Since we have not added any end user applications, select Calculator and Wordpad from the list of programs and click Next.
3. Click Finish to complete the wizard.

Now you have to decide how to make the programs available to users. You can right-click on each in the RemoteApp Programs list to see several options, as shown in figure 1:

  • Show in TS Web Access to have the applications listed on the TS Web Access website.

  • Create .rdp File to generate a shortcut to the RDC client application that includes connection information. When a user opens the shortcut the RDC client will connect to the TS server and open the RemoteApp program. Remote Desktop Protocol (RDP) is the network protocol used for TS communication. You can distribute the .rdp file by posting it on a shared network folder or copying it to each user's computer.

  • Create Windows Installer Package will also create a shortcut to the RDC client with the necessary connection settings; however, when the package is installed a few other changes can be made, such as adding a shortcut to the Start menu. You can distribute the package using group policy or whatever software management program you use.

Figure 1: Configuring RemoteApp Deployment.

Configuring Terminal Services Web Access

Right-click each program and specify Show in TS Web Access, then open TS Web Access Administration. There are 3 tabs visible:

  • The RemoteApp Programs tab contains the list of available programs; clicking on one launches the browser-based TS client.
  • The Remote Desktop tab can be used to launch the browser-based TS client with access to a full Windows desktop, if the TS server is configured to allow that type of connection.
  • The Configuration tab is used to specify which TS server the TS Web Access server will connect to.

Note that if the TS Web Access and TS server hosting the RemoteApp programs are separate systems then you must add the computer account of the former to the TS Web Access Computers security group on the latter. When users who do not have administrative privileges connect to the TS Web Access server they will only see the first two tabs, as shown in figure 2. The default URLs are http:///ts and https:///ts, where is the fully qualified domain name (FQDN) of the TS Web Access server.

Figure 2: Connecting to a TS Web Access website.

TechNet Virtual Labs: Terminal Services and Virtualization Coming Together

For decades software companies have given away evaluation versions of their products to help show potential customers the value of their solutions. Microsoft has been doing this too, manufacturing DVDs and packaging them in slim cardboard envelopes (not terribly expensive); I think it's harder to actually get the discs into the hands of the right people. Even when an influential person has the disc there is little certainty that she will spend an hour or more installing and configuring the product so that she can evaluate it. Microsoft has two programs that help to overcome these issues.

TechNet Virtual Hard Disks (VHDs) are preconfigured virtual machines that you can download and launch within Virtual PC or Hyper-V; it's a great way to familiarize yourself with Microsoft's latest software solutions. VHDs are available for many Microsoft products; the drawback is that the downloads are very large. It takes me a day or two to download multi-gigabyte files. TechNet Virtual Labs is even easier to use: you merely select a scenario and then access the servers remotely using your web browser. What happens in the background intrigues me. I was never involved in designing or building any of the virtual labs so I do not know precisely what the underlying architecture is, but it's easy to deduce the major elements. Try one out and you will see what I mean. After you sign up for your first lab you are prompted to install an ActiveX control, then you wait a few minutes while your lab is being built. I suspect that a preconfigured VHD is copied for your use, and then launched on a server running Hyper-V, and that you connect to your own personal virtual machine using an ActiveX RDP client that has been customized for TechNet. When you finish, your VHD is deleted; no matter how badly you hack up your lab it will not impact other people accessing the site. Take a look at both of these programs for yourself:

  • TechNet Virtual Hard Disks.
  • TechNet Virtual Labs.

Configure Terminal Services Gateway

The TS Gateway is designed as a single-purpose Secure Socket Layer (SSL) Virtual Private Network (VPN) that can be used to grant remote users secure access to TS servers. Users connect using whatever RDC client they prefer; the RDP traffic is encapsulated in Hypertext Transport Protocol (HTTP), which is protected by SSL/Transport Layer Security (TLS). TS Gateways increase security by ensuring clients only have access to the specific TS servers they require for their job without the need to configure full VPN connectivity.

A certificate must be installed on the TS Gateway server; it is used for SSL/TLS. You probably have a self-signed certificate installed in your practice lab. In a production environment you should use a certificate generated by a Certificate Authority (CA) trusted by the computers that will be used to access the TS Gateway, otherwise users will encounter browser warnings about a certificate which cannot be validated. The TS Gateway server must belong to an Active Directory domain if you configure authorization policies that require users or client computers to be domain members, or if you are deploying a load-balanced server farm.

The next step is to configure authorization policies. There are two kinds of policies, and you need to configure at least one of each: Terminal Services connection authorization policies (TS CAP) and Terminal Services resource authorization policies (TS RAP). A TS CAP specifies who can connect to the TS Gateway server. You can further restrict inbound connections by other criteria such as whether their computer is a member of an internal Active Directory domain or whether to allow resource redirection for Plug and Play devices. A TS RAP defines what internal resources the users can access through the TS Gateway server. To create these policies, open TS Gateway Manager and click on the server in the navigation tree, then do the following:

1. Expand the TS Gateway server in the navigation tree, expand the Policies folder, right-click the Connection Authorization Policies folder, select Create New Policy, then click Custom.

2. On the General tab, enter a name for the policy and ensure that Enable this policy is selected.

3. Click the Requirements tab, enable the desired authentication method, then click Add Group to select which groups of users will be allowed to connect, as shown in figure 3. Optionally, you can also specify which groups of computers are allowed.

Figure 3: Defining the TS CAP Requirements.

4. Click the Device Redirection tab; you can specify whether or not device redirection is allowed. Keep in mind the fact that the enforcement of this policy occurs on the client computer, so do not think of it as a robust security setting; a determined user may be able to bypass it.

5. Click OK to finish creating the TS CAP.

6. Right-click the Resource Authorization Policies folder, select Create New Policy, then click Custom.

7. On the General tab, enter a name for the policy, ensure that Enable this policy is selected, and enter a description if desired.

8. Click the User Groups tab to define which users can connect.

9. Click the Computer tab to specify the internal computers that users can connect to. There are three options:

    a. Enter the name of a domain security group that includes the computer accounts for the appropriate TS servers.
    b. Create a local group and add the names of the computers as shown in figure 4.

Figure 4: Configuring a New TS Gateway Computer Group.

    c. Allow users to connect to any internal resource.

10. If the TS servers are configured to use custom TCP ports, click the Allowed Ports tab to specify the port numbers. Click OK to finish creating the TS RAP.

There are a few other configurable settings for TS Gateway servers. Right-click the server in the navigation tree and select Properties to view them. You can limit the number of simultaneous connections, select a different SSL certificate, configure a TS Gateway server farm, and make other changes using the server's properties dialog box. To view active connections select the Monitoring folder in the navigation tree.

Using TS Gateway with Internet Security and Acceleration Server

Internet Security and Acceleration Server (ISA) can enhance the security for a server running the TS Gateway role service because it can inspect incoming traffic before forwarding it. In this configuration the ISA server is configured as an SSL bridge, that is, ISA handles the establishment and maintenance of the SSL tunnel so that it can view the decrypted network packets. In this architecture the clients establish an SSL connection with the ISA server, the ISA server decrypts and inspects the traffic, then the ISA server forwards acceptable traffic to the TS Gateway. The connection between the ISA server and the TS Gateway can run over HTTP; for greater security implement SSL between these servers too.

To implement SSL bridging, export the SSL certificate from the TS Gateway server, copy it to the ISA server, then install the certificate on the ISA server. Create a web publishing rule on the ISA server to enable access to the TS Gateway server. When creating the web publishing rule you can specify whether to use HTTPS-HTTP bridging or HTTPS-HTTPS bridging. Exporting and importing the certificate is a little complicated; to do so perform the following:

1. On the TS Gateway server, open the Microsoft Management Console by clicking Start and then entering mmc.
2. You must manually add the Certificates snap-in: click File, then click Add/Remove Snap-in.
3. Select Certificates and click Add.
4. Specify Computer account and click Next.
5. Select the local computer and click Finish.
6. In the navigation tree, expand Certificates (Local Computer), expand Personal, then click Certificates.
7. Right-click the TS Gateway certificate, select All Tasks, and click Export. If you are unsure which certificate to export, view their properties to determine which meets the TS Gateway requirements.
8. Complete the wizard to export the certificate.
9. Copy the certificate to the ISA server.
10. On the ISA server, repeat steps 1 through 6.
11. Right-click on Personal, select All Tasks, and click Import.
12. Use the wizard to specify the copied file; when prompted to specify the certificate store select Automatically select the certificate store based on the type of certificate.
13. Finish the wizard to complete the importation process.

Tip: remember that the default file extension for certificates is .cer, but if the private key is also exported the default extension is .pfx instead.

Configure Terminal Services Load Balancing

TS Session Broker provides load balancing for TS servers, that is, clients are evenly distributed across the farm of servers to minimize the risk of any becoming overloaded. It maintains session state data including which user is associated with each session ID and the name of the server servicing the session. This means that users can automatically be reconnected to their existing TS session should their connection terminate unexpectedly. The architecture is straightforward: some load balancing method implemented independently of TS, two or more TS servers, and the TS Session Broker server. Round Robin DNS is the simplest load balancing method: the DNS record that points to the TS server farm has a list of addresses, one for each server in the farm. The DNS server responds to queries by cycling through the addresses sequentially. After the client retrieves the address from the DNS server it establishes a connection to the initial TS server. The initial TS server queries the TS Session Broker server to determine which TS server the client will use. The initial server then redirects the client to use the assigned server. The client then establishes a full TS session to the assigned server and that server informs the TS Session Broker of its new client connection. This concept is illustrated in figure 5.

Figure 5: Using Round Robin DNS with TS Session Broker.

When using DNS round robin to distribute connections you must configure DNS records for each server in the farm. However, any load balancing method can be used, including the Network Load Balancing Service (NLBS) available with Windows Server 2008. For information about NLBS see Deploying Servers. Microsoft published a detailed guide for load balancing terminal services with NLBS called Network Load Balancing Step-by-Step Guide: Configuring Network Load Balancing with Terminal Services. The process of installing and configuring the TS server farm and the TS Session Broker is as follows:

1. Install and configure the TS server role, desired role services, and user applications on each TS server in the farm.
2. Install the TS Session Broker role service on another server.
3. On the TS Session Broker server, add each TS server in the farm to the local Session Directory Computers group.

    a. Open Computer Management, expand System Tools in the navigation tree, then expand Local Users and Groups, and select the Groups folder.
    b. Double-click the Session Directory Computers group in the details pane.
    c. Click Add, then click Object Types, enable the Computers checkbox and click OK, as shown in figure 6.
    d.

Figure 6: Enabling the Selection of Computer Accounts.

4. Configure each TS server in the farm using Terminal Services Configuration:

    a. Double-click Member of farm in TS Session Broker and select the TS Session Broker tab.
    b. Specify the name or IP address of the TS Session Broker server under TS Session Broker server name or IP address.
    c. Specify the name of the farm under Farm name in TS Session Broker.
    d. Enable Participate in Session Broker Load-Balancing.
    e. Adjust weight if desired by changing the value of Relative weight of this server in the farm.
    f. Specify the IP address to be used for reconnection and click OK, as shown in figure 7.

Figure 7: Configuring TS Session Broker Settings.

Most TS Session Broker settings can be configured through group policy at the following location: Computer Configuration\Administrative Templates\Windows Components\Terminal Services\TS Session Broker. Group policy can simplify configuring multiple TS Session Broker servers with identical settings. The two settings that cannot be configured via group policy are the IP addresses to be used for reconnection and the relative weight of each server. For more information about using group policy see Creating and Maintaining Active Directory Objects.

Does Microsoft Innovate?

Some pundits sharply criticize Microsoft for not innovating but rather growing its technology portfolio through acquisitions and copying other firms' ideas. In my personal opinion, while it is true that many Microsoft technologies became Microsoft's after the company purchased the firm or licensed one of their products, the company is hardly unique in this regard. It is also true that when another company opens a new market sometimes Microsoft will begin to compete aggressively with them a year or two later, but again, numerous companies do this. I think the Terminal Services technology is an interesting case that brings together several examples relating to these accusations.

Formed in 1989, Citrix Systems licensed source code for Windows NT 3.51 in 1992, upon which they built WinFrame. Released in 1995, WinFrame was their most successful product thus far. The firm was struggling to survive when Microsoft invested significantly in the company and licensed the technology that became Windows NT 4.0 Terminal Server Edition, which was released in 1997. Microsoft purchased another company, T.share, for the RDP used for communication between TS servers and clients. Citrix has done quite well over the past 20 years by continuing to maintain a mutually beneficial relationship with Microsoft. Citrix retained the right to extend upon Microsoft's TS-based products.

So far you see examples of Microsoft not developing their own technology from the ground up, but the story is far from complete. Microsoft went on to improve the core technology and build many other solutions based upon it. Since acquiring the technology Microsoft has added load balancing, RemoteApp applications, TS Gateway, and sophisticated device redirection. Microsoft has also created whole new solutions based on TS such as Remote Assistance, where users share their desktop with another remote user who can help resolve problems. The switch user capability in Windows XP, Windows Vista, and Windows Server 2008 is another TS-based feature. Windows Meeting Space is also based on TS.

Configure Terminal Services Licensing

The purpose of the TS Licensing role service is to help track client access licenses (CALs). It ensures that your organization does not violate its purchase agreements by having more clients connect to the TS servers than the number of licenses purchased. When a client connects, the TS server checks to see if a CAL is required; if one is needed the TS server will request it from the TS Licensing server. If one is available the license server will issue it. Two simultaneous Remote Desktop sessions are allowed for remote administration without requiring CALs or a license server. CALs can be tracked by either user or machine. There is also a 120-day grace period that allows unlimited client connectivity without requiring activation of the license server or installation of CALs.

Before the license server will begin issuing licenses you must activate it. Open TS Licensing Manager, right-click on the server in the navigation tree, and select Activate Server to launch the Activate Server Wizard. The wizard provides three activation methods. The simplest is Automatic connection; the license server requires ongoing Internet connectivity to use this method. The Web Browser method allows you to activate from another computer that has Internet connectivity; the license server does not require such connectivity in this case. The telephone method allows you to activate by contacting a Microsoft customer service representative. Once activated you can install CALs, but you must validate them using one of these three methods. To install CALs right-click on the TS Licensing server in the navigation pane, select Install Licenses, and complete the wizard.

You configure the licensing mode on each TS server using Terminal Services Configuration. To do so double-click on Terminal Services licensing mode in the details pane and then select Per Device or Per User. You can also specify a license server for the TS server to use, or allow it to automatically discover a license server, as shown in figure 8. If these choices are dimmed it's because they have been configured via group policy. Note that per user CAL tracking is only supported when the servers and users are members of an Active Directory domain. Also, the license server must be a member of the Terminal Server License Servers group in Active Directory; it should have been added to the group automatically during installation of the role service.

Figure 8: Configuring Licensing for Terminal Services.

You can use the Licensing Diagnosis tool to troubleshoot licensing issues. To launch the tool open Terminal Services Configuration and click on Licensing Diagnosis in the navigation tree. Information about the server's configuration and license status will appear in the details pane. Consider my test server for example; as you can see in figure 9 I face two problems: the license server is not activated and no CALs are available.

Figure 9: Diagnosing Licensing Issues.

Each CAL is valid for between 52 and 89 days; the number of days is determined randomly when the CAL is issued. When a CAL is due to expire in 7 days the TS server will attempt to renew it, again, for between 52 and 89 days. If it cannot connect to the license server it will attempt to renew the CAL each time the client logs on. When a CAL expires it is returned to the pool of available licenses. This helps the license server to automatically recover Per Device CALs that are lost when the device is no longer in use or when its operating system is reinstalled. If the license server itself is lost then you should try to recover it using the most recent backup. If no backup is available then you must reinstall the server, reactivate it, and contact the license clearinghouse to have them issue replacement CALs.

Configure and Monitor Terminal Services Resources

You may want to limit how much memory or CPU time a particular application can consume on any server that needs to support many users who access several different applications. This is particularly important on TS servers sustaining large numbers of simultaneous user sessions; a single user who consumes a large portion of system resources will negatively impact all of the other users. There is a powerful tool for controlling resource usage in Windows Server 2008: Windows System Resource Manager (WSRM). As noted in Maintaining the Active Directory Environment, Windows System Resource Manager is an optional feature of Windows Server 2008. Take a quick look at the Using Windows System Resource Manager section in that chapter to install the tool on the TS server in your practice lab. WSRM uses resource allocation policies to control the use of computer resources. WSRM includes two policies designed for Terminal Services.

  • Equal_Per_User: Processes are clustered by user; each cluster has access to the same proportion of system resources regardless of how many applications are running.

  • Equal_Per_Session: Processes are clustered by TS sessions; each session has access to the same proportion of system resources.

To implement the Equal_Per_Session resource allocation policy do the following:

1. Open Windows System Resource Manager from the Administrative Tools folder and specify This Computer when prompted to connect to a computer.
2. Expand the Resource Allocation Policies node in the navigation tree.
3. Right-click Equal_Per_Session and click Set as Managing Policy.
4. If a confirmation dialog box appears click OK.

After configuring WSRM policies you should observe performance of the TS server to verify that the impact is positive. Click on the Resource Monitor node in the navigation tree to get started. Click the Add Counters button (the green plus symbol) and select the Terminal Services Session counters from the list of available counters, click Add, then click OK, as shown in figure 10. These include dozens of counters; you can hide some from the graph by deselecting their checkbox under the Show column. Other performance counters that will help you assess the performance impact of the resource allocation policy from a higher level are those related to processor and memory utilization. You can review the Using Reliability and Performance Monitor section in Maintaining the Active Directory Environment to refresh your memory on how to use performance counters.

Figure 10: Adding Terminal Services Session Performance Counters.

Configure Terminal Services Client Connections

There are many client configuration settings available; broadly speaking, they are managed in three different locations. Most client settings can be configured on the client computers. Most client settings can also be managed in Active Directory using group policy; a few additional settings can be configured on the user account objects. Some settings can be managed on the TS servers.

Configuring Client Settings on the Client

There are three ways for clients to connect to TS servers. Remote Desktop Connection (RDC) is the primary way. There are several methods for invoking RDC including clicking the shortcut from the Start menu, double-clicking a customized .RDP file, or entering mstsc.exe at a command prompt. You can also connect using the ActiveX-based client as discussed earlier in the chapter. The third way is to use the Remote Desktops MMC snap-in. This snap-in is included with Windows Server 2008; you can install it on Windows Vista by downloading and installing the Microsoft Remote Server Administration Tools for Windows Vista. This snap-in is designed for administrators who have to connect to numerous servers using the RDC but don't want to clutter their desktop with shortcuts for each. You right-click on the Remote Desktops node in the navigation tree and select Add new connection to add a server to the list of servers in the navigation tree. You right-click on any of the servers and select Connect to open a TS session in the right-hand pane, as shown in figure 11.

Figure 11: Using the Remote Desktops Snap-In.

After creating a connection in Remote Desktops you can right-click on it and select Properties to customize it. There are three tabs for saving logon credentials, specifying the desktop size, configuring drive redirection and making a few other changes. There are additional customization options available when you use RDC; click Options to see the tabs that grant access to all of them, as shown in figure 12.

Figure 12: Customizing the Remote Desktop Connection.

You can improve performance by reducing the screen size and lowering the color depth on the Display tab. You can further optimize performance by disabling the graphical features available on the Experience tab. The Local Resources tab is where you configure whether to bring sound from the remote computer to the client, how to handle Windows key combinations, and what local resources on the client to make available on the server. This last option is particularly important because it has security implications. If you connect to a server under the control of someone who wants to do you harm and you choose to make your local disk drives available on the remote server, that malicious person may be able to figure out how to access files on your local computer without your permission. It would be a complicated attack, so it's not an issue in most situations; however, it may be a feature you wish to disable in high-security environments. The Programs tab is where you configure the name and working directory for an application to launch after connecting to the TS server. You can configure server authentication and TS Gateway settings on the Advanced tab.

Configuring Client Settings in Active Directory

There are two places to configure client settings in Active Directory. You can modify a couple of settings by editing the properties of each user account object. To do so open Active Directory Users and Computers, navigate to the desired container, right-click on the account you wish to modify and select Properties. You can configure the path to the TS user profile and the TS home folder, as shown in figure 13.

Figure 13: Configuring the Terminal Services Profile for an Account.

Note: you can also configure the profile and home folder paths for local accounts by editing the properties of the account in the Local Users and Groups snap-in.

When managing large numbers of users, group policy is a more convenient way to configure all of these settings. These settings are available in the group policy editor at Computer Configuration\Administrative Templates\Windows Components\Terminal Services. For example, below this location, navigate to Terminal Server\Device and Resource Redirection to disable drive redirection and to manage other related settings. Note well that some of the settings are server options while others are client options; read their descriptions carefully to ensure that you understand which settings apply to clients. User-specific settings for Terminal Services can be found at User Configuration\Administrative Templates\Windows Components\Terminal Services.

Configuring Client Settings on the Server

To configure client settings on the TS server open Terminal Services Configuration, right-click on RDP-tcp below Connections in the details pane, select Properties, and click the Client Settings tab, as shown in figure 14. You can configure device redirection and color depth; however, these settings are enforced on the client. Although they normally take precedence over the settings configured on the client, a determined user with administrative privileges may be able to bypass them. Of course, only the members of the information technology staff who actually need administrative privileges have them, right? Right?

Figure 14: Configuring Client Settings on the TS Server.
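Because redirection is ultimately honored on the client, one practical check is to review the .rdp files you distribute before users open them. The following is an added example, not code from the chapter: it parses .rdp content and reports the local resource and server authentication settings discussed above. The function names, sample file content and host names are constructed for illustration.

```powershell
# Added example (not from the chapter): review .rdp files for the redirection and
# server authentication settings discussed above before distributing them.

function ConvertFrom-RdpFile {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Each setting is one line of the form name:type:value (i = integer, s = string, b = binary).
    $settings = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:]+):([isb]):(.*)$') {
            $name   = $Matches[1].Trim().ToLowerInvariant()
            $type   = $Matches[2]
            $value  = $Matches[3].Trim()
            $number = 0
            if ($type -eq 'i' -and [int]::TryParse($value, [ref]$number)) { $value = $number }
            $settings[$name] = $value
        }
    }
    return $settings
}

function Test-RdpFileSettings {
    param([Parameter(Mandatory)][hashtable]$Settings)
    # Only settings present in the file are evaluated; anything absent falls back
    # to the client's own defaults, which this check does not inspect.
    $findings = @()

    # String settings: a non-empty value names local resources exposed to the server.
    $stringChecks = [ordered]@{
        'drivestoredirect'  = 'Local disk drives are made available on the remote server'
        'devicestoredirect' = 'Plug and Play devices are redirected to the remote server'
    }
    foreach ($name in $stringChecks.Keys) {
        if ($Settings.ContainsKey($name) -and "$($Settings[$name])" -ne '') {
            $findings += "$($stringChecks[$name]): '$($Settings[$name])'"
        }
    }

    # Integer switches: 1 enables the redirection.
    $flagChecks = [ordered]@{
        'redirectclipboard' = 'Clipboard is shared with the remote server'
        'redirectprinters'  = 'Local printers are redirected'
        'redirectcomports'  = 'Local serial ports are redirected'
    }
    foreach ($name in $flagChecks.Keys) {
        if ($Settings[$name] -eq 1) { $findings += $flagChecks[$name] }
    }

    # authentication level 0 connects even when the server's identity cannot be verified.
    if ($Settings['authentication level'] -eq 0) {
        $findings += 'Server authentication failures are ignored (authentication level 0)'
    }
    # enablecredsspsupport 0 turns off CredSSP, which Network Level Authentication needs.
    if ($Settings['enablecredsspsupport'] -eq 0) {
        $findings += 'CredSSP is disabled, so Network Level Authentication cannot be used'
    }
    return $findings
}

# Constructed sample .rdp content for a RemoteApp shortcut (host names are placeholders).
$sampleRdp = @'
full address:s:ts01.corp.example.test
remoteapplicationmode:i:1
remoteapplicationprogram:s:||calc
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
authentication level:i:0
gatewayhostname:s:tsgw.corp.example.test
'@ -split '\r?\n'

Test-RdpFileSettings -Settings (ConvertFrom-RdpFile -Lines $sampleRdp)

# To review a real file (the file name is a placeholder):
# Test-RdpFileSettings -Settings (ConvertFrom-RdpFile -Lines (Get-Content -Path .\Calculator.rdp))
```

For the sample, the report lists the drive redirection, the shared clipboard and the ignored server authentication failures; the disabled printer redirection is not reported.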

Important: When users connect to a default installation of a server via Terminal Services some aspects of the desktop and applications available will look different. To ensure a smoother experience for end users install the Desktop Experience feature using Server Manager. This will install applications and features they will be familiar with from Windows Vista such as Windows Media Player and Windows Calendar.

Configure Terminal Services Server Options

To configure TS server settings open Terminal Services Configuration, right-click on RDP-tcp below Connections in the details pane, and select Properties. You configure encryption and authentication on the General tab; the most secure values are to use SSL (TLS 1.0) for the security layer with an encryption level of FIPS Compliant and Network Level Authentication enabled, as shown in figure 15. However, using these values will cause problems with older versions of RDC.

Figure 15: Configuring Terminal Services Encryption.
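The same three General tab settings can be checked from a script, which helps when many TS servers have to be compared. This is an added example, not code from the chapter: it assumes the registry locations where Windows stores the RDP-Tcp listener values and their group policy overrides, and the sample values are constructed.

```powershell
# Added example (not from the chapter): compare the RDP-Tcp listener's security
# settings with the values the chapter calls most secure.

$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Registry value name, the value the chapter recommends, and what each number means.
$Expected = [ordered]@{
    SecurityLayer      = @{ Want = 2; Names = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' } }
    MinEncryptionLevel = @{ Want = 4; Names = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' } }
    UserAuthentication = @{ Want = 1; Names = @{ 0 = 'NLA not required'; 1 = 'NLA required' } }
}

function Read-KeyValues {
    # Reads the named DWORD values from one registry key into a hashtable.
    param([string]$Path, [string[]]$Names)
    $out  = @{}
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($n in $Names) {
            if ($null -ne $item.$n) { $out[$n] = [int]$item.$n }
        }
    }
    return $out
}

function Test-RdpListenerSecurity {
    param([Parameter(Mandatory)][hashtable]$Listener, [hashtable]$Policy = @{})
    foreach ($name in $Expected.Keys) {
        # A value set through group policy overrides the one stored on the listener.
        $source = 'listener'
        $value  = $Listener[$name]
        if ($Policy.ContainsKey($name)) { $source = 'group policy'; $value = $Policy[$name] }

        $spec  = $Expected[$name]
        $label = if ($null -eq $value) { 'not set' }
                 elseif ($spec.Names.ContainsKey([int]$value)) { $spec.Names[[int]$value] }
                 else { "unknown ($value)" }

        [pscustomobject]@{
            Setting        = $name
            Source         = $source
            Value          = $value
            Meaning        = $label
            MatchesChapter = ($null -ne $value -and [int]$value -eq $spec.Want)
        }
    }
}

# Constructed sample: listener values plus one group policy override.
$sampleListener = @{ SecurityLayer = 1; MinEncryptionLevel = 2; UserAuthentication = 0 }
$samplePolicy   = @{ UserAuthentication = 1 }
Test-RdpListenerSecurity -Listener $sampleListener -Policy $samplePolicy | Format-Table -AutoSize

# On a TS server, read the live values instead:
# $names = @($Expected.Keys)
# Test-RdpListenerSecurity -Listener (Read-KeyValues $ListenerKey $names) -Policy (Read-KeyValues $PolicyKey $names)
```

In the sample only UserAuthentication matches, and it does so through the policy override; a row that does not match is not necessarily a misconfiguration, since the strictest values cause problems with older versions of RDC.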

Use the Logon Settings tab to have all incoming connections log on with the same account; however, use this setting with caution as it increases the risk of an unauthorized person accessing the server. You can configure session limits on the Sessions tab so that disconnected, idle, or active sessions are terminated after the specified time. This can help ensure that memory is not wasted on sessions that are not being used. The Environment tab is used to specify a program to be launched automatically for each user when they connect. You can configure whether remote control is allowed, and if so whether the user must grant permission, on the Remote Control tab. Remote control is very useful when troubleshooting or training users; however, a malicious administrator could use this feature to surreptitiously observe another employee working with sensitive data. This concern should be low on your list of priorities though; if you give administrative privileges to people who are not trustworthy then you have much bigger problems to worry about than TS remote control. You can define which network adapters will listen for RDP connection requests and limit the number of simultaneous connections on the Network Adapter tab. There are two ways to specify which users are able to log in to the TS server via RDP: by configuring the groups and accounts on the Security tab of this dialog box, as shown in figure 16, or by adjusting membership in the Remote Desktop Users group. The second method is the preferred one because it is simpler and less likely to lead to misconfiguration.

Figure 16: Viewing RDP Permissions.

When managing large numbers of servers, group policy is a more convenient way to configure these settings. You can find them in the group policy editor at Computer Configuration\Administrative Templates\Windows Components\Terminal Services. Remember that some of the settings are server options while others are client options; read their descriptions carefully to ensure that you understand which settings apply to servers.

Managing Active Sessions

To view and manage active sessions open Terminal Services Manager. Right-click on the Terminal Services Manager node in the navigation tree to add more servers to the management list and to organize them into custom groups. Select a server in the navigation tree to view the active sessions. There are three tabs in the details pane; make sure the Users tab is selected. You can right-click on a session to disconnect it, take remote control, reset it, send the user a popup message, and force the user to log off. Click the Sessions tab to see the list of sessions and their current status; right-click on any to perform the same tasks noted for users. The Processes tab displays all of the running processes on the TS server including which account was used to execute each one. It is similar to Task Manager, but you can also view processes on remote terminal servers. Right-click on a process and select End Process to forcibly terminate it.

Summary

In my opinion, Terminal Services is one of the best features in Windows Server 2008. It is awesome for managing remote servers, especially for systems administrators who are not comfortable using the command prompt and writing scripts. It's also a great way to centralize management of end user applications. Regarding exam preparation, this technology makes up a considerable proportion of the content and it's important that you have a solid understanding of how to implement, manage, and troubleshoot it.

Chapter Review

This section presents a list of review questions designed to help reinforce the knowledge presented earlier in the chapter. To persuade you to explore the management tools more deeply, a few questions may require you to examine those tools further rather than rereading the chapter.

Questions

    1. Users complain that the RDC window takes up too much space on their Windows desktop. They only need to access a couple of programs on the TS server, but the Start menu and other user interface elements of Terminal Services and the RDC waste valuable real estate. What should you do to help the users?

        a. Tell the users to run RDC in full screen mode.
        b. Tell the users to reduce the screen resolution within their RDC session.
        c. Install an additional monitor for each user's computer so that they can move the RDC window to its own monitor.
        d. Deploy TS RemoteApp for each application.

    2. Which Terminal Services role service makes it possible to distribute incoming connection requests across several TS servers?

        a. TS Web Access.
        b. TS Gateway.
        c. Terminal Server.
        d. TS Session Broker.
        e. Network Load Balancing.

    3. If a licensing mode and license server have not been specified, how many connections does TS allow?

        a. 0
        b. 1
        c. 2
        d. 3
        e. Unlimited.

    4. You deploy a server with both the Terminal Services and TS Web Access role services. You create several RemoteApp programs on the server and configure them to be shown in TS Web Access. You want remote users to be able to access the applications without having to establish a dedicated VPN connection, so you create an access rule on the perimeter firewall allowing TCP ports 80 and 443 to the server. Which two of the following answers will allow the remote users to access the RemoteApp programs? (choose 2)

        a. Create another access rule on the firewall that allows TCP port 3389 to the server.
        b. Install the TS Gateway role on the server and configure appropriate access policies.
        c. Install the TS Session Broker role.
        d. Deploy two additional servers with the Terminal Services server role, configure them identically to the first server, and configure round robin DNS to distribute incoming access requests across all three servers.

    5. You deploy a farm of TS servers and a TS Session Broker server. Everything works great; now you want to enable access for remote users with the minimum investment of additional resources. The remote users will need to access the TS servers from just about any location imaginable that has Internet connectivity. What steps remain? (choose 2)

        a. Install an Internet Security and Acceleration (ISA) server.
        b. Create rules for TCP port 3389 that allow incoming traffic to access the farm of TS servers.
        c. Install TS Gateway on a server.
        d. Configure appropriate TS Resource Authorization Policies (TS RAP) and TS Connection Authorization Policies (TS CAP).
        e. Create a publishing rule for Terminal Services that points to the farm of TS servers.

    6. You install Terminal Services and configure it to allow access for domain users who are on the internal network. Windows Vista clients are able to establish connections and log on to the Windows desktop using RDC but Windows XP clients are unable to. What should you do to resolve this quickly?

        a. Configure the TS server so that it will allow connections from computers that do not support Network Level Authentication.
        b. Upgrade the Windows XP computers to Windows Vista.
        c. Install Service Pack 3 on the Windows XP computers.
        d. Install the latest version of RDC on the Windows XP clients.

    7. You deploy a TS server farm with a TS Session Broker Server and Windows Network Load Balancing. You deploy a TS Gateway server that points to the server farm and configure appropriate address records on the internal and external DNS servers. Users are able to access the TS server farm from the corporate network; however, they are unable to do so when working remotely. What are the most likely reasons for the problem? (pick 2)

        a. The Windows Firewall with Advanced Security on the TS servers has not been configured to allow RDP traffic from the TS Gateway server.
        b. The perimeter firewall has not been configured to allow inbound HTTP traffic to reach the TS Gateway server.
        c. The TS RAP and TS CAP policies have not been configured.
        d. The users are not members of the Remote Desktop Users group on the TS servers.
        e. The Windows Firewall with Advanced Security on the TS servers has not been configured to allow RDP traffic from the remote users.

    8. You deploy and configure 4 TS servers in a farm with a TS Session Broker Server. You install and configure Windows Network Load Balancing as the load balancing method. After several weeks you realize that one server is taking about 70% of the connections and is always running low on system resources while the other three servers have about 10% each and have a great deal of CPU power and system memory to spare. What should you do to ensure all four servers are being used efficiently?

        a. Install additional memory and processors in the busiest server.
        b. Install additional TS servers in the farm until the busiest server is no longer overwhelmed.
        c. Instruct the users to connect directly to the three less busy servers by specifying their addresses rather than the address shared by the farm.
        d. Check the relative weight configuration of each server in the farm to ensure that they are set appropriately.

    9. What are the 3 ways to activate TS Licensing servers? (choose 3)

        a. Over the Internet from the licensing server.
        b. By telephone.
        c. By mail.
        d. By telegraph.
        e. Over the Internet from another computer.
        f. By purchasing client access licenses from your authorized reseller.

    10. You have configured your TS servers to use per-user licensing. What should you do to recover CALs from users who have left the organization?

        a. You cannot; you must purchase additional CALs.
        b. Do nothing.
        c. Open TS Licensing Manager on the server running the TS Licensing server role, right-click on the server in the navigation tree and select Recover Expired Licenses.
        d. Open Terminal Services Configuration on each TS server, right-click on RDP-Tcp in the details pane, select Properties, and click Release Expired Licenses.

    11. What is required to enable the remote control feature of Terminal Services?

        a. The feature must be enabled on each user's RDC client.
        b. The feature must be enabled on the TS server.
        c. A valid SSL certificate must be installed on the TS server.
        d. The feature is no longer available in Windows Server 2008.
        e. Download and deploy the advanced RDC client.

    12. What are valid methods to control which users are able to access Terminal Services? (choose 2)

        a. Configure membership in the local Remote Desktop Users group.
        b. Configure membership in the domain Remote Desktop Users global group.
        c. Modify permissions on the RDP-Tcp connection for each TS server using Terminal Services Configuration.
        d. Configure policies using Windows System Resource Manager.
        e. Only install CALs on the client computers that you want to be able to access Terminal Services.

    Answers

    1. D is correct. TS RemoteApp was created specifically to help with this situation and to make using TS less complex for users. Neither A nor B adequately resolves the problem, and while C may be the most appealing to the users it's also more expensive.

    2. D is correct, although NLBS could be used as the load balancing method in conjunction with TS Session Broker.

    3. C is correct, TS allows two connections for remote administration.

    4. A and B are correct, allowing port 80 means that HTTP traffic can transit the firewall but the RDP traffic requires TCP port 3389. You could either open that port or use the TS Gateway server role to encapsulate the RDP traffic in HTTPS, which requires TCP port 443 by default.

    5. C and D are correct, deploying TS Gateway would be less expensive than deploying ISA Server or a full VPN, and TS Gateway is able to traverse a wide range of networks including those that use network address translation (NAT) and proxy servers. TS Gateway requires TS RAP and TS CAP policies to specify what inbound connections are allowed and what resources can be accessed.

    6. A is correct, Windows XP does not support Network Level Authentication even with SP3 and the latest RDC client. Users connecting from computers running Windows XP will see the following error message: "The remote computer requires Network Level Authentication, which your computer does not support. For assistance contact your system administrator or technical support." Answer B would resolve the issue but it's more time consuming and the question asked for a quick resolution.

    7. B and C are correct, they are the most likely cause of such issues. It's possible that the Windows Firewall on the TS servers is blocking traffic from the TS Gateway, but unlikely since by default such traffic is allowed, therefore A is wrong. D is incorrect because the group membership is clearly not the issue since users can connect from the corporate network. E is wrong because the remote users connect through the TS Gateway, they do not connect directly to the TS servers.

    8. D is correct, it appears that someone configured the relative weight of the busy server with a value 10 times greater than the others. Since the default value for relative weight is 100 it's probable that the busy server was set to 1000.

    9. A, B, and E are correct, apologies for my sad attempt at humor in answer D.

    10. B is correct, each CAL is granted a random period of validity from 52 to 89 days. When a user connects with a license that is within 7 days of expiration the TS server will attempt to renew it. A CAL will automatically expire and be returned to the CAL pool if the system or user to which it is assigned stops using it.

    11. B is correct, remote control can be enabled on each server by configuring the properties for the RDP-Tcp connection in Terminal Services Configuration or via Group Policy.

    12. A and C are correct. B is wrong because there is no such domain group; D and E are incorrect because, well, neither procedure is possible.