Windows 2003: What's new in Terminal Services?
Ruben Spruijt - PQR Diensten 1
Upgrading Concerns
Upgrading from Microsoft Windows NT® 4.0 Terminal Server to Windows 2003 Server is blocked.
In Windows NT 4.0 Terminal Server, compatibility scripts modified permissions on the registry, security, folders, etc.
• Some were done on a Windows 2000 server
During an upgrade, the security template applied to an application server does not reset the ACLs.
Best to do a clean installation of the server in Full Security Mode.
New Client User Interface MSTSC
• Experience tab
• Optimize wallpaper, visual styles, etc. for the speed of the network connection
• Full screen connection bar
• No Connection Manager: save connection settings from the client user interface
• /migrate
• Greater color depth and screen resolution: high color (24 bit)
Remote Desktop for Administration
Remote Desktop for Administration is installed automatically
Two concurrent remote connections plus the console session
• mstsc /console
By default, it is toggled off
• System properties in Control Panel
• "Allow users to connect remotely to this computer" on the Remote tab
Does not require licenses
Remote Desktop Connection tool is available for download for earlier versions of Windows: http://www.microsoft.com/windowsxp/remotedesktop/
Remote Desktop Snap-in
Used for network administration
• Multiple computers in one window
• Connect to console
• Local Group Policies and Default.rdp settings affect connection settings
Help Desk users - Remote Assistance
Installing Terminal Services for Application Hosting
Installed using Add/Remove Programs
Previously installed applications must be reinstalled for multisession access
All members of the local Users group are copied into the Remote Desktop Users group
Security mode for the Terminal Server connections
• Windows 2000/Windows 2003 Server permissions mode (full security)
• Windows NT 4.0/Terminal Server Edition permissions compatibility mode (relaxed security)
Unattended installation (answer file sections):
[Components]
TerminalServer = On
[TerminalServices]
LicensingMode = PerDevice
Terminal Server Advertising
Windows 2003 - Only Terminal Servers in Application Server mode
Windows 2000 - All servers with Terminal Services installed
To prevent a Terminal Services-based computer from advertising, set the following registry value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server
REG_DWORD value: TSAdvertise
• 0 disables and 1 enables advertising
The Remote Desktop Users Group
Remote logon permissions
• Use TSCC.msc to give users or groups the appropriate rights
• By default, the Remote Desktop Users local group is empty
Restricted groups
• Add remote desktop users to the restricted groups
• Security templates MMC snap-in
Security features
• Per network adapter connection permissions
• Custom rights assignment
• Remote interactive right
• May be administered using Security Policy Editor
Redirection Features
Enabled by using virtual channels
• Local Drive
• Audio
• Time
• Smart Card
• Port (LPT/COM)
• Printer
Virtual Channels
Virtual channel permissions
Permissions to use capabilities introduced through virtual channels can be set in the Terminal Server Client Configuration tool
Setting virtual channel permissions:
• TSCC.MSC snap-in - RDP properties
• On the Permissions tab, click Advanced
• Select the group or account and then View/Edit
• Allow or deny Virtual Channels
The Virtual Channels permission affects all redirection
Local Drive Redirection
Local file system available to the Remote Desktop session
Local drives appear in My Computer
• <driveletter> on tsclient
• From the command line or Run line: \\tsclient\<driveletter>
Disable per server
• Terminal Services Group Policies
• Terminal Services Configuration
Disable on an individual client
• On the Local Resources tab, click Local devices, and then click to select the "Disk drives" check box
• Group Policies will override this selection
Client must be Windows XP or Windows .NET
Audio Redirection
Possible settings:
• Bring to this computer
• Do not play
• Leave at the remote computer
.mid and .midi files are not transferable with audio redirection
The following must apply:
• Both the Terminal Server and the client have a sound card
• The client is set to "Bring to this computer"
• TSCC.msc allows audio mapping
Advantages of Audio Redirection
Audio mixing
• If there are multiple applications, the resulting stream is an audio mix of the different streams
Minimized performance impact of the audio stream input/output (I/O) on the RDP session
• Renegotiates sound stream quality if network bandwidth changes
• No user interaction
• Best to disable sound redirection on a very slow network
Time Zone Redirection
Allow Time Zone Redirection Group Policy setting
• Terminal Services uses the server base time on the Terminal Server and the client time zone information to calculate the time in the session
• Session time = server base time + client time zone
• Client time zone must be set correctly
Client version support:
• Windows XP client
• Windows .NET Server client
• Windows CE 4.0
Using Smart Cards with Terminal Server
Require strong credentials
Must have Microsoft Active Directory® deployed
Client computers must be running a Microsoft client operating system with built-in Smart Card support
• Windows XP or Windows 2000
• Most devices are running Windows CE .NET 4
• Smart card readers on the client computers
• Uses trusted X.509v3 certificates that are stored on a smart card
Ease of deployment
Port Redirection
LPT and COM port redirection
• Bar code readers or scanners
• USB redirection is only possible with installed local printers
By default, no FireWire or IEEE 1394 ports are redirected
However, FireWire port redirection can be enabled on clients by enabling all ports to be redirected
• Registry on the client computer: HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\AddIns\RDPDR
• New DWORD value FilterQueueType, data FFFFFFFF
For more information about filtering port redirection, see KB article 302361, "Multifunction Printers That Use DOT4 Ports Are Not Redirected By Using Remote Desktop": http://support.microsoft.com/default.aspx?scid=kb;en-us;302361
COM Port Redirection
Win32® COMM APIs open communication ports with CreateFile against the COM port
CreateFile automatically maps from the application session's DOS device namespace to the correct client-side device
No adjusting server-side code has to be written
Printer Redirection
Redirected printers appear in the Printers folder in the following format:
• <client printer name> on <server name> (from client computer name) in Session <number>
Local port redirection
Network printers redirected
Managing Printers
Enabled by default
Group Policies
• Computer Configuration\Windows Components\Terminal Services\Client/Server data redirection
Individual remote desktop connection
• Local Resources tab
Terminal Services Configuration
• Client Settings tab
Allowing/disallowing virtual channels
Bidirectional printing is not supported
Printer Data Stored on the Client
Client disconnects
• The printer queue is deleted from the server
• Incomplete or pending print jobs are lost
Configuration data for those printers, however, is stored in the client's registry:
• Automatic - HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\AddIns\RDPDR.SYS\<printer queue name>\AutoPrinterCacheData
• Manual - HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\AddIns\RDPDR.SYS\<printer queue name>\PrinterCacheData
Retains the same settings across different terminal servers
Driver String Mapping for Printer Queues
The Terminal Server has only the 2003 version of the driver
When there is no matching driver on the server end:
• Event ID 1111: Driver drivername required for printer printertype is unknown.
• Event ID 1105: Printer security information for the printername/clientcomputername/Session number could not be set.
• Event ID 1106: The printer could not be installed.
Install a driver on the server that matches the print queue attached to the client machine
The client-side and the server-side driver names must match
• Client-side driver shipped post 2003 – new OEM driver
• OEM supplied driver
• Can create a custom .inf file (Ntprint.inf)
See KB article 239088, "Windows 2000 Terminal Services Server Logs Events 1111, 1105, and 1106"
Automatic Reconnection
RDP layers over TCP
Re-authenticates with the auto-reconnection cookie, not user credentials
Enable automatic reconnection
• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
DWORD value: fDisableAutoReconnect
1 = on, 0 = off
• Default.rdp file: autoreconnection enabled:i:1
1 = enabled
0 = disabled
The auto-reconnection cookie is flushed and regenerated any time the user logs in
New cookie at hourly intervals
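As an added example that is not the deck's own code, a PowerShell script that parses a client's Default.rdp (the file the setting above lives in) and reports which local resources the saved connection redirects into the session, covering the per-client choices on the Local Drive Redirection and Audio Redirection slides, and then reads the client-side FilterQueueType value from the Port Redirection slide. Assumed: only "autoreconnection enabled" is quoted in the deck; the redirect* and audiomode keys are standard mstsc .rdp settings, and the sample file content is constructed.

```powershell
# Added example, not from the deck. Parses a Default.rdp and reports what the saved
# connection redirects into the remote session, then reads the client-side FilterQueueType
# value described on the Port Redirection slide. Assumption: besides "autoreconnection
# enabled" (quoted in the deck), the redirect*/audiomode keys are standard mstsc keys.

function Read-RdpFile {
    param([string[]]$Lines)
    $settings = @{}
    foreach ($line in $Lines) {
        $parts = $line -split ':', 3        # name : type (i=int, s=string) : value (value may contain ':')
        if ($parts.Count -lt 3) { continue }
        $name = $parts[0].Trim().ToLower()
        if ($parts[1] -eq 'i') { $settings[$name] = [int]$parts[2] } else { $settings[$name] = $parts[2] }
    }
    return $settings
}

function Get-RdpExposure {
    param([hashtable]$S)
    $audioModes = @{ 0 = 'Bring to this computer'; 1 = 'Leave at the remote computer'; 2 = 'Do not play' }
    $checks = @(
        @('redirectdrives',           'Local drives visible as \\tsclient\<driveletter> in the session'),
        @('redirectprinters',         'Client printers created on the server for the session'),
        @('redirectcomports',         'COM/LPT ports (bar code readers, scanners) reachable from the session'),
        @('redirectsmartcards',       'Smart card reader available to the session'),
        @('autoreconnection enabled', 'Automatic reconnection with the hourly cookie, no credential prompt')
    )
    foreach ($c in $checks) {
        $on = $S.ContainsKey($c[0]) -and ($S[$c[0]] -eq 1)
        New-Object PSObject -Property @{ Setting = $c[0]; Enabled = $on; Meaning = $c[1] }
    }
    $mode = 'not set (client default)'
    if ($S.ContainsKey('audiomode')) { $mode = $audioModes[[int]$S['audiomode']] }
    New-Object PSObject -Property @{ Setting = 'audiomode'; Enabled = ($mode -eq 'Bring to this computer'); Meaning = "Audio: $mode" }
    # The deck notes that Terminal Services Group Policies override these client selections.
}

function Get-PortFilterSetting {
    # Client-side key from the Port Redirection slide; data FFFFFFFF means every port type is redirected
    $key = 'HKCU:\Software\Microsoft\Terminal Server Client\Default\AddIns\RDPDR'
    $item = Get-ItemProperty -Path $key -Name FilterQueueType -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 'FilterQueueType not set: default port filtering in effect' }
    $v = [int64]$item.FilterQueueType -band 0xFFFFFFFF    # REG_DWORD comes back as a signed Int32
    if ($v -eq 0xFFFFFFFF) { return 'FilterQueueType = 0xFFFFFFFF: all ports redirected, including FireWire/IEEE 1394' }
    return ('FilterQueueType = 0x{0:X8}' -f $v)
}

# Constructed sample Default.rdp content (not a real client's file)
$sampleDefaultRdp = @'
screen mode id:i:2
full address:s:ts1.example.local:3389
autoreconnection enabled:i:1
redirectdrives:i:1
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:1
audiomode:i:0
'@ -split "`r?`n"

Get-RdpExposure (Read-RdpFile $sampleDefaultRdp) | Format-Table Setting, Enabled, Meaning -AutoSize
Get-PortFilterSetting
# For a real client: Get-RdpExposure (Read-RdpFile (Get-Content "$env:USERPROFILE\My Documents\Default.rdp"))
```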
Using Group Policy vs. TSCC.msc
Group Policies
• Remote Desktop Users group
• Individual computers: Local Group Policy
• Groups of computers: Terminal Server organizational unit
TSCC.msc snap-in
• RDP connection parameters
• Connection permissions
• Single Terminal Server and its users
• Cannot configure a remote server
Settings that are set only by using TSCC.msc
• Licensing Mode
• Disable Active Desktop
Management – GP and WMI
New Group Policy settings
• Extensive set of policies
• Both computer and user configuration settings
• Control permissions using the Remote Desktop Users group
• "Restricted Groups" in the Security Templates MMC
• Software Restriction Policies
New WMI provider
• Full read/write
• Nearly all Terminal Server settings
• Terminal Server Configuration, APIs, and command lines
• WMIC: command line interface to WMI
• RDAccount; RDPermissions; RDToggle; RDNic
RDToggle to enable/disable TS connections:
wmic /node:"ServerName" /user:"DomainName\administrator" /password:"password" RDToggle where ServerName="ServerName" call SetAllowTSConnections 1
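The same toggle and the provider classes behind those WMIC aliases, driven from PowerShell as an added example that is not the deck's own code: it audits one server's connection flag, licensing mode, minimum encryption level and which redirection channels the RDP-Tcp listener allows. Assumed: the Windows Server 2003 provider in root\cimv2, a listener named RDP-Tcp, PowerShell 2.0 or later, remote WMI rights, and the class, property and code-to-name details as the 2003 provider documents them.

```powershell
# Added example, not code from the deck: read-only audit of one Terminal Server through the
# WMI provider the WMIC aliases wrap (RDToggle = Win32_TerminalServiceSetting, RDPermissions,
# RDAccount, RDNic), using Get-WmiObject instead of WMIC. Assumptions: 2003 provider in
# root\cimv2, listener RDP-Tcp, PowerShell 2.0+, and the code maps below as documented for 2003.
param([string]$Server = ".")

$LicensingNames  = @{ 0 = "Personal TS"; 1 = "Remote Desktop for Administration"; 2 = "Per Device"; 3 = "Per User" }
$EncryptionNames = @{ 1 = "Low"; 2 = "Client Compatible"; 3 = "High"; 4 = "FIPS" }

function New-Row([string]$Setting, $Value, [string]$Note) {
    New-Object PSObject -Property @{ Setting = $Setting; Value = $Value; Note = $Note }
}

function Get-TSAudit {
    param([string]$ComputerName = ".")
    $ns  = "root\cimv2"   # where the Windows Server 2003 TS provider lives
    $svc = Get-WmiObject -Namespace $ns -ComputerName $ComputerName -Class Win32_TerminalServiceSetting
    $gen = Get-WmiObject -Namespace $ns -ComputerName $ComputerName -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $cli = Get-WmiObject -Namespace $ns -ComputerName $ComputerName -Class Win32_TSClientSetting  -Filter "TerminalName='RDP-Tcp'"

    # AllowTSConnections is the flag that "RDToggle ... call SetAllowTSConnections 1/0" flips
    $allow = [int]$svc.AllowTSConnections
    $note  = if ($allow -eq 1) { "remote connections accepted" } else { "remote connections refused" }
    New-Row "AllowTSConnections" $allow $note

    $lic = [int]$svc.LicensingType
    New-Row "LicensingType" $lic ($LicensingNames[$lic])

    # Below High, the RDP-Tcp listener negotiates down to whatever the client offers
    $enc  = [int]$gen.MinEncryptionLevel
    $note = if ($enc -ge 3) { "High or FIPS" } else { "below High: raise via TSCC.msc or the 'Encryption level' Group Policy" }
    New-Row "MinEncryptionLevel" ($EncryptionNames[$enc]) $note

    # Redirection channels from the Redirection Features and Virtual Channels slides
    $channels = @{ DriveMappingEnabled = "Local drive"; WindowsPrinterMappingEnabled = "Printer";
                   LPTPortMappingEnabled = "LPT port"; COMPortMappingEnabled = "COM port";
                   AudioMappingEnabled = "Audio"; ClipboardMappingEnabled = "Clipboard" }
    foreach ($prop in $channels.Keys) {
        $on   = [bool]$cli.$prop
        $note = if ($on) { "redirection enabled on the listener" } else { "disabled on the listener" }
        New-Row ($channels[$prop] + " redirection") $on $note
    }
}

# Mirrors the WMIC line above without WMIC: 0 refuses, 1 accepts remote connections
function Set-TSConnectionsAllowed([string]$ComputerName, [int]$Allow) {
    $svc = Get-WmiObject -Namespace "root\cimv2" -ComputerName $ComputerName -Class Win32_TerminalServiceSetting
    $svc.SetAllowTSConnections($Allow) | Out-Null
}

Get-TSAudit -ComputerName $Server | Format-Table Setting, Value, Note -AutoSize
```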
Terminal Services Group Policies
• Keep-Alive Messages
• Single remote session
• Remote Desktop Wallpaper
• Limit number of connections
• Limit maximum color depth
• Allows users to connect remotely
• Do not allow local administrators to customize permissions
• Remove Windows Security item from Start menu
• Remove Disconnect item from Shut Down dialog
• Set path for TS Roaming Profiles
• TS User Home Directory
• Sets rules for remote control of Terminal Services user sessions
• Start a program on connection
More Group Policies
Client/server data redirection
• Time zone
• Clipboard
• Smart Card
• Audio
• COM port
• Printer redirection
• LPT port redirection
• Drive redirection
• Default printer
Encryption and security
• Always prompt for password
• Encryption level
Temporary folders
• Do not use temp folders per session
• Do not delete temp folder upon exit
Sessions
• Time limit for disconnected
• Time limit for active
• Time limit for active but idle
• Reconnection from original client only
• Terminate session when time limits reached
Session Directory
Users reconnect to the correct disconnected session within a farm
• Farm seems like one server to users
A service that runs on any server
• Farmed TS servers: must be Enterprise Server
• Session Directory server: any server SKU
• Possible to cluster the Session Directory server using MSCS
• Session Directory is not a load balancer
A database of user sessions across servers
• Redirects farm connections to the correct server
• Used with load balanced farms
• The Session Directory database resides in %systemroot%\system32\tssesdir\
• This location is not configurable
Installation and Configuration
Two components
• Session Directory Host server
• "Client" servers - Terminal Servers configured to talk with Session Directory
Host server not required to be a Terminal Server
May service multiple load balanced farms – cluster name is the identifier
Very small CPU, memory, and hard disk requirements
Minimum level for clients - Remote Desktop client 5.1
Server Configuration
Host server configuration must be done using the Computer Management MMC
Start the Terminal Services Session Directory service – set to "Automatic" start
The group that is created is named "Session Directory Computers"
• Empty by default
• Add computer accounts
• Do not run the Session Directory service on a domain controller – the group will be a domain local group
Client Configuration – TSCC.msc
Server settings
• Cluster name
• Session Directory server name or IP address
• Cluster name must be uniform across the cluster
• Terminal Server IP address redirection
"All network adapters configured with this protocol"
Session Directory redirection may not work properly if one of the NICs on the server is not accessible to users
Use only one network adapter for each Session Directory
If a Terminal Services connection is required on additional network cards, create one new connection per network adapter
Client Configuration – Group Policies
Computer Configuration / Administrative Templates / Terminal Services / Session Directory
• Terminal Server IP Address Redirection
• Join Session Directory
• Session Directory Server
• Session Directory Cluster Name
Best to put farmed Terminal Servers in an organizational unit, with Group Policies applied to the organizational unit
Session Directory Overview
(Figure: a user whose session was previously on TS-3 reconnects through a load balancer to a cluster of TS-1, TS-2 and TS-3; the Session Directory database is keyed by UserId, Domain and Cluster)
1. User connects to the cluster.
2. Load Balancer routes the user to the least loaded server, TS-1.
3. TS-1 checks the Session Directory for an existing session.
4. TS-3, as session owner, is communicated to the client.
5. Client reconnects to the existing session on TS-3.
Session Directory Event Logs
• 1001 "The RPC call to join Session Directory to <SD SERVER NAME> got Access Denied."
Cause: This TS server is not a member of the SD server's "Session Directory Computers" group.
• 1002 "Session Directory service on server <SD SERVER NAME> is not available."
Cause: Session Directory service on the SD server is not started.
• 1003 "Session Directory server name <SD SERVER NAME> is invalid."
Cause: Cannot find the specified SD server.
• 1004 "Tssdjet calling TSSDRpcServerOffline failed with %."
Cause: The SD service is stopped or restarted.
• 1007 "The server failed to join Session Directory because RpcMgmtInqServerPrincName failed with error code %1."
Cause: 0x5: Access denied. You can see this error if TS and SD are in different domains and the two domains are not trusted. 0x6BB: Server too busy. Normally, you see this when the SD service is restarted and all TS servers try to join the SD at the same time; the following attempts to join the SD should succeed.
• 1005 "The server successfully joined the Session Directory %1."
Cause: This is a success event.
Session Directory Logging
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tssdis
• DWORD value: TraceOutputMode
• 0 (no output)
• 3 (output to log file)
Tssdis.log in the System32 folder
Contains the following entries:
• Session Directory service started/stopped
• Computer joins/leaves session directory
• User logs in / logs out
• User disconnects / reconnects
• Session Directory-related event log messages
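An added triage script, not from the deck, that maps the Session Directory event IDs in the table above and the printer driver events 1111/1105/1106 from the Driver String Mapping slide to their causes, and reports the Tssdis TraceOutputMode value. Assumed: events are read from the System log with Get-EventLog; the sample records below are constructed for an offline run.

```powershell
# Added example, not from the deck: triage of the Session Directory event IDs (1001-1007) and
# the printer driver mapping events (1111/1105/1106), plus the Tssdis TraceOutputMode check.
# Assumptions: Get-EventLog -LogName System is the live source; sample records are constructed.

$Meaning = @{
    1001 = 'Join rejected with Access Denied: add this Terminal Server''s computer account to the "Session Directory Computers" group on the SD server'
    1002 = 'Session Directory service on the SD server is not started'
    1003 = 'Configured Session Directory server name cannot be found'
    1004 = 'SD service was stopped or restarted (TSSDRpcServerOffline)'
    1005 = 'Joined the Session Directory: success'
    1007 = 'Join failed in RpcMgmtInqServerPrincName; 0x5 = access denied (TS and SD in untrusted domains), 0x6BB = server too busy (all TS rejoining after an SD restart; later attempts succeed)'
    1111 = 'Client printer driver is unknown on the server: install the matching driver or map the name in a custom .inf (KB 239088)'
    1105 = 'Printer security information could not be set for the redirected queue'
    1106 = 'Redirected printer could not be installed'
}

function Get-TSEventTriage {
    param([object[]]$Events)   # anything with EventID, TimeGenerated, Message (Get-EventLog output works)
    foreach ($e in $Events) {
        $id = [int]$e.EventID
        if (-not $Meaning.ContainsKey($id)) { continue }
        $note = $Meaning[$id]
        # 1007 carries the RPC error code in its text; surface it so 0x5 and 0x6BB are told apart
        if ($id -eq 1007 -and $e.Message -match 'error code\s+(0x[0-9A-Fa-f]+|\d+)') { $note += " [code $($matches[1])]" }
        New-Object PSObject -Property @{ Time = $e.TimeGenerated; Id = $id; Note = $note }
    }
}

function Get-SessionDirectoryTrace {
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tssdis' -Name TraceOutputMode -ErrorAction SilentlyContinue
    if ($p -eq $null) { return 'TraceOutputMode not set: Tssdis.log is not written' }
    switch ([int]$p.TraceOutputMode) {
        0       { 'TraceOutputMode=0: no output' }
        3       { 'TraceOutputMode=3: logging to %SystemRoot%\System32\Tssdis.log' }
        default { "TraceOutputMode=$_ (value not described in the deck)" }
    }
}

# Constructed sample records (stand-ins for Get-EventLog -LogName System output)
$sampleEvents = @(
    (New-Object PSObject -Property @{ EventID = 1007; TimeGenerated = Get-Date; Message = 'The server failed to join Session Directory because RpcMgmtInqServerPrincName failed with error code 0x6BB.' }),
    (New-Object PSObject -Property @{ EventID = 1111; TimeGenerated = Get-Date; Message = 'Driver SampleDriver required for printer SamplePrinter is unknown.' }),
    (New-Object PSObject -Property @{ EventID = 1005; TimeGenerated = Get-Date; Message = 'The server successfully joined the Session Directory SD1.' })
)

Get-TSEventTriage $sampleEvents | Format-Table Time, Id, Note -AutoSize
# Live use on a Terminal Server: Get-TSEventTriage (Get-EventLog -LogName System -Newest 2000)
Get-SessionDirectoryTrace
```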
Upgrading Licensing from Windows 2000
Can mix Windows 2000 and Windows 2003 Servers
• Windows 2000 cannot issue 2003 licenses
• A 2003 License Server will issue licenses to both
• Must have a 2003 License Server for 2003 Terminal Services CALs
Windows 2003 Server requires a new version of TS CAL
• Clients cannot connect with a Windows 2000 TS CAL
• License Server will automatically replace the Windows 2000 CAL
• Can enable or prevent upgrade on a Windows 2000 connection
• TSCC.msc or Group Policy; "Prevent Automatic License Upgrade"
License Server Security Group
• Local group created - Terminal Services computers
• Prevent license upgrade
More Licensing
Terminal Server Licensing Wizard redesigned to improve usability
Re-issuance is automatic/built-in
Secure licensing mode
• Off by default
• Controlled through Group Policy
• “Terminal Services Licensing” local group
• Both Terminal Servers and License Servers
Best to use high availability configuration
• Example: Two license servers per device
• LS1: 1,000 CALs installed
• LS2: Zero CALs installed
• LS1 is used until there is a problem, then LS2 issues temporary licenses
Licensing: Not Optional
License Service is always required
• Grace period provides time for this (~120 days)
• TS never supplies licenses
Discovery process
• Broadcast in workgroup or TS4 domain
• Active Directory® enumeration in Windows 2000 and Windows .NET domain
• New – optional registry key – specify multiple machine names
• Like KB article 239107, "Establishing Preferred Windows 2000 Terminal Services License Server," but now works for multiple names
• New – LS may be deployed on any member server
• Enterprise LS are discovered automatically
• Domain LS are not
New Licensing Options for the Server/CAL Model
1. User CALs
Customers will have the option of acquiring Device or User CALs to license access to the server software.
Benefits:
• Flexible for customers
• Economical for users with multiple devices
• Consistent across many server/CAL products
2. External Connector
The External Connector license will be an option for licensing access to the server software by users other than employees or independent contractors, for example, business partners or customers.
Benefits:
• Simple
• Cost-effective
• Eliminates need to count non-employees
• Consistent across many server/CAL products
Key Elements of User CAL
Today's Model
• Device CALs
• Acquire a CAL for every device accessing the server software
New Model
• Option of User or Device CALs
• Acquire a CAL for every User or Device accessing the server software
Key elements:
1. Products: Will apply to most products licensed on server/CAL basis
2. Pricing: 1 User CAL = 1 Device CAL
3. Choice: Will be able to acquire:
• Device CALs only
• User CALs only
• Mix of Device and User CALs
Choosing Between User and Device CALs
Choice between Device CALs and User CALs is likely based on two factors:
1. Economic factors
• May prefer Device CALs if: less expensive to acquire Device CALs; fewer devices than users (for example, call center or factory floor)
• May prefer User CALs if: less expensive to acquire User CALs; fewer users than devices (for example, information worker with multiple devices: PCs, PDAs, cell phones)
2. Ease of management
• May prefer Device CALs if: easier to track devices (for example, asset management systems are set up to track devices)
• May prefer User CALs if: easier to track users (for example, purchasing systems are tightly linked with HR processes)
Helping Choose Between User and Device CALs
Administrators may choose between Device CALs and User CALs based on two factors:
Economic considerations (the cheaper option is highlighted on the original slide):
• Office workers with multiple devices (PC, laptop, PDA): acquire 2 User CALs or 6 Device CALs
• Call center or factory floor: acquire 4 User CALs or 2 Device CALs
Management considerations:
• Easier to track devices if asset management systems are set to track devices
• Easier to track users if purchasing systems are tightly linked with HR processes
Key Elements of the External Connector
Today's Model
• Internet Connector for Windows Server and Terminal Services
• Covers customers' devices
• Excludes business partners' devices
• No solution for some other products (for example, Exchange Server)
New Model
• External Connector license
• Covers all users except employees and independent contractors, for example, customers and partners
• Provides an unlimited number of users access to a copy of the server software and/or services
Key elements:
1. Products: External Connector will apply to most products licensed on server/CAL basis that do not offer a per processor option
2. Pricing: One price per product, independent of edition
3. Choice: Customer will be able to choose for non-employees:
• EC
• Individual CALs
Choosing Between EC and CALs
May choose between EC and individual Device or User CALs for business partners or customers based on two factors:
1. Economic factors
• May prefer EC if: less expensive to acquire EC; company has many partners or customers (for example, large number of authenticating customers)
• May prefer individual CALs if: less expensive to acquire individual CALs; company has few partners or customers; partners or customers access many copies of the server software
2. Ease of management
• May prefer EC if: easier to track EC; difficult to count partners or customers (for example, identity or number of partners or customers changes frequently)
• May prefer individual CALs if: easier to track individual CALs; easy to count partners or customers; difficult to count number of copies of server software
External Connector: Definitions and Examples
"Employees and Independent Contractors"
• Definition: Person that performs work for the company as an employee or in any other capacity such as an independent contractor, agent, vendor, or service provider.
• Examples: Employees; Vendors; Independent contractors; Consultants; Agents; Faculty; Staff; Currently enrolled students
"Other"
• Definition: Any person other than a person that performs work for the company as an employee, independent contractor, agent, vendor, service provider, for example, a business partner or customer.
• Examples: Business partners; Customers; Alumni
Summary: Comparison of EC and CAL Licensing
1 User CAL = One employee accessing all copies of server software (for example, Exchange) from an unlimited number of devices
1 Device CAL = Unlimited number of users accessing all copies of server software from one device
1 External Connector = Unlimited number of business partners or customers accessing one copy of server software
Questions?
Ruben.spruijt@pqr.nl