Remote Desktop is an essential feature of Windows 2003, although it
is not actually new: it is the same thing as running Terminal
Services in Administration mode on a Windows 2000 server.
Remote Desktop allows administrators to manage
the server remotely without having to walk to the server room. It
is installed by default on Windows 2003, but not enabled by default.
Remote Desktop relies upon the Terminal Services service,
which will start automatically when Remote Desktop is enabled.
Remote Desktop can be enabled on the Remote
tab of the System Properties depicted below:
If you click the Select Remote Users button, you can specify users that should be allowed remote access in addition to the administrators. Users you add on the Remote tab of the System Properties are actually added to a default group called Remote Desktop Users. Members of this special group are granted the user right Allow log on through Terminal Services on the local computer. Remember that although they log on remotely, they are working on this computer locally, as if they were sitting in front of it. If they were physically sitting in front of it, they would not be able to log on. In Windows 2000, users needed the right to log on locally to log on remotely on a terminal server.
The client component, which enables users to connect
to a computer running Remote Desktop, is appropriately called Remote
Desktop Connection. (It was called Terminal Services Client
before Windows XP/2003.) Remote Desktop Connection requires a LAN,
VPN, or dial-up connection that supports the Remote Desktop
Remote Assistance allows a user to request
help from a remote user over the Internet. The user in need of
assistance sends an invitation (by Messenger, E-mail, or file) to
an expert. If the expert accepts the invitation, he or she can establish
a remote session to view the user's screen and chat with the user,
and optionally, control mouse and keyboard input.
Remote Assistance is disabled by default on Windows
2003 servers and can be enabled on the Remote tab of the
System Properties (see image in Remote Desktop section
above). The Remote Assistance Settings, accessible through
the Advanced button on the Remote tab, allow you to put limitations
on the use of Remote Assistance and the expiration period of invitations.
Remote Assistance invitations can be sent in three
- Email - The recipient (helper/expert) will receive a message with
an attachment called 'RCBuddy.msrcincident'. When the recipient
executes that file, a remote session will be established. The user
requesting help will have to accept the session before the remote
user can view the screen and/or control the computer.
- File - This option allows you to save the invitation to a file on a floppy
disk, for example, or better, compress and encrypt it and then email
- Messenger - The process for Messenger is very similar and somewhat
easier as remote assistance can be requested directly from Messenger,
during a chat session with a help desk for example.
All three options are available from the Help
and Support center in Windows XP (click Invite a friend
to connect to your computer with Remote Assistance).
Although the Terminal Services service
is installed by default to allow Remote Desktop and Remote Assistance
connections, it allows for only two concurrent user connections.
You will need to install Terminal Server to serve a larger
number of users. Windows 2003 Terminal Server allows users to work
on the server remotely. Remote users can run applications, store
data, and access the network on the Terminal Server, while using
minimal resources of their local computer.
Terminal Server can be installed through the Add/Remove
Windows Components option in the Add and Remove Programs
wizard. You can use it without purchasing client licenses for
a period of 120 days. After this initial grace period, Terminal
Server requires a separate terminal services client license for
each connected client. To issue licenses to clients, you need to
install a Terminal Server Licensing server (which should
be installed on a different server than the Terminal Server). Before
the license server can issue client licenses, you must activate
it through the Microsoft Clearinghouse by using the Terminal
Server License Server Activation Wizard.
When you install Terminal Server, you must choose
between Full Security, which denies applications on the
server access to the registry and system files, or Relaxed Security,
which allows access to the registry and system files and may be
required for older applications you want to share on the Windows
2003 terminal server. If you choose Full Security and an application
fails to run, you can change the setting by using the Terminal
Server Configuration tool. Applications that were installed
previously need to be reinstalled after installing Terminal Server
in order to work properly for multiple users.
The 70-290 and 70-292 exams, for which these TechNotes
are written, mention "Troubleshoot Terminal Services"
and "Diagnose and resolve issues related to…" in
the exam objectives (see list at the bottom). However, to be able
to troubleshoot Terminal Services, and to be able to answer the
corresponding exam questions, you need to know how to configure
a Windows 2003 Terminal Server, because an incorrect configuration
is usually the cause of the problem. If you are sure the TCP/IP
connection is working properly, and licensing is not an issue (yet),
you should check the configuration starting with the security settings.
Terminal Server requires the same security settings
as Remote Desktop; users need the right to log on remotely
on the server. The easiest way to assign this right to users is
to add them to the local Remote Desktop Users group on
the terminal server. By default, that would suffice to allow a user
to use the terminal server, hence it is fairly simple to implement.
However, there are many settings available to fine-tune the configuration
of the terminal server. This allows you to tailor the terminal server
to your needs, but when used incorrectly, these settings can prevent
a successful connection or limit the user’s ability to use
the terminal server.
There are two primary tools in Windows 2003 that you can use to
configure settings related to Terminal Services. The first is the
Active Directory Users and Computers snap-in (or the Local
User and Groups snap-in if the Terminal Server is not in a
domain), which allows you to configure settings for individual users
and configure group policies. The second is the Terminal Services
Configuration snap-in, which allows you to override user profile
settings and configure settings for the connection that serves the
Let’s start with the Active Directory
Users and Computers snap-in. The following four tabs of a user’s
Properties allow you to configure settings related to terminal
Terminal Services Profile
The Profile Path allows you to configure a roaming or mandatory
profile for the user.
The Terminal Services Home options allow you to specify
a unique home directory for every user that logs on to the terminal
server. If you configured a profile or home directory on the Profile
tab of the user’s Properties and you want them
to use the same settings when logged on to the terminal server,
there’s no need to add them again on the Terminal Services
The most important option on this tab is the Allow
logon to terminal server option. This option is enabled by
default, and can be disabled to make an exception for this particular
user. For example, if you add the global group Finance to the Remote
Desktop Users local group on the terminal server, and you want to
make an exception for user Joe who is a member of the Finance group,
you can disable the option Allow logon to terminal server
in Joe’s profile. If there are multiple terminal servers in
the domain, Joe won’t be able to log on to any of them.
The settings on the Environment tab override the settings
configured in the Remote Desktop Connection client software.
The Starting program option allows you to specify a program
that should be executed at logon, i.e. a login script. The Client
devices settings allow you to control whether local drives and printers
are available in the terminal server session. Note that the Connect
client drives at logon applies only to ICA clients. For users
using the Remote Desktop Connection client you will need
to configure the client software to map the local drives. This will
be covered in more detail later on.
The Remote control tab settings dictate if, and how, an
administrator can control a user’s terminal server session
remotely. By default, remote control is enabled and requires the
user’s permission. The level of control defaults to Interact
with the session, which allows an administrator to join in
on the user’s terminal server session to provide support.
To remote control a session, the administrator must start a remote
session with the terminal server, start the Terminal Services
Manager admin tool, right-click the user’s session and
select Remote Control.
The Sessions tab allows you to configure session limits
for terminal server sessions.
You can set three different limits for terminal server sessions:
- End a disconnected session – When a user disconnects
from a terminal server session without logging off, the session
including running programs will remain open on the server. This
allows the user to reconnect, and find his remote desktop as he
left it. In a large environment with many users, this can quickly
lead to degrading performance on the server.
- Active session limit – This setting allows you
to specify the limit for active sessions, during which a user is
actively using the terminal server.
- Idle session limit – This setting allows you to
specify the limit for idle sessions, during which there is no user
activity on the terminal server.
The maximum settings are 49 days and 17 hours.
You can configure the terminal server to disconnect or end sessions
when the active or idle session limit is reached. If you choose
to end sessions, the user may lose data in running programs. By
default, a user can reconnect to a disconnected session from any
client. If you select the option From originating client only in
the Allow reconnection section, the user can reconnect to a disconnected
session only from the computer from which the session was originally initiated.
All the settings above that are configured in Active Directory
Users and Computers, can also be configured on a server level
by using the Terminal Services Configuration snap-in on
the terminal server to set the properties for the default RDP-Tcp
connection. The following image shows the Sessions tab
of the RDP-Tcp Properties. As you can see, it allows you
to override user settings configured in the user’s properties.
This is also the case for the other tabs discussed previously. Session
limits are usually configured here, instead of on a per-user basis.
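The precedence and session-limit rules described in the Sessions tab section and the RDP-Tcp override above, written out as a small model. This is an added example, not code from the original TechNotes; the class and function names are this example's own, and the only figures it relies on are the ones the text gives (the 49 days 17 hours maximum, disconnect versus end, reconnection from the originating client only).

```python
"""Session-limit resolution for a Windows 2003 terminal server session.

Added example, not part of the original TechNotes. It models the rules the
text describes: per-user Sessions tab limits, the RDP-Tcp connection-level
override, the 49 days 17 hours maximum, and disconnect-versus-end actions.
Class and function names are this example's own.
"""
from dataclasses import dataclass
from datetime import timedelta
from typing import Optional

MAX_LIMIT = timedelta(days=49, hours=17)  # largest value the Sessions tab accepts


@dataclass
class SessionLimits:
    """Limits from a Sessions tab; None means the limit is set to Never."""
    end_disconnected: Optional[timedelta] = None
    active_limit: Optional[timedelta] = None
    idle_limit: Optional[timedelta] = None
    end_on_limit: bool = False             # False: disconnect, True: end session
    originating_client_only: bool = False  # 'From originating client only'

    def __post_init__(self) -> None:
        for name in ("end_disconnected", "active_limit", "idle_limit"):
            value = getattr(self, name)
            if value is not None and not timedelta(0) < value <= MAX_LIMIT:
                raise ValueError(f"{name} must be between 0 and 49 days 17 hours")


def effective_limits(user: SessionLimits, rdp_tcp: SessionLimits,
                     override_user: bool) -> SessionLimits:
    """RDP-Tcp properties win when 'Override user settings' is ticked."""
    return rdp_tcp if override_user else user


def apply_limits(limits: SessionLimits, active: timedelta, idle: timedelta,
                 disconnected: Optional[timedelta]) -> str:
    """Action for a session: 'keep', 'disconnect' or 'end'. disconnected is
    None for a connected session, else the time since the user dropped it."""
    if disconnected is not None:
        if limits.end_disconnected and disconnected >= limits.end_disconnected:
            return "end"  # reaped; unsaved data in running programs is lost
        return "keep"     # stays resident and keeps consuming server resources
    hit = ((limits.active_limit and active >= limits.active_limit) or
           (limits.idle_limit and idle >= limits.idle_limit))
    return ("end" if limits.end_on_limit else "disconnect") if hit else "keep"


def may_reconnect(limits: SessionLimits, origin: str, client: str) -> bool:
    """Reconnection to a disconnected session, honouring the client restriction."""
    return origin == client if limits.originating_client_only else True
```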
Remote Desktop Connection
If you are certain the server-side is configured
correctly and is not the cause of the problem, you should check
the Remote Desktop Connection client settings. Remote
Desktop Connection is installed by default on Windows XP and
Windows 2003 and can be found under All Programs|Accessories|Communications
in the Start menu.
By default, it opens in a minimized form, quickly allowing access
to a terminal server. A user can select <Browse for more…>
from the drop-down list to browse the network for terminal servers,
or type in the name of the server they want to connect to.
When you click the Options button, an
arsenal of settings becomes available. On the General tab,
depicted below, you can configure the logon settings and save a
connection and its settings to an .rdp file. This also allows administrators
to create preconfigured connection files.
Other notable settings are the Local devices
settings on the Local Resources tab. These settings allow users
to map local disks, printers and serial ports on the terminal server.
For example, if the option Disk drives is enabled, the
user will be able to access the client’s local disk drives
from the terminal server session. This allows a user to use an application
on the terminal server, but store the data on local disk drives.
Remote Desktop Connection and Remote
Assistance rely on the Terminal Services service and
the Remote Desktop Protocol (RDP). When the terminal server
is protected by a firewall, the port for RDP (3389) must be open
to allow a successful connection.
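A saved .rdp file, as mentioned under the General tab above, is a plain text file of name:type:value lines, so a preconfigured connection file handed out by an administrator can be reviewed before it is distributed. The following is an added example, not code from the original TechNotes or from Remote Desktop Connection itself: it parses such a file and reports the Local Resources mappings (disk drives, printers, serial ports), a stored password and a non-default RDP port. The key names (drivestoredirect, redirectdrives, redirectprinters, redirectcomports, password 51, server port, full address) are assumed to be the ones Remote Desktop Connection writes; the sample file is constructed.

```python
"""Audit a saved Remote Desktop Connection (.rdp) file.

Added example, not from the original TechNotes. A .rdp file holds lines of
'name:type:value' (type s = string, i = integer, b = binary). The key names
below are assumed to be those RDC writes; finding texts are this example's own.
"""
from typing import Dict, List

# Constructed sample of a preconfigured connection file an admin might hand out
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:ts01.example.local
server port:i:3389
username:s:joe
domain:s:EXAMPLE
drivestoredirect:s:*
redirectprinters:i:1
redirectcomports:i:1
"""


def parse_rdp(text: str) -> Dict[str, object]:
    """Return {name: value}; 'i' values become int, malformed lines are skipped."""
    settings: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.count(":") < 2:
            continue
        name, kind, value = line.split(":", 2)  # value may itself contain ':'
        if kind == "i":
            try:
                settings[name] = int(value)
            except ValueError:
                continue
        else:
            settings[name] = value  # 's' and 'b' values are kept as text
    return settings


def audit_rdp(settings: Dict[str, object]) -> List[str]:
    """List the client-side mappings and other settings worth reviewing."""
    findings: List[str] = []
    # drivestoredirect is newer RDC ('*' = all drives), redirectdrives older
    if settings.get("drivestoredirect") or settings.get("redirectdrives") == 1:
        findings.append("local disk drives are mapped into the session")
    if settings.get("redirectprinters") == 1:
        findings.append("local printers are mapped into the session")
    if settings.get("redirectcomports") == 1:
        findings.append("local serial ports are mapped into the session")
    if "password 51" in settings:
        findings.append("file carries a saved password; whoever holds the file can log on")
    port = settings.get("server port", 3389)
    if port != 3389:
        findings.append(f"non-default RDP port {port}; firewall must allow it instead of 3389")
    return findings
```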