MCSA/MCSE 2003 - 70-290 TechNotes:
Remote Administration and Terminal Server

REMOTE ADMINISTRATION

Remote Desktop

Remote Desktop is an essential new feature in Windows 2003 that actually is not that new. It is the same thing as running Terminal Services in Administration mode on a Windows 2000 server. Remote Desktop allows administrators to manage the server remotely without having to walk to the server room. It is installed by default on Windows 2003, but not enabled by default. Remote Desktop relies upon the Terminal Services service, which will start automatically when Remote Desktop is enabled.

Remote Desktop can be enabled on the Remote tab of the System Properties depicted below:

If you click the Select Remote Users button, you can specify users that should be allowed remote access in addition to the administrators. Users you add on the Remote tab of the System Properties are actually added to a default group called Remote Desktop Users. Members of this special group are granted the user right Allow log on through Terminal Services on the local computer. Remember that although they log on remotely, they are working on this computer locally, as if they were sitting in front of it. If they were physically sitting in front of it, they would not be able to log on, because this right does not include the right to log on locally. In Windows 2000, users needed the right to log on locally to log on remotely on a terminal server.

The client component, which enables users to connect to a computer running Remote Desktop, is appropriately called Remote Desktop Connection. (It was called Terminal Services Client before Windows XP/2003.) Remote Desktop Connection requires a LAN, VPN, or dial-up connection that supports the Remote Desktop Protocol (RDP).


Remote Assistance

Remote Assistance allows a user to request help from a remote user over the Internet. The user in need of assistance sends an invitation (by Messenger, e-mail, or file) to an expert. If the expert accepts the invitation, he or she can establish a remote session to view the user's screen and chat with the user, and optionally, control mouse and keyboard input.

Remote Assistance is disabled by default on Windows 2003 servers and can be enabled on the Remote tab of the System Properties (see image in Remote Desktop section above). The Remote Assistance Settings, accessible through the Advanced button on the Remote tab, allow you to put limitations on the use of Remote Assistance and the expiration period of invitations.

Remote Assistance invitations can be sent in three different ways:
- Email - The recipient (helper/expert) will receive a message with an attachment called 'RCBuddy.msrcincident'. When the recipient executes that file, a remote session will be established. The user requesting help will have to accept the session before the remote user can view the screen and/or control the computer.
- File - This option allows you to save the invitation to a floppy disk, for example, or better, compress and encrypt it and then email it.
- Messenger - The process for Messenger is very similar and somewhat easier, as remote assistance can be requested directly from Messenger, during a chat session with a help desk for example.

All three options are available from the Help and Support center in Windows XP (click Invite a friend to connect to your computer with Remote Assistance).


TERMINAL SERVER

Although the Terminal Services service is installed by default to allow Remote Desktop and Remote Assistance connections, it allows for only two concurrent user connections. You will need to install Terminal Server to serve a larger number of users. Windows 2003 Terminal Server allows users to work on the server remotely. Remote users can run applications, store data, and access the network on the Terminal Server, while using minimal resources of their local computer.

Terminal Server can be installed through the Add/Remove Windows Components option in the Add and Remove Programs wizard. You can use it without purchasing client licenses for a period of 120 days. After this initial grace period, Terminal Server requires a separate terminal services client license for each connected client. To issue licenses to clients, you need to install a Terminal Server Licensing server (which should be installed on a different server than the Terminal Server). Before the license server can issue client licenses, you must activate it through the Microsoft Clearinghouse by using the Terminal Server License Server Activation Wizard.

When you install Terminal Server, you must choose between Full Security, which denies applications on the server access to the registry and system files, or Relaxed Security, which allows access to the registry and system files and may be required for older applications you want to share on the Windows 2003 terminal server. If you choose Full Security and an application fails to run, you can change the setting by using the Terminal Server Configuration tool. Applications that were installed previously need to be reinstalled after installing Terminal Server in order to work properly for multiple users.

The 70-290 and 70-292 exams, for which these TechNotes are written, mention "Troubleshoot Terminal Services" and "Diagnose and resolve issues related to…" in the exam objectives (see list at the bottom). However, to be able to troubleshoot Terminal Services, and to be able to answer the corresponding exam questions, you need to know how to configure a Windows 2003 Terminal Server, because an incorrect configuration is usually the cause of the problem. If you are sure the TCP/IP connection is working properly, and licensing is not an issue (yet), you should check the configuration, starting with the security settings.

Terminal Server requires the same security settings as Remote Desktop; users need the right to log on remotely on the server. The easiest way to assign this right to users is to add them to the local Remote Desktop Users group on the terminal server. By default, that would suffice to allow a user to use the terminal server, hence it is fairly simple to implement. However, there are many settings available to fine-tune the configuration of the terminal server. This allows you to tailor the terminal server to your needs, but when used incorrectly, these settings can prevent a successful connection or limit the user’s ability to use the terminal server.

There are two primary tools in Windows 2003 that you can use to configure settings related to Terminal Services. The first is the Active Directory Users and Computers snap-in (or the Local Users and Groups snap-in if the Terminal Server is not in a domain), which allows you to configure settings for individual users and configure group policies. The second is the Terminal Services Configuration snap-in, which allows you to override user profile settings and configure settings for the connection that serves the remote clients.

Let’s start with the Active Directory Users and Computers snap-in. The following four tabs of a user’s Properties allow you to configure settings related to terminal services.

Terminal Services Profile

The Profile Path allows you to configure a roaming or mandatory profile for the user.
The Terminal Services Home options allow you to specify a unique home directory for every user that logs on to the terminal server. If you configured a profile or home directory on the Profile tab of the user’s Properties and you want them to use the same settings when logged on to the terminal server, there’s no need to add them again on the Terminal Services Profile tab.

The most important option on this tab is the Allow logon to terminal server option. This option is enabled by default, and can be disabled to make an exception for this particular user. For example, if you add the global group Finance to the Remote Desktop Users local group on the terminal server, and you want to make an exception for user Joe who is a member of the Finance group, you can disable the option Allow logon to terminal server in Joe’s profile. If there are multiple terminal servers in the domain, Joe won’t be able to log on to any of them.

Environment

The settings on the Environment tab override the settings configured in the Remote Desktop Connection client software. The Starting program option allows you to specify a program that should be executed at logon, i.e. a login script. The Client devices settings allow you to control if local drives and printers are available in the terminal server session. Note that the Connect client drives at logon applies only to ICA clients. For users using the Remote Desktop Connection client you will need to configure the client software to map the local drives. This will be covered in more detail later on.

Remote Control

The Remote control tab settings dictate if, and how, an administrator can control a user’s terminal server session remotely. By default, remote control is enabled and requires the user’s permission. The level of control defaults to Interact with the session, which allows an administrator to join in on the user’s terminal server session to provide support. To remotely control a session, the administrator must start a remote session with the terminal server, start the Terminal Services Manager admin tool, right-click the user’s session and select Remote Control.

Sessions

The Sessions tab allows you to configure session limits for terminal server sessions.
You can set three different limits for terminal server sessions:
- End a disconnected session – When a user disconnects from a terminal server session without logging off, the session, including running programs, will remain open on the server. This allows the user to reconnect and find his remote desktop as he left it. In a large environment with many users, this can quickly lead to degrading performance on the server.
- Active session limit – This setting allows you to specify the limit for active sessions, during which a user is actively using the terminal server.
- Idle session limit – This setting allows you to specify the limit for idle sessions, during which there is no user activity on the terminal server.

The maximum setting for each limit is 49 days and 17 hours. You can configure the terminal server to disconnect or end sessions when the active or idle session limit is reached. If you choose to end sessions, the user may lose data in running programs. By default, a user can reconnect to a disconnected session from any client. If you select the option From originating client only in the Allow reconnection section, the user can reconnect to a disconnected session only from the computer from which the session was originally initiated.


All the settings above that are configured in Active Directory Users and Computers can also be configured at the server level by using the Terminal Services Configuration snap-in on the terminal server to set the properties for the default RDP-Tcp connection. The following image shows the Sessions tab of the RDP-Tcp Properties. As you can see, it allows you to override user settings configured in the user’s properties. This is also the case for the other tabs discussed previously. Session limits are usually configured here, instead of on a per-user basis.
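The following is an added example, not part of the TechNotes, that interprets a snapshot of the RDP-Tcp session-limit values the way the Sessions tab presents them, and shows where the 49 days 17 hours maximum comes from. It assumes that Terminal Services Configuration stores these settings as REG_DWORD millisecond values (MaxDisconnectionTime, MaxConnectionTime, MaxIdleTime, fResetBroken, fReconnectSame) under the WinStations\RDP-Tcp registry key; SAMPLE_RDP_TCP is constructed sample data, not read from a server.

```python
# Added example (not from the TechNotes): interpret RDP-Tcp session-limit
# settings the way the Sessions tab of the RDP-Tcp Properties presents them.
# Assumption: Terminal Services Configuration stores them as REG_DWORD
# millisecond values under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
# \WinStations\RDP-Tcp (MaxDisconnectionTime, MaxConnectionTime, MaxIdleTime,
# fResetBroken, fReconnectSame). SAMPLE_RDP_TCP is constructed sample data.

DWORD_MAX = 0xFFFFFFFF            # largest value a 32-bit REG_DWORD holds
MS_PER_HOUR = 60 * 60 * 1000
MS_PER_DAY = 24 * MS_PER_HOUR


def to_ms(days=0, hours=0, minutes=0):
    """Convert a limit to the millisecond DWORD the registry stores."""
    ms = ((days * 24 + hours) * 60 + minutes) * 60 * 1000
    if ms > DWORD_MAX:
        raise ValueError("limit exceeds the 32-bit millisecond maximum")
    return ms


def describe_ms(ms):
    """Render a stored value as the UI shows it; 0 means no limit (Never)."""
    if ms == 0:
        return "Never"
    days, rem = divmod(ms, MS_PER_DAY)
    hours, rem = divmod(rem, MS_PER_HOUR)
    return f"{days}d {hours}h {rem // 60000}m"


def max_limit():
    """Largest limit the DWORD allows: this is the 49 days 17 hours maximum."""
    return describe_ms(DWORD_MAX)


def summarize_rdp_tcp(values):
    """Build the Sessions-tab view from a snapshot of the RDP-Tcp values."""
    end = bool(values.get("fResetBroken", 0))          # 1 = end, 0 = disconnect
    same = bool(values.get("fReconnectSame", 0))       # 1 = originating client only
    return {
        "End a disconnected session": describe_ms(values.get("MaxDisconnectionTime", 0)),
        "Active session limit": describe_ms(values.get("MaxConnectionTime", 0)),
        "Idle session limit": describe_ms(values.get("MaxIdleTime", 0)),
        "When limit is reached": "End session" if end else "Disconnect from session",
        "Allow reconnection": "From originating client only" if same else "From any client",
    }


SAMPLE_RDP_TCP = {            # constructed snapshot, not read from a server
    "MaxDisconnectionTime": to_ms(hours=1),
    "MaxConnectionTime": 0,
    "MaxIdleTime": to_ms(minutes=30),
    "fResetBroken": 0,
    "fReconnectSame": 1,
}
```

Calling summarize_rdp_tcp(SAMPLE_RDP_TCP) renders the snapshot as the tab would show it, and to_ms() refuses any limit above what the DWORD can hold.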


Remote Desktop Connection

If you are certain the server-side is configured correctly and is not the cause of the problem, you should check the Remote Desktop Connection client settings. Remote Desktop Connection is installed by default on Windows XP and Windows 2003 and can be found under All Programs|Accessories|Communications in the Start menu.

By default, it opens in a minimized form, quickly allowing access to a terminal server. A user can select <Browse for more…> from the drop-down list to browse the network for terminal servers, or type in the name of the server they want to connect to.

When you click the Options button, an arsenal of settings becomes available. On the General tab, depicted below, you can configure the logon settings and save a connection and its settings to an .rdp file. This also allows administrators to create preconfigured connection files.

Other noteworthy settings are the Local devices settings on the Local Resources tab. These settings allow users to map local disks, printers and serial ports on the terminal server. For example, if the option Disk drives is enabled, the user will be able to access the client’s local disk drives from the terminal server session. This allows a user to use an application on the terminal server, but store the data on local disk drives.

Remote Desktop Connection and Remote Assistance rely on the Terminal Services service and the Remote Desktop Protocol (RDP). When the terminal server is protected by a firewall, the port for RDP (3389) must be open to allow a successful connection.
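As an added example (not part of the TechNotes), the script below parses a saved Remote Desktop Connection (.rdp) file and reports which local devices it maps and which server and TCP port it targets, so that preconfigured connection files can be checked before they are handed out. It assumes the .rdp format is plain text with one "name:type:value" setting per line, and that redirectdrives, redirectprinters, redirectcomports and "full address" are the keys Remote Desktop Connection writes for the Local Resources and General tab settings; SAMPLE_RDP is a constructed file, not one saved by a real client.

```python
# Added example, not part of the TechNotes: audit a saved Remote Desktop
# Connection (.rdp) file for the Local Resources mappings and target server.
# Assumptions: one "name:type:value" line per setting (type s = string,
# i = integer, b = binary); redirectdrives, redirectprinters, redirectcomports
# and "full address" are the keys the client writes for those settings.
# SAMPLE_RDP is a constructed file, not one saved by a real client.

SAMPLE_RDP = """\
screen mode id:i:2
full address:s:ts01.example.local:3389
username:s:joe
redirectdrives:i:1
redirectprinters:i:1
redirectcomports:i:0
"""

LOCAL_DEVICES = {            # .rdp key -> label on the Local Resources tab
    "redirectdrives": "Disk drives",
    "redirectprinters": "Printers",
    "redirectcomports": "Serial ports",
}


def parse_rdp(text):
    """Return {name: value}; integer settings are converted to int."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # maxsplit=2 keeps colons inside the value, e.g. a host:port address
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            raise ValueError(f"line {lineno}: not a name:type:value setting")
        name, kind, value = parts
        settings[name] = int(value) if kind == "i" else value
    return settings


def server_and_port(settings, default_port=3389):
    """Split 'full address' into host and the TCP port the firewall must pass."""
    host, sep, port = settings.get("full address", "").rpartition(":")
    if not sep:
        return port, default_port     # no colon: rpartition leaves the host in 'port'
    return host, int(port)


def mapped_devices(settings):
    """Labels of the local device classes the file maps into the session."""
    return [label for key, label in LOCAL_DEVICES.items() if settings.get(key, 0)]
```

Running mapped_devices(parse_rdp(SAMPLE_RDP)) lists Disk drives and Printers for the sample, and server_and_port() falls back to 3389 when the address carries no explicit port.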


 
Current related exam topics for the 70-290 exam:

Managing and Maintaining Access to Resources

Troubleshoot Terminal Services.
- Diagnose and resolve issues related to Terminal Services security.
- Diagnose and resolve issues related to client access to Terminal Services.

Managing and Maintaining a Server Environment

Manage servers remotely.
- Manage a server by using Remote Assistance.
- Manage a server by using Terminal Services remote administration mode.


Date: Thursday, November 27, 2004
TechExams.Net
Author: Johan Hiemstra
MCSE NT4 MCSA 2000/2003
CCNA CCDA CNA Security+ CWNA