Remote Desktop is an essential new
feature in Windows 2003 that actually is not that new. It
is the same thing as running Terminal Services in Administration
mode on a Windows 2000 server. Remote Desktop allows
administrators to manage the server remotely without having
to walk to the server room. It is installed by default on
Windows 2003, but not enabled by default. Remote Desktop relies
upon the Terminal Services service, which will start
automatically when Remote Desktop is enabled.
Remote Desktop can be enabled on the Remote
tab of the System Properties depicted below:
If you click the Select Remote Users button, you can specify users that should be allowed remote access in addition to the administrators. Users you add on the Remote tab of the System Properties are actually added to a default group called Remote Desktop Users. Members of this special group are granted the user right Allow log on through Terminal Services on the local computer. Remember that although they logon remotely, they are working on this computer locally, as if they were sitting in front of it. If they were physically sitting in front of it, they would not be able to log on. In Windows 2000, users needed the right to log on locally to logon remotely on a terminal server.
The client component, which enables users
to connect to a computer running Remote Desktop, is appropriately
called Remote Desktop Connection. (It was called
Terminal Services Client before Windows XP/2003.)
Remote Desktop Connection requires a LAN, VPN, or dial-up
connection that supports the Remote Desktop Protocol (RDP).
Remote Assistance allows a user
to request help from a remote user over the Internet. The
user in need for assistance sends an invitation (by Messenger,
E-mail, or file) to an expert. If the expert accepts the invitation,
he or she can establish a remote session to view the user's
screen and chat with the user, and optionally, control mouse
and keyboard input.
Remote Assistance is disabled by default
on Windows 2003 servers and can be enabled on the Remote
tab of the System Properties (see image in Remote
Desktop section above). The Remote Assistance Settings,
accessible thru the Advanced button on the Remote tab, allow
you to put limitations on the use of Remote Assistance and
the expiration period of invitations.
Remote Assistance invitations can be send
in three different ways:
- Email - The recipient (helper/expert) will receive a message
with an attachment called 'RCBuddy.msrcincident'. When the
recipient executes that file, a remote session will be established.
The user requesting help will have to accept the session before
the remote user can view the screen and/or control the computer.
- File - This option allows you to save the invitations on
a floppy disk for example, or better, compress and encrypt
it and then email it.
- Messenger - The process for Messenger is very similar and
somewhat easier as remote assistance can be requested directly
from Messenger, during a chat session with a help desk for
All three options are available from the
Help and Support center in Windows XP (click Invite
a friend to connect to your computer with Remote Assistance).
Although the Terminal Services service
is installed by default to allow Remote Desktop and Remote
Assistance connections, it allows for only two concurrent
user connections. You will need to install Terminal Server
to serve a larger number of users. Windows 2003 Terminal Server
allows users to work on the server remotely. Remote users
can run applications, store data, and access the network on
the Terminal Server, while using minimal resources of their
Terminal Server can be installed through
the Add/Remove Windows Components option in the Add
and Remove Programs wizard. You can use it without purchasing
client licenses for a period of 120 days. After this initial
grace period, Terminal Server requires a separate terminal
services client license for each connected client . To issue
licenses to clients, you need to install a Terminal Server
Licensing server (which should be installed on a different
server than the Terminal Server). Before the license server
can issue client licenses, you must activate it though the
Microsoft Clearinghouse by using the Terminal
Server License Server Activation Wizard.
When you install Terminal Server, you must
choose between Full Security, which denies applications
on the server access to the registry and system files, or
Relaxed Security, which allows access to the registry
and system files and may be required for older applications
you want to share on the Windows 2003 terminal server. If
you choose Full Security and an application fails to run,
you can change the setting by using the Terminal Server
Configuration tool. Applications that were installed
previously need to be reinstalled after installing Terminal
Server in order to work properly for multiple users.
The 70-290 and 70-292 exam, for which these
TechNotes are written, mention "Troubleshoot Terminal
Services" and "Diagnose and resolve issues related
to…" in the exam objectives (see list at the bottom).
However, to be able to troubleshoot Terminal Services, and
to be able to answer the corresponding exam questions, you
need to know how to configure a Windows 2003 Terminal Server,
because an incorrect configuration is usually the cause of
the problem. If you are sure the TCP/IP connection is working
properly, and licensing is not an issue (yet), you should
check the configuration starting with the security settings.
Terminal Server requires the same security
settings as Remote Desktop; users need the right to log
on remotely on the server. The easiest way to assign
this right to users is to add them to the local Remote
Desktop Users group on the terminal server. By default,
that would suffice to allow a user to use the terminal server,
hence it is fairly simple to implement. However, there are
many settings available to fine-tune the configuration of
the terminal server. This allows you to tailor the terminal
server to your needs, but when used incorrectly, these settings
can prevent a successful connection or limit the user’s
ability to use the terminal server.
There are two primary tools in Windows 2003 that you can use
to configure settings related to Terminal Services. The first
is the Active Directory Users and Computers snap-in
(or the Local User and Groups snap-in if the Terminal
Server is not in a domain), which allows you to configure
settings for individual users and configure group policies.
The second is the Terminal Services Configuration
snap-in, which allows you to override user profile settings
and configure settings for the connection that serves the
Let’s start with the Active Directory
Users and Computers snap-in. The following four tabs
of a user’s Properties allow you to configure
settings related to terminal services.
Terminal Services Profile
The Profile Path allows you to configure a roaming
or mandatory profile for the user.
The Terminal Services Home options allow you to specify
a unique home directory for every user that logs on to the
terminal server. If you configured a profile or home directory
on the Profile tab of the user’s Properties
and you want to them to use the same settings when logged
on to the terminal server, there’s no need to add them
again on the Terminal Services Profile tab.
The most important option on this tab is
the Allow logon to terminal server option. This option
is enabled by default, and can be disabled to make an exception
for this particular user. For example, if you add the global
group Finance to the Remote Desktop Users local group on the
terminal server, and you want to make an exception for user
Joe who is a member of the Finance group, you can disable
the option Allow logon to terminal server in Joe’s
profile. If there are multiple terminal servers in the domain,
Joe won’t be able to log on to any of them.
The settings on the Environment tab override the
settings configured in the Remote Desktop Connection
client software. The Starting program option allows
you to specify a program that should be executed at logon,
i.e. a login script. The Client devices settings allow you
to control if local drives and printers are available in the
terminal server session. Note that the Connect client
drives at logon applies only to ICA clients. For users
using the Remote Desktop Connection client you will
need to configure the client software to map the local drives.
This will be covered in more detail later on.
The Remote control tab settings dictate if, and how,
an administrator can control a user’s terminal server
session remotely. By default, remote control is enabled and
requires the user’s permission. The level of control
defaults to Interact with the session, which allows
an administrator to join in on the user’s terminal server
session to provide support. To remote control a session, the
administrator must start a remote session with the terminal
server, start the Terminal Services Manager admin
tool, right-click the user’s session and select Remote
The Sessions tab allows you to configure session
limits for terminal server sessions.
You can set three different limits for terminal server sessions:
- End a disconnected session – When a user
disconnects from a terminal server session without logging
off, the session including running programs will remain open
on the server. This allows the user to reconnect, and find
his remote desktop as he left it. In a large environment with
many users, this can quickly lead to degrading performance
on the server.
- Active session limit – This setting allows
you to specify the limit for active session, during which
a user is actively using the terminal server.
- Idle session limit – This settings allows
you to specify the limit for idle sessions, during which there
is no user activity on the terminal server.
The maximum settings are 49 days and 17 hours.
You can configure the terminal server to disconnect or end
sessions when the active or idle session limit is reached.
If you choose to end sessions, the user may lose data in running
programs. By default, a user can reconnect
to a disconnected session from any client. If you select the
option From originating client only in the Allow reconnection
section, the user can reconnect to a disconnected session
only from the computer the session was originally initiated.
All the settings above that are configured in Active Directory
Users and Computers, can also be configured on a server
level by using the Terminal Services Configuration
snap-in on the terminal server to set the properties for the
default RDP-Tcp connection. The following image shows
the Sessions tab of the RDP-Tcp Properties.
As you can see, it allows you to override user settings configured
in the user’s properties. This is also the case for
the other tabs discussed previously. Session limits are usually
configured here, instead of on a per-user basis.
Remote Desktop Connection
If you are certain the server-side is configured
correctly and is not the cause of the problem, you should
check the Remote Desktop Connection client settings.
Remote Desktop Connection is installed by default
on Windows XP and Windows 2003 and can be found under All
Programs|Accessories|Communications in the Start
By default, it opens in a minimized form, quickly allowing
access to a terminal server. A user can select <Browse
for more…> from the drop-down list to browse
the network for terminal servers, or type in the name of the
server they want to connect.
When you click the Options button,
an arsenal of settings becomes available. On the General
tab, depicted below, you can configure the logon settings
and save a connection and its settings to an .rdp file. This
also allows administrators to create preconfigured connection
Other mentionable settings are the Local
devices settings on Local Resources tab. These
settings allow users to map local disks, printers and serial
ports on the terminal server. For example, if the option Disk
drives is enabled, the user will be able to access its
client’s local disk drives from the terminal server
session. This allows a user to use an application on the terminal
server, but store the data on local disk drives.
Remote Desktop Connection and Remote
Assistance rely on the Terminal Services service
and the Remote Desktop Protocol (RDP). When the terminal
server is protected by a firewall, the port for RDP (3389)
must be open to allow a successful connection.