Windows 2003 What’s new in Terminal Services ?

Presentation Transcript
Upgrading Concerns
  • Upgrading from Microsoft Windows NT® 4.0 Terminal Server to Windows 2003 Server -blocked
  • In Windows NT 4.0 Terminal Server - compatibility scripts modified permissions on registry, security, folders, etc.
    • Some were done on a Windows 2000 server
  • During upgrade, the security template applied to an application server does not reset the ACLs
  • Best to do a clean installation on the server in Full Security Mode

Ruben Spruijt - PQR Diensten

New Client User Interface MSTSC
  • Experience tab
    • Optimize wallpaper, visual styles, etc. for speed of network connection
  • Full screen connection bar
  • No Connection Manager: save connection settings from client user interface
    • /migrate
  • Greater color depth and screen resolution - high color (24 bit)

Remote Desktop for Administration
  • Remote Desktop for administration is installed automatically
  • Two concurrent remote connections plus console session
    • (mstsc/console)
  • By default, it is toggled off
    • System properties in Control Panel
    • “Allow Users to Connect remotely to this computer” on the Remote tab
  • Does not require licenses
  • Remote Desktop Connection tool is available for download for earlier versions of Windows http://www.microsoft.com/windowsxp/remotedesktop/

Remote Desktop Snap-in
  • Used for network administration
    • Multiple computers in one window
    • Connect to console
    • Local Group Policies and Default.rdp settings affect connection settings
  • Help Desk users - Remote Assistance

Installing Terminal Services for Application Hosting
  • Installed using Add/Remove Programs
  • Previously installed applications must be reinstalled for multisession access
  • All members of the Local Users group are copied into the Remote Desktop Users group
  • Security mode for the Terminal Server connections
    • Windows 2000/Windows 2003 Server permissions mode (full security)
    • Windows NT 4.0/Terminal Server Edition permissions compatibility mode (relaxed security)
  • Unattended installation - answer file sections:

[Components]
TerminalServer = On

[TerminalServices]
LicensingMode = PerDevice

Terminal Server Advertising
  • Windows 2003 - Only Terminal Servers in Application Server mode
  • Windows 2000 - All servers with Terminal Services installed
  • To prevent a Terminal Services-based computer from advertising, set the following registry value:
    • Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server
    • REG_DWORD value: TSAdvertise
    • 0 disables and 1 enables advertising

The Remote Desktop Users Group
  • Remote logon permissions
    • Use TSCC.msc to give users or groups the appropriate rights
    • By default, the Remote Desktop Users local group is empty
  • Restricted groups
    • Add remote desktop users to the restricted groups
    • Security templates MMC snap-in
  • Security features
    • Per network adapter connection permissions
    • Custom rights assignment
    • Remote interactive right
      • May be administered using Security Policy Editor

Redirection Features
  • Enabled by using virtual channels
    • Local Drive
    • Audio
    • Time
    • Smart Card
    • Port (LPT/COM)
    • Printer

Virtual Channels
  • Virtual channel permissions
    • Permissions to use capabilities introduced through virtual channels can be set in the Terminal Services Configuration tool (TSCC.msc)
    • TSCC.MSC snap-in - RDP properties
      • On the Permissions tab, click Advanced
      • Select the group or account and then View/Edit
      • Allow or deny virtual channels
  • The virtual channels setting affects all redirection

Local Drive Redirection
  • Local file system available to the Remote Desktop session
  • Local drives appear in My Computer
    • <driveletter>\ on tsclient
    • From command line or run line: \\tsclient\<driveletter>
  • Disable per server
    • Terminal Services Group Policies
    • Terminal Services Configuration
  • Disable on individual client
    • On the Local Resources tab, click Local devices, and then click to select the “Disk drives” check box
    • Group Policies will override this selection
  • Must be Windows XP or Windows .NET

Audio Redirection
  • Possible settings:
    • Bring to this computer
    • Do not play
    • Leave at the remote computer
  • MID and MIDI files are not transferable with audio redirection
  • Following must apply:
    • Both the Terminal Server and the client have a sound card
    • The client is set to “Bring to this Computer”
    • The TSCC.MSC - allows audio mapping

Advantages of Audio Redirection
  • Audio mixing
    • If there are multiple applications - the resulting stream is an audio mix of the different streams
  • Minimized performance impact of the audio stream input/output (I/O) on the RDP session
    • Renegotiates sound stream quality if network bandwidth changes
    • No user interaction
    • Best to disable sound redirection on a very slow network

Time Zone Redirection
  • Allow Time Zone Redirection Group Policy setting
    • Terminal Services uses the server base time on the Terminal Server and the client time zone information to calculate the time on the session
      • Session time = server base time + client time zone
      • Client time zone must be set correctly
  • Client version support:
    • Windows XP client
    • Windows .NET Server client
    • Windows CE 4.0

Using Smart Cards with Terminal Server
  • Require strong credentials
  • Must have Microsoft Active Directory® deployed
  • Client computers must be running a Microsoft client operating system with built-in Smart Card support
    • Windows XP or Windows 2000
    • Most devices are running Windows CE .NET 4
    • Smart card readers on the client computers
    • Uses trusted X.509v3 certificates that are stored on a smart card
  • Ease of deployment

Port Redirection
  • LPT and COM port redirection
    • Bar code readers or scanners
    • USB redirection is only possible with installed local printers
  • By default, no FireWire or IEEE 1394 ports redirected
  • However, can enable FireWire port redirection on clients by enabling all ports to be redirected
    • Registry on the client computer:
      • Key: HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\AddIns\RDPDR
      • New DWORD value: FilterQueueType
      • Value: FFFFFFFF

  • For more information about filtering port redirection, see article 302361, “Multifunction Printers That Use DOT4 Ports Are Not Redirected By Using Remote Desktop”

http://support.microsoft.com/default.aspx?scid=kb;en-us;302361

Com Port Redirection
  • Win32® COMM APIs open communication ports with CreateFile against the COM port name
  • CreateFile automatically maps that name from the application’s per-session DOS device namespace to the correct client-side device
  • No server-side code has to be adjusted

Printer Redirection
  • Redirected printers in the Printers folder in the following format:
    • <client printer name> on <server name> (from client computer name) in Session <number>.
  • Local port redirection
  • Network printers redirected

Managing Printers
  • Enabled by default
  • Group Policies
    • Computer Configuration\Windows Components\Terminal Services\Client/Server data redirection
  • Individual remote desktop connection
    • Local Resources tab
  • Terminal Services Configuration
    • Client Settings tab
  • Allowing/disallowing virtual channels
  • Bidirectional printing is not supported

Printer Data Stored on the Client
  • Client disconnects
    • The printer queue is deleted from the server
    • Incomplete or pending print jobs are lost
  • Configuration data for those printers, however, is stored in the client’s registry:
    • Automatic - HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\AddIns\RDPDR.SYS\<printer queue name>\AutoPrinterCacheData
    • Manual - HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\AddIns\RDPDR.SYS\<printer queue name>\PrinterCacheData
  • Retain same settings to different terminal servers

Driver String Mapping for Printer Queues
  • The Terminal Server has only the 2003 version of the driver
  • When there is no matching driver on the server end, the following events are logged:
    • Event ID 1111: Driver drivername required for printer printertype is unknown.
    • Event ID 1105: Printer security information for the printername/clientcomputername/Session number could not be set.
    • Event ID 1106: The printer could not be installed.
  • Install a driver on the server that matches the print queue attached to the client machine
  • The client-side and the server-side driver names must match
    • Client-side driver shipped post 2003 – new OEM driver
    • OEM supplied driver
    • Can create a custom .inf file (Ntprint.inf)
  • See KB article 239088, “Windows 2000 Terminal Services Server Logs Events 1111, 1105, and 1106”

Automatic Reconnection
  • RDP layers over TCP
  • Re-authenticate – no user credentials
  • Enable automatic reconnection
    • Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, DWORD value fDisableAutoReconnect (1 = on, 0 = off)
    • Default.rdp file: autoreconnection enabled:i:1 (1 = enabled, 0 = disabled)

  • Auto-reconnection cookie is flushed and regenerated any time the user logs in
  • New cookie at hourly intervals
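Added example, not from the presentation: a Python checker that parses the name:type:value lines of a Default.rdp file and reports the redirection and auto-reconnection settings from the Local Drive Redirection, Audio Redirection, Port Redirection and Automatic Reconnection slides against an expected profile. The sample file is constructed; apart from autoreconnection enabled, the key names are the ones the Remote Desktop Connection client uses and are an assumption here.

```python
"""Audit the redirection and auto-reconnection settings in an .rdp file.

Added example; not part of the original presentation.  An .rdp file holds
one "name:type:value" setting per line, where type is i (integer) or s
(string).  Only "autoreconnection enabled" appears on the slides; the
other key names are the ones the Remote Desktop Connection client uses
and are assumed here.
"""
from typing import Dict, List, Tuple, Union

Value = Union[int, str]

# Constructed sample of a Default.rdp file: drive, port and audio
# redirection left on, auto-reconnection enabled.
SAMPLE_RDP = """\
full address:s:ts-1.example.test
session bpp:i:24
autoreconnection enabled:i:1
redirectdrives:i:1
redirectprinters:i:1
redirectcomports:i:1
redirectsmartcards:i:1
audiomode:i:0
"""

# Settings the slides discuss and the value a locked-down client profile
# is expected to carry.  audiomode: 0 = "Bring to this computer",
# 1 = "Leave at the remote computer", 2 = "Do not play".
POLICY: Dict[str, Tuple[Value, str]] = {
    "redirectdrives": (0, "local drive redirection (\\\\tsclient\\<drive>)"),
    "redirectcomports": (0, "LPT/COM port redirection"),
    "redirectprinters": (1, "printer redirection"),
    "redirectsmartcards": (1, "smart card redirection"),
    "audiomode": (2, "audio redirection"),
    "autoreconnection enabled": (1, "automatic reconnection"),
}


def parse_rdp(text: str) -> Dict[str, Value]:
    """Parse name:type:value lines; malformed lines are skipped."""
    settings: Dict[str, Value] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # the value itself may contain colons
        if len(parts) != 3:
            continue
        name, kind, value = parts
        if kind == "i":
            try:
                settings[name] = int(value)
            except ValueError:
                continue
        elif kind == "s":
            settings[name] = value
    return settings


def audit(settings: Dict[str, Value]) -> List[str]:
    """Return one finding per POLICY entry the file does not satisfy.

    A key absent from the file is reported too: the client then applies
    its own built-in default rather than the intended value.
    """
    findings: List[str] = []
    for key, (expected, label) in POLICY.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key}: not set ({label}); client default applies")
        elif actual != expected:
            findings.append(f"{key}={actual}: expected {expected} ({label})")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_rdp(SAMPLE_RDP)):
        print(finding)
```

Server-side Group Policy and TSCC settings override what the client file says, so a clean client file is not on its own evidence that redirection is off.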

Using Group Policy vs. TSCC.msc
  • Group Policies
    • Remote Desktop Users group
    • Individual computers Local Group Policy
    • Groups of computers Terminal Server organizational unit
  • TSCC.msc snap-in
    • RDP connection parameters
    • Connection permissions
    • Single Terminal Server and its users
    • Cannot configure remote server
  • Settings that are set only by using TSCC.msc
    • Licensing Mode
    • Disable Active Desktop

Management – GP and WMI
  • New Group Policy settings
    • Extensive set of policies
    • Both computer and user configuration settings
    • Control permissions using Remote Desktop Users group
      • “Restricted Groups” in Security Templates MMC
    • Software Restriction Policies
  • New WMI provider
    • Full read/write
    • Nearly all Terminal Server settings
      • Terminal Server Configuration, APIs, and command lines
    • WMIC: command line interface to WMI
      • Aliases: RDAccount; RDPermissions; RDToggle; RDNic
      • RDTOGGLE to enable/disable TS connections:

wmic /node:"ServerName" /user:"DomainName\administrator" /password:"password" RDToggle where ServerName="ServerName" call SetAllowTSConnections 1

Terminal Services Group Policies
  • Keep-Alive Messages
  • Single remote session
  • Remote Desktop Wallpaper
  • Limit number of connections
  • Limit maximum color depth
  • Allow users to connect remotely
  • Do not allow local administrators to customize permissions
  • Remove Windows Security item from Start menu
  • Remove Disconnect item from Shut Down dialog
  • Set path for TS Roaming Profiles
  • TS User Home Directory
  • Sets rules for remote control of Terminal Services user sessions
  • Start a program on connection

More Group Policies
  • Client/server data redirection
    • Time zone
    • Clipboard
    • Smart Card
    • Audio
    • COM port
    • Printer redirection
    • LPT port redirection
    • Drive redirection
    • Default printer
  • Encryption and security
    • Always prompt for password
    • Encryption level
  • Temporary folders
    • Do not use temp folders per session
    • Do not delete temp folder upon exit
  • Sessions
    • Time limit for disconnected
    • Time limit for active
    • Time limit for active but idle
    • Reconnection from original client only
    • Terminate session when time limits reached

Session Directory
  • Users reconnect to the correct disconnected session within a farm
    • Farm seems like one server to users
  • A service that runs on any server
    • Farmed TS servers: must be Enterprise Server
    • Session directory server: any server SKU
    • Possible to cluster Session Directory server using MSCS
    • Session Directory is not a load balancer
  • A database of user sessions across servers
    • Redirects farm connections to correct server
    • Used with load balanced farms
    • The Session Directory database resides in %systemroot%\system32\tssesdir\
      • This location is not configurable

Installation and Configuration
  • Two components
    • Session Directory Host server
    • “Client” servers - Terminal Servers configured to talk with Session Directory
  • Host server not required to be a Terminal Server
  • May service multiple load balanced farms – cluster name is the identifier
  • Very small CPU, memory, and hard disk requirements
  • Minimum level for clients - Remote Desktop client 5.1

Server Configuration
  • Host server configuration must be done using the Computer Management MMC
  • Start the Terminal Services Session Directory Service – set to “Automatic” start
  • The group that is created is named "Session Directory Computers"
    • Empty by default
    • Add computer accounts
    • Do not run the Session Directory service on a domain controller – group will be a domain local group

Client Configuration – TSCC.msc
  • Server settings
    • Cluster name
    • Session Directory server name or IP address
    • Cluster name must be uniform across the cluster
    • Terminal Server IP address redirection
  • “All network adapters configured with this protocol”
    • Session Directory redirection may not work properly if one of the NICs on the server is not accessible to users
    • Use only one network adapter for each Session Directory
  • If a Terminal Services connection is required on additional network cards, create one new connection per network adapter

Client Configuration – Group Policies
  • Computer Configuration / Administrative Templates / Terminal Services / Session Directory
    • Terminal Server IP Address Redirection
    • Join Session Directory
    • Session Directory Server
    • Session Directory Cluster Name
  • Best to put farmed Terminal Servers in an organizational unit, with Group Policies applied to the organizational unit

Session Directory Overview (User Session Previously on TS-3)

[Figure: a client (UserId, Domain) connecting through a load-balanced Cluster of TS-1, TS-2 and TS-3, with the Session Directory beside the farm and the existing User Session on TS-3]

1. User connects to cluster.
2. Load Balancer Cluster routes user to least loaded server, TS-1.
3. TS-1 checks the Session Directory for existing session.
4. TS-3, as session owner, is communicated to the client.
5. Client reconnects to existing session TS-3.

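The five steps above, modelled as an added Python example (not the Session Directory service itself, and not from the presentation): the directory is keyed by cluster name, the load balancer picks the least loaded server, and that server hands the client over to the session owner. Server, user and cluster names are constructed.

```python
"""Model of the Session Directory reconnect flow shown on the slide above.

Added example; not the Session Directory service itself.  Server, user
and cluster names are constructed.  The directory is keyed by cluster
name, which is why the slides require the name to be uniform across a
farm: a server that joins under a different name never sees the session.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

UserKey = Tuple[str, str]  # (domain, user id), as on the slide


@dataclass
class SessionDirectory:
    """Database of user sessions across servers: cluster -> user -> owner."""
    clusters: Dict[str, Dict[UserKey, str]] = field(default_factory=dict)

    def lookup(self, cluster: str, user: UserKey) -> Optional[str]:
        return self.clusters.get(cluster, {}).get(user)

    def record_logon(self, cluster: str, server: str, user: UserKey) -> None:
        self.clusters.setdefault(cluster, {})[user] = server

    def record_logoff(self, cluster: str, user: UserKey) -> None:
        # A logoff removes the entry; a disconnect does not, so the
        # session stays reachable for a later reconnect.
        self.clusters.get(cluster, {}).pop(user, None)


@dataclass
class TerminalServer:
    name: str
    cluster: str  # cluster name configured in TSCC.msc or Group Policy
    directory: SessionDirectory
    sessions: Dict[UserKey, str] = field(default_factory=dict)  # user -> state

    def connect(self, user: UserKey) -> str:
        """Steps 3-4: consult the directory and return the server that
        owns the user's session (this one if a new session is started)."""
        owner = self.directory.lookup(self.cluster, user)
        if owner is not None and owner != self.name:
            return owner  # step 4: the client is told who owns the session
        self.sessions[user] = "active"  # new logon, or reconnect to ours
        self.directory.record_logon(self.cluster, self.name, user)
        return self.name

    def disconnect(self, user: UserKey) -> None:
        self.sessions[user] = "disconnected"

    def logoff(self, user: UserKey) -> None:
        self.sessions.pop(user, None)
        self.directory.record_logoff(self.cluster, user)


def least_loaded(farm: List[TerminalServer]) -> TerminalServer:
    """Step 2: the load balancer routes to the server with fewest sessions."""
    return min(farm, key=lambda s: len(s.sessions))


def client_connect(farm: List[TerminalServer], user: UserKey) -> Tuple[str, str]:
    """Steps 1-5.  Returns (server first routed to, server finally used)."""
    first = least_loaded(farm)
    owner = first.connect(user)
    if owner == first.name:
        return first.name, first.name
    final = next(s for s in farm if s.name == owner).connect(user)  # step 5
    return first.name, final


def demo() -> Tuple[str, str]:
    """Reproduce the slide: alice's session was previously on TS-3."""
    sd = SessionDirectory()
    farm = [TerminalServer(f"TS-{i}", "FARM1", sd) for i in (1, 2, 3)]
    alice, bob = ("CORP", "alice"), ("CORP", "bob")
    farm[2].connect(alice)  # earlier: alice worked on TS-3 ...
    farm[2].disconnect(alice)  # ... and disconnected without logging off
    farm[1].connect(bob)  # TS-2 now busy, so TS-1 is the least loaded
    return client_connect(farm, alice)  # -> ("TS-1", "TS-3")
```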
Session Directory Event Logs

Session Directory Logging
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tssdis
    • DWORD value: TraceOutputMode
      • 0 (no output)
      • 3 (output to log file)
  • Tssdis.log in the System32 folder
  • Contains the following entries:
    • Session Directory service started/stopped
    • Computer joins/leaves session directory
    • User logs in / logs out
    • User disconnects / reconnects
    • Session Directory-related event log messages

Upgrading Licensing from Windows 2000
  • Can mix Windows 2000 and Windows 2003 Servers
    • Windows 2000 cannot issue 2003 Licenses
    • A 2003 License Server will issue licenses to both
    • Must have a 2003 License Server for 2003 Terminal Services CALs
  • Windows 2003 Server requires a new version of TS CAL
    • Clients cannot connect with a Windows 2000 TS CAL
    • License Server will automatically replace Windows 2000 CAL
    • Can enable or prevent upgrade on Windows 2000 connection
      • TSCC.msc or Group Policy; “Prevent Automatic License Upgrade”
  • License Server Security Group
    • Local group created - Terminal Services computers
    • Prevent license upgrade

More Licensing
  • Terminal Server Licensing Wizard redesigned to improve usability
  • Re-issuance is automatic/built-in
  • Secure licensing mode
    • Off by default
    • Controlled through Group Policy
    • “Terminal Services Licensing” local group
      • Both Terminal Servers and License Servers
  • Best to use high availability configuration
    • Example: Two license servers per device
      • LS1: 1,000 CALs installed
      • LS2: Zero CALs installed
      • LS1 is used until there is a problem, then LS2 issues temporary licenses

Licensing: Not Optional
  • License Service is always required
    • Grace period provides time for this (~120 days)
    • TS never supplies licenses
  • Discovery process
    • Broadcast in workgroup or TS4 domain
    • Active Directory® enumeration in Windows 2000 and Windows .NET domain
    • New – optional registry key – specify multiple machine names
      • Like KB article 239107, “Establishing Preferred Windows 2000 Terminal Services License Server,” but now works for multiple names
    • New – LS may be deployed on any member server
      • Enterprise LS are discovered automatically
      • Domain LS are not

New Licensing Options for the Server/CAL Model

1. User CALs

2. External Connector

  • Customers will have the option of acquiring Device or User CALs to license access to the server software.
  • Benefits:
    • Flexible for customers
    • Economical for users with multiple devices
    • Consistent across many server/CAL products
  • The External Connector license will be an option for licensing access to the server software by users other than employees or independent contractors — for example, business partners or customers.
  • Benefits:
    • Simple
    • Cost-effective
    • Eliminates need to count non-employees
    • Consistent across many server/CAL products

Key Elements of User CAL
  • Products: Will apply to most products licensed on server/CAL basis
  • Pricing: 1 User CAL = 1 Device CAL
  • Choice: Will be able to acquire:
    • Device CALs only
    • User CALs only
    • Mix of Device and User CALs

Today’s Model

  • Device CALs
  • Acquire a CAL for every device accessing the server software

New Model

  • Option of User or Device CALs
  • Acquire a CAL for every User or Device accessing the server software

Choosing Between User and Device CALs

Choice between Device CALs and User CALs is likely based on two factors:
  • May prefer Device CALs if...
    • Economic factors - less expensive to acquire Device CALs
      • Fewer devices than users
      • For example, call center or factory floor
    • Ease of management - easier to track devices
      • For example, asset management systems are set up to track devices
  • May prefer User CALs if...
    • Economic factors - less expensive to acquire User CALs
      • Fewer users than devices
      • For example, information worker with multiple devices (PCs, PDAs, cell phones)
    • Ease of management - easier to track users
      • For example, purchasing systems are tightly linked with HR processes


Helping Choose Between User and Device CALs

Administrators may choose between Device CALs and User CALs based on two factors:
  • Economic considerations
    • [Figure: Users vs. Devices for two scenarios, “2 User CALs or 6 Device CALs” and “4 User CALs or 2 Device CALs”, with the cheaper option to acquire highlighted]
    • Examples: office workers with multiple devices – PC, laptop, PDA; call center; factory floor
  • Management considerations
    • Easier to track devices if asset management systems are set to track devices
    • Easier to track users if purchasing systems are tightly linked with HR processes

Key Elements of the External Connector
  • Products: External Connector will apply to most products licensed on a server/CAL basis that do not offer a per-processor option
  • Pricing: One price per product, independent of edition
  • Choice: Customer will be able to choose for non-employees:
    • EC
    • Individual CALs

Today’s Model
  • Internet Connector for Windows Server and Terminal Services
    • Covers customers’ devices
    • Excludes business partners’ devices
  • No solution for some other products (for example, Exchange Server)

New Model
  • External Connector license
    • Covers all users except employees and independent contractors — for example, customers and partners
  • Provides an unlimited number of users access to a copy of the server software and/or services

Choosing Between EC and CALs
  • May choose between an EC and individual Device or User CALs for business partners or customers based on two factors:
  • May prefer EC if...
    • Economic factors - less expensive to acquire EC
      • Company has many partners or customers
      • For example, large number of authenticating customers
    • Ease of management - easier to track EC
      • Difficult to count partners or customers
      • For example, identity or number of partners or customers changes frequently
  • May prefer individual CALs if...
    • Economic factors - less expensive to acquire individual CALs
      • Company has few partners or customers
      • Partners or customers access many copies of the server software
    • Ease of management - easier to track individual CALs
      • Easy to count partners or customers
      • Difficult to count number of copies of server software

External Connector: Definitions and Examples
  • “Employees and Independent Contractors”
    • Definition: Person that performs work for the company as an employee or in any other capacity such as an independent contractor, agent, vendor, or service provider.
    • Examples:
      • Employees
      • Vendors
      • Independent contractors
      • Consultants
      • Agents
      • Faculty
      • Staff
      • Currently enrolled students
  • “Other”
    • Definition: Any person other than a person that performs work for the company as an employee, independent contractor, agent, vendor, service provider – for example, a business partner or customer.
    • Examples:
      • Business partners
      • Customers
      • Alumni

Summary: Comparison of EC and CAL Licensing
  • 1 User CAL = One employee accessing all copies of server software (for example, Exchange) from unlimited number of devices
  • 1 Device CAL = Unlimited number of users accessing all copies of server software from one device
  • 1 External Connector = Unlimited number of business partners or customers accessing one copy of server software

Questions ?

Ruben.spruijt@pqr.nl
