This is a preliminary document and may be changed
substantially prior to final commercial release of the software described
herein.
The information contained in this document represents the
current view of Microsoft Corporation on the issues discussed as of the date of
publication. Because Microsoft must respond to changing market conditions, it
should not be interpreted to be a commitment on the part of Microsoft, and
Microsoft cannot guarantee the accuracy of any information presented after the
date of publication.
This document is for informational purposes only. MICROSOFT
MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a
retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without
the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks,
copyrights, or other intellectual property rights covering subject matter in
this document. Except as expressly provided in any written license agreement
from Microsoft, the furnishing of this document does not give you any license
to these patents, trademarks, copyrights, or other intellectual property.
© 2003 Microsoft Corporation. All rights reserved.
Microsoft, Windows, Windows
NT, and the Windows logo, are either registered trademarks or trademarks of
Microsoft Corporation in the United
States and/or other countries.
The names of actual companies and products mentioned herein
may be the trademarks of their respective owners.
Remote Desktop for Administration and Terminal Server are
features of Microsoft® Windows® Server 2003. They provide the Windows graphical
user interface to remote devices over local area network (LAN), wide area
network (WAN), or Internet connections. All of the application processing is
performed at the server, and only data from devices such as the display
monitor, keyboard, and mouse are transmitted between the server and the client
computer.
Terminal Services Modes and Clients
Terminal Services may be enabled in one of two modes:
· ‘Terminal Server’ mode (formerly Application Server mode in Windows 2000 Server).
· ‘Remote Desktop for Administration’ (formerly Remote Administration mode).
Terminal Server mode
allows multiple remote clients to simultaneously access Windows-based
applications that run on the server. This is the traditional Terminal Server
deployment.
Remote Desktop for
Administration is used to remotely manage Windows Server 2003 servers. This
mode is designed to provide operators and administrators with remote access to
typical back-end servers and domain controllers. The administrator has access
to the graphical user interface-based tools that are available in the Windows
environment, even if he or she is not using a Windows-based computer to
administer the server.
Remote Desktop for Administration allows for the management
of servers from any location without affecting server performance or
application compatibility. In addition to the console session, up to two remote
administration sessions are supported. Since this is meant as a single-user
remote access solution, no Terminal Server Client Access License (CAL) is
required to use Remote Desktop for Administration.
The most recent
Terminal Services client is included with Windows Server 2003 and is also
shipped with Microsoft Windows XP Professional. A Macintosh Remote Desktop
Connection client is also available. Other non-Windows clients require a
third-party add-on.
Remote Desktop for Administration—Features and Benefits
Remote Desktop for Administration includes the following features and benefits:
· Graphical administration of Windows Server 2003 and Windows 2000 servers from any Terminal Services client. (Clients are available for computers running Windows for Workgroups, Windows 95, Windows 98, Windows CE 2.11, Windows CE.NET, Windows NT®, Windows 2000, Windows XP Professional, and Macintosh OS-X.)
· Remote upgrades, reboots, and promotion and demotion of domain controllers.
· Access to servers over low-bandwidth connections, with up to 128-bit encryption.
· Roaming disconnect support. (This support enables data-sensitive or time-consuming tasks to be completed successfully if the remote session is disconnected deliberately, or due to network problems.)
· Remote application installation and execution, with fast access to local disks and media (for example, when copying large files or running virus scans).
· Negligible performance impact on the server, and no impact on application compatibility.
· Two remote administrators can share a session for collaboration purposes.
· Remote Desktop Protocol (RDP) feature set. This includes local and network printing; file system redirection; clipboard mapping (cut, copy and paste); smart card redirection; serial device redirection; and support for any RDP virtual channel applications.
Terminal Services Integration
The Terminal Services component of the Windows Server 2003
family is tightly integrated into the kernel and is available on every Windows
Server 2003 installation. Enabling Remote Desktop for Administration requires
no additional disk space and has a minimal impact on performance. It requires
only about 2 megabytes (MB) of server memory and has a negligible impact on CPU
usage. Performance is only affected when a remote session is logged on, similar
in cost to the console.
It is for these reasons that Microsoft recommends enabling
Remote Desktop for Administration on every Windows Server 2003 computer and
domain controller. This will provide substantial flexibility and responsiveness
in administering an organization’s servers, regardless of their location.
This section illustrates how to enable Remote Desktop for
Administration, along with how to change session encryption levels.
Enabling Remote Desktop for Administration
Terminal Server mode and Remote Desktop for Administration
are now separately configurable components in Windows Server 2003, and
provide more flexible options for administration.
Remote Desktop for Administration
Remote Desktop for Administration is installed by default in
Windows Server 2003, but for security reasons comes preconfigured as disabled.
It can be enabled through the System
control panel’s Remote Tab as shown
in Figure 1 below.
Figure 1. Enabling Remote Desktop for Administration
In addition to the two virtual sessions that are available
in Windows 2000 Terminal Services Remote Administration mode, an administrator
can also remotely connect to the real console of a server with the Remote
Desktop for Administration feature in Windows Server 2003. Tools that would not
work in a virtual session before, because they interacted with ‘session 0’,
will now work remotely. Some applications will not install unless using the
console session.
Changing the Session Encryption Levels
By default, all Terminal Services sessions connect using
high encryption, which provides bi-directional security using a 128-bit cipher.
However, some older versions of the Terminal Services client do not support
this high level of encryption. Clients that do not support this level of
encryption will not be able to connect. Therefore, the encryption level can be
set to “client compatible” to provide the highest encryption level supported by
the client. Both levels use the standard RSA RC4 encryption.
Changing the encryption level is performed within the Terminal Services Configuration
utility, located under All Programs,
Administrative Tools. Open the Properties
dialog box of the Microsoft RDP 5.2 protocol type in the Connections
folder, as shown in Figure 2 below, and click the General tab. This
reveals the Encryption level box, which can be changed between high and client
compatible.
Figure 2. Changing the encryption level
The new Terminal Services client, called the Remote Desktop
Connection (RDC), uses the latest advances of Microsoft Remote Desktop Protocol
(RDP) 5.2 to provide substantial improvements over previous releases. RDC can
be used to connect to previous versions of Terminal Services as well.
The Remote Desktop Connection software communicates over a
TCP/IP network connection using RDP 5.2. This protocol is based on the
International Telecommunications Union’s (ITU) T.120 protocol, an
international, standard, multi-channel protocol used first in Microsoft
NetMeeting®
conferencing software. It is tuned for high and low bandwidth environments and
also supports three levels of encryption.
Devices Supported
RDC supports the following devices:
· 16-bit Windows-based computers running Windows for Workgroups with MS TCP/IP-32.
· 32-bit Windows-based computers running Windows 95, Windows 98, Windows NT 3.51, Windows NT 4.0, Windows 2000 Professional, Windows XP Professional, or Windows Server 2003.
In addition, there is RDC support for the following devices:
· Windows CE-based Handheld Professional devices (H/PC Pro 3.0).
· Windows CE-based terminals.
Installing Remote Desktop Connection
Remote Desktop Connection is built into Windows XP and Windows Server 2003, and it can be installed on other computers by several methods:
· Use tools such as Microsoft Systems Management Server or Windows 2000 Group Policy to publish/assign the Windows Installer-based RDC.
· Share the %systemroot%\system32\clients\tsclient\win32 directory on Windows Server 2003. (This can also be done with Windows 2000 Server.)
· Install directly from the Windows XP or Windows Server 2003 CD, using the ‘Perform Additional Tasks’ selection from the CD’s autoplay menu. (This does not require installing the operating system.)
Connection Improvements
The previously separate Connection Manager has been fully
integrated into RDC. This allows users and administrators to save connection
settings files and use them locally or deploy them to other users. Saved
passwords are securely encrypted and can only be decrypted on the original
computer.
Remote Desktop Connection supports automatic restoration of
interrupted network connections. Should the connection drop while an
administrator is in the middle of a process, RDC will reconnect to the session
without losing the administrator’s place, so that mission-critical processes
can be finished.
Enhanced Interface
Remote sessions using Remote Desktop Connection are
high-color and full-screen, with a connection bar to allow quick switching
between the remote session and the local desktop. The remote connection can be
customized to suit your needs, with options for display, local resources,
programs, and experience. The Experience settings allow you to choose your
connection speed and graphic options, such as themes or menu and window
animation, in order to optimize performance for lower-bandwidth connections.
Client Resource Redirection
Client resource redirection is available to clients on
Windows Server 2003 or Windows XP Professional, and offers a variety of data
redirection types. To maximize security, each type of redirection can be
enabled or disabled separately by either the client or the server. Also, a
security alert is displayed when file system, port, or smart card redirection
is requested, allowing the user to refuse the redirection or even cancel the
connection if desired.
Remote Desktop Connection allows audio feedback, such as
“error” or “new mail” notifications, to be redirected to the client. Key
combinations such as Alt-Tab and Control-Escape are sent to the remote session
by default, while Control-Alt-Delete is always handled by the client computer,
maintaining the security of the server. Time zone information can also be
redirected to the server from clients, enabling one server to handle multiple
users across different time zones. Applications with calendar features can also
take advantage of time zone redirection.
File System Redirection
Copying files between the client and server is easier than
ever. Client drives, both local and network, are now available within the
server session. Users can access their own local drives and transfer files
between client and server without having to leave the remote session.
Port and Printer Redirection
Both local and network printers installed on the client are
also available in the remote session, with easier-to-read names. Client serial
ports can also be mounted so that software on the server can access the
connected hardware. Clients that recognize smart cards—Windows 2000, Windows
XP, and Windows CE .NET—can provide the smart card credentials for log on to a
Windows Server 2003 remote session.
For best results with Remote Desktop for Administration, it
is necessary to fully understand how Remote Desktop for Administration works
and how best to utilize its functionality. The following considerations should
be taken into account when using Remote Desktop for Administration.
Connect to the Console
With Windows Server
2003, administrators can now remotely connect to the console session (session
0). Although an administrator can connect to another virtual session, it is a
best practice to connect directly to the console session. This will enable the administrator
to interact with the server just as if he or she were at the physical server.
All pop-ups and messages that may only appear on the console of the server will
be visible remotely using Remote Desktop for Administration as long as the
administrator is in the console session. For security, when an administrator
connects remotely to the console session, the physical console of the
server will automatically lock to prevent eavesdropping.
Coordinate
Remote Administration Tasks with Other Administrators
Remote administration mode is not meant to provide a managed
multi-user experience. The two remote connections plus the console allow
collaborative operation, but should not be used to support general access by
multiple simultaneous administrators. In particular, ensure that administrators
don’t run potentially destructive applications at the same time. For instance,
two administrators trying to reconfigure the disk subsystem can undermine each
other’s work, or worse, destroy data. The presence of other administrators can
be checked for using the Terminal Services Manager utility
(Programs/Administrative Tools) or the quser command line
utility. A special tool, which provides a system tray icon showing the number
of active sessions, is available in the Windows 2000 Server Resource Kit to
help with this need.
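The check described above (looking for other administrators' sessions with quser) as an added example that is not part of the original document: it parses the text quser prints and reports whether one of the two remote administration slots is still free, counting disconnected sessions as occupied. The session lines are constructed; on a server, feed it the live output instead.

```powershell
# Added example, not from the original document: parse quser output and
# report whether a further remote administration session is still possible.
# The session lines below are constructed; on a server use:  $lines = quser

function ConvertFrom-QuserOutput {
    param([string[]]$Lines)
    # Fixed-width quser layout: USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME.
    # SESSIONNAME is blank for disconnected sessions, hence the optional group.
    # The header row never matches because its ID column is not numeric.
    $pattern = '^[\s>]?(?<User>\S+)\s+(?<Session>\S+)?\s+(?<Id>\d+)\s+' +
               '(?<State>Active|Disc)\s+(?<Idle>\S+)\s+(?<Logon>.+)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                User        = $Matches['User']
                SessionName = [string]$Matches['Session']
                Id          = [int]$Matches['Id']
                State       = $Matches['State']
                IdleTime    = $Matches['Idle']
                LogonTime   = $Matches['Logon'].Trim()
                IsConsole   = ([int]$Matches['Id'] -eq 0)   # session 0 is the console
            }
        }
    }
}

function Test-RemoteSessionCapacity {
    param([object[]]$Sessions, [int]$MaxRemote = 2)
    # Remote Desktop for Administration allows the console plus two remote
    # sessions; a disconnected session still occupies one of the two slots.
    $remote = @($Sessions | Where-Object { -not $_.IsConsole })
    [pscustomobject]@{
        RemoteSessions = $remote.Count
        Disconnected   = @($remote | Where-Object { $_.State -eq 'Disc' }).Count
        SlotAvailable  = ($remote.Count -lt $MaxRemote)
        Users          = ($remote | ForEach-Object { "$($_.User) ($($_.State))" }) -join ', '
    }
}

# Constructed sample in the layout quser prints: one console session,
# one active remote session and one disconnected remote session.
$sample = @'
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         console             0  Active      none   3/10/2003 9:02 AM
 opsadmin              rdp-tcp#1           1  Active         .   3/10/2003 9:15 AM
 backupadm                                 2  Disc        1:05   3/10/2003 8:40 AM
'@ -split '\r?\n'

$sessions = ConvertFrom-QuserOutput -Lines $sample
$sessions | Format-Table User, SessionName, Id, State, IdleTime -AutoSize
$capacity = Test-RemoteSessionCapacity -Sessions $sessions
if (-not $capacity.SlotAvailable) {
    Write-Warning "Both remote slots are in use ($($capacity.Users)); a new connection is refused until one is logged off or reset."
}
$capacity
```

With the constructed sample the warning fires, because the disconnected backupadm session still holds the second slot.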
Remote Administration Is Not Application Serving
Many general office applications require special
installation, install scripts, or environment management to perform well in a
remote session. Terminal Services provides these when you install Terminal
Server, but they are not available for Remote Desktop for Administration. For
general desktop and application remote access requirements, use a dedicated
server with Terminal Server installed.
Configure the Remote Desktop Session to Disconnect when Connection is Broken
This is the default setting when you enable Remote Desktop
for Administration, and is especially important if you perform system updates
over unreliable network connections (for example, dial-up connections). If a
session is interrupted due to a network problem, the session will go into a
disconnect state and continue executing whatever processes the session was
running at the time. If the session is configured to reset when the connection
breaks, all processes running in that session will be abruptly terminated, a
process which is similar to stopping an application using End Task.
Configure Disconnect and Reset Timeouts
Because it is not possible to log on to more than two remote
sessions, remote administrators may find themselves locked out of a server if
there are two remote sessions (using different user accounts) that are either
in an active or disconnected state. When configuring disconnect timeouts, it is
critical that sessions that were accidentally or deliberately disconnected do
not get reset prematurely. For this reason, it may be useful to perform remote
administration tasks that should not be accidentally reset using a shared administrator
account, such as a local machine account. This account can be configured not to
reset after it is disconnected, using the account Properties tab.
Note: Group Policy settings may override settings in the user account Properties tab.
Information on disconnect and reset timeouts can be found in
the product documentation.
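An added example, not from the original document, that audits the settings the preceding sections configure through the System control panel and tscc.msc (Remote Desktop enabled, encryption level, disconnect-versus-reset on a broken connection, and the disconnect and idle timeouts) by reading them from the registry. The key paths and value names are the standard Windows locations for these settings and are not given in the document; 'RDP-Tcp' is assumed to be the listener that tscc.msc shows as Microsoft RDP 5.2, and the script is meant to run locally on the server.

```powershell
# Added example, not from the original document. Registry locations are the
# standard Windows ones for these settings (assumed, not stated in the document).

function ConvertTo-TimeoutText {
    param([object]$Milliseconds)
    # tscc.msc stores the Sessions-tab timeouts in milliseconds; 0 or absent means "never".
    if (-not $Milliseconds) { return 'never' }
    return ('{0} min' -f [int]([int64]$Milliseconds / 60000))
}

function Get-RdpAdminConfig {
    param([string]$Connection = 'RDP-Tcp')   # the "Microsoft RDP 5.2" connection in tscc.msc
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ts    = Get-ItemProperty -Path $tsKey
    $con   = Get-ItemProperty -Path "$tsKey\WinStations\$Connection"

    # MinEncryptionLevel as written by tscc.msc: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS.
    $levels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
    $level  = $levels[[int]$con.MinEncryptionLevel]
    if (-not $level) { $level = 'unknown' }

    # fResetBroken: 0 = disconnect and keep the session running, 1 = reset (end) the session.
    $onBroken = if ($con.fResetBroken) { 'Reset' } else { 'Disconnect' }

    [pscustomobject]@{
        RemoteDesktopEnabled = ($ts.fDenyTSConnections -eq 0)   # the Remote tab check box
        EncryptionLevel      = $level
        OnBrokenConnection   = $onBroken
        DisconnectTimeout    = ConvertTo-TimeoutText $con.MaxDisconnectionTime
        IdleTimeout          = ConvertTo-TimeoutText $con.MaxIdleTime
    }
}

function Test-RdpAdminConfig {
    param([psobject]$Config)
    # Flags the settings the document warns about; returns an array of findings (empty = clean).
    $findings = @()
    if (-not $Config.RemoteDesktopEnabled) {
        $findings += 'Remote Desktop for Administration is disabled (System control panel, Remote tab).'
    }
    if ('High', 'FIPS Compliant' -notcontains $Config.EncryptionLevel) {
        $findings += "Encryption level is '$($Config.EncryptionLevel)'; sessions may negotiate below 128-bit."
    }
    if ($Config.OnBrokenConnection -eq 'Reset') {
        $findings += 'Broken connections reset the session, so tasks in progress are terminated (like End Task).'
    }
    if ($Config.DisconnectTimeout -ne 'never') {
        $findings += "Disconnected sessions are reset after $($Config.DisconnectTimeout); long jobs may be cut off."
    }
    return $findings
}

$config = Get-RdpAdminConfig
$config | Format-List
Test-RdpAdminConfig -Config $config | ForEach-Object { Write-Warning $_ }
```

Group Policy and per-account Sessions-tab settings can override these connection-level values, so a clean result here does not by itself prove the effective configuration.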
Avoid Tasks that Require Reboots
Although tasks that require reboots at their completion (for
example, system upgrades, domain controller promotion) work perfectly well from
within a Remote Desktop session, be aware that something as simple as a floppy
disk in the drive or a bad boot sector on the disk could prevent the server
from restarting. Therefore, it is advisable not to remotely reboot mission
critical servers unless you have the ability to physically intervene at the server
should a problem occur.
Administrator Collaboration
Using the Terminal Services Manager, it is possible to
control another Terminal Services session remotely.
Note: It is not possible to perform any administrative actions with the console session in this manner, although messages can be sent to the console session.
For more details, refer to the Help in the Terminal Services
Manager program.
The following is a limited sample of the administration
tools that can help you manage remote sessions:
Connecting to the Console
To connect to the console, administrators can choose one of the following methods:
· Use the Remote Desktop Microsoft Management Console (MMC) snap-in.
· Run the Remote Desktop Connection (mstsc.exe) program with the /console switch.
· Create Remote Desktop Web Connection pages that set the ConnectToServerConsole property.
Terminal Services Group Policy
Group Policy can be
used to administer Terminal Services for computers running Windows server
operating systems. Terminal Services group policies can configure Terminal
Services connection settings, set user policies, configure terminal server
clusters, and manage Terminal Services sessions.
Remote Desktops MMC
The Remote Desktops
Microsoft Management Console (MMC) Snap-in enables administrators to host
multiple Terminal Services connections. It is also useful for managing many
servers that are running the Windows Server 2003 family or Windows 2000 Server.
A navigable tree
display allows administrators to view, control, and quickly switch between
multiple sessions from a single window, as shown in Figure 3 below. As with the
Remote Desktop Connection tool, the remote computers can be configured to run
specific programs upon connecting, and to redirect local drives to appear in
the remote session. Logon information and client screen area also can be
configured from the snap-in. Administrators can create remote connections to
the console session of a computer running Windows server operating systems, as
well.
Figure 3. Remote Desktops MMC
Terminal Services Manager
This utility, tsadmin.exe, is used to manage Terminal
Services users, sessions, and processes on any server running Terminal Services
on the network. Using this tool, you can connect and disconnect, log off,
reset, and remotely control sessions. You can also use it to connect to other
servers in trusted domains, to manage sessions on a remote server, send
messages to users or log them off, and terminate processes.
Terminal Services Configuration
This utility, tscc.msc, is used to change the default
encryption settings, and to configure reset and disconnect timeouts. To
configure reset and disconnect timeouts for individual accounts, use the
Sessions tab of the user’s Account Properties page. Many of the settings
can also be set with Terminal Services Group Policy or Windows Management
Instrumentation, in which case Terminal Services configuration settings are
overridden.
Event Viewer
Use Event Viewer, eventvwr.msc, to look for events that may
have occurred as pop-up dialogs on the server console.
Command-line Utilities
Command-line utilities include the following:
Query User
This command line utility, quser, lists active and
disconnected users.
Disconnect
This command line utility, tsdiscon, disconnects the
session, a procedure analogous to turning off the monitor while leaving the
computer running. Disconnect is also accessible through the Start/Shutdown list
box. To reconnect to the session, simply log on to the server again as the same
user using the Remote Desktop Connection.
Using Remote Desktop for Administration for remotely
managing computers running Windows Server 2003 can greatly reduce
administrative overhead in any Windows Server 2003 environment.
Administrators can access servers from anywhere: be it
inside the computer room, or from halfway around the world over a WAN, VPN, or
dial-up connection. They can start time-consuming batch processing jobs like
tape backups, disconnect, and then dial-in to the corporate network at a later
time to check the progress.
Server application and operating system upgrades can be
completed remotely, as well as tasks that are not usually possible unless the
administrator is sitting at the console—for example, domain controller
promotion/demotion and disk defragmentation.
Server file system tasks, such as copying large files and
virus scanning, are much more efficient when performed within a Terminal
Services session, rather than using utilities that are executed on a client
computer. And administration tasks are quicker and more intuitive than using
command-line utilities, although it is still possible to open up a command
shell.
See the following resources for further information:
· Managing Terminal Servers Using Microsoft Operations Manager and Microsoft Systems Management Server at www.microsoft.com/windowsserver2003/techinfo/overview/tsmomsms.mspx
· Terminal Services in Windows Server 2003 at http://www.microsoft.com/windowsserver2003/technologies/terminalservices/default.mspx
For the latest information about Windows Server 2003, see the Windows Server 2003 Web site at http://www.microsoft.com/windowsserver2003.