Managing and Maintaining a Microsoft Windows Server 2003

Chapter 2: Administering Microsoft Windows Server 2003
Exam Objectives in this Chapter:
■ Manage servers remotely
  ❑ Manage a server by using Remote Assistance
  ❑ Manage a server by using Terminal Services remote administration mode
  ❑ Manage a server by using available support tools
■ Troubleshoot Terminal Services
  ❑ Diagnose and resolve issues related to Terminal Services security
  ❑ Diagnose and resolve issues related to client access to Terminal Services
Why This Chapter Matters
Microsoft Windows Server 2003 administrative tools, called snap-ins, enable you
to manage user accounts, modify computer software and service settings, install
new hardware, and perform many other tasks. The Microsoft Management Console (MMC) provides the framework within which these snap-ins operate.
Although the default consoles delivered with Windows Server 2003 contain one
or more snap-ins related to a single task, MMCs can be customized to fit the exact
needs of the administrator and the task at hand. Many MMC snap-ins also support
remote administration, allowing you to connect to and manage another computer
without requiring “sneaker net” (a physical visit to the other computer).
Windows Server 2003 provides several other important options for remote systems management. When you require more control than you can achieve using
the remote connection supported by MMC snap-ins, you can leverage Remote
Desktop For Administration and Remote Assistance. Remote Desktop For Administration opens a session that gives you complete control of a remote system as if
you were logged on locally at the computer’s console. Remote Desktop is akin to
“remote control” software such as PCAnywhere or Virtual Network Computer
(VNC), but it is fully integrated and supported with Microsoft Windows XP and
Windows Server 2003. Remote Assistance is used to connect to an existing session
on a remote computer, allowing you to view or even control what another user is
doing in that session. Remote Assistance is particularly useful for user support
scenarios, when you need to see and help a user.
Finally, Windows Server 2003 supports traditional Terminal Services functionality
so that multiple users can connect to and open sessions on a single server. Terminal Services and the Remote Desktop client reduce the costs of support and
management because the installation and configuration of applications is performed only once: on the terminal server itself. User desktops act as “terminals”
and require only an operating system and the Remote Desktop client. In fact,
users can connect to a terminal server using a hardware-based or software-based
thin client. This chapter will explore each of these options for administration and
support of local and remote systems.
Lessons in this Chapter:
■ Lesson 1: The Microsoft Management Console
■ Lesson 2: Managing Computers Remotely with the MMC
■ Lesson 3: Managing Servers with Remote Desktop For Administration
■ Lesson 4: Using Remote Assistance
■ Lesson 5: Terminal Server
Before You Begin
To perform the practices related to the objectives in this chapter, you must have
■ A computer that has Windows Server 2003 installed and operating. To follow the
examples directly, your server should be named Server01 and function as a
domain controller in the contoso.com domain.
■ A configured and functioning Transmission Control Protocol/Internet Protocol
(TCP/IP) network to which your console and remote administrative target computers can connect (for administration of remote computers).
■ A second computer running Windows Server 2003, named Server02 and configured as a member server in the contoso.com domain.
Lesson 1: The Microsoft Management Console
The administrative framework of Windows Server 2003 is the MMC. The MMC provides
a standardized, common interface for one or more tools, called snap-ins, that are specialized for individual tasks. The default administrative tools in Windows Server 2003
are MMCs with one or more snap-ins suited to a specific purpose. The Active Directory
Users And Computers administrative tool, for example, is an MMC with the Active
Directory Users And Computers snap-in.
After this lesson, you will be able to
■ Configure an MMC with individual snap-ins
■ Configure an MMC with multiple snap-ins
■ Save an MMC in Author or User mode
Estimated lesson time: 15 minutes
The MMC
The MMC provides a two-paned framework consisting of a console tree pane, also
called a scope pane, and a details pane. The MMC menus and a toolbar provide commands for manipulating the parent and child windows, snap-ins, and the console itself.
Navigating the MMC
An empty MMC is shown in Figure 2-1. Note that the console has a name and that there
is a Console Root. This Console Root will contain any snap-ins that you choose to
include.
Figure 2-1 An empty MMC
Each console includes a console tree, console menu and toolbars, and the details pane.
The contents of these will vary, depending on the design and features of the snap-in
you use. Figure 2-2 shows a populated MMC with two snap-ins loaded.
Figure 2-2 A populated MMC
Using the MMC Menus and Toolbar
Although each snap-in will add its unique menu and toolbar items, there are several
key menus and commands that you will use in many situations that are common to
most snap-ins, as shown in Table 2-1.
Table 2-1 Common MMC Menus and Commands (Menu: Commands)
File: Create a new console, open an existing console, add or remove snap-ins from a console, set options for saving a console, the recent console file list, and an exit command
Action: Varies by snap-in but generally includes export, output, configuration, and help features specific to the snap-in
View: Varies by snap-in, but includes a customize option to change general console characteristics
Favorites: Allows for adding and organizing saved consoles
Window: Open a new window, cascade, tile, and switch between open child windows in this console
Help: General help menu for the MMC as well as loaded snap-in help modules
Extending the MMC with Snap-Ins
Each MMC contains a collection of one or more tools called snap-ins. A snap-in
extends the MMC by adding specific management capability and functionality. There
are two types of snap-ins: stand-alone and extension.
Stand-Alone Snap-Ins
Stand-alone snap-ins are provided by the developer of an application. All administrative tools for Windows Server 2003, for example, are either single snap-in consoles or
consoles with a combination of snap-ins useful to a particular task. The File Server
Management console (Filesvr.msc), for example, contains snap-ins to facilitate the configuration, monitoring, and optimization of file server storage and shares.
Extension Snap-Ins
Extension snap-ins, or extensions, are designed to work with one or more stand-alone
snap-ins. When you add an extension, Windows Server 2003 places the extension into
the appropriate location within the stand-alone snap-in.
Many snap-ins can act as a stand-alone snap-in or extend the functionality of other
snap-ins. For example, the Event Viewer snap-in can operate as a stand-alone snap-in,
as in the Event Viewer console, and is an available extension for the Computer Management snap-in.
Building a Customized MMC
You can combine one or more snap-ins to create customized MMCs, which you can
then use to consolidate the tools you require for administration.
To create a customized MMC:
1. Click Start, and then select Run.
2. In the Open text box, type mmc and then click OK. A blank MMC will appear.
3. Select the File menu, and then select Add/Remove Snap-In. The Add/Remove
Snap-In dialog box appears with the Standalone tab active. Note that no snap-ins
are loaded.
4. Click Add to display the Add Stand-alone Snap-In dialog box. Locate the snap-in
you want to add, and then click Add. Many snap-ins prompt you to specify
whether you wish to focus the snap-in on the local computer or another computer
on the network.
5. When you have added all the snap-ins you require, close the dialog boxes.
6. To save the customized MMC, select the File menu and then select Save.
Off the Record Spend a few minutes analyzing your daily tasks and group them by type of
function and frequency of use. Build two or three customized consoles that contain the tools
that you use most often. You will save quite a bit of time not needing to open, switch among,
and close tools as often.
Console Options
Console options determine how an MMC operates in terms of what nodes in the console tree may be opened, what snap-ins may be added, and what windows may be created. You configure console options in the Options dialog box, which you can open by
clicking Options on the File menu.
Author Mode
When you save a console in Author mode, which is the default, you enable full access
to all of the MMC functionality, including:
■ Adding or removing snap-ins
■ Creating windows
■ Creating taskpad views and tasks
■ Viewing portions of the console tree
■ Changing the options on the console
■ Saving the console
User Modes
If you plan to distribute an MMC with specific functions, you can set the desired User
mode and then save the console. By default, consoles will be saved in the Administrative Tools folder in the users’ profile. Table 2-2 describes the user modes that are available for saving the MMC.
Table 2-2 MMC User Modes (Type of User Mode: Description)
Full Access: Allows users to navigate between snap-ins, open windows, and access all portions of the console tree.
Limited Access, Multiple Windows: Prevents users from opening new windows or accessing a portion of the console tree but allows them to view multiple windows in the console.
Limited Access, Single Window: Prevents users from opening new windows or accessing a portion of the console tree and allows them to view only one window in the console.
Note
MMCs, when saved, have an *.msc extension. Active Directory Users And Computers, for example, is named Dsa.msc (Directory Services Administrator.msc).
Tip
Create administrative consoles for your administrators by saving customized consoles,
optionally in a restricted User mode, and distributing the resulting .msc files. Any snap-in
used in a custom console must be installed on the system. This means, for example, that you
must have installed the Windows Server 2003 administrative tools, Adminpak.msi, on a system for a console with the Active Directory Users And Computers snap-in to function.
Practice: Building and Saving Consoles
In this practice, you will create, configure, and save an MMC.
Exercise 1: An Event Viewer Console
1. Click Start, and then click Run.
2. In the Open text box, type mmc, and then click OK.
3. Maximize the Console1 and Console Root windows.
4. From the File menu, choose Options to view the configured console mode.
In what mode is the console running?
5. Verify that the Console Mode drop-down list box is in Author mode, and then
click OK.
6. From the File menu, click Add/Remove Snap-In.
The Add/Remove Snap-In dialog box appears with the Standalone tab active. Note
that there are no snap-ins loaded.
7. In the Add/Remove Snap-In dialog box, click Add to display the Add Standalone
Snap-In dialog box.
8. Locate the Event Viewer snap-in, and then click Add.
The Select Computer dialog box appears, allowing you to specify the computer
you want to administer. You can add the Event Viewer snap-in for the local computer on which you are working, or if your local computer is part of a network,
you can add Event Viewer for a remote computer.
9. In the Select Computer dialog box, select Local Computer, and then click Finish.
10. In the Add Standalone Snap-In dialog box, click Close, and then in the Add/Remove
Snap-Ins dialog box, click OK.
Event Viewer (Local) now appears in the console tree. You may adjust the width
of the console tree pane and expand any nodes that you want to view.
11. On your own, add a snap-in for Device Manager (local).
12. Save the MMC as MyEvents.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. What is the default mode when creating an MMC?
2. Can a snap-in have focus on both the local computer and a remote computer
simultaneously?
3. If you want to limit the access of a snap-in, how do you construct the MMC that
contains the snap-in?
Lesson Summary
The MMC is a powerful framework for organizing and consolidating administrative
snap-ins. The hierarchical display, similar to that of Windows Explorer, offers a familiar
view of snap-in features in a folder-based paradigm. There are two types of snap-ins,
stand-alone and extension, with extensions appearing and behaving within the MMC
based on the context of their placement. Any console can be configured to work in
either of two modes, Author or User, with the User mode supporting various levels of
restricted functionality in the saved console.
Lesson 2: Managing Computers Remotely with the MMC
In Lesson 1, you learned that you can build a customized MMC with snap-ins that are
focused on remote computers. In addition, many snap-ins allow you to change the
focus of the snap-in by right-clicking the snap-in in the console tree and choosing a
command such as Connect To Another Computer, Connect To Domain, Connect To
Domain Controller, and so forth. Using the MMC to remotely manage another system
(as shown in Figure 2-3) can save you the time and cost of a physical visit to the
computer.
Figure 2-3 Connecting to a user’s computer with the Computer Management console
After this lesson, you will be able to
■ Construct an MMC to manage a computer remotely
Estimated lesson time: 10 minutes
Setting Up the Snap-in for Remote Use
To connect to and manage another system using the Computer Management console,
you must launch the console with an account that has administrative credentials on the
remote computer. If your credentials do not have sufficient privileges on the target
computer, snap-ins will load, but they either will function in read-only mode or will not
display any information.
Tip
You can use Run As, or secondary logon, to launch a console with credentials other
than those with which you are currently logged on.
When you’re ready to manage a remote system, you may open an existing console
with the appropriate snap-in loaded or configure a new MMC and configure the remote
connection when you add the snap-in. To remotely manage a system using the existing
Computer Management console, for example, follow these steps:
1. Open the Computer Management console by right-clicking My Computer and
choosing Manage from the shortcut menu.
2. Right-click Computer Management in the console tree and choose Connect To
Another Computer.
3. In the dialog box shown in Figure 2-4, type the name or IP address of the computer
or browse the network for the remote computer, and then click OK to connect.
Figure 2-4 Setting the Local/Remote Context for a snap-in
Once connected, you can perform administrative tasks on the remote computer.
When you connect to a remote system using the MMC, you connect using remote procedure calls (RPCs). If the remote system has Windows Firewall enabled, the default
firewall configuration will prevent inbound RPC traffic. To enable remote administration using the MMC, configure the firewall exception for remote administration. This
exception opens TCP ports 135 and 445 and adds program exceptions for Svchost.exe
and Lsass.exe to allow hosted services to open additional, dynamically assigned ports,
typically in the range of 1024 to 1034. It also enables a computer to receive unsolicited
incoming Distributed Component Object Model (DCOM) and RPC traffic.
To configure this exception, open the local or a domain-based Group Policy Object
(GPO) and navigate to the Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall node. Then open the Domain Profile,
which specifies firewall configuration when a system is connected to the domain. In
the details pane, double-click the Windows Firewall: Allow Remote Administration
Exception policy setting. Enable the policy and specify the IP addresses from which
remote administration will be allowed.
For more information about working with GPOs, consult the Windows Help And Support Center and the online help in the Group Policy Management Console and the
Group Policy Object Editor consoles.
Practice: Adding a Remote Computer for Management (Optional)
Note
This practice requires that you have a computer available for remote connection, and
that you have administrative privileges on that computer.
Exercise 1: Connecting Remotely with the MMC
In this exercise, you will modify an existing MMC to connect to a remote computer.
1. Open the saved MMC from the exercise in Lesson 1 (MyEvents).
2. From the File menu, click Add/Remove Snap-In.
3. In the Add/Remove Snap-In dialog box, click Add to display the Add Standalone
Snap-In dialog box.
4. Locate the Computer Management snap-in, and then click Add.
5. In the Computer Management dialog box, select Another Computer.
6. Type the name or IP address of the computer, or browse the network for it, and
then click Finish to connect.
7. Click Close in the Add Standalone Snap-In dialog box, and then click OK to load
the Computer Management snap-in to your MyEvents console.
You can now use the management tools to administer the remote computer.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. What credentials are required for administration of a remote computer using
the MMC?
2. Can an existing MMC snap-in be changed from local to remote context, or must a
snap-in of the same type be loaded into the MMC for remote connection?
3. Are all functions within a snap-in used on a local computer usable when connected remotely?
Lesson Summary
Many MMC snap-ins support the ability to connect either to the local computer or to
remote computers. You can establish the connection to a remote computer when the
snap-in is added to a console or after it is added by right-clicking an existing snap-in
and choosing Connect. You must have administrative privileges on the target system to
use snap-ins to manage a remote computer. In addition, if the Windows Firewall is
enabled, you must configure the exception for remote administration; otherwise,
inbound connections will be blocked.
Lesson 3: Managing Servers with Remote Desktop For Administration
The Windows 2000 Server family introduced a tightly integrated suite of tools and technologies that enabled Terminal Services for both remote administration and application
sharing. The evolution has continued: Terminal Services is now an integral, default
component of the Windows Server 2003 family, and Remote Desktop has been
improved and positioned as an out-of-the-box capability, so that with one click, a computer running Windows Server 2003 will allow two concurrent connections for remote
administration. By adding the Terminal Server component and configuring appropriate
licensing, an administrator can further extend the technologies to allow multiple users
to run applications on the server. In this lesson, you will learn how to enable Remote
Desktop For Administration.
After this lesson, you will be able to
■ Configure a server to enable Remote Desktop For Administration
■ Assign users to the appropriate group to allow them to administer servers remotely
■ Connect to a server using Remote Desktop For Administration Connection
Estimated lesson time: 15 minutes
Enabling and Configuring Remote Desktop For Administration
The Terminal Services service enables Remote Desktop, Remote Assistance, and Terminal Server for application sharing. The service is installed by default on Windows
Server 2003 and configured to support Remote Desktop For Administration. Remote
Desktop For Administration allows only two concurrent remote connections and does
not include the application sharing components of Terminal Server. Therefore, Remote
Desktop For Administration operates with very little overhead on the system and with
no additional licensing requirements. You must install other components—Terminal
Server and the Terminal Server Licensing service—using Add Or Remove Programs.
Note Because Terminal Services and its dependent Remote Desktop For Administration are
default components of Windows Server 2003, every server has the capability to provide
remote connections to its console. The term “terminal server” now therefore refers specifically to a computer running Windows Server 2003 that provides application sharing to multiple users through addition of the Terminal Server component. Terminal Server is discussed in
detail in Lesson 5.
All the administrative tools required to configure and support client connections and to
manage Terminal Services are installed by default on every computer running Windows
Server 2003. Each of the tools and their functions are described in Table 2-3.
Table 2-3 Default Components of Terminal Server and Remote Desktop (Installed Software: Purpose)
Terminal Services Configuration: Setting properties on the Terminal Server, including session, network, client desktop, and client remote control settings
Terminal Services Manager: Sending messages to connected Terminal Server clients, disconnecting or logging off sessions, and establishing remote control or shadowing of sessions
Remote Desktop Client Installation Files: Installation of the Windows Server 2003 or Windows XP Remote Desktop Client application. The 32-bit Remote Desktop client software can be installed from %Systemroot%\System32\Clients\Tsclient\Win32 of the Terminal Server.
Terminal Services Licensing: Configuration of licenses for client connections to a terminal server. This tool is not applicable for environments that use only Remote Desktop For Administration.
To enable Remote Desktop connections on a computer running Windows Server 2003,
open the System properties from Control Panel. In the Remote tab, select Allow Users
To Connect Remotely To This Computer.
Note
If the Terminal Server is a Domain Controller, you must also configure the Group Policy on the Domain Controller to allow connection through Terminal Services to the Remote
Desktop Users group. By default, Domain Controllers allow only members of the Administrators group to log on using Terminal Services. Member servers will allow Terminal Services
connections by the Remote Desktop Users group by default.
Remote Desktop Connection
Remote Desktop Connection is the client-side software used to connect to a server in
the context of either Remote Desktop or Terminal Server modes. There is no functional
difference from the client perspective between Remote Desktop For Administration
and Terminal Server.
On computers running Windows XP and Windows Server 2003, Remote Desktop Connection is installed by default, though it is not easy to find in its default location in the
All Programs\Accessories\Communications program group on the Start menu.
For other platforms, Remote Desktop Connection can be installed from the Windows
Server 2003 CD or from the client installation folder (%Systemroot%\System32\Clients
\Tsclient\Win32) on any computer running Windows Server 2003. The .msi-based
Remote Desktop Connection installation package can be distributed to Windows 2000
systems using Group Policy or SMS.
Tip
It is recommended that you update previous versions of the Terminal Services client to
the latest version of Remote Desktop Connection. Doing so will provide the most efficient,
secure and stable environment possible through improvements such as a revised user interface, 128-bit encryption, and alternate port selection.
Figure 2-5 shows the Remote Desktop client configured to connect to Server01 in the
contoso.com domain.
Figure 2-5 Remote Desktop client
Configuring the Remote Desktop Client
You can control many aspects of the Remote Desktop connection from both the client
and server sides. Table 2-4 lists configuration settings and their use. You manage clientside configuration in the Remote Desktop Connection client. You configure server-side
settings using the Terminal Services Configuration console. The vast majority of serverside settings are found within the Properties dialog box for the RDP-Tcp connection.
Any setting that conflicts between the configuration of the server and the client is
resolved using the server’s setting.
Table 2-4 Remote Desktop Settings (Setting: Function)
Client Settings
General: Options for the selection of the computer to which connection should be made, the setting of static log on credentials, and the saving of settings for this connection.
Display: Controls the size of the Remote Desktop client window, color depth, and whether control-bar functions are available in full-screen mode.
Local Resources: Options to bring sound events to your local computer, in addition to standard mouse, keyboard, and screen output. How the Windows key combinations are to be interpreted by the remote computer (for example, ALT+TAB), and whether local disk, printer, and serial port connections should be available to the remote session.
Programs: Set the path and target folder for any program you want to start, once the connection is made.
Experience: Categories of display functions can be enabled or disabled based on available bandwidth between the remote and local computers. Items include showing desktop background, showing the contents of the window while dragging, menu and window animation, themes, and whether bitmap caching should be enabled (this transmits only the changes in the screen rather than repainting the entire screen on each refresh period).
Server Settings
Logon Settings: Static credentials can be set for the connection rather than using those provided by the client.
Sessions: Settings for ending a disconnected session, session limits and idle timeout, and reconnection allowance can be made here to override the client settings.
Environment: Overrides the settings from the user’s profile for this connection for starting a program upon connection. Path and target settings set here override those set by the Remote Desktop Connection.
Permissions: Allows for additional permissions to be set on this connection.
Remote Control: Specifies whether remote control of a Remote Desktop Connection session is possible, and if it is, whether the user must grant permission at the initiation of the remote control session. Additional settings can restrict the remote control session to viewing only, or allow full interactivity with the Remote Desktop client session.
Client Settings: Overrides settings from the client configuration, controls color depth, and disables various communication (I/O) ports.
Network Adapters: Specifies which network cards on the server will accept Remote Desktop For Administration connections.
General: Sets the encryption level and authentication mechanism for connections to the server.
Tip
You may also establish connections for Remote Desktop For Administration using the
Remote Desktops snap-in or the Mstsc.exe command. Both of these clients support connecting to the console session (Session 0) of a server, which is identical to the session you
would receive if you logged on interactively to the server. A console session enables you to
perform actions that are restricted in other Remote Desktop For Administration sessions
(Sessions 1 or 2).
Terminal Services Troubleshooting
When using Remote Desktop For Administration, you are creating a connection to a
session running on the server. There are several potential causes of failed connections
or problematic sessions:
■ Network failures: Errors in standard TCP/IP networking can cause a Remote
Desktop connection to fail or be interrupted. If DNS is not functioning, a client
might not be able to locate the server by name. If routing is not functioning, or the
Terminal Services port (by default, port 3389) is misconfigured on either the client or
the server, the connection will not be established.
■ Firewall settings: Remote Desktop and Terminal Services use TCP port 3389 by
default. Any firewall on the server, or between the server and the client, must keep
TCP port 3389 open. You may add the port as a port exception or enable the preconfigured exception for Remote Desktop.
■ Credentials: Users must belong to the Administrators or Remote Desktop
Users group to successfully connect to the server using Remote Desktop For
Administration.
Exam Tip
Examine group membership if access is denied when establishing a Remote
Desktop For Administration connection. In earlier versions of Terminal Server, you had to be a
member of the Administrators group to connect to the server, although special permissions
could be established manually. Now you can be a member of the Remote Desktop Users
groups on member servers and workstations. Domain controllers require you to be a member
of the Administrators group. In the “real world,” you can grant the right to log on through Terminal Services to any user or group through Group Policy. You cannot increase the default
limit of two concurrent connections of Remote Desktop For Administration.
■ Policy: Domain controllers will allow connections through Remote Desktop only
to administrators. You must configure the domain controller security policy to
allow connections for all other remote user connections.
■ Too many concurrent connections: If sessions have been disconnected without being logged off, the server might consider its concurrent connection limit
reached even though there are not two human users connected at the time. An
administrator might, for example, close a remote session without logging off. If
two more administrators attempt to connect to the server, only one will be allowed
to connect before the limit of two concurrent connections is reached. Use Terminal
Services Manager to view and log off any open, idle, and unnecessary sessions.
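The first two items of the troubleshooting list (name resolution, then the port the chosen administration path needs) can be checked from the client before anyone examines group membership. The script below is an added example, not code from the training kit; it uses the ports the chapter names (135 and 445 for the MMC remote-administration exception, 3389 for Remote Desktop) and a loopback listener constructed here so it can be exercised without a real Server01.

```python
"""Connectivity pre-checks for the two remote-administration paths in this lesson:
MMC snap-ins over RPC (TCP 135 and 445) and Remote Desktop / Terminal Services
(TCP 3389).

Added example, not from the training kit. The only things assumed beyond the
chapter are the constructed loopback listener used for the offline demo and the
2-second connect timeout.
"""
import socket

# Ports named in the chapter for each remote-administration path.
MMC_PORTS = {"rpc-epmap": 135, "smb": 445}
RDP_PORTS = {"rdp": 3389}


def resolve(host):
    """IPv4 address for host, or None when name resolution fails (the
    'DNS is not functioning' case in the troubleshooting list)."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def tcp_open(addr, port, timeout=2.0):
    """True when a TCP handshake to addr:port completes. A refusal or timeout
    means a closed port, a missing route, or a firewall without the matching
    exception; the check cannot tell those apart, only that the path fails."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(host, ports, timeout=2.0):
    """Run the checks in the order the lesson gives them: name resolution first,
    then every port the chosen administration path needs."""
    report = {"host": host, "address": None, "ports": {}}
    addr = resolve(host)
    if addr is None:
        report["error"] = "DNS: cannot resolve host name"
        return report
    report["address"] = addr
    report["ports"] = {name: tcp_open(addr, port, timeout) for name, port in ports.items()}
    blocked = sorted(name for name, ok in report["ports"].items() if not ok)
    if blocked:
        report["error"] = "blocked or closed: " + ", ".join(blocked)
    return report


def constructed_listener():
    """Constructed stand-in for a server: listens on an ephemeral loopback port
    so the checks can be exercised without a real Server01."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    srv = constructed_listener()
    port = srv.getsockname()[1]
    # Treat the listener as if it were the Remote Desktop service on 3389.
    print(diagnose("127.0.0.1", {"rdp": port}))
    srv.close()
    print(diagnose("127.0.0.1", {"rdp": port}))  # now refused, so an error is reported
    # Against a real server: diagnose("Server01", RDP_PORTS) or diagnose("Server01", MMC_PORTS)
```

A failed port check tells you only that the path is closed; whether a firewall exception or a routing problem is responsible still has to be confirmed on the server side.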
See Also
For more on Terminal Services and the Remote Desktop client, see Lesson 5.
Practice: Installing Terminal Services and Running Remote Administration
In this practice, you will configure Server01 to enable Remote Desktop For Administration connections. You will then optimize Server01 to ensure availability of the connection when the connection is not in use, and you will limit the number of simultaneous
connections to one. You then run a remote administration session from Server02 (or
another remote computer).
If you are limited to one computer for this practice, you can use the Remote Desktop
client to connect to Terminal Services on the same computer. Adjust references to a
remote computer in this practice to that of the local computer.
Exercise 1: Configure the Server for Remote Desktop
In this exercise, you will enable Remote Desktop connections, change the number of
simultaneous connections allowed to the server, and configure the disconnection settings for the connection.
1. Log on to Server01 as Administrator.
2. Open the System properties from Control Panel.
3. On the Remote tab, enable Remote Desktop. Close System Properties.
4. Open the Terminal Services Configuration console from the Administrative Tools
folder.
5. On the tscc (Terminal Services Configuration\Connections) MMC, right-click the
RDP-Tcp connection in the details pane, and then click Properties.
6. On the Network Adapter tab, change the Maximum Connections to 1.
7. On the Sessions tab, select both of the Override User Settings check boxes, and
make setting changes so that any user session that is disconnected, by any means,
or for any reason, will be closed in 15 minutes, that has no Active session time
limit, and that will be disconnected after 15 minutes of inactivity.
❑ End a disconnected session: 15 minutes
❑ Active session limit: never
❑ Idle session limit: 15 minutes
❑ When session limit is reached or connection is broken: Disconnect from session
This configuration will ensure that only one person at a time can be connected to
the Terminal Server, that any disconnected session will be closed in 15 minutes,
and that an idle session will be disconnected in 15 minutes. These settings are useful to prevent a session that is disconnected or idle making the Remote Desktop
For Administration connection unavailable.
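The following Python model, added here and not part of the training kit, shows why a session that was disconnected (but never logged off) still consumes one of the two Remote Desktop For Administration slots, and how the Exercise 1 timeouts (end disconnected sessions after 15 minutes, idle limit 15 minutes, one maximum connection) free the slot again. The class and method names are assumptions for the illustration; the session table is a constructed simplification, not Microsoft's implementation.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of a terminal server's session table. It illustrates the
# rules described in the lesson; it is not Microsoft's implementation.
# Times are whole minutes since an arbitrary reference point.
DEFAULT_MAX_CONNECTIONS = 2   # Remote Desktop For Administration limit


@dataclass
class Session:
    user: str
    last_input: int                    # minute of last keyboard/mouse activity
    state: str = "active"              # "active" or "disconnected"
    disconnected_at: Optional[int] = None


class TerminalServer:
    """Session table plus the timeouts configured on the RDP-Tcp connection."""

    def __init__(self, max_connections: int = DEFAULT_MAX_CONNECTIONS,
                 end_disconnected_after: Optional[int] = None,   # None = never
                 idle_limit: Optional[int] = None):              # None = never
        self.max_connections = max_connections
        self.end_disconnected_after = end_disconnected_after
        self.idle_limit = idle_limit
        self.sessions: List[Session] = []

    def _find(self, user: str) -> Session:
        return next(s for s in self.sessions if s.user == user)

    def expire(self, now: int) -> None:
        """Apply the connection's timeouts: idle -> disconnected -> ended."""
        for s in list(self.sessions):
            if (s.state == "active" and self.idle_limit is not None
                    and now - s.last_input >= self.idle_limit):
                s.state = "disconnected"
                s.disconnected_at = s.last_input + self.idle_limit
            if (s.state == "disconnected" and self.end_disconnected_after is not None
                    and now - s.disconnected_at >= self.end_disconnected_after):
                self.sessions.remove(s)   # same effect as logging the user off

    def connect(self, user: str, now: int) -> bool:
        """A disconnected session still occupies a slot; that is the trap."""
        self.expire(now)
        if len(self.sessions) >= self.max_connections:
            return False
        self.sessions.append(Session(user=user, last_input=now))
        return True

    def disconnect(self, user: str, now: int) -> None:
        """The client window was closed without choosing Log Off."""
        s = self._find(user)
        s.state = "disconnected"
        s.disconnected_at = now

    def logoff(self, user: str) -> None:
        """What Terminal Services Manager does when you log off a session."""
        self.sessions.remove(self._find(user))


def demo_default_limit() -> List[bool]:
    """Lesson scenario: default two-connection limit, no timeouts configured."""
    ts = TerminalServer()
    results = [ts.connect("admin1", now=0)]
    ts.disconnect("admin1", now=5)                # closed the client, never logged off
    results.append(ts.connect("admin2", now=10))
    results.append(ts.connect("admin3", now=10))  # refused: limit already reached
    return results                                # [True, True, False]


def demo_exercise1_settings():
    """Exercise 1 values: one connection, disconnected and idle sessions end in 15 min."""
    ts = TerminalServer(max_connections=1, end_disconnected_after=15, idle_limit=15)
    ts.connect("admin1", now=0)
    ts.disconnect("admin1", now=5)
    refused = ts.connect("admin2", now=10)        # slot still held by admin1
    allowed = ts.connect("admin2", now=20)        # admin1's session ended at minute 20
    # admin2 never touches keyboard or mouse: disconnected at 35, ended at 50
    ts.expire(now=49)
    still_held = len(ts.sessions)                 # 1
    freed = ts.connect("admin3", now=50)
    return refused, allowed, still_held, freed    # (False, True, 1, True)
```

Running both demos shows the difference: with the defaults, the third administrator is refused even though only one person is actually working on the server; with the Exercise 1 settings, an abandoned session gives up its slot on its own after 15 minutes instead of waiting for someone to log it off in Terminal Services Manager.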
Exercise 2: Connect to the Server with the Remote Desktop Client
1. On Server02 (or another remote computer, or from Server01 itself if a remote computer is not available), open Remote Desktop Connection (from the Accessories,
Communications program group) and connect to and log on to Server01.
2. On Server01, open the Tsadmin.exe (Terminal Services Manager) MMC. You
should see the remote session connected to Server01.
3. Leave the session idle for 15 minutes, or close the Remote Desktop client without
logging off the Terminal Server session, and the session should be disconnected
automatically in 15 minutes.
You have now logged on to Server01 remotely and can perform any tasks on the Server01
computer that you could accomplish while logged on interactively at the console.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. How many simultaneous connections are possible to a Terminal Server running in
Remote Administration mode? Why?
2. What would be the best way to give administrators the ability to administer a
server remotely through Terminal Services?
a. Don’t do anything; they already have access because they are administrators.
b. Remove the Administrators from the permission list on the Terminal Server
connection, and put their administrator account in the Remote Desktop For
Administration Group.
c. Create a separate, lower-authorization user account for Administrators to use
daily, and place that account in the Remote Desktop For Administration
Group.
3. What tool is used to enable Remote Desktop on a server?
a. Terminal Services Manager
b. Terminal Services Configuration
c. System properties in Control Panel
d. Terminal Services Licensing
Lesson Summary
Administrators and members of the Remote Desktop Users group have the ability to
connect to a server using Remote Desktop Connection. Terminal Services is installed
on Windows Server 2003 by default and allows up to two Remote Desktop For Administration connections simultaneously. The Remote Desktop Connection client, a default
component of Windows XP and Windows Server 2003, can be installed on any 32-bit
Windows platform from the Windows Server 2003 installation CD or (after sharing the
directory) from any computer running Windows Server 2003. Configuration of Remote
Desktop For Administration connections is accomplished through settings on the client
(Remote Desktop Connection) and server (Terminal Services Configuration). Key settings for the connections can be overridden by the server.
Lesson 4: Using Remote Assistance
Computer users, particularly users without much technical expertise, often have configuration or usage issues that are difficult for a support professional or even a friend
or family member to diagnose and fix over the telephone. Remote Assistance provides
a way for users to get the help they need and makes it easier and less costly for corporate help desks to assist their users.
After this lesson, you will be able to
■ Enable a computer to accept requests for Remote Assistance
■ Use one of the available methods to request and establish a Remote Assistance session
Estimated lesson time: 30 minutes
Introducing Remote Assistance
With Remote Assistance, available on Windows Server 2003 and Windows XP, an
administrator or support representative can connect remotely to a user’s computer, chat
with the user, and either view all the user’s activities or take control of the keyboard
and mouse.
Note
In Microsoft interfaces and documentation, the person connecting to a client using
Remote Assistance is referred to as an expert or a helper.
Remote Assistance can eliminate the need for administrative personnel to travel to a
user’s location for any of the following reasons:
■ Technical support A system administrator or help desk operator can use
Remote Assistance to connect to a remote computer to modify configuration
parameters, install new software, or troubleshoot user problems.
■ Troubleshooting By connecting in Read-Only mode, an expert can observe a
remote user’s activities and determine whether improper procedures are the
source of problems the user is experiencing. The expert can also connect in interactive mode to try to re-create the problem or to modify system settings to resolve
it. This is far more efficient than trying to give instructions to inexperienced users
over the telephone.
■ Training Trainers and help desk personnel can demonstrate procedures to
users right on their systems without having to travel to their locations.
Configuring Remote Assistance
To receive remote assistance, the computer running Windows Server 2003 or Windows XP
must be configured to use the Remote Assistance feature in one of the following ways:
■ Using system properties Open System from Control Panel and click the Remote
tab. Then select the Turn On Remote Assistance And Allow Invitations To Be Sent
From This Computer check box.
Note
By clicking the Advanced button in the Remote tab in the System Properties dialog
box, the user can specify whether to let the expert take control of the computer or simply view
activities on the computer. The user can also specify the amount of time that the invitation for
remote assistance remains valid.
■ Using group policies In a local or domain-based GPO, navigate to Computer
Configuration, Administrative Templates, System, Remote Assistance, and enable
the Solicited Remote Assistance policy.
Note
The Solicited Remote Assistance policy also enables you to specify the degree of control the expert receives over the client computer, the duration of the invitation, and the
method for sending e-mail invitations.
Creating an Invitation for Assistance
To receive remote assistance, a client must issue an invitation and send it to a particular
expert. The client can send the invitation to the expert using Microsoft Windows Messenger or e-mail, or he or she can send it as a file. Figure 2-6 shows the screen in Help
And Support Center used to invite someone for assistance.
Figure 2-6
The Remote Assistance invitation screen in the Help And Support Center
Security Alert
If the user chooses to send an e-mail or file request for Remote Assistance, a password will be required as a shared secret for the Remote Assistance session.
The user should set a strong password and let the expert know what the password is in a
separate communication such as a telephone call or secure e-mail.
To use the Windows Messenger service for your Remote Assistance connection, you
must have the expert’s Windows Messenger user name in your contact list. Windows
Messenger will display the expert’s status as online or offline. Figure 2-7 illustrates
making a request for Remote Assistance using Windows Messenger.
Figure 2-7
Making a request for Remote Assistance
Note
The indicator of online status in the Remote Assistance help window is not dynamic;
you must therefore refresh the screen to see an accurate status update.
For a successful request through e-mail, both computers must be using a Messaging
Application Programming Interface (MAPI)–compliant e-mail client.
As a third option, you can save the invitation as a file and transfer that file to the expert
through removable storage media or as an e-mail attachment, in which case the
requirement for MAPI e-mail clients is removed.
When a user initiates an invitation for Remote Assistance, the client sends an encrypted
ticket based on XML to the expert, who is prompted to accept the invitation.
Accepting an Invitation for Assistance
On accepting an invitation to provide Remote Assistance, the expert can begin to connect to the remote computer. The user is notified that the expert is establishing a connection and is prompted to confirm the Remote Assistance session. Then the expert is
able to view the remote computer’s session directly. The expert and user can chat
online to solve the user’s problem and files can be transferred. If the expert requests
control, and if configuration allows the expert to take control, the user is again
prompted to confirm the request.
Note
Remote Assistance does not provide a mechanism through which administrators can
“spy” on a user session. Any connection by the expert must be confirmed by the user.
Offering Remote Assistance to a User
You can also configure Remote Assistance so that you can initiate troubleshooting
without receiving an invitation from the user. This highly useful option enables support
personnel to initiate Remote Assistance sessions while responding to a user’s help desk
call without requiring the user to send an invitation.
To support this workflow, you must enable the Offer Remote Assistance Local Group
Policy setting on the target (user’s) local computer. The policy setting is located in the
Computer Configuration, Administrative Templates, System, Remote Assistance container and is labeled Offer Remote Assistance. Enable the policy and specify the individual user accounts for the helpers who are allowed to offer Remote Assistance
without first receiving an invitation. Enter the accounts in the form domain\username
and be sure that the helpers are members of the local Administrators group on computers to which they will establish Remote Assistance connections.
Tip
The Offer Remote Assistance policy enables you to specify the names of users or
groups that can function as experts and choose whether those experts can perform tasks or
just observe.
A helper can now initiate Remote Assistance to a user’s computer, providing that the
credentials supplied match those of a helper defined in the target computer’s policy. To
offer remote assistance without an invitation, open the Help And Support Center, click
Tools, and then click Help And Support Center Tools. Next, click Offer Remote Assistance. Figure 2-8 illustrates the Help And Support Center Tools interface. Type the
name or IP address of the target computer and then click Connect. If several users are
logged on, choose a user session. Then click Start Remote Assistance.
Figure 2-8
The Help And Support Center Tools
The user receives a pop-up box showing that the help desk person is initiating a
Remote Assistance session. The user accepts the offer of assistance, and Remote Assistance can proceed.
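The two conditions the lesson places on an unsolicited offer (the helper's account, in domain\username form, must be listed in the Offer Remote Assistance policy, and the helper must be a member of the target computer's local Administrators group) can be written down as an authorization check. The Python below is an added example, not code from the training kit or from Windows; the directory data, the policy list and the function names are constructed for the illustration. Because the Tip notes that the policy may name groups as well as users, the check expands nested groups before comparing.

```python
from typing import Dict, List, Set, Tuple

# Constructed directory data: group name -> members (user accounts or nested
# groups). Names use the domain\username form the policy expects; matching
# is case-insensitive because Windows account names are.
DIRECTORY: Dict[str, Set[str]] = {
    r"CONTOSO\HelpDesk":        {r"CONTOSO\alice", r"CONTOSO\bob"},
    r"CONTOSO\Domain Admins":   {r"CONTOSO\dana"},
    r"SERVER01\Administrators": {r"CONTOSO\Domain Admins", r"CONTOSO\HelpDesk"},
}

# Constructed "Offer Remote Assistance" helper list: one group and one user.
POLICY_HELPERS: List[str] = [r"CONTOSO\HelpDesk", r"CONTOSO\carol"]


def _expand(principal: str, groups: Dict[str, Set[str]], seen: Set[str]) -> Set[str]:
    if principal in seen:            # guards against circular group nesting
        return set()
    seen.add(principal)
    if principal not in groups:      # not a group, so it is a user account
        return {principal}
    users: Set[str] = set()
    for member in groups[principal]:
        users |= _expand(member, groups, seen)
    return users


def expand(principal: str, directory: Dict[str, Set[str]]) -> Set[str]:
    """All user accounts reachable from a user or (nested) group, lower-cased."""
    groups = {g.lower(): {m.lower() for m in ms} for g, ms in directory.items()}
    return _expand(principal.lower(), groups, set())


def can_offer_assistance(helper: str, policy_helpers: List[str],
                         directory: Dict[str, Set[str]],
                         local_admins: str = r"SERVER01\Administrators") -> Tuple[bool, str]:
    """Apply both conditions from the lesson and say which one failed."""
    account = helper.lower()
    allowed: Set[str] = set()
    for entry in policy_helpers:
        allowed |= expand(entry, directory)
    if account not in allowed:
        return False, "not listed in the Offer Remote Assistance policy"
    if account not in expand(local_admins, directory):
        return False, "not a member of the local Administrators group"
    return True, "may offer Remote Assistance"
```

In the constructed data, alice qualifies through the HelpDesk group on both counts; carol is named in the policy but is not a local administrator, so her offer would be refused; dana is a local administrator through Domain Admins but is not named in the policy at all. Checking the two conditions separately is what makes the failure message useful when a help desk offer is declined.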
Securing Remote Assistance
Because an expert offering remote assistance to another user can perform virtually any
activity on the remote computer that the local user can, this feature can be a significant
security hazard. An unauthorized user who takes control of a computer using Remote
Assistance can cause almost unlimited damage. However, Remote Assistance is
designed to minimize the dangers. Some protective features of Remote Assistance are
the following:
■ Invitations No person can connect to another computer using Remote Assistance unless that person has received an invitation from the client. Clients can
configure the effective life spans of their invitations in minutes, hours, or days to
prevent experts from attempting to connect to the computer later.
■ Interactive connectivity When an expert accepts an invitation from a client
and attempts to connect to the computer, a user must be present at the client
console to grant the expert access. You cannot use Remote Assistance to connect
to an unattended computer.
■ Client-side control The client always has ultimate control over a Remote
Assistance connection. The client can terminate the connection at any time by
pressing the ESC key or by clicking Stop Control (ESC) in the client-side Remote
Assistance page.
■ Remote control configuration Using the System Properties dialog box or
Remote Assistance group policies, users and administrators can specify whether
experts are permitted to take control of client computers. An expert who has read-only access cannot modify the computer’s configuration in any way using Remote
Assistance. The group policies also enable administrators to grant specific users
expert status so that no one else can use Remote Assistance to connect to a client
computer, even with the client’s permission.
Firewall Constraints to Remote Assistance
Remote Assistance runs on top of Terminal Services technology, which means it must
use the same port used by Terminal Services: TCP port 3389. Remote Assistance will
not work when outbound traffic from port 3389 is blocked. In addition, other exceptions must be made. In Windows XP, the Windows Firewall has a preconfigured exception for Remote Assistance that you can enable. To configure the exceptions on
Windows Server 2003 or using Group Policy, enable the following exceptions:
■ TCP Port 135
■ %WINDIR%\SYSTEM32\Sessmgr.exe
■ %WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe
■ %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe
In addition, there are several other firewall-related concerns, particularly in relation to
Network Address Translation (NAT).
■ Remote Assistance supports Universal Plug and Play (UPnP) to traverse Network
Address Translation devices. This is helpful on smaller, home office networks, as
Windows XP Internet Connection Sharing (ICS) supports UPnP. However, Windows
2000 ICS does not support UPnP.
Exam Tip
Watch for questions that use Windows 2000 ICS for remote assistance from a
big, corporate help desk to a small satellite office. Because Windows 2000 ICS does not support UPnP, Remote Assistance problems will abound.
■ Remote Assistance will detect the Internet IP address and TCP port number on the
UPnP NAT device and insert the address into the Remote Assistance encrypted
ticket. The Internet IP address and TCP port number will be used to connect
through the NAT device by the helper or requester workstation to establish a
Remote Assistance session. The Remote Assistance connection request will then
be forwarded to the client by the NAT device.
■ Remote Assistance will not connect when the requester is behind a non-UPnP NAT
device when e-mail is used to send the invitation file. When sending an invitation
using Windows Messenger, a non-UPnP NAT device will work if one client is
behind a NAT device. If both the helper and requester computers are behind non-UPnP NAT devices, the Remote Assistance connection will fail.
If you are using a software-based personal firewall or NAT in a home environment, you
can use Remote Assistance with no special configurations.
Note
The Windows Messenger Service itself relies upon port 1863 being open.
Practice: Using Remote Assistance through Windows Messenger
This practice requires either a partner or a second computer for establishing the
Remote Assistance session. Server01 and Server02 should have Windows Messenger
installed and configured with two distinct accounts. If you are limited to a single computer for this practice, you may establish a Remote Assistance session using two separate Windows Messenger accounts configured on the same computer, but you will not
be able to perform screen control.
1. From Server02 (or another computer), open Windows Messenger and log on to
your Messenger Account #2.
2. From the Windows Messenger logged on as Messenger Account #1, choose Ask
For Remote Assistance from the Actions menu.
3. In the Ask for Remote Assistance dialog box, choose the Messenger Account #2,
and then click OK.
4. There will now be a sequence of requests and acknowledgments between the two
Windows Messenger Applications. Choose Accept or OK in each query to establish the Remote Assistance session.
5. Initially, the Remote Assistance session is in Screen View Only mode. To take control of the novice’s computer, you must select Take Control at the top of the
Remote Assistance window. The novice user must Accept your attempt to take
over the computer.
Note
Either the novice or expert can end control or disconnect the session at any time.
Whether or not the expert takes over the novice’s computer, screen view, file transfer,
and live chat are enabled.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. How is Remote Assistance like Remote Desktop For Administration? How is it
different?
2. What are the benefits of Remote Assistance?
3. Which of the following are firewall-related constraints relating to Remote Assistance?
a. Port 3389 must be open
b. NAT cannot be used
c. Internet Connection Sharing is not possible
d. You cannot use Remote Assistance across a Virtual Private Network (VPN)
Lesson Summary
Remote Assistance is a mutual arrangement: the user can ask an expert for help or, if
properly configured through Group Policy, the expert can initiate a help session. In
either case, the user must actively agree to the establishment of the session and can
always grant control of the user’s desktop to the expert and take it back again. At no time
can the expert take control of the user’s desktop unannounced. Remote Assistance is
built upon Terminal Services and uses the interface of the help system and Windows
Messenger to allow for session initiation, chat, screen viewing, screen control, and file
transfer. The technology of Terminal Services and Remote Assistance is so closely tied
that both services use the same network port, 3389, which must be open through any
firewall for the Remote Assistance session to succeed.
Lesson 5: Terminal Server
In Lesson 3, you learned how to use Terminal Services, specifically Remote Desktop
For Administration, to connect to a server session from a remote client. You learned
that Remote Desktop For Administration is installed on every server running Windows
Server 2003 by default and that, once it is enabled using the System application in Control Panel, a server will support two concurrent connections from users who belong to
the Remote Desktop Users group.
Windows Server 2003 Terminal Services also supports providing applications to multiple users running concurrent sessions. This feature, similar to the Terminal Services
Application Server mode of Windows 2000 Server, is now called Terminal Server. In
this lesson, you will learn about Terminal Server and the unique issues related to supporting and troubleshooting a Terminal Server environment.
After this lesson, you will be able to
■ Install Terminal Server to support multiuser applications
■ Deploy the Remote Desktop Connection client
■ Configure and manage remote desktop sessions
■ Troubleshoot Terminal Server
Estimated lesson time: 30 minutes
Installing and Configuring a Terminal Server Environment
There are several key considerations related to the deployment of a Terminal Server
environment.
The Terminal Server Component
Terminal Server can be installed by using the Add/Remove Windows Components Wizard, which is found in Add/Remove Programs, or by choosing the Configure Your
Server Wizard from the Manage Your Server page. It is best practice to configure standalone member servers as terminal servers, not as domain controllers. Hardware recommendations can be found in the Help And Support Center.
Applications
Because applications on a terminal server will be provided to multiple users, perhaps
concurrently, certain registry keys, files, and folders must be installed on a terminal
server differently from how they would be installed on a server that is not a terminal
server. Always use the Add/Remove Programs tool in Control Panel to install an application on a terminal server. Add/Remove Programs will automatically switch the terminal
server into installation mode prior to starting the application’s setup routine. While in
installation mode, the terminal server manages the configuration of the application
appropriately so that the application can run in multiuser mode.
Occasionally, an application, patch, or other installation-related process cannot be initiated by using Add/Remove Programs. For example, a vendor might provide an
online update capability for its application, and such a capability cannot be started
from Add/Remove Programs. In such cases, open the command shell and use the
Change User/Install command prior to invoking the installation or patch process.
Once the process has completed, use the Change User/Execute command. Also note
that some applications require compatibility scripts to modify their installation behavior on a terminal server.
It is best practice to install Terminal Server prior to installing any applications that will
be run in multiuser mode. Similarly, prior to removing Terminal Server from a server,
you should uninstall all applications that were installed in multiuser mode. If you must
install additional applications on an existing terminal server, be sure to reset (log off)
any current user sessions using Terminal Server Connections and to disable new connections by typing change logon /disable on the command line. Once applications
have been installed, type change logon /enable on the command line to allow new
connections once again. The Remote tab of System Properties, shown in Figure 2-9,
will also allow you to enable and disable Terminal Services connections.
Figure 2-9 The Remote tab of System Properties
When installing Terminal Server, you will be given the choice of Full Security and
Relaxed Security. Full Security, the default, protects certain operating system files, registry keys, and shared program files. Older applications might not function in this more
secure configuration, at which point you might choose Relaxed Security. The setting
can be changed at any time using the Server Settings in the Terminal Services Configuration console, shown in Figure 2-10.
Figure 2-10
Server Settings in the Terminal Services Configuration console
Many administrators misunderstand the use of the Terminal Services Home Folder. This
setting, which can be configured as part of the user account, as shown in Figure 2-11,
or through Group Policy, determines the location of a folder that is used by Terminal
Services to store user-specific files for multiuser applications. It does not affect the storage location for user data files. By default, the Terminal Services Home Folder is created as a folder called Windows in the user’s profile. To manage where user data is
stored, configure the user’s standard Home Folder setting in the Profile tab of the user
account, or use the best practice of redirecting the My Documents folder.
Figure 2-11
The Terminal Services Home Folder setting of a user account
Installation of the Remote Desktop Connection Client
The Remote Desktop Connection client (Mstsc.exe) is installed by default on all computers running Windows Server 2003 and Windows XP. The client supports all 32-bit Windows platforms, and can be installed with Group Policy on Windows 2000 systems, or
with other software deployment methods on earlier platforms. Once installed, the client
can be tricky to locate in the Start menu. Look in the Accessories program group under
Accessories, and then create a shortcut to the client in a more accessible location.
Licensing
After a 120-day evaluation period, connections to a computer running Terminal Server
will not be successful unless the terminal server can obtain a client license from a Terminal Server License Server. Therefore, as part of your Terminal Server deployment,
you must install a Terminal Server License Server, preferably on a server that is not a
terminal server.
Use Add/Remove Programs to install Terminal Server Licensing. You will be asked
whether the server should be an Enterprise License Server or a Domain License Server.
An Enterprise License Server is the most common configuration, and the server can
provide licenses to terminal servers in any Windows 2000 or Windows Server 2003
domain within the forest. Use a Domain License Server when you want to maintain a
separate license database for each domain or when terminal servers are running in a
workgroup or a Microsoft Windows NT 4 domain.
Once installed, Terminal Server Licensing is managed with the Terminal Server Licensing console in Administrative Tools. The first task you will perform is activating the Terminal Server License Server by right-clicking the Terminal Server License Server and
choosing Activate Server. Once the server has been activated, client license packs must
be installed. The Help And Support Center includes detailed instructions for this process. Terminal Server Licensing supports two types of client access licenses (CALs): Per
Device and Per Session. Both types of CALs can be managed by the same Terminal
Server License Server.
Note
Terminal Server Licensing is maintained separately from server and client access
licenses (CALs) for Windows Server 2003. Terminal Server CALs are licenses for the connection to a user session on a terminal server; you must still consider licensing requirements for
applications that users access within their session. Consult the applications’ End User
License Agreements (EULAs) to determine appropriate licensing for applications hosted on a
terminal server.
Managing and Troubleshooting Terminal Server
Several tools exist that can configure terminal servers, Terminal Services user settings,
Terminal Services connections, and Terminal Services sessions. These include Group
Policy Editor, Terminal Services Configuration, Active Directory Users And Computers,
and the Remote Desktop Connection client itself. This section will help you understand
the use of each tool, and the most important configuration settings, by examining the
creation, use, and deletion of a user session.
Points of Administration
There are several processes that occur as a user connects to a terminal server; and at
each step, there are opportunities to configure the behavior of the connection.
The Remote Desktop Connection client allows 32-bit Windows platforms to connect to
a terminal server using the Remote Desktop Protocol (RDP). The client has been greatly
improved over earlier versions of the Terminal Services client and now includes a wider
variety of data redirection types (including file system, serial port, printer, audio, and
time zone) and supports connections in up to 24-bit color. The client includes numerous settings that configure the connection and the user’s experience. Some of those settings are shown in Figure 2-12. Settings are saved in Remote Desktop Connection (.rdp)
files that can easily be opened for future connections or distributed to other users as a
connection profile. Settings in the .rdp file or the Remote Desktop Connection client
affect the current user’s connection to the specified terminal server.
Figure 2-12
The Remote Desktop Connection client
When a user connects to a terminal server, the server will examine the Terminal Services properties of the user’s account to determine certain settings. If Terminal Services
user accounts are stored on the terminal server, the Local Users and Groups snap-in
will expose Terminal Services settings in the Properties of user accounts. More commonly, user accounts are in Active Directory directory service, in which case the Active
Directory Users And Computers snap-in exposes Terminal Services settings in the Environment, Remote Control, and Terminal Services Profile tabs within the user properties
dialog box, as shown previously in Figure 2-11. Settings in the user account will override settings in the Remote Desktop client.
A client connects to the terminal server by specifying the server’s name or IP address.
The terminal server receives the connection request through the specified network
adapter. This connection is represented by a connection object, which is visible in the
Terminal Services Configuration console, as shown in Figure 2-13. The connection
object’s properties configure settings that affect all user connections through the network adapter. Settings in the connection will override client requested settings and settings in the user account.
Figure 2-13
Terminal Services Configuration
Exam Tip
A terminal server’s RDP-Tcp connection properties, accessible through Terminal
Services Configuration, will override client and user account settings for all user sessions
through the connection on that individual terminal server.
Windows Server 2003 Group Policy includes numerous computer-based and user-based policies to control Terminal Services. Configurations specified by GPOs will
override settings in the Remote Desktop Connection client, in the user account, or on
the RDP-Tcp connections of terminal servers. Of course, those settings will apply only
to the users or computers within the scope of the organizational unit (OU) to which the
GPO is linked. In an environment consisting only of terminal servers running one of
the Windows Server 2003 family operating systems, Group Policy will enable Terminal
Services configuration with the least administrative effort. Terminal Services group policies do not apply to terminal servers running earlier versions of Windows.
Once a user session has been established, the Terminal Services Manager administrative
tool can be used to monitor users, sessions, and applications on each terminal server.
Terminal Services Manager can also be used to manage the server and to connect to,
disconnect from, or reset user sessions or processes.
Before continuing the examination of Terminal Server configuration options and tools,
take a moment to memorize the order of precedence for configuration settings:
1. Computer-level group policies. Most Terminal Services configuration can be set by
GPOs linked to an OU in which terminal server computer objects are created.
These policies override settings made with any other tool.
Lesson 5
Terminal Server
2-35
2. User-level group policies.
3. Configuration of the terminal server or the RDP-Tcp connection using the Terminal
Services Configuration tool. Although this tool is server- and connection-specific,
and therefore cannot specify a single configuration as Group Policy can, this tool
can configure Windows 2000 terminal servers. In addition, there are times when a
configuration between terminal servers or between connections should be different. Terminal Services Configuration is the tool to manage such a scenario.
4. User account properties configured with the Active Directory Users And Computers snap-in.
5. Remote Desktop Connection client configuration.
Connection Configuration
A user’s ability to connect and log on to a terminal server is determined by a number
of factors, each of which, if not functioning properly, produces a unique error message:
■ The connection on the terminal server must be accessible. If the client cannot
reach the server using TCP/IP, or if the terminal server’s RDP-Tcp connection is
disabled, a particularly uninformative error message appears that indicates that the
client cannot connect to the server.
Note
If you use Windows Firewall, or any other firewall, be sure to open TCP port 3389.
Windows Firewall includes a preconfigured exception for Remote Desktop that performs the
same configuration.
■ Remote Desktop must be enabled. The ability of a terminal server to accept new
connections can be controlled in the Remote tab of the System properties dialog
box or by using the change logon /disable and change logon /enable commands.
If logon has been disabled, an error message appears indicating that terminal
server sessions are disabled or that remote logons are disabled.
■ The server must have available connections. The properties of the connection—
the default RDP-Tcp connection, for example—determine the number of available
connections in the Network Adapter tab, as shown in Figure 2-14. If sufficient connections are not available, an error message appears that indicates that a network
error is preventing connection.
Figure 2-14 The Network Adapter tab of the RDP-Tcp Properties dialog box
■ Encryption must be compatible. The default allows any client to connect to a terminal server without regard to its encryption capability. If you modify the encryption requirements for a connection by using the Encryption Level list in the
General tab of the connection properties, as shown in Figure 2-15, clients that are
not capable of that encryption mode will not be allowed to connect.
Figure 2-15 The General tab of the RDP-Tcp Properties dialog box
■ The user must have sufficient connection permissions. As shown in Figure 2-16,
the Remote Desktop Users group has User Access permissions, which gives the
group sufficient permissions to log on to the server. The access control list (ACL)
of the connection can be modified to control access in configurations that differ
from the default. Refer to the Help And Support Center for more information. If a
user does not have sufficient permission to the connection, an error message will
appear that indicates that the user does not have access to the session.
Figure 2-16 The Permissions tab of the RDP-Tcp Properties dialog box
■ The user must have the user logon right to log on to the terminal server. Windows
Server 2003 separates the right required to log on locally to a server from the right
required to log on to a server using a remote desktop connection. The user rights
Allow Log On Through Terminal Services, as shown in Figure 2-17, and Deny Log
On Through Terminal Services can be used to manage this right, using either local
policy or Group Policy. On member servers, the local Administrators and Remote
Desktop Users groups have the right to log on through Terminal Services. On
domain controllers, only Administrators have the right by default. If a user does
not have sufficient logon rights, an error message will appear that indicates that
the policy of the terminal server does not allow logon.
Figure 2-17 The Allow Log On Through Terminal Services user right
■ The user must belong to the correct group or groups. Assuming you have managed connection permissions and the right to log on through Terminal Services by
assigning rights and permissions to a group, the user attempting to connect to the
terminal server must be in that group. With the default configuration of Terminal
Server on a member server, users must be members of the Remote Desktop Users
group to connect to a terminal server.
■ The Allow Logon To Terminal Server check box must be selected. The user
account’s Terminal Services Profile tab, as shown in Figure 2-11, indicates that the
user is allowed to log on to a terminal server. If this setting is disabled, the user
will receive an error message indicating that the interactive logon privilege has
been disabled. This error message is easy to confuse with insufficient user logon
rights; however, in that case the error message indicates that the local policy of the
server is not allowing logon.
Note A terminal server has one RDP-Tcp connection by default and can have only one connection object per network adapter, but if a terminal server has multiple adapters, you can
create connections for those adapters. Each connection maintains properties that affect all
user sessions connected to that server connection.
Device Redirection
Once a user has successfully connected, Windows Server 2003 and the Remote Desktop client provide a wide array of device redirection options, including:
■ Audio redirection, which allows audio files played within the Terminal Server session to be played by the user’s PC. This feature is specified on the Local Resources
tab of the Remote Desktop Connection client, as shown in Figure 2-12. However,
audio redirection is disabled by default in the Client Settings tab of the RDP-Tcp
Properties dialog box, as shown in Figure 2-18. Audio redirection can be specified
by a GPO.
Figure 2-18 The RDP-Tcp Properties dialog box Client Settings tab
■ Drive redirection, which allows the user to access drives that are local to the user’s
PC from within the Remote Desktop session. Local drives are visible in My Computer under the Other group, as shown in Figure 2-19. This option is disabled by
default, and can be enabled in the Local Resources tab of the Remote Desktop client. Terminal Server Configuration can override the client setting and disable drive
redirection from the properties of the connection. These settings can also be specified by Group Policy. The user account’s Connect Client Drives At Logon setting
does not affect drive redirection using the Remote Desktop Connection client; it is
meant to manage drive redirection for Citrix’s Integrated Computing Architecture
(ICA) clients.
Figure 2-19 My Computer in a Remote Desktop session showing redirected client drives
■ Printer redirection, which allows the user to access printers that are local to the
user’s workstation, as well as network printers that are installed on the user’s
workstation, from within the Remote Desktop session. The Printers And Faxes
folder will display printers that are installed on the terminal server as well as the
client’s redirected printers, as shown in Figure 2-20.
Figure 2-20 The Printers And Faxes folder shows a client’s redirected printer
Like drive redirection, printer redirection is specified in the Local Resources tab of
the Remote Desktop Connection client. Printer redirection can be disabled by
properties of the RDP-Tcp connection. Printer redirection will also be disabled if
the Connect Client Printers At Logon setting is not enabled in the user account
properties, as shown in Figure 2-21. Selecting this option in the user account does
not cause printer redirection; the client must specify redirection in the Local
Resources tab. But if disabled, the user account setting will override the client setting. The user account properties also provide a Default To Main Client Printer setting which, if enabled while printer redirection is in effect, will set the default
printer in the Remote Desktop session to the same printer set as default on the
user’s workstation. If the Default To Main Client Printer setting is disabled, the
Remote Desktop session will use the default printer of the terminal server computer. Printer redirection settings can be specified by a GPO.
Figure 2-21 The Environment tab of a user’s properties dialog box
■ Serial Port redirection, which allows a user to launch an application within a terminal server session that uses a device, such as a barcode reader, attached to the
serial port of the user’s workstation. This feature is also in the Local Resources tab
of the client and can be disabled in the properties of the RDP-Tcp connection.
Serial port redirection can be specified by a GPO.
■ LPT and COM port mapping, which allows a user to install a printer within the
Terminal Server session that maps to a printer attached to an LPT or COM port on
the user’s workstation. This method of printer redirection is not necessary with
Windows Server 2003 and the Remote Desktop Connection client, which support
printer redirection in a much simpler way as described above. LPT and COM port
mapping is, however, still done by default. The RDP-Tcp connection properties
can disable port mapping, as can a GPO.
■ Clipboard mapping, which allows the user to copy and paste information between
a Remote Desktop session and the client’s workstation. This feature is enabled by
default in the Remote Desktop Connection client and cannot be changed within
the client’s user interface (UI). The RDP-Tcp connection properties can disable
clipboard mapping, as can a GPO.
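The connection checklist in the Connection Configuration section and the redirection options listed above can be audited from a script rather than tab by tab. The following PowerShell script is an added example, not code from the training kit or from Microsoft: it reads the RDP-Tcp connection through the Terminal Services WMI provider (namespace root\cimv2\TerminalServices), which is assumed to be present on the Windows Server 2003 terminal server, and assumes PowerShell 2.0 and an account with administrative rights on that server. The parameter names, the value-to-name maps and the interpretation of the client-setting flags are the script's own assumptions; confirm them against the Terminal Services Configuration tabs on your server.

```powershell
# Added example (not from the training kit): audit the settings this lesson
# says determine whether a client can connect and what it may redirect.
# Assumes the Terminal Services WMI provider (root\cimv2\TerminalServices),
# PowerShell 2.0 and administrative rights on the target server.
param(
    [string]$ComputerName   = ".",        # "." = the local server
    [string]$ConnectionName = "RDP-Tcp"   # the connection object to inspect
)

$ns     = "root\cimv2\TerminalServices"
$filter = "TerminalName='$ConnectionName'"

function Get-TsSetting {
    # Reads one Terminal Services WMI class, optionally restricted to a connection.
    param([string]$Class, [string]$Where)
    $query = @{ Namespace = $ns; ComputerName = $ComputerName; Class = $Class }
    if ($Where) { $query.Filter = $Where }
    Get-WmiObject @query
}

function Test-TcpPort {
    # Checklist item 1: can this machine reach TCP 3389 on the server at all?
    param([string]$Target, [int]$Port = 3389, [int]$TimeoutMs = 3000)
    $socket = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $socket.BeginConnect($Target, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $socket.EndConnect($handle)
        return $true
    } catch { return $false }
    finally { $socket.Close() }
}

$target = $ComputerName
if ($target -eq ".") { $target = "localhost" }

$server  = Get-TsSetting Win32_TerminalServiceSetting            # server-wide settings
$general = Get-TsSetting Win32_TSGeneralSetting        $filter   # General tab
$adapter = Get-TsSetting Win32_TSNetworkAdapterSetting $filter   # Network Adapter tab
$client  = Get-TsSetting Win32_TSClientSetting         $filter   # Client Settings tab

# Documented names for the MinEncryptionLevel values on the General tab.
$encryptionNames = @{ 1 = "Low"; 2 = "Client Compatible"; 3 = "High"; 4 = "FIPS Compliant" }

$maxConnections = $adapter.MaximumConnections
if ($maxConnections -eq 4294967295) { $maxConnections = "Unlimited" }

# Client Settings tab: the provider reports 1 when a mapping is allowed and 0
# when the connection disables it (the UI lists the inverse, "Disable ...").
# Assumption of this script; verify against the tab on your server.
function Allowed([string]$Property) { return ($client.$Property -eq 1) }

$report = New-Object PSObject -Property @{
    Server               = $ComputerName
    Port3389Reachable    = (Test-TcpPort $target)
    RemoteDesktopEnabled = ($server.AllowTSConnections -eq 1)   # Remote tab of System properties
    LogonsEnabled        = ($server.Logons -eq 0)               # change logon /enable | /disable
    MinEncryptionLevel   = $encryptionNames[[int]$general.MinEncryptionLevel]
    MaximumConnections   = $maxConnections
    DriveRedirection     = (Allowed DriveMapping)
    ClipboardRedirection = (Allowed ClipboardMapping)
    AudioRedirection     = (Allowed AudioMapping)
    PrinterRedirection   = (Allowed WindowsPrinterMapping)
    LptComPortMapping    = ((Allowed LPTPortMapping) -or (Allowed COMPortMapping))
}

# Drive and clipboard redirection are a two-way file path between the client
# and the server; on a server that handles sensitive data, True here is a
# finding to review rather than a default to accept.
$report | Format-List Server, Port3389Reachable, RemoteDesktopEnabled, LogonsEnabled,
    MinEncryptionLevel, MaximumConnections, DriveRedirection, ClipboardRedirection,
    AudioRedirection, PrinterRedirection, LptComPortMapping
```

Run it as `.\Audit-RdpTcp.ps1 -ComputerName server02` from a machine that can reach the server. The report mirrors the order of the checklist: a False in Port3389Reachable or RemoteDesktopEnabled explains the uninformative "cannot connect" message before any permission or user-right question arises, and the redirection flags show what the connection object will impose on every session regardless of what the client requests.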
Managing Sessions and Processes
The Terminal Services Manager console provides the capability to monitor and control
sessions and processes on a terminal server. You can disconnect, log off, or reset a user
or session, send a message to a user, or end a process launched by any user. Task Manager can also be used to monitor and end processes; just be certain to select the Show
Processes From All Users check box. If a terminal server’s performance is lethargic, use
Terminal Server Manager or Task Manager to look at the processes being run by all
users to determine if one process has stopped responding and is consuming more than
its fair share of processor time.
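The check the paragraph above recommends, looking across all users' processes for one that is consuming processor time, can be scripted. The following PowerShell script is an added example, not code from the training kit or from Microsoft; it samples the standard Win32_Process class twice and reports which processes used the most CPU time in between, and it assumes PowerShell 2.0 and administrative rights on the terminal server. The parameter names and the "(system or exited)" label are the script's own.

```powershell
# Added example (not from the training kit): sample CPU time consumed by every
# process in every session twice, a few seconds apart, and report the processes
# that used the most processor time in between. Assumes PowerShell 2.0 and
# administrative rights on the server; Win32_Process is a standard class.
param(
    [string]$ComputerName = ".",
    [int]$IntervalSeconds = 5,
    [int]$Top             = 10
)

function Get-CpuSnapshot {
    # Returns a hashtable keyed by process id: the WMI object and its CPU seconds.
    $snapshot = @{}
    foreach ($p in Get-WmiObject -Class Win32_Process -ComputerName $ComputerName) {
        # KernelModeTime and UserModeTime are reported in 100-nanosecond units.
        $seconds = ([double]$p.KernelModeTime + [double]$p.UserModeTime) / 1e7
        $snapshot[[string]$p.ProcessId] = @{ Process = $p; CpuSeconds = $seconds }
    }
    return $snapshot
}

function Get-ProcessOwner($Process) {
    # GetOwner() fails for processes that have exited or that run as the system;
    # label those rather than aborting the report.
    try {
        $owner = $Process.GetOwner()
        if ($owner.ReturnValue -eq 0) { return "$($owner.Domain)\$($owner.User)" }
    } catch { }
    return "(system or exited)"
}

$first = Get-CpuSnapshot
Start-Sleep -Seconds $IntervalSeconds
$second = Get-CpuSnapshot

$rows = foreach ($id in $second.Keys) {
    # Skip processes that started during the interval; a reused process id
    # shows up as a negative delta and is skipped as well.
    if (-not $first.ContainsKey($id)) { continue }
    $delta = $second[$id].CpuSeconds - $first[$id].CpuSeconds
    if ($delta -lt 0) { continue }
    $p = $second[$id].Process
    New-Object PSObject -Property @{
        SessionId  = $p.SessionId
        ProcessId  = $p.ProcessId
        Name       = $p.Name
        Owner      = (Get-ProcessOwner $p)
        CpuPercent = [math]::Round(100 * $delta / $IntervalSeconds, 1)  # share of one processor
    }
}

# A process near 100 percent of a processor for the whole interval is the one
# to inspect, or end, in Terminal Services Manager or Task Manager.
$rows | Sort-Object CpuPercent -Descending | Select-Object -First $Top |
    Format-Table SessionId, ProcessId, Name, Owner, CpuPercent -AutoSize
```

The SessionId column maps each process back to the Terminal Services session shown in Terminal Services Manager, so a runaway process can be traced to the user session that launched it before the session or the process is reset.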
Managing User Sessions
A variety of settings determine the behavior of a user session that has been active, idle,
or disconnected for a time. These settings can be configured in the Sessions tab of the
RDP-Tcp Properties dialog box in the Terminal Services Configuration console, shown
in Figure 2-22. The settings can also be configured with Group Policy.
Figure 2-22 The Sessions tab of the RDP-Tcp Properties dialog box
Load-Balancing Terminal Servers
In previous implementations of Terminal Services, it was difficult to load-balance terminal servers. Windows Server 2003 Enterprise and Datacenter Editions introduce the
ability to create server clusters, which are logical groupings of terminal servers. When
a user connects to the cluster, the user is directed to one server. If the user’s session is
disconnected and the user attempts to reconnect, the terminal server receiving the connection will check with the Session Directory to identify which terminal server is hosting the disconnected session and will redirect the client to the appropriate server.
To configure a terminal server cluster, you need
■ A load-balancing technology such as Network Load Balancing (NLB) or DNS
round-robin. The load-balancing solution will distribute client connections to each
of the terminal servers.
■ A Terminal Services Session Directory. You must enable the Terminal Services Session Directory, which is installed by default on Windows Server 2003 Enterprise and
Datacenter Editions, using the Services console in Administrative Tools. It is best
practice to enable the session directory on a server that is not running Terminal
Server. The Terminal Services Session Directory maintains a database that tracks
each user session on servers in the cluster. The computer running the session directory creates a Session Directory Computers local group, to which you must add the
computer accounts of all servers in the cluster.
■ Terminal server connection configuration. Finally, you must direct the cluster’s
servers to the session directory. This process involves specifying that the server is
part of a directory, the name of the session directory server, and the name for the
cluster, which can be any name you wish as long as the same name is specified for
each server in the cluster. These settings can be specified in the Server Settings
node of Terminal Server Configuration, or they can be set using a GPO applied to
an OU that contains the computer objects for the cluster’s terminal servers.
When a user connects to the cluster, the following process occurs:
1. When the user logs on to the terminal server cluster, the terminal server receiving
the initial client logon request sends a query to the session directory server.
2. The session directory server checks the username against its database and sends
the result to the requesting server as follows:
❑ If the user has no disconnected sessions, logon continues at the server hosting the initial connection.
❑ If the user has a disconnected session on another server, the client session is
passed to that server and logon continues.
❑ When the user logs on to a new or disconnected session, the session directory
is updated.
Exam Tip Be sure to know the pieces that are required to establish a terminal server cluster. Should you decide to implement a terminal server cluster within your enterprise, you can
refer to the Help And Support Center for detailed instructions for doing so.
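The three pieces listed above have to agree with one another, and a mismatch is what breaks the reconnection sequence just described. The following PowerShell script is an added example, not code from the training kit or from Microsoft: it checks that every cluster member points at the same session directory server and uses the same cluster name, and that each member's computer account is in the directory server's Session Directory Computers local group. It assumes PowerShell 2.0, administrative rights on all servers named, and the Win32_TSSessionDirectory class of the Terminal Services WMI provider (root\cimv2\TerminalServices) on the members; the server names are placeholders.

```powershell
# Added example (not from the training kit): verify the pieces of a terminal
# server cluster agree with each other. Assumes PowerShell 2.0, admin rights on
# every server named, and Win32_TSSessionDirectory (root\cimv2\TerminalServices)
# on the members. Server names are placeholders.
param(
    [string[]]$Members       = @("server02", "server03"),
    [string]$DirectoryServer = "sdserver"
)

# Members of the Session Directory Computers local group on the directory
# server, read through the WinNT ADSI provider (computer accounts end in "$").
$group = [ADSI]"WinNT://$DirectoryServer/Session Directory Computers,group"
$groupMembers = @()
foreach ($m in $group.psbase.Invoke("Members")) {
    $groupMembers += $m.GetType().InvokeMember("Name", "GetProperty", $null, $m, $null)
}

# What each member believes about the cluster it belongs to.
$settings = foreach ($server in $Members) {
    $sd = Get-WmiObject -Namespace "root\cimv2\TerminalServices" `
                        -Class Win32_TSSessionDirectory -ComputerName $server
    New-Object PSObject -Property @{
        Server           = $server
        DirectoryActive  = ($sd.SessionDirectoryActive -eq 1)
        DirectoryServer  = $sd.SessionDirectoryLocation
        ClusterName      = $sd.SessionDirectoryClusterName
        InComputersGroup = ($groupMembers -contains ('{0}$' -f $server.ToUpper()))
    }
}

$settings | Format-Table Server, DirectoryActive, DirectoryServer, ClusterName, InComputersGroup -AutoSize

# Findings: each one prevents a member from locating a disconnected session.
$clusterNames = @($settings | ForEach-Object { $_.ClusterName } | Sort-Object -Unique)
if ($clusterNames.Count -ne 1) {
    Write-Warning "Members disagree on the cluster name: $($clusterNames -join ', ')"
}
foreach ($s in $settings) {
    if (-not $s.DirectoryActive) {
        Write-Warning "$($s.Server): not configured to use a session directory"
    }
    if ($s.DirectoryServer -ne $DirectoryServer) {
        Write-Warning "$($s.Server): points at '$($s.DirectoryServer)', expected '$DirectoryServer'"
    }
    if (-not $s.InComputersGroup) {
        Write-Warning "$($s.Server): computer account is not in Session Directory Computers on $DirectoryServer"
    }
}
```

A member whose computer account is missing from the group is refused by the session directory, so users who land on that member after a disconnect get a fresh session instead of their existing one; the warnings name the member and the piece to fix.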
Remote Control
Terminal Server allows an administrator to view or take control of a user’s session. This
feature not only allows administrators to monitor user actions on a terminal server, but
also acts like Remote Assistance, allowing a help desk employee to control a user’s session and perform actions that the user is able to see as well.
To establish remote control, both the user and the administrator must be connected to
terminal server sessions. The administrator must open the Terminal Server Manager
console from the Administrative tools group, right-click the user’s session, and choose
Control. By default, the user will be notified that the administrator wishes to connect to
the session and can accept or deny the request.
Important Remote Control is available only when using Terminal Server Manager within a
terminal server session. You cannot establish remote control by opening Terminal Server
Manager on your PC.
Remote control settings include the ability to remotely view and remotely control a session, as well as whether the user should be prompted to accept or deny the administrator’s access. These settings can be configured in the user account properties in the
Remote Control tab, as shown in Figure 2-23, and can be configured by the properties
of the RDP-Tcp connection, which will override user account settings. Group Policy
can also be used to specify remote control configuration.
Figure 2-23 The Remote Control tab of a user’s properties dialog box
In addition to enabling remote control settings, an administrator must have permissions
to establish remote control over the terminal server connection. Using the Permissions
tab of the RDP-Tcp Properties dialog box, you can assign the Full Control permission
template or, by clicking Advanced, assign the Remote Control permission to a group, as
shown in Figure 2-24.
Figure 2-24 The Remote Control permission
See Also
For more information about implementing Terminal Server in a production environment, be sure to read Microsoft Windows Server 2003 Terminal Services by Bernhard
Tritsch (Microsoft Press, 2004).
Practice: Preparing Terminal Server
In this practice, you will install Terminal Server on Server02, configure a user account
to enable Terminal Server logon, and configure device redirection. To perform this
practice, you will need a second computer installed with Windows Server 2003, named
Server02, and belonging to the contoso.com domain.
Exercise 1: Installing Terminal Server
1. Log on to Server02.
2. Open Add/Remove Programs from Control Panel.
3. Click Add/Remove Windows Components to open the Windows Components
Wizard.
4. Select the Terminal Server check box.
A Configuration Warning appears, reminding you that the Internet Explorer
Enhanced Security Configuration will restrict users’ Web access.
5. Click Yes, and then click Next.
A message appears discussing the installation of applications on a terminal server.
6. Click Next, ensure that Full Security is selected, and then click Next.
7. On the Terminal Server Setup page, select I Will Specify A License Server Within
120 Days, and then click Next.
8. Select Per User Licensing Mode and click Next.
The Configuring Components page appears while Terminal Server is installed.
9. Click Finish.
10. Restart Server02.
Exercise 2: Configuring Terminal Server Users
1. Log on to Server01 as Administrator.
2. Open Active Directory Users And Computers.
3. Create a user account in the Users container named Lorrin Smith-Bates.
You might already have an account for Lorrin Smith-Bates if you have worked
through lessons in other chapters. Write down the username and password
assigned to this account; you will be logging on as Lorrin Smith-Bates in the next
exercise.
4. Create a global security group account in the Users container named Contoso Terminal Server Users.
5. Add Lorrin Smith-Bates to the Contoso Terminal Server Users group.
6. Add the Contoso Terminal Server Users group to the Print Operators group.
Because Lorrin is a user, he would not be able to log on to Server01, a domain
controller. For the purposes of this practice, Lorrin needs the right to log on locally
to Server01, and nesting his account in the Print Operators group is an easy way
to achieve that goal.
7. Log off of Server01.
8. Log on to Server02 as Administrator.
9. Click Start, right-click My Computer, and choose Manage.
10. Expand the Local Users And Groups snap-in in the console tree.
11. Select the Groups node.
12. Double-click Remote Desktop Users in the details pane.
13. Add the Contoso Terminal Server Users group as a member.
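The same user, group and membership changes can be made from the command line. The following commands are an added example, not part of the training kit's exercise: they use the dsadd and dsmod directory tools that ship with Windows Server 2003 and the net command. The sAMAccountName lsmithbates is an assumption (the exercise leaves the username to you), the password is prompted for rather than stored in the script, and the distinguished names follow the exercise's contoso.com domain and Users container.

```powershell
# Added example (not from the training kit): command-line equivalent of
# Exercise 2. Run the dsadd/dsmod commands on Server01 (the domain controller)
# and the net command on Server02. "lsmithbates" is an assumed username.
$usersContainer = "CN=Users,DC=contoso,DC=com"
$groupDn        = "CN=Contoso Terminal Server Users,$usersContainer"

# Step 4: a global security group in the Users container.
dsadd group $groupDn -secgrp yes -scope g -samid "Contoso Terminal Server Users"

# Steps 3 and 5: the user account, made a member of the group as it is created.
# -pwd * prompts for the password instead of leaving it in the script.
dsadd user "CN=Lorrin Smith-Bates,$usersContainer" -samid lsmithbates `
    -fn Lorrin -ln Smith-Bates -display "Lorrin Smith-Bates" `
    -pwd * -memberof $groupDn

# Step 6 (lab only): nesting the group in Print Operators gives Lorrin the
# right to log on locally to Server01, a domain controller, for Exercise 3.
dsmod group "CN=Print Operators,CN=Builtin,DC=contoso,DC=com" -addmbr $groupDn

# Step 13, on Server02: the domain group joins the local Remote Desktop Users
# group, which by default holds the connection permission and the Allow Log On
# Through Terminal Services right on a member server.
net localgroup "Remote Desktop Users" "CONTOSO\Contoso Terminal Server Users" /add
```

After the last command, `net localgroup "Remote Desktop Users"` on Server02 lists the domain group, which is the membership the lesson summary says is all a member server needs once Remote Desktop connections are enabled.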
Exercise 3: Logging On to Terminal Server with Device Redirection
1. Log on to Server01 as Lorrin Smith-Bates.
2. Open Remote Desktop Connection from the All Programs\Accessories\Communications program group.
3. In the Computer box, type server02.contoso.com and click Connect.
4. In the Remote Desktop session, log on to Server02 as Lorrin Smith-Bates.
5. Open My Computer and note that the drives shown are the drives on Server02.
6. In the Remote Desktop session, log off Server02.
7. Open Remote Desktop Connection again and click the Options button.
8. Click the Local Resources tab, select the Disk Drives check box, and click Connect.
9. A Security Warning appears. Click OK.
10. In the Remote Desktop session, log on to Server02 as Lorrin Smith-Bates.
11. Open My Computer, and note that you now see the drives on Server01 in the
group called Other.
12. In the Remote Desktop session, log off of Server02.
13. Do not log off of Server01. Log directly on to Server02 as Administrator.
14. On Server02, open the Terminal Services Configuration console from the Administrative Tools folder.
15. Select Connections in the console tree.
16. Double-click RDP-Tcp in the details pane.
17. In the Client Settings tab, select the Drive Mapping check box, and click OK to
close the RDP-Tcp Properties dialog box.
18. On Server01, still logged on as Lorrin, open Remote Desktop Connection.
19. Ensure that server02.contoso.com is entered as the computer and, in the Local
Resources tab, that the Disk Drives check box is still selected.
20. Click Connect, and log on to Server02 as Lorrin Smith-Bates. Click OK to close the
Security Warning message box.
21. Open My Computer.
Local drives are no longer redirected. The setting you configure in the properties
of the RDP-Tcp connection overrides client settings.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. You have enabled Remote Desktop connections on Server02, a member server in
the contoso.com domain. Terminal Server is installed on Server02. You want
Danielle Tiedt to be able to connect using the Remote Desktop Connection client.
What additional configuration must first be performed on Server02?
2. You have enabled Remote Desktop connections on Server01, a domain controller
in the contoso.com domain. Terminal Server is installed on Server01. You want
Terry Adams to be able to connect using the Remote Desktop Connection client.
Terry is a member of the Remote Desktop Users group on Server01. What additional configuration must first be performed for Terry to successfully connect?
3. Name three locations where you can configure Terminal Server settings that will
override settings on the Remote Desktop Connection client.
Lesson Summary
■ Terminal Server provides applications in a multiuser environment. Those applications must be installed using Add Or Remove Programs or the Change User
command.
■ For a user to successfully connect, Remote Desktop connections must be enabled
on the server, the server’s connection (for example, the RDP-Tcp connection) must
allow connections for a group to which the user belongs, the user must be in a
group that is granted the right Allow Logon Through Terminal Services, and the
user account must Allow Logon To Terminal Server. On a member server, all the
appropriate permissions are configured by default for the Remote Desktop Users
group, so you must simply enable Remote Desktop connections and add the user
to that group.
■ A domain controller’s security policy does not, by default, grant the Allow Logon
Through Terminal Services user right.
■ Various Terminal Server settings can be configured on the client, in the user
account, on the connection, or on the server. Most of these settings can additionally be configured through Group Policy for terminal servers running Windows
Server 2003.
■ Windows Server 2003 and the Remote Desktop Connection client support device
redirection including audio devices, printers, and disks.
■ To load-balance terminal servers, you must configure a load-balancing technology
such as NLB or DNS round-robin, enable the Terminal Services Session Directory
on a server, add computer accounts for the servers to the directory server’s Session
Directory Computers local group, and configure the servers to belong to the cluster through Terminal Server Configuration or Group Policy.
■ You can monitor and remotely control a user’s Terminal Services session by connecting
to the terminal server with the Remote Desktop Connection client, opening Terminal
Server Manager, right-clicking the user session, and choosing Remote Control.
Case Scenario Exercise
As part of the remote administration of your enterprise, your company has enabled
Remote Assistance on each computer. Your sales representatives travel frequently and
use laptops to perform their work while they travel.
On your internal network, you use Windows Messenger for spontaneous communication with your clients, and for Remote Assistance. However, you disallow Instant Messenger traffic across the Internet by closing port 1863 at the firewall.
You want to perform Remote Assistance for your remote users, but cannot connect to
them with Windows Messenger to determine whether they are online.
Is Remote Assistance possible for your remote users? If so, how would you accomplish it?
Troubleshooting Lab
You are trying to connect to a server running Windows Server 2003 in your environment with a Remote Desktop Connection but consistently get the message shown in
Figure 2-25 when attempting to connect.
Figure 2-25 Error Logon Message when connecting to the Remote Desktop For Administration console
You have checked settings on the server and confirmed the following:
■ You are a member of the Remote Desktop Users group.
■ You are not a member of the Administrators group.
■ You are able to connect to share points on the computer running Terminal Server,
and the computer responds affirmatively to a ping.
What other settings will you check on the computer running Terminal Server to troubleshoot this problem?
Chapter Summary
■ MMCs are the common, system tool interface in Windows Server 2003.
■ Snap-ins are individual tools that can be loaded into an MMC.
■ Some snap-ins can be used to configure remote computers; others are limited to
local computer access.
■ MMCs can be saved in either Author (full access) or User (limited access) modes.
The mode of an MMC neither grants nor removes a user’s ability to perform a task;
what the user may do is governed by the permissions he or she holds.
■ Remote Desktop For Administration allows for the same administration of a server
from a remote location as if logged on to the local console interactively.
■ Remote Desktop For Administration, for desktop operating systems, is available
only with Windows XP.
■ Remote Assistance is like Remote Desktop For Administration for the desktop,
allowing remote viewing and control of Windows XP desktop computers.
■ Remote Assistance will also work on a computer running Windows Server 2003.
■ Two users are required for Remote Assistance to be viable: one user at the target
desktop, and the expert helper at another computer. Both must agree on the control actions taken during the session, and the session can be ended by either party
at any time.
Exam Highlights
Before taking the exam, review the key points and terms that are presented below to
help you identify topics you need to review. Return to the lessons for additional practice and review the “Further Reading” sections in Part 2 for pointers to more information about topics covered by the exam objectives.
Key Points
■ MMCs are the containers for snap-ins.
■ Snap-ins can be used in either local or remote context but cannot be connected to
both the local and remote computers simultaneously.
■ Snap-ins can be combined in a single console to suit administrative preference.
■ MMCs can be saved in User mode to restrict their configuration, but the ability to
perform tasks with the tool is governed by permissions, not by limitations placed
on a particular MMC. If a user has sufficient privilege to administer a computer, the
user can create MMCs with any snap-in.
■ Remote Desktop For Administration requires permissions to attach with the Remote
Desktop client. By default, this permission is granted only to Administrators.
■ Remote Assistance is a two-way, agreed session. At no time can an expert take
unauthorized control of a user’s computer.
■ Port 3389, the same port used by Remote Desktop For Administration, must be
open at the firewall for Remote Assistance sessions to be established.
Key Terms
Remote Assistance vs. Remote Desktop For Administration Remote Assistance
allows a remote control session to be established from an expert user as invited by
a novice user. The credentials for authentication are supplied in the form of a
shared secret password created within the invitation by the novice. Remote Desktop For Administration involves only one user connected remotely to a computer
running the Terminal Server service and configured to allow Remote Desktop connections by the user.
Microsoft Management Console (MMC)
Remote Desktop For Administration Credentials and server configuration required for Remote Desktop For Administration
connections.
Questions and Answers
Lesson 1 Review (Page 2-8)
1. What is the default mode when you create an MMC?
The default mode for an MMC is Author mode.
2. Can a snap-in have focus on both the local computer and a remote computer
simultaneously?
No. Snap-ins can be configured to connect to the local computer, or a remote computer, but not
both simultaneously.
3. If you want to limit the access of a snap-in, how do you construct the MMC that
contains the snap-in?
Save the console in one of the User modes, depending on the level of limitation you want.
Lesson 2 Review (Page 2-11)
1. What credentials are required for administration of a remote computer using the
MMC?
You must have administrative credentials on the remote computer to perform remote
administration.
2. Can an existing MMC snap-in be changed from local to remote context, or must a
snap-in of the same type be loaded into the MMC for remote connection?
A snap-in’s context might be changed by accessing the properties of the snap-in. A snap-in does
not have to be reloaded to change its configuration.
3. Are all functions within a snap-in used on a local computer usable when connected remotely?
No, not all functionality is available. The Device Manager component in the Computer Management snap-in, for example, can be used only to view remote computer configurations; no
changes can be made to the remote computer’s device configuration.
Lesson 3 Review (Page 2-19)
1. How many simultaneous connections are possible to a Terminal Server running in
Remote Administration mode? Why?
Three; two remote connections and one at the console (but that’s not fair, is it?). Technically,
then, two is the limit because the application-sharing components are not installed with Terminal Server configured in Remote Desktop mode for remote administration.
2. What would be the best way to give administrators the ability to administer a
server remotely through Terminal Services?
a. Don’t do anything; they already have access because they are administrators.
b. Remove the Administrators from the permission list on the Terminal Server
connection, and put their administrator account in the Remote Desktop For
Administration Group.
c. Create a separate, lower-authorization user account for Administrators to use
daily, and place that account in the Remote Desktop For Administration Group.
The correct answer is c. It is a best practice to log on using an account with minimal credentials, then to launch administrative tools with higher-level credentials using Run As.
3. What tool is used to enable Remote Desktop on a server?
a. Terminal Services Manager
b. Terminal Services Configuration
c. System properties in Control Panel
d. Terminal Services Licensing
The correct answer is c.
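The Lesson 2 and Lesson 3 answers above, put into practice from a least-privilege logon. This is an added PowerShell example, not code from the training kit: the everyday, non-administrator logon uses Run As to start an administrative shell; inside that shell, Computer Management is opened against the target, Remote Desktop is enabled on the target through the remote registry (the same value the System Properties Remote tab sets), and the number of remote-administration sessions already in use is checked before connecting. The names Server02 and CONTOSO\dtiedt-admin are assumed, as is a target that accepts remote registry and RPC traffic.

```powershell
# Added example, not from the training kit.
# Assumed names: Server02 (target), CONTOSO\dtiedt-admin (administrator account).
#
# Lesson 3 Q2: from the everyday, non-administrator logon, start an admin shell
# with Run As and type everything below into that window:
#   runas /user:CONTOSO\dtiedt-admin powershell.exe

$server = "Server02"
$tsKey  = "\\$server\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"

# Lesson 2 Q1: remote MMC needs administrative credentials on the target.
# compmgmt.msc accepts the target computer on its command line.
& mmc.exe compmgmt.msc "/computer=$server"

# Lesson 3 Q3: System Properties > Remote flips fDenyTSConnections;
# 0 allows Remote Desktop connections, 1 denies them. reg.exe can edit the
# remote computer's HKLM directly through the Remote Registry service.
& reg.exe query "$tsKey" /v fDenyTSConnections
& reg.exe add   "$tsKey" /v fDenyTSConnections /t REG_DWORD /d 0 /f

# Lesson 3 Q1: Remote Desktop For Administration allows two remote sessions
# plus the console. Count the remote slots in use; a disconnected ("Disc")
# session still holds a slot, so it is counted too. The console row and the
# "rdp-tcp" listener row are excluded.
$sessions = & query.exe session /server:$server
$rdpInUse = @($sessions | Where-Object {
    ($_ -match "\s(Active|Disc)\s") -and ($_ -notmatch "^\s*>?console\s")
}).Count

if ($rdpInUse -ge 2) {
    Write-Warning "Both remote sessions on $server are in use; connecting to the console session."
    # Windows XP / Server 2003 era switch; later clients call this /admin.
    & mstsc.exe /v:$server /console
    # To free a stale disconnected session instead, note its ID from the
    # listing above and run:  logoff.exe <id> /server:Server02
} else {
    & mstsc.exe /v:$server
}
```

Running the MMC and registry steps under the administrative shell rather than under the daily logon is the point of answer c: the low-privilege account never needs to be a member of Administrators, and nothing it runs by accident carries administrative rights.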
Page 2-28
Lesson 4 Review
1. How is Remote Assistance like Remote Desktop For Administration? How is it
different?
Both allow remote control of a computer as if the user were physically at the console.
Remote Desktop For Administration is governed solely by the directory of accounts, local or
domain, and the permissions configured for the Terminal Server connections on that
computer: anyone holding suitable credentials can connect at any time. Remote Assistance
requires a "handshake" of sorts between the user and the expert helper: the user must send
an invitation and the expert must accept it before the session is established.
2. What are the benefits of Remote Assistance?
The user does not have to have an expert on site to receive assistance. The difficulty of solving
a problem over the telephone is removed.
3. Which of the following are firewall-related constraints relating to Remote Assistance?
a. Port 3389 must be open.
b. NAT cannot be used.
c. Internet Connection Sharing is not possible.
d. You cannot use Remote Assistance across a Virtual Private Network (VPN).
The correct answer is a. Remote Assistance uses TCP port 3389, the same port as Remote
Desktop, so that port must be open between the expert and the user. NAT, Internet
Connection Sharing and VPNs do not by themselves prevent Remote Assistance, provided
port 3389 reaches the user's computer.
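A check for the constraint in question 3, as an added PowerShell example that is not part of the training kit. Run on the expert's side, it attempts a TCP connection to port 3389 on the user's computer with a short timeout, which separates a firewall, NAT or VPN reachability problem from a feature that is simply switched off. Run on the user's computer, it reads the Remote Assistance switch that the System Properties Remote tab sets and confirms that Terminal Services is listening on the port. The host name novice-pc is assumed.

```powershell
# Added example, not from the training kit. Assumed host: novice-pc.
$novice = "novice-pc"
$port   = 3389

# Expert side: can the user's computer be reached on TCP 3389? A blocking
# firewall or a NAT device that does not forward the port shows up as a
# timeout or a refused connection. (An unresolvable name makes BeginConnect
# throw, which is itself a useful diagnosis.)
function Test-Port3389([string]$computer, [int]$port, [int]$timeoutMs) {
    $client = New-Object System.Net.Sockets.TcpClient
    $async  = $client.BeginConnect($computer, $port, $null, $null)
    $done   = $async.AsyncWaitHandle.WaitOne($timeoutMs, $false)
    $open   = $done -and $client.Connected
    if ($open) { $client.EndConnect($async) }
    $client.Close()
    return $open
}

if (Test-Port3389 $novice $port 3000) {
    "TCP $port on $novice is reachable; a Remote Assistance session can be established."
} else {
    "TCP $port on $novice is not reachable: check the firewall, NAT port forwarding or VPN route."
}

# User side: the Remote tab's "Allow Remote Assistance invitations to be sent
# from this computer" box writes fAllowToGetHelp; 1 = enabled. Check it
# together with the Terminal Services listener.
$raKey     = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$raEnabled = (Get-ItemProperty -Path $raKey -Name fAllowToGetHelp).fAllowToGetHelp
$listening = (& netstat.exe -an) -match ":$port\s+.*LISTENING"

if ($raEnabled -eq 1 -and $listening) {
    "Remote Assistance is enabled and port $port is listening on this computer."
} elseif ($raEnabled -ne 1) {
    "Remote Assistance is disabled on this computer (fAllowToGetHelp = $raEnabled)."
} else {
    "Remote Assistance is enabled but nothing is listening on port $port; check the Terminal Services service."
}
```

The two halves answer different questions: the expert-side probe tells you whether the path exists, and the user-side check tells you whether there is anything at the end of it. A failing probe with a healthy user side points squarely at the network, which is the only constraint the question lists.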
Page 2-46
Lesson 5 Review
1. You have enabled Remote Desktop connections on Server02, a member server in
the contoso.com domain. Terminal Server is installed on Server02. You want
Danielle Tiedt to be able to connect using the Remote Desktop Connection client.
What additional configuration must first be performed on Server02?
Add Danielle Tiedt to the local Remote Desktop Users group on Server02.
2. You have enabled Remote Desktop connections on Server01, a domain controller
in the contoso.com domain. Terminal Server is installed on Server01. You want
Terry Adams to be able to connect using the Remote Desktop Connection client.
Terry is a member of the Remote Desktop Users group on Server01. What additional
configuration must first be performed for Terry to successfully connect?
By default a domain controller grants the user right Allow log on through Terminal Services
only to Administrators, so membership in Remote Desktop Users is not enough on its own.
Configure a GPO that applies to the domain controller, such as the Default Domain
Controllers GPO, so that Allow log on through Terminal Services is defined and assigned to
the Remote Desktop Users group (keeping Administrators in the list as well).
3. Name three locations where you can configure Terminal Server settings that will
override settings on the Remote Desktop Connection client.
The properties of user objects in Active Directory, the properties of the terminal server
connection (for example, the RDP-Tcp connection), and Terminal Services group policies.
Page 2-48
Case Scenario Exercise
Is Remote Assistance possible for your remote users? If so, how would you accomplish it?
You must use one of the alternate methods of requesting Remote Assistance.
■ The E-Mail Method: Send an e-mail to the expert through Help And Support Tools. When the
expert accesses the link in the e-mail, the expert can establish a Remote Assistance session.
■ The File Method: Create a Remote Assistance file through Help And Support Tools. E-mail the
file to the expert, or have the expert access it through a file share. When the expert opens
the link within the file, the expert can establish a Remote Assistance session.
In both methods, it is highly recommended that you set a password for the Remote Assistance
session and give the expert the password in a secure fashion, so that your Remote Assistance
session cannot be accessed by an unauthorized person.
Page 2-48
Troubleshooting Lab
What other settings will you check on the computer running Terminal Server to troubleshoot
this problem?
It is likely that the Terminal Server in question is a domain controller and that the Default
Domain Controllers Group Policy has not been configured to allow remote connections by the
Remote Administrative Users group. The default security policy on domain controllers grants
the user right Allow log on through Terminal Services only to Administrators, so the effective
policy must be changed. The easiest way to change it is to override the local setting with a
change to the Default Domain Controllers Group Policy.
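The configuration behind the Lesson 5 answers and the Troubleshooting Lab, as an added PowerShell example that is not part of the training kit: add the user to Remote Desktop Users, build a security template that assigns Allow log on through Terminal Services (the privilege name is SeRemoteInteractiveLogonRight) to Administrators and Remote Desktop Users, apply it, and read the effective assignment back with secedit so you can tell whether a GPO such as the Default Domain Controllers Policy is overriding the local setting. The names Server01 and CONTOSO\tadams are assumed; the .inf uses the template syntax that both secedit and the Import Policy command in a GPO's Security Settings accept.

```powershell
# Added example, not from the training kit.
# Assumed names: CONTOSO\tadams (user), Server01 (terminal server).
# Run in an administrative PowerShell session on the server itself.

# Lesson 5 Q1: membership in Remote Desktop Users. On a domain controller
# there are no local groups; here net.exe edits the domain's Builtin group.
& net.exe localgroup "Remote Desktop Users" "CONTOSO\tadams" /add

# Lesson 5 Q2 / Troubleshooting Lab: the user right. A user-rights line in a
# template REPLACES the whole assignment, so Administrators (S-1-5-32-544)
# must be listed alongside Remote Desktop Users (S-1-5-32-555), or the
# administrators lose their own right to log on through Terminal Services.
# Single-quoted here-string so that $CHICAGO$ is not expanded as a variable.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
'@
$infPath = "$env:TEMP\ts-logon-right.inf"
Set-Content -Path $infPath -Value $inf -Encoding Unicode

# Member server: apply the template to the local security database.
& secedit.exe /configure /db "$env:windir\security\local.sdb" /cfg $infPath /areas USER_RIGHTS /quiet

# Domain controller: the local setting is overridden by the Default Domain
# Controllers Policy, so import the same .inf into that GPO instead
# (Computer Configuration > Windows Settings > Security Settings,
# right-click > Import Policy) and then refresh with:  gpupdate.exe /force

# Read back the effective assignment. If S-1-5-32-555 is absent even though
# the local configure step succeeded, a GPO is overriding the local policy.
$export = "$env:TEMP\effective-rights.inf"
& secedit.exe /export /cfg $export /areas USER_RIGHTS
$line = Get-Content $export | Where-Object { $_ -match "^SeRemoteInteractiveLogonRight" }
if ($line -match "S-1-5-32-555") {
    "Remote Desktop Users holds Allow log on through Terminal Services: $line"
} else {
    "Remote Desktop Users still lacks the right; check the GPOs applied to this computer: $line"
}
```

Using the well-known SIDs rather than group names keeps the template valid on any computer and in any language, and the read-back step is what turns the lab's guess ("it is likely a domain controller") into a verified diagnosis: group membership can look correct while the user right, which is evaluated at logon, is still missing.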