Windows Server® 2008 Terminal Services Resource Kit

Book Description

In-depth and comprehensive, this RESOURCE KIT delivers the information and resources you need to plan, deploy, administer, and support Windows Server 2008 Terminal Services and server-based applications and clients. You get authoritative guidance direct from those who know the technology best: an internationally recognized expert and her peers on the Windows Server 2008 Terminal Services team at Microsoft. You also get essential resources on the companion CD, including scripts and author extras, to help you deploy and manage Terminal Services and server-based applications. If you’re serious about Windows Server 2008 Terminal Services, this is the resource you’ll use to optimize results from your deployment.

Table of Contents

  1. Windows Server® 2008 Terminal Services Resource Kit
    1. SPECIAL OFFER: Upgrade this ebook with O’Reilly
    2. A Note Regarding Supplemental Files
    3. Acknowledgments
    4. Foreword
    5. Introduction
      1. What’s New in Terminal Services in Windows Server 2008?
      2. How This Book Is Structured
      3. Document Conventions
        1. Reader Aids
        2. Sidebars
        3. Command-Line Examples
      4. Companion Media
        1. Links
        2. Add-on Tools
        3. Management Scripts
      5. Resource Kit Support Policy
    6. 1. Introducing Terminal Services in Windows Server 2008
      1. Where Did Terminal Server Come From?
      2. What Can You Do with Terminal Services?
        1. Improve Security for Remote Users
        2. Enable Remote Work
        3. Bringing Windows to PC-Unfriendly Environments
        4. Supporting Green Computing
      3. Terminal Services for Windows Server 2008: The Big Picture
        1. The Changing Character of Terminal Server Usage
          1. Supporting Telecommuters and Mobile Workers
          2. Using Public Computers
          3. Integrated Desktop and Remote Workspaces
          4. Working from Branch Offices
          5. Larger Server Farms
        2. Cool New Stuff for Terminal Services in Windows Server 2008
          1. Getting the Really Big Picture with Multi-Monitor Support
          2. Broader Support for Client-Side Device Redirection
          3. Single Sign-On
          4. Eliminating Printer Drivers
          5. Terminal Services RemoteApp
        3. Terminal Services Roles in Windows Server 2008
          1. Terminal Server
          2. Terminal Services Web Access
          3. Terminal Services Session Broker
          4. Terminal Services Gateway
          5. Terminal Services Licensing
      4. Understanding the Windows Server 2008 TS Environment
        1. The Client Connection
        2. Authenticating Servers and Client Machines with Certificates
        3. Displaying RemoteApps for Terminal Services Web Access
        4. Updating User and Computer Settings
      5. New Functionality for Terminal Services Partners
        1. Terminal Services APIs
          1. Session Administration APIs
          2. Client/Server Communication APIs
          3. Virtual Channel APIs
          4. User Configuration APIs
        2. Windows Management Instrumentation
          1. Terminal Server Configuration Classes
          2. Terminal Services Session Broker Classes
          3. Terminal Services Gateway Classes
          4. Terminal Services Licensing Server Classes
          5. Terminal Services RemoteApp Classes
      6. Summary
      7. Additional Resources
    7. 2. Planning the Terminal Server Ecosystem
      1. Know Your Terminal Server
      2. Understanding Key Terminal Server Internals
        1. How Does the Terminal Server Dole Out Processor Cycles?
        2. How Do Terminal Servers Maximize Memory Efficiency?
          1. Understanding User-Mode and Kernel-Mode Virtual Address Space
          2. The Role of the Memory Manager
          3. Mapping Virtual Memory to Physical Memory
          4. How Virtual Memory Is Supported
          5. Memory Sharing and Copy-on-Write
        3. How Can I Use More Than 4 GB of RAM?
          1. Physical Address Extension
          2. Address Windowing Extensions
        4. How Does Disk Performance Affect a Terminal Server?
          1. Arranging Data Storage
          2. Understanding the System Cache
          3. How Does RAID Affect Disk Performance?
            1. Disk Mirroring
            2. Stripe Sets with Parity
      3. Determining System Requirements for Terminal Servers
        1. Defining Acceptable Performance
        2. Designing a Live Test
          1. Root the Test in Reality
          2. Generate Typical User Behavior
        3. Executing the Tests
          1. Using the Reliability And Performance Monitor
            1. Collecting the Data
            2. Reviewing the Data
        4. The Alternative to Full Testing: Extrapolation
        5. Other Sizing Questions
          1. What About Sizing Other Terminal Services Roles?
          2. Can I Run Terminal Services in a Virtual Machine?
      4. Supporting Client Use Profiles
        1. PC or Thin Client?
        2. What’s the Best License Model?
        3. What Applications Can I Run on a Terminal Server?
        4. What Version of Remote Desktop Connection Do I Need?
        5. What Server Role Services Do I Need to Support My Business?
      5. Summary
      6. Additional Resources
    8. 3. Installing the Core Terminal Server Environment
      1. How Terminal Servers Work
        1. Services Supporting Terminal Services
        2. Creating and Supporting a Terminal Session
          1. Key Terminal Services Processes Loaded at Boot Time
          2. Creating a New Session
          3. Enabling User Logons to the New Session
          4. Creating the Base Environment in Each Session
          5. Passing Data Between Client and Server
            1. Session Structure
            2. Identifying Processes
            3. Communicating Between Session and Terminal Server
          6. Putting It All Together
      2. Installing a Terminal Server
      3. Essential Terminal Server Configuration
        1. Allocating System Resources with Windows System Resource Manager
          1. Installing WSRM
          2. Configuring WSRM for Per-Session
          3. Excluding Processes from Management
        2. Enabling Plug and Play Redirection with the Desktop Experience
        3. Adjusting Server Settings with Terminal Services Configuration
          1. General Session Settings
          2. Terminal Server Licensing Settings
            1. Terminal Services Licensing Mode
            2. License Server Discovery Mode
          3. Protocol-Specific Settings
      4. License Servers
        1. How License Servers Assign TS CALs
        2. Setting Up the License Server
          1. Installing the License Server
          2. Activating the License Server
          3. Installing TS CALs
          4. Changing the Scope of the License Server
            1. Adding a License Server to Active Directory: The Easy Way
            2. Adding a License Server to Active Directory: The Painful Method
        3. Reporting on TS CAL Usage
        4. Revoking TS CALs
        5. Restricting Access to TS CALs
        6. Using the Licensing Diagnosis Tool
      5. Summary
      6. Additional Resources
    9. 4. Creating the User Work Environment
      1. How Profiles Work
        1. User Profile and the Registry
        2. How Profile Changes Are (Not) Merged
        3. Profile Contents External to the Registry
      2. Design Guidelines for User Profiles
        1. Choose Between Roaming and Mandatory Profiles
        2. Use Folder Redirection
        3. Prevent Users from Losing Files
        4. Speed Up Logons by Reducing the Data to Copy
          1. Caching Roaming Profiles
        5. Storing Profiles
      3. Using Roaming Profiles with Terminal Services
        1. Converting an Existing Local Profile to a Roaming Profile
        2. Using Group Policy to Manage Roaming Profiles
          1. Creating Group Policy Objects to Work with Terminal Server Users and Computers
          2. Fine-Tuning GPOs with Security Filtering
          3. The Ins and Outs and Ins of Loopback Policy Processing
        3. Using Group Policy to Define the Roaming Profile Share
        4. Speeding Up Logons with Small Profiles
          1. Limiting Profile Size
          2. Removing Cached User Profiles on Terminal Servers
            1. Using Group Policy to Delete Cached Profiles
            2. Manually Deleting Cached Profiles
          3. The Consequences of Deleting a Profile Folder from Explorer
        5. Centralizing Personal Folders with Folder Redirection
        6. Sharing Personal Folders Between Local and Remote Environments
        7. Sharing Folders Between Windows Server 2003 and Windows Server 2008 Roaming Profiles
      4. Setting Standards with Mandatory Profiles
        1. Converting Existing Roaming Profiles to Mandatory Profiles
        2. Creating a Single Mandatory Profile
        3. Creating a Safe Read-Only Desktop
      5. Profile and Folder Redirection Troubleshooting Tips
      6. Summary
      7. Additional Resources
    10. 5. Fine-Tuning the User Experience
      1. Remoting Infrastructure
        1. Virtual Channels and the Remote Client Experience
        2. The Plug and Play Device Redirection Framework
        3. Printing Architecture
          1. The Legacy Printing Model for Terminal Services
            1. Enumerating Printers in the Remote Session
            2. Printing from a Remote Session
          2. The New Easy Print Architecture
      2. Moving the Client Experience to the Remote Session
        1. Which Client Devices Can You Add to the Remote Session?
        2. Pros and Cons of Redirecting Resources
        3. Printing from Terminal Services
          1. Using TS Easy Print
          2. When TS Easy Print Isn’t an Option: Distributing Drivers to Terminal Servers
            1. Deploy Printer Drivers Using Group Policy
            2. The Print Management Console
          3. Managing Print Settings with Group Policy
        4. Redirecting Time Zones
      3. Locking Down the Terminal Server
        1. Restricting Device and Resource Redirection
          1. Restrict Device and Resource Redirection Using Group Policy
          2. Restrict Device and Resource Redirection Using ADUC
          3. Restrict Device and Resource Redirection Using TS Configuration Tool
        2. Prevent Users from Reconfiguring the Server
          1. Restricting Access to the Control Panel
          2. Restrict Printer Driver Installation
          3. Prevent Access to the Registry
          4. Prevent Access to Windows Automatic Updates
        3. Close Back Doors to Executables
          1. Restrict Access to Start Menu and Networking Items
          2. Remove Icons from the Desktop
          3. Restrict Access to CD-ROM and Floppy Drives
          4. Prevent Access to the Command Prompt
          5. Remove Access to Task Manager
          6. Restrict Access to Internet Explorer and the Internet
        4. Restrict Access to System Drives
        5. Prevent Users from Running Unwanted Applications
          1. Using Software Restriction Policies
        6. Keeping the Terminal Server Available
          1. Allow or Deny Access to the Terminal Server
          2. Limit the Number of Terminal Server Connections
          3. Setting Session Time Limits
      4. Remote Control of User Sessions
      5. Summary
      6. Additional Resources
    11. 6. Installing and Publishing Applications
      1. Installing Applications on a Terminal Server
        1. Which Applications Will Work?
          1. Application Installation
          2. Concurrent Resource Usage
          3. Privacy Issues
          4. Performance Issues
          5. Device Redirection
        2. Storing Application-Specific Data
        3. Avoiding Overwriting User Profile Data
          1. Edit the Shadow Key Time Stamps
          2. Removing Sections from Shadow Keys
          3. Selectively Disabling Registry Writes
        4. Populating the Shadow Key
      2. Understanding TS RemoteApps Internals
        1. Server-Side Components
        2. Client-Side Components
        3. TS RemoteApps and Monitor Spanning
      3. Publishing Applications on a Terminal Server
        1. Using TS RemoteApp Manager to Create TS RemoteApps
          1. Adding Applications to the Allow List
          2. Editing RemoteApp Properties
            1. Choose an Appropriate Program Name
            2. Enable Integration with TS Web Access
            3. Don’t Change the Alias
            4. Adding Command-Line Arguments
            5. Editing the Application Icon
          3. Editing Distribution Options
            1. Terminal Server Tab
            2. TS Gateway Tab
            3. Digital Signature Tab
            4. Common RDP Settings Tab
            5. Custom RDP Settings Tab
          4. Maintaining Allow List Consistency Across the Farm
          5. Distributing RemoteApps
            1. Distributing RDP Files
            2. Distributing MSI Files
          6. Ending TS RemoteApp Sessions
      4. Terminal Services Web Access
        1. Installing the TS Web Access Role
        2. Associating TS Web Access with a Terminal Server
        3. TS Web Access Web Site Placement and Access Options
          1. Internal-Only URL
          2. External-Only URL
          3. Both Internal and External URLs
        4. Using TS Web Access
          1. Connecting to Other Desktops from TS Web Access
          2. Configuring TS Web Access Remote Desktop Connection Options
          3. Understanding Public and Private Mode
        5. Customizing TS Web Access
          1. Customizing the RDC Client Update Settings
          2. Changing TS RemoteApp Display
      5. Summary
      6. Additional Resources
    12. 7. Multi-Server Deployments and Securing Terminal Server Connections
      1. Securing RDP Connections
        1. Core Security Concepts
          1. RDP Encryption Levels
            1. Low Security
            2. High Security
            3. FIPS-Compliant Security
          2. Authenticating Server Identity
          3. Authenticating Client Identity with Network Level Authentication (NLA)
          4. Speeding Logons with Single Sign-on
          5. The Credential Security Service Provider
            1. How Terminal Servers Use CredSSP
            2. Managing the CredSSP Store
          6. Understanding Network Access Protection
            1. Core NAP Concepts
            2. How NAP Supports TS Gateway
        2. Configuring the Security Settings on the Terminal Server
          1. Configuring Connection Security Using the Terminal Services Configuration Tool
            1. Server Authentication
            2. Encryption Levels
            3. Network Level Authentication
          2. Configuring Connection Security Using Group Policy
            1. Server Authentication
            2. Encryption Levels
      2. Understanding Session Broker
        1. Distributing Sessions in a Farm
        2. What Is Session Broker?
        3. How Does Session Broker Work?
        4. Setting Up Session Broker
          1. Installing the TS Session Broker Role Service
          2. Configure Terminal Servers to Work with Session Broker
            1. Using Terminal Services Configuration to Join a Farm
            2. Using Group Policy to Join a Farm
      3. Enabling Remote Access Using TS Gateway
        1. How TS Gateway Works
        2. Enabling TS Gateway Authorization Policies
        3. Preparing to Install TS Gateway
          1. Installing and Configuring TS Gateway
        4. Configuring TS Gateway Options
          1. Creating and Maintaining TS Gateway Authorization Policies
            1. Creating a TS CAP
            2. Creating a TS RAP
            3. Modifying an Existing Authorization Policy
          2. Using Group Policy to Control TS Gateway Authentication Settings
          3. Enabling Access to a Terminal Server Farm
          4. Limiting Simultaneous Connections to TS Gateway
          5. Choosing an SSL Certificate to Use with TS Gateway
          6. Bypassing TS Gateway for Internal Connections
          7. Auditing TS Gateway Events
          8. Monitoring and Managing Active TS Gateway Connections
        5. Implementing TS Gateway
          1. TS Gateway: Inside the Private Network
          2. Using TS Gateway with SSL Bridging
        6. Creating a Redundant TS Gateway Configuration
          1. Creating a Fault-Tolerant TS Gateway Farm
            1. Dealing with TS Gateway Split SSL Connections
            2. Maintaining Identical Settings Across a TS Gateway Farm
            3. Using a Central NPS to Store TS CAPs
            4. Install NPS
            5. Direct the TS Gateway Servers to the NPS
            6. Configure TS Gateway Servers As RADIUS Clients
            7. Enable Access Request Forwarding
            8. Enable NPS to Trust the TS Gateway Servers
            9. Recreate TS CAPs on the NPS
          2. Configuring a Central TS RAP Store
        7. Using Network Access Protection with TS Gateway
          1. Configuring NAP Clients
        8. Troubleshooting Declined Connections to TS Gateway
      4. Summary
      5. Additional Resources
    13. 8. Managing the Terminal Server Runtime Environment
      1. Introducing Terminal Server Management Tools
        1. Terminal Services Manager
        2. Command-Line Tools
        3. Connecting Remotely to Servers for Administration Purposes
        4. Managing Terminal Servers from Windows Vista
      2. Organizing Terminal Servers in Terminal Services Manager
      3. Monitoring and Terminating Processes
        1. Monitoring Application Use
        2. Terminating Applications
      4. Monitoring and Ending User Sessions
        1. Switching Between Sessions
        2. Closing Orphaned Sessions
          1. Disconnecting Sessions
          2. Terminating Sessions
      5. Providing Help with Remote Control
        1. Enabling Remote Control via Group Policy
        2. Enabling Remote Control via Terminal Services Configuration
        3. Shadowing a User Session
        4. Troubleshooting Session Shadowing
      6. Preparing for Server Maintenance
        1. Disabling New Logons
        2. Sending Messages to Session Users
        3. Shutting Down and Restarting Terminal Servers
      7. Applying TS Management Tools
        1. Differentiating RemoteApp Sessions from Full Desktop Sessions
        2. Auditing Application Usage
          1. Get the Terminal Server Names
          2. List Processes on the Terminal Servers
          3. Extract the Application Name
          4. Record Application Instances and E-Mail Alerts
        3. Auditing User Logons
        4. Closing Unresponsive Applications
      8. Summary
      9. Additional Resources
    14. 9. Terminal Services Ecosystem Management
      1. The Case for Standardization
      2. Principles of Change Management
        1. Change Management Challenges
        2. Implementing Change Management Best Practices
          1. First, Do No Harm
          2. Who Can Make Changes?
          3. Who Authorizes Changes?
          4. What Is the Change Review Process?
          5. When Can Changes Be Made?
          6. How Do You Test Changes?
          7. How Do You Revert Change?
          8. How Do You Track Change Success and Failure?
          9. Inventory the Terminal Servers
            1. Role Inventory
            2. Hardware Inventory
            3. Software Inventory
            4. Business Asset Inventory
          10. Create a Provisioning Process
            1. Group Policy
            2. Golden Image Libraries
            3. Server Provisioning Tools
          11. Enable Improvement
        3. Backing Out Changes
        4. Demonstrating Configuration Compliance
      3. What Server Roles Need to Be Backed Up?
        1. A Quick Overview of Backup Tools in Windows Server 2008
          1. Making Roles Redundant
          2. Backing Up and Restoring TS Web Access
          3. Backing Up and Restoring TS Gateway
          4. Backing Up NPS and Centralized TS CAPs
          5. Effects of Losing a TS License Server
        2. Backing Up and Restoring TS License Server
          1. Background: How TS CALs Are Tied to a Server
          2. TS License Server Recovery Methods Requiring TS CAL Reissuance
          3. Recovering a TS License Server Using Windows Server Backup
      4. Adding Capacity
        1. Measuring Server Stress
        2. What Roles Can You Virtualize?
      5. Summary
      6. Additional Resources
    15. A. About the Authors
      1. Christa Anderson
      2. Kristin L. Griffin
    16. B. System Requirements
    17. C. Additional Resources for IT Professionals from Microsoft Press
      1. Windows Server
      2. Windows Client
      3. SQL Server 2005
      4. Exchange Server 2007
      5. Scripting
    18. D. More Great Resources for IT Professionals from Microsoft Press
      1. Administrator’s Pocket Consultant
      2. Administrator’s Companion
      3. Resource Kit
      4. Self-Paced Training Kit
    19. Index
    20. SPECIAL OFFER: Upgrade this ebook with O’Reilly