Use Windows Terminal Services to remotely administer workstations

Windows always used to lag behind UNIX in remote administration capabilities. You always needed third-party software, such as PC Anywhere or VNC, to remotely administer a Windows server. But with Windows 2000, Microsoft has added a remote administration option, the thin client software known as Terminal Services. You can install Terminal Services on top of the base operating system in all versions of Windows 2000, with the exception of the Professional edition.

Terminal Services in Windows 2000 has two operating modes: Application mode and Remote Administration mode. In Remote Administration mode, Microsoft lets you run up to two concurrent Terminal Services sessions without incurring any additional licensing fees or significantly taxing the server’s resources.

Terminal Services can also help you breathe new life into older PCs. You can use Terminal Services to run client software on a low-end machine by making use of the server's resources rather than the client's. Basically, the software executes on the server hardware, and only the screen updates are sent over the network to the client machine. This allows an older, slower computer to run a state-of-the-art software package.

In this Daily Drill Down, I'll concentrate on using Terminal Services in Remote Administration mode to remotely manage a Windows 2000 server.

Server installation of Terminal Services
Installing the server component of Windows 2000 Terminal Services is very simple. All you need is a Windows 2000 CD or the network or local path to the Windows 2000 Server installation files. You'll install Terminal Services via the Configure Your Server utility in the Administrative Tools folder on the Start menu.

To install Terminal Services:
  1. Click on Start | Programs | Administrative Tools | Configure Your Server.
  2. From the list of options at the left-hand side of the screen, choose Application Server. Choose Terminal Services from the submenu that comes up.
  3. In the right-hand pane, scroll to the bottom of the page and click on Start The Windows Components Wizard.
  4. When the Windows Components Wizard appears, scroll to the bottom of the list, choose Terminal Services, and click Next.
  5. You'll need to choose a Terminal Services mode. To allow a server to be remotely managed without installing a full application server and without incurring additional licensing fees to Microsoft, choose Remote Administration mode.
  6. Click Next, and Windows will install the Terminal Services components. You'll then be prompted for the location of the Windows 2000 installation files. Be prepared with the Windows 2000 CD or a network or local location for these files.
  7. After the installation completes, you'll need to restart Windows.

Note: User logons
Before users can log on to a Terminal server, they must be allowed to do so. This is allowed by default when a user is created. But if, for some reason, the default setting has been disabled, simply check the box labeled Allow Logon To Terminal Server on the Terminal Services Profile tab of the user’s profile page.

The final step in the server installation is either to share out the client installation files on the Terminal Services server or to create a set of installation disks for the Terminal Services client.

To share out the installation files as they were installed during the Terminal Services setup, share the %systemroot%\system32\clients\tsclient\net directory on the server. In this folder are full installations for both the 16- and 32-bit versions of the client, and they don't require the use of floppies.

To create a set of floppy disks for the client:
  1. Choose Start | Programs | Administrative Tools | Terminal Services Client Utility.
  2. Choose Terminal Services for (16- or 32-bit) x86 machines from the list of services, select a destination drive, and then click OK.

You’ve now installed Terminal Services, and you can use it to remotely manage your Windows 2000 server.

Installing and using the Terminal Services client
Now that you’ve installed the Terminal Services server, it’s time to set up a PC to handle remote management of the server. You’ll do this by installing the Terminal Services client that was created in the server installation portion of this process.

Either use the installation disks (if you created them) or attach to the network share described above to install the appropriate version of the Terminal Services client. Follow the instructions on the screen to complete the installation. The Terminal Services client installation includes a Terminal Services manager, which allows you to keep track of all of your Terminal servers in one place. I’ll first look at the Terminal Services manager in detail, and then I’ll examine a sample Terminal Services session.

To start the Terminal Services manager, choose Start | Programs | Terminal Services Client | Terminal Services Manager. This will call up the Client Connection Manager dialog box shown in Figure A.

Figure A

To set up a new Terminal Services session, choose File | New Connection and click Next. Type in a name for the new connection—something descriptive, such as the server name, is generally a good idea. For my example, I'll use the name TechRepublic Article. Next, type in an IP address or local server name. I'll use a server name rather than an IP address. In this example, SCOTT-2KS is a local server (Figure B).

Figure B

Click Next, and you'll be asked to provide information that will automatically allow you to log on to the server. I personally avoid this option since my desktop PC is not in a secure location, and I don't want just anyone to be able to log on to one of my servers as an administrative user. In my example, I'll leave this option blank. Click Next, and on the Screen Options menu, you'll choose how you want to view the client screen. There are two options to choose from:
  • Screen Resolution—Choose the resolution at which you'd like to view the session. I highly recommend choosing a resolution that is equal to or lower than that of the managing PC. If you don't, you can't view the entire session on one screen, and you'll have to use scroll bars to navigate.
  • Full Screen—If you'd like to only view the server console and not see your local machine behind the window, choose this option.

Click Next for the connection options. Connection options allow you to either choose to use data compression for slow links or to cache frequently used bitmaps to the local disk to allow for faster communication. Click Next for the Starting A Program option, which allows you to specify a program that is launched automatically upon a successful connection to the server. This is handy if you have a specific administrative task that needs to be performed regularly on a server. If this is the case, you can create two shortcut connections in the Client Service Manager—one for general server administration and one that launches a regularly used program.

The next dialog box displays the icon and program group options, which are self-explanatory. Make your selections, and then click Next to continue. Click Finish to complete the process of creating an entry in the Terminal Services manager.

Connecting with the Terminal Services manager
To connect to the server, simply double-click the desired entry in the Terminal Services manager. Terminal Services operates on TCP port 3389, which you'll need to allow if there's a firewall between you and the managed server. At the logon screen, type in the username and password of a user that is allowed to use Terminal Services. Once you've been authenticated, you'll see what appears to be the console of the Windows 2000 Server on your screen. However, be careful—this is not the actual physical console of the server. It’s nothing more than a virtual console that closely mimics the actual console (Figure C).

Figure C

From this virtual console, you can do almost anything that you'd normally be able to do if you were at the server console or if you were using another program, such as VNC or PC Anywhere, with one significant exception: You can't manage services that need to interact directly with the desktop. This console is a virtual console and not the physical console. Many services that interact with the desktop are designed to redirect their output to the physical console and know nothing of the virtual console. Some services, such as Microsoft’s SQL Server service agents, are designed to work with a virtual console, but you'll need to administer others with something other than Terminal Services. In addition, don't rely on pop-up messages to notify you in the event of a problem on the server, since they may not work in Terminal Services. Instead, keep your eye on the Event Viewer.

Ending your session
There are several ways to end the Terminal Services session. Go to Start | Shut Down and choose one of the following:
  • Log Off The Server—This is the preferred way of ending a session since it logs off the current user and disconnects the remote session for another user. Remember, there are only two Terminal Services sessions allowed at one time when the service is running in Remote Administration mode.
  • Disconnect—If you plan to come back to the session, simply disconnect from it. Any programs that you started will remain running in the session. After you sign in, you'll be brought back to where you left off. Bear in mind that this keeps the connection locked so that it's unavailable to other users.
  • Shut Down—You can shut down the server from within a Terminal Services session. This will effectively end your session and power down the server, so use it with care! I've chosen this option by mistake before, and the server had to be powered back on.
  • Restart—Like Shut Down, use it with care. It will also end your session and will power down and restart the server, just as if you'd chosen the option from the actual server console.
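
Because Remote Administration mode allows only two sessions and a disconnected session keeps its slot, it helps to check who is holding the slots before you find yourself locked out. The following is an added example, not part of the original article: a Python script, run on the administrator's workstation, that parses saved output of the `query session` command. The sample output is constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample of `query session` output (not captured from a real host).
SAMPLE = """\
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 console                                     0  Conn    wdcon
 rdp-tcp                                 65536  Listen  rdpwd
>rdp-tcp#1         Administrator             1  Active  rdpwd
                   scott                     2  Disc    rdpwd
"""

REMOTE_ADMIN_LIMIT = 2  # concurrent sessions in Remote Administration mode, per the article

# Column 0 is the current-session marker (">" or a space). A disconnected session
# has an empty SESSIONNAME; listener and idle console rows have an empty USERNAME.
ROW = re.compile(r"^[ >](\S*)\s+(?:(\S+)\s+)?(\d+)\s+(\S+)")


def parse_sessions(text):
    """Return one dict per session row; the header and blank lines do not match."""
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, user, sid, state = m.groups()
            sessions.append({"name": name, "user": user or "",
                             "id": int(sid), "state": state})
    return sessions


def slot_report(sessions, limit=REMOTE_ADMIN_LIMIT):
    """Summarise which remote sessions hold a slot and which are disconnected."""
    holding = [s for s in sessions
               if s["user"] and s["name"] != "console"
               and s["state"] in ("Active", "Disc")]
    stale = [s for s in holding if s["state"] == "Disc"]
    return {
        "used": len(holding),
        "free": max(limit - len(holding), 0),
        "disconnected": [(s["id"], s["user"]) for s in stale],
    }


if __name__ == "__main__":
    report = slot_report(parse_sessions(SAMPLE))
    print(f"{report['used']}/{REMOTE_ADMIN_LIMIT} remote sessions in use, {report['free']} free")
    for sid, user in report["disconnected"]:
        print(f"disconnected session {sid} ({user}) is still holding a slot")
```

A report with no free slots and one or more disconnected entries tells you which user to ask to log off rather than disconnect.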

Using the Terminal Services Advanced Client
Microsoft has moved the functionality of the Terminal Services client to a Web-based ActiveX package, which you can download from Microsoft's Web site. This addition to Terminal Services on the server allows a user to remotely administer any Terminal Services server using only Internet Explorer—no client program is required. This is especially useful for traveling administrators who don't have laptops or who need to use public computers for remote administration.

To enable this feature, you must install an additional package on any server with IIS installed. When IIS is set up and configured, you should run the installation package you downloaded and follow the instructions to install the advanced client. Once you've installed the advanced client on the server, start any recent version of Internet Explorer and browse to http://<server>/tsweb. On the Terminal Services Advanced Client logon screen, you'll be asked for the server that you want to connect to as well as the screen size you want (Figure D). At this point, you’ll see screens very similar to those you’d see if you were using the 32-bit client.

Figure D

Security is a concern
Finally, with the security problems inherent in IIS, the security-conscious administrator will want to carefully weigh the risks before deciding to install the Terminal Services Advanced Client package. Giving anyone with Internet Explorer the potential to manage a server certainly carries risk. Requiring the Terminal Services client at least offers some small measure of security in that it’s not easily available to a would-be attacker.

Using Windows 2000 Terminal Services in Remote Administration mode lets you handle most remote administration functions without the need for third-party software. If you can live with the minor drawbacks, this free tool provides a consistent Web-based application for administering servers.
