SolutionBase: Administering Terminal Services in Windows Server 2003

Terminal Services adds a whole new level of duties for a network administrator. Here's how to perform some common administration tasks.

Terminal Services under Windows Server 2003 provides you with a great way to provide consistent, easily administered services and software to your users. With your initial implementation out of the way, you can start the day-to-day administration of these services so your users can be productive. Here are some of the common administration tasks that you should know how to accomplish in Terminal Services under Windows Server 2003 with Windows XP clients.

Choose a security mode

Terminal Services can run in two different security modes, each providing a different level of security. The first mode, relaxed security mode, uses permissions compatible with Windows NT 4.0 Terminal Server Edition. In this mode, the Terminal Server User's security descriptor is applied to a number of registry keys, as well as to each member of the Users group. The consequence is that any user can change files and registry settings at various places throughout the system, which is not a desirable situation.

For that reason, it is recommended that you use full security mode. However, this works only if applications are written in such a way that they can run in the context of a normal user, without having to resort to the Terminal Server User account. When testing new applications, always start your testing in full security mode and change to relaxed security mode only if you have a critical application that requires it.

Changing modes

You can change the security mode in which Terminal Services operates by going to Start | Administrative Tools | Terminal Services Configuration. Click Server Settings in the left pane and double-click the Permission Compatibility option in the settings column. You'll see the Permission Compatibility window shown in Figure A.

Figure A

The Permission Compatibility window

Select the appropriate security option from this window and click OK to continue.

Installing new software

Installing new software is a little more complex on a terminal server than on a stand-alone PC, but accomplishes the same goal. Applications on a terminal server absolutely require more testing and should be installed before you have users using the server, when possible. When that's not possible, you must install new applications only when there are no users connected to the server.

While you can install new software in Terminal Services by using the command line, the preferred method is to use the Add Or Remove Programs option in Control Panel. However, there are times when the command line option is the best way to go. The Control Panel option is discussed first below, and the command line option will be presented a little later.

Use Add Or Remove Programs

As the preferred method, you should use the Add Or Remove Programs Control Panel applet to install new programs whenever possible. Go to Start | Control Panel | Add Or Remove Programs and select Add New Programs from the list of options at the left side of the screen. For this example, I will install Office 2003 into Terminal Services. Since Office 2003 is CD-based, click the CD Or Floppy button in the main window, shown in Figure B.

Figure B

Add a new program to the terminal server using the Add Or Remove Programs applet.

The Add Or Remove Programs applet asks you to insert the new product's first disk or CD into the server, then it attempts to locate the installation program. If it doesn't find the right program, click the Browse button to find it manually. In this example, the Office 2003 installer is found at D:\setup.exe.

At this point, the installation proceeds as it would if you installed the software on a stand-alone PC. However, notice that the Add Or Remove Programs applet stays open in the background with a window indicating that you should press Next after the program has completed installation. I won't go over the complete Office installation here since you've probably seen it before, but will note that I opted to install only the Word and Excel components for the example.

After the Office installation is complete, click the Next button in the Add Or Remove Programs wizard. You will get a screen with nice big letters indicating that you should either finish the Add Or Remove Programs wizard or cancel it, but only after the installation has completed, and without regard for whether or not it was successful. If you're told that you have to restart the computer after the installation, make sure to close out the wizard with either Finish or Cancel before rebooting, as shown in Figure C.

Figure C

Click Finish or Cancel, depending on whether the installation was successful.

Since the Office 2003 installation on my server was successful, I clicked Finish.

Use the command line

The command line option is useful in situations when you're unable to use Control Panel to install new software. A good example of this is software installation from a Web site where there is no direct executable. Before installing the software, go to the command line and type change user /install to force the login session to require the software to be installed into the systemroot. When you are done, use the command change user /execute to restore the session to execute mode.

If you are unsure which mode the system is in, use the change user /query command to find out.

For this example, I installed Jasc's Paint Shop Pro 8 application using the command line method.
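
The install-mode procedure above as a batch script, added here as an illustration and not part of the original article: it refuses to run while other users have sessions, switches to install mode, runs the installer, and always restores execute mode. The script name tsinstall.cmd, the variable names, and the expectation that change user /query prints English text containing INSTALL are assumptions of this example.

```batch
@echo off
rem Added example (not from the article). Hypothetical name: tsinstall.cmd
rem Usage: tsinstall.cmd "D:\setup.exe" [installer arguments]
setlocal

if "%~1"=="" (
    echo Usage: %~nx0 "path\to\installer.exe" [arguments]
    exit /b 2
)

rem Count sessions that belong to anyone other than the current user.
rem "query user" prefixes the current session with ">" and prints one
rem header line containing USERNAME; everything else is another user.
set OTHERS=0
for /f %%N in ('query user 2^>nul ^| findstr /v /b /c:">" ^| findstr /v /c:"USERNAME" ^| find /c /v ""') do set OTHERS=%%N
if not "%OTHERS%"=="0" (
    echo %OTHERS% other session^(s^) found. Log those users off first.
    exit /b 1
)

rem Switch to install mode, then confirm it with /query rather than
rem trusting the exit code. Assumes English output containing INSTALL.
change user /install >nul
change user /query | findstr /i /c:"INSTALL" >nul
if errorlevel 1 (
    echo Session did not enter install mode. Nothing was installed.
    exit /b 1
)

rem Run the installer and wait for it. An installer that hands off to a
rem child process and exits early returns here before it has finished.
start "" /wait %*
set RC=%ERRORLEVEL%

rem Always return to execute mode, whether or not the installer succeeded.
change user /execute >nul
change user /query

exit /b %RC%
```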

User administration

With applications ready to go, you need to make sure your users can actually access them. Add the users to the Remote Desktop Users group to accomplish this. Use Active Directory Users And Computers for domain servers or the Computer Management application for stand-alone servers. Alternatively, for systems that are not domain controllers, you can use the Select Remote Users button on the Remote tab in System Properties. For domain controllers, this button is disabled, so you must use one of the other methods.

Use the application

And now, for the real test: Does it work? To make this determination, you need to connect to the Terminal Services server. When you connect to a Terminal Services server, you can use just a single application, or you can provide the user with a full desktop based on Windows Server 2003 from which they can launch applications just as they normally would. This is the way that the Remote Desktop For Administration function works in Windows Server 2003 and is well documented. For this example, I will show you how to launch one of your newly installed applications.

From Windows XP, go to Start | All Programs | Accessories | Communications | Remote Desktop Connection. You will get a window that asks for the name of the machine to which you would like to connect. If you provide a machine name, the client will connect to that machine and prompt you for login credentials, after which you'll get a desktop, unless the administrator has created a different profile for you.

Click the Options button to expand this window beyond just the server name. You'll see five tabs:

  • General
  • Display
  • Local Resources
  • Programs
  • Experience

The General tab, shown in Figure D, lets you provide the Terminal Services server name along with an appropriate user name, password, and domain. You can also opt to save the password so you are automatically connected to the Terminal Services server.

Figure D

The Remote Desktop Client General tab

Use the Display tab, shown in Figure E, to determine the resolution and number of colors that will be used for the connection. The more colors you use and the bigger the screen, the more data has to be sent over the network. For slow connections, use lower settings.

Figure E

The Remote Desktop Client Display tab

You can continue to make use of certain local devices from inside your remote connection by enabling or disabling options on the Local Resources tab, shown in Figure F. For example, if you want to have access to your local floppy drive from inside the connection, click the Disk Drives option on this tab.

Figure F

The Remote Desktop Client Local Resources tab

The Programs tab, shown in Figure G, provides you with the ability to start a specific program upon successful connection to a Terminal Services server. Just specify the path to the program and, optionally, a starting folder.

Figure G

The Remote Desktop Client Programs tab

Terminal Services connection performance is somewhat dependent on which features you enable on the Experience tab, shown in Figure H. For slower connections and slower Terminal Services servers, disable some of these options. If you have sufficient bandwidth and faster servers, you can enable these options.

Figure H

The Remote Desktop Client Experience tab

When you're done, you can save this information to a shortcut on your desktop by clicking the Save As button on the General tab.

When you're ready to start the program, double-click the shortcut on the desktop, or press the Connect button from the shortcut. If you have opted to share local disk drives, you'll get a warning indicating that this is a potential security problem unless you fully trust the computer.

In Figure I, you can see Paint Shop Pro running successfully over a Terminal Services remote desktop connection. I configured it with my username and password, so I just need to double-click the shortcut and Paint Shop Pro loads. Since I provided the path to Paint Shop Pro as a part of the connection, when I exit the program, Terminal Services also logs me out.

Figure I

Paint Shop Pro 8 running on Terminal Services

Terminal Services Manager

The Terminal Services Manager application is the place where you manage connections to the server. When you initially open Terminal Services Manager (Start | Administrative Tools | Terminal Services Manager), and select your server, you're shown a list of all the server's active connections, as shown in Figure J.

Figure J

A list of connections to Windows Server 2003

Notice that the Administrator account at the top of the list is shown in green with a session of Console listed. This means exactly what it says—the Administrator is currently logged in to the physical server console. Beneath that connection is an RDP connection to the terminal server that is currently active. Right-click the connection to get a menu of options, including an option to disconnect the user immediately, send the user a message, reset a connection, get the status of the connection, or log the user off.

In the left-hand pane, click an active RDP connection to see a list of processes in use by that particular connection. See Figure K.

Figure K

A list of processes in the current connection

Click the Information tab to get other details, such as the name of the client from which the connection originates, as shown in Figure L.

Figure L

Other information about the current connection

You can also get certain session information by clicking the server name and selecting the Sessions tab, as shown in Figure M.

Figure M

A list of current sessions