Terminal Services in Windows Server 2003 Service Pack 1


  • Author
    Posts
    • #2221
      Webmaster
      Keymaster

      Applies To: Windows Server 2003 with SP1
      What does Terminal Services do?
      On Windows Server 2003 operating systems, the Terminal Server feature gives users at client computers throughout your network access to Windows-based programs installed on terminal servers. With Terminal Server, you can provide a single point of installation that allows multiple users access to Windows Server 2003 operating system desktops, where they can run programs, save files, and use network resources, all from a remote location, as if these resources were installed on their own computers.
      Terminal Services is ideal for rapidly deploying Windows-based applications to computing devices across an enterprise—especially applications that are frequently updated, infrequently used, or hard to manage. Terminal Server lets you deliver Windows-based applications, or the Windows desktop itself, to virtually any computing device—including those that cannot run Windows.
      Windows Server 2003 Service Pack 1 includes several new features designed to maximize both the speed and efficiency of Terminal Services administration, and the security of communications between Terminal Services clients and servers.
      Who does this feature apply to?
      The features described here will be of interest to Terminal Server client users as well as IT professionals who deploy and configure Terminal Services.
      What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
      New fallback printer driver capability
      Detailed Description
      With the release of Windows Server 2003 with Service Pack 1 (SP1), you can make local printing more accessible for Terminal Server clients by configuring Terminal Services to default to a printer driver compatible with PostScript (PS) or Printer Control Language (PCL). The new fallback printer driver capability is exceptionally useful if a terminal server does not have a printer driver installed that matches the Terminal Server client user’s specific printer brand and model.
      A new Group Policy setting, Terminal Server fallback printer driver behavior, allows you to specify the location and file name of a fallback printer driver, in the event that no printer drivers installed on a terminal server are compatible with the local printer for a Terminal Server client.
      By default, the Terminal Server fallback printer driver is disabled. If the terminal server does not have a printer driver that matches the client’s printer, no printer will be available for the terminal server session.
      If the fallback printer driver is enabled, Terminal Server’s default behavior is to locate a suitable printer driver. If one is not found, the client user cannot print Terminal Server session documents to a local printer. The Group Policy setting allows you to select one of four options to modify Terminal Server printing behavior:
      Do nothing if one is not found. This is the default setting. In the event of a printer driver mismatch, the server attempts to find a suitable driver. If one is not found, the client’s printer is unavailable during the Terminal Server session.
      Default to PCL if one is not found. If no suitable printer driver can be found, Terminal Server uses the Hewlett-Packard compatible Printer Control Language (PCL) fallback printer driver.
      Default to PS if one is not found. If no suitable printer driver can be found, Terminal Server uses the Adobe PostScript (PS) fallback printer driver.
      Show both PCL and PS if one is not found. In the event that no suitable driver can be found, show both PS-based and PCL-based fallback printer drivers.
      If this setting is disabled or not configured, Terminal Server does not use a fallback printer driver.
      Printing Terminal Server session documents may still be disabled for some client computers, if the fallback printer driver’s vendors have deviated from PS or PCL specifications.
      Note
      If the Group Policy setting Do not allow client printer redirection is enabled, any configuration for the Terminal Server fallback printer driver behavior policy setting is ignored, and the fallback driver is disabled.
      Why is this change important?
      This change simplifies local printing for Terminal Server client users. The new Group Policy setting allows client users to print documents locally, if the printer driver installed on the terminal server to which they’re connected is incompatible with their local printers, provided their printers are compatible with either a PCL or a PS printer driver.
      Authentication and encryption for Terminal Services connections
      Detailed description
      In Windows Server 2003 SP1, you can enhance the security of Terminal Server by configuring Terminal Services connections to use Secure Sockets Layer (SSL)/Transport Layer Security (TLS) 1.0 for server authentication, and to encrypt terminal server communications. The version used by Terminal Services in Windows Server 2003 SP1 is TLS 1.0.
      Server prerequisites
      For SSL (TLS) authentication to work correctly, the terminal server must meet both the following prerequisites:
      The terminal server must be running Windows Server 2003 SP1.
      You must obtain a certificate for the terminal server. To obtain a certificate, use one of the following methods:
      Visit the Web site for your certification authority. For example, visit http://servername/certsrv.
      Run the Windows Server 2003 Certificate Request Wizard or the Windows 2000 Server Certificate Request Wizard.
      Obtain a certificate from a third-party certification authority, and then manually install the certificate.
      If you plan to obtain a certificate by using the certification authority Web site or the Certificate Request Wizard, a public key infrastructure (PKI) must be configured correctly to issue SSL-compatible X.509 certificates to the terminal server. Each certificate must be configured as follows:
      The certificate is a computer certificate.
      The intended purpose of the certificate is server authentication.
      The certificate has a corresponding private key.
      The certificate is stored in the terminal server’s personal store. You can view this store by using the Certificates snap-in.
      The certificate has a cryptographic service provider (CSP) that can be used for the SSL (TLS) protocol (for example Microsoft RSA SChannel Cryptographic Provider).
      For more information, see Microsoft Cryptographic Service Providers (http://go.microsoft.com/fwlink/?LinkID=40983).
      Client prerequisites
      In order for SSL (TLS) authentication to function correctly, clients must meet the following prerequisites:
      Clients must run Windows 2000 or Windows XP.
      Clients must be upgraded to use the Remote Desktop Protocol (RDP) 5.2 (Windows Server 2003) client. You can install this client-side Remote Desktop Connection package by using the %systemdrive\system32\clients\tsclient\win32\msrdpcli.msi file. The msrdpcli.msi file is located on Windows Server 2003 terminal servers. Installing this file from the terminal server installs the 5.2 version of Remote Desktop Connection to the %systemdrive\Program files\Remote Desktop folder on the destination computer. For more information, see Remote Desktop Connection for Windows Server 2003 [5.2.3790] (http://go.microsoft.com/fwlink/?LinkID=41068).
      Clients must trust the root of the server’s certificate. That is, clients must have the certificate of the certification authority (CA) that issued the server certificate in their Trusted Root Certification Authorities store. You can view the certificate by using the Certificates snap-in.
      Important
      Because RDP runs on port 3389, when using SSL (TLS) to secure RDP, SSL (TLS) will run on port 3389.
      Why is this change important?
      By default, Terminal Server uses native Remote Desktop Protocol (RDP), which provides data encryption, but does not provide authentication to verify the identity of a terminal server.
      For more information about Terminal Services and security protocol settings, see the following:
      Configure Authentication and Encryption (http://go.microsoft.com/fwlink/?LinkId=45407)
      How to configure a Windows Server 2003 terminal server to use TLS for server authentication (http://go.microsoft.com/fwlink/?LinkId=64593)
      New Group Policy settings for Terminal Services Licensing
      Detailed Description
      Windows Server 2003 SP1 includes new Group Policy settings for Terminal Services Licensing described as follows.
      Set the Terminal Server licensing mode
      The new Group Policy setting Set the Terminal Server licensing mode determines the type of Terminal Server client access license (CAL) a device or user requires to connect to a terminal server.
      When this setting is enabled, you can choose one of the following two licensing modes:
      Per User: Each user connecting to the terminal server requires a Per User Terminal Server CAL.
      Per Device: Each device connecting to the terminal server requires a Per Device Terminal Server CAL.
      If you enable this policy setting, the licensing mode that you specify overrides the licensing mode specified during setup, or in Terminal Services Configuration (TSCC.msc).
      If you disable or do not configure this policy setting, Terminal Services uses the licensing mode specified during setup or found in TSCC.msc.
      To configure the Terminal Services licensing mode on a specific terminal server using TSCC.msc, see Configure the Terminal Server licensing mode (http://go.microsoft.com/fwlink/?LinkId=45592) in the Terminal Services Help.
      Use the specified Terminal Server license servers policy setting
      The Group Policy setting Use the specified Terminal Server license servers determines whether terminal servers must first attempt to locate Terminal Server license servers that are specified in this policy setting before attempting to locate license servers elsewhere on the network.
      During the automatic discovery process, terminal servers attempt to contact license servers in the following order:
      1. Enterprise license servers or domain license servers that are specified in the LicenseServers registry key.
      2. Enterprise license servers that are specified in Active Directory.
      3. Domain license servers.
      If you enable this policy setting, terminal servers attempt to locate license servers that are specified in this setting, before following the automatic license server discovery process.
      If you disable or do not configure this policy setting, terminal servers follow the automatic license server discovery process.
      You can configure a specific terminal server to locate a Terminal Server license server using TSCC.msc. For more information, see Set preferred Terminal Server license servers (http://go.microsoft.com/fwlink/?LinkId=45410) in the Terminal Server Licensing Help.
      Show ToolTips for licensing problems on Terminal Server policy setting
      This Group Policy setting allows you, after successfully logging on to a terminal server as an administrator, to display ToolTips that show any licensing problems with the terminal server, and also display the expiration date of the terminal server’s licensing grace period. If this Group Policy setting is not configured, ToolTip display is defined by registry settings.
      Why is this change important?
      Specifying the name of a preferred licensing server in Group Policy saves time and may eliminate roadblocks to successful configuration of your terminal servers. With the name of a specific licensing server added to Group Policy, Terminal Services does not need to search the network for a licensing server.
      Using ToolTips to view Terminal Server license statistics at a glance speeds administration tasks. By configuring Group Policy to show ToolTips for Terminal Server licenses, you do not need to open the Properties dialog box for specific licenses to view status and expiration information.
      Allowing administrators to configure a global Terminal Server licensing mode makes it possible for them to implement unified license policies regardless of the configuration of Terminal Services client computers. With the new Group Policy setting, differences in configuration between terminal servers and clients can be resolved by defining a global policy that overrides other settings.
      For more information about Terminal Server Licensing, see the following:
      Terminal Server Licensing (http://go.microsoft.com/fwlink/?LinkId=45409)
      Set preferred Terminal Server license servers (http://go.microsoft.com/fwlink/?LinkId=45410)
      Update to Group Policy setting for starting a program on connection to a terminal server
      Detailed Description
      The Group Policy setting Start a program on connection configures Terminal Services to run a specified program automatically when a client connects to a terminal server.
      By default, Terminal Services sessions provide access to the full Windows desktop, unless the server administrator has otherwise specified using this policy setting, or unless the user has specified during configuration of the client connection. Enabling this Group Policy setting overrides the Start program settings made by the server administrator or user. The Start menu and Windows Desktop are not displayed, and when the user exits the program, the Terminal Server session is automatically logged off.
      If the Start a program on connection policy setting is enabled, Terminal Services sessions automatically run the specified program and use the specified working folder (or the program default folder, if a working folder is not specified) as the working folder for the program.
      If this policy setting is disabled or not configured, Terminal Services sessions start with the full desktop, unless the server administrator or client user specifies otherwise.
      Note
      This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides local user settings.
      You can configure a specific terminal server to start a program when a client successfully logs on using TSCC.msc. For more information, see Specify a program to start automatically when a user logs on (http://go.microsoft.com/fwlink/?linkid=64608) in the Terminal Services Configuration Help.
      Why is this change important?
      Before the release of Windows Server 2003 with Service Pack 1 (SP1), this policy setting could only be edited in Group Policy if the computer was a domain controller, and it was necessary to access Group Policy by opening Active Directory Users and Computers. Now, you can modify the Start program on connection policy setting in Group Policy for the local policy object, meaning that you can configure this policy setting for individual terminal servers within a domain.
      What settings are added or changed in Windows Server 2003 Service Pack 1?
      The following table lists the Group Policy settings that have changed for Terminal Services in Windows Server 2003 with SP1, and provides their locations in Group Policy.

      | Setting name | Location | Default value | Possible values |
      |---|---|---|---|
      | Terminal Server Fallback Printer Driver Behavior | Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection | Not configured | Enabled, disabled, not configured |
      | Set the Terminal Server licensing mode | Administrative Templates\Windows Components\Terminal Services | Not configured | Enabled, disabled, not configured |
      | Use the specified Terminal Server license servers | Administrative Templates\Windows Components\Terminal Services | Not configured | Enabled, disabled, not configured |
      | Show ToolTips for licensing problems on Terminal Server | Administrative Templates\Windows Components\Terminal Services | Not configured | Enabled, disabled, not configured |
      | Start a program on connection | Administrative Templates\Windows Components\Terminal Services | Not configured | Enabled, disabled, not configured |
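
The server certificate requirements listed in the post (server authentication purpose, corresponding private key, personal store, SSL-capable CSP) can be audited with a short script. This is an added example, not part of the original post or of Microsoft's documentation; it assumes Windows PowerShell 2.0 or later is installed on the terminal server, and the function name Test-TsCertificate is hypothetical.

```powershell
# Added example (not from the original document). Run in an elevated session on
# the terminal server; assumes Windows PowerShell 2.0 or later is installed.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # OID for the Server Authentication purpose

function Test-TsCertificate {          # hypothetical helper name
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Intended purpose: look for Server Authentication in the EKU extension.
    # A certificate with no EKU extension is reported as $false for manual review.
    $hasServerAuth = $false
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($usage in $ext.EnhancedKeyUsages) {
                if ($usage.Value -eq $ServerAuthOid) { $hasServerAuth = $true }
            }
        }
    }

    # The CSP name is only readable when the private key is present and accessible.
    $provider = $null
    if ($Cert.HasPrivateKey) {
        try { $provider = $Cert.PrivateKey.CspKeyContainerInfo.ProviderName }
        catch { $provider = '<unreadable>' }
    }

    New-Object PSObject -Property @{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        ServerAuthEku = $hasServerAuth
        HasPrivateKey = $Cert.HasPrivateKey
        Provider      = $provider      # compare against an SSL-capable CSP
        NotAfter      = $Cert.NotAfter
    }
}

# Cert:\LocalMachine\My is the computer's personal store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-TsCertificate $_ } |
    Format-List Subject, Thumbprint, ServerAuthEku, HasPrivateKey, Provider, NotAfter
```

A usable certificate shows ServerAuthEku and HasPrivateKey as True and a Provider suitable for SSL (TLS), such as the Microsoft RSA SChannel Cryptographic Provider named in the post.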
