Terminal Services in Windows Server 2003 Service Pack 1




    Webmaster

    Applies To: Windows Server 2003 with SP1
    What does Terminal Services do?
    On Windows Server 2003 operating systems, the Terminal Server feature gives users at client computers throughout your
    network access to Windows-based programs installed on terminal servers. With Terminal Server, you can provide a single
    point of installation that allows multiple users access to Windows Server 2003 operating system desktops, where they can run
    programs, save files, and use network resources, all from a remote location, as if these resources were installed on their own
    computers.
    Terminal Services is ideal for rapidly deploying Windows-based applications to computing devices across an enterprise—
    especially applications that are frequently updated, infrequently used, or hard to manage. Terminal Server lets you deliver
    Windows-based applications, or the Windows desktop itself, to virtually any computing device—including those that cannot
    run Windows.
    Windows Server 2003 Service Pack 1 includes several new features designed to maximize both the speed and efficiency of
    Terminal Services administration, and the security of communications between Terminal Services clients and servers.
    Who does this feature apply to?
    The features described here will be of interest to Terminal Server client users as well as IT professionals who deploy and
    configure Terminal Services.
    What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
    New fallback printer driver capability
    Detailed Description
    With the release of Windows Server 2003 with Service Pack 1 (SP1), you can make local printing more accessible for Terminal
    Server clients by configuring Terminal Services to default to a printer driver compatible with PostScript (PS) or Printer Control
    Language (PCL). The new fallback printer driver capability is exceptionally useful if a terminal server does not have a printer
    driver installed that matches the Terminal Server client user’s specific printer brand and model.
    A new Group Policy setting, Terminal Server fallback printer driver behavior, allows you to specify the location and file
    name of a fallback printer driver, in the event that no printer drivers installed on a terminal server are compatible with the local
    printer for a Terminal Server client.
    By default, the Terminal Server fallback printer driver is disabled. If the terminal server does not have a printer driver that
    matches the client’s printer, no printer will be available for the terminal server session.
    If the fallback printer driver is enabled, Terminal Server’s default behavior is to locate a suitable printer driver. If one is not
    found, the client user cannot print Terminal Server session documents to a local printer. The Group Policy setting allows you to
    select one of four options to modify Terminal Server printing behavior:
    Do nothing if one is not found. This is the default setting. In the event of a printer driver mismatch, the server
    attempts to find a suitable driver. If one is not found, the client’s printer is unavailable during the Terminal Server session.
    Default to PCL if one is not found. If no suitable printer driver can be found, Terminal Server uses the Hewlett-Packard
    compatible Printer Control Language (PCL) fallback printer driver.
    Default to PS if one is not found. If no suitable printer driver can be found, Terminal Server uses the Adobe PostScript
    (PS) fallback printer driver.
    Show both PCL and PS if one is not found. In the event that no suitable driver can be found, show both PS-based and
    PCL-based fallback printer drivers.
    If this setting is disabled or not configured, Terminal Server does not use a fallback printer driver.
    Printing Terminal Server session documents may still be disabled for some client computers, if the fallback printer driver’s
    vendors have deviated from PS or PCL specifications.
    Note
    If the Group Policy setting Do not allow client printer redirection is enabled, any configuration for the Terminal Server
    fallback printer driver behavior policy setting is ignored, and the fallback driver is disabled.
    Why is this change important?
    This change simplifies local printing for Terminal Server client users. The new Group Policy setting allows client users to print
    documents locally, if the printer driver installed on the terminal server to which they’re connected is incompatible with their
    local printers, provided their printers are compatible with either a PCL or a PS printer driver.
    Authentication and encryption for Terminal Services connections
    Detailed description
    In Windows Server 2003 SP1, you can enhance the security of Terminal Server by configuring Terminal Services connections
    to use Secure Sockets Layer (SSL)/Transport Layer Security (TLS) 1.0 for server authentication, and to encrypt terminal server
    communications. The version used by Terminal Services in Windows Server 2003 SP1 is TLS 1.0.
    Server prerequisites
    For SSL (TLS) authentication to work correctly, the terminal server must meet both the following prerequisites:
    The terminal server must be running Windows Server 2003 SP1.
    You must obtain a certificate for the terminal server. To obtain a certificate, use one of the following methods:
    Visit the Web site for your certification authority. For example, visit http://servername/certsrv.
    Run the Windows Server 2003 Certificate Request Wizard or the Windows 2000 Server Certificate Request
    Wizard.
    Obtain a certificate from a third-party certification authority, and then manually install the certificate.
    If you plan to obtain a certificate by using the certification authority Web site or the Certificate Request Wizard, a public key
    infrastructure (PKI) must be configured correctly to issue SSL-compatible X.509 certificates to the terminal server. Each
    certificate must be configured as follows:
    The certificate is a computer certificate.
    The intended purpose of the certificate is server authentication.
    The certificate has a corresponding private key.
    The certificate is stored in the terminal server’s personal store. You can view this store by using the Certificates snap-in.
    The certificate has a cryptographic service provider (CSP) that can be used for the SSL (TLS) protocol (for example
    Microsoft RSA SChannel Cryptographic Provider).
    For more information, see Microsoft Cryptographic Service Providers (http://go.microsoft.com/fwlink/?LinkID=40983).
    Client prerequisites
    In order for SSL (TLS) authentication to function correctly, clients must meet the following prerequisites:
    Clients must run Windows 2000 or Windows XP.
    Clients must be upgraded to use the Remote Desktop Protocol (RDP) 5.2 (Windows Server 2003) client. You can install
    this client-side Remote Desktop Connection package by using the
    %systemdrive\system32\clients\tsclient\win32\msrdpcli.msi file. The msrdpcli.msi file is located on Windows
    Server 2003 terminal servers. Installing this file from the terminal server installs the 5.2 version of Remote Desktop
    Connection to the %systemdrive\Program files\Remote Desktop folder on the destination computer. For more
    information, see Remote Desktop Connection for Windows Server 2003 [5.2.3790]
    (http://go.microsoft.com/fwlink/?LinkID=41068).
    Clients must trust the root of the server’s certificate. That is, clients must have the certificate of the certification authority
    (CA) that issued the server certificate in their Trusted Root Certification Authorities store. You can view the certificate by
    using the Certificates snap-in.
    Important
    Because RDP runs on port 3389, when using SSL (TLS) to secure RDP, SSL (TLS) will run on port 3389.
    Why is this change important?
    By default, Terminal Server uses native Remote Desktop Protocol (RDP), which provides data encryption, but does not provide
    authentication to verify the identity of a terminal server.
    For more information about Terminal Services and security protocol settings, see the following:
    Configure Authentication and Encryption (http://go.microsoft.com/fwlink/?LinkId=45407)
    How to configure a Windows Server 2003 terminal server to use TLS for server authentication
    (http://go.microsoft.com/fwlink/?LinkId=64593)
    New Group Policy settings for Terminal Services Licensing
    Detailed Description
    Windows Server 2003 SP1 includes new Group Policy settings for Terminal Services Licensing described as follows.
    Set the Terminal Server licensing mode
    The new Group Policy setting Set the Terminal Server licensing mode determines the type of Terminal Server client access
    license (CAL) a device or user requires to connect to a terminal server.
    When this setting is enabled, you can choose one of the following two licensing modes:
    Per User: Each user connecting to the terminal server requires a Per User Terminal Server CAL.
    Per Device: Each device connecting to the terminal server requires a Per Device Terminal Server CAL.
    If you enable this policy setting, the licensing mode that you specify overrides the licensing mode specified during setup, or in
    Terminal Services Configuration (TSCC.msc).
    If you disable or do not configure this policy setting, Terminal Services uses the licensing mode specified during setup or found
    in TSCC.msc.
    To configure the Terminal Services licensing mode on a specific terminal server using TSCC.msc, see Configure the Terminal
    Server licensing mode (http://go.microsoft.com/fwlink/?LinkId=45592) in the Terminal Services Help.
    Use the specified Terminal Server license servers policy setting
    The Group Policy setting Use the specified Terminal Server license servers determines whether terminal servers must first
    attempt to locate Terminal Server license servers that are specified in this policy setting before attempting to locate license
    servers elsewhere on the network.
    During the automatic discovery process, terminal servers attempt to contact license servers in the following order:
    1. Enterprise license servers or domain license servers that are specified in the LicenseServers registry key.
    2. Enterprise license servers that are specified in Active Directory.
    3. Domain license servers.
    If you enable this policy setting, terminal servers attempt to locate license servers that are specified in this setting, before
    following the automatic license server discovery process.
    If you disable or do not configure this policy setting, terminal servers follow the automatic license server discovery process.
    You can configure a specific terminal server to locate a Terminal Server license server using TSCC.msc. For more information,
    see Set preferred Terminal Server license servers (http://go.microsoft.com/fwlink/?LinkId=45410) in the Terminal Server
    Licensing Help.
    Show ToolTips for licensing problems on Terminal Server policy setting
    This Group Policy setting allows you, after successfully logging on to a terminal server as an administrator, to display ToolTips
    that show any licensing problems with the terminal server, and also display the expiration date of the terminal server’s
    licensing grace period. If this Group Policy setting is not configured, ToolTip display is defined by registry settings.
    Why is this change important?
    Specifying the name of a preferred licensing server in Group Policy saves time and may eliminate roadblocks to successful
    configuration of your terminal servers. With the name of a specific licensing server added to Group Policy, Terminal Services
    does not need to search the network for a licensing server.
    Using ToolTips to view Terminal Server license statistics at a glance speeds administration tasks. By configuring Group Policy
    to show ToolTips for Terminal Server licenses, you do not need to open the Properties dialog box for specific licenses to view
    status and expiration information.
    Allowing administrators to configure a global Terminal Server licensing mode makes it possible for them to implement unified
    license policies regardless of the configuration of Terminal Services client computers. With the new Group Policy setting,
    differences in configuration between terminal servers and clients can be resolved by defining a global policy that overrides
    other settings.
    For more information about Terminal Server Licensing, see the following:
    Terminal Server Licensing (http://go.microsoft.com/fwlink/?LinkId=45409)
    Set preferred Terminal Server license servers (http://go.microsoft.com/fwlink/?LinkId=45410)
    Update to Group Policy setting for starting a program on connection to a terminal server
    Detailed Description
    The Group Policy setting Start a program on connection configures Terminal Services to run a specified program
    automatically when a client connects to a terminal server.
    By default, Terminal Services sessions provide access to the full Windows desktop, unless the server administrator has
    otherwise specified using this policy setting, or unless the user has specified during configuration of the client connection.
    Enabling this Group Policy setting overrides the Start program settings made by the server administrator or user. The Start
    menu and Windows Desktop are not displayed, and when the user exits the program, the Terminal Server session is
    automatically logged off.
    If the Start a program on connection policy setting is enabled, Terminal Services sessions automatically run the specified
    program and use the specified working folder (or the program default folder, if a working folder is not specified) as the
    working folder for the program.
    If this policy setting is disabled or not configured, Terminal Services sessions start with the full desktop, unless the server
    administrator or client user specifies otherwise.
    Note
    This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the
    Computer Configuration setting overrides local user settings.
    You can configure a specific terminal server to start a program when a client successfully logs on using TSCC.msc. For more
    information, see Specify a program to start automatically when a user logs on (http://go.microsoft.com/fwlink/?linkid=64608)
    in the Terminal Services Configuration Help.
    Why is this change important?
    Before the release of Windows Server 2003 with Service Pack 1 (SP1), this policy setting could only be edited in Group Policy if
    the computer was a domain controller, and it was necessary to access Group Policy by opening Active Directory Users and
    Computers. Now, you can modify the Start program on connection policy setting in Group Policy for the local policy object,
    meaning that you can configure this policy setting for individual terminal servers within a domain.
    What settings are added or changed in Windows Server 2003 Service Pack 1?
    The following table lists the Group Policy settings that have changed for Terminal Services in Windows Server 2003 with SP1,
    and provides their locations in Group Policy.
    Setting name | Location | Default value | Possible values
    Terminal Server Fallback Printer Driver Behavior | Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection | Not configured | Enabled, disabled, not configured
    Set the Terminal Server licensing mode | Administrative Templates\Windows Components\Terminal Services | Not configured | Enabled, disabled, not configured
    Use the specified Terminal Server license servers | Administrative Templates\Windows Components\Terminal Services | Not configured | Enabled, disabled, not configured
    Show ToolTips for licensing problems on Terminal Server | Administrative Templates\Windows Components\Terminal Services | Not configured | Enabled, disabled, not configured
    Start a program on connection | Administrative Templates\Windows Components\Terminal Services | Not configured | Enabled, disabled, not configured
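
One way to check the certificate requirements listed under "Server prerequisites" above, as an added example that is not part of the original post or of Microsoft's documentation. It assumes Windows PowerShell with the Cert: provider is available on the terminal server; the output column names are chosen here for illustration.

```powershell
# Added example: list certificates in the local computer's Personal store and
# report, for each one, the properties the prerequisites above call for.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication purpose

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Collect the Enhanced Key Usage OIDs, if the extension is present.
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
        }
    }

    # Read the name of the CSP that holds the private key. Keys that are not
    # held by a CSP, or that cannot be opened, leave this column empty.
    $provider = $null
    if ($cert.HasPrivateKey) {
        try   { $provider = $cert.PrivateKey.CspKeyContainerInfo.ProviderName }
        catch { $provider = $null }
    }

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey                  # "corresponding private key"
        ServerAuthEku = ($ekuOids -contains $serverAuthOid)  # "server authentication" purpose
        CspProvider   = $provider                            # compare with the CSP named above
    }
} | Format-Table Subject, HasPrivateKey, ServerAuthEku, CspProvider -AutoSize
```

A certificate that meets the listed requirements shows True in both HasPrivateKey and ServerAuthEku and a CspProvider value that supports SSL (TLS), such as the provider the text names.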
