Section 7.1: Terminal Services Components
The Terminal Services service in Windows Server 2003 supports three separate components: Remote Desktop for Administration; Remote Assistance; and the terminal server role. Remote Desktop for Administration and Remote Assistance are installed with the installation of Windows XP Professional and Windows Server 2003 by default, but in a disabled state, while the terminal server role is not installed with the default installation of Windows Server 2003 and must be installed through the Add/Remove Windows Components in the Add or Remove Programs application in Control Panel. Both Remote Desktop for Administration and Remote Assistance can be enabled on the Remote tab of the System Properties windows in Control Panel.
7.1.1: Remote Desktop for Administration
Remote Desktop for Administration enables remote server administration over a TCP/IP network. It is installed with the operating system by default, but is disabled. Once Remote Desktop for Administration is enabled, members of the administrators group can connect and use it by default, while non-administrators must be specifically granted access. You can accomplish this by adding the user accounts that require access to the Remote Desktop Users group on the server. This can be done through Computer Management in Administrative Tools, or through the System Properties window in Control Panel.
To grant a user access using Computer Management, do the following:
• Click on the START button to display the Start Menu
• Point to ALL PROGRAMS
• Click on ADMINISTRATIVE TOOLS
• Then click on COMPUTER MANAGEMENT
• In the console tree, expand the systems tools node
• Expand the local users and groups node
• Expand the groups node
• In the details pane, right-click the remote desktop users group to open the Remote
Desktop Users Properties window
• From the pop-up menu, select add to group
• Then click the ADD button
• Click on the advanced button to locate the user accounts to which you wish to grant access
• Click on the FIND NOW button
• Select the users accounts to which you wish to grant access
• Then click OK
• Click OK again to close the Select Users windows
• Finally, click OK to close the Remote Desktop Users Properties window
To grant a user access using the System Properties window, do the following:
• Click on the START button to display the Start Menu
• Click on CONTROL PANEL
• In Control Panel, click on system to open the System Properties window
• Click on the remote tab
• In the Remote Desktop section of the Remote tab, click the select remote users button to open the Remote Desktop Users dialog box
• In the Remote Desktop Users dialog box, click add
• Click on the advanced button to locate the user accounts to which you wish to grant access
• Click on the FIND NOW button
• Select the users accounts to which you wish to grant access
• Then click OK
• Click OK again to close the Select Users windows
• Finally, click OK to close the System Properties window
Remote Desktop for Administration allows a maximum of two concurrent connections for the purposes of remotely administering the server. By default, when a Terminal Services client connects to this component, a new session is created and a copy of the Windows Server 2003 desktop is displayed in a window on the client computer.
This copy of the desktop is not the actual server desktop, called the console session that you would see at the actual server. Thus, when you connect to the server using Terminal Services you will not see the console by default, and will not see any popup messages form server-based applications that are capable of delivering messages only to the server's primary console session. You also will not see any applications that might be running on the console session, unless you use a Terminal Services client that uses at least version 5.1 of the Remote Desktop Protocol (RDP) to run a remote console session. However, only a single console session can run at a time, therefore, the console screen on the actual server is locked when the remote session is established.
Terminal Services allows a maximum of two concurrent Remote Desktop connections without requiring licensing for those connections.
7.1.2: Web-Based Administration
A new feature in Windows Server 2003 is the capability to perform Remote Administration from any Microsoft Internet Explorer 5.0 or later browser without a locally installed client. This allows you to connect to and remotely administer a server using Terminal Services from any client system that is capable of running Microsoft Internet Explorer 5.0 or later. This feature uses the Remote Desktop Web Connection utility, which consists of an ActiveX component that is downloaded to the client browser and sample Web pages that the client uses to connect to. The Remote Desktop Web Connection utility, however, requires that Internet Information Services 6.0 be installed on the server.
7.1.3: Remote Assistance
Remote Assistance is installed with the operating system by default but is disabled. Thus, it must be enable before it can be used. Remote Assistance allows a user at one computer to ask for assistance from a user at another computer, on the network or across the Internet. This request for assistance can be made through Windows Messenger, e-mail, or through a transferred file. The assistant can also offer remote assistance without receiving an explicit request if Group Policy settings are configured to enable offering of remote assistance and the assistant is listed in the Offer Remote Assistance policy, or is a local administrator. However, the user requiring assistance must grant the assistant permission to take over the user's computer.
When an assistant receives a request for assistance, he or she can initiate a connection to the requesting user's computer. Once connected, the assistant is able to view the actual desktop and applications that are in use on the requesting user's computer. In addition, a special application is launched on the requesting user's computer that allows the user to chat with the assistant and control the session. In addition, files can be transferred easily between the two through the Remote Assistance interface. Remote Assistance on the requesting user's computer can also be configured to allow the assistant to interact with the requesting user's desktop and applications on the requesting user's compute. This allows both the requesting user and the remote assistant to control the computer at the same time. The RDP protocol is used during this session so that only screen updates are sent to the client, i.e. the assistant, while keystrokes and mouse movements are sent back to the server, i.e., the user requesting assistance.
Remote Assistance requires that both computers be running Windows XP Professional or Server 2003. In addition, Remote Assistance invitations can require that the assistant provide a password, to prevent an impostor from connecting to the computer while pretending to be the assistant. You can also specify the amount of time for which a Remote Assistance invitation will remain valid. Users also have the option to turn off the Remote Assistance feature entirely.
Only one Remote Desktop session at a time can connect to a Windows XP Professional system. In addition, when you connect via Remote Desktop to a Windows XP Professional computer, you will see all the applications that are running on the desktop of that Windows XP computer.
7.1.3.1: Requesting Assistance
A user can use three methods to request assistance by sending an invitation using Remote Assistance: the invitation can be sent using Windows Messenger; e-mail; or a transferred file.
To create an invitation, do the following:
• Click on the START button to display the Start Menu
• Click on HELP AND SUPPORT CENTER
• Click on the INVITE A FRIEND TO CONNECT TO YOUR COMPUTER USING REMOTE assistance link under Ask for assistance
• On the following screen, click the invite someone to help you link
• On the following screen, select the method that you want to use in asking for assistance
7.1.3.2: Using Windows Messenger to Request Assistance
Windows Messenger is installed in Windows XP by default, but not in Windows Server 2003. If you do not have Windows Messenger installed, you begin the installation process from the Help and Support Center by clicking on the DOWNLOAD WINDOWS MESSENGER link. This will open an Internet Explorer window with a Web page that displays the latest version of Windows Messenger for download. On the Web page, click the download now button. Then, when the Save As dialog box opens, click the open button. After the download has completed, click yes in the Security Warning dialog box that appears.
When installation has completed, the application will launch and ask you to sign in. If you have a username and password provided by your administrator, or a valid Microsoft .NET Passport account, click the CLICK HERE TO SIGN IN link in the Windows Messenger window. The CLICK HERE TO SIGN IN link will open up the .NET Passport Wizard, which will associate a .NET Passport account with your Windows user account.
When you use Windows Messenger for Remote Assistance, the invitation travels through a messaging server infrastructure that can include the Internet, or can work with Microsoft Exchange Server within the LAN. After the invitation messages have been exchanged, the actual RDP connection attempt and subsequent session take place directly between the two computers.
If Messenger is installed, the user from whom you wish to solicit assistance must be on the network and logged on to his or her Windows Messenger client. If this is the case, you can click the name of the contact from whom you want to solicit assistance, followed by the invite this person link. You can also request assistance from within the Windows Messenger application, by double-clicking a contact to establish a conversation with him or her and then selecting the ask for remote assistance link. In either event, the user you sent the invitation to can then click the accept link in his or her Windows Messenger window to initiate the connection, or click the decline link to reject it.
However, invitations for assistance do not stay valid indefinitely. They have an expiration time, which is set to one hour by default. If the user from whom you wish to solicit assistance neither accepts nor declines the invitation before the invitation expires, he or she will be unable to establish a connection in response to the invitation. The user sending the request can alter the expiration time of the invitations he or she sends, from 1 minute to 99 days. To modify the default expiration time, do the following:
• Click on the START button to display the Start Menu
• Click on CONTROL PANEL
• In Control Panel, click on system to open the System Properties window
• Click on the remote tab
• In the Remote Assistance section of the Remote tab, click the advanced button to open the Remote Assistance Setting dialog box
• In the Invitations section of the Remote Assistance Setting dialog box, select the desired number and interval from the appropriate drop down lists
• Then click OK to close the Remote Assistance Setting dialog box
• Click OK to close the System Properties window
7.1.3.3: Using E-Mail to Request Assistance
You must first have a default mail client configured on the Windows Server 2003 computer before you can use e-mail to send a Remote Assistance invitation. To create a Remote Assistance invitation using e-mail, select the e-mail option after clicking on the invite a friend to connect to your computer using REMOTE ASSISTANCE link and the INVITE SOMEONE TO HELP YOU link in HELP AND SUPPORT CENTER. This will allow you to set the expiration time for the invitation, and to set a password require that the recipient to required to use. The password is required by default but can be disabled by clearing the REQUIRE THE RECIPIENT TO USE A PASSWORD check box.
When the recipient receives an invitation for remote assistance, a short e-mail message entitled "you have received A remote assistance invitation" appears in his or her inbox. This message contains a link that the recipient must click. When the recipient clicks the link, his or her browser will open to a page on Microsoft's Web site. The entire process of the two computers finding each other using this method takes place through Microsoft's Web site. In addition, e-mail-based remote assistance depends on a Remote Assistance Server Control that is downloaded during the process. When the recipient visit the site, a Security Warning dialog box will appear and he or she will be prompted to specify whether he or she wants to install the Remote Assistance Server Control.
If the recipient selects yes, the control will download and the page will load. If the recipient is accessing the Web page from a Windows XP Professional or Windows Server 2003 computer, he or she will see a start remote assistance button in the middle of the Web page. When he or she clicks this button, a small Remote Assistance dialog box appears requesting the password associated with the invitation. After the recipient enters the password, he or she must click the yes button to begin the connection.
7.1.3.4: Using a Saved File to Request Assistance
The third method that you can use to request assistance is to use a saved file that is transferred to the user from whom you want to solicit assistance. To create a Remote Assistance invitation using a transferred file, select the save information as a file (advanced) option after clicking on the invite a friend to CONNECT TO YOUR COMPUTER USING REMOTE ASSISTANCE link and the INVITE SOMEONE TO HELP YOU link in Help and Support Center. This opens a page which contains an enter your name text box into which you type your name and an option that allows you to set expiration time for the invitation. This method also requires that the recipient to use a password by default, but you can disable this requirement by clearing the require the recipient to use a password check box.
Once you have entered all the required information, a save invitation button is activated. Clicking this button brings up the Save As dialog box on which you can specify a name and location for the file. The file will be saved with an .msrcincident extension. The file can now be transferred to the user from whom you wish to solicit assistance.
When the user from whom you wish to solicit assistance receives the .msrcincident file, he or she can open it by double-clicking the file. This action opens a Remote Assistance dialog box, requesting the password associated with the invitation. After the assistant enters in the password, he or she must click the yes button to initiate the connection.
7.1.4: Terminal Server Role
The Terminal Services Role provides remote access to a server through terminal emulation software, which sends keystrokes and mouse movements to the server and allows clients to execute applications, process data, and store data on the server. Thereafter the Terminal server returns the display to the client. The terminal emulation software can run on a number of client hardware devices, such as a personal computer, a Handheld PC (H/PC), or a terminal. This also allows remote control of servers and centralized application management, and minimizes the network requirements between the server and client.
The Terminal Services Role involves the creation of several components that works together. These components include a presentation layer protocol called the Remote Desktop Protocol (RDP) and a core architectural component called the Multi-Win.
The Multi-Win component enables more than one user to be logged in locally. It is a core component of Terminal Services and is used in Remote Desktop for Administration, Remote Assistance, and the terminal server role. The creation of Multi-Win enabled remote users to log on and use the server as if they were local users. The Multi-Win component also keeps each user's system and application settings separate, even when many are logged on concurrently. This enables remote users to launch and use applications on the remote system. When you establish a terminal server session, by default you see a copy of the desktop from the server to which you have connected. When you double-click an icon within this session and launch an application, it launches in your session on the server. It uses the server's processor, the server's memory, and accesses the server's hard disk. Only images of the screen transfer to the local computer; the application files never leave the server.
Note: Each client computer that accesses Terminal server that is used in terminal server role must have the Terminal Services Client Access License as well as the Windows 2003 Client Access License. You are, however, allowed to run Terminal Services in terminal server role for 120 days without using any license. Thereafter the service will fail.
The Remote Desktop Protocol (RDP) is responsible for transferring the screen information from the server to the client and the cursor movements and keystrokes from the client to the client session on the server. Windows XP and Windows Server 2003 use RDP version 5.1, while Windows 2000 uses RDP v5.0 and Windows NT 4.0 uses RDP v4.0.
RDP uses encryption to protect the information that is sent between the terminal server and the client computer and uses port 3389 to transfer this information.
7.1.4.1: Installing the Terminal Services Role
You can use Add/Remove Windows Components in the Add or Remove Programs application in Control Panel, or the Manage Your Server utility in Administrative Tools to install Terminal Server on a Windows Server 2003 computer. To install Terminal Server through the Manage Your Server utility, do the following:
• Click on the START button to display the Start Menu
• On the Start Menu click on ALL PROGRAMS
• Click on ADMINSTRATIVE TOOLS
• Click on MANAGE YOUR SERVER
• Click the ADD OR REMOVE A ROLE link to open the Configure Your Server Wizard
• Then, click next to open the Configuration Options page
• Select the custom configuration radio button
• Then click next to open the Server Role page
• Click TERMINAL SERVER to highlight the role in the list
• Then click next to open the Summary of Selections page
• Click next again to install Terminal Services
• On the dialog box that appears to inform you that the server will reboot automatically as part of the installation process, click OK
• The Configure Your Server Wizard will installs Terminal Services and will reboot the computer
• Log on to the computer as an administrator
• Then click the FINISH button on the Configure Your Server Wizard
7.1.4.2: Installing Terminal Server Licensing
After you have installed the Terminal Server role, you must install Terminal Server licensing. If you fail to do so, all Terminal Server connections will be rejected starting 120 days after the first client logs on. Microsoft recommends that you install Terminal Server licensing on a server that does not host the terminal server role. The terminal server licensing component must be added using Add or Remove Programs from Control Panel. To install the terminal server licensing component, do the following:
• Click on the START button to display the Start Menu
• On the Start Menu click on CONTROL PANEL
• Click on ADD OR REMOVE PROGRAMS
• Click the add/remove WINDOWS components button to open the Windows Components Wizard
• In the Components list, scroll down to select the terminal server licensing check box
• Then click NEXT to open the Terminal Server Licensing Setup page
• On the Terminal Server Licensing Setup page, select the way you will use this license server on your network
• You can also specify where you would like to place the license database in the install LICENSE SERVER DATABASE AT THIS LOCATION text box
• Then click next to open the Configuring Components page
• When prompted, insert the Windows 2003 installation CD in the CD-ROM drive
• On the Completing the Windows Component Wizard page, click the FINISH button
After you have installed the licensing component, you must add client license key packs and activate the license server. Client license key packs enable the license server to issue licenses to terminal server clients. Clients cannot connect to the Terminal Server without a license after the 120 day evaluation period.
7.1.4.3: Installing Applications for Terminal Services
Applications for use via Terminal Services should be installed after Terminal Server. This can be performed through the Add or Remove Programs wizard in Control Panel. When using the Add/Remove Programs wizard, select the Change User Option and click All users with common applications settings for universal access or Install applications setting for this user only. Applications installed prior to Terminal Services would need to be reinstalled or properly configured.