Windows 2000 Terminal Services
Terminal services may be provided by Windows 2000 server computers. Terminal services allow remote computers to run desktops and applications on a server as though they were running locally. This is similar to the functionality provided by X on UNIX and Linux platforms. Keystroke and mouse action information is sent from the client to the server over the network, and visual display information is sent back to the client from the server. Terminal services offer the following advantages:
- Since the computing is done on the server side, the terminal computer can be an older PC that is not powerful and it does not even require a hard drive.
- Administration of applications is easier since they are run on the server only.
- Users on the client computers cannot accidentally misconfigure their computers, since there is virtually nothing to configure.
Terminal Services runs in one of two modes:
- Remote administration - The terminal server may be remotely managed, but applications cannot be run remotely.
- Application server - The terminal server may be remotely managed, and applications can be run remotely.
No license is required for remote administration mode, but licensing is required for application server mode. The application server mode will run for 90 days without a license. Licensing is done on a per seat basis which means there must be a license for each computer that will access the terminal server. To set up licensing:
- Use the "Add/Remove Programs" control panel applet to install "Terminal Services Licensing". It contacts the Microsoft Clearinghouse database to verify licensing.
- Select either "Your entire enterprise" or "Your domain or workgroup" for the license option.
Licenses required:
- Windows 2000 Server license
- Windows 2000 Server client access license for each computer to connect.
- Windows 2000 Professional license or Windows 2000 Terminal Services Client Access License (TSCAL) for each client.
Additional licenses that may be purchased:
- Windows 2000 Terminal Services Internet Connector License - For up to 200 users to connect over the internet.
- Work at Home Terminal Services Client Access License - For each user using the Terminal Services to work from home.
Terminal Services licensing uses the Microsoft Clearinghouse database to verify licensing.
The control panel "Add/Remove Programs" applet is used to install Terminal Services. Select "Add/Remove Windows Components", and select "Terminal Services". Set up Terminal Services in remote administration mode or application server mode during installation. Another option chosen during installation is whether to make permissions compatible with Windows 2000 users or compatible with Terminal Server 4.0 users. The former setting is more secure, but most legacy applications won't run with that setting. If running in application server mode, the recommended server hardware includes:
- 600 MHz or faster microprocessor
- 512 MB or more RAM
- Large hard drive
Components that are installed when Terminal Services is installed:
- Client Creator Files - Has a wizard for creating installation disks for clients.
- Enable Terminal Services - Used to turn terminal services on and off on the server.
Win16 on Win32 (WOW) is used by terminal services to translate 16-bit applications to a 32-bit operating environment. Running 16-bit Windows or MS-DOS applications is not recommended since it will cost additional processing power and memory due to the overhead of running the Win16 or DOS virtual machines.
Additional Administrative Tools from Terminal Services Installation
- Terminal Services Client Creator - Used to create terminal services client boot disks.
- Terminal Services Configuration - Allows management of terminal services setup.
- Terminal Services Licensing - Management of client access licenses (CALs).
- Terminal Services Manager - Allows session and process monitoring.
Applications to be used with terminal services must be installed after terminal services is installed. The applications must be installed in a multiuser format and on an NTFS partition. Terminal Services must be in "Install Mode" when an application is being installed. Once applications are installed, to run applications from terminals, Terminal Services must be in "Execute Mode". The control panel "Add/Remove Programs" applet is used to install the applications. Procedure:
- Install all applications.
- Start the control panel "Add/Remove Programs" applet.
- Select "All Users Begin With Common Application Settings".
- Follow the installation prompts.
- Run scripts in the SystemRoot\Application Compatibility Scripts\Install directory on the Windows 2000 Terminal server computer. There are scripts for several common applications, and these scripts optimize the applications to run with the terminal server. They add multiuser support, modify CPU intensive features, and modify the registry as required.
- Log off, then log on.
- Configure applications to use lower intensity video settings for maximum performance.
- For better performance turn off application features that run in the background.
- Remove the capability for applications to start other applications since this costs memory and performance.
The "change user" command can also be run from the command prompt to install applications, but it should be used to set up or confirm multiuser access capability for the application.
The most secure terminal services permissions mode is "permissions compatible with Windows 2000 users".
The Terminal Services Client uses Remote Desktop Protocol (RDP) to connect to the server. Supported client systems:
- Windows 2000
- Windows 95, 98, Me
- Windows NT 3.51 or 4.0
- Windows for Workgroups 3.11
The Terminal Services Client Creator was installed with Terminal Services. It can be used to create a floppy disk for Win32 or Win16 systems to get the Terminal Services Client to the client machines. Another method is to share the Win32 or Win16 folder under SystemRoot\system32\clients\tsclient\net and access the software across the network. The Windows for Workgroups system must use the Win16 folder.
Terminal Services Command line utilities
| Command | Description |
|---|---|
| change logon | Used to disable, enable, or check the status of logons |
| change port | Modify DOS COM ports or query for the status of ports. |
| change user | Change .ini file mapping for the current user. Applicable change user parameters are install, execute, and query. |
| cprofile | Remove user's profile file associations |
| dbgtrace | Enable or disable debug tracing |
| flattemp | Enable or disable temporary flat directories |
| logoff | End a client session |
| msg | Send a message to a client |
| query process | Display process information |
| query session | Display terminal services session information |
| query termserver | Display terminal server list |
| query user | Display logged on user list with information. Like "who" in UNIX. |
| register | Register a program |
| reset session | Reset or delete a terminal session. |
| shadow | Monitor or remotely control a Terminal Service session |
| tscon | Start a Terminal Services session |
| tsdiscon | End a Terminal Services session |
| tskill | Terminate a Terminal Server process |
| tsprof | Change a user profile path or copy user information |
| tsshutdn | Shut down a terminal server. |
Terminal Services Manager
The Terminal Services Manager is a graphical administrative tool used to manage terminal services. It is used on the terminal server or on a client during a session. It will perform the same functions as the command set listed above. The most important functions include remote control and monitoring and managing terminal services usage. The remote control ability allows the administrator to take over a user's session. The Remote control tab of the user's properties dialog box in "Active Directory Users and Computers" determines whether the administrator can remotely control a user's session. Additionally it allows:
- Finding a terminal services server remotely.
- Making, managing, controlling, and ending sessions.
- Connecting to another session.
- Posting messages to sessions.
Terminal Services Configuration Tool
This is the Administrative Tool called "Terminal Services Configuration". To open the RDP-Tcp properties sheet, click on Connections, right click on "RDP-Tcp", and select "Properties". The RDP-Tcp properties dialog box tabs are:
- General - Can set the encryption level of the terminal session.
- Logon Settings
- Sessions - Can override user settings that are set in Active Directory Users and Computers. The maximum length of a session and idle session may be set here. Sessions may be manually disconnected. Also reconnection parameters may be set so it is only possible to reconnect from the original connecting client.
- Remote Control
- Client Settings - Can disable or enable print mapping, clipboard mapping, and LPT port mapping.
- Network Adapter - Can set the number of possible connections.
- Permissions - Set the permissions for users' access to connections.
Terminal Services can be used to remotely administer the server computer, but Microsoft recommends setting the following parameters:
- Disconnected or idle sessions end after five minutes.
- Override user settings so the session must end when the session limit is reached.
- Disable wallpaper to save memory.
- Set the encryption level to high.
- Set the maximum number of connections to 1.
- Change the registry value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server to 0.
- Disable print mapping, clipboard mapping, and LPT port mapping.
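One way to check the five-minute recommendation against what is actually running, as an added example that is not part of the original page: the Python below parses saved `query user` output and lists remote sessions idle beyond the limit. The sample output is constructed, and the column layout and idle-time formats it handles (".", "none", minutes, h:mm, d+hh:mm) are assumptions to confirm against your server's output.

```python
import re

# Constructed sample of `query user` output; not captured from a real server.
SAMPLE = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         console             0  Active          .  3/4/2002 10:12 AM
 jsmith                rdp-tcp#1           1  Active          3  3/4/2002 9:40 AM
 mjones                rdp-tcp#2           2  Active         12  3/4/2002 9:05 AM
 backupop                                  3  Disc         1:05  3/4/2002 8:01 AM
 oldadmin                                  4  Disc      2+03:15  3/2/2002 4:30 PM
"""

IDLE_LIMIT_MINUTES = 5  # the five-minute limit recommended in the list above
STATES = {"Active", "Disc"}

def idle_minutes(field):
    """Convert an IDLE TIME field ('.', 'none', '12', '1:05', '2+03:15') to minutes."""
    if field in (".", "none"):
        return 0
    m = re.fullmatch(r"(?:(\d+)\+)?(?:(\d+):)?(\d+)", field)
    if not m:
        raise ValueError("unrecognised idle time: %r" % field)
    days, hours, minutes = (int(g or 0) for g in m.groups())
    return (days * 24 + hours) * 60 + minutes

def parse_sessions(text):
    """Parse `query user` output; SESSIONNAME is blank for disconnected sessions."""
    sessions = []
    for line in text.splitlines()[1:]:           # skip the header row
        tokens = line.lstrip(" >").split()       # '>' marks the caller's own session
        # Locate the STATE column so a blank SESSIONNAME does not shift the fields.
        idx = next((i for i in range(2, len(tokens)) if tokens[i] in STATES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue                             # blank or truncated row
        sessions.append({"user": tokens[0], "id": int(tokens[idx - 1]),
                         "session": tokens[1] if idx == 3 else "",
                         "state": tokens[idx], "idle": idle_minutes(tokens[idx + 1])})
    return sessions

def over_limit(sessions, limit=IDLE_LIMIT_MINUTES):
    """Return remote (non-console) sessions idle longer than the limit."""
    return [s for s in sessions
            if s["session"] != "console" and s["idle"] > limit]

if __name__ == "__main__":
    for s in over_limit(parse_sessions(SAMPLE)):
        print("session %(id)d user=%(user)s state=%(state)s idle=%(idle)d min" % s)
```

Sessions it reports are candidates for the `logoff` or `reset session` commands listed earlier, and a non-empty result on a remote administration server suggests the session limits are not being applied.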
User Settings for Terminal Services
These are settings in Active Directory Users and Computers that affect user Terminal Services sessions.
- Open "Active Directory Users and Computers"
- Right click on the user to be configured for terminal services and select "Properties".
- The User's Properties Dialog box will open.
User's Properties Dialog box Tabs:
- Sessions - The maximum length of a session and idle session may be set here. Sessions may be manually disconnected. Also reconnection parameters may be set so it is only possible to reconnect from the original connecting client.
- Remote control - Can allow a user's session to be remotely controlled. It can be configured to require the user's permission and to allow the session to be viewed or to allow interaction in the session.
- Terminal Services Profile - The user terminal services profile and terminal services home directory are set here.
The client can end a session by using the hot key combination that they selected.