
MCTS 70-646 Plan server management strategies


Server Manager Console

Displays the roles and features that are installed on that particular computer.


ServerManagerCmd.exe is the command-line version of Server Manager, but Microsoft are pushing Windows PowerShell and the ServerManager module instead.
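The ServerManager module in practice, as an added example that is not part of the original post: it inventories the roles and features on the local server, compares them with a constructed baseline list (anything extra is attack surface worth reviewing) and adds whatever is missing. It assumes Windows Server 2008 R2 with Windows PowerShell 2.0 in an elevated prompt; the feature names in the baseline are ordinary 2008 R2 feature names but the list itself is made up for the example.

```powershell
# Added example (not from the original post): ServerManager module in place of
# ServerManagerCmd.exe. Assumes Windows Server 2008 R2, PowerShell 2.0, elevated prompt.
Import-Module ServerManager

# Constructed baseline: what this particular server is supposed to run
$baseline = @('Web-Server', 'Web-Common-Http', 'RSAT', 'RSAT-Role-Tools')

# Every installed role, role service and feature on this computer
$installed = Get-WindowsFeature | Where-Object { $_.Installed }
$installed | Select-Object Name, DisplayName | Format-Table -AutoSize

# Installed but not in the baseline: extra attack surface, review before leaving it
$extra = $installed | Where-Object { $baseline -notcontains $_.Name }
if ($extra) {
    Write-Warning ('Installed but not in baseline: ' +
        (($extra | ForEach-Object { $_.Name }) -join ', '))
}

# In the baseline but missing: add it from the same module (may report RestartNeeded)
$missing = $baseline | Where-Object { -not (Get-WindowsFeature $_).Installed }
foreach ($name in $missing) {
    Write-Host "Installing $name"
    Add-WindowsFeature $name
}
```

Run it as a scheduled job and diff the output over time and you have a cheap drift check for role and feature creep on each server.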

Microsoft Management Console

MMC snap-ins are available for all roles and features that are installed; some roles require the Remote Server Administration Tools (RSAT) to be installed, e.g. Active Directory Users and Computers.

Emergency Management Services (EMS)

EMS allows you to connect to a system over a serial connection using telnet or a terminal emulator such as HyperTerminal. EMS can be used when a computer has frozen or locked up on start-up or shutdown, for example when a runaway process has made the computer unresponsive.

EMS must be enabled before you need to use it, ideally before the server is deployed into production. EMS is enabled using BCDEDIT.
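The BCDEDIT steps, as an added example rather than commands from the original post: it turns EMS on for the boot manager and the current OS entry, sets the serial port and baud rate, and reads the settings back for verification. It assumes an elevated prompt; COM1 at 115200 baud is a constructed choice that has to match whatever serial console or terminal concentrator is physically attached.

```powershell
# Added example (not from the original post): enable EMS with bcdedit before the server
# goes into production. Assumes an elevated prompt. Port and baud rate are constructed
# and must match the attached serial console.
$port = 1          # COM1
$baud = 115200

# Boot manager: lets you choose a boot entry from the serial console
bcdedit /bootems '{bootmgr}' ON

# Operating system entry: switch EMS on and set the port/speed it listens on
bcdedit /ems '{current}' ON
bcdedit /emssettings "EMSPORT:$port" "EMSBAUDRATE:$baud"

# Verify: the entry should now show 'ems Yes'; 'bcdedit /enum all' also lists the
# EMS settings object with the port and baud rate
bcdedit /enum '{current}'
bcdedit /enum all | Select-String -Pattern 'ems'
```

The change takes effect at the next boot, so test the serial console connection straight after the reboot rather than waiting for the first outage.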

Remote Desktop

Remote Desktop allows members of the Administrators and Remote Desktop Users groups to connect remotely; this doesn't apply to domain controllers, where only administrators can connect remotely.

Remote Desktop for Administration allows two concurrent connections. If the computer you're connecting to has Remote Desktop Services installed, use /admin to connect to an administrative session; if Remote Desktop Services is not installed, /admin is not needed.

You must be a member of the local administrators group to connect to an administrative session.


PowerShell Remoting

Windows PowerShell remoting improves on classic remoting. Classic remoting is built into individual cmdlets, and the underlying technology is generally Remote Procedure Call (RPC) and Distributed COM (DCOM). Classic remoting also uses transparent authentication, i.e. it uses the credentials under which the PowerShell code is running.

You can identify classic remoting cmdlets using

Get-Help * -Parameter ComputerName

Alternatively you can use:

Get-Command | Where-Object {$_.Parameters.Keys -contains 'ComputerName' -and $_.Parameters.Keys -notcontains 'Session'}

The alternative command will filter out Windows PowerShell remoting cmdlets.

Windows PowerShell remoting uses the WinRM service to execute PowerShell code in a separate session on the remote system; Windows PowerShell remoting is enabled by running Enable-PSRemoting from an elevated prompt. Enable-PSRemoting starts the WinRM service if it is not running, sets up a listener on TCP 5985 and creates a firewall exception for inbound connections.

Windows PowerShell remoting uses Kerberos authentication by default, but if you're using a peer-to-peer network or connecting to hosts outside of your trusted domain you'll need to define trusted hosts or connect via HTTPS.

Trusted hosts are added to the WSMan TrustedHosts client setting using

Set-Item wsman:\localhost\client\trustedhosts * -Force
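Enabling remoting and checking what it changed, as an added example that is not part of the original post: it runs Enable-PSRemoting, then verifies the WinRM service, the listener on TCP 5985 and the firewall rule that the text says it creates, and trusts a short list of named hosts instead of the wildcard (a wildcard means your client will send credentials to any machine that answers to the name you typed). It assumes Windows Server 2008 R2 with PowerShell 2.0 in an elevated prompt; the host names are constructed.

```powershell
# Added example (not from the original post): enable remoting, verify it, and scope
# TrustedHosts to named machines. Assumes elevated PowerShell 2.0 on Server 2008 R2.
Enable-PSRemoting -Force

# 1. WinRM service is running
Get-Service WinRM | Select-Object Name, Status

# 2. A listener exists (HTTP on port 5985 by default)
Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    Select-Object Address, Transport, Port, Enabled

# 3. The inbound firewall exception was created
netsh advfirewall firewall show rule name=all |
    Select-String -Pattern 'Windows Remote Management'

# 4. Trusted hosts for targets Kerberos cannot authenticate (workgroup / untrusted domain).
#    Name them explicitly; '*' trusts every host you ever connect to.
$hosts = 'srv01.corp.example', 'srv02.corp.example'     # constructed names
Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($hosts -join ',') -Force
Get-Item WSMan:\localhost\Client\TrustedHosts | Select-Object Name, Value

# Add another host later without overwriting the list
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'srv03.corp.example' -Concatenate -Force

# 5. Can this client reach a target's WinRM endpoint at all?
Test-WSMan -ComputerName $hosts[0]
```

Review the TrustedHosts value as part of any build check: an asterisk left behind from testing is easy to miss and turns every DNS or NetBIOS name you type into a place credentials can go.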

Windows PowerShell remoting uses Invoke-Command, Enter-PSSession or New-PSSession; New-PSSession allows you to use implicit remoting with the help of Enter-PSSession, whereas Invoke-Command is explicit remoting.
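The three remoting styles side by side, as an added example that is not from the original post: a one-off Invoke-Command, a persistent New-PSSession reused across calls, and implicit remoting via Import-PSSession, which proxies a remote module's cmdlets into the local session (Import-PSSession is the cmdlet that does the proxying; it is named here as an addition to what the post says). It assumes remoting is already enabled on the target and the caller is an administrator there; the server name is constructed.

```powershell
# Added example (not from the original post): explicit, persistent and implicit remoting.
# Assumes remoting is enabled on the target and the caller has admin rights there.
$server = 'srv01.corp.example'    # constructed

# Explicit remoting: a session is built for this call and torn down afterwards
Invoke-Command -ComputerName $server -ScriptBlock {
    Get-Service WinRM, TermService | Select-Object Name, Status
}

# Persistent session: state (variables, loaded modules) survives between calls
$s = New-PSSession -ComputerName $server
Invoke-Command -Session $s -ScriptBlock { Import-Module ServerManager }
Invoke-Command -Session $s -ScriptBlock {
    Get-WindowsFeature | Where-Object { $_.Installed } | Select-Object Name
}

# Implicit remoting: proxy the remote ServerManager cmdlets locally with a prefix,
# so Get-RemoteWindowsFeature is typed locally but executes on $server
Import-PSSession -Session $s -Module ServerManager -Prefix Remote
Get-RemoteWindowsFeature Web-Server

# Interactive use would be: Enter-PSSession -Session $s   (Exit-PSSession to return)
# It is not run here because it hands the console over to the remote host.

Remove-PSSession $s
```

Because every command in a session runs as the authenticated user on the remote host, the remote event logs (not the local console) are where you will later find what was done through it.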

Remote Administration Tools for Non-Administrators

In general non-administrators should be provided with MMC console snapins to administer servers rather than giving non-administrators remote desktop access.

Another method is Telnet, which is ideal for low-bandwidth connections. Telnet Server is configured by running tlntadmn.exe once the feature has been installed.


MCTS 70-646 Plan application servers and services


Planning Remote Desktop Infrastructure

Remote Desktop Services has the following benefits:

  • User workstations run a minimal amount of software.
  • Data is centralised, i.e. it may be at HQ rather than at the branch office.
  • The host operating system updates, anti-virus and anti-spyware updates are deployed at the Remote Desktop session host server.
  • Application updates are performed centrally.

Depending on the number of users and the applications hosted you may need one or more RD session host servers in one or more locations, e.g. a heavily utilised, high-bandwidth application used by 20 branch office staff would more than likely warrant an RD session host server at the branch office, whereas 10 users running a word processing application would probably access it across the WAN.

Planning RD session host server software

Application compatibility is paramount if you’re to successfully deploy remote applications.

Applications should be installed with the server in install mode (change user /install), but most applications will auto-detect that they're being installed on an RD session host server.

Applications which are RD compatible have the following characteristics:

  • Multi user
  • Application configuration should be saved to the users profile
  • Does not require users to write to the HKLM registry hive

RD licensing

Licensing server scopes

  • Workgroup
    • Only available to workgroup computers; workgroup servers and clients can discover the licence server automatically.
  • Domain
    • Domain RD session host computers and clients can automatically acquire Client Access Licences.
  • Forest
    • Forest RD session host computers and clients can automatically acquire Client Access Licences; this is recommended for central licence management.

Licence server activation installs a digital certificate to validate the server's ownership and identity. The methods of activation are:

  • Automatic (requires SSL)
  • Web browser (must browse to a web page) – cannot be used with deactivation
  • Telephone

Temporary licences are valid for 90 days.

Licence types

  • Device – assigned to a device; can be reclaimed 52 to 89 days after being issued. 20% of licenses issued to a particular operating system can be revoked at any one time.
  • User – assigned to a user; user CALs are not enforced by RD licensing.

RD licence server backup

When a licence server has been restored any unissued licenses will need re-validating.

A Windows Server 2008 R2 licence server is backwards compatible with Windows Server 2008, Windows Server 2003 and Windows 2000 Server Terminal Services session host servers.

RD Session Host Configuration

Configuration of the RD session host is performed within the RD session host configuration > RDP-TCP > Properties window.

The default security layer is Negotiate, which uses SSL if a certificate is installed. The default encryption level is Client Compatible, which negotiates an encryption level that both the client and server support. High encryption uses 128-bit encryption and is supported by the RDC 5.2 client software. Low encryption only encrypts the data sent from the client to the server.

The number of sessions and the network adapter on which RDS will respond are configured within the Network Adapter tab.
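A quick audit of the RDP-Tcp security layer and encryption level, as an added example that is not part of the original post: RD Session Host Configuration writes these settings to the RDP-Tcp key in the registry, so the same values can be read back and checked against a policy. It assumes Windows Server 2008 R2 (the value names SecurityLayer, MinEncryptionLevel, UserAuthentication and SSLCertificateSHA1Hash are the documented ones; the "warn if below High" threshold is a constructed policy). NLA is not mentioned in the post; it is included here because it sits in the same key and on the same tab.

```powershell
# Added example (not from the original post): audit RDP-Tcp security settings from the
# registry. Assumes Windows Server 2008 R2; run locally or inside Invoke-Command.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$p   = Get-ItemProperty -Path $key

$securityLayer = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
$encryption    = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

New-Object PSObject -Property @{
    SecurityLayer      = $securityLayer[[int]$p.SecurityLayer]
    MinEncryptionLevel = $encryption[[int]$p.MinEncryptionLevel]
    NLARequired        = ([int]$p.UserAuthentication -eq 1)
} | Format-List

# Findings a reviewer would raise (threshold is a constructed policy)
if ($p.SecurityLayer -eq 0) {
    Write-Warning 'RDP Security Layer: no server authentication, so clients cannot detect a spoofed host'
}
if ($p.MinEncryptionLevel -lt 3) {
    Write-Warning 'Encryption below High: an old client can negotiate a weaker level'
}
if ($p.UserAuthentication -ne 1) {
    Write-Warning 'NLA not required: unauthenticated clients reach the logon screen'
}

# Certificate selected for the listener (stored as the SHA-1 thumbprint in binary form)
if ($p.SSLCertificateSHA1Hash) {
    $thumb = ($p.SSLCertificateSHA1Hash | ForEach-Object { $_.ToString('X2') }) -join ''
    "Listener certificate thumbprint: $thumb"
} else {
    'No administrator-selected certificate: the auto-generated self-signed one is in use, which clients cannot validate'
}
```

Wrapping the script in Invoke-Command -ComputerName against the list of session hosts gives a fleet-wide view, which is what you want before a licensing or capacity change that adds more hosts.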

When performing maintenance the user logon mode should be changed to ‘prevent new logons’ within the RD session host configuration > edit settings.

One of the most important configurations is connection and session configuration as these directly affect the capacity of the RD session host. Session configuration determines when Active, Idle or disconnected sessions should be disconnected or ended respectively.
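The maintenance procedure implied by the last few paragraphs and by the install-mode note under "Planning RD session host server software", as one added example that is not from the original post: stop new logons, wait for existing users to finish, switch to install mode, install, switch back and reopen logons. It assumes an elevated prompt on the session host and Windows Server 2008 R2 (change logon /drain, change user /install and quser all exist there); the installer path is constructed.

```powershell
# Added example (not from the original post): drain logons, install an application in
# install mode, and reopen the host. Assumes elevated PowerShell on the session host.
$installer = 'C:\Install\App\setup.msi'    # constructed path

# 1. Prevent new logons but let existing sessions continue ("prevent new logons" in the GUI)
change logon /drain
change logon /query

# 2. Wait until no user sessions other than our own remain
do {
    $others = @(quser 2>$null | Select-Object -Skip 1 |
        Where-Object { $_ -notmatch ('^\s*>?' + [regex]::Escape($env:USERNAME) + '\s') })
    if ($others.Count -gt 0) {
        Write-Host "Waiting for $($others.Count) user session(s) to end..."
        Start-Sleep -Seconds 60
    }
} while ($others.Count -gt 0)

# 3. Install mode: per-user registry and INI writes made by the installer are captured
#    so every user gets them, not just the installing admin
change user /install
change user /query

# 4. Run the installer silently and wait for it
Start-Process msiexec.exe -ArgumentList "/i `"$installer`" /qn /norestart" -Wait

# 5. Back to execute mode, then allow logons again
change user /execute
change logon /enable
change logon /query
```

The wait loop is the part that protects users: installing while sessions are active is how you end up with half-updated profiles and an application that works for the administrator only.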

Group Policy objects

Computer Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Services/RD Session Host is used to configure connections, device and resource redirection, licensing, printer redirection, profiles, the remote session environment, security, session limits, temporary folders and RD Connection Broker.

RD Web Access

This role service allows clients to connect to an RD session host via a browser. The role service requires IIS and the Windows Process Activation Service.

Compatible clients are XP SP2 and later.

RD Connection broker

This role service maintains user sessions within a database, so if a user is disconnected they will be reconnected to their existing session. RD Connection Broker is used in conjunction with DNS round robin, Microsoft NLB or hardware load balancers which support RD Connection Broker routing tokens. If you're using a hardware load balancer then RD Connection Broker should use token redirection, not IP address redirection.

Connection broker can only load balance Windows Server 2008 or 2008 R2 Terminal / Remote Desktop session host servers. Connection broker requires clients be using at least RDC 5.2.

The RD session servers must be made a member of the Session Directory computers group.

RD gateway server

RD Virtualisation Host

This role service allows you to present Hyper-V virtual machines as virtual desktops via Remote Desktop Services.

Monitoring RDS

RDS can be monitored using either Performance Monitor (perfmon) or Windows System Resource Manager (WSRM).

Performance monitor provides a number of counters to track memory and processor usage per session and active, inactive and total sessions.
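Sampling those counters from PowerShell, as an added example that is not part of the original post: it reads the session counts from the "Terminal Services" counter set, lists per-session processor and memory usage from the "Terminal Services Session" set, and warns when active sessions exceed a planned capacity. It assumes Windows Server 2008 R2 with PowerShell 2.0 on the session host and English counter names; the 50-session limit is constructed.

```powershell
# Added example (not from the original post): read RDS perfmon counters with Get-Counter.
# Assumes PowerShell 2.0 on a Server 2008 R2 session host; the capacity limit is constructed.
$sessionCounters = '\Terminal Services\Active Sessions',
                   '\Terminal Services\Inactive Sessions',
                   '\Terminal Services\Total Sessions'

# Three samples a second apart, so a momentary spike is not read as steady state
$samples = Get-Counter -Counter $sessionCounters -SampleInterval 1 -MaxSamples 3
foreach ($set in $samples) {
    $set.CounterSamples | Select-Object Path, CookedValue | Format-Table -AutoSize
}

# Per-session usage: one instance per session; drop the console and services instances
Get-Counter -Counter '\Terminal Services Session(*)\% Processor Time',
                     '\Terminal Services Session(*)\Working Set' |
    Select-Object -ExpandProperty CounterSamples |
    Where-Object { $_.InstanceName -notmatch '^(_total|console|services)$' } |
    Sort-Object CookedValue -Descending |
    Select-Object InstanceName, Path, CookedValue | Format-Table -AutoSize

# Capacity check against the planned limit for this host (constructed value)
$plannedLimit = 50
$active = ($samples[-1].CounterSamples |
    Where-Object { $_.Path -like '*Active Sessions' }).CookedValue
if ($active -gt $plannedLimit) {
    Write-Warning "Active sessions ($active) above planned capacity ($plannedLimit)"
}
```

The per-session table is also the quickest way to spot the runaway process scenario mentioned under EMS before it takes the whole host down: one session with a working set far above the others is the usual sign.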

WSRM provides a means of distributing the load evenly, e.g.

  • Equal_Per_User ensures each user is allocated equal resources; useful when users can have more than one session.
  • Weighted_Remote_Sessions allows processes to be grouped according to the priority assigned to the user account.
  • Equal_Per_Session ensures each session is allocated equal resources; should be used in conjunction with limiting users to a single session.