Configuring Remote Desktop Services
Configure RemoteApp and Remote Desktop Web Access
Single sign-on allows users to connect to terminal server sessions without having to repeatedly enter their credentials; this is particularly significant when using Terminal Services RemoteApp programs. Single sign-on requires the policy setting Allow Delegating Saved Credentials to be configured; this policy is used with Windows Credential Manager, whereas Allow Delegating Default Credentials delegates the credentials of the current local session. Both policies require the target servers to be defined, e.g. TERMSRV/ServerName or TERMSRV/*.
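The two delegation policies above are written by Group Policy to the CredentialsDelegation key in the registry. The following is an added example (not part of the original notes) that sets one of them for a named terminal server and then audits both, flagging a TERMSRV/* wildcard because it allows credentials to be delegated to any host presenting itself as a terminal server. It assumes an elevated session on the client and the standard policy registry path; the server name ts01.corp.example is a constructed sample.

```powershell
# Added example (not from the original notes): configure and audit the CredSSP
# delegation policy that Terminal Services single sign-on relies on. Assumes
# the policy lives under HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation,
# which is where the Group Policy editor writes it. Run elevated.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Set-TsDelegationPolicy {
    param(
        # 'AllowDefaultCredentials' = Allow Delegating Default Credentials
        # 'AllowSavedCredentials'   = Allow Delegating Saved Credentials
        [Parameter(Mandatory)]
        [ValidateSet('AllowDefaultCredentials', 'AllowSavedCredentials')]
        [string]$Policy,

        # SPNs of the terminal servers allowed to receive delegated credentials,
        # e.g. 'TERMSRV/ts01.corp.example' (constructed sample name).
        [Parameter(Mandatory)]
        [string[]]$ServerSpn
    )

    if (-not (Test-Path $PolicyRoot)) { New-Item -Path $PolicyRoot -Force | Out-Null }

    # The enabling flag is a DWORD on the parent key ...
    Set-ItemProperty -Path $PolicyRoot -Name $Policy -Value 1 -Type DWord

    # ... and the allowed servers sit in a subkey of the same name as numbered string values.
    $listKey = Join-Path $PolicyRoot $Policy
    if (Test-Path $listKey) { Remove-Item -Path $listKey -Recurse -Force }
    New-Item -Path $listKey -Force | Out-Null

    $i = 1
    foreach ($spn in $ServerSpn) {
        Set-ItemProperty -Path $listKey -Name ([string]$i) -Value $spn -Type String
        $i++
    }
}

function Get-TsDelegationPolicy {
    # Returns one object per policy with its state and target list.
    foreach ($Policy in 'AllowDefaultCredentials', 'AllowSavedCredentials') {
        $enabled = $false
        $targets = @()
        if (Test-Path $PolicyRoot) {
            $flag    = (Get-ItemProperty -Path $PolicyRoot -ErrorAction SilentlyContinue).$Policy
            $enabled = ($flag -eq 1)
            $listKey = Join-Path $PolicyRoot $Policy
            if (Test-Path $listKey) {
                $props = Get-ItemProperty -Path $listKey
                if ($props) {
                    $targets = @($props.PSObject.Properties |
                        Where-Object { $_.Name -match '^\d+$' } |
                        ForEach-Object { $_.Value })
                }
            }
        }
        [pscustomobject]@{
            Policy   = $Policy
            Enabled  = $enabled
            Targets  = $targets
            # A trailing /* means every terminal server, not just the ones you run.
            Wildcard = [bool]($targets | Where-Object { $_ -match '/\*$' })
        }
    }
}

# Usage: allow saved credentials only for one named terminal server, then audit.
Set-TsDelegationPolicy -Policy AllowSavedCredentials -ServerSpn 'TERMSRV/ts01.corp.example'
Get-TsDelegationPolicy | Format-Table -AutoSize
```

The audit function is the part worth keeping on a build checklist: an enabled policy whose target list contains TERMSRV/* is the setting most often left behind from a lab and is what turns a spoofed terminal server into a credential collector.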
RemoteApp is known as presentation virtualisation, i.e. it presents only the application's output to the end user's computer.
Remote applications are added to RemoteApp through TS RemoteApp Manager > Add RemoteApp Programs > tick the check box next to the application.
If the end user launches multiple applications via RemoteApp, only one session is used. RemoteApp applications can be deployed to clients using an RDP shortcut; RDP shortcuts can be signed using digital certificates, and these certificates are used to determine which groups or users can run the RDP shortcut. Windows Installer packages and TS Web Access are other deployment methods; the deployment of RemoteApps is configured through the RemoteApp deployment settings.
TS Web Access allows clients to initiate sessions via their web browser; in the background TS Web Access uses the Remote Desktop Connection (RDC) client software to establish the TS session.
The client operating system requ
RemoteApp connections hosted on TS Web Access can only target one terminal server; this terminal server is the data source. The data source can be configured via the TS Web Access page > Configuration tab > TS Web Access properties. If the terminal server is not the same computer as the TS Web Access computer, add the computer account of the TS Web Access computer to the TS Web Access Computers security group on the terminal server.
Configure Remote Desktop Gateway (RD Gateway)
The RD Gateway enables end users to connect from their home computer to a work workstation or terminal server over SSL. The RD Gateway server makes a standard RDC connection to the workstation or terminal server over TCP 3389.
RD Gateway servers require an SSL certificate from either a public or trusted internal CA; the certificate must match the FQDN of the RD Gateway.
The RD Gateway relies on the Web Server, RPC over HTTP proxy and Network Policy and Access Services roles.
The RD Gateway requires two policy types to be defined:
- TS CAP – specifies which users and computers can make connections to the RD Gateway server
- TS RAP – specifies which resources can be accessed via the RD Gateway server.
Using Network Access Protection (NAP) you can ensure clients connecting through the RD Gateway server have up-to-date antivirus and anti-spyware.
The final piece is configuring the client to use the RD Gateway; this setting can be configured in the advanced tab of the client software.
Configure Remote Desktop Connection Broker
Terminal Services Session Broker is used to map user sessions to a particular session host. The session broker can be used with round-robin DNS or NLB to distribute requests; the session broker also has draining functionality for placing session hosts into maintenance. Session Broker can only be used with Windows Server 2008 terminal servers.
TS Session Broker tokens are only supported by a few hardware load balancers, such as F5, Cisco and Radware.
Configure and monitor Remote Desktop resources
Windows System Resource Manager (WSRM*) is used, by default once installed on a terminal server, to distribute resources more evenly between users, sessions, processes and IIS application pools when the server is experiencing resource contention.
Fair Share CPU Scheduling is new to Windows Server 2008 R2; this functionality dynamically distributes CPU time across all sessions based on the number of active sessions and the load of each session.
WSRM also has an accounting function which can track how processes running on Windows Server 2008 consume resources. WSRM accounting can be configured per user, per application or per session; this can be used to better tune Terminal Services.
Terminal Services Manager can be used to see which processes are running across the entire terminal server.
To track Remote Desktop application resource usage, monitor the Process performance object.
Remote Desktop applications can be managed, i.e. ended, using tskill processId /server:[server name] /id:[session id]
* WSRM policies can be exported and deployed to other servers where WSRM is installed.
Configure Remote Desktop licensing
A terminal server requires a licence server to operate; if a licence server is not available there is a 120-day grace period during which clients can still connect. A Terminal Services licence server which is yet to be activated can only issue temporary CALs; these CALs are valid for 90 days.
If you deploy a licence server within a workgroup then the licence server is scoped to that workgroup, and all terminal servers within the workgroup will automatically detect the licence server. If you were to join a workgroup computer running Terminal Services licensing to the domain, the scope would be upgraded to domain scope. Domain scope is used with Active Directory domains, but these licence servers are not discoverable; you would need to point a terminal server at the licence server. Forest-scoped licence servers are discoverable because their location information is published in Active Directory.
The Terminal Services licensing server will only respond to session host servers which are members of the Terminal Server Computers group local to the server on which the Remote Desktop licence server is installed.
The system state and the c:\windows\system32\lserver directory should be backed up on the Terminal Services licence server in order to recover it successfully.
Terminal server CALs
- Per-user CALs – issued to user accounts; allows that user account to connect to any terminal server within the scope of the licence server from any device.
- Per-device CALs – issued to a device/computer. These licences are revoked after 62 – 89 days but are reissued when the device reconnects.
Configure Remote Desktop Session Host
The Terminal Services Configuration tool is used to configure the RD Session Host; alternatively these settings can be configured via Group Policy.
- User logon mode
  - Allow all connections (default)
  - Allow reconnections but prevent new logons – generally used for maintenance
  - Allow reconnections but prevent new logons until the server has been restarted – generally used for maintenance
- Authentication
  - RDP security – native RDP encryption
  - Negotiate (default) – negotiates a compatible encryption method supported by both server and client
  - SSL (TLS 1.0) – authentication and encryption over SSL; requires a public certificate or a certificate deployed from an internal CA.
  - FIPS compliant – high encryption level; clients which do not support this encryption level cannot connect.
  - High – 128-bit encryption; requires all clients to be using Remote Desktop Connection clients
  - Client compatible – uses the maximum encryption compatible with the client; generally used with legacy clients
  - Low – 56-bit encryption from client to server; unencrypted from server to client.
- Network Level Authentication
  - Not available if RDP security is selected
  - Requires Remote Desktop Connection client 6.0
  - Client operating system must support Credential Security Support Provider (CredSSP)
  - Terminal server must be Windows Server 2008
- Logon settings
  - Determines whether the credentials entered at logon or a general account will be used to authorise what actions that user can perform.
  - Defines how long a session can last, when disconnected sessions are ended, etc.
- Remote control
  - Defines what remote control functionality is available for that particular user; by default this is defined in Active Directory. If Do not allow remote control or Use remote control with the following settings is selected, these override Active Directory.
  - Full control – granted to the Administrators group by default
  - User access – granted to the Remote Desktop Users group by default. Allows users to connect to disconnected sessions.
  - Guest access – granted to the Remote Desktop Users group by default. Only allows new sessions.
The above can be configured using Group Policy objects located at Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Terminal Server\
Display data prioritisation ensures that display, keyboard and mouse virtual channel data is given higher priority than print and file virtual channel data. The default ratio is 70:30 in favour of display, keyboard and mouse. To change this ratio, modify the following registry values (DWORD 32-bit) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD\:
- FlowControlDisable – 1 or 0 (0 by default). If flow control is disabled, data is handled first-in-first-out (FIFO)
- FlowControlDisplayBandwidth – up to 255 (70 by default) – display, keyboard and mouse
- FlowControlChannelBandwith – up to 255 (30 by default) – file, print etc.
- FlowControlChargePostCompression – determines whether flow control bandwidth allocation is calculated pre- or post-compression; by default it is pre-compression.
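As an added example (not part of the original notes), the following PowerShell reads the four TermDD values above, reports the effective display share, and sets a new ratio with range checking so a typo cannot push a value past 255. It assumes an elevated session on the terminal server and keeps the value names exactly as listed, including the FlowControlChannelBandwith spelling, since that is the name the driver reads; TermDD picks the values up after a restart.

```powershell
# Added example (not from the original notes): inspect and adjust the display
# data prioritisation ratio under HKLM\SYSTEM\CurrentControlSet\Services\TermDD.
# Run elevated on the terminal server; restart for TermDD to read the new values.

$TermDD = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermDD'

function Get-TsDisplayPriority {
    # Reports the effective values, falling back to the documented defaults
    # (flow control on, 70 / 30, charged pre-compression) when a value is absent.
    $p = Get-ItemProperty -Path $TermDD -ErrorAction SilentlyContinue
    $display  = if ($null -ne $p.FlowControlDisplayBandwidth) { [int]$p.FlowControlDisplayBandwidth } else { 70 }
    $channel  = if ($null -ne $p.FlowControlChannelBandwith)  { [int]$p.FlowControlChannelBandwith }  else { 30 }
    $disabled = if ($null -ne $p.FlowControlDisable) { [int]$p.FlowControlDisable -eq 1 } else { $false }
    $post     = if ($null -ne $p.FlowControlChargePostCompression) { [int]$p.FlowControlChargePostCompression -eq 1 } else { $false }
    $total    = $display + $channel
    [pscustomobject]@{
        FlowControlDisabled   = $disabled     # $true means plain FIFO, no prioritisation at all
        DisplayBandwidth      = $display
        ChannelBandwidth      = $channel
        DisplaySharePercent   = if ($total) { [math]::Round(100 * $display / $total) } else { $null }
        ChargePostCompression = $post
    }
}

function Set-TsDisplayPriority {
    param(
        [ValidateRange(0, 255)] [int]$DisplayBandwidth = 70,   # display, keyboard, mouse
        [ValidateRange(0, 255)] [int]$ChannelBandwidth = 30,   # file, print and other channels
        [switch]$DisableFlowControl,
        [switch]$ChargePostCompression
    )
    # The split is the ratio between the two bandwidth values, so 70/30 and
    # 140/60 produce the same prioritisation.
    Set-ItemProperty -Path $TermDD -Name FlowControlDisplayBandwidth -Value $DisplayBandwidth -Type DWord
    Set-ItemProperty -Path $TermDD -Name FlowControlChannelBandwith  -Value $ChannelBandwidth -Type DWord
    Set-ItemProperty -Path $TermDD -Name FlowControlDisable -Value ([int]$DisableFlowControl.IsPresent) -Type DWord
    Set-ItemProperty -Path $TermDD -Name FlowControlChargePostCompression -Value ([int]$ChargePostCompression.IsPresent) -Type DWord
    Get-TsDisplayPriority
}

# Usage: give the interactive channels 80% and show the resulting split.
Set-TsDisplayPriority -DisplayBandwidth 80 -ChannelBandwidth 20
```

Get-TsDisplayPriority is also a quick way to confirm that nobody has set FlowControlDisable to 1 on a host, which silently drops the prioritisation the notes describe.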
Terminal Services will create a profile when the user first logs on; user profiles have a tendency to consume a lot of space. You can combat this in two ways: firstly, implement File Server Resource Manager (FSRM) quotas, or, if your organisation uses roaming profiles, it is strongly advised that terminal server-specific profiles be used; these profiles are tailored to Terminal Services and prevent profile corruption.
User home directories should be redirected to a file server and not included as part of the user profile.
Command line tools:
- change.exe – changes Terminal Services logon settings
- logoff.exe – logs off a user session
- qappsrv.exe – displays a list of terminal servers in the domain
- query.exe – displays a list of terminal servers, processes and sessions.
- shadow.exe – initiates remote control.
- /edit file.rdp – used to edit the Remote Desktop configuration file
- /span – spans the Terminal Services session across multiple monitors
- /migrate – migrates Client Connection Manager (Windows 2000) files to .rdp files.
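The tskill form given earlier (tskill processId /server:[server name] /id:[session id]) and the query.exe tool in the list above are easiest to use together. The following is an added example (not part of the original notes) that parses the text output of query session into objects and wraps tskill so a process can be ended in one specific session. It assumes the English column layout of query session; the server name ts01, user jsmith and the process ID 4242 are constructed sample values, and the embedded sample output is constructed so the parser can be exercised offline.

```powershell
# Added example (not from the original notes): wrap the query.exe / tskill.exe
# tools so sessions can be inspected as objects and a single process ended in
# a chosen session. Parsing assumes English 'query session' output.

function ConvertFrom-QuerySession {
    # Converts lines of 'query session' output into objects. The regex anchors
    # on the numeric ID and the STATE column so a blank USERNAME (listener and
    # services sessions) does not shift the fields.
    param([Parameter(Mandatory, ValueFromPipeline)] [string]$Line)
    process {
        if ($Line -match '^(?<cur>[> ])(?<name>\S*)\s*(?<user>\S*)\s+(?<id>\d+)\s+(?<state>\w+)') {
            [pscustomobject]@{
                Current     = ($Matches.cur -eq '>')
                SessionName = $Matches.name
                UserName    = $Matches.user
                Id          = [int]$Matches.id
                State       = $Matches.state
            }
        }
    }
}

function Get-TsSession {
    param([string]$Server = 'localhost')
    # 'query session' is the query.exe form of qwinsta; skip the header line.
    & query.exe session /server:$Server 2>$null | Select-Object -Skip 1 | ConvertFrom-QuerySession
}

function Stop-TsProcess {
    # Ends one process in one session, in the form the notes give:
    # tskill processId /server:[server name] /id:[session id]
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [int]$ProcessId,
        [Parameter(Mandatory)] [int]$SessionId,
        [string]$Server = 'localhost'
    )
    if ($PSCmdlet.ShouldProcess("session $SessionId on $Server", "tskill $ProcessId")) {
        & tskill.exe $ProcessId /server:$Server /id:$SessionId
    }
}

# Constructed sample output so the parser can be checked without a server.
$Sample = @'
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
>console           Administrator             1  Active
 rdp-tcp#3         jsmith                    2  Active  rdpwd
 rdp-tcp                                 65536  Listen
'@ -split "`r?`n"

$Sample | Select-Object -Skip 1 | ConvertFrom-QuerySession | Format-Table -AutoSize

# Usage against a live server (constructed names): find the active session for
# a user and end a process in it. -WhatIf previews the tskill call; drop it to run.
$s = Get-TsSession -Server 'ts01' | Where-Object { $_.UserName -eq 'jsmith' -and $_.State -eq 'Active' }
if ($s) { Stop-TsProcess -ProcessId 4242 -SessionId $s.Id -Server 'ts01' -WhatIf }
```

Scoping tskill with /id is the point: given only a process name it would match every session on the host, so resolving the session ID first keeps an administrator from ending another user's work by accident.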
Terminal Services IP virtualisation is used to assign an IP address per session or per program. This functionality has a number of benefits: one, when software hosted on the terminal server listens on a particular port, a single IP address will not scale; two, ISPs benefit as they can track user usage more easily. IP virtualisation requires DHCP to allocate IP addresses to the sessions; the IP addresses must be on the same subnet as the terminal server. The default IP virtualisation mode is per program; if no programs are defined then IP virtualisation isn't used.
RemoteFX gives end users the ability to watch full-motion video and Silverlight animations and run 3D applications, all with local-like performance, over a Terminal Services connection. NOTE: Aero doesn't work on Terminal Services because the RemoteFX driver only works with the Hyper-V vGPU.
New features in Windows Server 2008 R2
A new virtualisation role for Remote Desktop Services called RD Virtualization Host; this role is installed on one or more Hyper-V hosts to present virtual desktops over RD Web Access.
Virtual desktops can be mapped one-to-one or shared; one-to-one mappings are persistent and are allocated to specific users. Shared virtual desktops use user profiles and folder redirection and are non-persistent.
Applications can be presented to users over RD Web Access; the user gets the application interface only rather than a full desktop. Applications can be assigned to specific users, but by default Authenticated Users can access all RemoteApps.