Terminal Services and Group Policy Administration
Small Business Server 2000 provides strong administration tools that let the technology consultant work on-site or off-site for the customer. These tools include Terminal Services, Microsoft® NetMeeting®, and Group Policy, the subjects of this chapter.
Remote Administration with Terminal Services
By running Terminal Services on a computer with Microsoft Small Business Server 2000 and an appropriately configured Terminal Services client installed, the technology consultant can manage the network either on-site or off-site, speeding customer response time.
Introducing Terminal Services
Terminal Services is installed and configured in remote administration mode as part of Small Business Server 2000 Setup. The underlying Windows 2000 Server operating system is modified to support a multi-session kernel. This enables multiple computing sessions to run simultaneously on the same computer. Each session runs as a virtual computer with its own memory space. Access to the processors is managed by Microsoft Windows® 2000 in a time-sliced, priority-based fashion.
Terminal Server also facilitates a remote control connection. Compare this to the traditional remote node connection facilitated by Routing and Remote Access Service (RRAS). In Terminal Services’ remote control scenario, the technology consultant interacts with the “desktop” of the Small Business Server computer. All features and functions are available, but only screens depicting the desktop activity, keystrokes, and mouse movements are passed between the server and the remote client.
Note Because Terminal Services transmits only screen images between the server and remote client, additional network traffic such as broadcast-based activity, packets sent to node address FFFFFFFF, is not forwarded. A traditional remote node connection that uses RRAS enables broadcast traffic to be sent to the remote client. The form of traffic filtering used by Terminal Services results in significantly higher remote communications performance than node-based RRAS connections under most connection scenarios.
Small Business Server 2000 supports Terminal Services in remote administration mode, not application mode. Remote administration mode is designed to minimize the impact on the operating system and the server computer by limiting the number of concurrent connections. Likewise, it is not recommended that Terminal Services run in application mode on Small Business Server 2000 because the demand on the server resources is considered too great.
Terminal Services Scenarios
The following are common Terminal Services scenarios in Small Business Server.
Remote Administration
Terminal Services is intended primarily to enable the Small Business Server 2000 technology consultant to connect to the customer’s server from remote locations. For example, the technology consultant might maintain a business office separate from customer locations. He or she might also be traveling and could perform remote administration from a laptop computer.
Note The recommended way to make a remote connection to Terminal Services occurs in two stages. First, a connection to the customer’s local area network must be established. The two most common methods for connecting are dialing in to the Small Business Server computer running the RRAS by modem and connecting through a virtual private network (VPN) session (using RRAS) over the Internet. After a remote connection has been established, the Terminal Services client application on the remote computer is used to establish a Terminal Services session. Note that a VPN session for an Internet-based connection is not required but is recommended to increase security.
On-site Remote Desktop Administration
If the small business customer site is dispersed over several floors or significant distances, such as a manufacturing plant or a car dealership, the technology consultant can use a client computer to perform on-site remote administration.
Same Server Terminal Service Sessions
Before deploying new applications or desktop settings (such as Group Policy-based settings), it is often wise to perform tests. One such test is to install the Terminal Services client directly on the server computer and run a Terminal Services session for testing purposes.
Note This may place a significant workload on the Small Business Server computer.
Application Mode
Some small businesses can benefit from having a second Windows 2000 Server computer for users to use for Terminal Services sessions. The computer could be used for such applications as an accounting program, a tax preparation program, or a business database. One benefit of running applications through a Terminal Services session is that the session can persist despite a lost connection. For example, if a tax preparer was working from home after hours to prepare tax returns, and the remote connection was lost during this session, the completed work would not be lost. When reconnected, the tax preparer would be returned to the previous Terminal Services session, with the work in progress displayed on the screen.
Another scenario includes thin clients, which are typically cheaper to deploy and maintain. A second server can also be used to enforce Terminal Services profiles and use Group Policy. One example of using a thin client in conjunction with Terminal Services profiles and Group Policy is retail point-of-sale. Here, a thin client acts as a cash register, and employees cannot misuse the computer system.
Note The technology consultant should implement Terminal Services in application mode on a second, power server-class computer running as a non-domain controller Windows 2000 Server. Terminal Services session running on the Small Business Server 2000 computer is designed to run in remote administration mode, not application mode.
Web-based Remote Administration
Using a Microsoft ActiveX® control, a Terminal Services session can run on an Internet Explorer Web page. This lets the technology consultant gain access to the server from any desktop without needing to install the Terminal Services client.
It is also possible to expose the ActiveX control to the Internet, allowing the technology consultant to log on from any computer connected to the Internet and running the Internet Explorer browser. However, this is not considered a best practice because it potentially exposes the Small Business Server network to the Internet in unintended ways.
Configuring Terminal Services
Terminal Services is installed and deployed in remote administration mode by default in Small Business Server 2000. This is different from a standard Windows 2000 Server installation, in which Terminal Services is not installed by default.
Power users and administrators are granted access to Terminal Services and have permission to log on to the Terminal Services server. Users are not granted this permission by default.
Terminal Services is primarily configured and managed with two tools: Terminal Services Manager and Terminal Services Configuration.
Terminal Services Manager
Terminal Services Manager is a tool that enables you to monitor the logon status of remote users at a glance. It also enables you to observe which resources, such as open files, a remote user is using. Terminal Services Manager is shown in Figure 16.1.
Figure 16.1 Terminal Services Manager
You can use Terminal Services Manager to send messages to or disconnect Terminal Services users. This is useful when the occasional Terminal Services session does not properly terminate. The Terminal Services Manager is accessed from the Administrative Tools program group, not from the Small Business Server consoles.
To start Terminal Services Manager
· Click Start, point to Programs, point to Administrative Tools, and then click Terminal Services Manager.
Terminal Services Configuration
This tool is less frequently used than Terminal Services Manager and is used primarily to configure the Remote Desktop Protocol (RDP) and server settings, such as specific Terminal Services computer-based Group Policy.
To use Terminal Services Configuration
1. Click Start, point to Programs, point to Microsoft Small Business Server, and then click Small Business Server Administrator Console.
2. In the Console Tree, click Terminal Services Configuration.
3. In the Details Pane, configure Server Settings.
Terminal Services Configuration can also be accessed from the Configure Access for Terminal Services link in the Small Business Administrator Console To Do List.
Terminal Services Configuration is shown in Figure 16.2.
Figure 16.2 Terminal Services Configuration
Terminal Services uses RDP as its communication protocol. This is a stable protocol suite that is optimized for remote session connectivity. It is integrated with Windows 2000 Server down to the kernel level. RDP is configured on the RDP-tcp Properties dialog box, which is displayed when you right-click the RDP-tcp protocol in the Connections folder and then click Properties. The RDP-tcp Properties dialog box is shown in Figure 16.3.
Figure 16.3 RDP protocol configurations include session settings
Client and Server Interaction with Terminal Services
The first step in Terminal Services client and server interaction is to create client disks. The client disks are used to set up the Terminal Services client-side application that enables a session between the client and server. Follow these two procedures to create the client disks.
To create Terminal Services client disks from a network share point
1. From a client computer, navigate using My Network Places (Windows 2000 or Windows Me) or Network Neighborhood (Windows 98 and Windows 95, Microsoft Windows NT®) to the Small Business Server computer.
2. Open the TSClient shared folder.
3. Open the net folder.
4. If your client computer is 32-bit, open the win32 folder. If your computer is 16-bit, such as Windows 3.x, open the win16 folder.
5. Run Setup.exe.
6. On the Terminal Services Client Setup page, click Continue.
7. On the Name and Organization Information page, type a name and organization, and then click OK. To confirm the name and organization, click OK.
8. On the License Agreement page, click I Agree.
9. Click the setup button.
10. Click OK in the dialog box that appears. You have now installed the Terminal Services client on a client computer.
To create Terminal Services client disks at the server computer
1. Click Start, point to Administrative Tools, and then click Terminal Services Client Creator.
2. In the Create Installation Disk(s) box, select the appropriate client environment (16-bit Windows or 32-bit Windows), and then click OK.
Note The 16-bit option requires four floppy disks. The 32-bit option requires two floppy disks.
3. Label and insert the first floppy disk, and then click OK.
4. Insert additional floppy disks as instructed, and then click OK.
5. In the Network Client Administrator box, click OK to acknowledge the end of the client disk creation process.
You can use the floppy disks you have just formatted to install the Terminal Services client on a client computer.
To install Terminal Services on a client computer
1. Insert the first Terminal Services client setup disk into the floppy disk drive. From the command line, type a:\setup, where a denotes the floppy disk drive.
2. On the Welcome page, click Continue.
3. Type a user and organization name in the Name and Organization Information field.
4. Click OK to proceed, and then click OK to confirm the user and organization name.
5. In License Agreement, click I Agree.
6. In the Terminal Services Client Setup box, click the large setup button. Change the installation folder, if necessary.
7. Click Yes to confirm that all users will have the same initial Terminal Services client-side settings.
8. When asked, insert the remaining disks, and then click OK.
9. Click OK when notified that the Terminal Services client setup was successful.
With Terminal Services running on the server and the Terminal Services client software installed on the client computer, you are ready to initiate a Terminal Services session. You should have a network connection to the server computer running Terminal Services (this could occur through the local network or with a dial-up or Internet VPN connection through RRAS).
To start a Terminal Services session
1. At the client computer, click Start, point to Terminal Services Client, and then click Terminal Services Client.
2. In the Server field, select the Terminal Services server or type in the Internet Protocol (IP) address of a Terminal Services server. Modify the screen area (800X600 minimum recommended), and then click Connect.
3. Type your Windows 2000 user name and password when the Log On to Windows dialog box appears in the Terminal Services session window. Click OK.
You can also create a Terminal Services client connection setting that retains the server name, screen resolution, user name, and password. Each time an administrator or power user wants to connect to Terminal Services on the Small Business Server computer, the client connection is initiated, saving time and keystrokes.
To use Client Connection Manager
1. On the client computer that has the Terminal Services client installed, click Start, point to Programs, point to Terminal Services Client, and then click Client Connection Manager.
2. On the File menu, click New Connection to start the Client Connection Manager Wizard.
3. Click Next.
4. Type a connection name in the Connection Name field on the Create a Connection page.
5. Type a Terminal Services server name or IP address in the Server name or IP address field, and then click Next.
6. On the Automatic Logon page, type domain logon credentials.
7. Type the logon account name in the User name field, type a password for the logon account name in the Password field, type a logon domain name in the Domain field, and then click Next.
8. On the Screen Options page, select a screen resolution. The minimum screen size recommended for sufficient desktop space in the Terminal Services session is 800 X 600. Click Next.
9. On the Connection Properties page, click Enable data compression if you plan to work over a slow WAN link (such as a modem).
10. Click Cache Bitmaps if you want to save frequently used bitmaps to your local hard disk, and then click Next.
11. On the Starting a Program page, select Start the following program if you want to start a program or script at Terminal Services session logon. Click Next.
12. On the Icon and Program Group page, confirm or change the icon in the Icon field and program group in the Program group field, and then click Next.
13. Click Finish, and then start the connection from the Terminal Services Client program group.
You may now log onto and create a Terminal Services session. You will interact with the Small Business Server computer as if you were sitting at the actual console. For example, you might view the Microsoft Active Directory™ directory service Users and Computers console, as shown in Figure 16.4, to modify a user account.