The Best Damn Windows Server 2003 Book Period- P99 pps

Using the Terminal Services Configuration Tool

A listener connection (also called the RDP-Tcp connection) must be configured and exist on the server for clients to successfully establish Terminal Services sessions to that server. Administrators use the Terminal Services Configuration tool to create new listener connections and configure the ones that currently exist. This tool can also be used to configure connections for ICA (Citrix) clients using IPX, SPX, Asynchronous, or NetBIOS as well as TCP. Finally, the Configuration tool is also used to configure some server policy settings.

Microsoft recommends that you use Group Policy to configure Terminal Services connection settings, if possible. However, the Configuration tool enables you to specify settings separately for multiple connections on the same computer, something that you can't do with Group Policy. You can also use the Configuration tool for terminal servers that run pre-Windows Server 2003 operating systems.

Understanding Listener Connections

Listener connections can be configured for RDP only over TCP/IP, and only one listener can be configured for each network interface card (NIC) in the Terminal Services computer. By default, the RDP-Tcp listener is created bound to all of the NICs in the server. If the server has more than one NIC, an administrator can configure the default listener connection to be associated with only one NIC, and create new listener connections for each of the other NICs in the Terminal Services computer. You must be a member of the Administrators group, or be delegated the authority, in order to create new listener connections. Creating new listener connections might be desirable if each NIC is attached to a separate segment, and only certain users should be enabled to access the Terminal Services computer from each segment. Permissions can be granted within the listener connection that specify who can and cannot connect.

By default, all users are configured to connect using terminal servers. If you disable this in a user's properties, he or she will not be able to access any Terminal Services. If you want to enable a user to connect, but only from one segment that is attached to the terminal server, you can use the permissions associated with a listener connection to accomplish this.

Figure 27.12 The Processes Tab in Terminal Services Manager

In truth, it's pretty unusual for people to create their own listener connections, so the following section focuses on how to configure existing ones. All of the settings that relate to configuring listener connections also relate to settings you provide when you create one. You should also note that the term "listener connection" is an older term that is not used in Windows 2003. The Windows 2003 documentation refers to it as an RDP-TCP connection. We're using it here because there is no distinction made in the Windows Server 2003 Help files between a connection as configured in the Terminal Services Configuration tool, and a connection made from a client to Terminal Services running on a server. While we'll be using the term "listener connection" to help you keep them straight, the exam may not be so kind.

Modifying the Properties of an Existing Connection

To modify an existing listener connection, open the Terminal Services Configuration tool from the Administrative Tools folder in the Windows Start | Programs menu, and follow these steps:

1. In the tree view on the left pane of the Configuration tool, click the Connections node.
2. Existing listener connections should appear in the Results pane on the right side of the screen.
3. The default listener connection that is created during installation is entitled RDP-Tcp. Right-click this (or any other listener connection you may have) and click Properties.

This will open a multi-tabbed dialog box with which you can configure the settings for this connection. We will discuss each tab in detail in the following sections. The most important thing to remember is that every property you set affects all users who connect through the listener connection. Many of the property settings for a listener connection can also be set at the client and user account property levels. By default, the listener connections are almost always set to defer to the client- or user-level setting. This is to give you greater granularity of control. If you change these settings to be applied at the listener connection level, the client and user account-level settings will be ignored.

Now let's look at each of the tabs in the RDP-Tcp Properties dialog box. Keep in mind that you must be an administrator, or be delegated the proper authority, to change the settings we discuss in the following sections.

The General Tab

This tab identifies the connection type (RDP-Tcp) and RDP version number. There is a Comment text box in which you can store information for administrative purposes. More importantly, this tab enables you to specify the level of encryption that will be required for connection to Terminal Services. The default encryption setting is Client Compatible. This setting attempts to use the maximum level of encryption allowed on the client. If you have multiple clients that use different encryption levels, this is the preferred setting. The other possible settings are:

■ Low (56 bit)
■ High (128 bit)
■ FIPS Compliant

All encryption levels use RC4 encryption. If you select High, any client that does not support 128-bit encryption will be unable to connect. The same will be true if you select Low and the client cannot support 56-bit encryption.

FIPS stands for Federal Information Processing Standard and should be used where required for work with the government. If the System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing Group Policy has been enabled, you will not be able to change the encryption level using the Configuration tool. Remember that Group Policy settings take precedence over settings made with the Configuration tool.

The bottom of the tab contains a check box entitled Use standard Windows authentication. It is not checked by default, and under normal circumstances selection of this check box is not required. However, if you have installed a third-party authentication provider, but you want to use Windows authentication for Terminal Services connections instead of the third-party provider, check this box. The General tab is shown in Figure 27.13.

Figure 27.13 The General Tab in the RDP-Tcp Connection's Properties

The Logon Settings Tab

All Terminal Services clients are capable of providing log-on information to the Terminal Services computer. Typically, this includes a user name, password, and domain. The default setting on this tab, Use client-provided logon information, ensures that the credentials passed from the client are accepted at the server. If no credentials are passed, or incorrect credentials are passed, the user will be prompted for valid log-on information.

The other major option on this page is entitled Always use the following logon information:. When selected, it enables the User name:, Domain:, Password:, and Confirm password: text boxes. Information entered in these fields will be used for logon. This will enable users to log on to the server automatically, without providing credentials. It is important to remember that settings made at the listener connection level affect everyone who connects using the NIC or NICs to which it is bound. As a result, if this option is enabled, everyone attempting to establish a session through this listener connection will be logged on with the same credentials. This will make it virtually impossible to audit "who did what" later. If the credentials typed into these text boxes are incorrect, the users will still be prompted for valid log-on information. It is usually best for automatic log-on credentials to be set at the client level.

The last setting on this page is entitled Always prompt for password. If it is selected, the password in the Password: and Confirm password: fields will be ignored and the user will be prompted to supply a valid password. The Logon Settings tab is displayed in Figure 27.14.

Figure 27.14 The Logon Settings Tab in the RDP-Tcp Connection's Properties

The Sessions Tab

The Sessions tab enables you to control how long a user may remain actively connected to a session and how long a disconnected session should be allowed to remain on the Terminal Services computer. Even though they are not active, disconnected sessions can use substantial resources on the Terminal Services computer because applications are still running on them. Depending on your environment, it may be advisable to terminate them after a specific period of time.

By default, most of the settings on this page are configured to use the user account property settings and several settings are grayed out. This can be overridden by selecting the check box next to Override user settings. When user settings are overridden, several settings are no longer grayed out; these include:

■ End a disconnected session: Used to specify the amount of time a disconnected session can remain running on the Terminal Services computer.
■ Active session limit: Used to specify the amount of time an actively used session can remain connected and in use.
■ Idle session limit: Used to specify the amount of time an idle session can remain connected to the Terminal Services computer.

Each of these settings has a drop-down box that follows it. The drop-down box contains a range from Never (the default) to 2 days. If you select Never, sessions will be allowed to continue indefinitely. If the setting you prefer is not listed in the box, you can type it in and it will be added. For instance, if you type in 5 days, a new entry (5 days) will appear in the box and be selected. Just be certain to follow the correct format when typing it in, as shown in the other entries (<number> <minutes/hours/days>).

The next configuration item on the screen is When a session limit is reached or connection is broken:. This setting contains two possible options and relates to the Active session limit: and Idle session limit: settings. When one of these limits is reached, you can choose to have the user disconnected from the session, but leave the session running until the End a disconnected session: limit is reached, by choosing the radio button next to the Disconnect user from session option. Or, you can choose to simply have the session terminated by selecting the radio button next to End session. If you do this, applications that are running will be shut down and data may be lost.

The final setting on this tab is Allow reconnection:. You can use it to specify whether a user can reconnect to a session only from the original client that was used to establish it (From previous client) or from any client (From any client). This setting can be used only with ICA (Citrix) clients. If you do not have ICA clients, this option will be grayed out.

Remember that all of these time limits apply to all users who log on to the terminal server using this connection. Also remember that all of these settings can also be made using Group Policy (Microsoft's recommended method). The Sessions tab is shown in Figure 27.15.

Figure 27.15 The Sessions Tab in the RDP-Tcp Connection's Properties

The Environment Tab

This tab can be used to specify that upon connection, the user should see only a running application, instead of receiving the default desktop. It can also be used to provide a custom shell or run a batch script, which in turn calls the desktop. By default, the setting is configured to be inherited from the client or user account properties. If you override the client and user settings at the listener connection level, two previously grayed out text boxes become activated:

■ Program path and file name: is used to enter the full path to the program, including the name of the executable file.
■ The Start in: text box is where you can enter a working directory for the application if it requires one. This is often the same folder that contains the executable.

The Environment Tab is shown in Figure 27.16.

Figure 27.16 The Environment Tab in the RDP-Tcp Connection's Properties

The Remote Control Tab

As mentioned in the Terminal Services Manager section of the chapter, remote control is a feature that enables an administrator to connect to, view, and interact with a user's session. It is ideal for remote troubleshooting or educating a user on the proper way to do something without leaving your desk. The default setting on this tab is Use remote control with user default settings, which accepts the remote control configuration settings stored in the properties of a user's account. The second option on this tab, Do not allow remote control, blocks any use of remote control and should be used in secure environments where this might be necessary.

Finally, you can select the third option to both enable remote control and customize its settings at the listener connection level, instead of at the user property level. This setting is entitled Use remote control with the following settings: and when chosen it activates a number of options. As with all listener-level configurations, these settings will apply to all users who connect to the terminal server using this connection.

You can choose to enable remote control of a session with or without the user's permission by selecting or deselecting the check box next to Require user's permission. If this box is checked, a message will be displayed on the client, requesting permission to view or control the session. You can specify the level of control you have over the sessions by selecting the radio button next to the appropriate option. The first option, View the session, enables you to see the user's desktop but does not enable you to provide any input to it. The second option, Interact with the session, enables you to view the desktop and provide cursor and keyboard input. Any changes you make to the Remote Control settings won't apply to sessions that are already connected when you make the changes. The Remote Control tab is shown in Figure 27.17.

Figure 27.17 The Remote Control Tab in the RDP-Tcp Connection's Properties

The Client Settings Tab

Remember that when you connect to a Terminal Services session, you are really working on the server. The desktop that is displayed on your local system reflects what is happening on the server. When you open Windows Explorer, the local drives displayed are actually the server's disk drives. The Client Settings tab contains a number of settings that can be used to make your local client resources (disk drives, printers, bar code scanner, etc.) also available from within your session.

As with many of the settings on these tabs, some of the configuration items default to settings at the user account property level. To override these settings at the listener connection level (that is, for all users using this connection), clear the check box next to Use connection settings from user settings. The settings include the following:

■ Connect client drives at logon Makes your mapped local client's drives accessible from within Windows Explorer, Save As, and Open windows in the session. Note that this option is available for clients running any edition of Windows Server 2003; it is not supported for other clients.
■ Connect client printers at logon Makes the mapped printers installed in your local client's Printers folder accessible within the session.
■ Default to main client printer Makes the default printer in the session the same as the default printer that is specified on the client computer. If you don't select this option, the default printer for the session will be the server's default printer.

It is important to realize that these settings can cause substantial additional bandwidth to be used. When you access client drives from within your session, the data must transfer from the client system to the Terminal Services computer. Likewise, when you print to a client-attached printer from within a session, the print job must transfer from the Terminal Services computer to your local client. In most cases, these transfers occur outside the RDP protocol and can consume substantial additional bandwidth.

The next section on this tab contains the Limit Maximum Color Depth drop-down box. This can be used to specify the maximum color bit depth settings that will be available for connecting clients and overrides the settings in the client software. Even if a client asks to use a higher setting in a session, and is capable of doing so, it will not be allowed. The higher the bit depth settings, the more bandwidth consumed. The available settings are: 8, 15, 16, and 24 bit.

The final section on the tab is entitled Disable the following:, and contains settings that enable you to prevent certain types of communication from occurring between the client and server or being made available within the session. The options include the following:

■ Drive mapping Blocks connection to and use of client drives from within a session. You might be asking yourself how this differs from the previous similar setting. If Connect client drives at logon is not selected, the drives will not be added to the session upon connection, but this does not prevent them from being manually added later. Disabling them here prevents this. Drive mapping is enabled by default.
■ Windows printer mapping Blocks connection to and use of client printers from within Windows. If you want to block all use of client printers, you should also be sure to disable LPT port mapping and COM port mapping. The Windows printer mapping setting will not prevent someone from connecting to the client printer manually at the command prompt using LPT port mapping or COM port mapping. Printer mapping is enabled by default.
■ LPT port mapping Blocks connection to and use of devices connected to the LPT ports on the local client computer and makes these ports unavailable in the port list of the Add Printer Wizard. LPT port mapping is enabled by default.
■ COM port mapping Blocks connection to and use of devices (including printers) connected to the COM ports on the local client computer and makes COM ports unavailable in the port list of the Add Printer Wizard. COM port mapping is enabled by default.
■ Clipboard mapping Prevents clipboard synchronization between the remote session and the local client operating system. Although clipboard mapping can be very convenient, it can be very bandwidth intensive and may be too resource intensive for a thin client environment. When enabled, it essentially results in a shared clipboard between the session running on the Terminal Services system and the local operating system, which can be used for copying and pasting data between applications on the local machine and applications on the terminal server. When data is copied to one of the clipboards, it is transferred across the network to the other machine (note that you do not have full clipboard functionality between the local computer and terminal server; you can only copy and paste data, not files and folders).
■ Audio mapping Prevents the transmission of audio information from the Terminal Services computer to the local client's audio subsystem. Audio mapping is disabled (the box is checked) by default.

The Network Adapter Tab

As mentioned previously, only one listener connection can be associated with each NIC in the Terminal Services computer. However, by default one listener connection is associated with all NICs in the system. On this tab, you can specify with which NIC the listener connection is associated. The top of the tab has a Network Adapter: drop-down box, which contains an entry for each NIC as well as an entry for All network adapters configured for this protocol. Remember that by default, there is only one set of protocols enabled, RDP over TCP/IP. The lower portion of the tab enables you to specify the maximum number of sessions that can connect to this listener connection at any given time. If you have not installed the terminal server role, the maximum number in this box is 2 (which is the limit for Remote Desktop for Administration). If the terminal server role is installed, you can select Unlimited connections or set a number in the Maximum connections box to prevent overloading the terminal server.

The Permissions Tab

As we mentioned earlier, you can set access permissions on each listener connection. This is accomplished using settings contained in the Permissions tab. The tab contains a standard Windows access control list, but the permissions available differ from those found elsewhere and are shown in Table 27.2. It's important to note that by clicking the Advanced button, you can set specialized permissions and enable auditing for Terminal Services connections.

Table 27.2 Standard Permissions

Standard Permission: Full Control
What the Permission Allows:
■ Lets you query to find out information about a session.
■ Lets you change connection parameters.
■ Lets you terminate a session using Reset.
■ Lets you take control of another user's session.
■ Lets you log on to a session that is running on the server.
■ Lets you log off another user from an existing session.
■ Lets you send a message to another user within an existing session.
■ Lets you connect to an existing session.
■ Lets you disconnect another user's session.
■ Lets you use virtual channels to provide access to client devices from a program on the server.

Standard Permission: Service
What the Permission Allows:
■ Lets the service query to find out information about a session.
■ Lets the service send a message to another session.

Standard Permission: User Access
What the Permission Allows:
■ Lets you log on to a session that is running on the server.
■ Lets you query to find out information about a session.
■ Lets you send messages to another user within an existing session.
■ Lets you connect to an existing session.

Standard Permission: Guest Access
What the Permission Allows:
■ Lets you log on to a session that is running on the server.
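The General, Logon Settings, Sessions, Remote Control, Client Settings, and Network Adapter tabs described above all store their values under the listener's WinStations registry key, and the Group Policy copies of the same values override them. The following PowerShell script is an added example, not code from the book or from Microsoft: it reads those values for one listener, displays them the way the Configuration tool does (encryption level by name, time limits as "<number> <minutes/hours/days>"), and flags the settings a defender normally reviews (Low encryption, a shared auto-logon account, disconnected or idle sessions that are never ended, remote control without the user's permission, client device mapping left enabled). It assumes Windows Server 2003 with Windows PowerShell 2.0 or later and a local administrator session; the registry value names and the meaning of their numeric values are taken from the documented WinStation settings, and the Get-TSSetting, Format-TSLimit, Get-TSListenerAudit and Add-Row function names are this example's own. The script only reads; it changes nothing.

```powershell
# Added example (not from the book): read-only audit of one Terminal Services listener.
# Assumes Windows Server 2003, Windows PowerShell 2.0 or later, run as a local administrator.
# Value names are the documented WinStation registry settings; the Group Policy copies
# under the Policies key take precedence, exactly as the chapter notes.

$WinStationsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
$TSPolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Reads one setting for a listener, preferring the Group Policy copy when one exists.
# Returns @{ Value = ...; Source = ... } or $null when the value is not set anywhere.
function Get-TSSetting([string]$Listener, [string]$Name) {
    $candidates = @(
        @{ Path = $TSPolicyKey;                          Source = 'Group Policy' },
        @{ Path = (Join-Path $WinStationsKey $Listener); Source = 'TS Configuration' }
    )
    foreach ($c in $candidates) {
        $item = Get-ItemProperty -Path $c.Path -Name $Name -ErrorAction SilentlyContinue
        if ($item -ne $null) { return @{ Value = $item.$Name; Source = $c.Source } }
    }
    return $null
}

# Session limits are stored in milliseconds with 0 meaning Never; the Configuration
# tool shows them as "<number> <minutes/hours/days>", so render them the same way.
function Format-TSLimit([long]$Milliseconds) {
    if ($Milliseconds -le 0) { return 'Never' }
    $minutes = [math]::Floor($Milliseconds / 60000)
    if ($minutes -ge 1440 -and $minutes % 1440 -eq 0) { return "$($minutes / 1440) days" }
    if ($minutes -ge 60   -and $minutes % 60 -eq 0)   { return "$($minutes / 60) hours" }
    return "$minutes minutes"
}

# Display names for the numeric encryption level and remote control (Shadow) values.
$EncryptionNames = @{ 1 = 'Low (56 bit)'; 2 = 'Client Compatible'; 3 = 'High (128 bit)'; 4 = 'FIPS Compliant' }
$ShadowNames = @{
    0 = 'Do not allow remote control'
    1 = 'Interact with the session, permission required'
    2 = 'Interact with the session, no permission'
    3 = 'View the session, permission required'
    4 = 'View the session, no permission'
}

function Get-TSListenerAudit([string]$Listener = 'RDP-Tcp') {
    $rows = New-Object System.Collections.ArrayList

    # One row per setting. $Show renders the raw value, $Flag returns a finding or ''.
    # $Inherit names the fInherit* flag that, when 1, means the listener defers to the
    # user-account (or client) value, so the listener's own value is ignored.
    function Add-Row([string]$Tab, [string]$Name, [scriptblock]$Show, [scriptblock]$Flag, [string]$Inherit) {
        $r   = Get-TSSetting $Listener $Name
        $row = New-Object PSObject -Property @{ Tab = $Tab; Setting = $Name; Value = '(not set)'; Source = ''; Finding = '' }
        if ($r -ne $null) {
            $row.Value   = & $Show $r.Value
            $row.Source  = $r.Source
            $row.Finding = & $Flag $r.Value
        }
        if ($Inherit) {
            $i = Get-TSSetting $Listener $Inherit
            if ($i -ne $null -and $i.Value -eq 1) { $row.Finding = 'Inherited: user-account or client setting applies instead' }
        }
        [void]$rows.Add($row)
    }

    $asIs    = { param($v) "$v" }
    $yesNo   = { param($v) if ($v -eq 1) { 'Yes' } else { 'No' } }
    $limit   = { param($v) Format-TSLimit $v }
    $mapping = { param($v) if ($v -eq 0) { 'Enabled' } else { 'Disabled' } }
    $none    = { param($v) '' }

    Add-Row 'General' 'MinEncryptionLevel' { param($v) $EncryptionNames[[int]$v] } `
        { param($v) if ($v -eq 1) { 'Low accepts 56-bit RC4; prefer High or FIPS where clients allow' } else { '' } }
    Add-Row 'Logon Settings' 'UserName' $asIs `
        { param($v) if ("$v" -ne '') { 'Shared auto-logon account: every session logs on as this user, so who did what cannot be audited' } else { '' } } 'fInheritAutoLogon'
    Add-Row 'Logon Settings' 'fPromptForPassword' $yesNo $none
    Add-Row 'Sessions' 'MaxDisconnectionTime' $limit `
        { param($v) if ($v -eq 0) { 'Disconnected sessions keep running indefinitely' } else { '' } } 'fInheritMaxDisconnectionTime'
    Add-Row 'Sessions' 'MaxConnectionTime' $limit $none 'fInheritMaxSessionTime'
    Add-Row 'Sessions' 'MaxIdleTime' $limit `
        { param($v) if ($v -eq 0) { 'Idle sessions are never disconnected' } else { '' } } 'fInheritMaxIdleTime'
    Add-Row 'Sessions' 'fResetBroken' { param($v) if ($v -eq 1) { 'End session' } else { 'Disconnect user from session' } } $none 'fInheritResetBroken'
    Add-Row 'Remote Control' 'Shadow' { param($v) $ShadowNames[[int]$v] } `
        { param($v) if ($v -eq 2 -or $v -eq 4) { "Remote control without the user's permission" } else { '' } } 'fInheritShadow'
    # Client Settings "Disable the following:" boxes: drives, printers, LPT, COM, clipboard, audio.
    foreach ($name in 'fDisableCdm', 'fDisableCpm', 'fDisableLPT', 'fDisableCcm', 'fDisableClip', 'fDisableCam') {
        Add-Row 'Client Settings' $name $mapping { param($v) if ($v -eq 0) { 'Client device mapping enabled on this listener' } else { '' } }
    }
    # 0xFFFFFFFF reads back as -1 through the registry provider; both mean Unlimited connections.
    Add-Row 'Network Adapter' 'MaxInstanceCount' { param($v) if ($v -eq -1 -or $v -eq 4294967295) { 'Unlimited' } else { "$v" } } $none

    return $rows
}

# Usage: run on the terminal server and review the rows whose Finding column is not empty.
Get-TSListenerAudit 'RDP-Tcp' | Format-Table Tab, Setting, Value, Source, Finding -AutoSize
```

Because Get-TSSetting checks the Policies key first, the Source column tells you whether a value is one the Configuration tool can still change or one that Group Policy has locked, which is the distinction the chapter makes about precedence; a row marked Inherited is one where the dialog's "use user/client settings" default is still in force and the per-user account properties are what actually apply.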
Terminal Services Configuration Server Settings

The Server Settings node in Terminal Services Configuration controls a number of server-wide settings that affect all sessions running on the server. In an Active Directory environment, these settings can also be configured using Group Policy. If configured in both Group Policy and within Terminal Services Configuration, the Group Policy settings will take precedence.

To configure these settings, click the Server Settings node in the tree view in the left pane of the Terminal Services Configuration tool. The configuration options, described below, will appear in the Results pane on the right side of the screen. To configure one of the options, right-click it and select Properties from the context menu. If the option is a simple Yes/No setting, the context menu will contain whichever selection is the opposite of the current configuration setting and can be changed from this menu.

■ Delete temporary folders on exit Deletes a session's temporary folder when the user logs off. This setting is configured to Yes by default.

Posted: 05/07/2014, 00:20
