The Best Damn Windows Server 2003 Book Period- P100 ppsx


■ Use temporary folders per session: Creates a separate temporary folder for each new user session created on the server. This typically does not need to remain on the server after the session has been terminated. This setting is configured to Yes by default.
■ Licensing: Allows the administrator to configure the server as a terminal server or Remote Desktop for Administration computer. This setting is configured to Remote Desktop for Administration if the terminal server role has not been installed. If it has, this setting reflects the licensing choice made when you installed the terminal server role (per Device or per User) and can be changed here.
■ Active Desktop: Enables the use of Active Desktop technologies in Terminal Services sessions. These desktops can use considerably more bandwidth than traditional desktops. This setting is configured to be enabled by default.
■ Permission Compatibility: Full Security is the only choice available for Remote Desktop for Administration. A second mode, Relaxed Security, is added when the terminal server role is installed on the server, which loosens security to accommodate older Windows computers and legacy applications. This is configured as Full Security by default.
■ Restrict each user to one session: Can be used to ensure that users do not establish more than one session to a Terminal Services system. Savvy users may be able to work around this setting by specifying a different program to start upon connection for each different session.

User Account Extensions

Windows 2003 user accounts contain four property tabs that are designed for the control of the Terminal Services session at the user level. The tabs are entitled Terminal Services Profile, Sessions, Environment, and Remote Control. The same tabs exist in domain and local user accounts. The same tabs are present whether the Terminal Services computer is configured for Remote Desktop for Administration or the terminal server role. You can use these dialog boxes to control Terminal Services settings on a per-user basis. The settings you make here will apply only to that user account.

To access these tabs, right-click the user account you wish to configure in either the Active Directory Users and Computers, Computer Management, or Local Users and Groups MMC snap-in. From the context menu, select Properties and click the appropriate tab.

The Terminal Services Profile Tab

The bottom of the Terminal Services Profile tab contains perhaps the most important check box contained on any of the Terminal Services property tabs, Allow logon to terminal server. This check box is selected by default on all user accounts and enables any user to log on and use either Remote Desktop for Administration (if his or her account is added to the Remote Desktop Users list) or the terminal server. If you want to prevent a single user from accessing Terminal Services, simply clear this check box in the user’s account properties.

966 Chapter 27 • Managing and Troubleshooting Terminal Services 301_BD_W2k3_27.qxd 5/14/04 12:21 PM Page 966

The top section of this tab enables you to specify a separate profile and home directory for use when the user is logged on to a Terminal Services session. By default, these are blank. That means that the effective settings come from the Profile tab in the user’s properties. The Profile tab was originally intended to be used to specify the profile and home directory locations when the user is logged on locally.

Many companies leave the Terminal Services Profile tab blank, allowing the settings on the user’s Profile tab to be the effective settings whether the user is logged on locally or with Terminal Services. Because the user’s profile contains that user’s desktop settings, sometimes a user can get confused when logging on to a session and finding a different desktop than when logged on locally. Likewise, if the user saves files to the home directory all day long and then is connected to a different home directory when using Terminal Services, this can be confusing. Figure 27.18 shows the Terminal Services Profile tab on a user’s account properties.

Figure 27.18 The Terminal Services Profile Tab in a User’s Properties

The Sessions Tab

The Sessions tab in the user’s properties contains many of the same settings that we saw while we were examining the Terminal Services Configuration tool. At that level, they applied to all users connecting over a specified connection to the server. Here they apply to only one user. Thus, if the Override user settings check box is selected on any of the settings at the connection level, those that are set here at the user level are ignored. Likewise, if the defaults are left in place at the connection level, the configurations in the user’s properties are the effective settings. The settings on this tab include the following:

■ End a disconnected session (select a duration from Never to 2 days)
■ Active session limit (select a duration from Never to 2 days)
■ Idle session limit (select a duration from Never to 2 days)
■ When a session limit is reached or broken:
    ■ Disconnect from session
    ■ End session
■ Allow reconnection:
    ■ From any client
    ■ From originating client only

Again, the settings on this tab affect only the user whose properties are being modified.
However, they perform the exact same actions as described in the Terminal Services Configuration section. This tab is displayed in Figure 27.19.

Figure 27.19 The Sessions Tab in a User’s Properties

The Environment Tab

As with the Sessions tab, the settings on the Environment tab in the user’s properties are identical to several settings we’ve already seen in the Terminal Services Configuration tool. As with the Sessions tab, when overridden at the connection level or by Group Policy, the settings on this tab are ignored. However, by default they are the effective settings. The top section of the tab contains the Start the following program at logon check box, which is not selected by default. When selected, the Program file name: and Start in: text boxes are enabled. The Program file name: text box corresponds to the Program path and file name: text box on the Environment tab in the Terminal Services Configuration tool. Likewise, the Start in: text box is identical to the box of the same name on that tab in Terminal Services Configuration. Refer to the Terminal Services Configuration section of this chapter for more information about how to use these.

The lower section of the Environment tab in the user’s properties also contains settings identical to several we’ve already discussed in the section on the Client Settings tab in the Terminal Services Configuration tool. These include the following:

■ Connect client drives at logon
■ Connect client printers at logon
■ Default to main client printer

Again, by default the user’s settings are effective unless overridden with the Terminal Services Configuration tool or by Group Policy. The Environment tab is shown in Figure 27.20.

Figure 27.20 The Environment Tab

The Remote Control Tab

As with the previous two tabs, the settings on the Remote Control tab also mirror those in the Terminal Services Configuration tool and were described in that section of this chapter. As with the other settings, the default is for the settings at the user property level to be effective. As we saw earlier, these settings can be overridden at the connection level using Terminal Services Configuration if desired, or by Group Policy. The following settings are available at the user property level:

■ Enable remote control
■ Require user’s permission
■ Level of control:
    ■ View the user’s session
    ■ Interact with the session

For more detailed information on each of these settings, refer to the Terminal Services Configuration section of the chapter. The Remote Control tab is shown in Figure 27.21.

Using Group Policies to Control Terminal Services Users

There are over 900 group policy settings in Windows 2003, of which approximately 50 relate specifically to Terminal Services components. There are separate settings that can be applied at the computer and user levels, as well as separate settings for Terminal Services and RA. Virtually all of the actions performed by these settings have already been described, because similar settings exist on many of the tabs and property sheets we’ve already discussed.
Terminal Services settings can be found in the following locations within the Group Policy Object Editor:

■ Computer Configuration | Administrative Templates | Windows Components | Terminal Services
■ Computer Configuration | Administrative Templates | System | Remote Assistance
■ User Configuration | Administrative Templates | Windows Components | Terminal Services

Some of the key Group Policy settings that have not already been covered elsewhere in this chapter include the following:

■ Deny log off of an administrator logged in to the console session, which can be used to prevent the automatic logoff of the administrator currently using the Terminal Services computer’s console session by another administrator attempting to connect to it. Remember that by default, only one administrator can be logged on and viewing the console session at a time. When an administrator attempts to connect, by default any currently connected administrator is logged off and all unsaved work is lost. It is also important to note that the console session is the only one that cannot be used with Remote Control, in either View Only or Interaction mode.

Figure 27.21 The Remote Control Tab in a User’s Properties

■ Remove Windows Security item from Start menu, which can be used to control how a user may terminate his or her session. The Windows Security dialog is the dialog box that comes up on a local system when you use the key combination CTRL + ALT + DEL.
Because this key combination is never redirected to a remote session, Microsoft puts a link to it on the Start menu in a session. The Windows Security dialog box contains buttons for locking the remote desktop, logging off, shutting down (if you have the appropriate permissions and this is not grayed out, it will shut down the Terminal Services computer, not the local computer), changing your password, and accessing Task Manager on the Terminal Services computer. It may be appropriate in your environment to remove this link for security or log-off control purposes. However, even if this link is not present, the key combination CTRL + ALT + END can be used to bring up the Windows Security dialog box within the terminal session.
■ Remove Disconnect option from Shut Down dialog, which enables you to remove the disconnect option from the Shut Down Windows dialog box. This dialog box appears when you select Shut Down from the Windows Start menu or Windows Security dialog box. It is important to note that removing this option from the Shut Down dialog does not prevent someone from disconnecting. The user can still click the X button in the top right-hand corner of the Remote Desktop window to disconnect.

There are many more Group Policy templates that can be used to control Terminal Services. For some settings, Group Policy is the only way to configure a particular setting. For example, you can specify whether to allow time zone redirection, prevent license upgrade, or enable users to offer remote assistance.

Using the Terminal Services Command-Line Tools

In addition to the graphical tools and clients described earlier, Windows 2003 also provides a number of command-line utilities for both administrators and end users to manage connections. The primary benefit of these command-line tools is that they can be used in scripts to automate Terminal Services tasks. The basic set of commands, as listed in the Windows Server 2003 Help files, is described in Table 27.3.

Table 27.3 Terminal Services Command-Line Tools

Command            Description
change logon       Temporarily disables logons to a terminal server
change port        Used to change COM port mappings for MS-DOS program compatibility
change user        Changes the .ini file mapping for the current user
Cprofile           Removes user-specific file associations from a user profile
Flattemp           Enables or disables flat temporary directories
Logoff             Logs off a user from a session and deletes the session from the server
Msg                Sends a message to a user or group of users
Mstsc              Displays the Remote Desktop Connection to establish a connection with a terminal server
query process      Displays information about processes running on a terminal server
query session      Displays information about sessions on a terminal server
query termserver   Displays a list of all terminal servers on the network
query user         Displays information about user sessions on a terminal server
Register           Registers applications to execute in a global context on the system
reset session      Resets a session to known initial values
Shadow             Monitors another user’s session
Tscon              Connects to another existing terminal server session
Tsdiscon           Disconnects a client from a terminal server session
Tskill             Ends a process
Tsprof             Copies user configuration and changes profile path
Tsshutdn           Shuts down a terminal server

Use Terminal Services Manager to Reset a Session

1. Open Terminal Services Manager from Administrative Tools in the Windows Start | Programs menu.
2. If necessary, expand the This Computer node.
3. If necessary, expand the node that corresponds to the name of your Windows 2003 server.
4. Right-click the session you wish to terminate.
5. In the context menu that appears, select Reset.
6. Close Terminal Services Manager.
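
The same reset can be scripted with the query session and reset session commands from Table 27.3. The following Python script is an added example, not code from the book: it parses query session output and builds reset session commands for sessions left in the Disc (disconnected) state. The sample output, the server name TS01 and the keep-list are constructed for illustration.

```python
"""Flag disconnected Terminal Services sessions from `query session` output."""
import re

# Constructed sample of `query session /server:TS01` output (not from the book);
# the server name, users and column layout are assumptions for illustration.
SAMPLE = """\
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
>console           Administrator             0  Active  wdcon
 rdp-tcp                                 65536  Listen  rdpwd
 rdp-tcp#1         jsmith                    1  Active  rdpwd
                   mbrown                    2  Disc    rdpwd
                   Administrator             3  Disc    rdpwd
"""

# After the optional session name: optional user name, numeric ID, state word.
ROW = re.compile(r"^(?P<user>.*?)\s*(?P<id>\d+)\s+(?P<state>[A-Za-z]+)\b")
# Host names only, so nothing else can be smuggled into the /server: argument.
SERVER_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,62}$")


def parse_sessions(text):
    """Return one dict per session row; header and unparsable lines are skipped."""
    sessions = []
    for line in text.splitlines():
        if not line.strip() or "SESSIONNAME" in line:
            continue
        body = line[1:]        # column 0 holds ' ' or '>' (the caller's own session)
        name = ""
        if body[:1].strip():   # a session name, when present, starts in column 1
            name, _, body = body.partition(" ")
        match = ROW.match(body.strip())
        if match:
            sessions.append({
                "name": name,
                "user": match["user"],
                "id": int(match["id"]),
                "state": match["state"],
                "current": line.startswith(">"),
            })
    return sessions


def disconnected(sessions, keep_users=()):
    """Sessions in the Disc state, except those owned by users in keep_users."""
    keep = {user.lower() for user in keep_users}
    return [s for s in sessions
            if s["state"] == "Disc" and s["user"].lower() not in keep]


def reset_commands(sessions, server, keep_users=()):
    """Build one `reset session <id> /server:<name>` argument list per hit."""
    if not SERVER_NAME.match(server):
        raise ValueError("unexpected characters in server name: %r" % server)
    return [["reset", "session", str(s["id"]), "/server:" + server]
            for s in disconnected(sessions, keep_users)]


if __name__ == "__main__":
    found = parse_sessions(SAMPLE)
    for argv in reset_commands(found, "TS01", keep_users=["Administrator"]):
        # On an administrative workstation, pass argv to subprocess.run()
        # as a list so no shell ever parses the server name.
        print(" ".join(argv))
```

Resetting a session ends it without saving the user's work, so review the printed commands before running any of them.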

Troubleshooting Terminal Services

Troubleshooting Terminal Services components is never an easy task. The complexity of Terminal Services often makes for strange occurrences, which are difficult to track down, so this section contains a number of troubleshooting tips you can use to find and solve Terminal Server problems.

The most important keys to understanding how to troubleshoot Terminal Services come from all the background knowledge presented in this chapter. Knowing how it all works is essential to troubleshooting problems quickly and effectively.

Not Automatically Logged On

A common problem occurs when you want to be able to automatically log on to the server, but you’re still prompted for your user credentials when you connect to the terminal server. There are a number of possible causes and solutions.

If you are using a Windows NT 4.0 Terminal Services client, be aware that these clients are not always able to detect and pass on the underlying system logon credentials to the Windows Server 2003 terminal server even if your system logon credentials are the same as those for the terminal server. In the NT 4.0 Client Connection Manager, configure Automatic logon on the General tab in the Properties box for the connection. Enter the appropriate logon credentials in the User name, Password and Domain text boxes.

If you are using a Windows 2000 TS client or the RDC client, it is possible that you entered the incorrect credentials on the General tab. If you mistyped the user name or password, the terminal server will not be able to verify your credentials and will prompt you for the correct ones. The solution is to edit the User name, Password, and/or Domain text box(es) on the General tab of the client utility.

Another possibility is that your client settings are configured correctly, but Group Policy is configured to require users to enter at least part of the credentials (the password). Group Policy settings override client settings. The only way to correct this is to remove the Group Policy setting that is enforcing this restriction.

“This Initial Program Cannot Be Started”

Occasionally a client may receive a message stating, “This initial program cannot be started.” At the client level, a user can specify that a program be launched when they connect to a server instead of receiving a desktop. Likewise, an administrator can specify this at the connection level for all users that connect to a specific listener connection. Finally, this can also be set in Group Policy.

The error may be caused by something as simple as an input error. You should first check to ensure that the path and executable names specified are correct. If you have entered them incorrectly, they will be pointing to a file that does not exist. This will make it impossible for Windows Server 2003 to launch the application.

Another possibility is that the correct permissions are not set on the executable file. If Windows cannot access the file, it will not be able to launch the program for you. You should verify that the appropriate read and execute permissions are applied to both the file and the working directory (if specified).

If neither of these two possible solutions resolves the issue, the application may have become corrupt. Try to launch the application from the server console. If it will not open, you may need to uninstall and reinstall the application.

Clipboard Problems

Ordinarily, when you copy text to the clipboard in a session, it is synchronized with the local clipboard on the client.
Because the text is available on each clipboard, it should be available to paste into local applications as well as applications running remotely in a session. You should note that it works the same way when you copy text to the clipboard locally. It is synchronized with the clipboard running in your Terminal Services session and can be used in either local or remote applications.

Microsoft states that there are instances in which text that is copied to the clipboard in a remote session cannot be pasted into an application on the local client. Currently, there is no fix available for this problem. First, try to reinstall the client application you are using. If it is still malfunctioning, try to uninstall the client application and reinstall it.

License Problems

For remote administration, licenses come built in to Windows Server 2003. The terminal server role, however, requires the installation and proper configuration of the terminal server licensing component. Because of this, license problems typically relate only to the terminal server role. If you receive messages similar to those below, you have license component problems.

■ The remote session was disconnected because there are no terminal server client access licenses available for this computer. Please contact the server administrator.
■ The remote session was disconnected because there are no Terminal Server License Servers available to provide a license. Please contact the server administrator.

Error messages such as these can indicate several different types of issues. First, verify that the license server is online and able to communicate on the network. It’s also important to verify name resolution during this step. Next, ensure that the license server component has been activated properly.
Check event logs on the license server and look for more subtle problems that simple connectivity checks will not spot. Verify that the license server has a sufficient number of valid client licenses for your network, and that the licenses are valid. The terminal server draws licenses from the license server, so you should also ensure that these two servers can communicate with each other.

Finally, don’t forget to check the clients. It is possible that the clients never received a valid license. By default, clients often receive temporary licenses that expire after 90 days and prevent further connections. If they did receive full licenses, the licenses may have become corrupt and need to be replaced or overwritten.

Date posted: 05/07/2014, 00:20
