
mcsa mcse exam 70-292 study guide part 2


271_70-292_01.qxd 36 8/21/03 12:40 PM Page 36 Chapter • Managing Users, Computers, and Groups

EXAM 70-292 OBJECTIVE 1.2, 1.2.1, 1.2.2

Creating and Managing User Accounts

Up to this point, we have discussed groups only. Groups can be used to collect large numbers of accounts for ease of administration. Networks exist to make the sharing of information easier. As in the previous discussion of groups, the following sections examine user accounts from the perspective of an Active Directory domain environment. Before discussing creating and managing user accounts, let’s examine the default user accounts that are found in the Windows Server 2003 environment.

Default User Accounts

Several default user accounts are created during the installation of Windows Server 2003 and the creation of an Active Directory domain. Table 1.6 lists the most common default user accounts that are created, although several more may be created depending on the specific applications and services installed on the computer.

Table 1.6 The Default User Accounts

User Name | User Description
Administrator | A built-in account that is provided for administering the computer and domain. This account is a member of the following groups: Administrators, Domain Admins, Domain Users, Enterprise Admins, Group Policy Creator Owners, and Schema Admins.
Guest | A built-in account that is used for guest access to the computer and domain. This account is a member of the following groups: Domain Guests and Guests. The guest account is disabled by default.
IUSR_computername | A built-in account that is used to allow anonymous access to Internet Information Services (IIS) resources. This account is a member of the following groups: Domain Users and Guests.
IWAM_computername | A built-in account that is used by IIS to start out-of-process applications. This account is a member of the following groups: Domain Users and IIS_WPG.
krbtgt | A built-in account that serves as the Kerberos Key Distribution Center (KDC) service account. This account is a member of the Domain Users group.
SUPPORT_xxxxxxxx | A built-in account that is used for the Help and Support Service. This account is a member of the following groups: Domain Users and HelpServicesGroup. The SUPPORT account is disabled by default.

www.syngress.com

Managing and Modifying User Accounts

It is fairly safe to say that, in most cases, a network administrator will work with user accounts on a daily basis in most networks. Users are the lifeblood of a network—the very reason the network exists is to provide information and other resources to users in a secure and efficient way. As such, there are several common tasks to perform when administering user accounts:

- Creating new user accounts
- Resetting a user account password
- Copying a user account
- Disabling or enabling a user account
- Configuring user account properties
- Deleting user accounts
- Assigning user rights and permissions to a user account

Each of these tasks is discussed in the following sections. We will also examine using two additional command line-based utilities to perform bulk import and export of Active Directory information, including user accounts.

EXAM 70-292 OBJECTIVE 1.2.1, 1.2.2

Creating New User Accounts

Creating new user accounts one at a time can be accomplished from either the Active Directory Users and Computers console or from the command line. The process to create a new user account from the Active Directory Users and Computers console is detailed in Exercise 1.11.

EXERCISE 1.11 CREATING A NEW USER ACCOUNT WITH ACTIVE DIRECTORY USERS AND COMPUTERS

1. Open the Active Directory Users and Computers console.
2. Expand the console tree until you locate the location in which you wish to create the new user. In our example, we are going to create a new user in the Sales Organizational Unit.
3. Right-click on the node where you want to create the new user and select New | User.
4. The New Object – User dialog box opens. Supply the user’s name and logon name and click Next to continue.

   Figure 1.30 Creating a New User Account

5. In the next window, as seen in Figure 1.31, supply the password for the user. Good practice dictates that the password assigned here be a temporary one by selecting the User must change password at next logon option, which is selected by default. If you are creating an account that is not to be used yet, network security can be increased by disabling it at this time. After entering your selections, click Next to continue.

   Figure 1.31 Specifying Password Related Items

6. You will be given the chance to review your configuration from a summary page. If all is well, click Finish to create the user. You can click Back to go back and make changes as required.

Alternatively, user accounts can be created one at a time from the command line using the dsadd command. The specific context to be used to create a new account is:

    dsadd user UserDN [-UPN UPN] [-samid SAMName] -pwd {Password|*}

The UserDN and SAMName modifiers have been previously explained. The UPN modifier specifies the user’s User Principal Name (UPN), such as user@mydomain.com; the pwd modifier specifies the account password, or if set as * specifies that you want to be prompted to enter the password. Figure 1.32 demonstrates using the dsadd command to create a new user, Roger Smith, in the Sales OU using the following command:

    dsadd user "CN=Roger Smith,CN=Users,DC=corp,DC=mcsaworld,DC=com" -UPN rogersmith@corp.mcsaworld.com -samid rogersmith -pwd *

Figure 1.32 Creating a New User from the Command Line

As seen in the example, we exercised the ability to specify a password at the time of account creation. A quick check of the Sales OU would determine that the new user, Roger Smith, was in fact created as indicated here. It should be noted that many other attributes of the user object that could have been supplied with the dsadd command were left out in this example. Appendix A has a complete listing and explanation of the available dsadd options.

Resetting the User Account Password

It happens more than any administrator wants to talk about: resetting user passwords. In some organizations with particularly challenging password complexity requirements, this can become a burden on network administrators. Even in those organizations where the password policies are not nearly as stringent, users will still forget their passwords. Additionally, the network administrator will oftentimes need to reset the password on an expired or locked out user account. Fortunately, you can quickly and easily reset a user’s password from within the Active Directory Users and Computers console as discussed in Exercise 1.12.

EXERCISE 1.12 RESETTING USER PASSWORDS WITH ACTIVE DIRECTORY USERS AND COMPUTERS

1. Open the Active Directory Users and Computers console.
2. Expand the console tree until you locate the user in question.
3. Right-click on the user and select Reset Password from the context menu to open the Reset Password dialog box seen in Figure 1.33.

   Figure 1.33 Resetting User Passwords Does Not Require You to Know the Current Password

4. Enter the new password. For enhanced security, select the User must change password at next logon option.
5. Click OK to reset the user’s password.

A user’s password can also be easily reset from the command line using the dsmod command with the following syntax:

    dsmod user UserDN -pwd NewPassword -mustchpwd {yes|no}

The -mustchpwd modifier denotes whether or not the user will be forced to change their password during the next logon attempt. Figure 1.34 demonstrates using the dsmod command to reset the password of user Roger Smith using the following command:

    dsmod user "CN=Roger Smith,CN=Users,DC=corp,DC=mcsaworld,DC=com" -pwd * -mustchpwd yes

Figure 1.34 Resetting the User Account Password from the Command-Line

Again, the password was supplied interactively during the reset procedure. Also, the user will be forced to change their password the next time they log on to the domain. Appendix A has a complete listing and explanation of the available dsmod options.

Head of the Class
Delegating Administrative Authority

Although referenced several times in this chapter, you may be wondering exactly what delegation is when it comes to Active Directory. It works the same way in Active Directory as it does in real life. Say, for example, that you are the department head in a large manufacturing conglomerate. You have thousands of people who work for you and an administrative assistant that helps to keep you on track, making sure that you get the things done that you need to. You might, in many cases, delegate some of your authority to your administrative assistant to allow them to handle some things for you and take some of the burden off your shoulders. This also allows a continuity of operations to a certain degree should you be unavailable for a period of time.

Active Directory works the same way. Users have specific user rights that are assigned to them through their membership in certain groups. Users can have specific explicit user rights configured on their accounts individually. The Delegation of Control Wizard allows you to easily and accurately delegate administrative responsibility to groups and users. For example, it is fairly common for members of the help desk staff to be delegated the ability to reset users’ passwords. This saves the higher-level network administrators from being burdened with low-level administrative tasks. This delegation can be easily accomplished in three easy steps:

1. Create a new group called Password Reset.
2. Place all applicable help desk member user accounts in the newly created group.
3. Run the Delegation of Control Wizard to delegate the right to reset user passwords to the Password Reset group.

Copying a User Account

Many organizations have standardized the way that they create and configure user accounts by creating an account template. An account template is nothing more than a user account that has been created and configured in a specific fashion and then used to create new accounts without the administrative burden of needing to configure each new account in a similar fashion. Although the need for this is somewhat offset by the diligent usage of groups and configuring rights and permissions on the group level, there may be the need to copy a user account, creating a new user account with the same features except that the new user account will possess a different SID. User accounts can be copied from the Active Directory Users and Computers console by performing the steps outlined in Exercise 1.13.

EXERCISE 1.13 COPYING USER ACCOUNTS FROM ACTIVE DIRECTORY USERS AND COMPUTERS

1. Open the Active Directory Users and Computers console.
2. Expand the console tree until you locate the user in question.
3. Right-click on the user and select Copy from the context menu to open the Copy Object – User dialog box as seen in Figure 1.35.

   Figure 1.35 Copying a User Account to Create a New User Account

4. You will need to supply the same information for the copy process as you did when creating a new user account.

By default, only the most common attributes are copied during the user account copy process. These include logon hours, workstation restrictions, and account expiration date. You can modify which attributes are copied to the newly created user from the Active Directory Schema snap-in. This is, however, beyond the scope of the 70-292 exam. There is no corresponding command line alternative for copying user accounts.

Disabling or Enabling a User Account

A network administrator may need to disable a user account for any number of reasons. Commonly, they will disable user accounts when the user is gone for an extended period of time, or as a security measure to keep unused accounts from becoming a weakness in their network security plan. The administrator can quickly disable a user account from the Active Directory Users and Computers console by right-clicking on the account and selecting Disable Account from the context menu. Similarly, they can enable a disabled user account by right-clicking on the account and selecting Enable Account. They can also disable or enable a user account from the Account tab on the Properties dialog page as seen in Figure 1.36.

Figure 1.36 Disabling a User Account from the Properties Dialog Box

An account can also be disabled or enabled from the command line using the dsmod command with the following syntax:

    dsmod user UserDN -disabled {yes|no}

Figure 1.37 demonstrates using the dsmod command to disable the user account of Roger Smith using the following command:

    dsmod user "CN=Roger Smith,CN=Users,DC=corp,DC=mcsaworld,DC=com" -disabled yes

Figure 1.37 Disabling the User Account from the Command-Line

EXAM WARNING
Be aware that disabling a user account only prevents it from being used—it does not alter or otherwise change the user account in any other way. Network administrators should always disable newly created user accounts if they are being prestaged and will not be used immediately. Additionally, they should always disable user accounts for users that are currently on vacation or otherwise not logging into the network. Disabled user accounts serve to increase the overall security of the network by preventing these unused (and typically unmonitored) accounts from being subjected to password guessing and other attacks.

Configuring User Account Properties

When user accounts are created using the Active Directory Users and Computers console or using the minimum required command syntax of the dsadd command, many user attributes and information items still need to be configured. Most of these items can be configured using the dsadd command at the time of account creation, or the dsmod command after the fact. The following sections examine the configuration process entirely from the Active Directory Users and Computers console.

Within Active Directory Users and Computers, locate the user account that you wish to configure account properties for and double-click it to open the Properties dialog box as seen in Figure 1.38.

NOTE
The Remote Control, Terminal Services Profile, COM+, Dial-in, Environment, and Sessions tabs contain configuration options that are beyond the scope of the 70-292 exam and will not be examined here.

The General Tab

The General tab of the account Properties dialog box, seen in Figure 1.38, allows the network administrator to configure basic user information such as first and last name, display name, a description of the account, office location, telephone number, e-mail address, and Web page information.

Figure 1.38 Configuring the General User Account Properties

The Address Tab

The Address tab of the account Properties dialog box, seen in Figure 1.39, allows the network administrator to configure a complete mailing address for the user.

Figure 1.39 Configuring the Address User Account Properties

The Account Tab

The Account tab of the account Properties dialog box, seen in Figure 1.40, allows the network administrator to modify account attributes such as the logon name, the pre-Windows 2000 logon name, logon hours, logon location restrictions, account expiration date, and several other account options.

Figure 1.40 Configuring the Account User Account Properties

The account options that can be configured are explained in detail in Table 1.7.

271_70-292_02.qxd 8/21/03 1:32 PM Page 95 Managing and Maintaining Terminal Services Access • Chapter

- Client Compatible: Data sent between the client and server is encrypted at the maximum key strength that the client supports.
- High: Data sent between the client and server is encrypted using strong 128-bit encryption.
- Federal Information Processing Standard (FIPS) Compliant: Data sent between the client and the server is encrypted using the FIPS encryption algorithms.

The Logon Settings Tab

The Logon Settings tab, as seen in Figure 2.18, allows the network administrator to configure how logon credentials are supplied to the session.

Figure 2.18 The Logon Settings Tab of the RDP-Tcp Properties Dialog Box

Selecting the Use client-provided logon information option specifies that logon credentials are to be retrieved from the client, such as through Remote Desktop Connection or the Client Connection Manager. Selecting the Always use the following logon information option specifies a fixed set of logon credentials that are to be used for making connections. Selecting the Always prompt for password option specifies that the user is to always be prompted for a password even if a password is configured.

The Sessions Tab

The Sessions tab, as seen in Figure 2.19, allows the network administrator to override client-configured settings associated with time limits and session maintenance.

Figure 2.19 The Sessions Tab of the RDP-Tcp Properties Dialog Box

Selecting the Override user settings option specifies that the settings configured in the other sections of the tab are to override the settings that are configured via Group Policy for time limits. Selecting the second Override user settings option specifies that the settings configured below it are to override the settings that are configured via Group Policy for the action that is to occur when a session limit is reached or a connection is broken. Selecting the third Override user settings option allows the network administrator to configure from where clients will be allowed to reconnect to an existing session.

The Environment Tab

The Environment tab, as seen in Figure 2.20, allows the network administrator to override the settings that are configured via Group Policy for the initial program path and file name.

Figure 2.20 The Environment Tab of the RDP-Tcp Properties Dialog Box

The Remote Control Tab

The Remote Control tab, as seen in Figure 2.21, allows the network administrator to configure the remote control settings for this connection.

Figure 2.21 The Remote Control Tab of the RDP-Tcp Properties Dialog Box

Selecting the Use remote control with default user setting option specifies that remote control settings are to be retrieved from Group Policy. Selecting the Do not allow remote control option specifies that remote control is not to be allowed on this connection. Selecting the Use remote control with the following settings option specifies that remote control is to be allowed with the settings the network administrator configures below it. The Require user’s permission option specifies that the user must give permission allowing the session to be remotely controlled. The View the session option specifies that the remote user can view the session, but not control it. The Interact with the session option specifies that the remote user can control the remote user’s session.

The Client Settings Tab

The Client Settings tab, as seen in Figure 2.22, allows the network administrator to configure settings relating to the user’s experience during the Terminal Server connection.

Figure 2.22 The Client Settings Tab of the RDP-Tcp Properties Dialog Box

The User connection settings from user setting option specifies that the connection settings are to be retrieved from the Group Policy configuration. The Limit Maximum Color Depth option limits the maximum color depth for the remote clients; this setting can be used to reduce required bandwidth for screenshots. The network administrator can also select to disable additional options, further controlling the bandwidth usage.

The Network Adapter Tab

The Network Adapter tab, as seen in Figure 2.23, allows the network administrator to configure which network adapters are to be used for the connection and how they are to behave.

Figure 2.23 The Network Adapter Tab of the RDP-Tcp Properties Dialog Box

The network administrator can select all network adapters that are configured for RDP-Tcp or a specific adapter from the Network adapter drop-down list. They can also configure the maximum number of connections that are to be allowed using the Unlimited connections and Maximum connections options.

The Permissions Tab

The Permissions tab, as seen in Figure 2.24, provides the standard NT File System (NTFS) permissions setting dialog that allows the network administrator to control which users can connect to the Terminal Server and what level of permissions they are to have.

Figure 2.24 The Permissions Tab of the RDP-Tcp Properties Dialog Box

Configuring Server Settings with the Terminal Services Configuration Console

The RDP-Tcp properties are not the only thing that can be configured from the Terminal Services Configuration console. The network administrator can also configure several server settings from the Server Settings node, as seen in Figure 2.25.

Figure 2.25 Configuring the Terminal Service Server Settings

The following settings are available for configuration:

- Delete Temporary Folders on Exit: Specifies whether temporary folders are to be deleted upon disconnecting from a session.
- Use Temporary Folders per Session: Specifies whether a new set of temporary folders should be created for each session.
- Licensing: Specifies whether Terminal Server licensing is to be per device or per user.
- Active Desktop: Specifies whether or not the Active Desktop is to be allowed for remote connections.
- Permission Compatibility: Specifies the permission compatibility mode that the Terminal Server is to operate in as configured previously and has the following options: Full Security and Relaxed Security (discussed previously).
- Restrict Each User to One Session: Specifies whether or not users should be limited to one concurrent session at a time.
- Session Directory: Allows the network administrator to enable and configure the Terminal Server Session Directory, as seen in Figure 2.26. Refer back to the “Terminal Server Session Directory” section of this chapter for more information.

Figure 2.26 Configuring the Terminal Server Session Directory Settings

Using the Terminal Services Manager Console

The Terminal Services Manager console, as seen in Figure 2.27, allows the network administrator to view information about and manage Terminal Servers that are in trusted domains. They can monitor users, sessions, and applications on each server and perform various management actions from this console.

Figure 2.27 Configuring the Terminal Server Session Directory Settings
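The RDP-Tcp connection settings covered above (encryption level, Always prompt for password, remote control) can be checked against a baseline from a saved `reg query` export of the listener's key. This is an added example, not part of the study guide; the registry key and value names, the constructed sample export, and the baseline itself (High or FIPS Compliant encryption, password prompt on, remote control only with the user's permission) are assumptions of the example.

```python
import re

# Assumption: the RDP-Tcp Properties dialog stores its settings as REG_DWORD
# values under this key; only the three value names used below are audited.
RDP_TCP_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Control"
               r"\Terminal Server\WinStations\RDP-Tcp")

ENCRYPTION_LEVELS = {1: "Low", 2: "Client Compatible", 3: "High",
                     4: "FIPS Compliant"}

# Shadow value -> (remote control mode, user's permission required?)
REMOTE_CONTROL = {
    0: ("remote control not allowed", True),
    1: ("interact with the session", True),
    2: ("interact with the session", False),
    3: ("view the session", True),
    4: ("view the session", False),
}

# Matches lines such as "    MinEncryptionLevel    REG_DWORD    0x2".
_DWORD_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9A-Fa-f]+)\s*$")


def parse_reg_query(text):
    """Return {value_name: int} for each REG_DWORD line of `reg query` output."""
    values = {}
    for line in text.splitlines():
        match = _DWORD_LINE.match(line)
        if match:
            values[match.group(1)] = int(match.group(2), 16)
    return values


def audit_rdp_tcp(values):
    """Return [(value_name, finding)] for settings weaker than the baseline."""
    findings = []

    level = values.get("MinEncryptionLevel")
    if level is None:
        findings.append(("MinEncryptionLevel", "value missing from export"))
    elif level < 3:
        name = ENCRYPTION_LEVELS.get(level, "unknown level %d" % level)
        findings.append(("MinEncryptionLevel",
                         "%s, baseline is High or FIPS Compliant" % name))

    prompt = values.get("fPromptForPassword")
    if prompt is None:
        findings.append(("fPromptForPassword", "value missing from export"))
    elif prompt != 1:
        findings.append(("fPromptForPassword",
                         "Always prompt for password is off"))

    shadow = values.get("Shadow")
    if shadow is None:
        findings.append(("Shadow", "value missing from export"))
    elif shadow not in REMOTE_CONTROL:
        findings.append(("Shadow",
                         "unrecognized remote control value %d" % shadow))
    else:
        mode, needs_permission = REMOTE_CONTROL[shadow]
        if not needs_permission:
            findings.append(("Shadow",
                             "%s without the user's permission" % mode))
    return findings


# Constructed sample of `reg query "<RDP_TCP_KEY>"` output (not from a real host).
SAMPLE_EXPORT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    PortNumber    REG_DWORD    0xd3d
    MinEncryptionLevel    REG_DWORD    0x2
    fPromptForPassword    REG_DWORD    0x0
    Shadow    REG_DWORD    0x2
"""

if __name__ == "__main__":
    for name, finding in audit_rdp_tcp(parse_reg_query(SAMPLE_EXPORT)):
        print("%s\\%s: %s" % (RDP_TCP_KEY, name, finding))
```
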
Managing and Maintaining Terminal Services Access EXAM 70-292 OBJECTIVE Advanced Terminal Server Configuration via Group Policy 2.1 2.1.1 2.1.2 Although the Terminal Services Configuration console can be used to implement basic Terminal Services settings, using Group Policy may yield better results while providing a wealth of additional configuration options.Terminal Services options are located in both the Computer Configuration and User Configuration sections of a Group Policy Object (GPO) Terminal Services Computer Options The Terminal Services node of the Computer Configuration section of a GPO, as seen in Figure 2.28, has several advanced configuration options that the network administrator may find useful (and necessary) for maintaining and managing a Terminal Server Figure 2.28 Configuring the Terminal Services Computer Options in Group Policy The following options are available to configure Terminal Services from the Computer Configuration section: I Computer Configuration\Administrative Templates\Windows Components\Terminal Services node: Keep-Alive Messages Automatic reconnection Restrict Terminal Services users to a single remote session Enforce Removal of Remote Desktop Wallpaper Deny log off of an administrator logged in to the console session Limit number of connections Limit maximum color depth www.syngress.com 271_70-292_02.qxd 8/21/03 1:32 PM Page 103 Managing and Maintaining Terminal Services Access • Chapter Allow users to connect remotely using Terminal Services Do not allow local administrators to customize permissions 10 Remove Windows Security item from Start menu 11 Remove Disconnect item from Shut Down dialog 12 Set path for Terminal Services Roaming Profiles 13 Terminal Services User Home Directory 14 Sets rules for remote control of Terminal Services user sessions 15 Start a program on connection I Computer Configuration\Administrative Templates\Windows Components\ Terminal Services\Client/Server data redirection node: Allow Time Zone 
Redirection Do not allow clipboard redirection Do not allow smart card device redirection Allow audio redirection Do not allow COM port redirection Do not allow client printer redirection Do not allow LPT port redirection Do not allow drive redirection Do not set default client printer to be default printer in a session I Computer Configuration\Administrative Templates\Windows Components\ Terminal Services\Encryption and Security node: Always prompt client for password upon connection Set client connection encryption level I Computer Configuration\Administrative Templates\Windows Components\ Terminal Services\RPC Security Policy node: Secure Server (Require Security) I Computer Configuration\Administrative Templates\Windows Components\ Terminal Services\Licensing node: License Server Security Group Prevent license upgrade I Computer Configuration\Administrative Templates\Windows Components\ Terminal Services\Temporary folders node: www.syngress.com 103 271_70-292_02.qxd 104 8/21/03 1:32 PM Page 104 Chapter • Managing and Maintaining Terminal Services Access Do not use temp folders per session Do not delete temp folder upon exit I Computer Configuration\Administrative Templates\Windows Components\ Terminal Services\Session Directory node: Terminal Server IP Address Redirection Join Session Directory Session Directory Server Session Directory Cluster Name I Computer Configuration\Administrative Templates\Windows Components\ Terminal Services\Sessions node: Set time limit for disconnected sessions Set time limit for active sessions Set time limit for idle sessions Allow reconnection from original client only Terminate session when time limits are reached TEST DAY TIP You should not stress over being able to remember all of the available Terminal Services options presented here Instead, be aware of their existence and purpose The Terminal Services node of the User Configuration section of a GPO, as seen in Figure 2.28, has many more advanced configuration options that 
the network administrator may use to maintain and manage a Terminal Server Figure 2.29 Configuring the Terminal Services User Options in Group Policy www.syngress.com 271_70-292_02.qxd 8/21/03 1:32 PM Page 105 Managing and Maintaining Terminal Services Access • Chapter The following options are available to configure Terminal Services from the User Configuration section: I User Configuration\Administrative Templates\Windows Components\Terminal Services node: Start a program on connection Remote control settings I User Configuration\Administrative Templates\Windows Components\Terminal Services\Sessions node: Set time limit for disconnected sessions Set time limit for active sessions Set time limit for idle sessions Allow reconnection from original client only Terminate session when time limits are reached EXAM 70-292 OBJECTIVE Terminal Server Licensing 2.1.2 To fully understand Terminal Services, the network administrator must know how to license it and utilize the licensing services on the server.This can be very confusing if they have never worked with Terminal Services before.With the release of Microsoft Windows Server 2003, they need to understand the nuances associated with Terminal Services licensing so as not to wind up without the proper licensing they need I Every Windows Server 2003 Terminal Server must possess a valid Windows Server License I A Terminal Server Client Access License (TS CAL) is required to connect to a Terminal Server with a remote graphical user interface (GUI) session, except for a console session.This is a major change from Terminal Services in Windows 2000, when every Windows 2000 and Windows XP client was automatically granted a TS CAL by default I TS CALs are now available in Per User and Per Device options to coincide with the Windows CAL options available with the release of Windows Server 2003 A TS Device CAL permits one device used by any user to conduct Windows Sessions on any of the servers A TS User CAL permits one user using 
any device to conduct Windows Sessions on any of the servers Any combination of TS Devices and TS User CALs can be used at the same time on a single server www.syngress.com 105 271_70-292_02.qxd 1:32 PM Page 106 Chapter • Managing and Maintaining Terminal Services Access I The Terminal Server External Connector (TS-EC) License can be purchased to enable external users to access a company’s Terminal Servers, without the need to purchase individual TS CALs for them or their devices One TS-EC license must be purchased for every Terminal Server that is accessible to the external user An example of an external user is a person who is not an employee or similar personnel of the company or its affiliates.The TS-EC License replaces the TS Internet Connector license in Windows 2000 NOTE As of this writing, this is the current licensing plan in effect for Terminal Services We have kept this short because the licensing plans may change, and often To make sure you are 100 percent compliant, you should visit the Microsoft main licensing page to check the most current information when you plan on licensing a production server You can use the following URLs for more information: www.microsoft.com/ windowsserver2003/howtobuy/licensing/ts2003.mspx, www.microsoft.com/ windowsserver2003/howtobuy/licensing/overview.mspx, and https://activate microsoft.com Using the Terminal Server Licensing Tool Now that you are aware of the specifics of Windows Server 2003 Terminal Services licensing, you are ready to move on and examine the Terminal Server Licensing console You must install Terminal Server Licensing if you have not done so already, by performing the steps outlined in Exercise 2.03 New & Noteworthy 106 8/21/03 Selecting Enterprise or Domain Licensing Before you install your Terminal Server License Server, you should ensure that you understand the different server types that you can choose from: Enterprise License Server or Domain License Server The Enterprise License Server is 
appropriate if your network is comprised of several domains. The Enterprise License Server can provide licenses for the Terminal Servers located in any domain in the enterprise, provided the domain is a Windows Server 2003 or Windows 2000 domain. Terminal Servers poll Active Directory every 60 minutes looking for an Enterprise License Server, even when one has been previously located.

The Domain License Server is appropriate if you must maintain a separate license server for each domain in your enterprise. The drawback to this method is that Terminal Servers can access Domain License Servers only if they are in the same domain as the license server. If your network still has Windows NT 4.0 domains or workgroups, then the domain license server is the only type you will be able to use. Terminal Servers search for a Domain License Server every 15 minutes until they find one. After the Domain License Server is located, the Terminal Servers will search for it every hours.

EXERCISE 2.03 INSTALLING TERMINAL SERVER LICENSING

1. Click Start | Settings | Control Panel | Add or Remove Programs to open the Add or Remove Programs applet.
2. Click the Add/Remove Windows Components button to start the Windows Components Wizard.
3. When the Windows Components Wizard opens, scroll down and select Terminal Server Licensing. Click Next to continue.
4. You will be prompted to specify the scope of the licensing server, as seen in Figure 2.30. You can create the licensing server for either the entire enterprise or only for your domain or workgroup. Click Next to continue.

   Figure 2.29 Configuring the Licensing Server Scope

5. Click Finish when prompted to close the Windows Components Wizard.

TEST DAY TIP
If you are only using Remote Desktop for Administration, then
you will not need a Terminal Server License Server for these connections.

After installation, the Terminal Server Licensing console can be found in the Administrative Tools folder by clicking Start | Programs | Administrative Tools | Terminal Server Licensing. The Terminal Server Licensing console is seen in Figure 2.31.

Figure 2.31 The Terminal Services Licensing Console

The installation of the Terminal Server Licensing console does not actually grant you any licenses. Exercise 2.04 outlines the process by which you will activate your Terminal Server Licensing server, by acquiring and installing TS CALs from the Microsoft Clearinghouse. Once the TS Licensing server is installed, the following three steps must occur to activate the Terminal Services Licensing server:

1. Activate your Terminal Server Licensing server by requesting a special digital certificate from the Microsoft Clearinghouse that allows the license server to securely install TS CALs.
2. Connect to the Microsoft Clearinghouse and acquire TS CAL tokens.
3. Distribute TS CAL tokens to requesting clients.

EXERCISE 2.04 ACTIVATING YOUR TERMINAL SERVER LICENSING SERVER

1. Open the Terminal Server Licensing console by clicking Start | Programs | Administrative Tools | Terminal Server Licensing.
2. Right-click on the licensing server you want to activate and select Activate Server from the context menu. The Terminal Server License Server Activation Wizard starts.
3. After reading the important text contained on the Welcome page of the Wizard, click Next to continue.
4. On the Connection method dialog box, as seen in Figure 2.32, you must select the connection method you want to use. Selecting the Automatic connection option allows the server to automatically connect to the Microsoft Clearinghouse and complete the procedure. You can also select to use your Web browser or a Telephone to activate the licensing server. After making your selection, click Next to continue.

   Figure 2.32 Selecting the Connection Method

   NOTE
   If you are still using a pre-release version of Windows Server 2003 such as RC2, you will not be able to connect to the Microsoft Clearinghouse servers to acquire Terminal Services licensing until you have installed the Release to Manufacturing (RTM) version of Windows Server 2003.

5. Continue with the licensing process as prompted by the Wizard.

One Terminal Server Licensing Server can provide TS CALs for multiple Terminal Servers; however, you may want to install the licensing server component on a server that is not actively providing Terminal Services in order to increase performance.

Date posted: 13/08/2014, 15:20
