 Some people, meaning only some users can’t print and some can. If some people can’t print, the problem likely has to do with the permissions, application soft- ware, or the network. Perform the following actions:  Check the network using a computer in the same subnet as the people having the problem. See if you can ping the printer’s IP address. At the command line, type ping PrinterIP, where PrinterIP is the IP address of the printer. If you can’t ping the printer’s IP address from any system on the subnet, a switch or routing between the user’s computer and the printer might be bad or disconnected. This happens a lot if local switches/hubs are under people’s desks.  Check the printer permissions and the permissions on the spool folder to see if the groups of which the users are members have appropriate access. If the permissions are set incorrectly, the spooling won’t work. See “Confi gur- ing Print Spool, Logging, and Notifi cation Settings” on page 889 and the Troubleshooting sidebar “Check permissions on the spool folder” on page 881.  Check the print processor. Windows 95, Windows 98, and Windows Me clients can print only if the print processor uses the RAW data type. See “Viewing the Print Processor and Default Data Type” on page 901.  Check the application being used for printing. The application might be incorrectly confi gured or the default printer might not be what users think it is.  Check the error message generated when printing. If the client gets an error stating it must install a print driver when connecting to a printer, this means the correct drivers are installed on the server but aren’t avail- able to the client. Additionally, Windows 95, Windows 98, and Windows Me clients do not automatically check for updated drivers and must be updated manually. See “Installing and Updating Print Drivers on Clients” on page 894.  One person, meaning only one user can’t print. If only one person can’t print, the problem likely has to do with application software, the user’s computer, or per- missions. Start with the user’s computer and perform the following actions:  Check the application being used for printing. The application might be incorrectly confi gured, or the default printer might not be what the user thinks it is.  Check the user’s computer. The Print Spooler service must be running for the user to print. The computer must have suffi cient temporary space to generate the initial spool fi le. The computer must have other essential services confi gured. The list goes on. Essentially, it is better if you restart the computer if you suspect the problem has to do with that computer specifi cally.  Check to make sure the user’s computer can connect over the network to other resources. Try pinging the router or the printer in question. Printer Maintenance and Troubleshooting 917 Chapter 27 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.  Check the error message generated when printing. If the client gets an error stating it must install a print driver when connecting to a printer, this means the correct drivers are installed on the server but aren’t available to the client. See “Installing and Updating Print Drivers on Clients” on page 894. If the client gets an “Access Denied” error, this is a permissions issue.  Check the printer permissions and the permissions on the spool folder to see if the user or groups of which the user is a member have appropriate access. If the permissions are set incorrectly, the spooling won’t work. See “Confi guring Print Spool, Logging, and Notifi cation Settings” on page 889 and the Troubleshooting sidebar “Check permissions on the spool folder” on page 881. Resolving Garbled or Incorrect Printing If the printer prints garbled or incorrect pages, this can be a sign that the printer is incorrectly confi gured. You should check the print driver and the print processor set- tings. You might want to reinstall the print driver as discussed in “Viewing and Con- fi guring Print Drivers” on page 887. You might want to change the print processor data type to RAW or EMF to see if this clears up the problem. See “Viewing the Print Proces- sor and Default Data Type” on page 901. To resolve this problem, check the following:  Ensure that the complete document is transferred to the printer before printing starts by selecting the Start Printing After Last Page Is Spooled option. See “Con- fi guring Print Spooling” on page 900.  Try using the RAW data type or the EMF data type to see if this clears up the problem. See “Viewing the Print Processor and Default Data Type” on page 901.  Try removing any separator page that is used, because this might be setting the printer page description language incorrectly. See “Confi guring Separator Pages” on page 902.  Try clearing the Enable Advanced Printing Features check box on the Advanced tab. This disables metafi le spooling. Windows 95, Windows 98, and Windows Me clients use SMB connections and spool RAW-formatted fi les to the print server. See “Confi guring Print Spooling” on page 900. Chapter 27 918 Chapter 27 Managing and Maintaining Print Services Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. T erminal Services lets users run Microsoft Windows–based applications on a remote server. When users run an application on a terminal server, the execution and pro- cessing take place on the server, and only the data from devices such as the display, keyboard, and mouse are transmitted over the network. A client logged on to a terminal server and running applications remotely is said to be using a virtual session. Although there may be dozens or hundreds of users simultaneously logged on to a terminal server, users see only their own virtual sessions. Using Terminal Services You can use Terminal Services to rapidly deploy and centrally manage Windows-based applications. One advantage of this method is that you can be sure that all users are running the same version of an application and that they can do so from any computer. Another advantage is that organizations with older computers running earlier ver- sions of Windows can get more mileage out of their computers by having users run applications on terminal servers instead of locally on their desktops. Terminal Services involves these key elements:  Terminal Services clients  Terminal Services servers  Terminal Services licensing Terminal Services Clients Within the organization, the primary client used to establish connections to a terminal server is the Remote Desktop Connection (RDC) client. This client comes installed on the Microsoft Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008 operating systems and is available for installation on other versions of Windows as well. For details on the use and features of this client, see “Supporting Remote Desktop Connection Clients” on page 613. Using Terminal Services . . . . . . . . . . . . . . . . . . . . . . . . . 919 Designing the Terminal Services Infrastructure . . . . . . 927 Setting Up Terminal Services . . . . . . . . . . . . . . . . . . . . . 936 Using the Terminal Services Configuration Tool . . . . . . 957 Configuring RemoteApps . . . . . . . . . . . . . . . . . . . . . . . . 966 Using Terminal Services Manager . . . . . . . . . . . . . . . . . 975 Managing Terminal Services from the Command Line. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 978 Other Useful Terminal Services Commands . . . . . . . . . 980 Configuring Terminal Services Per-User Settings . . . . . 981 CHAPTER 28 Deploying Terminal Services 919 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. By sending only the data required for I/O devices to and from the server, Terminal Ser- vices signifi cantly reduces the amount of data transferred between a client and a server. This reduces the amount of network bandwidth used, allowing Terminal Services to operate in low-bandwidth environments. In addition, users are able to optimize per- formance based on the speed of their connection. On a 28.8 Kbps modem, a user has only the essential features to ensure the best overall performance possible. As a user goes from a 28.8 Kbps modem connection to a LAN connection at 10 Mbps or higher, Windows features are automatically added to enhance the user experience. Admin- istrators can also confi gure Terminal Services to restrict the additional features. For example, if hundreds of users are using a terminal server, you might need to restrict enhancements to ensure the overall performance of the server. If you don’t do this and the terminal server is overworked, it might fail. For access to remote applications from the Internet or the enterprise intranet, Microsoft provides several new options for Windows Server 2008:  Terminal Services Remote Application (RemoteApp) is a program that a user accesses remotely through Terminal Services and appears as if it is running on the user’s local computer. Thus, instead of being presented to the user on the desktop of the remote terminal server, a RemoteApp runs in its own resiz- able window and has its own entry o n the taskbar. Although each RemoteApp appears to be separate on the desktop, multiple RemoteApps running on the same desktop share the same Terminal Services session.  Terminal Services Gateway (TS Gateway) enables authorized users to connect to network resources from any Internet-connected device that can run the Remote Desktop Connection client. TS Gateway uses the Remote Desktop Protocol (RDP) over HTTPS to establish secure, encrypted connections between remote users and network resources. Network resources available through TS gateways include terminal servers as well as computers with Remote Desktop enabled. Because TS gateways operate over HTTPS, they can be used to easily traverse fi rewalls and NATs.  TS Web Access, which provides access to terminal servers through a Web browser. The default TS Web Access Web page includes a customizable frame and Web part. This page provides clickable links to the available programs des- ignated as Remote Applications (RemoteApps). When you install TS Web Access, Windows installs Internet Information Services (IIS) 7.0 as well and uses IIS 7.0 to provide access to your RemoteApps. These options allow you to deploy Terminal Services in many additional ways and to improve the overall experience for end users. However, TS Gateway and TS Web Access can greatly increase the overall complexity of a Terminal Services implementation. Because of these additional complexities, you might want to consider having separate Terminal Services installations, as follows:  One or more installations that’ll be used internally only with standard options, such as the RDC client and RemoteApps. For ease of reference throughout this Chapter 28 920 Chapter 28 Deploying Terminal Services Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. chapter, I will refer to servers with this type of installation as standard terminal servers when I need to differentiate between the two types of installations.  One or more installations that’ll be used for Internet-based or intranet-based access with TS Gateway and TS Web Access. For ease of reference throughout this chapter, I will refer to servers with this type of installation as Web access or gateway terminal servers when I need to differentiate between the two types of installations. In this way, you ensure that there are separate environments with separate require- ments and separate procedures. Terminal Services Servers It’s very easy to set up a standard terminal server. What isn’t so easy is getting the infrastructure right before you do so and maintaining the installation after it’s in place. Before you install Terminal Services, it is essential to plan the environment and to deploy Terminal Services before you install applications on the terminal server. After you deploy Terminal Services, you will confi gure the environment, install applications, and make those applications available to remote users. The features for the Remote Desktop Connection client were discussed in “Supporting Remote Desktop Connection Clients” on page 613. For Windows Server 2008, there are many standard features and enhancements as well. The administration tools for Termi- nal Services include the following:  Terminal Services Manager Terminal Services Manager, shown in the following screen, is the primary tool for managing terminal servers and client connections. Unlike previous versions, the current version doesn’t automatically enumerate all the terminal servers that are available. Instead, it gives direct access to a local server if it is running Terminal Services and allows you to selectively enumer- ate servers and add servers to a list of favorites for easier management. In a large installation with many terminal servers, this makes Terminal Services Manager more responsive. Note It is important to note that certain features of Terminal Services Manager work only when you run the tool from a client. For example, if you run Terminal Services Manager on a terminal server, you won’t be able to use the Remote Control and Connect features. Note It is important to note that certain features of Terminal Services Manager work only when you run the tool from a client. For example, if you run Terminal Services Manager on a terminal server, you won’t be able to use the Remote Control and Connect features. Using Terminal Services 921 Chapter 28 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.  TS Licensing Manager TS Licensing Manager, shown in the following screen, is used to install licenses and activate a Terminal Services license server. The enhanced interface makes it easier to install licenses and to activate or deactivate license servers.  Terminal Services Confi guration Terminal Ser vices Confi guration, shown in the following screen, is used to manage terminal server connections as well as global and default server settings. Terminal server connections and the Remote Desktop Protocol (RDP) are what allow users to establish remote connections to a terminal server. Server settings also enable you to easily set terminal server policy. A key policy is the single session policy, which, when activated, limits a user to a single session, whether the session is active or not.  TS RemoteApp Manager TS RemoteApp Manager, shown in the following screen, confi gures RemoteApps as well as deployment settings that apply to RemoteApps. After you’ve confi gure a terminal server, you can copy the list of RemoteApp Chapter 28 922 Chapter 28 Deploying Terminal Services Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. programs and deployment settings from that server to another using export and import tasks.  TS Gateway Manager TS Gateway Manager, shown in the following screen, is used to confi gure authorization policies that control access to network resources according to group membership. You use Terminal Services connection authori- zation policies (TS CAPs) to specify who can connect to a TS Gateway server, and Terminal Services resource authorization policies (TS RAPs) to specify the inter- nal network resources to which users can connect through a TS Gateway server.  TS Web Access Administration TS Web Access Administration, shown in the following screen, provides access to the IIS server hosting the Web applications required for Web access to Terminal Services, including a primary TS application and two RPC proxy applications. Similar to what a user sees, you can view the list of available RemoteApp programs or connect to remote desktops to which you have access. Using Terminal Services 923 Chapter 28 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. You can access the Terminal Services administration tools on the Administrative Tools\ Terminal Services menu. To access a tool, click Start, All Programs, Administrative Tools, Terminal Services, and then select the desired tool, such as Terminal Services Manager. Terminal Services has important changes for security as well. For internal access, you have the option of adding users and groups to the Remote Desktop Users group. This is a standard group for which you can confi gure membership in Active Directory Users And Computers. By adding the Domain Users group to the Remote Desktop Users group, you allow all authenticated users to use Terminal Services. If instead you were to add the special group Everyone, anyone with access to the network could use Terminal Services. For Internet-based or intranet-based access, you can specify TS Gateway user groups that can access Terminal Services using RDP over HTTPS. No standard groups are created for you, so you should consider what groups you might need as part of your deployment plans and then create these groups in Active Directory Users And Comput- ers. For example, you might want to create a group called External TS Users. To grant Internet-based or intranet-based access, you would then add specifi c groups or users as members of this group. To enhance security you typically would not want to make the Domain Users or Everyone groups members of your special external access group or groups. Terminal Services supports 128-bit encryption as well as encryption compliant with the Federal Information Processing Standard (FIPS). Using 128-bit encryption ensures a high level of encryption, which provides powerful protection of the data sent between a Terminal Services client and a server. FIPS encryption is added to provide compliance with FIPS 140-1 and FIPS 140-2, which are standards for Security Requirements for Cryptographic Modules, a necessity for some organizations. Terminal Services printing has been enhanced in Windows Server 2008 with the addi- tion of the Terminal Services Easy Print driver and a Group Policy setting that enables you to redirect only the default client printer. The Terminal Services Easy Print driver allows users to reliably print from a RemoteApp program or from a terminal server desktop session to the correct printer confi gured for use on their client computers. It Chapter 28 924 Chapter 28 Deploying Terminal Services Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. also enables users to have a much more consistent printing experience between local and remote sessions. The Redirect Only The Default Client Printer setting in Group Policy allows you to specify whether the default client printer is the only printer that is redirected in Termi- nal Services sessions, which helps to limit the number of printers that the spooler must enumerate, therefore improving terminal server scalability. Note To use the Terminal Services Easy Print driver, clients must be running Remote Desktop Connection (RDC) client version 6.1 or later and have Microsoft .NET Framework 3.0 Service Pack 1 (SP1) installed. Note also that the terminal server fallback printer driver is not included with Windows Server 2008. Although the Specify Terminal Server Fallback Printer Driver Behavior setting still exists in Group Policy, it cannot be used with terminal servers running Windows Server 2008. Terminal Services Licensing A Terminal Services license server is required to set up Terminal Services (see Figure 28-1). The license server, responsible for issuing licenses and tracking their usage, maintains a pool of all available licenses. The assigned licenses are also tracked so that they can be validated. Terminal Services requires that you get offi cial licenses from Microsoft and activate them through the Microsoft Clearinghouse. Terminal Services license server Microsoft Clearinghouse License pack activation Terminal server License pool License Terminal Services Client Session Figure 28-1 Terminal Services implementation with a license server. Note To use the Terminal Services Easy Print driver, clients must be running Remote Desktop Connection (RDC) client version 6.1 or later and have Microsoft .NET Framework 3.0 Service Pack 1 (SP1) installed. Note also that the terminal server fallback printer driver is not included with Windows Server 2008. Although the Specify Terminal Server Fallback Printer Driver Behavior setting still exists in Group Policy, it cannot be used with terminal servers running Windows Server 2008. Using Terminal Services 925 Chapter 28 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. The fi rst time a client connects to a terminal server, the terminal server checks for a license. If the client has a license, the terminal server validates it and allows the cli- ent to connect. If the client doesn’t have a license, the terminal server locates a license server (using a network broadcast in workgroups or through Active Directory in domains) and requests a new license. If that license server doesn’t have a license to offer, the client is not allowed to connect. Note For the fi rst 120 days after deployment, clients can be granted a temporary license if an activated license server is not available. After this grace period, Terminal Services will stop serving unlicensed clients. Provided that the server has a license, it will give the license to the terminal server, which in turn issues it to the client. Client access licenses provided by Terminal Ser- vices are issued per device or per user, so the way licensing works depends on the licensing confi guration—which can be mixed and matched as necessary. With per- device licensing, the license is valid only for a particular computer and will be validated in the future to the globally unique identifi er (GUID) of the machine on which the cli- ent is running. With per-user licensing, the license is valid only for that user and will be validated in the future to the GUID of the user’s account. Note Terminal Services client access licenses are issued per device or per user only. They are not available in per-server mode because Windows sessions are not allowed in per-server mode. An issued license is valid for a period of 52 to 89 days; the interval is assigned ran- domly. When the client later disconnects or logs off the terminal server, the license is not returned to the pool. The expiration date serves to return unused licenses to the license pool. Each time a client connects to a terminal server, the expiration date of its license is checked. If the current date is within seven days of the expiration date, the license server renews the license for another 52 to 89 days. If a client doesn’t log back on to the terminal server before its license expires, the license is returned to the license pool, which makes it available to other clients. TS Licensing for Windows Server 2008 now includes the ability to track the issuance of TS Per User CALs in TS Licensing Manager. If the terminal server is in Per User licens- ing mode, the user connecting to it must have a TS Per User CAL. If the user does not have the required TS Per User CAL, the terminal server will contact the license server to get the CAL for the user. After the license server issues a TS Per User CAL to the user, you can track the issuance of the CAL in TS Licensing Manager. Note For the fi rst 120 days after deployment, clients can be granted a temporary license if an activated license server is not available. After this grace period, Terminal Services will stop serving unlicensed clients. Note Terminal Services client access licenses are issued per device or per user only. They are not available in per-server mode because Windows sessions are not allowed in per-server mode. Chapter 28 926 Chapter 28 Deploying Terminal Services Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. [...]... Terminal Services Server 2003 In addition, Windows Server 2008 is more effective at using faster processors and system buses This again gives Windows Server 2008 significant advantages over Windows 2000 Server and some advantage over Windows Server 2003 Because remote serving of applications is both processor-intensive and memoryintensive, the most significant limits on the number of users a server can support... a TS Session Broker, all servers in the farm must be running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter A multi -server environment is more complex to set up than a single -server environment To configure Terminal Services in a multi -server environment, you must follow these steps: 1 Install the operating system on your designated server and configure the server so it is optimized... license was waived if the device accessing the terminal server was running the same or later version of an equivalent desktop operating system For example, a client running Windows XP Professional could access a Windows 2000 terminal server without needing a Terminal Services client access license With the release of Windows Server 2003 and Windows Server 2008, all clients are required to have a Terminal... in a single -server environment is much easier than deploying Terminal Services in a multi -server environment In a single -server deployment, a group of clients always connects to the same server, so that although your organization might have three terminal servers, Group A always uses Server 1, Group B always uses Server 2, and Group C always uses Server 3, as shown in Figure 28-3 A single -server configuration... this is because the Windows Server 2008 kernel provides better use of the 32-bit virtual address space Because a terminal server must allocate virtual resources for all users who are logged on, whether they are active or in a disconnected state, the improved memory handling in Windows Server 2008 gives it significant advantages over Windows 2000 Server and some advantage over Windows Please purchase PDF... In a single -server Terminal Services environment, the terminal server and the Terminal Services license server can be the same system In a multi -server Terminal Services environment, you probably don’t want one of the terminal servers to be a license server as well If you have a separate TS Session Broker server, however, you might want to make this server the Terminal Services license server as well... code necessary for the license server is the product ID Installing a Terminal Services License Server The way you configure a server to be a Terminal Services license server depends on the server s current configuration: On a server that doesn’t have any Terminal Services role services installed, you can configure the server as a license server using the Add Roles Wizard In Server Manager, select the Roles... Terminal Services Infrastructure TS Session Broker server 935 Terminal Server 1 Sessions Terminal Server 2 Session Client 1 Client 2 Terminal Server 3 Client 3 Client N Figure 28-4 A multi -server Terminal Services deployment 5 Add each terminal server in the farm to the local Session Directory Computers group on the TS Session Broker server 6 Configure a terminal server to join a farm in TS Session Broker... approximate number of sessions as compared to a server with a weight of 100 With round robin DNS, the TS Session Broker directs new session requests to terminal servers in the farm in round robin fashion As an example, in a four -server farm, the first request is directed to Server 1, the second to Server 2, the third to Server 3, the fourth to Server 4, the fifth to Server 1, and so on If you want to use DNS... the Name box, type the terminal server farm name The farm name is the virtual name that clients will use to connect to the terminal server farm Do not use the name of an existing server 4 In the IP Address box, type the IP address of a terminal server in the farm and then click Add Host By default, DNS round robin is enabled when using Microsoft DNS with Windows Server 2008 To check the status of DNS . Session Broker, all servers in the farm must be running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter. A multi -server environment is. a Windows 2000 terminal server without needing a Terminal Services client access license. With the release of Windows Server 2003 and Windows Server 2008,