Read Windows Server 2008 R2 Unleashed Online
Authors: Noel Morimoto
different port for RDP traffic.
NOTE
Only clients using RDP version 5.1 or later can connect to the nonstandard port. Also,
after the port is changed, the RD Session Host server or RD Virtualization Host server
must be restarted.
Supporting Remote Desktop Services
Supporting Remote Desktop Services involves more than just proper configuration; it also
involves supporting end users, installing and maintaining applications, and securing and
optimizing Remote Desktop settings, among other server duties.
CHAPTER 25
Remote Desktop Services
Using the Role Administration Tools
For the Remote Desktop Services role, a number of different role administration tools can
be used to manage the role and its role services. When the role or role service is installed,
its corresponding Role Administration Tool is also installed. However, in some cases, an
administrator might want to manage a role service using a remote Windows Server 2008
R2 or Windows 7 machine. In these cases, using Server Manager, an administrator can
install the Remote Server Administration Tools for the Remote Desktop Services role and
all of its corresponding role services.
Using the Remote Desktop Services Manager
The Remote Desktop Services Manager (tsadmin.msc) can be used to manage sessions on a
Remote Desktop Session Host server. Process and resource usage on the RD Session Host
server can be monitored here on a per-server or per-user basis. Also, when an administrator
wants to remote control an existing Remote Desktop session, he or she can complete this
task from within the Remote Desktop Services Manager. Lastly, this tool can also be used
to send messages to active session users and to disconnect, reset, or log off sessions.
Managing RDS Using the Command Line
In Windows Server 2008 R2, a number of command-line tools make Remote Desktop
Services administrative tasks much more flexible and scriptable. For a complete listing of
these commands, refer to the Windows Server 2008 R2 and the Windows Server 2008
online help. A few of the more useful commands are as follows:
. tskill.exe—This tool can be used to kill hung or stuck processes or applications in
any active session without having to connect to the session using remote control.
. Shadow.exe—This tool initiates a shadow or remote control session from a command
prompt or script.
. Query.exe {Process, Session, Termserver, User}—This tool allows the administrator
to query a particular server to get a list of current active and inactive sessions
and processes.
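The Query.exe entry above lends itself to scripting. The following is an added example, not from the book: a PowerShell function that turns the fixed-width text printed by query session into objects, then lists disconnected sessions that still belong to a user. The function name ConvertFrom-QuerySession, the variables $fmt and $sample, and the sample rows are constructed for illustration.

```powershell
# Added example, not from the book. ConvertFrom-QuerySession, $fmt and $sample
# are names made up here; the rows are constructed, not captured from a server.
function ConvertFrom-QuerySession {
    param([string[]]$Lines)

    $header = $Lines | Where-Object { $_ -match 'SESSIONNAME' } | Select-Object -First 1
    if (-not $header) { throw 'No header line found in query session output.' }

    # Take column offsets from the header rather than hard-coding them.
    $userCol  = $header.IndexOf('USERNAME')
    $stateCol = $header.IndexOf('STATE')

    foreach ($line in $Lines) {
        if ($line -eq $header -or $line.Trim() -eq '') { continue }
        $line = $line.PadRight($stateCol + 1)
        # USERNAME is left-aligned and ID right-aligned between the USERNAME
        # and STATE columns, so the last token in that span is always the ID.
        # Assumes account names without spaces.
        $middle = @(-split $line.Substring($userCol, $stateCol - $userCol))
        $rest   = @(-split $line.Substring($stateCol))
        $user   = ''
        if ($middle.Count -gt 1) { $user = $middle[0] }

        New-Object PSObject -Property @{
            Current     = $line.StartsWith('>')   # '>' marks the caller's own session
            SessionName = $line.Substring(1, $userCol - 1).Trim()
            UserName    = $user
            Id          = [int]$middle[-1]
            State       = $rest[0]
        }
    }
}

# Constructed rows laid out in the column format that query session prints.
$fmt = '{0}{1,-18}{2,-20}{3,7}  {4,-8}{5}'
$sample = @(
    ($fmt -f ' ', 'SESSIONNAME', 'USERNAME', 'ID',  'STATE',  'TYPE'),
    ($fmt -f ' ', 'services',    '',         0,     'Disc',   ''),
    ($fmt -f ' ', 'console',     '',         1,     'Conn',   ''),
    ($fmt -f '>', 'rdp-tcp#0',   'alice',    2,     'Active', 'rdpwd'),
    ($fmt -f ' ', '',            'bob',      3,     'Disc',   ''),
    ($fmt -f ' ', 'rdp-tcp',     '',         65536, 'Listen', '')
)
# A disconnected session keeps its user's processes running on the RD Session
# Host until it is reset or logged off, so these are the rows to review.
ConvertFrom-QuerySession $sample |
    Where-Object { $_.State -eq 'Disc' -and $_.UserName } |
    Select-Object Id, UserName, State
```

With the sample rows, the pipeline returns the single session for bob (ID 3). On a live server, pass the output of query session /server:NAME in place of $sample.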
Remotely Managing a Remote Desktop Session
Remote Desktop users might require support for tasks such as mapping to a file share,
installing a third-party printer driver, or just troubleshooting issues within the terminal
session. While using the remote control features of Remote Desktop Services, an
administrator can interact with users in active sessions with view-only access or complete
remote control functionality. The amount of access given to an administrator during a remote
control session can be set by the user, but it can be configured at the server level by the
administrator.
An administrator can remotely control a user’s session only from within a separate Remote
Desktop session. The remote control command can be initiated using Remote Desktop
Services Manager or the command-line tool Shadow.exe.
Managing Remote Desktop Services with PowerShell
When the Remote Desktop Services role is installed, a PowerShell provider is also installed
that allows administrators to manage Remote Desktop settings using PowerShell. Once the
provider is installed and a PowerShell console is opened, administrators can access the
resulting RDS: drive to manage a number of different settings that are organized into the
following directories:
. RDSConfiguration—Contains settings that apply to the RD Session Host role service
. Gateway—Contains settings that apply to the RD Gateway role service
. LicenseServer—Contains settings that apply to the RD Licensing role service
. ConnectionBroker—Contains settings that apply to the RD Connection Broker role service
. RemoteApps—Contains a list of published applications and their settings
. RDFarms—Contains settings that apply to RD Session Host server farms
Group Policy for RD Session Host Servers
Group Policy contains several Remote Desktop Services user and computer settings to
configure Remote Desktop sessions. An administrator can modify existing group policies
or create new group policies to manage Remote Desktop Services machine and user
settings. These Group Policy Objects (GPOs) can then be applied to RD Session Host
servers, virtual machines, or users located in an Active Directory site, domain, or
organizational unit (OU) or based on a GPO filter.
Group Policy is the preferred method of standardizing Remote Desktop Services configura-
tions throughout Active Directory because user and machine configurations can be centrally
administered. Because so many Remote Desktop Services settings are available in Group
Policy, the following list outlines where Remote Desktop Services settings can be found:
. Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment—User rights assignment can allow logon
through Remote Desktop Services as well as deny logon through Remote Desktop
Services, depending on the configuration setting.
. Computer Configuration\Administrative Templates\Windows Components\Remote
Desktop Services—Almost all Remote Desktop Services settings can be configured
here. Settings here override user or client configurations and also override settings
made in the User Configuration section of Group Policy.
. User Configuration\Administrative Templates\Windows Components\Remote
Desktop Services—User session settings can be configured in this section. Settings
here override user or client configurations.
A simple and effective way to manage the GPOs for your RD Session Host servers is to
create an OU for your RD Session Host servers and apply GPOs to the OU. Enabling the
Computer Configuration\Administrative Templates\System\Group Policy\User Group
Policy Loopback Processing mode is very important if you want the user-context GPO
settings to take effect. The loopback processing can be set to either merge or replace.
Merging allows existing domain-based GPOs to merge with the ones for Remote Desktop
Services, whereas the replace option overrides all other settings so that only the Remote
Desktop Services–specific settings are applied.
Applying Service Packs and Updates
Applying service packs and updates on an RD Session Host server or virtual machine should
follow the same strategy as outlined in the previous section “Installing Applications.” Test
all service packs and updates in an isolated lab environment prior to production release and
always create a backup of the system first to allow for rollback, if necessary.
Performing Disaster Recovery
The steps for backing up and restoring an RD Session Host server or virtual machine
should follow the same procedures as backing up and restoring a standalone server.
Administrators must be sure to back up any local user data, including profiles, and back
up the current server System State. The data and System State backup, accompanied by a
server build document, are all that an administrator needs to recover the RD Session Host
server or virtual machine. For detailed steps concerning the creation of server build
documents and Windows Server 2008 R2 backup and recovery techniques, refer to Chapter 22,
“Documenting a Windows Server 2008 R2 Environment,” Chapter 30, “Backing Up the
Windows Server 2008 R2 Environment,” and Chapter 31, “Recovering from a Disaster.”
Windows Server 2008 R2 Remote Desktop Services is a flexible tool that can be used to
provide administrative, server-based computing, and virtual desktop functionality.
Depending on the needs of your organization, Remote Desktop Services can be deployed
to meet needs that range from centralized administration to remote access for business-
critical applications. With features like RD Web Access, RD RemoteApp, RD Gateway, RD
Virtualization Host, and so on, the ease and simplicity of using Remote Desktop Services
has never been more compelling.
Remote Desktop Services enables users and system administrators alike to perform job
functions productively from the office or remotely with simplicity.
Best Practices
The following are best practices from this chapter:
. Drain Remote Desktop connections when performing scheduled maintenance on an
RD Session Host server.
. When an RD Session Host server or virtual machine is due for an operating system
upgrade, if possible, replace the server with a clean build and test all applications
instead of performing an in-place upgrade; this avoids server or application failures.
. Place your RD Session Host and RD Virtualization Host servers where they can be
readily accessed by the clients that will primarily be using them.
. Whenever possible, choose applications that have been tested and certified by the
vendor to run on Windows Server 2008 R2 Remote Desktop Services.
. For optimum performance for multitiered applications, install two or more network
cards on an RD Session Host server and configure the server to use one exclusively
for RDC client connectivity and the others for back-end server communication.
. Use Group Policy to limit client functionality as needed to enhance server security,
and if increased network security is a requirement, consider requiring clients to run
sessions in 128-bit high encryption mode.
. Whenever possible, avoid installing the Remote Desktop Services role and hosting
applications on a domain controller.
. It is recommended that applications always be grouped together based on usage. If
an application behaves badly or isn’t certified to run on Remote Desktop Services, it
should be moved to dedicated servers in a farm.
. Try to treat RD Session Host servers as nodes that are dispensable. As such, try to
always build your RD Session Host servers using the same hardware and install the
same applications on them.
Windows Server 2008 R2 Administration Tools for Desktops
IN THIS CHAPTER
. Managing Desktops and Servers
. Operating System Deployment Options
. Windows Server 2008 R2 Windows Deployment Services
. Installing Windows Deployment Services (WDS)
. Creating Discover Images
. Creating Custom Installations Using Capture Images
. General Desktop Administration Tasks
Windows Server 2008 R2 contains several services and features that can be leveraged to
simplify desktop and user management for an organization’s computer and network
infrastructure. Effectively managing an organization’s computer and network infrastructure
requires the ability to support users locally and from remote locations; to perform
remote configuration and administration of servers, workstations, and networking services
and applications; and to deploy or replace servers and workstations when systems fail or
are replaced with new hardware.
When a computer and network infrastructure utilizes Windows Server 2008 R2 systems and
Active Directory Domain Services (AD DS), many of the included services and features can
simplify administrative tasks. For example, domain group policies can be created and
applied to different sets of users and computers to automatically deploy printers,
configure wireless networking, redirect user folders to server shares, set default
security policies, and much more. Having an Active Directory infrastructure allows
organizations to deploy a role called Windows Deployment Services. Windows Deployment
Services (WDS) provides administrators with the ability to deploy Windows Server 2008,
Windows Server 2008 R2, Windows 7, Windows Vista, and other legacy operating systems such
as Windows Server 2003 and Windows XP Professional to servers and workstations (both
physical and virtual machines) across the network from a central console using unicast or
multicast communications. There are several requirements to make the WDS deployment
process work, but, essentially, a system is booted up using PXE boot, connects to the WDS
system, selects an installation image, and the operating system is deployed across the
network automatically.
CHAPTER 26
Windows Server 2008 R2 Administration Tools for Desktops
Setting up and creating custom operating system deployments that suit a particular orga-