PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
Copyright © 2010 by Christa Anderson
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any
means without the written permission of the publisher.
Library of Congress Control Number: 2010934986

Printed and bound in the United States of America.

Microsoft Press books are available through booksellers and distributors worldwide. For further information
about international editions, contact your local Microsoft Corporation office or contact Microsoft Press
International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/mspress. Send comments to
msinput@microsoft.com.

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/
Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of
their respective owners.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and
events depicted herein are fictitious. No association with any real company, organization, product, domain name,
e-mail address, logo, person, place, or event is intended or should be inferred.

This book expresses the author’s views and opinions. The information contained in this book is provided without
any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or
distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by
this book.

Acquisitions Editor: Martin DelRe
Developmental Editor: Karen Szall
Project Editor: Valerie Woolley and Megan Smith-Creed
Editorial Production: Custom Editorial Productions, Inc.
Technical Reviewer: Alex Juschin; Technical Review services provided by Content Master, a member of CM
Group, Ltd.
Cover: Cover Design Tom Draper Design; Illustration Todd Daman
Body Part No. X17-21601

I dedicate this book to my family, who has always been supportive, always pushes me to do
my very best I can do, and always has a “Go team!” waiting when I really need one.
—Christa

I dedicate this book to Elizabeth Nelson Lyda and Michael B. Smith for taking me under your
wing back in the day, and for always believing in me. You were great mentors and are great
friends.
—Kristin

Contents at a Glance

Acknowledgments xv
Introduction xvii

CHAPTER 1 Introducing Remote Desktop Services 1


CHAPTER 2 Key Architectural Concepts for Remote Desktop Services 39
CHAPTER 3 Deploying a Single Remote Desktop Session Host Server 117
CHAPTER 4 Deploying a Single Remote Desktop Virtualization
Host Server 175
CHAPTER 5 Managing User Data in a Remote Desktop Services
Deployment 225
CHAPTER 6 Customizing the User Experience 291
CHAPTER 7 Molding and Securing the User Environment 363
CHAPTER 8 Securing Remote Desktop Protocol Connections 401
CHAPTER 9 Multi-Server Deployments 423
CHAPTER 10 Making Remote Desktop Services Available from
the Internet 507
CHAPTER 11 Managing Remote Desktop Sessions 589
CHAPTER 12 Licensing Remote Desktop Services 643

Index 677

Contents
Acknowledgments xv
Introduction xvii

Chapter 1 Introducing Remote Desktop Services 1


Where Did RDS Come From? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Citrix MultiWin 2
Windows NT, Terminal Server Edition 2
Windows 2000 Server 3
Windows Server 2003 3
Windows Server 2008 4
Windows Server 2008 R2 and RDS 4
The Evolving Remote Client Access Experience 6
What Can You Do with RDS?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Improved Security for Remote Users 8
Provisioning New Users Rapidly 9
Enabling Remote Work 9
Bringing Windows to PC-Unfriendly Environments 10
Business Continuity and Disaster Recovery 11
Supporting Green Computing 11
Improved Command-Line Support 12
RDS for Windows Server 2008 R2: New Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
The Changing Character of RD Session Host Usage 13
New RDS Technology in Windows Server 2008 R2 19
RDS Roles in Windows Server 2008 R2 24
How Other Services Support RDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
The Client Connection 33
Hosting VMs 34
Authenticating Servers with Certificates 34
Enabling WAN Access and Displaying Remote Resources 34
Updating User and Computer Settings 35
Functionality for RDS Scripters and Developers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Additional Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

What do you think of this book? We want to hear from you!

Microsoft is interested in hearing your feedback so we can continually improve our
books and learning resources for you. To participate in a brief online survey, please visit:

microsoft.com/learning/booksurvey

Chapter 2 Key Architectural Concepts for Remote Desktop Services 39
Know Your Application Delivery System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
RD Session Host Servers 40
RD Virtualization Host Servers 40
Relevant Windows Server 2008 R2 Internals. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Windows Server 2008 R2 Is 64-Bit Only 41
How Does an RD Session Host Server Dole Out Processor Cycles? 43
How Do RD Session Host Servers Use Memory More Efficiently? 45
How Does Disk Affect Application Delivery? 56
How Does Virtualization Affect Resource Usage? 59
Determining System Requirements for RD Session Host Servers . . . . . . . . . . . . . . . 66
Designing a Live Test 69
Executing the Tests 70
Using the RD Load Simulation Tool 77
An Alternative to Full Testing: Extrapolation 91
Other Sizing Questions 95
Supporting Client Use Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Client Hardware: PC or Thin Client? 99
What Is the Best License Model? 100
What Applications Can Run on an RD Session Host Server? 101
What Version of Remote Desktop Connection Do I Need? 109
What Role Services Do I Need to Support My Business? 114
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Additional Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Chapter 3 Deploying a Single Remote Desktop Session Host Server 117


How RD Session Host Servers Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Services Supporting RD Session Host 117
Creating and Supporting a Session 119
Installing an RD Session Host Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Installing an RD Session Host Server Using the Administrative Tools Interface 134
Installing an RD Session Host Server from the Command Line 142
Essential RD Session Host Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Allocating Processor Time 145
Enabling Plug and Play Redirection with the Desktop Experience 150
Adjusting Server Settings with Remote Desktop Configuration 150
Installing Applications on an RD Session Host Server. . . . . . . . . . . . . . . . . . . . . . . . 164
Which Applications Will Work? 165
Storing Application-Specific Data 168
Avoiding Overwriting User Profile Data 170
Populating the Shadow Key 171

Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Additional Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

Chapter 4 Deploying a Single Remote Desktop Virtualization Host Server 175
What Is VDI?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
How Microsoft VDI Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
The Central Role of the RD Connection Broker 179
Discovering a VM 181
Brokering a Connection 182
Orchestrating a VM 184
Connecting to a VM Pool 185
Connecting to a Disconnected Session 186
Rolling Back a VM 186
Connecting to a Personal Desktop 187
Installing Supporting Roles for VDI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Installing the RD Virtualization Host 190
Installing RD Virtualization Host Role Service via Windows PowerShell 192
Installing RD Connection Broker 193
Configuring RD Web Access 195
Configuring the RD Connection Broker Server 197
Setting Up VMs 203
Creating Pools 209
Assigning Personal Desktops 212
Configuring Personal and Pooled VM Properties 216
Using RemoteApp for Hyper-V for Application Compatibility. . . . . . . . . . . . . . . . . 218
Configuring RemoteApp on Hyper-V 220
Can You Use RemoteApp for Hyper-V Without RDS? 222
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Additional Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

Chapter 5 Managing User Data in a Remote Desktop Services Deployment 225
How Profiles Work. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Types of Profiles 227
How Profiles Are Created 228
Profile Contents External to the Registry 233
Storing Profiles 239
Providing a Consistent Environment 241
Design Guidelines for User Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Balance Flexibility and Lockdown 243
Use Folder Redirection 244
Compartmentalize When Necessary 244
Prevent Users from Losing Files on the Desktop 245
Upload Profile Registry Settings in the Background 246
Speed Up Logons 246
Deploying Roaming Profiles with Remote Desktop Services. . . . . . . . . . . . . . . . . . 248
Creating a New Roaming Profile 248
Converting an Existing Local Profile to a Roaming Profile 254
Customizing a Default Profile 255
Using Group Policy to Manage Roaming Profiles 257
Using Group Policy to Define the Roaming Profile Share 267
Speeding Up Logons 268
Centralizing Personal Data with Folder Redirection 275
Sharing Personal Folders Between Local and Remote Environments 278
Sharing Folders Between Windows Server 2003 and Windows Server 2008 R2 Roaming Profiles 279
Setting Standards with Mandatory Profiles 281
Converting Existing Roaming Profiles to Mandatory Profiles 283
Creating a Single Mandatory Profile 284
Creating a Safe Read-Only Desktop 286
Decrease Logon Times with Local Mandatory Profiles 286
Profile and Folder Redirection Troubleshooting Tips. . . . . . . . . . . . . . . . . . . . . . . . . 287
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Additional Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289

CHAPTER 6 Customizing the User Experience 291


How Remoting Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
What Defines the Remote Client Experience? 293
The Foundation of RDP: Virtual Channels and PDUs 296
Basic Graphics Remoting 299
Advanced Graphics Remoting 305
Moving the Client Experience to the Remote Session. . . . . . . . . . . . . . . . . . . . . . . . 307
Which Client Devices Can You Add to the Remote Session? 307
Pros and Cons of Redirecting Resources 313
Device and File System Redirection 314
Playing Audio 326
How the RDC Version Affects the User Experience, or Doesn’t 330
Printing with RDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Printing to a Directly Connected Printer 335
Printing via Redirected Printers 337
Printing from Remote Desktop Services 344
When You Cannot Use RD Easy Print 350
Controlling Printer Redirection 354
Troubleshooting Printing Issues 358
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Additional Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360

Chapter 7 Molding and Securing the User Environment 363


Locking Down the Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Restricting Device and Resource Redirection 365
Preventing Users from Reconfiguring the Server 367
Preventing Access to the Registry 368
Closing Back Doors on RD Session Host Servers 369
Controlling Libraries 375
Preventing Users from Running Unwanted Applications . . . . . . . . . . . . . . . . . . . . . 376
Using Software Restriction Policies 378
Using AppLocker 381
Creating a Read-Only Start Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Keeping the RD Session Host Server Available. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Allowing or Denying Access to the RD Session Host Server 393
Limiting the Number of RD Session Host Server Connections 393
Setting Session Time Limits 394
Taking Remote Control of User Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Additional Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398

Chapter 8 Securing Remote Desktop Protocol Connections 401


Core Security Technologies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Transport Layer Security 402
Credential Security Service Provider 405
Using RDP Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Understanding Encryption Settings 409
Choosing Encryption Settings 410
Authenticating Server Identity (Server Authentication). . . . . . . . . . . . . . . . . . . . . . . 410
Establishing a Kerberos Farm Identity 411
Creating Test Certificates for a Server Farm 411
Authenticating Client Identity with Network Level Authentication (NLA). . . . . . . 415
Speeding Logons with Single Sign-on 416
Configuring the Security Settings on the RD Session Host Server . . . . . . . . . . . . . 417
Configuring Connection Security Using RD Session Host Configuration 417
Configuring Connection Security Using Group Policy 419
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Additional Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421

Chapter 9 Multi-Server Deployments 423


Key Concepts for Multi-Server Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
RD Session Host Farms 424
RemoteApp Internals 424
Server-Side Components 426
Client-Side Components 427
RemoteApp Programs and Multiple Monitors 428
Creating and Deploying a Farm. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Distributing Initial Farm Connections 432
Connection Brokering in a Farm Scenario 433
RDS Farm Connection Brokering in Action 434
Deploying RD Session Host Farms 439
Permit RD Session Host Servers to Join RD Connection Broker 440
Join RD Session Host Servers to a Farm 447
Publishing and Assigning Applications Using RemoteApp Manager. . . . . . . . . . . 454
Adding Applications to the Allow List 455
Configuring Global RemoteApp Deployment Settings 457
Editing RemoteApp Properties 464
Maintaining Allow List Consistency Across the Farm 469
Configuring Timeouts for RemoteApp Sessions 471
Signing Already-Created RDP Files 472
Setting Signature Policies 474
Distributing RemoteApp Programs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Distributing RDP Files 475
Distributing MSI Files 476
Delivering RemoteApp Programs and VMs Through RD Web Access. . . . . . . . . . 478
RD Web Access Sources 478
Installing the RD Web Access Role Service 481
Configuring RD Web Access 482
Customizing RD Web Access 488
Troubleshooting RD Web Access Permissions 496
Using the RD Web Access Website 497
Using RemoteApp And Desktop Connections 502
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Additional Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506

Chapter 10 Making Remote Desktop Services Available from the Internet 507
How RD Gateway Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Understanding RD Gateway Authorization Policies 509
RD Gateway Requirements 510
Installing RD Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
Installing RD Gateway Using Windows PowerShell 515
Creating and Maintaining RD Gateway Authorization Policies 515
Creating an RD CAP 516
Creating an RD RAP 519
Modifying an Existing Authorization Policy 521
Configuring RD Gateway Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Tuning RD Gateway Properties 522
Using RD Gateway Computer Groups to Enable Access to a Server Farm 530
Bypassing RD Gateway for Internal Connections 533
Using Group Policy to Control RD Gateway Authentication Settings 533
Monitoring and Managing Active RD Gateway Connections 534
Creating a Redundant RD Gateway Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . 537
Using NLB to Load Balance RD Gateway Servers 537
Preventing Split SSL Connections on RD Gateway 542
Maintaining Identical Settings Across an RD Gateway Farm 543
Using NAP with RD Gateway 554
Troubleshooting Declined Connections 573
Placing RD Web Access and RD Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576
RD Web Access for External Access 576
RD Gateway Inside the Private Network 578
RD Gateway in the Perimeter Network 579
RD Gateway in the Internal Network and Bridged 581
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
Additional Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586

Chapter 11 Managing Remote Desktop Sessions 589


Introducing RD Session Host Management Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . 590
The Remote Desktop Services Manager 591
Command-Line Tools 595
Connecting Remotely to Servers for Administrative Purposes 598
Managing RD Session Host Servers from Windows 7 599
Organizing Servers and VMs in the Remote Desktop Services Manager. . . . . . . . 600
Monitoring and Terminating Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
Monitoring Application Use 603
Terminating Applications 604
Monitoring and Ending User Sessions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
Switching Between Sessions 606
Closing Orphaned Sessions 608
Providing Help with Remote Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
Enabling Remote Control via Group Policy 612
Enabling Remote Control via RD Session Host Configuration 614
Shadowing a User Session 615
Troubleshooting Session Shadowing 617
Preparing for Server Maintenance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
Disabling New Logons 619
Sending Messages to Users 621
Shutting Down and Restarting RD Session Host Servers 624
Applying RDS Management Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
Differentiating RemoteApp Sessions from Full Desktop Sessions 631
Auditing Application Usage 633
Auditing User Logons 639
Closing Unresponsive Applications 640
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641
Additional Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642

Chapter 12 Licensing Remote Desktop Services 643
The RDS Licensing Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
RDS Licensing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
VDI Licensing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646
License Tracking and Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
How RD License Servers Assign RDS CALs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
Setting Up the RDS Licensing Infrastructure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
Installing RD License Server 652
RD License Server Connection Methods 653
Activating the License Server 653
Background: How RDS CALs Are Tied to an RD License Server 657
Adding License Servers to AD DS 660
Installing RDS CALs 660
Configuring RD Session Host Servers to Use RD License Servers 662
Configuring RD License Servers to Allow Communication From RD Session Host Servers 663
Migrating RDS CALs from One License Server to Another. . . . . . . . . . . . . . . . . . . . 663
Rebuilding the RD License Server Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 665
Backing Up an RD License Server and Creating Redundancy. . . . . . . . . . . . . . . . . . 665
Managing and Reporting License Usage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667
Revoking RDS CALs 670
Restricting Access to RDS CALs 671
Preventing License Upgrades. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673
Using the Licensing Diagnosis Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 675
Additional Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 675
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677

Acknowledgments

This book isn’t the work of just two people. We owe many thanks to the combined efforts of a lot of people at Microsoft, our terrific set of editors, and the greater community. (All this said, any errors in this book are the sole responsibility of the authors.)
One of the best things about working at Microsoft is that a lot of very smart (and very helpful) people work there, and we are grateful for the insights of these people. Throughout this book, you’ll find Direct from the Source sidebars contributed by members of the product team. We also extend our heartfelt thanks to the members of the product team who sat down with us to explain the finer details of how something worked. From the Remote Desktop Virtualization (RDV) team, we’d like to thank Niraj Agarwala, James Baker, Ara Bernardi, Tad Brockway, Vikash Bucha, Yuvraj Budhraja, Hammad Butt, Rommy Channe, Munindra Das, Silvia Doomra, Samim Erdogan, Rajesh Ganta, Costin Hagiu, Ali Henriquez, Travis Howe, Olga Ivanova, Gopikrishna Kannan, Sergey Kuzin, Rob Leitman, Raghu Lingampally, Meher Malakapalli, Benjamin Meister, Ranjana Rathinam, Rajesh Ravindranath, Ray Reskusich, Sriram Sampath, Bhaskar Swarna, and Janani Venkateswaran. Even people from other teams got involved. Many thanks to Kyle Beck, Jeff Heatton, Michael Kleef, Timothy Newton, Mark Russinovich, Tom Shinder, Makarand Patwardhan, Bohdan Velushchak, Paul Volosen, and Jon Wojan for your invaluable assistance. We’d also like to thank Christa’s manager, Ashwin Palekar, for his support during this project.
RDS expertise isn’t limited to people at Microsoft, either. Remote Desktop Services MVPs as well as MVPs and experts from other disciplines also pitched in to contribute Direct from the Field sidebars and explain the intricacies of related technologies. Many thanks go to Janique Carbone, Brian Ehlert, Ross Harvey, Helge Klein, Russ Kaufmann, Shay Levy, Brian Madden, Patrick Rouse, Greg Shields, Michael Smith, and Mitch Tulloch.
The great team at Microsoft Press had a huge hand in turning this project from an idea into the book you hold in your hands. We’d like to thank Martin DelRe at Microsoft Press for asking us to write the first edition of the book in the first place, Megan Smith-Creed at Custom Editorial Productions, Inc., for great editing and project management on this edition, and Alex Juschin for tech editing the book. The rest of the editorial team at Custom Editorial Productions, Inc., did a terrific job of copyediting and proofing this text. Thank you all!
Finally, we’d like to thank our friends and families for their support during this big project. We couldn’t have done it without you. We promise to talk about something else now.

Introduction
Welcome to the Windows Server 2008 R2 Remote Desktop Services Resource Kit! This is a detailed technical resource for planning, deploying, and running Microsoft Remote Desktop Services (RDS). Because some features of RDS are brand new, this book is valuable both for those completely new to RDS and those who have used Terminal Services (its former name) in previous versions of Microsoft Windows.
Within this resource kit, you’ll find in-depth information about the improvements in RDS introduced in Windows Server 2008 R2. This book combines underlying architectural concepts with practical hands-on instructions that allow you to set up a working RDS ecosystem, understand why it’s working, and give you some guidance about how to fix it when it’s not. You’ll also find detailed information and task-based guidance on managing all aspects of RDS, including deploying RD Session Host servers, integrating RDS role services with other key parts of the Windows Server 2008 R2 operating system, and extending the reach of RDS to outside the corporate network. Finally, the companion media includes additional tools and documentation that you can use to manage and troubleshoot RDS role services. Although we mention some third-party tools in the course of this book, this book is fundamentally about running RDS using only the tools found in the operating system. You can do what we’ve done here using only Windows Server 2008 R2. Nor do we get into extensive discussion of any of the third-party tools that many people use with native Remote Desktop Services. For example, many people with high-complexity RDS deployments use management software from Citrix or Quest or other RDS partners, but we don’t discuss it here because it’s not included with the operating system.

ON THE COMPANION MEDIA  See the team partner page at
http://www.microsoft.com/windowsserver2008/en/us/rds-partners.aspx
for a list of companies that make products complementing or expanding
on Remote Desktop Services in Windows Server 2008 R2.

What’s New in Remote Desktop Services in Windows Server 2008 R2?
Remote Desktop Services in Windows Server 2008 R2 took a lot of the improvements added in Windows Server 2008 and added the features people had asked for. Want native support for VDI? It’s added to RD Connection Broker. Want fewer logons, security filtering, simplified discovery of available applications and virtual machines (VMs)? It’s in the new version of RD Web Access. Want to address problems discovered via Network Access Policies (NAP), not just shut people out of the network? It’s in the new edition of RD Gateway. Want improved application compatibility? See RD Session Host for IP address virtualization and dynamic fair share scheduling that proactively prevents one session from taking all the processor cycles. Want to stop installing printer drivers on both sessions and VMs? Easy Print now works for both virtualization options.
For those who went straight to Windows Server 2008 R2 from Windows Server 2003, let’s take a look at what the new features add to the former model of a terminal server and a license server.

Simplified Application Delivery and Display

Terminal Services in Windows Server 2003 presented all remote applications from a desktop, completely separating the display of local and remote applications. RemoteApp programs (introduced in Windows Server 2008) launch from a server, but integrate with the local desktop so they look like they’re running locally.
Not only do the applications integrate better with the local desktop, they’re easier to find and distribute, thus making it easier to support a larger and more complex deployment. One of the issues in enabling remote access is how to get the most complete and up-to-date set of remote resources to your user base. This is especially true when you’re providing access to individual applications, not to a full desktop. Using RDS Web Access, you can present links to individual applications or to entire desktops and know that these links will always be up to date. In Windows Server 2008 R2, RD Web Access can present RemoteApp programs from more than one farm as well as VMs. It also, however, supports security filtering so that you can manage an aggregated source for all remote resources but only display to people the ones they should use.

Improved Farm Support

The Session Directory service in Windows Server 2003 offered the beginning of farm support, but was only available for Enterprise SKUs and didn’t include any load balancing—it just kept track of where connections had gone. In Windows Server 2008 R2, RD Connection Broker is available on the Standard SKU, supports load balancing, and can broker connections to both sessions and VMs.

Secure Internet Access
One of the key benefits of Remote Desktop Services is its ability to support mobile workers. We had a great (and extremely itinerant) tech editor, RDS MVP Alex Juschin, for this edition of the book. He’s got a great description of how he used Remote Desktop Services while completing his part.

In your book you can mention that I have been reviewing your
book all over the world using the RDP protocol to connect to my
home in Dublin via 3G or WiFi. I’ve worked while on a smelly
Kebap Bus in Poland, in a freezing hotel in Latvia, while being
driven in a high-end coach in Estonia, on the ferry to England, in
a pub in Ireland, on a train going down the coast from Belfast,
while tasting wine in France, sitting in a nice Brasserie on the
island of Jersey, eating Belgian chocolate in Brussels, on a plane
to Germany, on a bench with a beautiful view in Zurich, in a café
near the Berlin Wall, in a prison in Finland (ok, hotel, but it used
to be a prison), and on the highest point of Germany (Zugspitze).

In Windows Server 2003, Terminal Services didn’t support secure Internet access except across virtual private networks. In Windows Server 2008 R2, Remote Desktop Services supports connectivity over Secure Sockets Layer (SSL) via RD Gateway. RD Gateway allows you to set up different rules for local and remote access and does not require any client-side setup. Introduced in Windows Server 2008, in R2, RD Gateway now enforces device and resource redirection decisions made at the gateway and supports NAP remediation.

Simpler and Broader Device Redirection

RDS assumes that a lot of people will be working from computers with local resources, and that those people won't want to be cut off from their resources when they're working in their session or VM. It also assumes that the server administrators don't want to spend more time than necessary making these resources available.
Although printer redirection, as it's been known in earlier versions of Terminal Services, still works as it did, Easy Print, introduced in Windows Server 2008, helps simplify printer redirection. Rather than requiring administrators to install printer drivers on the server, Easy Print allows redirected printers to use the drivers already installed on the client computer. In Windows Server 2008 R2, RD Easy Print works with even more printer types and works from both sessions and VMs.

Part of the rich remote work experience is using local devices. Support for local devices has been expanded through the Plug and Play Device Redirection Framework, introduced in Windows Server 2008.

Simplified License Management

Per-user licensing was introduced in Windows Server 2003 but didn't include any tracking, so you couldn't easily tell if you were in compliance. Windows Server 2008 R2 allows you to track Per-User RDS CAL usage. Additionally, the Licensing Diagnostics feature can help you resolve licensing issues. Windows Server 2008 R2 RD License servers can now migrate licenses from one server to another without the help of the Microsoft Clearinghouse. This can be done even if a license server is out of commission.
This is only a partial list of new features; Chapter 1, "Introducing Remote Desktop Services," describes the Remote Desktop Services features in Windows Server 2008 R2, and the rest of the book explains how to use them. But these are some of the highlights that show how the role has expanded in management and user experience.

ON THE COMPANION MEDIA  The authors will post data that is rel-
evant to the Windows Server 2008 R2 Remote Desktop Services Resource
Kit on the book’s blog, located at http://blog.kristinlgriffin.com/. You can
find this link on the companion media.

How This Book Is Structured

Our goal in writing this book is to help you set up a working Remote Desktop Services farm, as well as VDI pooled and personal VMs using all the pieces in the operating system, while understanding the greater context of the circumstances under which Remote Desktop Services is useful, how it works, and how Windows Server 2008 R2 compares to previous versions. This book has twelve chapters:
■ Chapter 1, "Introducing Remote Desktop Services," explains where RDS came from and how it has evolved as a platform, what new features are available in this latest iteration, and what you can accomplish with this new version of the product. It also explains how other services support RDS.
■ Chapter 2, "Key Architectural Concepts for Remote Desktop Services," dives into RDS internals and relevant Windows Server 2008 R2 internals. It also shows you how to determine the hardware and software you will need to support this product in your environment.
■ Chapter 3, "Deploying a Single Remote Desktop Session Host Server," shows you how RD Session Host servers work, and how to install and configure this role service.
■ Chapter 4, "Deploying a Single Remote Desktop Virtualization Host Server," explains what VDI is, how Microsoft VDI works, and how to install and configure an RD Virtualization Host and the supporting roles.
■ Chapter 5, "Managing User Data in a Remote Desktop Services Deployment," discusses the different types of profiles that work with RDS and how to deploy and troubleshoot user profile solutions and folder redirection.
■ Chapter 6, "Customizing the User Experience," discusses how remoting works, how to promote a good client experience in the remote session, and how to print from RDS sessions.
■ Chapter 7, "Molding and Securing the User Environment," explains why you should lock down the RDS environment and how you should do it, and describes how to provide remote assistance to users from within the user session.
■ Chapter 8, "Securing Remote Desktop Protocol Connections," discusses RDP encryption, server and client authentication, and how to configure security settings on the RD Session Host server.
■ Chapter 9, "Multi-Server Deployments," introduces key concepts for multi-server deployments, shows how to create RD Session Host farms, and explains how to publish applications and display resources through RD Web Access.
■ Chapter 10, "Making Remote Desktop Services Available from the Internet," shows you how to install and configure RD Gateway to provide access to RemoteApps, desktop sessions, and pooled and personal VMs to users located outside the corporate network.
■ Chapter 11, "Managing Remote Desktop Sessions," shows you how to monitor and terminate processes and user sessions running on an RD Session Host server, how to provide help with remote control, and how to drain RD Session Host servers for maintenance.
■ Chapter 12, "Licensing Remote Desktop Services," discusses the new RDS licensing paradigm, including both RDS and VDI licensing. This chapter explains how licenses are tracked and enforced; how RD License servers assign RDS CALs; how to install, configure, and maintain RDS License servers; how to diagnose licensing issues with the Licensing Diagnosis tool; and how to migrate licenses from one server to another.

Document Conventions
The following conventions are used in this book to highlight special features or usage.

Reader Aids
The following reader aids are used throughout this book to point out useful details:

READER AID                MEANING
Caution                   Warns you that failure to take or avoid a specified action can cause serious problems for users, systems, data integrity, and so on.
Note                      Underscores the importance of a specific concept or highlights a special case that might not apply to every situation.
On the Companion Media    Calls attention to a related script, tool, template, job aid, or URL on the companion CD that helps you perform a task described in the text.

Sidebars
The following sidebars are used throughout this book to provide added insight, tips, and advice concerning different Remote Desktop Services features.

NOTE  Sidebars are provided by individuals in the industry as examples for informational purposes only and may not represent the views of their employers. No warranties, express, implied, or statutory, are made as to the information provided in sidebars.

SIDEBAR                   MEANING
Direct from the Source    Contributed by experts from the product group who provide "from-the-source" insight into how Remote Desktop Services works, best practices, and troubleshooting tips.
Direct from the Field     Contributed by experts external to the product group who have real-world experience working with Remote Desktop Services. Some experts are Microsoft field engineers; others are Microsoft MVPs or other experts.
How It Works              Provides unique glimpses of Remote Desktop Services features and how they work.

Command-Line Examples
The following style conventions are used in documenting command-line examples throughout this book:

STYLE               MEANING
Bold font           Used to indicate user input (characters that you type exactly as shown).
Italic font         Used to indicate variables for which you need to supply a specific value (for example, file name can refer to any valid file name).
Monospace font      Used for code samples and command-line output.
%VariableName%      Used for environment variables.

Companion Media
In addition to the book itself, you also get a CD that contains some great tools and other resources. System requirements for running the CD are at the back of this book. The CD includes the following resources:

Links
The companion media includes many links to URLs that lead to more information about Remote Desktop Services-related topics, Remote Desktop Services resources, partner websites, and more. Some of the URLs are referenced throughout the book and some are not.

Management Scripts
On the companion media, you will find a collection of scripts illustrating ways to work with Remote Desktop Services using Windows PowerShell and VBScript. We've also included listings in relevant locations in the book so that you can better understand how these scripts support the functionality you're looking for. Although these scripts are intended as samples instead of finished products, they do useful work such as allowing you to easily determine the shadowing permissions on a server or providing application-usage metering not provided in the GUI.

Find Additional Content Online  As new or updated material becomes available that complements your book, it will be posted online. The type of material you might find includes updates to book content, articles, links to companion content, errata, sample chapters, and more. This website is available at http://go.microsoft.com/fwlink/?LinkId=203980 and is updated periodically.
Support for This Book
Every effort has been made to ensure the accuracy of this book. As corrections or changes are collected, they will be added to the O'Reilly Media website. To find Microsoft Press book and media corrections:
1. Go to http://microsoftpress.oreilly.com.
2. In the Search box, type the ISBN for the book, and click Search.
3. Select the book from the search results, which will take you to the book's catalog page.
4. On the book's catalog page, under the picture of the book cover, click View/Submit Errata.
If you have questions regarding the book or the companion content that are not answered by visiting the book's catalog page, please send them to Microsoft Press by sending an email message to mspinput@microsoft.com.

We Want to Hear from You

We welcome your feedback about this book. Please share your comments and ideas via the following short survey:

http://www.microsoft.com/learning/booksurvey

Your participation will help Microsoft Press create books that better meet your needs and your standards.

NOTE  We hope that you will give us detailed feedback via our survey. If
you have questions about our publishing program, upcoming titles, or
Microsoft Press in general, we encourage you to interact with us via Twitter
at http://twitter.com/MicrosoftPress. For support issues, use only the email
address shown above.

CHAPTER 1

Introducing Remote Desktop Services
■ Where Did RDS Come From?  2
■ What Can You Do with RDS?  7
■ RDS for Windows Server 2008 R2: New Features  12
■ How Other Services Support RDS  32
■ Functionality for RDS Scripters and Developers  35

You might be reading this book for any of a number of reasons. Perhaps you're an old hand at Microsoft Terminal Server and are interested in seeing what Remote Desktop Services (RDS) in Microsoft Windows Server 2008 R2 can do for you. You might have installed Windows Server 2008 R2 and are now interested in what all these web accesses, gateways, and Remote Desktop Session Host servers do. Maybe you have heard about RDS and are interested in how you might benefit by incorporating it into your environment. For that matter, you might be wondering how RDS compares to other remote access technologies in Windows Server 2008 R2.
Whichever reason you have to be interested in RDS, this book is for you.
This chapter sets the stage for the rest of the book. To understand the evolution of Microsoft Terminal Services (now called Remote Desktop Services), you have to understand where it came from and the ecosystem in which it operates. To understand what you can do with the roles and role services, you have to understand the essential goals of RDS in Windows Server 2008 R2 and the scenarios that it's designed for. And, because RDS isn't an end in itself but a piece of the broader Windows infrastructure, you'll see how RDS roles interact with other technologies, like Windows Server 2008 Hyper-V and IIS.
After reading this chapter, you'll understand the following:
■ Why Terminal Services is now known as Remote Desktop Services
■ What Windows Server 2008 R2 includes for supporting an RDS environment
■ What scenarios the RDS role services are intended to support
■ What kinds of new technology enable those new scenarios
■ How RDS role services interact with each other

■ How RDS role services depend on other Windows Server roles
■ What application programming interfaces (APIs) exist for developers to use, and what are some examples of the kinds of features that developers can add to RDS

Where Did RDS Come From?

If you're looking at RDS for the first time with Windows Server 2008 R2, you'd hardly recognize its earliest incarnations. Like Windows Server itself, RDS has changed a lot over the years and has become much more comprehensive. It's not important to go through an exhaustive feature list for each edition, but it's useful to see how multi-user Windows has developed since its inception in the mid-1990s.

Citrix MultiWin
The original MultiWin architecture was designed not by Microsoft but by Citrix, who licensed the Microsoft Windows NT 3.51 source code from Microsoft to create multi-user Windows. [MultiWin was originally going to be based on IBM Operating System/2 (OS/2) when Microsoft was part of the OS/2 project, but Windows won.] Citrix created its own product called WinFrame, which was a multi-user version of Windows NT 3.51 and totally separate from the operating system that Microsoft produced.

A First Experience with Multi-User Windows

Christa first experienced multi-user Windows through WinFrame 1.7 in 1997 at an IBM training center in New York's Hudson River Valley. Training lasted multiple days, so there were hotel rooms in the training center. Originally, the training center provided a PC in each guest room, and staff had to deal with the maintenance headaches of that setup. But by that training session in 1997, they'd moved to setting up thin clients (connected to the WinFrame servers) in all guest rooms so that guests could check email and work from their rooms. When attendees checked in, a script automatically created a user account for that person. This is all common now, of course, but at the time, it was heady stuff and a big change from the desktop-centric model of Windows.

Windows NT, Terminal Server Edition

WinFrame was built on Windows NT 3.51. Microsoft licensed MultiWin back from Citrix in 1995 and plugged this multi-user core into the Windows NT 4.0 base operating system to make a new product: Windows Server with multi-user capabilities. The result was Windows NT 4.0 Terminal Server Edition. Citrix no longer provided a stand-alone product but released MetaFrame, which ran on top of Terminal Server Edition (in much the same way that Citrix XenApp runs on Windows Server now) and added some new features and management tools.

Terminal Server Edition was very much a starting point. The operating system was pretty basic, to put it mildly. Almost every installation of Terminal Server Edition ran MetaFrame on top of it, because the base product did little more than provide a multi-user operating system. Even basic functionality such as clipboard mapping was not included. The fact that Terminal Server Edition and the core operating system were different products wasn't great for either Microsoft or its customers. Microsoft had to deal with two sets of operating system service packs, and customers had to purchase a separate product to test server-based computing and juggle two different service packs that were not released at the same time. On the plus side, when there was a problem with Service Pack 6 (SP6) for Windows NT 4.0, it was solved by the time SP6 for Terminal Server Edition was released.

Windows 2000 Server

The first real breakthrough in Terminal Services was in Microsoft Windows 2000 Server. For the first time, Terminal Services was a server role in the base server operating system, not a separate product. Why did this matter? There are several reasons. First, the game of juggling incompatible service packs for single-user and multi-user operating systems was over. Second, there was a fundamental change in the way that server-based computing and remote access were perceived. Before Windows 2000, if you wanted to manage a Windows server from the graphical user interface (GUI), you generally sat down in front of it; there was no capability for remote management using Microsoft Remote Desktop Protocol (RDP). The problem was that there is a limit to the number of servers that you can sit in front of during the day, especially when those servers are in different buildings, or even in different cities. Windows 2000 Server introduced Remote Administration as an optional component, allowing server administrators to manage servers even when they weren't sitting in front of them. Not only did this make server administration a lot easier, it also came to the aid of Terminal Services, because it gave people a good use case for remote usage and multi-user computing.
Having Terminal Services in Application Server mode available in the core operating system also meant that trying Terminal Server for users required comparatively little effort; setting up a basic pilot could be done with as little effort as installing the role in Application Server mode and letting people use Notepad. In addition, because RDP in Windows 2000 Server added some basic functionality such as client printer redirection and a shared clipboard between local and remote sessions, trying Terminal Server and getting a feel for how users could benefit from shared computing was possible even with only the tools in the core operating system.

Windows Server 2003

The next big step was Microsoft Windows Server 2003, which took some of the decisions made in the Windows 2000 Server timeframe to their next logical conclusions. If Remote Administration is a good thing, why should it be an optional component? Instead, enable it for all Windows server roles and make it an option for the client. And although the basic functionality in Windows 2000 Terminal Server is useful, it doesn't provide a sufficiently rich

client experience. Let's enable drive mapping, full color, sound, and other features that were previously possible only with third-party products, so that the remote experience can be a lot more like the local desktop experience.
Another big change to Windows Server 2003 was in management. Windows 2000 terminal servers could be managed only singly. You could configure them remotely, but not collectively. Windows Server 2003 introduced some Group Policy settings for configuring and managing terminal servers, and Terminal Server Manager supported management of remote servers.

Windows Server 2008

Microsoft Windows Server 2008 represented a big breakthrough in Terminal Services functionality. Previous versions of Terminal Services had included only two roles: the terminal server and a license server.

NOTE  Although Windows Server 2003 included the Session Directory Server for basic farm support, this role was available only in the Enterprise Edition and was not widely deployed.

If your needs extended beyond remote access to a full desktop on the local area network (LAN), then you needed third-party additions to the role to help you fulfill them. With Windows Server 2008, Terminal Services gained the following advantages:
■ Visual integration between locally and remotely running applications
■ A web interface for presenting applications on the terminal servers individually
■ A secure gateway to enable support for secure access via the Internet
■ A session broker to route incoming connections to the most appropriate terminal server
■ A printing subsystem that did not require print drivers to be installed on the terminal servers
■ Redirection of new types of devices

Windows Server 2008 R2 and RDS

Windows Server 2008 R2 is technically a "minor release" like other R2 releases, but it introduces a lot of changes for RDS. The role service has expanded again to add virtual desktop support (often called VDI, for Virtual Desktop Infrastructure). It has also gained some new features, some of the most important being the following:
■ Support for connection to Hyper-V based virtual machine (VM) pools of shared VMs and personal VMs assigned to an individual
■ Changes to Remote Desktop (RD) Web Access that allow the portal to display resources from multiple RD Session Host servers (formerly known as terminal servers) or farms, and that enable security filtering for RemoteApp programs and VMs

■ Improved application compatibility and resource management on RD Session Host
■ Support for Aero Glass remoting and other user experience improvements to RDP 7
■ Support for forms-based single sign-on through RD Web Access so that users need authenticate only once on the website to get to all the RemoteApp programs assigned to them
■ Improvements to Remote Desktop Gateway to enforce drive redirection policies and enable client remediation when clients do not conform to software rules
■ Improved discoverability for license servers for a more reliable connection

DIRECT FROM THE SOURCE

Why VDI?
Michael Kleef, Senior Product Manager
Windows Server Marketing

Microsoft added VDI support to Windows Server 2008 R2 to allow customers
further desktop delivery choice in thin client computing. Although Remote
Desktop Session Host is a mature product and still provides relevant customer value
at the right TCO (total cost of ownership) point, there are times when the level of
personalization and isolation that VDI with Windows 7 delivers are important for
specific use cases. Applications that require elevated permissions are hard to sup-
port on an RD Session Host because one elevated-privilege mistake could affect
all users of the server. The isolation of VMs makes it possible to support this type
of application using VDI. Another example is native application compatibility; this
was largely solved by Microsoft App-V, but it can’t solve all application issues in
which the application requires a Windows client installation. It’s for reasons like this
that Microsoft invested in delivering a VDI platform in Windows Server 2008 R2
and extended it further in Service Pack 1 with Dynamic Memory and RemoteFX, to
increase VM density and improve the rich user experience.

Most obviously, Terminal Services is now called Remote Desktop Services, and all subroles are renamed to go along with the change. The service was renamed to reflect the much broader scope of the server role, including sessions and the role services needed to get people connected to them, but also hosting of VMs and secure wide area network (WAN) access.

NOTE  Because this book is about Windows Server 2008 R2, it uses the current names
for the server role and its role services. See Table 1-1 for a list of some of the names you’ll
come across most often. For a complete mapping of the old and new name for RDS, see
http://technet.microsoft.com/en-us/library/dd560658(WS.10).aspx.

TABLE 1-1  Mapping TS Names to RDS Names

FORMER NAME                                         WINDOWS SERVER 2008 R2 NAME
Terminal Services                                   Remote Desktop Services
Terminal server                                     Remote Desktop Session Host server
Terminal Services Licensing (TS Licensing)          Remote Desktop Licensing (RD Licensing)
Terminal Services Web Access (TS Web Access)        Remote Desktop Web Access (RD Web Access)
Terminal Services Gateway (TS Gateway)              Remote Desktop Gateway (RD Gateway)
Terminal Services Client Access License (TSCAL)     Remote Desktop Services Client Access License (RDSCAL)
Terminal Services Manager                           Remote Desktop Services Manager
Terminal Services Configuration                     Remote Desktop Services Configuration

The pattern is pretty obvious; if any names you see don't make sense, look at the list provided at the link.

The Evolving Remote Client Access Experience

Although this book focuses on the server shared-computer experience, not the client, it is important to know that RDS also changed on the client side as the server-side capabilities evolved. Microsoft Windows 2000 Professional did not support incoming remote access connections (nor did Microsoft Windows 9.x), but Microsoft Windows XP, Windows Vista, and Windows 7 all do. Supporting incoming remote connections enabled several new ways to use Windows clients, including:
■ Remote access to a physical computer from home or another area of the building
■ Remote Assistance
■ Virtual desktop hosting
■ Hosting RemoteApp programs to be displayed in another client operating system (for application compatibility)
Remote access from another computer reflects the reality that many people use more than one computer, and that a home might have more than one computer. Remote Assistance uses the remote control feature of RDS, the ability to permit a second person to see or even take over a remote session, for enabling help desk support, even on desktops. Virtual desktop hosting was one of the chief competitors to session hosting for a long time (and is now part of the service). Features like RemoteApp on Hyper-V allow people to run applications on an older operating system while seeing them on a newer one, even if the application won't run on Windows 7 for some reason.

NOTE  Generally speaking, most 32-bit applications can run on a 64-bit platform as long
as these applications don’t include drivers and don’t have a 16-bit installation routine. Web
applications designed to run in Microsoft Internet Explorer 6 are one exception to this
rule. Internet Explorer 6 is included with Windows Server 2003, but can’t be installed on
Windows Server 2008 R2. Therefore, if you have Internet Explorer 6–dependent applica-
tions and want to display them as RemoteApp programs, you can host them in VMs using
RemoteApp for Hyper-V.

RDS shows up in the client versions of Windows even when you don't expect it. It's the technology that enables Fast User Switching and Remote Assistance (to name just two), and a version of the RDP protocol is the basis of Live Mesh.
In short, the story of Remote Desktop Services is the story of how multi-user computing has become less of a niche technology and more of a Microsoft strategy for enabling various scenarios that blur the line between the PC and the data center. Even when they're not called RDS, multi-user computing and the Remote Desktop Protocol have become crucial parts of the core Windows platform.

What Can You Do with RDS?

The preceding section provides a (very fast) look at where RDS came from and how it became part of the core Windows platform for both client and server. You will learn about the technology in depth in later chapters. But what do you do with it?
Fundamentally, RDS breaks the hard links between location, client operating system, and capability.
In many ways, this is a natural extension of networking. If you're using a single computer unconnected to any networks, you're limited to the applications and data stored on that computer. If you attach that computer to a network and enable file sharing, you can use data that is not stored on your laptop, and a systems administrator can both back up that data (impossible for someone else to do on an isolated desktop) and secure it. With RDS, you can use not only data stored somewhere else but also applications stored somewhere else. They don't even have to be capable of running on the client computer as long as they'll run on the host. Presentation remoting improves on file sharing because the files you use don't have to be accessible to the client computer as long as they're available to the back-end application. With an isolated PC, you are absolutely tied to what that computer can do. With presentation remoting, the capabilities are more flexible, because what you see isn't necessarily running on the computer where you're working, or even in the same country. This has benefits for security, location, and device independence.

Improved Security for Remote Users
Totally PC-based computing has problems with data security. More and more people work on laptops, and laptops are meant to be taken places. But laptops with data stored on them are a security risk, even if you password-protect the laptop. Unless you take the laptop with you everywhere, including lugging it along to dinner instead of leaving it in the hotel room when you're on the road, the data on your laptop is vulnerable to theft. And if someone really wants the laptop, it doesn't matter if you take it with you. This doesn't even address the dilemma of leaving the laptop in a taxi or on a train by accident. It happens. BitLocker technology on Windows 7 and Windows Vista keeps the data on a stolen or lost laptop from being read, but it does nothing about the loss of the data itself when a misplaced or broken laptop wasn't backed up.
If the data is on the laptop and you lose the laptop, the data's gone. The obvious solution is not to keep the data on the laptop; store it in the data center instead. But if you're accessing the data center from a remote location via a virtual private network (VPN) and working with large files (in this day of heavy-duty formatting, what file isn't large?), it's tempting to keep the file on the local drive while working on it remotely and then copy it back to the network when you're done with it. However, if you work this way, you're back where you started, with the data on the local drive.

Information Insecurity

I t’s not practical to make sensitive information accessible only to people within the
four walls of the office, but it’s been shown again and again what happens when
that information leaves the data center. In November 2009, the Army Corps of Engi-
neers lost a hard drive containing the names and social security numbers of as many
as 60,000 current and former Army service members and some civilians. As of this
writing, the drive has not yet been recovered. This isn’t the first time that sensitive
data has been lost to a misplaced laptop or other portable media.

It’s not always feasible to store sensitive information only in the data center, acces-
sible solely via secure connection to a Remote Desktop Session Host server behind
the perimeter network. Sometimes, the information must be available even when
a network connection isn’t. But when it is feasible, it’s much more secure to keep
information where it’s least likely to be compromised, stolen, or lost: in the data
center.

One solution to the dilemma of how to secure data while keeping it accessible to the people who need it is to keep everything in the data center, including the applications required to edit the data. If both the applications and the confidential data are on the network, then it's either impossible to edit the data locally (because no application for doing the editing is installed locally) or not as desirable to do so, because there's no reason to download the remote file to the local computer for a more responsive experience. No sensitive data ends up on the client computer; it all stays within the boundaries of the data center, provided that the session itself doesn't hand it back out through redirected client drives or the clipboard, which is what the rules described next are for.

NOTE  Given a sufficiently long distance or sufficiently slow Internet connection, the remote connection will also be slow; and if the network connection isn't totally reliable, it can be frustrating as the session disconnects. As you know all too well, even high-speed networks experience some latency when you're working on one continent and the data center is on another one. But these problems apply to any remote-access scenario, and working in a session carries less risk of accidentally corrupting the original document than attempting to write to it over a slow connection does. A disconnected session doesn't lead to data loss; it's just there waiting for its user to reconnect to it.

What if you want people to be able to edit confidential documents when they are in a secure location but not when they're accessing the corporate network from the local coffee shop? Using RDS in Windows Server 2008 R2, you can set up rules that determine which applications a remote user has access to, whether the user has any local drives mapped, and even whether it's possible to cut and paste text between local and remote applications. Security needs can determine the restrictions placed on remote access while still keeping the data easily available when it should be.
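The rules described above can be applied in two places, and which one you use determines whether they are location-dependent. Group Policy settings under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection apply to every connection to the host; the RD Gateway's connection authorization policies can block the same redirections only for connections that arrive through the gateway, that is, from the Internet, while LAN users keep them. The following Windows PowerShell script is an added example, not code from the book: it writes the host-wide version of the lockdown as the registry values the policy templates set, and reads them back so you can confirm what the server will enforce. The value names are real; the choice of settings and the function names are this example's own assumptions.

```powershell
# Added example (not from the book): lock down client device redirection on an
# RD Session Host and read back what the server will enforce. Run in an
# elevated PowerShell on the host. The key is the one the Group Policy
# templates write, so a domain GPO that configures these settings overwrites
# them at the next policy refresh.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Real policy value names; which ones to set to 1 is this example's
# hypothetical "untrusted network" profile.
$Lockdown = @{
    fDisableCdm      = 1   # Do not allow drive redirection
    fDisableClip     = 1   # Do not allow Clipboard redirection
    fDisableCpm      = 1   # Do not allow client printer redirection
    fDisableLPT      = 1   # Do not allow LPT port redirection
    fDisableCcm      = 1   # Do not allow COM port redirection
    fDisablePNPRedir = 1   # Do not allow supported Plug and Play device redirection
}

function Set-RdshRedirectionPolicy {
    param([hashtable]$Settings, [string]$Key = $PolicyKey)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($name in $Settings.Keys) {
        # REG_DWORD 1 = redirection blocked, 0 = allowed, absent = not configured
        New-ItemProperty -Path $Key -Name $name -PropertyType DWord `
            -Value $Settings[$name] -Force | Out-Null
    }
}

function Get-RdshRedirectionPolicy {
    param([string]$Key = $PolicyKey)
    $names = 'fDisableCdm', 'fDisableClip', 'fDisableCpm',
             'fDisableLPT', 'fDisableCcm', 'fDisablePNPRedir'
    $item = $null
    if (Test-Path $Key) { $item = Get-ItemProperty -Path $Key }
    foreach ($n in $names) {
        $value = $null
        if ($item -ne $null -and $item.PSObject.Properties[$n] -ne $null) { $value = $item.$n }
        # A missing value means "not configured", which the server treats as allowed.
        if ($value -eq 1)         { $state = 'Blocked' }
        elseif ($value -eq $null) { $state = 'Not configured (allowed)' }
        else                      { $state = 'Allowed' }
        New-Object PSObject -Property @{ Setting = $n; State = $state }
    }
}

Set-RdshRedirectionPolicy -Settings $Lockdown
Get-RdshRedirectionPolicy | Format-Table Setting, State -AutoSize
```

The read-back step matters more than the write: a domain GPO, or an RD Gateway connection authorization policy that the connection happens to pass through, can leave the effective setting different from what a local script wrote, so verify on the host and, for Internet users, in the gateway policy too.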

Provisioning New Users Rapidly

This is especially useful for temporary workers. If you are providing computer services for someone who will only be around temporarily (for example, a consultant needing a temporary desktop or a temporary worker), then it's good not to need to spend much time on setting up a computer for her, but also good to give her a clean work environment that doesn't require her to work around the detritus left by the previous user of the computer. Through RDS, you can get a new user set up and working almost as quickly as you're able to get her a domain account. In addition, the pooled VM or remote desktop session the person uses will be brand new, with no old settings left from a previous user, which should simplify troubleshooting and training.

Enabling Remote Work

Related to security for mobile workers is remote work. Telecommuting is becoming more common in the workplace. Some help desk suppliers and U.S. government agencies don't even have desks for all their workers, since their workplaces are designed for most people to be working from home most of the time. According to the Status of Telework Report to the Congress (see http://www.telework.gov/Reports_and_Studies/Annual_Reports/2009teleworkreport.pdf), over 100,000 people working for the U.S. government teleworked during 2008, with 64 percent of these teleworking at least 1 to 3 days per week. This represents an increase of just under 9 percent since 2007.
Nor is telework a solely North American phenomenon. In 39 percent of western European companies, some people work at home at least part of the time, according to "IT and the Environment," a 2007 paper by the Economist Intelligence Unit.

But working from home has its own set of challenges, not least being the question of how the company can support the desktop environment. Home-based computers can't be easily managed by Group Policy; they can break down with no IT staff immediately available to provide assistance, and people working from home can't always readily talk through a computer-based problem with help desk staff. And how do you update an application when it's time to move from, say, Microsoft Office 2007 to Office 2010? If you've worked remotely for even a brief span of time, you probably have experienced the advantages of mobility and the disadvantages of lack of local support. It's great being able to work from the coffee shop, hotel, or airport lobby; it's not so great acting as your own help desk.
Server-based computing helps enable remote scenarios in several ways. You don't have to worry about home users installing applications that they shouldn't run on the Remote Desktop Session Host servers if you follow basic security procedures (more later on this topic). Since the applications are stored on the RD Session Host servers, they're installed and updated there, not on the clients. And, as discussed earlier in this section, using RDS allows the administrator to determine the kind of resource sharing that the local and remote computers should do and which applications are available, depending on the location from which a user is connecting.

Bringing Windows to PC-Unfriendly Environments

Not all the people who need a PC work in an environment that allows them to have one. One example is electronics firms. If you're making circuit boards, you make them within what's called a clean room, a room with no dust and which requires a time-consuming process to enter. If you need to use Windows applications in a clean room, you can't use PCs. The fans inside the case kick up dust inside the computer and spread it into the room. In addition, it's not practical to have PCs that might need servicing in any room that takes extensive preparation to enter as a clean room does. Therefore, you need RDS to provide Windows applications to the terminals.
Thin clients are also good for environments where you want access to Windows applications but the circumstances are not PC-friendly, if they've got too much dust or vibration to be good for the PC. Small terminals that can be wall-mounted or carried work better in these circumstances than PCs do. But since these small terminals have very limited memory and CPU power and no disks, you can't run Windows 7 on them. To get access to the latest operating system and applications, you need an RD Session Host server for the terminals to connect to.
PC-less Windows environments include places such as upscale health clubs or city apartment lobbies. Management wants to attract customers by offering the convenience of a personal computer in the lobby or cafe but doesn't want to support computers in these locations. (Bulk can also be an issue when you're trying to squeeze five user work areas into a small counter space.) Windows terminals can connect to an RD Session Host server and present the applications. They're also smaller, cooler, and more reliable than PCs, which can get misconfigured.

It has been said that there's no point to getting thin clients because if you buy PCs, you get more power for the same money. With thin clients, you're not paying for the computing power; you're using very little, comparatively speaking. You're paying for the reduced administration and smaller physical footprint and energy use. This solution is not for everyone, but sometimes thin clients are a better choice than PCs.

Business Continuity and Disaster Recovery

One advantage of RDS is that it enables you to set up user work environments quickly. As long as the servers are available in the data center, they can be made available to users almost as quickly as the user's computer is plugged in and turned on. Using a combination of centralized application installs and Internet access, it's possible to set up a new branch office quickly even if the RD Session Host servers are located offsite. For maximum flexibility and ease of setup, this model assumes that the RD Session Host servers are user-agnostic (that is, all user information, including profiles, is stored elsewhere) and identically configured.

Supporting Green Computing

One of the hot topics (no pun intended) these days is how to make companies and governments greener—how to help them use less energy. IDC, a market-research firm, says that power consumption is now one of systems managers' top five concerns. Companies now spend as much as 10 percent of their technology budgets on energy, says Rakesh Kumar of Gartner, a consultancy. (Only about half of this amount is used to run computers; much of it goes toward cooling them, since for every dollar used to power a server, you spend a dollar to cool it.) Dropping power usage is a win-win situation, really—because companies have to pay for their power, using less energy means that they spend less money on power.

NOTE  A December 2007 paper from McKinsey & Company, "Reducing U.S. Greenhouse Gas Emissions: How Much at What Cost?" (http://www.mckinsey.com/clientservice/ccsi/pdf/US_ghg_final_report.pdf), shows the marginal costs of reducing carbon dioxide emissions. The cost of reducing the carbon emissions for combined heat and power in commercial buildings is negative. That is, it pays companies to go green.

There's a lot of waste in desktop-centric computing. According to IDC, average server utilization levels range from 15 to 30 percent. Average resource utilization rates for PCs have been estimated at less than 5 percent. Because you have to power the processor and memory whether you're using them or not, this represents a lot of waste. Therefore, depending on the needs of the client, there might be quite a bit of room for people accessing their desktops—or at least their applications—from an RD Session Host server. For companies that can reasonably exchange desktop computers for Windows-based terminals, this can represent a huge savings, both in terms of the power drawn by the full desktops and in terms of the air conditioning required to cool the building heated by hundreds of powerful PCs.

Improved Command-Line Support
Windows Server 2008 had a wide array of programmable interfaces that duplicated—and even extended—the capabilities of the GUI. What it didn't have was the best way to get at them. Windows PowerShell supported Windows Management Instrumentation (WMI) but had no built-in remoting (you could read remote WMI objects with Get-WmiObject -ComputerName, but not run commands on a remote server), and finding the right WMI object isn't trivial unless you already know what you're looking for, so you couldn't conveniently use Windows PowerShell to manage settings on a server farm. VBScript did support remote access and WMI, but it required knowing how to script. (You also need to learn to use Windows PowerShell to use it, but it's simpler, and a lot of basic tasks have cmdlets already prepared.)
Command-line management is simpler in Windows Server 2008 R2 for two reasons. First, the Windows PowerShell team introduced remote access support in Windows PowerShell 2.0. Second, the RDS team created Windows PowerShell objects to map to its WMI structure. It's now possible to easily find the capability that you want according to server role, and the objects are fully supported by standard Windows PowerShell cmdlets. You'll be reviewing throughout this book how to use Windows PowerShell to manage the RDS farms.
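As an added example of what Windows PowerShell 2.0 remoting buys you on a farm (this is not code from the book, and it uses the RDS WMI classes directly rather than the RDS provider the text mentions): the script below fans out to every RD Session Host in a hypothetical farm, reads the RDP-Tcp listener's security settings from the Win32_TSGeneralSetting class, and reports which servers deviate from a baseline of TLS security layer, Network Level Authentication required, and at least High encryption. The server names, the baseline values, and the function name are this example's assumptions; the class, property and method names are the real ones.

```powershell
# Added example (not from the book): audit the RDP listener security settings
# of every RD Session Host in a farm using Windows PowerShell 2.0 remoting.
# Requires WinRM on the targets (Enable-PSRemoting) and admin rights there.
# Server names and baseline values are hypothetical.

$Farm = 'RDSH01', 'RDSH02', 'RDSH03'

# Win32_TSGeneralSetting encodings:
#   SecurityLayer: 0 = RDP, 1 = Negotiate, 2 = SSL (TLS)
#   UserAuthenticationRequired: 1 = Network Level Authentication required
#   MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS
$Baseline = @{ SecurityLayer = 2; UserAuthenticationRequired = 1 }
$MinEncryptionLevel = 3

$results = Invoke-Command -ComputerName $Farm -ScriptBlock {
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" `
        -Authentication PacketPrivacy
    New-Object PSObject -Property @{
        Server                     = $env:COMPUTERNAME
        SecurityLayer              = $ts.SecurityLayer
        UserAuthenticationRequired = $ts.UserAuthenticationRequired
        MinEncryptionLevel         = $ts.MinEncryptionLevel
        CertificateThumbprint      = $ts.SSLCertificateSHA1Hash
    }
    # Remediation uses the class's own methods, for example:
    #   $ts.SetSecurityLayer(2); $ts.SetUserAuthenticationRequired(1)
    #   $ts.SetEncryptionLevel(3)
}

function Compare-RdshBaseline {
    param($Results, [hashtable]$Baseline, [int]$MinEncryption)
    foreach ($r in $Results) {
        $deviations = @()
        foreach ($setting in $Baseline.Keys) {
            if ($r.$setting -ne $Baseline[$setting]) {
                $deviations += ('{0}={1} (expected {2})' -f $setting, $r.$setting, $Baseline[$setting])
            }
        }
        # Encryption is a floor: FIPS (4) is fine when the baseline asks for High (3).
        if ($r.MinEncryptionLevel -lt $MinEncryption) {
            $deviations += ('MinEncryptionLevel={0} (expected >= {1})' -f $r.MinEncryptionLevel, $MinEncryption)
        }
        New-Object PSObject -Property @{
            Server     = $r.Server
            Compliant  = ($deviations.Count -eq 0)
            Deviations = ($deviations -join '; ')
            Thumbprint = $r.CertificateThumbprint
        }
    }
}

Compare-RdshBaseline -Results $results -Baseline $Baseline -MinEncryption $MinEncryptionLevel |
    Sort-Object Server | Format-Table Server, Compliant, Deviations, Thumbprint -AutoSize
```

Thumbprints that differ from host to host usually mean each server is still presenting the self-signed certificate it generated at setup, which clients cannot validate; a farm that users reach by one name should present one certificate issued to that name.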

RDS for Windows Server 2008 R2: New Features

So far, you've seen an overview of some of the ways you might apply server-based computing to meet your company's needs for supporting remote workers or PC-unfriendly environments. Many new features in Windows Server 2008 R2 help you support these scenarios specifically. This book is devoted to letting you know what's new in RDS and how to use it. This section discusses some of the features and how this version of RDS differs from previous versions in ways larger than individual features.

For example, did you know that its Dynamic Fair Share Scheduling ensures that
each user on the same server gets an equal share of processor time? With it,
a lightweight user running Microsoft Word can collocate with a heavyweight user
performing a software build, or crunching a database query, or any other CPU-
intensive activity. The heavy session cannot starve the light one of processor cycles.

Remote Desktop IP Virtualization is also new for those finicky applications that
require unique IP addresses to function. Without it, all applications running from
the same RD Session Host will appear to have the same IP address. With it, an RDS
server can virtualize a set of IP addresses so that those applications execute without
problems.

Even Windows Installer gets improved with Windows Server 2008 R2. In previous
operating system versions, Windows Installer wasn’t fully Terminal Services–aware.
This limitation made the installation of some applications very difficult as concur-
rent installs would block each other. That awareness is finally present in R2, improv-
ing the success rate of installing applications to RDS. Installing MSI packages on an
RD Session Host server is the same as installing them on a client computer—they
serialize and don’t block.

With R2, your options for connecting users to applications become as important as
the application delivery itself. This “feature” isn’t so much a feature as a completely
new way of thinking about application delivery. The incorporation of RemoteApp
and Desktop Connection in Windows 7 with the RD Web Access in Windows Server
2008 R2 gives you more options for how you connect users to their applications.
Depending on your needs, you can deliver RemoteApp programs and VMs via a web
page in Internet Explorer, through an .RDP file delivered to the user, or, for those
using Windows 7, you can simply populate your users’ Start menu.

The Changing Character of RD Session Host Usage

One RDS change in Windows Server 2008 R2 is in the usage assumptions. Windows Server 2003, for example, assumed that administrators would generally run individual servers from the corporate LAN (and probably only one or two of them), since the session brokering piece is available only in the Enterprise edition of the software. Windows Server 2008 assumed that terminal servers would be hosted in farms, that people would run both locally installed applications and RemoteApp programs, and that at least some people would be accessing the RD Session Host servers from the Internet.
RDS in Windows Server 2008 R2 expands on the assumptions in Windows Server 2008 to assume the following, among other things:
■ Many users access the corporate LAN from the Internet at least some of the time.
■ Users don't always log on from domain-joined computers.

■ Users are more likely to use a PC (with some locally installed applications) than a terminal device.
■ Users might work from a branch office but still are connected to the domain.
■ Some users will run very demanding applications from the data center.
■ Applications will be served from a farm of identical servers more often than a single server.
■ Some users will be allowed to install applications even in a hosted workspace.
■ Some applications should be isolated for best compatibility.
You will learn about some RDS role services here, but a technical walkthrough of these features is less important right now than understanding the business problems that they're designed to solve. The rest of this book will provide design, deployment, and operations guidance.

Supporting VM Users
Sessions are a good way to enable a lot of people to use the same physical hardware. However, sessions don't work for everyone, especially not if desktop replacement is the goal. A session can't permit its users full administrative access to tweak settings through the Control Panel, isn't always friendly to resource-hungry applications (at least, the resource-hungry applications are not always friendly to the other sessions), and doesn't permit users to install applications to use later in exactly the same environment. Nor can you hibernate a session to easily save not just data, but also the work that you were in the middle of completing when you dropped everything and ran to catch the bus. Using a VM, it is literally possible to save your work state.
One new feature in Windows Server 2008 R2 is native support for Virtual Desktop Infrastructure (VDI), which is a short name for "managed virtual machines." Microsoft VDI supports two kinds of VMs. Personal desktops are assigned to an individual and can be customized according to whatever rules are in place in the organization. Pooled desktops are generally available to anyone with access to the pool. Although it is possible in some cases to make changes to them, there is no guarantee that a user changing a pooled desktop will get the same one the next time they log in—rolling back changes is often normal, to avoid people contaminating the desktop pool with applications and settings they will never reuse.
Each kind of desktop is designed for a different purpose. Personal desktops are for full desktop replacement. Although accessible only via RDP, a personal desktop is controlled by the user it is assigned to, and if a person has a personal desktop, the RD Connection Broker will always attempt to connect them to it first. A personal desktop can replace a physical computer and even has the advantage of making the machine state easy to back up, so moving to a new physical platform doesn't mean losing all settings.
Pooled desktops are more for supporting people who need to run applications that aren't well hosted on an RD Session Host server, even with the new support for fair share processing that prevents a single session from using all the processor power. They can be preinstalled with any applications that the people who need the pool will need.
Pooled desktops can also support an application-compatibility feature released after Windows Server 2008 R2 shipped: RemoteApp for Hyper-V. This feature allows you to run RemoteApp programs from a VM rather than from an RD Session Host server. It's designed to allow computers running Windows 7 that need an application that can't run on Windows 7 (for example, a web application based on Internet Explorer 6) to run it from a computer running Windows XP located in the data center. Although each VM can still only support one incoming connection at a time, RemoteApp for Hyper-V makes it possible to support these older applications while retaining the features of Windows 7 on the desktop.

How to Get RemoteApp Technology from a Client

Remoting technology is great for displaying applications that can’t run on the
client. For example, you can run really demanding applications from a session
or a VM to integrate with an older operating system or on hardware that won’t
support them.

Supporting older applications that won’t run on an operating system later than
Windows Server 2003 and Windows XP is a bit more problematic. Windows
Server 2003 didn’t include support for RemoteApp technology, so to run the
older applications there would mean publishing only from a full desktop. And up
until now, Windows XP didn’t support RemoteApp connections (although some
companies had solutions that did something functionally similar).

Microsoft has several different technologies that support RemoteApp from client
operating systems such as Windows XP. They’re all intended for different user
scenarios.

XP Mode uses Virtual PC technology to run a Windows XP VM on a computer running Windows 7. People with their own computers would run this to enable themselves to run applications locally that will not run on Windows 7. To get XP Mode, go to http://www.microsoft.com/windows/virtual-pc/download.aspx.

MED-V is essentially managed XP Mode (see http://blogs.technet.com/medv/archive/2009/04/30/windows-xp-mode-in-windows-7-how-it-relates-to-future-versions-of-med-v.aspx). You’d use this to deploy XP Mode in an organization so that you don’t rely on individuals to update their own RemoteApp guest machines.

The catch to XP Mode is that it requires the RemoteApp VM to run locally. Not all computers have the hardware to run two full machines at the same time (required with Type 2 hypervisors like Virtual PC). To make it possible to support RemoteApp from Windows XP, there’s RemoteApp for Hyper-V. This model runs the Windows XP guest VMs hosting the RemoteApp programs in a data center and uses RDP to display them on a computer running Windows 7. To get the updates required to use RemoteApp for Hyper-V, go to http://support.microsoft.com/kb/961742.

MED-V and XP Mode are outside the scope of this book because they do not use
the RDS infrastructure, but RemoteApp for Hyper-V is discussed in more detail in
Chapter 3, “Deploying a Single Remote Desktop Session Host Server.”

Supporting Telecommuters and Mobile Workers Securely

The way that people work in information fields has changed a great deal over the years. At one time, most information workers (the best way to describe people who need regular access to a shared pool of data to do their jobs) went to where the information was: namely, to the office. When they left the office, they stopped working on anything that depended on that central pool of information. Similarly, when they were in the office, they could easily add to this central pool of information—after all, all this information is created by people—and when they left, they could not continue adding to the central pool of information.
Laptops changed this by giving telecommuters a computer that they could easily take with them, but laptops still didn't have access to the central pool of information that people could access at the office. Widespread Internet access combined with the increasing use of email as a personal information store gave additional access, but email doesn't include everything your company knows—just that information included within emails you've sent or received.
The next stage was securely connecting to the corporate network, retrieving the information required, and then downloading it to the laptop. This, of course, required both broad access to high-speed networks for downloading the documents to the local computer and also for the application to be installed locally. It also meant that people needed some way for the laptop to access the data center without creating a security breach or spreading a virus on the corporate network.
Much of the industrialized world today has access to the necessary components: laptops and high-speed networks that are available both at home and in public places such as airports and hotels. The tricky problems that arise include how to regulate which computers are allowed access to the network and how to keep sensitive data off computers vulnerable to theft or loss. There's also the problem of gaining access to the data that mobile workers create while on the road. Data stored on a laptop won't make it back to the corporate network until the road warriors get back from the trip, or at least get some free time to upload all their new data to the central data pool.
RDS long held promise in supporting telecommuters and mobile workers, but the solution included with the operating system didn't have all the tools needed to make this work until Windows Server 2008. Windows Server 2008 Terminal Services changed this, introducing Terminal Services Gateway (TS Gateway). TS Gateway enabled authorized users to access authorized corporate resources securely via RDP tunneled inside HTTPS (RPC over HTTP on port 443) through the Internet, so only that one port needs to be exposed at the edge. Windows Server 2008 R2 added some enhancements for increased security in the new version of TS Gateway, called Remote Desktop Gateway (RD Gateway).

RD Gateway enables users to access the corporate network—and the centralized data pool—securely via SSL from the hotel or airport or even the beach (if you can keep sand out of your laptop). When combined with RDP file signing and server authentication, RD Gateway provides secure Internet access, giving users some assurance that the RDP file that they launch is a legitimate resource and not a spoofed server set up to capture their logon credentials. RD Gateway can also set policy to protect the data center: connection authorization policies control which people and computers are allowed to access the data center via this path, and resource authorization policies let administrators control which internal computers they have access to once they get there.

NOTE  RD Gateway and SSL aren't the only ways to create a secure connection to the data center from a remote location—VPNs and DirectAccess are other access options. But RD Gateway has some advantages, including controlled access to specific resources, which is discussed in detail in Chapter 10, "Making Remote Desktop Services Available from the Internet."
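What "RDP file signing and server authentication" protect against can be checked mechanically. The following Windows PowerShell script is an added example, not code from the book: it parses an .rdp file of the kind a user might receive by email (the sample content is constructed for this example; the host names and the certificate thumbprint are hypothetical) and flags the three settings that decide whether a spoofed endpoint can harvest the user's credentials: whether a failed server authentication aborts the connection (authentication level), whether the connection goes through an RD Gateway at all, and whether the file is signed and the signature covers the server address. Signing itself is done with rdpsign.exe, shown at the end; the client only honours the signature if the signing certificate's thumbprint is listed in the "Specify SHA1 thumbprints of certificates representing trusted .rdp publishers" Group Policy setting.

```powershell
# Added example (not from the book): inspect .rdp files handed to users and
# flag the settings that let a spoofed server or an unsigned file slip past.
# The file content below is constructed for this example; the host names and
# certificate thumbprint are hypothetical.

function ConvertFrom-RdpFile {
    # An .rdp file is a list of "name:type:value" lines (type s=string, i=int).
    param([string[]]$Lines)
    $settings = @{}
    foreach ($line in $Lines) {
        if ($line -match '^([^:]+):([si]):(.*)$') {
            $settings[$matches[1].Trim().ToLower()] = $matches[3]
        }
    }
    $settings
}

function Test-RdpFile {
    param([string[]]$Lines)
    $s = ConvertFrom-RdpFile $Lines
    $findings = @()

    # 1 = do not connect if server authentication fails. 0 connects anyway and
    # 2 only warns, which is what a credential-harvesting spoof relies on.
    if ($s['authentication level'] -ne '1') {
        $findings += 'authentication level is not 1 (server authentication not enforced)'
    }
    # gatewayusagemethod 0 = never use an RD Gateway; Internet-facing files
    # should name a gateway and use it.
    if (-not $s.ContainsKey('gatewayhostname') -or $s['gatewayusagemethod'] -eq '0') {
        $findings += 'no RD Gateway configured'
    }
    # A signed file carries the signature and the list of settings it covers
    # (signscope); an attacker can edit anything outside that scope.
    if (-not $s.ContainsKey('signature')) {
        $findings += 'file is unsigned'
    } elseif ($s['signscope'] -notmatch 'Full Address') {
        $findings += 'signature does not cover Full Address'
    }
    New-Object PSObject -Property @{
        FullAddress = $s['full address']
        Gateway     = $s['gatewayhostname']
        Signed      = $s.ContainsKey('signature')
        Findings    = $findings
    }
}

# Constructed sample: what a user might receive by email.
$sample = @'
full address:s:rdsh01.contoso.com
gatewayhostname:s:rdgw.contoso.com
gatewayusagemethod:i:0
authentication level:i:2
remoteapplicationmode:i:1
remoteapplicationprogram:s:||EXCEL
'@ -split "`r?`n"

Test-RdpFile $sample | Format-List FullAddress, Gateway, Signed, Findings

# Sign a published file on the RD Session Host with the certificate whose
# SHA1 thumbprint is given (hypothetical values):
# rdpsign.exe /sha1 0123456789ABCDEF0123456789ABCDEF01234567 C:\Publish\excel.rdp
```

Run against the sample, the report lists three findings: server authentication is only a warning, the gateway is named but not used, and the file is unsigned. Files generated by RD Web Access or the RemoteApp and Desktop Connections feed are produced by the server, so the same checks belong in the publishing configuration rather than in the user's inbox.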

Using Public Computers Without Storing Connection Data

The previous section discussed personal laptops, and that's what most people use to access the data center while on the road. However, it's not reasonable to expect that people will never log on except from a computer that they own. For example, you could be connecting to the corporate RD Session Host servers from a computer at your family's home in Tucson, or from a kiosk at an Internet cafe in Darmstadt. In both cases, you need a way to access work resources without leaving any personal data cached on those computers, including an RDP file used to point to the data center.
Remote Desktop Web Access (RD Web Access) has features that enable you to do this. Rather than storing connection settings in an RDP file that you can get in email or save to a desktop, RD Web Access is a secured website that displays icons representing shared desktops and RemoteApp programs. When a user clicks a link, RD Web Access generates the RDP settings for the resource to which the user is attempting to connect. With the advent of forms-based authentication in Windows Server 2008 R2, users can log onto the website once, then use the same credentials to access all RemoteApp programs displayed in the browser. On a shared machine, the user should pick the "public or shared computer" option on the logon page so that the web session expires quickly, and should sign out when finished rather than just closing the browser.
RD Web Access and RD Gateway are independent role services, but they can be combined to provide secured Internet access without depending on saved RDP files.

Integrating Locally Installed Applications and RemoteApp Programs

RDS in Windows Server 2008 R2 doesn't require a specific client operating system to work; you can connect to a VM or to an RD Session Host server using clients as old as RDP 5.2. (Previous versions of RDP aren't supported because of security improvements in RDP 5.x.) However, you'll definitely get the best experience using RDP 7. This version of the client enables some new visual remoting not possible with previous versions. Like Terminal Services in Windows Server 2008, RDS continues to blur the line between client and server.

One feature of RDS depends on a capability in the client operating system and is available only to clients running Windows 7: RemoteApp and Desktop Connections. (For those using Windows Server 2008 R2 as a client, it's also possible to set up this feature from this operating system.) You will learn about this feature in detail in Chapter 9, "Multi-Server Deployments," but in short, it allows users to add icons automatically from applications running in the data center to their Start menu.

NOTE  For the best user experience, you should use the latest version of RDP (7, as of
this writing) but many features are available even to older versions of the RDP client. See
Chapter 6, “Customizing the User Experience,” for more details.

Supporting High-Fidelity User Experience over RDP

Early versions of Terminal Services made it very obvious that you were connecting to a remote computer. The color quality was low, you couldn't redirect devices, you couldn't use more than one monitor, the quality of audio redirection wasn't the best, and so forth.
Windows Server 2008 R2 makes it easier to work remotely by supporting the following features:
■ True multi-monitor support, including varying layouts and both landscape and portrait orientations
■ Aero remoting for single-monitor sessions on Windows 7
■ Client-side rendering of multimedia and audio Windows Media Player files
■ Improved display of video from Silverlight and Windows Media Foundation
■ Bi-directional audio remoting, including sound recording to a remote session

Working from Branch Offices

Working remotely isn't a label just for those working from home or while on the road. "Remote" workers might operate in a separate office, but one with resources similar to the corporate office. In this scenario, the network is reliable and the computers are domain-joined, but the data center is not in the same physical location as the branch office workers, and onsite IT staffing might be minimal.

Supporting Larger Server Farms

RDS deployments don't consist of just one or two servers anymore, but the tools available in Windows Server 2003 didn't really support farms. (Session Directory Server was available only on the Enterprise edition of Windows Server 2003.) Windows Server 2008 R2 RDS is more suited to managing access to multiple servers because it adds additional group policies for server management, and the RD Connection Broker enables users to connect to farms instead of single servers.

Other Business Cases for RDS

Administrators benefit from RDS, too.

Regulatory Compliance Requirements


For the IT department, data security and the ability to meet regulatory require-
ments both remain top priorities. RDS helps secure an application and its data in a
central location, reducing the risk of accidental data loss caused by, for example,
the loss of a laptop. Key features of RDS, such as RD Gateway and RemoteApp com-
bined with RD Web Access, help ensure that partners, or users, who do not need full
access to a company network or computers can be limited to a single application, if
needed.

Complex Applications
In an environment with complex applications such as line-of-business (LOB) or
customized older software, or in situations in which large and complex applications
are frequently updated but are difficult to automate, RDS can help simplify the
process by reducing the burden of managing multiple applications across the entire
environment. The client machines can access the applications they require from a
central source, rather than requiring applications to be installed locally.

Merger Integration or Outsourcing


In the case of a merger, the affected organizations will typically need to use the
same LOB applications, although they might be in a variety of configurations and
versions. In addition, organizations might also find that they are working with
outsourced or partner organizations requiring access to specific LOB applications
but not to the full corporate network. Rather than performing a costly deployment
of the entire set of LOB applications across the extended infrastructure, these ap-
plications can be installed on an RD Session Host server and made available to the
employees and business partners who require access, when they need it.

New RDS Technology in Windows Server 2008 R2

New technology in RDS in Windows Server 2008 R2 does a lot to improve the user experience. Part of the goal of this release was to make the remoting unobtrusive, so that an application executing remotely should appear to be executing locally. In this section, you will learn about some of the technology in this release that enables this. The rest of this book will go into more detail.

Integration of RemoteApp Programs and Desktops into the Start Menu
Technically, it was possible to integrate RemoteApp icons with the Start menu in Windows Server 2008. To do so, you had to:
1. Package the RemoteApp from the RD Session Host server as a Microsoft Windows Installer (MSI) file.
2. Publish this MSI file through Group Policy.
3. Repackage and republish manually as required when the RemoteApp settings changed.
It's not a bad system, and MSI publishing is still the only way that you can support file associations with RemoteApp programs. (It's also the only way you can integrate RemoteApp programs with the Start menu on Windows XP and Windows Vista.) However, it doesn't update automatically, and you can't add more RemoteApp programs to the Start menu without editing Group Policy. Finally, since it requires Group Policy, you can't use this method to publish applications to computers outside the domain.
A new feature called RemoteApp and Desktop Connections avoids these drawbacks. A new Control Panel item in Windows 7 (and Windows Server 2008 R2) called RemoteApp and Desktop Connections can accept a Uniform Resource Locator (URL) for the publishing feed created from the farm. This feed aggregates all the RemoteApp programs, VM pools, and personal desktops available. When a user connects to the URL for the feed and presents their credentials, RD Web Access filters the display so that they get links only to resources that they are permitted to use. These links then populate the client's Start menu. Because the feed tells the client where to connect, it is served over HTTPS, and the client must trust the certificate of the RD Web Access server that publishes it.
Using RemoteApp and Desktop Connections has the following advantages:
■ It allows users to start locally installed applications and RemoteApp programs in the same way through the Start menu.
■ It does not require the computer running Windows 7 to be connected to the domain.
■ It updates automatically whenever RemoteApp programs or VMs are added to or removed from the feed, or when permissions change.
■ Users have to log on only once to create the connection.
■ Finally, this feed is written in XML, an industry standard, and is available to developers to consume in other ways.

Aero Glass Remoting


One of the visual limitations of Windows Server 2008 was that Windows Vista had this great Aero Glass interface but this wasn't available from terminal server sessions. Today, Aero remoting is available when connecting to Windows 7 VMs and Windows Server 2008 R2 sessions from a client running Windows 7—even if the endpoint can't display Aero itself (for example, if connecting to a headless computer).
Aero Glass remoting from Windows 7 is enabled by default; to enable it from Windows Server 2008 R2 requires turning on desktop composition. The details are discussed in Chapter 6.

20 Chapter 1 Introducing Remote Desktop Services

NOTE  Although you can get Aero remoting from Windows Vista to Windows Vista, Aero
remoting from Windows 7 or Windows Server 2008 R2 requires the Windows 7 client oper-
ating system.

Aero Glass remoting is available for single-monitor sessions only.

Improved Application Compatibility


One of the interesting questions about applications, especially those that are a little fussy, is whether they will work on an RD Session Host server. Three new technologies in Windows Server 2008 R2 RDS seek to address application compatibility problems:
■ Changes to the process of installing MSI packages make the installation process work more as it does on client operating systems. Chapter 3 goes into the details, but the impact is to prevent simultaneous first-time uses of applications based on MSI installs from blocking each other.
■ Windows Server 2008 has Windows System Resource Manager (WSRM) for preventing single sessions or processes from using up all the processor time. Windows Server 2008 R2 still supports WSRM, but it also introduces a new feature for preventing this problem in a more proactive manner. Whereas WSRM identifies badly behaving applications and scales back their processor time, Dynamic Fair Share Scheduling (DFSS) works with the scheduler to ensure that a single session never starves other sessions for processor cycles. You'll learn about this in more detail in Chapter 3.
■ Finally, IP virtualization makes it possible for a session—or only certain applications running in a session—to have a unique IP address. In previous versions of Terminal Services, all applications on a server would have the same IP address: the server's IP. Although this worked much of the time, it prevented applications or security scenarios that required a discrete IP address. Again, you'll find out more about this feature in Chapter 3.

Support for True Multi-monitor Remoting


Version 6 of the Remote Desktop Connection client introduced monitor spanning, so you could use two or more monitors (up to a resolution of 4096 × 2048) to display a remote session. To get this, you connected to the terminal server using the /span switch. Span was an improvement over being limited to a single monitor but had some drawbacks:
■ The monitors had to be arranged in a row.
■ The remote session was still a single-monitor session—just one with a really big monitor. Because of this, if you had only two monitors, error messages displayed in the middle of your screen sometimes got bisected or obscured. In addition, maximized applications would take up all the monitor space.
■ Again, the total supported resolution had to be below 4096 × 2048 (for example, 1600 × 1200 + 1600 × 1200 = 3200 × 1200).


RDS replaces monitor spanning with true multi-monitor support. With multi-monitor support, each monitor on the client machine is redirected individually, so that each monitor (up to 16) is seen as a separate monitor to the remote session. (Group Policy limits it to 10, but it's technically possible up to 16 if you set this value programmatically.) Therefore:
■ The monitors can be arranged in any configuration that makes sense to the user: a row, a box, an L, and so forth.
■ Individual applications will maximize to the size of the monitor they're currently displayed in, not the entire row of monitors.
■ Each monitor can have a maximum resolution of up to 4096 × 2048.
True multi-monitor is not supported with Aero Glass remoting. If multi-monitor and Aero Glass remoting are both configured, multi-monitor will take precedence.
Remoting huge and high-resolution displays can take a toll on server performance, so you might want to tweak the maximum supported resolution and maximum supported monitors. For more details, see Chapter 6.

Client-Side Multimedia Rendering


Many modern personal computers, even modest ones, have a lot of power—more than a server does to render all multimedia in a session on the server and then stream it to the client, at any rate.
In Windows Server 2008 R2, the RDS team has improved the media playback experience by efficiently transporting audio/video-based multimedia in a compressed format within the RDP protocol. Rather than being rendered on the server, it's sent to the client to be played back through Windows Media Player. The content will appear to be displaying locally because it is—even though it was originally generated in a remote session. However, it will also be fully integrated with the remote session.
This approach has several advantages:
■ It reduces bandwidth usage since data over the wire will be compressed video instead of a succession of bitmaps; the experience is roughly equivalent to running from a file share or video server. Resizing the window won't affect the playback, either.
■ It reduces the processing on the server because the server no longer needs to use processor time decoding the video and packaging it on RDP.
To support this, the client must support multimedia redirection and the server must be configured for audio and video playback. This feature is covered in more detail in Chapter 6.

Single Sign-On for Farms


Single sign-on, or having to present a password only once to use resources from your computer, is obviously good for users. Imagine coming to work in the morning and logging on to your computer. Then you click an icon and need to present credentials again. Then you click another icon and need to present credentials again. By 10 A.M., you're probably ready to just go for coffee and forget about working, since productivity clearly isn't happening if you have to log on every time you start an application.
Single sign-on was introduced in Windows Server 2008, but it was improved in Windows Server 2008 R2 with forms-based authentication. Whereas the previous version allowed you to continue to work without re-presenting your credentials when logging into the same server, the current iteration caches your credentials in a secure web form to present any time you attempt to connect to a RemoteApp program.

Extending Easy Print to Client Platforms and Eliminating .NET Dependency


Printer drivers have long been the bane of the terminal services administrator's life. At first, supporting printer drivers was a gamble in which, if the driver didn't crash the terminal server, you'd won. Supporting client-side printers increased the exposure to error-prone drivers by lessening the administrator's control over the drivers installed. When supporting Windows NT drivers on the terminal servers and non–Windows NT drivers on the client (for example, when using Windows 98 as a client to a Windows 2000 Server terminal server), the drivers might not have the same name. This would require the administrator to create driver mapping files that basically say, "When the system refers to this driver from within the client session, that driver on the terminal server should be used." Otherwise, the print job would not print.
Over time, the drivers got more reliable as the problem became better understood. When both the client and terminal server were based on Windows NT technology, the driver name mismatch problem ceased to be an issue. Then Windows Server 2003 introduced a new Group Policy that permitted only user-mode drivers by default. This removed the chance of installing a poorly written kernel-mode driver that could crash the server, but it still meant that terminal server administrators had to test, maintain, and support a variety of drivers for both corporate printers and mapped client printers (although some companies stopped supporting mapped client printers just to avoid the driver problems).
Another problem with previous iterations of printing was deciding which printers should be mapped to the remote session. If printer mapping was enabled, then all the client printers would map to the terminal server, regardless of whether this was appropriate. Mapping all these printers could also be time-consuming, not to mention increasing the number of drivers that needed to be installed on a terminal server.
Terminal Services in Windows Server 2008 addressed these problems in several ways. First, and simplest, Group Policy allows administrators to map only the client's default printer to a terminal session. Second, Easy Print technology avoids the driver problem for clients running Windows Vista and Remote Desktop Connection 6.1. Basically, Easy Print allows users to print from a remote session without having to install any drivers on the terminal session at all. The remote session gets printer settings from the client and even makes calls to the client-side GUI to show the driver configuration panes for the drivers.
Easy Print had two catches, though. It didn't work when connecting to client operating systems (which eliminated most common VDI scenarios) and it required .NET on the client operating system to work. In Windows Server 2008 R2, both those limitations are addressed. Whereas .NET is required to convert the XPS of the data stream to the GDI commands required to print, in Windows Server 2008 R2 and Windows 7, the operating system does this. To learn more about Easy Print, see Chapter 6.

RDS Roles in Windows Server 2008 R2


Users of Terminal Services in Windows Server 2008 will find most of the roles in Windows Server 2008 R2 RDS familiar. RDS is supported by six role services:
■ RD Session Host
■ RD Virtualization Host
■ RD Connection Broker
■ RD Web Access
■ RD Gateway
■ RD Licensing

RD Session Host
The RD Session Host (known as the terminal server in Windows Server 2008) remains the core piece of the Remote Desktop Services architecture for delivering individual applications and for getting the highest user density for full desktops. An RD Session Host server is different from other types of Windows servers in several ways. Fundamentally, a server with this role installed works a lot more like a workstation than a server.
For example, other server roles are designed to serve one general purpose, such as handling email or database queries. Their priorities are clear: Whatever is at the foreground of that server's purpose gets the lion's share of the processor. A shared server is different. Many people are using it at the same time, so it can't just assume that whichever application is in the foreground is the one that should get all the processing time—which foreground of the 40 or so sessions should it pick? Therefore, all user processes on a Remote Desktop Session Host server have the same priority so that they share the processor more or less evenly among all remote users.

NOTE  In Windows Server 2008 R2, a new feature called Dynamic Fair Share Scheduling
(DFSS) proactively ensures that the scheduler doesn’t allocate too much processor time to
any single session. This feature is on by default.

Users connect to an RD Session Host server via the RDP. They make this connection by starting an RDP file that details all the settings for the connection. Users can get to this file from a network share or in email, and it can be automatically generated from a browser or (for clients running Windows 7) the Start menu through RemoteApp and Desktop Connections. When a user starts a remote session, it's protected from other remote sessions running on that computer. Users can't see each other's sessions, and the applications running in those sessions don't share read/write memory. They can have an impact on each other inadvertently (for example, by using demanding applications that take memory away from other users) but there's minimal security risk in having multiple people running sessions on the same RD Session Host server. To say "no security risk" is, of course, not possible, because there are some exceptional cases that could be exploited by an expert with the right tools, but this is generally true.

BEST PRACTICE  RD Session Host servers have a heavy workload supporting all the re-
mote client sessions, so it’s generally best to reserve them only for that use.

Chapter 2, "Key Architectural Concepts for Remote Desktop Services," talks about how to size an RD Session Host server; information about how to install and set up the role is included in Chapter 3; and how to set up server farms with the RD Connection Broker is covered in Chapter 9.

RD Virtualization Host
Windows Server 2008 R2 introduces a new kind of supported resource: VMs. (VMs, of course, are not new with Windows Server 2008 R2, but support for them within the RDS infrastructure is.) This role service uses Hyper-V to host VMs. VMs can be pooled (generally available to anyone with access to the VM pool) or personal (assigned to a particular user in AD DS).
Why support VMs as well as sessions? The answer is simple: both are valid means of virtualizing the desktop. For higher density, you want sessions. Many more people can run sessions on a single computer than can run VMs, because sessions share a lot of basic infrastructure in the operating system (even though they can't see each other). VMs are a virtual manifestation of a physical machine and thus completely separate from each other. This takes many more resources to support. You can run a dozen sessions on a server with 4 GB of RAM and a modern processor, but this same server would have a hard time supporting more than a couple of VMs running at the same time.

NOTE  True story: At one virtualization event, some people said they had heard about
virtualized desktops through VMs first. They’d never heard of sessions and were excited by
the possibilities of “lightweight VDI.”

The reason why VMs are valuable is related to why they're so resource-intensive: they're a completely isolated environment. A VM is configured with a certain amount of memory and a certain number of processors, reserved for it and not available to other VMs. The operating system is entirely reserved for the use of the VM. That means that whatever happens within the VM does not affect other VMs running on the same physical server. Users can install applications and they will be installed only on that VM. Users can run the most processor-intensive CAD (computer-aided design) software around and they won't drain resources from other VMs. Users can completely misconfigure a VM and cause it to crash, and this will affect only the person currently using it.


In RDS, VMs are often assigned to power users. Those with personal desktops are those who need a complete desktop replacement (albeit one that can be backed up and has all the protection of the data center): those who need to be able to install applications and configure their computers. Personal desktops are also good candidates for applications that require a persistent local data source (that is, they can't store all their data on a network share). Those using pooled desktops are often those who need to run applications that aren't good candidates for virtualization on an RD Session Host for one reason or another—they require a previous version of the browser, are 16-bit (Windows Server 2008 R2 is 64-bit only, and 16-bit applications won't run on that platform), or otherwise just don't fit but will work on a pooled VM.
Chapter 2 covers how to size an RD Virtualization Host server; Chapter 4, "Deploying a Single Remote Desktop Virtualization Host Server," discusses how to set up the role for a single-server installation; Chapter 9 teaches you how to deploy the role in a farm; and Chapter 10 details how to manage larger deployments.

RD Web Access
Remote Desktop Web Access (RD Web Access) integrates with Microsoft Internet Information Services (IIS) to display the icons of authorized RemoteApp programs and VMs in a portal displayed in Internet Explorer and launch the connections. A user authorizes against the portal and can see the icons for all the remote resources allocated to them by the administrator. When he or she clicks an icon, it creates and starts a RemoteApp program in much the same way it would if the RDP file were stored on the user's computer. Using the new forms-based authentication in RDS, after a user authenticates to a portal once, his or her credentials can be used for any resource the user is authorized to access.
When a user starts a RemoteApp program, a session is started on the RD Session Host server that hosts the RemoteApp program, or the VM backing the VM icon. The RD Web Access server does not start the application. As shown in Figure 1-1, it just displays the application icon, creates the RDP file for that application when the user double-clicks that icon (1), and then passes the RDP file to the user to start the application from the RD Session Host (2). RemoteApp programs and desktops started via RD Web Access do not display in the browser but in their own windows (3) and are independent of the browser window. Closing the browser won't disconnect or terminate the connections to the RD Session Host or VM.

[Figure 1-1 diagram: Mobile User, RD Web Access (step 1), RD Session Host (step 2); labels RemoteApp and Perimeter Network]
FIGURE 1-1 RD Web Access displays application icons in a browser for the convenience of users.


RD Web Access has many benefits, including the following:
■ Users can access RemoteApp programs from a website over the Internet or from an intranet. To start a RemoteApp program, they just double-click the program icon.
■ With the new Web SSO feature, after the user authenticates to the website, those credentials are stored and provided for any other connections they initiate—even connections on other servers or other farms.
■ RD Web Access can display resources from more than one farm and aggregate them into a single window.
■ RD Web Access will display only the resources assigned to a particular person.
■ By using RD Web Access, there is much less administrative overhead than that required to maintain and distribute RDP files for connecting to an RD Session Host farm. You can easily deploy programs from a central location and don't have to worry about ensuring that RDP files containing connection information are up to date.
■ RD Web Access includes Remote Desktop Web Connection, which enables users to connect remotely to the desktop of any computer where they have Remote Desktop access from the RD Web Access portal.
■ RD Web Access works with minimal configuration, but the RD Web Access web page includes a customizable Web Part, which can be incorporated into a customized web page or a Microsoft SharePoint site.
That's how RD Web Access benefits people using a browser, but in Windows Server 2008 R2, this role service supports even people connecting without a browser. RemoteApp and Desktop Connections is a new feature in Windows 7 (it's part of the operating system, not the RDP client, so it is not available in previous versions of Windows) that allows RemoteApp and VM icons to be added to a client's Start menu and started from there. The trick is that RD Web Access gets its information about which RemoteApp programs and desktops are available to which users from the publishing service on the RD Connection Broker and makes those resources available through a URL. One URL supports the website you see with a browser, and another supports connections delivered to RemoteApp and Desktop Connections.
Chapter 9 explains how to configure and use RD Web Access and RemoteApp and Desktop Connections.

RD Connection Broker
For the sake of redundancy, it's good practice to have more than one RD Session Host server hosting your remote application set and to load-balance your servers. And it's essentially a given that there will be more than one VM in any deployment using VDI—there might even quite possibly be more than one RD Virtualization Host to run those VMs.
Having multiple endpoints and servers supporting those endpoints allows you to spread out the user load and eliminates the possibility that one server could go down and take out your ability to serve centralized applications. The trouble is that connections are fundamentally made to individual RD Session Host servers, not to groups of them. That is, the final connection is made to the RD Session Host server named RDSH01 (or whatever other name you've given it).
But if your RDP files include the names of individual RD Session Host servers, the connections won't be load-balanced. Nor will they be flexible enough to determine that a user really should be connecting to another RD Session Host server when starting a new application, because he or she already has an application open there. If you've deployed VMs, it's possible to point an RDP file to a particular VM without making any assignments in Active Directory Domain Services—it's essentially the same thing as using RDP to connect to a physical machine identified by name. But assigning VMs by name doesn't allow you to use pooled VMs. Nor can RDP files automatically wake up a VM that's hibernating and prepare it for the connection. If you attempt to make a direct connection to a hibernating VM, the connection will fail.

HOW IT WORKS

An Introduction to Connection Brokering

The RD Connection Broker role service handles the problem of how to connect user requests for sessions or VMs intelligently to the right endpoint, as shown in Figure 1-2. For RemoteApp connections, RD Connection Broker makes this decision according to several criteria, including:

■ Which farm was the incoming request attempting to connect to?
■ Does the person making the connection request already have an existing (active or disconnected) session on that farm?
■ If no connection exists, which RD Session Host server has the lowest number of sessions?

[Figure 1-2 diagram: RD Connection Broker in front of RDSH Farm 1 and RDSH Farm 2]
FIGURE 1-2 The RD Connection Broker routes incoming connections to the appropriate RD Session Host server.


For VM connections (see Figure 1-3), the RD Connection Broker makes its decision based on similar criteria:

■ Is the VM request for a personal VM?
■ If for a pooled VM, does the person requesting already have a disconnected session on a VM?
If no connection exists, the connection is sent to the RD Virtualization Host server that has the lowest number of currently active VMs, and the RD Virtualization Host server prepares a VM for the connection.

[Figure 1-3 diagram: RD Connection Broker in front of pooled VMs on RDVH1 and personal VMs on RDVH2]
FIGURE 1-3 The RD Connection Broker also brokers connections to VMs on RD Virtualization Host servers.

The RD Connection Broker includes only one form of load balancing—keeping track of how many sessions RD Session Host servers have or how many VMs each RD Virtualization Host is running—but it can be integrated with third-party load balancers that support other criteria such as processor or memory load, time of day, or application.

Chapter 9 explains how to use RD Connection Broker to support RD Session Host farms and pooled and personal VMs.
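The brokering rules in the sidebar above, worked through as a small model. This is an added illustration written for this section, not the RD Connection Broker's own code: the session hosts, virtualization hosts, user names and VM names are constructed, `personal_vms` stands in for the AD DS assignment of personal VMs, and the only rules applied are the ones the text states (farm match, reconnect to an existing active or disconnected session, otherwise the server with the fewest sessions; for VMs, the personal assignment, a disconnected pooled session, otherwise the host with the fewest active VMs). How ties are broken is not stated in the text, so the model simply takes the first host in list order.

```python
"""Model of the RD Connection Broker routing rules described in this sidebar.

Added illustration, not the broker's implementation. All host, user and VM
names below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class SessionHost:
    name: str
    farm: str
    # user name -> "active" or "disconnected"
    sessions: dict = field(default_factory=dict)


@dataclass
class VirtualizationHost:
    name: str
    active_vms: int = 0
    # user name -> pooled VM on this host holding that user's disconnected session
    disconnected_pooled: dict = field(default_factory=dict)


def route_session(user, farm, hosts):
    """Pick the RD Session Host server for a session or RemoteApp request."""
    candidates = [h for h in hosts if h.farm == farm]
    if not candidates:
        raise LookupError(f"no RD Session Host server belongs to farm {farm!r}")
    # Rule 1: an existing session (active or disconnected) on this farm is
    # reused, so the user is never given a second session on another server.
    for host in candidates:
        if user in host.sessions:
            return host.name
    # Rule 2: otherwise the server with the lowest session count. Ties go to
    # the first server in list order (the text does not say how ties break).
    return min(candidates, key=lambda h: len(h.sessions)).name


def route_vm(user, personal, hosts, personal_vms):
    """Pick (host name, VM name) for a VM request.

    personal_vms maps user -> (host name, VM name) and stands in for the
    personal-desktop assignment kept in AD DS. A VM name of None means the
    chosen RD Virtualization Host must prepare a fresh pooled VM.
    """
    if personal:
        if user not in personal_vms:
            raise LookupError(f"{user!r} has no personal VM assigned")
        return personal_vms[user]
    # Pooled request: reconnect to a disconnected pooled session if one exists.
    for host in hosts:
        if user in host.disconnected_pooled:
            return host.name, host.disconnected_pooled[user]
    # Otherwise the RD Virtualization Host with the fewest active VMs.
    host = min(hosts, key=lambda h: h.active_vms)
    return host.name, None


# Constructed sample farm state.
SESSION_HOSTS = [
    SessionHost("RDSH01", "Farm1", {"alice": "active", "bob": "disconnected"}),
    SessionHost("RDSH02", "Farm1", {"carol": "active"}),
    SessionHost("RDSH03", "Farm2"),
]
VIRT_HOSTS = [
    VirtualizationHost("RDVH1", active_vms=4, disconnected_pooled={"bob": "POOL-VM07"}),
    VirtualizationHost("RDVH2", active_vms=2),
]
PERSONAL_VMS = {"alice": ("RDVH2", "ALICE-VM")}

if __name__ == "__main__":
    # bob reconnects to RDSH01 even though RDSH02 is lighter; dave, who has
    # no session, goes to RDSH02 because it has the fewest sessions.
    print(route_session("bob", "Farm1", SESSION_HOSTS))
    print(route_session("dave", "Farm1", SESSION_HOSTS))
    print(route_vm("bob", False, VIRT_HOSTS, PERSONAL_VMS))
    print(route_vm("dave", False, VIRT_HOSTS, PERSONAL_VMS))
```

The point the model makes is the ordering: the broker looks for an existing session before it looks at load, which is why a user with a disconnected session lands back on a busier server rather than being balanced onto a lighter one.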

RD Gateway
In the dark days before Windows Server 2008, if you wanted to connect to a terminal server from the outside world using only the tools in the box, you might have considered opening port 3389 (the port that RDP listens on by default) so that the terminal server could accept incoming connections. Most people didn't do this, however, because of the security hole it opened.
One of the role services of RDS in Windows Server 2008 R2 is Remote Desktop Gateway (RD Gateway). RD Gateway enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device, whether originally part of the domain or a public computer or kiosk. As shown in Figure 1-4, the network resources can be RD Session Host servers supporting full desktops or RemoteApp programs, VMs, or computers with Remote Desktop enabled. In other words, people accessing the corporate network from the Internet can use RDP to connect to full desktops, individual applications, or even their own desktop computers—it all depends on what the administrator has set up.

[Figure 1-4 diagram: Mobile Users connecting over RPC over HTTPS through the Perimeter Network to RD Gateway, which reaches a Network PC, pooled and personal VMs on RDVH1, and RemoteApp and full desktop sessions on RDSH Farm 1]
FIGURE 1-4 RD Gateway provides secure access to the corporate network from other networks such as the Internet.

RD Gateway uses RDP over HTTPS to establish a secure encrypted connection between remote users on the Internet and the internal network on which their applications run; this requires only port 443 to be open (which it probably is already for secure Internet connectivity). By doing this, RD Gateway does the following:
■ Enables remote users to connect to internal network resources over the Internet by using an encrypted connection, without needing to configure VPN connections.
■ Provides a comprehensive security configuration model that enables you to control access to specific internal network resources.
■ Provides a point-to-point RDP connection that can be limited, rather than allowing remote users access to all internal network resources.
■ Enables most remote users to connect to internal network resources that are hosted behind firewalls in private networks and across Network Address Translators (NATs). With RD Gateway, you do not need to perform additional configuration for the RD Gateway server or clients for this scenario (aside from opening port 443 in the firewall).


The RD Gateway Manager console enables you to configure authorization policies to define conditions that must be met for remote users to connect to internal network resources. For example, you can specify:
■ Who can connect to RD Gateway (in other words, the users and computers who can connect)
■ Which network resources (computers or computer groups) users can connect to
■ Whether device and disk redirection is allowed
■ Whether clients must use smart card authentication or password authentication, or either one
To enhance security further, you can configure RD Gateway servers and RDC clients to use Network Access Protection (NAP). NAP is a health policy creation, enforcement, and remediation technology included in Windows XP Service Pack 3 (Windows XP SP3), Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. Using NAP, system administrators can enforce client computer health requirements, which can include software requirements, security update requirements, required computer configurations, and other settings to connect to RD Gateway.
You can also use RD Gateway server with Microsoft Internet Security and Acceleration (ISA) Server or Forefront Threat Management Gateway (TMG) to enhance security. In this scenario, you can host RD Gateway servers in a private network rather than a perimeter network and host ISA or TMG in the perimeter network. The SSL connection between the RDC client and ISA or TMG Server can be terminated at the Internet-facing server.
The RD Gateway Manager console provides tools to help you monitor RD Gateway connection status, health, and events. With RD Gateway Manager, you can specify events (such as unsuccessful connection attempts to the RD Gateway server) that you want to monitor.
RD Gateway can be used with RDP files stored on clients, with RD Web Access, or with RemoteApp and Desktop Connections. Combined with RD Web Access or RemoteApp and Desktop Connections, you can set up a remote workspace that presents a website with the appropriate application icons and then makes sure that the person connecting or the computer he's connecting from meets the RD Gateway rules.
RD Gateway uses few resources and if sized properly can support hundreds of incoming users, so it can safely be combined with other roles that might be in the perimeter network.
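The RDP file described under RD Session Host is where most of what this section discusses is expressed on the client side: whether the connection goes through an RD Gateway (and so over port 443 rather than 3389), whether it carries a farm name for the RD Connection Broker, whether server authentication is enforced, and whether client drives are redirected into the session. The following audit script is an added example written for this section, not code from the book or from Windows; it reads the standard `name:type:value` lines of an .rdp file and reports the settings a defender would want to review before distributing the file. The two sample files are constructed and the host names in them are placeholders. Keys absent from a file are not flagged (apart from the gateway and authentication-level checks), because Remote Desktop Connection applies its own defaults for them.

```python
"""Audit a Remote Desktop (.rdp) connection file for security-relevant settings.

Added illustration for this section, not code from the book or from Windows.
Setting names are the standard .rdp keys; sample files are constructed.
"""

# authentication level: 0 = connect even if server authentication fails,
# 3 = no authentication requirement; 1 and 2 refuse or warn on failure.
WEAK_AUTH_LEVELS = {0, 3}
FARM_PREFIX = "tsv://MS Terminal Services Plugin.1."


def parse_rdp(text):
    """Parse "<name>:<type>:<value>" lines; type is s (string), i (int) or b (hex blob)."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # names may contain spaces but never colons
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            raise ValueError(f"line {lineno}: not a name:type:value setting: {raw!r}")
        name, kind, value = parts
        settings[name.strip().lower()] = int(value) if kind == "i" else value
    return settings


def farm_name(settings):
    """Farm name carried in loadbalanceinfo, or None when the file names one server."""
    info = settings.get("loadbalanceinfo", "")
    return info[len(FARM_PREFIX):] if info.startswith(FARM_PREFIX) else None


def audit_rdp(settings):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    # gatewayusagemethod 0 means "do not use an RD Gateway"; without a gateway
    # host name there is nothing to go through either way.
    if settings.get("gatewayusagemethod", 0) == 0 or not settings.get("gatewayhostname"):
        findings.append("no RD Gateway: the client connects straight to the host's RDP port")
    level = settings.get("authentication level")
    if level is None or level in WEAK_AUTH_LEVELS:
        findings.append("server authentication failures are not enforced (authentication level)")
    if settings.get("enablecredsspsupport", 1) == 0:
        findings.append("Network Level Authentication disabled (enablecredsspsupport:i:0)")
    if settings.get("redirectdrives", 0) == 1 or settings.get("drivestoredirect"):
        findings.append("client drives are redirected into the remote session")
    if settings.get("redirectclipboard", 0) == 1:
        findings.append("clipboard redirection is enabled; confirm the RD Gateway policy allows it")
    if "password 51" in settings:
        findings.append("a saved password is embedded in the file")
    return findings


# Constructed sample: a hand-written file pointing straight at one server.
DIRECT_RDP = """\
screen mode id:i:2
full address:s:rdsh01.corp.example
authentication level:i:0
enablecredsspsupport:i:0
gatewayusagemethod:i:0
redirectdrives:i:1
drivestoredirect:s:*
redirectclipboard:i:1
password 51:b:00FF00FFCONSTRUCTED
"""

# Constructed sample: a RemoteApp file for a farm reached through an RD Gateway.
FARM_RDP = """\
full address:s:farm1.corp.example
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.Farm1
authentication level:i:1
enablecredsspsupport:i:1
gatewayhostname:s:rdg.corp.example
gatewayusagemethod:i:1
redirectdrives:i:0
redirectclipboard:i:0
promptcredentialonce:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||notepad
"""

if __name__ == "__main__":
    for label, text in (("direct", DIRECT_RDP), ("farm", FARM_RDP)):
        settings = parse_rdp(text)
        print(f"{label}: farm={farm_name(settings)}")
        for finding in audit_rdp(settings) or ["no findings"]:
            print("  -", finding)
```

Run against a directory of distributed .rdp files, the same checks separate files that still name individual servers (and so bypass the broker's load balancing, as the RD Connection Broker section explains) from files that carry a farm name, and they surface the redirection and authentication settings that RD Gateway authorization policies are meant to control.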

RDS Licensing
The RDS Licensing role service is responsible for keeping track of who has a license to use the RD Session Host servers. Not who's authorized to use the RD Session Host server—AD DS user rights or RD Gateway makes that call, depending on what level the administrator is authorizing this connection. RDS Licensing is the license management system that enables RD Session Host servers to obtain and manage RDS client access licenses (RDS CALs) for devices and users that are connecting to an RD Session Host server.


NOTE  RDS Licensing supports previous versions of terminal servers as far back as
Windows 2000 Server. Also, the operating system supports two concurrent connections to
administer a computer remotely, so you do not need a license server for these connections.

RD Session Host servers can be configured to require either per-user or per-device RDS CALs. You'll learn more about the details of RDS Licensing in Chapter 12, "Licensing Remote Desktop Services," but the basic story is this: Each RD Session Host server determines if the user or the computer connecting to it has a valid license. If it does (and the user has permission to log on), then the RD Session Host server grants the connection. If it does not, then the RD Session Host server attempts to contact a license server to see if a license for that device or user is available. The license server then either allocates a license to the device (per-device RDS CAL) or edits the properties of the user's account in AD DS to show that a license has been used (per-user RDS CAL). If the RD Session Host server cannot connect to an RDS Licensing server, it will issue a temporary license if the RD Session Host server is within its grace period. Access will be granted for up to 120 days.
Servers supporting the RDS Licensing role maintain a database that tracks how RDS CALs have been issued. For per-device RDS CALs, the license is assigned to a computer. For per-user RDS CALs, the license is not actually assigned but its usage is registered in AD DS and can be tracked.
RD Licensing is a low-impact service, requiring very little processor time or memory for regular operations. Memory usage is less than 10 MB. Its hard disk requirements are small, even for a significant number of clients. The license database grows in increments of 5 MB for every 6,000 RDS CALs issued. The license server is active only when an RD Session Host server is requesting an RDS CAL, and its impact on server performance is very low, even in high-load scenarios. Therefore, in smaller deployments, the RDS Licensing role service can be installed on the same computer as the RD Session Host role service. In larger deployments, the RD Licensing role will often be on a separate computer.
Although only accessing the RD Session Host role will trigger the consumption of an RDS CAL, using any part of the RDS infrastructure requires an RDS CAL (or, for VDI-only deployments, a VDI CAL).

How Other Services Support RDS


The RDS role doesn't exist in a vacuum. Several roles help to support the various role services of RDS, and without them, the solution doesn't work. In addition to the core RDS role services and their relationship with each other, it's important to understand their relationship with other Windows Server roles. This section covers these roles and how they support RDS functionality.
What are the roles and how do they fit together? How do they fit with the other non-RDS parts of the Windows infrastructure (Hyper-V, IIS, certificates, and AD DS, among others)?


The Client Connection
Yes, it might be obvious, but it's still worth looking at. The way the client interacts with the role services of RDS defines what the user experience to a particular endpoint will be. Whether the endpoint is a session on an RD Session Host server, a VM hosted on RD Virtualization Host, or even a physical machine, the fundamental relationship between client and endpoint has three parts: the RDC client, the RDP connection, and the endpoint.
■ The RDC client component initiates the connection to the endpoint and receives the data that the server sends to it.
■ The server component on the endpoint interacts with the core operating system and takes the information received (for example, sounds being produced, bitmaps being displayed), converts it to RDP commands, and serializes it to be passed to the client.
■ The protocol enables the connection between the client and the endpoint; it defines the kind of information that is passed between them via virtual channels.

NOTE  Why the distinction between RDP and RDC? RDP is the Remote Desktop Protocol,
the protocol that passes user input and application output between client and server. RDC
is the Remote Desktop Connection, the client component that initiates and manages the
RDP connection.

In short, the client requests the connection, the endpoint formats the calls to the applications and operating system in a way that the client (or server, depending on which way the information flow is going for a particular transaction) can understand, and RDP passes the right information that lets the user communicate with the applications on the server as though they were running locally.
This communication relies on virtual channels, bi-directional connection streams provided through RDP. They establish a data pipe between the RDC client and the endpoint to pass specific kinds of information, such as device redirection or sound, between client and server. Virtual channels are a way to extend the functionality of RDP that’s been available since Windows 2000 Server, and they are also used by some features of RDS, such as device and sound redirection.
But a lot has changed since Windows 2000 Server, and one of the components that’s changed is that the 32 static virtual channels originally made available with RDP 5.1 aren’t enough anymore. More kinds of data are now available, and it’s clear that there might be more not yet considered. In addition, static virtual channels had a problem. They were created at the beginning of the connection and torn down at the end. If you added a device during the session, it couldn’t use virtual channels unless you terminated the connection and then reconnected.

IMPORTANT  Terminating a connection ends it completely on the server. A disconnected session still exists on the server and a user can reconnect to it.

Therefore, RDS supports dynamic virtual channels, virtual channels that the client creates on demand and then shuts down when it’s done with them. If you’re curious about the interfaces to make dynamic virtual channels work for you (or how they work at all), see the PDF titled “Functionality for RDS Scripters and Developers” on the companion CD.

Hosting VMs
For some time, it has been possible to virtualize Terminal Services roles, but Hyper-V was not a required component of a Terminal Services deployment. In RDS, Hyper-V is required to use the VM hosting feature.
Hyper-V is installed automatically if you choose to install the RD Virtualization Host role service. Because RD Virtualization Host requires Hyper-V, it is the only RDS role service that cannot be virtualized.

Authenticating Servers with Certificates


Although you don’t need a Certificate Authority (CA) server to use RDS, you will definitely need certificates from somewhere.
One of the curious things about RDS is the trust required between client and server. Obviously, the server has to trust the client, since the server is a partial porthole to the corporate network. But the client has to trust the server as well. The client is providing the user name and password for the corporate network, so it’s important that the server the client is connecting to is a legitimate endpoint and not a rogue server set up to steal logon credentials.
To ensure that an endpoint’s identity can be trusted, you can install a certificate on the server and on the client. To do this, you’ll need to get certificates from your own in-house PKI solution, or you’ll need to purchase certificates from a public CA.

IMPORTANT  All RD Session Host servers in the same farm must use the same certificate
for certificate-based authentication.

Certificates are also used to:
■ Authenticate the identity of an RD Gateway server and allow it to set up a secure channel with the client
■ Sign RDP files
■ Provide HTTPS access to the RD Web Access website
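The farm-wide requirement in the IMPORTANT note above (every RD Session Host in a farm uses the same certificate) can be checked from an administrative workstation. The following Windows PowerShell script is an added example, not code from the book or from Microsoft: it reads each host’s RDP-Tcp listener settings through the Win32_TSGeneralSetting WMI class and flags any host whose certificate thumbprint differs from the rest; the farm member names are constructed placeholders.

```powershell
# Added example (not from the book): report the certificate bound to the
# RDP-Tcp listener on every RD Session Host in a farm and flag mismatches.
# Host names are constructed placeholders; replace them with the farm members.
$farm = 'RDSH01', 'RDSH02', 'RDSH03'

# SecurityLayer values as documented for Win32_TSGeneralSetting.
$securityLayerNames = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }

function Get-RdpListenerInfo {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    # Win32_TSGeneralSetting describes each RDP listener. Remote queries of
    # the TerminalServices namespace require packet-privacy authentication.
    $ts = Get-WmiObject -ComputerName $ComputerName `
        -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'" `
        -Authentication PacketPrivacy
    if (-not $ts) { throw "No RDP-Tcp listener found on $ComputerName" }

    New-Object PSObject -Property @{
        ComputerName  = $ComputerName
        Thumbprint    = $ts.SSLCertificateSHA1Hash.ToUpper()
        SecurityLayer = $securityLayerNames[[int]$ts.SecurityLayer]
        NlaRequired   = [bool]$ts.UserAuthenticationRequired
    }
}

function Test-FarmCertificateConsistency {
    param([string[]]$Servers)

    $listeners = foreach ($server in $Servers) {
        try   { Get-RdpListenerInfo -ComputerName $server }
        catch { Write-Warning ("{0}: {1}" -f $server, $_.Exception.Message) }
    }

    # The farm is consistent only if exactly one distinct thumbprint is in use;
    # the first host that answered is taken as the reference.
    $distinct  = @($listeners | Select-Object -ExpandProperty Thumbprint -Unique)
    $reference = $distinct[0]

    $listeners |
        Select-Object ComputerName, Thumbprint, SecurityLayer, NlaRequired,
            @{ n = 'MatchesFarm'; e = { $_.Thumbprint -eq $reference } } |
        Format-Table -AutoSize

    if ($distinct.Count -gt 1) {
        $msg = '{0} different listener certificates in use; all hosts in the farm must use the same one.' -f $distinct.Count
        Write-Warning $msg
    }
}

Test-FarmCertificateConsistency -Servers $farm
```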

Enabling WAN Access and Displaying Remote Resources


Two components of RDS require IIS: RD Web Access and RD Gateway. RD Web Access’s need for IIS is pretty apparent. It provides information about the RemoteApp programs and desktops available to a user through two URLs. One URL supports display for RD Web Access and one supports RemoteApp and Desktop Connections.

IIS is also required for RD Gateway. RD Gateway encapsulates RDP traffic over HTTPS, so it requires certain components of IIS.
IIS is installed automatically when you install an RDS role service that requires it.

Updating User and Computer Settings


It’s such an obvious choice to use AD DS for a support role that you might not have thought of it, but it’s crucial to a functioning centralized computing infrastructure in several ways—not all of which you might have expected. AD DS manages:
■ The group policies that configure RD Session Host servers and the user sessions running on them
■ Whether or not a user has the right to connect to an RD Session Host server
■ The process of showing that a user has consumed a per-user RDS CAL

Functionality for RDS Scripters and Developers


It’s crucial to understand that RDS is not just a product—although it’s definitely that—but it’s also a development platform for both independent software vendors (ISVs) and consultants creating custom solutions. Windows Server 2008 added a lot of new APIs for partners, and Windows Server 2008 R2 adds even more. Although a description of how to use all of these APIs is beyond the scope of this book, information available on the companion media highlights some of the platform extensions available to RDS partners through public interfaces.

ON THE COMPANION MEDIA  For a detailed description of the RDS API, please see “Functionality for RDS Scripters and Developers” on the companion media. Detailed instructions for using this API are on MSDN.

NOTE  Public interfaces (also known as APIs) are interfaces that are, well, publicly available
and documented on MSDN so that developers can use them. Private interfaces are not
documented. The main difference is supportability. A private interface might change at
any time if required by the people who developed it (in this case, Microsoft). An API won’t
change without notice. Even if you had the option to build solutions based on private
interfaces, it would be better to build on the public APIs than on private ones.

Summary
This chapter introduced you to RDS in Windows Server 2008 R2. At this point, you should understand:
■ How this role has developed since it became part of Windows 10 years ago

■ What RDS is used for
■ The new business cases that Windows Server 2008 R2 RDS now supports
■ The RDS roles that support these new business cases and how they interact
■ How other Windows roles (and the client) support RDS functionality
■ How RDS is a development platform and some of the functionality that scripters and developers can add to it
In Chapter 2, you’ll find out how Windows architecture supports RDS.

Additional Resources
These resources contain additional information and tools related to this chapter.
■ To learn more about some fundamental concepts of the operating system that affect RD Session Host and RD Virtualization Host functionality (and sizing), see Chapter 2, “Key Architectural Concepts for Remote Desktop Services.”
■ To learn how to set up an RD Session Host server, see Chapter 3, “Deploying a Single Remote Desktop Session Host Server.”
■ To learn how to set up an RD Virtualization Host server to support pooled VMs and personal desktops, see Chapter 4, “Deploying a Single Remote Desktop Virtualization Host Server.”
■ To learn how to set up user profiles with RDS, see Chapter 5, “Managing User Data in a Remote Desktop Services Deployment.”
■ To understand how RDP integrates the client and server operating systems for display, printing, and audio and device redirection, see Chapter 6, “Customizing the User Experience.”
■ To learn how to lock down the user environment with Group Policy, see Chapter 7, “Molding and Securing the User Environment.”
■ To learn how RDP connections are secured for LAN connections, see Chapter 8, “Securing Remote Desktop Protocol Connections.”
■ To learn how to use RD Connection Broker to deploy a farm of RD Session Host servers or a pool of RD Virtualization Host VMs, see Chapter 9, “Multi-Server Deployments.”
■ To learn how to publish resources to RD Web Access and RemoteApp and Desktop Connections, see Chapter 10, “Making Remote Desktop Services Available from the Internet.”
■ To learn how to use RDS on the Internet, see Chapter 10, “Making Remote Desktop Services Available from the Internet.”
■ To learn how to manage sessions on an RD Session Host server, see Chapter 11, “Managing Remote Desktop Session Host Sessions.”

■ To learn how RDS licensing works and how to use an RD License server, see Chapter 12, “Licensing Remote Desktop Services.”
■ To learn about RDS life-cycle management, see Chapter 13, “Life-Cycle Management for Remote Desktop Services.”
■ For more details on the APIs available to developers, see the RDS Reference at http://msdn.microsoft.com/en-us/library/aa383494(VS.85).aspx or, for longer documents and source code, see the RDS Code Gallery site at http://code.msdn.microsoft.com/rdsdev.
■ For in-depth developer resources (including code samples and detailed documents), see the RDS team Code Gallery site at http://code.msdn.microsoft.com/rdsdev.

CHAPTER 2

Key Architectural Concepts for Remote Desktop Services
■ Know Your Application Delivery System  40
■ Relevant Windows Server 2008 R2 Internals  41
■ Determining System Requirements for RD Session Host Servers  66
■ Supporting Client Use Profiles  99

Before you start installing Remote Desktop Services (RDS) role services, you must understand the business and technical decisions you’ll need to make. This chapter addresses those questions, including both the details of the system architecture that are essential to supporting the two models of application delivery that RDS supports and some of the business decisions that you’ll need to make before implementing the technology. Both will help you better plan for the resources required to support what you want to do. The chapter covers such topics as:
■ Windows Server 2008 R2 internals particularly relevant to sizing RDS roles
■ How to size Remote Desktop (RD) Session Host and RD Virtualization servers
■ The client requirements for using some new features of RDS
■ Characteristics of an application that will run properly on an RD Session Host server
■ Technology decisions rooted in business needs, such as the licensing model or the kinds of client hardware that make the best business sense for your company

NOTE  In parts of this chapter, you’ll learn about how to do performance scaling on
an existing RD Session Host server. When determining how to order the chapters in
this book, the decision was made to put planning before installing. For details of the
installation process, see Chapter 3, “Deploying a Single Remote Desktop Session Host
Server,” or Chapter 4, “Deploying a Single Remote Desktop Virtualization Host Server.”

Know Your Application Delivery System
Before getting too deeply into the question of the internals of memory architecture or tips for server sizing, you need to know what an RD Session Host server and an RD Virtualization Host server do. Understanding how each application delivery platform works is essential to understanding sizing guidelines.
RDS supports two application delivery platforms: sessions on an RD Session Host and VMs on an RD Virtualization Host.

RD Session Host Servers


An RD Session Host server is a shared workstation for multiple concurrent users. When in use, the server starts applications and loads files into memory. It saves users’ files. When users log on to an RD Session Host server, it loads their user profile so that they get the customized work environment that they’ve come to know and love. This server does everything a workstation does, but it does it for many users simultaneously.
In practical terms, this means that an RD Session Host server must:
■ Try to spread the use of processor time across all sessions so that one session isn’t consuming all of it and starving the other sessions
■ Support new users as they log on while still maintaining current users
■ Run many instances of the same applications as efficiently as possible
■ Keep track of how much physical memory is available and use it as efficiently as possible for the greater good of the entire server
■ Isolate the sessions so that the users running applications on the same computer can’t see each others’ data

RD Virtualization Host Servers


The RD Virtualization Host application delivery model is a bit different. An RD Virtualization Host server isn’t a shared workstation; it’s a platform for a collection of individual workstations running in virtual machines (VMs), each with an isolated operating environment. The VMs on an RD Virtualization Host server are completely isolated from each other. They can run different operating systems, use incompatible device drivers, run demanding applications, and even crash without disturbing the other VMs on the same host. As long as the RD Virtualization Host itself is not compromised, the VMs will not be affected by each other.
When you’re setting up VMs (more details about this can be found in Chapter 4), you will need to configure how much memory each VM has and the number of processors it’s got. Unused memory or processor power won’t be shared among the other VMs on the same host server. Therefore, you should have a pretty good idea of what the needs of each VM will be and what hardware you’ll require to support them.

Each model for application delivery works a bit differently, but they’re fundamentally doing the same thing: letting a large number of people use the same hardware at the same time. Both models require a bit of juggling on the part of the operating system. Your job is to give each type of server enough resources to juggle as efficiently as possible. To do your job, it’s helpful to know how the RD Session Host does all these things.

Relevant Windows Server 2008 R2 Internals


This section covers the internal workings of some system components that are most helpful to understanding how an RD Session Host or RD Virtualization Host server allocates system resources to the users it is hosting, including:
■ What it means to the RD Session Host that Windows Server 2008 R2 comes only in 64-bit
■ How VMs work
■ How application delivery servers allocate processor cycles to all the users on them
■ How application delivery servers perform memory management for sessions and VMs
The following sections will deal mainly with the RD Session Host servers because they’re the most different. Although VM hosts are juggling resources among VMs, the VMs themselves are in many ways like single-user operating systems. These sections discuss virtualization and how processor scheduling, memory management, and disk and network access work in that context.

Windows Server 2008 R2 Is 64-Bit Only


One of the most basic things to understand about RDS is that in Windows Server 2008 R2, all server platforms are 64-bit. Windows 7 comes in both 32-bit and 64-bit editions, but server SKUs no longer have this option. Windows Server 2008 was the last 32-bit server platform from Microsoft.

NOTE  The Windows Server 2008 edition of this book discussed Physical Address Exten-
sions (PAEs) and Address Windowing Extensions (AWEs). However, neither is supported—or
necessary—on a 64-bit operating system, so neither has been included in this edition.

For RD Session Host servers, the move to 64-bit is almost entirely good news. (You’ll learn why it’s an “almost” in just a moment.) On 32-bit operating systems, the biggest bottleneck for terminal servers has generally been memory, with disk reads and writes coming a close second. A 32-bit operating system can’t address more than 4 GB of virtual memory, no matter how much physical memory you install on the server. Windows Server Standard Edition didn’t even support the installation of more than 4 GB of physical memory, so it could not take advantage of such workarounds as PAEs and AWEs that let the operating system store and refer

to data in more than 4 GB of physical memory even if it couldn’t “see” it all at one time. Now, 64-bit Windows can “see” up to 44 exabytes of virtual memory addresses, so it can use all the memory it could ever need without the memory tricks that the 32-bit version of the operating system would have to use.
The reason why 64-bit Windows is almost entirely good news involves the support for older device drivers and older applications. You’ll find that 32-bit applications will generally run on a 64-bit operating system without issues. In most cases, an application that can run successfully on a 32-bit terminal server should run on a 64-bit RD Session Host. However, a 64-bit operating system requires 64-bit drivers. Older client printers that you’re still attempting to support, for example, might not have 64-bit drivers.
However, even recalcitrant printer drivers don’t have to crush your plans to virtualize application delivery. First, if you can use Easy Print (discussed in Chapter 6, “Customizing the User Experience”) for your printers, then you won’t need printer drivers on the RD Session Host servers and can just use the drivers installed on the client. Second, if Easy Print isn’t an option, you can use RD Virtualization Host to support the users who need the old print devices.
For RD Virtualization Host, having the host run a 64-bit operating system is an unmitigated win—the reason why Hyper-V has always been 64-bit. The guest VMs on the host don’t have to run a 64-bit operating system, so they really don’t have any application or driver issues as long as the user environment will work in Windows XP SP2 or later. Having 64-bit operating systems just means that you can install as much memory as you need to support all your VMs.

DIRECT FROM THE FIELD

How Does 64-Bit Windows Perform as an RD Session Host Server?
Jeff Heatton
Operations Engineer, Microsoft

We have recently moved to 64-bit on many of our servers. We see that the
same physical server that could support, say, 55 users in 32-bit mode with
4 GB of RAM, can support 150 users with little stress on 64-bit with 8 GB of RAM.
The 64-bit solution seems to work extremely well, and I suspect that in our environ-
ment, we could scale up further just by adding more RAM. Some servers have seen
more than 300 sessions with no performance issues.

We find that with our application the workload is variable by region for the same
application, because users have different work patterns in the different regions. The
European folks are heavy hitters, whereas the folks in the United States and Asia
give the RDS farms an easier time.

How Does an RD Session Host Server Dole Out Processor
Cycles?
Nothing happens on a computer without a processor. When a computer serves dozens of users, there’s a lot of competition for any available processor cycles. Here, you’ll learn about how the RD Session Host server decides who’s going to get processor time.
Users run applications, but operating systems don’t know anything about applications. The operating system deals with processes and threads that support the application executable. A process defines the working environment for an application, including its priority when it comes to being allocated processor time, the image name of the application associated with the process (for example, Winword.exe), the process identifier (process ID, or PID) that the operating system uses to uniquely identify the process, the memory regions allocated to this process by the memory manager, links to parent processes that spawned this new process, and anything else the application would have to know to run and cooperate with other running applications.

HOW IT WORKS

Why Processes Need Both Names and PIDs

Why does a process need both an image name (this is the same as the executable name) and a PID? The reason is that image names are not necessarily unique on a server; particularly on an RD Session Host, it’s highly likely that more than one instance of the same application will be running, and it is guaranteed that more than one instance of required system processes will be running (see Chapter 3 for more information about the processes common to all sessions).

Since more than one instance could be running in the same session, you can’t iden-
tify the processes by session. To give Windows and the administrator more control
over individual processes, the process manager creates new processes with a PID.
You’ll often work with PIDs when using the Remote Desktop Manager and query
process command-line tools, both discussed in Chapter 11, “Managing Remote
Desktop Sessions.”

Processes don’t do anything themselves. Rather, they define the execution environment and relationships that the executable part of a process, the thread, must know about. Threads know details such as the process they’re associated with, and their security information, such as their access token (the record of the rights the thread has, given the identity of the account who started it) and impersonation information (the security credentials being used). They also keep track of their pending input/output (I/O) requests. Like processes, threads have a priority. They inherit their priority range from their process but can adjust their own priority within that range.

One key property of a process or thread is its priority, since that determines how often a thread gets some processor cycles. As you might guess, the higher the priority, the more often a thread gets processor time. Since nothing happens on a computer without processor time to execute instructions, this is critical.

NOTE  If you’re curious to see how a processor thread priority compares to that of other
types of processes, use the Process: Priority Current or Thread: Priority Current perfor-
mance counters in the Performance Monitor. For example, the Win32 Subsystem process
(which has the image name Csrss.exe) has a higher base priority than user applications, so
it will get more processor time. This is intentional, as it doesn’t matter if an application is
responsive if Windows isn’t.

One way in which RD Session Host servers differ from other types of servers is in their use of process priority. Other types of servers are generally designed to do one thing really well. They search databases, or manage email, or support websites. Their priorities are clear. The application in the foreground is the one to support. Therefore, the processes and threads belonging to the application in the foreground have a higher priority than those in the background.

NOTE  Just because the application in the foreground is the main one supported doesn’t
mean that the foreground application processes have the highest priority. See Microsoft
Windows Internals, Fifth Edition, by Mark E. Russinovich and David A. Solomon, with Alex
Ionescu (Microsoft Press, 2009), for more background on the relative priority of various
types of processes.

Unlike other servers, RD Session Host servers don’t have one clear priority (in contrast to a server running Microsoft Exchange Server, for example, which focuses on one task: “I must get the mail through!”). They have dozens of users to support, all of whom are doing different things and all of whom are expecting a responsive work environment. Because of its conflicting priorities, the only way for a server with the RD Session Host role installed to cope is to prioritize all user application processes and threads equally. Because the processes backing user applications have the same priority, you can approximate the load a server can take by determining how much of the total processor time a user session will require. You’ll find out more about how to do this with the Performance Monitor later in this chapter in the section called “Using Performance Monitor.” But a key point to remember is that the action of installing the RD Session Host role optimizes the operating system for playing this role in your network. An RD Session Host server does not prioritize processes in the same way as a database server or mail server, because the needs of this server are different.
If one session were running a large number of demanding applications, it could potentially affect the performance of other sessions, even though the user applications all have the same priority. Windows Server 2008 addressed this with the Windows System Resource Manager

(WSRM), which would reduce a thread’s priority if other user threads in other sessions were being starved for processor cycles. WSRM made sure that processor time was divided evenly among sessions, but it engaged only if a session was being affected. Windows Server 2008 R2 adds a new feature called Dynamic Fair Share Scheduling (DFSS), which changes the way that the scheduler works in the kernel. With DFSS engaged—as it is by default—the scheduler will make sure that the processor time is scheduled evenly among sessions from the beginning. You’ll learn more about how DFSS works in Chapter 3.
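Two points from the preceding pages can be observed directly on a host: image names repeat while PIDs stay unique (the sidebar “Why Processes Need Both Names and PIDs”), and every user application process runs at the same base priority while Csrss.exe in each session runs higher, with DFSS balancing sessions on top of that. The following Windows PowerShell script is an added example, not the book’s or Microsoft’s own code; run it elevated on an RD Session Host so that processes in other users’ sessions are visible. The registry value it reads for DFSS is an assumption taken from Microsoft’s Fair Share CPU Scheduling documentation, not from this book.

```powershell
# Added example (not from the book): observe process priority and PIDs across
# sessions on an RD Session Host. Run elevated so that all sessions are visible.

function Get-SessionPriorityProfile {
    # Get-Process exposes SessionId and BasePriority. Session 0 holds the
    # services; each user session has its own csrss.exe (base priority 13)
    # alongside the user applications, which all run at the Normal base of 8.
    Get-Process |
        Group-Object SessionId, BasePriority |
        ForEach-Object {
            $first = $_.Group[0]
            New-Object PSObject -Property @{
                SessionId    = $first.SessionId
                BasePriority = $first.BasePriority
                Processes    = $_.Count
                Images       = ($_.Group | Select-Object -ExpandProperty Name -Unique) -join ', '
            }
        } |
        Sort-Object SessionId, BasePriority
}

function Get-DuplicateImageNames {
    # One image name, several PIDs (often in several sessions): the reason the
    # process manager identifies processes by PID rather than by name.
    Get-Process |
        Group-Object Name |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Image    = $_.Name
                Pids     = ($_.Group | ForEach-Object { $_.Id }) -join ' '
                Sessions = ($_.Group | Select-Object -ExpandProperty SessionId -Unique) -join ' '
            }
        } |
        Sort-Object Image
}

function Get-DfssState {
    # Assumed location (from Microsoft's Fair Share CPU Scheduling docs, not
    # this book): EnableCpuQuota under Session Manager\Quota System, 1 = on.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Quota System'
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties['EnableCpuQuota']) {
        return [bool]$item.EnableCpuQuota
    }
    return $null   # value absent: DFSS not configured on this host
}

Get-SessionPriorityProfile | Format-Table SessionId, BasePriority, Processes, Images -AutoSize
Get-DuplicateImageNames    | Format-Table Image, Pids, Sessions -AutoSize
'DFSS (EnableCpuQuota) enabled: {0}' -f (Get-DfssState)
```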

How Do RD Session Host Servers Use Memory More Efficiently?
RD Session Host servers spread processor time among individual sessions by prioritizing all user application processes in the same way and using DFSS to ensure that no one session uses up all the processor time just because it’s running demanding applications. Next, you’ll learn how memory works on an RD Session Host server, including:
■ The differences between user mode and kernel mode
■ The relationship between physical storage and virtual memory
■ The role of the page file in providing additional physical storage
■ How the memory manager optimizes the use of memory
■ How memory usage, disk reads/writes, and processor time are related
■ How 64-bit only affects virtual memory management on RD Session Host servers

Understanding User-Mode and Kernel-Mode Virtual Address Space


You can’t do anything on a computer without a processor, but the threads getting processor time can’t do anything without memory to store data in. Operating systems store data that they’re currently working with in memory. (Data that they are not currently working with, such as files you’ve saved and don’t currently have open, are stored on the hard disk.) This data can include user data such as files or applications, or system data such as pointers to where data is stored in memory. (Memory is big—really big. Even the operating system needs a map to avoid getting lost.)
There are two kinds of memory in your computer. One is physical memory, determined by the amount of RAM installed in the computer. If you have 24 GB of RAM, there are 24 GB of physical memory available to the operating system (minus memory taken by other hardware components). The other is virtual memory, which is determined by the size of the operating system addressing structure. All 32-bit operating systems have a 4-GB virtual memory address space; 64-bit operating systems have a 16-terabyte virtual memory address space—8 terabytes for user-mode processes and 8 terabytes for kernel mode. (If you’ve heard it said that the 64-bit operating system removes the memory limitation on a terminal server, but you weren’t quite sure what that meant, this should put the difference into perspective.) You’ll see the 8-terabyte model referred to in the explanation. Virtual memory is supported by two

physical storage places: the physical memory of RAM and an area on the hard disk called the page file or swap file. Therefore, even if a computer running a 64-bit operating system has only 8 GB of RAM installed, it still has an 8-terabyte range of virtual addresses for data storage.

NOTE  If you’ve done the math, you’ll notice that 2 to the 64th power is more than 16 terabytes—it’s actually 16 exabytes. Windows (and currently available processors) don’t currently support 2^64 bytes, however—they support only up to 2^44, or 16 terabytes split evenly between kernel mode and user mode.

This 16 terabytes of virtual memory address space is divided into two regions: kernel space and user space, and the processes that store data in each region are called user-mode or kernel-mode processes. Kernel space, the upper 8 terabytes, is shared by all processes that store data here. User space is specific to each user-mode process. Conceptually, the memory layout looks like that shown in Figure 2-1. All kernel-mode processes know they must share a memory region, but all user-mode processes—not just all sessions, but all processes—think they have their own personal 8 terabytes of user-mode storage. Because this means that virtual memory addresses are duplicated from process to process, one key job of the memory manager is to make sure that user-mode processes don’t affect each other when storing memory in their view of user-mode memory.

[Figure 2-1 diagram: KERNEL MODE, a single shared 8 TB virtual memory region, above USER MODE, where each process (Winword.exe, Outlook.exe, Taskmgr.exe, Explorer.exe, iexplore.exe, Excel.exe, Visio.exe) is shown with its own 8 TB region]

FIGURE 2-1  Kernel mode memory is common to all processes that store information there; user mode memory appears specific to each process.

Understanding both user-mode and kernel-mode storage is important to understanding how an RD Session Host server uses memory.
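The contrast the text draws between an 8-terabyte user-mode address range and the few gigabytes of RAM and page file that actually back it can be put into numbers on a live 64-bit host. The following Windows PowerShell script is an added example, not the book’s or Microsoft’s own code: it reads the per-process address range and the backing stores from the Win32_OperatingSystem WMI class and compares them with what the processes in each session have actually committed. It assumes a 64-bit Windows host; on Windows Server 2008 R2 the reported range is the 8 TB the book describes, while later Windows releases report a larger range.

```powershell
# Added example (not from the book): compare the user-mode virtual address
# range available to one process with the RAM and page file that back it.

function Get-MemoryLayout {
    # Win32_OperatingSystem reports all sizes in KB.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $kbPerGB = 1024 * 1024
    New-Object PSObject -Property @{
        Architecture    = $os.OSArchitecture
        PointerBits     = [IntPtr]::Size * 8                 # 64 on x64 Windows
        PhysicalRamGB   = [math]::Round($os.TotalVisibleMemorySize / $kbPerGB, 2)
        PageFileGB      = [math]::Round($os.SizeStoredInPagingFiles / $kbPerGB, 2)
        BackingStoreGB  = [math]::Round($os.TotalVirtualMemorySize / $kbPerGB, 2)   # RAM + page file
        UserModeRangeTB = [math]::Round($os.MaxProcessMemorySize / $kbPerGB / 1024, 2)
    }
}

function Get-SessionCommit {
    # What each session's processes have actually asked the memory manager to
    # back (private commit) and what is resident in RAM right now (working
    # set), as opposed to the address range each of them could use.
    Get-Process |
        Group-Object SessionId |
        ForEach-Object {
            $commit   = ($_.Group | Measure-Object PagedMemorySize64 -Sum).Sum
            $resident = ($_.Group | Measure-Object WorkingSet64 -Sum).Sum
            New-Object PSObject -Property @{
                SessionId    = [int]$_.Name
                Processes    = $_.Count
                CommitMB     = [math]::Round($commit / 1MB)
                WorkingSetMB = [math]::Round($resident / 1MB)
            }
        } |
        Sort-Object SessionId
}

$layout = Get-MemoryLayout
$layout | Format-List Architecture, PointerBits, PhysicalRamGB, PageFileGB, BackingStoreGB, UserModeRangeTB

# How many times larger one process's address range is than everything that
# could back it: the 8 TB versus 8 GB comparison from the text, in numbers.
$ratio = ($layout.UserModeRangeTB * 1024) / $layout.BackingStoreGB
'One process can address {0:N0} times the RAM plus page file on this host' -f $ratio

Get-SessionCommit | Format-Table SessionId, Processes, CommitMB, WorkingSetMB -AutoSize
```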

HOW IT WORKS

Why Does It Matter Whether Drivers Are User-Mode or Kernel-Mode?

Previous versions of Windows introduced Group Policy to require users to employ user-mode printer drivers. If it’s not obvious to you why a policy to require user-mode drivers might be necessary or desirable, read on.

Every component of the Windows operating system is designed to call on memory from a particular section of memory, which is organized into blocks. The amount of memory an operating system can access depends on the addressing scheme it supports. For example, 64-bit operating systems can call on up to 16 terabytes of memory, and this memory is normally divided into two pieces: The upper 8 terabytes is kernel-mode memory and the lower 8 terabytes is user-mode memory. Kernel-mode components have access to actual physical memory structures. User-mode components have access only to a mapped view of these structures.

Think of the memory structures as a set of interoffice mailboxes. The kernel-
mode components have access to the mailboxes themselves—the physical bins
that line the wall. User-mode components don’t have access to the boxes; instead
they indicate that a piece of data should go into the box belonging to, say, Kim
Abercrombie or to Michael Pfeiffer. The kernel-mode component creates the
mapping that identifies which physical location is associated with Kim Abercrombie
and routes the data there, so that even if the boxes are shuffled or Kim gets a new
mailbox, the data ends up in the right place. Similarly, if a user-mode component
needs data from a location, that component doesn’t know the physical location
of the data, but calls on it according to its virtual data—“I need the data stored
in Kim Abercrombie’s mailbox.” The kernel-mode component then maps Kim
Abercrombie’s name to a mailbox location and retrieves the data. The area of
memory that a component is designed to use depends on what that component
needs to do, how quickly it needs to do it, and how likely it is to have a problem
doing it. Almost everything that you see happening on a computer occurs in user
mode: applications open, windows move, characters appear on the screen as you
type, and so forth. Operations running in user mode are protected from each
other because they write to virtual locations, not to physical ones. Kernel-mode
components ensure that these operations don’t write to the same physical locations.
For this reason, user mode is also called protected mode. If an application running in
user mode crashes, it does not affect other applications.

Kernel-mode components are slightly faster than user-mode components because they don’t have to translate virtual memory addresses to physical ones; however, they are more vulnerable to error. (That said, “slightly faster” in this context is not a difference that a human can detect.) Kernel mode references the physical memory structures shared among all components on the same computer, so it’s possible that two applications could attempt to store information in the same memory space. When this happens, the components crash and it might crash the entire operating system. Printer drivers running in kernel mode on a shared server, therefore, put not just one person’s workspace at risk but that of everyone using that same computer. Although printer drivers are more reliable on shared servers than they used to be, it’s best to use only user-mode drivers. If you absolutely must use kernel-mode drivers, you must test them before putting them into production.

Relevant Windows Server 2008 R2 Internals  Chapter 2 47

Technically speaking, the user-mode drivers are only partially user-mode—or at least, they are not able to do all their work from within user mode. They still communicate with a kernel-mode component that puts the data in the physical location where it must go. However, if the user-mode piece fails, this does not affect the kernel-mode area of memory.

The Role of the Memory Manager

How does all this paging take place? Who’s in charge of mapping virtual address space to physical memory so that when you try to bring a file into memory, you get the right one? How is it possible that each user-mode process thinks that it has its own 8 terabytes of user-mode memory? All this is handled by a key part of the operating system called the memory manager. The memory manager has four main jobs:
■ Mapping the virtual address space into physical memory
■ Protecting the address space of processes from each other and from the operating system
■ Paging data to and from disk
■ Managing key system resources such as the paged and non-paged memory pools and system cache
The memory manager works with the I/O manager (responsible for writing to and reading from disk) and the cache manager (some storage for the system cache) to ensure that processes have the data they need as quickly as possible.
In the next sections, you’ll learn more about how the memory manager does its job.

Mapping Virtual Memory to Physical Memory

A 64-bit operating system can see 16 terabytes of virtual memory addresses, but the computer in which the operating system is running won’t have 16 terabytes of RAM installed. As you can see from Table 2-1, no edition of Windows Server 2008 R2 or Windows 7 supports more than 2 terabytes of installed RAM (Microsoft doesn’t support what it can’t test, and systems with more than 2 terabytes of RAM didn’t exist).

TABLE 2-1  Physical Memory Limits by SKU (Editions Supporting RDS Only)

VERSION                                RAM SUPPORTED
Windows Server 2008 R2 Datacenter      2 terabytes
Windows Server 2008 R2 Enterprise      2 terabytes
Windows Server 2008 R2 Standard        32 GB
Windows Server 2008 R2 Foundation      8 GB

Not only does the amount of virtual memory exceed the installed RAM, but each user-mode process thinks that it has a dedicated 8 terabytes of storage. Something has to sort out where the data that a process thinks it stored at a particular location is really located. That function is handled by the memory manager.

The way the memory manager keeps track of how virtual addresses correspond to physical locations is much the way you’d do it if someone gave you the same job. It maintains lists mapping each virtual address to a physical location. These lists are called page tables. The collection of page tables is organized in the page table directory. (A page is a contiguous block of memory and the smallest unit of data that the memory manager can work with.) An individual entry on the page table is called a page table entry (PTE). A PTE contains the pointer to an area of physical memory. If you find page directories and PTEs confusing, think of it this way: The page table directory is like a telephone book for each process. Within the telephone book are the pages of listings—the pages are the page tables. Individual addresses on the page tables are the page table entries. With any one of the addresses, you can find a physical location for the information (the page).

Page tables and page table directories are stored in an area of kernel-mode memory reserved for this memory mapping information. The relationship between virtual memory, PTEs, and physical storage is shown in Figure 2-2.

[Figure 2-2 (diagram residue): the virtual memory addresses 11111111 through 66666666 of MYAPP.EXE, a page table directory and page table, a PTE, and RAM; the page at address 11111111 is followed through the mapping]

FIGURE 2-2  Virtual addresses get mapped to physical locations with PTEs.

Windows maintains a two-level page table structure of page table directories and page tables. Each process has its own page table directory. Within that page directory are the page tables listing the pages. (A process has to have more than one page table—and hence the page table directory—because the page tables are limited in size.) Within the page tables, the entries are indexed according to where they are on the page. The value of the index tells the memory manager which area of physical storage a virtual memory address points to. A virtual address contains a pointer to the correct page table directory, indexing information that points to the correct page table, and indexing information pointing to the correct PTE, as shown in Figure 2-3.

[Figure 2-3 (diagram residue): a virtual memory address of MYAPP.EXE split into Page Directory Index, Page Table Index, and Byte Index, leading through the page table to a PTE and into RAM]

FIGURE 2-3  Virtual memory addresses store indexing information that points to the page table directory, the page table, and the PTE.

One of the limitations of Terminal Services on 32-bit Windows is that the telephone book can be only so big because there’s a limited amount of space to store the pages. It’s as if the size of a community were limited by the size of the telephone book that would fit in each mailbox. No more space available indicates there can be no additional pages in the telephone book. This means that you’ll never be able to visit the new family in the neighborhood because they have no entry in the telephone book and you can’t find them. In the same way, the size of the space available to store PTE records limits the number of processes that can run even if you have all the RAM in the world available. The number of virtual memory addresses available to user-mode processes appears enormous because each process sees the entire 8-terabyte area. But for this area to be useful, the memory manager must be able to map the virtual address to a physical location, which means creating a page directory, page tables, and PTEs for each process. If the memory manager can’t do the mapping, then the process can’t start.
Before Windows Server 2008, the area of kernel-mode memory dedicated to PTEs was fixed in size. In Windows Server 2008 and later, kernel-mode memory for these storage structures is allocated dynamically, so that if the memory isn’t needed for one structure, it might be available to another. Windows Server 2008 R2 uses more memory than Windows Server 2003, due in part to some changes in the user shell. But if Windows Server 2003 Terminal Server was constrained by the amount of space available for PTEs, it’s possible that on the same hardware, the Windows Server 2008 R2 RD Session Host Server could support more users.

Note that 64-bit Windows has another advantage. It’s got a lot more room to store System PTEs (the PTEs used to map the location of memory the system is using). The amount of storage in 32-bit Windows is 660 MB; 64-bit Windows has 128 GB.

How Virtual Memory Is Supported

Ideally, the virtual memory a process uses to organize its storage will map to the RAM committed to that process. But RAM is finite, and sometimes it’s necessary to store that data elsewhere and then add it to the process working set when required. “Elsewhere” translates to the page file or another area of memory. To start, consider the page file.
The page file is one of those pieces of the memory structure that you’ve probably heard is very important but perhaps you aren’t quite sure what makes it so important. Basically, the page file helps make virtual memory work by adding data storage to the server above and beyond what physical RAM supplies. When RAM gets full, data that isn’t being used gets moved to the area of hard disk called the page file or swap file—that is, the data is paged to disk. When this data written to disk is called on, this produces a hard page fault. When a process searches for that data, it goes to where the data was last stored in virtual memory. The memory manager intercepts this request and retrieves the requested data from its location in the page file, paging the data back into physical memory where the process can access it. The page file increases the amount of physical storage for the virtual address space the operating system recognizes and can be used to store the data, but keep in mind that swapping data to and from the hard disk takes some time. When memory is on the hard disk, retrieving it takes longer than if the data is stored in RAM, where it can be called up more quickly. Each page fault takes processor cycles to complete. Each request to read or write to disk has to get in the I/O queue for the hard disk (more about this shortly). And the system slowdowns do add up.
The page file isn’t sounding like much of a bargain, is it? You might be wondering why it’s important. The sensible thing to do would be to install as much RAM as possible, so that the operating system will have plenty of very fast RAM to store data, instead of swapping data between the RAM and the page file. To a point, you’d be right. More RAM will generally result in a more responsive operating system (and this was especially true on 32-bit operating systems, where memory was likely to be the performance bottleneck).
However, you can’t just load up an RD Session Host or RD Virtualization Host server with an equal amount of physical and virtual memory. There are two reasons for this. First, the 64-bit operating system supports 16 terabytes of virtual memory, and the most physical memory you can install on any Windows SKU is 2 terabytes. (For Windows Server Standard, the maximum amount of physical memory supported is 32 GB, and for Windows Foundation Server, the maximum is 8 GB.) Second, all user-mode processes think that they have their very own 8-terabyte area of user-mode virtual memory. Support dozens or hundreds of users on a single server, and they’ll often use more virtual memory than you can back with RAM.

BEST PRACTICES  Microsoft’s best practices for RD Session Host servers suggest that your
page file should be two to three times the size of the installed RAM to support all the indi-
vidual user-mode memory areas for each process. The reasoning is that process creation is
expensive—two or three times more so than maintaining the process in memory. Because
many people are using the same computer, it’s likely that the computer will be creating
a lot of processes for all those people. Therefore, every time users start an application,
they’re engaging in this expensive activity. To keep the RD Session Host server running
smoothly, you need more memory than just enough to keep the processes running.

Like other key structures, the page file is larger in 64-bit Windows than 32-bit Windows; 64-bit Windows supports a 256-terabyte page file, and for 32-bit Windows, the maximum size is 16 terabytes.

HOW IT WORKS

Improvements to the Page File System in Windows Server 2008 and Beyond

One change to memory management in Windows Server 2008 (and still relevant in Windows Server 2008 R2) lies in the way the page file works. It’s designed to be more efficient than previous versions of Windows in two important ways that allow it to write less often.

First, the fewer write actions the operating system has to take, the better, because
every action has a cost. To reduce the number of necessary write operations in
Windows Server 2003, the memory manager could write only up to 64 KB of data
in a single action. Today, that limit has been removed so the memory manager can
write data in larger chunks. Most write operations now are approximately 1 MB.

Another improvement to the page file beginning in Windows Server 2008 is that
it takes the amount of free physical memory into account before writing to the
page file. In previous versions of Windows, the decision to write to the page file
was based on the number of dirty pages in RAM, or areas where data had been
modified. Now, if there’s no shortage of RAM, the memory manager will leave the
modified data in RAM.

Not all data can be paged to disk. Some important data (important to the functioning of the operating system, not important to a user) must be maintained in RAM at all times. Data that never gets paged is stored in an area of kernel-mode memory called the non-paged pool. Kernel-mode processes that store data that can be paged to disk store it in the paged pool. In previous versions of Windows, paged pools and non-paged pools had fixed sizes depending on the amount of RAM installed on the server; beginning with Windows Server 2008, these memory areas had no fixed size but could fluctuate depending on the needs of the operating system (see Figure 2-4).

[Figure 2-4 (diagram residue): WINDOWS 2003 KERNEL MODE MEMORY with fixed-size PAGED POOL, NON-PAGED POOL, and SYSTEM CACHE, contrasted with WINDOWS 2008 R2 KERNEL MODE MEMORY in which the sizes of the same three areas are adjustable]

FIGURE 2-4  Kernel mode memory areas supporting important system structures are sized dynamically in Windows Server 2008.

On 64-bit Windows, the maximum size of the non-paged pool is 128 GB, as opposed to 256 MB for 32-bit Windows.
Not all page faults are hard page faults. Sometimes, the data is still stored in RAM, but not in the process working set. For example, it’s possible another process might be using the data (see the next section, “Memory Sharing and Copy-on-Write”). Soft page faults cost little in terms of time or system resources, so you don’t need to worry about them. Hard page faults, in which the memory manager has to initiate a process to retrieve the data from disk, are much more expensive. When a computer is very low on available RAM and must store a lot of data in the page file, the constant reads and writes are called thrashing.
The following points sum up this section:
■ A user process expects to find the data it’s looking for in its working set.
■ If the data is not in the working set, then the memory manager will check to see if it’s stored anywhere else in RAM and add it to the process working set (a soft page fault).
■ If the data is not in memory, then the memory manager prompts the I/O manager to find the data in the page file on hard disk so it can be added to the process working set (a hard page fault).
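The two-level walk of Figure 2-3 together with the hit, soft fault, and hard fault decision just summarized, as an added example (not code from the book or from Windows): a small Python simulation in which a 32-bit-style address is split into page directory index, page table index, and byte index, each process owns its own page directory, and a page can be in the working set, elsewhere in RAM, or in the page file. The 10/10/12-bit split, the 4 KB page size, the process name, and the page contents are constructed for illustration.

```python
"""Two-level page-table walk plus the working-set / soft-fault / hard-fault
decision summarized above. Added example, not Microsoft's memory manager; the
10/10/12-bit address split, 4 KB page size and sample data are constructed."""
from dataclasses import dataclass, field
from typing import Optional

PAGE_SHIFT = 12                 # 4 KB pages: the low 12 bits are the byte index
INDEX_BITS = 10                 # 10-bit page directory index, 10-bit page table index
PAGE_SIZE = 1 << PAGE_SHIFT


def split_virtual_address(va: int) -> tuple:
    """Return (page directory index, page table index, byte index) of a 32-bit-style address."""
    mask = (1 << INDEX_BITS) - 1
    dir_index = (va >> (PAGE_SHIFT + INDEX_BITS)) & mask
    table_index = (va >> PAGE_SHIFT) & mask
    return dir_index, table_index, va & (PAGE_SIZE - 1)


@dataclass
class PTE:
    frame: Optional[int] = None     # physical frame backing the page; None once paged out
    in_working_set: bool = False    # True only while the process can touch it without a fault


@dataclass
class Process:
    name: str
    # The per-process "telephone book": directory index -> page table -> PTE, built lazily.
    page_directory: dict = field(default_factory=dict)

    def pte(self, va: int) -> PTE:
        dir_index, table_index, _ = split_virtual_address(va)
        table = self.page_directory.setdefault(dir_index, {})
        return table.setdefault(table_index, PTE())


class MemoryManager:
    """Owns the physical frames and the page file; resolves every access through the PTE."""

    def __init__(self, frame_count: int):
        self.free_frames = list(range(frame_count))
        self.ram = {}                 # frame number -> page contents
        self.page_file = {}           # (process name, virtual page number) -> page contents
        self.faults = {"hit": 0, "soft": 0, "hard": 0}

    def commit(self, proc: Process, va: int, data: bytes) -> None:
        """Back a virtual page with a free frame and put it in the working set."""
        frame = self.free_frames.pop()
        self.ram[frame] = data
        pte = proc.pte(va)
        pte.frame, pte.in_working_set = frame, True

    def trim_working_set(self, proc: Process, va: int) -> None:
        """Remove the page from the working set but leave it in RAM."""
        proc.pte(va).in_working_set = False

    def page_out(self, proc: Process, va: int) -> None:
        """Write the page to the page file and release its frame."""
        pte = proc.pte(va)
        self.page_file[(proc.name, va >> PAGE_SHIFT)] = self.ram.pop(pte.frame)
        self.free_frames.append(pte.frame)
        pte.frame, pte.in_working_set = None, False

    def access(self, proc: Process, va: int) -> tuple:
        """Translate one access; returns (kind, physical address) with kind hit, soft or hard."""
        pte = proc.pte(va)
        _, _, byte_index = split_virtual_address(va)
        if pte.in_working_set:
            kind = "hit"                    # found in the working set, no fault at all
        elif pte.frame is not None:
            kind = "soft"                   # still in RAM: just re-attach it to the working set
        else:
            kind = "hard"                   # on disk: the I/O manager reads it from the page file
            frame = self.free_frames.pop()
            self.ram[frame] = self.page_file.pop((proc.name, va >> PAGE_SHIFT))
            pte.frame = frame
        pte.in_working_set = True
        self.faults[kind] += 1
        return kind, (pte.frame << PAGE_SHIFT) | byte_index


def demo() -> dict:
    """Send one page through a hit, a soft fault and a hard fault; return the fault counters."""
    mm = MemoryManager(frame_count=4)
    app = Process("MYAPP.EXE")
    va = 0x11111111                          # one of the sample addresses in Figure 2-2
    mm.commit(app, va, b"A" * PAGE_SIZE)     # constructed page contents
    mm.access(app, va)                       # hit
    mm.trim_working_set(app, va)
    mm.access(app, va)                       # soft page fault
    mm.page_out(app, va)
    mm.access(app, va)                       # hard page fault
    return mm.faults


if __name__ == "__main__":
    print(split_virtual_address(0x11111111))    # (68, 273, 273)
    print(demo())                               # {'hit': 1, 'soft': 1, 'hard': 1}
```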

Memory Sharing and Copy-on-Write

Earlier you learned that all user-mode processes think they have an 8-terabyte user-mode memory area to themselves. You also discovered that this forces the need for a page file to back the virtual memory addresses, since there’s no way that RAM can do it. But the memory load of many modern applications is quite large. On an RD Session Host server supporting dozens or hundreds of sessions, each running memory-hungry applications that are not designed to be efficient with memory (because applications are still typically designed for a single-user computer), how do you avoid running out of page file as well as RAM?
One way, of course, is to ensure that you’ve got enough page file. Another way that doesn’t require any work on your part is a memory-sharing technique implemented in Windows that allows processes to share memory space—sometimes. This technique is called copy-on-write and is related to shared memory.
At the basis of copy-on-write is the fact that there’s a lot of redundancy in a computer. If two processes need to use the same dynamic-link library (DLL), for example, it is better if they can use the same one—if one can “read over the shoulder” of the other. So long as neither process is modifying the data, this works fine, and it decreases the amount of data that a process must store in memory to support all its threads.
The tricky bit comes when a piece of data that two processes are using needs to be changed by one of them. There are two ways you can avoid having a change by Process B make an impact on Process A. One way is to make a copy of the data for Process B as soon as Process B accesses the shared memory area. This can be wasted effort, though—what if the second process won’t change the shared data?
Another way that avoids this wasted effort is the approach that Windows takes. When Process B needs to change the data at the shared location, the memory manager copies the edited data to a new location. The original data is not affected, and the process that must change the data can continue, now using its own copy, as shown in Figure 2-5. Windows works like this; other operating systems might make a copy of the page at the time the second process must access the same data as the first process.

[Figure 2-5 (diagram residue), three steps: Step 1, Process A and Process B share Shared.dll through the Memory Manager; Step 2, Process B needs to make a change; Step 3, the Memory Manager gives Process B its own copy of Shared.dll while Process A keeps the original]

FIGURE 2-5  Copy on write allows for more efficient use of physical memory.
The catch to copy-on-write is that applications must be written in a way that allows them to take advantage of it. The Windows operating system can use copy-on-write for itself, but developers must plan for its use in user applications.
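Copy-on-write as described above, as an added example (not Windows code): two processes map the same physical page of a DLL; the first write by Process B gets it a private copy, Process A keeps the original unchanged, and a later write by the sole remaining user of a page is done in place with no copy, which is the wasted effort the text says Windows avoids. The process names, the DLL name, and the page contents are constructed.

```python
"""Copy-on-write simulation for the sharing scheme described above. Added
example, not Windows code; process names, the DLL name and page contents are
constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Frame:
    """One physical page and the number of process mappings that currently share it."""
    data: bytearray
    ref_count: int = 0


@dataclass
class Mapping:
    frame: Frame
    writable: bool = False      # a shared copy-on-write mapping starts read-only


@dataclass
class Process:
    name: str
    mappings: dict = field(default_factory=dict)    # name -> Mapping


class MemoryManager:
    def __init__(self) -> None:
        self.frames = []            # every physical page currently allocated
        self.copies_made = 0

    def allocate(self, data: bytes) -> Frame:
        frame = Frame(bytearray(data))
        self.frames.append(frame)
        return frame

    def map_shared(self, proc: Process, name: str, frame: Frame) -> None:
        """Let proc read over the shoulder of whoever else has this frame mapped."""
        proc.mappings[name] = Mapping(frame)
        frame.ref_count += 1

    def read(self, proc: Process, name: str) -> bytes:
        return bytes(proc.mappings[name].frame.data)

    def write(self, proc: Process, name: str, offset: int, value: int) -> None:
        """The write fault: copy the page only if someone else still shares it."""
        mapping = proc.mappings[name]
        if not mapping.writable:
            if mapping.frame.ref_count > 1:
                mapping.frame.ref_count -= 1            # the original stays with the other sharers
                private = self.allocate(bytes(mapping.frame.data))
                private.ref_count = 1
                mapping.frame = private                 # Step 3 of Figure 2-5: a private copy
                self.copies_made += 1
            mapping.writable = True                     # sole owner: write in place from now on
        mapping.frame.data[offset] = value

    def physical_pages(self) -> int:
        return len(self.frames)


def demo() -> dict:
    """Two processes share Shared.dll; B modifies it, then A modifies the original it now owns alone."""
    mm = MemoryManager()
    shared_dll = mm.allocate(b"SHARED.DLL code")        # constructed page contents
    a, b = Process("Process A"), Process("Process B")
    mm.map_shared(a, "Shared.dll", shared_dll)
    mm.map_shared(b, "Shared.dll", shared_dll)
    pages_before = mm.physical_pages()                   # 1: nothing is copied while both only read
    mm.write(b, "Shared.dll", 0, ord("X"))               # Step 2: Process B needs to make a change
    mm.write(a, "Shared.dll", 1, ord("Y"))               # A is now the only user of the original: no copy
    return {
        "pages_before": pages_before,
        "pages_after": mm.physical_pages(),
        "copies_made": mm.copies_made,
        "a_sees": mm.read(a, "Shared.dll"),
        "b_sees": mm.read(b, "Shared.dll"),
    }


if __name__ == "__main__":
    print(demo())
```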

How Does Disk Affect Application Delivery?

The last item in our server internals overview is disk performance. Although not everyone considers hard disks when designing an RD Session Host or RD Virtualization Host server, for best results, it’s important to keep disk performance and data storage in mind.

Keep Shared Work Environments Generic

Whether you’re delivering applications through VMs on an RD Virtualization Host or through sessions on an RD Session Host, it’s best to keep the application delivery system homogenous. All the RD Session Host servers in the same farm should have the same applications installed and the same settings configured; all the VMs in the same pool should have the same applications and configuration. Only the following four kinds of data should be on the servers:
■ The page file
■ The cached user profiles currently in use (while the profiles themselves are stored on a separate file server)
■ The operating system
■ The applications
You should never store user-specific data like user profiles or user data on a shared application delivery role like an RD Virtualization Host pooled VM or an RD Session Host server. Doing so complicates backups (since data isn’t on a central server) and can lead to an inconsistent user experience as users move from VM to VM or connect to a new session. A possible exception to this rule is the personal desktop assigned to a user, because that user will always return to that VM. However, even storing personal data on a desktop has its downfalls because it will complicate restoring files if the only backup is of the VM itself.

IMPORTANT  User profiles should not be stored on an RD Session Host server, but rather
on a central file share so that there’s only one copy of the profile. However, the profile will
be cached on the RD Session Host server for the duration of the session it’s supporting.
See Chapter 5, “Managing User Data in a Remote Desktop Services Deployment,” for more
details about combining profiles and RDS.

You not only need to think about where you’re storing data to facilitate backups and provide a consistent user experience, you need to take disk performance into account. One approach to storing all the data that should be on the RD Session Host or the VMs is to get one big hard disk and keep all the data on it. That way, you can mirror the hard disk and have a backup configuration. For small environments or pilot programs, this might work fine.
For larger deployments, best practice is generally to divide up the three types of data (page file, user profile cache, and the operating system and applications) among three separate hard disks, to avoid waits for disk I/O requests. The problem is that all user activity requires a lot of disk reads and writes. Beginning a user connection, loading a user profile, starting an application, paging some data in memory to disk (or reading data previously paged to disk back into memory)—these are just some of the events that generate disk I/O requests. If these requests begin to stack up, users will see delayed response times. Paging data back into memory from disk, for example, is already relatively slow compared to accessing the same data from physical memory.
Processors and memory are extremely fast. Disks, although fast, are much slower than either RAM or processors. (If you’ll recall from the section titled “How Virtual Memory Is Supported” earlier in this chapter, this is why it’s good to minimize use of the page file, even though it’s critical to your server functioning well.) Ideally, try to have one hard disk spindle for every 20 to 30 users on a given RD Session Host or RD Virtualization Host server. That way, the users’ disk requests will be less likely to delay each other.

Understanding the System Cache

As you’ve seen, writing data to the page file or reading from it is expensive and relatively slow. What if you’ll use the data again soon but need to free up some RAM now? What if a user requests one piece of data but is likely to need related pieces close to it in storage? In either case, the memory manager can store some data in an area of kernel-mode memory called the system cache.
The file system cache holds data pulled from disk. Without getting too deeply into the minute details of the decision tree (see the “Additional Resources” section at the end of this chapter for some detailed references), when a process requests some data, the request goes first to the area in virtual memory where the process stored the data. If the data is in RAM, then the process can continue with whatever it was doing.
If the data is not in the RAM mapped to the user’s virtual address space, the next stop is the system cache, which is a collection of virtual addresses backed by RAM. If the entire request can be satisfied from the system cache (that is, if the process has asked for data A through E, and the cache contains A, B, C, D, and E), then the request never gets as far as the file system. If only part of the data is in the system cache (say, A and B), then the cache manager forwards the request to the memory manager, which then generates a hard page fault and gets the data from the page file or from disk as appropriate.
The larger the system cache, the more efficient the process of retrieving data is. The cache grows as needed (a refinement introduced in Windows Server 2008) but in 64-bit Windows the system cache can be as large as 1 terabyte—much larger than the 1 GB possible on 32-bit Windows.

How Does RAID Affect Disk Performance?

What about RAID? RAID (which stands for “redundant array of independent disks”) is one way to increase the uptime of your servers by decreasing the likelihood of a disk failure. The basic idea of RAID is that, rather than using a monolithic disk for all your storage, you combine partitions on multiple disks into a single logical unit. The partition can encompass the entire physical disk or only part of it.
The purpose for combining the multiple disks depends on the scenario. Some forms of RAID are intended for data security by linking two or more disks in a way that maintains a copy of your data. Some increase disk throughput by letting you use two or more I/O paths to support a single logical disk (one spanning multiple physical disks).

NOTE  Not all forms of RAID increase server reliability. Some even reduce it by linking
two physical disks and making a volume spanning both, so that if one disk fails the entire
volume is inaccessible. For the purposes of this book, assume that references are only to
the fault-tolerant forms of RAID.

There are two basic kinds of fault-tolerant RAID: disk mirroring (RAID 1) and stripe sets with parity (RAID 5). (RAID 10 is fault-tolerant, but essentially combines 5 and 1.) Mirroring is the obvious winner when it comes to RD Session Host servers, but we’ll review both to make it clear why it is a better choice.

DISK MIRRORING
Disk mirroring is the preferred configuration for an RD Session Host server. In this RAID configuration, you have two disks backing a single logical volume. One disk contains the primary partition, and one contains the mirror partition. Each time you write data to the primary partition, it’s also written to the mirror partition. When you read data from the primary partition, it can be read simultaneously, on some implementations, from the mirror partition. This means that reads from a RAID 1 configuration could theoretically be twice as fast as reading from a volume encompassing only a single physical disk. Writes do not take twice as long because they can happen asynchronously.
If one disk of a mirror set fails, then a perfect and always up-to-date copy remains on the other disk. If one disk fails, you can restore redundancy easily by breaking the mirror set and replacing the failed disk, then adding the new disk to the mirror set. The disks will re-create the information on the existing disk onto the one you’ve just added to the mirror set.
RAID 1 reduces the time required to read from disk while not really affecting the write time. It also makes it easy to recover from a disk failure since the data is already fully assembled. About the only disadvantage is that it does not make very efficient use of space because there are two full copies of all data.
STRIPE SETS WITH PARITY
Another contender for a fault-tolerant system is RAID 5, or stripe sets with parity. RAID 5 works differently from RAID 1. Whereas RAID 1 maintains a perfect copy of all the data on a partition on a second disk partition, RAID 5 takes a more space-efficient approach. It writes a slice of data to each disk in the array (a minimum of three disks), but only once across the entire array. Each physical partition then contains both actual data and parity information for data stored on another drive. Therefore, so long as no more than one disk fails, you have either the original data or the parity information required to create the original data.

CAUTION  Be aware that if a second disk fails before you replace one failed disk in a
stripe set, you will lose data. This is why some people choose RAID 10, which mirrors
striped volumes.

RAID 5 has its advantages. It can use many more disks than RAID 1, and it is more efficient in the way that it stores data because it’s not maintaining duplicates of all data—just some of it, plus parity information needed to re-create it in case of disk failure. It can also be more efficient for reads because more than one I/O path can be used. But writing data takes more time with RAID 5 because every time you write data, you must also calculate and write its parity information. Given the large number of reads and writes that an RD Session Host or RD Virtualization Host server will necessarily do, this isn’t a good RAID model.
One caution about using RAID on an RD Session Host server: Don’t use software RAID. In particular, don’t use software RAID 5 (stripe sets with parity), because the calculations required will utilize processor cycles that could be used more profitably elsewhere. Hardware RAID systems have their own processor and will increase disk performance.
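The parity mechanics behind the RAID 5 discussion above, as an added example (not a Windows or controller implementation): data slices are spread across three disks with an XOR parity slice rotated across them, a stripe is read back with one disk missing by XORing the survivors, a replaced disk is rebuilt the same way, and a second failure makes the stripe unrecoverable, which is the situation the CAUTION above warns about. The disk count, slice size, and sample data are constructed.

```python
"""RAID 5 stripe-with-parity simulation for the discussion above. Added example,
not a Windows or controller implementation; the disk count, slice size and the
sample data are constructed for illustration."""


def xor_blocks(blocks) -> bytes:
    """XOR equal-length byte slices together; this is all RAID 5 parity is."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


class Raid5:
    def __init__(self, disk_count: int, slice_size: int) -> None:
        if disk_count < 3:
            raise ValueError("RAID 5 needs at least three disks")
        self.n = disk_count
        self.slice_size = slice_size
        self.disks = [[] for _ in range(disk_count)]   # disk index -> list of slices, one per stripe
        self.parity_writes = 0                          # the extra work every RAID 5 write pays for

    def stripe_count(self) -> int:
        return len(self.disks[0])

    def write_stripe(self, data: bytes) -> int:
        """Store (n - 1) data slices plus one parity slice; returns the stripe number."""
        if len(data) != (self.n - 1) * self.slice_size:
            raise ValueError("one stripe holds exactly (disks - 1) slices of data")
        stripe_no = self.stripe_count()
        parity_disk = stripe_no % self.n                # rotate parity so no single disk is the hotspot
        chunks = [data[i * self.slice_size:(i + 1) * self.slice_size] for i in range(self.n - 1)]
        parity = xor_blocks(chunks)
        self.parity_writes += 1
        remaining = iter(chunks)
        for disk in range(self.n):
            self.disks[disk].append(parity if disk == parity_disk else next(remaining))
        return stripe_no

    def read_stripe(self, stripe_no: int, failed=()) -> bytes:
        """Return the stripe's data, reconstructing one missing slice from the survivors."""
        parity_disk = stripe_no % self.n
        slices = [None if d in failed else self.disks[d][stripe_no] for d in range(self.n)]
        missing = [d for d, s in enumerate(slices) if s is None]
        if len(missing) > 1:
            raise RuntimeError("second disk failed before rebuild: stripe unrecoverable")
        if missing:
            slices[missing[0]] = xor_blocks([s for s in slices if s is not None])
        return b"".join(s for d, s in enumerate(slices) if d != parity_disk)

    def rebuild(self, failed: int) -> None:
        """Replace a failed disk: each of its slices is the XOR of the other disks' slices."""
        self.disks[failed] = [
            xor_blocks([self.disks[d][stripe] for d in range(self.n) if d != failed])
            for stripe in range(self.stripe_count())
        ]


def build_demo_array() -> Raid5:
    """Three disks, 4-byte slices, two stripes of constructed data."""
    array = Raid5(disk_count=3, slice_size=4)
    array.write_stripe(b"ABCDEFGH")     # stripe 0: parity lands on disk 0
    array.write_stripe(b"12345678")     # stripe 1: parity lands on disk 1
    return array


if __name__ == "__main__":
    array = build_demo_array()
    print(array.read_stripe(0, failed=(1,)))    # b'ABCDEFGH' recovered without disk 1
    array.disks[2] = [None] * array.stripe_count()
    array.rebuild(2)
    print(array.read_stripe(1))                 # b'12345678'
```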

How Does Virtualization Affect Resource Usage?

Virtualization was an interesting footnote for Windows Server 2008 Terminal Services (TS). Most TS roles could be virtualized for convenience, with the exception at the time of the terminal servers themselves. (You’ll learn shortly about the hardware architectural changes that have made virtualizing an RD Session Host server no longer a bad idea, given the right processor architecture.) It wasn’t a core scenario, however. In RDS, one of the roles depends on virtualization: RD Virtualization Host relies on Hyper-V. Therefore, you’ll explore how virtualization works for allocating processor time, memory, disk input/output paths, and networking.

HOW IT WORKS

Distinguishing Type 1 and Type 2 Hypervisors

There are two kinds of hypervisors supporting Windows virtualization today: type 1 and type 2, as illustrated in Figure 2-6. If you’re not sure of the difference or why it’s important, read on.

[Figure 2-6 (diagram residue): a Type 1 Hypervisor sits directly on the Hardware and runs a Parent Partition beside Guest OS 2 and Guest OS 3; a Type 2 Hypervisor runs on a Host OS that sits on the Hardware and runs Guest OS 1 and Guest OS 2]

FIGURE 2-6  Contrasting Type 1 and Type 2 hypervisors

A Type 1 hypervisor, in a model also known as bare metal virtualization, interacts directly with the computer hardware. In a Type 1 hypervisor such as Microsoft Hyper-V, the hypervisor is the go-between for the system hardware and the parent, or root, partition, the part of the operating system that manages the VMs. The VMs are also known as the guests or the child partitions. A Type 1 hypervisor has a parent partition and as many child partitions as it can support and needs.

Type 2 hypervisors (also known as host-based virtualization), such as Microsoft Virtual PC, are part of the host operating system. Guest VMs communicate with the host operating system to work with the system hardware.

The main reason to choose each right now depends on where you’re planning on
running the VM: the data center or the desktop. Since RDS is a data-centric comput-
ing model, you’d expect that this model would prefer running the VMs from the
data center on a Type 1 hypervisor, and you’d be right. However, if there is a valid
reason to use a VM on a desktop computer (for example, to run a demo), as of 2010,
it will most likely be on a Type 2 hypervisor. (Type 1 client hypervisors aren’t a trivial
problem, in part due to the wide variety of client hardware; servers are certified for
Hyper-V support.) Because RDS uses Hyper-V, a Type 1 hypervisor, you’ll focus on
that model in our discussion of virtualization.

You’ve learned a lot in this chapter about how virtual memory, disk, and processor work in Windows Server 2008 R2. As you’d expect, when VMs are involved, the story gets a bit more complicated. To understand it, you’ll walk quickly through the architecture of a Type 1 hypervisor, including:
■ The role of the parent partition
■ How child partitions use memory and processor cycles
■ How child partitions access other hardware
■ Why you will get better performance using a virtualization-aware guest operating system
If you’d like more details on how hypervisors work, the additional resources at the end of this chapter point you to some sources to learn more about hypervisor architecture.

The Role of the Parent Partition

The parent partition, or root partition, is the liaison between the hypervisor (and occasionally the hardware) and the child partitions. The root partition typically runs a stub operating system such as Windows Server Core to save on memory requirements. Within the root partition are
■ The true device drivers for interacting with hardware
■ The virtualization service providers (VSPs) used to manage access to synthetic devices from the child partitions (more about this in the section titled “Device Access from Child Partitions” later in this chapter)
■ The VM Service that connects the parent partition to the hypervisor
■ Worker processes that manage the state of a child partition and perform device emulation (more about this later)
You’ll find out more about what all these pieces actually do in the remainder of this section.

How Memory and Processor Allocation Works on Child Partitions

You have been introduced to some of the problems of memory and processor time management across sessions on the same host. As you can imagine, traffic control is complicated when a processor or memory manager must figure out how to coordinate multiple service requests not just from different sessions, but from different VMs—and machines that might not all be running the same operating system.
Processor scheduling and memory management are both handled by the hypervisor itself. This component of the virtualization stack has both a processor scheduler and a memory manager built in. The scheduler manages access to processor time across all the child partitions, corresponding to the virtual processors in each VM, and the memory manager handles the tracking of where the virtual address for each VM maps to in physical memory.

PROCESSOR TIME
Child partitions don’t directly access the processor scheduler; if they did, they’d interfere with each other and it would be impossible to coordinate all the requests. A logical processor (a core in a physical processor is referred to as a logical processor) might be used by more than one VM (and likely is), and a VM might be using more than one logical processor. To manage all the processor time requests, the hypervisor represents processors in a child partition as virtual processors (VPs). A child partition can have zero (although you won’t get a lot done like that) or more VPs. The number of VPs is not related to the number of logical processors—again, a processor might be accessed by more than one child partition or not accessed at all by some. A virtual processor can be
■ Running, when it’s actively executing instructions
■ Ready, when it’s not executing instructions but is ready to
■ Waiting, when the VP is waiting for instructions that tell it what to do next
■ Suspended, when it’s temporarily disabled and won’t execute instructions again until taken out of the suspended state
The hypervisor keeps track of the state of each VP and which logical processor a VP is using. The root partition can access this information.

MEMORY MANAGEMENT
Memory management is also more complex on a VM host than on a physical machine. The VMs themselves can’t share memory for many reasons, including security isolation, and the memory manager has three areas of memory to manage, not just two (see Figure 2-7). These three areas are
■ The system physical address (SPA) space
■ The guest physical address (GPA) space
■ The guest virtual address (GVA) space
The GPA is the representation of physical memory from the perspective of the guest. Operating systems expect their memory addresses to be numbered beginning at 0 and expect some structures to be in memory at a certain address range, so guests can’t really share a view of physical memory without getting confused. The GPA is mapped to the SPA more or less in the same way that the memory manager maps virtual memory addresses to physical memory addresses, as discussed in the section titled “How Do RD Session Host Servers Use Memory More Efficiently?” earlier in this chapter. When a guest operating system accesses memory in the GVA, the request is mapped to the GPA, and from there mapped to the actual physical address of the SPA.
All this memory management can use up processor cycles, so VMs—especially those with a lot of memory reads and writes, like RD Session Host servers—will benefit from Second-Level Address Translation (SLAT) technology, as discussed in the section “Can I Run RDS in a VM?” later in this chapter.

[Figure 2-7 (diagram): the parent partition owns the system physical address (SPA) space, backed by system memory pages and the system page file. Each child partition has its own guest physical address (GPA) space and guest virtual address (GVA) space, containing GVA pages in use, empty GVA pages, and GVA pages paged out to the guest page file; GVA pages map to GPA pages, which in turn map to SPA pages.]

FIGURE 2-7 Memory management with a hypervisor, from “Second Level Address Translation Benefits in Hyper-V R2,” by Janique Carbone. Used with permission.

Device Access from Child Partitions
Devices other than processors and RAM are managed separately. Rather than being managed directly by the hypervisor, other types of devices (like network cards and hard disks) use VM worker processes that control the virtual devices (VDs) and give the VMs a way to interact with the devices indirectly. VDs can be emulated or synthetic.
Emulated devices are accessible to all guest VMs. They’re basically a set of I/O ports, memory ranges, and interrupts (all representing device access) that the guest can access and which the hypervisor controls. When a guest tries to use an emulated device (for example, a Legacy Network Card), the VM worker process is notified. The worker process basically emulates the action requested (for example, a disk read). While the guest VM is distracted, the worker process sends the request to the hypervisor to be executed by the actual disk, then works the results back up the chain to the guest VM.
Emulation is slow but simple, and it works even if the operating system isn’t virtualization-aware. It’s also available during installation (which is why, after the guest operating system is installed, you need to install a tool set onto it to improve the VM performance and display). But it’s not really up to the demands of modern hardware. For better performance, you’ll use synthetic devices.
Synthetic devices are supported by VSPs, virtualization service clients (VSCs), and the VMBus. VSPs run in the parent partition. When a child partition attempts to use a synthetic device (for example, to read a file from a virtual disk), the VSC in charge of that particular device sends the request to the VMBus. The VMBus links the child partition and the parent partition. The VMBus then sends the request to the VSP for disk, and this travels via the miniport driver to the hardware. The hypervisor doesn’t get involved at all, and this model is much faster.

Enlightenment, or Why Windows 7 Guests Might Scale Better

There are reasons to run Windows XP as the guest operating system in a VM, application compatibility (the driver behind the RemoteApp for Hyper-V feature) being one of them (more on this in Chapter 4). However, one of those reasons shouldn’t be so you can run more VMs on a single host. Contrary to what you might expect, clients running Windows Vista and Windows 7 might scale better, all else being equal. (This assumes that all VMs are using the same amount of memory. If you’re using less memory for the Windows XP VMs, then they will scale better.) The reason for this is that these more recent operating systems were designed to be virtualized and Windows XP was not.
The current operating system kernel contains a technology called enlightenments, introduced in Windows Vista and Windows Server 2008 and present in Windows Server 2008 R2 and Windows 7. Basically, enlightenments are code that runs only when the operating system is virtualized. When the code is running, the enlightenments coordinate actions with the hypervisor to make sure that they’re interacting with the hardware as efficiently as possible. For example, when updating a cached memory mapping for the child partition, without enlightenments the operating system would instruct the processor to flush the cache for that entry without any caveats, which would slow memory mapping for any other child partition using that cache. Enlightenments allow the guest operating system to let the processor know that it should flush this cache only for the child partition doing the requesting. Other parts of the kernel operate with the same intelligence. When possible, they ask the hypervisor to pass on instructions to carry out only for the child partition requesting them, not the entire host and every guest running on it.
Windows 7 and Windows Vista were designed with virtualization in mind. Windows XP, however, was built before Hyper-V. Therefore, you might discover that you can host more Windows 7 VMs than Windows XP VMs per RD Virtualization Host for VMs with the same resource profile. Since Windows 7 guest VMs will also give the best user experience due to their full support for RDP 7 features, and Windows XP endpoints can only display RDP 5.2 features, in most cases Windows 7 VMs will be the best choice.

DIRECT FROM THE SOURCE

How Windows 2008 Improves VM Performance


Mark Russinovich
Technical Fellow at Microsoft and coauthor of Windows Internals, 5th edition

One way Windows improves the performance of child VM operating systems is that both Windows Server 2008 and Windows Vista implement enlightenments, which are code sequences that activate only when the operating system is running on a hypervisor that implements the Microsoft hypercall application programming interface (API). By directly requesting services of the hypervisor, the child VM avoids virtualization code overhead that would result if the hypervisor had to guess the intent of the child operating system.

For example, a guest operating system that does not implement enlightenments
for spinlocks, which execute low-level multiprocessor synchronization, would
simply spin in a tight loop waiting for a spinlock to be released by another virtual
processor. The spinning might tie up one of the hardware CPUs until the hypervisor
scheduled the second virtual processor. On enlightened operating systems, the
spinlock code notifies the hypervisor via a hypercall when it would otherwise spin
so that the hypervisor can immediately schedule another virtual processor and
reduce wasted CPU usage.

Another way Windows Server 2008 improves VM performance is to accelerate VM access to devices. Performance is enhanced by installing a collection of components, collectively called the VM integration components, into the child operating system.

If you run a VM without installing integration components, the child operating system configures hardware device drivers for the emulated devices that the hypervisor presents to it. The hypervisor must intervene when a device driver tries to touch a hardware resource to inform the root partition, which performs device I/O using standard Windows device drivers on behalf of the child VM’s operating system. Since a single high-level I/O operation, such as a read from a disk, might involve many discrete hardware accesses, it can cause many transitions, called intercepts, into the hypervisor and the root partition.

Determining System Requirements for RD Session Host Servers

You’ve looked at disk, processor, and memory internals in some detail. Armed with your newfound knowledge, answer this: If you have a server running 64-bit Windows Server 2008 R2 Standard Edition with 16 GB of RAM, a three-disk array, two quad-core processors, and a gigabit network, how many concurrent sessions can this RD Session Host server support?
The answer, of course, is that it depends on what the users logged into those sessions are doing. Many times, when you’re choosing hardware to support a given situation, you can take a well-established path to choose the hardware. Look at the product documentation for the operating system that you plan to run and the software that you want to buy, and it’s easy to tell what the hardware requirements are. Follow those guidelines and you should be all right.
With RD Session Host servers, it’s not that easy. Defining hardware requirements for this server role is more difficult than defining them for a server running Exchange Server, for example. A server running Exchange Server has a more predictable load. It sends mail and it receives mail. The mailboxes can be of a predetermined size limit, and the process of sending or receiving an email takes a predictable number of processor cycles. Given all that, if you know how many users are utilizing the server, you can determine what hardware to buy.
RD Session Host servers, in contrast, support individuals who might be doing various kinds of activities with differing types of applications. It’s possible to predict the hardware profile required to support 50 users getting email with a fair degree of accuracy. It’s much harder to predict the hardware needed to support 50 users on an RD Session Host server who are using a combination of the thousands (to be conservative) of business applications available. To know the load that an RD Session Host server can manage, you must have a very good idea what the individuals using it will be doing.
This might be frustrating to hear, but the most reliable way to determine how many people can use an RD Session Host server simultaneously is to try it. Install the server and the applications, get a representative group of users together, and keep adding users until performance slows to an unacceptable level. Alternatively, you can make some guesses based on a test run or on information derived from one session. Read on for more details about doing a test run or extrapolating usage information from a single representative session.

Baseline RD Session Host Requirements

Saying that you can’t know how many people can use an RD Session Host server at the same time given a certain hardware profile isn’t to say that there are no guidelines at all. Before getting into some procedures for load testing, let’s look at some basic recommendations for RD Session Host hardware.

Memory
Load up on memory. This is always true for an RD Session Host server, because many people will be using applications and loading data into memory at the same time, all in parallel. One person working on eight Microsoft PowerPoint presentations at the same time is bad enough, but 50 individuals doing the same thing can take quite a toll on a server.

Memory was an issue with terminal servers running Windows Server 2003, but it will
be more of an issue for RD Session Host servers running Windows Server 2008 R2.
The base operating system uses more memory now, for reasons that have nothing
to do with RDS. First, the server operating system runs Windows Internet Explorer
8, which uses more memory than Microsoft Internet Explorer 6. Any scenarios that
require the Microsoft native browser will be affected by this. Second, the shell
in Windows Server 2008 R2 and Windows 7 is more memory-intensive than that
in Windows Server 2003 and Windows XP. And with Windows Server 2008, these
additional memory consumers will affect an RD Session Host server in particular,
because these programs are all about the user experience.

Remember that 64-bit Windows uses more memory than 32-bit; a lot of the standard processes use more memory in the 64-bit version than they do in the 32-bit version. You need about 8 GB of RAM in an RD Session Host Server to bring it to parity with a 32-bit terminal server with 4 GB. However, at 16 GB, the RD Session Host server will start being able to support more users than the 32-bit server can.

Disk
As you saw previously, you must be sure to pay attention to your physical hard
disk layout. Everyone thinks about memory when sizing an RD Session server, with
processor power another obvious consideration. Not everyone takes disk I/O into
consideration, but a server supporting reads and writes for many users needs a wide
and unobstructed I/O path. Split data among multiple hard disks (20 to 30 users to a
disk spindle, as a guideline) for best performance and use hardware RAID 1 for disk
fault tolerance.

Network
Of course, network speed is important to a centralized computing environment. In-house, bandwidth should not be a problem, although you might consider a multi-homed server so you can dedicate one network card to Remote Desktop Protocol (RDP) traffic and one to serving file and print requests. Out of the corporate network, you’re dependent on networks you might not be able to control. To support remote users, consider a test run to determine the usability via the networks your users have available. What works well on the LAN might be difficult over a digital subscriber line (DSL); what works well via DSL is likely to be difficult over dial-up. Disable any features that use a large amount of bandwidth but aren’t required and be sure to set the RDP clients’ network hint appropriately for their connection type (see Chapter 6 for more about RDP).

Processor
Processor speed was unlikely to be your biggest bottleneck when running the 32-bit
version of Windows Server 2008, but it’s more important in 64-bit Windows where
memory is no longer constrained. Quad-core processors are common these days;
get a motherboard that has additional sockets. The amount of cache is more critical
to processor responsiveness than the processor’s speed. More cache provides more
space to store instructions that are quickly available to the processor to execute.
Incremental changes in megahertz (MHz) made a lot more difference when you
were moving from 66 MHz to 100 MHz. DFSS, introduced in Windows Server 2008
R2, automatically apportions processor time evenly among sessions.

DIRECT FROM THE FIELD

RDP Network Requirements


Jon Wojan
Senior Premier Field Engineer

Timothy Newton
Support Escalation Engineer

How much network bandwidth does a typical remote session require? The answer depends on a variety of factors, including but not limited to the following.

■ Pixel dimensions of the RDP session
■ Color depth of the RDP session
■ Redirected devices in the RDP session and their usage patterns
■ Amount of screen redraw done by user workload/multitasking and application repaints in the RDP session
■ Compression schemes being used on the RDP channel
■ Version of RDP being used

Due to the number of factors involved, any estimate would likely be wrong for
more than 90 percent of all scenarios. However, if you want to do some testing on
your own, you can use a third-party application that measures network traffic. One
option Tim uses is a tool called NetMeter, which shows a little graph of upload and
download in real time. Using a tool like this, you can easily see how much is going
up and coming down from a given client (or you could run it on the server and see
the overall load).

Defining Acceptable Performance

Your goal is to create an efficient and effective user experience. That user experience will be defined subjectively by three main criteria:
■ The logon process, including both how long it takes to log on, whether the server seems unresponsive or gives some feedback data, and how many times the user needs to supply credentials. Although the ideal user experience is to avoid logons totally—just sitting down and having applications open is easiest—you can create a reasonable experience if the wait isn’t unacceptably long and the process is fairly transparent.
■ Application responsiveness is crucial. Users must feel as though applications are responsive from the RD Session Host server or VM. A little lag might be acceptable, but not much, and if the delay is so great that users are typing ahead of the display, the IT department will likely receive complaints.
■ Files should load quickly when requested, and print jobs should print. When using the centralized application model, you might get better response times than are possible with desktop-based applications.

NOTE  Consider each of these criteria separately when designing a live test. That is, don’t try to measure performance data at the same time you’re measuring the number of simultaneous logons the server can support. If you mix scenarios, the two tests will interfere with each other. How can you tell how a server will perform on a daily basis if it’s stressed out at that moment from too many logons? Sort out the logon bottleneck, and then look to see how the servers will respond to day-to-day usage requirements.

Designing a Live Test

To create a live test, you need to know which applications are going to be run and how the users running them work so you can pick a representative group of users and applications. What is the plan for these RD Session Host servers?

Root the Test in Reality

There’s a lot of difference between running a low-impact point-of-sale application and running computer-assisted design (CAD) applications requiring lots of rendering. For a less extreme example, there’s even a difference between running Microsoft Office 2003 and Microsoft Office 2007, since the Office 2007 interface is more resource intensive. Test with the applications you expect to be running, not with a random or invented scenario that does not apply to your real-life expectations. If the server isn’t doing the work under normal circumstances, then your test results will be meaningless.

NOTE  Because of the memory sharing discussed earlier, the first RD Session Host server
session might use more memory than that of subsequent consecutive sessions—it depends
on the application usage profile. This is why running the live test helps: It shows the effect
of multiple instances running.

Generate Typical User Behavior

Similarly, you need to know how your users work. Are they intensive workers who pound at their applications all day (for example, inputting data or writing a long document)? Or will they be up and down, engaging the RD Session Host server on an occasional basis? Just checking the number of open sessions on an RD Session Host server doesn’t give you the information you need. Even if there are 100 open sessions, how many are active? How long have the inactive ones been idle?

NOTE  You might see references to knowledge workers and task-based workers when
researching RD Session Host server sizing. Knowledge workers conform to the profile that
was described in Chapter 1, “Introducing Remote Desktop Services”; they need access to
the data stored in the data center to do their job. Knowledge workers use many business
applications such as Office. Task-based workers generally input or review discrete chunks
of data, such as working a cash register displayed as a Windows application. Each profile
can involve light, medium, or heavy usage. Someone who’s using an RD Session Host server
to check their email a few times a day is a knowledge worker, but a light one.

If your final environment will be running a mix of users, try to get that mix represented in your live test. Does your work group include 75 knowledge workers and 25 task-based workers? If so, select three knowledge workers for every task-based worker for your test run. Ideally, get real workers to participate in this test so that you can receive usage data that accurately depicts typical user actions and needs throughout your workday. For instance, you might know that users typically open files located on a file server from their RD Session Host sessions. You might not know that these files are typically 100 MB each. It would be best if this is discovered during your test phase and not during rollout.

Executing the Tests

If your main concern is to determine how many users an RD Session Host server can support during the day, you’ll need to build an RD Session Host server using the instructions in Chapter 3. Install the applications you intend to use and make some representative files available to the users involved in the test. These are the steps you’ll follow:
1. Start an instance of the Performance Monitor, the Windows Server 2008 R2 performance monitoring tool. Begin monitoring the counters that are not session-specific.
2. Have the users log on.
3. Tune the Performance Monitor to record performance data for the activity in each of the user sessions for session-specific counters.
4. Ask logged-on users to start applications, load files, check email (if that’s a part of your test), surf the Web—in short, have them work as they would normally.
5. Let the test continue for a reasonable amount of time—perhaps an hour, or even longer.
6. Review the results and see the strain on the RD Session Host server as recorded by Performance Monitor.

Using Performance Monitor

Most of these steps are fairly self-explanatory, but using performance counters might be new to you. If so, read on for a walkthrough of how the monitoring process works.

COLLECTING THE DATA

To start the tool, click Start, Administrative Tools, and Performance Monitor.

NOTE  The process name for this tool hasn’t changed from previous versions of Windows
Server. You can also start it by selecting Start, Run, Perfmon.exe.

First, build a data collector set. Browse to Data Collector Sets. Right-click User Defined and select New, Data Collector Set, as shown in Figure 2-8.

FIGURE 2-8 Start by making a new data collector set.

BEST PRACTICES  Although you can monitor the counters from the Performance Monitor,
creating a data collector set makes it easier for you to reproduce your results.

Name your data collector set using a description of what you are collecting, such as “RDS User Test 1.” As shown in Figure 2-9, choose Create Manually (Advanced) and click Next.

FIGURE 2-9 Create a new data collector set manually.

The goal is to log data, not initiate alerts for error conditions, so choose to create data logs based on performance counters, as shown in Figure 2-10. Click Next.

FIGURE 2-10 Create a data log using performance counters.

Next, you need to add performance counters to the collection set. What counters should you include as part of a full test pass? Since you’re loading the server with many users, you can take a holistic view of the server rather than just focusing on what’s happening within a single session. See Table 2-2 for an example of counters that can tell you about the strain on the server.

TABLE 2-2 Performance Monitor Counters for a Full Test Pass

COUNTER: Processor\% Processor Time
DESCRIPTION: The percentage of elapsed time that the processor spends to execute a non-idle thread (in other words, the percentage of time the processor is doing anything useful).

COUNTER: Terminal Services Session\Total Bytes
DESCRIPTION: Total number of bytes sent to and from this session via virtual channels. Gives an idea of the traffic coming in and out of the session due to redirected device calls.

COUNTER: Physical Disk\Avg. Disk Queue Length
DESCRIPTION: Average number of I/O requests waiting for the disk. This number should not be more than 2.

COUNTER: Memory\Page Faults/Sec
DESCRIPTION: The rate at which the RD Session Host server is reading from and writing to the page file. Higher numbers indicate that the server might be low on memory for its user load.

COUNTER: Terminal Server Session\WorkingSetPeak
DESCRIPTION: The peak amount of virtual memory backed by RAM for a given session. This shows the demand for physical memory.

COUNTER: Terminal Server Session\% Processor Time
DESCRIPTION: The percentage of processor time a given session uses.

To add a counter, find the appropriate object in the list, as shown in Figure 2-11. Click the icon to expand the list of counters for that object. If you’re choosing a session-specific counter, choose the sessions to add it to; to choose all of them, choose <All Instances>.

FIGURE 2-11 Choose counters for each object that you want to monitor.

When you’re done selecting counters, click OK to display the list of counters that you’re monitoring. The default sample selection should be fine. Click Next.
Choose the location where you’d like to save the data (as shown in Figure 2-12) and click Next.

FIGURE 2-12 Specify the location to save your data collection set.

You can either save the data collector set to be initiated manually or edit the properties to set a schedule of when it should start and how long it should last. For the moment, assume that you’re going to start it manually, so choose that option from the list shown in Figure 2-13 and click Finish.

FIGURE 2-13 Save the data collector set to start it later.

When you’re ready to begin testing, return to the main screen of Performance Monitor and choose the saved set from the folder of user-defined data collector sets. Right-click to open the context-sensitive menu and choose Start, or click the green Start button, as shown in Figure 2-14.

FIGURE 2-14 Start the data collector set.

When you have finished with the test, go back to Performance Monitor, right-click the collector set, and choose Stop, or click the square-shaped Stop button located to the right of the green Start button.

REVIEWING THE DATA

To review the results of your test, go to the Reports area shown in Figure 2-15 to find the report identified with the name that you specified.

FIGURE 2-15 Find your report.

A report doesn’t have to show all the counters that you included in the original data collector set, but by default it does. To remove a counter that you don’t need, highlight it in the bottom section on the right pane and click the red X button at the top of the pane (or press the Delete key on your keyboard). Conversely, to add counters you want to show, click the green plus sign at the top of the pane on the right to open the dialog box shown in Figure 2-16. Only the objects for which you selected counters for the specified report will be available.

FIGURE 2-16 Choose the counters and specific object instances to display in your report.

Choose the object and the counters that you want to include, and because you are measuring the total user load, make sure that <All Instances> is selected in the Instances Of Selected Object list. <All Instances> is represented by the asterisk (*) symbol in the pane at right. Click OK when you’ve chosen all the counters.

NOTE  The Total option makes a total count for all selected instances; <All instances> tabs
each instance individually but monitors all of them.

Finally, click the Change Graph Type drop-down menu to the left of the green plus sign
and choose to display the information as a report (or press Ctrl+G twice), as shown in
Figure 2-17.

FIGURE 2-17  Change the report view to Report.

You should see data similar to Figure 2-18, displaying the results of your tests.

FIGURE 2-18  View the final report.

Using the RD Load Simulation Tool


Performance Monitor will graph or report on set activity periods on your RD Session Host
server, but it does not create activity on an RD Session Host. And before you go live with a
new RD Session Host environment or add a new application to an existing environment, you
should have a good idea that the server can handle the amount of activity that your users will
impose upon this machine.

One way to do this is to go through a testing phase, where you have test users log in and
use the system while you take readings with Performance Monitor. This is fine if you have
those test users and they can spare the time to do this kind of testing.
Another way to understand what your RD Session Host can and can't handle is to simulate
user sessions and user activity and monitor the server's performance while it's being taxed.
The RD Load Simulation Tool (RDLST) does just that. It simulates user sessions and individual
user activity on an RD Session Host server, given a set of parameters. You specify how many
users you want to simulate, and what you want these users to do (for example, open a
document, type some text, create a graphic image, or save the document). The tool will
programmatically start remote desktop sessions to the specified RD Session Host from the
designated clients and execute specified actions within each session. Based on how the server
reacts to the load you put on it, you can get an idea of whether your server hardware is
adequate for your needs, exceeds your needs (so you could add more users), or is about right.
By reviewing the performance data, you can also see which counters are showing strain.

ON THE COMPANION MEDIA  The RDLST is available at
http://www.microsoft.com/downloads/details.aspx?FamilyID=c3f5f040-ab7b-4ec6-9ed3-1698105510ad&displaylang=en.
This link is also located on the CD.

RDLST includes a controller component, a client agent, and a server agent, as shown in
Figure 2-19.

[Figure 2-19 diagram: the Simulation Script and the Simulation Configuration File (which
contains the simulation configuration parameters) feed the Controller, which starts, controls,
and ends the simulation. A network switch connects the Controller, the RD Session Host
(which hosts the client sessions), and Client Machines 1...n (each of which initiates a remote
desktop connection for each test user).]

FIGURE 2-19  The RDLST consists of the controller, server agent, and client agent.

The controller is responsible for configuring the test parameters. The test clients and RD
Session Host agents connect to the controller. The controller starts the test, monitors its
progress, and ends the test.
The clients are used to start remote desktop sessions on the RD Session Host. The RD
Session Host then hosts the remote desktop sessions started from the clients.
The RDLST is not a solution on its own. It requires scripts to perform the actions it is built
to run, like starting user sessions, running applications, and performing activities in each user
session (such as opening an application and doing some work). Scripts also perform other
pre-test and post-test functions, like starting and stopping Performance Monitor on the RD
Session Host server and ending user sessions.
The RDLST comes with installation instructions, guidance on how to build scripts to
perform tasks specific to your environment, and a reference guide, so there's no need to
duplicate that effort here. However, this section walks you through an example of how to set
up and run a simple test against an RD Session Host server using the following basic steps.
1. Install the agents on the designated test servers and clients.
2. Create test user accounts in Active Directory Domain Services (AD DS).
3. Create the script that will automate the user activities inside the user remote desktop
session.
4. Start the server and client agents.
5. Configure Performance Monitor on the RD Session Host.
6. Take a baseline Performance Monitor capture on the RD Session Host.
7. Configure the controller test parameters.
8. Start a Performance Monitor capture on the RD Session Host.
9. Start the simulation from the controller.
10. Run the simulation.
11. Stop the simulation.
12. Stop Performance Monitor data collection on the RD Session Host.
13. Review the Performance Monitor report.
In the next sections, you'll go through these steps in more detail.

Install the Agents on the Designated Test Servers


To begin, set up the controller, the clients, and the server for the test as follows.
■ Install the controller tools on a designated server. The controller is responsible for the
simulation configuration, and it also starts and ends the test. To install the controller,
run the RDLoadSimulationTools MSI file on the controller, and choose the Controller
Tools option.
■ To set up the clients, run RDLoadSimulationTools MSI on each of the clients that you
will use to generate the user sessions, and choose the Client Tools option.
■ To set up the server, run RDLoadSimulationTools MSI on the RD Session Host server
and choose the Server Tools option. Take care to run the 32- or 64-bit version of the
MSI that matches your operating system version.

NOTE  This simulation tool example assumes the availability of basic networking services
(AD DS, Domain Name System, Dynamic Host Configuration Protocol) and that all test
servers and clients can communicate with the other test machines.

Create Test User Accounts in AD DS


For the simulation to start remote desktop sessions, it needs user accounts to log in and start
the remote desktop sessions. To be used with the tool, these user accounts need to be set up
as follows.
■ User account names need to have the same prefix followed by a number suffix (for
example, TEST01, TEST02, TESTnn).
■ All user accounts need to use the same password.
Create these test user accounts in AD DS and add these accounts to the Remote Desktop
Users group on the test RD Session Host. Because every test account shares one password,
and the controller later stores that password in clear text in its configuration INI file, use a
lab-only password, keep the accounts in a dedicated OU with no other group memberships,
and disable or delete them when testing is finished. The following PowerShell code (also on
the CD as "Create30Users.ps1") will create multiple user accounts automatically, with the
same prefix, followed by a number, and place them in a specified organizational unit (OU). In
our example, the script creates 30 user accounts, named ASHTEST1, ASHTEST2...ASHTEST30,
with the password "P@ssword", placed in the ASH Users OU.

# Requires the Quest ActiveRoles cmdlets (see the note that follows). The OU is given as a
# distinguished name in the ash.local domain that this walkthrough's INI file uses.
1..30 | ForEach-Object {
    New-QADUser `
        -ParentContainer "OU=ASH Users,DC=ash,DC=local" `
        -Name "ASHTEST$_" `
        -UserPassword "P@ssword" `
        -UserPrincipalName "ASHTEST$_@ash.local" `
        -DisplayName "ASHTEST$_" `
        -SamAccountName "ASHTEST$_"
}

NOTE  This script uses Quest Software’s free Windows PowerShell commands for AD DS,
which you can download at http://www.quest.com/powershell/activeroles-server.aspx (the
link is also provided on the CD).
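
The following script is an added example; it is not the CD's Create30Users.ps1 or any Microsoft-supplied script. It does the same job with the ActiveDirectory module that ships with Windows Server 2008 R2, so no third-party cmdlets are needed, honors the controller's User Name Pad Count setting described later in this walkthrough, and also handles the Remote Desktop Users membership that the Quest script leaves to you. The domain name ash.local, the server name LOGAN, and the OU name are taken from this walkthrough's INI file; the NetBIOS name ASH and the use of the RSAT-AD-PowerShell feature are assumptions.

```powershell
# Added example, not the CD's Create30Users.ps1 or any Microsoft-supplied script.
# Creates padded RDLST test accounts with the ActiveDirectory module that ships with
# Windows Server 2008 R2 and adds them to the RD Session Host's Remote Desktop Users group.
# Assumptions: domain ash.local, NetBIOS name ASH, OU "ASH Users", RD Session Host LOGAN.
# Run as a domain administrator on a machine with the RSAT-AD-PowerShell feature installed.
Import-Module ActiveDirectory

$Prefix      = 'ASHTEST'
$Count       = 30
$PadCount    = 1        # must equal "User Name Pad Count" on the controller: 1 gives ASHTEST1..ASHTEST30, 3 gives ASHTEST001
$OuPath      = 'OU=ASH Users,DC=ash,DC=local'
$DnsDomain   = 'ash.local'
$NetBiosName = 'ASH'
$RdsHost     = 'LOGAN'
# All accounts share one password; the controller stores it in clear text in its INI file,
# so use a lab-only value and disable these accounts when testing is finished.
$Password    = Read-Host -AsSecureString 'Password for the test accounts'

# Remote Desktop Users is a local group on the RD Session Host, so use the WinNT provider.
$rdUsers = [ADSI]"WinNT://$RdsHost/Remote Desktop Users,group"

$created = @()
1..$Count | ForEach-Object {
    $name = '{0}{1}' -f $Prefix, ([string]$_).PadLeft($PadCount, '0')
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        New-ADUser -Name $name `
                   -SamAccountName $name `
                   -UserPrincipalName "$name@$DnsDomain" `
                   -DisplayName $name `
                   -Path $OuPath `
                   -AccountPassword $Password `
                   -PasswordNeverExpires $true `
                   -Enabled $true
    }
    # Adding an existing member throws; every other error is real and should stop the script.
    try   { $rdUsers.Add("WinNT://$NetBiosName/$name,user") }
    catch { if ($_.Exception.Message -notmatch 'already a member') { throw } }
    $created += $name
}

"Created or verified {0} accounts ({1} .. {2}); all are members of {3}\Remote Desktop Users." -f $created.Count, $created[0], $created[-1], $RdsHost
```

Run it once before the first test and again after changing User Name Pad Count; it is safe to re-run because existing accounts and memberships are skipped rather than recreated.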

Create the User Activity Script
As noted earlier, the RDLST doesn't run any applications on its own; it's the engine that
makes it possible. You'll need to create scripts to execute the applications and simulate user
activity. The RDLST guides tell you how to create these scripts, but they also include one
example to get you started. For the purpose of demonstrating how to use the tool, you'll
use the sample included in the box, melded into a single script and included on the CD as
Notepad.vbs. This script starts a remote desktop session, logs in a user, opens Notepad, writes
some text, and saves the text file. It is started for each of the user sessions invoked by the
controller.

NOTE  The SendKeys method will be very helpful to you in developing an interactive
script. See http://msdn.microsoft.com/en-us/library/8c6yea83(VS.85).aspx.
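
To show what the in-session part of such a script looks like, the following is an added example. It is not the Notepad.vbs sample on the CD or the sample shipped with RDLST, and it does not use the RDLST script API (the tool's reference guide covers how the controller launches a script and how a script signals that it has finished). It covers only the work done inside the session: open Notepad, type text through the SendKeys method mentioned above, save the file, and exit. It assumes that it runs inside the test user's remote desktop session, that Notepad accepts keystrokes within two seconds of starting, and that the user's profile folder is writable.

```powershell
# Added example; not the CD's Notepad.vbs and not the RDLST sample script. Only the
# in-session activity is shown: open Notepad, type via WScript.Shell SendKeys, save, exit.
# Assumptions: runs inside the test user's session, Notepad is ready within two seconds,
# and $env:USERPROFILE is writable.
param(
    [int]$Paragraphs = 5,        # how much typing each simulated user does
    [int]$KeyDelayMs = 50        # per-keystroke pause so the session generates sustained load
)

$shell = New-Object -ComObject WScript.Shell

function Send-Text {
    param([string]$Text)
    # SendKeys treats + ^ % ~ ( ) { } [ ] as control characters; wrap them in braces to send literally.
    foreach ($ch in $Text.ToCharArray()) {
        $s = [string]$ch
        $key = if ('+^%~(){}[]'.Contains($s)) { "{$s}" } else { $s }
        $shell.SendKeys($key)
        Start-Sleep -Milliseconds $KeyDelayMs
    }
}

$outFile = Join-Path $env:USERPROFILE ('rdlst-{0}-{1:yyyyMMdd-HHmmss}.txt' -f $env:USERNAME, (Get-Date))

$notepad = Start-Process notepad.exe -PassThru
Start-Sleep -Seconds 2
if (-not $shell.AppActivate($notepad.Id)) { throw "Could not bring Notepad (pid $($notepad.Id)) to the foreground" }

for ($i = 1; $i -le $Paragraphs; $i++) {
    Send-Text ("Paragraph $i typed by $env:USERNAME in session $env:SESSIONNAME at " + (Get-Date -Format 'HH:mm:ss') + ' {braces and (parens) survive escaping}')
    $shell.SendKeys('{ENTER}')
}

# Ctrl+S opens the Save As dialog for a new document; type the full path and confirm.
$shell.SendKeys('^s')
Start-Sleep -Seconds 1
Send-Text $outFile
$shell.SendKeys('{ENTER}')
Start-Sleep -Seconds 1

# Alt+F4 closes Notepad so the log-off script later finds a clean session.
$shell.SendKeys('%{F4}')
$null = $notepad.WaitForExit(10000)
"Saved $outFile"
```

SendKeys only reaches the foreground window, so keep the AppActivate check: if it fails (for example, because the session is still showing the logon banner), stopping immediately is better than typing into whatever window happens to have focus.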

Start the Client and Server Agents


Log on to the clients and servers with an Admin account. Installing the client and server
agents adds their icons to the Start menu, so you can start the agents from there or by
rebooting the computers. Make sure the firewalls on the client and server machines are turned
off or have firewall exceptions for this application in place so that the firewall ignores the
agents. For this example, the firewalls are turned off on all participating machines; do that
only on an isolated lab network, and prefer scoped exceptions for the agent executables
wherever the test machines are reachable from anything else.
The client agents automatically connect to the controller upon execution. When they do,
the dialog box for the client agent will say that it is "Connected." The server agent should also
connect automatically. If it does not, type the controller server's name into the Controller
input box and click Connect.

Configure the Controller Test Parameters


Next, configure the controller with the information that it needs to run the test. Start the
Controller software from the Start menu or by starting the executable (in this case, the 32-bit
build of the tool installed on a 64-bit operating system, which is why the path is under
Program Files (x86)) as follows.

C:\Program Files (x86)\TSPerfTools\RDLoadSimulationController.exe

This starts the Remote Desktop Load Simulation Controller, shown in Figure 2-20. The
controller shows the machines that connect successfully in the Status Events section.

FIGURE 2-20  The Remote Desktop Load Controller shows the test progression and active test users.

In the Target Server input box, type the name of the RD Session Host server. Then click
Configure to open the Configuration dialog box shown in Figure 2-21.

FIGURE 2-21  Configure the General tab to dictate events that should occur on the RD Session Host server
before and after the simulation runs.

Manipulate the data on each tab to create the details of how the simulation will work. In
the upper section of the General tab, dictate events that should occur on the RD Session Host
server before and after the simulation has run its course. For instance, to reboot the server
before the test (one way to start the server agent and to end any pre-existing user sessions),
select the Reboot Server Before Test check box. The three input boxes in this section are for
inputting paths to optional scripts that can be run before or after a simulation to prepare or
clean up the RD Session Host server. For instance, at the end of a simulation, you might want
to stop the Performance Monitor capture and log off the test users. The second section
performs similar tasks for the clients.

ON THE COMPANION MEDIA  Note that the first two sections in this simulation
example are not used here, but you might need to use them in your testing. A script
to log off the test users is located on the CD in the LogOffUsers.cmd file. A script to
stop the Performance Monitor capture is on the CD in the StopPerfMon.cmd file.

The Test End Mode drop-down box provides four choices that govern when the controller
will conclude that the test is ended.
■ Stay Alive  The test does not end.
■ Users Finished  The test ends when all users tell the controller that they are finished,
using the EndScript function.
■ Users Launched  The test ends as soon as the controller starts the last user script.
■ Users Launched – Timeout  The controller will wait for the specified timeout after
launching the last user before the test ends.
This example uses the Users Launched option.
First, configure the user accounts. In the User section of the General tab, specify the
user names of your test user accounts, the password for these accounts (now you see why
they should all have the same password), the name of the server running Exchange Server (if
needed), and the domain name. Test user account names in AD DS should match the settings
here. User Name Pad Count is the number of digits that will be added to the user name prefix
to reference the user names in the simulation. For instance, if the User Prefix is TEST and the
User Name Pad Count is 3, then the test will reference the user names TEST001, TEST002, and
TEST003.
Next, click the Clients tab and check that the right clients are selected and that each is
running the right number of sessions. All clients currently communicating with the controller
will be added automatically as test subjects on this tab. Select the Run Test Only On Selected
Clients option to modify the participating client list. At the bottom of the page, enter the
number of user sessions that you will run from each client. This example specifies that 20 user
sessions will be run per client. (Microsoft has tested the tool with up to 50 users per client, but
the number that will be able to run ultimately depends on the client hardware.)
Next, design how the load builds from the Test Progression tab. Enter the following
numbers according to the simulation needs and then click Add to add the data to the
simulation configuration.
■ User range  Specifies how many users you will activate with this simulation.
■ User Group Size  Specifies how many users are in a group.
■ Interval between users (sec)  Specifies the number of seconds that the controller
waits before starting the next user within the group.
■ Interval Between Groups (sec)  Specifies how many seconds will pass between
the end of one group's sessions starting and the beginning of the next user group's
sessions starting.
■ Speed Factor  Specifies how fast the scripts will be run. The scripts will run at the
normal speed when the speed factor is set to 1. They will run at double speed when speed
factor is 2, and so on.
Figure 2-22 shows the numbers used in this example simulation.

FIGURE 2-22  Add a list entry on the Test Progression tab.

Next, click the Scripts tab to pick the script or scripts that you'll use for the simulation. Click
Add Script to open the Add Script dialog box, shown in Figure 2-23.

FIGURE 2-23  Enter the full file path to the script to be used in the simulation.

Enter the full path or browse to each script that the RDLST tool will call to start the user
sessions on the clients, open remote desktop sessions on the test server, and do some work.
Enter a friendly name for each script. The friendly name will be used as the name of the
configuration INI file created next. Enter any optional parameters to be passed to the script in
the Parameters input box. This can be left empty if no optional parameters are required. In this
example, none are needed. Ignore the Script type pull-down menu because it is disabled in
this version of the tool. Click OK. Now highlight the script in the Available Scripts pane and
click the Add>> button in the middle pane to add the script to the Selected Scripts list, as
shown in Figure 2-24.

FIGURE 2-24  Add the simulation script to the Scripts tab.

Click the Custom Command Schedule tab. This example does not use any extra added
commands, but this tab allows for custom commands that will be run on servers based
on user events. For example, you could configure the test to run a script on the servers when
50 user sessions are started and again when 100 user sessions are started. After you have
configured the controller parameters, click OK in the bottom-right corner. Then click the Save
Configuration button on the General tab of the controller. This saves the configuration to an
INI file that can be used to populate the controller configuration for future tests. Call the
configuration file when starting the program to autopopulate the controller configuration with
the parameters from the INI file. The example's INI file looks like this.

[SCALCONTROLLER]
UserIndexMode=0
ServerAgentMode=1
TClientMode=0
RebootServerMode=0
RebootClientMode=0
UserPadCount=1
UsersPerMachine=20
TestEndMode=2
CommandTimeout=25
TestEndTimeout=0
UserPrefix=ASHTEST
UserPassword=P@ssword
DomainName=ash.local
ExchangeServer=
ServerName=LOGAN
ServerPreRebootCommand=
ServerPreTestCommand=
ServerTestCleanupCommand=
ClientPreRebootCommand=
ClientPreTestCommand=
ClientTestCleanupCommand=
TestDescription=Test to launch 30 user sessions, open Notepad, type some text and
;save the file...;
ProgressionListCount=1
Progression1=1-30-5-5-10-1
CommandListCount=0
ScriptListCount=1
ScriptName1=test.vbs - Notepad Test
[AVAILABLESCRIPTS]
ScriptsCount=1
ScriptName1=test.vbs - Notepad Test
[test.vbs - Notepad Test]
filepath=C:\test.vbs
parameters=
type=3

If you're running the 32-bit version, the INI file will be saved by default to the C:\Program
Files (x86)\TSPerfTools\ folder. The name of the file is the same name as the friendly name of
the script input on the Scripts tab. Because the file stores the test accounts' shared password
in clear text (the UserPassword line above), restrict access to that folder and never reuse a
production password for the test accounts. To call the file in the future, open a Run box on the
Start menu and type

"C:\Program Files (x86)\TSPerfTools\RDLoadSimulationController.exe" SCRIPT-NAME.ini

Configure Performance Monitor on the RD Session Host
Configure Performance Monitor on the RD Session Host server to capture data that shows the
load that the user sessions place on the server. Refer to the section titled "Using Performance
Monitor" earlier in this chapter for how to set up a data collector set. This example uses a
data collector set containing the counters listed in Table 2-2.

Take a Baseline Performance Monitor Capture


It's important to know what the performance results look like before you start the test so
that the true impact of the sessions is clear. To find out, make sure no users are logged onto
the RD Session Host server and run the capture by selecting the Data Collector Set made for
the simulation and then clicking the green Play button at the top of the right pane. Run the
capture for a minute or two. Figure 2-25 shows the results of this example's baseline capture
report. As expected, very little activity is logged in the resulting report.

FIGURE 2-25  The RD Session Host server's baseline Performance Monitor results show little activity.

Start the Performance Monitor and Start the Simulation


Performance Monitor needs to run during the session to capture the data. You can either
start it manually or from a script; if you'd prefer the latter, use StartPerfMon.cmd on the CD.
This script will start Performance Monitor automatically and start a capture given the name of
the data collector set. Add this script to the Server Setup Before Test input box on the General
tab of the controller configuration.
To start Performance Monitor manually, select the same data collector that was used in the
baseline capture and click Play. Then immediately start the simulation on the controller server
by clicking Launch Test.

NOTE  You can only start Performance Monitor manually if you are not choosing the
Reboot Server Before Test option on the General tab. Otherwise the perfmon log will stop
when the server reboots. In the reboot case, you need to set the Perfmonstart.cmd script
to run by adding it to the Server Setup Before Test box on the General tab of the controller.
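
The following added example shows what a start/stop script of that kind has to do; it is not the CD's StartPerfMon.cmd or StopPerfMon.cmd and not a Microsoft script. It drives the RD Session Host data collector set with logman.exe, the command-line counterpart of the Performance Monitor console, so that the controller's Server Setup Before Test and Test Cleanup boxes can start and stop the capture without anyone at the console, including after a Reboot Server Before Test. The set name RDLST-Sizing, the output folder, and the counter list are illustrative assumptions rather than Table 2-2; the Terminal Services Session counters are included because the extrapolation later in this chapter depends on them.

```powershell
# Added example, not the CD's StartPerfMon.cmd/StopPerfMon.cmd: create, start, stop or
# query an RD Session Host data collector set with logman.exe. Set name, folder and
# counter list are assumptions; substitute the counters from Table 2-2.
param(
    [ValidateSet('Create', 'Start', 'Stop', 'Status')][string]$Action = 'Status',
    [string]$Name = 'RDLST-Sizing',
    [string]$OutputDir = 'C:\PerfLogs\RDLST'
)

$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\Memory\Pages/sec',
    '\Paging File(_Total)\% Usage',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Terminal Services\Active Sessions',
    '\Terminal Services Session(*)\% Processor Time',
    '\Terminal Services Session(*)\Working Set Peak'
)

function Invoke-Logman {
    param([string[]]$Arguments)
    $output = & logman.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "logman $($Arguments -join ' ') failed with code $LASTEXITCODE`n$output" }
    $output
}

switch ($Action) {
    'Create' {
        $null = New-Item -ItemType Directory -Force -Path $OutputDir
        # 15-second samples, binary log; -v appends the start time so successive runs never overwrite each other.
        $cmdArgs = @('create', 'counter', $Name, '-c') + $counters +
                   @('-si', '00:00:15', '-f', 'bin', '-o', (Join-Path $OutputDir $Name), '-v', 'mmddhhmm')
        Invoke-Logman $cmdArgs
    }
    'Start'  { Invoke-Logman @('start', $Name) }
    'Stop'   { Invoke-Logman @('stop', $Name) }
    'Status' { Invoke-Logman @('query', $Name) }
}
```

Run it once with -Action Create on the RD Session Host (the set then appears under User Defined in the Performance Monitor console, so the baseline capture and the report review work exactly as described above). Assuming the script is saved as C:\Scripts\RdlstPerfMon.ps1, the controller's Server Setup Before Test box gets `powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\RdlstPerfMon.ps1 -Action Start` and the Test Cleanup box the same command with -Action Stop. logman needs an elevated account, which the server agent already has.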

Run the Simulation
After you start the simulation, the first thing you'll see is the user sessions starting on the
clients. The active test users will begin appearing in the Active Test Users box on the
Controller graphical user interface (GUI). The user sessions will also start appearing on the RD
Session Host's Users tab in Task Manager, as well as in the Simulation agent on the client.
As the simulation progresses, the controller logs status events; you can also view them in
real time on the controller's GUI, as shown in Figure 2-26.

FIGURE 2-26  The Remote Desktop Load Simulation Controller shows user session activity and logs
simulation status events.

During the simulation, Task Manager on the RD Session Host will give a quick overview of
how the sessions are taxing the server.

Stop the Simulation and Performance Monitor
The simulation is considered over when the Test End Mode specified on the controller's
configuration General tab occurs. This example specifies Test End Mode Users Launched. This
means that when all the users have been started, the controller considers the test complete.
When the specified Test End Mode is reached, a Test Completed event will be logged on the
controller in the Status Events window. Because Users Launched declares the test complete as
soon as the last session is launched, the in-session scripts are still running at that point; leave
the Performance Monitor capture running until they finish, or the report will miss the
steady-state load.
At this time, the user sessions need to be logged off from the RD Session Host, either
manually using Task Manager or Remote Desktop Services Manager or programmatically
using a script that is specified in the simulation configuration.
Next, stop the Performance Monitor capture; again, you can either do this manually by
clicking Stop or programmatically by using a script specified in the simulation configuration.
Figure 2-27 shows the activity in this example simulation from beginning to end.

FIGURE 2-27  The Task Manager on the RD Session Host shows the activity throughout the simulation.

Where the peak starts to drop on the Physical Memory usage history is where the
simulation ends. The very next plateau shows the user sessions disconnecting. Then the final
drop shows the user sessions logging off.

Review the Performance Monitor Report


To get the results of your effort, view the report corresponding to the simulation capture in
Performance Monitor on the RD Session Host. The report will be located in the Reports\User
Defined folder. Select the report by name, select the option to change the graph type, and
select Report. Compare this report to the baseline report taken before the simulation was
started. This example's baseline report is shown in Figure 2-28, and the simulation report is
shown in Figure 2-29.

FIGURE 2-28  The report contains data captured when monitoring an RD Session Host baseline
configuration.

FIGURE 2-29  The report contains data captured when monitoring an RD Load Simulation test running on an
RD Session Host server.

In short, using the RDLST will help you determine how many users can work
simultaneously on your RD Session Host servers and how well the load corresponds to the
hardware you have.

ON THE COMPANION MEDIA  See the book’s CD for a link to the RDLST to help
you programmatically determine how many people can use an RD Session Host
server based on your application set.

An Alternative to Full Testing: Extrapolation


Running a test pass of the RD Session Host server is the best way for you to get a true picture
of the session load that your hardware can handle before running a full pilot program. There
might be situations, however, in which you will be unable to run through a test pass. If no one
is available to help you, and you cannot use the RDLST, you can do a single pass on your own,
record the results with Performance Monitor, and extrapolate the number of users that
the server can handle from the results.
You will still need to set up your RD Session Host server and load the applications that you
will host. (To learn how to set up an RD Session Host server, see Chapter 3.) Where you can
save time is in user testing. Instead of mimicking your user environment with multiple user
sessions and with real user help, you can make some estimates by testing with one
representative user session and doing some math.
In this test model, most of the counters checked for the full test pass will not help you.
You can't really tell much about page file usage with only one user, and with only one session
you're not likely to be putting much strain on disk I/O. You can, however, tell what's going on
within the session itself.
To find out, create a data collector as discussed earlier in this chapter, including only the
Terminal Services Session counters for Working Set Peak and % Processor Time.

NOTE  Because your report doesn’t have to include every counter you collect data for, you
can reuse the one from the earlier walkthrough if you created it as you read.

Run the test as described previously, trying to mimic a user session (that is, open programs
your users will open, do some work, print pages, save files, and so on). When you've finished
collecting data, select the counters to view, as described previously in this chapter, and
choose to show a report of what's happening in that session (as opposed to choosing counter
data for <All instances> as in the test pass). View this step in Figure 2-30.

FIGURE 2-30  The report is based on session extrapolation.

Now that you have this report, what does it mean and how can you use it? You can view
the data in several ways.

The data shows that the % Processor Time is approximately 10 percent. To determine the
maximum users that can be supported with this processor, divide 100 percent by 10 percent;
the result is 10 users.

NOTE  You might have multiple processors in your RD Session Host server. Be aware that
two processors don't render twice the power of one. Instead, there is a sliding scale.
■ Approximately 1.8:1 when going from one to two processors
■ Approximately 1.65:1 when going from two to four processors
Therefore, if you have four processors in your RD Session Host server, you would use the
following calculations to compute Max Users.
100 percent divided by 10 percent = 10 users on one processor. Now take into account the
other three processors: 10 * 1.8 * 1.65 = 29.7, or about 30 users at full load.

With a single processor, the processor in this example would be the bottleneck, but that
might not always be the case. You must look at the peak working set for the session and weigh
that against the amount of RAM in the computer. In this example, the peak working set was
about 179 MB. Discounting for the requirements of the operating system, take the remainder
and divide it by 250 MB, a per-session allowance that leaves headroom above the measured
working set. As you can see, if the RD Session Host has 4 GB of RAM (a very low number for a
production RD Session Host server), the RAM should be able to support about 16 users running
the applications that you ran in your test.
So can this server support 30 users or 16 users? For best results, it pays to be conservative.
You should always use the lower number. On a server with this processor, with this amount of
RAM, it's safe to guess that you can reasonably support roughly 16 concurrent users.
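
The following is an added example, not from the book: the single-session extrapolation above written as a function, so the estimate can be re-run for any measured session and the lower of the two limits is always the one reported. The 1.8 and 1.65 processor factors and the 250 MB per-session divisor are the chapter's own rules of thumb. Two details are assumptions: the chapter gives no factor beyond four processors, so larger counts are capped at four with a warning, and the operating-system reservation defaults to 0 MB because that reproduces the chapter's 16-user figure for 4 GB; pass your own reservation for a real server.

```powershell
# Added example, not from the book: the chapter's one-session extrapolation as a function.
# 1.8 / 1.65 processor factors and the 250 MB divisor are the chapter's rules of thumb;
# the cap at four processors and the 0 MB default OS reservation are assumptions.
function Get-RdshUserEstimate {
    param(
        [Parameter(Mandatory)][double]$SessionCpuPercent,    # Terminal Services Session\% Processor Time, one user
        [Parameter(Mandatory)][double]$SessionWorkingSetMB,  # Terminal Services Session\Working Set Peak, one user
        [Parameter(Mandatory)][int]$TotalRamMB,
        [int]$Processors = 1,
        [int]$OsReserveMB = 0
    )
    if ($SessionCpuPercent -le 0) { throw 'Session CPU percentage must be positive' }
    if ($Processors -gt 4) { Write-Warning 'No scaling factor is given beyond four processors; treating as four'; $Processors = 4 }

    # CPU: users one processor carries, then the chapter's diminishing-return steps.
    $cpuUsers = 100 / $SessionCpuPercent
    if ($Processors -ge 2) { $cpuUsers *= 1.8 }
    if ($Processors -ge 4) { $cpuUsers *= 1.65 }

    # RAM: what is left after the OS, divided by 250 MB per session. The divisor already
    # carries headroom over the measured working set, so warn when a session exceeds it.
    if ($SessionWorkingSetMB -gt 250) { Write-Warning "Working set $SessionWorkingSetMB MB exceeds the 250 MB allowance; using the measured value" }
    $perSessionMB = [math]::Max(250, $SessionWorkingSetMB)
    $ramUsers = ($TotalRamMB - $OsReserveMB) / $perSessionMB

    $cpu = [math]::Round($cpuUsers)
    $ram = [math]::Round($ramUsers)
    $bottleneck = if ($ram -lt $cpu) { 'RAM' } else { 'CPU' }
    [pscustomobject]@{
        CpuBoundUsers = $cpu
        RamBoundUsers = $ram
        Bottleneck    = $bottleneck
        Recommended   = [math]::Min($cpu, $ram)    # always the lower number
    }
}

# The chapter's example: 10 percent CPU, 179 MB peak working set, 4 GB RAM, four processors
Get-RdshUserEstimate -SessionCpuPercent 10 -SessionWorkingSetMB 179 -TotalRamMB 4096 -Processors 4
# The single-processor variant is CPU-bound at 10 users instead
Get-RdshUserEstimate -SessionCpuPercent 10 -SessionWorkingSetMB 179 -TotalRamMB 4096
```

The four-processor call returns 30 CPU-bound users, 16 RAM-bound users, and a recommendation of 16 with RAM as the bottleneck, which is the chapter's conclusion; the single-processor call flips the bottleneck to CPU at 10 users.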

DIRECT FROM THE SOURCE

Server Sizing Tips


Costin Hagiu
Remote Desktop Services Test Architect, Microsoft

Hammad Butt
Software Development Engineer II (Test), Microsoft

If detailed information about user activity on the RD Session Host or RD Virtualization
Host server is not available, then you can make some estimates about how many
resources each session will need as follows.

■ Allocate a percentage of a processor to a user based on how much CPU you
expect users to need for running their tasks. For example, if you expect your
users to need approximately 5 percent of the CPU's capacity for their work,
expect to have about 20 users per CPU.

■ You will have to buy RD Session Host servers. This is especially true if you
propose to virtualize the RD Session Host servers and want to get the benefits
of Second-Level Address Translation (SLAT). Older servers won’t have this
technology.
■ You will have to buy RDS client access licenses (RDS CALs) for users to connect
to those servers, regardless of how many servers they’re connecting to. If
you’re using any additional management software on those RD Session Host
servers, you’ll need to purchase those components as well. For example, if
you install Citrix XenApp on your RD Session Host servers, you’ll also need to
purchase both RDS CALs and per-connection licenses from Citrix.
People use RDS for many, many reasons and frequently discover that it’s possible
to reduce long-term costs and increase productivity. Upfront costs aren’t the best
way to determine how to build a sustainable platform, however. Reducing capital
expenditure isn’t generally the goal; reducing operations cost is.

Going back to the original question: Should you have one large server or two (or
more) smaller ones? Most often, you’ll find more servers—scaling out, not up—to
be the more cost-effective and fault-tolerant option. The larger the dual inline
memory modules (DIMMs), the more they’ll cost. More servers also means more
disk I/O paths. In addition, even in a small deployment, with a second or third
server, you create some redundancy in your environment by not relying solely on
one RD Session Host server.

Other Sizing Questions


Thus far, this discussion has focused on what you need to know to size an RD Session Host
server properly when that server is running on a physical computer. Let's take a look at other
sizing scenarios.

Sizing RD Virtualization Host Servers


The previous discussion about sizing focused mainly on RD Session Host servers. What about
RD Virtualization Host servers; how many VMs can you support per host?
Although the answer to this question still depends on what people are doing on those
VMs, sizing VMs is a bit more like sizing physical desktops than like estimating the number
of people who can concurrently use an RD Session Host server. With Windows Server 2008
R2, you assign a certain amount of RAM to each VM when creating it, so if you have 10 VMs
and x RAM, the absolute maximum of memory that each running VM can have is x/10, minus
whatever the hypervisor needs to operate. After it's created, you can also tweak the other
hardware settings. A decent rule to remember for VMs using RDP for remote display is that
you can run 4 VMs per core. Always test, though, because the configuration for those VMs
will make or break the sizing.

One consideration you might not think of is the operating system that you're using in the
guest VMs. Counterintuitive as it might seem, Windows 7 might scale better than Windows XP
even though the Windows XP shell uses less memory. The reason, as discussed earlier in this
chapter, is that Windows 7 was designed to take advantage of virtualization and Windows XP
was not. Therefore, Windows XP is less efficient when it comes to memory management and
processor requests, or any kernel activity, really. Although you might need to run Windows
XP for application compatibility reasons in some cases, it might be better to use Windows 7.
Again, try it and see.

What About Sizing Other RDS Roles?


Do other RDS role services face the same constraints as an RD Session Host server?
The short answer is "Not really." You will learn about the internal workings of each server
role as it's introduced in this book, but here's a quick overview of what other role services are
doing.
■ An RDS Licensing server provides per-device RDS CALs or updates AD DS to show
usage of a per-user RDS CAL on a user account object, depending on whether the RD
Session Host server using the license server is in per-user mode or per-device mode.
This is not a demanding workload.
■ A Remote Desktop Gateway (RD Gateway) server examines incoming connections and
permits them or refuses them based on the rules that you set up. If a connection to a
resource is permitted, the connection will be proxied through the RD Gateway server.
The main constraint on RD Gateway performance is the number of simultaneous
incoming connections and the number of network packets in each one compared to the
network speed; keep in mind that the server can maintain hundreds of connections.
■ A Remote Desktop Connection Broker (RD Connection Broker) examines incoming
connection requests and determines which endpoint (RD Session Host server or VM)
they should be routed to based on its brokering logic and the type of endpoint
requested. After a connection has been made, the RD Connection Broker is no longer
involved, but all incoming connections to all sessions and VMs will go through this
server role.
■ A Remote Desktop Web Access (RD Web Access) server accepts incoming Hypertext
Transfer Protocol (HTTP) connections to generate RDP files on the fly. When delivered,
those RDP files provide a direct connection to an RD Session Host server. This server
can be sized like any other web server.
In short, with the exception of RD Gateway, other RDS role services generally handle short
transactions and then pass the more substantial duties to an RD Session Host or RD
Virtualization Host server. The load really isn't very large except during heavy logon times, when
they're processing a lot of connections. Ensure that the RD Gateway (and RD Web Access,
whichever users are going to first) has sufficient bandwidth to handle the expected load of
concurrent incoming connections. Otherwise, the servers should be able to function well if
they meet the requirements for Windows Server 2008 R2.

Can I Run RDS in a VM?

Virtualization is one of the hot topics today. Does virtualization mix with RDS? The answer to the question is, of course, that it depends.
Part of the answer depends on what roles you want to virtualize. Obviously, RD Virtualization Host requires you to use Hyper-V to host the VMs. For many other role services (for example, RD Gateway, RD Connection Broker, RD Web Access, or RD Licensing), running in a VM will probably work fine, although you might be able to support fewer simultaneous connections in a VM than you can on a physical machine. In fact, for years, Terminal Services administrators have run license servers in virtual computers to make it easier to maintain a backup. (This isn't necessarily supported by Microsoft, depending on the VM platform used, but it is done.)
Virtualizing RD Session Host servers on Hyper-V is supported, but the performance will depend on a few factors. The biggest factor is whether the hardware platform supports SLAT. As was discussed earlier in this chapter, virtualization complicates memory management. Any operating system has to map virtual memory addresses to physical RAM to retrieve data. Hypervisors have a harder job in that they must keep track of three things:
■ Physical memory
■ The physical memory each VM guest is using
■ The virtual memory each VM guest is using
Remember the page table that the memory manager uses to map virtual memory addresses to RAM? Without hardware help, the hypervisor maintains a shadow page table for every guest VM. On a memory-intensive server like an RD Session Host, that's a lot of memory mapping for the hypervisor to keep track of. Every time the guest VM updates its page table, the hypervisor has to update its shadow page table. Although these tables have to be stored in memory, the problem isn't really running out of memory addresses; on a 64-bit operating system like Windows Server 2008 R2, that's not likely to be an issue. It's actually a problem of processor cycles, because the processor has to chew up cycles updating the shadow page tables.
SLAT-enabled processors improve the situation by performing the address translation in hardware. The processor walks both levels of page tables itself: the guest's own tables (guest virtual to guest physical) and a second level maintained by the hypervisor (guest physical to host physical). In other words, on a SLAT-enabled server the hypervisor no longer has to shadow every guest page-table update, because the hardware does the two-level lookup. The result is that a virtualized RD Session Host server can support more sessions than a virtualized RD Session Host running on non-SLAT hardware. Both memory usage and processor overhead will drop.
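Before committing RD Session Host VMs to a given host, it is worth confirming that the processor actually exposes SLAT. On Windows Server 2008 R2 the usual way is Sysinternals Coreinfo, which prints one line per CPU feature with a "*" (present) or "-" (absent) marker. The PowerShell function below is an example added for this edition, not from the book or from Microsoft; it parses Coreinfo -v output and reports whether Intel EPT or AMD NP (RVI) is present. The column layout and the feature names EPT, NP and HYPERVISOR are assumed from Coreinfo's current output format, the sample text is constructed rather than captured, and the coreinfo.exe path is a placeholder.

```powershell
# Added example: parse "coreinfo -v" output to decide whether a Hyper-V host
# has SLAT (Intel EPT or AMD NP/RVI). Assumed Coreinfo feature-table layout:
#   <FEATURE><spaces><* or -><spaces><description>
function Get-SlatSupport {
    param(
        # Text of "coreinfo -v" output, one line per string.
        [Parameter(Mandatory)] [string[]] $CoreinfoLines
    )

    # Feature names Coreinfo uses for second-level address translation (assumed).
    $slatFeatures = @{ 'EPT' = 'Intel Extended Page Tables'; 'NP' = 'AMD Nested Page Tables (RVI)' }
    $result = [ordered]@{ Slat = $false; Technology = $null; HypervisorPresent = $false }

    foreach ($line in $CoreinfoLines) {
        # Columns: name, marker (* = present, - = absent), description
        if ($line -match '^\s*(?<name>[A-Z0-9_]+)\s+(?<flag>[\*-])\s') {
            $name    = $Matches.name
            $present = ($Matches.flag -eq '*')
            if ($name -eq 'HYPERVISOR' -and $present) { $result.HypervisorPresent = $true }
            if ($slatFeatures.ContainsKey($name) -and $present) {
                $result.Slat       = $true
                $result.Technology = $slatFeatures[$name]
            }
        }
    }
    [pscustomobject]$result
}

# Constructed sample (not captured from a real machine) for an Intel host
# with no hypervisor loaded yet.
$sampleIntel = @'
Intel(R) Xeon(R) CPU           X5570  @ 2.93GHz
HYPERVISOR      -       Hypervisor is present
VMX             *       Supports Intel hardware-assisted virtualization
EPT             *       Supports Intel extended page tables (SLAT)
'@ -split "`r?`n"

Get-SlatSupport -CoreinfoLines $sampleIntel | Format-List

# Live check. Run this on the bare OS before the Hyper-V role is enabled:
# once a hypervisor is running (the root partition included), the CPU
# virtualization flags are hidden and HYPERVISOR shows "*".
$coreinfo = 'C:\Tools\coreinfo.exe'   # placeholder path, adjust for your environment
if (Test-Path $coreinfo) {
    $live = Get-SlatSupport -CoreinfoLines (& $coreinfo -v -accepteula)
    if ($live.HypervisorPresent) {
        Write-Warning 'A hypervisor is already running; CPU flags are hidden. Check before enabling Hyper-V.'
    } elseif (-not $live.Slat) {
        Write-Warning 'No SLAT: expect extra hypervisor CPU overhead for RD Session Host VMs.'
    } else {
        "SLAT available via $($live.Technology)"
    }
}
```

The sample run reports Slat = True with Technology "Intel Extended Page Tables". The warning about a running hypervisor matters in practice: Coreinfo run on a host that already has the Hyper-V role installed will show the virtualization features as absent, which is easy to misread as "no SLAT".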

DIRECT FROM THE FIELD

How SLAT Reduces Overhead on Virtualized RD Session Hosts

Janique Carbone
Coauthor of Microsoft Windows Server 2008 Hyper-V Resource Kit

With respect to memory management, Windows Server 2008 R2 Hyper-V supports a new feature named Second-Level Address Translation (SLAT). SLAT
uses AMD-V Rapid Virtualization Indexing (RVI) and Intel VT Extended Page Tables
(EPT) technology to reduce the overhead incurred during virtual to physical address
mapping performed for VMs. Through RVI or EPT respectively, AMD-V and Intel VT
processors maintain address mappings and perform (in hardware) the two levels
of address space translations required for each VM, reducing the complexity of the
Windows hypervisor and the context switches needed to manage VM page faults.
With SLAT, the Windows hypervisor does not need to shadow the guest operating
system page mappings. The reduction in processor and memory overhead associ-
ated with SLAT improves scalability with respect to the number of VMs that can be
concurrently executed on a single Hyper-V server. As an example, the Microsoft RDS
team recently blogged about performance tests conducted using an internal simu-
lation tool on a Windows Server 2008 Terminal Services configuration running as a
VM on Windows Server 2008 R2 Hyper-V. The results showed that a SLAT-enabled
processor platform increased the number of supported sessions by a factor of 1.6 to
2.5 when compared with a non-SLAT processor platform. Overall, Microsoft reports
that with SLAT-enabled processors, the Windows hypervisor processor overhead
drops from about 10 percent to about 2 percent and reduces memory usage by
about 1 MB for each VM.

Although RVI is not required to support workloads running on Windows Server 2008 R2 Hyper-V, if you intend to run memory-intensive workloads like RDS, Microsoft SQL Server, or web services, you should strongly consider using a SLAT-enabled
AMD-V or Intel VT platform to take advantage of the performance improvements
provided for your virtualized workloads.

If you're running the RD Session Host servers on older Hyper-V hosts that don't support SLAT, the configuration is still supported as long as you're using Hyper-V, but your results will depend on how heavily used the RD Session Host servers are. If the load is very light, say only a few users per server, this might be practical and allow you to avoid dedicating a physical server to an undemanding role. For RD Session Host servers with heavier usage, however, this isn't likely to be a good fit, for several reasons:

■ Disk I/O bottlenecks  You've learned how best practices for RD Session Host servers recommend one disk spindle (one physical disk, usually) for each 20 to 30 users. Several RD Session Host VMs on one physical host all compete for that host's spindles, so the ratio is hard to keep.
■ Memory constraints  RD Session Host and RD Virtualization Host servers are memory-hungry. A VM host must have a lot of RAM to support many RD Session Host servers, and that host could end up being very expensive. Most servers top out at eight slots for RAM. As of this writing, 8-GB DIMMs cost three to four times as much as 4-GB DIMMs. Financially, you're better off with a second server than with one server holding twice as much RAM in larger DIMMs.
There is a place for hosting RDS role services (such as a license server) on VMs, however, even if the host does not support SLAT. Connection brokers and license servers don't need a lot of resources to keep running.

Supporting Client Use Profiles

You've heard a lot about servers, and specifically the RDS role, in this chapter. But you also need to consider your users when planning. What kinds of computers do they need? What licensing model should you follow to best support their work patterns?

Client Hardware: PC or Thin Client?

This is another one of those "it depends" situations. The reasons that make thin client devices a requirement for some people just don't apply to all situations, and the same is true for PCs.

NOTE  For those new to RDS, a thin client is a simple computer that is intended to act
entirely or almost entirely as a client to a remote endpoint (for example, RD Session Host
or VM on an RD Virtualization Host). Clients supporting RDP connections typically run
Microsoft Windows CE or an embedded version of Windows. (You’ll see some Linux-based
thin clients, but the RDP clients on Linux are neither developed by nor supported by
Microsoft.)

PCs with local processing power have become so inexpensive that they're a commodity item in many places; look at netbooks for one example. Purchasing thin clients won't generally save you money on hardware. The reasons why you'd choose thin clients are different, as follows:
■ When or where PCs won't work well because of space, vibration, and other environmental issues
■ When the cost of maintaining individual, personalized computers is very high because of frequent user turnover

■ When client lockdown is vital. Since thin clients don't generally run applications locally and don't have access to data unless they're connected to the remote endpoint, they are easier to secure; nearly all of the security work is on the endpoint. The device's firmware and RDP client still need to be kept current, though, because the user's credentials pass through it.
■ When a user desktop needs to be extremely replaceable. If a PC stops working and you need to replace it, a full replacement is bulky and, if the PC is customized at all for the user, time-consuming. Replacing a thin client means unplugging one terminal and plugging in the new one.
Thin clients generally work best when it's acceptable for all applications to execute on the remote endpoint (session or VM). It is technically possible to preload a thin client running a full Windows operating system such as Windows XP Embedded with applications, but this would be extremely expensive because of the amount of flash memory and RAM required to store and run those applications locally.

NOTE  As of this writing, thin clients running Windows CE Embedded do not support
RemoteApp programs, discussed in Chapter 3 and Chapter 9, “Multi-Server Deployments.”

Outside of those specialized settings where terminals shine, PCs (whether desktops, netbooks, or laptops) are generally the preferred option for one or more of the following reasons:
■ Not all applications might be running remotely. If some applications don't remote well, they might need to be installed on the client.
■ The user needs access to the applications when disconnected. Mobile workers often do well with RDS, as discussed in Chapter 1, but travelers also go offline at times, such as when they are on airplanes.
■ You plan to use secure access from the Internet via RD Gateway. At this time, RD Gateway does not work with Windows CE, so the lightest-weight thin clients won't work.
■ You need local processing power to optimize the remote experience. RDP 7 sends Windows Media Player content from the remote endpoint to the client for processing, which looks terrific. However, this requires being able to process the content locally.
In short, you're most likely to use thin clients to support task-based workers running applications on a LAN, and PCs for users with more complex usage scenarios (offline access, WAN access, and/or a mix of locally executing applications and RemoteApp programs).

What's the Best License Model?

You'll learn about RDS Licensing and how it works in detail in Chapter 12, "Licensing Remote Desktop Services," but RDS CALs are worth a mention when you're planning your RDS deployment.
RD Session Host servers support either per-device or per-user RDS CALs. Per-device RDS CALs are associated with a particular computer (either PC or thin client). Per-user RDS CALs are associated with a particular user. An RD Session Host knows which type of license to ask for based on whether you've configured it to be in per-user or per-device mode. RDS does not have concurrent-user licensing.
The question "Which license mode is better?" can best be answered by "Which will cost the least amount of money while still allowing us to comply with the End User License Agreement (EULA)?" To calculate the answer, just consider whether you have more computers or more users. Organizations doing shift work, where three people might use the same computer, will benefit from the per-device mode. Organizations in which the ratio is one user to every computer, or even two computers to every user (for example, if many users have both a desktop computer and a laptop), will benefit from the per-user mode.
Each licensing mode has a limitation, or at least a consideration. Per-user licensing works only with Windows Server 2003 or later and requires Active Directory/AD DS; you cannot use it in a workgroup or within a domain prior to Windows Server 2003. This is because the license usage is stored as a property of the user's account object. In addition, the license server must be able to update the domain controller to write this property. Although per-device licensing does not have this limitation, the license is associated with a particular device. This can sometimes lead to complications when you retire a PC or are using a thin client that does not store the per-device RDS CAL properly and keeps requesting a new one whenever it connects (not often a problem anymore, but it used to be with some models).
There is one other major difference between per-user and per-device licensing in Windows Server 2008 R2: per-device licensing is enforced, whereas per-user licensing is only tracked. This does not mean it is okay to break the EULA. You still need to buy a per-user license for each person accessing one of your RD Session Host servers.

NOTE  Only RD Session Host enforces or even tracks licensing, but using any RDS role
service (RD Gateway, RD Connection Broker, etc.) requires an RDS CAL. To learn more about
how licensing works, see Chapter 12.

What Applications Can I Run on an RD Session Host Server?

OK, you're convinced. You'd like to add RD Session Host servers to your IT infrastructure. One question remains: Can you use these servers to host all your current applications?
This is a great question to which there is no definitive answer. Microsoft does not maintain a list of third-party applications tested with RDS. No current logo program requires ISVs to test applications on RD Session Host servers. Therefore, not all application vendors test their applications on RD Session Host servers. How can you find out what will work well, what will work well with a little help, and what won't work at all?

NOTE  Although application vendors might not test on RD Session Host servers, if an application is certified to run on Windows 7, it should run on an RD Session Host server. Not all features might work as well as they would if the application were installed locally (it depends on what you want the application to do and whether that strains what can be done on a shared server displaying the application on a remote client), but the main features of most applications certified to run on Windows 7 should work on Windows Server 2008 R2 RD Session Host servers.

There are three main ways that you can find out if an application will work on an RD Session Host server (or what you'll need to do to it to make it work well) before actually installing it:
■ Ask if the vendor supports the application on an RD Session Host server, and ask about the recommended configuration. If the vendor has not tested the application on a shared server, you might need to get into some details about the application design. Table 2-3 includes some of the details that you should learn about an application before attempting to run it on an RD Session Host server. This is especially applicable to older or proprietary applications; most applications certified to run on Windows 7 should not have any problems running on a Windows Server 2008 R2 RD Session Host server. They might be resource-intensive, depending on the application (few application developers design with a shared computer in mind), but they will avoid the design flaws that prevent an application from running properly.
■ Check to see if anyone else has successfully run the application on an RD Session Host server. This can be as simple as doing a web search for the name of the application plus "RD Session Host server" ("terminal server" should also work and might generate more hits, because that name has been around longer), or going to the website of an independent software vendor (ISV) who packages applications for automatic deployment on an RD Session Host server. Knowing that it's been done might not tell you how to tweak the application to make it work on an RD Session Host server, but it will at least inform you that it's been done.

NOTE  See the Remote Desktop Services Community Verified Compatibility Center for a list of applications that have been tested on RDS. The site is at http://www.microsoft.com/rds/compatibility/Default.aspx.

■ Use the RDS Application Analyzer to examine how the application operates and whether it's doing anything that will cause problems in a multi-user environment in which a user does not have administrative privileges.

TABLE 2-3  Application Design Questions

Characteristic: Will the application setup automatically begin Add/Remove Programs? (Applies to non-MSI programs only.)
Background: An RD Session Host server has a special mode called Install Mode for installing applications properly for multiple users, which the administrator can set from the command line or by using Add/Remove Programs. If the setup routine is started from Windows Explorer or the command line, the server should change modes.
Implications: If an application does not install in Install Mode, it will not support personalization for each person using it.

Characteristic: Will the application permit multiple versions to be run on the same RD Session Host server?
Background: Different versions of an application might use identically named but different DLLs.
Implications: If more than one version of an application is running on the same RD Session Host server, the applications might have a DLL conflict and not run properly. This issue often can be avoided by creating a server farm to deploy applications or by using App-V.

Characteristic: Does the application separate per-user and per-machine registry data, or does it assume that one user equates to one computer?
Background: Applications might store configuration data in HKEY_LOCAL_MACHINE (the registry hive relating to the computer) or in HKEY_CURRENT_USER (the registry hive relating to the currently logged-in user). RD Session Host servers will have one instance of HKCU for each logged-in user.
Implications: Since many people are running applications on the same RD Session Host server, for personalization to be supported, the application must separate per-machine and per-user data.

Characteristic: Does the application separate per-user and per-machine configuration data, or does it assume that one user equates to one computer?
Background: Applications might store configuration data in the system files, but these might not be (and should not be) available to everyone logged on to the shared server. Applications should store personalized data structures by user.
Implications: Since many people are running applications on the same RD Session Host server, for personalization to be supported, the application must separate per-machine and per-user data.

Characteristic: Does the application allow (or disallow) multiple instances of itself to run as appropriate?
Background: Some administrative applications should only be started once to work best. (A disk-management utility that can mount or format disks is one good example.) Business applications on an RD Session Host server should start more than once, but older apps might permit only one instance of themselves.
Implications: More than one instance of a management application could end up in inconsistencies in user or machine configuration that might result in serious problems. For business applications, if it will run only one instance, it's useless on an RD Session Host server. It might still run in a VM, however.

Characteristic: Does the application separate computer and user identities?
Background: Some older network applications identify themselves by computer name (or IP address), but on a shared computer this doesn't work properly. Applications that have a network presence should be user-specific (like MSN Messenger, for example), not computer-specific (like the old WinChat used to be).
Implications: If an application identifies itself by the computer it's running on, then it can't map to a specific user running that application on a shared computer. IP virtualization in Windows Server 2008 R2 does not enable static mappings of user identity to IP addresses.

Characteristic: Does the application assume that the Windows Explorer shell is always present?
Background: Applications should not assume that Windows Explorer will be available, especially now that RemoteApp programs are used. (In addition, your user configuration for File-Save Locations should not assume that the Desktop is available.)
Implications: If an application assumes the Windows Explorer shell is being used, then it might not work properly as a RemoteApp.

Characteristic: How does the application communicate with any external hardware resources?
Background: If the application needs to communicate with any external hardware resources, then it should use ports that are supported for redirection.
Implications: Hardware requiring ports that are not supported for redirection won't work from within an RD Session Host server session.

Characteristic: Does the application assume that the TEMP directory is persistent?
Background: A user's TEMP directory will be cleaned up when the user logs off a session.
Implications: If the application stores data in Temp files, then that data will be deleted with the TEMP directory when the user logs off.

Characteristic: Does the application rely on a particular version of Internet Explorer?
Background: You can't install Internet Explorer 6 (for example) on an RD Session Host server, which comes with Windows Internet Explorer 8.
Implications: If a web application requires a previous version of Internet Explorer, then you'll need to run it on an operating system that supports it. This might be worked around by using Windows XP in a VM as a host.

Characteristic: The application is available in 16-bit only.
Background: Windows Server 2008 R2 is a 64-bit operating system. It can run both 32-bit and 64-bit applications, but not 16-bit.
Implications: A 16-bit application will not run on Windows Server 2008 R2.
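The Install Mode row in Table 2-3 is the one most often skipped in practice, because MSI packages handle it automatically and legacy setup programs do not. The PowerShell wrapper below is an example added for this edition, not from the book or from Microsoft: it puts the server into Install Mode with the built-in change user command, runs a non-MSI setup, and always switches back to Execute Mode, verifying the mode with change user /query before and after. The function names are mine, the setup path and silent switch are placeholders, and the exact wording of the /query output ("Application INSTALL mode is enabled.") is assumed from Windows Server 2008 R2.

```powershell
# Added example: install a legacy (non-MSI) application on an RD Session Host
# in Install Mode and return to Execute Mode afterwards, whatever happens.
# "change user" is the built-in command; "/query" prints the current mode.

function Get-RdshUserMode {
    # Returns 'Install' or 'Execute' based on "change user /query" output
    # (assumed wording: "Application INSTALL mode is enabled." or
    # "Application EXECUTE mode is enabled.").
    $text = (& change user /query) -join ' '
    if ($text -match 'INSTALL mode') { return 'Install' }
    if ($text -match 'EXECUTE mode') { return 'Execute' }
    throw "Unexpected output from 'change user /query': $text"
}

function Install-LegacyAppOnRdsh {
    param(
        [Parameter(Mandatory)] [string] $SetupPath,   # path to the vendor's setup.exe (placeholder)
        [string[]] $SetupArguments = @('/S')           # silent switch; vendor-specific
    )

    if (-not (Test-Path -LiteralPath $SetupPath)) {
        throw "Setup program not found: $SetupPath"
    }

    Write-Host "Mode before install: $(Get-RdshUserMode)"

    # Enter Install Mode so per-user registry and .ini writes made by setup are
    # recorded for replay into each user's HKCU at logon.
    & change user /install | Out-Null
    if ((Get-RdshUserMode) -ne 'Install') {
        throw 'Could not enter Install Mode (run elevated on an RD Session Host server).'
    }

    try {
        # Run the installer synchronously and capture its exit code.
        $proc = Start-Process -FilePath $SetupPath -ArgumentList $SetupArguments -Wait -PassThru
        if ($proc.ExitCode -ne 0) {
            Write-Warning "Setup exited with code $($proc.ExitCode); check the vendor's log."
        }
        return $proc.ExitCode
    }
    finally {
        # Never leave a production server in Install Mode: it is a server-wide
        # setting, and applications run by users while it is on behave as if
        # they were being installed.
        & change user /execute | Out-Null
        Write-Host "Mode after install: $(Get-RdshUserMode)"
    }
}

# Usage (placeholder path and switch):
# Install-LegacyAppOnRdsh -SetupPath 'C:\Installers\LegacyApp\setup.exe' -SetupArguments '/S'
```

The try/finally is the point of the wrapper: if the installer throws or you interrupt the script, the server still returns to Execute Mode, and the final mode is printed so the transcript shows it.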

If an application won't work on RD Session Host for one of the reasons listed earlier, that doesn't necessarily mean that you must install it on the client, as shown in the following examples:
■ If the application requires a previous version of Internet Explorer and won't work with Internet Explorer 8, then you can run the application on a VM running Windows XP. As Chapter 4 will discuss, you can run it either from a desktop or as a RemoteApp program from the client operating system.
■ If an application stores data in Temp files, you might be able to keep it working by using the Flattemp command (flattemp /enable) to keep all temporary data in one folder instead of dividing it by session.
■ If an application assumes that the shell will be Explorer.exe, then you can run it from a full desktop.
■ If you need to support multiple versions of an application, then you can deploy the application using a server farm or isolate it with App-V.
■ If an application requires administrative privileges to run, you might be able to host it in a VM on RD Virtualization Host. Granting users administrative rights on a shared RD Session Host is not an acceptable workaround.
■ You might be able to run 16-bit applications on 32-bit guest VMs running Windows 7 or (if required) Windows XP.

Using the RDS Application Analyzer

Not sure why an application won't work properly? The RDS team developed the RDS Application Analyzer (available from https://connect.microsoft.com/tsappcompat/Downloads) to help you answer such questions. In short, the tool will tell you whether an application, running as you would expect to run it on an RD Session Host, will work in that environment, and it can also offer some specific suggestions about why there might be problems. This tool does not need to be run on a Windows Server 2008 R2 RD Session Host; it works fine from a client.

Using the tool is fairly straightforward. To begin, download and install the tool and make sure that the RDS Analyzer Service is running (although the tool does not require a reboot, the service won't start just by being installed). When the service is running, start the tool. You should see a screen like the one shown in Figure 2-31.

FIGURE 2-31  Start the RDS Application Analyzer by clicking the Launch button.

Don't worry about the Log File section; that's used only if you're loading a previously saved log file. To test an application, click Browse to locate the program executable file or type the path to the executable. You don't need to change the symbols path. Before clicking Launch, look at the Launch Options list and choose the right option depending on what you want to test, as follows:
■ To run the application with administrative privileges, select Elevate. Users won't generally have these privileges, but selecting this option will allow you to get past any initial privilege issues that might normally shut the application down. For initial testing, don't select this box.
■ To run the application as a normal user, clear the Elevate option and leave Disable Virtualization cleared as well.
■ To really check an application's compatibility, select Disable Virtualization. This turns off the registry virtualization that Windows Vista and later enable to work around application compatibility issues (see the How It Works sidebar here for more details).

HOW IT WORKS

Registry Virtualization

Registry virtualization redirects writes from protected areas of the registry to places where the person executing the application has the right to write. For example, if an application attempts to write to HKEY_LOCAL_MACHINE\Software\ASH\, the write is redirected automatically to HKEY_USERS\<User SID>_Classes\VirtualStore\Machine\Software\ASH. (Although this write is stored in the user profile, it's stored in the non-roaming section of the profile.)

The goal of this feature is to enable support for applications that write to areas of the registry that the user doesn't have permission to edit or view. It applies only to 32-bit interactive processes that run without an administrator token and whose executable carries no requestedExecutionLevel entry in its manifest; 64-bit applications and manifested applications are never virtualized.

■ If an application attempts to open a virtualized key with more access than the user is allowed, the key is opened with the access the user actually has (MAXIMUM_ALLOWED) instead of failing the open.
■ If an application attempts to write to a virtualized key, the virtualization intercepts the write and sends it to the virtualized location.
■ If an application attempts to read a virtualized key, the registry merges the values of the "real" key and the virtualized key. If there is no virtualized value, it reports the "real" value. If the value has already been written to, the registry reports the virtualized value.
If you disable registry virtualization in the RDS Application Analyzer, the run will tell you whether the application that you're testing depends on this feature. If it fails without registry virtualization, you should take this as a warning. Microsoft implemented registry virtualization in Windows Vista to solve application compatibility issues brought about by applications attempting to access protected registry keys, but this feature is intended to be temporary and it might be removed in future versions of Windows, basically when enough applications no longer need it.
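You can also see, after the fact, which applications a user has been running under registry virtualization by reading the VirtualStore branch the sidebar describes. HKCU\Software\Classes is the same hive as HKEY_USERS\<User SID>_Classes, so the branch is reachable from the current user's session without knowing the SID. The PowerShell function below is an example added for this edition, not from the book or from Microsoft: it walks the VirtualStore, maps each key back to the HKLM key the application thought it was writing, and shows the redirected value next to the real one so you can see which value a merged read would return. The function name is mine; the path is the documented VirtualStore location.

```powershell
# Added example: audit registry virtualization for the current user. Lists the
# HKLM\SOFTWARE subkeys an application has shadow-written into the per-user
# VirtualStore and shows which "real" HKLM values the redirected copy overrides.
# HKCU\Software\Classes is the same hive as HKEY_USERS\<SID>_Classes, so this is
# the HKEY_USERS\<SID>_Classes\VirtualStore\Machine\Software path from the sidebar.

function Get-RegistryVirtualStoreUsage {
    $storeRoot = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
    if (-not (Test-Path $storeRoot)) {
        Write-Verbose 'No virtualized writes recorded for this user.'
        return @()
    }

    $report = foreach ($key in Get-ChildItem -Path $storeRoot -Recurse) {
        # Map the VirtualStore key back to the HKLM key the application targeted.
        # The path is taken as stored, so a Wow6432Node segment survives intact.
        $start    = $key.Name.IndexOf('MACHINE\SOFTWARE', [System.StringComparison]::OrdinalIgnoreCase)
        $relative = $key.Name.Substring($start + 'MACHINE\'.Length)
        $realKey  = "HKLM:\$relative"
        $realKeyExists = Test-Path $realKey

        $virtual = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        foreach ($prop in $key.GetValueNames()) {
            if ($prop -eq '') { continue }   # skip the unnamed (default) value
            $realValue = $null
            if ($realKeyExists) {
                $realValue = (Get-ItemProperty -Path $realKey -Name $prop -ErrorAction SilentlyContinue).$prop
            }
            [pscustomobject]@{
                Key             = $relative
                Value           = $prop
                VirtualizedTo   = $virtual.$prop
                RealHklmValue   = $realValue
                # Reads merge both copies; a virtualized value wins over the real one.
                EffectiveValue  = $virtual.$prop
                RealKeyExists   = $realKeyExists
            }
        }
    }
    # Any application whose keys appear here depends on registry virtualization and
    # will misbehave where it is unavailable (virtualization disabled, 64-bit build,
    # or a manifest with requestedExecutionLevel).
    $report
}

Get-RegistryVirtualStoreUsage | Sort-Object Key | Format-Table -AutoSize
```

Run it in the session of the user who exercised the application. An empty result means nothing was redirected for that user, which is what you want to see before declaring an application ready for an RD Session Host.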

When you've configured the Launch Settings options appropriately, type the path or browse to the executable file to test and click Launch. From here, use the application normally for a while (open and close files, import images, whatever you might do) so you can get a good sense of what file locations and registry keys it's touching. You might see some Debug information updating in the background, but this is only a small part of the results. When you're done, close the application. This prompts the RDS Application Analyzer to log all the data it collected and display the results, as in Figure 2-32 (which shows saved log data and obscures the name of the application being tested, since the name is not important to understanding the results).

FIGURE 2-32  The Compatibility Summary contains the results of running the RDS Application Analyzer.

Let's walk through what you're seeing here:

■ File and Registry Access  The File and Registry tabs show what areas of the operating system the application attempted to access without the right permissions and what the results were. For example, one of the three failed writes that this application made was an attempt to delete a folder under Program Files. The detailed information about this operation looked like this:

    RemoveDirectoryW: Directory (\Device\HarddiskVolume2\PROGRA~1\XXX) only grants requested 'DELETE' to 'NT SERVICE\TrustedInstaller, NT AUTHORITY\SYSTEM, BUILTIN\Administrators'

As you read this, you can see that only TrustedInstaller, the SYSTEM account, and members of the BUILTIN\Administrators group can delete folders in this location, so the action failed for a normal user.
■ INI Writes  Few modern applications still reference INI files, but if you run one that does, you'll see it here.
■ Token  The Token section notes permissions again. If the token required for this application to run is BUILTIN\Administrators, then that application is unlikely to work well on an RD Session Host, where users do not have administrative privileges. An application might use Administrator rights to do cleanup without assuming that it has them for the main functions of the application, though.

■ Privilege  This tab tells you more about the level of access that the application demands. If it requires SeDebugPrivilege, then it won't run properly without elevated privileges; an application that needs it is typically one that runs as a service. SeAuditPrivilege is not a problem, though; that just allows the process to generate security audit data.
■ Name Space  Name space issues refer to applications attempting to create system objects in a protected namespace. Applications that try to do this need too many privileges to work without administrative rights.
■ Other Objects  This tab includes issues involving object access that aren't related to the file system or registry entries. Anything listed here is a failed access attempt. The application might still work, but it wasn't able to do something it was attempting to do.
■ Process  This tab lists any issues with process elevation. Again, this points to an application attempting to elevate its privileges beyond those of a normal user account. Problems here generally lead to an application failing on an RD Session Host server.
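The File/Registry and Privilege findings above can be reproduced by hand, which is useful when you want to confirm an Analyzer result on the actual RD Session Host build or check a folder the Analyzer did not happen to touch. The PowerShell below is an example added for this edition, not from the book or from Microsoft. Test-FolderDeleteRights reads a folder's DACL and lists the identities that hold Delete (directly or through Modify/FullControl), then decides whether the current token would be granted it, which is the same question the RemoveDirectoryW line answers. Test-TokenPrivilege checks whether the current token carries a privilege such as SeDebugPrivilege, using the CSV output of whoami /priv. Both function names are mine; the assumed whoami column names are "Privilege Name", "Description" and "State".

```powershell
# Added example: reproduce by hand the checks behind the Analyzer's File/Registry
# and Privilege findings. Run it as the ordinary (non-elevated) user you want to
# test for, since both checks look at the *current* token.

function Test-FolderDeleteRights {
    param([Parameter(Mandatory)] [string] $Path)

    $acl = Get-Acl -LiteralPath $Path
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # Groups excludes deny-only entries, so a UAC-filtered token does not count
    # as Administrators here, matching how an access check treats it.
    $mySids = @($me.Groups) + $me.User

    $deleteMask  = [System.Security.AccessControl.FileSystemRights]::Delete
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    $holders = foreach ($ace in $acl.Access) {
        # Skip ACEs that apply only to children, not to this folder itself.
        if (($ace.PropagationFlags -band $inheritOnly) -eq $inheritOnly) { continue }
        # Any ACE whose rights include Delete (Modify and FullControl do too).
        if (($ace.FileSystemRights -band $deleteMask) -ne $deleteMask) { continue }

        $sid = $null
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) } catch { }

        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType
            Rights      = $ace.FileSystemRights
            AppliesToMe = ($sid -ne $null) -and ($mySids -contains $sid)
        }
    }

    $allow = $holders | Where-Object { $_.AppliesToMe -and $_.Type -eq 'Allow' }
    $deny  = $holders | Where-Object { $_.AppliesToMe -and $_.Type -eq 'Deny' }

    [pscustomobject]@{
        Path                 = $Path
        Holders              = $holders
        # Deny ACEs are evaluated ahead of Allow ACEs, so a matching Deny wins.
        CurrentUserCanDelete = [bool]$allow -and -not [bool]$deny
    }
}

function Test-TokenPrivilege {
    param([Parameter(Mandatory)] [string] $Privilege)   # e.g. SeDebugPrivilege
    # Assumed "whoami /priv /fo csv" columns: "Privilege Name","Description","State"
    $privs = & whoami /priv /fo csv | ConvertFrom-Csv
    $row   = $privs | Where-Object { $_.'Privilege Name' -eq $Privilege }
    [pscustomobject]@{
        Privilege = $Privilege
        Held      = [bool]$row                        # absent from the token entirely?
        Enabled   = [bool]$row -and ($row.State -eq 'Enabled')
    }
}

# Usage: a folder under Program Files, as in the RemoveDirectoryW finding above.
$check = Test-FolderDeleteRights -Path $env:ProgramFiles
$check | Select-Object Path, CurrentUserCanDelete
$check.Holders | Format-Table -AutoSize
Test-TokenPrivilege -Privilege SeDebugPrivilege
Test-TokenPrivilege -Privilege SeAuditPrivilege
```

For a standard user on a default Windows Server 2008 R2 installation the Program Files check should come back with CurrentUserCanDelete = False and a holders list of TrustedInstaller, SYSTEM and Administrators, matching the Analyzer's message, and SeDebugPrivilege should show Held = False. If either comes back True for the account your users log on with, the server's permissions have drifted from the default and the Analyzer result is not representative.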

What Version of Remote Desktop Connection Do I Need?

Some features of Windows Server 2008 R2 RDS require the latest version of the Remote Desktop Connection (RDC) client. As of this writing, the latest version is RDC 7, available for Windows XP Service Pack 3 and Windows Vista Service Pack 1, and installed by default on Windows 7.
Tables 2-4, 2-5, and 2-6 are adapted from "How to Detect RDS-Specific Application Compatibility Issues by Using the RDS Application Compatibility Analyzer" on the RDS team blog. They show what the user experience is like for people using RDC 5.2 (the oldest supported version of RDC), 6.1, and 7 to connect to a Windows Server 2008 R2 or Windows 7 endpoint. One security difference that the tables do not spell out: Network Level Authentication (CredSSP) requires RDC 6.0 or later, so an RD Session Host configured to require NLA refuses connections from RDC 5.2 clients.

IMPORTANT  Both the client and server pieces of RDP determine the user experience, and the earlier version always takes precedence if there is a conflict. For example, if you connect to Windows XP from an RDC 7 client, you get the remote experience of RDP 5.2, because Windows XP does not have the RDP 7 server component. If you connect to Windows Server 2008 from RDC 7, you get the RDC 6 user experience.

110
TABLE 2-4  The RDC Connectivity Experience

Column key (connecting from): A = Windows 7 / Windows Server 2008 R2, RDC 7.0; B = Windows Vista SP+, RDC 7.0; C = Windows Vista SP+, RDC 6.1; D = Windows XP SP3, RDC 7.0; E = Windows XP SP3, RDC 6.1; F = Windows XP SP2, RDC 6.1; G = Windows XP SP2, RDC 5.2.

| Feature | A | B | C | D | E | F | G | Discussed in |
|---|---|---|---|---|---|---|---|---|
| Access to Remote Desktop sessions | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Chapter 3 |
| Access to RemoteApp programs | Yes | Yes | Yes | Yes | Yes | Yes | No | Chapter 3 |
| Access to personal desktop by using RD Connection Broker | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Chapter 9 |
| Access to virtual desktop pools by using RD Connection Broker | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Chapter 9 |
| Start applications and desktops from RemoteApp and Desktop Connection on client | Yes | No | No | No | No | No | No | Chapter 9 |
| Start RemoteApp programs, virtual desktop, and session-based desktop from RD Web Access | Yes | Yes | Yes | Yes | Yes | Yes | No | Chapter 9 |
| Status & disconnect system tray icon | Yes | Yes | No | No | No | No | No | Chapter 9 |

TABLE 2-5  The RDC User Experience

Column key (connecting from): A = Windows 7 / Windows Server 2008 R2, RDC 7.0; B = Windows Vista SP+, RDC 7.0; C = Windows Vista SP+, RDC 6.1; D = Windows XP SP3, RDC 7.0; E = Windows XP SP3, RDC 6.1; F = Windows XP SP2, RDC 6.1; G = Windows XP SP2, RDC 5.2.

| Feature | A | B | C | D | E | F | G | Discussed in |
|---|---|---|---|---|---|---|---|---|
| Windows Media Player Redirection | Yes | Yes | No | Yes | No | No | No | Chapter 6 |
| Bidirectional Audio | Yes | Yes | No | Yes | No | No | No | |
| Multi-monitor Support | True | True | Spanning | True | Spanning | Spanning | No | Chapter 6 |
| Aero Glass Support | Yes | No | No | No | No | No | No | Chapter 6 |
| Enhanced Bitmap Acceleration | Yes | Yes | No | Yes | No | No | No | Chapter 6 |
| Language Bar Docking | Yes | No | No | No | No | No | No | Chapter 6 |
| Easy Print | Yes | Yes | Yes | Yes | Yes | Yes | No | Chapter 6 |

TABLE 2-6  The RDC Security Feature Experience

Column key (connecting from): A = Windows 7 / Windows Server 2008 R2, RDC 7.0; B = Windows Vista SP1, RDC 7.0; C = Windows Vista SP1, RDC 6.1; D = Windows XP SP3, RDC 7.0; E = Windows XP SP3, RDC 6.1; F = Windows XP SP2, RDC 6.1; G = Windows XP SP2, RDC 5.2.

| Feature | A | B | C | D | E | F | G | Discussed in |
|---|---|---|---|---|---|---|---|---|
| Per-user filtering of RemoteApp programs | Yes | Yes | Yes | Yes | Yes | Yes | n/a | Chapter 9 |
| Web single sign-on | Yes | Yes | No | Yes | No | No | No | Chapter 9 |
| Web forms-based authentication | Yes | Yes | Yes | Yes | Yes | Yes | No | Chapter 9 |
| RD Gateway-based control of device redirection | Yes | Yes | Yes | Yes | Yes | Yes | No | Chapter 10 |
| RD Gateway system and logon messages | Yes | Yes | No | Yes | No | No | No | Chapter 10 |
| RD Gateway Background Authorization & Authentication | Yes | Yes | No | Yes | No | No | No | Chapter 10 |
| Gateway Idle & Session Timeouts | Yes | Yes | No | Yes | No | No | No | Chapter 10 |
| NAP remediation with RD Gateway | Yes | Yes | No | Yes | No | No | No | Chapter 10 |

What Role Services Do I Need to Support My Business?
Although Windows Server 2008 R2 has several role services to support the main role of RDS, you don't necessarily need all of them, or you might add them as your needs grow. Some of these might seem obvious, but you might have questions about all of these subjects, so they are worth addressing directly.
■ You always need an RDS license server. The RD Session Host server will not continue to accept connections without one, and to be in compliance, you need RDS CALs to use any RDS role.
■ You need RD Gateway to support secure access from the Internet via port 443. You do not need RD Gateway to provide secure access within the firewall.
■ You need RD Web Access and an Internet Information Services (IIS) server if you intend to display application links in a web browser. RD Web Access will work on both a corporate intranet and on the Internet.
■ You don't need RD Connection Broker unless you have more than one server to deliver sessions. It's definitely worth it to have two servers, however. Having an RD Connection Broker allows you to address your servers as a farm rather than as individuals. You will always need RD Connection Broker to support VM delivery.
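The following script, added here as an example and not part of the book, turns the list above into a check you can run on a Windows Server 2008 R2 box: it inventories the RDS role services with the ServerManager module (the feature names are the Get-WindowsFeature names on that release) and warns about the dependencies the list describes. The rules it applies are this example's reading of the list, and the license server lookup uses the Win32_TerminalServiceSetting WMI class.

```powershell
# Added example (not from the book): inventory the RDS role services on this
# server and flag the dependencies described in the list above.
# Assumes Windows Server 2008 R2 with the ServerManager module, run elevated.
Import-Module ServerManager

# Get-WindowsFeature names of the RDS role services on Windows Server 2008 R2
$rds = @{
    SessionHost        = 'RDS-RD-Server'
    VirtualizationHost = 'RDS-Virtualization'
    Licensing          = 'RDS-Licensing'
    Gateway            = 'RDS-Gateway'
    WebAccess          = 'RDS-Web-Access'
    ConnectionBroker   = 'RDS-Connection-Broker'
}

# Returns a hashtable of role service -> installed ($true/$false)
function Get-RdsRoleServiceState {
    param([hashtable]$Names)
    $state = @{}
    foreach ($key in $Names.Keys) {
        $feature = Get-WindowsFeature $Names[$key]
        $state[$key] = [bool]($feature -and $feature.Installed)
    }
    $state
}

# Applies the rules from the list above; returns warnings as strings
function Test-RdsRoleServices {
    param([hashtable]$State, [bool]$LicenseServerConfigured)
    $warnings = @()
    if ($State.SessionHost -and -not ($State.Licensing -or $LicenseServerConfigured)) {
        $warnings += 'RD Session Host has no license server configured: it will stop accepting connections once the licensing grace period ends.'
    }
    if ($State.VirtualizationHost -and -not $State.ConnectionBroker) {
        $warnings += 'RD Virtualization Host is installed but no RD Connection Broker is on this server; VM delivery needs a broker somewhere in the deployment.'
    }
    if ($State.WebAccess -and -not (Get-WindowsFeature Web-Server).Installed) {
        $warnings += 'RD Web Access is installed but IIS (Web-Server) is not.'
    }
    $warnings
}

$state = Get-RdsRoleServiceState -Names $rds
$state.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

# The license server usually lives on another machine, so check the list the
# RD Session Host has been pointed at rather than only the local role service.
$tsSetting = Get-WmiObject -Namespace root\CIMV2\TerminalServices -Class Win32_TerminalServiceSetting
$licenseServers = @($tsSetting.GetSpecifiedLicenseServerList().SpecifiedLSList)

Test-RdsRoleServices -State $state -LicenseServerConfigured ($licenseServers.Count -gt 0) |
    ForEach-Object { Write-Warning $_ }
```

A server that lets RD Session Host discover a license server through Active Directory rather than an explicit list will still show the first warning; treat it as a prompt to confirm where the licenses come from, not as a hard failure.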

Summary
After reading this chapter, you should have a good understanding of the internal workings of Windows Server 2008 R2 and how they apply to the RDS roles. You should also have some notion of how to design a test program, how to use the Performance Monitor to estimate the number of users that a server can support, and how to use the Load Simulator. You've covered the client requirements and discussed what server roles you'll need to support different business needs (for example, remote workers).
Best practices for planning a Windows Server 2008 RDS deployment include the following:
■ Try to have one disk spindle for each 20 to 30 simultaneous users of the terminal server to avoid I/O bottlenecks.
■ Don't install the RD Session Host role service on a VM unless the host supports SLAT. VMs aren't well suited to the disk I/O and memory demands of terminal servers.
■ Choose applications wisely. Applications certified for Windows 7 should generally run without problems on an RD Session Host server (aside from any issues relating to resource-intensive applications). A proven track record or official support for execution on an RD Session Host server is ideal.
■ Use real-world testing to understand the system and network requirements for the applications and usage profiles you want to support. Estimates based on theory are less useful than experience.

Now that you understand the basic operations of your RD Session Host and RD Virtualization Host servers, the next step is to start setting them up. In Chapter 3, you'll go through the process of setting up your basic RD Session Host environment, and in Chapter 4, you'll do the same for an RD Virtualization Host for a very simple deployment.

Additional Resources
A lot of information is covered in this chapter, and even more background is available. If you'd like more details about Windows internals that are relevant to planning RDS deployments, these resources contain additional information.
■ For some tips on capacity planning, see the "Remote Desktop Session Host Capacity Planning in Windows Server 2008 R2" white paper posted at http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=ca837962-4128-4680-b1c0-ad0985939063.
■ You've scratched the surface of RDS internals here. For more information about Windows Server internals, see Microsoft Windows Internals, 5th ed., by David Solomon and Mark Russinovich, with Alex Ionescu (Microsoft Press, 2009).
■ See the CD for a link to the RD Load Simulation and RDS Application Analyzer tools.
■ The RDS Team Blog, located at http://blogs.msdn.com/rds.
■ Janique Carbone's article "Second Level Address Translation Benefits in Hyper-V R2" can be found at http://www.virtualizationadmin.com/articles-tutorials/microsoft-hyper-v-articles/general/second-level-address-translation-benefits-hyper-v-r2.html.
■ To learn what applications others have tested on RD Session Host servers, see http://www.microsoft.com/rds/compatibility/Default.aspx.

CHAPTER 3

Deploying a Single Remote Desktop Session Host Server

■ How RD Session Host Servers Work  117
■ Installing an RD Session Host Server  134
■ Essential RD Session Host Configuration  144
■ Installing Applications on an RD Session Host Server  164

You don't need a complex deployment to test Remote Desktop (RD) Session Host server capabilities. To begin, it is more important that you understand what the RD Session Host (and the RD Virtualization Host, but that will be covered in Chapter 4, "Deploying a Single Remote Desktop Virtualization Host Server") are doing and how to get them set up properly. Doing this well on a single server will serve you well as you expand and add other roles to your deployment. Therefore, in this chapter, you'll learn about the basics of this role:
■ How RD Session Host servers work
■ How to install the RD Session Host role service
■ Configuring an RD Session Host server for the best user experience

How RD Session Host Servers Work

You probably know what an RD Session Host server does. It accepts incoming connections from multiple users and runs unique sessions to support those users as though each person had his or her own computer. What you might not know is how it does this. This section discusses the components of the operating system that let these servers do what they do. It covers both the key services directly related to supporting the multi-user remote access architecture and the components that support it for the entire operating system.

Services Supporting RD Session Host

Three services support an RD Session Host server: Remote Desktop Services, Remote Desktop Configuration, and Remote Desktop Services UserMode Port Redirector.

NOTE  All three services run on computers running both Windows Server 2008 R2 and
Windows 7 because both can accept remote interactive connections. You’ll use these
services on the client if you deploy the RD Virtualization Host. A major difference between
the two is licensing. A computer running Windows Server 2008 R2 can run multiple active
connections; a computer running Windows 7 can have only one active connection at any
given time. Even if the computer running Windows Server 2008 isn’t an RD Session Host
server, it can still accept multiple connections for remote administration: two remote and
one local.

The Remote Desktop Services service enables a computer to accept an interactive logon from another computer. Remote Desktop Configuration enables system configuration that needs to happen in the System context (meaning that it's highly privileged, even more so than the administrative context). The Remote Desktop Services UserMode Port Redirector enables remote device mapping (used for printers, MP3 players, or client-side drives).
To see the impact of these three services, try stopping them.

CAUTION  Before Windows Server 2008, the Remote Desktop Services service
(known as the Terminal Services service) could not be stopped; if you tried, you’d
get an error message. Today, you can stop it, even from a remote session. However,
unless you’re prepared to either restart the service remotely using VBScript or
Windows PowerShell, or you can get to the console physically to restart the service,
you might want to skip the first experiment!

If you stop Remote Desktop Services, all remote connections to the computer, including the one you're using (if you stop the service from a remote connection), will disconnect immediately. That is, any applications open in a remote session will still run on the RD Session Host server, but the remote connection is ended and anyone using that connection will need to log in again to reconnect. If you need to disconnect everyone from the RD Session Host server immediately, stopping this service will make that happen. It will also only disconnect their sessions, not log them off, so their applications will remain open.
If you stop the Remote Desktop Services UserMode Port Redirector, any client-side devices or drives that you have in the remote session will disappear instantly from My Computer in the remote session. Restarting the service will not bring the redirected resources back after stopping the service deletes them. If you restart this service, anyone who has client-side devices redirected to their terminal session must disconnect from and reconnect to their session to remap those resources to the remote session. This is because when you stop the service, you're closing down the virtual channels in the Remote Desktop Protocol (RDP) that support device redirection. To bring them back, simply restart the connection.

NOTE  For more about virtual channels, see Chapter 6, “Customizing the User Experience.”

The Remote Desktop Configuration service is responsible for all Remote Desktop Services and Remote Desktop–related configuration and session maintenance activities that require the SYSTEM context. These include per-session temporary folders, themes, and certificates.
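The three services go by the short names TermService, SessionEnv, and UmRdpService. The script below, an added example rather than anything from the book, reports them with their dependency relationships and scripts the two experiments described above, with a guard so that the first one cannot be triggered by accident from the very RDP session you are working in. It assumes Windows Server 2008 R2 or Windows 7 and an elevated PowerShell session.

```powershell
# Added example (not from the book): the three RD Session Host services by
# short name, what depends on them, and the stop/restart experiments scripted.
# Assumes Windows Server 2008 R2 / Windows 7, run elevated.

$rdsServices = 'TermService', 'SessionEnv', 'UmRdpService'

# One object per service, with its dependency edges in both directions.
# Stopping a service also stops everything listed in DependedOnBy.
function Get-RdsServiceReport {
    foreach ($name in $rdsServices) {
        $svc = Get-Service -Name $name
        New-Object PSObject -Property @{
            Name         = $svc.Name
            DisplayName  = $svc.DisplayName
            Status       = $svc.Status
            DependsOn    = ($svc.ServicesDependedOn | ForEach-Object { $_.Name }) -join ','
            DependedOnBy = ($svc.DependentServices  | ForEach-Object { $_.Name }) -join ','
        }
    }
}

Get-RdsServiceReport | Format-Table Name, Status, DependsOn, DependedOnBy -AutoSize

# Experiment 2 from the text: stop the port redirector (every redirected drive
# and printer vanishes from the sessions), then start it again. Redirected
# resources do NOT come back until each user disconnects and reconnects,
# because the virtual channels that carried them were torn down.
function Restart-PortRedirector {
    $svc = Get-Service -Name UmRdpService
    if ($svc.Status -eq 'Running') {
        Stop-Service  -Name UmRdpService
        Start-Service -Name UmRdpService
    }
    (Get-Service -Name UmRdpService).Status
}

# Experiment 1 is guarded: refuse to stop TermService from an RDP session,
# because the session running this script would be disconnected along with
# everyone else's. $env:SESSIONNAME is 'Console' locally, 'RDP-Tcp#n' remotely.
function Stop-RemoteDesktopServices {
    if ($env:SESSIONNAME -like 'RDP-*') {
        throw "Refusing to stop TermService from remote session $($env:SESSIONNAME); use the console, or restart it remotely with Restart-Service -ComputerName."
    }
    # -Force also stops the services that depend on TermService
    Stop-Service -Name TermService -Force
}
```

If you do stop TermService from the console, `Get-Service -ComputerName <server> TermService | Start-Service` from another machine is the PowerShell equivalent of the remote restart the caution above mentions.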

Creating and Supporting a Session

The previous section described the services that support Remote Desktop Services application delivery. The operating system needs to do the following to support the sessions that these services make possible:
■ Create the sessions for each person to use
■ Connect the client to the server via a display protocol that allows the two to share data
■ Create a Windows environment for each session
■ Route client input to the correct application on the RD Session Host server and route client output to the appropriate client, including:
  • Windows user interface and application screens (from endpoint to client)
  • Mouse clicks and keystrokes (from client to endpoint)
  • Sound (both directions)
  • Redirected devices such as printers and drives
  • Multimedia display (endpoint to client)
■ Package the RDP data for transport over the network protocol [Transmission Control Protocol (TCP/IP), in this case]

Key Processes Loaded at Boot Time

In Windows Server 2008 R2 and Windows 7, key system services run in Session 0, which is not accessible to users. When you boot an RD Session Host server, the operating system loads many new services to support itself. The ones important to its functionality include:
■ The Session Manager (Smss.exe)
■ The Windows Startup Manager (Wininit.exe)
■ The Services and Controller Application (Services.exe)
■ The Local Security Authority (Lsass.exe)
■ The Local Session Manager (Lsm.exe)
■ The euphoniously named Desktop Window Manager Session Manager (which runs inside an instance of Svchost.exe)
■ The Remote Desktop Services service (runs inside an instance of Svchost.exe)

At boot time, the server completes a series of steps to enable RD Session Host functionality:
1. The System process loads the Session Manager.

NOTE  The System process is different from other processes (described in Chapter 2,
“Key Architectural Concepts for Remote Desktop Services”). It does not host an execut-
able image but exists solely to host operating system threads for the memory manager,
cache manager, and other subsystems, as well as device driver threads. See Chapter 2
for more on what these subsystems do.

2. The Session Manager loads another instance of itself.
3. The new Session Manager loads the Windows Startup Manager and then exits.
4. The Windows Startup Manager loads the Services and Controller Application, the Local Security Authority, and the Local Session Manager.
5. The Services and Controller Application loads instances of Svchost.exe for the Desktop Window Manager Session Manager and the Remote Desktop Services service (among others not as relevant here).
To see all this, use Process Monitor. Enable boot logging in Process Monitor (choose Options, Enable Boot Logging), reboot the RD Session Host server, and run Process Monitor again after the restart to save and open the boot log. Then choose Tools, Process Tree to see the boot order. As you can see, the parent instance of the Session Manager keeps running, but after the child instance has completed its tasks, it closes.
You can't find the TermService service (or any other service) in Process Monitor easily to see what it's starting, because many services run within processes called Svchost.exe (to speed logon times, in part) and you can't distinguish them by name. To find out which instance of Svchost.exe a given service is running in and learn more about it using Process Monitor, run Task Manager and click the Services tab. Edit the visible columns to show the Process ID for that service (for this example, TermService) and select Remote Desktop Services from the list. Now you can filter events in Process Monitor to show only that Process ID and easily pick out the correct instance of Svchost.exe in the process tree.

ON THE COMPANION MEDIA  Download Process Monitor from the following link,
available on this book’s companion media: http://technet.microsoft.com/en-us
/sysinternals/bb896645.aspx.

Getting the services running in Session 0 sets the stage for the RD Session Host server to begin accepting incoming sessions. The following sections will explain the roles these services play in setting up the user environment for each session.

NOTE  To see which processes run in Session 0, run Task Manager. From the Process tab,
choose View, Select Columns to open the Select Process Page Columns dialog box. From
the list, make sure that the box is selected for Session ID. On the Process tab, you’ll now be
able to see which processes run in Session 0.
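The same lookup can be done without Task Manager or Process Monitor. The script below is an added example (not from the book): it uses the Win32_Service and Win32_Process WMI classes to find the Svchost.exe instance hosting TermService, lists the other services that share that process, walks the parent chain back toward the Session Manager, and prints the Session 0 view the note above builds by hand. It assumes Windows Server 2008 R2 or Windows 7 with PowerShell 2.0, run elevated so that WMI can read other processes' command lines.

```powershell
# Added example (not from the book): locate the Svchost.exe hosting TermService,
# its parent chain, and everything else running in Session 0.
# Assumes Windows Server 2008 R2 / Windows 7, PowerShell 2.0, elevated.

# Win32_Service exposes the hosting PID, which Get-Service does not.
function Get-ServiceHostProcess {
    param([Parameter(Mandatory=$true)][string]$ServiceName)
    $svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found" }
    Get-WmiObject Win32_Process -Filter "ProcessId=$($svc.ProcessId)"
}

# Follow ParentProcessId upward until the parent no longer exists. On a live
# box the chain ends at Wininit.exe, because the child Smss.exe that started
# it has already exited (exactly what the Process Monitor tree shows).
# ParentProcessId is only a number, so a reused PID can point at an unrelated
# process; compare CreationDate values if that matters for your investigation.
function Get-ParentChain {
    param([Parameter(Mandatory=$true)]$Process)
    $chain = @()
    $current = $Process
    while ($current) {
        $chain += $current
        if ($current.ParentProcessId -eq 0) { break }
        $current = Get-WmiObject Win32_Process -Filter "ProcessId=$($current.ParentProcessId)"
    }
    [array]::Reverse($chain)
    $chain
}

$termSvcProc = Get-ServiceHostProcess -ServiceName TermService
'TermService runs in PID {0}: {1}' -f $termSvcProc.ProcessId, $termSvcProc.CommandLine

# Every service sharing that Svchost instance goes down with it if it crashes.
Get-WmiObject Win32_Service -Filter "ProcessId=$($termSvcProc.ProcessId)" |
    Select-Object Name, DisplayName, State | Format-Table -AutoSize

Get-ParentChain -Process $termSvcProc |
    Select-Object ProcessId, ParentProcessId, Name, SessionId | Format-Table -AutoSize

# The Session 0 process list, without editing Task Manager's columns
Get-Process | Where-Object { $_.SessionId -eq 0 } |
    Sort-Object Name | Select-Object Id, Name, SessionId | Format-Table -AutoSize
```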

Creating a New Session on the RD Session Host Server

The first stage of creating a session is to connect to the RD Session Host server. In Windows Server 2008 R2, this connection is made through a set of interfaces called the Remote Desktop Protocol Provider. This application programming interface (API) is public, so it can be used not only by RDP but by any protocol to make a connection in a standardized way.
When Windows Server starts, the Remote Desktop Services service starts as well. The service also starts listener objects for RDP or any other protocol that is installed, which in turn listen for client connections. The service and the protocol providers are user-mode objects that communicate by using the APIs discussed in this documentation. The first step for a connection to be made is to start up the listener. When the listener is ready, Remote Desktop Services is ready to begin accepting connections.
The connection process isn't as simple as just turning on the listener. When the listener detects that a client has requested a connection, the listener creates a connection object and passes it to the Remote Desktop Services service to allow this service to configure everything properly. (It also creates a licensing object responsible for making sure the session is licensed.) Setting up the connection takes a number of steps. You'll find out more about the specifics shortly, but broadly, you can identify these steps as follows:
1. Prepare the computer to accept the session and apply the computer settings.
2. Confirm that the user or computer making the connection has a license.
3. Establish a connection, apply the per-user settings, and log the user on.
You might be used to thinking of protocol communication as happening between client and server. Some of the interaction is between the server and clients, but it's mainly the process of the connection object talking to the Remote Desktop Services service to ensure that everything is set up properly for the session.

PREPARING THE COMPUTER TO ACCEPT THE CONNECTION

After the listener detects that a client is attempting to establish a connection, it alerts the Remote Desktop Services service and creates a connection object for the Remote Desktop Services service to configure (shown in Figure 3-1).

FIGURE 3-1  The connection object prepares the computer to accept a connection. The RDP Listener receives the connection request and creates the connection object; the RDS service then passes the connection object (1) the client error logon policy and (2) the computer policies, the client supplies (3) the connection data (color depth, redirection settings, etc.), and the RDS service supplies (4) the user credentials.

Here are the steps in this process:
1. The Remote Desktop Services service tells the connection object how it should respond if there are any logon errors.
2. The Remote Desktop Services service tells the connection object about the computer-wide policies that should apply to this session. These policies can contain settings such as the color depth, whether port redirection is enabled, the required encryption level, and the like.
3. Now, the connection gets client connection data from the client. This data includes settings such as whether to hide the title bar, the color depth the client is requesting (which cannot be more than the color depth specified in the connection policies set in Step 2), whether audio redirection should be enabled, and so forth. The client connection policies must fit within the connection policies defined in Step 2; that is, although the client might be more restrictive, it cannot add features that are disabled or restricted in RDS Configuration or Group Policy.
4. Next, the Remote Desktop Services service gives the user credentials to the connection object. (It got them from Winlogon, as described in the section titled "The Role of Services in Creating a New Session" later in this chapter.) Although these credentials are passed in plaintext, they're in plaintext only on the server itself. Even at the lowest level of encryption that RDP supports (the Low setting, which protects only the client-to-server direction), data sent from client to server is always encrypted.
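Step 2 is where the server-side floor is set, and it is worth auditing rather than trusting. The script below is an added example, not part of the book: it reads the RDP-Tcp listener's computer-wide policy through the Win32_TSGeneralSetting class in the root\CIMV2\TerminalServices WMI namespace on Windows Server 2008 R2, compares it with a target (the values in $desired are this example's choice, not a book recommendation), and applies the target through the class's own methods. It also lists the Win32_TSClientSetting redirection switches so the baseline a client cannot override is visible. Run it elevated on the RD Session Host.

```powershell
# Added example (not from the book): audit and tighten the computer-wide
# RDP-Tcp listener policy that Step 2 hands to the connection object.
# Assumes Windows Server 2008 R2, root\CIMV2\TerminalServices, run elevated.
$ns = 'root\CIMV2\TerminalServices'
$listener = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

# MinEncryptionLevel: 1 = Low (client-to-server only), 2 = Client Compatible,
#                     3 = High, 4 = FIPS Compliant
# SecurityLayer:      0 = RDP Security Layer, 1 = Negotiate, 2 = SSL (TLS)
# UserAuthenticationRequired: 1 = Network Level Authentication required
# These target values are this example's choice.
$desired = @{
    MinEncryptionLevel         = 3
    SecurityLayer              = 2
    UserAuthenticationRequired = 1
}

# Compares the live listener object with the desired values and returns the
# mismatches as "Property: is X, want Y" strings (nothing returned = compliant).
function Test-ListenerPolicy {
    param($Listener, [hashtable]$Desired)
    foreach ($prop in $Desired.Keys) {
        if ([int]$Listener.$prop -ne [int]$Desired[$prop]) {
            '{0}: is {1}, want {2}' -f $prop, $Listener.$prop, $Desired[$prop]
        }
    }
}

# Applies the values through the class methods rather than by editing the
# registry, so the listener reconfigures itself consistently.
function Set-ListenerPolicy {
    param($Listener, [hashtable]$Desired)
    $null = $Listener.SetEncryptionLevel($Desired.MinEncryptionLevel)
    $null = $Listener.SetSecurityLayer($Desired.SecurityLayer)
    $null = $Listener.SetUserAuthenticationRequired($Desired.UserAuthenticationRequired)
}

$findings = @(Test-ListenerPolicy -Listener $listener -Desired $desired)
if ($findings.Count -eq 0) {
    'RDP-Tcp listener policy already matches the target.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    Set-ListenerPolicy -Listener $listener -Desired $desired
    # Re-read the object and re-test so the change is confirmed, not assumed
    $listener = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $after = @(Test-ListenerPolicy -Listener $listener -Desired $desired)
    if ($after.Count -eq 0) { 'Listener policy updated.' } else { $after | ForEach-Object { Write-Warning "Still off: $_" } }
}

# Server-side redirection and color-depth settings the client cannot exceed
Get-WmiObject -Namespace $ns -Class Win32_TSClientSetting -Filter "TerminalName='RDP-Tcp'" |
    Select-Object ColorDepth, ColorDepthPolicy, DriveMapping, ClipboardMapping, AudioMapping, COMPortMapping, LPTPortMapping |
    Format-List
```

Setting SecurityLayer to SSL and requiring NLA means the listener presents a certificate and authenticates the user before a session is created; RDC 5.2 clients cannot connect under those settings, which is the trade-off Table 2-6 already hints at.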

CONFIRMING THAT A LICENSE IS AVAILABLE

After the user has been authenticated, the protocol can start working on licensing, as shown in Figure 3-2. It doesn't do this before the user is authenticated so that there's no way for unauthorized users to drain per-device RDS client access licenses (CALs) from the license server and prevent authorized users from getting licenses.

FIGURE 3-2  The Remote Desktop Services service handles connection licensing needs. The RDP Listener passes the license info (which includes the name of the client) to the RDS service, which (1) opens communications with the License Object, (2) passes it the licensing info, (3) requests a license if needed, and (4) reports that the licensing handshake is complete.

Here are the steps in this process:
1. To begin the licensing steps, the Remote Desktop Services service opens communication with the licensing object.
2. The Remote Desktop Services service passes the licensing info from the client to the licensing object, including the name of the client.
3. Next, the protocol requests a license from the client. (If the client can't provide one, the Remote Desktop Services service will request a license.)
4. The Remote Desktop Services service tells the licensing object that the licensing handshake is complete.

LOG THE USER ON AND APPLY PER-USER SETTINGS

When the licensing part of the connection is complete, there are still a few more steps to establish the connection fully, as shown in Figure 3-3.

FIGURE 3-3  The remaining steps to establish a connection. The RDS service passes the Connection Object (1) the Session ID and GUID and (2) the video/mouse/keyboard setup, then checks (3) whether the client is allowed to connect and (4) whether multiple connections are allowed.

Here are the steps in this process:
1. The Remote Desktop Services service tells the connection object the Session ID and its globally unique identifier (GUID) for the new session.
2. Set up the video and mouse/keyboard connections for base connectivity between the client and the session. At this point, the session is initialized. The user is not connected to the session at this point; the session is just prepared for the connection.
3. At this point, the RD Session Host does one final check. Given the user's name and domain (and their security token) and the session ID to which they're attempting to connect, are they allowed to log onto this session? If so, the connection continues; if not, the connection ends.
4. Is the user allowed to have more than one session? If so, what are the session IDs for the sessions that they have available?
At this point, the user logs on and the Group Policy settings corresponding to the user (recall that the computer policies were applied earlier) are applied to the session.
Those are the steps to set up a functioning connection. Let's look a little more at how the services on the RD Session Host support this process.

The Role of Services in Creating a New Session

Windows Server 2008 R2 always runs at least one session for services (Session 0), and additional sessions that users or administrators can interact with. The Session Manager (Smss.exe) for the RD Session Host server is the element of Windows that gets the process started. A new instance of the Session Manager is created. It starts all the processes required to support the session.
When someone attempts to log on to the system, the initial instance of Smss.exe creates another instance (which is of itself; that is, it starts an additional instance of Smss.exe) to configure the new session, just as it did for Session 0. On RD Session Host servers running Windows Server 2008, multiple instances of Smss.exe can run concurrently, enabling faster logons for multiple users (see Figure 3-4). The number of parallel sessions that Session Manager can create at a time depends on the number of virtual processors in the RD Session Host server. For example, a server with four quad-core processors is able to create up to 16 new sessions simultaneously.

NOTE  If you’re using Network Level Authentication (NLA) for pre-authentication, the
logon process works a little differently. NLA and securing RDP connections are covered in
Chapter 8, “Securing Remote Desktop Protocol Connections.”

FIGURE 3-4  The Session Manager in Windows Server 2008 R2 can start multiple sessions at once by loading multiple copies of itself. Session 0 holds the Session Manager (Smss.exe), the Local Session Manager (Lsm.exe), and the Service Control Manager (Services.exe); for each of Session 1, Session 2, ... Session n (serving User 1 through User n) a child Smss.exe starts Csrss.exe and Winlogon.exe.

When the child instance of the Session Manager starts, it starts the Windows subsystem (Csrss.exe and Winlogon.exe) and then exits.
When Smss.exe enables new sessions, it does so with the help of several other services. The Local Session Manager accepts the incoming connections and helps determine whether a computer can connect to the server. The Remote Desktop Services service allows a server to interact with incoming connections. All these services are managed by the Service Control Manager. To recap, see Table 3-1.

TABLE 3-1  Key System Processes for Initiating a Session on an RD Session Host Server

| Function | Supporting component | File name |
|---|---|---|
| Create, destroy, enumerate, and manipulate sessions. Prior to Windows Server 2008, this was incorporated into the Terminal Services service; it is now an independent process. | Local Session Manager | Lsm.exe |
| Check credentials collected by the credential provider and create a token identifying the user | Local Security Authority | Lsass.exe |
| Start, stop, restart, and pause Windows services | Service Control Manager | Services.exe |
| Create new sessions | Session Manager | Smss.exe |
| Enable multiple sessions on a server and provide the run-time interfaces for communication between the client session and the operating system. Also known as the Remote Connection Manager. | RDS | Termsrv.dll |

Want to learn more about what happens within that new session? Read on.

Enabling User Logons to the New Session

Having a session isn't enough. To work, you need a way to log on to it. In addition to starting the Service Control Manager and the Local Session Manager on the terminal server, the Session Manager builds the Windows logon infrastructure in each session, including:
■ The Client-Server RunTime Subsystem (CSRSS), also known as the Windows subsystem
■ The Windows logon process (Winlogon.exe), which starts UserInit and the Logon User Interface Host (Logonui.exe), which in turn starts the credential provider that accepts the user's logon data

NOTE  In versions of Windows prior to Windows Vista, Winlogon.exe started the Graphi-
cal Identification and Authentication (GINA) dynamic-link library (DLL) specified in the
registry. Windows Vista and Windows Server 2008 (as well as Windows Server 2008 R2 and
Windows 7) replaced the GINA with a credential provider, identified (if not the default) in
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provid-
ers. It has a different name, but plays the same basic role for storing credentials. (It doesn’t
do some other things that a custom GINA could do, however.)
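Because a credential provider sees every password and PIN typed at logon, the registry key named in the note is one an attacker with administrative access can use to plant a credential stealer. The script below, added here as an example and not taken from the book, enumerates the providers registered under that key, resolves each CLSID to the DLL Logonui.exe loads, and checks the DLL's Authenticode signature so that anything not signed by Microsoft stands out. It assumes Windows Vista, Windows 7, or Windows Server 2008 (R2) and read access to HKLM and HKEY_CLASSES_ROOT.

```powershell
# Added example (not from the book): list registered credential providers with
# the DLL each one loads and who signed it.
# Assumes Windows Vista/7/Server 2008 (R2); read access to HKLM and HKCR.

function Get-CredentialProvider {
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        # HKEY_CLASSES_ROOT is not mapped as a PowerShell drive by default
        $null = New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT
    }
    foreach ($key in (Get-ChildItem -Path $base)) {
        $clsid  = $key.PSChildName
        $name   = (Get-ItemProperty -Path $key.PSPath).'(default)'
        $inproc = "HKCR:\CLSID\$clsid\InprocServer32"
        $dll    = $null
        $signer = $null
        $status = 'NoFile'
        if (Test-Path -Path $inproc) {
            # InprocServer32 usually holds %SystemRoot%\system32\<name>.dll
            $dll = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty -Path $inproc).'(default)')
            if (Test-Path -Path $dll) {
                $sig    = Get-AuthenticodeSignature -FilePath $dll
                $status = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
        }
        New-Object PSObject -Property @{
            CLSID  = $clsid
            Name   = $name
            DLL    = $dll
            Signer = $signer
            Status = $status
        }
    }
}

$providers = Get-CredentialProvider
$providers | Sort-Object Name | Format-Table Name, Status, Signer, DLL -AutoSize

# The ones to investigate first: unsigned, badly signed, missing, or not from Microsoft.
$providers | Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    Format-List Name, CLSID, DLL, Status, Signer
```

A legitimate third-party provider (a smart card or biometric vendor's, for example) will show up in the second list too; the point is that every entry there should be one you can explain.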

In short, the logon process works by performing the following steps:
1. The Windows subsystem starts the Windows logon process.
2. The Local Session Manager determines whether the incoming connection is allowed at all.
3. The Windows logon process presents the interface to the credential provider so a user can provide credentials such as user name and password, or smart card and personal identification number (PIN).
4. The credential provider passes the credentials to the Local Security Authority, which checks them against the security database, which is Active Directory Domain Services (AD DS) for a domain account or the local computer's Security Accounts Manager for a local account.
Figure 3-5 illustrates how these components work together to allow you to log onto the RD Session Host server.

FIGURE 3-5  The Windows logon process. Inside the user session, the Windows Subsystem (Csrss.exe) hosts the Logon User Interface Host (Logonui.exe), whose credential provider collects the user name and password; the Local Security Authority Subsystem (Lsass.exe) validates them against Active Directory or the local security accounts and returns the user session token.

Creating the Base Environment in Each Session

Finally, the Windows user environment needs a shell (a user environment), even if the session will display only RemoteApp programs, not a full desktop. When displaying the full desktop, the usual Windows shell is Explorer (Explorer.exe). If displaying RemoteApp programs only, it's the RDP shell (RDPShell.exe).
When the session begins, the Remote Desktop Services service and Desktop Window Manager running in Session 0 each begin a per-session piece of themselves. The Remote Desktop Services service starts Rdpclip.exe, which supports the shared Clipboard between the session and any locally running applications. The Desktop Window Manager Session Manager starts Dwm.exe, which manages the appearance of windows in the remote session.
Table 3-2 shows the user-mode processes that create the common user environment (minus the applications that you'd also expect to see running). You won't actually see all these from Task Manager.

TABLE 3-2  User-Mode Processes That Support Each Session's Windows Environment

| Function | Supporting component | File name |
|---|---|---|
| Create graphical effects used in Aero Glass (for example, Flip and transparent thumbnail views of minimized applications) in video memory, then send them to the screen when composed | Desktop Window Manager | Dwm.exe |
| Display the Windows Shell for desktops | Windows Explorer | Explorer.exe |
| Enable clipboard redirection between the session and the client | Clipboard redirection tool | Rdpclip.exe |
| Display RemoteApp programs | The Windows shell for RemoteApp programs | RDPShell.exe |
| Supply information to management interfaces on the RD Session Host server | Windows Remote Desktop Services API | Wtsapi32.dll |

Remote sessions aren't interesting without interaction, however. That's where the last step of passing data between client and server comes in.

Passing Data Between Client and Server

An RD Session Host server doesn't have one session; it has dozens or even hundreds of sessions. An RD Session Host client doesn't necessarily display a single application running from the server farm; it has four or five or perhaps even more, and not all of those four or five applications are necessarily running on the same server. How does the data passing between client and server get to the right place? The answer has three parts:
■ The session structure
■ The use of Session IDs and Process IDs to identify internally which instance of an application the system is referring to among the multiple instances running concurrently on the RD Session Host server
■ Cooperation between components on the RD Session Host server (that is, common to all sessions) and in the client session (exclusive to one session)

SESSION STRUCTURE
One connection to an RD Session Host server is normally equivalent to one session. In other words, there's never any question on the client as to which session some input should go to, because each session's communication with the RD Session Host server will be handled separately from within the session. Even RemoteApp programs will all run within the same session as long as they're on the same server. The only time you'd have more than one session on the same server is if you deliberately connected to a second desktop and the RD Session Host server was configured to permit more than one session per user on the same server.
Session isolation has evolved over the years. As you can see from Figure 3-6, the operating system can be session-aware in various areas. At the kernel level, the memory manager (for example) must be session-aware so it can map data to the right set of user-mode addresses (as discussed in Chapter 2). New kernel-mode awareness of sessions was introduced in Windows Server 2008 R2 with Dynamic Fair Share Scheduler (DFSS), which allocates processor time evenly among sessions. (DFSS is part of the Process Scheduler component in Figure 3-6.)
At the service level, all services run in Session 0 and are session-aware to the extent that they are not mapped to any single user identity. In Windows Server 2008 and later, even system administrators don't interact with Session 0 anymore.
At the session level, there's a separate instance of the Windows subsystem, Windows Logon, Win32k.sys (to prevent one session from being able to manipulate windows in another session), and now in Windows Server 2008 R2, even Internet Protocol (IP) virtualization for WinSock applications (any application written to use the Windows Socket API for communicating with TCP/IP).

[Figure 3-6 (diagram): per-session components (Session 1, Session 2, ... Session n), each with its own Winlogon, CSRSS, Win32k subsystem, and IP virtualization (new in Windows Server 2008 R2); services in Session 0 (which used to be the console session in Windows Server 2003); and the session-aware kernel-mode components Memory Management, Object Manager, I/O Manager, and Process Scheduler.]
FIGURE 3-6  There is even more session isolation in Windows Server 2008 R2.

IDENTIFYING PROCESSES
If you're in a single session, how do you get the right data to the right instance of an application and send the feedback to the correct session? One way is that each session has a unique identifier on the RD Session Host server (the Session ID that you can see in the Remote Desktop Services Manager discussed in Chapter 11, "Managing Remote Desktop Sessions"). Activity within a session is identified to the RD Session Host server by its Session ID, not by the name of the person logged on to the session. Therefore, even if one person has more than one session open on the same server, the server won't confuse the sessions.
The RD Session Host server also avoids confusion through the way the operating system identifies processes. Windows Server 2008 R2 identifies processes running on an RD Session Host server not only by their names but by their Process IDs. (This is true on any Windows operating system, but on an RD Session Host server it's even more important because of the likelihood that many processes will be duplicated.) A Process ID is also unique on an RD Session Host server. Process IDs are covered in more detail in Chapter 11, as part of the discussion about managing user sessions and processes.
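The following script, added here as an example and not part of the book, shows the Session ID and Process ID pairing in practice: it inventories every process on an RD Session Host server by session, resolves the owner of each process through WMI, and summarizes which user each Session ID belongs to. It runs in Windows PowerShell 2.0 (Windows Server 2008 R2) and later and needs no RDS-specific module; run it elevated to see processes in every session. The function names are my own.

```powershell
# Added example, not from the book: map running processes to (SessionId, ProcessId)
# and to the account that owns them, which is how the server tells two copies of
# the same application apart. Windows PowerShell 2.0 or later; run elevated.

function Get-RdsSessionProcessMap {
    param(
        # Optional executable name to filter on, e.g. 'excel.exe'; omit for all.
        [string]$ProcessName
    )
    $query = @{ Class = 'Win32_Process' }
    if ($ProcessName) { $query.Filter = "Name = '$ProcessName'" }

    Get-WmiObject @query | ForEach-Object {
        # GetOwner() reports the account of the process token. It fails for
        # protected system processes, which are shown with owner '<n/a>'.
        $owner = $_.GetOwner()
        $user = '<n/a>'
        if ($owner.ReturnValue -eq 0) { $user = "$($owner.Domain)\$($owner.User)" }
        New-Object PSObject -Property @{
            SessionId    = $_.SessionId
            ProcessId    = $_.ProcessId
            Name         = $_.Name
            Owner        = $user
            WorkingSetMB = [math]::Round($_.WorkingSetSize / 1MB, 1)
        }
    } | Sort-Object SessionId, Name, ProcessId
}

function Get-RdsSessionSummary {
    # Session 0 holds services and shows several owners (SYSTEM, NETWORK SERVICE,
    # ...); any other Session ID should map to exactly one interactive user.
    Get-RdsSessionProcessMap | Group-Object SessionId | ForEach-Object {
        $owners = $_.Group | Where-Object { $_.Owner -ne '<n/a>' } |
                  Select-Object -ExpandProperty Owner -Unique
        New-Object PSObject -Property @{
            SessionId    = [int]$_.Name
            ProcessCount = $_.Count
            Owners       = ($owners -join ', ')
        }
    } | Sort-Object SessionId
}

# Usage: which sessions are running Outlook, and who owns each copy?
Get-RdsSessionProcessMap -ProcessName 'outlook.exe' |
    Format-Table SessionId, ProcessId, Owner, WorkingSetMB -AutoSize
Get-RdsSessionSummary | Format-Table -AutoSize
```

Cross-check the Session IDs against `query session` (or `quser`), which lists each session's ID, user name, and state; a Session ID other than 0 that shows more than one owner is worth investigating, because it means a process in that session is running under a different token than the logged-on user.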

COMMUNICATING BETWEEN SESSION AND RD SESSION HOST SERVER

The following portions of the RD Session Host server are responsible for making sure the right data ends up with the right session after the ownership of Process IDs and Session IDs is sorted out:
■ Rdpwsx.dll is the path between RDP and the kernel. It contains
  • Generic Conference Control (GCC) to manage virtual channels, which transport specific types of data between the remote session and the client
  • The Multipoint Communication Service (MCS), which assigns data to virtual channels and sets the priority of each so that GCC can work with all the virtual channels as a single pipe
■ The RDP stack has three jobs:
  • Rdpwd.sys transforms display data into RDP commands to be transmitted to the client
  • Wdtshare.sys encrypts and packages the RDP stream
  • Tdtcp.sys packages RDP for transport on TCP/IP so that the data can be passed between server and client
The drivers and libraries supporting data-passing between the RD Session Host server and each client session are listed in Table 3-3.

TABLE 3-3  Key Drivers and Services for Sessions or the Entire RD Session Host Server

FUNCTION | SUPPORTING COMPONENT | FILE NAME
Manage the virtual channels, allowing the creation and deletion of session connections and controlling resources provided by MCSMUX | GCC | Rdpwsx.dll
Accept keyboard input from the sessions | Keyboard driver for Remote Desktop Services | Kbdclass.sys
Assign data to virtual channels within RDP, set priority levels, and segment data as required; this abstracts the multiple RDP stacks into a single entity | MCS | Rdpwsx.dll
Accept mouse input from the sessions | Mouse driver for RDS | Mouclass.sys
Encode display data into RDP commands | RDP WinStation driver | Rdpwd.sys
Communicate with the kernel via the I/O Control interface; contains GCC and MCSMUX | Interface between display protocol and kernel | Rdpwsx.dll
Package RDP onto TCP/IP | TCP driver | Tdtcp.sys
Coordinate and manage RDP protocol activity | RDS device driver | Termdd.sys
Handle user interface (UI) transfer, compression, encryption, and framing | | Wdtshare.sys
Manage device redirection and audio | RDP device redirection driver | Rdpdr.sys

The session side also has some work to do to pass data between the session and the RD Session Host server for processing (see Table 3-4). Win32k.sys is the kernel-mode component of the Windows subsystem that manages mouse and keyboard input and sends it to the right application. Rdpdd.dll is the display driver that packages Windows output neatly to be processed by the Remote Desktop Services device driver.

TABLE 3-4  Key Services and Drivers Running Within Sessions on the RD Session Host

FUNCTION | SUPPORTING COMPONENT | FILE NAME
Manage the Windows graphical user interface (GUI) environment by taking the mouse and keyboard inputs and sending them to the appropriate application | Kernel-mode component of the Windows subsystem | Win32k.sys
Capture the Windows user interface and translate it into a form that is readily converted by Rdpwd.sys into the RDP protocol | RDP display driver | Rdpdd.dll

The communication between each session and the client logged into it uses virtual channels. Each kind of data has its own virtual channel so that data transfer can be enabled or disabled selectively. For instance, it's possible to disable clipboard redirection while still allowing other types of data to pass between client and server.
Virtual channels can be static or dynamic. Static virtual channels are created at the beginning of a session and remain until that session is disconnected or terminated. You can't create new static channels during a session. Dynamic virtual channels are created and torn down on demand, such as when a new device is connected to a remote session. For more information about virtual channels, see Chapter 6.

DIRECT FROM THE SOURCE

Why Do You Need a Separate Instance of Win32k.sys for Each Session?
Sriram Sampath
Senior Development Lead, Remote Desktop Virtualization

The Window management and Graphics Subsystem in Windows primarily reside in a key kernel driver called Win32k.sys. It primarily consists of two subcomponents: the Window Manager (NTUSER) and the Graphics Subsystem (GDI).

In the RD Session Host architecture, there is one instance of this subsystem (Win32k.sys) for each session. The primary motivation behind this is security boundary and strong isolation between sessions. To elaborate, the window station/desktop boundary is considered to be the security isolation boundary for user sessions; it is not possible to send window messages, for example, from one session to another. This creates a very strong isolation environment. Having one instance of Win32k.sys in each session aids us with this.

The Win32k.sys driver is also responsible for loading and managing the display driver associated with each session; this allows different display drivers to be loaded in different sessions. As an example, the NVIDIA driver can be loaded in the physical console session and the RD Session Host server display driver, RDPDD, can be loaded in a different session.

Some other subsystems of the operating system that are session-aware in this manner are
■ Winlogon process  One for each session
■ Csrss process  One for each session
■ Object manager  Some parts of the object, like BaseNamedObjects, are sessionized
■ I/O manager  One instance for the operating system, but session-aware
■ Plug and Play manager  One instance for the operating system, but session-aware

Putting It All Together

When you combine the key pieces of a working RD Session Host server environment that both support a session and allow it to communicate with the RD Session Host server, it looks like the overview shown in Figure 3-7.
[Figure 3-7 (diagram): the Remote Desktop Services architecture in Windows Server 2008 R2, divided into System Space and Session Space, and into User Mode and Kernel Mode; protocol-dependent components are marked. System Space, User Mode: SMSS.EXE (Session Manager), LSM.EXE (Local Session Manager, running as System), and SVCHOST.EXE hosting TERMSRV.DLL (Remote Connection Manager, running as Network Service) and RDPWSX.DLL (protocol extensions: GCC and MCSMUX), communicating with the sessions over LPC/RPC. Session Space, User Mode (Session 1, Session 2, ... Session n): WINLOGON.EXE (Windows Logon process, with LogonUI, UserInit/RDPInit, and WINSTA.DLL), CSRSS.EXE (Client-Server Runtime Subsystem), Explorer/RDP Shell, DWM, user applications 1 through n running in the session with TSAppCompat, the WTSAPI.DLL Remote Desktop Services administration client DLL (RPC), and the static virtual channel endpoints RDPCLIP.EXE (Clipboard Redirector) and RDPENDP.DLL (Remote Audio Endpoint). System Space, Kernel Mode: TERMDD.SYS (the protocol-agnostic Remote Desktop Services device driver whose primary function is to load and manage protocol stack drivers, with a command channel to CSRSS), the Dynamic Virtual Channel Manager, RDPDR.SYS (RDP device redirection, including audio redirection), and the per-connection protocol stack instances (Stack Instance 1, Stack Instance 2, ...) made of RDPWD.SYS (RDP WinStation driver), WDTSHARE.SYS, and TDTCP.SYS (TCP/IP device driver), carrying the beep, mouse, keyboard, and video channels. Session Space, Kernel Mode: WIN32K.SYS (NTUSER, GDI, BASEVIDEO) and RDPDD.DLL (RDP display driver).]
FIGURE 3-7  These are the components of Remote Desktop Services architecture in Windows Server 2008 R2.
This model has been discussed in the preceding pages, but there's a lot of data here. First, here is a quick description of what's happening in each quadrant of this illustration, which is broken out between system space (common to all sessions on the RD Session Host server) and session space (unique to each session), and between kernel mode and user mode.
In the upper-left quadrant (System Space, User Mode), the RD Session Host server is starting sessions, accepting incoming connections, and organizing virtual channels. In the upper-right quadrant (Session Space, User Mode), the session runs the following: its Windows logon processes, the Windows subsystem (CSRSS.exe) for presenting all aspects of the user interface, its shell, and its applications.
In the lower-left quadrant (System Space, Kernel Mode), the server is loading and managing the protocol-specific functionality of the session. That is, RDP is only one possible protocol that you can use to interact with an RD Session Host server; ICA, used for connecting to servers with Citrix's XenApp extensions to RD Session Host installed, is another.
In the lower-right quadrant (Session Space, Kernel Mode), the session packages the display data and input data to be processed by the display protocol when working in the Kernel Mode section of System Space.

Installing an RD Session Host Server

Now that you're acquainted with the inner workings of an RD Session Host server, it's time to become familiar with the outer workings of installing and configuring it.

NOTE  There is a lot of time spent installing roles during the course of this book, and you
might notice some steps are skipped to avoid unnecessary repetition, but it’s worth going
into detail once so you understand the processes involved.

Installing an RD Session Host Server Using the Administrative Tools Interface
To install the RD Session Host role service, click Start, Administrative Tools, and then Server Manager. Right-click Roles, choose Add Roles to open the Add Roles Wizard, and then click Next to move past the opening page. When you get to the next page of the wizard, you'll see a list of available roles, as shown in Figure 3-8. Select the box next to Remote Desktop Services and click Next.
When you choose to install Remote Desktop Services, the next page of the wizard offers you an overview of the service. Click Next.

NOTE  Do not install the RD Session Host role on a server that already has the Active
Directory Domain Services role installed. First, it’s not good security practice to allow users
to connect to a domain controller. Second, should some problem with a user or applica-
tion require you to bring down the RD Session Host server for maintenance, you’ll have a
domain controller offline.

FIGURE 3-8  Choose the Remote Desktop Services role from the list.

Now you can see why the Add Roles Wizard offered only Remote Desktop Services on the Select Server Roles page; from here (see Figure 3-9), you can choose any of the related role services. For now, stick with adding RD Session Host and click Next.

FIGURE 3-9  Choose Remote Desktop Session Host from the list of RDS role services.

Next, you'll see the Application Compatibility page telling you that if you installed applications on the server prior to installing RDS, some of the existing applications might not work in a multiple-user environment. (You'll learn more about the reasons for this later in this chapter.) Click Next.
Until now, most questions have been fairly self-explanatory. As shown in Figure 3-10, however, you need to make a decision about whether you want computers logging into the RD Session Host server to support NLA.

FIGURE 3-10  Choose NLA to protect the server from failed logon attacks, or do not require it to support broader access to the RD Session Host server.

NLA requires users to be authenticated before they make a full connection to the RD Session Host server, thus protecting the server from denial-of-service (DoS) attacks that use failed logon attempts to consume the server's processor time and memory. (Without NLA, every unauthenticated connection gets a complete session with a logon screen before any credential is checked.)
NLA is supported only by RDC 6.x and later, but more importantly, it employs the Credential Security Support Provider (CredSSP) to authenticate the user early in the process. You'll find out more about the details in Chapter 8, but for now, you need to know three things:
■ Requiring NLA enables you to force users to authenticate themselves before they can create a connection to the RD Session Host server.
■ If you require NLA, only clients supporting CredSSP (Windows 7, Windows Vista, or Windows XP SP3 with CredSSP enabled) will be able to connect to the RD Session Host server.
■ NLA is not available with Windows XP SP2; it requires the service pack update that adds CredSSP, and on Windows XP SP3 CredSSP is present but must be turned on in the registry before RDC will use it. NLA is provided by CredSSP, not by the RDP protocol itself.

NOTE  The decision to require NLA isn’t final; as with many configuration settings, you can
change your mind later by reconfiguring the host.
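Because the decision is reversible, it helps to have a way to see the current state and flip it outside the wizard. The script below is an added example and not part of the book: it audits the RDP-Tcp listener through the Remote Desktop Services WMI provider (the same setting the Add Roles Wizard and RD Session Host Configuration change), reads the listener's registry key back as an independent check, and can then require NLA. The WMI class, method, and registry value are the real ones; the function names are mine. Run it from an elevated Windows PowerShell prompt on the RD Session Host server.

```powershell
# Added example, not from the book: audit and optionally enforce NLA on the
# RDP-Tcp listener. Windows PowerShell 2.0 or later, elevated, on the server.

$TsNamespace = 'root\cimv2\TerminalServices'

function Get-TsListener {
    param([string]$ListenerName = 'RDP-Tcp')
    # This namespace expects PacketPrivacy authentication, even locally.
    $ts = Get-WmiObject -Namespace $TsNamespace -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName = '$ListenerName'" `
                        -Authentication PacketPrivacy
    if (-not $ts) { throw "Listener '$ListenerName' not found." }
    $ts
}

function Get-RdpListenerSecurity {
    param([string]$ListenerName = 'RDP-Tcp')
    $ts  = Get-TsListener -ListenerName $ListenerName
    $reg = Get-ItemProperty -Path ("HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\" + $ListenerName)
    New-Object PSObject -Property @{
        Listener            = $ts.TerminalName
        NlaRequiredWmi      = [bool]$ts.UserAuthenticationRequired
        NlaRequiredRegistry = ($reg.UserAuthentication -eq 1)
        # SecurityLayer: 0 = RDP security layer, 1 = Negotiate, 2 = TLS (SSL).
        # NLA rides on CredSSP, so it only applies with Negotiate or TLS.
        SecurityLayer       = $ts.SecurityLayer
        # MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS.
        MinEncryptionLevel  = $ts.MinEncryptionLevel
    }
}

function Set-RdpNlaRequired {
    param([string]$ListenerName = 'RDP-Tcp')
    $ts = Get-TsListener -ListenerName $ListenerName
    # 1 = require NLA. Applies to new connections; existing sessions are untouched.
    $r = $ts.SetUserAuthenticationRequired(1)
    if ($r.ReturnValue -ne 0) { throw "SetUserAuthenticationRequired failed: $($r.ReturnValue)" }
    Get-RdpListenerSecurity -ListenerName $ListenerName
}

# Audit first; enforce only once every client that must connect supports CredSSP.
Get-RdpListenerSecurity | Format-List
# Set-RdpNlaRequired | Format-List
```

If the WMI and registry columns disagree, the server has not yet applied a change (the listener reads its settings at connection time), so re-run the audit rather than assuming one of them is wrong.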

Next, you can choose the license mode of the RD Session Host server (see Figure 3-11). An RD Session Host server can be in per-user or per-device mode (that is, it can accept either per-user licenses or per-device licenses), but not both at the same time. The incoming connection must present the kind of license that the server is expecting, if the machine or user making the connection already has one. It also means that if the incoming connection doesn't present a Remote Desktop Services client access license (RDS CAL) at connection time, and the RD Session Host server has to request one from the license server, then the licenses on the license server must be of a type the RD Session Host server is able to accept. This is discussed in more depth in Chapter 12, "Licensing Remote Desktop Services."

NOTE  In Windows Server 2003, you had to choose the license mode when installing a
terminal server. In Windows Server 2008 and later, you can delay this decision until you
are certain what types of licenses will be available. An RD Session Host server in Configure
Later mode will not ask incoming connections for a license, but an RD Session Host server
can be in this mode only during its grace period (120 days). After that, it will not accept
connections without a license server and a licensing mode.
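The licensing mode is also exposed through WMI, which is useful when you want to confirm that a farm of hosts is consistently configured before the grace period runs out. The following script is an added example, not the book's own: it reads the mode and the pinned license server list from the Win32_TerminalServiceSetting class (which is what Remote Desktop Session Host Configuration drives) and can switch the mode. The class, property, and method names are real; the function names and the value-to-name table are mine. Run it elevated on the server.

```powershell
# Added example, not from the book: read and change the RD Session Host
# licensing mode through Win32_TerminalServiceSetting. Elevated PowerShell.

$LicensingTypeNames = @{
    1 = 'Remote Desktop for Administration'
    2 = 'Per Device'
    4 = 'Per User'
    5 = 'Not configured (Configure Later; grace period applies)'
}

function Get-RdsTerminalServiceSetting {
    Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                  -Class Win32_TerminalServiceSetting -Authentication PacketPrivacy
}

function Get-RdsLicensingMode {
    $s = Get-RdsTerminalServiceSetting
    $type = [int]$s.LicensingType
    $name = $LicensingTypeNames[$type]
    if (-not $name) { $name = "Unknown ($type)" }
    # A host that must request a CAL needs a license server holding CALs of the
    # matching type; this is the list an administrator pinned, if any.
    $servers = @()
    try { $servers = @(($s.GetSpecifiedLicenseServerList()).SpecifiedLSList) } catch { }
    New-Object PSObject -Property @{
        LicensingType  = $type
        Description    = $name
        LicenseServers = $servers
    }
}

function Set-RdsLicensingMode {
    param([Parameter(Mandatory = $true)][ValidateSet('PerDevice', 'PerUser')][string]$Mode)
    $code = 2
    if ($Mode -eq 'PerUser') { $code = 4 }
    $r = (Get-RdsTerminalServiceSetting).ChangeMode($code)
    if ($r.ReturnValue -ne 0) { throw "ChangeMode($code) failed: $($r.ReturnValue)" }
    Get-RdsLicensingMode
}

Get-RdsLicensingMode | Format-List
# Set-RdsLicensingMode -Mode PerUser | Format-List
```

A LicensingType of 5 on a host that has been in service for more than the grace period is the condition to alert on: connections will start failing for want of a CAL even though the role itself is healthy.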

FIGURE 3-11  Choose the appropriate license mode, or delay the decision until you have more information.
HOW IT WORKS

Why Configure Later?

S o, why should people use the Configure Later option? Why not just require
people to choose a license mode when they install the server? After all, they can
change this mode later using the Remote Desktop Session Host Configuration tool.
The reason is simple: That’s the way it worked in Windows Server 2003 and it caused
some problems.

Before Windows Server 2003, there was only one license mode for terminal servers:
per-device. This model was enforced, meaning that a terminal server set up to ac-
cept per-device Terminal Services client access licenses (TS CALs) would eventually
stop accepting connections from computers unable to present one. This model was
also the default mode for terminal servers running Windows Server 2003, but Win-
dows Server 2003 introduced a new license mode for terminal servers: per-user.

The trouble started when people installed the terminal servers without really look-
ing at the license mode option, since this had not mattered before Windows Server
2003. They installed the terminal servers in per-device mode, because that was the
default, but often got per-user licenses, because that model fit their needs better.
Because the terminal servers weren’t set up to use or issue per-user TS CALs, the
terminal servers stopped accepting connections. Although the Event Log recorded
the problem and (with Service Pack 1 for Windows Server 2003) pop-up windows
warned administrators when they logged in, this didn’t entirely fix the problem.

Because RD Session Host servers must now be in one mode or the other, part of
the solution in Windows Server 2008 and later is a Configure Later option. The RD
Session Host licensing mode will eventually need to be configured, but at least the
administrator is making a conscious choice when configuring it.

Next, you'll choose who has access to the RD Session Host server. Access is partially determined by user membership in the Remote Desktop Users group (see Figure 3-12). Only members of this group can connect to the RD Session Host server.

FIGURE 3-12  Add groups to the Remote Desktop Users group to enable user connections.

By default, the local Administrators group is already added. To add more people to the Remote Desktop Users group, click Add to open the Select Users dialog box. Enter the security group or users to add, click Check Names to validate the names of the accounts, and then click OK. For example, you might add the Domain Users group to the Remote Desktop Users group. (You can do this because Domain Users is a global group and Remote Desktop Users is a local group; global groups can be members of local groups.) Then you can deny access to groups or users selectively.
Why would you limit who is allowed to use the server? Three reasons, as follows:
■ You have a limited number of RDS CALs available, and you don't want to give them to users who don't really need them.
■ You have a limited number of application user licenses available for applications on the RD Session Host server, and you don't want to use them unnecessarily.
■ You sized the server for a certain number of users, and you want to limit the number allowed to log on to your size limit.
Keeping the list tight also has a security benefit: every account that can log on is an account whose compromised password yields an interactive session on a shared server, so the fewer that can, the better.

NOTE  You can deny even members of the Remote Desktop Users group the right to log on by editing their user account properties in Active Directory Users And Computers, or through Group Policy (the Deny Log On Through Remote Desktop Services user right). Users who aren't members of the Remote Desktop Users group simply can't log on at all.

Another option to limit user access is to create a security group called, for example, Company RDS Users. Add only users that need access to the RD Session Host server to this group, and then add the Company RDS Users group to the Remote Desktop Users group.

NOTE  If you’re not sure of the name of the group or user accounts you want to add, click
Advanced, choose the proper domain or computer, and click Find Now to populate the
Search Results area. Then you can select the users or groups to add.
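The dedicated-group approach can be scripted, which matters when you build the second or the twentieth host in a farm and want every one of them to grant access the same way. The following script is an added example and not part of the book: it lists the current members of the server's local Remote Desktop Users group and adds a domain group to it through the WinNT ADSI provider, so it works in Windows PowerShell 2.0 without the Active Directory module. The domain name CONTOSO and the group name Company RDS Users are assumptions, and the function names are mine. Run it elevated on the RD Session Host server.

```powershell
# Added example, not from the book: manage the local Remote Desktop Users group
# with the WinNT ADSI provider. Domain 'CONTOSO' and group 'Company RDS Users'
# are placeholders. Windows PowerShell 2.0 or later, elevated.

function Get-RemoteDesktopUsersMembers {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/Remote Desktop Users,group"
    # Members come back as COM objects; ADsPath looks like WinNT://CONTOSO/Name.
    @($group.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Add-RemoteDesktopUsersMember {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,   # e.g. 'CONTOSO'
        [Parameter(Mandatory = $true)][string]$Name,     # e.g. 'Company RDS Users'
        [ValidateSet('group', 'user')][string]$Type = 'group',
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $memberPath = "WinNT://$Domain/$Name"
    $existing = Get-RemoteDesktopUsersMembers -ComputerName $ComputerName |
                Where-Object { $_ -eq $memberPath }
    if ($existing) { return "Already a member: $memberPath" }
    # Add() throws if the principal is already present, hence the check above.
    $group = [ADSI]"WinNT://$ComputerName/Remote Desktop Users,group"
    $group.Add("$memberPath,$Type")
    "Added: $memberPath"
}

# Review what the wizard (or a previous install of the role) left in the group...
Get-RemoteDesktopUsersMembers
# ...then add only the group that really needs the server.
# Add-RemoteDesktopUsersMember -Domain 'CONTOSO' -Name 'Company RDS Users'
```

If the review shows Domain Users in the group from an earlier, more permissive setup, the same ADSI object removes it with `$group.Remove("WinNT://CONTOSO/Domain Users,group")`; do that after the dedicated group is in place so nobody who needs the server loses access in between.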

After you have added the appropriate users and groups, click Next. On the next page (shown in Figure 3-13), you have a few options available to make the user experience on the RD Session Host include some functionality users would experience using Windows 7. This screen is new to Windows Server 2008 R2.

FIGURE 3-13  Options are available to enhance the user experience on the RD Session Host server.

The options available are as follows:
■ Audio And Video Playback  Users can listen to audio and view video in their remote desktop session.
■ Audio Recording Redirection  Users can record audio on the client and have the recording redirected to their remote desktop session.
■ Desktop Composition  Enables visual effects including Windows Flip, three-dimensional (3-D) window transitions, and glass window frames. This is needed to enable Aero Glass remoting in Remote Desktop sessions.

NOTE  The Desktop Experience feature (which includes features included in the typi-
cal Windows 7 experience such as Windows Calendar, Desktop Themes, Windows Media
Player, and Snipping Tool) will be installed automatically if you select either the Audio And
Video playback or Desktop Composition options.

One thing to consider when enabling these options is the potential impact on the bandwidth provided for the session connections. A user playing back audio and video files will take up more bandwidth than a user editing spreadsheets. How much more depends on how the users work, so if you are enabling these features, it's a good idea to make sure your RD Session Host server load testing includes representative data for these activities. (See Chapter 2 for more information on load testing.)
The last stage is confirming the settings that you specified during the wizard, as shown in Figure 3-14.

FIGURE 3-14  Confirm the settings in your setup before installing.

To save the configuration at setup, click the Print, E-mail, Or Save This Information link to create and open a simple Hypertext Markup Language (HTML) page that you can then print, email, or save as part of your RD Session Host server configuration documentation. You should seriously consider doing this so you can make a record of the basic installation, particularly if you selected a licensing mode. This information documents the way that the RD Session Host server is set up and will be a guide to the person setting up the second server, or the 20th, who does not want to inspect the server configuration manually to make sure it's consistent across the load-balanced farm.

After you click Install, the server will take some time installing the service. When it's finished, you'll be prompted to restart the server and get a second chance at printing or saving the configuration report. When you click Close, you will be prompted to restart the server. After rebooting, as you start up again, the RD Session Host server will spend a few minutes processing and making final recommendations, as shown in Figure 3-15.

FIGURE 3-15  Complete the installation after rebooting.

You might have already installed Desktop Experience if you chose to enable the audio and video playback and/or Desktop Composition features. Desktop Experience is important. As you'll learn in Chapter 6, it's required to enable the Plug and Play framework for automatically detecting client-side plug-and-play devices such as cameras. If you don't install Desktop Experience, you won't be able to redirect these devices seamlessly to the remote connection. You'll also need it for audio and multimedia redirection.

Installing an RD Session Host Server from the Command Line
In Windows Server 2008, you could do a very basic installation from the command line with ServerManagerCmd.exe. This executable has been deprecated in Windows Server 2008 R2 and replaced by Windows PowerShell cmdlets.

NOTE  To install Windows roles, role services, and features via Windows PowerShell, you
must run Windows PowerShell with elevated privileges.

To run Server Manager cmdlets in Windows PowerShell, first import the ServerManager module, like this:

Import-Module servermanager

To see which commands are available for this module, assign the result of getting the ServerManager module to a variable, as shown here:

$sm = Get-Module servermanager

Then reference the variable, like this:

$sm
ModuleType Name            ExportedCommands
---------- ----            ----------------
Manifest   servermanager   {Remove-WindowsFeature, Get-WindowsFeat...

You can see from the resulting text that there are multiple ExportedCommands available with this module, but they are not all listed here (some are hidden by the ellipsis). To see clearly all the commands offered by this module, type the following command:

$sm.ExportedCommands

Name                   Value
----                   -----
Remove-WindowsFeature  Remove-WindowsFeature
Get-WindowsFeature     Get-WindowsFeature
Add-WindowsFeature     Add-WindowsFeature

You want to add the RD Session Host role service, so type Get-WindowsFeature to get a long list of all the features you could install on this server (Add-WindowsFeature requires a feature name and does not list them). The Remote Desktop Services role services that you can install are shown here:

[X] Remote Desktop Services                    Remote-Desktop-Services
    [X] Remote Desktop Session Host            RDS-RD-Server
    [ ] Remote Desktop Virtualization Host     RDS-Virtualization
    [ ] Remote Desktop Licensing               RDS-Licensing
    [ ] Remote Desktop Connection Broker       RDS-Connection-Broker
    [ ] Remote Desktop Gateway                 RDS-Gateway
    [ ] Remote Desktop Web Access              RDS-Web-Access

From the resulting list, you now know both the display name (Remote Desktop Session Host) and its corresponding name (RDS-RD-Server). Install the Remote Desktop Session Host role service by referencing that name, like this:

Add-WindowsFeature RDS-RD-Server

A successful install returns the following:

WARNING: [Installation] Succeeded: [Remote Desktop Services] Remote Desktop Session Host. You must restart this server to finish the installation process.

Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True    Yes            Succes... {Remote Desktop Session Host}

Reboot the server to finish the installation process, as instructed. To reboot from Windows PowerShell, type

Shutdown /r

Installing RD Session Host via Windows PowerShell doesn't give you the option of configuring any options. When you install this way, the RD Session Host server will be set up with all the default settings. The Remote Desktop Users group will be empty. In addition, the server will not prompt you for NLA options or the enhanced user experience options (enabling desktop composition, and so on).

NOTE  If you have installed and removed this role service in the past, take care to double-check your settings, because some settings (NLA, users added to the Remote Desktop Users group, and so on) will retain the information from the previous install, and if Desktop Experience was installed before, it is likely to be installed now unless you specifically removed it.

To remove the ro e serv ce, type the fo ow ng command and then reboot the server as
spec fied by the resu t ng nstruct ons

remove-windowsfeature RDS-RD-Server
WARNING: [Removal] Succeeded: [Remote Desktop Services] Remote Desktop Session
Host. You must restart this server to finish the removal process.

Success Restart Needed Exit Code Feature Result


------- -------------- --------- --------------
True Yes Succes... {Remote Desktop Session Host}

Essential RD Session Host Configuration

After installing the service, you have some basic configuration to set up before anyone uses the RD Session Host server. This isn't the only essential configuration you'll be doing (much of this book is concerned with that), but this is what you should do before people start using the server.

Allocating Processor Time
One of the nightmare scenarios for a shared computer is that of the user who is such a heavy user of RAM and processor time that he or she affects even light users. This is sometimes a reason for organizing users based on how much they will stress a server, and sometimes a reason for not putting heavy users onto the shared server at all.
Isolating users on their own computers isn't always ideal (or even possible), and what do you do if people's use patterns change over time? A better answer is to do what you can to even out resource usage automatically.
In Windows Server 2008, to make sure that processor time would be fairly allocated among sessions, you'd configure the Windows System Resource Manager (WSRM). This tool evens out processor time by monitoring processes and lowering their priority if they start affecting the performance of the processes running in other sessions. When a process receives more processor time than others, WSRM lowers its priority for a while so that it waits for threads in other processes to execute. (It's similar to the way in which a process that isn't getting enough time can have its priority temporarily boosted to get its threads through some processor cycles.) WSRM is reactive; for it to get involved, a process must already have taken too many processor cycles.

NOTE  A bug in Windows Server 2008 made WSRM very resource-intensive. If you had
this problem on Windows Server 2008, see http://support.microsoft.com/kb/970067 for a
solution. This issue was fixed in Windows Server 2008 R2.

The catch with WSRM is that it is reactive. Not only that, but it's not enabled by default. In other words, you have to configure it properly, and even if you do, there has to be a problem before WSRM can respond (the delay wouldn't normally be more than a few seconds, but it's worth mentioning). Windows Server 2008 R2 added DFSS, a new feature that operates in the kernel and makes sure that each session gets its fair share of processor time when sessions compete for it. That is, if a server has five sessions running and all five want the processor, each session is guaranteed roughly 20 percent of processor time; a session does not have to use that much, and time that one session leaves idle is available to the others, so DFSS is a guarantee under contention rather than a hard cap. This feature is enabled by default. You can disable it by setting the value of the following registry entry to 0:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SessionManager\DFSS\EnableDFSS

If allocating processor time evenly across all sessions works for you, then you're done. If you're interested in weighting sessions (perhaps to let the people facing a tight deadline crunch numbers in their spreadsheets faster), then you can set up weighted sessions using WSRM, as described in the following sections.
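Before deciding whether DFSS alone is enough, it helps to see what each session is actually consuming. The following script is an added example and not part of the book: it reports whether DFSS is in force (the policy value above is absent by default, which means enabled) and measures each session's share of processor time over a short sampling window, which is the quantity DFSS balances and the first thing to look at when one user is slowing everyone else down. Sessions are identified by Session ID, as in the "Identifying Processes" discussion earlier in the chapter. The function names are mine; it runs in Windows PowerShell 2.0 or later and should be run elevated so that every session's processes are visible.

```powershell
# Added example, not from the book: DFSS state plus a per-session CPU sample.
# Windows PowerShell 2.0 or later; run elevated on the RD Session Host server.

function Get-DfssState {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SessionManager\DFSS'
    $value = (Get-ItemProperty -Path $key -Name EnableDFSS -ErrorAction SilentlyContinue).EnableDFSS
    if ($value -eq $null) { 'Enabled (default: no EnableDFSS policy value present)' }
    elseif ($value -eq 0)  { 'Disabled by policy (EnableDFSS = 0)' }
    else                   { "Enabled (EnableDFSS = $value)" }
}

function Get-SessionCpuShare {
    param([int]$SampleSeconds = 5)
    # Total CPU seconds per session at one instant. $_.CPU is blank for
    # processes we cannot open, so those contribute nothing.
    $snapshot = {
        $perSession = @{}
        Get-Process | ForEach-Object {
            if ($_.CPU -ne $null) {
                $perSession[$_.SessionId] = [double]$perSession[$_.SessionId] + $_.CPU
            }
        }
        $perSession
    }
    $before = & $snapshot
    Start-Sleep -Seconds $SampleSeconds
    $after  = & $snapshot

    $used = @{}
    foreach ($sid in $after.Keys) {
        $delta = $after[$sid] - [double]$before[$sid]
        if ($delta -lt 0) { $delta = 0 }   # a process exited during the window
        $used[$sid] = $delta
    }
    $total    = ($used.Values | Measure-Object -Sum).Sum
    $capacity = $SampleSeconds * [Environment]::ProcessorCount

    foreach ($sid in ($used.Keys | Sort-Object)) {
        $share = 0
        if ($total -gt 0) { $share = [math]::Round(100 * $used[$sid] / $total, 1) }
        New-Object PSObject -Property @{
            SessionId         = $sid
            CpuSeconds        = [math]::Round($used[$sid], 2)
            # Share of the processor time actually consumed in the window; with
            # DFSS active, no single busy session should dominate this for long.
            PercentOfUsed     = $share
            # Share of all available processor time (cores x seconds).
            PercentOfCapacity = [math]::Round(100 * $used[$sid] / $capacity, 1)
        }
    }
}

Get-DfssState
Get-SessionCpuShare -SampleSeconds 10 |
    Format-Table SessionId, CpuSeconds, PercentOfUsed, PercentOfCapacity -AutoSize
```

Session 0 appears in the output too; a high share there points at a service or a redirection driver rather than at a user, which neither DFSS nor a WSRM session policy will fix.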

CAUTION  WSRM has a memory management feature that can limit the size of a
process’s working set or committed memory. Do not use this feature on an RD Ses-
sion Host server. First, it is not session-aware; it just limits the memory available to
a particular process regardless of where it’s running. Second, starving a process of
memory will make it run more slowly, which is very frustrating in an interactive ap-
plication (less so for an application running in the background). If a process is taking
up too much memory, then add more memory to the RD Session Host server or (as a
last resort) remove the application in question from the farm.

Installing WSRM
To install WSRM, start Server Manager. Right-click Features and click Add Features to start the Add Features Wizard. Scroll down the list to select Windows System Resource Manager. When you select it, you might be prompted to install an additional component. WSRM requires that you have a database to store historical data, so if the Windows Internal Database isn’t already installed (and it could be; it’s also used by several other features), you’ll be prompted to add that feature. Go ahead and install it if prompted to do so by clicking Add Required Features. When you click Next, you’ll see a confirmation page showing the features that you will install. Click Install to perform the installation.
When the installation is finished, Server Manager will show you that the two features are fully installed. Close the dialog box; you don’t need to reboot.
To install WSRM from Windows PowerShell, use the following code to import the module and then add the feature:

Import-Module servermanager
Add-WindowsFeature WSRM

Success  Restart Needed  Exit Code  Feature Result
-------  --------------  ---------  --------------
True     No              Success    {Windows Internal Database, Windows System...

Configuring WSRM for Weighted Remote Sessions

As discussed earlier, it might make sense to give some sessions more processor time than others. DFSS doesn’t allow this, but WSRM does. To configure WSRM for this purpose, click Start, Administrative Tools, and Windows System Resource Manager to open the Windows System Resource Manager snap-in shown in Figure 3-16. You’ll first be prompted to choose the computer that you want to manage; for now, choose the local server. (You do not need to disable DFSS for this to work.)

146  Chapter 3  Deploying a Single Remote Desktop Session Host Server
CAUTION  If you have not already configured Weighted Remote Sessions as the
managing policy, then first make sure that no one is logged into the RD Session Host
server that you’re configuring and then put it into drain mode from RD Session Host
Configuration. Changing the managing policy requires a reboot.

FIGURE 3-16  The WSRM management console

Right-click the Weighted Remote Sessions policy and choose Properties from the menu to open the dialog box in Figure 3-17. This dialog box shows all the groups for which you’ve configured this policy, so it should be empty.

FIGURE 3-17  Add groups to Weighted Remote Sessions.

To add a group, click Add to open the dialog box in Figure 3-18. The Priority options in the drop-down list are Premium, Standard, and Basic. They’re in descending order of their priority for getting processor time.

FIGURE 3-18  Add new users or groups to the list.

Click Add to add a new user or group to the list. This will open the dialog box shown in Figure 3-19. This is the standard dialog box for picking users or groups; use it as you normally would for choosing user groups.

FIGURE 3-19  Set the WSRM properties.

When you’ve chosen the right users, they’ll appear in the Add Users Or Groups dialog box, shown in Figure 3-20. Choose the right priority and click OK. To add more users, click Add.

FIGURE 3-20  Set user or group priority.

When you click OK, all the users you’ve configured so far will be in the Weighted Remote Sessions Properties dialog box, as shown in Figure 3-21. As you can see, the priority of each is listed here. If you need to change a priority, click Edit to return to the Add Users Or Groups dialog box and change the priority as needed. Click OK when you’re done.

FIGURE 3-21  Configured user accounts are listed.

To finish, click Set As Managing Policy in the right pane to change the default policy to Weighted Remote Sessions; doing this makes it possible to give some groups or users more weight. This will require a reboot to start working. (You can also take this step before configuring the policy, but one way or another, you’ll need to reboot the server after changing the default policy in WSRM.)

Enabling Plug and Play Redirection with the Desktop Experience
To enable Plug and Play redirection on the RD Session Host server, install Desktop Experience. This feature requires no configuration and little setup. To install it, simply open the Server Manager and navigate to the list of features. Click the link to add a new feature and then walk through the wizard to select and install Desktop Experience.
You can also enable this feature from Windows PowerShell in Windows Server 2008 R2, using the following code:

PS C:\Users\admin> add-WindowsFeature Desktop-Experience

Success  Restart Needed  Exit Code  Feature Result
-------  --------------  ---------  --------------
True     No              NoChan...  {}

You will not need to reboot the RD Session Host server after installing or uninstalling Desktop Experience.
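The two feature installations above (WSRM and Desktop Experience) are one-off commands. As an added example that is not from the book, the following function wraps them so that the script can be re-run on a server without reinstalling what is already there, and so that the Restart Needed column of the output is surfaced rather than scrolled past. The feature names WSRM and Desktop-Experience are the ones the text uses; the assumption that the result object exposes the columns shown above as properties named Success, RestartNeeded and ExitCode is mine.

```powershell
# Added example: idempotent feature install for an RD Session Host server.
Import-Module ServerManager

function Install-RdsHostFeature {
    # Installs each named feature only if it is not already present and reports whether
    # Add-WindowsFeature asked for a restart. Defaults are the two features the text adds.
    param([string[]]$Name = @('WSRM', 'Desktop-Experience'))

    $restartNeeded = $false
    foreach ($feature in Get-WindowsFeature -Name $Name) {
        if ($feature.Installed) {
            '{0}: already installed' -f $feature.Name
            continue
        }
        # Add-WindowsFeature pulls in required features (the Windows Internal Database
        # for WSRM) on its own, so no separate step is needed for them.
        $result = Add-WindowsFeature -Name $feature.Name
        '{0}: success={1} exit code={2}' -f $feature.Name, $result.Success, $result.ExitCode
        # RestartNeeded is assumed to mirror the "Restart Needed" output column (No/Yes/Maybe).
        if ("$($result.RestartNeeded)" -ne 'No') { $restartNeeded = $true }
    }
    if ($restartNeeded) { 'A restart is required before the new features are fully usable.' }
}

Install-RdsHostFeature
```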

Adjusting Server Settings with Remote Desktop Configuration
After you have Desktop Experience set up, the next step to the basic RD Session Host server installation is reviewing the configuration settings in the Remote Desktop Session Host Configuration MMC snap-in shown in Figure 3-22. This tool manages settings on a per-server basis; to manage settings for many RD Session Host servers at a time, use Windows PowerShell or Group Policy as described in Chapter 7, “Molding and Securing the User Environment.”

NOTE  Not all settings are relevant to a single-server RD Session Host deployment like the
one discussed here. For more information about farm and RD Connection Broker settings,
see Chapter 9, “Multi-Server Deployments.”

Open the Remote Desktop Session Host Configuration tool by clicking Start, Administrative Tools, Remote Desktop Services, Remote Desktop Session Host Configuration. To change a setting (or settings), double-click any single entry in the Edit Settings section to open the Properties dialog box shown in Figure 3-23.

FIGURE 3-22  Use Remote Desktop Session Host Configuration to edit each RD Session Host server’s configuration.

FIGURE 3-23  Clicking any setting in Remote Desktop Session Host Configuration’s Edit Settings section opens this tabbed Properties dialog box.

You can also configure all these settings through Windows PowerShell, using the new Remote Desktop Services provider, installed along with the RDS role service. To use it, first load the module using the Import-Module command from within Windows PowerShell, as follows:

PS C:\Users\admin> Import-module remotedesktopservices

Next, navigate to the RDS provider by issuing either the Set-Location rds: or Cd rds: cmdlet (they’re the same; Cd is just an alias for Set-Location to make it easier for those accustomed to using the command-line interface), as shown here:

PS C:\Users\admin> set-location rds:
PS RDS:\>

To list the contents of the RDS container, use the Dir cmdlet as follows:

PS RDS:\> dir
Directory: RDS:

Name              Type       CurrentValue  GP  PermissibleValues  PermissibleOperations
----              ----       ------------  --  -----------------  ---------------------
RDSConfiguration  Container  -                                    Get-Item, Get-ChildItem
RemoteApp         Container  -                                    Get-Item, Get-ChildItem

The configuration options for an RD Session Host server are in the RDSConfiguration container. Navigate to the RDSConfiguration container like this:

PS RDS:\> cd rdsconfiguration
PS RDS:\rdsconfiguration> dir
Directory: RDS:\rdsconfiguration

Name                      Type       CurrentValue  GP  PermissibleValues  PermissibleOperations
----                      ----       ------------  --  -----------------  ---------------------
Connections               Container  -                                    Get-Item, Get-ChildItem, New-Item
LicensingSettings         Container  -                                    Get-Item, Get-ChildItem
ConnectionBrokerSettings  Container  -                                    Get-Item, Get-ChildItem
TempFolderSettings        Container  -                                    Get-Item, Get-ChildItem
ProfileSettings           Container  -                                    Get-Item, Get-ChildItem
SessionSettings           Container  -                                    Get-Item, Get-ChildItem
VirtualIPSettings         Container  -                                    Get-Item, Get-ChildItem
UserLogonMode             Integer    0             -   0, 1, 2            Get-Item, Set-Item
RDSessionHostServerMode   Integer    1             -   0, 1               Get-Item
TimeZoneRedirection       Integer    0             No  0, 1               Get-Item, Set-Item

Now that you’ve got the tools to edit the configuration from the GUI or command prompt, the following sections explain the settings found in Remote Desktop Session Host Configuration. You’ll come back to some of these settings throughout this book.

General Session Settings

Most often, you won’t need to adjust any of the settings on the General tab shown in Figure 3-23.

TEMPORARY FOLDER SETTINGS

The only circumstance under which you’re likely to need to change the temporary folder settings is if you are supporting an older application (or a proprietary one) that won’t store temporary directories on a per-user basis, but only per computer. Most of the time, there’s no reason not to delete per-session temporary files when the user ends the session. Doing this also protects user privacy.
To configure temporary folder settings using Group Policy, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Temporary Folders. Then proceed as follows:
■ To disable deleting a user’s per-session temporary folders when they exit, enable Do Not Delete Temp Folder Upon Exit. When this setting isn’t configured, the temporary folders will be deleted unless you’ve specified otherwise using RD Configuration.
■ If you enable the Do Not Use Temporary Folders Per Session policy setting, a user’s temporary files for the user’s sessions on a server will be stored in the common Temp folder in the user’s profile instead of each session storing temporary files in separate subfolders in this location.
You can also use Windows PowerShell to configure these temporary folder options. Configure the Do Not Delete Temp Folder Upon Exit option like this:

PS RDS:\RDSConfiguration\TempFolderSettings> Set-Item DeleteTempFolders X

where X is one of these values:
■ 1 = Yes (selected in the GUI)
■ 0 = No (cleared in the GUI)

Configure the Use Temporary Folders Per Session option like this:

PS RDS:\rdsconfiguration\tempfoldersettings> Set-Item UseTempFolders X

where X is one of these values:
■ 1 = Yes (selected in the GUI)
■ 0 = No (cleared in the GUI)

SESSION COUNT
With RemoteApp programs, there is also generally no reason to allow users to maintain more than one session on the same RD Session Host server. All RemoteApp programs started from the same server run in the same session, so they can all use the core processes needed to support the session (for example, Csrss.exe, Winlogon.exe, and Win32k.sys) and save memory. Running in the same session also allows all those applications to use the same instance of the user profile. (Profile issues are discussed in Chapter 5, “Managing User Data in a Remote Desktop Services Deployment,” but for now, understand that it’s good to have only one copy of your profile open.)
To configure logon restrictions using Group Policy, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections. The setting in question is Restrict Remote Desktop Services Users To A Single Remote Session.
Configure the option to restrict users to a single user session using Windows PowerShell like this:

PS RDS:\RDSConfiguration\sessionsettings> Set-Item SingleSession X

where X is one of these values:
■ 0 = Selected (restrict use to a single session)
■ 1 = Cleared (allow multiple sessions)

USER LOGON MODE

The settings for user logon mode depend on whether the RD Session Host server is currently in production or you’re planning on taking it down but don’t want to abruptly end everyone’s sessions. One option applies if you are planning for a reboot (for example, if you cyclically reboot RD Session Host servers to fix old applications with memory leaks), in which case you should choose the option to limit connections until the service restarts. If you’re planning on longer maintenance, however, choose to limit connections until you explicitly re-enable them.
To configure the user logon mode using Group Policy, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections. The setting in question is Allow Users To Connect Remotely Using Remote Desktop Services. However, this is one situation in which Group Policy isn’t the best configuration option. User logon mode is most appropriately set by Group Policy when you’re staging a bunch of servers and don’t want any of them to go online until you’re done. If you’re taking an RD Session Host server offline, then it’s much easier and faster to adjust this setting using the configuration tools on the server.
Configure the user logon mode from Windows PowerShell like this:

PS RDS:\RDSConfiguration> Set-Item UserLogonMode X

where X equals one of these three values:
■ 0 = Allow all connections
■ 1 = Allow reconnections, but prevent new logons until the server is restarted
■ 2 = Allow reconnections, but prevent new logons at all times
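The settings in the three preceding sections (temporary folders, session count, and user logon mode) are each a single Set-Item call against the RDS: provider. As an added example that is not from the book, the following script puts them together: it validates a requested value against the PermissibleValues the provider advertises before writing it, prints the before and after values, and dumps every leaf setting under RDSConfiguration for a record. The item paths and the 0/1/2 codes are the ones given in the text; the assumption that provider items expose the dir columns as properties named Type, CurrentValue and PermissibleValues, and that Get-ChildItem -Recurse works on this provider, is mine.

```powershell
# Added example: validated writes to the RDS: provider plus a settings inventory.
Import-Module RemoteDesktopServices

function Get-RdsSettingReport {
    # Walks RDSConfiguration and lists every non-container item with its current value.
    Get-ChildItem -Path 'RDS:\RDSConfiguration' -Recurse |
        Where-Object { $_.Type -ne 'Container' } |
        Select-Object Name, CurrentValue, PermissibleValues, PSParentPath
}

function Set-RdsSetting {
    param(
        [Parameter(Mandatory=$true)][string]$Path,   # full RDS: path of a leaf setting
        [Parameter(Mandatory=$true)][int]$Value
    )
    $item = Get-Item -Path $Path
    # Refuse values the provider does not list as permissible instead of letting a typo
    # (for example 2 for SingleSession) silently fail or be coerced.
    $allowed = "$($item.PermissibleValues)" -split '[,\s]+' | Where-Object { $_ }
    if ($allowed -notcontains "$Value") {
        throw "$Path accepts only: $($item.PermissibleValues); got $Value"
    }
    Set-Item -Path $Path -Value $Value
    '{0}: {1} -> {2}' -f $Path, $item.CurrentValue, (Get-Item -Path $Path).CurrentValue
}

# Baseline for a production RD Session Host, using the codes from the text:
# per-session temp folders deleted at logoff, one session per user, logons allowed.
Set-RdsSetting -Path 'RDS:\RDSConfiguration\TempFolderSettings\DeleteTempFolders' -Value 1
Set-RdsSetting -Path 'RDS:\RDSConfiguration\TempFolderSettings\UseTempFolders'    -Value 1
Set-RdsSetting -Path 'RDS:\RDSConfiguration\SessionSettings\SingleSession'         -Value 0
Set-RdsSetting -Path 'RDS:\RDSConfiguration\UserLogonMode'                         -Value 0

# Before taking the server down for longer maintenance, switch UserLogonMode to 2 instead
# (reconnections only) and run the report to confirm the change.
Get-RdsSettingReport | Format-Table -AutoSize
```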

Configuring IP Virtualization
When multiple people are all working from the same server, they’re all using the same IP address. For most applications, this is acceptable. Some applications, however, don’t work properly unless they have a unique IP address for every connection. Some client/server applications, for example, require this. To allow applications like this to be used on RD Session Host, Windows Server 2008 R2 added IP virtualization to assign a single IP address to each session or to certain applications within a session.
To configure IP virtualization, open RD Session Host Configuration and choose IP Virtualization (or, if you have the server’s Properties dialog box already open, turn to the appropriate tab) to show the settings in Figure 3-24.

FIGURE 3-24  Configuring IP virtualization

Most of the steps here are pretty intuitive. First, enable IP virtualization. You will need a Dynamic Host Configuration Protocol (DHCP) server available for this, but you won’t need to do any configuration on the DHCP server—it’s not aware of this feature but just assigns IP addresses as it would normally.
Enable or disable IP Virtualization from Windows PowerShell using this code:

PS RDS:\RDSConfiguration\VirtualIPSettings> Set-Item VirtualIPActive X

where X is one of these values:
■ 0 = Disabled (cleared)
■ 1 = Enabled (selected)
Second, choose the network interface adapter to use. You must choose one adapter to use (by default, none will be selected).
To set or modify this setting, IP virtualization must be enabled, and the mode must be set to Per Program (this is the default choice selected when you enable IP Virtualization). Choose the network adapter that will be used for IP Virtualization using Windows PowerShell like this:

PS RDS:\RDSConfiguration\VirtualIPSettings> Set-Item NetworkAdapter 00-15-5D-0A-31-68

NOTE  When using Windows PowerShell, you must specify the Network Adapter by the
adapter media access control (MAC) address, not name.

Next, change the virtualization mode if needed. Generally, per-program is the best choice if you can use it. You probably know which applications require unique IP addresses, and a session won’t use a virtual IP address if that application is not running. In addition, per-session IP virtualization won’t work on multihomed RD Session Host servers, even if you only pick one NIC. Per-program works on multihomed servers.
Set the Virtual IP mode using Windows PowerShell using this command:

PS RDS:\RDSConfiguration\VirtualIPSettings> Set-Item VirtualIPMode X

where X is one of these values:
■ 0 = Per session
■ 1 = Per program
If you choose per-program, you’ll need to pick the applications that should use a virtual IP address. With this option, all applications configured this way and running in the same session will have the same virtual IP address, while other applications will be using the address of the RD Session Host server’s NIC.
Again, you can also configure this setting using Windows PowerShell. The following command adds a program (Notepad.exe) that exists at a specified path (C:\Windows\System32\Notepad.exe) to the list of programs that will be assigned a virtual IP address.

PS RDS:\RDSConfiguration\VirtualIPSettings\applications> New-Item -Name 'Notepad' -AppPath 'c:\windows\system32\Notepad.exe'
Setting the exact path is optional. Add the application name without the exact path to assign a virtual IP address to any program running inside a user session that has the specified application name. The following is an example:

PS RDS:\RDSConfiguration\VirtualIPSettings\applications> New-Item -Name 'Notepad' -AppName 'Notepad.exe'

To remove a program, execute the following command:

PS RDS:\RDSConfiguration\VirtualIPSettings\applications> Remove-Item Notepad.exe

Two Group Policy settings control this feature. First, you can enable the feature from Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Application Compatibility. The setting in question is Turn On Remote Desktop IP Virtualization. Second, you can prevent a session from using the RD Session Host server’s IP address if no IP address is available for the session by enabling the Do Not Use Remote Desktop Session Host IP Address When Virtual IP Address Is Not Available setting.
One point to be aware of with IP virtualization is that using it can double the IP addresses that your organization will need. Everyone’s client will have a unique IP address, and everyone’s session will have its own IP address (albeit only for the duration of the session). There is no way to configure DHCP to limit the number of addresses in a particular range that should be allocated to sessions. In addition, IP virtualization is enabled on the server, not on a per-user basis, so you can’t pick and choose which people should use it. The best way to use it is to limit it to certain applications. Many applications don’t need it; use this feature only for applications that do.
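The per-program configuration described above takes four provider writes in a fixed order (enable, set the mode, pick the adapter by MAC, register the applications). As an added example that is not from the book, the following function performs them in that order and looks the MAC address up from the adapter’s connection name through WMI, so the value does not have to be typed by hand. The VirtualIPSettings item names and the New-Item -Name/-AppPath form are those shown in the text; the function name, the Win32_NetworkAdapter lookup, the colon-to-dash conversion of the MAC, and the placeholder application path are my assumptions.

```powershell
# Added example: per-program IP virtualization limited to the applications that need it.
Import-Module RemoteDesktopServices

function Enable-RdsVirtualIPPerProgram {
    param(
        [Parameter(Mandatory=$true)][string]$AdapterConnectionName,  # e.g. 'Local Area Connection'
        [Parameter(Mandatory=$true)][hashtable]$Programs               # entry name -> full path
    )
    $nic = Get-WmiObject -Class Win32_NetworkAdapter |
        Where-Object { $_.NetConnectionID -eq $AdapterConnectionName -and $_.MACAddress }
    if (-not $nic) { throw "No adapter named '$AdapterConnectionName' with a MAC address" }
    # WMI reports 00:15:5D:0A:31:68; the provider example in the text uses dashes.
    $mac = $nic.MACAddress -replace ':', '-'

    $base = 'RDS:\RDSConfiguration\VirtualIPSettings'
    Set-Item -Path "$base\VirtualIPActive" -Value 1   # 1 = enabled
    Set-Item -Path "$base\VirtualIPMode"   -Value 1   # 1 = per program (also works on multihomed hosts)
    Set-Item -Path "$base\NetworkAdapter"  -Value $mac

    foreach ($name in $Programs.Keys) {
        # Skip entries that already exist so the script is safe to run again.
        if (Test-Path -Path "$base\Applications\$name") { continue }
        New-Item -Path "$base\Applications" -Name $name -AppPath $Programs[$name] | Out-Null
    }
    Get-ChildItem -Path "$base\Applications"
}

# Constructed input: only the one legacy client that truly needs its own address is
# listed; every other program in the session keeps the server's NIC address.
Enable-RdsVirtualIPPerProgram -AdapterConnectionName 'Local Area Connection' -Programs @{
    'LegacyClient' = 'C:\Program Files\Contoso\LegacyClient.exe'   # placeholder path
}
```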

RD Session Host Licensing Settings

The next tab of the Properties dialog box allows you to configure the licensing settings, both for the type of license you’ll use and the discovery method that the server will use to locate license servers. Getting the correct settings (as shown in Figure 3-25) is crucial for the successful implementation of RDS within your organization.

REMOTE DESKTOP SERVICES LICENSING MODE

An RD Session Host server can be in either per-device mode or per-user mode. The mode that you select depends on the type of licenses you purchase, which depends mainly on the proportion of users to computers. If there are more computers than users (for example, if people using RD Session Host servers can log in from either a work computer or from a home computer), then per-user licensing makes more sense. If there are more users (for example, if the people using the RD Session Host servers are shift workers and three people use the same thin client at different times of day), then per-device licensing makes more sense.

FIGURE 3-25  Remote Desktop Services Licensing settings are critical to RD Session Host availability.

You can change the licensing mode, but whichever mode you pick, you must be sure that the matching license types are installed on the license server that you’re using. Otherwise, even if the RD Session Host server can find a license server, it will not be able to allocate licenses to users or computers.
To configure the licensing mode using Group Policy, select Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing. The setting in question is Set The Remote Desktop Services Licensing Mode. This is an excellent setting to edit using Group Policy, as all RD Session Host servers in a farm are likely to have the same licensing mode. Using this setting avoids accidental errors.
Set the license server mode from Windows PowerShell like this:

PS RDS:\RDSConfiguration\LicensingSettings> Set-Item LicensingType X

where X is one of these values:
■ 2 = Per-device
■ 4 = Per-user
View the current licensing mode with the following command:

PS RDS:\RDSConfiguration\LicensingSettings> Get-Item LicensingName

SPECIFYING A LICENSE SERVER
Previous versions of Terminal Services supported license server discovery, but this method had so many conditions that could cause it not to work properly that RDS removed this feature. You must now specify a license server. Do this in the GUI by clicking Add on the Licensing tab of the Properties dialog box. Then either select a license server from the list of known license servers or add a license server by name or IP address and then click Add. Then click OK.
To add a license server using Windows PowerShell, use the following command and fill in the requested parameters:

PS RDS:\RDSConfiguration\LicensingSettings\SpecifiedLicenseServers> New-Item
cmdlet New-Item at command pipeline position 1
Supply values for the following parameters:
Path[0]: Liberty.ash.local
Path[1]:

To see the license server added, run this command:

PS RDS:\RDSConfiguration\LicensingSettings\SpecifiedLicenseServers> dir
Directory: RDS:\RDSConfiguration\LicensingSettings\SpecifiedLicenseServers

Name               Type       CurrentValue  GP  PermissibleValues  PermissibleOperations
----               ----       ------------  --  -----------------  ---------------------
Liberty.ash.local  Container  -                                    Get-Item, Get-ChildItem, Remove...

Remove a license server like this:

PS RDS:\RDSConfiguration\LicensingSettings\SpecifiedLicenseServers> Remove-Item LIBERTY.ash.local -Force

NOTE  You have to use the -Force parameter if the license server you are removing is the last or only license server listed.

To configure RDS Licensing using Group Policy, select Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing. The setting in question is Use The Specified Remote Desktop Services Licensing Servers. Again, this is a good setting for Group Policy to make sure it’s consistent across all servers and that new ones will be configured automatically to match the existing set.
To add one or more servers, type their names in the text box and then click Check Names to validate the names; you should see a confirmation message saying “The servers specified are valid terminal license servers.” If you don’t receive this confirmation, verify the name. When you specify license servers, their names are added to the RD Session Host server’s registry in HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters\LicenseServers\SpecifiedLicenseServers.

Specifying a license server isn’t always as easy as just typing in a server name, for the following reasons:
■ The license servers that you specify must be running Windows Server 2008 or later. It is not possible for a license server running Windows Server 2003 to issue Windows Server 2008 R2 RDS CALs. (A license server running Windows Server 2008 R2 can issue TS CALs for terminal servers running Windows Server 2003, however.)
■ You can point to a license server outside the forest. However, if this license server will be issuing per-user RDS CALs, there must be a trust relationship between the two domains. When issuing per-user RDS CALs, the license server needs to be able to contact AD DS on behalf of the person requesting an RDS CAL.
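The licensing mode and the specified license servers are set separately above, and the interactive New-Item prompt is awkward in a script. As an added example that is not from the book, the following function sets the mode, makes the specified license server list match exactly the servers you pass in (adding missing ones before removing stale ones, so -Force is rarely needed), and then reports what the server believes from both the provider and the registry location the text names. The LicensingType codes 2 and 4, the LicensingName item, the SpecifiedLicenseServers container, and Liberty.ash.local are from the text; the function name, passing the server name as the New-Item path (as the interactive prompt does), and the assumption that SpecifiedLicenseServers is a value under the LicenseServers registry key are mine.

```powershell
# Added example: declarative licensing configuration for one RD Session Host server.
Import-Module RemoteDesktopServices

function Set-RdsLicensing {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('PerDevice', 'PerUser')][string]$Mode,
        [Parameter(Mandatory=$true)][string[]]$LicenseServer
    )
    $lic = 'RDS:\RDSConfiguration\LicensingSettings'
    # Codes from the text: 2 = per-device, 4 = per-user.
    $typeValue = if ($Mode -eq 'PerDevice') { 2 } else { 4 }
    Set-Item -Path "$lic\LicensingType" -Value $typeValue

    $specified = "$lic\SpecifiedLicenseServers"
    foreach ($server in $LicenseServer) {
        if (-not (Test-Path -Path "$specified\$server")) {
            New-Item -Path "$specified\$server" | Out-Null
        }
    }
    # Drop servers that are no longer wanted. -Force is needed only when removing the
    # last entry, which cannot happen here because the wanted ones were added first.
    Get-ChildItem -Path $specified |
        Where-Object { $LicenseServer -notcontains $_.Name } |
        ForEach-Object { Remove-Item -Path "$specified\$($_.Name)" -Force }

    # Assumption: SpecifiedLicenseServers is a value under the LicenseServers key.
    $regKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters\LicenseServers'
    $reg = Get-ItemProperty -Path $regKey -Name SpecifiedLicenseServers -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        LicensingName   = (Get-Item -Path "$lic\LicensingName").CurrentValue
        LicenseServers  = @(Get-ChildItem -Path $specified | ForEach-Object { $_.Name })
        RegistryServers = if ($reg) { $reg.SpecifiedLicenseServers } else { $null }
    }
}

Set-RdsLicensing -Mode PerUser -LicenseServer 'Liberty.ash.local'
```

If the mode you set does not match the CAL type installed on the license server, the command still succeeds; as the text warns, the failure shows up later when the RD Session Host server cannot obtain licenses, so check the LicensingName output against what the license server actually holds.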

Protocol-Specific Settings
The Connections portion of Remote Desktop Configuration contains information about any protocols supported on the server (double-click RDP-Tcp to see them). In this example, you’ll see only Remote Desktop Protocol because that’s the native protocol used by Remote Desktop Services and the only one that is installed. Were Citrix XenApp extensions to Remote Desktop Services installed, for example, there’d be another entry here for ICA, the default protocol for user sessions when XenApp is installed.
Most protocol-specific settings are controlled from the user account properties visible from Active Directory Users and Computers, and the settings that aren’t there are included in Group Policy. (If they are set using Active Directory Users and Computers, Group Policy can still override them.) The settings in Remote Desktop Configuration (see Table 3-5) are mainly advisory. In this section, you’ll learn what the settings mean and how you might use them.

TABLE 3-5  Protocol Configuration Settings in Remote Desktop Configuration

General
  Settings contained: Mainly security settings, including the minimum encryption level set between client and server, whether the server must authenticate itself to the client (RDP security layer vs. SSL), and whether NLA is required. See Chapter 7 for more information about these options.
  When you would edit: Hopefully, not often. All modern clients can support Secure Sockets Layer (SSL) connections, which reduces the chance that a rogue terminal server could intercept client authentication data. NLA requires at least RDP 6.1 and CredSSP support on the client.

Environment
  Settings contained: Initial program path and settings.
  When you would edit: Probably never. Because Windows Server 2008 R2 supports RemoteApp programs, you don’t need to specify startup applications.

Sessions
  Settings contained: Settings determining behavior when a session has been active, disconnected, or idle for a certain length of time.
  When you would edit: Rarely. These settings can be set from Group Policy or Active Directory Users and Computers, and both will override the settings here. Use Group Policy to set consistent connection policies across all terminal servers; Active Directory Users and Computers to set connection policies for individuals.

Logon Settings
  Settings contained: Whether to use the client logon information or generic logon credentials.
  When you would edit: Rarely. You might use this setting for a special-use RD Session Host server supporting anonymous connections, but generally you’ll want to use the user logon credentials.

Remote Control
  Settings contained: The rules governing remote control of a user’s session.
  When you would edit: Rarely. These settings can also be set in Active Directory Users and Computers and Group Policy, and by default those settings take precedence. Remote Control settings can also be defined on a per-machine basis through Group Policy.

Client Settings
  Settings contained: Maximum color depth and device redirection rules. Most supported devices are enabled by default.
  When you would edit: Occasionally, to override client-side settings.

Network Adapter
  Settings contained: Chooses the network adapters to support RDP traffic and limits the number of connections that the terminal server will support.
  When you would edit: Occasionally, to limit the network adapters being used for RDP connections or to keep connections to the RD Session Host server within the bounds of what it can support.

Security
  Settings contained: Users and groups permitted access to the terminal server.
  When you would edit: Rarely. As Help will remind you when you switch to this tab, it is best practice to control access by controlling the membership of the Remote Desktop Users group because the results are more predictable.

NOTE  There are some discrepancies between the user account properties visible in Ac-
tive Directory Users and Computers and the settings visible in Server Configuration on
the Environment and Sessions tabs. The corresponding tab in Active Directory Users and
Computers shows settings that don’t apply to RDP; the Remote Desktop Session Host
Configuration console settings and Group Policy settings are current. (The option on the
Sessions tab of the Active Directory Users and Computers user Properties dialog box to Al-
low Reconnections From Any Client Or Originating Client Only does not apply to RDP.)

You can also configure most of these settings using Group Policy. Some of the more useful ones are described in the rest of this chapter; you’ll learn more about what these settings are for throughout the book. The Network Adapter and Security tabs do not have related Group Policy settings.
To configure connection security (including enabling server authentication and network-level authentication and client encryption level), select Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security. Chapter 7 will discuss the settings in more detail, but the policies in question are as follows:
■ Set Client Connection Encryption Level
■ Require Use Of Specific Security Layer For Remote (RDP) Connections
■ Require User Authentication For Remote Connections By Using Network Level Authentication
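Whether those three policies (or the General tab) have actually taken effect on a server is visible on the RDP-Tcp listener itself. As an added example that is not from the book, the following function reads the listener’s security layer, minimum encryption level, and NLA requirement through the Win32_TSGeneralSetting WMI class in the root\cimv2\TerminalServices namespace and turns each weak setting into a finding worded after the policy that fixes it. The function name and the finding text are mine; the numeric meanings of SecurityLayer (0 RDP, 1 Negotiate, 2 SSL) and MinEncryptionLevel (1 Low through 4 FIPS) are taken from the WMI class documentation rather than from the book, so treat them as an assumption to confirm against Chapter 7.

```powershell
# Added example: audit the RDP-Tcp listener against the security policies listed above.
function Get-RdpListenerSecurity {
    param([string]$ComputerName = '.')
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -ComputerName $ComputerName -Filter "TerminalName='RDP-Tcp'"
    if (-not $ts) { throw "No RDP-Tcp listener found on $ComputerName" }

    # Assumed value meanings (WMI class documentation, not the book).
    $layerNames = @{ 0 = 'RDP security layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
    $encNames   = @{ 1 = 'Low'; 2 = 'Client compatible'; 3 = 'High'; 4 = 'FIPS compliant' }

    $findings = @(
        if ($ts.UserAuthenticationRequired -ne 1) {
            'NLA not required: enable Require User Authentication For Remote Connections By Using Network Level Authentication'
        }
        if ($ts.SecurityLayer -eq 0) {
            'RDP security layer in use, so the server never proves its identity to the client: enable Require Use Of Specific Security Layer For Remote (RDP) Connections and choose SSL'
        }
        if ($ts.MinEncryptionLevel -lt 3) {
            'Minimum encryption level below High: raise Set Client Connection Encryption Level'
        }
    )

    New-Object PSObject -Property @{
        Computer           = $ComputerName
        SecurityLayer      = $layerNames[[int]$ts.SecurityLayer]
        MinEncryptionLevel = $encNames[[int]$ts.MinEncryptionLevel]
        NlaRequired        = [bool]$ts.UserAuthenticationRequired
        Findings           = $findings
    }
}

# Run against the local server; pass -ComputerName to audit each member of a farm.
Get-RdpListenerSecurity | Format-List
```

An empty Findings list means the listener already matches the three policies; a non-empty one tells you which Group Policy setting to turn on rather than which value to poke directly, so that the fix is applied consistently across the farm.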
To configure device redirection and environment settings, select Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device And Resource Redirection. The Printer Redirection and Remote Session Environment subkeys in this same path also include policies to control the user environment, which is discussed in more detail in Chapter 5.
To configure the rules for remote control of a user’s session by an administrator, select Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections. The setting in question is Set Rules For Remote Control Of Remote Desktop Services User Sessions. You’ll find out more about the use of remote control in Chapter 11.

Checking Configuration with the Best Practices Analyzer

Although many configuration choices are left to you to determine what’s best for your environment, some configurations must be done in a certain way for a feature to function. For example, users cannot connect to the RD Session Host server if they are not in the Remote Desktop Users Group. Other best practices aren’t necessarily a problem, but the server will function better and be less exposed to risk if it conforms to them—for example, to support pre-connection user authentication (which prevents DoS attacks from unauthorized users initiating sessions that they can’t start), you need to enable NLA.

Best Practices Analyzer (BPA) is a server management tool in Windows Server 2008 R2. BPA can help you conform to recommended best practices by scanning installed roles on a server and reporting any violations. (Some violations will require immediate action and some are advisory, but all are intended to highlight any potential problems with the server configuration.) You can run the BPA for the local computer or remotely, and because it’s built on Windows PowerShell, it also works from the command line so that you can run reports on an entire farm programmatically.
In this example, we’ll show you how to run the BPA for Remote Desktop Services. The product group can update BPA as part of recommended updates, so you might have additional options by the time you read this book.
The BPA works by identifying certain best practices for a role and then programmatically checking the configuration to make sure that the settings support the best practices. [All configuration is stored in Windows Management Instrumentation (WMI).] If a setting does not support a recommended best practice, then the report gives feedback about the issue and a recommended fix.
To start using the BPA, open the Server Manager and scroll down to the Remote Desktop Services role, as shown in Figure 3-26. You’ll see a link that says Scan This Role (circled here).

FIGURE 3-26  Starting the BPA

Click the link to display the page shown in Figure 3-27. You’ll see a progress bar as the scan continues. When it’s done, you’ll see a report. In this case, it’s showing that the Remote Desktop Users Group is not populated.

Essential RD Session Host Configuration  Chapter 3 163

FIGURE 3-27  The BPA Report on RD Session Host

Again, additional rules will be added to the BPA as you add Windows updates, so you might see other rules to check. Other roles have rules, too, so the results of the scan will depend on what roles are installed.

Installing Applications on an RD Session Host Server

Installing an application on an RD Session Host server is different from installing the same application on Windows 7. When you install an application on Windows 7 (or Windows Server 2008 R2 when not configured as an RD Session Host server), you’re generally prompted to choose whether you want to install that application for all users of the computer or just for the user who is currently logged on. The installation performed for all users differs from the installation performed for a specific user. The differences between these choices (there are some exceptions among application vendors, but this is what Microsoft recommends for v2 profiles) are explained in Table 3-6.

TABLE 3-6  Recommended Installation Options for Windows Server 2008 R2 and Windows 7

OPTION                                              COMMON SETTINGS                       CURRENT USER
Shortcuts                                           Installed in Public profile           Installed in current user’s profile
Listing in Programs And Features in Control Panel   For all users                         For the current user only
COM registration                                    HKLM\Software\Classes                 HKCU\Software\Classes
Run with executive privileges                       Yes                                   Optional
Storage location for icons and transform files      %WinDir%\Installer\{ProductCode}      %UserProfile%\AppData\Microsoft\Installer\{ProductCode GUID}

There are few surprises here: the per-user installation stores all relevant data in the user’s profile. An all-users installation stores the relevant data on a per-computer basis (or in the Public folder so that the RD Session Host server is ready to add more users to the application).

Which Applications Will Work?

This subject was briefly mentioned in Chapter 2, in the discussion of how to use the RDS Application Analyzer, but you’ll learn about it in more detail here.
Most newer applications will run on an RD Session Host server, but you can’t assume that every application will perform successfully. As you know if you’ve used Terminal Services in the past, not all applications work on a shared server (and that is especially true for older applications). Sometimes the problem is that the application is too resource-intensive to share, or it might require too many graphical updates to update the client-side display properly (rendering applications come to mind). But sometimes the problem is more subtle than that.
Broadly speaking, most application compatibility problems come from one of these sources:
■ Microsoft Internet Explorer 6 dependency
■ Installation
■ Concurrent resource usage
■ Permissions issues
■ Privacy issues
■ Performance issues
■ Device redirection issues
Let’s look at each of these in more detail.

Internet Explorer 6 Dependency

Some older web-based applications were written with a dependency on Internet Explorer 6. These applications won’t run on Windows Server 2008 R2 because it uses Windows Internet Explorer 8. Internet Explorer cannot be virtualized with App-V, so if you need to run these applications remotely, you’ll need to either set up a terminal server running Windows Server 2003 or run the application from a virtual machine (VM) running Windows XP (as described in Chapter 4).

Application Installation
Many application installations are designed for a single-user computer. This means that such an application was created with certain assumptions—for example, that it’s acceptable to store personal settings in HKLM (which would mean that the application doesn’t customize properly; machine-wide means all settings apply to all users), or to store settings in INI files in the Windows directory (which causes all users to have the same application settings).
One application-compatibility setting that is available to developers to avoid these kinds of problems is the /TSAWARE option, which is in a program’s header file. For example, applications designed to be multi-user-aware should not use INI files to store settings. The /TSAWARE switch provides a workaround for applications that were not necessarily designed for a multi-user environment so that if an application does use INI files, the RD Session Host server will accommodate this during installation by creating virtual Windows directories for each user in which to store the INI files. Without this option, applications using INI files will have a single configuration file, and everyone using the application will have the same settings.
Unfortunately, there’s no way for an administrator to check to see if the /TSAWARE option has been set in an application. If you have a homegrown application that depends on INI files, however, you can check with the developer to see if it is TS-aware so that INI files will be stored on a per-user basis.
Another potential installation issue introduced with Windows Server 2008 R2 is that of 16-bit installers, specifically the stub component some applications use to check the machine type before the 32-bit installation engine runs. 32-bit applications can run on a 64-bit platform; the 64-bit Windows Installer can handle them. 16-bit applications cannot. That said, Microsoft realized that this could be an issue and addressed it for certain installers. If an application uses any of the following installers (listed in HKLM\Software\Microsoft\Windows NT\CurrentVersion\NtVdm64):
■ Microsoft Setup for Windows 1.2
■ Microsoft Setup for Windows 2.6
■ Microsoft Setup for Windows 3.0
■ Microsoft Setup for Windows 3.01
■ InstallShield 5.x
then, when you start the installation, Windows will remove the 16-bit installer that starts the 32-bit installation engine and replace it with a 32-bit version. This list can’t be extended. If your application uses another installation engine, you will need to convert it to use a 32-bit installer to make it work on Windows Server 2008 R2.

Concurrent Resource Usage
Many instances of the same application run concurrently on an RD Session Host server. If the applications want to use the same physical port, write to the same files, or write to the same portions of the registry, they won’t work on an RD Session Host server. If two applications attempt to write to the same file at the same time, this can lead to data corruption; if they write to the same file at different times (perhaps to the same INI file, as discussed in the previous section), then this can lead to unexpected behavior.

Privacy Issues
Although the architecture of an RD Session Host server session is designed to keep session memory areas separate, applications also must honor this in the way they share files. If those files store any private data (for example, the web pages that a user has viewed), then the applications can’t use the same files.

Performance Issues
By definition, applications running on an RD Session Host server must share hardware resources, including disk input/output (I/O), processor time, and physical memory. If an application needs a lot of any of those, then it’s probably not a good fit for an RD Session Host server. (Even the DFSS mechanism only divides processor time more evenly—it doesn’t make more of it.) Similarly, some applications don’t remote well over high-latency networks. As you’ll see in Chapter 6, RDP 7 has continued the trend of more efficient usage of resources to better display high-quality multimedia in Windows Media Player, but some Flash and Silverlight applications might not display well over a wide area network (WAN).

Device Redirection
As discussed in Chapter 5, Windows Server 2008 R2 RD Session Host servers can redirect new kinds of resources. They can’t, however, redirect everything—or at least, they can’t support all features (for example, ActiveSync) if they do. Devices that need but don’t get this redirection will not work in a remote session.
What can you do about these limitations of applications and device redirection? First, you can do some checking ahead of time so that you will know which applications will work and which will not. One option is to search some websites to find out what applications have been packaged to work on a shared server, because if someone else has been able to make the application work, then at least you know that it can be done. (The software provider visionapp, for example, maintains a list of this kind at http://visionapp.com/1701.0.html?&ftu=7074772b28.) Another option is to analyze the applications themselves, using the Application Analyzer tool available on the companion CD and described in Chapter 2.

Storing Application-Specific Data
Installing applications on a shared server is somewhat different from both the per-user or all-users installation option performed on a single-user operating system. The situation is different; in this case, you want all users who access the RD Session Host server to be able to use the application, but you also want them to be able to maintain their settings in their profiles so those settings will follow them between servers. Therefore, when you install applications on an RD Session Host server, the operating system combines the two approaches. Application binaries are stored to be accessible to anyone connected to the server, but the operating system stores some settings in a particular part of HKLM called the shadow key. The location of this key will vary with the operating system and application type, as follows:
■ 64-bit versions of Windows Server 2008 R2 store shadow key information for 32-bit applications in HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software.
■ 64-bit versions of Windows Server 2008 R2 store shadow key information for 64-bit applications in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software.

NOTE  Like APIs, registry key names didn’t change when Terminal Services became
Remote Desktop Services in Windows Server 2008 R2. That would have broken applications
that relied on the Terminal Server name.

The shadow key stores configuration settings for all the applications installed on the RD Session Host server, divided by publisher. When a user logs on, the contents of this key are copied to her profile, so long as the contents of the key are newer than the contents in the profile. The operating system determines the relative age of the configuration data in the user profile and in the shadow key by comparing timestamp values of two registry keys, both of which have recorded last write-time in seconds since 1970. The key in the user profile is LastUserIniSyncTime, stored in HKCU\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server; the date of the shadow key is stored in LatestRegistryKey in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\IniFileTimes.

NOTE  The iniFileTimes key is hidden, so don’t expect to see it in the registry if you look
for it.

If the profile is newer, the settings aren’t copied; if the configuration in the shadow key is newer, the user profile is updated with the data in the shadow key. You don’t want to update the central data source, so the user profile will never update the shadow key.

HOW IT WORKS

32-Bit Applications in a 64-Bit World

Windows Server 2008 R2 is only 64-bit, but it’s not practical to assume that
64-bit versions of all applications will be available. To work around this prob-
lem, 64-bit Windows implements the WOW64 emulator. This user-mode emulator
loads a 32-bit version of NTDLL.dll, used by applications to make system calls. When
a 32-bit application calls on NTDLL.dll to interact with the operating system in some
way (for example, to read from or write to disk), WOW64 intercepts the call (this is
not an expensive operation because it, like the application it’s working with, runs in
user mode) and sends the request to the 64-bit operating system. In other words,
the 32-bit application and the 64-bit operating system don’t have to know about
each other.

To enable 32-bit applications to take advantage of some of the additional memory
space 64-bit applications get, application creators can compile the applications with
the IMAGE_FILE_LARGE_ADDRESS_AWARE flag set in the image header. Using this
flag doesn’t give the 32-bit applications the full 8 terabytes of user-mode virtual
memory addresses that 64-bit applications can use, but it does double their virtual
memory space to 4 GB.

In addition to needing some way to communicate with the operating system, it’s
important to separate registry data for 32-bit and 64-bit applications so that they
don’t load the wrong DLLs or overwrite each other’s configuration data. Therefore,
64-bit applications on a 64-bit server use the keys and values stored in HKLM\
Software, and the 32-bit applications use the keys and values stored in HKLM\
Software\Wow6432Node. Under each key, the structure is approximately the same.

It would be impossible to support 32-bit applications on a 64-bit operating system
if all 32-bit applications had to be rewritten to support this compatibility key.
Instead, to make this work, 64-bit versions of Windows use registry redirection to
intercept calls to the registry. If a 32-bit application (or component, for that mat-
ter) tries to read from or write to the registry, then the operating system’s WOW64
subsystem intercepts the request and redirects it to the appropriate path of the
registry. If 64-bit applications attempt to access the registry, the WOW64 subsystem
ignores the call.

Sometimes both 32-bit and 64-bit applications need the same data, but they must
read it from their own section of the registry. For data that both versions need, the
operating system employs registry reflection. Registry reflection updates both the
32-bit section and the 64-bit section. This is done mainly for operations such as file
association (HKLM\Software\Classes) to ensure that the same application always
opens a file with a particular extension. Registry reflection ensures that the contents
of the Classes key are maintained in parallel for both the 32-bit and 64-bit sections
of the registry.

For our purposes here, the implications of this are that 64-bit versions of Windows
maintain two areas for shadow keys: one for 32-bit applications and one for 64-bit
applications.

Avoiding Overwriting User Profile Data

You might have noticed that the decision to overwrite or not overwrite the user profile is done solely by the relative age of the data in the profile and the shadow key. If you install and deploy more servers to the farm, the new servers will have a newer date than the older servers. This can lead to problems, because the newer RD Session Host servers overwrite the user-updated data in the user profile because it’s (apparently) newer. As an example of how this could affect the user, let’s say that you had an RD Session Host server with Microsoft Office 2010 installed on it. You allow users to customize their application experience, so they change which toolbars are visible. When you deploy a new RD Session Host server in the farm, the default settings on the new server will have a newer timestamp than the user profile timestamp. When the user logs onto the new server, the changes the user had made and grown to rely on would be overwritten with the default options on the new server. You can get around this problem in one of several ways:
■ Create new servers from images of old servers.
■ Ensure that the shadow key timestamps on the new servers are older than the user profile.
■ Remove the keys from the shadow key.
■ Prevent updates to existing profile data.

Edit the Shadow Key Timestamps

Because the decision to write or not is based on whether the information in the user profile is older than the data in the shadow key, one approach is to ensure that the shadow key is always older than any data in the user profile. You can set the clocks back on new servers before installing applications. The number of seconds since 1970 is determined by the clock on the operating system, not the system clock on the motherboard, so it’s not hard to fool. You just need to ensure that you’re consistent about the date to which you set the RD Session Host servers.
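The age comparison described under “Storing Application-Specific Data” and the overwrite problem described above can be checked on a server with the following added example (it is not code from the book); the function names are its own, and the two timestamps used in the worked comparison are constructed.

```powershell
# Added example, not from the book. Puts the timestamp comparison into code:
# LastUserIniSyncTime in the user's hive versus LatestRegistryKey in the shadow key, both
# DWORDs holding seconds since 1970. Function names are this example's own. The
# IniFileTimes key is hidden, so reading LatestRegistryKey may fail; the function then
# reports the outcome as unknown instead of guessing.

function ConvertFrom-UnixSeconds {
    param([Parameter(Mandatory = $true)][uint32]$Seconds)
    # Seconds since 1 January 1970 UTC, shown in the server's local time.
    ([datetime]'1970-01-01T00:00:00Z').AddSeconds($Seconds).ToLocalTime()
}

function ConvertTo-UInt32Dword {
    param($Value)
    # The registry provider hands DWORDs back as Int32, so a value with the high bit set
    # comes back negative; reinterpret the 32 bits as unsigned.
    [uint32](([int64]$Value) -band 0xFFFFFFFF)
}

function Test-TsShadowOverwrite {
    # The decision the text describes: the profile is rewritten only if the shadow key is newer.
    param(
        [Parameter(Mandatory = $true)][uint32]$ProfileSeconds,
        [Parameter(Mandatory = $true)][uint32]$ShadowSeconds
    )
    $ShadowSeconds -gt $ProfileSeconds
}

function Get-TsShadowSyncState {
    # Reads both timestamps from the live registry; run it inside a user session on the server.
    $ProfileKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server'
    $ShadowKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\IniFileTimes'

    $ProfileSeconds = $null
    $ShadowSeconds  = $null
    try {
        $Raw = (Get-ItemProperty -Path $ProfileKey -Name LastUserIniSyncTime -ErrorAction Stop).LastUserIniSyncTime
        $ProfileSeconds = ConvertTo-UInt32Dword $Raw
    } catch { }
    try {
        $Raw = (Get-ItemProperty -Path $ShadowKey -Name LatestRegistryKey -ErrorAction Stop).LatestRegistryKey
        $ShadowSeconds = ConvertTo-UInt32Dword $Raw
    } catch { }

    if ($ShadowSeconds -eq $null) {
        $Outcome = 'Unknown: IniFileTimes\LatestRegistryKey could not be read (the key is hidden)'
    } elseif ($ProfileSeconds -eq $null) {
        $Outcome = 'Profile has no LastUserIniSyncTime: shadow key contents are copied at logon'
    } elseif (Test-TsShadowOverwrite -ProfileSeconds $ProfileSeconds -ShadowSeconds $ShadowSeconds) {
        $Outcome = 'Shadow key is newer: profile data is overwritten at logon'
    } else {
        $Outcome = 'Profile is newer: shadow key is not copied'
    }

    New-Object PSObject -Property @{
        ProfileSyncTime = $(if ($ProfileSeconds -ne $null) { ConvertFrom-UnixSeconds $ProfileSeconds })
        ShadowKeyTime   = $(if ($ShadowSeconds  -ne $null) { ConvertFrom-UnixSeconds $ShadowSeconds })
        Outcome         = $Outcome
    }
}

# Constructed scenario from the Office 2010 story above: a profile last synced on
# 1 June 2010 UTC (1275350400) meets a server built on 1 September 2010 UTC (1283299200);
# the shadow key is newer, so the user's toolbar changes would be overwritten.
Test-TsShadowOverwrite -ProfileSeconds 1275350400 -ShadowSeconds 1283299200

# The same server built with its clock set back to 1 January 2010 UTC (1262304000) loses.
Test-TsShadowOverwrite -ProfileSeconds 1275350400 -ShadowSeconds 1262304000

# Live check of the current session:
Get-TsShadowSyncState | Format-List
```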

ON THE COMPANION MEDIA  An after-the-fact approach could be to change the
timestamps on the registry keys. One way to do this is with a freeware tool like the
Registry Time Stamp Tool from Immidio, linked from the companion media.

Removing Sections from Shadow Keys
Another way to prevent the keys from being updated in the user profile is to delete them from the shadow key. If you do so, of course they won’t be added to the user profile, and you’ll need to apply them with logon scripts.
The advantage to this approach is that it ensures that the keys won’t overwrite the user profile. The disadvantage is that it takes some work to set this up, and more to maintain it. You need to delete the contents of the shadow key on all RD Session Host servers, and you must ensure that all users get the keys added to their session. In addition, if you add more applications, you must update the logon scripts.

Selectively Disabling Registry Writes

Rather than removing the contents of the shadow key, you can control registry propagation selectively. To do this, go to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\RegistryEntries\PathName, where PathName is the path to the key that you don’t want updated (located in HKCU\Software). For example, if you examine the contents of this path, you’ll see that Microsoft\Windows\CurrentVersion\Explorer\Shell Folders is already there.

NOTE  For 32-bit applications on a 64-bit operating system, edit the path to HKLM\
Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\
Compatibility\RegistryEntries\PathName.

The tricky part here lies in the value assigned to this key to control propagation. By default, Microsoft\Windows\CurrentVersion\Explorer\Shell Folders has a value of 108 hexadecimal. This value is actually the result of compatibility bits. A value of 8 hex means that the path points to a 32-bit application. The 100 hex comes from the configuration of registry mapping. If this bit is set (which means it has a value of 100), then new entries from the system master registry image will be added to the user profile when the application is started, but no existing data in the profile will be deleted or changed. If this bit is not set (has a value of 0, or isn’t present), the operating system deletes and overwrites the user’s registry data if it is older than the system master registry data.
Therefore, to prevent Win32 application registry settings from being updated in the user profile, provide the path to the key in HKEY_USERS where that application data is stored and give it a value here of 108 in hex.
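The following added example (not code from the book) decodes these compatibility bits, lists the paths already protected on a server, and creates an entry for a further path. It assumes that the DWORD under each PathName subkey is named Flags, which should be confirmed against the existing Shell Folders entry before relying on it, and the application path it protects is made up.

```powershell
# Added example, not from the book. Decodes the bits the text describes (0x8 = 32-bit
# application, 0x100 = registry mapping: add new entries, keep existing profile data),
# lists existing RegistryEntries, and adds one for a further HKCU\Software path.
# Assumptions: the DWORD under each RegistryEntries\<PathName> subkey is named 'Flags'
# (check the Shell Folders entry on your server); 'Contoso\LineOfBiz' is a made-up path.

$TsRegFlag32BitApp = 0x008   # path refers to a 32-bit application
$TsRegFlagAddOnly  = 0x100   # registry mapping: add new keys only, never overwrite

function Get-TsRegistryEntriesRoot {
    param([switch]$Wow6432)
    # 32-bit applications on a 64-bit server are configured under Wow6432Node (see the NOTE).
    $Base = 'HKLM:\SOFTWARE'
    if ($Wow6432) { $Base = "$Base\Wow6432Node" }
    "$Base\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\RegistryEntries"
}

function ConvertFrom-TsRegistryEntryFlags {
    param([Parameter(Mandatory = $true)][int]$Flags)
    $AddOnly = (($Flags -band $TsRegFlagAddOnly) -ne 0)
    New-Object PSObject -Property @{
        Flags      = ('0x{0:X}' -f $Flags)
        Is32BitApp = (($Flags -band $TsRegFlag32BitApp) -ne 0)
        AddOnly    = $AddOnly
        Behaviour  = $(if ($AddOnly) { 'New keys added at application start; existing profile data kept' } else { 'Profile data deleted and overwritten when older than the shadow key' })
    }
}

function Get-TsRegistryEntries {
    # Every protected path under the chosen view, with its decoded flags.
    param([switch]$Wow6432)
    $Root = Get-TsRegistryEntriesRoot -Wow6432:$Wow6432
    if (-not (Test-Path -Path $Root)) { return }
    Get-ChildItem -Path $Root -Recurse | ForEach-Object {
        $Flags = (Get-ItemProperty -Path $_.PSPath -Name Flags -ErrorAction SilentlyContinue).Flags
        if ($Flags -ne $null) {
            $PathName = $_.Name -replace '^.*\\RegistryEntries\\', ''
            ConvertFrom-TsRegistryEntryFlags $Flags |
                Add-Member -MemberType NoteProperty -Name PathName -Value $PathName -PassThru
        }
    }
}

function Set-TsRegistryEntryFlags {
    # Creates or updates the entry for a path relative to HKCU\Software; 0x108 by default,
    # which is the value the text gives for Shell Folders.
    param(
        [Parameter(Mandatory = $true)][string]$PathName,
        [switch]$Wow6432,
        [int]$Flags = ($TsRegFlag32BitApp -bor $TsRegFlagAddOnly)
    )
    $Key = (Get-TsRegistryEntriesRoot -Wow6432:$Wow6432) + '\' + $PathName
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name Flags -PropertyType DWord -Value $Flags -Force | Out-Null
    ConvertFrom-TsRegistryEntryFlags (Get-ItemProperty -Path $Key -Name Flags).Flags
}

# Decode the default value the text quotes for Shell Folders.
ConvertFrom-TsRegistryEntryFlags 0x108 | Format-List

# What is already protected on this server, in the 64-bit and the 32-bit view.
Get-TsRegistryEntries          | Format-Table PathName, Flags, Is32BitApp, AddOnly -AutoSize
Get-TsRegistryEntries -Wow6432 | Format-Table PathName, Flags, Is32BitApp, AddOnly -AutoSize

# Protect a made-up 32-bit application's settings stored under HKCU\Software\Contoso\LineOfBiz:
# Set-TsRegistryEntryFlags -PathName 'Contoso\LineOfBiz' -Wow6432
```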

Populating the Shadow Key

How does this data get into the shadow key in the first place? The answer depends on the type of application installation. Applications that install from Microsoft Windows Installer files (MSIs) work differently from applications that install from .exe files, and the changes can have real implications for the way the shadow key captures registry settings.

DIRECT FROM THE SOURCE

Two Models for Application Installation on Windows Server 2008 R2
Ara Bernardi
Senior Software Development Engineer

Not all applications install in exactly the same way. The following information
describes how MSIs differ from applications that do not install from MSIs.

The Pre-MSI Model

In the pre-MSI model, applications are typically installed by running a custom
Setup.exe file or a common installation tool such as InstallShield. Such setups do not
visibly distinguish per-user configuration from per-machine configuration, so there
is no easy way for servers to capture the per-user related changes and propagate
such changes to each user’s hive. Therefore, installations are done in Install Mode,
which records any registry key operation in that session, no matter what process
makes the changes. For example, if the administrator decides to change his or her
home page while installing an application in Install Mode, that change will also be
recorded. Therefore, it is important not to take any actions while an installation
is ongoing that do not pertain directly to the installation. When the installation
finishes, the session should be put back into Execute Mode.

The related commands are Change user /install and Change user /execute.
The “recording” of registry key changes is saved in the registry under HKLM\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\
Software.

While in Install Mode, changes to the Start menu are also tracked, and then those
changes are moved to the public menu so that shortcuts are visible to all users.

When a user logs on, Userinit.exe checks to see if the user’s hive under HKCU\
Software has or is missing keys from the equivalent path above. If anything is
added, or changed, it compares the two paths and takes appropriate action by
adding keys/values from the HKLM path.

The MSI Model

Applications with MSI-based setup install differently. Since the advent of MSI, a
centralized service is now responsible for installation, so there is no need to track
registry key changes made by any or all programs in a session. Instead, we need to
track only the registry key changes made by the MSI infrastructure. Additionally,
MSI has options to make per-user installation appear as a global installation for all
users (although this is mostly limited to user interface elements such as the Start
menu or Desktop shortcuts). Since applications continue to install registry keys (in

When you run an MSI file to install an application, this action sends a message to the TSAppCompat component to prepare for installation. This component then creates a snapshot of HKCU\.Default\Software and saves it.

Now, the TSAppCompat component checks the contents of HKCU\.Default\Software to compare the before and after versions, including all insertions, deletions, and changes. Having done so, it creates a delta of all the changes. This delta is what now populates the shadow key.

Only the contents of HKCU\.Default\Software are monitored. If the MSI starts another DLL (an infrequently used option), then the effects of that DLL will be ignored.
The Change user command that comes with RDS and used when you run an installation routine such as Setup.exe is another matter. When you put the RD Session Host server session into Install Mode with the command Change user /install, a different component named Advapi32 monitors all registry changes—all changes, not just the changes that have anything to do with installing the application. So long as the server is in Install mode, then the changes are recorded and copied to the user profile when they log on. For example, if you change the home page for Internet Explorer, you’ll be recording this data and changing it for everybody.
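The Install Mode sequence for a Setup.exe-style installation, as an added example that is not from the book: it switches modes with the built-in Change user command, confirms the mode with Change user /query, and reports which shadow key paths appeared as a result. The installer path is made up, the function names are the example’s own, and the parsing of the /query output is this example’s assumption.

```powershell
# Added example, not from the book. Wraps a legacy Setup.exe installation in
# 'change user /install' ... 'change user /execute', verifies the mode through
# 'change user /query', and lists which shadow key paths were created by the install.
# Assumptions: the installer path is made up; 'change user /query' reports the words
# INSTALL or EXECUTE in its output (parsed by Get-TsUserMode below).

function Get-TsUserMode {
    $Text = (& change.exe user /query 2>&1) | Out-String
    if ($Text -match 'INSTALL') { return 'Install' }
    if ($Text -match 'EXECUTE') { return 'Execute' }
    throw "Unexpected output from 'change user /query': $Text"
}

function Get-TsShadowKeyPaths {
    # Subkey names under both shadow keys (64-bit and Wow6432Node) so a delta can be taken.
    $Roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software'
    )
    foreach ($Root in $Roots) {
        if (Test-Path -Path $Root) {
            Get-ChildItem -Path $Root -Recurse | ForEach-Object { $_.Name }
        }
    }
}

function Invoke-TsInstallModeSetup {
    param(
        [Parameter(Mandatory = $true)][string]$InstallerPath,
        [string[]]$ArgumentList
    )
    if ($InstallerPath -match '\.msi$') {
        # MSI installs are captured by TSAppCompat; Install Mode is for Setup.exe-style installers.
        Write-Warning 'MSI packages are tracked by TSAppCompat; Install Mode is meant for Setup.exe-style installers.'
    }
    if ((Get-TsUserMode) -eq 'Install') {
        throw 'The session is already in Install Mode; finish that installation first.'
    }

    $Before = @(Get-TsShadowKeyPaths)
    & change.exe user /install | Out-Null
    if ((Get-TsUserMode) -ne 'Install') { throw "'change user /install' did not switch the session to Install Mode." }
    try {
        # Advapi32 records every registry change made in this session while in Install Mode,
        # not just the installer's, so nothing else is done here until Setup has finished.
        $StartArgs = @{ FilePath = $InstallerPath; Wait = $true; PassThru = $true }
        if ($ArgumentList) { $StartArgs.ArgumentList = $ArgumentList }
        $ExitCode = (Start-Process @StartArgs).ExitCode
    } finally {
        # Always return to Execute Mode, even if the installer failed, so later changes are not recorded.
        & change.exe user /execute | Out-Null
    }

    $After = @(Get-TsShadowKeyPaths)
    $NewKeys = @($After | Where-Object { $Before -notcontains $_ })

    New-Object PSObject -Property @{
        ExitCode      = $ExitCode
        UserMode      = (Get-TsUserMode)
        NewShadowKeys = $NewKeys
    }
}

# Usage with a made-up installer path:
# Invoke-TsInstallModeSetup -InstallerPath 'D:\Packages\LegacyApp\Setup.exe' -ArgumentList '/silent'
```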

Summary
This chapter has discussed the essentials of setting up a Remote Desktop Session Host server infrastructure. By now, you should be familiar with how RD Session Host servers create sessions, validate user logons, and issue licenses to authorized users or computers.
Best practices for RD Session Host server configuration include the following:
■ When configuring more than one server, use Group Policy, not the RD Session Host Configuration tool. When adjusting settings on a per-server basis, it’s too easy to introduce inconsistencies among servers, and inconsistencies now can lead to a lot of troubleshooting later.
■ DFSS evenly distributes processor time across user sessions; you need to use WSRM only if giving some users greater priority than others.
■ Do not use the memory management features of WSRM on an RD Session Host server.
■ Install the Desktop Experience feature to enable Plug and Play redirection.
■ Use the BPA to check RD Session Host settings.

Additional Resources
The following resources contain additional information and tools related to this chapter:
■ To learn more about setting up Group Policy objects for managing user settings, see Chapter 6, “Customizing the User Experience.”
■ To learn more about how to manage RD Session Host servers as a group, see Chapter 9, “Multi-Server Deployments.”
■ For more details about related Windows Server 2008 R2 architecture, see Chapter 2, “Key Architectural Concepts for Remote Desktop Services.”

CHAPTER 4

Deploying a Single Remote Desktop Virtualization Host Server
■ What Is VDI?  175
■ How Microsoft VDI Works  178
■ Installing Supporting Roles for VDI  188
■ Using RemoteApp for Hyper-V for Application Compatibility  218

Prior to Windows Server 2008 R2, Virtual Desktop Infrastructure (VDI) was not part of Microsoft’s presentation remoting package [even though Microsoft technology in the form of Remote Desktop Protocol (RDP) and the Windows operating system was used to enable another company’s VDI solution]. In this chapter, you will learn about this new role, how it works, and how to set it up for a single-server deployment. (Deploying multiple RD Virtualization Host servers works the same way as deploying one. Although SCVMM is out of scope for this book, it will help you manage VMs across multiple hosts. See http://www.microsoft.com/systemcenter/en/us/virtual-machine-manager.aspx for more information on SCVMM.)

What Is VDI?
But first, what is VDI?
At its most basic, Virtual Desktop Infrastructure (VDI) is a deployment design that puts the user desktop on a virtual machine (VM) in the datacenter, rather than on the physical computer at someone’s desk. Some degree of connection and image management is usually implied in VDI.
Speaking generally, VDI can range in complexity, as follows:
■ Example 1  One VM assigned to each person with a virtual desktop, with that person connecting to that desktop via the Remote Desktop Connection (RDC) client, specifying the desktop’s name or Internet Protocol (IP) address.

■ Example 2  A personal desktop assigned to a user, but the user doesn’t have to know what the VM’s name is—just that he or she wants to connect to the machine.
■ Example 3  A pool of desktops available to a set of users on a temporary basis.
A few things vary with the different kinds of complexity:
■ The discovery process
■ The user control over the VM
■ The ease of delivery
First, there’s the process of discovering and connecting to the right VM. In the first example, it’s obvious. You go to the desktop that you have specified by name in the RDP file and hope that the VM is turned on. In the second and third examples, there must be some intelligence somewhere to get you to the right endpoint and make sure the VM is ready to accept connections.
The degree of administrative control also varies with the type of VDI. In the first two examples, one user will always use the same VM. As the IT manager, you can allow that user whatever degree of control over this virtual desktop that you see fit. In the pooled case, users can’t alter the shared pool of desktops. If they did, they’d either lose whatever changes they made (if you’d configured the VM to discard changes and roll back to its saved state at logoff) or they’d be messing up the VM for the next user (if you hadn’t).
Finally, the VDI delivery models differ in how easy it is to personalize the VM and the applications installed on it. Again, the first two models make it easy. Even if you don’t allow users to install their own applications, the VMs can still have a specific set of applications designed for a specific user’s needs. The pooled model makes it difficult to support much personalization because all VMs in the pool must have the right applications for all people who use them, and personal installs don’t work in this model.

NOTE  App-V can offer some degree of personalization. For more information on App-V,
see http://www.microsoft.com/systemcenter/appv/default.mspx.

If the VMs in a pool are assumed to be homogeneous, personal changes will lead to user confusion.
In the end, though, it’s all VDI: putting a client operating system on a VM to be accessed remotely. The steps required for the user to find the VM, the degree of customization the user can make, and level of user control over this VM are the variables.
One more thing about Microsoft VDI. It’s not just about a single role service. Although the Remote Desktop Virtualization Host (RD Virtualization Host) role service is essential to enabling this VDI model, it’s complemented by two other role services. As shown in Figure 4-1, RD Web Access displays the VM icons for users to discover, and RD Connection Broker gets a user to the right endpoint based on the kind of connection requested and the load balancing rules in place. Even the RD Session Host gets involved in a small way. This role service supports the redirector, an essential piece required for sending connection requests to RD Connection Broker.

Active Directory Domain Services (AD DS) also plays a key part in supporting VDI. AD DS stores the user account objects that the RDS roles can use to see what the user should see when they log into RD Web Access (since not all users might have access to all pools). The user account objects also store the mappings for personal desktops to users, as applicable.

FIGURE 4-1  Role services support Microsoft VDI. (Diagram: User 1 through User n connect through an RD Session Host in redirection mode to RD Connection Broker, which sends each user either to a personal desktop, VM_User1 through VM_User6, by the IP address of the personal desktop, or to DesktopPool1, made up of Pooled VM 1 through Pooled VM 6; the VMs run on RDVH1, RDVH2, and RDVH n, and AD DS holds the assignments the broker looks up.)

NOTE  The information in the rest of this chapter explains exactly how a user ends up con-
nected to their requested VM. For now, the key take-away is that all of the role services in
Figure 4-1 play a part in the process.

What isn’t VDI? VDI isn’t just about virtualizing existing desktops, or using a tool such as System Center Virtual Machine Manager (SCVMM) to image a desktop computer and move it into the data center. It’s true that there is a small amount of benefit in running a desktop from a VM. It’s easy to back up and therefore to restore, so a crashed desktop computer doesn’t block a user from working. Fundamentally, though, there’s a lot more benefit in viewing VDI as part of a strategy for reducing management costs than in just putting desktops in the data center. Done well, VDI can reduce some operating costs; but done poorly, it becomes a somewhat more expensive way of having physical desktops with a good local backup.

How Microsoft VDI Works

The first sort of VDI—the one that has each user with an RDP file connecting to a single VM by name—isn’t really part of Microsoft’s version of VDI. This is mostly because it’s both very simple to set up and very hard to manage on any kind of scale. All you have to do to get this model working is install Hyper-V and then set up some VMs for people to use, but there are no tools to manage the VMs, the connections, or ensure that the VMs are ready to accept connections when people want to use them.
Microsoft VDI is designed for connecting to pooled and personal VMs. Pooled VMs are available to anyone who is a member of the Remote Desktop Users group on each VM, and personal desktops are assigned to users in AD DS and available only to the person to whom they’re assigned. To support this display of and connection to personal and pooled VMs, the RDS components include the following:
■ A publishing infrastructure to assign VMs or the use of a pool to people (optional)
■ A connection broker to route the connection request to the most appropriate VM
■ A redirector (an RD Session Host in redirection mode) to send the connection to the connection broker
■ The VM Host agent on the RD Virtualization Host to prepare the VMs for connections
■ A Hyper-V hypervisor on the RD Virtualization Host
■ A client component that displays the user’s set of VMs (and RemoteApp programs)
■ AD DS to store the information about which users have personal desktops assigned to them and a place to look up the user SID so that RD Web Access can determine which VM pools a user should see

NOTE  The publishing infrastructure is optional, but it makes connection management easier. Publishing RemoteApp programs and VMs is discussed in more detail in Chapter 9, but the basic story is that the publishing infrastructure handles the chores of updating RDP files and getting them to users as you add more resources or delete existing ones. Without the publishing service, you’d have to keep sending users updated RDP files.

The terminology can get a little tricky. For example, when you’re talking about connecting to a client operating system running in a VM, which one is the client? When discussing VDI, use the following terms to explain what’s happening:
■ The computer that is running the RDC client and that someone sits in front of is called the client. This is consistent with terminology when connecting to a session.
■ The VM that this person is connecting to is the endpoint, or the guest (a guest of the RD Virtualization Host it’s running on). A session on an RD Session Host can also be an endpoint.
■ Preparing a VM to be used (for example, bringing it out of hibernation) is called orchestration.
■ Moving a VM to a new RD Virtualization Host is called placement. Placement is not part of the basic RDS VDI solution but might be supported via a filter plug-in.
The rest of this chapter covers the mechanics of how you install and configure the RDS roles required to support VDI. For now, the focus is on the mechanics of how people discover personal desktops and pooled VMs, and how the connections they make get to the appropriate endpoints.

The Central Role of the RD Connection Broker


Without the RD Connection Broker, there is no VDI. As shown in Figure 4-2, the RD Connection Broker is central to the operation of this feature—the “brain.” It keeps track of client connections to personal and pooled VMs, determines the kind of connection a user is requesting, and finds the right endpoint for the request.
From the perspective of the RD Connection Broker, it does not matter how a client makes a connection request. Someone can request a connection by clicking an icon in RD Web Access, starting an RDP file from the desktop or a network share, by manually using Remote Desktop Connection (RDC), or by connecting to RemoteApp and Desktop Connections on the client running Windows 7 and clicking an icon on the Start menu. In all these cases, the request is brokered by RD Connection Broker. RD Connection Broker works with RDP clients back to RDP 5.2 (which was available for Windows XP SP2 and Windows Server 2003), so the vast majority of Microsoft RDP clients are supported.
It also does not matter to the RD Connection Broker on which RD Virtualization Host the VM resides. RD Connection Broker is capable of keeping track of multiple RD Virtualization Hosts, as well as all their personal and pooled VMs, even if those pools span multiple servers.
[Figure 4-2 diagram: Personal VMs and Virtual Desktop Pools on the RD Virtualization Host; the RD Connection Broker; an RD Session Host in redirection mode; Windows 7 clients reaching the redirector via RD Web Access (RDWA Feed), an RDP File, Remote Desktop Connection, or RemoteApp and Desktop Connection (RADC). Clients request a connection to a personal or pooled VM via RD Web Access, pre-defined RDP File, Remote Desktop Connection, or RemoteApp and Desktop Connection.]

FIGURE 4-2  RD Connection Broker is in charge of connecting users to personal and pooled VMs.
Discovering a VM
The first step of using a VM is discovering that a VM exists. To allow users to discover VMs, the administrator assigns a personal desktop or creates a VM pool from the RemoteApp and Desktop Connections Manager on the RD Connection Broker. When an administrator assigns a personal VM, this assignment is recorded in the user account properties in AD DS. (Active Directory in both Windows Server 2008 and Windows Server 2008 R2 supports this user account property.) Both personal and pooled VMs are added to the publishing feed that populates both Remote Desktop Web Access and RemoteApp and Desktop Connections on clients running Windows 7. This publishing feed is customized for each user’s security credentials, so that one user does not see another’s personal desktop. RemoteApp program display is also filtered according to which users have permission to use which applications. That said, all VM pools are visible to all consumers of the feed.
When a user—let’s call her Kim Akers—navigates to the RD Web Access page, she’s prompted for her credentials. Those credentials go to the publishing service on RD Connection Broker, which then looks them up in AD DS to determine what resources—RemoteApp programs and VMs—have been assigned to those credentials. The browser will then display a filtered look of the RemoteApp programs and VMs to which Kim has access. Again, Kim will see all the pools.
If Kim were connecting to the feed through RemoteApp and Desktop Connections on the client running Windows 7, the process would be pretty similar. The main difference is that Kim would see the VM (as well as RemoteApp icons to which she has access) in a folder on her Start menu. Conceptually, her connection process looks like Figure 4-3.

[Figure 4-3 diagram: (1) Kim Akers’ user credentials go to TScPubRPC (the RemoteApp and Desktop Connection Management Service) on the RD Connection Broker; (2) a user SID check is made against AD DS; (3) the filtered user resources are returned to Kim Akers. Kim Akers Resources: kim.akers Personal VM, RemoteApp 1, RemoteApp 3, RemoteApp 6, VM Pool X.]

FIGURE 4-3  How VM discovery works.
NOTE  It’s also possible to save an RDP file that points to a personal VM or pool and
email that file to someone or put it on a network share. If you do that, the connection
process will be the same, but users can skip the discovery step (the process of finding
out what VMs are available to you). Distributing RDP files manually saves a few steps in
publishing but complicates the process of updating available resources, especially in large
environments.

Brokering a Connection
Kim initiates the brokering phase by clicking the personal desktop or pooled VM icon. At this point, she’s requested a type of resource, like access to a VM pool, and the brokering must get her to the most appropriate location based on the server load and what she’s asked for. The RD Connection Broker is built to be flexible both in terms of determining what kind of resource Kim wants to connect to (a VM or a session) and the rules governing which connection is most appropriate. It does this by using a couple of different kinds of plug-ins: resource plug-ins, which are used for a specific kind of resource, and filter plug-ins, which are used in combination with a particular resource plug-in to tweak the rules governing which resource is chosen and what happens to prepare it for a connection. The brokering service communicates with the resource plug-ins to engage them as appropriate for the type of connection. It also gets the VM IP address back from the VM resource plug-in to inform the client of its final endpoint. See Figure 4-4 for a diagram of the relationship between the component parts.

[Figure 4-4 diagram: the Brokering Service checks its cache of user sessions and engages either the SESSION PLUG-IN (Farm Logic, Load Balancing) or the VM PLUG-IN (Farm Logic with Load Balancing; Machine Logic with Placement and Orchestration), backed by the Connection Broker Database.]

FIGURE 4-4  The Brokering service on the RD Connection Broker engages with the appropriate resource plug-in.

RD Connection Broker comes with two resource plug-ins: a session plug-in used for connecting to RD Session Host servers and a VM plug-in used to connect to personal and pooled VMs. Each of these resource plug-ins comes with built-in internal logic that the RD Connection Broker uses to determine where a connection should go and how it’s made ready to accept connections. By default, the VM plug-in will distribute VM requests evenly among all RD Virtualization Host servers available. Because our basic scenario includes only a single server, all connections will go there, but if more were available, then it would use a round-robin technique to distribute the VM requests. Resource plug-ins are stored on the RD Connection Broker in HKLM/System/CurrentControlSet/Services/Tssdis/Parameters/Resource.
Figure 4-5 shows the settings for the VM resource plug-in. (This RD Connection Broker has only the VM Resource plug-in because there are currently no RD Session Host farms configured on it.) The value for IsEnabled must be 1 for the plug-in to function, and the system must be able to identify the plug-in by name, class ID (the unique identifier for a COM object), and provider.

FIGURE 4-5  Built-in VM resource plug-in.

Although RDS comes with only two plug-ins (again, the RD Session Host plug-in doesn’t show here because this RD Connection Broker is not connected to an RD Session Host farm), independent software vendors (ISVs) can implement resource plug-ins for other kinds of endpoints as well, such as blade PCs or physical desktops. The brokering logic used to connect to and prepare those resources would depend on how the ISV had implemented the resource plug-in and the rules that were included. These rules could be built into the resource plug-ins or implemented as filter plug-ins to the main resource plug-in, as the ISV saw fit.
To change the default behavior of the resource plug-in, you’d add a new filter plug-in and associate it with that resource plug-in. For example, you might want to change the way that load balancing works. Rather than sending VM requests to each RD Virtualization Host in turn, an ISV might create a product to send them to the host server with the lowest processor stress, or the lowest number of currently running VMs. In that case, the ISV doesn’t have to change the underlying logic to connect to a VM—just the rules by which it happens. Filter plug-ins can control behavior for load balancing (picking the right endpoint), orchestration (readying a VM for a connection), or placement (putting a VM on a host). Filter plug-ins are stored on the RD Connection Broker in HKLM/System/CurrentControlSet/Services/Tssdis/Parameters/Filter.
Each filter plug-in is associated with a single resource plug-in, and more than one filter plug-in can be active at one time. To determine which filter plug-in’s rules will prevail in case of a conflict, you can set priority when implementing the filter plug-in. Filter priority is set in HKLM/System/CurrentControlSet/Services/Tssdis/Parameters/Filter/n, where n is a whole number greater than 0.
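Because a filter plug-in rewrites the rules by which the broker picks and prepares an endpoint, the two registry locations above are worth inventorying on any RD Connection Broker you administer. The following script is an added example (not code from the book or from RDS itself) that lists every registered resource and filter plug-in and flags enabled filters. It assumes only the key layout and the IsEnabled value named in the text; the other value names (name, class ID, provider) are read generically because the book does not spell them out, and the subkey name under Filter is treated as the priority n.

```powershell
# Added example: inventory RD Connection Broker plug-in registrations.
# Registry layout assumed from the chapter:
#   HKLM\System\CurrentControlSet\Services\Tssdis\Parameters\Resource\<plug-in>
#   HKLM\System\CurrentControlSet\Services\Tssdis\Parameters\Filter\<n>
$base = 'HKLM:\System\CurrentControlSet\Services\Tssdis\Parameters'

function Get-RdcbPlugin {
    param([ValidateSet('Resource', 'Filter')][string]$Kind)

    $root = Join-Path $base $Kind
    if (-not (Test-Path $root)) { return }   # key absent: nothing of this kind is registered

    foreach ($key in Get-ChildItem $root) {
        $p = Get-ItemProperty $key.PSPath
        # Every value other than the PowerShell bookkeeping ones and IsEnabled is reported
        # as-is, since the book only names IsEnabled explicitly.
        $others = $p.PSObject.Properties |
                  Where-Object { $_.Name -notlike 'PS*' -and $_.Name -ne 'IsEnabled' } |
                  ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }
        [pscustomobject]@{
            Kind      = $Kind
            Name      = $key.PSChildName       # for filters this is the priority number n
            IsEnabled = [int]$p.IsEnabled      # must be 1 for the plug-in to function
            Values    = ($others -join '; ')
        }
    }
}

$plugins = @(Get-RdcbPlugin -Kind Resource) + @(Get-RdcbPlugin -Kind Filter)
$plugins | Format-Table -AutoSize

# Review aid: an enabled filter plug-in changes routing, orchestration or placement rules,
# so each one should be a known, deliberately installed product.
$plugins | Where-Object { $_.Kind -eq 'Filter' -and $_.IsEnabled -eq 1 } | ForEach-Object {
    Write-Warning ("Enabled filter plug-in, priority {0}: {1}" -f $_.Name, $_.Values)
}
```

On the single-server scenario in this chapter the Filter key is normally absent and the Resource key holds only the VM plug-in, so an empty warning list is the expected result; anything beyond that should be traceable to an ISV product you installed.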

Orchestrating a VM
Discovery and brokering get a user 95 percent of the way to a working VM, but not 100 percent. The final stage is orchestration, which means to make the VM ready for connections. Orchestration is an important step. Without it, the VM would have to be constantly on, waiting for a connection. Orchestration makes it possible to put a VM to sleep and wake it up on demand, saving hardware resources on the host.

NOTE  Although the Microsoft VDI model also supports placement, RDS alone doesn’t
implement placement; add-ons might. If you’re using RDS only, then the VMs you run will
need to be on the hosts where they will be running.

As shown in Figure 4-6, during orchestration, the VM Host Agent finds a VM on the RD Virtualization Host that doesn’t already have a connection and wakes it. You can watch this from Hyper-V Manager. A sleeping VM will wake up and be ready to accept incoming connections. The key part of this is the VM Host agent—without that, the hypervisor has no way to know that it needs to wake up the VM. The WTS application programming interface (API) shown here is for managing the VM sessions. In Chapter 11, “Managing Remote Desktop Sessions,” you will learn more about how you can use tools built on this API to interact with sessions and VMs.

[Figure 4-6 diagram: a VM Host running guest VMs, each reached through the WTS API; the VM HOST AGENT is responsible for waking and monitoring VMs.]

FIGURE 4-6  The VM Host Agent wakes up and monitors the VMs on the RD Virtualization Host.
Connecting to a VM Pool
When Kim gets the icon representing the VM pool or personal desktop, she can click it to initiate the connection process. Let’s start with the pooled VM case (shown in Figure 4-7) and assume that she is making a new connection and does not have any disconnected sessions available. Kim would proceed with the following steps:
1. Kim clicks the icon representing the VM pool. Doing so opens the RDP file associated with that icon, which then populates the fields of MSTSC.DLL with the information in the RDP file. MSTSC.DLL sends this connection request to the redirector. (The redirector is an RD Session Host server that has been configured not to accept incoming connections, but only forward requests to the RD Connection Broker.)
2. The redirector sends the request to the RD Connection Broker. Although broken out as separate machines in Figure 4-7, to better illustrate the connection process, the RD Connection Broker can be on the same server as the redirector, and this is in fact recommended.
3. The RD Connection Broker inspects the information that MSTSC.DLL sent and learns that Kim is attempting to connect to a VM and the VM is a pooled VM. The RD Connection Broker activates the VM resource plug-in. Knowing that Kim requested a VM pool, the RD Connection Broker checks its connection database to see whether Kim already has a disconnected session on a VM in the pool. It knows this because the VM Host Agent on each RD Virtualization Host updates the RD Connection Broker when a VM’s state changes.
4. Having found a VM Host, the VM plug-in sends a request to the VM Host agent on the RD Virtualization Host server and asks that the VM be prepared for Kim’s connection.
5. The VM Host agent orchestrates the VM (and restores it to a ready state if it is hibernating) and, when it’s ready, gets its IP address.
6. The VM Host agent passes the IP address to the RD Connection Broker.
7. The RD Connection Broker sends the IP address to the redirector.
8. The redirector sends the IP address to the client from which Kim made the original request.
9. Kim is seamlessly disconnected from the RDP connection to the redirector and reconnected to the VM using the IP address that the redirector sent to her computer.

[Figure 4-7 diagram: Kim.Akers (1) connects to the RD Session Host in redirection mode, which (2) forwards the request to the RD Connection Broker (Session Plug-in, VM Plug-in); (3) the VM Plug-in selects the RDVH Server and (4) asks it to prepare one of Pooled VM 1, Pooled VM 2 or Pooled VM 3; (5) the VM is orchestrated, (6) its IP address is returned to the broker and (7) passed back to the redirector and on to the client.]

FIGURE 4-7  Kim Akers connects to a VM pool.

How did the RD Connection Broker determine that Kim wanted to connect to a pooled VM? The answer lies in the RDP file she was using. The following line entry contained in the RDP file connects a user to a pooled VM because of the 1 after vmresource and the Pool ID. The Pool ID is the way that the RDP file and RD Connection Broker identify the pool, as opposed to the friendly name that people use:

loadbalanceinfo:s:tsv://vmresource.1.VM-POOL-ID-GOES-HERE

If the code included a 2 instead of a 1 and no Pool ID, that would have indicated a personal VM. However, because the default load balancing sends a user to a personal VM if he or she has one, this line isn’t really required for connecting to personal VMs.

Connecting to a Disconnected Session


If Kim had already had a session, this process would have changed slightly at Step 3. If Kim already has a session on a VM, there’s no need to do load balancing—you want her to return to the VM where she has that session so she can continue working. Therefore, in that case, the VM Plug-in will contact the VM Host agent on the RD Virtualization Host server where the VM is placed and ask it to ready the VM to accept connections. When it’s ready, the IP address will be returned to Kim’s computer, as described in the previous section.

Rolling Back a VM
Rolling back a VM means reverting a VM’s state to a prior point in time. This is done by taking a “snapshot” of the VM and then using it to return to the state the VM was in when the snapshot was taken. Think of a snapshot as a static picture of a VM. When a VM is rolled back, any changes made to the VM beyond the point when the snapshot was taken are reversed.
CAUTION  It’s best to snapshot a VM when it’s turned off, so that the VM doesn’t
preserve any temporary data that you don’t want to be part of the pooled VM. Do
ensure that the VMs are gracefully powered down; if you just turn the VM off in
Hyper-V instead of gracefully shutting down, then the VM will not start normally
and will show the boot menu to choose normal or safe mode.

Those who’ve used Terminal Services in the past to access sessions might wonder why rollback is an issue. When you’re done with a session, you just log off and, except for changes written to your profile, any changes that you made while the session was active are gone. This is because an RD Session Host server is, in best practice, properly locked down to avoid user changes to the system itself.
VMs in a pool are different, however. Each user who logs on to a particular VM will see the same VM that the previous user had, not a unique session on a server. So the changes made by one user (new application installs, and so on) will still be there when one user finishes and logs off and the next user connects to that VM. Therefore, the user experience over time could vary considerably from VM to VM because changes made (by each user) to the VMs in the pool would be retained. Troubleshooting would become more complicated, because a VM’s configuration would no longer be predictable. Enabling rollback on all the VMs in a pool ensures that any changes made to these VMs while a user was logged in will be discarded, thus maintaining a consistent environment for all users each time they connect to a VM in the pool.

CAUTION  Because any changes made while a user is logged on to the VM will be
discarded, it is very important to update VMs while they are not in use and to then
take another snapshot after this maintenance. Otherwise, those updates will also be
discarded.

Connecting to a Personal Desktop


Had Kim been attempting to connect to a personal desktop, the process would have changed slightly at Step 3 in Figure 4-7. If Kim clicks on the icon to log in to her personal desktop, the VM plug-in on the RD Connection Broker should make sure she connects to that VM. RD Connection Broker can determine that she’s asking for a personal desktop by adding the following line in the RDP file (either created by RD Web Access or stored in a saved RDP file):

loadbalanceinfo:s:tsv://vmresource.2

VMResource shows that she’s asking for a VM, and 2 indicates that a personal VM is requested. (A 1 signifies a pool.)
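The two loadbalanceinfo forms above (vmresource.1.PoolID for a pool, vmresource.2 for a personal desktop) are what the broker actually reads, so an administrator auditing the RDP files handed out to users can classify each file without opening it in a client. The function below is an added example, not code from the book or from RDS, that parses the line and reports the request type; the RDP contents it runs against are constructed here, and the Pool ID is the book’s own placeholder rather than a real pool.

```powershell
# Added example: classify an RDP file by its loadbalanceinfo line, as the chapter describes.
function Get-RdpVmResource {
    param([Parameter(Mandatory)][string[]]$RdpLines)

    # RDP files are "name:type:value" lines; loadbalanceinfo is a string ('s') setting.
    $lbi = $null
    foreach ($line in $RdpLines) {
        if ($line -match '^\s*loadbalanceinfo:s:(.*)$') { $lbi = $Matches[1].Trim(); break }
    }
    if (-not $lbi) {
        # No load-balance token: nothing for the VM plug-in, the broker treats it as a session.
        return [pscustomobject]@{ Kind = 'Session'; PoolId = $null; Raw = $null }
    }

    # tsv://vmresource.<1|2>[.<pool id>]; 1 = pooled VM (Pool ID required), 2 = personal VM.
    if ($lbi -match '^tsv://vmresource\.(?<kind>[12])(?:\.(?<pool>\S+))?$') {
        if ($Matches['kind'] -eq '1') {
            if (-not $Matches['pool']) { throw "Pooled VM request without a Pool ID: $lbi" }
            return [pscustomobject]@{ Kind = 'PooledVM'; PoolId = $Matches['pool']; Raw = $lbi }
        }
        return [pscustomobject]@{ Kind = 'PersonalVM'; PoolId = $null; Raw = $lbi }
    }
    return [pscustomobject]@{ Kind = 'Unknown'; PoolId = $null; Raw = $lbi }
}

# Constructed sample files (host name and pool ID are placeholders, not real systems).
$pooledRdp = @(
    'full address:s:redirector.contoso.example'
    'loadbalanceinfo:s:tsv://vmresource.1.VM-POOL-ID-GOES-HERE'
)
$personalRdp = @(
    'full address:s:redirector.contoso.example'
    'loadbalanceinfo:s:tsv://vmresource.2'
)

Get-RdpVmResource $pooledRdp     # Kind = PooledVM,   PoolId = VM-POOL-ID-GOES-HERE
Get-RdpVmResource $personalRdp   # Kind = PersonalVM, PoolId = (none)
```

Run it over a folder of saved RDP files (Get-Content on each, piped into the function) to confirm that files distributed by e-mail or a network share, which skip the publishing infrastructure’s updates, still point at the pool you intend.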

When Kim clicks the icon to connect to her personal desktop, she’s prompted for her credentials. When she provides her credentials to log on, she’s passing them to the RD Connection Broker. RD Connection Broker checks those credentials against Active Directory and finds the name of her personal VM, stored in her user account properties. After the personal VM is located, the VM plug-in on the RD Connection Broker will contact the VM Host where her personal desktop is located and prompt the VM Host Agent there to orchestrate the VM and return the VM’s IP address. The redirector returns the IP address to Kim, and the RDP client on her computer will silently disconnect from the redirector and reconnect to the personal VM.

Installing Supporting Roles for VDI


RD Virtualization Host is a new role service to RDS and is essential to Microsoft VDI, but, as discussed already, it doesn’t act alone. Without RD Web Access, there’s no easy way to discover the VM pool or personal desktop. Without the RD Connection Broker, there’s no way for a connection to get to the right VM and have the RD Virtualization Host wake it up. Without the supporting roles, RD Virtualization Host is essentially a hypervisor with some extra—and unused—capabilities.

NOTE  This implementation assumes that machines are domain joined and AD DS is avail-
able for user SID checks and RemoteApp and VM filtering.

Figure 4-8 shows a bird’s-eye view of what must happen to each role service and to the VMs to support Microsoft VDI. It is also available in the files Microsoft-VDI-Setup-Steps.vsd and Microsoft-VDI-Setup-Steps.xps on the companion media.
To support Microsoft VDI, you’ll need to do the following:
■ Install the RD Virtualization Host
■ Install and configure the RD Connection Broker (including the redirector on the same computer)
■ Install and configure RD Web Access to allow users to discover the VMs
■ Configure the VMs to work with VDI
■ Create pools and assign personal desktops as required
The next sections explain how to accomplish each of these steps.

[Figure 4-8 checklist, reconstructed from the diagram:

RDVH1
• Install RDVH Role Service
• Rename Personal VMs to match the VM computer name!
• Snapshot each pooled VM
• Rename each snapshot: RDV_Rollback

For every pooled or personal VM:
• Enable Remote Desktop and add users to Remote Desktop Users group
• HKLM/System/CurrentControlSet/Control/TerminalServer/AllowRemoteRPC = 1
• For RemoteApp for HyperV: HKLM/System/CurrentControlSet/Control/TerminalServer/fDenyTSConnections = 0
• Make Firewall Exception for Remote Service Management
• Set RDP Protocol Permissions

RD Session Host in Redirection Mode
• Install RDSH role service
Note: The RD Session Host will be put into redirection mode by the RD Connection Broker when you run the Virtual Desktops Wizard.

RD Connection Broker
• Install RD Connection Broker Service
• Add RD Web Access server to the TS Web Access Computers group (or add it to the RemoteApp and Desktop Connection Properties in the Remote Desktop Connection Manager)
• Run Virtual Desktops Wizard, specify: the RDVH server; the RDSH server as the Redirector; the RD Web Access server
• Run the Create Virtual Desktop Pool Wizard

RD Web Access
• Install RDWA Role service
• Add appropriate users to the TS Web Access Administrators group so they can manage the website (local administrators already have this right)
• Add the RD Connection Broker server as a “source”

Client PC
• Run RemoteApp and Desktop Connections from Control Panel; add the feed referencing the RDWA server: https://RDWA-Server-Name/RDWeb/Feed/webfeed.aspx]

FIGURE 4-8  Configuring role services to support Microsoft VDI
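The per-VM items in the Figure 4-8 checklist are the ones most often missed, and they are also the ones that widen the VM’s attack surface (Remote Desktop enabled, remote RPC allowed, a firewall group opened), so it pays to apply them deliberately and verify them. The script below is an added example, not code from the book or from RDS, to be run inside each pooled or personal VM as an administrator. It assumes that the key the checklist writes as TerminalServer is the Windows “Terminal Server” key (with a space), that “Remote Service Management” and “Remote Desktop Users” are the standard Windows firewall-group and local-group names, and that $UsersToAllow is a placeholder for your own accounts; “Set RDP Protocol Permissions” is left to the chapter’s GUI steps.

```powershell
# Added example: apply and verify the per-VM guest settings from the Figure 4-8 checklist.
param([string[]]$UsersToAllow = @('CONTOSO\VDI Users'))   # placeholder group, not a real one

$ts = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'

# 1. Enable Remote Desktop (fDenyTSConnections = 0) and allow remote RPC (AllowRemoteRPC = 1),
#    the two values named in the checklist.
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord
Set-ItemProperty -Path $ts -Name AllowRemoteRPC     -Value 1 -Type DWord

# 2. Grant logon only to the intended accounts via the local Remote Desktop Users group;
#    pooled VMs are shared, so keep this list to the people who should use the pool.
foreach ($u in $UsersToAllow) {
    net localgroup "Remote Desktop Users" $u /add | Out-Null
}

# 3. Firewall exception for the Remote Service Management rule group, as the checklist requires.
netsh advfirewall firewall set rule group="Remote Service Management" new enable=yes | Out-Null

# Verification: each property is $true only when the setting is in the expected state.
function Test-VdiGuestConfig {
    $p  = Get-ItemProperty -Path $ts
    $fw = netsh advfirewall firewall show rule name=all dir=in |
          Select-String -SimpleMatch 'Remote Service Management'
    [pscustomobject]@{
        RemoteDesktopEnabled     = ($p.fDenyTSConnections -eq 0)
        RemoteRpcAllowed         = ($p.AllowRemoteRPC -eq 1)
        RemoteServiceMgmtRules   = [bool]$fw
        RemoteDesktopUsersMember = (net localgroup "Remote Desktop Users") -contains $UsersToAllow[0]
    }
}
Test-VdiGuestConfig
```

Run Test-VdiGuestConfig again after you take the RDV_Rollback snapshot: because rollback discards everything changed since the snapshot, a setting applied afterwards disappears at the next logoff, which is the same trap the CAUTION about updates describes.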
Installing the RD Virtualization Host
Installing the RD Virtualization Host role service is simple. This feature depends on Hyper-V, so RD Virtualization Host is the only RDS role service that cannot be virtualized itself.
Assuming that no RDS roles are installed on the server, you will begin to install RD Virtualization Host by opening Administrative Tools/Server Manager and choosing Roles from the menu in the left pane. Click the Add Roles link. You’ll see the Before You Begin page; click Next when you are sure that you have met the recommendations to have a strong administrator password, have configured required Static IPs, and have installed the latest updates. From the Select Server Roles page, choose Remote Desktop Services from the list. You should see the Hyper-V role service already installed as shown in Figure 4-9 (if you don’t, you’ll be prompted to install it when you select the role service).

NOTE  If you have installed RDS on this server already, begin the process from the Add
Role Services link in the Role Status section of the Roles page in Server Manager. This will
skip the first couple of steps and take you directly to the Select Role Services page.

FIGURE 4-9  Hyper-V is a requirement for the RD Virtualization role service.

Click Next to open the Introduction To Remote Desktop Services page and then click Next again to open the Select Role Services page.
On the Select Role Services page, select the check box next to the Remote Desktop Virtualization Host role service and click Next, as shown in Figure 4-10.

FIGURE 4-10  Select the Remote Desktop Virtualization Host role service.

Confirm your installation selections on the next page and click Install. When the installation is complete, the Installation Results screen should indicate that the installation succeeded. Click Close.
Back in the Server Manager, browse to the Roles selection and highlight Remote Desktop Services, and you will see the Remote Desktop Virtualization Host Agent running in the System Services section, as shown in Figure 4-11. This agent is responsible for orchestrating VMs, so it’s essential to this role service’s function.

FIGURE 4-11  After the RD Virtualization Role Service is installed, the Remote Desktop Virtualization Host Agent service appears in the Server Manager.

At this point, the RD Virtualization Host is ready to support virtual desktop pools and personal desktops. Before setting those up, let’s continue by installing the broker.

Installing RD Virtualization Host Role Service via Windows PowerShell
To install RD Virtualization Host role service via Windows PowerShell, import the Servermanager module as follows:

Import-Module servermanager

Then run the Add-WindowsFeature command and reference the RD Virtualization Host role service as follows:

Add-WindowsFeature RDS-Virtualization

The RD Virtualization Host role requires the Hyper-V role, and it will be installed during this installation procedure if it is not already present. If your machine does not meet the requirements for Hyper-V, the installation of RD Virtualization Host role service will fail and show you this message:

Add-WindowsFeature : Hyper-V cannot be installed. The processor on this computer is
not compatible with Hyper-V. To install this role, the processor must have a supported
version of hardware-assisted virtualization, and that feature must be turned on in the
BIOS…
Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
False No Failed {}

Installing RD Connection Broker


Installing the RD Connection Broker role service is simple. The RD Connection Broker can be run on a VM if you’ve decided to virtualize your environment.
Assuming that no RDS roles are installed on the server, you will begin to install RD Connection Broker by opening Administrative Tools/Server Manager and choosing Roles from the menu in the left pane. Click the Add Roles link. You’ll see the Before You Begin page; click Next when you are sure you have met the recommendations to have a strong password, have configured required Static IPs, and have installed the latest updates. From the Select Server Roles page, choose Remote Desktop Services from the list.

NOTE  If you have installed RDS on this server already, begin the process from the Add
Role Services Link in the Role Status section of the Roles page in Server Manager. This will
skip the first couple of steps and bring you directly to the Select Role Services page.

Click Next to open the Introduction To Remote Desktop Services page and then click Next again to open the Select Role Services page.
On the Select Role Services page, select the check box next to Remote Desktop Connection Broker and click Next, as shown in Figure 4-12.
The RD Connection Broker requires an RD Session Host server configured in redirection mode (for the sake of convenience, we’ll call that server the redirector because that’s its job) to pass it incoming RDP connections. As discussed earlier, the RDP requests don’t go directly to the RD Connection Broker but to the redirector. For simplicity, set up the redirector on the same computer as the RD Connection Broker. To do this, also choose RD Session Host from the list shown in Figure 4-12.

FIGURE 4-12  The RD Connection Broker is a role service of RDS.

Confirm your installation selections on the next page and click Install. When the installation is finished, the Installation Results screen should indicate that the installation succeeded. Click Close. The RD Connection Broker is now installed and ready to be configured for pooled and personal VMs.
To install RD Connection Broker via Windows PowerShell, first import the Servermanager module as follows:

Import-Module servermanager

Then run the Add-WindowsFeature command and reference the RD Connection Broker role service as follows:

Add-WindowsFeature RDS-Connection-Broker

The results of a successful installation will look like this:

Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True    No             Success   {Remote Desktop Connection Broker}

To remove the RD Connection Broker role service via Windows PowerShell, use this command:

Remove-WindowsFeature RDS-Connection-Broker
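When the role services are installed from a script rather than typed in one at a time, the Success, Restart Needed and Exit Code columns shown in the two outputs above should be checked programmatically instead of eyeballed. The function below is an added example, not code from the book, that wraps the same Servermanager cmdlets: it skips features that are already present, reports failures such as the Hyper-V prerequisite error shown earlier, and warns when a restart is pending. It uses only the feature names the chapter gives (RDS-Connection-Broker, RDS-Virtualization) and assumes Windows Server 2008 R2 with the servermanager module available.

```powershell
# Added example: install RDS role services idempotently and check the result object.
Import-Module servermanager

function Install-RdsRoleService {
    param([Parameter(Mandatory)][string[]]$Feature)

    foreach ($f in $Feature) {
        $state = Get-WindowsFeature -Name $f
        if (-not $state) { Write-Warning "Unknown feature name: $f"; continue }
        if ($state.Installed) { Write-Host "$f is already installed"; continue }

        $r = Add-WindowsFeature -Name $f
        if (-not $r.Success) {
            # For RDS-Virtualization the usual cause is a host without hardware-assisted
            # virtualization enabled in the BIOS, as the chapter's error text shows.
            Write-Warning ("{0} failed, exit code {1}" -f $f, $r.ExitCode)
            continue
        }
        Write-Host ("{0}: installed {1}" -f $f, ($r.FeatureResult -join ', '))
        if ("$($r.RestartNeeded)" -eq 'Yes') {
            Write-Warning "$f needs a restart before it can be configured"
        }
    }
}

# On the broker machine in this chapter's scenario:
Install-RdsRoleService -Feature 'RDS-Connection-Broker'
# On the Hyper-V host that will become the RD Virtualization Host:
# Install-RdsRoleService -Feature 'RDS-Virtualization'
```

Because Get-WindowsFeature is consulted first, the function can be re-run safely on a server that already has the role service, which makes it suitable for a build script that is applied more than once.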

Configuring RD Web Access
RD Web Access is instrumental to discovering VMs, but its scope goes beyond that to include RemoteApp programs, VMs, full desktop sessions, and even physical desktops. For more information on how to install and configure this role service for different scenarios, see Chapter 9. For this circumstance, we will assume that you have installed the role service and want to configure it to serve VMs only.
To publish pooled and personal VMs via RD Web Access, the role service needs to be configured with a source for which the website will display personal and pooled VMs. For this scenario, you need to configure RD Web Access to pull information from RD Connection Broker, so the first thing that you need to do is add the RD Web Access server to the TS Web Access Computers group on the RD Connection Broker server. After you have done this, it’s time to configure RD Web Access from the website itself. Access it by doing either of the following:
■ Select the Remote Desktop Web Access Configuration tool listed in the Remote Desktop Services folder in Administration Tools.
■ Open Windows Internet Explorer and type the following URL:

https://servername/RDWeb

where servername is the name of your RD Web Access server. You can also substitute localhost for the server name if you are accessing the website from the server itself.
A fresh install of the RD Web Access website will configure the site as a secured site using Hypertext Transfer Protocol Secure (HTTPS), and it will have a Secure Sockets Layer (SSL) certificate assigned to it automatically. The certificate will be a self-signed certificate, with the server FQDN representing the certificate common name. For example, if you were to install RD Web Access on a server called Colfax.lash.local, the self-signed certificate assigned to the site is made for Colfax.lash.local and signed by Colfax.lash.local. However, accessing the site by either of these methods will produce an error page that says the following:

The security certificate presented by this website was not issued by a trusted
certificate authority.
The security certificate presented by this website was issued for a different website's
address.
Security certificate problems may indicate an attempt to fool you or intercept any data
you send to the server.

Th s s expected behav or; the cert ficate ass gned does not have a common name that s
referenced n the URL opened by the RD Web Access Configurat on too ( t uses oca host n-
stead of the server FQDN), nor s the cert ficate trusted by defau t C ck the Cont nue To Th s
Webs te nk and you w get a ogon screen

NOTE  Chapter 10, “Making Remote Desktop Services Available from the Internet,” ex-
plains how to avoid this error.

Installing Supporting Roles for VDI   Chapter 4 195
Members of the local administrators group are allowed to configure RD Web Access by default, so log on with an administrator account, as shown in Figure 4-13.

FIGURE 4-13  Log on to the RD Web Access website.

Enter your user name in the form of domain\user name, enter your password, and click Sign In.

NOTE  In the security section of this page, you have the option of selecting whether you are accessing this website from a public or private computer. If you choose the option This Is A Public Or Shared Computer, then the timeout for the website login is shorter than if you choose the option This Is A Private Computer.

Next, you will be taken to the Configuration tab of the website, as shown in Figure 4-14.
196 Chapter 4  Deploying a Single Remote Desktop Virtualization Host Server
FIGURE 4-14 Add a source for RemoteApp programs and desktops to RD Web Access.

When you access personal and pooled VMs, you must specify an RD Connection Broker server as the source because this is the server that is aware of those personal VM assignments and VM pools. Select the An RD Connection Broker Server option and enter the fully qualified domain name (FQDN) of the RD Connection Broker server. Click OK.

Configuring the RD Connection Broker Server

After you have the role services installed that this VDI solution requires, it's time to do some basic configuring of the RD Connection Broker server. This role service depends on the availability of other RDS role services to do its job, so you need to tell the server about these other role services. The Configure Virtual Desktops Wizard walks you through this configuration. It will prompt you for the following information:

■ The name of the RDSH redirector from which it will be receiving incoming requests, and to whom it will be sending fulfilled request information.
■ If you need to provide redirection for clients using RDC 6.1 or earlier, then you will provide the alternative server name, which basically is the same redirector server, but uses a different issued Domain Name System (DNS) host record.
■ If you will require connections to go through RD Gateway, then you will provide this RD Gateway information (you'll find out more about this in Chapter 11).
■ If you will sign the RDP files created for pooled and private desktop connections, you will provide the digital certificate used to sign these files (discussed in more detail in Chapter 8, “Securing Remote Desktop Protocol Connections”).

Start the wizard by clicking the Configure Virtual Desktops link in the Actions pane of the Remote Desktop Connection Manager. As shown in Figure 4-15, this will open the wizard's Before You Begin page.

FIGURE 4-15  The Before You Begin page tells you the information that you will be providing in the following pages.

Click Next to select the RD Virtualization server(s) that will support your VM pools and personal desktops, as shown in Figure 4-16. You can use one or more RD Virtualization Host servers to support the pool.

FIGURE 4-16  Provide the names of the RD Virtualization servers that will provide personal and pooled VMs.

After choosing the RD Virtualization Host server, click Next to configure the redirection settings, as shown in Figure 4-17.

FIGURE 4-17  Provide the name (and the alternative name, if you want) of the RD Session Host redirector.

Add the name of the redirector (this can be the same machine as the RD Connection Broker if you chose to install the two role services on the same machine). If you need to support clients using RDC 6.1 or earlier, add an “alternative server name” to make this work. You create an alternative name by adding another Host record (an A or AAAA record) to DNS with a unique name that points to the IP address of the RD Session Host server that is in redirection mode. For example, Figure 4-17 shows that the alternative name for the redirector server is pyramid-vmredir, so the DNS entry added to DNS would be pyramid-vmredir.ash.local and would map to the same IP address as the DNS entry that is already created for this server, namely, pyramid.ash.local.

Configuring RD Session Host Server Role Service for Redirection Manually

You don’t have to let the wizard automatically configure the RD Session Host server appropriately for its redirection duties. If you don’t, however, you will need to do this manually on the server. Here’s how.

1. Add the RD Session Host server name to the Session Broker Computers group on
the RD Connection Broker server.

2. On the RD Session Host server, open the RD Session Host Configuration tool, and
in the middle pane, double-click Member Of Farm In RD Connection Broker.

3. On the RD Connection Broker tab, click Change Settings.

4. In the Remote Desktop Virtualization section, select the Virtual Machine Redi-
rection option.

5. At the bottom of the RD Connection Broker Settings screen, enter the name of
the RD Connection Broker server and click OK.

You will see a warning dialog box that tells you the changes that will be made to the
RD Session Host if you put it in redirection mode. In short, those changes mean that
people will not be able to use the RD Session Host to run RemoteApp programs or
full desktops. Click Yes and then click OK on the Properties dialog box that appears.

When you're finished, click Next to indicate the RD Web Access server that will enable discovery, as shown in Figure 4-18.

FIGURE 4-18  Provide the name of the RD Web Access server.

Specify the RD Web Access server that will provide access to pooled and personal VMs to users. In this example, the RD Web Access server and the RD Connection Broker are the same server, but they do not have to be. When you've chosen the server, click Next to review the changes, as in Figure 4-19.

FIGURE 4-19  Review and confirm your selections and then apply them.

When you're sure that you have set up the RD Connection Broker server correctly, click Apply to finish and view a summary of the settings (shown in Figure 4-20).

FIGURE 4-20  Complete the wizard to view the summary.

Notice that no personal VMs are yet assigned—hence the yellow warning symbol. This isn't necessary to configure a VM pool, though.
These settings can be adjusted at any time. To access the configuration pages, in Remote Desktop Connection Manager, select RD Virtualization Host and then right-click and choose Properties to view or edit the settings on the Redirection Settings tab. These settings should be familiar to you because you configured them using the wizard previously.

NOTE  Because we haven’t yet discussed the roles of the RD Gateway or digital signature,
we won’t discuss those tabs of the Properties dialog box until Chapter 10 and Chapter 8,
respectively.

If you use a text editor to open a pooled or personal VM RDP file that RD Web Access created (for example, one that was provided in RemoteApp and Desktop Connections on clients running Windows 7), you'll notice something a bit odd: the primary full address setting value will be that of the alternate server name, and the alternate full address setting will have the primary server name as its value, like this:

alternate full address:s:pyramid.ash.local
full address:s:pyramid-vmredir

This is more of a curiosity than anything else; don't edit the RDP file to reverse the settings, and do not change the settings in the Remote Desktop Connection Manager to reflect the settings in the RDP file.

Setting Up VMs
VDI is built for delivering client operating systems, and the in-box solution supports Windows XP SP3, Windows Vista SP1, and Windows 7. To prepare a VM to be used as a pooled or personal VM, you need to make a few adjustments to the operating system. On each VM, you must do the following:
1. Enable Remote Desktop.
2. Add the people who will be using the VM to the Remote Desktop Users group.
3. Enable RemoteRPC on the VM.
4. Give the RD Virtualization Host server the required permissions to orchestrate the VM.
5. Create firewall exceptions for Remote Desktop Protocol and Remote Service Management.
6. Reboot to restart the Terminal Services service and use the new permissions (required for Windows XP VMs only).
We will go through each of these steps in detail, but if this looks like a lot of work to do on every VM, you'll be glad to know that you don't have to. Microsoft has provided a script to do this prep work. Download the script from http://gallery.technet.microsoft.com/ScriptCenter/en-us/68462b23-0890-4dbd-95b6-8de5763e4f68. The script works on VMs running Windows 7, Windows Vista, and Windows XP operating systems.
When you run the script, you might see two more command-line boxes appear and then disappear. This is expected; the script calls Netsh.exe to make firewall exceptions, and you are seeing Netsh running in a command prompt.
Both personal and pooled VMs must be in a domain. All members of a pool must be in the same domain, but there are no specific requirements for the AD DS schema. All personal desktops must be in a native-mode domain; you can use the additional functionality in the User Account Properties tab to assign a personal VM if you use Windows Server 2008 R2. (Windows Server 2008 doesn't have the graphical user interface for this, so you will need at least one domain controller running Windows Server 2008 R2 or a computer running Windows 7 with the Remote Server Administration Tools installed to make the assignment.)

Enable Remote Desktop and Add Users to the Remote Desktop Users Group
Remote Desktop is not enabled by default on client operating systems. To permit incoming RDP connections to a client, you must enable them. To do so, go to the Control Panel and open System. Click the Remote Settings link on the left side of the dialog box to open the tabbed dialog box shown in Figure 4-21.

FIGURE 4-21  Enable Remote Desktop.

To enable connections, choose one of the two options. If the computers that you'll be using to connect to this VM are running Windows Vista or later, you can choose the option requiring Network Level Authentication (NLA), which requires that a user provide credentials before establishing a session with the endpoint. If they'll be running other operating systems (for example, earlier versions of Microsoft Windows CE), allow connections from any version of Remote Desktop.

NOTE  Chapter 8 discusses how NLA works.

Before any users can log on to a computer running Windows via RDP—server or client—their user account must be added to the Remote Desktop Users group on the client. (Administrators are built into this group, which is why this step is not required for remote administration.) To select users to be added to this group, click Select Users (or Select Remote Users in Windows XP), as shown in Figure 4-21, to open the dialog box shown in Figure 4-22 (the domain and user name are deleted in the dialog box shown here).

FIGURE 4-22  Add users to the Remote Desktop Users group.

If you click Add, you'll open the Select Users dialog box. Browse to the desired user group (or individuals, as required) and add them.

Enable RemoteRPC
Remote Procedure Calls (RPCs) allow other processes to connect with the operating system. They're required to allow the VM Host Agent to wake up the VM. To allow RPC connectivity, set the value of AllowRemoteRPC to 1 in the location HKLM\System\CurrentControlSet\Control\Terminal Server, as shown in Figure 4-23.

FIGURE 4-23  Enable RemoteRPC.

Create Firewall Exceptions for RDP and Remote Service Management

By default, traffic for Remote Desktop and Remote Service Management (which uses named pipes and RPCs) is not allowed to pass through the firewall. To enable this traffic, go to the Control Panel and open the Windows Firewall configuration tool shown in Figure 4-24.

FIGURE 4-24  Enable Remote Desktop through the firewall.

Select the check boxes for both services to enable this traffic through the machine firewall and then click OK.
For Windows XP, you will not see these options in Firewall. Run these commands at a command prompt to accomplish these configuration changes:

netsh firewall set service type=REMOTEDESKTOP mode=ENABLE profile=ALL
netsh firewall set service remoteadmin enable subnet

Configure RD Virtualization Host RDP Permissions

During this step, you're giving the RD Virtualization Host machine account appropriate RDP permissions on the VM. As you might have noticed while exploring RDP-TCP Properties on an RD Session Host server, the Security tab has an Advanced button. Click it to view the Advanced Security Settings, and you can click Edit to display the Permissions Entry dialog box with the permission settings shown in Table 4-1.

TABLE 4-1  Available and Required Permissions for the RD Virtualization Host Server to Manage VMs

SETTING             DESCRIPTION                                       PROGRAMMATIC VALUE   REQUIRED BY RDVH FOR VM MANAGEMENT
Query Information   Query sessions and servers for information        0                    Yes
Set Information     Configure connection properties                   1                    Yes (used to set query, logoff, and disconnect permissions)
Remote Control      View or actively control another user's session   4                    No
Logon               Log on to a session on the server                 5                    No
Logoff              Log off a user from a session                     2                    Yes
Message             Send a message to another user's sessions         7                    No
Connect             Connect to another session                        8                    No
Disconnect          Disconnect a session                              9                    Yes
Reset               Reset (terminate) a session                       6                    No
Virtual Channels    Use virtual channels                              3                    No

We've included the programmatic values in this table to make it easier to follow what the next commands (and the script that you saw a link to earlier) are doing. Essentially, they allow the RD Virtualization Host server to query the VM status via RDP, log off the connection, and disconnect a session.
To allow the RD Virtualization Host to manage the VM, you'll need to edit these settings on each VM. Because the client operating system does not have the RD Session Host UI, you'll need to execute the following commands at a command prompt (the domain and account name are the book's examples; substitute your own):

wmic /node:localhost RDPERMISSIONS where TerminalName="RDP-Tcp" CALL AddAccount "contoso\rdvh-srv$",1
wmic /node:localhost RDACCOUNT where "(TerminalName='RDP-Tcp' or TerminalName='Console') and AccountName='contoso\\rdvh-srv$'" CALL ModifyPermissions 0,1
wmic /node:localhost RDACCOUNT where "(TerminalName='RDP-Tcp' or TerminalName='Console') and AccountName='contoso\\rdvh-srv$'" CALL ModifyPermissions 2,1
wmic /node:localhost RDACCOUNT where "(TerminalName='RDP-Tcp' or TerminalName='Console') and AccountName='contoso\\rdvh-srv$'" CALL ModifyPermissions 9,1
Net stop termservice
Net start termservice

ON THE COMPANION MEDIA  This code is contained in batch files on the
companion media called RDP-Permissions.bat (for Windows Vista and Windows 7)
and RDP-Permissions-XP.bat (for Windows XP). To use these files, edit the variables
DOMAINAME and RDVH-SERVERNAME to reflect your domain name and RD
Virtualization Host server name.

DIRECT FROM THE SOURCE

Giving RD Virtualization Host Access to VMs Running Windows XP
Rajesh Ravindranath
Software Development Engineer II, Remote Desktop Virtualization team

The process of setting up a VM is the same whether or not the VM is running Windows XP SP3 or Windows 7. However, Windows XP does not make the RDPERMISSIONS and RDACCOUNT aliases available to WMIC, the Windows Management Instrumentation (WMI) command-line tool, so you need to call the WMI interfaces slightly differently from the way you do with Windows 7. To give the RD Virtualization Host server the right permissions on a Windows XP VM, run the following commands at a command prompt.

WMIC.exe /node:localhost /namespace:\\root\cimv2 PATH Win32_TSPermissionsSetting where TerminalName="RDP-Tcp" CALL AddAccount "contoso\rdvh-srv$",1
WMIC.exe /node:localhost /namespace:\\root\cimv2 PATH Win32_TSAccount where "(TerminalName='RDP-Tcp' or TerminalName='Console') and AccountName='contoso\\rdvh-srv$'" CALL ModifyPermissions 0,1
WMIC.exe /node:localhost /namespace:\\root\cimv2 PATH Win32_TSAccount where "(TerminalName='RDP-Tcp' or TerminalName='Console') and AccountName='contoso\\rdvh-srv$'" CALL ModifyPermissions 2,1
WMIC.exe /node:localhost /namespace:\\root\cimv2 PATH Win32_TSAccount where "(TerminalName='RDP-Tcp' or TerminalName='Console') and AccountName='contoso\\rdvh-srv$'" CALL ModifyPermissions 9,1
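The following PowerShell is an added example, not the book's text or Microsoft's script: it performs the VM preparation steps described in this section on a Windows Vista or Windows 7 VM, grants the RD Virtualization Host account the RDP-Tcp permissions the book's wmic commands grant (values 0, 2 and 9 from Table 4-1), and then reads the permissions back so you can confirm the machine account holds what it needs and review anything beyond that. It calls the same Win32_TSPermissionsSetting and Win32_TSAccount classes the commands above use, so the WMIC aliases are not needed; CONTOSO, rdvh-srv$ and kristin are placeholders, and the bit layout of PermissionsAllowed is an assumption noted in the code.

```powershell
# Added example (not the book's or Microsoft's script). Run elevated on the VM; PowerShell 2.0 is enough.
# Placeholders: CONTOSO (domain), rdvh-srv$ (RDVH machine account), kristin (VM user).
# Windows XP VMs need the netsh firewall syntax shown earlier in the text instead of advfirewall.

# Programmatic values of the RDP-Tcp permissions, as listed in Table 4-1.
$RdpPermission = @{
    'Query Information' = 0; 'Set Information' = 1; 'Logoff' = 2; 'Virtual Channels' = 3; 'Remote Control' = 4
    'Logon' = 5; 'Reset' = 6; 'Message' = 7; 'Connect' = 8; 'Disconnect' = 9
}
# The permissions the book's wmic commands explicitly grant to the RDVH machine account.
$RdvhRequired = @('Query Information', 'Logoff', 'Disconnect')

function Enable-VdiRemoteDesktop {
    param(
        [Parameter(Mandatory = $true)][string[]]$Users,   # accounts that will use this VM
        [switch]$RequireNla                                # only if every client runs Windows Vista or later
    )
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # Step 1: enable Remote Desktop (this is the value the Remote Settings dialog toggles).
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord
    if ($RequireNla) {
        # Network Level Authentication: credentials are checked before a session is established.
        Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord
    }
    # Step 3: let the VM Host Agent wake the VM over RPC (the AllowRemoteRPC value from Figure 4-23).
    Set-ItemProperty -Path $ts -Name AllowRemoteRPC -Value 1 -Type DWord
    # Step 2: add the VM's users to the Remote Desktop Users group.
    foreach ($u in $Users) { & net localgroup 'Remote Desktop Users' $u /add | Out-Null }
    # Step 5: firewall exceptions for Remote Desktop and Remote Service Management.
    & netsh advfirewall firewall set rule group="remote desktop" new enable=yes | Out-Null
    & netsh advfirewall firewall set rule group="remote service management" new enable=yes | Out-Null
}

function Grant-RdvhRdpPermissions {
    param([Parameter(Mandatory = $true)][string]$RdvhAccount)   # e.g. 'CONTOSO\rdvh-srv$'
    $wqlName = $RdvhAccount -replace '\\', '\\'   # WQL string literals need each backslash doubled
    $existing = Get-WmiObject -Namespace root\cimv2 -Class Win32_TSAccount `
        -Filter "TerminalName='RDP-Tcp' AND AccountName='$wqlName'"
    if (-not $existing) {
        # Step 4a: add the machine account to RDP-Tcp with the "User" preset (1), as the book's AddAccount call does.
        $setting = Get-WmiObject -Namespace root\cimv2 -Class Win32_TSPermissionsSetting -Filter "TerminalName='RDP-Tcp'"
        $result = $setting.AddAccount($RdvhAccount, 1)
        if ($result.ReturnValue -ne 0) { throw "AddAccount failed with code $($result.ReturnValue)" }
    }
    # Step 4b: explicitly allow Query Information, Logoff and Disconnect (values 0, 2 and 9).
    $accounts = Get-WmiObject -Namespace root\cimv2 -Class Win32_TSAccount `
        -Filter "(TerminalName='RDP-Tcp' OR TerminalName='Console') AND AccountName='$wqlName'"
    foreach ($acct in $accounts) {
        foreach ($name in $RdvhRequired) {
            $result = $acct.ModifyPermissions($RdpPermission[$name], $true)
            if ($result.ReturnValue -ne 0) { throw "ModifyPermissions for '$name' failed with code $($result.ReturnValue)" }
        }
    }
    # Step 6: Terminal Services must be restarted before the new permissions take effect.
    Restart-Service -Name TermService -Force
}

function Test-RdvhRdpPermissions {
    param([Parameter(Mandatory = $true)][string]$RdvhAccount)
    $wqlName = $RdvhAccount -replace '\\', '\\'
    $acct = Get-WmiObject -Namespace root\cimv2 -Class Win32_TSAccount `
        -Filter "TerminalName='RDP-Tcp' AND AccountName='$wqlName'" | Select-Object -First 1
    if (-not $acct) { return @{ Present = $false; Missing = $RdvhRequired; Extra = @() } }
    # Assumption: PermissionsAllowed is a bitmask in which bit N is programmatic value N from Table 4-1.
    $allowed = [uint32]$acct.PermissionsAllowed
    $granted = @($RdpPermission.Keys | Where-Object { ($allowed -band [uint32][math]::Pow(2, $RdpPermission[$_])) -ne 0 })
    return @{
        Present = $true
        Missing = @($RdvhRequired | Where-Object { $granted -notcontains $_ })
        # Anything beyond the required set (the "User" preset grants more than these three) is worth
        # reviewing against least privilege for a machine account whose only job is to orchestrate the VM.
        Extra   = @($granted | Where-Object { $RdvhRequired -notcontains $_ })
    }
}

# Sample run with the placeholder names:
# Enable-VdiRemoteDesktop -Users 'CONTOSO\kristin' -RequireNla
# Grant-RdvhRdpPermissions -RdvhAccount 'CONTOSO\rdvh-srv$'
# Test-RdvhRdpPermissions  -RdvhAccount 'CONTOSO\rdvh-srv$'
```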

Enabling Rollback (Pooled VMs Only)

To keep pooled VMs in a pristine state, you'll need to enable rollback on them to discard any changes made while a user was logged on. Essentially, you'll create a snapshot for each VM and rename it RDV_Rollback. When the VM Host Agent puts the machine into a saved state, it will restore the snapshot.

To enable rollback on a VM, perform the following steps:
1. Log on to the RD Virtualization Host server using an Administrator account.
2. In Administrative Tools, open Hyper-V Manager.
3. Under Virtual Machines, right-click a running VM and then click Snapshot. Wait while the system creates the snapshot.
4. When the snapshot is complete, rename it to RDV_Rollback.
Rollback occurs when the user logs off the VM. The VM is saved and then immediately reverted and returned to its state at the time of the snapshot. Make sure that the VM is in the state you want it to be in when you're rolling back before making the snapshot.

Creating Pools
There's really no relationship between a VM pool and the server on which it's located; the pool boundaries are not driven by the hosts' capacity. A VM pool can be on a single server, or it can be spread across multiple servers. An RD Virtualization Host server can have one pool's VMs on it or more than one. Because a pool does not have to be located on a single server, you can add capacity just by adding new servers and adding the VMs from those servers to the pool.
To create a VM pool, go to Administrative Tools/Remote Desktop Services/Remote Desktop Connection Manager on the RD Connection Broker. From the left pane, right-click RD Virtualization Host Servers and choose Create A Virtual Desktop Pool to start the wizard, as shown in Figure 4-25.

FIGURE 4-25  Review settings for the pool before beginning.

The advice that the wizard gives here is important. First, the VMs in a pool should all be identical, or else the user's experience will change depending on which VM he or she connects to. This pertains to operating systems too. Windows 7 VMs should be in one farm, and

any Windows XP VMs should be in another. In addition, make sure that the RD Connection Broker is already aware of the RD Virtualization Host where you've set up the VMs to populate the pool. When you're sure of both of these items, click Next to select VMs to add to the pool.

FIGURE 4-26  Choose VMs to populate the pool.

Choose the VMs by highlighting them (to select more than one, hold down the Ctrl key and click each VM that you want to add), as shown in Figure 4-26. Notice that it is much simpler to choose the right VMs if you are very explicit about the VM configuration (defining the operating system, whether it's 32-bit or 64-bit, and so forth). All VMs on the RD Virtualization Host will be displayed here, whether they are running client or server operating systems. The VMs selected in this example will back a pool of Windows XP SP3 VMs.

NOTE  Microsoft VDI is for supporting client operating systems, but, especially in small
deployments where one piece of hardware supports many roles, it’s possible that an RD
Virtualization Host server could have VMs running a server operating system.

When you've selected all the VMs, click Next to continue to the Set Pool Properties page shown in Figure 4-27.

FIGURE 4-27  Configure the display name for the pool.

Type a display name for the pool (notice that, to make it easier to determine the pool's contents, we named it according to the operating system of the VMs in it). Then enter a Pool ID for the pool. The Pool ID is used by the RDP file to identify the pool. When you are done, click Next to review the settings, as shown in Figure 4-28.

FIGURE 4-28  Review the farm settings for the VM pool.

In this example, the VMs are actually located on two different RD Virtualization Host servers, so both are listed here. Click Finish to close the wizard.

Should You Deploy Pooled or Personal VMs?

Microsoft VDI supports both pooled and personal desktops. Which should you use?

Personal VMs are best if you’re looking to create an experience very like that of a
desktop computer in a company where users have administrative control over the
computer and will customize it.

Pooled VMs are better for a more generic user experience because they really can’t
be customized. They’re similar to sessions in that way, except that they run in a VM
and are therefore fully protected from affecting people using other machines in the
VM pool. Pooled VMs can be cheaper to manage because they are more generic,
too—if one VM starts being a problem, a user can log out and log back in again and
get a new VM when the other is taken offline. In addition, it’s easier to troubleshoot
issues on a pooled VM because it should be identical to other members of the pool.
The more consistent a set of machines is, the easier it is to update them, as well.

You might end up with a mix, but those who need to give their user base more con-
trol will likely deploy personal desktops for at least those users. Bear in mind that it
might be most appropriate to give pooled VM users sessions on an RD Session Host
server, if their applications will run there. Sessions scale much more than pooled
VMs on the same computer, so this option is more economical.

Assigning Personal Desktops

Personal desktops are dedicated to one person. Technically, users could connect and use a VM without RDS, just like a desktop, provided they knew the name of the VM and the user was added to the Remote Desktop Users group on that VM (as part of setting up the VM). Assigning a user a personal desktop in the RD Connection Broker means that the user does not need to know the name of the VM, create an RDP file, or configure an RDC connection to access the VM. All of this is done automatically for the user and is provided as a link in RD Web Access or as a link on the user's Start menu on computers running Windows 7.
After you have prepared a VM to be used as a personal VM (see the section entitled “Setting Up VMs” earlier in this chapter for details on how to do this), you are ready to assign it. To assign a VM, open the Remote Desktop Connection Manager on the RD Connection Broker, expand RD Virtualization Host Servers, right-click Personal Virtual Desktops, and choose Assign Personal Desktops to users, as shown in Figure 4-29. Alternatively, in the Actions pane, click Assign Personal Desktops to assign to each user.

FIGURE 4-29  Assign personal desktops to individual users.

Clicking the link will start the Assign Personal Virtual Desktop Wizard shown in Figure 4-30.

FIGURE 4-30  Open the Assign Personal Virtual Desktop Wizard.

The first page of the wizard offers general guidelines about personal desktops. They can be assigned to only one user at a time, each person can only have one desktop at a time, both user and VM must be domain members, and the name of the VM must match the name in the Hyper-V Manager. (For more specifics about the domain requirements for personal desktops, see the following sidebar.)

DIRECT FROM THE SOURCE

AD DS Schema Requirements for Personal Virtual Desktops

Janani Venkateswaran
Program Manager II, Remote Desktop Virtualization

Microsoft’s VDI solution offers two deployment scenarios: virtual desktop pools
and personal virtual desktops. Virtual desktop pools do not depend on a
specific AD DS schema level; however, personal virtual desktops do need a Windows
Server 2008 or Windows Server 2008 R2 schema.

Following are the AD DS requirements for personal virtual desktops.

■ To deploy personal virtual desktops, your schema for the AD DS forest must
be at least Windows Server 2008. To use the added functionality provided by
the Personal Virtual Desktop tab in the User Account Properties dialog box in
Active Directory Users And Computers, you must run Active Directory Users
And Computers from a computer running Windows Server 2008 R2 or from
a computer running Windows 7 that has Remote Server Administration Tools
(RSAT) installed.
■ You must use a domain functional level of at least Windows 2000 Server
native mode. The functional levels Windows 2000 Server mixed mode and
Windows Server 2003 interim mode are not supported.

Next to the User Name input box, click Select User and choose a user from AD DS to whom you want to assign the VM. When you've done so, the Virtual Machine drop-down menu will become active. From the drop-down menu, select the VM to be assigned to this user. All available VMs on all RD Virtualization Host servers that are added to RD Connection Broker will be listed in the Virtual Machine drop-down menu. When you've chosen the VM, click Next. Confirm the assignment as shown in Figure 4-31 and then click Assign.
Finally, on the Assignment Summary page, either click Finish or select the check box to assign more VMs. Selecting the check box will enable the Continue button, allowing you to assign more VMs to users. Then, when you click Continue, the wizard will restart, and you will go through the same procedure for each VM that you want to assign.
When you are finished assigning VMs to users, clear the Assign Another VM To Another User check box. The Continue button will change to a Finish button. Click Finish, and you are done.

FIGURE 4-31  Confirm the VM assignment.

HOW IT WORKS

Creating an RDP File for a User to Connect to a Personal or Pooled VM

If you’d like to experiment with personal VMs without needing to use discovery, here’s how. Creating an RDP file to give to users to connect to their personal VMs is a matter of adding a few extra settings to a saved RDP file.

Start by opening Remote Desktop Connection (Mstsc.exe). In the Computer Name input box, add the name of the Remote Desktop Session Host server that is put in redirection mode. Enter the user name of the user that will be receiving and using this RDP file. Doing this adds the following lines to the RDP file (the user name in this example is Kristin, and the RD Session Host server in redirection mode is Humpback.ash.local).

username:s:kristin
full address:s:humpback.ash.local

Save the file and then open it in a text editor (like Notepad.exe). Now add the fol-
lowing line (and, of course, save the file once more).

use redirection server name:i:1

If any consumers of this RDP file will be using RDC 6.1 client or earlier, then you also
need to add the alternative name of the RD Session Host server in redirection mode
that is specified on the Redirection Settings tab of the RD Connection Broker Virtual
Desktop Properties dialog box. The example line of code here specifies the server
name humpback-vmredir.

alternate full address:s:humpback-vmredir

Creating an RDP file used to connect to the VM pool is the same process as creating
an RDP file to connect to a personal VM, with one difference. You must specify the
VM Pool ID, so that the redirector knows that the user needs to connect to the VM
pool, instead of a personal VM. To do so, add the following line to the RDC file.

loadbalanceinfo:s:tsv://vmresource.1.VM-POOL-ID-GOES-HERE

The VM Pool ID is located on the General tab of the VM Pool Properties dialog box
in the RD Connection Broker. The 1 in the previous line signifies that a pooled VM is
requested. A 2 indicates a personal VM, but if a personal VM exists for a user, then
the RD Connection Broker will send them there automatically, even without the 2
specified; that’s how load balancing works for VMs. It’s similar to the way that the
broker will always reconnect a user to a disconnected session instead of starting a
VM.
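The following PowerShell is an added example, not from the book: it writes the hand-made RDP file just described, for either a personal or a pooled VM, and parses an RDP file back to show which target the broker will derive from its loadbalanceinfo line (the 1 for a pooled VM, or no line at all for a personal VM). The function names and the user, server and pool names in it are placeholders.

```powershell
# Added example, not from the book. Builds the hand-crafted RDP file described in the sidebar
# and reads one back. kristin, humpback.ash.local, humpback-vmredir and WIN7-POOL are placeholders.

function New-VdiRdpFile {
    param(
        [Parameter(Mandatory = $true)][string]$UserName,
        [Parameter(Mandatory = $true)][string]$RedirectorName,   # RD Session Host in redirection mode
        [string]$RedirectorAlternateName,                        # only for RDC 6.1 and earlier clients
        [string]$PoolId,                                         # omit for a personal VM
        [string]$Path                                            # omit to just return the lines
    )
    # The pool ID becomes part of the loadbalanceinfo token; reject anything that would break it.
    if ($PoolId -and $PoolId -notmatch '^[A-Za-z0-9_.-]+$') { throw "Unsupported characters in pool ID '$PoolId'" }
    $lines = @(
        "username:s:$UserName",
        "full address:s:$RedirectorName",
        "use redirection server name:i:1"   # let the redirector, not the named host, pick the VM
    )
    if ($RedirectorAlternateName) { $lines += "alternate full address:s:$RedirectorAlternateName" }
    if ($PoolId) { $lines += "loadbalanceinfo:s:tsv://vmresource.1.$PoolId" }   # 1 = pooled VM requested
    if ($Path) { $lines | Set-Content -Path $Path -Encoding Unicode }   # same encoding mstsc.exe saves with
    return $lines
}

function Get-VdiRdpTarget {
    param([Parameter(Mandatory = $true)][string[]]$RdpLines)
    $settings = @{}
    foreach ($line in $RdpLines) {
        # Each RDP setting is "name:type:value" (type s, i or b); the value may itself contain
        # colons (tsv://...), so only the first two colons separate the fields.
        if ($line -match '^([^:]+):([sib]):(.*)$') { $settings[$matches[1].Trim()] = $matches[3] }
    }
    $target = @{
        User            = $settings['username']
        Redirector      = $settings['full address']
        AlternateName   = $settings['alternate full address']
        UsesRedirection = ($settings['use redirection server name'] -eq '1')
        Kind            = 'personal'   # no loadbalanceinfo: the broker looks up the user's personal VM
        PoolId          = $null
    }
    if ($settings['loadbalanceinfo'] -match '^tsv://vmresource\.(\d)\.(.+)$') {
        if ($matches[1] -eq '1') { $target.Kind = 'pooled'; $target.PoolId = $matches[2] }
    }
    return $target
}

# Usage with the placeholder names:
$rdp = New-VdiRdpFile -UserName 'kristin' -RedirectorName 'humpback.ash.local' `
    -RedirectorAlternateName 'humpback-vmredir' -PoolId 'WIN7-POOL'
$target = Get-VdiRdpTarget -RdpLines $rdp
"$($target.Kind) VM via $($target.Redirector), pool '$($target.PoolId)'"   # pooled VM via humpback.ash.local, pool 'WIN7-POOL'
```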

Configuring Personal and Pooled VM Properties

For both pooled and personal VMs, you can control the following RDP settings for all personal VMs and on a per-pool basis:
■ Display name and pool ID (pools only)
■ Whether to show the personal or pooled VM in RD Web Access
■ Automatically saving VMs after a given time period
■ Device and resource redirection
■ Display settings
■ Custom RDP settings (like audio settings)
To configure RDP settings for all personal VMs, in Remote Desktop Connection Manager, expand RD Virtualization Host Servers, right-click Personal Virtual Desktops, and choose Properties. Doing so will bring up the Personal Virtual Desktops Properties tabbed dialog box, as shown in Figure 4-32.

FIGURE 4-32  Configure personal VM RDP settings via the Personal Virtual Desktops Properties tabbed dialog box.

On the General tab, enable users to see their personal virtual desktop (should they be assigned one) in RD Web Access and in their Start menu by selecting the check box next to the option Show In RemoteApp And Desktop Connection.

NOTE  You can also toggle showing and hiding personal VMs in RADC and RD Web Access by right-clicking Personal Virtual Desktops and then choosing the setting from the shortcut menu.

To save power on your RD Virtualization Host servers, set your personal VMs to go into a saved state when a certain amount of time has passed after a user logs off or is disconnected. Machines are saved in the state they are in at that time, and they are restored to this state when needed again. To set this option, select the Automatically Save Virtual Machines check box and then choose a time in minutes (with a minimum of 5) to wait before the VM is put into a saved state.
Next, select the Common RDP Settings tab. Here you can control device and resource redirection by selecting the check boxes next to the resources you want the user to have access to in the remote session. By default, all redirection is allowed. You can also control the following display settings:
■ Allow Font Smoothing  Font smoothing is allowed by default. To disable it, clear the check box next to Allow Font Smoothing.

■ Multiple Monitor Use  By default, the session will use all client monitors when connecting to the personal VM remote session. To use only one monitor, clear the check box next to Use All Client Monitors When Connecting To A Remote Desktop.
■ Color Depth  By default, this is set to high quality (32 bit). Change the session color depth by opening the corresponding drop-down menu and choosing 15, 16, or 24 bit.
To specify custom RDP settings (settings that are configurable in an RDP file but not set on the preceding two tabs), click the Custom RDP Settings tab. Here you can input RDP settings including audio redirection settings, custom desktop height and width, and whether Windows key combinations are applied to the local or remote computer.

NOTE  For details on RDP settings you can customize, see http://technet.microsoft.com
/en-us/library/ff393699(WS.10).aspx. The link is also available on the companion media.
For a full list of RDP settings, see Appendix A.

Custom settings you input cannot overwrite settings already configured in Remote Desktop Configuration Manager. If a setting is invalid or tries to overwrite a setting that is already configured, you will get an error and you will need to remove the custom setting.
To configure RDP settings on a per-VM-pool basis, right-click the VM pool you want to configure and choose Properties. The pool’s Properties dialog box will appear. These settings are identical to the settings available to personal VMs, except that on the General tab you can also edit the pool display name (the name that appears in RD Web Access and RADC) as well as the Pool ID (the ID that RD Connection Broker uses to identify the pool). Change these settings by editing the text in the corresponding text boxes. When you are done editing RDP settings for pools or personal VMs, click OK to save the changes.
Personal and pooled VM RDP settings are also configurable via PowerShell. To get to these settings, import the RDS module:

Import-Module RemoteDesktopServices

Navigate to the personal or pooled VMs section:

cd connectionbroker\virtualdesktops\pools\

Then navigate further to Personal Virtual Desktops or to a named pool and edit settings using the Set-Item command.

Using RemoteApp for Hyper-V for Application Compatibility
Thus far in this chapter, you’ve learned about VMs in the context of desktop replacement. They also have an additional use: application compatibility. Using VMs, you can upgrade the client operating system on the desktop to Windows 7 while continuing to run applications that require Windows XP. One obvious example of this would be a web application requiring Microsoft Internet Explorer 6. That version of Internet Explorer doesn’t come with Windows 7, and you can’t virtualize it using App-V. Windows Server 2003 Terminal Services doesn’t support RemoteApp programs, either. Without this feature, you’d have one option: set up a Windows Server 2003 terminal server and run the application from there on a full desktop.
RemoteApp for Hyper-V makes this unnecessary. This feature enables a client running Windows XP SP3 (or Windows Vista, or Windows 7) to serve RemoteApp programs to a computer running Windows 7 (or technically, to any computer running the RDC 7 client). The endpoint can still support only a single connection—that’s how an RDP connection to a client operating system works—but this feature can enable you to use Windows 7 on the desktop while exporting older applications to the newer platform.
One connection doesn’t mean one RemoteApp. If a VM is providing more than one RemoteApp program, then a user can run as many as required; all will run on the same VM, in the same session.

NOTE  This feature also allows Windows 7 and Windows Vista to serve RemoteApp
programs. However, most applications that run on either of those platforms will run on
Windows Server 2008 or Windows Server 2008 R2. Rather than using RemoteApp for
Hyper-V, it might be more cost-effective to run RemoteApp programs that don’t require
Windows XP from a terminal server/RD Session Host. This is because a client operating
system can support only a single active remote connection.

When you run a RemoteApp from a guest operating system, it will retain the look and feel of the operating system that it’s running on. That is, if the endpoint is running Windows XP, the RemoteApp will have the Windows XP title bar and controls.
If you’ve heard of a feature called XP Mode, you might have noticed that this sounds extremely similar. For those who haven’t, when running a computer in XP Mode, you use Microsoft Virtual PC to run a guest VM of Windows XP on the local computer and run applications from there. This works well in many cases. RemoteApp for Hyper-V differs from XP Mode in being appropriate in the following cases:
■ When the client can’t run Virtual XP or can’t support two operating systems running at the same time  Netbook computers are one good example of this situation. They can run Windows 7, but you’re not likely to be happy running Windows 7, Virtual PC, and Windows XP at the same time on a low-power computer.
■ When the user needs the application only occasionally, or only for a few minutes at a time  If someone’s using an application for 5 minutes an hour, it’s either a waste of computing resources to keep the Windows XP VM running or a waste of time to keep starting it whenever you need the application.

Configuring RemoteApp on Hyper-V
To use RemoteApp on Hyper-V, you must configure both the client and the endpoint, as follows:
■ The VM must be running Windows XP SP3 (Professional Edition), Windows Vista SP1 (Enterprise or Ultimate Edition), or Windows 7 (Enterprise or Ultimate Edition).
■ The VM must have the update to enable RemoteApp delivery (Windows XP and Windows Vista only) and you must edit the registry to allow the RemoteApp program to start.
■ The client must have the RDC 7 client installed and an RDP file configured to connect to a RemoteApp.
■ Set Group Policy to disconnect sessions on the endpoint after a certain amount of time.
Let’s start with the endpoint.

Configuring the VM
To configure the VM, first install the update that enables this feature. Again, this is not required for Windows 7, but it is required for Windows Vista SP1 and Windows XP SP3. The update is available only for 32-bit operating systems.
To install the hotfix for Windows XP, navigate to http://www.microsoft.com/downloads/details.aspx?FamilyID=2f376f53-83cf-4e5b-9515-2cb70662a81b&displaylang=en and choose to download the hotfix.
When it’s downloaded and you run it on Windows XP, you’ll be prompted to install KB961742-v3.exe. Click Run to unpack the installation and begin. The steps are simple:
1. Review the opening page and note that you might need to restart the computer after installing the hotfix.
2. Agree to the license terms.
3. Let Setup check the current configuration.
4. When prompted, click Finish to end the installation and prompt the reboot.

IMPORTANT  The hotfix for Windows Vista is located at http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=097b7478-3150-4d0d-a85a-6451f32c459c. When you have installed the update, install the application that you want to publish as you would normally.

When the application is installed, you’ll need to permit people to initiate a connection to the VM by starting that application. To use the Microsoft terminology, you’re adding it to the allow list. To do so, you’ll be editing the registry.
On the VM, enable RemoteApp for Hyper-V by changing the following value from 0 to 1:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\TsAppAllowList\
fDisabledAllowList = 1

Readying the Client
The client must have RDP 7 installed. RDP 7 is preinstalled on Windows 7; you can download it to install on 32-bit Windows XP or Windows Vista as well (see the section entitled “Additional Resources” later in this chapter for the location of the download).

Editing the RDP File
When the hotfix is installed and the VM rebooted, you’re ready to configure an RDP file to access a RemoteApp program. Open an RDC on the client PC and configure the RDC as if you were going to access the full desktop of the VM. Save this file, naming it something like the name of the application that it will ultimately open (such as Remote Notepad).
Right-click the RDC file and open it with a text editor like Notepad. Edit the following two lines to match the following:

remoteapplicationmode:i:1
alternate shell:s:rdpinit.exe

Then add the following lines (edit them to suit your needs):

RemoteApplicationName:s:FRIENDLY NAME FOR APP GOES HERE (example: Remote Notepad)
RemoteApplicationProgram:s:PATH TO APP GOES HERE (example: %windir%/system32/notepad.exe)
DisableRemoteAppCapsCheck:i:1
Prompt for Credentials on Client:i:1

Those settings will work if you have just one machine. But most likely you will have multiple computers providing these RemoteApp programs, configured as a VM pool. If so, then the RDP file needs adjusting to connect to the pool. The computer name that you enter will need to be the name of the RD Session Host server redirector, and you need to add this line to the RDP file:

loadbalanceinfo:s:tsv://vmresource.1.POOL-ID-GOES-HERE

After you’ve configured the RDP file appropriately, then anyone attempting to use the RemoteApp VM pool will be routed to the most appropriate endpoint for their session, just as they would for a full desktop. If a user attempts to start a second RemoteApp program that is provided by VMs in the pool, then the RD Connection Broker will route their connection request to the VM where they’re already running a RemoteApp. This is because the first step of brokering is to see if the person attempting to connect already has a session running.
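The RDP file edits described above, applied and checked programmatically, as an added example that is not code from the book: the saved file contents, the host names (xpvm01.contoso.example, rdsh-redir.contoso.example) and the Pool ID XPAPPS are constructed for illustration.

```python
"""Added example (not code from the book): apply the RDP edits described
above to a saved full-desktop .rdp file, for a single VM or for a VM pool,
and check the result before handing it to users."""

# Constructed sample: a trimmed version of what Remote Desktop Connection
# saves for a full-desktop connection to the VM. The host name is made up.
SAVED_FULL_DESKTOP_RDP = """\
full address:s:xpvm01.contoso.example
screen mode id:i:2
remoteapplicationmode:i:0
alternate shell:s:
authentication level:i:2
"""

POOL_PREFIX = "tsv://vmresource.1."  # loadbalanceinfo prefix for a VM pool


def parse_rdp(text):
    """Parse 'key:type:value' lines into {lowercase key: 'type:value'}.
    The type flag (i or s) stays with the value so the file round-trips."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue  # blank or malformed line
        key, kind, value = parts
        settings[key.lower()] = f"{kind}:{value}"
    return settings


def render_rdp(settings):
    return "".join(f"{key}:{value}\n" for key, value in settings.items())


def make_remoteapp_rdp(text, app_name, app_path, pool_id=None, redirector=None):
    """Rewrite a full-desktop .rdp file as a RemoteApp for Hyper-V file.
    For a pool, pass the Pool ID and the RD Session Host redirector name."""
    s = parse_rdp(text)
    s["remoteapplicationmode"] = "i:1"
    s["alternate shell"] = "s:rdpinit.exe"
    s["remoteapplicationname"] = f"s:{app_name}"
    s["remoteapplicationprogram"] = f"s:{app_path}"
    s["disableremoteappcapscheck"] = "i:1"
    s["prompt for credentials on client"] = "i:1"
    if pool_id is not None:
        # The connection goes to the redirector; loadbalanceinfo tells
        # RD Connection Broker which pool to place the user in.
        s["full address"] = f"s:{redirector}"
        s["loadbalanceinfo"] = f"s:{POOL_PREFIX}{pool_id}"
    return render_rdp(s)


def check_remoteapp_rdp(text):
    """Problems a practitioner would look for before distributing the file;
    an empty list means the file matches the recipe in the text."""
    s = parse_rdp(text)
    problems = []
    if s.get("remoteapplicationmode") != "i:1":
        problems.append("remoteapplicationmode must be i:1")
    if s.get("alternate shell") != "s:rdpinit.exe":
        problems.append("alternate shell must be rdpinit.exe")
    for key in ("remoteapplicationname", "remoteapplicationprogram"):
        if len(s.get(key, "s:")) <= 2:
            problems.append(f"{key} is missing or empty")
    lb = s.get("loadbalanceinfo")
    if lb is not None and not lb.startswith("s:" + POOL_PREFIX):
        problems.append("loadbalanceinfo must start with " + POOL_PREFIX)
    return problems


if __name__ == "__main__":
    pooled = make_remoteapp_rdp(SAVED_FULL_DESKTOP_RDP, "Remote Notepad",
                                r"%windir%\system32\notepad.exe",
                                pool_id="XPAPPS",
                                redirector="rdsh-redir.contoso.example")
    print(pooled)
    print("problems:", check_remoteapp_rdp(pooled))
```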

Configuring a Time Limit for Disconnected Sessions on the Endpoint
When a user starts a RemoteApp program on a VM running RemoteApp for Hyper-V and then closes the application, their session on that VM remains active, even if the VM is put into a saved state. When the VM is restored, the last user who had started the RemoteApp will still be logged on to that machine. In addition, because clients can have only one session going at a time, this computer is now effectively usable only by that user. That is, no other users will be able to start a RemoteApp on this machine.
Fortunately, you can set a time limit for disconnected sessions on the endpoint via a Group Policy object (GPO). Here’s how:
1. Create an organizational unit (OU) for your endpoint(s) in Group Policy Manager, add the endpoint computers to this OU, and then create a GPO and enable this setting:

Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Session Time Limits | set the time for disconnected sessions

2. When you have enabled the setting, choose a time period after which a disconnected session will be ended.
3. Apply the GPO to the endpoint OU that you just created and reboot the endpoints (because computer policies are applied at startup).

Can You Use RemoteApp for Hyper-V Without RDS?
It is technically possible to use the RemoteApp feature on any client, whether it’s a VM on Hyper-V (or any hypervisor, really) without RD Virtualization Host, a blade, or a physical desktop. We do recommend using this feature as part of RDS, however. Combining this feature with a connection broker is likely to lead to the most efficient use of resources with the simplest management.
As a reminder, each VM can sustain only a single connection at a time, even though it’s publishing RemoteApp programs like an RD Session Host server. Without a broker in the mix, one or two people connecting can effectively monopolize the farm if they connect to a different VM each time.
If you dedicated a RemoteApp for each person’s exclusive use and saved the VM’s name in the RDP file for each RemoteApp, you could pull this off. However, this isn’t a very efficient way of allocating resources. The VMs won’t be available for anyone else’s use, and if you’re not using RD Virtualization Host and the RD Connection Broker, you’ll need to make sure that they’re turned on and ready for their owners to use. It’s more effective to arrange the VMs for RemoteApp on Hyper-V in a dedicated pool. Just modify the pooled RDP file as described in this section to support publishing RemoteApp programs from a VM.

Troubleshooting: Why Did a Pooled VM Connection Fail?

A user clicked an icon to connect to a pooled VM, and the connection didn’t work. Why not? Here are two things that can go wrong during the connection, aside from the standard “you didn’t configure this properly” errors reported at http://technet.microsoft.com/en-us/library/ee891400(WS.10).aspx.

Waking the VM . . .
This is about the elusive “Waking the VM…” message and eventual timeout. There are a few reasons for this, all of which have to do with not having the client configured correctly. You will receive this error for the following reasons.

■ The VM has not been prepared properly. You will experience this situation when any of the preparation was not done, including the exceptions in the firewall, the registry entry adjustments, or the WMIC commands.
■ The VM was prepared properly, but the Rollback snapshot was taken before the preparation was finished, and as a result, the VM can’t accept connections.

Unable to Verify Settings . . .
Another scenario that produces obscure errors in the Event Log is one in which the RD Connection Broker has issues connecting the client to the requested VM. The user tries to initiate a connection to a pooled or personal VM, but he or she receives an error message saying that the connection could not be established because the Connection Broker was unable to verify the settings in the RDP file. On the Connection Broker, the following two errors are logged in the TerminalServices-SessionBroker-Client event log.

Event ID 1296:
Remote Desktop Connection Broker Client failed while getting redirection packet from Connection Broker.
User : ASH/kristin
HRESULT = 0x80070490

followed by

Event ID 1306:
Remote Desktop Connection Broker Client failed to redirect the user ASH/kristin.
HRESULT = 0x80070490

Remedy this situation by re-running the Configure Virtual Desktops Wizard on the RD Connection Broker server. You do not need to change any of the settings (unless they are wrong, of course). Just re-run the wizard with the same settings as you had before, and the RD Connection Broker will resume working properly.
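Detection logic for the “unable to verify settings” pattern above, run over a constructed event dump, as an added example that is not code from the book: it pairs Event ID 1296 and 1306 for the same user when both carry HRESULT 0x80070490, which is HRESULT_FROM_WIN32(ERROR_NOT_FOUND); the sample events and the second user (ASH/bob, with a different HRESULT) are made up for illustration.

```python
"""Added example (not code from the book): flag users for whom the
RD Connection Broker client logged the 1296/1306 pair with 0x80070490,
the signature of the 'unable to verify settings' failure described above."""
import re
from collections import defaultdict

# HRESULT_FROM_WIN32(ERROR_NOT_FOUND): Win32 error 1168 wrapped as an HRESULT.
ERROR_NOT_FOUND_HRESULT = 0x80070490

# Constructed sample dump in the same shape as the two events quoted above,
# plus one unrelated 1296 event with a different HRESULT for a second user.
SAMPLE_EVENT_DUMP = """\
Event ID 1296:
Remote Desktop Connection Broker Client failed while getting redirection packet from Connection Broker.
User : ASH/kristin
HRESULT = 0x80070490

Event ID 1306:
Remote Desktop Connection Broker Client failed to redirect the user ASH/kristin.
HRESULT = 0x80070490

Event ID 1296:
Remote Desktop Connection Broker Client failed while getting redirection packet from Connection Broker.
User : ASH/bob
HRESULT = 0x80070005
"""

ID_RE = re.compile(r"Event ID:?\s*(\d+)")
# 1296 names the user as 'User : DOMAIN/name'; 1306 says 'the user DOMAIN/name.'
USER_RE = re.compile(r"(?:User\s*:\s*|failed to redirect the user\s+)([^\s.]+)")
HRESULT_RE = re.compile(r"HRESULT\s*=\s*(0x[0-9A-Fa-f]+)")


def parse_events(text):
    """Turn a blank-line-separated event dump into dicts of id/user/hresult.
    Blocks that are not broker-client events with all three fields are skipped."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event_id = ID_RE.search(block)
        user = USER_RE.search(block)
        hresult = HRESULT_RE.search(block)
        if not (event_id and user and hresult):
            continue
        events.append({
            "id": int(event_id.group(1)),
            "user": user.group(1),
            "hresult": int(hresult.group(1), 16),
        })
    return events


def users_with_unverifiable_settings(events):
    """Users who hit both 1296 and 1306 with ERROR_NOT_FOUND: the case the
    text says is cured by re-running the Configure Virtual Desktops Wizard."""
    ids_by_user = defaultdict(set)
    for event in events:
        if event["hresult"] == ERROR_NOT_FOUND_HRESULT:
            ids_by_user[event["user"]].add(event["id"])
    return sorted(user for user, ids in ids_by_user.items() if {1296, 1306} <= ids)


if __name__ == "__main__":
    print(users_with_unverifiable_settings(parse_events(SAMPLE_EVENT_DUMP)))
```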

Summary
Adding VM support to RDS increases the number of scenarios that RDS can support. Although sessions still allow you to get more people per server, VMs have their own advantages. Personal desktops enable complete desktop replacement, moving the personal computers into the data center and providing more central management. Pooled VMs allow a set of people to share a more isolated environment than a session can provide. RemoteApp for Hyper-V allows you to serve applications from a client running Windows XP to a Windows 7 desktop, even if the client running Windows 7 can’t run a local hypervisor.
After reading this chapter, you should know the following:
■ When to use VMs instead of sessions
■ When to use personal and pooled VMs
■ How to set up VM pools and personal desktops
■ How discovery, brokering, and orchestration work
■ How to use RemoteApp for Hyper-V to publish applications from a Windows XP VM

Additional Resources
The following resources contain additional information and tools related to this chapter:
■ The hotfixes to enable RemoteApp display on Windows XP SP3 are online at http://www.microsoft.com/downloads/details.aspx?FamilyID=2f376f53-83cf-4e5b-9515-2cb70662a81b&displaylang=en.
■ The hotfix to enable RemoteApp display on Windows Vista SP1 is available from http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=26a2de17-8355-4e8d-8f33-9211e48651fb.
■ Error messages relating to RD Connection Broker are documented at http://technet.microsoft.com/en-us/library/ee891400(WS.10).aspx.
■ For information on customizing the RDP settings used in Personal and Pooled VMs, see Chapter 6, “Customizing the User Experience.”
■ For instructions on installing RD Web Access, and for configuring RD Web Access to provide access to RD Session Host desktops and RemoteApps, see Chapter 9, “Multi-Server Deployments.”
■ For information on using RD Gateway to access pooled and personal VMs, as well as other RDS resources from outside your corporate network, see Chapter 10, “Making Remote Desktop Services Available from the Internet.”

CHAPTER 5

Managing User Data in a Remote Desktop Services Deployment
■ How Profiles Work  226
■ Design Guidelines for User Profiles  242
■ Deploying Roaming Profiles with Remote Desktop Services  248
■ Profile and Folder Redirection Troubleshooting Tips  287

Thus far in this book, you have learned how to set up a single Remote Desktop (RD) Session Host server or a simple Microsoft Virtual Desktop Infrastructure (VDI) deployment. Those deployments aren’t yet production-ready, though. No applications are available, the connections aren’t secured, you haven’t yet defined the devices and experience to redirect, and the profiles and Folder Redirection aren’t yet set up.
Properly configured profiles and Folder Redirection go a long way toward a good user experience for users working via remote connection to the data center. Because profiles weren’t originally designed for remote work environments, this can sometimes be tricky. Remote Desktop Services (RDS) independent software vendor (ISV) partners have developed some products to help make a highly flexible system for complex environments. This chapter, however, shows you how best to configure profiles and Folder Redirection using the tools that come with Windows.
The basic elements of a user workspace are the configuration settings in the user’s profile and the default locations to save data. After reading this chapter, you will understand the following:
■ How roaming, local, and mandatory profiles work
■ Why virtualization can complicate implementing profile strategies
■ Best practices for storing and managing profiles
■ How to use Folder Redirection to unify user default locations between local and remote applications

■ The benefits and drawbacks of using mandatory profiles to maintain a consistent look and feel
■ How to secure the desktop to prevent users from saving files to it and why this is important
■ How to support profiles across servers running both Windows Server 2008 R2 and Windows Server 2003, or Windows 7 and Windows XP virtual machines (VMs)

How Profiles Work
A profile is a collection of settings and documents that define a user’s work environment, sometimes referred to as a user’s “personality.” A user’s profile includes both configuration data and personal data such as documents and pictures. Personal data in the profile can be stored on the desktop or in one of the folders associated with the user account (for example, My Documents). The profile also includes user-specific settings, such as the following:
■ Changes that you make to application layouts, such as adding buttons, changing the layout, and adding a default signature
■ Changes to system settings that are unique to the user experience, such as changing your desktop background, screen saver, and keyboard layout
Machine-wide settings such as firewall settings are not stored in the user profile.
Documents and supporting files that are part of your profile are stored in a unique user profile folder (and subfolders). Local and roaming profile settings are stored as a single file (called NTUSER.DAT), not as a collection of individual settings. NTUSER.DAT is stored in the root of each user’s profile folder. Mandatory profile settings are stored in NTUSER.MAN; this file can be shared among multiple users because it is read-only.

NOTE  Super-mandatory profiles label the folder where they’re stored with the .man suffix, like this: \\servername\sharename\mandatoryprofile.man\. Super-mandatory user profiles are similar to normal mandatory profiles except that users with super-mandatory profiles cannot log on when the server that stores the mandatory profile is unavailable. Users with normal mandatory profiles can log on with the locally cached copy of the mandatory profile. Use super-mandatory profiles only when you want to have absolute control of the user profile—so much so that you can’t take the chance that a cached copy might be out of date.

While a user is logged in, the NTUSER.DAT file is loaded temporarily into HKEY_CURRENT_USER (HKCU) in the registry of the computer that user is logged on to; the documents are stored in the subfolders within the profile folder, as shown in Figure 5-1. You will find out in detail about the parts of a profile—both the registry and the data folders—later in this chapter. But first let’s examine the different types of profiles.

FIGURE 5-1  The user profile contains personal settings and data such as folders and the user-specific registry settings. (Figure labels: Profile Folders with Data; NTUSER.dat Loaded in HKCU.)

Types of Profiles
As alluded to in the previous section, there are three types of profiles: local, roaming, and mandatory. Local profiles are stored on and used from a single computer and store data in NTUSER.DAT. Roaming profiles are stored on and used from a network share, so they’re available to any computer that can access that particular network share. They also store data in NTUSER.DAT. Mandatory profiles are often centrally located like roaming profiles, but whereas local profiles and roaming profiles are read-write, mandatory profiles are read-only. They store their settings in NTUSER.MAN.
Local profiles are usually fast to load because they are stored on the computer the user is using. When a user logs on, the local profile will load from its local location on the hard drive and populate HKCU. When the user logs off, the contents of HKCU (including any changes that the user made) will be written back to the local hard disk and overwrite the previous version of the file.

NOTE  Local profiles aren’t a good fit for most remoting scenarios because they’re stored
on a single computer. Personal desktops and single RD Session Host server deployments are
possible exceptions to this, but pooled VMs and RD Session Host sessions in a farm larger
than one server will quickly find that local profiles lead to an inconsistent user experience.
This is because the user would have a unique local profile on each machine she logs onto.

Roaming profiles afford the most flexibility in a remoting environment because they’re stored in a central location accessible to all VMs and RD Session Host servers. They’re also read-write, so users can adjust their settings. When a user logs onto a session or VM (or a computer, for that matter), the roaming profile will load from its network location and populate HKCU in the registry. When the user logs off, the contents of HKCU (including any changes that the user made) will be written back to the network location and overwrite the previous version of the file.
Mandatory profiles are loaded to HKCU when a user logs on, just like a roaming profile, but they aren’t written back to their storage location at logoff—all changes to the profile are just discarded.

How Profiles Are Created
A user does not start with a user profile. The profile is created the first time that a user logs onto a machine. Mandatory profiles are the exception to this, and even the mandatory profile, which is used by multiple people, has to initially come from somewhere. To fully understand profiles, you need to know how profiles are initially created. This will come in handy later in this chapter, when you learn how to create a mandatory profile and also how to customize a default profile.
All profiles are created from a “default profile.” Each RD Session Host—actually, every computer—has a local default user profile (located at C:\Users\Default in Windows Vista and later) for this purpose. Depending on which type of profile will be used and how you have implemented the profile strategy, the process of making user profiles varies slightly.
If your users will use local profiles (for instance, if you have only one RD Session Host), new user profiles will be created by making a copy of the local default profile located on the computer that the user logs on to. This copy will go into a new folder labeled by the login name of the user.
If your users will use roaming profiles, when a new user logs on to a server for the first time, a new profile is created for him by making a copy of a default user profile. Domain-joined computers will first look for a network default user profile (stored in the netlogon share on a domain controller and replicated to other domain controllers). If it does not find one in the network share, then it will use the local default profile located on the computer to which the user logged on.

User Profile and the Registry
The registry is organized into sections called keys, which align with a particular configuration option. For example, computer-wide settings are stored in HKEY_LOCAL_MACHINE (HKLM), whereas user-specific settings are stored in HKEY_CURRENT_USER (HKCU). As with all versions of Microsoft Windows NT since it was first released, Windows Server 2008 R2 and Windows 7 maintain user-specific settings in HKCU for each user logged on to the computer.
You can see how HKCU works and reflects changes to the user environment by following the process outlined in the following How It Works sidebar, “Observe How Changes to the Environment Are Reflected in the Registry.”

HOW IT WORKS

Observe How Changes to the Environment Are Reflected in the Registry

One easy way to watch how HKCU changes as you customize your environment is to make a change and watch the contents of the registry, as follows.

1. Run Regedit.exe and confirm that you want to run it when prompted.

2. Navigate to HKCU\Control Panel\Colors\ and look at the value of the Window key. If you’re using the default Windows 7 color scheme, the value of this entry should be 255 255 255. (Full saturation of red, blue, and green values show up as white on a monitor. Values of 0 for all three show up as black. If you ever studied color theory, this is a demonstration that black is the absence of color.)

3. Right-click the Desktop and choose Personalize from the context menu to open the Personalization window.

4. Click Window Color And Appearance. In the Appearance Settings dialog box, click Advanced to open the aptly named Advanced Appearance dialog box. From here, select Window from the Item drop-down list. Change Color 1 to light gray and click OK.

5. Click OK in the Appearance Settings dialog box. The screen will adjust for a moment, and then the background color of windows will turn light gray.

6. If you examine the value of HKCU\Control Panel\Colors\Window, you’ll see that it’s now 192 192 192.

In Windows Server 2008 R2 and Windows 7, HKCU contains the subkeys described in Table 5-1. Even if you’re logging on to a Windows Server 2008 R2 RD Session Host server from an earlier operating system such as Windows XP, the profile in the RD Session Host session corresponds to the server platform. These are still the registry keys that apply to the session, not the client computer operating system. There might be additional subkeys in this section; it depends on which applications you have installed. For example, if you install Microsoft Outlook, you’ll see an Identities key.

TABLE 5-1  Subkeys of HKCU in Windows 7 and Windows Server 2008 R2

SUBKEY | DESCRIPTION | MAPS TO
AppEvents | Sounds played on system events | Control Panel\Sounds
Console | Command window settings such as window size, colors, and buffer size | Command Prompt\Properties
Control Panel | User desktop appearance settings, mouse and keyboard settings, power policy, and accessibility | Control Panel
Environment | Environment variable definitions | Control Panel\System\Advanced
EUDC | Customized characters that users install for viewing and printing documents when standard fonts don’t support them. Applies to East Asian font sets | Control Panel\Fonts
Keyboard Layout | Edits the keyboard layout. Useful if your operating system is displaying in one language but you want to use the keyboard layout of another one (for example, displaying in English but arranging the keyboard as though you were in Germany) | Control Panel\Regional and Language Options
Network | Network drive mappings and settings | Control Panel\Networks
Printers | Printer connection settings | Control Panel\Printers
Remote (Remote Access in Windows 7) | Contains settings to be applied to remote sessions (for example, ClearType or wallpaper) for each session. The subkey corresponds to the Session ID |
Session Information | Information about the current session, such as how many applications are open | Not stored—populated during the session
Software | Personal settings for all software installed for that user | Individual applications
System | Contains the current control set for that user (drivers and services to run at startup) | Not stored—populated on startup
Volatile Environment | Environment variables for the current logon session | Not stored—populated for each session

Data is stored in HKCU only for the duration of the session, while data stored in HKLM persists until the reboot. Most pieces of the registry are saved in files called hives and are loaded as necessary. When a hive file is opened, it’s reloaded into the registry. Therefore, HKCU is stored as a hive in a file called NTUSER.DAT that is loaded at user logon. Each user logged on to an RD Session Host server sees his or her own version of HKCU.
How does this data get loaded? When you log on to a computer, the User Profile Service loads the hive file from the location specified in your user account properties and populates HKCU for that session. When you log off the computer, the hive file is written back to its storage location as NTUSER.DAT. If you happen to be logged on to more than one computer at a time, two copies of your profile will be open, populating the contents of HKCU on each computer.

NOTE  Profiles can be cached on the server to speed up logons if you set the corresponding Group Policy. However, even if you enable caching, when a user logs off the RD Session Host server, the corresponding branch of HKCU is cleared. You’ll find out more about caching user profiles in the section entitled “Caching Roaming Profiles” later in this chapter.

In addition to loading HKCU with the contents of your profile, logging on to an RD Session Host server updates two parts of HKLM, the computer-wide section of the registry. HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList (Figure 5-2) contains a list of all profiles cached on the computer. It also lists the profiles used by the System account, Network Service account, and the Local Service account. As you can see, machine accounts have profiles just like user accounts do.
The users are identified by security identifiers (SIDs), but you can distinguish them by browsing the keys. The values show the path to both the local cache (the ProfileImagePath key value shown in Figure 5-2) and to the roaming profile folder share (the CentralProfile key value shown in Figure 5-2), so it’s not hard to map user names to profiles.

FIGURE 5-2  Loading a profile into a remote desktop session updates the ProfileList key for the entire RD Session Host server.
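Mapping the SIDs under ProfileList to accounts and profile paths, as the paragraph above describes, done over a constructed .reg export as an added example that is not code from the book: the domain SIDs, user names (kristin, bob) and server name fs01 are made up; the well-known SIDs S-1-5-18, S-1-5-19 and S-1-5-20 are the real System, Local Service and Network Service accounts.

```python
"""Added example (not code from the book): read the ProfileList key from a
.reg export and map each SID to the account, its local cache
(ProfileImagePath) and its roaming share (CentralProfile)."""
import re

# Well-known SIDs of the built-in accounts that the key also lists.
WELL_KNOWN_SIDS = {
    "S-1-5-18": "System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
}

# Constructed sample export of the key in 'reg export' format; the domain
# SIDs, user names and the file server name are made up for this example.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18]
"ProfileImagePath"="C:\\Windows\\system32\\config\\systemprofile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19]
"ProfileImagePath"="C:\\Windows\\ServiceProfiles\\LocalService"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1111-2222-3333-1105]
"ProfileImagePath"="C:\\Users\\kristin"
"CentralProfile"="\\\\fs01\\Profiles$\\kristin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1111-2222-3333-1106]
"ProfileImagePath"="C:\\Users\\bob"
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_profile_list(reg_text):
    """Return {sid: {value name: value}} for every subkey in the export.
    .reg files double every backslash inside string values; undo that."""
    profiles = {}
    sid = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            sid = m.group(1).rsplit("\\", 1)[-1]  # last path component
            profiles[sid] = {}
            continue
        m = VALUE_RE.match(line)
        if m and sid is not None:
            profiles[sid][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return profiles


def map_profiles(profiles):
    """SID -> (account label, local cache path, roaming share path or None).
    Domain users are labelled by the last component of the local cache path,
    which is how the text suggests telling the SIDs apart by eye."""
    mapping = {}
    for sid, values in profiles.items():
        local = values.get("ProfileImagePath", "")
        label = WELL_KNOWN_SIDS.get(sid) or local.rsplit("\\", 1)[-1]
        mapping[sid] = (label, local, values.get("CentralProfile"))
    return mapping


def roaming_users(profiles):
    """SIDs that carry a CentralProfile value, i.e. use a roaming profile."""
    return sorted(sid for sid, v in profiles.items() if "CentralProfile" in v)


if __name__ == "__main__":
    for sid, entry in map_profiles(parse_profile_list(SAMPLE_REG_EXPORT)).items():
        print(sid, entry)
```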

When you log off an RD Session Host server, the two keys with your SID are locked. They don’t actually go away, but if you attempt to open the key associated with a user who is currently logged off, you’ll get an error message telling you that the system cannot find the file specified. Log on again, and the key with the same SID will be repopulated.

Although loading a profile adds two keys to the registry that never go away, most of the time it doesn’t matter. As discussed in the section entitled “The Consequences of Deleting a Profile Folder from Windows Explorer” later in this chapter, it does matter should you choose to delete a profile. Deleting the file doesn’t delete the registry keys associated with it. Therefore, always use the correct tools to delete profiles; otherwise those users won’t be able to load their profiles properly when they log on again.
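The ProfileList key just described can be audited from PowerShell. The script below is an added example, not code from the book; it assumes PowerShell 2.0 or later and an elevated prompt on the RD Session Host, and flags entries whose cache folder or account no longer exists, which is the state left behind by deleting a profile folder with Windows Explorer instead of the proper tools.

```powershell
# Added example (not from the book): enumerate the ProfileList key that Figure 5-2
# shows and map each SID subkey to an account name, its local cache folder
# (ProfileImagePath) and its roaming share (CentralProfile, absent for local-only
# profiles). Run from an elevated prompt on the RD Session Host.

$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-CachedProfileInventory {
    foreach ($key in Get-ChildItem -Path $ProfileListKey) {
        $sid    = $key.PSChildName
        $values = Get-ItemProperty -Path $key.PSPath

        # Resolve the SID; the System, Local Service and Network Service accounts
        # (S-1-5-18/19/20) resolve like any other. A SID that no longer maps to an
        # account means the user was deleted but the ProfileList entry was not.
        try {
            $sidObject = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $account   = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '<unresolved SID>'
        }

        # ProfileImagePath is REG_EXPAND_SZ; Get-ItemProperty returns it expanded.
        $localPath   = $values.ProfileImagePath
        $cacheExists = $false
        if ($localPath) { $cacheExists = Test-Path -LiteralPath $localPath }

        New-Object PSObject -Property @{
            SID              = $sid
            Account          = $account
            ProfileImagePath = $localPath
            CentralProfile   = $values.CentralProfile
            LocalCacheExists = $cacheExists
            # Registry key survived but the folder or the account did not: the
            # chapter's "deleted from Explorer" case, whose profile will not load
            # properly at the next logon. Remove these with the proper tools.
            Orphaned         = (-not $cacheExists) -or ($account -eq '<unresolved SID>')
        }
    }
}

Get-CachedProfileInventory |
    Select-Object Account, SID, ProfileImagePath, CentralProfile, LocalCacheExists, Orphaned |
    Sort-Object Orphaned, Account |
    Format-Table -AutoSize
```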

How Profile Changes Are (Not) Merged


The operating system loads the contents of NTUSER.DAT into HKCU at logon and saves back to NTUSER.DAT at logoff, in the same way that you might open a Microsoft Word document when you log on, type in it for a while, and then save the document when you log off. This has some important implications for a remote environment.

As an example, imagine this scenario. You are logged on to two different computers and you open a new Word document in each session. In Session 1, you type “Every Good Boy Does Fine.” In Session 2, you type “All Cows Eat Grass.” You save the file in Session 1 as Myfile.docx. Next you save the file in Session 2 as Myfile.docx in the same location, confirming that you want to overwrite the old file when prompted.

The next time you open Myfile.docx, the file will say only “All Cows Eat Grass.” The phrase “Every Good Boy Does Fine” has been overwritten. In short, the files are not merged; they’re written back to the save location, and the version last written to that location is the only one you’ll see.

So it is with profiles, which are just another type of file. If you log on to two sessions, each of which is using the same roaming profile, you will have two copies of your profile open. If you make changes to the open profile, you’ll see them at the time, but they won’t be saved into NTUSER.DAT until you log off. (Unlike the Word .docx file, the file system won’t ask if you want to overwrite the profile file.) As in the previous example, if you have a profile open in Session 1 and in Session 2, log off Session 1 and then log off Session 2, only the changes made to the Session 2 copy of the profile will appear when you log on again and reload that profile. The only difference from the document scenario is that the operating system won’t ask you if you want to overwrite the previous version.

CAUTION  One implication of the way profiles work is that you shouldn’t use the same profile for local sessions and remote sessions. If you do, then by definition, every time you log on to your computer and then log on to an RD Session Host server, you will be opening two copies of your profile. You will almost certainly lose profile data this way.

232  Chapter 5  Managing User Data in a Remote Desktop Services Deployment

You might be wondering whether opening two RemoteApp programs from a single RD Session Host server opens one or two copies of your profile. The answer depends on the version of Windows Server hosting the session, and how you’re starting the applications. On a terminal server running Windows Server 2003, you could create a Remote Desktop Protocol (RDP) session that would open a single application instead of displaying the entire desktop. (As noted in Chapter 1, “Introducing Remote Desktop Services,” not many people did this because the experience wasn’t very user-friendly, but it was possible.) If you presented individual applications this way, then each time a user opened an application on the same server, he would open a separate session and therefore a separate copy of the profile.

Windows Server 2008 improved on this design in two ways. First, it introduced RemoteApp programs. All RemoteApp programs started from the same server by the same user account run in the same session, so they open only a single copy of your profile. Second, when deciding where to route incoming connections to an RD Session Host server farm, the RD Connection Broker will check to see if a user already has an open session on an RD Session Host server in the farm. If the user does, then the user will be routed to the same session to start the application. So, what is the result? You have preference to the server where you already have an open connection, and, so long as you’re connecting to only a single server, only one copy of the profile will be open because all RemoteApp programs will run in the same session.

Profile Contents External to the Registry


Not all parts of a profile are stored in HKCU. The same folder that contains the NTUSER.DAT file also contains other folders that contain user data as well as application-specific data. In Windows Vista and Windows Server 2008, the profile includes the folders listed in Table 5-2. (More folders might be available, depending on which applications you have installed.)

TABLE 5-2  Folders Associated with a Windows 7 or Windows Server 2008 R2 Profile

FOLDER        DESCRIPTION
AppData       Default root location for user application data and binaries
Contacts      Used to store contact information and is also the address book for Windows Mail, the successor to Microsoft Outlook Express (Windows Mail is not included in Windows 7 or Windows Server 2008 R2)
Desktop       All items stored on the desktop, including files and shortcuts
Documents     Default root location for all user-created files (spreadsheets, text documents, and so on)
Downloads     Default location for all files downloaded using Windows Internet Explorer
Favorites     Bookmarked Uniform Resource Locators (URLs) in Internet Explorer
Links         File and folder shortcuts; these show up under the Favorites menu on the left side of an Explorer window
Music         Default root location for all music files
Pictures      Default root location for all image files
Saved Games   Default location for saved games
Searches      Default location for saved searches performed from the Search Programs And Files input box on the Start menu
Videos        Default root location for all video files

Beginning in Windows Vista and Windows Server 2008, the profile structure changed from Windows XP and Windows Server 2003. (Windows 7 and Windows 2008 R2 retain this new profile structure.) The new structure uses more folders to organize the data.

Notice that Windows XP and Windows 2003 were not mentioned in Table 5-2. This is because profiles have evolved over time and the structure of profiles has changed. Windows XP and Windows Server 2003 profiles are called version 1 (V1) profiles; profiles using the structure of Windows Vista and Windows Server 2008 and later are called version 2 (V2) profiles. A V2 user profile folder is distinguished from its predecessors by an added .V2 extension.

Version 2 profiles generally use more folders than those of Windows XP, but V1 top-level folders such as NetHood and PrintHood were moved inside the AppData folder beginning in Windows Vista. Table 5-3 (adapted from the Microsoft document “Managing Roaming User Data Deployment Guide” located at http://technet.microsoft.com/en-us/library/cc766489(WS.10).aspx) shows the differences in the default root profile folder structure between V1 and V2 profiles.

TABLE 5-3  Profile Folder Structures of V1 and V2 Profiles

V2 PROFILE FOLDERS (WINDOWS VISTA AND LATER)   V1 PROFILE FOLDERS (WINDOWS XP AND WINDOWS SERVER 2003)
Now AppData\Roaming                            Application Data
Contacts                                       Not Applicable
Desktop                                        Desktop
Downloads                                      Not Applicable
Favorites                                      Favorites
Links                                          Not Applicable
Documents                                      My Documents
Music                                          In My Documents
Pictures                                       In My Documents
Videos                                         Not Applicable
Saved Games                                    Not Applicable
Searches                                       Not Applicable
Tracing                                        Not Applicable
Now in AppData folder                          My Recent Documents
Now in AppData folder                          NetHood
Now in AppData folder                          PrintHood
Now in AppData folder                          Send To
Now in AppData folder                          Start Menu
Now in AppData folder                          Templates
Now in AppData folder                          Local Settings
Now in AppData folder                          Cookies

As you might have noticed in Table 5-3, the Local Settings folder from V1 profiles does not exist in V2 profiles, and many V1 profile folders are now consolidated under the AppData folder in V2 profiles. Why does this reorganization of data matter?

One big accomplishment of the V2 profile reorganization is that machine-specific data is now separated from user-specific data. V1 profiles kept machine-specific and user-specific data scattered through the profile. V2 profiles sort this data and do a better job of separating user-specific data from data that is either too large to roam with the user or is specific to a particular machine and therefore should not roam.

In V2 profiles, the AppData folder now has three subfolders that separate this kind of data:
■ AppData\Roaming  Data that is user-specific and should roam with the user profile.
■ AppData\Local  Data that is either machine-specific or too large to roam with a user’s profile folder, for example, an Outlook .OST file.
■ AppData\LocalLow  Data for “low-integrity” apps (such as browser-based apps) to store data.

Table 5-4 (which was adapted from the Microsoft “Managing Roaming User Data Deployment Guide”) shows where certain V1 profile data is stored in the V2 profile structure.

TABLE 5-4  Data Storage Reorganization from V1 to V2 Profiles

V2 PROFILE DATA LOCATIONS                                   V1 PROFILE DATA LOCATIONS
…\AppData\Local                                             Local Settings\Application Data
…\AppData\Local\Microsoft\Windows\History                   Local Settings\History
…\AppData\Local\Temp                                        Local Settings\Temp
…\AppData\Local\Microsoft\Windows\Temporary Internet Files  Local Settings\Temporary Internet Files
…\AppData\Roaming\Microsoft\Windows\Cookies                 Cookies
…\AppData\Roaming\Microsoft\Windows\Network Shortcuts       NetHood
…\AppData\Roaming\Microsoft\Windows\Printer Shortcuts       PrintHood
…\AppData\Roaming\Microsoft\Windows\Recent                  Recent
…\AppData\Roaming\Microsoft\Windows\Send To                 Send To
…\AppData\Roaming\Microsoft\Windows\Start Menu              Start menu
…\AppData\Roaming\Microsoft\Windows\Templates               Templates

NOTE  The “Managing Roaming User Data Deployment Guide” is available at http://technet.microsoft.com/en-us/library/cc766489%28WS.10%29.aspx.

Because V1 profiles and V2 profiles are so different, you can’t use the same profiles for Windows Server 2008 R2 RD Session Host servers that you did for terminal servers running Windows Server 2003 or Windows XP VMs. The structures of the profiles don’t match.

You’ll learn later in this chapter how to allow Windows Server 2003 and Windows Server 2008 profiles to coexist. (See the section entitled “Sharing Folders Between Windows Server 2003 and Windows Server 2008 Roaming Profiles” later in this chapter.) This is important both for supporting mixed deployments of terminal servers running Windows Server 2003 and Windows Server 2008 R2 RD Session Hosts, and for supporting Windows 7 VM pools and Windows XP VM pools. (The changes to the profile structure between the operating systems are one reason why you should not combine Windows 7 and Windows XP VMs in the same pool.)

Introduction to Folder Redirection


Although these data folders are stored by default in the user’s profile folder, they don’t have to be. In fact, in most cases, it’s best if some of them aren’t. Here’s why.

First, keeping user data within the profile folder increases the profile size. Assuming that you’re storing profiles on a central share instead of on individual RD Session Host servers (and, for reasons you’ll see shortly, this is a good assumption), this can slow logons. A large profile increases the time that it takes for users to log on and log off (because the data in the profile must be cached on the RD Session Host server). In Windows Server 2008 R2, if the profile cache on a server exceeds the quota allocated to the profile cache, it will delete the most recently used profiles, but there’s still no reason to fill the cache with user data.

Second, if you’re using mandatory profiles and you don’t redirect folders outside the profile folder, users will not be able to save files to the standard personal folders such as Documents. The files will look like they’re saving, but they won’t be retained. This will cause users a great deal of grief and bring you many unsolvable calls to the Help desk.

NOTE  The Recycle Bin is a hidden file in the root of the profile folder. You can’t redirect it, and even if you’re using mandatory profiles, you will still be able to send files to the Recycle Bin.

The third reason applies to VMs, whether pooled or personal. In the case of a personal desktop, saving files locally preserves them, but it complicates file restore because the files are stored in the VM. To restore the files saved on the local VM, you’d need to restore the VM from backup. Saving the files separately makes it easier to restore them, and the easiest way to do that is to enable Folder Redirection. In the case of pooled VMs, Folder Redirection is essential. As with mandatory profiles, saving files to local folders on a pooled VM can lead to lost data. As discussed in Chapter 4, “Deploying a Single Remote Desktop Virtualization Host Server,” the most common configuration for pooled VMs is to roll back changes at user logout so the VM remains pristine. That rollback means that any documents saved to the VM would be lost. (Some ISV solutions actually delete the VM on each use and re-create it, which has the same effect.)

For these reasons, it’s good practice to use Folder Redirection with RDS, whether connecting to VMs or sessions. You’ll learn how to do this in the section entitled “Centralizing Personal Data with Folder Redirection” later in this chapter. For now, just know that redirecting profile folders means just that: storing profile subfolders, and the data within them, outside the main root profile folder.

How Virtualization Complicates Storing User Configuration and Files


This topic will be discussed a lot in this chapter, but to begin, you need to be very clear about why virtualization complicates user profiles and the way users store data. Fundamentally, it’s because profiles were originally designed for logging into one place at a time, and when using RDS, you might be logged into more than one remote session.

RDS supports five remoting work scenarios:
■ RemoteApp programs running from an RD Session Host server and displayed alongside locally running applications
■ RemoteApp programs running from a VM (most often a Windows XP VM)
■ A full desktop session on an RD Session Host server
■ A pooled VM, which might be running any version of a Windows client operating system
■ A personal VM, which might be running any version of a Windows client operating system

Figure 5-3 shows the intricate matrix of user profiles and redirected folders for users who access multiple desktop and RDS environments.

[Figure 5-3: a File Server holding Personal VM Roaming Profiles, Windows 7 Pool Roaming Profiles, Windows XP Pool Roaming Profiles (V1), an RDS Mandatory Profile, RD Session Desktop Roaming Profiles, and Redirected Folders, serving Personal VMs, Windows 7 Virtual Desktop Pools, Windows XP Virtual Desktop Pools, an RD Session Host Farm, and Desktops]

FIGURE 5-3  Providing a consistent environment for RDS environments becomes more complicated with virtualization.

So what does it mean to have all these virtualization environments available?

Using more than one or two types of virtualization can lead to profile proliferation. It’s relatively simple if you use one type of virtualization. For example, if you normally work from a desktop running Windows 7 and use RemoteApp for Hyper-V to run a couple of Windows XP applications as RemoteApp programs, then you will have two profiles: one for the RemoteApp session and one for local use. Add a session to that and you could potentially have three profiles to manage. Similarly, the more server farms that a person will need to access to run RemoteApp programs, the more likely that she will have multiple copies of her profile open at once. This is a good argument against farm proliferation.

Operating systems that use V1 profiles can technically use the same V1 profile (and the same goes for operating systems that use V2 profiles). Whether this is a good idea depends on whether the settings in the profiles are appropriate to both local and remote sessions. Also, keep in mind that if you have a copy of your profile open in two sessions, then you might lose changes if you edit both copies.

Storing Profiles
By default, when you log on to a computer running Windows 7 for the first time (unless you’ve set up roaming profiles), you’ll create a new profile in its local profile directory (%SystemRoot%\Users). This profile directory will have your name as a logon alias; it will contain your folders and NTUSER.DAT (which is a hidden file, so you won’t see it unless you’ve enabled viewing hidden files). If left alone, thereafter you’ll store everything in that location. Documents will default to Documents, images will default to Pictures, and where music is stored by default is left as an exercise for the reader. All will be well so long as that’s the only computer you use. If it’s not the only computer you use, however, life gets somewhat more complicated.

Thus far, you have learned how to set up only a single RD Session Host server. However, to provide redundancy and better scale, you’ll need to have multiple RD Session Host servers organized into a farm. When a user logs on to an RD Session Host server farm, the connection is passed from an RD Session Host server to the RD Connection Broker. If the user trying to connect has no current sessions, the RD Connection Broker picks the RD Session Host server with the lowest number of active sessions and sends the user there, as shown in Figure 5-4. Each time a user connects, the RD Connection Broker decides anew which server the user should connect to, based on the number of connections that each server is actively supporting and whether the user already has a session open somewhere. The user connects to the server with the fewest active connections or the one where the user already has an open session. It is likely (and highly recommended) that users will log off when not using their RD Session Host server session, so if you use local profiles for RD Session Host server sessions, then over time, a user will have a local profile on all the servers in the farm.

[Figure 5-4: an RD Session Host Farm in which the RD Connection Broker sends the user to RD Session Host Server 1 on Monday, RD Session Host Server 2 on Tuesday, and RD Session Host Server 3 on Wednesday, with a separate User Local Profile created on each server]

FIGURE 5-4  If you use local profiles with RD Session Host or pooled VMs, a user could eventually have local profiles on every server in the farm or every VM.

This might not sound so bad. The user’s logons will occur quickly because the profile isn’t loaded from the network but rather from the local computer. But when the user makes a change here and there, over time, her desktop will look completely different depending on which RD Session Host server (or pooled VM) she logs on to. (If user data is part of the profile, that is, if you haven’t redirected profile folders, the user will be even more confused because the data that she saved in one local My Documents folder won’t be in another one.) If she makes a bad change, that change could well lead to a Help desk call that can be tricky to figure out until you determine to which RD Session Host server she is connected. This is especially true because the problem might vanish if the user logs off and then logs back on and the RD Connection Broker sends her to a different RD Session Host server.

To avoid this scenario, all the RD Session Host servers should use the same copy of the profile, which means that you need to use roaming (or mandatory) profiles stored on a network share. When a user logs on, the User Profile Service looks at the user account properties to see where the profile reserved for RD Session Host server sessions is kept and loads it from there.

When a user logs off, the profile is either deleted from the RD Session Host server or retained in the local cache, depending on the Group Policy settings applied to the RD Session Host servers. For faster logons, cache the profile. Just ensure that there’s enough space on the hard disk holding the cache to support everyone who might need to cache their profile there.

Providing a Consistent Environment


The ways in which you can provide applications to users have grown, and keeping the user experience consistent across these different environments has become even more complicated. Now you must design and implement a profile strategy that takes into account the following:
■ Users can use more than one endpoint type at the same time.
■ Microsoft VDI can include both V1 (in Windows XP) and V2 profiles (in Windows Vista and later).
■ One user can have multiple profiles.

Expect Multiple Profiles


As you offer more ways to present applications to users, delivering user configuration data in the profile gets more complicated. For example, instead of having users logging onto a single desktop and doing all of their work on that local machine, you can now offer full desktops in a session, RemoteApp programs, personal VMs, pooled VMs, and even RemoteApp programs from VMs. Each of these application delivery solutions has a unique environment, and therefore, when using RDS, we recommend implementing different user profiles for each of these unique environments. The problem with this is that users expect to have the same experience wherever they log on. This is not really possible when users have multiple unique environments.

The Last Write Wins


The benefits of having multiple profiles far outweigh the benefits of not having them. Implementing a unique profile for each environment helps to overcome the “Last Write Wins” problem. This is exactly what it sounds like. If a user logs on to multiple places (multiple RDS farms, for example) and those farms have all been set up so that the user utilizes a single roaming profile, then that single roaming profile gets overwritten each time the user logs off each farm. Each time the profile used in a session is copied back to the roaming profile share, it overwrites what was previously there.

The user profile is made of both folder data and registry data. You might not experience much data getting overwritten in the folder areas because you can open only certain files in certain environments (as shown in Figure 5-5). However, the user profile stored in HKCU is all contained in one file: NTUSER.DAT. As Figure 5-5 shows, if the user has a profile open in two different sessions, the second logoff will overwrite any changes saved to the profile at the first logoff.

[Figure 5-5: Adam Barr’s Roaming Profile on the File Server holds Documents (Document X and Document Y), ..\Appdata\Application X, ..\Appdata\Application Y, and NTUser.dat. The profile is cached in each logged-on location: RDS Farm1 running Application X and RDS Farm1 running Application Y. Adam logs off one first and the other second; the whole NTUSER.DAT file gets overwritten, then overwritten again = Last Write Wins!]

FIGURE 5-5  The Last Write Wins.

For this reason, we recommend creating multiple farms only when necessary.

Design Guidelines for User Profiles


Each of the following affects how you save user-specific configuration settings and data for use with RDS:

■ Local profiles generally aren’t suited to deployments of more than one RD Session Host server because the user experience will be different on every RD Session Host server.
■ Large roaming profiles can increase logon and logoff times. The User Profile Service must copy the files to the endpoint and then copy them back to the profile at logoff.
■ Storing files on a personal VM can complicate backups and restoring data.
■ Rollback reverts all changes to a pooled VM to the state when you took the snapshot.
■ Profile settings are stored as a flat file written back to the profile storage location at logoff.

The following sections explain how these facts affect your design.

Balance Flexibility and Lockdown


Local profiles aren’t a good fit for RDS deployments larger than a single server. Storing local profiles on RD Session Host servers in a multi-server environment will cause the following problems:
■ It leads to an inconsistent user experience and can create problems that are hard to troubleshoot because they’re linked to logging onto a specific RD Session Host server.
■ It fills up an RD Session Host server hard disk with duplicate copies of a profile (that is, the profile will be stored on each RD Session Host server that a user logs on to).
■ It requires that you back up the RD Session Host server because it now holds user data.

You have two remaining choices: roaming profiles and mandatory profiles. Neither choice is always appropriate. The option that you pick depends on the amount of control you want and have authority to implement.

Roaming profiles can be freely edited by their owners within the limits defined by Group Policy (discussed in Chapter 6, “Customizing the User Experience”). That is, if you’ve defined the wallpaper for a user group via Group Policy, that will be the wallpaper every time anyone in that user group logs on. If you haven’t specified the wallpaper using Group Policy, anyone is welcome to change the wallpaper when connecting to the RD Session Host server. Like local profiles, roaming profiles store user configuration data in NTUSER.DAT.

Mandatory profiles differ from roaming profiles in that their owners can edit them, but any changes that they make will not be saved to the profile. This can speed up logoff times because nothing is written back to the network share where you’ve stored the mandatory profiles. More insidiously, mandatory profiles don’t save any data to folders stored within the profile folder. You must use Folder Redirection if using mandatory profiles, if you want users to be able to save data to their personal folders. In fact, that’s worth highlighting in a cautionary note.

CAUTION  If you use mandatory profiles or pooled VMs with rollback enabled, you must configure Folder Redirection to allow users to save files to their personal folders that are part of their profiles.

The core choice between mandatory and roaming profiles is the tradeoff of flexibility versus control. Mandatory profiles eliminate the chance of a user making a bad change that can’t be fixed by logging off and logging back on again. Mandatory profiles also speed logoff times because they don’t need to be written back to the share.

However, mandatory profiles don’t allow users the degree of personalization that many people have come to expect from Windows. In addition, mandatory profiles don’t allow other applications to save data to the profile either. This means that some security applications that require giving users a private key [such as the Encrypting File System (EFS)] don’t work with mandatory profiles. The choice will depend on your corporate culture, your need to use applications that require private keys, and the ability of the IT department to control the desktop.

ON THE COMPANION MEDIA  One solution to the choice between roaming profiles and mandatory profiles is not to choose. Use mandatory profiles and combine them with a mechanism that allows users to save selected settings and have them applied at logon. Windows Server 2008 does not include this functionality, but several RDS ISVs or consulting partners do. You can find an example of this functionality, a tool named Flex Profiles, from the following link on the companion media: http://www.immidio.com/flexprofiles.

Use Folder Redirection


Whether you’re using roaming profiles or mandatory profiles, it’s best practice to use Folder Redirection with sessions or pooled or personal VMs.

If you’re using roaming profiles, Folder Redirection will ensure that the profile stays small. A large profile will slow both logon and logoff times. The fastest approach is to use local profiles, but for reasons already discussed, you don’t want to combine local profiles with RD Session Host servers.

If you’re using mandatory profiles, then use Folder Redirection selectively. Any folders stored in the profile folder will become read-only. For some folders, this is very bad news because people won’t be able to save their documents or pictures in their personal folders. But for some folders, this is exactly what you want. For example, if you don’t want people to remove icons from the Start menu permanently, leave the Start Menu folder in the profile folder. See the section entitled “Centralizing Personal Data with Folder Redirection” later in this chapter for how to implement Folder Redirection.

Compartmentalize When Necessary


It is generally best practice to maintain different profiles for different environments because different types of virtualization can have different user configuration requirements. Don’t go crazy creating different profiles for every possible occasion, but make sure your profile plan supports the various ways people use RDS. Compartmentalizing can also help avoid accidental overwrites.

■ You might need V1 profiles to access terminal servers running versions of Windows earlier than Windows Server 2008, and V2 profiles to access RD Session Host servers.
■ Implement roaming profiles for use with VM pools to keep the user experience consistent and avoid losing profile changes to rollback.
■ Personal VMs can use a local profile for faster logons.
■ To avoid the Last Write Wins problem, avoid users opening the same profile on multiple machines at the same time.

Prevent Users from Losing Files on the Desktop


There are a couple of cases where it’s really important to prevent users from saving files to the desktop.

Users can lose, or misplace, data when using RemoteApp programs if you’re not careful about Folder Redirection. Here’s why. The Desktop folder contains everything that you can see on the desktop: files and shortcut icons. Many users are used to saving documents to the desktop. This is acceptable if you’re actually seeing the full desktop, but if you’re using RemoteApp programs, users don’t see their desktop in the RD Session Host server session. Users could save data to the desktop and then not know where that data actually is because they can’t see it. (They could open a document if they moved to the Desktop path when opening a file, but just double-clicking a document on the session desktop is not possible in this scenario.) To prevent users from saving files to the desktop, you can make the desktop read-only and trigger an error message if the user tries to save files to the desktop. To do this, you’ll need to do the following:
■ Redirect the Desktop folder to an external share.
■ Set the permissions on this external share to read-only.

NOTE  For instructions on how to create a read-only desktop, read the section entitled “Creating a Safe Read-Only Desktop” later in this chapter.

If you keep the Desktop folder in the profile folder and use mandatory profiles, then people can save files to the desktop as long as they are logged on. When the user logs off, however, no changes are saved, including saved files on the desktop. The same thing will happen to users of VM pools with rollback enabled; anything saved by the user to the VM during each session will be discarded once the VM snapshot is invoked.

In both cases, redirect the desktop to a folder so users can save data there without it being discarded at logoff.

NOTE  For instructions on implementing Folder Redirection, see the section “Centralizing Personal Data with Folder Redirection” later in this chapter.

Upload Profile Registry Settings in the Background

NTUSER.DAT is updated only when a user logs off. A user who does not log off isn’t saving changes. This can lead to data loss. A new policy in Windows Server 2008 R2 enables this file to be uploaded while the user is logged on, as follows:

Computer Configuration\Administrative Templates\System\User Profiles\Background upload of a roaming user profile’s registry file while user is logged on

Configure the setting to upload NTUSER.DAT on a set schedule (at a certain time of day) or at a set interval, designated in hours.

NOTE  This setting does not upload any other profile data, just the contents of HKCU.

Speed Up Logons
People are sensitive to the amount of time it takes to log on to a session. If it takes too long,
you’ll have problems with people leaving their sessions open rather than logging off. This is
a security risk, has the potential to lock files that more than one person might need to edit,
and keeps processes open on the RD Session Host server. You can disconnect and terminate
sessions forcibly using Group Policy, but this has other drawbacks.
To encourage people to log off, make the logon process as painless as possible. You’ve
already learned about using Folder Redirection to minimize the size of a profile. To speed
things up, you can also employ Group Policies to do the following:
■ Cache roaming profiles
■ Limit the amount of time an RD Session Host server or VM will try to load the user
profile before using a temporary profile
■ Set an upper limit on the size of a user profile
■ Process group policies asynchronously

New to Windows Server 2008: Speeding Up Logoffs

Speeding up logons is important, but when it’s Friday afternoon and you want to
get out of the office, logoffs are just as important. There are two ways in which
Windows Server 2008 and later help logoffs take less time.

You can limit the size of a profile using Group Policy (and help this limit by redirect-
ing the folders out of the policy). This policy, Limit Profile Size, is set per user and
is located in User Configuration\Policies\Administrative Templates\System\User
Profiles.

246 Chapter 5  Managing User Data in a Remote Desktop Services Deployment

Prior to Windows Server 2008, there was a nasty catch when it came to profile
quotas: Windows was serious about enforcing this limit. If you made your roaming
profile larger than Group Policy allowed, Windows would prevent you from logging
off until you made the profile smaller. In Windows Vista and later, you can log
off, but if the profile is larger than the size permitted by Group Policy, the profile
changes won’t get written back to the roaming profile storage area.

Before Windows Server 2008, another issue that could delay logoffs (or prevent you
from unloading your roaming profile altogether) was applications or drivers that
left handles to the registry open (in other words, they started to use it but never
broke the connection). Microsoft had a separate tool called the User Profile Hive
Cleanup Service (in an application called UPHClean) that checked for these open
handles and closed them so users could log off. In Windows Server 2008 and later,
UPHClean functionality is handled by the User Profile Service.

Caching Roaming Profiles

To reduce the time that it takes to log on to an RD Session Host server, the server will cache
the roaming profiles. Ordinarily, RD Session Host servers attempt to retrieve the roaming
profile from its central location. In cases when the network connection to the profile server
is too slow or not working, however, being able to log on with a locally cached copy of your
profile can at least speed things up. Caching stores a copy of the profile on the RD Session
Host server. This profile cache isn’t used if the original roaming profile is available, but it can
speed up logons in the case of slow or absent network connections.
Caching profiles is not without its drawbacks. It consumes hard disk space on the RD
Session Host server. It can also prevent new users from logging on if the space allocated to
cached profiles gets filled up. If you do cache profiles, make sure that you’ve got sufficient
space for your user base and use Group Policy to delete profiles that aren’t being used.

CAUTION  Don’t delete user profiles from the RD Session Host server using
Windows Explorer or the delete command-line tools, because this does not clean
up the registry entries associated with the profile and can affect the user’s ability to
log on again. Configure the RD Session Host servers with Group Policy to delete any
profiles unused for a given period.

Process Group Policy Asynchronously

Caching user profiles also means that you can use asynchronous processing of Group Policy, a
policy processing mode introduced in Windows Server 2008. You can apply Group Policy syn-
chronously or asynchronously. If you apply it synchronously (the default mode for a server),
logon doesn’t complete until the Group Policy settings that apply to that user are applied. If
you apply Group Policy asynchronously (the default action for a desktop), the user can log on
while Group Policy is being applied. Asynchronous processing can lead to changes in the user
environment after users have logged on but will speed up logon times if Group Policy process-
ing is slowing things down. For a review of the connection process, see Chapter 3, “Deploying
a Single Remote Desktop Session Host Server.”
Allow asynchronous Group Policy processing by enabling the following Group Policy
setting:

Computer Configuration\Policies\Administrative Templates\System\Group Policy\
Allow Asynchronous User Group Policy Processing When Logging On Through Remote
Desktop Services

This policy works only when logging on to an RDS session host. It’s not needed when
logging on to desktop pools, because a desktop operating system already processes Group
Policy asynchronously by default.

Deploying Roaming Profiles with Remote Desktop Services

This section discusses managing roaming profiles in an RDS environment, including the fol-
lowing:
■ Creating roaming profiles
■ Converting an existing local profile to a roaming profile
■ Creating a default network profile
■ Using Group Policy to set up the roaming profile storage area automatically
■ Implementing a Group Policy infrastructure that supports these policies, including
security filtering and loopback policy
■ Managing roaming profiles cached on the RD Session Host servers

Creating a New Roaming Profile

To implement roaming profiles, you will need to:
1. Create a network share in which to store the roaming profiles.
2. Configure the user accounts (through Active Directory Users And Computers or Group
Policy) to use roaming profiles.
3. Have each user log on and create the roaming profile.
First, create a shared network location to store the roaming profiles. On the file server,
create a new folder and set the appropriate NTFS and share permissions, using the guidelines
in Table 5-5.

TABLE 5-5  Recommended Share and NTFS Permissions for an RDS Roaming Profiles Storage Folder

USER ACCOUNT                          PERMISSION TYPE   PERMISSIONS
Authenticated Users group             Share             Full Control
Creator Owner                         NTFS              Full Control, subfolders and files only
Local System                          NTFS              Full Control on this folder, subfolders, files
User/Group whose profiles will be     NTFS              List Folder Content/Read, Create Folders/Append Data,
stored in the folder                                    all on this folder only
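As an added illustration (not from the book), the following PowerShell script applies the Table 5-5 permissions with the built-in icacls.exe and net share tools. The folder D:\RDSProfiles, the hidden share name RDSProfiles$, and the groups CONTOSO\RDS-Users and CONTOSO\Domain Admins are assumed names; the Domain Admins grant reflects the maintenance access discussed later in this section and can be left out if the user is to be the only principal on each profile folder.

```powershell
# Added example (not from the book): create an RDS roaming profile root with the
# share and NTFS permissions from Table 5-5. Assumed names: D:\RDSProfiles, the
# hidden share RDSProfiles$, group CONTOSO\RDS-Users (profiles stored here) and
# CONTOSO\Domain Admins (optional maintenance access). Run elevated on the file server.
$Root       = 'D:\RDSProfiles'
$ShareName  = 'RDSProfiles$'
$UserGroup  = 'CONTOSO\RDS-Users'
$AdminGroup = 'CONTOSO\Domain Admins'

New-Item -Path $Root -ItemType Directory -Force | Out-Null

# Start from a clean ACL: remove inherited ACEs so nothing higher up the tree grants
# more than the table intends (least privilege on the profile root).
icacls.exe $Root /inheritance:r | Out-Null

# NTFS rows of Table 5-5, expressed in icacls inheritance flags:
#   CREATOR OWNER (S-1-3-0): Full Control, subfolders and files only -> (OI)(CI)(IO)F
#   SYSTEM (S-1-5-18):       Full Control, this folder, subfolders and files -> (OI)(CI)F
#   user group:              List Folder Contents/Read + Create Folders/Append Data,
#                            this folder only -> (RX,AD) with no inheritance flags
icacls.exe $Root /grant '*S-1-3-0:(OI)(CI)(IO)F' | Out-Null
icacls.exe $Root /grant '*S-1-5-18:(OI)(CI)F'    | Out-Null
icacls.exe $Root /grant "${UserGroup}:(RX,AD)"   | Out-Null

# Optional: administrators' Full Control, inherited into the profile folders created
# beneath the root, so a corrupt profile can be cleaned up without the user's help.
icacls.exe $Root /grant "${AdminGroup}:(OI)(CI)F" | Out-Null

# Share row of Table 5-5: Authenticated Users Full Control at the share level;
# the NTFS ACL above is what actually limits each user to their own folder.
net.exe share "$ShareName=$Root" /GRANT:"Authenticated Users,FULL" | Out-Null

# Show the resulting ACL for review.
icacls.exe $Root
```

Because the user group's ACE carries no (OI)(CI) flags, members can list the root and create their own folder but cannot read into folders they do not own; the Creator Owner ACE then gives each user Full Control of the folder they create.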

DIRECT FROM THE SOURCE

How Profile Folders Are Named

Sergey Kuzin
Software Development Engineer II

The way that a user’s profile folder is named depends on the circumstances in
which it’s created. The user My Name (with user name Myname) with an ac-
count in Domain1 will store his profile in one of two places: \RDS-Roaming-Profiles\
Myname or \RDS-Roaming-Profiles\Myname.Domain1.

The best case is to add the domain name to the profile path; this disambiguates
the path when there are two (or more) users with the same name living in different
domains. For example, in a large corporate network, you might have Domain1\
Myname (that’s me) and Domain2\Myname (some other user). When Domain1\
Myname logs on to a legacy terminal server the profile created for him will be
…\Myname. If Domain2\Myname later wants to store his profile on the same server,
he will have a problem. That’s why you add .domain to the profile path, so that users
with the same name but from different domains would have different profiles. So
ideally, you always want to add .domain to the profile path.

But then, what do you do with profiles that were created before you made this
change and don’t have .domain in the name? Leave them as is. But in this case, how
do you know which user this particular profile belongs to? You use permissions to
determine that. When the User Profile Service creates a new profile, it gives full
control to the user whom this profile is created for. So, if Domain1\Myname has
explicit full control permission to the …\Myname folder, then this profile belongs
to me and not to Domain2\Myname. That’s why you have this logic when creating
profile names.

Here is the logic you use to create the profile path.

1. Attempt to locate the …\username.domain path. If it exists and the user has
explicit permissions to it, then use it.

2. If the user does not have explicit Full Control access to …\username.domain or
this folder does not exist, then try to access …\username.

3. If …\username exists and the user has explicit permissions to it, then use it.

4. If the user does not have explicit Full Control access to …\username or the folder
does not exist, then use …\username.domain.

As you can see, by default you always create the folder with …\username.domain.
Only when the …\username folder exists and the user has explicit Full Control ac-
cess to it do you use it. Again, it’s always best to include the domain name in the
profile path so that two people with the same user name with accounts in different
domains can store their profiles in the same central share.
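The four steps above can be turned into a check an administrator runs before migrating or cleaning up a share, to see which folder a given account will actually resolve to. The following PowerShell function is an added example, not Microsoft's User Profile Service code; it takes "explicit Full Control" to mean a non-inherited Allow ACE for the account that includes FullControl, and the share path, user name and domain in the usage line are assumed values.

```powershell
# Added example (not Microsoft's code): predict which folder the User Profile Service
# will pick for a user, following the four steps above. "Explicit Full Control" is taken
# to mean a non-inherited Allow ACE for the account that includes FullControl.
# The share path, user name and domain in the usage line are assumed values.
function Test-ExplicitFullControl {
    param([string]$Path, [string]$Account)   # $Account in DOMAIN\user form
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.IsInherited) { continue }                          # must be explicit
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $Account) { continue }
        if (($ace.FileSystemRights -band $full) -eq $full) { return $true }
    }
    return $false
}

function Resolve-ProfileFolder {
    param(
        [string]$Root,        # e.g. \\server\RDS-Roaming-Profiles
        [string]$UserName,
        [string]$Domain,
        [string]$Suffix = ''  # '.V2' for Windows Server 2008 / Windows Vista style profiles
    )
    $account    = "$Domain\$UserName"
    $withDomain = Join-Path $Root "$UserName.$Domain$Suffix"
    $bare       = Join-Path $Root "$UserName$Suffix"

    # Steps 1-2: use username.domain if it exists and this user explicitly has Full Control
    if (Test-ExplicitFullControl -Path $withDomain -Account $account) { return $withDomain }
    # Step 3: otherwise fall back to a legacy username folder, but only if it is explicitly this user's
    if (Test-ExplicitFullControl -Path $bare -Account $account) { return $bare }
    # Step 4: neither matched, so a new username.domain folder is the target
    return $withDomain
}

# Usage with assumed values; the result is the folder that will be used or created.
Resolve-ProfileFolder -Root '\\FILESRV\RDS-Roaming-Profiles' -UserName 'Myname' -Domain 'Domain1'
```

Run against both Domain1\Myname and Domain2\Myname on the same share, the function shows why a legacy …\Myname folder is claimed by exactly one of them: only the account with an explicit Full Control ACE on that folder resolves to it, the other is sent to its own username.domain folder.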

When you’ve set up the profile location, configure the user account to use roaming pro-
files. This process varies slightly for profiles used with RD Session Host servers and for profiles
used with pooled and personal VMs. You will see these differences as you step through this
process. It’s easiest if you configure this via Group Policy, but you will also see how to do it on
a per-user basis.

Remote Desktop Session Host

To configure a user account to use roaming profiles, perform the following steps:
1. Open Active Directory Users And Computers, right-click a user’s account, and choose
Properties.
2. For Remote Desktop Session Host situations, navigate to the Remote Desktop Services
Profile tab and type the Profile Path location using the format \\servername\share
name\%username%.DomainName, as shown in Figure 5-6.
The variable %username% inserts the user account name into the profile path, so you
don’t have to customize the path for each person when adding new accounts manually or
through a script. You don’t need to add the .V2 extension to this path, either; it will be added
automatically because the profile will be a 2008 version profile. The next time the user logs
on to the RD Session Host server, he will use the roaming RDS profile.

FIGURE 5-6  Enter the Remote Desktop Services profile path.

NOTE  Windows Server 2008 and later and Windows Vista profiles have a .V2 extension.
Older operating systems use V1 profiles, which have no extension associated with the
profile folder name.

Virtual Machines
Pooled and personal VMs do not use Remote Desktop Services profiles. A pooled or personal
VM is really a virtualized client desktop and acts accordingly—that is, it uses regular profiles.
For these VM scenarios, enter the profile share’s UNC path on the Profiles tab of the user ac-
count Properties dialog box, shown in Figure 5-7.

FIGURE 5-7  Specify the profile used for pooled and personal VMs on the Profile tab, not the Remote
Desktop Services Profile tab.

When the user is configured to use roaming profiles, it’s time to create the profile. This
happens when the user first logs on to the RD Session Host server (or the pooled/personal
VM). When the user first logs on, the following happens:
1. The User Profile Service creates a profile folder for the user in the specified path.
2. The User Profile Service copies the default profile on the RD Session Host server or VM
to give the user a profile.
3. When the user logs off, the User Profile Service copies the profile to its storage loca-
tion in the specified network share. The user will be the owner of the folder and there-
fore will be the only one to have access to the folder and its contents.
Although a user profile folder is for the user, if Administrators also have permissions they
can delete a corrupted profile or perform other maintenance easily. To permit this, give the
Domain Admins group Full Control NTFS rights to the parent folder, and pre-create roaming
profile folders for each user in the roaming profiles share. Make sure that the user has full
control of his profile folder, subfolders, and files and that the user is also the owner of the
folder. The simplest way to do this is to use Group Policy; if you keep your RD Session Host
servers or pooled VMs in their own organizational unit (OU), you can also create a computer
Group Policy object (GPO) with Loopback Processing enabled and give administrators access
to profile contents by enabling the following GPO setting:

Computer Configuration\Policies\Administrative Templates\System\User Profiles\Add
The Administrators Security Group To The Roaming User Profile Share

For more information on Loopback Processing and using Group Policy to create and man-
age RDS roaming profiles, see the section entitled “Using Group Policy to Manage Roaming
Profiles” later in this chapter.

DIRECT FROM THE FIELD

Managing Roaming Profiles Without Admin Access to the File Server

Bohdan Velushchak
Operations Engineer, MSIT

To use roaming profiles, you need a file server to store them on. In a smaller
deployment, you can have administrative rights to the file server as well as the
terminal servers, but enterprise deployments often segregate ownership. If you
aren’t an administrator of the file server, you can’t manage the folders directly—
you’ll need to ask the file server administrator. Even the Group Policy setting Add
The Administrators Security Group To Roaming User Profiles will not help if the RDS
administrator is not a member of the Administrators group on the file server. You
could lobby to become a member of the Administrators group on the file server,
but this is counter to Least Privilege Access principles.

You can resolve this situation with a logoff script. Use Icacls.exe to include RDS
administrators to the user profile’s permissions during logoff from user’s security
context. This works because the user has full access permissions to her profile, so
she can add necessary permissions for RDS Administrators. For example, the Logoff
script might look like this.

Icacls.exe "\\<profile root>\%username%.%userdomain%.v2" /grant "<RDS Admins group>:F" /T /Q

Add this script to each user through Group Policy: User Configuration\Windows
Settings\Scripts\Logoff Script. Now you can manage that profile folder.

There are two reasons to do this at logoff, not logon. First, if the user is logging
on for the first time, the profile folder might not yet exist, so the settings wouldn’t
apply until the second time. If the user never logged in again, you couldn’t delete
her profile without the help of the file server administrators. Second, if the profile
is large, it takes some time for Icacls.exe to go through the whole tree. Users do not
like long logon times, so why make them wait to start working? Let the script pro-
cess permissions when they’re done working and are less concerned about time.

Converting an Existing Local Profile to a Roaming Profile
Sometimes you will want to convert existing local profiles to roaming profiles. This can apply
if you are converting a traditional desktop deployment to an all-RDS deployment, and you are
willing to risk that the local profile settings are appropriate for the remote work environment.

NOTE  It’s often unwise to convert a local profile that a user has been using on a personal
desktop to a Remote Desktop Services roaming profile. The user might have administrative
access to her personal computer and could have installed numerous applications and made
many customizations that don’t apply to the shared (and more locked-down) world of RD
Session Host servers.

Converting local profiles to roaming profiles is really simple. Configure all user accounts to
use roaming profiles as described earlier, and specify that cached copies of the profile should
be deleted. When users log on to the server where their local profile resides and then log off,
their local profile will be copied to the network share that you specified. The cache on the
server will be deleted and only the roaming profile in the network share will remain.
You might have done this conversion in Windows Server 2008 using the Copy To button in
the User Profile Properties dialog box. This is no longer possible on a server running Windows
2008 R2 or a client running Windows 7—the button has been disabled.

DIRECT FROM THE SOURCE

Why the Copy To Button Is Disabled

Kyle Beck
Program Manager, Microsoft

The Copy To button is now disabled, because even though this button was used to
overwrite a profile with another profile, it was unsupported to use it to edit the
default profile. It was unsupported because the source profile was just copied whole-
sale into the default profile—the Copy To button performed a complete copy of ev-
erything in the source profile over the default profile. This could lead to errors in the
registry because references to the source user would persist on any new user created
from the new default profile. Because it was an unsupported method, its behavior was
updated; the default profile is now the only one that is copyable using this button.

The removal of this functionality doesn’t prevent you from converting local profiles to
roaming profiles or even overwriting one user’s profile with another’s. Removing the function-
ality prevents you from overwriting the default user profile with another user profile. People
often overwrote the default user profile with a customized one from another user to deploy
customized profiles to new users. As described in the Direct from the Source sidebar entitled
“Why the Copy To Button Is Disabled,” doing this was unsupported (although popular) as far
back as Windows XP, because although this “worked” for many people, it actually was not a
clean process. It could lead to problems if that profile had been used at all, and it would also
“tattoo” the profile with inappropriate settings and naming, such as the following:
■ A list of that user’s frequently run programs
■ The user’s documents folders will be incorrectly called Administrator’s Documents
■ The user might have access to Administrative Tools (this is incorrect for regular users)
■ Windows 7 libraries will be broken

ON THE COMPANION MEDIA  There are other implications to overwriting the
default user profile with a user profile by way of the Copy To button. See this article
(also on the companion media) for more information: http://blogs.technet.com
/deploymentguys/archive/2009/10/29/configuring-default-user-settings-full-update-
for-windows-7-and-windows-server-2008-r2.aspx. This article also discusses some
options for customizing the default profile in Windows 7.

Customizing a Default Profile

Customizing the default profile is one way to ensure that all new RDS users start with the
same settings. The only supported method for customizing the default profile is to use the
Sysprep.exe tool (built into Windows 7 and Windows Server 2008 R2) to overwrite the default
profile with the profile that you are logged onto when you run Sysprep.exe. Here are the steps:
1. Log on as an administrator and customize the profile as needed. This is the profile that
will be copied over the default user profile.
2. Create an Unattend.xml file and add a line of code to it to tell it to copy the profile of the
user logged on over the default profile when the system reboots. The line you add is
<CopyProfile>true</CopyProfile>

The following is example code for a 64-bit version Unattend.xml file with the extra line
of code added:

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <CopyProfile>true</CopyProfile>
    </component>
  </settings>
  <cpi:offlineImage cpi:source="catalog:e:/clg files/64-bit/install_windows 7 ultimate.clg"
                    xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>

3. Save this Unattend.xml file to C:\Windows\System32\Sysprep.
4. After you have the Unattend.xml file in place, open a command prompt and type the
following command:

sysprep.exe /oobe /reboot /generalize /unattend:unattend.xml

NOTE  The article at http://support.microsoft.com/kb/973289 explains how to do this,
but at the time of this writing, the syntax is incorrect. Use the one provided here.

After you run this command, the server will reboot. When it comes back up, the default
profile will be overwritten with the one that was logged in when you ran Sysprep. Now you
can highlight the default profile and use the Copy To button to copy the profile to a network
share to be used for roaming profiles.

CAUTION  Don’t run Sysprep on a production machine. The Sysprep command
resets the computer SID as well as eliminating system-specific data like the computer
name and the domain affiliation. It can also remove unique hardware drivers and
can reset the Windows activation key. If you are using VMs, then one workaround
is to take a snapshot of the VM before running Sysprep. After you are done running
Sysprep, rebooting, and copying the default profile to another location, apply the
snapshot and the VM will be rolled back to its prior state.

Creating a Default Network Profile

You have already learned (in the section titled “How Profiles Are Created” earlier in this
chapter) when a network default user profile would be used to create new user profiles. Using
a default network profile to create new roaming profiles might benefit your roaming profiles
implementation because it ensures that when new profiles are created, they all stem from the
same source.

Reasons Not to Create a Network Default Profile

Creating a network default profile can work well to deploy customized profiles in a
low-complexity environment. But it’s not always the best solution.

First, there is no way to distinguish when a network default profile should be used
to create a new roaming user profile. As discussed earlier in this chapter, in complex
remoting scenarios, it’s possible for people to have more than one remoting profile,
and if you point them to the same starting point, they will start with the same pro-
file in all scenarios. For example, a new profile created when the user logs on to a
Windows 7 pooled VM would stem from the same network default user profile that
is used to create a new roaming user profile for use in an RD Session Host server
environment. Depending on how you implement profiles, this might or might not
be acceptable.

In short, Windows doesn’t allow you to specify more than one default profile loca-
tion. So unless it’s okay to use the same default profile to build all roaming profiles,
we recommend applying customizations through Group Policy or scripting.

Assuming that you can use a network default profile for all your scenarios, on Windows
2008 (and Windows 7) you can copy a local default profile to the NETLOGON share on a
domain controller, following these steps:
1. Log on to the server with an admin account.
2. From the Run box, browse to the domain controller: \\DOMAIN CONTROLLER\
NETLOGON.
3. Create a folder in the NETLOGON share and name it Default User.v2.
4. From Server Manager, click Change System Properties, navigate to the Advanced tab,
and then click the Settings button in the User Profiles section.
5. Select the Default Profile from the list of profiles stored on the server and click Copy To.
6. Browse to or type the network path \\DOMAIN CONTROLLER\NETLOGON\Default
User.v2.

BEST PRACTICE  Ensure that the profile doesn’t contain any unnecessary data. A large
default network profile will slow down the initial profile creation process because new
profiles have to pull this large amount of data across the network.

Using Group Policy to Manage Roaming Profiles

You’ve seen how to dictate who uses roaming profiles by setting this up on a per-user basis
in Active Directory Users And Computers. If you have more than a few users, it’s easiest to
create a GPO that dictates the RDS roaming profile location for everyone who logs on to a
farm. This section explains how to do this and how to set up the Group Policy infrastructure
that you’ll need.
The single most important part of successfully using roaming profiles with RD Session Host
servers is to set up the RD Session Host server environment OU and create the GPOs correctly.
Group Policy has many different uses, but it all comes down to making changes to many
computers or many users all at once.
There are two broad categories of Group Policy: computer settings and user settings.
Computer settings are applied at boot time, or on an RD Session Host server (see Chapter 2,
“Key Architectural Concepts for Remote Desktop Services,” for more details), when a session
starts (to apply the settings to the session). User settings are applied when the user logs on
to the session. Because settings are applied to users at logon, they don’t have to be saved as
part of a user’s account properties. Because they’re applied second, settings applied to a user
will control when there’s a conflict.
Because of the order in which user and computer Group Policy is applied, when manag-
ing RD Session Host server settings, you’ll almost always use an additional GPO to enforce
loopback policy processing. In short, loopback policy reapplies the user-specific settings that
are placed on the OU where Loopback Processing is enabled after the normal user GPOs are
applied. The result is that settings placed on the RD Session Host server OU will always take
precedence in case of a conflict. If you have blocked GPO inheritance on the RDS OU, then
only the user policies that you place on the OU will be implemented for your users. You’ll find
out more about loopback policies in the section entitled “The Ins and Outs and Ins of Loop-
back Policy Processing” later in this chapter.
There’s some overlap between the computer- and user-specific settings in Group Policy, but
you’ll generally find that you’ll need both to configure the users’ working environment. When
setting up an RD Session Host server environment, where it’s important not just that you are
logging on but that you’re using an RD Session Host server, you’ll definitely need both.

ON THE COMPANION MEDIA  The following explanations assume that you have
permission to manage Group Policy for your RD Session Host servers. If this is not
the case, you’ll need to provide the instructions to the administrator controlling
Group Policy for your organization and let him or her fit them into corporate
management policy. This is one way to organize your RD Session Host server GPOs,
but it is not the only possible model. GPO architecture is unique to the particular
situation. For example, for some organizations, blocking inheritance might not be an
option for business policy reasons. For more information on Group Policy modeling,
see “Design Considerations for Organizational Unit Structure and Use of Group
Policy Objects,” located at http://technet2.microsoft.com/windowsserver/en
/library/2f8f18cf-a685-48db-a7be-c6401a8fb6341033.mspx?mfr=true. (This article
was written for Windows Server 2003, but it still applies.) You can also find the link
on this book’s companion media.

Controlling Group Policy Processing for an RDS Environment

When you have multiple users working on one computer, you need to control the environ-
ment as much as possible. The easiest way to do this is to perform the following steps:
1. Put RD Session Host server farms and all VM pools into their own OUs.
2. Block inheritance of all GPOs that are not specifically enforced. (You might not have
this option, depending on company policy.)
3. Place computer and user GPOs on these OUs to specify the settings to be implemented
for each pool and farm.
Here’s how to do all this.

ORGANIZE FARMS AND POOLS INTO OUS
First, create an OU for each RD Session Host farm or VM pool. (Because all members of a farm
or pool are homogenous, they should all be in the same OU.) Open Active Directory Users
And Computers, right-click the domain, and choose New, Organizational Unit. Name it after
the farm (for example, RDSH Farm1) and then drag all computer objects in the farm or pool
into the OU (see Figure 5-8).

FIGURE 5-8  Create OUs for your RD Session Host server farms and VM pools.

BLOCK GPO INHERITANCE

Next, if possible in your organization, block GPO inheritance for this OU. This ensures that
only computer settings set by GPOs linked to this OU will apply to the computers in this OU. It
also ensures that with Loopback Processing enabled, only user settings set by GPOs linked to
this OU will be applied to users logging on to the computers in this OU; other GPOs set at the
domain or site level will not be applied.
To block inheritance for a farm or pool OU, open the Group Policy Management console
(GPMC; do this by clicking Start, Programs, Administrative Tools, and Group Policy Manage-
ment), right-click the RD Session Host server’s OU, and choose Block Inheritance. If possible,
also do this for your pooled VM OUs. Personal VMs can be controlled like this, but more likely
they will act as regular desktops in your environment and will be treated as such in the case of
Group Policy processing.

IMPORTANT  Company policy might prevent you from blocking inheritance. You can
still know exactly what policies are going to be applied to the users and computers in your
OUs; it will just take more effort because you will have to know about all Group Policies
applied at higher levels.

CREATE GPOS FOR USER AND COMPUTER SETTINGS

There are multiple ways to set up policies, but it is usually easiest if you separate computer-
and user-specific settings into different policies. Although one policy might contain both
user- and computer-specific settings, it’s simplest to isolate the two types of settings unless
your environment is very small or your user base is very homogenous. This allows you to
create a consistent model of RD Session Host server management while still allowing you the
flexibility to apply different policies to different groups of users and computers (that is, using
a GPO on multiple OUs if the functionality is needed in multiple places). Create two different
types of GPOs: a computer GPO and user GPOs, as shown in Figure 5-9.

FIGURE 5-9  Create separate user and computer GPOs for the RDS environment.
The computer policy will affect all users who log on to any RD Session Host server or VM in
the OU. Create different GPOs for different terminal server user groups based on group needs.
Computer Policy:
• Disable User portion of policy
• Enable Loopback Processing
• Set security filtering for computers in the group
User Group 1 Policy:
• Disable Computer portion of policy
• Set security filtering for User Group 1
User Group 2 Policy:
• Disable Computer portion of policy
• Set security filtering for User Group 2
User Group n Policy:
• Disable Computer portion of policy
• Set security filtering for User Group n

To create the GPOs, open the GPMC (by clicking Start, Programs, and Administrative Tools). Right-click the Group Policy Objects folder in the left pane, found under your domain folder, and choose New to open the dialog box shown in Figure 5-10.
Name the computer policy something descriptive, such as RDS Computer GPO, and then click OK.

FIGURE 5-10  Create an RD Session Host server computer policy.

Next, create another policy that will hold user-specific settings, naming it something like RDS User GPO. Click OK, and you will be back in the GPMC, with a list of available policy objects that includes the ones you just created, as shown in Figure 5-11.

FIGURE 5-11  Create computer- and user-specific GPOs.

Next, ensure that each GPO is specific to one type of settings—computer or user. This is optional, but this will give you more control over your RDS environment.
Click the Details tab in the upper portion of the right pane. Here, there's a GPO Status drop-down list with four options: All Settings Disabled, Computer Configuration Settings Disabled, Enabled, and User Configuration Settings Disabled. For your computer-specific GPOs, make sure that no user-specific settings will be applied by setting the Status to User Configuration Settings Disabled. Follow the same process to create a new user-specific GPO. For the User GPO, navigate to the drop-down menu on the Details tab and set the GPO Status to Computer Configuration Settings Disabled.

Updating Group Policy

Active Directory Domain Services (AD DS) does not immediately send user
Group Policy changes down to the computers to which they apply. The Group
Policy engine on the computer actually pulls the GPO changes from AD DS at
specific intervals, called the refresh interval. By default, the refresh interval is 90
minutes (plus a random time ranging from 0 to 30 minutes). To immediately see
the effects of changes that you make to GPOs, you can force this refresh. Open a
command prompt on your RD Session Host server and type gpupdate /force. Most
computer policies can be updated just by doing this; a few (like Folder Redirection)
will require a reboot.

The Ins and Outs and Ins of Loopback Policy Processing


Outside an RD Session Host server environment, you often apply Group Policy based on the persona of the user logging on. If you don't want Adam Barr to open Control Panel, for example, you probably feel much the same way about this whether Adam Barr is logged on to his desktop computer or his laptop. Similarly, if you don't care whether he is running Control Panel, then you continue not to care whether he's logged on to his desktop or his laptop. It's his space—let him mess it up. (The Help desk might feel differently about this, but that's another matter.)
As discussed in "Using Group Policy to Manage Roaming Profiles" earlier in this chapter, the computer policy will always be applied first, then the user policy. If a user policy and a computer policy conflict, the user policy will "win," because it's applied last. Any Group Policy stored locally on the computer is applied first. Next, policies placed at these levels are applied in order (local, Site, Domain, OU), as shown in Figure 5-12.
In case of conflicts, the policy applied last wins. For example, computer policies set on a computer OU will override conflicting policies set at the domain level. And user policies will overwrite computer policies in conflicting situations (some settings can be set for a computer and also for a user) because they are applied after computer policies.

Local

1 Computer policies Applied when the computer starts

5 User policies Applied when a user logs on

Site

2 Computer policies Applied when the computer starts

6 User policies Applied when a user logs on

Domain

3 Computer policies Applied when the computer starts

7 User policies Applied when a user logs on

Computer OU

4 Computer policies Applied when the computer starts

User OU

8 User policies Applied when a user logs on

FIGURE 5-12  Group Policies get applied from the top down.

On a personal computer, it's perfectly acceptable to have the identity of the person logging on define the final settings for Group Policy. But RD Session Host server farms and pooled VMs are location-specific or context-specific situations in which where you are matters even more than who you are. For example, you might decide that it's acceptable for users to use clipboard redirection when connecting to personal VMs, but for security reasons, you don't want them using clipboard redirection when connecting to an RDS server farm hosting sensitive data. You need policies applied based on which computer you are logged on to. In this case, you will apply loopback policy processing to tell the Group Policy engine to apply the user GPOs that are applied to a computer OU (for example, to an RDS farm OU) after applying the user GPOs that are normally applied during logon. With loopback policy processing enabled, GPO processing will now work as shown in Figure 5-13.

Local

1 Computer policies Applied when the computer starts

5 User policies Applied when a user logs on

Site

2 Computer policies Applied when the computer starts

6 User policies Applied when a user logs on

Domain

3 Computer policies Applied when the computer starts

7 User policies Applied when a user logs on

RDS Computer OU Loopback Processing Enabled

4 Computer policies Applied when the computer starts

9 User policies Applied when a user logs on

User OU

8 User policies Applied when a user logs on

FIGURE 5-13  Loopback Processing changes the effective Group Policy results.

When the RD Session Host server starts, computer GPOs are applied. When the user logs on to the RD Session Host server, the User GPOs are applied to the session. Then, because loopback policy processing is enabled, User GPOs that are applied to the RD Session Host server OU are applied last. In addition, if you have blocked inheritance, it's possible that the only GPOs that will be applied are computer and user GPOs that are placed specifically on the OU.
To enable Loopback Processing, right-click the Computer GPO applied to the RD Session Host server OU and choose Edit. The Group Policy Management Editor opens the GPO. Go to Computer Configuration, Policies, Administrative Templates, System, and Group Policy and

find the User Group Policy Loopback Policy Processing Mode node in the pane on the right. Double-click it and you will see the dialog box shown in Figure 5-14.

FIGURE 5-14  Enable loopback policy processing from the User Group Policy Loopback Processing Mode Properties dialog box.

HOW IT WORKS

Applying Loopback Policy

Loopback policy can apply to users in one of two ways: Merge Mode and Replace
Mode.

■ In Merge Mode, loopback policy processing will apply the user GPOs placed
on the RD Session Host server OU along with the other normal user GPOs
applied from the OU where the user account resides. If there is a conflict,
then the user GPOs applied to the RD Session Host server OU will prevail.
■ In Replace Mode, the Group Policy engine ignores all other user GPOs from
the User OU and applies only the user GPOs applied to the RD Session Host
server OU.
Merge Mode and Replace Mode affect only GPOs placed on the OU where the user
account resides. User GPOs placed at higher levels (for example, at the domain
level) will still be applied unless you have specifically blocked inheritance on the OU
where the computers reside.

Whether you choose Merge Mode or Replace Mode depends on your goals and
how you’ve set up the rest of your environment. If users are using the same GPOs to
log on to the RD Session Host servers and to their local desktops, their user settings
might not mesh well with a shared environment. If that’s the case, then you’d pick
Replace Mode. If you want the user experience to be as similar as possible for both
local and remote logons, then Merge Mode might be more appropriate because
it will preserve user-specific policies. The main thing you’ll need to watch out for
is that GPO settings from the GPOs applied to the user do not cause problems for
your user when she is logged on to an RD Session Host server (or pooled VM). Using
Merge Mode is more work because it requires a lot of considering of individual
policies and their effect on a remote workspace.

Fine-Tuning GPOs with Security Filtering


A GPO works because by default, anyone in the Authenticated Users group can use it, and Authenticated Users means "anyone who is logged on to the domain." (Computers also log on to the domain, so they're also members of Authenticated Users.)
If you have groups of users with specific needs controlled by Group Policy, you can create a User Policy for each user group and then use Security Filtering to apply each User GPO to a specific user group. For example, this technique could come in handy if you give access to multiple applications in one farm but only have licensing enough for a subset of users. You could block certain users from running that application, thus meeting software licensing compliance requirements. To narrow the scope of to whom (or to what) these policies will apply, double-click the GPO in the Group Policy Objects folder and navigate to the Scope tab in the right pane. In the Security Filtering section on this tab, modify Security Filtering to include the specific users group for which you want settings in the GPO to apply, as shown in Figure 5-15.

FIGURE 5-15  Add users to the GPO Security Filtering section of the ASH TS Users Policy.
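The GPMC steps covered so far (blocking inheritance on the farm OU, creating separate computer and user GPOs, setting their GPO Status, enabling loopback processing, and security filtering) can also be scripted. What follows is an added example, not code from the book, using the GroupPolicy PowerShell module that is installed with the GPMC feature on Windows Server 2008 R2 and later. The OU path, GPO names and group names are placeholders. The registry key and value behind the loopback policy (UserPolicyMode under HKLM\Software\Policies\Microsoft\Windows\System, 1 for Merge and 2 for Replace) is stated from memory, so confirm it against the policy's ADMX template before relying on it.

```powershell
# Added example (not from the book): script the GPO layout this section
# describes with the GroupPolicy module (installed with the GPMC feature).
# Placeholders: the OU path, GPO names and group names.
Import-Module GroupPolicy

$farmOU        = 'OU=RDS Farm,OU=Servers,DC=contoso,DC=com'   # placeholder OU
$computerGpo   = 'RDS Computer GPO'
$userGpo       = 'RDS User GPO - Group 1'
$computerGroup = 'RDS Farm Servers'                           # placeholder group
$userGroup     = 'RDS Users Group 1'                          # placeholder group

# 1. Block inheritance on the farm OU so only GPOs linked here are processed.
Set-GPInheritance -Target $farmOU -IsBlocked Yes | Out-Null

# 2. Computer GPO: disable its user half (Figure 5-9) and enable loopback.
$c = New-GPO -Name $computerGpo -Comment 'Computer settings for the RD Session Host farm'
$c.GpoStatus = 'UserSettingsDisabled'

# "User Group Policy loopback processing mode" is a registry-backed policy.
# Assumed from the ADMX: UserPolicyMode = 1 (Merge) or 2 (Replace); verify.
Set-GPRegistryValue -Name $computerGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null     # 2 = Replace

# 3. User GPO: disable its computer half.
$u = New-GPO -Name $userGpo -Comment 'User settings for RDS user group 1'
$u.GpoStatus = 'ComputerSettingsDisabled'

# 4. Security filtering: Authenticated Users keep Read only; Apply goes to the
#    intended group. Do not strip Read entirely: after the later MS16-072 update,
#    a GPO that Authenticated Users cannot read is not processed at all.
$filters = @{ $computerGpo = $computerGroup; $userGpo = $userGroup }
foreach ($gpoName in $filters.Keys) {
    Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $gpoName -TargetName $filters[$gpoName] `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
}

# 5. Link both GPOs to the farm OU.
New-GPLink -Name $computerGpo -Target $farmOU | Out-Null
New-GPLink -Name $userGpo     -Target $farmOU | Out-Null

# 6. Verify: inheritance state and links on the OU, and each GPO's status.
Get-GPInheritance -Target $farmOU | Format-List Path, GpoInheritanceBlocked, GpoLinks
foreach ($gpoName in $filters.Keys) {
    $g = Get-GPO -Name $gpoName
    '{0}: status={1}' -f $g.DisplayName, $g.GpoStatus
}
```

After the script runs, gpupdate /force on a farm member followed by gpresult /r shows which GPOs were actually applied to the computer and to the logged-on user, which is the quickest way to confirm that blocking inheritance and loopback processing produced the result you intended.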

Using Group Policy to Define the Roaming Profile Share
After you have a Group Policy infrastructure set up, you can create a policy to create roaming profile folders in the proper folder share location automatically.
The Group Policy setting to set the path for RDS roaming profiles is a computer setting. Right-click your Computer Policy GPO and choose Edit. Expand the GPO to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles. In the pane at right, double-click Set Path For Remote Desktop Services Roaming User Profile, shown in Figure 5-16.

FIGURE 5-16  Set the path for Remote Desktop Services Roaming User Profile storage.

Select the Enabled option and type the RDS roaming profile share location in the Profile Path text box. If you use Group Policy to set the RDS roaming profile path, then the profile folders that are created take the form of username.domainname.V2; you do not need to add the %username% variable, the domain name, or the .V2 extension. This is in contrast to defining the path to the Remote Desktop Services profile folder by editing the user account properties through scripting or through Active Directory Users And Computers, where you must specify the username and domainname variables to create the folder properly.

NOTE  If you already have profiles stored in the profile path and the profile folders do not
include the domain name (perhaps they take the form of username.V2), change the names
to include the domain name. Otherwise, the server will not see the existing profile, and the
service will create a new one in the format username.domainname.V2.

If the profile folders are created automatically when the user logs on, then the user gets sole access to the profile and is also set as the owner of the profile folder. To permit administrators to access the profile, enable the following GPO setting: Computer Configuration\Policies\Administrative Templates\System\User Profiles\Add The Administrators Security Group To Roaming User Profiles. With this GPO setting enabled, the following permissions are placed on newly created user folders:
■ User  Full Control, owner of folder
■ SYSTEM  Full Control
■ Administrators  Full Control (This is the local administrators group of the server where the profiles are stored, which also contains the Domain Admins group.)
You can also pre-create user profile folders and set permissions as required. For more information about profile folder permissions, see the section entitled "Converting an Existing Local Profile to a Roaming Profile" earlier in this chapter.
With this GPO setting configured, users accessing the RD Session Host servers in this OU now have a roaming profile created and stored in the designated share.

Configuring Roaming Profile Paths for VMs


Pooled and personal VMs will run client operating systems. Setting an RDS roaming profile path on these machines simply won't work. They are client machines, and for the most part, they should be treated as such. To configure the roaming profile path for client machines, use this GPO setting: Computer Configuration\Policies\Administrative Templates\System\User Profiles\Set Roaming Profile Path For All Users Logging On To This Computer.
Enter the share name where your profiles are stored and add the %username% variable to the end of the path so that each user gets a unique profile folder, as follows:

\\servername\sharename\%username%
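The two profile-path policies above (one for the RD Session Host farm, one for VMs) and the Add The Administrators Security Group setting are registry-backed, so they can be set on the GPOs with Set-GPRegistryValue instead of the editor. The following is an added example, not code from the book. The share names and GPO names are placeholders, and the registry value names (WFProfilePath, MachineProfilePath, AddAdminGroupToRUP) are the ones I recall from the corresponding ADMX templates, so verify them against each policy's Explain text. The helper at the end implements the check from the NOTE earlier in this section: it finds existing folders in the RDS share named username.V2 that lack the domain name and would therefore not be recognised, and previews the rename.

```powershell
# Added example (not from the book): set the profile-path policies from this
# section with Set-GPRegistryValue, then audit existing profile folder names.
# Placeholders: share names and GPO names. Registry value names are assumed
# from the ADMX templates; verify them against the policy's Explain text.
Import-Module GroupPolicy

$rdsShare = '\\fs01\RDSProfiles$'    # placeholder: RD Session Host profile share
$vmShare  = '\\fs01\VMProfiles$'     # placeholder: pooled/personal VM profile share

# RD Session Host farm computer GPO.
# "Set path for Remote Desktop Services Roaming User Profile" -> WFProfilePath.
# Windows appends username.domainname.V2 itself, so no %username% here.
Set-GPRegistryValue -Name 'RDS Computer GPO' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services' `
    -ValueName 'WFProfilePath' -Type String -Value $rdsShare | Out-Null

# "Add the Administrators security group to roaming user profiles".
Set-GPRegistryValue -Name 'RDS Computer GPO' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'AddAdminGroupToRUP' -Type DWord -Value 1 | Out-Null

# VM computer GPO. "Set roaming profile path for all users logging on to this
# computer" -> MachineProfilePath; here %username% is required.
Set-GPRegistryValue -Name 'VM Computer GPO' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'MachineProfilePath' -Type String -Value "$vmShare\%username%" | Out-Null

# Audit: RDS profile folders without the domain name (username.V2) are not
# recognised by the server, which would create a fresh username.domainname.V2.
# PSIsContainer is used instead of -Directory for PowerShell 2.0 compatibility.
function Find-ProfileFolderWithoutDomain {
    param([string]$Share, [string]$DomainName)   # DomainName as it appears in folder names
    $pattern = '\.' + [regex]::Escape($DomainName) + '\.V2$'
    Get-ChildItem -Path $Share |
        Where-Object { $_.PSIsContainer -and $_.Name -match '\.V2$' -and $_.Name -notmatch $pattern } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Current  = $_.Name
                Expected = ($_.Name -replace '\.V2$', ('.' + $DomainName + '.V2'))
            }
        }
}

# Preview only (-WhatIf); drop it once the list looks right.
Find-ProfileFolderWithoutDomain -Share $rdsShare -DomainName 'CONTOSO' |
    ForEach-Object {
        Rename-Item -Path (Join-Path $rdsShare $_.Current) -NewName $_.Expected -WhatIf
    }
```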

Speeding Up Logons
One of the biggest challenges that IT professionals face in an RDS environment is to provide a user experience that feels as much like a local computer as possible. Users want to log on quickly, work steadily, get their job done, and get out. If they find that they have to wait longer to log on than they like, the Help desk will hear about it, or people will look for ways to circumvent the data center.

Roaming profiles are usually the best choice for RDS. Centralizing the profile on a network share makes it possible to always have the same experience no matter what RD Session Host server or VM a user is logged into—even new ones that were just added. Centralizing also simplifies backups. However, if you don't take steps to avoid it, profiles grow over time. By default, a profile contains not only configuration data but also user documents. Assuming that a user saves files to the folders there for that purpose, the profile will grow. Big profiles slow down logons and logoffs due to the massive amounts of data that must be copied to the remote location.
There are several things you can do to speed logons:
■ Take advantage of the new behavior of Group Policy caching among servers in a farm to reduce the time needed for the first login.
■ Enable Folder Redirection.
■ Manage policy caching.
■ Limit profile size.
Let's start with the one that requires no configuration.

Roam Group Policy Cache Between RD Session Host Farm Servers


Group Policy is cached on a computer to speed up logon times. The first time someone logs on to an RD Session Host server, her Group Policy settings won't be cached there. A new feature of Windows Server 2008 R2 copies the Group Policy cache to all servers in a farm. That way, once a user has logged on to one member of the farm, her GP cache will be available on all servers in the same farm.

Enable Folder Redirection


When a user logs on to an RD Session Host server, his roaming profile has to be copied to that RD Session Host server. When the user logs out, the changed profile must be copied back to the roaming profile storage location. Note that you are writing the entire profile back, not just the changes to the profile. Imagine if one of your users saved 30 GB of data in his Documents folder. He would log on to the RD Session Host server and then go get a cup of coffee (or even go to lunch) while waiting for the profile to copy itself to the server. Now imagine if all your users had that much data stored in their Documents folder. If they all come in at 9 A.M. and try to log on to the RD Session Host server, logons could quickly consume all your network bandwidth. Soon the water cooler or break room would be very popular, and no one would get any work done.
Profile caching also suffers if you experience profile bloat. Profile caching saves a copy of the user profile on the RD Session Host server so that, if the network is slow to retrieve the saved profile from its file share, the user can still log on using the cached copy. (When you log on to an RD Session Host server, a copy of your profile is saved there as a matter of course. If you enable profile caching, the profile isn't deleted when you log off.) However, if the profiles in the cache are too large, the space allocated for them will fill up, and people won't be allowed to log on because there's no room to store their profiles. There are Group Policies to remove older data in the cache if room runs out, but it's better if you can avoid this problem entirely.
The simplest step that you can take to avoid profile bloat is to enable Folder Redirection. Folder Redirection has two advantages: it keeps user data out of the profile to keep the profile smaller, and it allows differential synching (so that if only part of a file is changed, that part will be saved to the central location, rather than copying the entire file). You'll learn how to set up Folder Redirection in the section "Centralizing Personal Data with Folder Redirection" later in this chapter.

Limit Profile Size


One way to reduce the impact of caching profiles on the RD Session Host servers is to limit the size of the profiles. Although too many profiles can still fill up the hard disk, smaller cached profiles have less impact. To limit profile size, open your RDS User GPO and browse to User Configuration\Policies\Administrative Templates\System\User Profiles. Locate the policy Limit Profile Size and enable it.
If you're redirecting folders, the size of the profile shouldn't be a major concern. NTUSER.DAT is a fairly small file. The exact size depends on the profile, but it's not much; check the size of some representative NTUSER.DAT files to gauge the space needed to allocate space for profiles.

Manage the Profile Cache on RD Session Host Servers


Another way to keep the size of the cache on the RD Session Host servers from getting too large is to delete old copies of the user roaming profiles. You can also limit the profile cache size if you're concerned about running out of room on the servers.

PROGRAMMATICALLY MANAGING THE CACHE


You can use two computer Group Policy settings to delete unused cached profiles on RD Session Host servers in the RD Session Host Farm OU automatically. Both policies are located in Computer Configuration\Policies\Administrative Templates\System\User Profiles.
■ Delete Cached Copies Of Roaming Profiles  Enabling this setting deletes a user's cached profile when the user logs off. This setting ensures that the loaded profile is always the most recent. However, the cached profile provides a fallback configuration to load if the actual profile isn't available for some reason. If you delete cached profiles, then if the actual profile can't be loaded, the user will get a temporary profile and any changes he makes to it will be discarded when the user logs off.
■ Delete Unused Profiles  Windows Server 2008 R2 has a new Group Policy setting that limits the size of the overall roaming profile cache (located in the %SystemDrive%\Users directory). If the size of the profile cache exceeds the configured size, RDS deletes the least recently used copies of roaming profiles until the overall cache goes below the quota. The policy setting is found in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles\Limit The Size Of The Entire Roaming User Profile Cache.

NOTE  Although you can apply the Delete Cached Copies Of Roaming Profiles GPO set-
ting to pooled and personal VMs, it doesn’t accomplish anything useful. Pooled VMs get
rolled back (if set up to do so) when a user logs off, so the user profile cache is cleared
as part of the rollback function. And personal VMs are, well, personal. They will have one
profile cached on the machine. You will have enough room for one user profile cache in
this instance. Deleting the profile cache on a personal desktop will just increase logon time
and has no advantages.

Another way to make sure that your servers do not run out of disk space due to an overgrown profile cache is to put a cap on the cache size. If the size of the entire cache exceeds the limit set by this policy, the server will delete the oldest profile in the cache until the overall size drops below the threshold you set. The GPO setting is located at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Profiles\Limit The Size Of The Entire Roaming User Profile Cache.
Enable this setting and enter the following numbers:
■ A monitoring interval (in minutes)  The interval at which the profile cache size is checked.
■ Maximum cache size (in GB)  This is the threshold. If the cache grows beyond this number, the oldest profiles start getting deleted.

DELETING CACHED PROFILES MANUALLY


Deleting cached profiles manually sounds too simple to bother explaining, but it's more subtle than it might appear. Cached profiles are kept in the %SystemDrive%\Users directory. However, the obvious approach doesn't work. If you do the obvious—look at the profiles, check the dates, note that some profiles haven't been used in a while, and delete them—you will prevent the owners of those deleted profiles from being able to log on to the RD Session Host server and load their roaming profiles, at least without some help from you. See the section entitled "The Consequences of Deleting a Profile Folder from Windows Explorer" later in this chapter for more information. For now, let's see how you can avoid extra work.
The problem is that cleaning up old profiles isn't just a matter of deleting some old directories. The registry maintains a list of profiles in HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList. Sort through that key (see Figure 5-17), and you'll see entries for everyone who currently has a profile cached on the server. Although the keys themselves are identified by the SIDs of the user accounts, you can see the names of the profile paths by examining the contents of the keys.

FIGURE 5-17  When you cache a profile on a server, it automatically creates a corresponding registry entry.

NOTE  Examining this key can also help you troubleshoot profile problems. If a user seems
to be getting his standard profile to log on to the RD Session Host server, check the con-
tents of CentralProfile (see Figure 5-17). If this entry is blank, that person is using a local
profile.

If you just delete the profile from Windows Explorer, the entries in the registry remain, which confuses the server, as explained in the next section.
The cleanest way to delete unused profiles is to let Group Policy delete the old and unused profiles. You can also delete cached roaming user profiles from the User Profiles section of System Properties on the RD Session Host server. Log on to the RD Session Host server as an administrator. Go to Start, Control Panel, System, and click Change Settings. The System Properties dialog box will appear. Select the Advanced tab. In the User Profiles section, click Settings… to open the User Profiles dialog box, shown in Figure 5-18.

FIGURE 5-18  The User Profiles dialog box displays the profiles stored on the computer.

Highlight the roaming profile that you want to delete and then click Delete. When you see a dialog box confirming that you want to delete the profile, click Yes and the roaming profile cache is deleted. Click OK.

THE CONSEQUENCES OF DELETING A PROFILE FOLDER FROM WINDOWS EXPLORER


Just in case you decide to try deleting a profile folder from Windows Explorer, here's what will happen. If you delete an unused profile folder from Windows Explorer, the next time that user with that folder logs on, he will be unable to load his roaming profile. A temporary roaming profile will be created for him, profile changes that he makes will be discarded at logoff, and Event ID 1511 is logged in the Windows Application event log stating that Windows cannot find the local profile and is logging him on with a temporary profile.
Deleting that directory caused a problem because you didn't clean up the cached profile completely. For each cached profile stored in %SystemDrive%\Users\%UserName%, the User Profile Service creates a registry entry for this profile at HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList, shown in Figure 5-19. This registry key is named according to the user SID.

FIGURE 5-19  The RDS roaming profile cache registry entry for user Adam Barr.

The ProfileImagePath key in this folder indicates the cache location, which by default is %SystemDrive%\Users\%UserName%. (The network location where the roaming profile is stored is in the CentralProfile key.)
If you delete the user's locally cached profile folder and that user starts a session on that RD Session Host server, he will get a temporary profile. The registry entry corresponding to the user's cached profile is renamed. The SID part stays the same, but it is given an extension of .bak, as shown in Figure 5-20.

FIGURE 5-20  The old registry key for the profile that was deleted incorrectly now has a .bak extension.

In addition, a new key is created in its place. The newly created registry entry is named after the user SID just as before. However, the ProfileImagePath key inside the new folder now points to %SystemDrive%\Users\TEMP, as shown in Figure 5-21.

FIGURE 5-21  A new registry entry is created, but the ProfileImagePath key points to %SystemDrive%\Users\TEMP.

Therefore, the entry that used to work now has a .bak extension and is not usable, and the profile actually being used is a temporary profile. When the user logs off, his temporary profile is not copied back to the central profile storage location on the fileserver.
Deleting the profile from the System Properties dialog box User Profiles section no longer works either. Most likely, the profile will not even be listed in the dialog box. If it is, it most likely means that the user has not logged off completely. If you do manage to select it and click Delete, you get an error message: "Profile not deleted completely. Error – The system cannot find the file specified."

To rectify this, you must manually delete the abandoned registry entry that has the .bak extension. You might also need to reboot the server. Only then can the user log on to the RD Session Host server and have his roaming profile correctly cached once again on the server.

Centralizing Personal Data with Folder Redirection


The single biggest thing that you can do to affect profile size, simplify backups, and speed logons and logoffs is to redirect user-specific storage out of the user profile. By default, user data folders such as Documents are in the profile, but they don't have to be. Instead you can create a pointer to a network share where the data actually lives. Users will still store files in their personal folders, but the user data won't be roamed, so it will not affect the time required to load the profiles at logon.
Folder redirection is fundamentally very simple. If you go to HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, you'll see every folder in your profile and the current location of that folder. If Folder Redirection is not turned on, then all entries will look like this: %USERPROFILE%\Music. The goal is to get rid of the %USERPROFILE% variable and replace it with a new location.
You can't redirect all folders, but you can redirect the ones with the biggest impact on profile size. These folders are:
■ AppData(Roaming)  Contains a user's application settings that are not computer-specific and therefore can roam with the user.
■ Desktop  Contains any items a user places on his desktop.
■ Start Menu  Contains a user's Start menu.
■ Documents  Contains documents saved to the default location.
■ Favorites  Contains a user's Internet Explorer favorites.
■ Music  Contains a user's music files saved to the default location.
■ Pictures  Contains a user's pictures saved to the default location.
■ Video  Contains a user's video files saved to the default location.
■ Contacts  Contains a user's contacts saved to the default location.
■ Downloads  Contains a user's downloads saved to the default location.
■ Links  Contains a user's Favorite links from Internet Explorer.
■ Searches  Contains a user's saved searches.
■ Saved Games  Contains a user's saved games.
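An added example, not code from the book, that reads the User Shell Folders key just described for the logged-on user and reports which of the folders in the list still live under %USERPROFILE% and which are redirected, so you can confirm after a logon that a Folder Redirection policy took effect. It reads the values unexpanded, because Get-ItemProperty would otherwise expand %USERPROFILE% into an absolute local path and hide the distinction the text makes. The mapping from registry value name to the folder names in the list is an assumption (the GUID-named values are the known-folder IDs used for Contacts, Downloads, Links, Searches and Saved Games); any value not in the mapping is reported under its raw name.

```powershell
# Added example (not from the book): for the current user, report which profile
# folders are still under %USERPROFILE% and which have been redirected.
function Get-FolderRedirectionState {
    $keyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    # Assumed mapping from registry value name to the folder names used in the text.
    $friendly = @{
        'AppData'     = 'AppData(Roaming)'; 'Desktop'  = 'Desktop'
        'Start Menu'  = 'Start Menu';       'Personal' = 'Documents'
        'Favorites'   = 'Favorites';        'My Music' = 'Music'
        'My Pictures' = 'Pictures';         'My Video' = 'Video'
        '{56784854-C6CB-462B-8169-88E350ACB882}' = 'Contacts'
        '{374DE290-123F-4565-9164-39C4925E467B}' = 'Downloads'
        '{BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968}' = 'Links'
        '{7D1D3A04-DEBB-4115-95CF-2F29DA2920DA}' = 'Searches'
        '{4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4}' = 'Saved Games'
    }
    $regKey = Get-Item -Path $keyPath
    foreach ($valueName in $regKey.GetValueNames()) {
        # Read the REG_EXPAND_SZ value unexpanded so %USERPROFILE% stays visible.
        $raw = $regKey.GetValue($valueName, $null,
                   [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        $redirected = ($raw -notlike '%USERPROFILE%*')
        $name = if ($friendly.ContainsKey($valueName)) { $friendly[$valueName] } else { $valueName }
        # For redirected folders, check that the target (usually a UNC path) is reachable.
        $reachable = $null
        if ($redirected) {
            $reachable = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables([string]$raw))
        }
        New-Object PSObject -Property @{
            Folder     = $name
            Target     = $raw
            Redirected = $redirected
            Reachable  = $reachable
        } | Select-Object Folder, Target, Redirected, Reachable
    }
}

Get-FolderRedirectionState | Sort-Object Redirected, Folder | Format-Table -AutoSize
```

A folder that shows Redirected but not Reachable is the case to chase first: the policy applied, but the share or the user's folder under it is missing or the user lacks permission on it, which is the symptom of the ownership mismatch described later in this section.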
Before you redirect these folders, you need a place to redirect them to. Create a shared folder on the server where you want to store the redirected folders and set permissions on this folder according to the user profile folder permissions that were described in Table 5-5.
To redirect the folders to this share, open the GPMC, create or select an existing user GPO, right-click it, and choose Edit. Go to User Configuration\Policies\Windows Settings\Folder Redirection, as shown in Figure 5-22.

FIGURE 5-22  Set the Folder Redirection policy.

Right-click the AppData(Roaming) folder and choose Properties to open the dialog box shown in Figure 5-23.

FIGURE 5-23  AppData(Roaming) Folder Redirection properties dialog box.

To specify the location of the AppData(Roaming) folder, choose between two options in the Setting drop-down menu:
■ Basic - Redirect Everyone's Folder To The Same Location  This means just what it says; all AppData(Roaming) folder data for every user will go to the same location.
■ Advanced - Specify Locations For Various User Groups  To store user data in different locations based on user group membership, choose this option.
The menu contents will vary depending on the type of folder redirection you choose. If you choose Basic, then you get a Target folder location drop-down menu with three choices:
■ Create A Folder For Each User Under The Root Path  Choose this option to put each user's profile data into a folder under the root path named according to the user name. In the Root Path text box, specify the location of your designated Folder Redirection share. In most cases, this is the best option.
■ Redirect To The Following Location  Choose this option to redirect all user data to the same location. You'd do this if you wanted all users to use the same Desktop or Start Menu folder. Choose this option only if you want everyone to write to the same user-specific folders.
■ Redirect To The Local Profile Location  Don't choose this option. Your profiles roam, and you want your profile folders redirected to the network share.
Click the Settings tab, as shown in Figure 5-24.

FIGURE 5-24  Grant The User Exclusive Rights To AppData(Roaming) is enabled by default. Clear this check box to let administrators manage the redirected folder.

By default, Grant The User Exclusive Rights To AppData(Roaming) is enabled. If you leave
it this way, then the user will own this folder, and only she will be able to access this data. To
enable managing this folder, clear this box so that the rights from the parent folder will be
inherited. For example, if you give Domain Admins full control of the parent folder, then this
group will have access to the redirected user folders as well.
If your users already have these folders before you set up Folder Redirection, then you
must set up the existing folders in one of two ways (otherwise, Folder Redirection will fail):
■ The user needs to be the owner of the folder and can be granted exclusive rights to the
folder.
■ If the user does not need to be the owner of the folder, clear this box.
All the folders listed in this GPO section have the same choices to pick from, except for the
Pictures, Music, and Video folders. These folders have an extra setting that you can choose
for the location of the folder: Follow The Documents Folder. This means that these folders will
be stored in the user’s Documents folder, wherever that folder is redirected.
To move the contents of the existing folder to the new folder outside the profile, select
the Move The Contents Of “The Name Of The Folder Being Redirected” To The New Location
check box.
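The ownership and inheritance rules just described are the usual reason Folder Redirection fails against a share that already holds per-user folders. The following PowerShell function is an added example, not code from the book: it audits such a share before the GPO is applied, reporting for each folder who owns it, whether inheritance from the share root has been cut off (which is what exclusive rights does), and which principals beyond the user, SYSTEM, Administrators, and Domain Admins hold access. The share path, the Colfax server name, and the assumption that each folder is named after the user’s logon name are mine; the function only reads ACLs.

```powershell
# Added example (not from the book): audit pre-existing per-user folders on a
# Folder Redirection share. With "Grant the user exclusive rights" enabled, redirection
# fails unless the user owns the folder; with it cleared, the folder should inherit the
# share root's permissions so administrators can manage it.
function Test-RedirectedFolderAcl {
    param(
        [Parameter(Mandatory = $true)]
        [string]$SharePath,                      # e.g. \\Colfax\Users (assumed share)
        [string]$Domain = $env:USERDOMAIN        # assumption: folder name == sAMAccountName
    )

    # PowerShell 2.0-compatible directory filter (no -Directory switch on Server 2008 R2)
    Get-ChildItem -Path $SharePath | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $folder        = $_
        $acl           = Get-Acl -Path $folder.FullName
        $expectedOwner = "$Domain\$($folder.Name)"

        # Principals that are expected on a redirected folder managed by administrators
        $allowed = @($expectedOwner,
                     'NT AUTHORITY\SYSTEM',
                     'BUILTIN\Administrators',
                     "$Domain\Domain Admins")

        $extraPrincipals = $acl.Access |
            Where-Object { $allowed -notcontains $_.IdentityReference.Value } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique

        New-Object PSObject -Property @{
            Folder             = $folder.FullName
            Owner              = $acl.Owner
            OwnerMatchesName   = ($acl.Owner -eq $expectedOwner)
            # $true means inheritance from the share root is blocked (exclusive rights set)
            InheritanceBlocked = $acl.AreAccessRulesProtected
            OtherPrincipals    = ($extraPrincipals -join ', ')
        }
    }
}

# Usage (assumed share): show only the folders that would fail with exclusive rights enabled
# Test-RedirectedFolderAcl -SharePath '\\Colfax\Users' | Where-Object { -not $_.OwnerMatchesName }
```

Folders where OwnerMatchesName is false need either their owner set to the user (if you keep exclusive rights) or the check box cleared; folders with InheritanceBlocked true and no administrative principal listed are the ones administrators will not be able to manage later.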

ON THE COMPANION MEDIA  When redirecting a folder using Group Policy, one
of the options is Move The Contents. Unless you select this option, a duplicate link
will be left behind, even when that folder is completely empty, meaning that users
will see two Documents folders, two Music folders, and so forth. For tips on how to
avoid the “duplicate link” problem, see http://blogs.technet.com/deploymentguys
/archive/2008/05/01/dealing-with-duplicate-user-profile-links-in-windows-vista.aspx.
You can also find the link on this book’s companion media.

Sharing Personal Folders Between Local and Remote Environments

Because the RemoteApp programs are designed to blur the line between the remote
computer and the local computer, it might make sense for you to help this along by using
the same folder to store user-specific documents. This eliminates the problem of having to
remember whether you were saving a file from a local or a remote application to know where
the file would be stored.

Sharing Folders Between Windows Server 2003 and Windows Server 2008 R2 Roaming Profiles

The easiest profile environment to manage is homogenous: All users work only in RD Session
Host servers, and all servers hosting sessions are running Windows Server 2008 R2. However, there
are good reasons why you might need to support both V1 and V2 profile structure at the
same time:
■ Some users work both on the RD Session Host server and on VMs running Windows XP
(perhaps because they’re using RemoteApp on Hyper-V).
■ You’re migrating to Windows Server 2008 R2 RDS from Windows Server 2003 Terminal
Services, and some of the older servers are still in use as you convert.
V1 profiles and V2 profiles are not compatible. Therefore, if you have some active 2003 RD
Session Host servers, you will need to keep two sets of profiles for your users—one to log on
to the 2003 servers and one to log on to the 2008 servers. And you might need even more
profiles if users are also using pooled and personal VMs, and/or RemoteApp programs on
Hyper-V. However, Folder Redirection can be used to bridge the gap.
Not all 13 folders that can be redirected in Windows Server 2008 R2 can be redirected in
Windows Server 2003, but some can. You can share the data in these folders between the
2003 profiles and the 2008 profiles. On the Settings tab of each folder in the Folder Redirection
container is an option called Also Apply Redirection Policy To Windows 2000, Windows
2000 Server, Windows XP And Windows Server 2003 Operating Systems. For some folders,
this option is available, but on others (the ones that will not redirect for downlevel operating
systems), it appears dimmed and is unavailable. Table 5-6 shows which of the folders can be
redirected for Windows 2000, Windows XP, and Windows Server 2003.

TABLE 5-6  Profile Folder Redirection Capabilities for Various Versions of Windows

FOLDER | CAN THE FOLDER BE REDIRECTED FOR EARLIER OPERATING SYSTEMS? | DETAILS
AppData(Roaming) | Yes | If you enable the setting Also Apply Redirection Policy To Windows 2000, Windows 2000 Server, Windows XP, And Windows Server 2003 Operating Systems, the following folders within AppData(Roaming) are not redirected: Start Menu, Network Shortcuts, Printer Shortcuts, Templates, Cookies, and Send To. These folders are redirected if you do not enable this setting.
Desktop | Yes |
Start Menu | Yes | In Windows Server 2003, the contents of the Start Menu folder are not copied to the redirected location. It is assumed that the Start Menu folder has been pre-created. Therefore, if you do not pre-create the Start Menu folder and place it in the redirected location, the default Start Menu folder located in the user’s Windows Server 2003 roaming profile location is used instead.
Documents | Yes |
Pictures | Depends | If the check box for Documents is selected, this folder will follow the Documents folder for earlier operating system profiles. If Documents is not redirected, however, then this folder cannot be redirected.
Music | Depends | If the check box for Documents is selected, this folder will follow the Documents folder for earlier operating system profiles. If Documents is not redirected, then this folder cannot be redirected.
Video | Depends | If the check box for Documents is selected, this folder will follow the Documents folder for earlier operating system profiles. If Documents is not redirected, then this folder cannot be redirected.
Favorites | No | NA
Contacts | No | NA
Downloads | No | NA
Links | No | NA
Searches | No | NA
Saved Games | No | NA
ON THE COMPANION MEDIA  For more information on Windows Server 2003 and
Windows XP Profiles and Folder Redirection, see http://technet2.microsoft.com
/windowsserver/en/library/06f7eebc-2ebb-47c5-8361-1958b58078cc1033.mspx?mfr=true.
You can also find the link on this book’s companion media.

NOTE  Some custom applications might not respond well to having the AppData folder
redirected. But not redirecting AppData could lead to profile bloat, especially if your ap-
plications write a lot of data to this location. For situations like this, consider using App-V
to deploy the problem application. For technical resources on sequencing with App-V, see
http://www.microsoft.com/systemcenter/appv/dynamic.mspx.

Setting Standards with Mandatory Profiles

One issue with roaming profiles is that users can change them. On the one hand, that’s the
point. On the other hand, changes can cause problems. If users can change their profiles, they
can delete icons, accidentally resize their toolbar so that it disappears, add wallpaper that
slows their logon time, and so on.
One way to avoid this is to set policies controlling what users can and cannot do, and
Chapter 7, “Molding and Securing the User Environment,” explains how to do this. Another
way to prevent users from making permanent changes to their profile is to make the user
profile read-only. A user can change settings, but those settings will not be saved when the
user logs off the RD Session Host server.
Profiles that don’t change are called mandatory profiles. Mandatory profiles on a central
store are copied to the RD Session Host server at logon, but they are not copied back
at logoff. Any profile changes that occur are discarded at the end of the user session. Many
companies will not implement mandatory profiles because users find them too constricting,
but combined with Folder Redirection, they might give your users enough flexibility. Some
third-party profile solutions also require the use of mandatory profiles—it depends on how
the products are implemented.
Although it’s possible to give every user a unique mandatory profile, it’s not ideal. One of
the best things about mandatory profiles is that because the profile will never be changed, all
users can use a single mandatory profile, creating much less maintenance work for administrators.
If a change needs to happen to the profile, there is only one place to make the
change, instead of many if every user had his or her own individual profile.
Mandatory profiles are great in many respects, but you need to be careful when implementing
them to make sure each user who logs on will not be susceptible to registry changes
from other users. See the Direct from the Field sidebar that follows for more details.

DIRECT FROM THE FIELD

Mandatory Profiles: Insecure By Default?


Helge Klein
IT Architect, sepago

Mandatory profiles are generally considered fast and secure because they
usually are small in size and cannot be modified by the user. Although that is
true—mandatory profiles stay pristine indefinitely—there is more to security than
read-only access.

Mandatory profiles are a variant of roaming profiles: A master copy on a file server
is copied to the RDS session host during logon. The resulting local copy is secured
with file system ACLs that grant full access to the user, but to no one else (except
administrators and SYSTEM). All is safe and secure—except in the case of mandatory
profiles.

A user profile consists not only of file system data, but also of a registry hive (stored
in the file NTUSER.MAN) that is mounted to HKU\<SID> and accessible from within
a session via the well-known name HKCU. In contrast to the file system, registry
permissions are not changed during logon because that is not necessary—at least
with roaming profiles where the master copy of each hive already has the correct
permissions.

Not so with mandatory profiles. The creation of a mandatory profile involves
changing registry permissions on the master copy to full access for “Everyone.” And
because many users are logged on simultaneously to an RDS session host, each
server’s registry consists of many users’ hives that are readable and writeable by
everyone, not just the owner of the individual user profile.

So on an RD Session Host server where mandatory profiles are used, a user can
simply open Regedit (if not blocked from doing so), navigate to HKU\<Some other
user’s SID>, and read/write at will.

Consequences
Users being able to read/write somebody else’s HKCU hive poses a potentially grave
security problem. At least two types of attacks can be envisioned: eavesdropping
and damaging. Here are some simple examples.

Many applications store a list of most recently used (MRU) files in HKCU (for example,
Word: HKCU\Software\Microsoft\Office\12.0\Word\File MRU). By reading such
lists, attackers can gain information about which documents another user is editing.

Applications and the operating system itself need and expect write access to HKCU.
Because a user always has write access to HKCU, programs do not handle
the absence of such permissions well. By changing permissions on another user’s
hive (for example, removing write access), an attacker could effectively break
another user’s session, making it impossible to start and use even the most trivial
programs—most applications that store their settings in HKCU would be affected.

How to Fix
The following workarounds can help fix this security vulnerability.

1. Make sure that remote registry editing is limited to administrators.

2. Block access to the registry via software restriction policies. This includes, but is
not limited to, Regedit.exe, Cmd.exe, Reg.exe, scripts and batch files, and other
custom (downloaded) tools. In essence, in order to avoid this problem exclusive
white-listing is required.

3. Re-ACL (change the security permissions on) each registry hive after it is loaded
and replace “Everyone” with the current user.
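The re-ACL workaround (item 3) can be both checked and applied from PowerShell. The function below is an added example; it is not from the book and not Helge Klein’s code. It enumerates the per-user hives loaded under HKEY_USERS on the local server, reports any whose root key grants Everyone write access, and with -Remediate replaces that entry with Full Control for the hive’s own SID, which is the permission a roaming-profile hive would have carried. It assumes an elevated PowerShell session on the RD Session Host server and uses only the .NET registry security classes.

```powershell
# Added example (not from the book, not Helge Klein's code): find loaded user hives
# whose root key grants Everyone (S-1-1-0) write access, and optionally re-ACL them
# so that only the hive's own SID has full access. Run elevated; -Remediate changes
# live ACLs, so audit first.
function Get-WorldWritableUserHive {
    param(
        [switch]$Remediate
    )

    $sidType   = [System.Security.Principal.SecurityIdentifier]
    # Any of these rights lets a principal alter the hive or its permissions
    $writeBits = [System.Security.AccessControl.RegistryRights]::WriteKey -bor
                 [System.Security.AccessControl.RegistryRights]::SetValue -bor
                 [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                 [System.Security.AccessControl.RegistryRights]::ChangePermissions

    # Only per-user hives (S-1-5-21-<domain>-<RID>); skips *_Classes, service SIDs, .DEFAULT
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[0-9-]+$' } |
        ForEach-Object {
            $sid      = $_.PSChildName
            $hivePath = "Registry::HKEY_USERS\$sid"
            $acl      = Get-Acl -Path $hivePath

            # Ask for SID-based identities so the check does not depend on localized names
            $everyoneWrite = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
                $_.IdentityReference.Value -eq 'S-1-1-0' -and
                $_.AccessControlType -eq 'Allow' -and
                (($_.RegistryRights -band $writeBits) -ne 0)
            }
            if (-not $everyoneWrite) { return }   # this hive is fine; move to the next one

            if ($Remediate) {
                foreach ($ace in $everyoneWrite) { $null = $acl.RemoveAccessRule($ace) }
                $ownerSid  = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $ownerRule = New-Object System.Security.AccessControl.RegistryAccessRule(
                    $ownerSid, 'FullControl', 'ContainerInherit', 'None', 'Allow')
                $acl.AddAccessRule($ownerRule)
                Set-Acl -Path $hivePath -AclObject $acl
            }

            New-Object PSObject -Property @{
                Sid            = $sid
                EveryoneRights = (($everyoneWrite | ForEach-Object { $_.RegistryRights }) -join ', ')
                Remediated     = [bool]$Remediate
            }
        }
}

# Usage: audit only, then fix
# Get-WorldWritableUserHive
# Get-WorldWritableUserHive -Remediate
```

Because each logon loads a fresh copy of the master hive, the fix has to run after every load (for example from a script that runs with administrative rights at logon) rather than once; the sidebar lists it as one of three measures to combine, and items 1 and 2 still apply.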

Converting Existing Roaming Profiles to Mandatory Profiles

Setting up mandatory profiles is very similar to setting up roaming profiles using Group
Policy. To convert a roaming profile to a mandatory profile, you first need to have roaming
profiles working, either by setting the RDS Roaming Profile path in the user’s account properties
in Active Directory Users and Computers, or by using Group Policy. For information
on how to set up roaming profiles, see the section entitled “Using Group Policy to Manage
Roaming Profiles,” earlier in this chapter.
Assuming you have roaming profiles implemented, when a user logs on, her profile is
stored in a subdirectory of the designated roaming profile share. To make the user’s profile
mandatory, in the user’s profile folder, locate NTUSER.DAT and change its extension to .man
(see Figure 5-25). Then change the NTFS permissions for the user from Full Control to Read &
Execute (so she can’t change the extension back). The next time the user logs on, she will be
using a mandatory profile.

FIGURE 5-25  To convert a roaming profile to a mandatory profile, change its extension.

No changes that the user makes to the profile will be saved. But combining mandatory
profiles with Folder Redirection will give users some control over their session and allow them
to change their Favorites, Documents, Desktop, and other settings without compromising the
configuration data loaded in HKCU.

Creating a Single Mandatory Profile

If you have many users, you probably won’t want to convert each roaming profile to a mandatory
one—that would negate one of the main reasons to implement mandatory profiles:
less configuration and maintenance. To give everyone the same experience, you can create
one mandatory profile for everyone to use. Here are the steps to do so:
1. Create a network share to store the mandatory profile (for example, //Colfax/ASH-
Mandatory-Profile). Make sure to configure the permissions on this folder correctly.
Table 5-7 and Table 5-8 outline the necessary share and NTFS permissions that need to
be set on this folder.

TABLE 5-7  Share Permissions for a Mandatory Profile Storage Folder

USER ACCOUNT | SHARE PERMISSIONS
Administrators | Full Control
Authenticated Users | Read

TABLE 5-8  NTFS Permissions for User Accounts for a Mandatory Profile Storage Folder

USER ACCOUNT | NTFS PERMISSIONS
SYSTEM | Full Control, this folder, subfolders, files
Administrators | Full Control, this folder, subfolders, files, Owner
Authenticated Users | Read & Execute, this folder, subfolders, files

2. Create a folder within the folder created in Step 1, name it something appropriate to
indicate it is a mandatory profile, and append the .V2 extension (for example,
ASH RDS MAN.V2).
3. Because using the Copy To button now works only for the Default user profile, this is
the profile you will copy to the share you created in Step 1. On the RD Session Host
server, from Server Manager, click Change System Properties and select the Advanced
tab. In the User Profiles section, click Settings. Highlight the Default User, and click
Copy To. In the Copy To dialog box, type or browse to the shared folder location that
you created in Step 1. Click Permitted To Use, add Everyone, and click OK.

NOTE  If you choose to create a customized mandatory profile, use Sysprep to over-
write the Default User profile on the machine that you will copy from. For more on
customizing the default user profile and using the Copy To button, and how to use
Sysprep to customize the Default User Profile, see the sections earlier in this chapter
entitled “Converting an Existing Local Profile to a Roaming Profile” and “Customizing a
Default Profile.”

4. Rename NTUSER.DAT in the resulting profile (in the file share created in Step 1) to
NTUSER.MAN. You will need to change the folder options to show hidden files and
folders to see this file.
5. Create appropriate GPOs by doing the following:
■ Edit the Computer GPO setting as follows: Computer Configuration\Policies\
Administrative Templates\Windows Components\Remote Desktop Services\
Remote Desktop Session Host\Profiles\Set Path For Remote Desktop Services
Roaming User Profile to point to the share created in Step 2 (for example, //colfax/
ash-rds-mandatory-profile/ASH RDS MAN). Do not include the .V2 extension.
■ Enable the Computer GPO policy setting as follows: Administrative Templates\
Windows Components\Remote Desktop Services\Remote Desktop Session Host\
Profiles\Use Mandatory Profiles On The RD Session Host Server.
■ Enable the Computer GPO settings as follows: Computer Configuration\Policies\
Administrative Templates\System\User Profiles\Add The Administrators Security
Group To Roaming User Profiles.

6. Apply the GPOs to the RD Session Host Server OU (in Group Policy Manager on a
domain controller).
7. Reboot the RD Session Host servers and test by logging in as a regular user.
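Both procedures above, converting one user’s roaming profile (rename the hive, drop the user to Read & Execute) and preparing the shared mandatory profile folder with the permissions in Tables 5-7 and 5-8, can be scripted. The following PowerShell is an added example and not the book’s own code. It assumes an elevated session on the file server, uses net share (present on Windows Server 2008 R2) for the share permissions because New-SmbShare does not exist there, and the paths, share name, folder name, and account names are placeholders. The GPO steps are not scripted.

```powershell
# Added example (not from the book). Two functions:
#  - New-MandatoryProfileShare: Steps 1-2 (folder, NTFS ACL per Table 5-8, share per Table 5-7)
#  - ConvertTo-MandatoryProfile: Step 4, and the per-user conversion from the previous section
# All paths, names and accounts are assumptions. Run elevated on the file server.

function New-MandatoryProfileShare {
    param(
        [Parameter(Mandatory = $true)][string]$Path,        # e.g. D:\ASH-Mandatory-Profile (assumed)
        [Parameter(Mandatory = $true)][string]$ShareName,   # e.g. ASH-Mandatory-Profile (assumed)
        [string]$ProfileFolder = 'ASH RDS MAN.V2'           # Step 2's folder, with the .V2 extension
    )
    $null = New-Item -Path $Path -ItemType Directory -Force
    $null = New-Item -Path (Join-Path $Path $ProfileFolder) -ItemType Directory -Force

    # Table 5-8: SYSTEM and Administrators Full Control, Authenticated Users Read & Execute,
    # each applying to this folder, subfolders and files; Administrators owns the folder.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)      # stop inheriting the parent's ACEs
    foreach ($entry in @(
            @{ Id = 'NT AUTHORITY\SYSTEM';              Rights = 'FullControl' },
            @{ Id = 'BUILTIN\Administrators';           Rights = 'FullControl' },
            @{ Id = 'NT AUTHORITY\Authenticated Users'; Rights = 'ReadAndExecute' })) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $entry.Id, $entry.Rights, $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    $acl.SetOwner((New-Object System.Security.Principal.NTAccount('BUILTIN\Administrators')))
    Set-Acl -Path $Path -AclObject $acl

    # Table 5-7 share permissions; net share's /GRANT accepts READ, CHANGE or FULL
    & net share "$ShareName=$Path" '/GRANT:Administrators,FULL' '/GRANT:Authenticated Users,READ' | Out-Null
}

function ConvertTo-MandatoryProfile {
    param(
        [Parameter(Mandatory = $true)][string]$ProfileFolder,   # e.g. \\Colfax\Profiles\alice.V2 (assumed)
        [string]$UserAccount                                    # e.g. CONTOSO\alice; omit for the shared profile
    )
    # NTUSER.DAT is hidden; Test-Path and Rename-Item -Force still find it
    $dat = Join-Path $ProfileFolder 'NTUSER.DAT'
    if (-not (Test-Path -LiteralPath $dat)) { throw "No NTUSER.DAT in $ProfileFolder" }
    Rename-Item -LiteralPath $dat -NewName 'NTUSER.MAN' -Force

    if ($UserAccount) {
        # Replace the user's Full Control with Read & Execute so the extension cannot be changed back.
        # RemoveAccessRule only removes explicit ACEs; an inherited grant must be fixed at its source.
        $acl = Get-Acl -Path $ProfileFolder
        foreach ($ace in @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $UserAccount })) {
            $null = $acl.RemoveAccessRule($ace)
        }
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $UserAccount, 'ReadAndExecute',
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $ProfileFolder -AclObject $acl
    }
}

# Usage (assumed names):
# New-MandatoryProfileShare -Path 'D:\ASH-Mandatory-Profile' -ShareName 'ASH-Mandatory-Profile'
# ... copy the Default User profile into the .V2 folder with Copy To (Step 3), then:
# ConvertTo-MandatoryProfile -ProfileFolder 'D:\ASH-Mandatory-Profile\ASH RDS MAN.V2'
# ConvertTo-MandatoryProfile -ProfileFolder '\\Colfax\Profiles\alice.V2' -UserAccount 'CONTOSO\alice'
```

The Copy To step stays manual because it is what stamps Everyone onto the copied profile; if you skip it you get the “Access is denied” row of Table 5-9.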

Creating a Safe Read-Only Desktop

One curious side effect to not being able to save anything to a mandatory profile is that
any folders remaining in the profile (that is, not redirected) will not save changes either. For
example, if you do not redirect the Desktop folder and if users save files to the desktop, those
files will be discarded when they log off. There won’t be any error, and the file will be on the
desktop during the session, but the files won’t be there when the users log on again. To put
it mildly, this could be confusing. However, if you’re using RemoteApp programs, you don’t
really want people saving files to the desktop because not being able to see the desktop will
make those files hard to find.
To keep the desktop read-only but make sure people know it is read-only, redirect the
desktop to a read-only folder as described in the section entitled “Centralizing Personal Data
with Folder Redirection” earlier in this chapter. This will both prevent users from saving files
to the desktop (which you want) and alert them to the fact that they can’t save files to the
desktop (which you also want). If they try, they will get an error. They still can’t save anything
to the desktop, but at least they will know that they can’t.

Decrease Logon Times with Local Mandatory Profiles

The main reason to house a mandatory profile on a network share is to make it easier to
update when you have a farm environment. But it’s also worth noting that logon times can be
decreased significantly by keeping a mandatory profile local to the server because the profile
doesn’t get pulled down from the network share when the user logs on.
Maintaining local mandatory profiles is more work, because any changes to the mandatory
profiles will need to be made to the mandatory profile on each server. But the increase in
logon speed might make this worthwhile to you, especially if you have only a few RD Session
Host servers in a farm or you don’t often need to change the profile. Again, testing this fully
in your environment will tell you if it makes sense for your setup.
To use local mandatory profiles, perform the following steps:
1. Create a folder on each machine called something like “Mandatory Profile.V2” and set
the appropriate NTFS profile folder permissions as specified in Table 5-8.
2. Copy a default profile to the new Mandatory Profile folder, giving Everyone permission
to use it when you perform the copy.
3. Convert this local profile to a mandatory profile by changing the extension of
NTUSER.DAT to make it NTUSER.MAN.

4. Enable the GPO setting as follows: Computer Configuration\Policies\Administrative
Templates\Windows Components\Remote Desktop Services\Remote Desktop
Session Host\Profiles\Use Mandatory Profiles On The RD Session Host Server.
5. Enable the Computer GPO setting as follows: Computer Configuration\Policies\
Administrative Templates\Windows Components\Remote Desktop Services\Remote
Desktop Session Host\Profiles\Set Path For Remote Desktop Services Roaming User
Profile. Point to the local mandatory profile location, such as C:\Mandatory Profile. Do
not include the .V2 extension.
6. Do this on each machine in the farm or pool.

Profile and Folder Redirection Troubleshooting Tips

Many people find the combination of RD Session Host servers and profiles daunting. And it’s
true—things don’t always work the way you expect them to. Table 5-9 describes some common
errors, possible solutions, and the sections in the chapter where you’ll learn how to fix
each problem.

TABLE 5-9  Profiles and Folder Redirection Troubleshooting Tips

PROBLEM | SOLUTION | ADDITIONAL INFORMATION IN THIS CHAPTER
Policies appear to be set correctly, but aren’t being applied | Force a policy update by using Gpupdate or by rebooting | See the sidebar entitled “Updating Group Policy.”
Folders are not being redirected to the proper location or roaming profiles are not being loaded | Check event logs to make sure that the share is available on the network and has appropriate permissions | See the sections entitled “The Consequences of Deleting a Profile Folder from Windows Explorer” and “Centralizing Personal Data with Folder Redirection.”
Group Policy settings aren’t being applied to the right computers, groups, or users | Check the security filters and make sure that you’ve included the correct groups | See the section entitled “Fine-Tuning GPOs with Security Filtering.”
Folders from profiles from earlier operating systems aren’t redirecting properly, but Windows 7 and Windows Server 2008 R2 profile folders are redirecting | Make sure you’ve enabled earlier Folder Redirection for that GPO | See the section entitled “Sharing Folders Between Windows Server 2003 and Windows Server 2008 Roaming Profiles.”
Users cannot load their roaming profiles when they log on, and they see a message that they will be logged on with a temporary profile | You might have deleted the cached profile manually using Windows Explorer. Delete the old registry keys and use tools such as the profile management utility or Delprof to delete profiles | See the section entitled “Deleting Cached Profiles Manually.”
Testing mandatory profiles returns the error “Access is denied.” | Make sure you set the Everyone group to be permitted to use the profile when you use the Copy To button to create the mandatory profile. If necessary, delete the profile that is not working and redo it |
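As an added example (not from the book) of working through Table 5-9 from the server side, the following PowerShell function checks that the profile and redirection shares are reachable and pulls the recent warnings and errors that the User Profile Service and Folder Redirection write to the Application log, counting temporary-profile logons separately. The share paths are assumptions; the provider names are the ones these components log under on Windows Server 2008 R2, and the event IDs annotated in the comments are the ones I know from those providers, so verify them against your own servers.

```powershell
# Added example (not from the book): first-pass triage on an RD Session Host server for
# the rows of Table 5-9. Share paths are assumed; event IDs in comments are from memory.
function Get-ProfileRedirectionDiagnostics {
    param(
        [string[]]$SharePath = @('\\Colfax\Profiles', '\\Colfax\Users'),   # assumed shares
        [int]$Hours = 24
    )
    $report = @{}

    # Row 2 of Table 5-9: is the share even reachable from this server?
    $report.ShareReachable = foreach ($p in $SharePath) {
        New-Object PSObject -Property @{ Path = $p; Reachable = (Test-Path -Path $p) }
    }

    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = @('Microsoft-Windows-User Profiles Service',
                         'Microsoft-Windows-Folder Redirection')
        StartTime    = $since
    } -ErrorAction SilentlyContinue

    # Known IDs: 1511 = logged on with a temporary profile (row 5);
    #            1509 = profile file copy failed, usually share or NTFS permissions (row 2);
    #            502  = Folder Redirection failed to apply (row 2)
    $report.Events = $events | Where-Object { $_.Level -le 3 } | ForEach-Object {   # 1-3: critical/error/warning
        New-Object PSObject -Property @{
            Time     = $_.TimeCreated
            Provider = $_.ProviderName
            Id       = $_.Id
            Message  = ($_.Message -split "`n")[0]      # first line is enough for triage
        }
    }
    $report.TemporaryProfileLogons = @($events | Where-Object { $_.Id -eq 1511 }).Count

    New-Object PSObject -Property $report
}

# Usage:
# $d = Get-ProfileRedirectionDiagnostics -Hours 48
# $d.ShareReachable; $d.Events | Sort-Object Time | Format-Table -AutoSize; $d.TemporaryProfileLogons
```

A non-zero TemporaryProfileLogons with reachable shares points at the cached-profile row of the table (stale ProfileList registry entries), whereas 1509/502 events with an unreachable or read-only share point at the share and NTFS permissions rows.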

Summary

Although roaming profiles (read-write or read-only) are often the best model for storing user
profiles in an RDS environment, the complications involved in making them work well can be
daunting. This chapter has explained how profiles work, including how the User Profile Service
loads and saves configuration data. You’ve learned about best practices, including how to
keep profiles manageable in size to speed user logons and how Folder Redirection and profile
caching also contribute to faster logons. You’ve seen how to set up Group Policy to enable
automatic profile creation and how to use security filtering and loopback policy processing to
ensure that the policies are applied correctly with RDS. Finally, you’ve learned how to set up
and use mandatory profiles with RDS and how to prevent users from losing files when using
mandatory profiles.
■ There are three types of profiles: local, roaming, and mandatory (including super-
mandatory).
■ Combining roaming profiles with Folder Redirection is generally the best way to store
user data in remote environments. Folder Redirection is very important for keeping
logon times short and profile sizes small.
■ Mandatory profiles work best when you don’t want to save any changes to the profile
and have prevented users from writing files to profile folders.
■ Profiles don’t merge—they overwrite. For best results, open only one copy of the user
profile at a time. For this reason, you should generally not use the same roaming profile
for both local logons and RD Session Host server logons.

■ Implementing Group Policy correctly from the beginning is key to making roaming
profiles work.
■ Folder Redirection is very important to making profiles work properly, as follows:
• Folder Redirection keeps profiles small.
• Folder Redirection reduces the data that must be written back to a file stored in a
profile folder.
• Using Folder Redirection, you can share folders between two profiles for better
integration of local and remote user experiences.
• If using mandatory profiles, you must use Folder Redirection to allow users to save
files to any of their normal document storage locations (for example, Documents
and Favorites).

Additional Resources

The following resources will extend your knowledge of topics addressed in this chapter. All
links are available to you on this book’s companion media.
■ For more information on user profile management (with or without RDS), read the
following:
• “Managing Roaming User Data Deployment Guide,” available online at
http://technet.microsoft.com/en-us/library/cc766489%28WS.10%29.aspx and for
download from http://go.microsoft.com/fwlink/?LinkId=73760
• “Using User Profiles in Windows Server 2003,” located at
http://technet2.microsoft.com/windowsserver/en/library/23ee2a30-5883-4ffa-
b4cf-4cfff3ff8cb71033.mspx?mfr=true
■ For more information about how to configure device redirection, see Chapter 6,
“Customizing the User Experience.”
■ To learn how to lock down the server, see Chapter 7, “Molding and Securing the User
Environment.”
■ For more information about publishing RemoteApp programs, see Chapter 9, “Multi-
Server Deployments.”
■ For more information about enabling RD Session Host server farms with RD
Connection Broker and multi-server management, see Chapter 9.

CHAPTER 6

Customizing the User Experience
■ How Remoting Works  291
■ Moving the Client Experience to the Remote Session  307
■ Printing with RDP  334

If you’re reading this book sequentially, by this point you have the basic virtual machine
(VM) or session delivery system enabled, and you’ve configured profiles and folder
redirection for your environment. At this stage, you’re ready to move on to what most
users would consider the critical part of remoting: the user experience. After reading this
chapter, you’ll know more about the following points:
■ How the core features of Remote Desktop Protocol (RDP) 7.0 work
■ How the remote experience will vary depending on the version of RDP a user
employs to get to Windows 7 or Windows Server 2008 R2
■ How RDP 7.0 and RemoteFX differ in their approaches to remoting
■ How to configure the remote experience so that client-side devices work in
remote sessions
■ How to configure printing with and without RD Easy Print

How Remoting Works

Remote Desktop Services (RDS) is all about the RDP. Without RDP, RDS just isn’t very
exciting. In this section, you’ll examine how RDP works. You’ll start with the basics of how
static virtual channels, dynamic virtual channels, and protocol data units cooperate to
send data, and then move on to a deeper look at how the individual features use virtual
channels and Protocol Data Units (PDUs).

New Features in RDP 7.0

Each version of RDP adds new features to improve the user experience. RDP 7.0
introduces a number of changes to the remoting protocol that are designed to
make the remote session feel more like working on the local computer.

● Multimedia remoting
● True multi-monitor support
● Audio recording from the local session to the remote session
● Desktop composition (Aero Glass) remoting from a session
● Language bar redirection
All these features require having Windows 7 or Windows Server 2008 R2 on the
endpoint, and they are not available for /admin connections to a server running
Window Server 2008 R2.

Multimedia Remoting
Using Remote Desktop Connection (RDC) 7 with Windows 7 and Windows Server
2008 R2, audio and video content, played back by using Windows Media Player, is
redirected from the RD Session Host server to the client in its original format and
rendered by using the client’s resources. Other multimedia content, such as Silver-
light and Windows Presentation Foundation (WPF), are rendered as bitmaps on the
server. The bitmaps are then compressed and sent over to the client.

Multiple Monitor Support


Remote Desktop Connection (RDC) 7, with Windows 7 or Windows Server 2008
R2, enables support for up to 16 monitors. This feature supports connecting to
a remote session with any monitor configuration that is supported on the client.
Programs function just as they do when they are running on the client. All monitors
connected to the client will show the remote session; you can’t choose to exclude a
monitor to show only local programs.

Audio Recording Redirection


RDC 7, with Windows 7 and Windows Server 2008 R2, redirects audio recording de-
vices, such as microphones, from the client to the remote desktop session. This can
be useful for organizations that use voice chat or Windows Speech Recognition.

Desktop Composition
RDC 7, with Windows 7 and Windows Server 2008 R2, supports Aero Glass remoting
and display of other advanced graphics features within an RD Session Host session.
Desktop composition works only with a single monitor.

Language Bar Redirection


Using RDC 7 with Windows 7 and Windows Server 2008 R2, you can use the language
bar on the client to control the language settings within your RemoteApp programs.

What Defines the Remote Client Experience?
Distinguishing RDP 7.0, RDC 7, and the actual user experience can be confusing. There are
three pieces that facilitate remoting (shown in Figure 6-1):
■ The RDC application on the client  This application comes native to an operating
system, but can be upgraded. You don’t have to upgrade the operating system.
■ The RDP listener on the endpoint  The Winstation driver on the endpoint listens for
incoming RDP connections and sends data to the client computer. The listener is built
into the operating system, so to upgrade it, you have to upgrade the operating system.
■ The RDP  The protocol that the RDC and the listener use to pass data between the
local and remote computer.

FIGURE 6-1  The RDP client, listener, and protocol work together to facilitate remoting. (Diagram: RDC clients connect over the RDP protocol to RDP listeners on the servers of an RD Session Host farm and on VM 1 through VM n on a VM host. Callouts: the RDC client is an application and can be upgraded without upgrading the operating system; the RDP listener is part of the operating system, so to support more features you upgrade the operating system.)

The three of these combined define the client experience. The protocol itself passes data,
the RDC sends data from the client and handles it when received, and the Winstation driver
on the remote computer sends data from the server and receives it.
The listener and the RDC client support versions of the RDP protocol. Table 6-1 describes
the remoting experience attainable given different combinations of RDC and the RDP listener.
(Although the user interface in the RD Session Host Configuration tool says RDP 6.1, the
experience is RDP 7.0.) There is no user interface to display the version of the RDP listener on
client operating systems, but this is the version built in to the operating system. (To see the
version on client SKUs, go to HKLM\SYSTEM\ControlSet001\Control\Terminal Server\Wds\
Rdpwd.)

NOTE  It’s a bit confusing that the RDP listener name in RD Session Host Configuration
says “6.1” when the protocol experience is 7. It does this because, as you can see in
HKLM\SYSTEM\ControlSet001\Control\Terminal Server\Wds\Rdpwd, the name of the
Winstation driver (the session driver, and stored in WdName) is “Microsoft RDP 6.1.” It
could just have easily been “Fred.” Regardless of the name of the driver, the experience you
will get when connecting to a Windows Server 2008 R2 or Windows 7 endpoint with RDC 7
is that of RDP 7.0.

RDC 7.0 will appear in the Windows XP and Windows Vista RDC About dialog box as version 6.1.7600. "7600" is the RTM version number of the Windows 7 build. It will also say that RDP 7.0 is supported.

TABLE 6-1  RDP Protocol and Listener Support Matrix

                         Windows XP   Windows Vista   Windows Server   Windows 7   Windows Server   Windows Server
                         SP3          SP1, SP2        2003 SP1, SP2                2008 SP1, SP2    2008 R2
RDC can support up to    RDP 7.0      RDP 7.0         RDP 6            RDP 7.0     RDP 6.1          RDP 7.0
RDP listener supports    RDP 5.1      RDP 6.1         RDP 5.2          RDP 7.0     RDP 6.1          RDP 7.0

NOTE  Table 6-3 in the section entitled “How the RDC Version Affects the User Experi-
ence—or Doesn’t” later in this chapter further defines this matrix.

When connecting from a client to an endpoint, the remoting experience will be the lowest common denominator of what the RDC can support and what the RDP listener on the endpoint can support. For example, if you connect from a machine running Windows XP to another machine running Windows XP, even if you have installed RDC 7, the experience will be that of RDP 5.1, because the RDP listener on Windows XP supports only up to RDP 5.1. Another example: if you connect from a machine running Windows 7 to a machine running Windows Server 2008 R2, RDP 7.0 is supported by both the client and the listener, so that is the experience you will get.
The RDP protocol connecting the RDC and the endpoint is split into virtual channels. Virtual channels are dedicated paths that carry particular kinds of data. For example, different channels support print jobs, clipboard sharing, drive redirection, and so forth. In Windows Server 2008 R2, virtual channels operate in both user mode and kernel mode (see Chapter 2, "Key Architectural Concepts for Remote Desktop Services," for a description of user mode and kernel mode). Remote audio and the clipboard redirector both have virtual channels in user mode, whereas plug and play devices communicate via kernel-mode virtual channels.
To pass data between client and server, both ends of the channel must exist and be enabled. That's why it's possible to turn off drive redirection on an RD Session Host server without having to override this setting on the client: the server just isn't listening on that channel. It's also why it's not possible to use a given virtual channel unless it is supported by both client and server. You can't, for example, use the RDP 7.0 client to enable Plug and Play (PnP) Device Redirection on a terminal server running Windows Server 2003. The client supports that channel, but the server does not.

HOW IT WORKS

Why Don't I Get Language Bar Redirection When Connecting to Windows XP from Windows 7?

When the product group blogged about RDP 7.0 on the RDS Team Blog, some people wanted to know if the new protocol would enable new features on earlier versions of Windows. For example, would someone using RDP 7.0 on the client get language bar support when connecting to Windows XP? Would they get any new functionality?

The short answer is "Not really." This is because of the way that virtual channels work. Almost all features available with RDS rely on virtual channels. (One exception to this rule is the integration of RemoteApp and Desktop Connections in the Start menu of Windows 7. That feature actually depends on the client operating system itself.) If the virtual channel isn't on both ends of the connection, then the feature doesn't work.

Because remoting functionality requires support on both ends of the connection, the new features of RDP 7.0 are available only if you're connecting to an endpoint that supports them. The Windows XP listener supports RDP 5.1, and Windows Vista SP1 supports RDP 6.1, so the user experience will fall back to whatever that version can handle.

Until Windows Server 2008, all virtual channels were created at the beginning of the session and severed when the session was ended by the client or the server; these are static channels. Windows Server 2008 introduced a new kind of virtual channel called a dynamic virtual channel (DVC) that an application can create after the session has begun, and which it can sever before the session ends. DVCs make it possible to add new redirected devices to a session after it's started. If you relied on static channels entirely, then it would not be possible to plug a camera (for example) into the client and have it show up in an active remote session. Instead, you'd have to plug the camera into the universal serial bus (USB) port before beginning the session.

ON THE COMPANION MEDIA  Although it's possible to connect to an RD Session Host server using RDP 5.2 or later, applications using DVCs require RDP 6.1 or later; the IWTSVirtualChannelManager interface that manages the connections has a minimum requirement of RDP 6.1. You can get RDP 6.1 in Windows XP SP3 and Windows Vista SP1, or download RDC 7 for both these operating systems from http://support.microsoft.com/kb/969084.

Separating data into virtual channels is how this architecture allows you to selectively disable client-side redirection. It's possible to enable printing but disable drive redirection, or to enable clipboard redirection but disable PnP devices. The following section explores in detail how virtual channels work.

The Foundation of RDP: Virtual Channels and PDUs

With a very few exceptions, the communication between the endpoint and the client (and therefore the remoting experience) is enabled through virtual channels and Protocol Data Units (PDUs). RDP describes the general guidelines for how data gets from point A to point B, but the actual data is passed along the virtual channels, and the negotiation of how the data is sent is done through PDUs.

Static Virtual Channels

RDP has been passing data through static virtual channels from its inception. Static virtual channels are created at the beginning of a session and remain in place until the session is disconnected. RDP can have a maximum of 31 static virtual channels, which is one reason why DVCs are useful. They're the basis for all remoting; even the features that use DVCs (see the section entitled "Dynamic Virtual Channels" later in this chapter) depend on static virtual channels, because DVCs run in a static virtual channel.
RDP goes through eight steps to set up static virtual channels for a connection:
1. The client initiates the connection and the endpoint responds. Notice that the client always initiates.

2. The server and client exchange some basic information about the connection, including the following:
• Whether they can both support multiple monitors
• The client display height and width
• The color depth requested
• The type of keyboard
• The client operating system build number and RDP version
• What kind of security the client will use
• How the client will provide credentials (for example, whether it's using CredUI)
• The number of virtual channels requested


NOTE  For more details on the security negotiations, see Chapter 8, “Securing Remote
Desktop Protocol Connections.”

3. The client and server hook up the virtual channels.
4. If the client is using standard RDP security, the client and server set up session keys for the connection (again, this is covered in more detail in Chapter 8). After this point, all subsequent RDP traffic will be encrypted using the session keys, according to the level of security set on the client and enforced by the server.
5. The client sends the user name and password to the server.
6. The server and client negotiate whether the client has or needs a license, and then the server arranges to allocate the client a license if the client doesn't already have one.

NOTE  For details on licensing, see Chapter 12, "Licensing Remote Desktop Services."

7. The server tells the client what capabilities it supports, and the client acknowledges this information. The server capabilities sent during this step include features such as the following:
• RemoteApp support
• Desktop composition support
• The level of compression supported
8. Finally, the client and server finalize the connection details. After the client has received this, it can start sending keyboard and mouse input to the session, and the server can begin sending graphical updates to the client.
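The opening of this sequence in working code, as an added example that is not part of the book: the X.224 Connection Request the client sends in step 1 and the Connection Confirm (or failure) the endpoint returns, carrying the "what kind of security the client will use" negotiation of step 2. The layouts follow MS-RDPBCGR (rdpNegReq, rdpNegRsp, rdpNegFailure); the user names, the require_nla policy flag and every byte string are constructed for the example. The check a practitioner wants here: an endpoint that still accepts a request for standard RDP security lets a client reach the logon screen without pre-authentication (Network Level Authentication), so the hardened server below answers such requests with the HYBRID_REQUIRED_BY_SERVER failure code instead of falling back to the lowest common denominator, and a legacy RDC 5.x client that sends no negotiation structure at all is treated as asking for standard RDP security only.

```python
"""Added example: the X.224 Connection Request / Connection Confirm exchange that
opens an RDP connection, with the rdpNegReq / rdpNegRsp security negotiation
(MS-RDPBCGR 2.2.1.1 and 2.2.1.2). User names, policy flags and all bytes here are
constructed for the example; this is not Microsoft's code."""
import struct

# requestedProtocols / selectedProtocol flags
PROTOCOL_RDP = 0x00000000     # standard RDP security (no TLS, no NLA)
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. Network Level Authentication

TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
HYBRID_REQUIRED_BY_SERVER = 0x00000005   # rdpNegFailure failureCode
X224_CR, X224_CC = 0xE0, 0xD0            # Connection Request / Confirm TPDU codes


def _tpkt(x224: bytes) -> bytes:
    # TPKT header: version 3, reserved, 16-bit big-endian length of the whole packet
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def _x224(code: int, variable: bytes) -> bytes:
    # LI counts everything after itself: code(1) + DST-REF(2) + SRC-REF(2) + class(1) + variable
    return struct.pack(">BBHHB", 6 + len(variable), code, 0, 0, 0) + variable


def _neg(neg_type: int, value: int) -> bytes:
    # RDP_NEG_*: type, flags, length (always 8), 32-bit value; all little-endian
    return struct.pack("<BBHI", neg_type, 0, 8, value)


def build_connection_request(user: str, requested: int) -> bytes:
    """Client side of step 1: routing cookie plus the protocols it is willing to use."""
    cookie = f"Cookie: mstshash={user}\r\n".encode("ascii")
    return _tpkt(_x224(X224_CR, cookie + _neg(TYPE_RDP_NEG_REQ, requested)))


def legacy_connection_request() -> bytes:
    """What a pre-RDP 6 client sends: no cookie and no rdpNegReq at all."""
    return _tpkt(_x224(X224_CR, b""))


def parse_x224(packet: bytes) -> dict:
    """Parse either direction. 'protocols' is None when no rdpNeg structure is
    present, which means the client only knows standard RDP security."""
    version, _, length = struct.unpack(">BBH", packet[:4])
    if version != 3 or length != len(packet):
        raise ValueError("bad TPKT header")
    li, code = packet[4], packet[5]
    if li + 5 != length:
        raise ValueError("bad X.224 length indicator")
    variable = packet[11:]
    out = {"code": code, "cookie": None, "neg_type": None, "protocols": None}
    if variable.startswith(b"Cookie: mstshash="):
        end = variable.index(b"\r\n")
        out["cookie"] = variable[17:end].decode("ascii")
        variable = variable[end + 2:]
    if len(variable) >= 8:
        neg_type, _flags, neg_len, value = struct.unpack("<BBHI", variable[:8])
        if neg_len != 8:
            raise ValueError("bad rdpNeg length")
        out["neg_type"], out["protocols"] = neg_type, value
    return out


def server_answer(request: bytes, require_nla: bool) -> bytes:
    """Endpoint side: pick the strongest protocol the client offered. With
    require_nla set, refuse anything that is not CredSSP instead of dropping to
    the lowest common denominator the chapter describes."""
    req = parse_x224(request)
    if req["code"] != X224_CR:
        raise ValueError("expected a Connection Request")
    offered = req["protocols"] if req["protocols"] is not None else PROTOCOL_RDP
    if offered & PROTOCOL_HYBRID:
        selected = PROTOCOL_HYBRID
    elif require_nla:
        return _tpkt(_x224(X224_CC, _neg(TYPE_RDP_NEG_FAILURE, HYBRID_REQUIRED_BY_SERVER)))
    elif offered & PROTOCOL_SSL:
        selected = PROTOCOL_SSL
    else:
        selected = PROTOCOL_RDP
    return _tpkt(_x224(X224_CC, _neg(TYPE_RDP_NEG_RSP, selected)))
```

The step-4 session keys of standard RDP security are only set up when the negotiation ends in PROTOCOL_RDP; a server that answers with PROTOCOL_HYBRID moves straight to CredSSP, and the password of step 5 is never sent inside an RDP-encrypted PDU at all.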

The following features of RDP use static virtual channels:
■ Clipboard redirection
■ DVCs
■ RemoteApp programs
■ Audio output
■ Smart card redirection
■ File system redirection
■ Serial port redirection
■ Legacy printer redirection (not RD Easy Print)
■ Session shadowing
An RDP connection might not have all these static virtual channels in place. During the capability negotiations between client and server, policies applied to the endpoint (and client) will be taken into consideration. Therefore, even if the operating system could technically support, say, file system redirection, if file system redirection is turned off due to Group Policy or turned off on the RDC, then the feature won't be supported and the static virtual channel won't be created.

Dynamic Virtual Channels

Dynamic virtual channels (DVCs), introduced with Windows Server 2008, are virtual channels that connect the client to an application running on the server (for example, Windows Media Player). Because they're linked to applications, they can be created after a session begins and destroyed before it ends. DVCs allow you to add remote support for a device (such as a camera) during a session without having to plug the camera into the client's USB port before beginning the session.
DVCs leverage the static virtual channel architecture. At the beginning of the connection, when the static virtual channels are created, a DVC Server Manager negotiates capabilities with the DVC Client Manager (including the version of DVC supported) and initializes the DVC path. Then, when an application wants to open one or more DVCs, the path is already prepared. The DVC Manager on the server keeps all the DVCs straight (and avoids confusing data between applications) by assigning each DVC an identifier. All traffic for a particular DVC is marked with its channel's identifier. Either the client or the server can initiate a DVC request, and any data sent between client and endpoint using DVCs is not acknowledged by the recipient.
There are two versions of the DVCs. Version 1 allows an application to communicate with the other end of the connection. Version 2 adds the ability to prioritize the data within the DVCs in case some data is more time-sensitive than other data. For example, multimedia remoting is very time-sensitive, or else the user will detect a lag. Printing using RD Easy Print is less so.

The following features of RDP use DVCs:
■ RD Easy Print
■ PnP Remoting
■ Multimedia Remoting
■ Audio Recording from client to session
■ Composited Remoting (required to enable effects like Aero Glass remoting)
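The framing that makes the identifier scheme above work, as an added example that is not part of the book or of Windows: the capability exchange between the two DVC managers (version 1 or 2, the latter carrying the four priority classes), the server-initiated create request that assigns a channel its identifier and name, and data PDUs that are prefixed with that identifier so the client can route them to the owning application. The layouts follow MS-RDPEDYC as carried inside the "drdynvc" static channel; the channel name "EXAMPLE::CAMERA" and the payloads are constructed. The demultiplexer also shows the check a receiving side needs: data that arrives for a channel that was never created is rejected rather than silently attached to something.

```python
"""Added example: framing for dynamic virtual channels as carried inside the
"drdynvc" static channel (MS-RDPEDYC): the capability exchange, a create request
that assigns the channel identifier, and data PDUs tagged with that identifier.
Channel names and payloads are constructed for the example; this is not the
Windows DVC manager."""
import struct

CMD_CREATE, CMD_DATA_FIRST, CMD_DATA, CMD_CLOSE, CMD_CAPS = 0x01, 0x02, 0x03, 0x04, 0x05
_ID_FORMATS = {0: ("<B", 1), 1: ("<H", 2), 2: ("<I", 4)}   # cbId code -> (struct fmt, width)


def _header(cmd: int, sp: int, cb_id: int) -> int:
    # one byte: Cmd in the high nibble, Sp/Pri in bits 2-3, cbId in bits 0-1
    return (cmd << 4) | (sp << 2) | cb_id


def _pack_id(channel_id: int) -> tuple:
    """Encode the identifier in the narrowest of 1, 2 or 4 bytes; return (cbId, bytes)."""
    for cb_id, (fmt, width) in _ID_FORMATS.items():
        if channel_id < 1 << (8 * width):
            return cb_id, struct.pack(fmt, channel_id)
    raise ValueError("channel id does not fit in 32 bits")


def caps_pdu(version: int, priority_charges=(0, 0, 0, 0)) -> bytes:
    """DYNVC_CAPS sent by the DVC server manager; version 2 adds the four
    priority classes the chapter mentions."""
    pdu = struct.pack("<BBH", _header(CMD_CAPS, 0, 0), 0, version)
    if version >= 2:
        pdu += struct.pack("<4H", *priority_charges)
    return pdu


def create_request(channel_id: int, name: str, priority: int = 0) -> bytes:
    """DYNVC_CREATE_REQ: the Sp bits carry the priority class for this channel."""
    cb_id, enc = _pack_id(channel_id)
    return bytes([_header(CMD_CREATE, priority, cb_id)]) + enc + name.encode("ascii") + b"\x00"


def data_pdu(channel_id: int, payload: bytes) -> bytes:
    """DYNVC_DATA: every payload is prefixed with the channel it belongs to."""
    cb_id, enc = _pack_id(channel_id)
    return bytes([_header(CMD_DATA, 0, cb_id)]) + enc + payload


def close_pdu(channel_id: int) -> bytes:
    cb_id, enc = _pack_id(channel_id)
    return bytes([_header(CMD_CLOSE, 0, cb_id)]) + enc


def parse_pdu(buf: bytes) -> dict:
    hdr = buf[0]
    cmd, sp, cb_id = hdr >> 4, (hdr >> 2) & 0x3, hdr & 0x3
    if cmd == CMD_CAPS:
        return {"cmd": cmd, "version": struct.unpack_from("<H", buf, 2)[0]}
    fmt, width = _ID_FORMATS[cb_id]
    channel_id = struct.unpack_from(fmt, buf, 1)[0]
    rest = buf[1 + width:]
    if cmd == CMD_CREATE:
        return {"cmd": cmd, "id": channel_id, "priority": sp,
                "name": rest.split(b"\x00", 1)[0].decode("ascii")}
    return {"cmd": cmd, "id": channel_id, "payload": rest}


class DvcDemux:
    """Client-side demultiplexer: route each data PDU to the channel that owns
    its identifier, and reject data for channels that were never created."""

    def __init__(self):
        self.channels = {}

    def handle(self, pdu: bytes) -> dict:
        p = parse_pdu(pdu)
        if p["cmd"] == CMD_CREATE:
            self.channels[p["id"]] = {"name": p["name"], "priority": p["priority"], "data": b""}
        elif p["cmd"] == CMD_DATA:
            if p["id"] not in self.channels:
                raise KeyError("data for unknown channel %d" % p["id"])
            self.channels[p["id"]]["data"] += p["payload"]
        elif p["cmd"] == CMD_CLOSE:
            self.channels.pop(p["id"], None)
        return p
```

Because DVC data is not acknowledged, the only place a misrouted or stray payload can be caught is this demultiplexing step; a channel list keyed by identifier is what keeps one application's data from being handed to another.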

Protocol Data Units

PDUs are not specific to RDP by any means, but their role within RDP is often to help negotiate the respective capabilities of client and endpoint so that RDP can transport data as required. (PDUs can also transport data if required.) Throughout this section, wherever the client and endpoint are described as negotiating how they can communicate, that negotiation uses PDUs.

Basic Graphics Remoting

The most obvious thing that RDP does is update the client display with the graphical updates in the session. Without that, there isn't much to the experience. In this section, you'll learn about the basic graphics remoting that RDP does and how it draws the desktop to look better.
Basic graphics remoting does what it sounds like: it gets the graphical data from the server to the client. Because basic graphics remoting uses static virtual channels, it does not require a very advanced RDP client to support it. (Windows Server 2008 R2 and Windows 7 both support connections from RDP 5.2, even though you might not get a full complement of features.) It is also the basis for more advanced graphics capabilities like composited remoting and multimedia redirection.
Basic graphics remoting has to be able to do the following things:
■ Distinguish between multiple endpoints when sending graphical updates to the client
■ Make the session as responsive as possible
■ Stop sending graphics updates to the client when the session is disconnected or the remote window is hidden
Basic graphics remoting is enabled when the client and the server establish a connection, as described in the connection sequence in the section entitled "Static Virtual Channels" earlier in this chapter. After the connection is there, the two ends can work out how to handle the other aspects of graphics remoting, such as multimedia remoting or desktop composition.

Distinguishing Between Sessions

When the connection is established, the server keeps track of which session a process is running in and associates that process with the session ID for each session. Because the operating system has to know which process generated keyboard or mouse input, it will associate the process with the session. (Although a client operating system endpoint can support only a single interactive session at a time, Fast User Switching means that it might have more than one session logged on at once.)

Minimizing Data Sent

One way to send graphical updates is commonly known as "screen scraping": sending bitmap images of the display on the endpoint to the client for display. This method is simple, makes it possible to support a wide array of client devices, and allows for high-fidelity rendering of all graphical updates, but over lower-bandwidth connections it's inefficient and leads to a very choppy display. Therefore, RDP does primitive remoting whenever possible, not bitmap remoting. In primitive remoting, the endpoint sends the instructions for how and where to draw, say, a rectangle to the client, rather than sending the picture of the rectangle and its precise position. RDP will send bitmaps when it needs to (when remoting Silverlight applications, for example), but when it does, the display speed is reduced because it has to send more data.
Another way that RDP can minimize the data sent is by using a codec on the endpoint to communicate with a codec on the client. When this option is available (see the section entitled "Advanced Graphics Remoting" later in this chapter), the codecs can send the data to the client for rendering; this might not reduce the amount of bandwidth required, because the data still has to get to the client computer somehow, but to the user it will appear to be updated more quickly and will generally look better.
Finally, RDP can use a cache for graphical data sent to the client. With the exception of bitmaps, caches are stored in memory, not on disk, and are wiped clean when the session is disconnected. Client and server negotiate their caching capabilities when the connection is being established, but the cache might contain the following:
■ Bitmap images
■ Colors used in drawing the screen updates
■ Glyphs (characters) that the client types, both singly and in groups
■ Fill areas (for example, those needed to paint the desktop color)
■ Graphics device interface (GDI) primitives, cached by both client and server
Each piece of the cache has an ID. When the endpoint is going to send a graphical update that might be cached, the server will tell the client what it plans to send, and the client can look to see if it already has it. If it does, then it will use the bitmap, or glyph, in the cache. If it does not, the server can send the update. If the server wants to use the GDI primitives cache, it will tell the client exactly where to look in its own cache for that instruction.

DIRECT FROM THE SOURCE

Why Microsoft RemoteFX?

Tad Brockway
Principal Product Unit Manager, Remote Desktop Virtualization

I have been passionate about desktop centralization for many years, even before I
joined the Microsoft Remote Desktop Virtualization team in 1998. Prior to joining
Microsoft, I was a UNIX developer. (We didn’t call the scenario “desktop centraliza-
tion” at that time. We called it “X Windows.”)

The promise of Virtual Desktop Infrastructure (VDI) is that user desktops can be
centralized in such a way as to move complexity and state from the desktop into the
datacenter. To execute on this promise, we needed to allow people to use a broad
range of endpoint devices without compromising on the user experience. To this
end, we are developing a remoting approach that complements traditional graphics
remoting capabilities and works for endpoint devices ranging from PCs to the most
lightweight of thin clients.

Up to now, graphics remoting protocols like RDP have approached remoting in a
client-centric way. Client-centric remoting intercepts graphics on the host device
and then efficiently forwards the intercepted graphics “primitives” (for example,
“Draw Rectangle” or “Draw Line”) to the client device. The client endpoint renders
the primitives using a client-side counterpart for each graphics intercept point on
the host. Client-centric remoting originated when there was limited bandwidth
from the datacenter to the user desktop and when the vast majority of applications
were developed on top of the same Windows graphics API: GDI.

Client-centric remoting relies heavily on the rendering capabilities of the client
software and hardware. The chief benefit to client-centric remoting is that it's a very
bandwidth-efficient way of remoting graphics types that can be intercepted high in
the software stack and sent as primitives. But when the client and host don’t both
support a particular graphics type, either the application fails to run properly or the
two sides negotiate down to a least common denominator graphics construct: a bit-
map. Bitmaps require more bandwidth than primitives because they have to detail
how to remote everything. For example, the primitive representation of “Draw Line”
would simply include the X and Y coordinates for the line start and the line finish.
The bitmap representation of the line would have to describe at least the X and Y
coordinates for every single point on the line.

If you have a powerful client device with a rich software stack and your host has all
the right graphics intercept points, a client-centric graphics remoting can give you a
great user experience over a relatively low-bandwidth connection. But if you have a
less complex client device, are missing some important graphics intercept points on

the host, or both, client-centric remoting will result in gaps in the experience, such
as choppy video or missing graphics.

Today, bandwidth is less expensive and more widely available, and Windows users
want a wide array of graphics types (for example, Silverlight, Adobe Flash, DirectX,
Aero Glass, Windows Media, and so on). These changing conditions call for the ad-
dition of a new model that can support all graphics types, including 3-D, by sending
highly compressed bitmaps to the endpoint device in an adaptive manner. We call
this host-centric remoting.

You can ensure a consistent user experience for a wide array of devices if you follow
the VDI model and move a large portion of the client software and hardware into
the datacenter. With host-centric remoting, all the graphics can be intercepted on
the host at a very low layer in the software stack. All graphics are rendered on the
host into a single frame buffer (a temporary holding station for graphical updates)
that represents the user’s display. Changes to the frame buffer are sent to the client
at a frame rate that dynamically adapts to network conditions and the client’s abil-
ity to consume the changes. The changes are sent to the client endpoint as highly
compressed bitmaps by using an encoding scheme optimized for Windows desktop
content. The basic graphics requirement for the client endpoint is that it supports
the ability to decode and display the highly compressed bitmaps that it receives
from the host. At a minimum, the client needs the decoder counterpart to the en-
coder that was used on the host, as well as a basic graphics display capability.

Host-centric remoting requires more bandwidth than client-centric remoting. How-
ever, it delivers a consistent experience for every aspect of the modern Windows
desktop regardless of the capability of the client-side device.

If you’re wondering which remoting model to choose, you don’t have to. If you
have a client device with a rich software stack and advanced processing capabilities,
client-centric remoting makes sense. But to deliver completely on the promise
of VDI for less powerful client devices, you also need host-centric remoting. We
are adding RemoteFX as a new capability or “payload” to the RDP platform, while
continuing to support and enhance our existing client-centric model. Whichever
remoting model you use, the fundamentals of RDP are unchanged. RDP includes
the same authentication, encryption, device redirection, and transport capabilities,
independent of the remoting model being used.

Compressing RDP Data

RDP supports two kinds of bulk compression (compression done on all virtual channels, as opposed to compressing individual channels). Both compress only when data is sent from server to client, not from client to server. Standard bulk compression compresses all the data going through RDP channels using a lossless technique known as Huffman compression. (Lossless compression doesn't lose any data during the compression/decompression process.)

NOTE  Huffman compression encodes data based on the frequency of symbols in the
data stream. If a symbol appears more often, its representative code is shorter than a
character that appears only once. For more information on Huffman compression, see
http://www.huffmancoding.com/my-family/my-uncle/huffman-algorithm.
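The property the note describes, shown in code as an added example that is not part of the book: a minimal Huffman coder in which frequent byte values receive short bit strings, rare ones long bit strings, and decoding recovers the input exactly because no code is a prefix of another. This illustrates the principle only; it is not the RDP bulk compressor, and the sample input is constructed.

```python
"""Added example: a minimal Huffman coder showing the property the note describes,
namely that frequent symbols get short codes and the transform is lossless. It is
an illustration of the principle, not the RDP bulk compressor; the sample input is
constructed."""
import heapq
from collections import Counter
from itertools import count


def build_codes(data: bytes) -> dict:
    """Map each byte value in data to its bit string (a str of '0'/'1')."""
    freq = Counter(data)
    if not freq:
        return {}
    if len(freq) == 1:                      # a single symbol still needs one bit
        return {next(iter(freq)): "0"}
    tie = count()                           # keeps heap comparisons off the node objects
    heap = [(n, next(tie), sym) for sym, n in freq.items()]
    heapq.heapify(heap)
    while len(heap) > 1:                    # merge the two least frequent nodes
        n1, _, left = heapq.heappop(heap)
        n2, _, right = heapq.heappop(heap)
        heapq.heappush(heap, (n1 + n2, next(tie), (left, right)))
    codes = {}

    def walk(node, prefix):
        if isinstance(node, tuple):
            walk(node[0], prefix + "0")
            walk(node[1], prefix + "1")
        else:
            codes[node] = prefix
    walk(heap[0][2], "")
    return codes


def encode(data: bytes, codes: dict) -> str:
    return "".join(codes[b] for b in data)


def decode(bits: str, codes: dict) -> bytes:
    """Walk the bits, emitting a symbol each time a complete code is matched.
    Huffman codes are prefix-free, so the first match is always the right one."""
    reverse = {code: sym for sym, code in codes.items()}
    out, cur = bytearray(), ""
    for bit in bits:
        cur += bit
        if cur in reverse:
            out.append(reverse[cur])
            cur = ""
    if cur:
        raise ValueError("trailing bits do not form a complete code")
    return bytes(out)


def compressed_bits(data: bytes) -> int:
    """Total bit count after coding (the code table itself is not counted)."""
    return len(encode(data, build_codes(data)))
```

For the constructed input b"aaaaaaaabbbcd" the coder assigns "a" one bit, "b" two bits and "c"/"d" three bits each, so 13 bytes (104 bits) become 20 bits; a real compressor must also transmit or agree on the code table, which this illustration omits.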

Windows Server 2008 added a new codec, called NSCodec, for improving graphics compression over the wide area network (WAN) for 32-bit and 24-bit graphics (used only with RDC 5.1). This lossy compression algorithm is controlled by the following Group Policy object (GPO):

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Remote Session Environment\Set Compression Algorithm For RDP Data

This compression mode is off by default because it is more memory-intensive on the endpoint (which can reduce the number of sessions that an RD Session Host server can support). However, it allows RDP to perform better over slower networks. To the user, the images still look fine; your eye puts the images together in the same way it does for a newspaper image. The more data that is lost in the compression process (which generally correlates to a higher degree of compression), the grainier the connection will look.
NSCodec works by degrading the graphics slightly (almost imperceptibly to the user), using the following techniques:
■ Splitting and combining color planes, which basically means sending all the color information at once instead of treating two types of colors as different "layers" in the image and sending them separately
■ Color space conversion (required for chroma subsampling)
■ Chroma subsampling and super-sampling, which reduces the variation in colors between adjoining pixels (which the human eye is less sensitive to) while maintaining the intensity. Reducing the color fidelity significantly reduces the amount of data that needs to be sent.
■ Color loss reduction
When the client and endpoint are negotiating their mutual capabilities (see the section entitled "Static Virtual Channels" earlier in this chapter), they determine whether the client supports both lossy compression (and how much color loss the client will tolerate) and chroma subsampling. Both require at least RDP 6.1 on the client.

received data. If it can’t, then it will need the endpoint to send the character again.
ClearType remoting is off by default and isn’t recommended for wide area network
(WAN) connections.

As you can see, the choices you could make depend on the amount of bandwidth
available and are computer-wide. If you need to support both local and remote
users, one option would be to define a parallel farm for use via RD Gateway only.
(For more about RD Gateway, see Chapter 10, “Making Remote Desktop Services
Available from the Internet.”) If you did this, then you could use the compression
algorithm optimized for low-bandwidth scenarios and limit the color depth, then
provide greater color depth and a memory-optimized compression algorithm on
the endpoints for local use.

Sending Updates Only When the Session Is Active

There's no point in sending frequent graphical updates when the user isn't interacting with the session. When the session doesn't need updates (when the user has minimized the window or disconnected from the session), the session on the endpoint remains active, but the client doesn't get updates.
When the client sends a request to disconnect, the server will first refuse the request and then reply with an error to prompt that disconnecting will end the connection, but the session will remain active. If the user on the client confirms the request, the connection will be disconnected and the endpoint will stop sending graphical updates.

Advanced Graphics Remoting

Basic RDP displays the desktop and applications on the endpoint in a window on the client. Composited remoting, introduced with Windows Server 2008 R2 and Windows 7, improves the remote display by drawing all windows separately from each other to achieve a 3-D effect, which is required for Aero Glass remoting, window previews, and other advanced graphics remoting features. To make this work, RDP must be able to send the contents of each application layer separately and then pass them to the Desktop Window Manager on the client to reassemble them appropriately.
Advanced graphics remoting is available only when the client has a single monitor. If the client uses more than one monitor in a remote session, this feature is disabled even if it is enabled on the endpoint.
To enable advanced graphics remoting, open Server Manager on the host. In the Client Experience section, make sure that you've selected the box for Desktop Composition. Windows 7 Enterprise and Ultimate don't require additional configuration to support this feature.

The RDP 7.0 FAQ

When the product group posted the RDS Team Blog entry announcing RDP 7.0 for Windows XP SP3 and Windows Vista SP1, we got a lot of questions. For easy reference, we've organized and answered them here.

What Operating Systems Is RDC 7 Available For?
All versions of Windows 7 and Windows Server 2008 R2 come with RDC 7. You can install RDP 7.0 on 32-bit Windows XP SP3 and 32-bit Windows Vista SP1 and SP2. (The RDC upgrade is not available for 64-bit versions of Windows XP and Vista because the code base for 64-bit XP is different and there wasn't enough user demand to justify the huge increase in test cost.) For thin clients, RDP 7.0 is available for Windows Embedded Standard 2009 and Windows Embedded POSReady 2009.

NOTE  Windows 7 Premium allows outbound RDP connections. It does not permit incoming RDP connections.

A separate installation of RDP 7.0 is not supported on earlier server operating systems as a client, and if you hack the install to install RDP7 on a server SKU (there are instructions floating around the web for this, but none are supported or endorsed by Microsoft), then this will not enable the new features of RDP7 on the endpoint.

As of this writing, there is no RDP 7.0 for Apple Macintosh operating systems, just basic connectivity. Microsoft does not make or support an RDP client for Linux.

Which Endpoints Will Give Me All the Features of RDP 7.0?
To get all the features of RDP 7.0, you'll need to connect to Windows 7 Enterprise or Ultimate edition, or Windows Server 2008 R2 with the RD Session Host role service installed. Administrative connections to RD Session Host servers or connections to other Windows 7 SKUs will get a limited set of features. Windows 7 Premium cannot be an RDP endpoint.

Does RDP 7.0 Support Tablet Input?
No.

If Using Windows Server 2008 R2 as a Client and Connecting to Windows 7, Will You Get All Features of RDP 7.0?
Yes, as long as you're connecting to Windows 7 Enterprise or Ultimate edition. When you connect to Windows 7 Professional, some features, such as multimedia redirection, bidirectional audio, and true multi-monitor support, will not be available.

Can I Use RDP 7.0 to Make Windows 7 Support Multiple Sessions?
No. Client SKUs support only a single active session at a time. This is by design; multiple sessions aren't covered by the End User License Agreement (EULA).

Can I Split the Remote Display to Show Both Local and Remote Desktops?
If a monitor is connected to the client, it will be used to display the remote session. Using the tools provided, it is not possible to specify that a particular monitor should be used for displaying the remote session and another should be used for displaying the local desktop. It's also not possible to hook up an external display tool (like a projector) and show the local window on the projected image and the remote session on the client's monitor (or the reverse).

Moving the Client Experience to the Remote Session

It's been said of RDS that it "makes it like being there, only better." Let's see what you can do to let users bring their personal work habits to the remote session without causing trouble for you or the other users sharing that RD Session Host server or pooled and personal VMs.
The following sections discuss both per-user and per-computer settings that define the client experience. Not all user-experience configurations can be managed at the user level in Group Policy. Where applicable, the discussions include the settings in the RD Configuration Tool and Active Directory Users And Computers, for those not using Group Policy to configure all settings.

Which Client Devices Can You Add to the Remote Session?

Most supported client devices require little setup to use in a remote session, as long as you meet the system requirements. For PnP redirection, make sure that you've installed the Desktop Experience feature on each RD Session Host server or Windows 7 computer. For RD Easy Print, make sure that you've installed RDP 6.1 or later on each client. RDP 7.0 is best, as it does not require the Microsoft .NET Framework on the client, whereas RDP 6.1 does.
You can configure device and resource redirection in one of four ways:
■ Using Group Policy (highest priority)
■ Using Active Directory Users And Computers on a per-user basis (printer redirection only; second priority)
■ Using Remote Desktop Session Host Configuration on a per-server basis (third priority)
■ Using the RDC on a per-connection basis (fourth priority)

The priorities mean that although configuration at these levels will be merged for the connection, if device redirection is not allowed at any one of these levels, the redirection will be disabled for the user or machine(s) the setting affects. For example, if drive redirection is left unconfigured in Group Policy but enabled in RDC, it will be enabled for the connection. But if you enable drive redirection in RDC, yet it is disabled at the server level (in Remote Desktop Session Host Configuration), drive redirection to that server will be disabled. A lower-priority setting might be able to disable a setting enabled at a higher priority, but it can never enable something disabled at a higher priority.
Not a po c es are configurab e through a too s Group Po cy exposes a po c es (except
for the dr ves and dev ces p ugged n ater sett ngs); other too s expose a subset Because
of the d fferent ways you can contro dev ce and resource red rect on, the opt ons can be
confus ng Tab e 6-2 summar zes the types of dev ces and resources that can be red rected;
whether they can be contro ed by Act ve D rectory Users And Computers, RDC, Remote
Desktop Sess on Host Configurat on, or Group Po cy; and what that contro ed state s set to
by defau t

TABLE 6-2  Default Drive and Resource Redirection Settings for Active Directory Users And Computers, RDC, Remote Desktop Session Host Configuration Tool, and Group Policy Settings

| Resource | Active Directory Users And Computers, User Environment Tab | RDC 7 | Remote Desktop Session Host Configuration | Group Policy |
| Audio and video playback | Not configurable from here | Enabled | Disabled | Not configured; disabled by default for server endpoints; enabled by default for client endpoints |
| Limit audio playback quality | Not configurable from here | Not configurable from here | Not configurable from here | Not configured; default setting is Dynamic |
| Audio recording | Not configurable from here | Disabled | Enabled | Not configured; by default enabled when the endpoint is Win7 but disabled when the endpoint is Windows Server 2008 R2 |
| Printer redirection | Enabled | Enabled | Named Windows printer; enabled | Not configured; enabled by default |
| LPT redirection | Not configurable from here | Not configurable from here | Enabled* | Not configured; enabled by default |
| Clipboard redirection | Not configurable from here | Enabled | Enabled | Not configured; enabled by default |
| Smart card redirection | Not configurable from here | Enabled | Not configurable from here | Not configured; enabled by default |
| Serial ports/COM port redirection | Not configurable from here | Not enabled | Enabled | Not configured; enabled by default |
| Drive redirection | Has no effect** | Not enabled | Enabled | Not configured; enabled by default |
| Drives connected to later | Not configurable from here | Not enabled | Not configurable from here | Not configurable from here |
| PnP device redirection | Not configurable from here | Not enabled | Enabled | Not configured; enabled by default |
| Devices plugged in later | Not configurable from here | Not enabled | Not configurable from here | Not configurable from here |
| Default to main client printer | Enabled | Not configurable from here | Not configured | Not configured; enabled by default |

*In Remote Desktop Session Host Configuration, LPT port redirection will be disabled and not able to be edited (the check box will be shaded and unavailable to check) if this Group Policy setting, Use Remote Desktop Services Easy Print Printer Driver First, is enabled. The setting is located at Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Printer Redirection.
**Although there is a setting on the Environment tab in the user account Properties dialog box available from Active Directory Users And Computers, this setting has no effect. It was originally designed to be used by the Citrix MetaFrame add on to Windows 2000 Remote Desktop Services (before RDP supported drive redirection), and it isn't used by RDP.
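The priority rule from the text and the default column of Table 6-2, encoded as a small resolver plus an audit of which data-moving redirections end up on. This is an added example, not code from the book: the names State, LEVELS, resolve and audit are this example's own, and the default table is my reading of Table 6-2 with "Not configured" and "Not configurable from here" both treated as deferring to the other levels.

```python
"""Model of the four-level redirection priority rule.

Added example, not from the book. Levels from highest to lowest priority:
Group Policy, Active Directory Users And Computers (aduc), RD Session Host
Configuration (rdsh), RDC per-connection (rdc). A DISABLED at any level
wins; a lower level can never re-enable what a higher level disabled.
"""
from enum import Enum


class State(Enum):
    ENABLED = "enabled"
    DISABLED = "disabled"          # also covers RDC's "Not enabled" (box not ticked)
    NOT_CONFIGURED = "not configured"


LEVELS = ("group_policy", "aduc", "rdsh", "rdc")   # highest to lowest priority

# Constructed from the default values in Table 6-2 (resource -> {level: State}).
TABLE_6_2_DEFAULTS = {
    "drive":                {"group_policy": State.NOT_CONFIGURED, "aduc": State.NOT_CONFIGURED,
                             "rdsh": State.ENABLED, "rdc": State.DISABLED},
    "clipboard":            {"group_policy": State.NOT_CONFIGURED, "aduc": State.NOT_CONFIGURED,
                             "rdsh": State.ENABLED, "rdc": State.ENABLED},
    "com_port":             {"group_policy": State.NOT_CONFIGURED, "aduc": State.NOT_CONFIGURED,
                             "rdsh": State.ENABLED, "rdc": State.DISABLED},
    "pnp_device":           {"group_policy": State.NOT_CONFIGURED, "aduc": State.NOT_CONFIGURED,
                             "rdsh": State.ENABLED, "rdc": State.DISABLED},
    "smart_card":           {"group_policy": State.NOT_CONFIGURED, "aduc": State.NOT_CONFIGURED,
                             "rdsh": State.NOT_CONFIGURED, "rdc": State.ENABLED},
    "audio_video_playback": {"group_policy": State.NOT_CONFIGURED, "aduc": State.NOT_CONFIGURED,
                             "rdsh": State.DISABLED, "rdc": State.ENABLED},
}


def effective_state(levels):
    """Resolve one resource across the four levels.

    DISABLED anywhere wins; otherwise ENABLED if some level enables it; if
    every level defers, nothing asked for the redirection and it stays off.
    """
    for level in LEVELS:
        if levels[level] is State.DISABLED:
            return State.DISABLED
    if any(levels[level] is State.ENABLED for level in LEVELS):
        return State.ENABLED
    return State.NOT_CONFIGURED


def resolve(overrides=None):
    """Apply overrides ({resource: {level: State}}) on top of the Table 6-2
    defaults and return {resource: effective State}."""
    merged = {res: dict(levels) for res, levels in TABLE_6_2_DEFAULTS.items()}
    for res, levels in (overrides or {}).items():
        merged[res].update(levels)
    return {res: effective_state(levels) for res, levels in merged.items()}


# Redirections through which data can leave or enter the session.
SENSITIVE = ("drive", "clipboard", "pnp_device", "com_port")


def audit(overrides=None):
    """Sensitive redirections that end up ENABLED; each one needs either a
    justification or a disable at a higher-priority level (GPO or RDSH)."""
    effective = resolve(overrides)
    return [res for res in SENSITIVE if effective[res] is State.ENABLED]


if __name__ == "__main__":
    # The chapter's two worked cases: RDC enables drives with GPO unset,
    # then RDC enables drives but RDSH configuration disables them.
    print(resolve({"drive": {"rdc": State.ENABLED}})["drive"])
    print(resolve({"drive": {"rdc": State.ENABLED, "rdsh": State.DISABLED}})["drive"])
    print(audit())
```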

By default, most device redirection is not specified at the Group Policy level (the policies are available but not configured). To control device redirection via Group Policy, the GPOs that you would modify (and apply to the OU where the endpoint resides) are located at Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection. They are:
■ Allow Audio And Video Playback Redirection  Audio and video playback redirection is disabled by default when connecting to a Windows 2008 R2 RD Session Host server but enabled for Windows 7, Windows Vista, or Windows XP. If this setting is unconfigured, audio and video playback redirection can be controlled using the Remote Desktop Session Host Configuration on a per-server basis.
■ Allow Audio Recording Redirection  Audio recording redirection is not allowed by default when connecting to a Windows 2008 R2 RD Session Host server, but it is allowed by default when connecting to a Windows 7 endpoint. To change this default behavior, toggle this GPO (to Enabled for RD Session Host servers, or Disabled for Windows 7 endpoints).
■ Limit Audio Playback Quality  You can limit the quality of audio playback by enabling this setting. Limiting audio playback quality can help save bandwidth over slow WAN links. You can set the audio playback to High (no compression), Medium (some compression, latency determined by the codec used), or Dynamic, which determines the best choice of playback quality given the bandwidth available to the connection.
■ Do Not Allow Clipboard Redirection  Enable this policy to disable clipboard redirection to an endpoint. Clipboard redirection can also be controlled on a user basis in Group Policy with this GPO: User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do Not Allow Clipboard Redirection.
■ Do Not Allow COM Port Redirection  Enable this policy to disable COM Port redirection. By default, COM Port redirection is allowed for RDS sessions. If your users don't need it, stop COM Port redirection by enabling this setting. If you disable this setting, then COM Port redirection is always allowed. If this setting is left unconfigured, COM port redirection is not specified by Group Policy but can be specified using RD Configuration Tool on a per-server basis.
■ Do Not Allow Drive Redirection  Enable this policy to disable drive redirection to an endpoint.
■ Do Not Allow LPT Port Redirection  This setting does affect LPT printers. However, it will have no effect if you're using RD Easy Print because that's not redirected—it's just sent to the client for processing. This setting can also be configured from either Active Directory Users And Computers or the Client Settings tab for RDP in Remote Desktop Session Host Configuration. Enable this policy to disable LPT Port redirection to an endpoint.
■ Do Not Allow Supported Plug And Play Device Redirection  By default, this is not controlled by Group Policy, and users can choose to enable Plug And Play Redirection in the RDC client. Enable this policy to disable Plug And Play Redirection. It can also be controlled on a per-server basis using RD Session Host Configuration.
■ Do Not Allow Smart Card Device Redirection  By default, smart card redirection is enabled for RDP 6.1 and later. Enable this policy to disable smart card device redirection to an endpoint.
■ Allow Time Zone Redirection  Time zone redirection is not allowed by default, and it is configurable only by GPO. See the section entitled "Redirecting Time Zones" later in this chapter for more information. Time zone redirection also does not work for pooled and personal VMs running client operating systems.

NOTE  Although these policies are listed in the Remote Desktop Services section of Group
Policy, they apply to pooled and personal VMs as well (except for time zone redirection).

You can also disable redirection of specific types of supported plug and play devices with GPOs located at Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions, but you need to know the Device IDs or Device globally unique identifiers (GUIDs) of the devices for which you wanted to disable redirection. For example, to block redirection of a camera, enable the GPO called Prevent Installation Of Devices Using Drivers That Match These Device Setup Classes and input the Device Class of the specific device for which you want to block redirection.
To find out what a device's GUID is, open Computer Management, select Device Manager, right-click a device, select Properties, select the Details tab, and in the Properties drop-down box, choose Device Class GUID. Right-click the value and choose Copy.
You can also alert the user that the device redirection has been blocked by policy restrictions by sending a pop-up message to the remote session. Enable either of these two GPOs and add a text message:
■ Display A Custom Message When Installation Is Prevented By A Policy Setting
■ Display A Custom Message Title When Device Installation Is Prevented By A Policy Setting
By default, device redirection is allowed on a per RD Session Host server (except for audio and video playback). To disable specific device redirections, open the Remote Desktop Session Host Configuration on the server, double-click RDP-Tcp, select the Client Settings tab, and select the check box next to any of the following devices that you do not want to redirect:
■ Drive
■ Windows Printer
■ LPT Port
■ COM Port
■ Clipboard
■ Audio And Video Playback (disabled in RD Configuration by default)
■ Audio Recording
■ Support Plug And Play Devices
■ Default To Main Client Printer
Note that Default To Main Client Printer is more of an option than a redirection, but it is located in this pane. This toggles whether or not to make the client default printer the default printer in the remote session.
Assuming that you've not disabled device redirection by GPO or at the server level, any remaining device redirection setup occurs on the client. (If you have disabled device redirection at the GPO or server level, then there's nothing to be done on the client—nothing that you do on the client will override Group Policy or choices made at the server level.) Run the Remote Desktop Connection (RDC) client. To configure device redirection, click the Options button in the RDC dialog box and select the Local Resources tab. The Printers and the Clipboard options are on this tab, but to choose to redirect other devices, you'll need to click More to open the dialog box shown in Figure 6-2.

FIGURE 6-2  You can choose to make plug and play devices available in the remote session.

If you use smart cards for user authentication in your environment, then smart cards must be redirected so users can use them to authenticate their remote sessions. As shown in Figure 6-2, smart cards are redirected by default.
Serial port devices are not remoted by default; not many devices use serial connections these days. Likewise, drives are not remoted by default. Expand the Drives option to select particular drives that you want to make accessible in the remote session. (One option is Drives That I Plug In Later, so you can opt to add USB drives to the remote session using DVCs.)

Plug and play devices are not remoted by default, so you'll need to enable their redirection to use them in the session. In Figure 6-2, there is a camera plugged into the client. If you select the check box next to Other Supported Plug And Play (PnP) Devices, when you connect to the remote session, the RD Session Host server will install the redirector driver and then display the drive in My Computer as though it were locally attached, as shown in Figure 6-3.

FIGURE 6-3  Redirected devices appear in the remote instance of My Computer, just as they do in the local instance.

IMPORTANT  If you don’t see the PnP device automatically in the remote session—if
instead the endpoint prompts you to install drivers—then you probably haven’t previously
installed the Desktop Experience, which is required to use the PnP Device Redirection
Framework.

Redirected devices, such as the camera in the example, will disappear when unplugged and then will reappear when you plug them in again. When the session ends, all redirected devices disappear from the endpoint.

Pros and Cons of Redirecting Resources


Providing remote access to resources has both benefits and drawbacks. The more remote devices that you enable, the richer the client experience becomes, as it is more like the desktop client experience. But more redirected devices can lead to unintended consequences.
Obviously, redirecting drives opens a security hole. When a local drive is redirected to the remote session, storing data to the local drives is easy. This is true from a desktop computer on the corporate network, of course, but a desktop or corporate-sponsored laptop is trusted. A personal laptop or a public computer in a hotel or coffee shop is not. Not only that, but even a trusted laptop can be lost or stolen. A laptop with corporate data on it is much more valuable than the cost of replacing the hardware. If you enable drive redirection, you're also vulnerable to data from the client making its way to the endpoint. Drive redirection is full duplex; data can travel in both directions. It is not possible to restrict data to one direction.

Therefore, it's necessary to make sure that you restrict remote user access to key drives from remote sessions.
Perhaps less obviously, redirecting devices to a remote session might affect the experience for the person who's benefiting from the redirection. Those remote devices must pass data back and forth between client and endpoint. The more data you pass, the more competition there is for bandwidth between client and server. RDP compresses data well (see the How It Works sidebar entitled "Tuning RDP Performance for LANs and WANs" earlier in this chapter), and it is quite responsive for LAN connections, but it can still be affected by large file transfers, like any other network—it's just that large file transfers don't affect the user's typing when working locally.
Redirecting print devices can also ease management at the expense of performance. Because printing to redirected printers is much easier with RD Easy Print, it might be tempting to always print to redirected printers. This can be a good policy, but keep in mind the physical location of the printers. Every time the print job has to travel across the network, that's one hop across a relatively slow connection. (A LAN might be quite fast, but it's still slower than passing data between components on the same computer.) So if a client has a locally installed printer, that's one hop. If the client has a network connection to a TCP/IP printer, that's two hops (one to get to the client and one to get to the printer). If the client is connecting to a print server with connections to other printers, that's three hops: one to get to the client, one to get to the print server, and one to get to the printer.
Attaching the printers to the RD Session Host server works sometimes, but it doesn't always work well. One disadvantage is that this puts you right back to installing all the printer drivers on the RD Session Host server, with the management overhead that entails. For another reason, clients might be nowhere near the RD Session Host server—perhaps not even in the same country. But it's worth keeping the "hop" count in mind when designing the printer arrangement, balancing it against the management requirements.
The bottom line is that the decisions you make about device redirection will be based on the circumstances in which you're deploying RDS and the scenarios that you'll need to enable.

Device and File System Redirection


In addition to core graphics remoting, RDP supports sharing a number of resources between the client and the session on the endpoint. These resources can include items like the clipboard, printers, the file system, and even some plug and play devices like cameras. Unlike graphics and keyboard/mouse remoting, you can have a remote session without supporting any of these features; the user will just find the experience more like using the local computer if you do support them.

DIRECT FROM THE SOURCE

Changing Bandwidth Allocation for RDP Connections


Makarand Patwardhan
Software Development Engineer

When running applications in a remote connection, multiple applications send data from server to client. These applications compete for available bandwidth, and over a slow connection, you might find that the session responsiveness suffers. This problem manifests itself most severely when printing a large document over a low bandwidth connection. The printer data competes for available bandwidth with the video rendering, thus deteriorating the graphics rendering significantly.

Beginning in Windows Server 2008 and Windows Vista, we fixed this problem by
allocating a fixed percentage of bandwidth to video updates to the client. The rest
goes to virtual channel traffic for redirected devices. By default, this allocation is 70
percent for video and 30 percent for virtual channel data. When bandwidth usage is
constrained, video data is guaranteed to get 70 percent of the available bandwidth,
so the session will remain responsive.

Although this scheme solves the problem effectively, there could be some scenarios
in which you might want to tweak it a bit. You can adjust these settings by editing
the registry. Please note that these edits are not supported, and you will need to
reboot the RD Session Host server to see the changes take effect.

View or add the following list of registry values that affect the bandwidth allocation
behavior. These are all DWORD values under HKLM/SYSTEM/CurrentControlSet/
Services/TermDD.

● FlowControlDisable  When set to 1, this value will disable the new flow control
algorithm, making it first-in–first-out (FIFO) for all packet requests. This provides
results similar to Windows Server 2003. (Default for this value is 0).
● FlowControlDisplayBandwidth/FlowControlChannelBandwidth  These two
values together determine the bandwidth distribution between display and virtual
channels (VCs). You can set these values in the range of 0–255. For example, setting
FlowControlDisplayBandwidth = 100 and FlowControlChannelBandwidth = 100 will
make the bandwidth distribution equal between video and VCs. The default settings
are 70 for FlowControlDisplayBandwidth and 30 for FlowControlChannelBandwidth,
thus making the default distribution equal to 70–30.
● FlowControlChargePostCompression  This value, if set to 1, bases the bandwidth
allocation on post-compression bandwidth usage. The default for this value is 0,
meaning the bandwidth distribution is applied on precompressed data.

Clipboard Redirection
The system clipboard allows users to transfer data between applications that are running on the same computer. First, a user copies data from one application, which places that data on the clipboard. Next, the user pastes it in another application. Because the clipboard stores the data, it's possible to paste multiple times. Because the clipboard will store data in multiple formats, it's possible to share information between applications that support different formats—for example, you can paste data from Microsoft Word to Notepad, even though Notepad does not support the .docx format. Any application that uses the clipboard can share data between the local and remote session.
Clipboard redirection allows you to share the following between local and remote applications:
■ Generic data
■ Palette data to preserve the color of the data on the clipboard
■ Metafile data for storing an image in an application-agnostic format
■ The list of files to be transferred
■ File Stream data for transmitting pieces of an image (instead of the whole file) or separating the copy action for multiple files
To set up redirection, the client and server go through the following steps to initialize the connection shown in Figure 6-4:
1. The server tells the client the capabilities that it supports.
2. The server tells the client that it is ready and waiting.
3. When it hears that the server is ready, the client transmits its capabilities to the server.
4. The client notifies the server of a location on the client file system that can be used to deposit files being copied to the client. To use this location, the server must be able to access it directly. At this point, the client and the server capability negotiation is complete.
5. The server and client synchronize the Clipboard Formats that each supports, by mimicking a copy operation on the client by forcing it to send a Format List PDU.
6. The server confirms the list of supported formats.

[Figure 6-4 shows the exchange over the static virtual channel: (1) Capabilities PDU and (2) Monitor Ready PDU from server to client; (3) Capabilities PDU, (4) Temp Directory PDU, and (5) Format List PDU from client to server; (6) Format List Response PDU from server to client.]

FIGURE 6-4  Here is the clipboard redirection connection initialization sequence.

Two sequences comprise the data transfer between the clipboards on each end of the virtual channel: the copy sequence and the paste sequence. These sequences together copy data on the server clipboard to the clipboard of a client.
The copy sequence synchronizes the list of available formats across the client and the server clipboards. The endpoint is notified when the user updates the contents of the clipboard so it doesn't have to keep polling the clipboard to get updates. When the clipboard is updated on the server, it sends a Format List PDU to the client containing an updated list of formats that are available on the endpoint. The client updates its clipboard format list and sends a Format List Response PDU back to the server.
The paste sequence transfers data from the server to the client clipboard. It gets invoked when an application on the endpoint requests data from its clipboard. When an application on the server requests data from the clipboard, the endpoint sends a Format Data Request PDU. The Format Data Request PDU contains a format ID of the type of data requested. The client responds with a Format Data Response PDU containing the data requested from its local clipboard.

NOTE  If the data requested is a file, a File Contents Request PDU and File Contents
Response PDU are used to implement the transfer of files.

Figure 6-5 depicts a clipboard copy/paste function over an RDP connection. In the following scenario, there is data on the client clipboard that is requested from within the RDP session hosted on the server. Here are the steps:
1. Data from a client application gets copied to the clipboard.
2. The clipboard notifies the virtual channel on the client.
3. The VC on the client sends an updated Format List to the server.
4. The server's VC receives the Format List and updates the clipboard on the server.
5. The server's VC acknowledges that the update happened successfully.
6. The application on the server requests data.
7. The server's VC requests the data from the client.
8. The client's VC gets the data or file from the client's clipboard.
9. The client's VC sends the requested data or file back to the endpoint.
10. The VC on the server sends the data or file to the clipboard.
11. The clipboard sends the data to the application.

[Figure 6-5 shows the client and server clipboards with their VC endpoints on the clipboard virtual channel, annotated with the numbered steps above: Format List PDU (3) and Format List Response PDU (5), then Format Data/File Contents Request PDU (7) and Format Data/File Contents Response PDU (9).]

FIGURE 6-5  Clipboard redirection in action.
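The initialization sequence of Figure 6-4 and the copy/paste sequence of Figure 6-5, simulated end to end with both peers' messages. This is an added example, not code from the book: the two peers are in-memory stand-ins for the RDC client and the RD Session Host, the 8-byte header layout, the msgType numbers and the 36-byte short format-list entry follow MS-RDPECLIP as I recall them, and the capability and temp-directory payloads are simplified placeholders.

```python
"""Simulation of the clipboard virtual channel exchanges: initialization
(Figure 6-4) and the copy/paste sequence of Figure 6-5. Added example, not
code from the book. Header layout, msgType numbers and the 36-byte short
format-list entry follow MS-RDPECLIP as this example's author recalls them;
capability and temp-directory payloads are simplified placeholders."""
import struct

# Clipboard PDU header: msgType (2 bytes) | msgFlags (2) | dataLen (4), little-endian.
HEADER = struct.Struct("<HHI")
CB_MONITOR_READY, CB_FORMAT_LIST, CB_FORMAT_LIST_RESPONSE = 0x0001, 0x0002, 0x0003
CB_FORMAT_DATA_REQUEST, CB_FORMAT_DATA_RESPONSE = 0x0004, 0x0005
CB_TEMP_DIRECTORY, CB_CLIP_CAPS = 0x0006, 0x0007
CB_RESPONSE_OK, CB_RESPONSE_FAIL = 0x0001, 0x0002
CF_TEXT, CF_UNICODETEXT = 1, 13          # standard Windows clipboard format IDs

def encode_pdu(msg_type, msg_flags=0, payload=b""):
    return HEADER.pack(msg_type, msg_flags, len(payload)) + payload

def decode_pdu(raw):
    """Parse header and payload; refuse a PDU whose dataLen overruns the buffer."""
    msg_type, msg_flags, data_len = HEADER.unpack_from(raw)
    payload = raw[HEADER.size:HEADER.size + data_len]
    if len(payload) != data_len:
        raise ValueError("truncated clipboard PDU")
    return msg_type, msg_flags, payload

def encode_format_list(format_ids):
    # Short format names: 4-byte formatId followed by a 32-byte name (left blank here).
    return b"".join(struct.pack("<I", fid) + bytes(32) for fid in format_ids)

def decode_format_list(payload):
    if len(payload) % 36:
        raise ValueError("malformed format list")
    return [struct.unpack_from("<I", payload, off)[0] for off in range(0, len(payload), 36)]

class ClipboardPeer:
    """One end of the channel (in reality the RDC client or the RD Session Host)."""

    def __init__(self):
        self.local_data = {}      # this side's own clipboard: format_id -> bytes
        self.peer_formats = []    # formats the other side last advertised
        self.ready = False        # client side: Monitor Ready received
        self.temp_dir = None      # server side: client-supplied location for copied files

    def send(self, peer, pdu):
        return peer.receive(self, pdu)

    def receive(self, sender, pdu):
        msg_type, flags, payload = decode_pdu(pdu)
        if msg_type == CB_MONITOR_READY:                      # step 2
            self.ready = True
        elif msg_type == CB_TEMP_DIRECTORY:                   # step 4
            self.temp_dir = payload.decode("utf-16-le").rstrip("\0")
        elif msg_type == CB_FORMAT_LIST:                      # copy sequence
            self.peer_formats = decode_format_list(payload)
            return self.send(sender, encode_pdu(CB_FORMAT_LIST_RESPONSE, CB_RESPONSE_OK))
        elif msg_type == CB_FORMAT_DATA_REQUEST:              # paste sequence
            data = self.local_data.get(struct.unpack("<I", payload)[0])
            if data is None:      # only hand out formats this side really holds
                return self.send(sender, encode_pdu(CB_FORMAT_DATA_RESPONSE, CB_RESPONSE_FAIL))
            return self.send(sender, encode_pdu(CB_FORMAT_DATA_RESPONSE, CB_RESPONSE_OK, data))
        elif msg_type in (CB_FORMAT_LIST_RESPONSE, CB_FORMAT_DATA_RESPONSE):
            return flags, payload                             # handed back to the requester
        return None

def format_list_pdu(peer):
    return encode_pdu(CB_FORMAT_LIST, 0, encode_format_list(list(peer.local_data)))

def initialize(server, client, temp_dir="C:\\Temp\\clip"):
    """Steps 1 to 6 of Figure 6-4; True when the server confirms the format list."""
    server.send(client, encode_pdu(CB_CLIP_CAPS, 0, b"server-caps"))          # 1
    server.send(client, encode_pdu(CB_MONITOR_READY))                         # 2
    if not client.ready:
        raise RuntimeError("client must not send before Monitor Ready")
    client.send(server, encode_pdu(CB_CLIP_CAPS, 0, b"client-caps"))          # 3
    wide = temp_dir.encode("utf-16-le") + b"\0\0"
    client.send(server, encode_pdu(CB_TEMP_DIRECTORY, 0, wide))               # 4
    flags, _ = client.send(server, format_list_pdu(client))                   # 5, 6
    return flags == CB_RESPONSE_OK

def client_copy(client, server, format_id, data):
    """Figure 6-5 steps 1 to 5: data reaches the client clipboard, format list is synced."""
    client.local_data[format_id] = data
    flags, _ = client.send(server, format_list_pdu(client))
    return flags == CB_RESPONSE_OK

def server_paste(server, client, format_id):
    """Figure 6-5 steps 6 to 11: a server application asks for one advertised format."""
    if format_id not in server.peer_formats:
        return None               # never request a format the client did not advertise
    req = encode_pdu(CB_FORMAT_DATA_REQUEST, 0, struct.pack("<I", format_id))
    flags, payload = server.send(client, req)
    return payload if flags == CB_RESPONSE_OK else None

def demo():
    server, client = ClipboardPeer(), ClipboardPeer()
    initialize(server, client)
    client_copy(client, server, CF_TEXT, b"hello from the client\0")
    return server_paste(server, client, CF_TEXT), server_paste(server, client, CF_UNICODETEXT)

if __name__ == "__main__":
    print(demo())
```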

File System Redirection

File system redirection refers to the redirection and access of client-side file storage hardware from a remote desktop session. This is accomplished by the File System Virtual Channel Extension. It runs over a static virtual channel called RDPDR. The File System Virtual Channel Extension provides access to client-side non-volatile resources (including hard drives, floppy drives, and flash drives) from within an RDP session by redirecting input/output (I/O) requests and responses between the file system drivers on the client and the file system drivers on the server.

NOTE  Device redirection is called an extension to basic RDP because it enhances the core
RDP capabilities of graphics remoting and enabling mouse and keyboard input. The exten-
sion is also used as a base by other RDP extensions for printers, ports, and smart cards.

First, the protocol has to be initiated. The initiation sequence consists of an "announce and reply" exchange, a capabilities exchange, and a device list exchange between the client and the server, as follows:
1. The server and client exchange version information, and the client sends a Client ID to the server.
2. The client sends its computer name to the server.
3. Then the server and client exchange their capabilities—the list of features that will be sent over the virtual channel. The capabilities list in these exchanges can include both file system capabilities and capabilities for other extensions that piggyback on the File System Virtual Channel extension (such as the Port Virtual Channel Extension and the Print Virtual Channel Extension). If the capability is not included in this exchange, then the feature will not be supported over the channel and the subsequent device will not be redirected.
4. The server confirms that it got the client ID.
5. The client sends a Client Device List Announcement Request to the server containing information on all the devices that will be redirected, including file system devices, printers, serial ports, parallel ports, and smart cards. The server sends a Server Devices Announce Response message to the client indicating the success or failure of each device initiation.
After a successful initiation sequence, local file system devices can be used in the remote session as if they were local. The file system VC extension takes care of forwarding various I/O requests and responses between the client and server (reads, writes and queries, control requests, and so on) to the redirected devices.
Even though file system redirection uses static virtual channels, devices (for instance, flash drives) can be attached to the client and to the existing remote session while the session is active. When a new device is added to the client, the client notifies the endpoint and the endpoint confirms the changes. When a device is removed from the client, the client notifies the server that the drive is no longer available. Figure 6-6 illustrates how these communications facilitate drive (and other resource) redirection.

[Figure 6-6 shows the client and server hard drives joined through the RDPDR virtual channel and the File System VC Extension on each side. Messages, top to bottom: Server Announce Request; Client Announce Reply with Client ID; Client Name Request (computer name); Server Core Capability Request; Client Core Capability Response; Server Client ID Confirm; Client Device List Announcement Request; Server Device List Announcement Response (Device 1 through Device n); Server I/O Request; Client I/O Response; Client Drive Device List Remove.]

FIGURE 6-6  File system redirection sequences are shown here.

Devices Connected to Client-Side Ports

The Serial and Parallel Port Virtual Channel Extension stipulates the communication used to enable serial and parallel port redirection between a client and a server. Port redirection allows applications on a server to use the physical ports on the client.
The Serial and Parallel Port Virtual Channel Extension piggybacks on the File System Virtual Channel Extension (discussed in the previous section, "File System Redirection"). Therefore, the File System Virtual Channel Extension must be initialized before serial or parallel ports can be redirected. After the File System Virtual Channel Extension is initialized, the ports on the client get enumerated and a matching pseudo-device gets created on the server. The endpoint pseudo-device that corresponds to the client port gets created like this:

1. The port redirection extension enumerates the local serial and parallel ports that need to be redirected, and the File System Virtual Channel Extension sends the information (containing unique IDs for each device) to the server.
2. When the server receives this request, it creates a pseudo-port device that emulates the client device. The pseudo-device's ID matches the port ID on the client.
3. When the server creates the pseudo-port, it sends a Server Create Request to the client to open an instance of the port device.
Now that the pseudo-port is created on the server, the session can start using the port.
The pseudo-port acts as a sort of intermediary between the application and the client when the port is used, sharing information that it receives from one with the other. Whenever an application on the server opens the pseudo-device, the server sends a message to the client containing application request parameters, and the client processes the data. Whenever an application on the server requests a read, write, or control operation on the pseudo-device, the port sends a corresponding message to the client for processing. The client in return processes the requests and sends a corresponding message back to the port containing the results of the request. The port forwards the results to the application that made the initial request. For these transactions, the server must maintain an association between the I/O requests from the applications and the responses from the client. It does so by tagging them with a matching ID called a FileID.
When an application attempts to close the port instance to the pseudo-device, the endpoint sends the request to the client. The client processes the request and responds with a confirmation (or an error).

Printers

For older printing models (RD Easy Print runs in its own DVC, so it does not use this extension), the RDS Print Virtual Channel Extension allows redirection of client-side printers in a remote session running on a server. The RDS Print VC Extension is a subprotocol within the RDP File System VC Extension and will only operate when the File System VC Extension is working.
As part of the File System VC Extension setup, the client prepares and sends a Client Device List to the server (see the section entitled "File System Redirection" earlier in this chapter for more information) containing information on all the devices that will be redirected. The Print VC Channel Extension helps to create this list by preparing the printer device data (enumerating the printer queues, determining what printers will be redirected, and so on) that goes into the Client Device List. When the server receives the list, it creates a pseudo-printer queue that represents the client-side printer.

NOTE  For more details on configuring RD Easy Print and standard printer redirection, see
the section entitled “Printing with RDP” later in this chapter.

Plug and Play Devices
The Dev ce Red rect on Framework ntroduced n W ndows Server 2008 and nsta ed when
you nsta the Desktop Exper ence uses DVCs to enab e P ug and P ay (PnP) Dev ce Red rec-
t on Th s framework makes t poss b e to red rect certa n types of dev ces from a c ent to
a remote sess on (R ght now, t works on y for spec fic types of dev ces, but the framework
s des gned to support potent a y any k nd of p ug and p ay dev ce ) Both oca and remote
app cat ons can use the red rected dev ces, and the dev ces are v s b e on y to the sess on n
wh ch they are started Here’s the rea y good part—th s process works w thout nsta ng dr v-
ers for those dev ces on the endpo nt The dev ce red rect on framework uses the c ent-s de
dr vers to enab e the dev ces
As far as possible, you won't want to install drivers on a server or VM. Device drivers are
not always reliable. If a driver crashes, it can affect the person using it (a user-mode driver) or
crash the endpoint (a kernel-mode driver). Unfortunately, device drivers enable the operating
system to communicate with hardware, so you don't have a choice about using them. Microsoft
doesn't make all Windows drivers, so its control over this problem is limited.
RD Session Host Server in Windows Server 2008 R2, as well as Windows 7, is designed to
minimize the dependency on device drivers. As you'll see in the section entitled "When You
Cannot Use RD Easy Print" later in this chapter, it's not always possible to avoid using device
drivers to enable client-side devices, and you will learn how to support them when you can't
avoid using them. But PnP Device Redirection and RD Easy Print help reduce the problems
associated with using drivers. They don't eliminate drivers entirely—you still need device drivers
on the client—but they do keep the drivers off the server, as long as the client-side drivers
support the framework.

ON THE COMPANION MEDIA  The guidelines for creating a conforming driver
information file (INF) are located in "Device Driver INF Changes for Plug and Play
Device Redirection on Terminal Server," located at http://www.microsoft.com/whdc
/driver/install/ts redirect.mspx.

The PnP Device Redirection Framework uses the components shown in Figure 6-7.

[Figure 6-7 (diagram not reproduced). Client endpoint: Application; MSTSC.exe containing the PnP Redirector and I/O Redirector; the Original Device Stack and Hardware, linked by PnP Events and Bus I/O. Server: UmRdpService; the Host Process running the User Mode Driver and Redirection Driver on the TSDR Framework (UMDF); the UMDF Reflector; and the RDP Protocol components. Labeled flows: PnP Protocol, RDP Virtual Channel, Reflected I/O, I/O Replay. Both sides are divided into user mode and kernel mode. Legend: Device Redirection Components, Real Device Components, User Mode Driver Framework (UMDF), RDP Protocol Components.]

FIGURE 6-7  Architecture of the PnP Device Redirection Framework.

On the client side is the RDC (Mstsc.exe), with a PnP redirector and an I/O redirector.
[You can see these two components on the client in the form of the Remote Desktop Device
Redirector (RDDR) in the System Devices section of the Device Manager.] RDDR manages two
aspects of communicating with client-side mobile devices:
■ Inventory of which devices are present, their capabilities, and the data on them,
handled by the PnP manager and passed to the PnP redirector
■ Reads from and writes to those devices (I/O replay), handled by the input/output (I/O)
manager and passed to the I/O redirector
The PnP manager and I/O redirector both communicate with the driver stacks for the
devices they're managing, which then communicate with the hardware. The RDDR sends this
communication to the session on the server via two virtual channels: one each for PnP-related
traffic and I/O-related traffic.
On the server, the two virtual channels backed by RDDR both communicate with the
Rdpdr.sys device driver in the RDP stack, which handles device redirection for RDP sessions.
The PnP protocol passes the device management and I/O data between the RDP stack in
kernel mode and the Remote Desktop Services User Mode Port Redirector service (the
UMRDP service), which makes device redirection work. By sending the data to the session, the
PnP protocol and port redirection service allow the devices to show up in the session.
PnP protoco and port red rect on serv ce a ow the dev ces to show up n the sess on
Communication with those devices is handled through the User-Mode Driver Framework
(UMDF). The UMDF is part of the standard Windows operating system—it's not specific to RD
Session Host servers—and was originally developed to support devices such as cameras and
portable music players. The UMDF has three components:
■ Driver manager (user mode) in the form of the UmRDP Service
■ Reflector (kernel mode)
■ Host process (user mode)
The driver manager is a system-wide Windows service started when the first UMDF device
is installed. It manages the host process and responds to messages from the reflector.
The reflector is the proxy for the kernel-mode stack for the drivers. It lives in the kernel,
but it is not a driver—its role is to send messages to the correct driver running in user mode.
Every time an application makes an I/O request involving an application using the UMDF, the
request goes through standard security vetting and is then passed to the reflector.
The host process is a child process of the driver manager (so that if it crashes, it won't bring
down the driver manager). The host process accepts messages from the driver manager (to
load drivers) and from the reflector (to accept requests to those drivers).
The three components work together like this. An application makes an I/O request that
requires a user-mode driver. (Which one isn't important for the general case described here.)
The request goes to the reflector. The reflector passes this request to the UMDF framework
within the host process. The framework either sends the job to the appropriate driver or
sends it back to the reflector if no driver is available. Next, the reflector sends the request
back to the driver manager to tell the host process to load an additional driver.
The UMDF host can manage any compatible user-mode driver. In this case, RDS has implemented
a redirector driver whose job is to communicate with Rdpdr.sys in the RDP protocol
stack. Therefore, the redirector driver's job is to accept the messages passed to it by the
reflector, which receives those requests from the application running in the remote session
that's trying to access the redirected device.
For example, the pieces can communicate something like this:
1. An application running in the remote session makes a request to copy a picture from a
client-side media device.
2. The I/O request (to copy a file from the plug and play device) goes to the kernel-mode
UMDF reflector.
3. The UMDF reflector passes the request to the UMDF host process, which determines
that the request came from the remote desktop session and uses the UMDF driver
manager to route it to the user-mode redirection driver.
4. The redirection driver sends the request to Rdpdr.sys, in the protocol stack.
5. Rdpdr.sys sends the request to the Terminal Server Device Redirector (TSDR) on the
client via the VCs.
6. TSDR communicates with the I/O manager to satisfy the request.
Today, only devices supporting the Media Transfer Protocol (MTP) and Picture Transfer
Protocol (PTP) can be redirected using the PnP Device Redirection Framework (and not all
devices supporting those protocols are supported with RD Session Host Servers or pooled
and personal VMs). However, the framework is designed to be extensible, so other types of
devices can be redirected as well.

Redirecting Time Zones


If all users are accessing RD Session Host servers from within the same building, they are all
working within the same time zone. If the workforce is mobile or spread over a wide geographic
area, trying to work from a non-local time zone can get disorienting for the users.
This isn't uncommon; many large companies have several locations within a country, and
quite a few—even small companies—must support people outside their own country and
maybe even outside their own continent. If the data center is in New York but one part of
the development team is working from California and accessing remote applications to keep
project logs, using the New York time zone in remote sessions can be very confusing.
Starting with Windows Server 2003, Terminal Services has been able to redirect the client's
time zone to the remote session. In Windows Server 2008 R2, the RD Session Host server does
the math, subtracting or adding time according to the relative time zones, and then presents
the adjusted time in the client session. The time zone is sent to the RD Session Host server, not
the actual time. If the users manually adjust their time on their computers but don't change
the time zone, then the difference will not show up in the remote session. In Windows Server
2008 and Windows Server 2008 R2, this setting is available as a user policy as well as a computer
policy, so you can selectively redirect time zone information.
The Group Policy setting controlling time zone redirection is Allow Time Zone Redirection.
If you want to configure it for users or groups of users, it's located at User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device And Resource Redirection.

NOTE  Although time zone redirection has been supported since Windows Server 2003,
the user policy controlling it was introduced in Windows Server 2008. In Windows Server
2003, you could enable or disable this setting only on a computer-wide basis.

Configure this setting on a computer-wide basis by enabling the same policy in Computer
Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device And Resource Redirection. By default, time zone
redirection is turned off (the policy is not configured). To turn it on, enable the policy. All RDC
clients capable of returning the client computer's time zone (RDP 5.1 and later) will do so. To
disable it, either don't configure the policy or disable it.

NOTE  The time zone redirection GPOs work only on RD Session Host servers, not when
connecting to pooled or personal VMs.
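As an added check (example code, not from the book), the following PowerShell reports whether Allow Time Zone Redirection is enabled at computer or user scope on the machine it runs on, and what time zone the current session actually sees. It assumes the policy is stored as the registry value fEnableTimeZoneRedirection under the Terminal Services policy key (HKLM for Computer Configuration, HKCU for User Configuration); the function names are mine.

```powershell
# Added example, not from the book. Assumption: the "Allow Time Zone Redirection" policy is stored
# as the DWORD fEnableTimeZoneRedirection under the Terminal Services policy key, with HKLM holding
# the Computer Configuration policy and HKCU the User Configuration policy
# (1 = Enabled, 0 = Disabled, value absent = Not Configured, which leaves redirection off).
function Get-TimeZoneRedirectionPolicy {
    $valueName = 'fEnableTimeZoneRedirection'
    $scopes = @(
        @{ Scope = 'Computer Configuration'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' },
        @{ Scope = 'User Configuration';     Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' }
    )
    foreach ($s in $scopes) {
        $item  = Get-ItemProperty -Path $s.Path -Name $valueName -ErrorAction SilentlyContinue
        $value = $null
        if ($item) { $value = $item.$valueName }
        if ($value -eq 1) {
            $state = 'Enabled: the client time zone is applied in the session'
        } elseif ($value -eq 0) {
            $state = 'Disabled'
        } else {
            $state = 'Not configured: redirection is off (the default)'
        }
        New-Object PSObject -Property @{ Scope = $s.Scope; RegistryPath = $s.Path; State = $state }
    }
}

# What a user in this session actually sees. Only the zone is redirected, never the clock, so a
# client whose clock was set by hand without changing its zone shows no difference here.
function Get-SessionTimeZoneView {
    $tz = [System.TimeZoneInfo]::Local
    New-Object PSObject -Property @{
        SessionName = $env:SESSIONNAME   # e.g. RDP-Tcp#0 inside a remote session, Console locally
        TimeZoneId  = $tz.Id
        UtcOffset   = $tz.BaseUtcOffset
        LocalTime   = Get-Date
    }
}

Get-TimeZoneRedirectionPolicy | Format-Table Scope, State, RegistryPath -AutoSize
Get-SessionTimeZoneView | Format-List
```

Run it once on the console and once inside an RDP session from a client in another zone: with the policy enabled, TimeZoneId changes between the two while the policy rows stay the same.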

Playing Audio
RDP 7.0 supports two kinds of audio redirection from endpoint to client: one using host-based
rendering and one using client-based rendering. In the first, the audio is rendered on
the server and sent to the client. In the second (introduced in RDP 7.0), the audio is sent from
the endpoint to the client for rendering. The first version has great backward compatibility
as this feature was introduced in Windows Server 2003. The second, available only with RDP
7.0 and when connecting to Windows 7 or Windows Server 2008 R2, has the advantage of
perfectly synching audio and video playback because they're rendered on the client.
In addition to remoting audio from endpoint to client, RDS can remote audio from client
to endpoint, enabling users to record themselves at their computers while working in a
remote location.

Basic Audio Remoting


Basic audio remoting has existed in Terminal Services since Windows Server 2003 and
Windows XP. This feature allows audio to be generated in a session and sent to the client for
playback. This feature relies on a static virtual channel set up at the beginning of the session
and removed at the end.
Audio playback has three aspects: initialization (to negotiate the client and server capabilities
and set up the communication to something they can both handle), transferring the
data to the client for rendering, and sending updates to reflect the volume and pitch (so that
when users raise the volume in the session for a song they like, the song plays louder on the
client). This communication takes place using static virtual channels and (for Windows XP and
Windows Server 2003 clients and endpoints only) User Datagram Protocol (UDP).
During the initialization phase, the client and server figure out their relative capacities that
will govern how they communicate for the remainder of the connection. These capacities
include the version, the supported audio formats, and whether the client can accept UDP
traffic (and, if it can, whether the communication will use UDP or a static virtual channel).
Figure 6-8 depicts this process.

[Figure 6-8 (diagram not reproduced): client and server exchange, over the static virtual channel, UDP yes/no, version, formats, and a series of yes/no flags, then UDP.]

FIGURE 6-8  Audio redirection negotiation

The steps of the process are as follows:

1. The server sends a packet to the client via static virtual channel, describing its version
information and the audio formats that it supports.
2. The client responds with a packet to the server, also via static virtual channel, using
flags to indicate the following:

• The client can consume audio data. (If this flag isn't set, then the endpoint won't
send audio data to the client.)

• The client can change the volume on the audio if it's changed in the session.

• The client can adjust the pitch if it's changed in the session.
3. The server and client sort out whether to use UDP to send the audio traffic to the
server.
If the client is running Windows XP SP1 or later, then the client can accept the audio
data sent to it via UDP. The fact that it can doesn't mean it will—the server might override
the client and send the information via static virtual channel. The decision process
works like this:

• If the server is running Windows XP SP1 or earlier, it will always use UDP communications
if the client supports them.

• If the endpoint is running Windows XP SP2 or SP3, then if the client version is
greater than 5 (meaning that the client is running Windows XP SP2 or later) the
server will send audio data to the client via UDP.

• If the server is running Windows Vista or Windows Server 2008, or Windows 7 or
Windows Server 2008 R2, then the server will always use static virtual channels to
send the audio data to the client, even if the client can use UDP.

After the client and server have established how they can communicate, clients using UDP
will work out with the server which port they're using and get the UDP communications set
up.

NOTE  Although audio traffic sent via UDP isn’t covered by RDP encryption, part of the
UDP configuration is setting up encryption between the client and server.

If the communication is happening on static virtual channels and both server and client are
running Windows 7 or Windows Server 2008 R2, then they will work out how much control
the session can have over the audio. There are three flags that the client can send to tell the
server how it wants to adjust the audio quality:
■ For the lowest-quality audio, the server dynamically adjusts the audio format to best
match network bandwidth (the size of the pipe) and latency (the speed of the pipe).
■ For medium quality, the server picks a format that the client supports that is also the
best compromise between quality and available bandwidth.
■ For high quality, the server chooses the audio format the client supports that also will
deliver the best audio, regardless of the bandwidth requirements.
That just set up the communications between client and server, but the actual data transfer
is much simpler. In a nutshell, when communication happens along a static virtual channel,
the server first tells the client what audio to expect next (with a short segment of the actual
content), then sends the audio. After each transmission, the client sends an acknowledgment.
To adjust the volume of the audio being sent to the client, the server will send a packet
telling the client what the volume should be (in absolute terms, not relative to what it might
have been previously).

Multimedia Redirection
Multimedia redirection, introduced with Windows 7 and Windows Server 2008 R2, is a bit
different from standard audio redirection. In this feature, any content that can be played
with Windows Media Player can be sent to the client to be rendered using the client's copy of
Windows Media Player, as long as the following conditions apply:
■ The server is running Windows 7 Ultimate or Enterprise edition or is an RD Session host
server
■ The user is not connecting with an /admin connection
■ The client is connecting via RDC 7
■ The client has Windows Media Player installed

At a high level, in multimedia remoting, multimedia content is sent from client to server via
a single DVC. Within the DVC are subchannels for sending the audio and video updates (see
Figure 6-9).

[Figure 6-9 (diagram not reproduced): one dynamic virtual channel, identified by a GUID, carrying the subchannels Presentation Initialization, Data System, Playback State, Video Windows Updates, and Volume Updates.]

FIGURE 6-9  Multimedia remoting over DVC uses subchannels

There are several aspects to making this work:

■ Negotiating the client and server capabilities and setting up the virtual channel, identified
with a GUID so that the server always knows which channel to send data to and
which client is sending it messages
■ Initializing the presentation of the data when Windows Media Player starts in the remote
session and ending the remoting when the multimedia ends
■ Streaming the data to the client for playback
■ As the multimedia plays, the server sends messages to the client to let it know the
playback state (for example, paused, rewound, or fast-forwarded)
■ The server notifies the client if the video window on the endpoint changes in size or
moves
■ The server notifies the client if the volume set in the session changes so the client can
adjust accordingly
To enable advanced graphics remoting, open Server Manager on the host. In the Client
Experience section, make sure that you've checked the box for Audio and Video Playback.
Windows 7 Enterprise and Ultimate edition endpoints don't require additional configuration
to support this feature.

Recording Audio from Client to Server


Another new feature of RDP 7.0 (requiring both a Windows 7 or RD Session Host endpoint
and the RDC 7 client) is often called bidirectional audio. Because RDP has supported audio
remoting since Windows Server 2003 and Windows XP, the real new feature here is that you
can send sound from the client to the server—once again, really blurring the line between
the desktop and the data center. This feature enables new functionality, like making voice
recordings in a remote session.
To enable audio recording redirection, open Server Manager on the RD Session Host
server. In the Client Experience section, make sure that you've checked the box for Audio
recording redirection. Windows 7 Enterprise and Ultimate edition don't require additional
configuration to support this feature.
To record from within a session, you'll need to enable this feature on the client. Open
the RDC client and expand the options. Select the Local Resources tab and click the Settings
button in the Remote Audio section. In the Remote Audio Recording section, make sure that
Record From This Computer is selected.

How the RDC Version Affects the User Experience—or Doesn't

Some people expect that upgrading to the RDC 7 client will give them all the features of RDC
7 immediately. And it will—as long as the server you're connecting to is capable of supporting
all the features of RDP 7.0. If it's not, the connection will support the set of features that
both client and server can handle. The endpoints that can support the full set of RDP 7.0 features
are Windows 7 Enterprise and Ultimate editions and Windows Server 2008 R2 with the
RD Session Host role service installed. Everything else will get some variant depending on its
technical capability or the features available to that edition. See Table 6-3 for some examples
of how the user experience will vary depending on the version of client and server, and the
maximum supported client for each operating system.

NOTE  For the sake of readability, this table will not attempt to show the myriad subcases
(for example, the user experience when connecting to an RD Session Host server via an
/admin connection). The most important thing to remember is that the full set of RDP 7.0
features is available only when connecting to a Windows Server 2008 R2 RD Session Host
server or a Windows 7 Enterprise or Ultimate edition computer, and using the RDC 7 client.

TABLE 6-3  Determining the User Experience

CLIENT OPERATING SYSTEM | MAX SUPPORTED RDC | SERVER | RDP EXPERIENCE
Windows 7 or Windows Server 2008 R2 | RDC 7 | Windows Server 2008 R2 RD Session Host Server or Windows 7 Ultimate and Enterprise edition | RDP 7.0
Windows Vista SP1, SP2 | RDC 7 | Windows Server 2008 R2 RD Session Host Server or Windows 7 Ultimate and Enterprise edition | RDP 7.0
Windows XP SP3 | RDC 7 | Windows Server 2008 R2 RD Session Host Server or Windows 7 Ultimate and Enterprise edition | RDP 7.0
Windows Vista RTM | RDC 6.1 | Windows Server 2008 R2 RD Session Host Server or Windows 7 Ultimate and Enterprise edition | RDP 6.1
Windows XP SP2 | RDC 6.1 | Windows Server 2008 R2 RD Session Host Server or Windows 7 Ultimate and Enterprise edition | RDP 6.1
Windows XP SP1 | RDC 5.2 | Windows Server 2008 R2 RD Session Host Server or Windows 7 Ultimate and Enterprise edition | RDP 5.2
Windows 7 or Windows Server 2008 R2 | RDC 7 | Windows Vista (all versions) | RDP 6
Windows 7 or Windows Server 2008 R2 | RDC 7 | Windows XP SP3 | RDP 5.2

As you can see from Table 6-3, the RDP experience is never greater than the lowest RDP
version supported on the client and server (remember that an RDC client connects to an
RDP listener version on the server). Installing RDC 7 on the endpoint does not update the
listener; it just updates the client component. There is no way to upgrade the listener without
upgrading the server's operating system. Therefore, whichever has the lowest version (client
RDC or server listener) is the version that will determine the user experience.
For the specifics of the user experience when connecting to an RD Session Host server or
Windows 7 Enterprise or Ultimate edition, see the following sections.

Connectivity Experience
Table 6-4 describes how users can connect to the RemoteApp programs and VMs assigned
to them. For basic connectivity, the version of the server isn't critical: as long as users have
permission to make the connection (and the server isn't running Windows 7 Premium, which
does not allow incoming RDP connections), this will work.

TABLE 6-4  Client RDC Version Determines the Connectivity Experience

CONNECTING FROM | DESCRIPTION | RDC 7 | RDC 6.1 | RDC 5.2
Access to Remote Desktop sessions | Users can connect to a full desktop session | Yes | Yes | Yes
Access to RemoteApp programs | Users can run RemoteApp programs alongside locally installed applications | Yes | Yes | No
Access to personal desktop by using RD Connection Broker | Users can broker connections to VMs assigned in Active Directory Domain Services (AD DS) | Yes | Yes | Yes
Access to virtual desktop pools by using RD Connection Broker | Users can broker connections to VM pools | Yes | Yes | Yes
Start applications and desktops from RemoteApp and Desktop Connection on client | Users can start VMs or RemoteApp programs assigned to them from their Start menu | Yes (Windows 7 only) | No | No
Start RemoteApp programs, virtual desktop, and session-based desktop from RD Web Access | Users can start VMs or RemoteApp programs assigned to them from RD Web Access | Yes | Yes | No
Status and disconnect system tray icon | Users can disconnect connections to RemoteApp programs and VMs via a system tray icon. Available only when starting RDP connections associated with a RemoteApp and Desktop Connection feed | Yes (Windows 7 only) | No | No

User Experience
Table 6-5 describes the features available to users when they are connected. This time, version
matters. Assume here that the server is an RD Session Host server or Windows 7 Ultimate or
Enterprise edition. Windows 7 Professional (for example) will not have the full complement of
features.
In Table 6-5, the "true" and "spanning" descriptions for multi-monitor support detail the
way the feature manifests. In true multi-monitor support, the video driver on the endpoint
can distinguish between all the monitors connected to the display and treats them independently.
In the spanning multi-monitor support available with RDP 6.0 and 6.1, the endpoint's
display driver treats all client-connected monitors as a single device. There's one catch to true
multi-monitor support: It does not work with Aero Glass. If you have more than one monitor,
Aero Glass will be disabled.

TABLE 6-5  User Experience to RD Session Host or Windows 7

CONNECTING FROM | DESCRIPTION | RDC 7 | RDC 6.1 | RDC 6.1 | RDC 5.2
Windows Media Player Redirection | Enables content hosted in Windows Media Player controls to be redirected to the client for decoding on users' computers. This both improves the quality of the video and ensures that video and audio are always in sync | Yes | No | No | No
Bidirectional Audio | Redirects audio recording devices such as microphones on the client to the remote session. Useful with voice recognition and applications that record audio | Yes | No | No | No
Multimonitor Support | Windows Vista and Windows Server 2008 endpoints only support monitor spanning. RD Session Host and Windows 7 include true multi-monitor support for up to 16 monitors and work for both Remote Desktop and RemoteApp programs | True | Spanning | Spanning | No
Aero Glass Support | Windows Server 2008 did not support Aero Glass remoting for sessions. This is now supported in Windows Server 2008 R2 RDS in sessions with a single monitor | Yes | No | No | No
Enhanced Bitmap Acceleration | Improves the remote display of graphics-intensive applications like Microsoft PowerPoint, Flash, and Silverlight | Yes | No | No | No
Language Bar Docking | Allows users to use their docked language bar with their RemoteApp applications just as they do with the local ones, instead of relying on the floating language bar | Yes (Windows 7 to RD Session Host server only) | No | No | No
Easy Print | Allows users to print to their local printers from RemoteApp programs and VMs without needing to install print drivers on the host. Both RD Session Host servers and clients running Windows 7 support RD Easy Print | Yes | Yes | Yes | No

Printing with RDP


Some years ago, people used to talk a lot about "the paperless office." They seem to have
mostly given up on the idea now, and with good reason. Even as you print less information,
there is a lot more information created that does have to be printed. Printing isn't going away.
In addition, with display remoting, printing has some new challenges. There are two ways
to print from a remote desktop session:
■ Print to a printer installed directly on the server (a session on an RD Session Host
server, or a VM)
■ Print to a printer that has been redirected to the remote desktop session from the
client
Both of these methods have advantages and disadvantages, which you will find out more
about in the next sections. Because RDS now supports both sessions and VMs, the information
includes printing capabilities for pooled and personal VM scenarios, as well as printing
from RD Session Host server sessions.

Printing to a Directly Connected Printer
The simplest way to provide printing capabilities from a server is to install the printer directly
onto it. Every user logging onto the server will (given the proper permissions) have access to
the printer, no matter where he or she is remoting from. The printer can be a network printer
(perhaps shared from a print server), a directly connected printer (via USB or parallel port
connection), or an IP-based printer located on the LAN.
Printing to directly connected printers on a high level works like this:
1. An application creates a print job and sends it to the print spooler.
2. The spooler does any conversion necessary and sends the resulting spool file to the
printer driver (or to the spooler on another machine, for example, a print server, which
will pass it to its printer driver).
3. The printer driver sends the file to either a GDI print device or an XML Print Specification
(XPS) print device.

HOW IT WORKS

Basic GDI and XPS Printing

A GDI printer accepts enhanced metafile (EMF)–formatted files, and an XPS print
device accepts XPS formatted files, so depending on what type of initial file an
application creates (XPS or EMF), it might need to be converted to the format that is
accepted by the print device.

NOTE  For more information on the GDI and XPS print paths, refer to MSDN
at http://msdn.microsoft.com/en-us/library/ms742418.aspx.

Figure 6-10 maps the different scenarios for printing to a GDI print device from different
types of applications.

[Figure 6-10 (diagram not reproduced). Inside the print spooler: a WPF application (.NET App) print job passes through the XPS to GDI Conversion Module (.NET) on Windows XP, Windows Server 2003, Windows Vista (w/o update) and Windows Server 2008 RTM; a Win32 application XPS print job passes through XPS to GDI native conversion on Windows Vista (w/update), Windows 7 and Windows Server 2008 R2; a Win32 application EMF print job needs no conversion. The resulting EMF spool file goes to the printer driver and then to the GDI print device.]

FIGURE 6-10  Files printed to a GDI print device might need conversion depending on the
file type initially created.
A .NET application will create a print job and send it to the print spooler, where it
goes through the .NET XPS to GDI conversion module (when native conversion is
not available). The print spooler processes the resulting EMF file and sends the print
job to the print driver, which sends the job to the print device.

If an application creates an XPS file, it must go through conversion to be printed on
a GDI print device. In Windows Vista (with the platform update), Windows 7, and
Windows 2008 R2, conversion is now native, so .NET no longer needs to be installed
to do this (Windows XP, Windows Vista without the Platform update, Windows Server 2003,
and Windows Server 2008 RTM still need to use the .NET conversion module). The
spooler sends the resulting EMF file to the printer driver, and the driver sends the
print job to the GDI print device.

If an application creates an EMF file, it needs no conversion. The print spooler
passes the EMF file to the printer driver and the printer driver sends the print job to
the GDI print device.

Figure 6-11 maps out different scenarios for printing to a XPS print device from
various types of applications.

[Figure 6-11 (diagram not reproduced). Inside the print spooler: a WPF application (.NET App) XPS print job and a Win32 application XPS print job need no conversion; a Win32 application GDI print job passes through GDI to XPS native conversion on Windows Vista (with update), Windows 7 and Windows Server 2008 R2, or through the GDI to XPS Conversion Module (.NET) on Windows XP, Windows Server 2003, Windows Vista (w/o update) and Windows Server 2008 RTM. The resulting XPS spool file goes to the printer driver and then to the XPS print device.]

FIGURE 6-11  Files printed to an XPS print device might need conversion depending on the
file type initially created.

A .NET application creates an XPS file. No conversion is necessary to print to an
XPS print device. The print spooler sends the print job to the printer driver, and the
printer driver sends the job to the print device.

If an application creates an XPS file, it needs no conversion. The print spooler passes
the XPS file to the printer driver, and the printer driver sends the print job to the
XPS print device.

A GDI file created by an application must go through conversion to be printed on an
XPS print device. In Windows Vista (with the needed platform update), Windows 7, and
Windows 2008 R2, conversion is now native, so .NET no longer needs to be installed to
Installing the printer drivers on the endpoints works well in scenarios where the print
devices, print servers, and endpoints are all located on the same LAN, preferably where workers
can reach this printer easily on foot. It's easier to implement for RD Session Host servers
than VMs—there's less installing because VMs are single-user—but it's technically possible on
both.

Attaching a printer directly to the server is not such a good idea in highly distributed
scenarios, especially if there's a WAN involved. Printing speeds can be dramatically affected
by high-latency networks. Not only that, but you could have users walking a long way for
a printed document—possibly to Germany from New York, if the printers are all clustered
around the RD Session Host servers in the Frankfurt data center. Finally, installing printers on
each pooled or personal VM is a hassle to manage. When it's not practical to attach the printers
to the endpoints, the benefits of print redirection really stand out.

Printing via Redirected Printers


Print redirection allows users to utilize the printers that are installed on their client from within a remote desktop session. It does not matter if the print device is local to the client, IP-based, mapped from a print server, or a Portable Document Format (PDF) or XPS printer. All these types of printers can be redirected to the remote desktop session.
For users to print from a remote session, two things must happen:
■ The printer must show up in the remote session.
■ The print job must get to the printer on the client.
Windows Server 2008 R2 supports two printing models: a model for use with RDC 6.1 and later that uses the drivers installed on the client and a model for previous versions of the RDP

client (also used with Windows Server 2003) that uses drivers on the printer. The following sections explain how printer redirection works for RDP 6.0 clients and earlier, and how the RD Easy Print model works; both might be applicable to Windows Server 2008 R2.

The Legacy Printing Model for Remote Desktop Services


The legacy printing model requires a matching printer driver installed on both the client and the endpoint for it to work—and part of matching means, “The names must match.” For instance, if the client has access to an HP LaserJet 6L printer, for printer redirection to work for this printer, the endpoint would need to have a matching driver installed, and the driver name must match from client to server exactly.

NOTE  On the server side, you do not need a matching printer installed—just the printer driver. On a Windows Server 2008 R2 RD Session host server, you add print drivers by adding and then deleting a printer (leaving the driver behind) or by highlighting a printer that is already installed, clicking the Print Server Properties link, navigating to the Drivers tab, and clicking Add.

ENUMERATING PRINTERS IN THE REMOTE SESSION


Chapter 3, “Deploying a Single Remote Desktop Session Host Server,” explained how session creation works. One component of session creation is enumerating (that is, finding and creating a list of) any printers on the client so they can be redirected to the server. Several components are involved in the redirection:
■ Winlogon.exe, the Windows Logon process in the client session
■ Winsta.dll, used for configuring the session
■ Termsrv.dll, the remote connection manager
■ Rdpwsx.dll, a user-mode component on the server that handles the connection sequence for remote connections using RDP
■ Rdpdr.sys, the kernel-mode RDP device redirection driver
■ Spoolsv.exe, the print spooler on the server
■ Usbmon.dll, which handles all the dynamic printer ports (dynamic because they are created and destroyed with the remote session) on the RD session host server
■ Mstscax.dll, the RD session host server client, which enumerates the printers on the client and their names, drivers, and settings
■ System Event Notification Service (SENS), which monitors system events such as RDS session connects and disconnects and logon/logoff events and delivers them to the applications needing them

NOTE  Wnotify.dll monitored system events in previous versions of Windows but was
replaced with SENS beginning in Windows Server 2008 and Windows Vista.

To redirect client-side printers to the remote desktop session automatically, these components cooperate in the following ways:
1. The client, Mstsc.exe, connects to a server and goes through the connection and logon sequence. Winlogon.exe remains loaded in the user session, as does Winsta.dll, used for configuring the terminal session.
2. Via Winsta.dll and the remote connection manager, Rdpwsx.dll is notified of the new connection and notifies Rdpdr.sys.
3. Rdpdr.sys sends a packet requesting that the printers for the new session be enumerated.
4. The client collects the following information from the client and sends it to the session, where it is passed by Rdpwsx.dll to Rdpdr.sys:

• Printer configuration data available, including name, driver name, paper orientation, default status, and so forth—everything standard for a Windows printer, but nothing contained outside the Windows printer configuration dialog boxes

• Print queues and their port names

• Manually created print queues created during previous logons (listed in subkeys under HKCU\Software\Microsoft\RD session host server Client\Default\AddIns\RDPDR on the client)
5. Rdpdr.sys creates a corresponding print port for each queue the client sends up, naming them TSXXX, where XXX is a number, counting from 001. You can see this on the RD Session Host server by clicking a printer, clicking the Printer Server Properties link, and selecting the Ports tab, shown in Figure 6-12.

FIGURE 6-12  Rdpdr.sys creates a corresponding print port for each queue that the client sends.

NOTE  Group Policy controls whether all printers are redirected, or just the client
default printer. If it’s the latter, only the client default printer is created in the remote
session.

6. Rdpdr.sys also tells the PnP application programming interfaces (APIs) that new printers are available. These APIs notify the spooler (Spoolsv.exe) of the new printers for that connection. The spooler has Usbmon.dll enumerate the available ports, as copied from the client and renamed on the session. The spooler updates the client’s registry to make the printers available to them.

NOTE  In Windows Server 2003, the spooler service was not session-aware and updated HKCU for everyone logged on to the RD session host server, so that users ended up with printers in their profiles that belonged to other users. They couldn’t use them, but they were recorded in the registry. The CPU cycles the spooler service used in order to write to all the copies of HKCU strained the RD Session Host server. This has been changed in Windows Server 2008 so that a user’s printers are written only to the user’s copy of HKCU.

7. Winlogon.exe notifies SENS that the session is created. SENS waits for disconnect or logoff events so that it can tell Rdpdr.sys when to tear down the mapped ports.
8. SENS does the following:

• Ensures that the printer has a corresponding driver available on the endpoint
• Sets the client’s default printer to be the default printer in the session
• Adds the new printer queue to its list of devices
• Sets the default security for the printer so that the logged-on user has read/write/print permissions to the printer queue and the administrator has full control
The printers should now appear in the remote session as TS001 to TS00n. If the printers are not appearing, check the following:
■ The client and the server must have a matching driver installed for each printer that will be redirected. If there is no driver match, you will see event ID 1111 logged in the System Event Log on the endpoint.
■ Client printers are allowed to be redirected. This policy can be set in RD Session Host Configuration (in the RDP settings), in Active Directory Users And Computers, and in Group Policy. You’ll find out more about how to do this in the section entitled “Controlling Printer Redirection” later in this chapter. Printer redirection abilities are also controlled by the Printers check box located on the Remote Desktop Connection client’s Local Resources tab.
■ Rdpdr.sys must be functioning properly. If no devices are being redirected and policy permits redirection, open Device Manager and inspect the contents of System Devices to find the RD Session Host server Device Redirector and see if it’s working properly.
■ The Remote Desktop Services UserMode Port Redirector service on the server must be running. If it’s not, then start it and disconnect and reconnect all sessions. Because printer queues are built at the beginning of the connection, simply restarting this service won’t restore printer queues.
■ The Print Spooler service on the server must be running.

PRINTING FROM A REMOTE SESSION


Now that the printers are listed in the remote session, let’s see how a print job gets to a redirected printer when RD Easy Print is not used. Printing involves a large number of moving parts, but this high-level view will show you how it works for remote desktop sessions.
1. The application on the server starts the print job. The RDC notifies the RDP graphics subsystem of the printers installed on the client.
2. Then the application creates the print job—either an EMF or XPS file—that contains all the instructions needed to render that picture while maintaining the picture’s original size, resolution, and layout.
3. The GDI or XPS Print API passes the file to the spooler. This file can be saved to disk if many print jobs are queued for a particular printer.

4. Assuming that the print job is going to a redirected port (identified as TSXXX), the spooler sends the print job to the dynamic port monitor (Usbmon.dll).
5. The dynamic port monitor transfers the spool file to Rdpdr.sys, which sends the data to the appropriate RDS client, where it’s sent to the appropriate printer.
To sum up, most of the processing is done on the server, the drivers must be present on the server (so that the GDI or XPS Print API can format the data stream appropriately for the selected printer), and there’s a lot of data conversion (for example, EMF files actually get converted to RAW format when it’s sent to a PostScript printer). Every time you convert data from one format to another, there’s a risk of data loss.

The RD Easy Print Architecture


Before RD Easy Print, printing from remote sessions was not an easy task. IT administrators had to deal with the following:
■ Kernel-mode drivers  In the old days of kernel-mode drivers, a buggy driver could—and sometimes did—crash the terminal server. For this reason, the use of kernel-mode drivers has been blocked by default since Windows Server 2003.
■ Driver name mapping  When the client and server were not running on the same kernel (for example, clients running Microsoft Windows 98 and the server running Microsoft Windows 2000 Server), the drivers often didn’t have the same name. You had to map them in an INF file manually to make printing to a redirected printer work at all. (You will learn how to do this later in this chapter, in case you cannot use RD Easy Print and need to use the older printing method. Tweaking name mappings has some other advantages, too.)
■ Driver testing and distribution  You had to test drivers before installing them on the terminal server, and after they were tested, distribute them to all the other terminal servers.
■ Bandwidth usage  Printing could take up a lot of bandwidth, which could slow the session when the user printed documents.
In short, supporting printing with terminal servers has historically been a lot of work. Unfortunately, because the paperless office has yet to materialize (and probably won’t, at least in the near future), it’s necessary to continue supporting the process.
It’s said that the definition of insanity is to keep doing the same thing and expecting different results. Because drivers on the server are hard to support, Windows Server 2008 decided to leave the printing insanity behind by eliminating printer drivers on the terminal server as much as possible. Instead, beginning with Windows Server 2008 and now with Windows Server 2008 R2 and Windows 7, printing over RDP uses a new architecture based on the XPS print format to allow jobs printed to a redirected printer to use the client-side printer drivers instead of requiring printer drivers on the server.

RD Easy Print is supported by clients running RDP 6.1 or later. The older format described previously is still supported for older versions of RDP, but RD Easy Print is the preferred method because of its lower management and bandwidth overhead. As explained previously, Windows 7, Windows 2008 R2, and Windows Vista and Windows 2008 with a platform upgrade all support XPS natively. Windows 2003 and Windows XP require .NET Framework to do the conversion to XPS.
Like older printing methods, RD Easy Print must render data into a WYSIWYG format and pass that data from the endpoint to the client where the printer is located. Where Easy Print differs is in the rendering and spooling process. Basically, Easy Print takes a print job request and does only enough processing on the server to get the print job to the client, as illustrated in Figure 6-13.
[Figure 6-13 diagram. SERVER (print spooler): a WPF application (.NET app) produces an XPS print job that passes straight through; a Win32 application goes through GDI to XPS conversion, native on Windows Vista (w/update), Windows 7, and Windows Server 2008 R2, or via .NET Framework 3.0 SP1 on Windows Vista (w/o update) and Windows Server 2008 RTM; the RD Easy Print driver produces an XPS spool file. The XPS spool file gets passed via RDP to the Remote Desktop Client. CLIENT (print spooler): the Remote Desktop Client with RD Easy Print plug-in passes an XPS print job through to the XPS printer driver and XPS print device, or performs XPS to GDI conversion (via .NET Framework 3.0 SP1 on Windows XP, Windows Server 2003, Windows Vista (w/o update), and Windows Server 2008 RTM; native on Windows Vista (w/update), Windows 7, Windows Server 2008, and Windows Server 2008 R2) to produce an EMF spool file for the GDI printer driver and GDI print device.]

FIGURE 6-13  Easy Print uses client side printer drivers to create print jobs.

The printing process works like this:
1. The user starts a print job from an application running in the remote session.
2. The print job is converted to an XPS file, natively (this step is skipped if the file is already in XPS format).
3. The XPS file is sent to the RD Easy Print plug-in in the RDC client.
4. XPS files destined for an XPS printer are passed to the XPS print driver. XPS files destined for a GDI printer are converted to EMF spool files and then passed to the GDI printer driver.
5. The print job goes to the printer.
The most important concept to remember in this process is that you don’t have to install printer drivers on the server. RD Easy Print uses a proxy driver on the server to pass print jobs to the client for printing. Because of this, all client printers are available in the remote desktop session. By using RD Easy Print, you no longer have to match drivers on the endpoint with drivers on the client, and there is no risk of server crashes due to crashing kernel-mode print drivers or spooler crashes stemming from a problem driver.
Like other device redirection, RD Easy Print uses virtual channels to let you configure the printing properties application directly on the client. When a user clicks a printer’s preferences from a session, the RD Easy Print driver on the endpoint intercepts this call and sends the request to the RD Easy Print plug-in on the RDC client. The client calls the client-side printer driver, which brings up the printing preferences dialog box on the client. Therefore, the preferences that you get when you print from a client are the same preferences that you get when printing from an RDS session.

Printing from Remote Desktop Services


One of the most important parts of moving the client experience to the remote session lies in printing.

NOTE  Although the following discussions are about printing, they apply to faxing as well.
Faxing works just fine with RD Easy Print—simply set up the fax on the client. When the
client chooses to send a fax, the client-side dialog box opens to prompt the user for the
contact information. Scanning is not supported in native Windows Server 2008 R2, but it is
enabled by several third-party products.

Requirements for Easy Print


To take advantage of RD Easy Print, the clients need to be running RDC 6.1 or later, and the endpoints need to be running Windows Server 2008, Windows Server 2008 R2, or Windows 7. RDC 7 comes with Windows 7 and is available for Windows Vista SP1 and Windows XP SP3. RDC 7 is the preferred client, and Windows Server 2008 R2 or Windows 7 the preferred

endpoint. In the previous version of Terminal Services, the .NET Framework was also required to convert XPS to GDI for output on GDI printers and to convert XPS to GDI for output with XPS printers. One of the biggest improvements to RD Easy Print in Windows 7 and Windows Server 2008 R2 is that the .NET Framework is no longer needed to do this conversion—it’s built into the operating system. In addition, with the right service pack and platform update installed, Windows Server 2008 and Windows Vista no longer require the .NET Framework either when acting as clients.

NOTE  The platform update for Windows Vista and Windows Server 2008 is downloadable
from the Microsoft website at http://support.microsoft.com/kb/971644. Windows Server
2008 requires Windows Server 2008 Service Pack 2 in order to install the update, and
Windows Vista requires Windows Vista Service Pack 2.

Windows XP still requires the .NET Framework 3.0 SP1 or later be installed. Table 6-6 provides a list of situations in which the .NET Framework is no longer required to use RD Easy Print.

TABLE 6-6  Scenarios in Which the .NET Framework Is No Longer Needed to Use RD Easy Print

CLIENT | SERVER
Windows Vista SP2 with RDC 7 and KB971644 installed (http://support.microsoft.com/kb/971644) | Windows Server 2008 R2
Windows Vista SP2 with RDC 7 and KB971644 installed | Windows 7
Windows 7 | Windows Server 2008 R2
Windows 7 | Windows 7
Windows Server 2008 with SP2 and KB971644 installed | Windows 7
Windows Server 2008 R2 | Windows 7
Windows Server 2008 with SP2 and KB971644 installed | Windows Server 2008 R2

RD Easy Print is not meant for all situations. So it’s not available, for example, from a Windows 7 client remoting to a Windows XP server. RD Easy Print is also not available in any session when you make an administrative connection (mstsc /admin). Table 6-7 and Table 6-8 show situations in which RD Easy Print will and will not work. This is helpful when you’re trying to determine what’s wrong, only to realize that the server that you attempted to use RD Easy Print on was a domain controller to which you had an administrative connection.

NOTE  Some of these scenarios work or don’t work depending on whether or not RD Session Host Server role service is installed on the server. These are noted by entries in the last column.

TABLE 6-7  Scenarios When RD Easy Print Will Work

CLIENT | SERVER | IF
Windows Server 2008 R2 | Windows Server 2008 R2 | RDSH is installed
Windows Server 2008 | Windows Server 2008 R2 | RDSH is installed
Windows 7 Professional | Windows Server 2008 R2 | RDSH is installed
Windows 7 Ultimate/Enterprise | Windows Server 2008 R2 | RDSH is installed
Windows 7 Ultimate/Enterprise | Windows Server 2008 R2 | RDSH is not installed
Windows XP SP3 and .NET Framework 3 SP1 and higher | Windows Server 2008 R2 | RDSH is installed
Windows Server 2008 R2 | Windows Server 2008 | Terminal Services is installed
Windows 7 Ultimate/Enterprise | Windows Server 2008 | Terminal Services is installed
Windows XP SP3 and .NET Framework 3 SP1 and higher | Windows Server 2008 | Terminal Services is installed
Windows Server 2008 R2 | Windows 7 Ultimate/Enterprise |
Windows Server 2008 | Windows 7 Ultimate/Enterprise |
Windows 7 Ultimate/Enterprise/Professional | Windows 7 Ultimate/Enterprise/Professional |
Windows XP SP3 and .NET Framework 3 SP1 and higher | Windows 7 Ultimate/Enterprise |
Windows Server 2008 | Windows Server 2008 | Terminal Services is installed

TABLE 6-8  Scenarios in Which RD Easy Print Will NOT Work

CLIENT | SERVER | IF
Windows Server 2008 R2 | Windows Server 2008 R2 | RDSH is not installed
Windows Server 2008 | Windows Server 2008 R2 | RDSH is not installed
Windows 7 Professional | Windows Server 2008 R2 | RDSH is not installed
Windows XP SP3 and .NET Framework 3 SP1 and higher | Windows Server 2008 R2 | RDSH is not installed
Windows Server 2008 R2 | Windows Server 2008 | Terminal Services is not installed
Windows 7 Ultimate/Enterprise | Windows Server 2008 | Terminal Services is not installed
Windows XP with SP3 and .NET Framework 3 SP1 and higher | Windows Server 2008 | Terminal Services is not installed
Windows Server 2008 R2 | Windows 7 Professional |
Windows Server 2008 | Windows 7 Professional |
Windows XP with SP3 and .NET Framework 3 SP1 and higher | Windows 7 Professional |
Windows Server 2008 R2 | Windows XP SP3 and .NET Framework 3 SP1 and higher |
Windows Server 2008 | Windows XP SP3 and .NET Framework 3 SP1 and higher |
Windows 7 Ultimate/Enterprise/Professional | Windows XP SP3 and .NET Framework 3 SP1 and higher |
Windows XP SP3 and .NET Framework 3 SP1 and higher | Windows XP SP3 and .NET Framework 3 SP1 and higher |
Windows Server 2008 | Windows Server 2008 | Terminal Services is not installed

NOTE  In some instances (noted in Table 6-8), you can get RD Easy Print to work with
Windows 7 Professional, but it is not supported officially.

Printing with RD Easy Print


Making RD Easy Print work requires no setup on the client or the server so long as your clients meet the requirements. Observe RD Easy Print at work in the following examples. Here’s the domain breakdown:
■ The domain is a Windows Server 2008 R2 domain named Ash.local.
■ The Windows Server 2008 R2 RD Session Host servers are named FUJI and GLACIER. They are configured as a farm called Farm1.ash.local.
■ ASHPersonalVM1 is a client PC running Windows 7.
■ ASHPersonalVM5 is a client PC running Windows XP SP3.
ASHPersonalVM1 meets RD Easy Print requirements natively—it comes with RDC 7 and also has XPS conversion capabilities built into the operating system (no need to add the .NET Framework). ASHPersonalVM5 is running RDP 6.1, which is required for RD Easy Print. The client running Windows XP still requires .NET Framework 3.0 SP1 or later—you must download and install it separately.

Let’s review the scenario. A user logs on to ASHPersonalVM1. Some printers are available, as shown in Figure 6-14.

FIGURE 6-14  Printers are available on the client PC.

The user creates a session on Farm1.ash.local. Opening the Printers console in the session, you can see that all four printers have been redirected and are available in the remote desktop session. The redirected printers are designated by the name of the printer plus the redirected session ID number (which is redirected 3 in this example), as shown in Figure 6-15.

FIGURE 6-15  Redirected printers are designated by the session ID number.

NOTE  In the older printing model, redirected printers were named according to this
format: Client Printer Name (from Client Computer Name) in session number X. In
Windows Server 2008 and Windows Server 2008 R2, redirected printer names now follow
this format: Client Printer Name (redirected session ID). This makes it easier to read the
names and distinguish them from other printers when many printers are available.

Highlighting the printer reveals the driver used for the printer in the lower section of the window (as the Model). As the highlighted printer in Figure 6-15 shows, the printer is using the Remote Desktop Easy Print Driver.
The user opens Notepad, creates a text file, and then chooses File, Print. The Print dialog box appears, and the user selects the default redirected printer and then clicks the Preferences button in the upper-right area of the printer dialog box. The printer Properties dialog box appears. If the RDP session is open in full-screen mode, the printer Properties dialog box appears to be part of the session. But if the RDS session is viewed in a smaller window, as shown in Figure 6-16, the user can actually drag the printer Properties dialog box out of the window. That is because this dialog box is running not in the remote desktop session but from the local computer, because it’s using the local driver.

FIGURE 6-16  The Printing Preferences dialog box is superimposed over the session window.

Although you can’t see it directly, printing to a redirected printer using RD Easy Print brings up another dialog box located right behind the printer Properties dialog box. It opens when you select Print Preferences, stating that the printer has been redirected by the RDC client and the printing preferences will display in a separate window.

When You Cannot Use RD Easy Print
RD Easy Print works a lot of the time, but it does not work all the time. With so many printers out today, you are bound to run into a few that just do not respond well to RD Easy Print (either they won’t print or they print badly). In these cases, you will need to rely on the older printing method—installing drivers on the endpoint.
The RD Easy Print driver is installed by default on Windows XP SP3 and later, and using the RD Easy Print driver for printer redirection is also enabled by default. To make the server look for printer drivers instead of using the RD Easy Print driver, you must change the sequence in which the RD Easy Print driver will be used. The endpoint will try to use the RD Easy Print driver for printer redirection first and resort to other printer drivers only if the RD Easy Print driver is not available. Set one of the following GPOs to reverse this (make the endpoint use printer drivers first, and then RD Easy Print):
■ On a computer basis: Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection\Use Remote Desktop Easy Print Printer Driver First
■ On a user basis: User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection\Use Remote Desktop Easy Print Printer Driver First
If this policy is enabled or not configured, the server reflects its default behavior: RD Easy Print driver first, other drivers second. To make the server look for other printer drivers before it attempts to use RD Easy Print, set the policy to Disabled. This does not disable RD Easy Print, but the server will attempt to use the RD Easy Print driver only if a matching printer driver is not available.

HOW IT WORKS

Removing the RD Easy Print Driver

The RD Easy Print driver is installed by default. You can delete it, but it will reinstall again when you reboot. It’s also available for manual reinstallation as part of the Windows Server 2008 R2 driver set. If you do remove the RD Easy Print driver from the endpoint and your endpoint is running Windows 7 or has the RD Session Host role service installed, then no redirection will happen at all if the preceding GPO is enabled or not configured. The endpoint will attempt to use the RD Easy Print driver that is missing and will not look for other printer drivers to use; printer redirection simply fails. There is no supported method for removing the RD Easy Print driver permanently.

Distributing Drivers to Endpoints
If you have problems using RD Easy Print with certain printer models, you’ll need to revert to the older printing model, which means installing printer drivers on the server. The challenge here is how to get the drivers onto the endpoints (and distribute them to other endpoints after they are tested).
If a printer driver is included with the operating system, the server will install the driver automatically if it’s needed and the person attempting to use it has the right permissions. But what if the printer driver is not included in the operating system?
You can use Group Policy and the Print Management Console (PMC) to distribute the drivers without touching every server. You install the printers (so that the drivers are installed) but then you delete the printers. This second step is critical, because it keeps users from being confused by printers that they can see but don’t have permission to print to or that do not actually connect to an actual print device.
In Windows Server 2008 R2 and Windows 7, you can use Group Policy to deploy the printers to each server. When you apply and then remove the GPO, the printers get removed, but the drivers remain. Here are the steps to perform:
1. First, add the printers by opening the PMC, right-click the printer server, and choose Add Printer to open the Network Printer Driver Wizard. The printers do not have to work because they are only temporary to facilitate distributing the printer drivers.
2. After your printers are installed, use the PMC to create the GPO for deploying printers. (PMC is installed as part of the Print Server role.) In the PMC, navigate to the Printers section, right-click each printer that you want to deploy, and choose Deploy With Group Policy, as shown in Figure 6-17.

FIGURE 6-17  Click Deploy With Group Policy to create a GPO to deploy printers to endpoints.

3. Browse and select the GPO that you want to use to contain the printers that you will distribute, or, if you want to use a new GPO, click the Create New Group Policy Object icon, as shown in Figure 6-18.

FIGURE 6-18  Create a new GPO to use to distribute printers.

4. Name the new GPO something descriptive, like “Deploy Printers To Endpoints,” and click OK. Select the check box next to the computers that this GPO applies to (per machine). Then click Add to add the printer to the list. Then click OK. Do this for every printer that you want to deploy.

NOTE  If you look at this GPO in the Group Policy Management console (GPMC), you
will see the path for which the setting is located: Computer Configuration Policies
Windows Settings Printer Connections. But if you try to create a policy manually (not
using the PMC), you won’t be able to get to the Printer Connections GPO. It will not
show up in the GPMC.

5. When the GPO is complete, apply it to each OU where your servers reside. Next, forcibly update the policies on the endpoints by running gpupdate /force or rebooting. The printers will now be installed.
6. Finally, after you’ve ensured that the printers are deployed correctly to the servers, remove the printers by deleting the GPO and forcing the update. The printer is removed from the server, but the drivers are still available. (You can see this by opening the Print Server Properties tab on the Devices And Printers console; you must have a printer installed and selected for this button to be available.)

Mapping Printer Driver Names on Client and Endpoint


In the past (for instance, with clients running Windows 98 remoting to a server running Windows Server 2003), there were some cases where printer drivers made for the client operating system and the corresponding printer driver made for the server were not named the same way. For example, the printer driver for a printer HP LaserJet X made for the client could be named Hewlett Packard LaserJet X for the server—that is, the names do not match exactly. This was most often a problem when the drivers were written for entirely different

operating systems. Without going into detail, Windows 7 and Windows Server 2008 R2 are fundamentally very similar. Windows 98 and Windows Server 2003 were not—their architectures were entirely different. Because Windows 98 and Windows Server 2003 were so different, printer manufacturers did not always make sure the drivers had the same name.
Name mismatches were (and occasionally still are) a problem when remoting using printer drivers because if the names don’t match exactly, the mapping does not occur. The workaround for this was to create an INF file on the endpoint that tells the endpoint that Driver X equaled Driver Y (in this example, HP LaserJet X = Hewlett Packard LaserJet X). The server would read this file and make the printer driver match, and then it could redirect the printer.
This driver name mismatch might not happen with newer operating systems, but the workaround has another use. Should you decide to implement the older printing model, you can use this technique to minimize the number of printer drivers that you have to install on your endpoint; you can create one-to-many mapping (one driver on the server to many printer drivers on the client). The server will use the one driver that you tell it to use whenever it encounters a need for any of the drivers that you map to that single driver. For instance:
■ Brother MFC-230C = Brother MFC-235C
■ Brother MFC-230C = Brother MFC-239C
■ Brother MFC-230C = Brother MFC-240C

NOTE  Some printers might not work with specified drivers. Also, you might lose some
functionality when using one driver in place of another. For instance, one driver might
allow you to print in Booklet style, and another might not. You will need to test printer
driver mapping fully to see what printer drivers will map to certain printers, and also what
functionality you might lose by doing so.

To find the server driver name and the client driver name that you want to map, look at the printer properties of an installed printer: right-click the installed printer, open Printer Properties, and look at the Driver box on the Advanced tab. The printer driver name can also be found in the Print Server Properties dialog box: open Print Server Properties, select the Drivers tab, highlight the driver, and click Properties. Copy the names exactly as they appear, because the mapping only works on an exact match.
Here is how to implement the mapping:
1. Create an INF file that contains the mappings (name it PRINTDRIVERMAP.inf). Store the file in C:\Windows\System32\ on the endpoint. The file should look like this (but containing your unique mappings; the client driver name goes on the left and the server driver name on the right):

[Printers]
;"Client Printer Driver Name" = "Server Printer Driver Name"
"Client Printer Driver W" = "Server Printer Driver X"
"Client Printer Driver X" = "Server Printer Driver X"
"Client Printer Driver Y" = "Server Printer Driver Y"
"Client Printer Driver Z" = "Server Printer Driver Z"

NOTE  This INF example file shows mapping two client drivers to one server driver, and
then two more unique mappings.

The file needs to have the section title [Printers] because that section name is referenced next, in the registry values that need to be put in place on the endpoint to invoke the mapping process.
2. In Registry Editor, navigate to the following key, and create two string (REG_SZ) values named PrinterMappingINFName and PrinterMappingINFSection (right-click the key and choose New, String Value). These values tell the endpoint to look for printer driver mappings in the Printers section of the PRINTDRIVERMAP.inf file:

HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\Rdpwd

• PrinterMappingINFName
• PrinterMappingINFSection

3. Then set the values by doing the following:

• Double-click the PrinterMappingINFName value and type PRINTDRIVERMAP.inf.
• Double-click the PrinterMappingINFSection value and type Printers.
ON THE COMPANION MEDIA  A script to automate this work is located on the
companion media in the Printer-Driver Mapping-Setup.PS1 file. It creates the INF file
PRINTDRIVERMAP.inf in the C:\Windows\System32 directory on each server in the
specified OU (and overwrites the file if it is already there). It also creates the needed
registry keys for each computer in an OU (and overwrites the values if the keys are
already there).
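The following PowerShell does the same three steps on the local RD Session Host. It is an added example written for this edition, not the companion Printer-Driver Mapping-Setup.PS1 script and not Microsoft code: the function names, the Brother driver names used as sample input, and the choice to write the INF as ASCII are all this example's own. It must run from an elevated prompt, and it is written for the Windows PowerShell 2.0 that ships with Windows Server 2008 R2.

```powershell
# Added example (not the book's companion script). Builds PRINTDRIVERMAP.inf from a
# hashtable and creates the two Rdpwd string values on the local RD Session Host.
# Run elevated. The driver names below are placeholders; replace them with the exact
# names shown on the Advanced tab of the printer's properties.
function New-PrinterDriverMapInf {
    param(
        [Parameter(Mandatory=$true)][hashtable]$Mappings,  # client driver name -> server driver name
        [string]$Section = 'Printers'
    )
    $lines = @("[$Section]", ';"Client Printer Driver Name" = "Server Printer Driver Name"')
    foreach ($client in ($Mappings.Keys | Sort-Object)) {
        # Both names are quoted so that spaces and punctuation survive intact.
        $lines += ('"{0}" = "{1}"' -f $client, $Mappings[$client])
    }
    return (($lines -join "`r`n") + "`r`n")
}

function Install-PrinterDriverMap {
    param(
        [Parameter(Mandatory=$true)][hashtable]$Mappings,
        [string]$FileName = 'PRINTDRIVERMAP.inf',
        [string]$Section  = 'Printers'
    )
    $infPath = Join-Path $env:SystemRoot ("System32\" + $FileName)
    $regKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd'

    # Overwrite any existing mapping file, as the companion script does.
    $content = New-PrinterDriverMapInf -Mappings $Mappings -Section $Section
    [System.IO.File]::WriteAllText($infPath, $content, [System.Text.Encoding]::ASCII)

    # PrinterMappingINFName and PrinterMappingINFSection are REG_SZ values under the
    # rdpwd key, not subkeys. -Force replaces a value that is already there.
    New-ItemProperty -Path $regKey -Name 'PrinterMappingINFName'    -Value $FileName -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $regKey -Name 'PrinterMappingINFSection' -Value $Section  -PropertyType String -Force | Out-Null

    # Read back what was written so the caller can confirm it.
    $p = Get-ItemProperty -Path $regKey
    New-Object PSObject -Property @{
        InfPath = $infPath
        InfName = $p.PrinterMappingINFName
        Section = $p.PrinterMappingINFSection
    }
}

# Constructed sample: three client driver names collapsed onto one server driver.
$mappings = @{
    'Brother MFC-235C' = 'Brother MFC-230C'
    'Brother MFC-239C' = 'Brother MFC-230C'
    'Brother MFC-240C' = 'Brother MFC-230C'
}
Install-PrinterDriverMap -Mappings $mappings
```

After running it, open the generated file with Get-Content to confirm the quoting, then log off and reconnect a test session with the client printer attached; the mapping is read when the printer is redirected, so an existing session will not pick it up.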

Controlling Printer Redirection

Printer redirection can be enabled or disabled at three tiered levels: per connection, per machine, or per group of computers, as shown in Figure 6-19. In this image, the broadest bar controls in case of any conflicts in policy.

FIGURE 6-19  Printer redirection is controlled on tiered levels (from broadest to narrowest: Group of Machines, Machine, Connection).

If printer redirection is disabled at any of these levels, printer redirection will be disabled for the users or machines that the setting affects, and therefore for everything below that level.

Controlling Printer Redirection per Connection

Printer redirection is enabled by default in the RDC client. To disable it, click Options, select the Local Resources tab, and clear the Printers check box in the Local Devices And Resources section. Then either save the RDP file or click Connect. This setting, at the lowest section of the pyramid (Figure 6-19), affects only the connection made or subsequent connections made from the resulting saved RDP file, where it is stored as the line redirectprinters:i:0.

Controlling Printer Redirection per Server

Printer redirection is controlled on a per-machine basis in the RD Session Host Configuration tool on an RD Session Host server (no individual machine control exists for VM pools or personal VMs). It is allowed by default. To turn it off, open RD Session Host Configuration, double-click RDP-Tcp, select the Client Settings tab, select the check box next to Windows Printers in the Disable The Following list under Redirection, and then click OK. Even if you allow printer redirection in the RDC, if it is disabled on the RD Session Host server, then it is disabled for all sessions hosted by the server.

Controlling Printer Redirection for Multiple Endpoints

Use Group Policy to control printer redirection for multiple computers. Set the following GPO setting, and then link the GPO to the OU that holds the computers that you want to affect:

Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection\Do Not Allow Client Printer Redirection

If you enable this policy, users will not be able to redirect print jobs to their local computer printers. If you do not configure or disable this policy, printer redirection is allowed.
Because this setting is not configured by default, printer redirection at this level is allowed but can still be affected at the other levels (by computer or by session). If this policy is enabled, it takes precedence over the settings at the other levels.

Managing Print Settings with Group Policy

There are a few other Group Policy settings that you can use to configure printer redirection further. The following Group Policy settings for printers are configured in this location:

Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection

The Group Policy settings are:
■ Use RD Easy Print Printer Driver First  You encountered this setting earlier in this chapter. If this policy is enabled or not configured, the endpoint tries to use the Easy Print driver to redirect client printers first. Only if the Easy Print driver isn't available will it look for a printer driver on the endpoint that matches the printer driver on the client. Disabling this policy does not disable Easy Print; it reverses the order, so the endpoint looks for a matching printer driver first and uses Easy Print only if a matching driver is not available.
■ Specify RD Session Host Server Fallback Printer Driver Behavior  Fallback printer driver behavior tells the endpoint that if it cannot find a printer driver that matches the printer driver on the client computer, then it should attempt to use an alternate printer driver. The fallback printer drivers are HP DeskJet 500, HP DeskJet 500C, HP LaserJet 4/4M PS, and HP Color LaserJet 5/5M PS. This setting is disabled by default.
■ Redirect Only The Default Client Printer  Clients might have many printers installed on their client PCs; by default, all will be redirected to the session. To decrease resource usage on the endpoint, you can enable this policy so that only the default printer on the client PC will be redirected to the session.
■ Do Not Set A Default Client Printer To Be The Default Printer In A Session  By default, the client's default printer is the default printer for the remote session. If you enable this setting, the client's default printer is no longer made the session default; the default printer configured on the RD Session Host server is used instead.

Printer Driver Isolation

New to Windows 7 and Windows Server 2008 R2, the Printer Driver Isolation feature enables printer drivers to be separated from the print spooler process (Spoolsv.exe) and either run in a separate process that is shared by other printer drivers (shared isolation mode) or isolated into their own process (isolated mode). If an isolated printer driver has issues, it crashes only its own process (or the shared process) and does not take down the print spooler on the server or endpoint. This is good news if you have to install drivers on your endpoint (either in conjunction with RD Easy Print or instead of using RD Easy Print).
Like other printing settings, Printer Driver Isolation is controlled in a tiered fashion: by Group Policy, by the printer driver INI file, and by the Print Management Console. Here are the options:
■ If you want, you have the option of controlling overall Printer Driver Isolation on a computer by setting the following GPO setting:
Computer Configuration\Administrative Templates\Printers\Execute Print Drivers In Isolated Processes
■ If this policy is disabled, then driver isolation is disabled for all drivers on the affected computers. If this policy is enabled or not configured, then it is allowed.
■ If Printer Driver Isolation is allowed (or not configured) by Group Policy, next the printer driver INI file is checked to see if the printer driver supports isolation. If the DriverIsolation key is missing or is set to 0, the driver does not support Printer Driver Isolation. If the DriverIsolation key is set to 2, the driver does support isolation.
■ If the driver supports Printer Driver Isolation, it is loaded by default into a separate process called PrintIsolationHost.exe (instead of being loaded into Spoolsv.exe) along with other printer drivers that are configured for shared isolation. If a driver does not support isolation, the driver will be loaded into Spoolsv.exe.

NOTE  All native drivers for Windows 7 and Windows Server 2008 R2 support Printer
Driver Isolation, and by default, they will run in shared mode unless otherwise dictated.

This default functionality can be overridden by Group Policy and, for each individual printer driver, by using the Print Management Console.
Printer drivers that are compatible run in shared mode by default. But you can override this on a per-driver basis in the Print Management Console. To do this, right-click each driver, choose Set Driver Isolation, and then choose Shared, Isolated, or None.

NOTE  If GPO dictates that printer isolation is disabled, isolation mode settings from the
Print Management Console are ignored.

You can also force printer drivers that are not compatible with Printer Driver Isolation to run in shared mode or to adhere to the settings in the Print Management Console by enabling the following GPO setting:

Computer Configuration\Administrative Templates\Printers\Override Print Driver Execution Compatibility Setting Reported By Print Driver

The options for this GPO setting are:
■ Enabled  The printer driver will run in shared mode or as specified in the Print Management Console.
■ Disabled Or Not Configured  The Printer Driver Isolation mode is determined by the DriverIsolation key setting in the printer driver INI file.

NOTE  For more on Printer Driver Isolation, see http://msdn.microsoft.com/en-us/library/ff560836%28VS.85%29.aspx.
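The three tiers described in this section (Group Policy, the driver's DriverIsolation key, and the per-driver Print Management Console choice) are easy to get wrong in the head, so here they are as a PowerShell function you can run before changing a policy. This is an added example written for this edition, not the book's code and not a Microsoft tool. The INI text it parses is constructed, and the two registry values it reads for the GPO state (PrintDriverIsolationExecutionPolicy and PrintDriverIsolationOverrideCompat under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers) are an assumption about what the Printers administrative template writes; check them against printing.admx on your own system.

```powershell
# Added example, not from the book. Implements the decision tree above so you can see
# where a given driver would load before you change a policy. The INI text is
# constructed; the policy value names are an assumption to verify against printing.admx.
function Get-DriverIsolationValue {
    # Returns the DriverIsolation value from INI-style text, or $null if the key is absent.
    param([Parameter(Mandatory=$true)][string[]]$IniLines)
    foreach ($l in $IniLines) {
        if ($l -match '^\s*DriverIsolation\s*=\s*(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Resolve-PrintDriverHost {
    param(
        [ValidateSet('Enabled','Disabled','NotConfigured')][string]$ExecutePolicy = 'NotConfigured',
        [bool]$OverrideCompat = $false,                                        # override GPO enabled?
        [AllowNull()][object]$DriverIsolation,                                  # $null, 0 or 2 from the INI
        [ValidateSet('Shared','Isolated','None')][string]$ConsoleSetting = 'Shared'
    )
    # Tier 1: a disabled GPO wins over everything, including the Print Management Console.
    if ($ExecutePolicy -eq 'Disabled') {
        return @{ Process = 'Spoolsv.exe'; Mode = 'None'; Reason = 'Isolation disabled by Group Policy' }
    }
    # Tier 2: the driver must declare DriverIsolation=2 unless the override GPO forces it.
    $supports = ($DriverIsolation -eq 2) -or $OverrideCompat
    if (-not $supports) {
        return @{ Process = 'Spoolsv.exe'; Mode = 'None'; Reason = 'Driver does not report isolation support' }
    }
    # Tier 3: the per-driver console setting; compatible drivers default to Shared.
    switch ($ConsoleSetting) {
        'Isolated' { return @{ Process = 'PrintIsolationHost.exe (own process)'; Mode = 'Isolated'; Reason = 'Per-driver console setting' } }
        'None'     { return @{ Process = 'Spoolsv.exe'; Mode = 'None'; Reason = 'Per-driver console setting' } }
        default    { return @{ Process = 'PrintIsolationHost.exe (shared)'; Mode = 'Shared'; Reason = 'Default for compatible drivers' } }
    }
}

# Constructed INI text for a driver that declares isolation support.
$ini = @('[Version]', 'Signature="$Windows NT$"', 'DriverIsolation=2')

# Read the two policy values (assumed names) from the local policy key, if present.
$gpoProps = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers' -ErrorAction SilentlyContinue
$raw = $gpoProps.PrintDriverIsolationExecutionPolicy
if ($raw -eq 1) { $policy = 'Enabled' } elseif ($raw -eq 0) { $policy = 'Disabled' } else { $policy = 'NotConfigured' }
$override = ($gpoProps.PrintDriverIsolationOverrideCompat -eq 1)

Resolve-PrintDriverHost -ExecutePolicy $policy -OverrideCompat $override `
    -DriverIsolation (Get-DriverIsolationValue -IniLines $ini) -ConsoleSetting 'Shared'
```

Try it with DriverIsolation=0 and the override GPO on and off: the override is the only way a driver that does not declare support ends up in PrintIsolationHost.exe, and a disabled execution policy sends every driver back into Spoolsv.exe regardless of what the console says.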

Troubleshooting Printing Issues

This section explains how to solve some common problems that people face when dealing with redirected printers.
If printer redirection is not working at all between a client and endpoint, make sure printer redirection is allowed at every level (as outlined in the section entitled "Controlling Printer Redirection" earlier in this chapter):
■ The Remote Desktop Connection client configuration allows printer redirection.
■ The RD Session Host server allows printer redirection (in RD Session Host Configuration).
■ Group Policy allows redirection on the endpoint's OU.
Also, the print spooler (started by default) needs to be running on both the client and the endpoint. Check Services.msc to make sure it is still running.
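The checklist above maps onto four things you can read programmatically on the RD Session Host. The PowerShell below is an added example for this edition, not the book's code: it reads fDisableCpm from the RDP-Tcp listener key (what RD Session Host Configuration writes) and from the Terminal Services policy key (what the Do Not Allow Client Printer Redirection GPO writes), parses the redirectprinters:i: line from a saved .rdp file, and checks the Spooler service. The .rdp lines are constructed sample input; the function only sees the local host, so the client's own spooler still has to be checked on the client.

```powershell
# Added example, not from the book. Walks the three tiers from Figure 6-19 plus the
# spooler on the local RD Session Host. fDisableCpm = 1 means client printer mapping is
# disabled at that tier; redirectprinters:i:0 is the matching .rdp file setting.
function Get-RdpFilePrinterSetting {
    param([Parameter(Mandatory=$true)][string[]]$RdpLines)
    # Redirection is on when the line is absent; only an explicit 0 turns it off.
    foreach ($l in $RdpLines) {
        if ($l -match '^\s*redirectprinters:i:(\d+)') { return ([int]$Matches[1] -ne 0) }
    }
    return $true
}

function Test-PrinterRedirectionPath {
    param([string[]]$RdpLines = @())

    $listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    $listenerOff = (Get-ItemProperty -Path $listenerKey -ErrorAction SilentlyContinue).fDisableCpm -eq 1
    $policyOff   = (Get-ItemProperty -Path $policyKey   -ErrorAction SilentlyContinue).fDisableCpm -eq 1
    $clientOn    = Get-RdpFilePrinterSetting -RdpLines $RdpLines
    $spooler     = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerOk   = ($spooler -ne $null -and $spooler.Status -eq 'Running')

    # Broadest tier first, matching the order in which the settings override each other.
    $blockers = @()
    if ($policyOff)      { $blockers += 'Group Policy: Do Not Allow Client Printer Redirection is enabled' }
    if ($listenerOff)    { $blockers += 'RDP-Tcp listener: Windows Printers redirection disabled in RD Session Host Configuration' }
    if (-not $clientOn)  { $blockers += 'Connection: the .rdp file contains redirectprinters:i:0' }
    if (-not $spoolerOk) { $blockers += 'Print Spooler service is not running on this host' }

    New-Object PSObject -Property @{
        GroupPolicyAllows     = -not $policyOff
        ListenerAllows        = -not $listenerOff
        ConnectionAllows      = $clientOn
        SpoolerRunning        = $spoolerOk
        Blockers              = $blockers
        RedirectionShouldWork = ($blockers.Count -eq 0)
    }
}

# Constructed sample .rdp content standing in for the user's saved connection file.
$sampleRdp = @(
    'full address:s:rdsh01.contoso.com',
    'redirectprinters:i:0',
    'redirectclipboard:i:1'
)
Test-PrinterRedirectionPath -RdpLines $sampleRdp | Format-List
```

With the sample file the result lists the connection tier as the blocker even on a host where both registry values are absent, which is the case the checklist is meant to catch: the user cleared the Printers check box once, saved the file, and has been reconnecting from it ever since.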

Interpreting Event ID 1111

Event ID 1111 logged in the endpoint's System event log indicates a printer driver mismatch. This can occur in two different scenarios:
■ If you are trying to redirect printers to an RD Session Host server or a Windows 7 endpoint using the RD Easy Print driver and the driver is missing from the endpoint.
■ If you are using regular printer drivers to redirect printers and the driver is missing or the driver name does not match.
Double-check that either the RD Easy Print driver is installed on both the client and the endpoint or that you have matching printer drivers on the client and the endpoint.

Margin or Character Errors Occur When Using RD Easy Print

There are a few updates that correct margin errors on Windows Vista, Windows Server 2008, and Windows XP SP3. If you are experiencing margin errors when printing using the RD Easy Print driver, consult the following Knowledge Base (KB) articles to see if these hotfixes pertain to your implementation. (The links for these articles are also available on the companion media.)
■ http://support.microsoft.com/kb/959442  The edges of a document are truncated when you try to print the document by using Terminal Services Easy Print from a client that is running Windows XP SP3, Windows Vista SP1, or Windows Server 2008.
■ http://support.microsoft.com/kb/946411  When you print an XPS file on a computer running Windows XP SP2 or SP3, the characters in the XPS file print incorrectly.

NOTE  Other formatting problems and corresponding KB articles that pertain to these issues are mentioned in the RDS Team Blog at http://blogs.msdn.com/rds/archive/2009/09/28/using-remote-desktop-easy-print-in-windows-7-and-windows-server-2008-r2.aspx.

Easy Print Is Not Printing (Windows Server 2008 Only)

This fix pertains to Windows Server 2008 (not Windows Server 2008 R2). If your users are connecting via TS Gateway and your print jobs leave the server and then just disappear, check this KB article to see if this fix applies to you: KB968605, "TS Easy Print Not Printing." You'll find this article at http://support.microsoft.com/kb/968605.

Using Generic Text Driver

As of this writing, there is a known issue pertaining to using RD Easy Print with printers that are set to use Generic Text Only mode. Unfortunately, there is no known solution at the moment. See the following Microsoft forum thread for more details: http://social.technet.microsoft.com/Forums/en/windowsserver2008r2rds/thread/cd8792cb-e826-4f35-bdaf-c5b29ca58ca8. If you experience this problem, try using a printer driver instead of the Easy Print driver. Do this by installing a matching driver on the client and the server and disabling the option to use the Easy Print driver first.

Summary
From the user's point of view, the remoting experience is the most important aspect of RDS. If the screen doesn't look good, the audio doesn't sound good, or the print jobs don't print, the user has a bad experience.
After reading this chapter, you should have learned the following:
■ The relationship between the RDC client, the RDP protocol, and the RDP listener, and how the three elements define the user experience
■ The RDP features introduced with Windows 7 and Windows Server 2008 R2
■ How all features of RDP related to the remote experience work
■ How to enable and configure features of RDP
■ How to print via RDP, with and without Easy Print

Now that you know how RDP provides the "like being there, only better" experience for users, you will learn in the next chapters how you, the administrator, can lock down the user desktop (Chapter 7, "Molding and Securing the User Environment") and protect the network connection (Chapter 8).

Additional Resources
This chapter examined in depth how RDP works. For more information, the following MSDN sites provide the original documents detailing how the protocol works:
■ Basic RDP Remoting  http://msdn.microsoft.com/en-us/library/cc240445(v=PROT.10).aspx
■ Graphics Acceleration  http://msdn.microsoft.com/en-us/library/cc241537(v=PROT.10).aspx
■ Graphics Compression  http://msdn.microsoft.com/en-us/library/ff635378(v=PROT.10).aspx
■ Desktop Composition  http://msdn.microsoft.com/en-us/library/cc216513(v=PROT.10).aspx and http://msdn.microsoft.com/en-us/library/dd358323(v=PROT.10).aspx
■ Dynamic Virtual Channels  http://msdn.microsoft.com/en-us/library/cc241215(v=PROT.10).aspx
■ Basic Audio Remoting  http://msdn.microsoft.com/en-us/library/cc240933(v=PROT.10).aspx
■ Clipboard Redirection  http://msdn.microsoft.com/en-us/library/cc241066(v=PROT.10).aspx
■ Easy Print  http://msdn.microsoft.com/en-us/library/cc242947(v=PROT.10).aspx
■ Printer Redirection  http://msdn.microsoft.com/en-us/library/cc242116(v=PROT.10).aspx
■ Audio Input Redirection  http://msdn.microsoft.com/en-us/library/dd342521(v=PROT.10).aspx
■ Multimedia Remoting  http://msdn.microsoft.com/en-us/library/dd342975(v=PROT.10).aspx
■ Serial and Parallel Port Redirection  http://msdn.microsoft.com/en-us/library/cc242856(v=PROT.10).aspx
■ File System Redirection  http://msdn.microsoft.com/en-us/library/cc241305(v=PROT.10).aspx
■ Plug and Play Redirection  http://msdn.microsoft.com/en-us/library/cc242231(v=PROT.10).aspx

The following resources contain additional information and tools related to this chapter:
■ Want more information about RDP performance? See the white paper linked at http://blogs.msdn.com/rds/archive/2010/02/05/announcing-the-remote-desktop-protocol-performance-improvements-in-windows-server-2008-r2-and-windows-7-white-paper.aspx.
■ Download RDC 7 for Windows Vista SP1+ and Windows XP SP3 at http://blogs.msdn.com/rds/archive/2009/10/28/announcing-the-availability-of-remote-desktop-connection-7-0-for-windows-xp-sp3-windows-vista-sp1-and-windows-vista-sp2.aspx.
■ You can download the Remote Desktop client for Macintosh at http://www.microsoft.com/mac/products/remote-desktop/default.mspx.
■ A presentation on the new Windows 7 printing architecture can be downloaded at http://download.microsoft.com/download/5/E/6/5E66B27B-988B-4F50-AF3A-C2FF1E62180F/CON-T572 WH08.pptx.
■ Microsoft Most Valuable Professional Emeritus Vera Noest has put together a great list of hotfixes and updates pertaining to printing, which can be found at http://ts.veranoest.net/ts printing.asp.

CHAPTER 7

Molding and Securing the User Environment

■ Locking Down the Server  364
■ Preventing Users from Running Unwanted Applications  376
■ Creating a Read-Only Start Menu  391
■ Keeping the RD Session Host Server Available  393
■ Taking Remote Control of User Sessions  394

If you're reading this book in order, at this point, your users can use their virtual machines (VMs) or sessions. The servers are set up, the profiles and folder redirection are all configured, and user devices are redirected. The only catch is that now the user work environments are wide open.
Giving users non-secured work environments might be all right. As you'll learn in this chapter, the rules for security will likely vary with the kind of work environment that you're supporting. RD Session Host servers need to be locked down because the server hosting the sessions is persistent and the machine is shared, so one person's error can have a lasting impact on a lot of people. Pooled VMs using rollback (so the VM rolls back to a saved state each time a user logs off) need less security, because you don't want users running malware but don't need to worry about permanent changes to the VMs. Also, personal desktops should be governed by the same rules that you've applied to physical desktops.
This chapter will show you how to enable and yet still control your users' devices and desires, meaning that you'll understand how to map the client-side experience to the remote environment but you'll do so in a way that doesn't negatively affect the servers or the end users. The following topics will be discussed:
■ Locking down the servers (and why you should do so)
■ Optimizing the user experience
■ Configuring remote control of a session
■ Securing access to the RD Session Host server

The primary focus of this chapter is RD Session Host server environments. This is because pooled VMs revert when a user logs off, and personal VMs should be handled the same way that you handle physical user desktops in your company. This doesn't mean that you won't tweak pooled or personal VMs. For instance, it's possible that you will not want a user installing or running rogue software from a pooled machine, even if it will revert to its original state after logoff. Therefore, if a setting or procedure is specific, either only to RD Session Host servers or only to pooled or personal VMs, we will say so. Otherwise, assume that the tactic, setting, or procedure applies to both kinds of implementations.

Locking Down the Server

Sometimes, it's not obvious that you need to lock down the server. RemoteApp programs (introduced in Chapter 4, "Deploying a Single Remote Desktop Virtualization Host Server," and explored more deeply in Chapter 9, "Multi-Server Deployments"), introduced in Windows Server 2008, visually integrate applications running on the server with applications running on the local computer. This makes it easier to avoid losing applications and can simplify training, because you don't have to teach inexperienced users how to find the applications that they need or how to move between a local and a remote desktop. No one ever sees a separate desktop; they just see the application that they need to run. When users close the last RemoteApp program they have open, the session on the RD Session Host server ends.
If no one sees a desktop, why would you need to lock down the server? The answer has to do with how RemoteApp programs work. A RemoteApp program in a session is still in a session, with the same access to the Windows environment that an application on a full desktop has. A savvy user can find out pretty easily that Ctrl+Alt+End brings up the Windows Security screen in the remote session, which offers Task Manager, and that when you have Task Manager open, you can get to the Run box (File, New Task). When you get to Run, you can run nearly any application or command on the RD Session Host server that isn't locked down.
We're Star Wars enthusiasts. As Yoda might say, "Ctrl+Alt+End leads to the Task Manager. The Task Manager leads to Run. Run leads to suffering."
Displaying only a single application is no replacement for locking down the server. This section discusses the Group Policy settings that you use to accomplish this.
As the discussion here goes through the process of locking down the server, keep your personal situation in mind. This is not a complete list of what you must do. This is a description of what you can do. First, some of these settings will overlap; the same goal can be accomplished using different settings, so it will be up to you to choose which settings or methods of lockdown work for your circumstances. Second, for practical reasons, you might not be able to use every setting discussed in the next pages. Shutting down Windows Internet Explorer will close one back door, but if the main reason that you run an RD Session Host server is to provide access to a browser-based application, then blocking access to Internet Explorer isn't a viable option. Test all policies before deploying them to make sure that the combinations that you've chosen haven't disabled any functionality you need.

Restricting Device and Resource Redirection

As was discussed in Chapter 6, "Customizing the User Experience," device redirection is a big part of making a remote application feel like a local application. Device redirection allows users to open local files in remote sessions or save files to their local computers, copy data back and forth, play and record audio, and so forth.
Integration between local and remote computers sounds great until you really need to enforce security on corporate data. For example, by default, client drives and the clipboard are visible in a remote connection, but both open a security hole from the data center to a remote computer. Drive redirection allows users to copy or even save sensitive data from the corporate network to a possibly unsecured computer.
The rule of thumb for device and resource redirection is that more is not necessarily better. Disable redirection that you don't need. As you can see from the descriptions in Chapter 6, disabling unnecessary devices both cuts down on bandwidth that might be used for other functions and reduces the exposure of the server and of sensitive data.

NOTE  For details on how device redirection works when applied at the user, machine, or Group Policy level, see Chapter 6.

Restricting Device and Resource Redirection Using Group Policy

You can configure device and resource redirection by setting the corresponding device or resource Group Policy settings to the appropriate state. Note that these are computer policies, not user policies. You configure device redirection based not on who someone is, but on what machine she is working on.
The following computer policies are located at Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device And Resource Redirection:
■ Allow Audio Redirection  You might want to disable audio redirection if you're not running any applications that require it, because it takes up more bandwidth.
■ Do Not Allow Clipboard Redirection  What if you'd generally like to enable clipboard redirection but have one or two sensitive applications? Because RemoteApp programs running on the same server for the same user are all running within a single session and in the same user context, it's not possible to disable clipboard redirection on a per-application basis. To be that specific, you'll need to isolate the applications requiring the higher level of security on separate servers and disable clipboard redirection on those servers.
■ Do Not Allow COM Port Redirection  To disable COM port redirection, enable this policy. Not many resources use COM ports these days.
■ Do Not Allow Drive Redirection  Redirecting user drives to the session enhances the feel of the session but opens a security hole. RDS drive redirection works two ways: any data that users can access from the session can be copied from it, and they can copy data to any drive to which they have access. To turn off drive redirection for users or computers, enable this policy.
■ Do Not Allow LPT Port Redirection  LPT ports are used to access older printers. If you don't have a need to redirect these devices, enable this policy.
■ Do Not Allow Supported Plug And Play Device Redirection  Enable this policy to disable redirection for Plug and Play devices such as cameras.
■ Do Not Allow Smart Card Device Redirection  Enable this policy to disable smart card redirection.
Drive redirection is an obvious security hole (it allows users to transfer files from their remote session to their local hard drive and vice versa), but printing can also create a security problem, because a redirected printer is another path for data to leave the session. To disable all printer redirection, enable this policy, found in the computer's Group Policy settings: Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection\Do Not Allow Client Printer Redirection. By default, it is not configured; if it is not configured, printer redirection can be controlled via Active Directory Users And Computers, Remote Desktop Connection (RDC), or RD Session Host Configuration.
You can also disable redirection of specific types of supported Plug and Play devices. For example, you might not want to block all Plug and Play device redirection, but you don't want to allow floppy disk or CD-ROM drive redirection specifically. The Group Policy object (GPO) setting to do this is located at Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions\Prevent Installation Of Devices That Match Any Of These Device IDs.

NOTE  The redirection-oriented group policies mentioned in this section are covered in
more detail in Chapter 6.
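The policies listed above all end up as DWORD values under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, which makes them easy to audit and, on a standalone or lab server, to apply without the Group Policy editor. The PowerShell below is an added example for this edition, not the book's or Microsoft's code; the value names are the ones the Remote Desktop Session Host administrative template writes (note that smart card redirection is the odd one out, where 0 in fEnableSmartCard blocks it). Values written to this key directly are replaced on the next policy refresh if a domain GPO sets them, so use -Apply only where no GPO governs the host and treat the read-only output as the audit everywhere else.

```powershell
# Added example, not from the book. Audits, and with -Apply sets, the computer-side
# redirection policies from the list above by writing the same registry values the
# administrative template uses. Run elevated; a domain GPO overrides these on refresh.
$RdsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Policy display name, the value it writes, and the DWORD that turns the redirection OFF.
$RedirectionPolicies = @(
    @{ Name = 'Allow Audio Redirection';                                  Value = 'fDisableCam';      Off = 1 },
    @{ Name = 'Do Not Allow Clipboard Redirection';                       Value = 'fDisableClip';     Off = 1 },
    @{ Name = 'Do Not Allow COM Port Redirection';                        Value = 'fDisableCcm';      Off = 1 },
    @{ Name = 'Do Not Allow Drive Redirection';                           Value = 'fDisableCdm';      Off = 1 },
    @{ Name = 'Do Not Allow LPT Port Redirection';                        Value = 'fDisableLPT';      Off = 1 },
    @{ Name = 'Do Not Allow Supported Plug And Play Device Redirection';  Value = 'fDisablePNPRedir'; Off = 1 },
    @{ Name = 'Do Not Allow Smart Card Device Redirection';               Value = 'fEnableSmartCard'; Off = 0 },
    @{ Name = 'Do Not Allow Client Printer Redirection';                  Value = 'fDisableCpm';      Off = 1 }
)

function Get-RdsRedirectionState {
    $props = Get-ItemProperty -Path $RdsPolicyKey -ErrorAction SilentlyContinue
    foreach ($p in $RedirectionPolicies) {
        $current = $null
        if ($props -ne $null) {
            $prop = $props.PSObject.Properties[$p.Value]
            if ($prop -ne $null) { $current = $prop.Value }
        }
        $state = 'Not configured (redirection allowed)'
        if ($current -ne $null) {
            if ($current -eq $p.Off) { $state = 'Redirection blocked' } else { $state = 'Redirection explicitly allowed' }
        }
        New-Object PSObject -Property @{ Policy = $p.Name; ValueName = $p.Value; Current = $current; State = $state }
    }
}

function Set-RdsRedirectionLockdown {
    # Blocks every redirection type except the value names passed in -Keep.
    # Without -Apply it only prints what it would change.
    param([string[]]$Keep = @(), [switch]$Apply)
    foreach ($p in $RedirectionPolicies) {
        if ($Keep -contains $p.Value) { continue }
        if ($Apply) {
            if (-not (Test-Path $RdsPolicyKey)) { New-Item -Path $RdsPolicyKey -Force | Out-Null }
            New-ItemProperty -Path $RdsPolicyKey -Name $p.Value -Value $p.Off -PropertyType DWord -Force | Out-Null
        } else {
            Write-Output ('Would set {0} = {1}  ({2})' -f $p.Value, $p.Off, $p.Name)
        }
    }
}

# Dry run: a baseline that blocks drives, clipboard and the rest but still permits printing.
Set-RdsRedirectionLockdown -Keep 'fDisableCpm'
Get-RdsRedirectionState | Format-Table Policy, Current, State -AutoSize
```

Because drive and clipboard redirection are on unless something turns them off, "Not configured" in the audit output means the hole is open, not that nothing has happened; that is the row to look for when reviewing a server that is supposed to be locked down.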

Restricting Printer Redirection Using Active Directory Users And Computers

Only printer redirection can be controlled via Active Directory Users And Computers. To do so, open Active Directory Users And Computers, double-click a user account, click the Environment tab, and select or clear the check box next to Connect Client Printers At Logon. This setting is enabled by default.
By default, the client-side default printer is the default printer in the remote session. To disable this behavior, clear the Default To Main Client Printer check box.

NOTE  There is also a Connect Client Drives At Logon option; it is checked by default.
However, this setting has no effect. It was originally designed to be used by the Citrix
MetaFrame add-on to Microsoft Windows 2000 Remote Desktop Services before the
Remote Desktop Protocol (RDP) supported drive redirection, and it isn’t used by RDP.

Restricting Device and Resource Redirection Using the RD Session Host Configuration Tool

You can also disable device and resource redirection from Remote Desktop Session Host Configuration, but remember that this means configuring each server separately. You cannot configure device and resource redirection for pooled or personal VMs using RD Session Host Configuration.
To disable drive and resource redirection from Remote Desktop Session Host Configuration, open the RDP-Tcp Properties dialog box by double-clicking RDP-Tcp, and then navigate to the Client Settings tab shown in Figure 7-1. Select the check boxes corresponding to the types of redirection that you want to disable. Click Apply and then click OK.

FIGURE 7-1  Restrict redirection by selecting the check boxes on the Client Settings tab of the RDP-Tcp Properties dialog box.

Preventing Users from Reconfiguring the Server

You really don't need users to reconfigure a single RD Session Host server without your knowledge, let alone an RD Session Host server farm that you are trying to keep consistent. At the very least, this nullifies your change management policies; at worst, it could render the server unusable. For pooled VMs, even though the VM will be reverted to its previous state when the user is done with it, for security reasons (and to lower support costs) it might be advantageous to restrict access to parts of the system that the user has no reasonable cause to access. Set the following Group Policy settings to help limit server (and pooled VM) changes to the ones that you know about and authorize.

Restricting Access to the Control Panel
User Configuration\Policies\Administrative Templates\Control Panel

■ Prohibit Access To Control Panel  Users should have no need to access the Control Panel. Enabling this setting removes Control Panel from the Start menu and Windows Explorer, so users won't have access to Control Panel, nor will they be able to run any of the Control Panel items.

NOTE  When you enable this setting, you prevent administrators from installing any
Windows Installer (MSI) package onto the RD Session Host server, even if Deny is explicitly
set for the Administrator account. Therefore, to install applications, you’ll need to disable
this policy. While installing, disable remote logons.

Restricting Printer Driver Installation

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options

■ Devices: Prevent Users From Installing Printer Drivers  Enabling this setting prevents users from adding printer drivers to an RD Session Host server as part of adding a network printer. This policy does not affect administrators and does not pertain to adding a local printer.

Preventing Access to the Registry

At first, thinking that users might run Regedit.exe leads to worst-case scenarios. The truth is, on an RD Session Host server, domain users are restricted to writing to their own keys. That said, you don't want users wandering through the registry. To prevent access to tools that enable direct read and write capabilities to the registry, use the following policy and its option:

User Configuration\Policies\Administrative Templates\System

■ Prevent Access To Registry Editing Tools  By default, access to the registry (on a limited basis) is allowed. Enable this setting to prevent access to the registry editing tools.
■ Disable Regedit From Running Silently  This is an option within the Prevent Access To Registry Editing Tools setting. Set it to Yes to prevent users from running regedit with the /s switch. Otherwise, a user could run regedit /s Filename.reg from a command prompt and import a file into the registry even though Prevent Access To Registry Editing Tools is enabled.
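The regedit /s gap above is worth checking for explicitly, because the two states look the same from the Start menu. The PowerShell below is an added example for this edition, not the book's code: Prevent Access To Registry Editing Tools writes DisableRegistryTools under the user's Policies\System key, with a value of 1 when the silent option is No and 2 when it is Yes, and Prohibit Access To Control Panel writes NoControlPanel under Policies\Explorer. Run it in the session of the user you are checking, since the values live under HKCU.

```powershell
# Added example, not from the book. Reads the user-side policy values behind the two
# lockdown settings above and flags the partial state in which interactive regedit is
# blocked but "regedit /s file.reg" still imports. Run as the user being checked.
function Get-UserLockdownState {
    $sys = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   -ErrorAction SilentlyContinue
    $exp = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
    $regTools = $sys.DisableRegistryTools     # $null/0 = allowed, 1 = blocked, 2 = blocked incl. /s
    $noCp     = $exp.NoControlPanel           # 1 = Control Panel prohibited

    $findings = @()
    if ($regTools -eq $null -or $regTools -eq 0) {
        $findings += 'Registry editing tools are not blocked'
    } elseif ($regTools -eq 1) {
        $findings += 'Regedit is blocked interactively, but regedit /s still imports; set Disable Regedit From Running Silently to Yes'
    }
    if ($noCp -ne 1) { $findings += 'Control Panel is reachable' }

    New-Object PSObject -Property @{
        DisableRegistryTools = $regTools
        RegeditSilentBlocked = ($regTools -eq 2)
        NoControlPanel       = $noCp
        Findings             = $findings
    }
}

Get-UserLockdownState | Format-List
```

An empty Findings list is what you want to see after the GPO has applied; if RegeditSilentBlocked is False while DisableRegistryTools is 1, the policy was enabled with the silent option left at No.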

Preventing Access to Windows Automatic Updates

To prevent Windows updates from being applied automatically to production RD Session Host servers, disable Windows Automatic Updates. This lockdown isn't about users as much as it is about making sure that changes aren't made unintentionally and without full testing. These policies are:

User Configuration\Policies\Administrative Templates\System

■ Windows Automatic Updates  Enabling this setting prevents Windows from automatically searching for, downloading, and installing updates. If this setting is not configured or disabled, Windows will download updates to the server automatically.

User Configuration\Policies\Administrative Templates\Windows Components\Windows Update

■ Remove Access To All Windows Update Features  Enabling this setting blocks access to the Windows Update website and removes the Windows Update link from the Start menu and from the Tools menu in Internet Explorer. Notifications about updates will cease, and automatic updating is disabled.

Closing Back Doors on RD Session Host Servers

Much of locking down the RD Session Host server involves closing back doors (places where users could run executables) on the server. This minimizes unintended consequences caused by users running the command prompt, browsing the network, or browsing the computer.

Restricting Access to the Start Menu and Networking Items

The Start menu enables access to programs and tools in full desktop sessions. Figure 7-2 outlines the Start menu program areas, which are important to understanding how the policies being discussed here work and interact.
The taskbar is also a back door to the operating system, offering easy access to the Address, Links, and Desktop toolbars. Unless you restrict access to the Start menu and taskbar, you've left many holes open on the server. For example, leaving the Run box exposed could lead to a user executing rogue software on the server.
FIGURE 7-2  The Start menu areas and their sources of data are shown here. [Figure callouts: pinned programs list; recently used programs; a program's jump list; All Programs list, which is a combination of %systemdrive%\ProgramData\Microsoft\Windows\Start Menu and %Userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu; Search box; user data; Computer, Network, Recent Items, Connect To, Games, Favorites; Control Panel, Devices And Printers, Default Programs, Administrative Tools, Help And Support, Run; Windows Security.]

To lock down the Start menu and taskbar, use these Group Policy settings, which are accessed in the following location:

User Configuration\Policies\Administrative Templates\Start Menu And Taskbar

■ Prevent Changes To Taskbar And Start Menu Settings  Being able to make changes to the taskbar and the Start menu gives users the opportunity to access programs such as Internet Explorer, email programs, network shares, and Internet websites via the Address bar, Links, and so on. Enabling this setting blocks access to the Properties dialog box that users see when they right-click the taskbar. It also removes the Taskbar and Start menu items from the Taskbar And Settings Menu Properties dialog box. It does not stop users from turning on taskbar toolbars.
■ Show QuickLaunch On Taskbar  By default, the QuickLaunch toolbar is shown on the taskbar when a user logs on. This can be helpful if you want to place application links for your users on this bar—for instance, by preconfiguring the default user profile. Just be aware that users can delete icons from the QuickLaunch toolbar, which might generate Help desk calls. Users can also turn this toolbar on and off. Hide the QuickLaunch toolbar and prevent users from turning it on by disabling this setting.
■ Remove Access To The Context Menus For The Taskbar  Enabling this setting prevents users from turning taskbar toolbars on and off.
■ Remove Programs On Settings Menu  Enabling this setting removes access to the Control Panel, Printers, and Network Connections folders from the Start menu.
■ Remove Common Program Groups From Start Menu  Enabling this setting displays only items pulled from the user's profile in the Start menu. Items from the Public User profile will not be merged and available on the user's Start menu in the All Programs list or on the desktop.
■ Remove The Pinned Programs List From The Start Menu  Enabling this setting removes the pinned programs list from the Start menu and prevents users from pinning programs to the Start menu. By default, Internet Explorer and an email client can be pinned to this menu; this setting removes their links by clearing the corresponding boxes on the Simple Start menu customization control panel.
■ Remove the All Programs List From The Start Menu  All Programs is normally made of a combination of the public users' programs and an individual user's programs portion of the profile. Enabling this setting removes the All Programs menu from the Start menu. This includes links to Accessories, the Startup folder, and other program links that you might not want to be accessible.
■ Remove Network Connections From Start Menu  Enabling this setting denies users access to the Manage Network Connection link in the Network And Sharing Center.
■ Remove Network Icon From Start Menu  Enabling this setting removes the Network icon from the Start menu; however, it still appears and is accessible in the Control Panel and Windows Explorer.
■ Remove Favorites Menu From Start Menu  Although the Favorites menu is not shown by default, enabling this setting prohibits users from displaying the Favorites menu via the Properties of the Start menu, thus prohibiting easy access to Uniform Resource Locators (URLs) from the Start menu.
■ Remove Run Menu From Start Menu  Enabling this setting removes the Run option from the Start menu, Task Manager, and Windows Explorer. In addition, users will not be able to enter a local file path or a Universal Naming Convention (UNC) path into the Internet Explorer address bar. The key combination Windows Logo+R no longer brings up the Run box if this setting is enabled.
■ Remove Drag And Drop Context Menus On The Start Menu  Enabling this setting prevents users from dragging links to the Start menu. However, it does not prevent access to the Start Menu Properties dialog box.
■ Do Not Search Internet  Enabling this setting prevents the Windows Search box from searching Internet history or Favorites. This can decrease user access to URLs that could point to executables or other potentially harmful script files.
■ Do Not Search Programs and Control Panel Items  Enabling this setting keeps users from using the Search box on the Start menu to search for programs or Control Panel items on the RD Session Host server. This will prevent searching the RD Session Host server for programs that users might not need to run or which might be harmful.
Removing Icons from the Desktop

Placing icons on the desktop is a very easy and direct way to access some information if you're displaying full desktops instead of RemoteApp programs. However, you might not want users looking at the System properties of My Computer or mapping a drive so easily. You can remove icons from the desktop with these settings, accessible from the following location:

User Configuration\Policies\Administrative Templates\Desktop

■ Hide And Disable All Items On The Desktop  Enabling this setting hides and disables all items on the desktop, including the Recycle Bin and My Computer. Users will not be able to access My Computer from the desktop and gain access to unauthorized data and programs by mapping a network drive. (These programs are still available from other locations, such as the Desktop toolbar on the taskbar, however.)
■ Remove Computer Icon From The Desktop  This policy removes the Computer icon from the desktop as well as within Windows Explorer, and from the Desktop toolbar on the taskbar, preventing users from right-clicking My Computer and mapping a drive.

Restricting Access to CD-ROM and Floppy Drives

CD-ROM and floppy drives (if your servers even have floppy drives) on the server should not be a large security risk. If you have any level of physical security on the servers hosting the VMs and sessions, users won't be able to insert their own CDs and floppy disks into a server that is located behind a locked door. In the interest of securing the server, however, you can enable these policies, which restrict the drives to the locally logged-on user (so remote sessions cannot reach them) while keeping them available for local use. They are available in the following location:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options

■ Devices: Restrict CD-ROM Access To Locally Logged-On User Only
■ Devices: Restrict Floppy Access To Locally Logged-On User Only

Preventing Access to the Command Prompt

The command prompt isn't a back door to the server as much as a front door. If you can get to the command prompt, you can run any executable to which you have access and permission to run. To disable the command prompt, configure the policy in the following location:

User Configuration\Policies\Administrative Templates\System

■ Prevent Access To The Command Prompt  Enable this setting to prevent users from using the command prompt.
Removing Access to Task Manager

The Task Manager is only one step removed from the command prompt, as it provides access to the Run button. Therefore, it's good to remove this source of temptation in sessions. For VMs, you might want to leave it open so people can have more control over hanging applications or other Task Manager tools—it depends on whether you view access to Run as acceptable. This policy is available in the following location:

User Configuration\Policies\Administrative Templates\System\Ctrl+Alt+Del Options

■ Remove Task Manager  Enable this setting to prevent users from executing new tasks (starting programs) or changing the priority of processes via the Task Manager.

Restricting Access to Internet Explorer and the Internet

One way to block Internet access is to block the only browser installed by default—Internet Explorer. To block access to Internet Explorer completely, create a Software Restriction Policy or AppLocker rule (more about this in the section entitled "Preventing Users from Running Unwanted Applications" later in this chapter) that prevents Internet Explorer from running. You can also inhibit access to Internet Explorer by hiding its icon and removing access to Windows Updates. These options are accessible from the locations given here:

User Configuration\Policies\Administrative Templates\Start Menu And Taskbar

■ Remove Links And Access To Windows Update  Although the Windows Update website is available only to administrators, users can use Windows Update from the Control Panel (if you have not blocked access to it) to open Internet Explorer. If you are not blocking Internet Explorer access, enable this setting.

User Configuration\Policies\Administrative Templates\Desktop

■ Hide Internet Explorer Icon On Desktop  This policy does not prevent users from starting Internet Explorer another way, but it removes the Internet Explorer icon from the desktop and from the QuickLaunch toolbar on the taskbar.

Sometimes blocking Internet Explorer is not practical. To limit access via Internet Explorer, you can configure a proxy setting on the browser to point to an internal web page telling users that Internet access has been blocked, and disable the ability to change the proxy settings. This will allow access to intranet sites while keeping users off the Internet. To do so, configure the following policies, found in these locations:

User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\Connection

■ Proxy Settings  Set the proxy settings to a false internal address or to an internal website that tells users that Internet access is forbidden from Remote Desktop Services (RDS). Select the Do Not Use Proxy Server For Local (Intranet) Addresses check box.
User Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer

■ Disable Changing Proxy Settings  Enable this setting so users can't disable or change the proxy setting that you defined.

If users need to access Internet Explorer to reach the Internet, you can at least stop them from changing browser settings by enabling the following settings controlling the display of the tabbed Tools dialog box, available in this location:

User Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel

■ Disable The Advanced Page  Enabling this setting blocks access to the Advanced page defining the security settings for Internet Explorer. (The Advanced page has other functions, but the security settings are most important to the safety of your RD Session Host servers.)
■ Disable The Connections Page  Enabling this setting blocks access to the Connections page, where users can configure VPN and proxy settings.
■ Disable The Content Page  Enabling this setting blocks access to the Content page, where ratings and certificates are managed.
■ Disable The General Page  Enabling this setting blocks access to the General page, where the home page settings, display settings, and browsing history are managed.
■ Disable The Privacy Page  Enabling this setting blocks access to the Privacy page, which defines settings for blocking pop-up windows and the security settings for pages.
■ Disable The Programs Page  Enabling this setting blocks access to the Programs page, where email clients, default browser notifications, and browser add-ons are managed.
■ Disable The Security Page  Enabling this setting blocks access to the Security page, where zone trust levels (and zone memberships) are set. This is another important page to lock down.

Restricting Access to System Drives

The goal is to keep users out of drives on the server. Users aren't storing data on a session or pooled VM, so they don't need to be able to do anything other than run the applications allotted to them. By default, ordinary users can't do much to the system drives—if they try to delete important files or published applications, they are prompted for administrative credentials. If they run management tools such as Remote Desktop Services Configuration on the RD Session Host server, they can view options but can't edit them. However, there's no reason for users to be poking around the system drive, so you need to know how to keep them from doing this. The following options are found in this location:
User Configuration\Policies\Administrative Templates\Windows Components\Windows Explorer

■ Remove Map Network Drive And Disconnect Network Drive  Enabling this setting removes the ability to map a network drive by right-clicking My Computer or from the Tools menu in Windows Explorer and Network Sharing Center.
■ Remove Windows Explorer's Default Context Menu  Enabling this setting removes the window that users get when they right-click an item in Windows Explorer; for instance, enabling this policy would disable right-clicking My Computer located on the desktop, which provides users with a menu with the option to map a network drive or manage the computer.
■ Hide These Specified Drives In My Computer  This setting does just what it says: it hides the drive letters that you specify. It does not block access to the drives via other methods such as Run. Limit this setting to specific drive letters if you have mapped drives that users must have readily available. To really prevent access, use it in combination with the Prevent Access To Drives From My Computer policy.
■ Prevent Access To Drives From My Computer  Enable this setting for drives A through D to prevent access to those drives, which are most likely the system drives, the floppy drive (if present—it's not likely), and the CD-ROM drive. Users will see the drives but cannot open or search them. Limit this setting to specific drive letters if you have mapped drives that users need to access. This setting is useful to prevent users adding local drives to libraries.
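The user-side settings described above (the registry editing tools and regedit /s, the command prompt, Task Manager, the Run box, Control Panel, drive mapping, and hiding and blocking drives A through D) are all Administrative Template settings, which means each one is a registry value in the user's Policies keys. The following script is an added example, not code from the book: it writes those values into one GPO with the GroupPolicy module so the lockdown is repeatable and can be read back and compared with what is intended. The GPO name and OU distinguished name are placeholders; the value names and numeric values are the ones the corresponding settings store.

```powershell
# Added example, not from the book: script the chapter's user-side lockdown
# into one GPO. Run on a machine with the GroupPolicy module (RSAT / GPMC).
Import-Module GroupPolicy

$gpoName = 'RDSH User Lockdown'                        # placeholder
$ouDn    = 'OU=RD Session Hosts,DC=contoso,DC=com'     # placeholder

$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$winsys   = 'HKCU\Software\Policies\Microsoft\Windows\System'

# Drive bitmask used by NoDrives and NoViewOnDrive: bit 0 = A, bit 1 = B, ... so A-D = 0xF.
$drivesAtoD = 0x0F

$settings = @(
    # Prevent Access To Registry Editing Tools; 2 also blocks "regedit /s" (1 leaves the silent switch usable).
    @{ Key = $system;   Name = 'DisableRegistryTools';   Value = 2 }
    # Remove Task Manager (Ctrl+Alt+Del Options).
    @{ Key = $system;   Name = 'DisableTaskMgr';         Value = 1 }
    # Prevent Access To The Command Prompt; 1 also blocks batch-file processing, 2 would allow scripts.
    @{ Key = $winsys;   Name = 'DisableCMD';             Value = 1 }
    # Remove Run Menu From Start Menu (also disables Windows Logo+R).
    @{ Key = $explorer; Name = 'NoRun';                  Value = 1 }
    # Prohibit access to Control Panel.
    @{ Key = $explorer; Name = 'NoControlPanel';         Value = 1 }
    # Remove Map Network Drive And Disconnect Network Drive.
    @{ Key = $explorer; Name = 'NoNetConnectDisconnect'; Value = 1 }
    # Hide These Specified Drives In My Computer, plus Prevent Access To Drives From My Computer, A through D.
    @{ Key = $explorer; Name = 'NoDrives';               Value = $drivesAtoD }
    @{ Key = $explorer; Name = 'NoViewOnDrive';          Value = $drivesAtoD }
)

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'User-side RD Session Host lockdown (chapter 7)' }

foreach ($s in $settings) {
    Set-GPRegistryValue -Name $gpoName -Key $s.Key -ValueName $s.Name -Type DWord -Value $s.Value | Out-Null
}

# Read the GPO back and compare with the intended table, so a drifted or
# half-applied GPO is visible before it is linked to production.
$drift = foreach ($s in $settings) {
    $actual = (Get-GPRegistryValue -Name $gpoName -Key $s.Key -ValueName $s.Name).Value
    if ($actual -ne $s.Value) { "$($s.Key)\$($s.Name): expected $($s.Value), found $actual" }
}
if ($drift) { Write-Warning ($drift -join "`n") }
else        { Write-Host "All $($settings.Count) values are set in '$gpoName'." }

# Link to the RD Session Host OU. Because these are user settings, they only
# reach session users on those servers once loopback processing is enabled.
$linked = (Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $ouDn | Out-Null }
```

The same read-back loop can be run on its own against a GPO someone else built, which is a cheap way to audit that a lockdown GPO still carries every value it should.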

Controlling Libraries

Libraries, introduced with Windows 7 and Windows Server 2008 R2, don't fundamentally change the need to lock down the RD Session Host server or pooled VMs, but they do give you another reason to do it. Libraries are designed to encourage users to add more storage locations, and you really don't want users to add locations on the local hard disk. As discussed in Chapter 5, "Managing User Data in a Remote Desktop Services Deployment," storing files on the hard disk complicates backups (for RD Session Host servers) and can lead to destroyed data (for pooled VMs set to roll back at user logoff). Let's talk about how to configure libraries to prevent users from saving files locally.
First, you'll need a little background, because libraries are new. Libraries don't contain anything themselves—they are collections of associated folder locations. These collections are stored in Extensible Markup Language (XML) files (one for each library) with names like Music.library-ms. All libraries are stored in C:\Users\UserName\AppData\Roaming\Microsoft\Windows\Libraries, meaning that they can be part of the roaming user profile if you have one. (Even if you're using a local profile, the library data will still be stored in the same place.) If you're using roaming user profiles, users do not have to re-create their libraries every time they log on to a new RD Session Host server or pooled VM. There are four default libraries: Documents, Videos, Pictures, and Music.
The library description files include information like the Security ID of the owner, the folder type (different types of files use different types to display different kinds of data differently), and the default save location for the library. Although you can read this file in Notepad, it's not very informative, and it's not recommended that you edit it manually because it would be easy to mess up.

NOTE  C++ developers can edit this file programmatically using the IShellLibrary interface documented on MSDN at http://msdn.microsoft.com/en-us/library/dd391719(v=VS.85).aspx. There is no Windows PowerShell or Windows Management Instrumentation (WMI) interface to manipulate libraries, unfortunately.

The main issue with libraries is that by default, the Documents library (for example) contains two folders: My Documents and Public Documents. If you have set up folder redirection, My Documents will be the path to the redirected folder, which is what you want. My Documents is the default save location, which is also what you want.
However, the library also surfaces the Public Documents folder on the C drive (in Users\Public\Documents), which is not what you want. It's possible that there could be some reason why you'd want to store documents there that all the users could see, but that's not a great plan most of the time, for reasons explained in the first paragraph. You also don't want people adding more locations on the C drive and scattering files randomly on the RD Session Host hard disk or on a pooled VM that will be overwritten when users are finished with it—annoyed users will be calling the Help desk looking for their missing files. To prevent users from storing files in Public Documents or anywhere else on the C drive, you should use NTFS permissions and the Hidden attribute to lock down the C:\Users\Public folder.
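The paragraph above says what to do to C:\Users\Public but not how. The script below is an added example, not code from the book: it replaces the folder's ACL with an allow-list that leaves session users read-only, pushes that ACL down the tree, and sets the Hidden attribute. It assumes you run it elevated on the RD Session Host (or on the pooled VM template), that the built-in SYSTEM, Administrators and Users identities are the ones you grant through, and that nothing on the server needs to write to Public at run time (some applications keep shared data there, so test before rolling it out).

```powershell
# Added example, not from the book: make C:\Users\Public read-only for users and hide it.
$public = 'C:\Users\Public'

function New-AllowRule {
    param([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights)
    # Inherit to subfolders and files so the root ACL is the only one that matters.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# Root: stop inheriting from C:\Users, drop every explicit ACE, then grant only
# what is needed. An allow-list is used rather than a Deny ACE on Domain Users
# because Domain Admins are members of Domain Users, so such a Deny would lock
# administrators out as well.
$acl = Get-Acl -Path $public
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($ace) }
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM'    'FullControl'))
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Users'          'ReadAndExecute'))   # read, list, run; no write
Set-Acl -Path $public -AclObject $acl

# Subfolders and files: clear their own explicit ACEs and let the root ACL flow
# down. Reparse points are skipped so nothing outside the tree is touched.
Get-ChildItem -Path $public -Recurse -Force |
    Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) } |
    ForEach-Object {
        $childAcl = Get-Acl -Path $_.FullName
        $childAcl.SetAccessRuleProtection($false, $false)
        foreach ($ace in @($childAcl.Access | Where-Object { -not $_.IsInherited })) { [void]$childAcl.RemoveAccessRule($ace) }
        Set-Acl -Path $_.FullName -AclObject $childAcl
    }

# Hidden attribute: keeps the folder out of Explorer's default view. It is not a
# security boundary; the ACL above is.
$item = Get-Item -Path $public -Force
$item.Attributes = $item.Attributes -bor [IO.FileAttributes]::Hidden

# Show the resulting root ACL: Users should appear with ReadAndExecute only.
(Get-Acl -Path $public).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

Keep in mind that installers running as an administrator still write shortcuts to Public\Desktop, which is fine with this ACL; what changes is that a session user who adds Public Documents to a library and tries to save there gets an access-denied error instead of a file on the local disk.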

Preventing Users from Running Unwanted Applications

Your goal is to prevent users from running any applications to which you have not granted access. As Chapter 9 discusses, publishing applications via the RemoteApp Manager adds them to the allow list of applications that can be started locally. The allow list controls which RemoteApp can be used to begin a session. However, after a user makes a connection to the RD Session Host server, the allow list has no further effect. This section talks about the default ways to restrict program access.
DIRECT FROM THE FIELD

The Simplest Way to Lock Down an RD Session Host Server


Brian Madden
Remote Desktop Services MVP

What's the simplest thing you can do to lock down an RD Session Host server?
Remove the Execute permissions from everywhere they don’t need to be. Do
users really need to be able to execute programs from their home drives, temporary
Internet files, or the Outlook attachment cache folder? Of course not! By preventing
them from doing so using this method, you remove about 99.99 percent of all pos-
sible ways to execute “rogue” software on your RD Session Host server.

Whether you remove these permissions via Group Policy (with a Software Restric-
tion Policies disallowed path rule or by using AppLocker) or via good old-fashioned
editing of NTFS permissions depends largely on your environment and what else
you might be doing. But the bottom line is that there are only a few folders from
which users actually must be able to run programs (such as the Windows and Pro-
gram Files folders, for example). For everything else on a server (and the network),
remove those permissions.

User Configuration\Policies\Administrative Templates\System

● Don’t Run Specified Windows Applications  This is the block list ap-
proach—starting with everything and then defining applications that are not
allowed to run. Blacklists aren’t the most effective way to manage applica-
tions because executable names change (or new executables are created) and
block lists don’t take changes into account.
This policy does not stop users from copying the executable file from another
computer, renaming it, and running the same application under another
name. A better way to block application execution is to implement Software
Restriction Policies.
● Run Only Specified Applications  This is a whitelist approach—starting from
nothing and then adding programs that are allowed to run. This approach is
more secure than the block list approach because it does restrict even new
executables, but it can be difficult to implement because of unexpected ap-
plication dependencies.
Enabling this setting and adding executables to the corresponding list
prevents all programs except the ones on the list from running. However, it
does not stop users from copying an executable file from another computer,
renaming it to match an application known to be exempt, and running it that
way.

Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections

● Allow Remote Start Of Unlisted Programs  When disabled, this policy prevents users from starting any application via RDP other than the ones specified in the allow list. Again, be aware that this does not affect locally run programs. If you log on to the RD Session Host server and are presented with a desktop, then you can still run other programs that are not on the RemoteApps list.
Because the Group Policy settings don't check for anything except the file name, a better approach to blocking application execution is to implement Software Restriction Policies.

Using Software Restriction Policies

Software Restriction Policies (SRPs) block unauthorized applications, scripts, macros, or any other executables from running on an RD Session Host server or a VM.

NOTE  AppLocker, which is discussed next, supersedes SRP for Windows 7 and Windows Server 2008 R2. Although SRPs will work with Windows 7 and Windows Server 2008 R2, you will most likely use AppLocker instead because it's a lot simpler. For all other operating systems, you will continue to use SRP to restrict application access.

SRPs are implemented through Group Policy and checked every time a piece of software is run. An SRP can be set as a user policy or a computer policy (or both), which means that administrators have the flexibility to allow or deny software for groups of users or for everyone who logs on to the session or VM.
Depending on how you set up the policy, one of two things happens. Either the software is expressly denied (or not allowed) by the policy and it does not run, or the software is specifically allowed (or not denied) by the policy and it executes. The reason that software can be seen as either expressly allowed or not denied and vice versa is because there are three ways to set up the policy.
A Software Restriction Policy is made up of two parts: a security level and additional rules. The security level is an overall rule that reflects the method that you will use to restrict software access. Three security levels are available at the following location:

Computer Configuration\Policies\Windows Settings\Security Options\Software Restriction Policies\Security Levels

NOTE  These GPO settings will be available after you create a policy.
■ Unrestricted  This is the least secure method. It allows all programs to be executed except those that you specifically deny. This is commonly called "blacklisting."
■ Basic User  This method is considered an intermediate level of security. Unless there is an exception found for this rule, software will run as a normal user (without administrative privileges).
■ Disallowed  This is the strictest, but also the most secure, method. It does not allow any programs to run except those that you specifically allow. If you choose to use this method, take care to test the policy fully before activating it on production computers, so you find all software dependencies. This approach is commonly called "whitelisting."

When you have chosen your security level, make exceptions to this overall rule for specific applications or for types of applications or code. You can do this by creating additional rules with a different default rule applied. There are four types of additional rules that you can create to make exceptions to the security level, at the following location:

Computer Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules

These GPO settings will be available after you create a policy.

■ Hash Rule  A hash is a digital fingerprint of a piece of software. Using the piece of software as an input to an algorithm, the algorithm then creates a representation (a hash) of the piece of software based on its contents instead of other ways, such as its location or its name. If you change anything about the software, its hash is no longer valid and it will not execute.
■ Certificate Rule  A certificate rule uses code-signing digital certificates to identify software. You can issue code-signing certificates to your software and use them to identify the software on the RD Session Host server by checking the digital signature in the certificate.

NOTE  The Basic User security level is not supported for certificate rules.

■ Path Rule  This rule identifies a specific path of an application and only the application in that path can be allowed or denied. A specific piece of code (such as Winword.exe) can be expressed in the path, or the path can point to a folder. If the latter, all code in the folder is allowed or denied. For example, if you host Microsoft Office 2010 applications on your RD Session Host server, you can point to the Microsoft Office installation directory. All code in that directory will be allowed or denied depending on the policy security level and additional rule settings. Environmental variables, UNC paths, registry paths, question marks, and asterisk wildcards can be used in path rules.
■ Network Zone Rule  This rule applies only to MSI files, so it is probably not very useful in locking down an RD Session Host server except when installing software. The network zone rule allows or denies software installation (for MSI files only) based on which Internet zone it was downloaded from.
These rules are applied from the most specific to the most general. Certificate rules are extremely specific about the software they represent, followed by hash rules, then path rules, and finally, Internet zone rules are the least specific. Any software not covered by one of these additional rules is controlled by the default security level (default rule).
For example, let's create an SRP that will affect domain users in the following ways when they log on to your RD Session Host server(s):
■ Domain users can run Office 2007 applications.
■ Domain users cannot run Internet Explorer.
■ Domain users cannot run Cmd.exe or Control.exe (Control Panel).
■ Domain users cannot run any software on the RD Session Host server that is not installed on the RD Session Host server. For instance, if a user copies Cmd.exe from her local computer to the roaming profile desktop and then tries to start this application from the RD Session Host server, you want the action to fail.
This example assumes you have your RD Session Host servers placed in their own organizational unit (OU), and if you have multiple RD Session Host servers in the same farm, that they are configured identically. See Chapter 9 for more about RD Session Host farms.
Because you want to affect the domain users group when they log on to the RD Session Host server, create a Software Restriction Policy in the user section of a GPO, located here:

User Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies
NOTE  The Software Restriction Policy setting for Computers is located at Computer Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies.

Open the Group Policy Management console (GPMC) and create a new GPO; in this example, it is named RD Software Restriction Policy. Then navigate to the Software Restriction Policies folder, right-click the folder, and choose New Software Restriction Policies.
To keep software that is not installed from running, you need to disallow all software from running and then make exceptions to this rule for software located in specific places on the server.
Click the Security Levels folder, and in the right pane, right-click Disallowed and choose Set As Default. Now you need to create the exceptions to this default rule. So you don't lock yourself out, and so you can run applications installed on the RD Session Host server, Microsoft creates two exceptions to the Disallowed security level and places them in the Additional Rules folder when you create a new SRP. They are:
■ %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
The security level for this additional rule is set to Unrestricted; it allows access to items in the server system root folder (C:\Windows). Users need access to some items in the Windows folder to log on, so keep this setting.
■ %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
The security level for this additional rule is set to Unrestricted and allows access to the items in the Program Files directory. Internet Explorer happens to be installed to this directory, so delete this rule, because one of the goals is to block access to Internet Explorer.
Users currently have unrestricted access to Cmd.exe and Control.exe because of the additional rule that allows unrestricted access to the Windows folder; Windows contains the System32 folder, which is where these applications reside. Therefore, you need to make additional rules to deny access for these specific applications. Right-click the Additional Rules folder and choose New Path Rule. Enter the path to Cmd.exe in the Path text box (C:\Windows\System32\Cmd.exe), change the security level to Disallowed, type a description of the rule, and click OK. Then do the same thing for Control.exe.
To allow Office software to run, create another path rule, type the path to Office (typically C:\Program Files\Microsoft Office), and change the security level to Unrestricted. Type a description of the rule and click OK. To apply this GPO to the Domain Users group, change the security filtering on the GPO by removing the Authenticated Users group and adding the Domain Users group. Apply the GPO to the OU where the RD Session Host server(s) reside, and then you are done.
Now, if you don't already have loopback policy processing enabled, create a computer GPO, apply loopback processing, and then apply the GPO to the RD Session Host server OU. This applies the user's SRP to the users specified in the user's SRP security filtering.
If you set SRPs using a computer GPO, you will likely want to forgo applying this policy to the local administrator account. To do this, click the Software Restriction Policies folder, double-click the Enforcement setting, and choose to Apply Software Restriction Policies To The Following Users: All Users Except Local Administrators. Click OK.

Using AppLocker
Although older operating systems will continue to rely on SRP to control software access, AppLocker, which is new to Windows Server 2008 R2 and Windows 7 (Ultimate and Enterprise editions), supersedes SRP for these new operating systems and provides an enhanced software restriction feature set. In fact, while AppLocker has some similarities to Software Restriction Policies, it is actually a completely new feature built using different technology.

NOTE  Windows 7 Professional can be used only to create AppLocker rules—the rules
cannot be enforced in this version.

AppLocker has quite a few advantages over SRPs:

■ AppLocker rules can be applied to specific users or user groups (whereas SRP rules apply to all users).

■ Unlike hashes, AppLocker rules can survive version upgrades and location path changes because they can be based on digital signatures.
■ AppLocker policies can be run in audit-only mode, so you can determine the effect of a rule before you deploy it.
■ AppLocker rules are wizard-driven, so they're easy to set up. Because you can import and export them, it's also easy to move rules from a test to a production environment.
■ AppLocker organizes file formats into four collections [executables, installers, scripts, and dynamic-link libraries (DLLs)] to provide simple ways to build multiple rules that together can provide more detailed restrictions.
■ AppLocker has Windows PowerShell support via AppLocker cmdlets.
You can still use SRPs with Windows 7 and Windows Server 2008 R2, but if AppLocker rules and SRPs exist in the same GPO, the AppLocker policies will supersede any SRP policies for Windows 7 and Windows Server 2008 R2. Older operating systems will use only the Software Restriction Policies.

NOTE  You don’t have to upgrade your infrastructure to support AppLocker. A computer
running Windows Server 2008 R2 or Windows 7 is needed to create the rules, but they can
be housed on a Windows Server 2003 or 2008 domain controller.

AppLocker is similar to SRP in that you create whitelists (rules that specifically allow access to files) and blocklists (rules that specifically deny access to files) to control access to files and folders on computers. You create rules as needed, for four predefined file categories (collections): executables, scripts, installers, and DLLs.

NOTE  DLL rules are turned off by default, because DLL rules can affect machine perfor-
mance. Take caution when creating and enforcing DLL rules and test thoroughly before
deployment.

AppLocker Underlying Philosophy: Admit Nothing, Deny Everything


AppLocker's basic approach is one of extreme control: do exactly what the rules dictate, and deny all other access for executables in that collection. It does this indiscriminately for both whitelists and blocklists. In other words, if no rules are set for a specific collection, then all access is allowed. The minute that you create a rule for a collection, only what is allowed in that rule is applied, and all other access is denied.
This approach is important to understand because it can have some unexpected consequences. For example, if you allow domain administrators access to all executables, that is great for them. But by creating only this rule, you inherently deny everyone else access to any executables on the machine. This means that users can't even access the computer remotely because Winlogon.exe, Explorer.exe, and other executables needed to establish and access a session (full desktop or RemoteApp—it doesn't matter which) are denied.

To help you avoid this pitfall, when you first create a rule, AppLocker will prompt you to let it create a set of "default" rules to make sure that you don't lock people out of the machine. Of course, you can hone these rules to suit your needs.

AppLocker Rule Conditions


Again, the four collections are executables, installers, scripts, and DLLs. AppLocker rules for these four collections are based on the following three conditions:
■ Publisher  The rule is based on the file's digital signature and the extended attributes of that signature. A digital signature contains the following specific information (attributes) about the file:

• Publisher  Example: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US

• Product Name  Example: WINDOWS® INTERNET EXPLORER

• File Name  Example: IEXPLORE.EXE
• File Version  Example: 8.0.7600.16385
When you create an AppLocker rule based on a file's publisher, you browse and select the signed file, and the publisher attributes are retrieved from the file's digital signature. By default, all four of these attributes are used to determine access eligibility, but you can choose how detailed the rule is applied by moving the slider in the graphical user interface (GUI) to include or exclude certain attributes, as shown in Figure 7-3.

FIGURE 7-3  AppLocker Publisher rules are based on a combination of the extended attributes of the file's digital signature.

NOTE  You can customize publisher rules by selecting the Use custom values check box
shown in Figure 7-3 and editing the attribute values as needed.

■ Path  The rule will affect a specific file or all files in a specific folder. Both of these options are set by specifying (by typing or browsing to) the path of the file or folder.
■ File Hash  File Hash rules are based on a digital fingerprint of a file. Using the file (an executable, script, installer, or DLL) as an input, an algorithm generates a representation (a hash) of the file. If you change anything about the file, its hash is no longer valid, and allow rules will no longer work.
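
The same three conditions can be read from a file with the AppLocker cmdlets, which is a quick way to see which attributes a Publisher rule would carry and why a Hash rule is brittle. The following is an added example, not code from the book, from Microsoft, or from the companion media. It assumes the AppLocker module (Windows 7 or Windows Server 2008 R2), that the Internet Explorer and Office paths exist on the machine, that ASH\ASH Users is the group to authorize, and that the file information objects expose the publisher attributes as PublisherName, ProductName, BinaryName and BinaryVersion and the hash as HashDataString.

```powershell
# Added example (not from the book). Read the publisher attributes and the
# hash that AppLocker derives from a file, then build Allow rules that use a
# Publisher rule where a file is signed and fall back to a Hash rule where
# it is not. Paths and the group name are assumptions.
Import-Module AppLocker

function Get-AppLockerConditionSummary {
    param([Parameter(Mandatory = $true)][string] $Path)

    $info = Get-AppLockerFileInformation -Path $Path
    $pub  = $info.Publisher     # $null when the file has no Authenticode signature

    $publisher = '(unsigned: only Path or Hash rules possible)'
    $product = $null; $fileName = $null; $version = $null
    if ($pub) {
        $publisher = $pub.PublisherName     # O=..., L=..., S=..., C=...
        $product   = $pub.ProductName
        $fileName  = $pub.BinaryName
        $version   = $pub.BinaryVersion
    }

    New-Object PSObject -Property @{
        Path        = [string] $info.Path          # stored with %PROGRAMFILES% / %WINDIR% variables
        Publisher   = $publisher
        ProductName = $product
        FileName    = $fileName
        FileVersion = $version
        # Any change to the file changes this value, so a Hash rule built
        # from it stops matching after the next patch or rebuild.
        Hash        = $info.Hash.HashDataString
    }
}

# Show the conditions for a signed Microsoft binary and for Excel (assumed paths).
"$env:ProgramFiles\Internet Explorer\iexplore.exe",
"$env:ProgramFiles\Microsoft Office\Office14\EXCEL.EXE" |
    ForEach-Object { Get-AppLockerConditionSummary -Path $_ } |
    Format-List Path, Publisher, ProductName, FileName, FileVersion, Hash

# Build Allow rules for ASH Users from the Office folder. -RuleType is a
# preference order: signed files get Publisher rules (which survive version
# upgrades), unsigned ones get Hash rules. -Optimize collapses files from the
# same publisher and product into one rule. The result is policy XML that can
# be imported into a GPO.
Get-AppLockerFileInformation -Directory "$env:ProgramFiles\Microsoft Office" -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Publisher, Hash -User 'ASH\ASH Users' -RuleNamePrefix 'Office' -Optimize -Xml |
    Out-File -FilePath 'C:\AppLocker\OfficeRules.xml' -Encoding UTF8
```

Running the first part against a patched copy of a file shows the Hash value changing while the publisher attributes stay the same, which is the practical reason the book prefers Publisher rules for software that is updated regularly.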

AppLocker Rules Affect Specific Computers and Users


Overall, AppLocker rules are applied to computers or to OUs containing computers. However, each rule configuration allows you to choose what users or user groups the rule will affect. For example, you can make a rule allowing administrators to run all executables on your RD Session Host servers, and another rule allowing users to run only executables in the Windows folder (so they can log on) and also in the Office folder (so they can run their Office applications). You place these rules on the OU where the RD Session Host servers reside, and the rules apply to all computers in the OU.

AppLocker Exceptions
To facilitate even more detailed control over file access, you can also make exceptions to each rule. For example, you could allow access to all executables in the Programs folder for User Group A, except for certain applications within the Programs folder that you wish to deny to User Group A.

AppLocker Deny Rules


Similar to making allow rules, you can also create deny rules. Deny rules specifically deny access to a file or group of files. However, you can't just create a deny rule and expect everything else to be allowed, because the mere action of creating a rule for a collection means that everything that is not allowed is intrinsically denied for the collection. By doing this, you would basically deny what you put in the rule and then deny everything else as well.
So what is the purpose of deny rules if AppLocker is designed to deny everything except what is specifically allowed? Deny rules, like rule exceptions, help you create a more precise matrix of what is allowed and what is denied. Exceptions will apply to the user(s) contained only in the rule where the exception is made. Deny rules allow you to specify exceptions to rules based on user or user group because you can create a separate deny rule and apply it to a subset of users.

AppLocker Audit Mode
AppLocker is powerful. To help you determine the real effects of the rules that you make, AppLocker provides an "audit only" mode, in which you can log the effects of rules so that you can determine the overall results of rules before you put them into production. When AppLocker rule collections are set to Audit Only mode, actions that the rules would have affected (allowed or denied) will be logged in the Event Viewer of the machine where the action was committed. For example, if a user executes CMD.exe on an RD Session Host server where an AppLocker rule that was enforced would have denied the action, the following event would be logged in the RD Session Host server Event Log at Event Viewer/Application and Services logs/Microsoft/Windows/AppLocker/EXE and DLL/:

Event Id 8003: %SYSTEM32%\CMD.EXE was allowed to run but would have been prevented from
running if the AppLocker policy were enforced.
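
Reading those events one server at a time in Event Viewer does not scale to a farm, and the value of audit mode is in the aggregate: which files would have been blocked, how often, and for how many users. The following is an added example, not code from the book or its companion media. It assumes the farm members are named FUJI and GLACIER (the names used later in this chapter), that remote event log access is permitted, and that the event message begins with the file path as in the sample event above.

```powershell
# Added example (not from the book). Collect AppLocker audit-mode events from
# farm members so the effect of the rules can be reviewed before the GPO is
# switched to Enforce. Server names and the time window are assumptions.
function Get-AppLockerAuditHits {
    param(
        [string[]] $ComputerName = @('FUJI', 'GLACIER'),
        [int] $Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($server in $ComputerName) {
        # Event ID 8003: the file was allowed to run but would have been
        # prevented had the policy been enforced (the audit-only result).
        $events = Get-WinEvent -ComputerName $server -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
            Id        = 8003
            StartTime = $since
        }
        foreach ($e in $events) {
            # The message starts with the file, e.g.
            # "%SYSTEM32%\CMD.EXE was allowed to run but would have been prevented ..."
            $file = ($e.Message -split ' was allowed to run', 2)[0]
            New-Object PSObject -Property @{
                Server = $server
                Time   = $e.TimeCreated
                User   = "$($e.UserId)"      # SID of the account that launched the file
                File   = $file
            }
        }
    }
}

# Which files would the rules have blocked, how often, and for how many users?
# A legitimate business application near the top of this list means a rule
# needs adjusting before enforcement; cmd.exe or regedit.exe near the top is
# the policy working as intended.
Get-AppLockerAuditHits -Hours 72 |
    Group-Object File |
    ForEach-Object {
        New-Object PSObject -Property @{
            File  = $_.Name
            Hits  = $_.Count
            Users = ($_.Group | Select-Object -ExpandProperty User -Unique).Count
        }
    } |
    Sort-Object Hits -Descending |
    Format-Table File, Hits, Users -AutoSize
```

Once the GPO is in Enforce mode the same query with Id 8004 (the enforced "was prevented from running" event) shows actual blocks, so the function can stay in use after deployment.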

Implementing AppLocker
The following example shows how to implement AppLocker policies for an RD Session Host farm. This example shows how you can create, audit, and enforce AppLocker policies that will do the following:
■ Give administrators full access to the machine.
■ Enable access for the ASH Users group to the Microsoft Office folder on the RD Session Host server farm members, except for Microsoft Excel.
■ Provide the ASH Users group the ability to start a remote desktop session by granting access to files in the Windows folder, except CMD.exe, Powershell.exe, Regedit.exe, Wscript.exe, and Cscript.exe.
■ Block all users except administrators from running any scripts or installers on the machine.
First, for AppLocker rules to affect machines, those machines must be running the Application Identity Service. The service is not started by default, and the service setting is set to Manual. You might want to change the default service setting from manual to automatic, so that whenever you start the servers in the farm, AppLocker will work without you needing to turn the service on manually.

ON THE COMPANION MEDIA  A script that starts the AppIDSvc service and also
sets the service startup parameter to Automatic for all computers in a specified OU is
located on the companion media as Start-AppIDSvc.ps1.

Also, be aware that users who have administrator rights on machines and VMs that are controlled by AppLocker policies can render the policies useless by simply disabling the AppIDSvc service. Make sure that users do not have this ability in any RDS session or pooled/personal VM scenario.
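
Because a stopped AppIDSvc silently turns every AppLocker rule off, it is worth both setting the service to Automatic across the farm and checking, after the fact, that it is actually running on each member. The following is an added example; it is not the companion media's Start-AppIDSvc.ps1 and its OU path and domain are assumptions. It requires the ActiveDirectory module from RSAT and administrative rights on the farm members.

```powershell
# Added example (not the book's Start-AppIDSvc.ps1). Set the Application
# Identity service to Automatic and start it on every computer in an OU,
# then report any member where it is still not running. The OU path is an
# assumption; adjust it to the OU that holds the RD Session Host servers.
Import-Module ActiveDirectory

function Set-AppIDSvcAutomatic {
    param(
        [string] $SearchBase = 'OU=ASH RD Farm1,OU=RDS,DC=ash,DC=local'   # assumed OU
    )
    $computers = Get-ADComputer -Filter * -SearchBase $SearchBase |
                 Select-Object -ExpandProperty Name

    foreach ($computer in $computers) {
        try {
            # Set-Service can talk to a remote service control manager directly.
            Set-Service -ComputerName $computer -Name AppIDSvc `
                        -StartupType Automatic -Status Running -ErrorAction Stop
            $svc = Get-Service -ComputerName $computer -Name AppIDSvc
            New-Object PSObject -Property @{
                Computer  = $computer
                Status    = $svc.Status
                StartType = 'Automatic'
            }
        } catch {
            # Unreachable host, access denied, or a member where someone has
            # disabled the service; either way AppLocker is not in effect there.
            New-Object PSObject -Property @{
                Computer  = $computer
                Status    = "ERROR: $($_.Exception.Message)"
                StartType = $null
            }
        }
    }
}

# Apply across the OU and surface the members where AppLocker is not enforcing.
$report = Set-AppIDSvcAutomatic
$report | Format-Table Computer, Status, StartType -AutoSize
$report | Where-Object { $_.Status -ne 'Running' } |
    ForEach-Object { Write-Warning "AppIDSvc is not running on $($_.Computer)" }
```

Scheduling the script to run periodically gives a simple detective control for the scenario the book warns about: an administrator on a farm member stopping AppIDSvc shows up as a warning at the next run.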

AppLocker rules can be created from different sources:
■ Directly in the local policy of the machine on which the policies will apply
■ On another machine running Windows 7 or Windows Server 2008 R2 with the same software installed as the production environment, and also the Remote Server Administration Tools (RSAT) installed
Either way you create your rules, you should first implement them in a test environment and then audit them in a production environment before enforcing them. This two-step process will cut down on unforeseen consequences negatively affecting user access in an RDS environment.
In this example, you will see how to create policies directly on a farm member (the RD Session Host server's name is FUJI) that is currently not accepting connections. Then you will see how to export the rules to an XML file and import them into a GPO that will be applied to an RD Session Host farm in Audit mode. When it's clear that the AppLocker policies accomplish the intended goals but do not affect the users negatively, it's safe to change the GPO to Enforce mode.
First, create and export the AppLocker policies by completing these steps:
1. On RD Session Host server FUJI, open the Local Security Policy, browse to the Application Control Policies folder, and expand the AppLocker folder.
2. Right-click Executable Rules and choose Create Default Rules. Three executable rules will appear in the right pane, as shown in Figure 7-4. By creating the default rules, you have already given the BUILTIN\Administrators group full access to all files on the machine, because this is one of the default rules.

FIGURE 7-4  The Executable Rules default rule set.

3. Adjust the first rule to allow a specific user group, ASH Users (instead of Everyone), to access the Office executables, except for Excel, as follows:
a. Double-click the first rule highlighted in Figure 7-4. On the General tab, select the user group that you want to affect (in our example, ASH Users). Keep the Allow option selected.

b. On the Path tab, click Browse Folders and browse to the folder where the Office executables are located: %PROGRAMFILES%\Microsoft Office\*.
c. On the Exceptions tab, add a publisher exception by clicking Add, browsing to the Excel executable, and then clicking OK.
d. Click OK again to apply the changes to the default rule.
4. Double-click the second default rule shown in Figure 7-4 [named (Default Rule) All files located in the Windows folder] and adjust it to allow ASH Users to access all executables in the Windows folder. Then make an exception to the rule and deny access to CMD.exe, Powershell.exe, Regedit.exe, Wscript.exe, and Cscript.exe, as follows:
a. Double-click the highlighted rule. On the General tab, replace the Everyone group by clicking Select and choosing the appropriate user group to whom you want this rule to apply (ASH Users). Leave the Allow option selected.
b. Leave the %WINDIR% path on the Path tab as is.
c. On the Exceptions tab, add five exceptions, one for each executable to which you want to deny this group access. Leave the Publisher exception type selected. Click Add, browse to cmd.exe, and click OK. Do the same for the other four executables. When the exceptions list is complete, as shown in Figure 7-5, click OK to apply the changes to the rule.

FIGURE 7-5  Add executable exceptions to the Allow rule.

5. The easiest way to block all users except administrators from running any scripts on the machine is to invoke the creation of "default script rules" and then delete the ones that you do not want to use.

a. Select and right-click the Script Rules node in the Local Security Policy, and then choose Create Default Rules. Three default rules will be created, as shown in Figure 7-6.

FIGURE 7-6  Create Script Rules default rules.

b. Select the first two rules and then right-click and choose Delete.
You are left with one rule that allows the BUILTIN\Administrators group to run all scripts on the machine, but no one else will be allowed to do so because of the inherent Deny rule that is enforced.

6. To block all users except administrators from running any installers on the machine, follow the steps laid out in Step 5, but do so using the Windows Installer Rules node.
7. Now you will export the rules that you have created to an XML file and import them into a GPO. Right-click the AppLocker node and choose Export Policy. Choose a path to save the file, enter a file name (our file name is ASH Farm1 AppLocker Rules), and click Save.

8. When you export rules from the local security policy, they are not deleted. Delete them for now because they have not yet been tested in a non-production environment. Right-click the AppLocker node and choose Clear Policy. This reverts AppLocker to its original unconfigured state. If you need to adjust the rules in the future, you can do so by re-importing the policy XML file that you created and adjusting and re-exporting the policy; but for now, there is no reason to leave them in place.
After you have created the rules XML file, create a new GPO (using Group Policy Manager) and then import the XML file into the AppLocker node in the GPO, as shown in Figure 7-7.

FIGURE 7-7  Import the AppLocker Policy into a GPO.

Auditing AppLocker Rules


Next, because you are in the testing phase of this implementation, you need to set the AppLocker rules to be audited only, not enforced. Right-click the AppLocker node and choose Properties. On the Enforcement tab, make sure the Configured check box is selected for each of the three rule collections, and then choose Audit Only from each of the three drop-down lists, as shown in Figure 7-8. Click OK to save the settings.

FIGURE 7-8  Set the AppLocker rules to Audit Only mode.

Next, you apply the new GPO to the OU that contains the servers that you want to affect. In this example, you apply the rule to the ASH RD Farm1 OU, containing two RD Session Host servers (FUJI and GLACIER). Now, when users log on to the farm, AppLocker logs the actions the user takes that are allowed and the actions that would be denied had the AppLocker rules been enforced. These logs are in the Event Viewer\Applications and Services Logs\Microsoft\Windows\AppLocker folder on the RD Session Host server where the user session is running. In our example, Excel was blocked from starting. As you can see in Figure 7-9, the event log shows that had the AppLocker rule been enforced, the user would have been denied access.
After you have tested and adjusted the AppLocker rules fully to suit your needs, change the enforcement of the rules shown in Figure 7-8 from Audit Only to Enforce Rules and click OK to save the change. Your rules will now be enforced. Any changes that you need to make in the future can be done directly in the GPO (if you know the text you need to enter), or you can import the rules again to a machine that is not currently hosting or accepting connections, make changes to the rules there, export the new rule set, and re-import them into a GPO.
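
The export, audit, import and enforce cycle described in steps 7 and 8 and in this section can also be driven with the AppLocker cmdlets, which makes the "edit on a quiet machine, re-export, re-import" loop repeatable and lets you check what the rules would decide for a given user before the GPO touches the farm. The following is an added example, not code from the book or its companion media. The XML file path, the GPO's LDAP path (the GUID is a placeholder), the test user ASH\jdoe and the Office14 paths are assumptions; the rule collections in the exported XML carry an EnforcementMode attribute whose values are NotConfigured, Enabled and AuditOnly.

```powershell
# Added example (not from the book). Export the local AppLocker policy built
# on FUJI, force every collection into audit-only mode, pre-check the rules
# against a user, and import the result into the farm GPO. File path, GPO
# LDAP path, user name and Office paths are assumptions.
Import-Module AppLocker

$xmlPath = 'C:\AppLocker\ASH Farm1 AppLocker Rules.xml'
$gpoLdap = 'LDAP://dc01.ash.local/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=ash,DC=local'

# Step 7 equivalent: export the local policy to XML.
Get-AppLockerPolicy -Local -Xml | Out-File -FilePath $xmlPath -Encoding UTF8

# Rewrite the EnforcementMode attribute of every rule collection in the file.
function Set-AppLockerEnforcementMode {
    param(
        [Parameter(Mandatory = $true)][string] $Path,
        [ValidateSet('AuditOnly', 'Enabled', 'NotConfigured')][string] $Mode
    )
    [xml] $policy = Get-Content -Path $Path
    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
        $collection.EnforcementMode = $Mode    # Exe, Script, Msi, Dll collections
    }
    $policy.Save($Path)
}
Set-AppLockerEnforcementMode -Path $xmlPath -Mode AuditOnly

# Pre-flight: evaluate the XML for a normal user without deploying it.
# cmd.exe should be Denied (exception to the Windows-folder rule), Word
# Allowed (Office rule) and Excel Denied (exception to the Office rule).
$checks = 'C:\Windows\System32\cmd.exe',
          'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE',
          'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE'
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $checks -User 'ASH\jdoe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Import into the farm GPO. Without -Merge this replaces whatever AppLocker
# policy the GPO already holds, which is what re-importing an edited rule
# set wants.
Set-AppLockerPolicy -XmlPolicy $xmlPath -Ldap $gpoLdap

# When the audit results are clean, switch the same file to enforced and
# re-import; no console editing is needed.
# Set-AppLockerEnforcementMode -Path $xmlPath -Mode Enabled
# Set-AppLockerPolicy -XmlPolicy $xmlPath -Ldap $gpoLdap
```

Keeping the XML file under version control alongside the Test-AppLockerPolicy output gives a record of what each rule revision was expected to do, which is useful when an audit event later contradicts that expectation.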

FIGURE 7-9  AppLocker logs warnings and information regarding audited AppLocker rules in the Event Viewer of the server where the user session runs.

Creating a Read-Only Start Menu


Lockdown is important, but it's not the only reason to tweak the user experience. You can also customize the experience to simplify it so that people don't have to see menu items that they will never use and which will only confuse them.
The ultimate goal for an RDS environment, be it pooled/personal VMs or a session on an RD Session Host server, is to help people work. If you make it easy for people to get to their applications by removing the clutter they don't need, you're working toward that goal.
You could customize the default user profile so that when users log onto a session or VM, their profile will contain customized settings for the Start menu. This might be fine if you have one small pool of VMs or one RD Session Host server, but managing this kind of setup for many servers would be a daunting task for little benefit. In addition, you would still need to lock things down so the user could not change these settings later. Therefore, a better approach is to customize the Start menu (on a per-user or user-group basis) by redirecting the Start menu to a read-only Start Menu folder. Then, you set a few GPOs to hide other Start menu areas (to cut down on unnecessary items) and remove unneeded items from the other Start menu areas. Here's how to do it:
1. Create a network share or use an already-existing network share (for example, you might use the same share that you use to store the user's redirected folders).
2. In the network share, create a folder called Start Menu and place shortcuts to the items that you want in the folder. Adjust the folder NTFS permissions so that users have read-only rights.

3. Create a GPO that redirects the Start menu for all users who log on to the machines in the OU to this one location and place the GPO on the appropriate OU.
4. Set the following GPOs (some of which were mentioned earlier in the section about locking down the Start menu and taskbar):
User Configuration\Policies\Administrative Templates\Start Menu and Task Bar
• Remove Common Groups From Start Menu  This does not place items from the All Users group in the user's Start menu located at C:\ProgramData\Microsoft\Windows\Start Menu\Programs.

• Remove Pinned Programs List From The Start Menu  Enabling this setting removes the items stored in the QuickLaunch folder of the user profile. For example, you could use a roaming user profile with QuickLaunch items stored at \\FILESERVER\ASH-user-folder-redirection\kristin griffin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\Start Menu.

• Remove The Network Icon From The Start Menu  This removes the network icon from the right side of the Start menu.
5. Remove the Control Panel icon from the Start menu by enabling the following GPO: User Configuration\Policies\Administrative Templates\Control Panel\Prohibit Access To The Control Panel.
6. Provide administrative tools on the right side of the Start menu, while eliminating this for regular users (who should not have a need for these tools). On each RD Session Host server, remove NTFS permissions for the Everyone group and the Users group from the following folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools.
The result of these few steps is a consistent Start menu for users even if they are using roaming profiles and folder redirection. The same items will be available in the All Programs menu each time the user logs on, and to add or change this menu, you only have to maintain the one redirected Start Menu folder.
What's also nice about this arrangement is that different users can see different icons, effectively giving them a different Start menu depending on who they are. To do this, just change the NTFS permissions on each icon in the Start Menu redirected folder. Users who do not have NTFS permissions to the icon will not see the icon in their Start menu.
You can also redirect different user groups to different Start menus (that is, different Start Menu redirected folders) and achieve the same effect. This requires that you create and maintain multiple GPOs that redirect the Start menu to different folders, on a user-group basis. Just remember to set the appropriate NTFS permissions on the redirected folder and also to remove the Authenticated Users group from the GPO security filtering and add the specific users and user groups that you want to use the GPO.
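
Three of the steps above (the read-only Start Menu folder in step 2, the Administrative Tools folder in step 6, and the per-icon permissions just described) are NTFS permission changes, and they are easiest to apply consistently across servers from a script rather than the Security tab. The following is an added example, not code from the book or its companion media; it uses the built-in icacls tool and assumes the share path \\FILESERVER\ASH-StartMenu, the groups ASH\ASH Users and ASH\Finance Users, the shortcut file name, and the farm member names FUJI and GLACIER.

```powershell
# Added example (not from the book). Apply the NTFS permissions the read-only
# Start menu depends on, using icacls. Share path, group names, shortcut name
# and server names are assumptions; run as an administrator.

# Step 2: the redirected Start Menu folder. Stop inheriting from the share
# root, give administrators and SYSTEM full control, and give users read and
# execute only, applied to the folder, its subfolders (CI) and files (OI).
$startMenu = '\\FILESERVER\ASH-StartMenu\Start Menu'
icacls $startMenu /inheritance:r `
    /grant 'BUILTIN\Administrators:(OI)(CI)F' `
    /grant 'SYSTEM:(OI)(CI)F' `
    /grant 'ASH\ASH Users:(OI)(CI)RX'

# Per-icon menus: a shortcut the user cannot read is not shown. Disable
# inheritance on the shortcut (icacls copies the inherited ACEs as explicit
# ones), drop the general users' entry, and grant only the group that should
# see it.
$financeLink = Join-Path $startMenu 'Finance Reporting.lnk'
icacls $financeLink /inheritance:d
icacls $financeLink /remove:g 'ASH\ASH Users'
icacls $financeLink /grant 'ASH\Finance Users:R'

# Step 6: on each RD Session Host, stop Everyone and Users from reading the
# Administrative Tools folder so it disappears from their Start menu while
# administrators keep their own inherited access.
foreach ($server in 'FUJI', 'GLACIER') {
    $adminTools = "\\$server\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools"
    icacls $adminTools /inheritance:d
    icacls $adminTools /remove:g 'Everyone' /remove:g 'BUILTIN\Users'
}

# Verify the result: icacls with only a path prints the effective ACL.
icacls $startMenu
icacls $financeLink
```

The `/inheritance:d` before each `/remove:g` matters: inherited entries cannot be removed directly, so disabling inheritance first (which converts them to explicit entries) is what makes the removal take effect.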

Keeping the RD Session Host Server Available
You have seen how to secure the sessions and VMs and how to simplify the user's view of the desktop. Some Group Policy settings allow you to improve the user experience through limiting access or shortening logon times.

Allowing or Denying Access to the RD Session Host Server


Although users cannot log on to the RD Session Host server unless they are members of the local Remote Desktop Users group on that RD Session Host server, you can control the ability of users to log on via Group Policy. Use the following setting:
■ Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow Users To Connect Remotely Using Remote Desktop Services
This setting controls whether users can access the RD Session Host server remotely. An RD Session Host server will not accept any user logons until the Remote Desktop Users group is populated. This policy gives you more detailed control over who has access to the RD Session Host servers so that you can prevent unauthorized users from consuming licenses that you had intended for people who need them.

NOTE  It’s also possible to prevent logons to the RD Session Host server via Active Direc-
tory Users And Computers; one option in the user account Properties dialog box defines
whether users are allowed to log on to the RD Session Host server (they are, by default).
Although it might appear that Group Policy or Active Directory Users And Computers set-
tings are good ways to prevent people from logging on during server maintenance, they’re
really not, because the policy might not apply in time and you might not have Active
Directory Domain Services (AD DS) control anyway. To lock out users during maintenance,
run the following command on the RD Session Host that you need to work on.

change logon /disable

Limiting the Number of RD Session Host Server Connections
For application licensing reasons or performance reasons, you might want to limit the number of simultaneous connections to the server. Do this with the following GPO setting:
■ Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit Number Of Connections
Enable the Limit Number Of Connections setting to limit the total number of simultaneous connections that can be active on an RD Session Host server. If you have 100 users, and each user is limited to one session, you know that you can limit the number of connections to approximately 100 and not interfere with user access. This also ensures that you won't allow more connections than are needed.

Setting Session Time Limits


The GPOs to set time limits on active, idle, and disconnected sessions are located at:

Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits

Setting session time limits can be a delicate balancing act. For example, the longer that disconnected sessions are available before being terminated, the more time users have to reconnect. Reconnecting to an existing session is faster than creating a new session, and reconnecting to an existing session keeps the user locked into a particular RD Session Host server. However, disconnected sessions still require some memory. Not much memory is needed because when a session is disconnected, the data stored in physical memory is high on the list to be paged to disk, but it does require some. If the RD Session Host server is memory-constrained, disconnected sessions could affect performance. To set a time limit on disconnected sessions, enable and configure the following policy:

Set The Time Limit For Disconnected Sessions

You can also set session limits defining how long sessions might be active or idle before they're disconnected. However, you can't set session time limits for individual RemoteApp programs. All RemoteApp programs using the same session will follow the same rules.

Taking Remote Control of User Sessions


You've probably experienced the following situation. You have a problem with your computer or with an application. Something just isn't right—for example, you can't format the spreadsheet the way you want, even though you're sure you're doing it properly. Someone stops by your desk and asks what's going on. When you explain that the spreadsheet isn't working properly, your co-worker asks you to show him what's not working while he watches. You do it again, and it works perfectly this time.
You can make this happen on an RD Session Host server even without someone standing behind you. One way in which remote sessions on an RD Session Host server can be useful is that it is simple to troubleshoot problems by shadowing a user's session. Sessions running on an RD Session Host server are easy to monitor using the Remote Control tool in Remote Desktop Services Manager or the command-line shadow tool.

NOTE  As discussed in Chapter 11, “Managing Remote Desktop Sessions,” although VMs
are not visible in the Remote Desktop Services Manager, you can shadow them from the
command prompt if you know the session ID for the VM. Chapter 11 discusses how to do
this in the explanation of how to use shadow for runtime management.

In brief, Remote Control works by intercepting the output of the RDP graphics driver. When a session is shadowed, rather than sending the output to only one session, the RDP graphics driver sends the screen updates and mouse and keyboard inputs to two sessions: the session being shadowed and the session doing the shadowing. This is why you can't shadow a session unless you're in an RDP session yourself.
Chapter 11 discusses how to use Remote Control, but for now, let's focus on the permissions options and how to set them.

NOTE  By default, only members of the Administrators or Domain Administrators group are allowed to shadow sessions on the RD Session Host server, so you don't need to worry about users spying on each other. The Shadow command and Remote Control option in RD Session Manager don't work for users unless you specifically give them permissions to use them by assigning them the Remote Control permission on the RDP listener. This setting gives a user the ability to shadow any session controlled by those listener properties, so use it with discretion.

There are two levels of interaction with a Remote Control session. First, you can use the view-the-user's-session setting. This setting allows both the user and the administrator to see the session at the same time, but only permits the user to interact with it. The other option is to allow the administrator to interact with the user's session.
There are three options for Remote Control:
■ You can disable it entirely. This setting will prevent administrators from using Remote Control on user sessions. This is the most secure option, but it's also the least helpful.
■ You can enable it but require the user's permission for an administrator to connect to the session.
■ You can enable it and not require any notification.
The option that you pick will obviously depend on the circumstances. Disabling shadowing might be necessary when privacy rules in your organization don't permit it. Requiring notification allows you to use this capability but still reassure the users that no one can see their desktop without their knowledge or permission. Also, not requiring notification allows the administrator to audit user activity, which is a requirement in some organizations.
You can define the way Remote Control works on a per-server basis through RD Session Host Configuration, for specific users in AD DS user account properties, or by using Group Policy.
To configure Remote Control settings for individual RD Session Host servers, go to Start, Administrative Tools, Remote Desktop Services and open RD Session Host Configuration. In the Connections section at the top of the middle pane, double-click RDP-Tcp to open the RDP-Tcp Properties dialog box, and then go to the Remote Control tab shown in Figure 7-10.

FIGURE 7-10  Configure computer properties for Remote Control.

As you can see, the default settings allow the per-user settings to override. To configure Remote Control settings on a per-user basis, open Active Directory Users And Computers and open a user's account Properties dialog box, as shown in Figure 7-11.
To set remote settings using Group Policy, configure Set Rules For Remote Control Of RD Session Host Server User Sessions. You can set the policy on a per-computer or per-user basis. For computers, the policy is located in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections. For users, it's in User Configuration\Policies\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections. Enable the policy and then edit the settings to pick the appropriate option, as shown in Figure 7-12.

FIGURE 7-11  Configure user account properties for Remote Control.

FIGURE 7-12  You can edit the Remote Control Group Policy for users or for all RD Session Host servers.

If you don’t configure the po cy or any remote contro sett ngs, then the sett ngs n Act ve
D rectory Users And Computers w take effect by defau t, and Remote Contro sess ons w be
a owed w th the user’s perm ss on, w th adm n strators a owed to nteract w th the sess on
Un ess there’s a rea y good reason to configure Remote Contro sett ngs d fferent y for
d screte sets of peop e, you shou d configure them for a RD Sess on Host servers n the same
way Hav ng d fferent po c es for d fferent peop e cou d eas y confuse adm n strators and
render the Remote Contro opt on ess usefu
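Because the same setting can come from three places, the first thing a help desk lead usually wants is a report of which one is actually in force for a given server and user. The following Windows PowerShell script is an added example, not code from the book: it reads the per-server setting through the Terminal Services WMI provider, the computer policy from the Terminal Services policy registry key, and the per-user setting through the IADsTSUserEx ADSI interface, and then applies the precedence described above (a configured computer policy wins, then the user account if the server defers to it, then the server's own setting). The server name, the user's distinguished name, and the WMI property names LevelOfControl and RemoteControlPolicy are assumptions; the User Configuration policy, which only becomes visible at logon, is not checked.

```powershell
# Added example, not from the book: report where an RD Session Host's Remote Control
# setting really comes from. PowerShell 2.0, run as an administrator of the server.
# Server name, user DN and the Win32_TSRemoteControlSetting property names are assumptions.

# Meaning of the 0-4 values shared by the per-server setting, the per-user AD DS
# attribute (IADsTSUserEx.EnableRemoteControl) and the "Shadow" policy registry value.
$RemoteControlNames = @{
    0 = 'Disabled'
    1 = 'Full control, with user permission'
    2 = 'Full control, without user permission'
    3 = 'View only, with user permission'
    4 = 'View only, without user permission'
}

function Get-RdshRemoteControlSetting {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Per-server setting (RDP-Tcp Properties, Remote Control tab). Assumption: LevelOfControl
    # carries the 0-4 level and RemoteControlPolicy is 1 when "Use remote control with
    # default user settings" is selected, so the AD DS user setting is honoured.
    $ts = Get-WmiObject -ComputerName $ComputerName -Namespace 'root\cimv2\TerminalServices' `
          -Class Win32_TSRemoteControlSetting -Filter "TerminalName='RDP-Tcp'" `
          -Authentication PacketPrivacy

    # "Set rules for remote control of RD Session Host server user sessions" (Computer
    # Configuration) writes the Shadow value here; no value means Not Configured.
    $policyValue = $null
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $hklm.OpenSubKey('SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services')
    if ($key) { $policyValue = $key.GetValue('Shadow'); $key.Close() }
    $hklm.Close()
    $policyName = 'not configured'
    if ($policyValue -ne $null) { $policyName = $RemoteControlNames[[int]$policyValue] }

    New-Object PSObject -Property @{
        Server             = $ComputerName
        ServerSetting      = $RemoteControlNames[[int]$ts.LevelOfControl]
        UsesPerUserSetting = ([int]$ts.RemoteControlPolicy -eq 1)
        ComputerPolicy     = $policyName
    }
}

function Get-UserRemoteControlSetting {
    param([string]$DistinguishedName)
    # Per-user setting from the Remote Control tab of the user account; it lives in the
    # userParameters blob and is exposed by the IADsTSUserEx interface, not as a plain attribute.
    $user  = [ADSI]"LDAP://$DistinguishedName"
    $level = $user.psbase.InvokeGet('EnableRemoteControl')
    New-Object PSObject -Property @{
        User        = $DistinguishedName
        UserSetting = $RemoteControlNames[[int]$level]
    }
}

function Get-EffectiveRemoteControl {
    param([string]$ComputerName, [string]$UserDn)
    $server = Get-RdshRemoteControlSetting -ComputerName $ComputerName
    $user   = Get-UserRemoteControlSetting -DistinguishedName $UserDn
    if ($server.ComputerPolicy -ne 'not configured') {
        $effective = $server.ComputerPolicy; $source = 'Group Policy (Computer Configuration)'
    } elseif ($server.UsesPerUserSetting) {
        $effective = $user.UserSetting;      $source = 'AD DS user account'
    } else {
        $effective = $server.ServerSetting;  $source = 'RD Session Host Configuration'
    }
    New-Object PSObject -Property @{
        Server = $ComputerName; User = $UserDn; Effective = $effective; Source = $source
    }
}

# Example run; both names are assumptions.
Get-EffectiveRemoteControl -ComputerName 'RDSH1' -UserDn 'CN=Kim Akers,OU=Users,DC=ash,DC=local' | Format-List
```

Run it against every RD Session Host in the farm with the same user and the Source column should be identical everywhere; a server that reports a different source is the one whose settings drifted from the rest.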

Summary
Hosting shared desktops and applications in the datacenter is a delicate balance between providing a rich user experience (as discussed in Chapter 6) and locking down the server to prevent one user from affecting others, as discussed in this chapter. (Some lockdown can also apply to any desktop, whether it is in the datacenter or it is a physical desktop that you want to control.)
Here are some of the best practices covered in this chapter:
■ Use Group Policy to configure user settings if possible. All settings are in Group Policy, and some are represented in either Active Directory Users And Computers or the Remote Desktop Services Configuration tool.
■ Lock down the RD Session Host server by removing the ability to browse the operating system and permitting only authorized executables to run.
■ Avoid confusing people who work in sessions and pooled VMs by hiding local files in libraries and preventing people from writing to those local locations.
■ On Windows 7 VMs and Windows Server 2008 R2 RD Session Host servers, use AppLocker to prevent unauthorized applications from running.
■ Creating a read-only Start menu can help simplify the experience for people who need a full desktop but shouldn't be confused by too many options.
■ Limit usage of the RD Session Host servers and limit session counts to keep control of licensing for applications licensed on a per-connection basis and to optimize performance on the RD Session Host servers.
■ Configure Remote Control settings to enable session auditing as well as enable the Help Desk to assist users remotely.

Additional Resources
The following resources are related to topics covered in this chapter. You can also find the links on this book's companion media.
■ For more information about Software Restriction Policies, see http://go.microsoft.com/fwlink/?LinkID=92567.
■ An introduction to AppLocker is located at http://technet.microsoft.com/en-us/library/dd560656(WS.10).aspx.
■ For some ideas of how to manage AppLocker via Windows PowerShell, see http://blogs.msdn.com/b/powershell/archive/2009/06/02/getting-started-with-applocker-management-using-powershell.aspx.
■ To download RDP 7 for Windows Vista SP1 and later, go to http://www.microsoft.com/downloads/details.aspx?familyid=AC7E58F3-2FD4-4FEC-ABFD-8002D34476F4&displaylang=en for 32-bit systems, and http://www.microsoft.com/downloads/details.aspx?familyid=11E7A081-22A8-4DA7-A6C5-CDC1AC51A1A4&displaylang=en for 64-bit systems.
■ To download RDP 7 for Windows XP SP3, go to http://www.microsoft.com/downloads/details.aspx?FamilyId=72158b4e-b527-45e4-af24-d02938a95683&displaylang=en.
■ To download RDP 6.1 for Windows XP SP2, go to http://www.microsoft.com/downloads/details.aspx?FamilyId=6E1EC93D-BDBD-4983-92F7-479E088570AD&displaylang=en.
■ For an introduction to libraries in Windows 7, see http://msdn.microsoft.com/en-us/magazine/dd861346.aspx.

CHAPTER 8

Securing Remote Desktop Protocol Connections

■ Core Security Technologies  402
■ Using RDP Encryption  409
■ Authenticating Server Identity (Server Authentication)  410
■ Authenticating Client Identity with Network Level Authentication (NLA)  415
■ Configuring the Security Settings on the RD Session Host Server  417

Chapter 7, "Molding and Securing the User Environment," discussed some approaches to locking down the server or VM to protect them from malice or error. Isn't that enough?
Locking down the server is important, but it assumes that you've already made a secure connection to the server. That assumption doesn't consider the possibility of the connection, or the communication between the client and server, being compromised in some way. For example:
■ An existing connection could be intercepted and the data flow compromised.
■ The user could connect to a malicious server and type his or her logon credentials for the owner of the server to capture.
■ A client not authorized to connect to the Remote Desktop (RD) Session Host server could make repeated attempts to connect, tying up resources on the RD Session Host server as it tries to authorize the connection, thus preventing authorized users from connecting.
The catch to mitigating all these connection vulnerabilities is that the logon experience is a critical part of a successful RD Session Host server deployment. If the connection experience is bad, then the users accessing the RD Session Host server will be unhappy with the service. Therefore, you must keep the data stream secure but also make it as fast as possible. This chapter explains the key Windows components that tackle this problem, including the following:
■ Remote Desktop Protocol (RDP) encryption
■ Server authentication
■ Network Level Authentication (NLA)
■ Single sign-on (SSO)
Figure 8-1 shows the features that will be discussed and the technologies supporting each feature.

FIGURE 8-1  Key RDS communication security features and supporting technologies are presented here.
■ RDP encryption: 56- or 128-bit key; 3DES, SHA-1, RSA
■ Server authentication: Transport Layer Security (TLS)
■ Network Level Authentication: Credential Security Support Provider (CredSSP)
■ Single sign-on: CredSSP

Core Security Technologies

Communication security in RDS depends on three core pieces:
■ Encryption of the data stream.
■ Transport Layer Security (TLS) for establishing a secure connection between client and server, in which the server has proved its identity.
■ The Credential Security Support Provider (CredSSP) for enabling SSO and NLA to prove that a user has the right to log on before the server creates a session.

Transport Layer Security

TLS is the Internet Engineering Task Force (IETF) standard based on Secure Sockets Layer (SSL) v3, published by Netscape. Some of the enhancements that TLS has include new message alerts, the ability to chain certificates to an intermediary certificate authority (CA) certificate instead of the root CA certificate, and slightly different encryption algorithms from SSL. Although TLS is based on SSL, the two are incompatible. However, a TLS implementation can fall back to SSL v3 if the other side doesn't support TLS.
To establish communication between client and server using TLS, the client and server go through the process described in the following steps. (This isn't specific to RDP connections; RDP just has the option of using TLS.) This process is similar to the negotiations described in Chapter 7, in which client and server negotiate their mutual capabilities. There are two requirements for this to work properly:
■ The client must trust the server SSL certificate that is used to verify the server's identity.
■ The connection between server and client must use High or FIPS encryption. Low encryption only encrypts the traffic from client to server, not server to client, so it's not a secure way to send security capabilities or shared secrets.
If these two requirements are met, the client and server establish communication as follows. (This describes the RSA key exchange; cipher suites that use Diffie-Hellman derive the pre-master secret differently, but the rest of the process is the same.)
1. The client sends a hello message along with a random fixed-length value. The server responds with a random fixed-length value. During this exchange, the client tells the server the compression methods, ciphers, and hashes that it supports. It also sends its protocol version and a session ID to the server. (The session ID identifies the communication channel; this is not the Session ID on an RD Session Host server.)
2. The server picks the highest compression method that they both support and the cipher and hash function from the client's list, and tells the client which one it has chosen. If there's a minimum set on the server and the client can't meet this minimum, the connection will fail.
3. The server sends its digital certificate to the client. This certificate contains the server's name, the trusted CA that signed the certificate, and the server's public key.
4. The client verifies that the certificate is valid and trusted (the certificate used to sign the server certificate is located in the client's Trusted Root Certification Authorities store, and the name in the certificate matches the name the client connected to). Then it creates a pre-master secret, encrypts it with the server's public key, and sends it to the server.
5. The server receives and decrypts the pre-master secret with its private key. This server is the only one that can do this because it is the only server with the matching private key.
6. Now that both server and client have the pre-master secret and both random numbers exchanged at the beginning of the process, they use these values to generate the 48-byte master secret (also known as the shared secret). After the master secret is generated, they delete the pre-master secret.
7. Both client and server then run the 48-byte master secret and the two random values through the TLS key-derivation function to generate the MAC secret (the session key used for hashing) and the write key (the session key used for encryption) for each direction. The keys are used to encrypt and decrypt the communication for this session. After the session is over, the keys are discarded.
See Figure 8-2 for an overview of how TLS allows the client and server to set up a secure communication link.

FIGURE 8-2  Secure communication with TLS. The client sends Hello plus a random number. The endpoint responds with Hello and a random value and sends its digital certificate. The client creates a pre-master secret, encrypts it using the public key from the endpoint's certificate, and sends it to the endpoint, which decrypts the pre-master secret using its private key. Both client and server use the pre-master secret plus the random values to generate the master secret, then use the master secret to generate the session keys used to encrypt and decrypt during the session.

If any step of this sequence doesn't work, the connection has not been fully secured. What happens then depends on the settings on the Advanced tab of the Remote Desktop Connection (RDC) client. In the case of server authentication failure, a user can choose to do any one of the following:
■ Connect anyway, without notifying the user that there was a problem authenticating the server.
■ Warn the user but still allow the connection (the default).
■ Deny the connection outright if the server can't be verified.
The exception is if the server requires a certain level of security (for example, High encryption). If the server has requirements and the client can't meet them, the connection will fail. By default, the client and server will negotiate and use the most secure connection settings that they both support.
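The handshake above is easiest to understand by watching a real RD Session Host go through it. The following Windows PowerShell script is an added example, not code from the book: it sends the X.224 connection request that an RDP client opens with, reads back which security layer the server selected (Standard RDP Security, TLS, or CredSSP over TLS), and if TLS is on offer it completes the handshake with .NET's SslStream just far enough to capture the server certificate and the validation result (untrusted root, name mismatch, or none) that the RDC client would act on according to its Advanced tab setting. The server name is an assumption; the byte layout follows the public RDP negotiation structures (RDP_NEG_REQ and RDP_NEG_RSP).

```powershell
# Added example, not from the book: probe the RDP security-layer negotiation and the TLS
# handshake of an RD Session Host. PowerShell 2.0 (.NET 3.5). The server name is an assumption.

$ProtocolNames = @{ 0 = 'Standard RDP Security'; 1 = 'TLS'; 2 = 'CredSSP (NLA, over TLS)' }
$FailureNames  = @{ 1 = 'SSL_REQUIRED_BY_SERVER'; 2 = 'SSL_NOT_ALLOWED_BY_SERVER'
                    3 = 'SSL_CERT_NOT_ON_SERVER'; 4 = 'INCONSISTENT_FLAGS'; 5 = 'HYBRID_REQUIRED_BY_SERVER' }

function New-RdpNegotiationRequest {
    # TPKT header + X.224 Connection Request + RDP_NEG_REQ (requestedProtocols is little-endian)
    param([uint32]$RequestedProtocols = 3)   # bit 0 = TLS, bit 1 = CredSSP; 3 = offer both
    $fixed = [byte[]](0x03, 0x00, 0x00, 0x13,                    # TPKT: version 3, total length 19
                      0x0E, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x00,  # X.224 CR: LI 14, dst/src ref, class 0
                      0x01, 0x00, 0x08, 0x00)                    # RDP_NEG_REQ: type 1, flags 0, length 8
    return [byte[]]($fixed + [BitConverter]::GetBytes($RequestedProtocols))
}

function Read-RdpNegotiationResponse {
    param([byte[]]$Bytes)
    if ($Bytes.Length -lt 11 -or $Bytes[0] -ne 0x03 -or $Bytes[5] -ne 0xD0) {
        throw 'Not an X.224 Connection Confirm'
    }
    if ($Bytes.Length -lt 19) {
        # No RDP_NEG_RSP appended: the server offers Standard RDP Security only, no TLS at all
        return New-Object PSObject -Property @{ Type = 'LEGACY'; SelectedProtocol = 0; FailureCode = $null }
    }
    $value = [BitConverter]::ToUInt32($Bytes, 15)
    switch ($Bytes[11]) {
        0x02 { return New-Object PSObject -Property @{ Type = 'RDP_NEG_RSP';     SelectedProtocol = $value; FailureCode = $null } }
        0x03 { return New-Object PSObject -Property @{ Type = 'RDP_NEG_FAILURE'; SelectedProtocol = 0;      FailureCode = $value } }
    }
    throw "Unexpected negotiation structure type $($Bytes[11])"
}

function Test-RdpServerCertificate {
    param([string]$Server, [int]$Port = 3389)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $net = $tcp.GetStream()
        $net.ReadTimeout = 5000
        $req = New-RdpNegotiationRequest
        $net.Write($req, 0, $req.Length)
        $buf = New-Object byte[] 64
        $n   = $net.Read($buf, 0, $buf.Length)
        $rsp = Read-RdpNegotiationResponse -Bytes ([byte[]]($buf[0..($n - 1)]))

        $result = New-Object PSObject -Property @{
            Server = $Server; Negotiation = $rsp.Type
            SecurityLayer = $ProtocolNames[[int]$rsp.SelectedProtocol]
            Certificate = $null; ValidationErrors = $null
        }
        if ($rsp.Type -eq 'RDP_NEG_FAILURE') {
            $result.Negotiation = "RDP_NEG_FAILURE: $($FailureNames[[int]$rsp.FailureCode])"
            return $result
        }
        if ($rsp.SelectedProtocol -eq 0) { return $result }   # nothing to inspect: RDP encryption only

        # TLS handshake (steps 1-7). The callback records the certificate and the policy errors
        # instead of deciding; with RDC, the Advanced tab decides whether to connect, warn, or refuse.
        $script:seenCert = $null; $script:seenErrors = $null
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $script:seenCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
            $script:seenErrors = $errors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($net, $false, $callback)
        $ssl.AuthenticateAsClient($Server)   # $Server is the name checked against the certificate
        $result.Certificate      = "$($script:seenCert.Subject); thumbprint $($script:seenCert.Thumbprint); expires $($script:seenCert.NotAfter)"
        $result.ValidationErrors = "$($script:seenErrors)"   # 'None' when the chain is trusted and the name matches
        $ssl.Close()
        return $result
    }
    finally { $tcp.Close() }
}

# Usage (assumed farm name):
Test-RdpServerCertificate -Server 'farm1.ash.local' | Format-List
```

Against a farm member that still carries its own self-signed computer certificate, ValidationErrors will read RemoteCertificateChainErrors, RemoteCertificateNameMismatch, which is exactly the condition behind the warning discussed under "Computer Certificates versus Farm Certificates" later in this chapter; against a server set to Low encryption or the RDP security layer only, the probe stops at the negotiation result because there is no TLS handshake to inspect.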

Credential Security Support Provider

Credential caching, introduced in Windows Vista and Windows Server 2008, enables two features: one that helps the user and one that helps protect the server. To help the user, credential caching allows users to store credentials for a particular connection so they don't need to provide them every time they connect to that server. To help the server, credential caching enables a feature to provide credentials to the server before it establishes a session, thereby avoiding the overhead of a session if the user is not authorized.
The piece that makes credential caching work is the Credential Security Support Provider (CredSSP). CredSSP is available on Windows 7, Windows Vista, Windows Server 2008 and Windows Server 2008 R2, and Windows XP SP3. It's not linked to the version of RDC being used because CredSSP is part of the operating system.
CredSSP delegates user credentials to a trusted server via a channel secured using TLS. After it has those credentials, the trusted server can impersonate the user and log on to itself without waiting for a user to present credentials.
CredSSP is used for front-side authentication (NLA), for SSO, and for faster reconnection within a farm:
■ For NLA, CredSSP provides the framework that allows a user to be authenticated to an RD Session Host server before fully establishing the connection.
■ For SSO, CredSSP stores user credentials and passes them to the RD Session Host server to automate logon.

NOTE  Because Microsoft Internet Information Services (IIS) doesn't use CredSSP, you can't use CredSSP to pass credentials to RD Web Access. Users will need to authenticate against RD Web Access to store their credentials in the site (see Chapter 9, "Multi-Server Deployments"). After users are authenticated, they will not need to authenticate again to start RemoteApp programs.

■ For reconnecting to a session within a farm, CredSSP speeds the process of passing the connection to the correct server by allowing the RD Session Host server to see who is logging on without having to create an entire session (using NLA in a slightly different scenario).
HOW IT WORKS

How CredSSP Authenticates the Server and Client

CredSSP enables mutual authentication of server and client, as shown in the following illustration.

[Illustration: client and server communicating inside a TLS secure channel. (1) TLS handshake; (2) SPNEGO tokens used to mutually authenticate server and client and to exchange the session key; (3) the server's public key sent encrypted and returned with 1 added; (4) user name; (5) password.]

This authentication process is described in the following steps.

1. The client initiates a secure channel with the server using TLS, and the server passes back its certificate with its name, CA, and public key. Only the server is identified; the client remains anonymous at this point.

NOTE  Although the client uses TLS to establish the secure connection, this isn't full server authentication. The client and server don't need to have a mutually trusted CA root.

2. When the session has been established and a session key is created, CredSSP uses the Simple and Protected GSS-API Negotiation (SPNEGO) protocol to authenticate the server and client mutually, so that they know they can trust each other. Basically, this mechanism lets the client and server agree on an authentication mechanism that they both support, such as Kerberos or NTLM.

3. After the mutual authentication finishes, CredSSP on the client takes the server's public key (from the certificate it received in Step 1), encrypts it with the session key established during Step 2, and sends it to the server. The server decrypts the public key with that same session key, adds 1 to its first byte, encrypts the result, and sends it back to the client.

NOTE  The purpose of performing a function on the public key is to bind the SPNEGO authentication to the TLS channel: an attacker in the middle who terminated TLS with a different certificate would have a different public key, so no one can intercept the exchange between client and server and spoof the server without being detected.

4. The client decrypts what it gets from the server and compares it with its own copy of the public key, incremented the same way.

5. Assuming the results match, CredSSP on the client sends the user credentials to the server, encrypted under the same session key.

Managing the CredSSP Store

Users can save, edit, and delete credentials in the CredSSP store. To save the credentials to use with SSO initially, select the Remember My Credentials check box in the Windows Security dialog box shown in Figure 8-3.

FIGURE 8-3  You can store credentials in CredSSP.

After they're saved and you have made an initial connection, you can edit them (for example, if you change your password, as CredSSP will not automatically update password changes) by clicking the Edit link shown in Figure 8-4.

FIGURE 8-4  You can edit or delete stored credentials.

If you choose to edit the saved credentials, you'll see a dialog box like the one used to log on. Your domain and user name will be displayed and your password will be left blank. If you choose to save credentials using another user name, you can also click Use Another Account to start over completely. Use this option to update a stored password after you've changed it.
If you click the Delete link, you'll remove that stored credential from the CredSSP store. A dialog box will prompt you to confirm the action and then clear that saved user name and account information from the cache. Use this option to delete credentials you accidentally saved or which are no longer needed.

Enabling CredSSP (Windows XP SP3 Only)

CredSSP is enabled by default in Windows Vista and Windows 7. Although CredSSP is available in Windows XP SP3 (it's included in the service pack), it's disabled by default. To enable it, you'll need to modify two registry values as described here:
■ In HKLM\SYSTEM\CurrentControlSet\Control\Lsa, append tspkg to the Security Packages value (data type REG_MULTI_SZ), leaving the security packages already listed in place.
■ In HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders, append credssp.dll to the comma-separated SecurityProviders value (data type REG_SZ) if it isn't already present.
You can't use Group Policy to configure SSO in Windows XP SP3. You must reboot the client for the changes to take effect.
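Editing those two values by hand on more than a handful of XP clients invites typos, and a duplicated or mangled Security Packages entry can stop LSA from starting. The following script is an added example, not code from the book: it makes the two changes idempotently, keeps every package and provider that is already listed, verifies the result, and reports whether a reboot is still required. It assumes Windows PowerShell 2.0 has been installed on the XP SP3 client and that it runs with administrative rights.

```powershell
# Added example, not from the book: enable CredSSP on a Windows XP SP3 client by appending
# tspkg to the LSA "Security Packages" list and credssp.dll to SecurityProviders, without
# disturbing the entries already there. Assumes PowerShell 2.0 on the client; run elevated.

$LsaKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ProvidersKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'

function Get-SecurityPackages {
    # REG_MULTI_SZ: one package per element (for example kerberos, msv1_0, schannel, wdigest)
    @((Get-ItemProperty -Path $LsaKey -Name 'Security Packages').'Security Packages')
}

function Get-SecurityProviders {
    # REG_SZ: comma-separated list of DLLs (for example msapsspc.dll, schannel.dll, ...)
    $raw = (Get-ItemProperty -Path $ProvidersKey -Name 'SecurityProviders').SecurityProviders
    @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-CredSspEnabled {
    # Both entries must be present for CredSSP (and therefore NLA and SSO) to load
    (Get-SecurityPackages -contains 'tspkg') -and (Get-SecurityProviders -contains 'credssp.dll')
}

function Enable-CredSsp {
    $changed = $false

    $packages = Get-SecurityPackages
    if (-not ($packages -contains 'tspkg')) {
        Set-ItemProperty -Path $LsaKey -Name 'Security Packages' -Type MultiString -Value ($packages + 'tspkg')
        $changed = $true
    }

    $providers = Get-SecurityProviders
    if (-not ($providers -contains 'credssp.dll')) {
        Set-ItemProperty -Path $ProvidersKey -Name 'SecurityProviders' -Type String `
                         -Value (($providers + 'credssp.dll') -join ', ')
        $changed = $true
    }

    if (-not (Test-CredSspEnabled)) { throw 'Registry update did not take effect; check permissions' }
    if ($changed) { 'CredSSP entries added; reboot the client so that LSA loads tspkg and credssp.dll' }
    else          { 'CredSSP was already enabled; nothing changed' }
}

Enable-CredSsp
```

Comparison with -contains is case-insensitive in Windows PowerShell, so an existing Tspkg entry is recognized rather than duplicated; after the reboot, the About box of RDC and the Get-Help text of Test-CredSspEnabled give you two independent ways to confirm the client now offers NLA.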
Using RDP Encryption
Because there's a lot of open network between the user running the application on an RD Session Host server and the server running the application, it's important to encrypt the traffic going between them so that it can't be intercepted. By default, RDP traffic will be encrypted as strongly as the client can support it: 128-bit, if you're using RDP 5.2 or later. Both the RD Session Host server and the client are configured to let the client and the server negotiate the highest level of encryption that both can support.

Understanding Encryption Settings

RD Session Host Configuration offers four encryption levels: Low, Client Compatible (the default, which negotiates the strongest level the client supports), High, and FIPS Compliant. The three that fix the algorithms in use are described here.
Low security uses only a 56-bit key to encrypt traffic and will not support server authentication [see the section entitled "Authenticating Server Identity (Server Authentication)" later in this chapter]. It also encrypts only traffic going from client to server, not that going from server to client. This security mode is workable only if data is flowing in just one direction, and therefore it is not suitable for any features enabling bidirectional data flow, such as client drive mapping. (Even in this case, the video stream sent to the client could be intercepted.) As you can see, Low security is the level of last resort. The main reason you'll use it is if you are deploying a wide area network (WAN) acceleration device, which will need to see the traffic sent from server to client to compress it in the best manner. The WAN acceleration device can use its own method of encryption since the Microsoft encryption from server to client is disabled.
High security uses a 128-bit key to encrypt data going between client and server; it encrypts traffic going in both directions. High security supports TLS-based server authentication.
FIPS-compliant security uses FIPS-compliant algorithms for encrypting the data flow between the client and the server. Federal Information Processing Standard (FIPS) 140 describes the standards for key generation and key management. There's no such thing as FIPS encryption, but many encryption mechanisms are FIPS-compliant. Only algorithms validated by the National Institute of Standards and Technology (NIST) can be considered FIPS-compliant. FIPS-compliant security supports server authentication for RDP connections.
When you require FIPS compliance through RD Session Host Configuration, you're defining the security algorithms that the server can use. For example, it defines the way that TLS works. As of this writing, it will use Triple Data Encryption Standard (3DES) for encrypting the TLS traffic, RSA for the public key exchange, and the Secure Hash Algorithm (SHA-1) for the TLS hashing.
Even if you don't choose to use server authentication, when FIPS compliance is required via Group Policy, RDP encryption will use the 3DES algorithm. The server uses FIPS algorithms for more than just establishing secure communications between RDP client and server. Again, the FIPS-compliant algorithms might change with time as more algorithms are tested and determined to be compliant. On Windows Server 2008 R2, the Encrypting File System (EFS) behavior won't change regardless of this setting; the default algorithm is the FIPS-compliant 256-bit Advanced Encryption Standard (AES) algorithm. On previous versions of Windows, requiring FIPS compliance would make EFS fall back to 3DES.
You can configure the RD Session Host server to use FIPS-compliant algorithms either from Group Policy or from RD Session Host Configuration. If you set Group Policy to require FIPS compliance, this will override the Remote Desktop Services-specific Group Policy that sets the RDP encryption level to High.

NOTE  Because NIST certification takes some time, it is possible that the FIPS-compliant algorithm might not be the strongest one available. More recent algorithms might not have been certified yet.

Choosing Encryption Settings

The policy that you use to set RDP encryption levels depends on the level of security that you're setting. By default, the client and server will negotiate the strongest algorithm that they both support. You can change the encryption to Low or, far more likely, require all connections to use a High or FIPS-compliant encryption algorithm. If you do so, clients that do not support these algorithms will not be able to connect to the server. The main reason you'd use Low encryption today is if you're also deploying a WAN accelerator that needs to be able to read the traffic going to the client and has its own encryption mechanism.
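The encryption level, the security layer, and the NLA requirement covered in the next sections all live on the RDP-Tcp listener, and all three can be silently overridden by Group Policy or by the machine-wide FIPS policy. The following Windows PowerShell script is an added example, not code from the book: it reads those settings through the Win32_TSGeneralSetting WMI class that RD Session Host Configuration itself uses, reports whether a policy owns each one, and provides a hardening function that refuses the one combination the text above rules out (Low encryption with the TLS security layer, since Low cannot carry server authentication). The server name is an assumption; the WMI methods SetEncryptionLevel, SetSecurity­Layer and SetUserAuthenticationRequired and the PolicySource* properties are those of the Terminal Services WMI provider on Windows Server 2008 R2.

```powershell
# Added example, not from the book: inspect and harden the RDP-Tcp listener's security settings
# and show when Group Policy or the FIPS policy overrides them. PowerShell 2.0, run elevated.
# The server name used at the bottom is an assumption.

$EncryptionLevelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$SecurityLayerNames   = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }

function Get-RdpTcpGeneralSetting {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-WmiObject -ComputerName $ComputerName -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy
}

function Get-RdpTcpSecurity {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $g = Get-RdpTcpGeneralSetting -ComputerName $ComputerName

    # "System cryptography: Use FIPS compliant algorithms..." lands here; when set, TLS for RDP
    # is limited to 3DES/SHA-1 and the effective encryption level is FIPS whatever RDP-Tcp says.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $fips = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy')
    $fipsEnabled = $false
    if ($fips) { $fipsEnabled = ($fips.GetValue('Enabled', 0) -eq 1); $fips.Close() }
    $hklm.Close()

    New-Object PSObject -Property @{
        Server                = $ComputerName
        MinEncryptionLevel    = $EncryptionLevelNames[[int]$g.MinEncryptionLevel]
        EncryptionSetByPolicy = [bool]$g.PolicySourceMinEncryptionLevel
        SecurityLayer         = $SecurityLayerNames[[int]$g.SecurityLayer]
        SecurityLayerByPolicy = [bool]$g.PolicySourceSecurityLayer
        NlaRequired           = [bool]$g.UserAuthenticationRequired
        NlaSetByPolicy        = [bool]$g.PolicySourceUserAuthenticationRequired
        CertificateThumbprint = $g.SSLCertificateSHA1Hash   # certificate used for TLS server authentication
        FipsPolicyEnabled     = $fipsEnabled
    }
}

function Set-RdpTcpSecurity {
    # Defaults: High (128-bit, both directions), TLS security layer, NLA required.
    param([string]$ComputerName = $env:COMPUTERNAME,
          [int]$MinEncryptionLevel = 3, [int]$SecurityLayer = 2, [bool]$RequireNla = $true)
    if ($MinEncryptionLevel -eq 1 -and $SecurityLayer -eq 2) {
        throw 'Low encryption cannot carry TLS server authentication; pick High or FIPS'
    }
    $g = Get-RdpTcpGeneralSetting -ComputerName $ComputerName
    # Each method returns 0 on success; anything else usually means a policy owns the setting
    # (see the *SetByPolicy flags above) or the caller is not elevated.
    $results = @{
        EncryptionLevel = $g.SetEncryptionLevel($MinEncryptionLevel).ReturnValue
        SecurityLayer   = $g.SetSecurityLayer($SecurityLayer).ReturnValue
        Nla             = $g.SetUserAuthenticationRequired([int]$RequireNla).ReturnValue
    }
    foreach ($name in $results.Keys) {
        if ($results[$name] -ne 0) { throw "$name change failed with return value $($results[$name])" }
    }
    Get-RdpTcpSecurity -ComputerName $ComputerName
}

# Usage (assumed server name):
Get-RdpTcpSecurity -ComputerName 'RDSH1' | Format-List
# Set-RdpTcpSecurity -ComputerName 'RDSH1'
```

Changes made this way take effect for new connections without a restart of the listener, but a setting whose *SetByPolicy flag is true will be reset at the next Group Policy refresh; in that case change the policy, not the listener.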

Authenticating Server Identity (Server Authentication)

One danger of communicating with a remote computer that requires you to supply your credentials is that the server might not be what you think it is. If it's a rogue server impersonating a real one, you could inadvertently type your credentials into the wrong server, thereby giving attackers everything that they need to connect to your domain or server.
RDP includes encryption, but the protocol itself does not have any means to authenticate the server. That's where TLS and CredSSP come in. Domain users and individual servers can be authenticated with Kerberos on the local area network (LAN). Server farms by default can't, because the farm has no identity in Active Directory Domain Services (AD DS) for the Kerberos ticket to look up. (See the following section, "Establishing a Kerberos Farm Identity," to see how you can give a farm a Kerberos identity and how to set up farms to use Kerberos.) For LAN scenarios, you can use Kerberos to authenticate to the farm. To authenticate to a farm or servers over the Internet, you'll use TLS rather than Kerberos.

NOTE  For more information on TLS, see the section entitled "Transport Layer Security" earlier in this chapter.

Establishing a Kerberos Farm Identity
Prior to Windows Server 2008 R2, Kerberos authentication did not recognize farms, just individual servers. Therefore, to authenticate a farm's identity, you had to use certificates. Beginning in Windows Server 2008 R2, you can add server farms to AD DS and authenticate the farm. This allows you to save the time and expense required to install certificates on all servers, and it also makes it much easier to deploy new servers in the farm quickly, because you won't need to install certificates on them. You still need to know how to use certificates, since Kerberos authentication still does not work over the Internet, but this feature can save you from needing to install certificates on all farm members if using a full RDS deployment on the LAN.
When the farm has a Kerberos identity, the farm's account credentials are stored on the RD Connection Broker server. The broker then provides each server in the farm with the farm's account credentials. RD Session Host servers use the farm's account credentials as supplemental to the individual server credentials.
There is no user interface to add servers to a farm, but there are scripts for doing so. To see how to establish a Kerberos farm identity programmatically, see http://blogs.msdn.com/b/rds/archive/2009/05/20/creating-kerberos-identity-for-rd-session-host-farms-part-i-using-the-remote-desktop-services-provider-for-windows-powershell.aspx.

Creating Test Certificates for a Server Farm

If you're setting up a pilot before going into production, you might want to do this before investing in certificates or setting up a private CA for "real" certificates. You can use self-signed certificates for this, but, as this section notes, the process might work differently from the way you expect! The fundamental issue is that self-signed certificates are typically created for a server, not a farm.

NOTE  The following instructions are not intended for a production deployment; they are for testing only. For production, we strongly recommend that you use certificates issued by a trusted CA or create a Kerberos identity for the server farm.

Computer Certificates versus Farm Certificates

When connecting to a farm, you use the farm name (such as farm1.ash.local). When the certificate for an RD Session Host farm member is being checked, you get a dialog box showing that RDC is securing the remote connection. If you generated a self-signed certificate on a server in the farm using RD Session Host Configuration, this certificate will be for the server and is stored in the Remote Desktop\Certificates folder in the Certificates Microsoft Management Console (MMC) snap-in. SSL and computer certificates are stored in the Personal\Certificates folder in the Certificates MMC snap-in.
Server authentication checks the name that you enter in Remote Desktop Connection against the name issued in the certificate that is specified in RD Session Host Configuration on the RD Session Host server that it connects to. However, this certificate was generated for a server, not a farm. Therefore, when you try to connect to the farm, you will get the error shown in Figure 8-5.

FIGURE 8-5  The certificate is not from a trusted CA, according to this dialog box.

This error is a bit misleading. The certificate will not be seen as trusted because the self-signed certificate is not located in the client's trusted root store. Even if the self-signed certificate were located in the client's trusted root store, however, the name on the certificate is wrong, and you would still get this error.

NOTE  You could disregard the error and still connect. If the certificate was generated from a CA (not self-signed), the inability to validate it would be severe enough to prevent the user from connecting to the server.

To use a self-signed certificate to test farm access, you need the name specified on the certificate to be the name of the farm, and you need to install that certificate in the trusted root store on all clients so that the client trusts the certificate.
The trouble is, there's no way to use any RDS tool to generate a self-signed certificate that meets those needs.
If you thought you'd be clever and use RD Gateway to generate a self-signed certificate (see Chapter 10, "Making Remote Desktop Services Available from the Internet," to learn how), you might at first think that you are successful. It will generate a self-signed certificate, and the name will be whatever you specify, but you can't export the private key. The result is that you will be able to import that certificate into the certificate store on the RD Session Host server, but it won't be usable in RD Session Host Configuration because it's missing the private key. If the RD Gateway and one RD Session Host server in the farm were on the same machine (which is a bad idea, for reasons that are covered in Chapter 10), this would work for that server, but you couldn't use the farm certificate for any other servers in the farm, because when you imported the certificate, it would lack the private key.

Using SelfSSL.exe
RDS doesn't have any tools to help you create a self-signed farm certificate. However, the IIS 6.0 Resource Kit Tools do include a tool that will do this. You can download the IIS 6.0 Resource Kit Tools from http://support.microsoft.com/kb/840671. You're looking for the tool called SelfSSL.exe.
Here's how to generate a self-signed farm certificate to test server authentication in a pilot deployment. Again, for production, you should get a certificate signed by a trusted CA. (You will get an error if you run SelfSSL on a machine that does not have IIS installed; however, the certificate will still be created and is usable.) There are three steps:
■ Generate the certificate using the farm name.
■ Export the certificate.
■ Import the certificate on each server in the farm.

GENERATING THE CERTIFICATE

1. Open an elevated command prompt by right-clicking the command prompt icon in the Start menu and choosing Run As Administrator. Then navigate to the location of the SelfSSL.exe executable file with the following command:

cd "C:\Program Files\IIS Resources\SelfSSL"

2. Type the command to create the certificate, filling in the name of your farm for CN (for example, farm1.ash.local). /K sets the key length in bits, /V the validity period in days, and /T also places the certificate in the local machine's Trusted Root Certification Authorities store so that the server itself trusts it:

selfssl.exe /N:CN=<farmname> /K:2048 /V:365 /T

3. When prompted to replace the SSL settings for site 1 (Y/N)? choose Y. You should get the following success message:

The self-signed certificate was successfully assigned to site 1.

EXPORTING THE CERTIFICATE

1. Open an MMC, add the Certificates (computer) snap-in, and navigate to the Personal store. Here, you should see your certificate. Right-click the certificate and choose Export (shown in Figure 8-6).

FIGURE 8-6  Use the Certificates MMC to export the certificate.

2. Click Next and then choose the option to export the private key and click Next again.
3. Choose the PFX format and click Next.
4. Add a password for the file and click Next.
5. Add a path and file name to export to, click Next, and then click Finish.
To use this certificate to test, it will need to be imported to the Personal store on all RD Session Host servers in the farm, as well as to the Trusted Root Certification Authorities store on the clients you use to test.

NOTE  The certificate will contain the private key, and normally you would not add this type of certificate to clients, which is another reason that this is for testing purposes only. If you would rather add a certificate to clients that does not have the private key, re-export the certificate without the private key and import that certificate to the clients.

IMPORT THE CERTIFICATE

1. Open an MMC, add the Certificates (computer) snap-in, and navigate to the Personal store. Right-click and choose Import.
2. Browse to where you stored your PFX file representing the certificate with the private key, choose the PFX format in the drop-down box (so you will be able to see your file), and then add your file.
3. Enter the password for the file and click Next.
4. Choose Place All Certificates In The Following Store. If Personal is not already chosen, select it, click Next, and then click Finish.
5. Repeat steps 1-4 for each test client but add the certificate to the Trusted Root Certification Authorities store.
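Doing the export and import steps above by hand across a pilot farm and a handful of test clients is where mistakes creep in, most often a PFX containing the private key ending up in a client's Trusted Root store. The following Windows PowerShell script is an added example, not code from the book, and does not replace SelfSSL: once SelfSSL has created the CN=<farmname> certificate, it exports it twice (a password-protected PFX with the private key for farm members, and a public-only .cer for clients), imports the PFX into the Personal store of the server it runs on, refuses to put anything with a private key into a Trusted Root store, and binds the certificate to RDP-Tcp the same way RD Session Host Configuration's General tab does. The farm name, file paths and password are assumptions; it assumes Windows PowerShell 2.0 and an elevated session on each machine.

```powershell
# Added example, not from the book: distribute the SelfSSL farm certificate and bind it to
# RDP-Tcp. Pilot use only. Farm name, paths and password are assumptions; run elevated.

$FarmName    = 'farm1.ash.local'     # assumption: the /N:CN= value given to SelfSSL
$PfxPath     = 'C:\Pilot\farm1.pfx'  # assumption; contains the private key, farm members only
$CerPath     = 'C:\Pilot\farm1.cer'  # assumption; public part only, safe for clients
$PfxPassword = 'pilot-only'          # assumption; protects the private key while the file is copied

function Open-MachineStore {
    param([string]$Name, [string]$Access = 'ReadOnly')
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($Name, 'LocalMachine')
    $store.Open($Access)
    $store
}

function Export-FarmCertificate {
    # Run on the server where SelfSSL ran: the certificate sits in LocalMachine\My (Personal).
    param([string]$Subject, [string]$Pfx, [string]$Cer, [string]$Password)
    $store = Open-MachineStore 'My'
    $cert  = @($store.Certificates | Where-Object { $_.Subject -eq "CN=$Subject" -and $_.HasPrivateKey })[0]
    $store.Close()
    if (-not $cert) { throw "No certificate with a private key for CN=$Subject in LocalMachine\My" }
    [IO.File]::WriteAllBytes($Pfx, $cert.Export('Pfx', $Password))   # with private key
    [IO.File]::WriteAllBytes($Cer, $cert.Export('Cert'))             # public part only
    $cert.Thumbprint
}

function Import-FarmCertificate {
    # Run on each RD Session Host in the farm after copying the PFX there. MachineKeySet and
    # PersistKeySet put the private key in the machine key container, where the listener can use it.
    param([string]$Pfx, [string]$Password)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Pfx, $Password, $flags)
    $store = Open-MachineStore 'My' 'ReadWrite'
    $store.Add($cert); $store.Close()
    $cert.Thumbprint
}

function Import-FarmRootOnClient {
    # Run on each test client: trust the farm certificate without ever receiving its private key.
    param([string]$Cer)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Cer)
    if ($cert.HasPrivateKey) { throw 'Refusing to place a certificate with a private key in Trusted Root' }
    $store = Open-MachineStore 'Root' 'ReadWrite'
    $store.Add($cert); $store.Close()
}

function Set-RdpTcpCertificate {
    # Bind the certificate to the RDP-Tcp listener; this is what the General tab of
    # RD Session Host Configuration writes.
    param([string]$Thumbprint)
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
          -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy
    $ts.SSLCertificateSHA1Hash = $Thumbprint
    [void]$ts.Put()
}

# Sequence; the comment on each line says where it runs.
$thumb = Export-FarmCertificate -Subject $FarmName -Pfx $PfxPath -Cer $CerPath -Password $PfxPassword  # SelfSSL server
Import-FarmCertificate -Pfx $PfxPath -Password $PfxPassword | Out-Null                                 # each farm member
Set-RdpTcpCertificate -Thumbprint $thumb                                                               # each farm member
Import-FarmRootOnClient -Cer $CerPath                                                                  # each test client
```

On the SelfSSL server itself the Import-FarmCertificate call is redundant (the certificate is already in Personal) but harmless, since X509Store.Add ignores a certificate that is already present; delete the PFX from every server once the import is done, because it is the only copy of the farm's private key outside the machine key containers.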

414 Chapter 8  Secur ng Remote Desktop Protoco Connect ons

www.it-ebooks.info
Authenticating Client Identity with Network Level Authentication (NLA)
Authenticating the server protects the client from connecting to a malicious RD Session Host server masquerading as a legitimate one, but what about protecting the RD Session Host server from malicious connections? As discussed in Chapter 3, “Deploying a Single Remote Desktop Session Host Server,” the process of starting a connection—even just presenting a logon screen—requires the server to create many of the processes required to support a session (for example, Csrss.exe and Winlogon.exe). Session creation is expensive, so creating even this much of a session—only to be told that the user trying to access the RD Session Host server doesn’t have the required credentials—is both a security vulnerability and a performance hit.
One way to reduce both the security hit and the performance hit is to enable connections only from computers that support NLA. NLA uses CredSSP to present user credentials to the server before the server has to create a session.
You might have noticed that when you connect to an RD Session Host server with the RDC 6.x or later client, you don’t connect to the RD Session Host server logon screen to provide your credentials. Instead, a local dialog box pops up to take your credentials on the client (see Figure 8-7). This dialog box is the front end of CredSSP.

FIGURE 8-7  The Windows Security dialog box is the user interface for CredSSP.

When you type your credentials into this dialog box, even if you don’t choose to save them, they go to the CredSSP, which then passes the credentials to the RD Session Host server via a secure channel. Only if the RD Session Host server accepts the credentials will it begin building a session for this user.

NOTE  You might also see NLA referred to as front-side authentication. It’s the same thing, but with a different name.

On clients that support CredSSP and RDP 6.x and later, the clients will always use NLA if it’s available. You can also configure the RD Session Host server to permit connections only from computers that support NLA, using Group Policy or on a per-server basis using RD Session Host Configuration. Because CredSSP, the technology that supports NLA, is part of the operating system rather than part of RDP, the client operating system must support CredSSP for NLA to work. Therefore, although there is an RDC 6.0 client available for Windows XP SP2, this doesn’t enable Windows XP SP2 to use NLA. Clients running Windows XP SP3, Windows Vista, and Windows 7 all support CredSSP. Also, RDC will tell you if it supports NLA in the About screen. To see this, click the Computer icon in the upper-left corner of the RDC and choose About. The About screen will say if it supports NLA, as shown in Figure 8-8.

FIGURE 8-8  The RDC About screen will say if it supports NLA.

NOTE  You can also restrict Windows Vista and Windows 7 to accept connection requests only from clients that support NLA. To do so, go to Control Panel, System, Remote Settings. From the Remote tab of the System Properties dialog box, select the option restricting incoming connections to those that can support NLA.

Speeding Logons with Single Sign-on


Time spent typing credentials into a dialog box is wasted time, in the eyes of the user who is less concerned about system security than in getting work done. After all, security is not the user’s job. It’s acceptable to present credentials once to an RD Session Host server, but when you access multiple servers, it’s much more irksome.
SSO enables domain-joined clients to store their credentials and present them automatically each time they connect to a new RD Session Host server. After you provide your user name and password once, you won’t have to do so again as long as you’re connecting via the same credentials. SSO saves credentials according to the resource you’re connecting to, so connections to individual RD Session Host servers will still prompt you for credentials in a way that connecting to a farm via its farm name will not.

Configuring the Security Settings on the RD Session Host Server
The section entitled “Core Security Technologies” earlier in this chapter explained the details of using various connection security mechanisms. This section explains how to configure those settings using the RD Session Host Configuration and Group Policy.

ON THE COMPANION MEDIA  This resource kit also contains a script for configuring the security settings programmatically using Windows PowerShell. See the companion media for the script called Set-RDP-Security.ps1.

Configuring Connection Security Using RD Session Host Configuration

All per-server connection security settings are configured from the General tab of the protocol listener Properties dialog box. To get here, go to Administrative Tools, Remote Desktop Services, Remote Desktop Session Host Configuration, and then double-click RDP-Tcp in the Connections section of the middle pane. The General tab is shown in Figure 8-9.

FIGURE 8-9  Edit connection security from the General tab of the RDP-Tcp listener Properties dialog box.

Configuring Encryption
All per-server connection security settings are configured from the General tab of the protocol listener Properties dialog box. To get here, go to Administrative Tools, Remote Desktop Services, Remote Desktop Session Host Configuration, and then double-click RDP-Tcp in the Connections section of the middle pane. Set the encryption level. You must choose either High or FIPS-compliant encryption if you want to support server authentication. High encryption uses the strongest key strength of the server; FIPS-compliant encryption uses an encryption algorithm that has been tested by NIST.

NOTE  FIPS-compliant algorithms are not necessarily stronger than High security on all platforms; it depends on what’s installed and what’s been tested. The point of FIPS compliance is to serve as a policy measure for networks that must conform to these guidelines.

Configuring Server Authentication


Set the server authentication settings from the Security Layer section. The default is Negotiate, meaning that client and server will both use TLS for server authentication if it’s supported. There’s no real reason to mandate using RDP Security Layer, which does not support server authentication, but you can edit this setting to force server authentication using TLS. If the server can’t be authenticated, then the client behavior can be set from the client RDP file settings configured on the Advanced tab of the RDC:
■ Do Not Connect If Authentication Fails
■ Warn Me If Authentication Fails
■ Always Connect, Even If Authentication Fails
You can choose the certificate that the server should use to authenticate itself by clicking the Select button near the bottom of the screen. If you click Select, you can get more details about the certificate, including what it’s used for, the name of the CA backing it, and when the certificate expires.

Configuring Network Level Authentication


To require the use of NLA for connecting to the RD Session Host server, select the appropriate check box on the General tab. Doing so will prevent any clients that do not support NLA (namely, any client running RDC prior to version 6.x and any operating system not supporting CredSSP) from connecting to the server. Only clients running Windows 7, Windows Vista, and Windows XP SP3 support CredSSP. NLA is not required by default.
If users are still prompted for their credentials, look at the Log On Settings tab of the RDP protocol. For credential caching to work, Always Prompt For Password should not be checked. By default, it isn’t.

To require NLA connections to VMs running client SKUs, open the System item in the Control Panel and go to the Remote tab. In the Remote Desktop section, ensure that the option Allow Connections Only From Computers Running Remote Desktop With NLA (more secure) is selected.
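The three General-tab settings just described (encryption level, security layer, and NLA) can also be audited and set without the GUI. The following is an added example, not the companion media's Set-RDP-Security.ps1: it reads the RDP-Tcp listener through the Win32_TSGeneralSetting WMI class that RD Session Host Configuration itself drives, reports which settings fall short of the chapter's recommendations, and can apply them. The server names are assumptions; run it elevated as an administrator of each RD Session Host server.

```powershell
# Added example (not the book's script). Values as exposed by Win32_TSGeneralSetting:
$EncryptionLevels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$SecurityLayers   = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }

function Get-RdpListener {
    param([string] $ComputerName)
    # The TerminalServices WMI namespace requires packet privacy for remote access
    Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'" -ComputerName $ComputerName `
        -Authentication PacketPrivacy
}

function Get-RdpListenerSecurity {
    param([string] $ComputerName = '.')
    $ts = Get-RdpListener $ComputerName
    $findings = @()
    if ($ts.MinEncryptionLevel -lt 3) {
        $findings += 'Encryption below High: server authentication is not possible'
    }
    if ($ts.SecurityLayer -eq 0) {
        $findings += 'RDP Security Layer: the server is never authenticated to clients'
    }
    if ($ts.UserAuthenticationRequired -ne 1) {
        $findings += 'NLA not required: a session is built before credentials are checked'
    }
    # Cast to [int]: the WMI values are UInt32 and would not match the hashtable keys
    New-Object PSObject -Property @{
        ComputerName  = $ComputerName
        Encryption    = $EncryptionLevels[[int]$ts.MinEncryptionLevel]
        SecurityLayer = $SecurityLayers[[int]$ts.SecurityLayer]
        NlaRequired   = ($ts.UserAuthenticationRequired -eq 1)
        Findings      = $findings
    }
}

function Set-RdpListenerSecurity {
    # Applies the chapter's recommendations: High encryption, TLS so the server
    # authenticates itself, and NLA required. Each WMI method returns 0 on success.
    param([string] $ComputerName = '.')
    $ts = Get-RdpListener $ComputerName
    $results = @{
        Encryption    = $ts.SetEncryptionLevel(3).ReturnValue
        SecurityLayer = $ts.SetSecurityLayer(2).ReturnValue
        NLA           = $ts.SetUserAuthenticationRequired(1).ReturnValue
    }
    $failed = @($results.GetEnumerator() | Where-Object { $_.Value -ne 0 })
    if ($failed.Count -gt 0) {
        throw ('Failed to set: ' + (($failed | ForEach-Object { $_.Key }) -join ', '))
    }
    Get-RdpListenerSecurity $ComputerName
}

# Audit the farm members (names assumed); harden only those with findings
$audit = 'RDSH01', 'RDSH02' | ForEach-Object { Get-RdpListenerSecurity $_ }
$audit | Format-Table ComputerName, Encryption, SecurityLayer, NlaRequired, Findings -AutoSize
$audit | Where-Object { $_.Findings.Count -gt 0 } |
    ForEach-Object { Set-RdpListenerSecurity $_.ComputerName }
```

Choosing SSL (TLS 1.0) as the security layer assumes the listener has a certificate to present, which is the default self-signed one unless you selected another on the General tab.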

Configuring Connection Security Using Group Policy


RD Session Host Configuration edits security settings for only a single server. To edit settings on multiple servers, you’ll need to use Group Policy. Group Policy also includes security options not available through the RD Configuration graphical user interface (GUI).

Configuring Encryption Levels


To set the minimum encryption level, go to Computer Configuration, Policies, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, Security, and then enable the Set Client Connection Encryption Level policy, choosing Low Level, High Level, or Client Compatible from the drop-down list.
■ To require FIPS using Group Policy, go to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, Security Options. Find the System Cryptography: Use FIPS Compliant Algorithms For Encryption, Hashing And Signing setting and enable it.

CAUTION  Enabling this policy causes the RD Session Host servers to use FIPS-compliant algorithms for everything, not just for RDP connections. Therefore, be aware that requiring FIPS can cause problems with some websites and applications that require inter-server communication.

Configuring Server Authentication


To configure server authentication policies, go to Computer Configuration, Policies, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, Security.
To require server authentication, enable the Require Use Of Specific Security Layer For Remote (RDP) Connections Group Policy object (GPO) and choose SSL (TLS 1.0) from the list of security layers. (RDP, you might recall, does not support authentication; choosing this option encrypts the traffic but does not authenticate the server.) If you leave the setting at Negotiate (the default), the clients will attempt to use TLS if they support it.
Group Policy allows you to control the template used for server authentication to make sure that the RD Session Host server presents the right one.

NOTE  This applies more to companies that maintain their own Public Key Infrastructure
(PKI) and can provide this certificate template name.

To do this, enable the Server Authentication Certificate Template GPO and provide the name of the template to use. If you do, then the server will choose only from among certificates using that template with a name matching the server name. If there’s more than one certificate to choose among, the server will choose the certificate with the latest expiration date. If you’ve already specified a certificate to use for server authentication, the RD Session Host server will ignore this setting. To configure NLA via Group Policy, go to Computer Configuration, Policies, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, Security.
To require NLA, enable the Require User Authentication For Remote Connections By Using Network Level Authentication policy. Disabling or not configuring this policy means that NLA is not required.

Summary
Securing the server is important when the client is connected, but securing the connection protects the communication between server and client. In this chapter, you’ve learned how to protect the connection from interception, spoofed servers, and denial of service (DoS) attacks using connection security.
Some best practices for RDS connection security include the following:
■ Use High or FIPS encryption if at all possible. Low encryption does not allow server authentication, so it should be used only when WAN accelerators require it.
■ If using RDS only on the LAN, create a Kerberos farm identity rather than relying on certificates. Doing this will make it easier to enlarge the farm while still allowing server authentication.
■ Use self-signed certificates only for testing, not in a production environment. Self-signed certificates, as the name indicates, are self-signed—they are not signed and validated by a trusted third party. Clients must have the same self-signed certificate placed in their Trusted Root Certification Authorities Store in order to trust the certificate.
■ Require NLA both to prevent DoS attacks on the servers and speed farm connections, because NLA prevents the need to create a full session on the redirecting RD Session Host server.

Additional Resources
These resources contain additional information related to this chapter.
■ If you need a refresher on Windows PowerShell support for Remote Desktop Services, see Chapter 1, “Introducing Remote Desktop Services.”
■ For more details on how client-server negotiations work, see Chapter 6, “Customizing the User Experience.”
■ For more information about CredSSP, see http://www.wipo.int/pctdb/en/wo.jsp?IA=WO2007033087&DISPLAY=DES or http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-CSSP%5D.pdf.
■ For the details of how TLS is implemented in Windows Server 2008 R2, see http://msdn.microsoft.com/en-us/library/dd207968(v=PROT.10).aspx.
■ For more about how the connection sequences work, see “Remote Desktop Protocol: Basic Connectivity and Graphics Remoting Specification,” available for download from http://msdn.microsoft.com/en-us/library/cc240445.aspx.
■ For a description of the Credential Security Support Provider (CredSSP) in Windows XP SP3, see http://support.microsoft.com/kb/951608/.
■ Although a comparison of NTLM and Kerberos is outside the scope of this book, you can find the specifications for NTLM and Microsoft’s implementation of Kerberos online at http://msdn.microsoft.com/en-us/library/cc236622(v=PROT.10).aspx (NTLM) and http://msdn.microsoft.com/en-us/library/cc233855(v=PROT.10).aspx (Kerberos).

CHAPTER 9

Multi-Server Deployments
■ Key Concepts for Multi-Server Deployments  423

■ Creating and Deploying a Farm  431

■ Publishing and Assigning Applications Using RemoteApp Manager  454

■ Distributing RemoteApp Programs  475

■ Delivering RemoteApp Programs and VMs Through RD Web Access  478

Previous chapters in this book have covered how to set up individual servers for very simple deployments of full desktops on one server (in Chapter 3, “Deploying a Single Remote Desktop Session Host Server”) and a Remote Desktop (RD) Virtualization Host server for providing virtual machines (VMs; in Chapter 4, “Deploying a Single Remote Desktop Virtualization Host Server”). However, you haven’t spent all this time learning about profile management with Remote Desktop Services (RDS) and how to configure client experience and security settings via Group Policy just to set up a single server. You’ll need multiple servers for scale and redundancy.
In this chapter, you’ll learn how to deliver VMs and RemoteApp programs from more than one server, including the following topics:
■ Creating an RD Session Host farm
■ Publishing applications from RemoteApp Manager
■ Assigning applications to users
■ Displaying resources from multiple farms and RD Virtualization Host servers through RD Web Access
■ Enabling users to discover RemoteApp programs, RD Session Host full desktop sessions, and VMs through the RD Web Access website and RemoteApp And Desktop Connections

Key Concepts for Multi-Server Deployments


When talking about multi-server deployments, it’s helpful to make sure that everyone agrees on terminology.

RD Session Host Farms
An RD Session Host farm is a group of RD Session Host servers that are all delivering the same application set and are associated under the same farm name. For best results, all servers in a farm are assumed to have the same software: the same version of the operating system, the same updates, and the same versions of applications. This is important because connections to a farm are load-balanced across the entire farm. If the servers are different, users’ experience will vary depending on which server they connect to, and this will confuse users and lead to Help desk calls. It’s acceptable if the hardware in the farm varies a bit, as long as you take this into account when weighing the servers. A server that has only 75 percent of the capacity of other servers should have only 75 percent of the weight in load-balancing.
If you need to deliver more than one application set, you can do this with more than one farm. In Windows Server 2008 R2, RD Web Access, as well as RemoteApp and Desktop Connections (a new feature in Windows 7 and Windows Server 2008 R2), can be supplied with resources from more than one farm, or even individual RD Session Host servers.

RemoteApp Internals
RemoteApp programs are applications that run on the endpoint and display on the client but are displayed alongside the client-side applications. All RemoteApp programs running on the same computer run in the same session, although the desktop is not visible. This reduces the overhead on the servers and minimizes the number of copies of the profile that are open. (See Chapter 5, “Managing User Data in a Remote Desktop Services Deployment,” for an explanation of why this is important.)
RemoteApp programs work a little differently from applications displayed from a full remote desktop because they must integrate with the locally installed applications. In essence, the server sends the entire desktop to the client, but you can’t see the desktop. The client-side components create their own application windows to mirror those in the remote session and display them on the client.
Chapter 3 explains the processes and startup mechanism for a remote session. With RemoteApp programs, the process is a little different; the client and server must be even more closely aligned. When a client starts its first RemoteApp, the process works as illustrated in Figure 9-1.

[Figure 9-1 diagram: MSTSC.exe on the client is joined by a virtual channel to UserInit.exe, RDPInit.exe, and RDPShell.exe on the server. Callouts: the client requests the RemoteApp launch; RDPInit.exe checks the allow list; the application starts and creates its window; RDPShell.exe intercepts the application window-opening instructions and sends them to the client; the client creates the corresponding window. The numbers 1-7 match the steps below.]

FIGURE 9-1  RemoteApp programs use a special shell to display application windows.

The following steps (numbered accordingly in Figure 9-1) explain this process:

1. The client connects to the server and starts a RemoteApp session (but does not yet start the application).
2. The session is created. Userinit.exe is started, and it in turn starts Rdpinit.exe. Rdpinit.exe manages Rdpshell.exe, the RemoteApp shell (in lieu of Windows Explorer).
3. The server-side and client-side components connect via a virtual channel used especially for RemoteApp communication.
4. Rdpinit.exe checks the allow list for the application. If the application is in the allow list, the RD Session Host server starts the application.
5. The application starts and creates an application window.
6. Rdpshell.exe intercepts the application window-opening instruction and sends it to the client.
7. The client creates a corresponding window to match the one on the RD Session Host server.
From here, the user interacts with the remote session as usual.
As you can see, communication between the remote session and client is key to making this work. Let’s explore RemoteApp components in more detail.

Server-Side Components
On the server, several components must cooperate to ensure the following:
■ Only applications currently in the allow list can be started as RemoteApp programs.
■ The client-side proxy window must open and close in sync with the invisible application window in the remote session.
The following components make this possible:
■ Rdpinit.exe
■ Rdpshell.exe
■ Rdpdd.dll
■ The application window
Figure 9-2 depicts how the RemoteApp components work together to create the user experience. For more information about the broader RD Session Host session architecture, see Chapter 3.

[Figure 9-2 diagram: system space and session space, user mode above kernel mode. In user mode, RDPINIT.EXE and RDPSHELL.EXE exchange window messages (WM_SYSCOMMAND, WM_SYSMENU), Shell_NotifyIcon function calls, window hook messages, and virtual channel communication with the application window and the tray notify icon. In kernel mode, RDPWD.SYS and RDPDD.DLL receive notify icon info and window display info and call back through the WINOBJ manager (Windows object).]

FIGURE 9-2  Server-side components in user mode and kernel mode enable RemoteApp programs.

Rdpinit.exe is the RemoteApp equivalent of Userinit.exe, which starts logon scripts and starts the user shell. Rdpinit.exe starts the Rdpshell.exe and updates the client-side taskbar via Rdpdd.dll. Rdpinit.exe also handles the logoff logic. When no more RemoteApp program application windows are open and no processes are running in the user session that haven’t yet exited, Rdpinit.exe disconnects or logs off the session in accordance with the rules set in Group Policy. (You can’t configure this setting on the RD Session Host server.)
The Group Policy object (GPO) setting that controls when a RemoteApp is logged off is Computer Configuration, Policies, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, Session Time Limits, Set Time Limit For Logoff Of RemoteApp Sessions. To set a time limit that RemoteApps will stay disconnected before they are logged off, enable this setting and then choose a time limit from the drop-down menu.
Rdpshell.exe is the shell, the RemoteApp equivalent of Explorer.exe. It keeps track of changes to application windows (for example, opening and closing) and sends them to the client-side components so that the application window visible to the client behaves exactly like the application window in the invisible shell. Rdpshell.exe also keeps track of any Connect/Disconnect/Reconnect events to the remote session, so the application window on the client side disappears or reappears as appropriate.
Rdpdd.dll is the kernel-mode Remote Display Protocol (RDP) display driver in the session. This component receives the Windowing and System Tray Icon notifications from Rdpinit.exe and Rdpshell.exe and updates the display accordingly. It also sends all display updates on the terminal server to the client.

Client-Side Components
On the client side, other components cooperate to make the RemoteApp visible on the desktop and update the application window in the remote session (see Figure 9-3). These components of the RDC client specific to RemoteApp programs include:
■ The RemoteApp plug-in
■ The Windowing plug-in
■ The input and drawing orders handlers
■ The RemoteApp proxy window
■ The Notify icon

[Figure 9-3 diagram: inside MSTSC.EXE, the RemoteApp plug-in receives window updates from the Windowing plug-in, bitmaps from the shadow bitmap (fed by the drawing orders handler), and user input from the input handler; it drives the RemoteApp proxy window and the Notify icon through the Shell_NotifyIcon function.]

FIGURE 9-3  Client-side components help enable RemoteApp programs.

These components have the following jobs:
■ The Windowing plug-in collects the window positioning information from the remote session and passes it to the RemoteApp plug-in.
■ The drawing orders handler collects the window appearance information and feeds it to the shadow bitmap.
■ The shadow bitmap sends bitmaps to the RemoteApp plug-in to draw the application window.
■ The RemoteApp plug-in receives all the drawing and positioning information and collects all the input for that window to send back to the RD Session Host server. It also collects user feedback on the window state and position and sends it to the remote session to update the application window there.
The RemoteApp proxy window is the window for the RemoteApp; the Windowing plug-in positions it correctly, and the shadow bitmap draws it. The Notify icon displays the RemoteApp program’s icon in the taskbar.

RemoteApp Programs and Multiple Monitors


When a client has more than one monitor attached, RemoteApp programs might work a little differently, depending on whether they’re displayed using monitor spanning (introduced in Windows Server 2008) or true multi-monitor support (introduced in Windows Server 2008 R2).

NOTE  Generating video display takes some processor power and memory on the RD Session Host server; the larger the display, the more power it takes. If every person using the RD Session Host server uses lots of monitors, this could affect scale on the RD Session Host.

One of the new features of Windows Server 2008 was monitor spanning, wherein a session on a terminal server expanded to fit all the monitors connected to the client. When the client connects to the server using monitor spanning (for any monitor configuration), it tells the RDP display driver (Rdpdd.sys) the size of the monitor attached to it, adding the monitor resolutions together (see Figure 9-4). Rdpdd.sys accepts this and treats the multiple monitors as one big monitor. It isn’t aware that multiple monitors are connected; it simply uses the size of the total display area, up to 4096 × 2048 pixels, to arrange windows. (If you exceed the total display area on your monitors, the display will only be up to 4096 × 2048.)
To enable monitor spanning, connect to the remote server by using the /span option with Mstsc.exe. Type mstsc.exe /span in the Run box of the Start Menu or add the entry span monitors:i:1 to the RDP connection file. In the absence of this entry, monitor spanning is disabled for desktop connections.

[Figure 9-4: three 800 × 600 monitors side by side, with the origin 0,0 at the upper left, forming a single 2400 × 600 display.]

FIGURE 9-4  Individual monitors add up to a single large monitor sized 2400 × 600.

Because spanned monitors are seen by the RDP display driver as a single entity, there are some restrictions on configuration. First, all the monitors must be set to the same resolution, because to the server, they’re all the same monitor. If you don’t set all the monitors to the same resolution, then even if monitor spanning is enabled, the desktop will be confined to your primary monitor. Second, the monitors must be set up in a horizontal configuration, as in Figure 9-4; the spanning is intended to go from left to right. Third, the leftmost monitor must be the primary monitor so that both client and server start counting in the upper left as 0,0 when deciding how to arrange pixels on the screen.
One limitation of monitor spanning is that it really isn’t a multi-monitor solution so much as a way to support a large display. The desktop extends across the entire space (meaning that you might want to use an odd number of monitors to avoid message boxes—which typically pop up in the middle of the screen—being split between two monitors). In addition, maximized applications maximize across the entire space, which can make them inconveniently wide. RemoteApp programs make monitor spanning more multi-monitor-like by exploiting what it knows about the monitor window size to maximize applications to the monitor in which you’ve got them, and at the same time making it possible to move them around. For example, start Microsoft PowerPoint as a RemoteApp while two monitors are connected to your client. Both monitors are set to 1280 × 800. The newly started RemoteApp will appear maximized on Monitor 1. To move it, click the Restore Down button and drag the window to Monitor 2. When you maximize it again, the RemoteApp will appear in the confines of the second monitor instead of being spread across every monitor connected to the client. If you position a RemoteApp across two monitors, it will maximize to the one in which more of its window is displayed, as shown in Figure 9-5.

[Figure 9-5: a RemoteApp window straddling two spanned monitors maximizes to the monitor that shows more of it.]

FIGURE 9-5  In a spanned session, a RemoteApp will maximize to the monitor on which more of its window is displayed.

How do RemoteApp programs know where to draw the application window? When running RemoteApp programs, as you modify the application window on the client (maximize it, minimize it, and so forth), these changes are sent to the application window on the RD Session Host server. Although the server doesn’t know that there are multiple monitors, the client does. When you maximize a RemoteApp in a client-side monitor, it maximizes to the monitor on which you have it displayed. It then reports its new size to the remote application window. The result is that the application window is sized for a single monitor, not the entire spanned area.
If you are monitor spanning, before connecting to the RemoteApp, you have to configure the monitors on the client to the same resolution. If you don’t, you will see some odd behavior. RemoteApp programs displayed on one monitor might “leak” into the display on another one. (For example, a File, Open menu might be partially displayed on Monitor 1 when the application’s primary display is on Monitor 2.)

True multi-monitor support, introduced in Windows Server 2008 R2, doesn’t have the limitations of spanning. The monitors are handled independently, so the arrangement doesn’t matter to the display and the monitor resolutions don’t have to match. RemoteApp programs display as though they’re on a single monitor, but you can stretch them to fill all the monitors if you wish. Windows 7 has multiple monitor support, but Windows 7 does not support Aero when you are using multiple monitors in a remote session.

Creating and Deploying a Farm


Deploying a single RD Session Host server has some drawbacks. The company can outgrow the hardware capabilities of a single server, and losing that server means no one can work. Creating a server farm of identical RD Session Host servers provides a scalable and redundant application hosting platform.
An RD Session Host server farm consists of two or more RD Session Host servers with the same software configuration (for example, security settings and device redirection policies) and application sets, all represented under a single farm name so that they appear to the client as a single server. Server farms are load-balanced so that the workload is distributed evenly among all farm members. Because the servers are configured the same way, it does not matter to users which server they get directed to. All servers should provide the same user experience.
Even when RD Session Host servers are clustered into a farm, the final connection is always between a client and a single RD Session Host server. When you’re connecting to individual servers, connecting is simple. The RDP file or RDC client points to a specific server, and assuming that the user is authorized to connect, the connection is made. There’s no ambiguity about where the connection should go. A multi-server deployment adds a layer of complexity because the user session must be directed to a particular server—without the user needing to specify which server.
Without load-balancing, RD Session Host server load will not necessarily distribute evenly according to the number of connections coming in. The load-balancing has to be smart enough to take into account the possibility of disconnected sessions already running on RD Session Host servers, the load that each server is capable of handling as far as usage per session goes, and other factors. Therefore, you need two mechanisms to determine to which server a connection request should ultimately be sent:

■ A way to take the initial connection requests and send them to a brokering mechanism designed to take into account variables specific to the farm environment
■ A brokering mechanism that determines which farm server is best suited to accommodate the session ultimately and then sends the connection to the chosen server
The initial connection is handled by a load balancer or redirector. The brokering is handled by an RDS role service called RD Connection Broker. Read on to learn more about each of these mechanisms.

Distributing Initial Farm Connections


Clients don’t talk to the RD Connection Broker role service directly; they connect to a farm, which sends this connection to the RD Connection Broker to let it find the right endpoint. When a user connects to a farm, the connection is intercepted by an RD Session Host server farm member and is redirected to the RD Connection Broker. If there are a lot of incoming connections, you can distribute them via software load-balancing among RD Session Host servers in the farm. Alternatively, you can dedicate an RD Session Host server to only redirect farm requests, not to support user connections as well.
There are three in-box ways to distribute the incoming connections via software to avoid overloading a single farm member with redirection requests: round robin DNS (RR DNS), Network Load Balancing (NLB), and a dedicated redirector.

NOTE  Because hardware load balancers are not included with RDS, this chapter will not
cover them, but they are an option. Remember that a hardware load balancer is a single
point of failure unless you buy redundant hardware.

RR DNS creates mu t p e host records for the same host name Each t me a request for
that host name s made, the Doma n Name System (DNS) server returns the host records
n consecut ve order It’s easy to set th s up The catch to th s method s that, f a host goes
offl ne, DNS cont nues rout ng peop e to that server as ong as the host record rema ns n ts
database
NLB d str butes ncom ng connect ons even y across each oad-ba anced server on the
pr nc p e that f the ncom ng requests are even y d str buted, the traffic shou d be, too NLB
s best for oad-ba anc ng servers when the connect ons are very short, ke web servers, or n
th s case, the n t a connect on n a farm that s part c pat ng n RD Connect on Broker oad-
ba anc ng NLB s more comp cated to set up than RR DNS, but t’s capab e of detect ng when
a server s no onger ava ab e and w not attempt to send connect ons to t
A ded cated red rector s an RD Sess on Host server whose so e ro e s to red rect n t a
connect on requests to RD Connect on Broker To avo d ask ng work ng RD Sess on Host farm
servers to hand e ncom ng connect ons, you can ded cate a server to do th s work The on y
catch to us ng a ded cated red rector s that t represents a s ng e po nt of fa ure

HOW IT WORKS

Choosing Between RR DNS or NLB for Initial Routing

Both RR DNS and NLB come with Windows Server 2008 R2. Which should you use?

RR DNS is very easy to set up, but it has two limitations: One is that client-side DNS caching can result in clients resolving DNS requests with cached records instead of receiving a reply from the DNS server. This means that RR DNS is bypassed completely. Second, RR DNS does not know when a server goes offline, so it will continue to reply to requests with the host record of the unavailable server, resulting in 30-second delays for clients who receive this reply.

For these reasons, you might choose to use NLB, which distributes incoming connections evenly across the load-balanced servers. Although NLB is not ideal for load-balancing among RD Session Host servers, it’s fine for creating the initial connections, because they don’t last long. NLB does not rely on DNS the way that RR DNS does, so it does not have a problem with cached DNS entries. NLB also detects when a server in the cluster goes offline and will stop sending requests to the downed server.

You will learn how to implement the initial load-balancing options in the section entitled “Deploying RD Session Host Farms” later in this chapter.

Connection Brokering in a Farm Scenario

That’s the load-balancing part. The brokering part comes in when it matters where the incoming connection goes. For web services, for example, if you’re connecting to a server, it really doesn’t matter which one you connect to, because your connection retains no state and won’t last very long. For RD Session Host server sessions, though, it matters a great deal. For instance, it’s far better for you to maintain all connections belonging to the same user on a single server—and in a single session—for the following reasons:
■ Only one copy of your profile will be open (see Chapter 4 for more details).
■ The overhead on the RD Session Host servers will be reduced because session creation is expensive and there’s a minimum set of processes needed to support an RDS session (see Chapter 3 for more details).
With NLB, you can define affinity for a particular server so that all incoming requests from an Internet Protocol (IP) address or class of IP addresses will go to a particular server, but this isn’t quite what’s wanted either. Many connections coming from behind a firewall, for example, could all appear to be from one address—the firewall’s IP address. The result would be one server having to deal with all those connections. You really need a brokering option that can answer two questions about incoming connections and route connections accordingly:
■ Does the user attempting to make this connection already have a session open on an RD Session Host server in the farm?
■ If not, which server has the lowest number of sessions?
RD Connection Broker makes those decisions about how to distribute incoming connections to a farm.
You learned about RD Connection Broker with Virtual Desktop Infrastructure (VDI) in Chapter 4. In terms of pooled and personal VMs, RD Connection Broker communicates with VDI servers and with Active Directory Domain Services (AD DS) to collect data about pooled and personal VMs that are available for connection. RD Connection Broker determines the kind of connection a user is requesting, finds the right endpoint for the request, and keeps track of client connections to personal and pooled VMs. For RDS farm scenarios, RD Connection Broker provides:
■ Session-based load-balancing, which evenly distributes RDS sessions to servers in the farm according to the server capabilities and the number of connections it’s hosting.
■ Session reconnection, reconnecting users to their disconnected sessions.
■ Session draining, slowly draining sessions from an RD Session Host server that must go offline (for example, due to maintenance needs) by not allowing new connections to the server.
■ Access to multiple RemoteApp sources via RD Web Access.
RD Connection Broker can run on any version of Windows Server 2008 R2 that supports RDS. The servers connected to it can run Windows Server 2003 or later. That said, servers running Windows Server 2003 can take advantage of the session reconnection feature, but cannot be part of a load-balanced farm. Clients need a minimum of RDC 5.2 to use RD Connection Broker Load Balancing.
As described in Chapter 4, the RD Connection Broker is made flexible through a model of plug-ins to the base brokering mechanism. Different types of resources have their own resource plug-ins that contain the logic required to find the most appropriate target for that type of connection and to prepare for connection. For example, the Session Plug-in load-balances based on the number of sessions on each RD Session Host server. Independent software vendors (ISVs) can change the logic for finding and preparing the endpoints by implementing filter plug-ins to the resource plug-ins, or they can make RD Connection Broker support entirely new types of resources by adding their own resource plug-ins.

RDS Farm Connection Brokering in Action

Each RDC request for a farm goes through these steps to reach its final destination server (see Figure 9-6).
1. The client requests a connection to an RD Session Host server farm. A load balancer finds a redirector to handle the initial connection and to redirect the connection to the RD Connection Broker.
2. The user authenticates to that RD Session Host server. If the client supports NLA (see Chapter 7, “Molding and Securing the User Environment”), this reduces the overhead on the RD Session Host server by authenticating the user without creating a session.
3. The RD Session Host server that received the incoming connection (henceforth called the redirector) passes the contents of the RDP file to the RD Connection Broker.
4. RD Connection Broker examines the RDP data to find the desired type of connection. If it’s for a session, it activates the RD Session Host resource plug-in. This plug-in first determines whether there’s already a session in the farm for this user. It does this by checking its database, which stores the information shown in Table 9-1. If so, the plug-in can tell which server it’s on and what the Session ID is.

NOTE  It can also tell whether the session is displaying a full desktop or RemoteApp
programs. This is important because the two sessions have different shells.

If the user does not already have an active session, the RD Connection Broker finds the server that contains the fewest active sessions. RD Connection Broker sends the result of its efforts (which includes the IP address of the RD Session Host server that the client should connect to) to the redirector.
5. The redirector sends the IP address to the client.
6. The client silently disconnects from the RD Session Host that redirected the connection and reconnects to the RD Session Host server using that IP address.
[Figure 9-6 diagram: Farm1.ash.local, Initial Load-Balancing Mechanism, RD Session Host Server Farm1 (RDSH1, RDSH2, RDSH3, RDSH4), RD Connection Broker with RDSH plug-in; numbered steps 1–6, with “IP address of destination server” and “Direct connection to destination server”.]
FIGURE 9-6  Connection requests get directed to RD Session Host servers using RD Connection Broker.

TABLE 9-1  Routing Information Stored by RD Connection Broker

RD CONNECTION BROKER DB FIELD     DESCRIPTION
Source-server-ID                  Name of the server that the session resides on
Session-ID                        Session ID for the session
Username                          User name of the user logged on to the session
Domain                            Domain to which the user belongs
TS-Protocol                       Protocol used to connect the session. This will be RDP.
Session-creation-date-and-time    Time and date the session was created
Disconnection-date-and-time       Time and date that the session was disconnected (if applicable)
Application-type                  Session type (displaying desktop or RemoteApp programs)
Resolution-width                  The resolution width of the RDP session (for example, 1024)
Resolution-height                 The resolution height of the RDP session (for example, 768)
Color-depth                       The color depth in the session
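The decision the Session plug-in makes in step 4, modeled in PowerShell over records that use the Table 9-1 column names. This is an added example, not code from the book or from RD Connection Broker itself: the function name Select-FarmTarget, the DrainingServers parameter, the New-SessionRecord helper and the sample session records are constructed for illustration. It answers the two questions the chapter poses (does the user already have a session in the farm; if not, which server has the fewest active sessions) and skips servers that are draining, as the session draining feature describes. The PowerShell 2.0 syntax shipped with Windows Server 2008 R2 is used throughout.

```powershell
# Added example (not the RD Connection Broker's own code): models the Session plug-in
# decision described in step 4 over records with the Table 9-1 column names.
# Function name, the DrainingServers parameter and the sample data are constructed.

function Select-FarmTarget {
    param(
        [Parameter(Mandatory=$true)] [string]   $Username,
        [Parameter(Mandatory=$true)] [string]   $Domain,
        [Parameter(Mandatory=$true)] [string[]] $FarmServers,   # servers in the broker database
        [Parameter(Mandatory=$true)] [object[]] $Sessions,      # Table 9-1 style session records
        [string[]] $DrainingServers = @()                       # servers not accepting new sessions
    )

    # Question 1: does this user already have a session (active or disconnected)
    # on a server that is still in the farm? If so, send the user back to it.
    $existing = $Sessions | Where-Object {
        $_.Username -eq $Username -and $_.Domain -eq $Domain -and
        ($FarmServers -contains $_.'Source-server-ID')
    } | Select-Object -First 1
    if ($existing) {
        return New-Object PSObject -Property @{
            Server    = $existing.'Source-server-ID'
            SessionID = $existing.'Session-ID'
            Reason    = 'Reconnect to existing session'
        }
    }

    # Question 2: otherwise pick the server with the fewest active sessions.
    # Disconnected sessions are not counted as load; draining servers are skipped.
    $counts = @{}
    foreach ($s in $FarmServers) { $counts[$s] = 0 }
    foreach ($rec in $Sessions) {
        $srv = $rec.'Source-server-ID'
        if ($counts.ContainsKey($srv) -and $rec.'Disconnection-date-and-time' -eq $null) {
            $counts[$srv]++
        }
    }
    $candidate = $FarmServers |
        Where-Object { $DrainingServers -notcontains $_ } |
        Sort-Object { $counts[$_] }, { $_ } |
        Select-Object -First 1
    if (-not $candidate) { throw 'No RD Session Host server in the farm is accepting new sessions.' }
    New-Object PSObject -Property @{
        Server    = $candidate
        SessionID = $null
        Reason    = "Fewest active sessions ($($counts[$candidate]))"
    }
}

# Constructed sample of the broker database (a subset of the Table 9-1 columns).
function New-SessionRecord($Server, $Id, $User, $Dom, $Disconnected) {
    New-Object PSObject -Property @{
        'Source-server-ID'            = $Server
        'Session-ID'                  = $Id
        Username                      = $User
        Domain                        = $Dom
        'Disconnection-date-and-time' = $Disconnected
    }
}
$sampleSessions = @(
    (New-SessionRecord 'RDSH1' 2 'kate'  'ASH' $null),
    (New-SessionRecord 'RDSH1' 3 'bob'   'ASH' $null),
    (New-SessionRecord 'RDSH2' 5 'alice' 'ASH' (Get-Date).AddMinutes(-15))
)
$farm = 'RDSH1','RDSH2','RDSH3'

# alice already has a (disconnected) session in the farm, so she is reconnected to it;
# dave has none, and with RDSH3 draining the least-loaded remaining server is chosen.
Select-FarmTarget -Username 'alice' -Domain 'ASH' -FarmServers $farm -Sessions $sampleSessions
Select-FarmTarget -Username 'dave'  -Domain 'ASH' -FarmServers $farm -Sessions $sampleSessions -DrainingServers 'RDSH3'
```

The second call illustrates why the chapter warns that disconnected sessions must be accounted for: the disconnected session on RDSH2 still pulls its owner back, but it does not count against RDSH2 when a new user is placed.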

HOW IT WORKS

RD Connection Broker Routing Methods

RD Connection Broker can support two kinds of load-balancing redirection: IP address redirection and routing token redirection. RR DNS and NLB use IP address redirection; hardware load balancers such as Cisco’s Content Switching Module might use routing token redirection.

IP address redirection, used when clients can connect directly to servers in the farm,
is the default for RD Connection Broker. It works like this.

1. The client connects to the initial load balancer and is routed to an RD Session
Host server, where the client is authenticated. If the client supports NLA, the
client doesn’t have to create a full session to be authenticated, speeding up the
process.

2. The RD Session Host server redirects the connection request to the RD Connec-
tion Broker.

3. The RD Connection Broker finds the most suitable endpoint for the connection
request and gets its IP address.

4. RD Connection Broker returns the answer to the RD Session Host server, which
passes the encrypted load-balance packet to the client. The packet contains the
IP address of the chosen RD Session Host server.

5. The client connects directly to the RD Session Host server IP address specified in
the load-balance packet.

When the load-balancing configuration requires that all initial traffic go through
the load balancer, clients can’t connect using IP addresses. In that case, the load
balancer must support RD Connection Broker routing tokens. Clients get routed to
the appropriate RD Session Host server like this.

1. The client connects to the initial load balancer and is routed to an RD Session
Host server, where the client is authenticated.

2. The RD Session Host server queries the RD Connection Broker for the RD Session
Host server to which this client should be redirected.

3. RD Connection Broker returns the answer to the RD Session Host server.

4. The RD Session Host server tells the client to connect again to the load balancer,
but this time, it gives the client a routing token to give to the load balancer.

5. The routing token contains the IP address of the chosen RD Session Host server.

6. The client connects directly to the RD Session Host server IP address specified in
the routing token.

You might be wondering how RD Connection Broker keeps track of the RD Session Host servers. What happens if one goes offline, and how will the RD Connection Broker know if it does? For that matter, what will it do if a server goes offline?
To keep track of RD Session Host server status, the RD Connection Broker keeps track of whether the connections that it redirects to the RD Session Host servers in the farm actually go through. If a redirection attempt succeeds, that’s great—the RD Session Host server is available. If a redirection attempt fails, then there might be a problem with the RD Session Host server or the network—but it’s not definite, because there was only one attempt. Therefore, 60 seconds after the initial redirection request, the RD Connection Broker starts pinging the RD Session Host server that didn’t respond. If the RD Session Host server does not respond to a set number of pings (a default of 3, at a default interval of 10 seconds apart), then the RD Connection Broker removes that RD Session Host server from its database.
This back-and-forth means that, about two to three minutes from the time the RD Connection Broker attempts to send a connection to an unavailable RD Session Host server, the RD Connection Broker will stop looking for the server. Removing an RD Session Host server from the farm by deleting it from the TS Session Directory Computers group will not delete it from the RD Connection Broker’s database.

NOTE  An RD Session Host server gets re-added to the RD Connection Broker database
by re-adding it to the farm in RD Session Host Configuration and re-adding the RD Session
Host server to the Session Broker Computers group on the RD Connection Broker.

If you take a server offline, you can speed up the process of purging the database by shortening the intervals at which it looks for the RD Session Host server. These are controlled by three registry keys located under HKLM/SYSTEM/CurrentControlSet/Services/Tssdis/Parameters in the RD Connection Broker’s registry. Conveniently, all these values are in decimal, so they’re easy to interpret. The three that you need to concern yourself with are the following:
■ TimeBetweenPings (default value of 78 hexadecimal, or 120 seconds)
■ NumberFailedPingsBeforePurge (default value is 3)
■ TimeServerSilentBeforePing (default value is 60; the value is in seconds)
To decrease or increase the interval between when RD Connection Broker attempts to connect and when it purges the RD Session Host server from the database, edit these settings. Just be aware that a connection problem or the server being offline isn’t the only reason why an RD Session Host server might not respond.

ON THE COMPANION MEDIA  You can use the SBDatabaseDump.vbs script found
on the companion media to dump the contents of the RD Connection Broker data-
base. Just edit as needed for your deployment.
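To see what the three values add up to and to change them in one step, here is an added PowerShell example that is neither from the book nor from the companion media. It reads the values from the Tssdis\Parameters key named above, falling back to the defaults the list gives when a value has not been written, and treats the worst-case time to purge as TimeServerSilentBeforePing plus NumberFailedPingsBeforePurge times TimeBetweenPings; that formula, the function names and the sample maintenance values are assumptions for illustration. Run it on the RD Connection Broker as an administrator.

```powershell
# Added example, not from the book: inspects and tunes the three Tssdis values the text
# names. The purge formula below is an assumption based on the text's description.
$brokerParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tssdis\Parameters'

function Get-BrokerPurgeSettings {
    param([string] $Path = $brokerParams)
    # Read the values if present; fall back to the defaults the text lists so the
    # calculation also works on a machine where the values have never been written.
    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $silent  = if ($p -and $p.TimeServerSilentBeforePing   -ne $null) { $p.TimeServerSilentBeforePing }   else { 60 }
    $between = if ($p -and $p.TimeBetweenPings             -ne $null) { $p.TimeBetweenPings }             else { 120 }
    $failed  = if ($p -and $p.NumberFailedPingsBeforePurge -ne $null) { $p.NumberFailedPingsBeforePurge } else { 3 }
    New-Object PSObject -Property @{
        TimeServerSilentBeforePing   = $silent
        TimeBetweenPings             = $between
        NumberFailedPingsBeforePurge = $failed
        # Worst case from a failed redirection to removal from the database:
        # the silent period, then every allowed ping interval (assumed model).
        SecondsUntilPurge            = $silent + ($failed * $between)
    }
}

function Set-BrokerPurgeSettings {
    param(
        [Parameter(Mandatory=$true)] [int] $TimeServerSilentBeforePing,
        [Parameter(Mandatory=$true)] [int] $TimeBetweenPings,
        [Parameter(Mandatory=$true)] [int] $NumberFailedPingsBeforePurge,
        [string] $Path = $brokerParams
    )
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # DWORD values, written as decimal numbers as the text describes.
    Set-ItemProperty -Path $Path -Name TimeServerSilentBeforePing   -Value $TimeServerSilentBeforePing   -Type DWord
    Set-ItemProperty -Path $Path -Name TimeBetweenPings             -Value $TimeBetweenPings             -Type DWord
    Set-ItemProperty -Path $Path -Name NumberFailedPingsBeforePurge -Value $NumberFailedPingsBeforePurge -Type DWord
    Get-BrokerPurgeSettings -Path $Path
}

# Before changing anything, see how long an unreachable farm member would linger.
Get-BrokerPurgeSettings

# Sample maintenance profile (constructed values): ping after 30 seconds, 20 seconds
# apart, purge after 3 misses, so a server you have taken offline drops out sooner.
# Set-BrokerPurgeSettings -TimeServerSilentBeforePing 30 -TimeBetweenPings 20 -NumberFailedPingsBeforePurge 3
```

Keep the caution from the text in mind when lowering these: a server that is merely slow to answer is purged just as readily as one that is really gone, so shorten the intervals for planned maintenance and restore the defaults afterwards.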

DIRECT FROM THE SOURCE

How NLA Speeds RD Connection Broker Routing


Munindra Das
Software Development Engineer II

Before Windows Server 2008, when a terminal server in a farm received a connection request, it created a temporary session to authenticate the user and load user policies. If no local disconnected session was present, it queried the TS Session Directory to see if there was a disconnected session for the user on another computer in the farm. If a disconnected session was found, a redirection request was sent to the client to connect to the other server instead. The temporary session was then discarded.

The temporary session creation resulted in significant delay in completing the connection because a full logon occurs in the session. Also, the user experience was unpleasant because the user saw two welcome screens, first for the temporary session and then again for the redirected session. The new technique addresses these drawbacks when a connection is made using the new RDC client with CredSSP.

Windows Server 2008 introduced a new technique to improve the redirection scenario. Clients that support NLA can pass their credentials to the terminal server (now the RD Session Host server). The RD Session Host server (acting as a redirector) hosting the temporary connection can use those credentials to authenticate that the user is allowed to log on to the farm and can pass those credentials to the RD Connection Broker to help it look for an existing connection associated with those credentials. If RD Connection Broker finds a disconnected session on another computer in the farm, it immediately sends a redirect packet to the client, and the client subsequently connects to the redirected server. Hence, no temporary session is created before the connection is redirected. This change improves security because the client must be authenticated even before it makes the connection, and it also improves performance because the first RD Session Host server doesn’t have to create a temporary session.
It’s also worth mentioning that users will get an error if they try to access individual farm members from a client computer by connecting to an individual server name. However, a client can still access individual farm servers by IP address (the client will get warnings about the IP address not being the name of the server, but eventually, the user would be allowed to connect). To stop this, enforce Server Authentication on the clients by using the following GPO:

Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client\Configure Server Authentication For Client

Enable the policy and choose Do Not Connect If Authentication Fails from the drop-down menu. Then click OK to save the changes and apply the GPO to the organizational unit (OU) where client computers reside.

NOTE  Administrators can access RD Session Host servers by server name even if they are
part of a farm.

Deploying RD Session Host Farms

Technically, you could create a farm using only RR DNS or NLB, but this farm wouldn’t use a kind of load-balancing suitable for longer connections and can’t inform RD Web Access of its resources. To create a load-balanced RD Session Host server farm that can deliver a list of resources to RD Web Access, you must do the following:
■ Install the RD Connection Broker role service.
■ Allow RD Session Host servers to join RD Connection Broker.
■ Set up initial load-balancing among the RD Session Host servers so they can route temporary sessions to RD Connection Broker.
■ Configure the RD Session Host servers to join a farm.

Chapter 4 explains how to install the RD Connection Broker role service, which you need to do because you must have a connection broker to deliver pooled and personal VMs. To perform the additional setup, read on.

Permit RD Session Host Servers to Join RD Connection Broker

Installing the RD Connection Broker creates a new local security group named Session Broker Computers. You must add RD Session Host servers to this group to permit them to work with the RD Connection Broker. To do so, open Server Manager, expand Configuration/Local Users And Groups/Groups, and then double-click the Session Broker Computers security group in the right pane. On the Members tab, click Add, type the RD Session Host server computer accounts, and click OK twice.
The same RD Connection Broker can support multiple farms, so all RD Session Host servers will go into the same security group.

NOTE  If the RD Connection Broker server is also a domain controller, you can’t use Server
Manager to add RD Session Host servers to the Session Directory Computers group; use
Active Directory Users And Computers to do this instead.

Set Up Initial Load-Balancing

Set up RR DNS or NLB to distribute incoming initial connections evenly across the farm.

RR DNS
Setting up RR DNS is very easy. Just add a DNS host entry for the farm name that points to each server in the farm. For example, one of our farms consists of two servers, whose DNS entries map to the following IP addresses:

Fuji.ash.local = 10.10.10.110
Glacier.ash.local = 10.10.10.112

To implement RR DNS, add two more host entries pointing to the corresponding IP addresses as follows:

Farm1.ash.local = 10.10.10.110
Farm1.ash.local = 10.10.10.112

NOTE  If you use RR DNS, you should also lower the Time To Live (TTL) of the DNS entries
so the DNS cache on the clients gets updated frequently. This will cut down on clients
bypassing RR DNS completely or possibly trying to access a dead server. To change the
TTL on DNS entries in DNS Manager click View, Advanced. Then right click the DNS entry,
select Properties, lower the TTL value, and click OK.
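The RR DNS setup above, as an added PowerShell example that is not part of the book: it creates the two Farm1 host records with a short TTL using dnscmd on the DNS server, then checks each address behind the farm name on TCP 3389, because RR DNS keeps handing out the record of a host that has gone offline. The function names, the 30-second TTL and the 2-second probe timeout are assumptions; the zone, host names and addresses are the ones in the text.

```powershell
# Added example, not from the book. Run on the DNS server (dnscmd acts on the local
# server when no server name is given). Zone, farm name and addresses are the text's;
# the TTL, timeout and function names are assumptions for this example.
$zone    = 'ash.local'
$farm    = 'Farm1'
$ttlSecs = 30
$members = @{ 'Fuji.ash.local' = '10.10.10.110'; 'Glacier.ash.local' = '10.10.10.112' }

function Add-FarmRoundRobinRecords {
    param([string] $Zone, [string] $Farm, [int] $Ttl, [hashtable] $Members)
    # One A record per farm member under the farm name; the DNS server rotates
    # the order of the answers, which is what RR DNS relies on.
    # Syntax: dnscmd /RecordAdd <zone> <node> [TTL] <type> <data>
    foreach ($ip in $Members.Values) {
        & dnscmd.exe /RecordAdd $Zone $Farm $Ttl A $ip
    }
}

function Test-FarmRecordTarget {
    param([string] $Address, [int] $Port = 3389, [int] $TimeoutMs = 2000)
    # A host that no longer listens on the RDP port is still handed out by RR DNS,
    # so probe the port with a bounded timeout rather than trusting the record.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-StaleFarmRecords {
    param([hashtable] $Members, [int] $Port = 3389)
    # Returns the member names whose address is in DNS but not answering on $Port.
    $Members.GetEnumerator() |
        Where-Object { -not (Test-FarmRecordTarget -Address $_.Value -Port $Port) } |
        ForEach-Object { $_.Key }
}

Add-FarmRoundRobinRecords -Zone $zone -Farm $farm -Ttl $ttlSecs -Members $members

# Run this check on a schedule; any name it returns is a record clients are still being
# sent to even though the server is down.
Get-StaleFarmRecords -Members $members
```

A record that the check reports can be withdrawn with dnscmd /RecordDelete ash.local Farm1 A <address> /f until the host is back, which is the manual substitute for the offline detection that NLB does by itself.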

NLB
To avoid problems with stale DNS entries, you might decide to implement NLB. To configure an NLB cluster, you need to complete the following steps:
1. If you have a network adapter dedicated to NLB, you need to configure it.
2. Install the NLB Manager on a host node or other management machine.
3. Configure the NLB cluster.
4. Add a DNS entry mapping the farm name to the cluster IP address.
Before Windows Server 2008, it was advised to use two network adapters on each cluster member: one for NLB traffic and one for other traffic. If you used only one network adapter per host in Unicast mode, one host could not communicate with another—each server would see itself as both the initiating and destination computer. Beginning with Windows Server 2008, however, NLB was re-engineered so that implementing NLB in Unicast mode on one network adapter now allows for host-to-host communication. So now you have a choice. You can use one network adapter for all communication, or you can limit NLB traffic to its own network adapter. In our implementation example, you will use two network adapters: one reserved for NLB traffic and one for other traffic (like remote administration).

IMPORTANT  Using two network adapters turns off per-session IP virtualization on RD Session Host servers, so if you need to use per-session IP Virtualization, then use one network adapter for NLB. Per-program IP virtualization is not affected by two network adapters.

CONFIGURE THE NLB NETWORK ADAPTER

Configure the NLB network adapter with a unique IP address and an appropriate subnet mask. The NLB network adapter does not need a gateway address because the traffic is not going to leave the network.

NOTE  If your RD Session Host Servers are virtualized and you choose to operate in
Unicast mode, be sure to enable media access control (MAC) address spoofing on the NLB
network adapter or hosts will not converge. For more on MAC address spoofing on virtual
adapters, see “Configure MAC Address Spoofing for Virtual Network Adapters” at
http://technet.microsoft.com/en-us/magazine/ff458341.aspx.

INSTALL NLB MANAGER

Next, you need to install the Network Load Balancing feature on each farm member. To do this, open Server Manager and select the Features section. Click Add Features, select the check box next to Network Load Balancing, and click Install.

You can also install the Network Load Balancing feature using Windows PowerShell using this command:

Import-Module ServerManager
Add-WindowsFeature NLB

A successful install renders these results:

Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True    No             Success   {Network Load Balancing}

CONFIGURE THE NLB CLUSTER

Now that NLB is installed on each farm member, it’s time to configure the cluster. To do so, follow these steps:
1. Open NLB Manager on one of the farm members from Start, All Programs, Administrative Tools, Network Load Balancing Manager or by typing nlbmgr in the Run text box on the Start menu. Right-click Network Load Balancing Clusters and choose New Cluster, as shown in Figure 9-7.

FIGURE 9-7  Open NLB Manager and create a new cluster.

2. In the Host input box, enter the name of one of the NLB hosts (one of the RD Session Host server farm members) and click Connect. All available network adapters on that server show up in the lower pane. Select the NLB dedicated network adapter that you have configured to use with load-balancing and click Next.
3. The IP address and subnet mask assigned to the network adapter will show up in the next window. The priority number is a unique number that differentiates the servers. Accept the default value. If you need to make any changes to the address, click Edit and make your changes. Leave the Initial Host State as Started, and click Next.
4. On the next screen, click Add and add a unique IP address and subnet mask that will be shared by all cluster members, and then click OK. When users request access to the farm, they will be sent to this address instead of a specific RD Session Host server address. The address will appear in the Cluster IP address window, as shown in Figure 9-8. Click Next.

FIGURE 9-8  Add a unique cluster IP address and subnet mask.

5. On the Cluster Parameters page, accept the defaults, including Unicast for the Cluster Operation Mode setting, and click Next. All cluster host adapters must use the same operation mode or NLB will not function.
6. On the New Cluster Port Rules page, you need to make a few changes to the default settings. Click Edit, and then change the starting and ending port range to 3389 (in both the To and From fields) because you will be using this cluster to load-balance RDP traffic only. In the Protocols section, select TCP. In the Filtering Mode section, choose Multiple Hosts to allow multiple hosts to handle traffic for this port rule. For Affinity, you have three choices:
■ None  Multiple connections coming from the same IP address can be spread among the farm members.
■ Single  Choosing this option gives affinity to connections coming from the same IP address; they will be terminated on the same farm member.
■ Network  Choosing this option means that client connections within the same Class C address space are terminated on the same server.
Choose Affinity None so that incoming connections can be sent to any member of the farm. (There’s no reason to set affinity when the connections are being redirected, and doing so could make your load-balancing efforts useless by sending repeated connection requests to the same server.) Then click OK. Figure 9-9 shows these changes.

FIGURE 9-9  Change the port range, protocol, and filtering mode.

DIRECT FROM THE FIELD

NLB Cluster Operation Modes


Russ Kaufmann
Clustering MVP

When configuring an NLB cluster, you will have several options, one of which is to choose Unicast or Multicast mode.

Unicast uses a virtual MAC address, which is used instead of the physical MAC ad-
dress (which is hard-coded on the network adapter) for all traffic that is covered by
the port rules in the NLB configuration. Multicast adds the virtual MAC address and
the physical MAC address on the network adapter. Multicast uses both the virtual
MAC and the physical MAC addresses. Using both the virtual and the physical MAC
addresses allows NLB members to communicate with each other as well as clients.

In both Unicast and Multicast, the virtual MAC is being used by multiple comput-
ers. If there are multiple servers using the same MAC address, a switch is not able to
learn the port for the virtual MAC and is forced to send the packets destined for the
virtual MAC to all ports of a switch. This is called switch port flooding. To limit the
impact of network switch port flooding, you can use the following solutions.

● Create a virtual local area network (VLAN) for all your NLB servers.
● Use a hub or dumb switch for all your NLB servers and then connect the device to the rest of the network.
● Use Multicast mode and configure static mapping for the NLB cluster nodes in the switch so that it floods only the mapped ports instead of the entire switch.
● Use port mirroring so that all ports involved in the NLB cluster mirror each other.
In earlier versions of Windows, Unicast required two network adapters per NLB
member so that one network adapter could be used for NLB traffic and the other
network adapter could be used to manage the servers and used for any intra-cluster
network needs, such as copying files between the nodes. Multicast mode was often
used when only a single network adapter was available, because it would allow
easier management of the servers and would also allow for intra-cluster communi-
cation by using the physical MAC. In Windows Server 2008 R2, there is no longer an
issue with Unicast mode so that it needs a second network adapter in each node.

Multicast mode can have some support issues, such as the following.

● Multicast mode will multicast non-multicast (class D range) addresses, and many network devices don’t support it.
● The CPU load on some network adapters can increase by 5 percent or more
when handling Multicast traffic as opposed to Unicast traffic.
● Some routers might not support multicast addresses in their ARP implemen-
tation, so default NLB cluster access is limited to its own subnet. In these
cases, you would need to create a static Address Resolution Protocol (ARP)
entry in the router.
● Some routers don’t support mapping the cluster (Unicast IP address) IP address to a
multicast MAC address.
Because Unicast works well when using a single network adapter and does not have
the supportability issues with Multicast, it is generally considered to be the best
solution for NLB implementations.

ADD FARM DNS ENTRY

Now that you have NLB set up, you are ready to provide access to the farm via the cluster IP address. Set up a DNS host entry to map the IP address to the farm fully qualified domain name (FQDN). For example, you would map farm1.ash.local to 10.10.10.211 (the cluster IP address).
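The cluster configuration steps above and the farm DNS entry, as an added PowerShell example rather than the book's own procedure. It uses the NetworkLoadBalancingClusters module that installs with the NLB feature on Windows Server 2008 R2 and the dnscmd tool. The host names RDSH1 through RDSH4, the adapter name NLB, the subnet mask and running it from the first farm member are assumptions; the cluster address 10.10.10.211 and the farm name come from the text.

```powershell
# Added example, not the book's procedure: the PowerShell equivalent of the NLB Manager
# steps, followed by the farm DNS entry. Host names, the adapter name 'NLB' and the
# subnet mask are assumptions; run it on the first farm member as an administrator.
Import-Module NetworkLoadBalancingClusters

$clusterName  = 'Farm1.ash.local'
$clusterIp    = '10.10.10.211'
$subnetMask   = '255.255.255.0'
$nlbInterface = 'NLB'                      # the adapter dedicated to NLB traffic
$firstHost    = 'RDSH1'
$otherHosts   = 'RDSH2','RDSH3','RDSH4'

# Steps 1 to 5: create the cluster on the first host in Unicast mode with the shared
# cluster address that clients will be sent to instead of an individual server.
New-NlbCluster -HostName $firstHost -InterfaceName $nlbInterface `
    -ClusterName $clusterName -ClusterPrimaryIP $clusterIp -SubnetMask $subnetMask `
    -OperationMode Unicast | Out-Null

# Step 6: replace the default all-ports rule with one that balances only RDP (TCP 3389)
# across multiple hosts with no affinity, so redirected connections can land anywhere.
Get-NlbClusterPortRule -HostName $firstHost | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -HostName $firstHost -StartPort 3389 -EndPort 3389 `
    -Protocol TCP -Mode Multiple -Affinity None | Out-Null

# Join the remaining farm members; the cluster's operation mode applies to every node,
# which satisfies the requirement that all host adapters use the same mode.
foreach ($h in $otherHosts) {
    Add-NlbClusterNode -HostName $firstHost -InterfaceName $nlbInterface `
        -NewNodeName $h -NewNodeInterface $nlbInterface | Out-Null
}

# Farm DNS entry: map the farm FQDN to the cluster address (run this line on the DNS server).
& dnscmd.exe /RecordAdd ash.local farm1 A $clusterIp

# Confirm every node has joined and converged before pointing users at the farm name.
Get-NlbClusterNode -HostName $firstHost | Select-Object Name, State, HostPriority
```

The default port rule created with a new cluster covers every port, which is why it is removed before the 3389-only rule is added; leaving both in place would balance all traffic on the NLB adapter, not just RDP.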

Configuring a Dedicated Redirector
If you have designated a dedicated redirector, you no longer need an initial load-balancing mechanism. The RDS farm connection brokering steps shown earlier in Figure 9-6 are slightly different in this scenario, as shown in Figure 9-10.

[Figure 9-10 diagram: Farm1.ash.local, Dedicated redirector, RD Session Host Server Farm1 (RDSH2, RDSH3, RDSH4), RD Connection Broker with RDSH plug-in; numbered steps 1–5, with “IP address of destination server” and “Direct connection to destination server”.]
FIGURE 9-10  If you use a dedicated redirector, you don’t need an initial load-balancing mechanism.

To configure a dedicated redirector for load-balancing initial RD Session Host server farm connections, you must do the following:
1. Give the RD Session Host server permission to join the RD Connection Broker.
2. Configure the RD Session Host server to become a dedicated redirector.
3. Add a DNS entry that maps the farm name to the IP address of the RD Session Host server that becomes a redirector.
First, add the RD Session Host server to the Session Broker Computers Group on the RD Connection Broker and then perform the following steps:
1. On the RD Session Broker computer, open RD Session Host Configuration. Open the RD Connection Broker Properties window by double-clicking the Member Of RD Connection Broker link located in the Edit Settings window.
2. Click Change Settings, and choose Dedicated Farm Redirection in the RD Connection Broker settings window.
3. Enter the FQDN of the RD Connection Broker Server, and the FQDN of the farm name in the corresponding input boxes at the bottom of the screen. Then click OK. You should get the pop-up message shown in Figure 9-11. (As the administrator, you can still connect to the server with a /admin connection.)

FIGURE 9-11  A dedicated redirector doesn’t support user sessions, just incoming connection requests.

4. Add domain users to the Remote Desktop Users group on this server if they aren’t already members. Even though people won’t run sessions on this server, they must be able to connect to it.
5. On your DNS server, add a DNS host entry that maps the farm FQDN to the dedicated redirector’s IP address.

Join RD Session Host Servers to a Farm


You can join RD Session Host servers to a farm via Remote Desktop Session Host Configuration,
Group Policy, or Windows PowerShell.

Using Remote Desktop Session Host Configuration to Join a Farm


To join a farm using Remote Desktop Session Host Configuration, perform the following
steps.
1. Open the tool on the RD Session Host server. Double-click the Member Of A Farm In
RD Connection Broker setting listed in the Edit Settings window. The RD Connection
Broker Properties tab will appear, as shown in Figure 9-12.

FIGURE 9-12  You can join a server to a farm from the RD Connection Broker Properties tab in RD
Session Host Configuration.

2. Click Change Settings. In the resulting RD Connection Broker Settings window, you
specify how this RD Session Host server will interact with RD Connection Broker—that
is, what the relationship is. Choose Farm Member and then enter the RD Connection
Broker server FQDN and the farm name in the input boxes, as shown in Figure 9-13.
FQDN is a hierarchical naming format used with DNS to denote the location of a
computer or resource in the DNS tree hierarchy. It's a good idea to use the DNS name
for the farm, not its NetBIOS name, even though NetBIOS names will work for simple
deployments. It's a form of planning ahead, because you must use the FQDN if any of
the following conditions apply.
● You want to use DNS for name resolution (for example, if you're using IPv6, which
WINS does not support).
● The farm certificate uses the FQDN in either the Subject or Subject Alternative
Name fields.
● You want to use Kerberos authentication, not NTLM.

FIGURE 9-13  Add the RD Connection Broker server name and the farm name.

NOTE  For information on creating a Kerberos identity for an RD Session Host server
farm, see http://blogs.msdn.com/b/rds/archive/2009/05/20/creating-kerberos-identity-for-rd-session-host-farms-part-i-using-the-remote-desktop-services-provider-for-windows-powershell.aspx.

3. Click OK and you will be back on the RD Connection Broker Properties tab. The check
box next to Participate In Connection Broker Load Balancing is selected by default.
Leave it selected.
4. Choose the relative weight of this farm server. The weight describes its capacity relative
to the other RD Session Host servers in the farm. Although all RD Session Host servers
should be configured identically, not all will necessarily have the same amount of
memory or the same number of processor cores. For example, if a server is only 75
percent as powerful as other servers in the farm, then you can reduce its weight to
allow it only 75 percent as many connections as the other servers. The default value is
100.

5. Also by default, the redirection method—how a client connects to the RD Session
Host server once RD Connection Broker decides which server should accommodate the
connection—is set to Use IP Address Redirection. If the initial load balancer allows
clients to connect directly to RD Session Host servers in the farm, keep this default
setting.

NOTE  Unless you know otherwise, always use IP address redirection. Some initial load-
balancing configurations require all RD Session Host server traffic to be routed through
the initial load balancer. Therefore, clients do not communicate directly with RD Session
Host servers in the farm because they won’t know their IP addresses. Instead, they talk
to the load balancer, and the load balancer passes the communication to the appropri-
ate RD Session Host server. In these situations, the load balancer must use routing token
redirection instead of IP address redirection.

6. In the bottom section of this page, select the IP address that will be used for reconnections
to this server.

NOTE  If you have more than one network adapter that you want to use, you can
choose them all by checking the box next to each network adapter.

7. Click OK to apply the settings.


Perform this process for each member of the farm, taking care to use the same farm name
and the same redirection method on all farm members.

Using Group Policy to Join a Farm


It's hard to keep the settings consistent if you're managing farm membership settings on
each RD Session Host server. If you mistype the farm name on an RD Session Host server, for
example, you'll create a new farm and that server will not be load-balanced with the other
RD Session Host servers that you had intended to group it with. Assuming you have AD DS,
the easiest way to configure an RD Session Host server farm and RD Connection Broker load
balancing is to use Group Policy. The settings are located in Computer Configuration\Policies\
Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop
Session Host\RD Connection Broker.
Create a GPO and apply it to the organizational unit (OU) where the RD Session Host servers
reside. Set the policies as described here.
■ Join RD Connection Broker  Enable this setting to join the RD Session Host servers
to the farm specified in the RD Connection Broker Server Name policy setting.
■ Use RD Connection Broker Load Balancing  Enable this setting and the RD Session
Host servers will participate in RD Connection Broker Load Balancing.

■ Configure RD Connection Broker Farm Name  Enable this setting and specify a
farm name. Because the GPO is applied to an OU holding the RD Session Host servers,
all RD Session Host servers will know this farm name.
■ Configure RD Connection Broker Server Name  Enable this setting and type the
IP address or the FQDN of the server where RD Connection Broker is installed. RD Session
Host servers in the farm will be serviced by this RD Connection Broker. Again, the
FQDN is recommended.
■ Use IP Address Redirection  Enable this setting unless your initial load balancer
solution requires token-based redirection.
Any of these policy settings, if not configured or disabled, can be configured using RD
Session Host Configuration on a per-service basis, although the settings in Group Policy take
precedence if there is a conflict. One exception to this rule is the Join RD Connection Broker
policy setting; if it is disabled in Group Policy, it cannot be configured via RD Session Host
Configuration. If settings are configured via Group Policy, then the options to configure them
in RD Session Host Configuration are dimmed, as shown in Figure 9-14.

FIGURE 9-14  Configuring the RD Session Host server to join a farm via Group Policy blocks the ability to
edit these settings in RD Session Host Configuration.

Using Windows PowerShell to Join a Farm
On an RD Session Host server farm member, open an elevated Windows PowerShell prompt
and then do the following.
1. First, import the Remote Desktop Services Module with the following command.

Import-module remotedesktopservices

2. Set the location to RDS with the following command.

set-location rds:

3. Navigate to the RD Connection Broker settings directory with the following command.

cd rdsconfiguration\ConnectionBrokerSettings

When you configure a server to join an RD Connection Broker server farm, all the settings
to do so need to be run in one line of code. Therefore, you need to know what settings to
specify beforehand. To know what items you will be setting and what the value options are
for each setting, run this command.

get-childitem | format-list

These items in the resulting list correspond to the items that you would set in the RD Session
Host Configuration had you done this via the graphical user interface (GUI).
Next, get the current redirectable address options that you have to choose from so that
you can specify one or more IP addresses to use for IP address redirection later in the script.

PS RDS:\> cd RedirectableAddresses
PS RDS:\rdsconfiguration\ConnectionBrokerSettings\RedirectableAddresses>dir

Take a look at your redirectable address options; if you have more than one network
adapter configured on the server, you will have multiple addresses to choose from. The results
will look similar to this.

Directory: RDS:\rdsconfiguration\ConnectionBrokerSettings\RedirectableAddresses

Name Type CurrentValue GP PermissibleValues PermissibleOperations


---- ---- ------------ -- ----------------- ---------------------
10.10.10.242 String - Get-Item
10.10.10.232 String - Get-Item
10.10.10.112 String - Get-Item
10.10.10.212 String - Get-Item
10.10.10.211 String - Get-Item

Now you have all the data that you need to configure the RD Session Host server to join
an RD Connection Broker farm. Do this by running the following code, inputting the value
options that work with your environment.

Set-Item ServerPurpose -value 3 -ConnectionBroker <FQDN-OF-RD-CONNECTION-BROKER-GOES-HERE> -FarmName <FQDN-FARM-NAME-GOES-HERE> -IPAddressRedirection 1 -CurrentRedirectableAddresses <IP-ADDRESS-YOU-WANT-TO-USE-GOES-HERE>

NOTE  To get help in setting the item ServerPurpose, run the following command.

get-help Set-Item -path .\Serverpurpose

To get help in understanding ServerPurpose parameters and their possible values, run this
command.

get-help Set-Item -path .\Serverpurpose -param <The parameter for which you want
possible values>

ON THE COMPANION MEDIA  A script to perform this process for all servers in an
OU is included on the companion media in the JoinFarm.ps1 file. The script sets IP
address redirection to use the first available network adapter option.
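The following script is an added example, not the book's JoinFarm.ps1 and not Microsoft's code. It strings the steps above together on one farm member: import the module, pick the first redirectable address, run the Set-Item ServerPurpose command with the parameters shown in the book, and then read the provider back to confirm the farm name that the server actually recorded, because (as the Group Policy section warns) a mistyped farm name silently creates a new one-server farm. The broker and farm names are placeholders; the item names read back after the join (FarmName, ConnectionBroker, IPAddressRedirection) are assumed to match what Get-ChildItem lists on your server, so check them against that output first.

```powershell
# Added example (not the book's JoinFarm.ps1): join the local RD Session Host server
# to a farm through the RDS: provider and verify the result.
param(
    [Parameter(Mandatory = $true)] [string] $BrokerFqdn,   # placeholder, e.g. broker.contoso.example
    [Parameter(Mandatory = $true)] [string] $FarmFqdn      # placeholder, e.g. farm1.contoso.example
)

Import-Module RemoteDesktopServices
Set-Location RDS:\rdsconfiguration\ConnectionBrokerSettings

# Enumerate the redirectable (adapter) addresses and take the first one, which is
# the choice the book says JoinFarm.ps1 makes.
$addresses = @(Get-ChildItem .\RedirectableAddresses | Select-Object -ExpandProperty Name)
if ($addresses.Count -eq 0) { throw 'No redirectable addresses found on this server.' }
$redirectIp = $addresses[0]

# ServerPurpose 3 = farm member and IPAddressRedirection 1 = IP address redirection,
# both as in the book's Set-Item example. Use 0 for IPAddressRedirection only when the
# initial load balancer requires routing-token redirection.
Set-Item ServerPurpose -Value 3 `
    -ConnectionBroker $BrokerFqdn `
    -FarmName $FarmFqdn `
    -IPAddressRedirection 1 `
    -CurrentRedirectableAddresses $redirectIp

# Read back the settings the provider now reports. Assumed item names; adjust to
# whatever Get-ChildItem shows in ConnectionBrokerSettings on your server.
$wanted = 'ServerPurpose', 'FarmName', 'ConnectionBroker', 'IPAddressRedirection'
$state  = Get-ChildItem . | Where-Object { $wanted -contains $_.Name } |
    Select-Object Name, CurrentValue
$state | Format-Table -AutoSize

# Fail loudly if the recorded farm name is not the one intended (comparison is
# case-insensitive, which matches how DNS treats the name).
$actualFarm = ($state | Where-Object { $_.Name -eq 'FarmName' }).CurrentValue
if ($actualFarm -ne $FarmFqdn) {
    throw "Farm name mismatch: server reports '$actualFarm', expected '$FarmFqdn'."
}
Write-Output "Joined farm '$FarmFqdn' via broker '$BrokerFqdn' using address $redirectIp."
```

Run it once per farm member (or wrap it in Invoke-Command against the servers in the OU); because every server is fed the same two parameters, the farm name and broker cannot drift between members the way they can when each server is configured by hand.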

Naming RemoteApp And Desktop Connections


RemoteApp And Desktop Connections is a feature of Windows 7 or Windows Server 2008
R2 that allows the client to incorporate RemoteApp programs and VMs with the Start menu.
Although RD Web Access supplies the content to the client, RD Connection Broker has one
important role to play. You name the users' view of these RemoteApp And Desktop Connections
from the Remote Connection Manager on the RD Connection Broker. To learn how to
set up RemoteApp And Desktop Connections on the client, see the section entitled "Using
RemoteApp And Desktop Connections" later in this chapter.
On the RD Connection Broker, open the Remote Connection Manager in the Remote Desktop
Services administrative tools. Making sure you've selected the uppermost branch in the left
pane (it should say Remote Desktop Connection Manager), click Display Name, located in the
Properties group in the central pane, to open the dialog box shown in Figure 9-15.

FIGURE 9-15  The name that you choose here will be the Display name for RemoteApp And Desktop
Connections on the client.

You've got a lot of latitude in choosing a name. Names can be long, contain spaces, and
will show mixed case. There's one caveat to this. You can't end the Display name with any
character that Windows sees as either part of a file name (.) or a wildcard character (* or ?).
That's why, in Figure 9-15, the "Inc" has no period. You can include any of these characters
elsewhere in the Display name, but you cannot use any of them as the last character in the
name.

Publishing and Assigning Applications Using RemoteApp Manager

Publishing RemoteApp programs requires having those applications already installed on the
RD Session Host server. To make installed applications RemoteApp programs, you must perform
the following steps.
1. Add those applications to the allow list of programs that can initiate a remote session,
including the appropriate parameters.
2. Package those applications (as MSI files or RDP files) and apply the appropriate
settings.
3. Distribute those applications.
The next sections will look at these steps in more detail.

Adding Applications to the Allow List
Before adding applications to the allow list, it's important to understand what adding
applications to the allow list is and isn't. It isn't a form of software restriction policy or a way to
enable AppLocker, as discussed in Chapter 6, "Customizing the User Experience." Adding an
application to the allow list only enables a user to open a session with that application; after
the remote session has begun, it's possible to start any other application on the RD Session
Host server to which you have access. Do not consider the allow list as a step toward locking
down the server.
So what is the allow list? Adding an application to the allow list makes it possible to start
that application in a session (as a RemoteApp) and also to package it as a RemoteApp program
for distribution. If you add an application to the allow list, package it, give that RDP file
to someone, and then remove the application from the allow list, that RemoteApp file will
not work any longer. In addition, if you previously configured the application to work with RD
Web Access and then remove it from the allow list, it will no longer appear in the portal after
you remove it from the allow list.
To add applications to the allow list, open the RemoteApp Manager (see Figure 9-16)
from Start, Administrative Tools, Remote Desktop Services, RemoteApp Manager. This tool
controls which applications are available as RemoteApp programs and how users reach those
programs.

FIGURE 9-16  Configure RemoteApp programs using the RemoteApp Manager.

None of these settings apply, however, until you populate the allow list. To add an installed
application to the allow list, you must add it to the RemoteApp Programs list located in the
lower section of the middle pane (shown in Figure 9-16) by following the next set of steps.

NOTE  You can add only applications on a terminal server running Windows Server 2008
or an RD Session Host server running Windows Server 2008 R2 to the allow list. Terminal
servers running Windows Server 2003 cannot run RemoteApp programs or back an RD
Web Access server, except to connect to a full desktop.

1. Click the Add RemoteApp Programs button in the Actions pane or right-click in the
RemoteApp Programs section and choose Add RemoteApp Programs to start the
RemoteApp Wizard. Click Next.
2. Choose the application(s) that you want to publish by selecting the corresponding
check box in the RemoteApp Programs list (see Figure 9-17). If an installed application
does not appear in the list, locate it by clicking Browse and navigating to the executable
file.

FIGURE 9-17  Add one or more installed applications to the allow list.

NOTE  Applications are listed in alphabetical order, taken from the Start menu of the
RD Session Host server on which you’re running Remote App Manager. Use Browse to
find applications that are not on the Start menu.

3. If adding a single application, you can edit the application settings by clicking Properties.
The Properties section is discussed in the section entitled "Editing RemoteApp
Properties" later in this chapter. If you've selected more than one application from the
list, you can't edit the properties.
4. Click Next, review the settings that you have chosen, and click Finish. The application is
now on the allow list.

Configuring Global RemoteApp Deployment Settings


Now look at the options in the middle pane; you'll use them to configure RemoteApp program
deployment settings. The middle pane shows all the applications currently in the allow
list and the options for configuring the RD Session Host server settings, RD Gateway settings,
RDP common and custom settings, and digital signing options. If you click any of the Change
hyperlinks here, you'll open the tabbed dialog box shown in Figure 9-18.

FIGURE 9-18  Click a Change link in the RemoteApp Manager Overview section to open the RemoteApp
Deployment Settings dialog box.

NOTE  You can also click the corresponding RD Session Host Server Settings, RD
Gateway Settings, or Digital Signature Settings options in the Actions pane to open the
RemoteApp Deployment Settings tabbed dialog box.

Open the RemoteApp Deployment Settings dialog box to edit the global settings used to
configure RemoteApp RDP and Windows Installer (MSI) distribution files. These settings also
apply to RDP files created when a user clicks a RemoteApp icon in RD Web Access or RemoteApp
and Desktop Connections.

NOTE  If you change settings in the middle pane, RD Web Access and RemoteApp And
Desktop Connections will use the updated settings. RDP files and .MSI files that you create
from the RemoteApp Manager will not. You’ll need to re-create them to make the new set-
tings take effect.

RemoteApp deployment settings apply to all applications that you publish (unless you
explicitly change the settings during creation) but will not affect applications you've already
published. If you update these settings, any RDP or MSI files that you've already created will
be out of date. You will need to recreate and redistribute them.

General RD Session Host Server Configuration


The RD Session Host Server tab contains three sections.
■ Connection Settings  Specify the farm or server name (even though it says "Server,"
the farm name is a valid value) and port that clients will connect to when using
RemoteApp programs. By default, the server name is the FQDN of the local server. Be
sure to edit this setting to display the farm name if appropriate.
■ Remote Desktop Access  RemoteApp programs aren't the only valid connection
mode. You can enable a full desktop connection to the RD Session Host server(s) available
to users on the RD Web Access website by selecting the Show A Remote Desktop
Connection To This RD Session Host Server In RD Web Access option.
■ Access To Unlisted Programs  By default, Do Not Allow Users To Start Unlisted Programs
On Initial Connection is selected. This setting does not prevent an application
from starting after the remote connection has been made, but it prevents users from
starting RemoteApp programs that are no longer on the allow list.

Configuring RD Gateway Settings


As described in Chapter 10, "Making Remote Desktop Services Available from the Internet,"
you can deploy RD Gateway to give users secure access to RemoteApp programs from
outside the company network. If you do so, then the settings specified on the RD Gateway
tab are applied when users start RemoteApp programs. You can also define the type of

authentication that must be used when using RD Gateway. For example, for greater security,
you could require smart card authentication. To use the same user credentials to access RD
Gateway and the RD Session Host server, select the corresponding check box. Otherwise,
users will be prompted for credentials twice.

NOTE  Although Kerberos is the default authentication method for Windows Server 2008
R2, clients connecting via RD Gateway use NTLM (which validates the domain only), not
Kerberos (which validates the full name of the server). This is because you can't use Kerberos
over the Internet. Kerberos requires that both client and server be domain-joined so
that they can contact the authentication service. Therefore, for RD Gateway, you'll rely on
either NTLM or smart card access.

You can also configure RD Gateway settings via Group Policy at User Configuration\
Policies\Administrative Templates\Windows Components\Remote Desktop Services\RD
Gateway. Read about using Group Policy to set RD Gateway settings in Chapter 10.

Signing RDP Files Automatically


Code-signing is probably familiar to you. You sign code to validate that you are authorizing
its execution and are willing to state that it isn't malware.
Running an RDP file starts only code that's already present on the client, but you should
still consider signing the code. An RDP file looks innocuous, but it has one major vulnerability.
If you get an RDP file in an email message and are told to run it when you want to use an
application, then you're not necessarily going to open this file to see where it's sending you.
It's trivial to alter an RDP file to send it to a different server from the one originally specified.
Then, if you connect to the malicious server, your credentials can be intercepted when you
present them.
Signing an RDP file digitally provides users with the author's identity so they can make an
informed decision when executing the RDP file. If users do not recognize the publisher of the
code, they don't have to complete the connection. Digital signing also proves that the code
is authentic; in other words, that it has not been tampered with or changed in any way after
publishing. If a signed RDP file is altered in any way that changes how it's secured, the file is
corrupted and won't start.

HOW IT WORKS

Background on Digital Certificates

The digital certificate used to sign an RDP file (or any other file) contains proof
that the subject of the certificate (the web server, the user, the application, the
entity) is indeed who or what it claims to be. Digital certificates are used for a vari-
ety of purposes, like authenticating servers, signing email, or authenticating users
on a network.

When used to sign RDP files generated by the RemoteApp Manager, the digital cer-
tificate provides the software publisher identity to users of the RDP files. This gives
users assurance that they will connect to a trusted RD Session Host server. It also
assures that the RDP file code has not been altered in any way after it was published
and signed using the certificate.

When purchasing a certificate, to prove that the subject of the certificate is real, the
issuer of the certificate (the certificate authority, or CA) must verify the subject’s
identity. The CA does a background check to be sure that the person requesting the
certificate is who he or she says. (The result is that you can’t get signing certificates
from a company that you don’t belong to, or even to a company that you do belong
to if you don’t have authority to get them.) After the CA has verified the requestor’s
identity, the CA signs the certificate with its digital signature to show that the ap-
propriate checking has taken place and to verify that the certificate subject is valid.

You can obtain a digital certificate from a public company such as VeriSign or
Thawte. Alternatively, your company can maintain your own public key infra-
structure (PKI), the system that maintains CAs and other systems related to digital
certificates, and can issue and maintain your own digital certificates. In either case, a
digital certificate is verified as legitimate by verifying the issuing CA signature used
to sign the certificate. To verify the issuing CA signature, that CA certificate—which
contains its digital signature—needs to be installed on the client in the Trusted Root
certificate store. Users can add CA certificates to this store for every source they
trust.

Microsoft operating systems come with some certificate authority CA certificates
already installed in the Computer Certificates Trusted Root CA store, as part of
the Microsoft Root Certificate Program. Member certificates can be downloaded
and installed using Windows Update. What this means is that users do not need to
install anything to trust one of these CAs. This is important if users will be running
RDP files on public or remote computers, where they might not have the permis-
sions to install certificates (or don’t know how to do so).

On Windows Vista and Windows 7, when an application needs to verify a certificate
that has been signed by a CA, and that CA is not directly trusted (its certificate is
not installed in the Trusted Root CA store on the computer), then the computer
checks with Windows Update to see if the CA has been added to the Microsoft list
of trusted authorities. If it has, then the certificate is automatically downloaded and
installed in the Trusted Root CA store on the computer.

Computers running Windows XP and earlier can update their trusted root certifi-
cates by downloading the latest root update package from the Microsoft Updates
Catalog.

NOTE  For more information on the Microsoft Root Certificate Program,
go to http://www.microsoft.com/technet/archive/security/news/rootcert.mspx?mfr=true.

Companies that run their own PKI solution can choose to have their CA certificate
signed by a public CA that is part of the Microsoft Root Certificate Program. This
will save them from having to install their CA certificate on each of their clients,
because the public CA that signed the company’s CA root certificate would already
have its certificate placed in the Computer Certificates/Trusted Root Certification
Authorities folder.

To sign RDP files digitally, select the Sign With A Digital Certificate option. Then click
Change and choose a digital certificate from the certificates installed on the RD Session Host
server.
Adding the digital certificate also means that the RDP files created when a user clicks an
application icon hosted by RD Web Access will also be signed. Just add the Secure Sockets
Layer (SSL) or code signing certificate from the Digital Signature tab and RemoteApp Manager
will sign all RDP files that it creates.

NOTE  If you need to distribute already created or manually created RDP files to users via
email or network share, you can use the RDPsign.exe command-line tool to sign the files.
See the section entitled “Signing Already-Created RDP Files” later in this chapter for more
details.

You can tell an RDP file is signed if you open it in a text editor. The signature will be
included in the file, as shown in Figure 9-19.

FIGURE 9-19  A signed RDP file includes the encrypted signature.

If you try to execute a signed file that has been tampered with, the remote desktop
client will open, but the settings once contained in the signed RDP file will no longer be
preselected. Also, the publisher of the RDP file will be unknown because you are no longer
running a preconfigured RDP file (it was broken when the file was changed after it was
signed).
When a user opens a signed RDP file, he or she will be presented with the screen shown in
Figure 9-20.

FIGURE 9-20  Signed RDP files show the user the publisher's identity before the code executes.

The user can then verify that he or she is executing the intended code from the correct
source. The user can then execute the code by clicking Connect, or he or she can choose to
click Cancel and not execute the file.
If you do not use digital signatures to sign RDP files, when users open a published RDP file,
they will receive a warning (shown in Figure 9-21) stating that the publisher of the RDP file
can't be identified.

FIGURE 9-21  If a digital signature is not used to sign an RDP file, the user receives a warning that the
publisher of the Remote Connection can't be identified.

The user either connects anyway by clicking Connect or clicks Cancel to cancel the
connection.

Common RDP Settings Tab


Configure display settings and device redirection settings on the Common RDP Settings
tab. These settings will be set in the RDP file and will be used as long as these settings are
not specified through Group Policy. See Chapter 6 for more details on controlling device
redirection.

Custom RDP Settings Tab


Add custom settings that are not specified in the common deployment settings of RemoteApp
Manager by typing the settings in this tab. (See the following sidebar, titled "Understanding
RDP File Settings," for more details about available RDP settings.)

Understanding RDP File Settings

The RDP settings are passed to the endpoint when a user makes a connection.
Not all options for an RDP file are exposed through the GUI of Mstsc.exe. To
change the way a RemoteApp (or desktop) starts, you can edit the contents of the
RDP file from a text editor such as Notepad. Most of these are reasonably self-
explanatory, but it’s good to examine what you can and can’t control with an RDP
file. (Not all settings here will be present in all RDP files, and desktops might have
additional options.)

ON THE COMPANION MEDIA  A link to a website that provides all of the RDP file
settings and their possible values is located on this book’s companion media. The
URL is http://blog.kristinlgriffin.com/2010/10/rdp-settings-for-rdc-7.html.

RDP file settings should not be changed if the RDP file is signed, because this will break the
signature, corrupt the file, and render it unusable.
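The two preceding sections describe an RDP file as plain "name:type:value" lines, with the signature stored in the file itself and covering a declared set of settings. The script below is an added example (not from the book or from Microsoft) that makes both points concrete: it parses an RDP file into its settings, reports whether it is signed, and lists which settings the signature scope covers, so a defender reviewing files distributed by email or network share can see at a glance whether the connection address is inside the signed scope and whether it still points at the published farm. It assumes, as an observed convention rather than anything the book states, that signed files carry a "signscope:s:" line naming the covered settings and a "signature:s:" line with the signature payload; the sample file and its signature value are constructed placeholders. The parser only reads the file; the cryptographic check of the signature itself stays with the Remote Desktop client, which is what enforces it.

```powershell
# Added example (not from the book): parse an .rdp file and report its signing state.
function ConvertFrom-RdpFile {
    param([Parameter(Mandatory = $true)] [string[]] $Lines)
    $settings = @{}
    foreach ($line in $Lines) {
        # Each setting is "name:type:value" with type s (string), i (integer) or b (binary).
        if ($line -notmatch '^\s*([^:]+):([sib]):(.*)$') { continue }
        # Keys are normalized to lower case without spaces so that "full address" in the
        # file and "Full Address" in a signscope list compare equal (assumed convention).
        $key = ($matches[1].ToLower() -replace '\s', '')
        $settings[$key] = @{ Type = $matches[2]; Value = $matches[3] }
    }
    return $settings
}

function Test-RdpFileSignature {
    param(
        [Parameter(Mandatory = $true)] [hashtable] $Settings,
        [string] $ExpectedAddress    # farm or server FQDN you published, if you want it checked
    )
    $report = New-Object PSObject -Property @{
        Signed                    = ($Settings.ContainsKey('signature') -and $Settings.ContainsKey('signscope'))
        CoveredSettings           = @()
        UncoveredSensitiveSettings = @()
        AddressMatches            = $null
    }
    if ($report.Signed) {
        $report.CoveredSettings = @($Settings['signscope'].Value -split ',' |
            ForEach-Object { $_.ToLower() -replace '\s', '' })
        # Settings that decide where the client connects and what it launches; if one of
        # them is present in the file but outside the signed scope, an edit to it would
        # not break the signature, which defeats the purpose of signing.
        $sensitive = 'fulladdress', 'alternatefulladdress', 'gatewayhostname',
                     'alternateshell', 'remoteapplicationprogram', 'remoteapplicationcmdline'
        $report.UncoveredSensitiveSettings = @($sensitive |
            Where-Object { $Settings.ContainsKey($_) -and ($report.CoveredSettings -notcontains $_) })
    }
    if ($ExpectedAddress -and $Settings.ContainsKey('fulladdress')) {
        # "full address" is "host[:port]"; compare the host part case-insensitively.
        $hostPart = ($Settings['fulladdress'].Value -split ':')[0]
        $report.AddressMatches = ($hostPart -eq $ExpectedAddress)
    }
    return $report
}

# Constructed sample of a RemoteApp .rdp file; the signature value is a placeholder,
# a real one is a long base64 blob.
$sampleRdp = @'
redirectclipboard:i:1
full address:s:farm1.ash.local
remoteapplicationmode:i:1
remoteapplicationprogram:s:||POWERPNT
remoteapplicationname:s:PowerPoint 2010
remoteapplicationcmdline:s:
signscope:s:Full Address,Remote Application Mode,Remote Application Program,Remote Application Name
signature:s:CONSTRUCTED-PLACEHOLDER-SIGNATURE
'@ -split "`r?`n"

$settings = ConvertFrom-RdpFile -Lines $sampleRdp
Test-RdpFileSignature -Settings $settings -ExpectedAddress 'farm1.ash.local' | Format-List
```

On the constructed sample the report shows Signed true, AddressMatches true, and remoteapplicationcmdline as an uncovered sensitive setting, which is exactly the case the later note about command-line arguments warns about: a value the signature does not cover can be edited without the client noticing. To inspect a real file, replace `$sampleRdp` with `Get-Content .\app.rdp`.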

Editing RemoteApp Properties


You can edit a setting for a RemoteApp program either while adding it to the allow list, or
after you've added it by right-clicking its entry in the list and choosing Properties. When
you open the properties of a published application, you'll see a dialog box similar to the one
shown in Figure 9-22.

FIGURE 9-22  Edit RemoteApp settings in the RemoteApp Properties dialog box.

Choose an Appropriate Program Name


The RemoteApp program name is the user-friendly name for the RemoteApp. It's the same
regardless of how you present the RemoteApp via RD Web Access, RemoteApp And Desktop
Connections, an RDP file on a network share, or an MSI file distributed via Group Policy.
If you're publishing the application only once, you're unlikely to edit its name. However,
you can publish the application more than once, each time with individual settings, and you
can name it according to its settings. For example, if you wanted to make it easy for members
of the Accounting team to open their monthly reports, you could hard-code the RemoteApp
to open the report file using the command-line arguments. (You'll find out how you would
do this in the section entitled "Adding Command-Line Arguments" later in this chapter.) If you
did so, it would make sense to edit the RemoteApp program name to show the name of the
report instead of the name of the application.

Deliver via RD Web Access


Make the RemoteApp available via RD Web Access by selecting the option RemoteApp
Program Is Available Through RD Web Access. Doing so makes it possible to display this
application so it can be started through a website. You'll still need to do a little work to enable
RemoteApp programs through a website. (See the section entitled "Delivering RemoteApp
Programs and VMs Through RD Web Access" later in this chapter for more details about the
process.)

Don’t Change the Alias
The Alias property is a unique identifier for the application, defaulting to the application
screen name. Although you can edit this property, it's best that you don't, because this is how
the computer identifies each RemoteApp. The RemoteApp Manager uses Windows Management
Instrumentation (WMI) interfaces that represent RemoteApp programs. The class
Win32_TSPublishedApplicationList lists all RemoteApp programs in a list, identifying them by
their aliases. If you change an alias, the class will not be able to find the RemoteApp in its list.

CAUTION  The RD Web Access website populates its list of applications by querying
WMI, so editing the alias can cause a RemoteApp not to display in RD Web Access.

Adding Command-Line Arguments


People are so used to opening applications from the GUI that it's easy to forget that many
applications support a number of command-line parameters. You can use them to automatically
open files, to disable the splash screen, or even to open a document and highlight a particular
section—it all depends on the application. For instance, to tell a RemoteApp instance
of Microsoft PowerPoint 2010 to open Mydoc.pptx (stored on the file server COLFAX) as a
slideshow when the PowerPoint application starts, add this command-line argument to the
PowerPoint RemoteApp.

/S \\colfax\ash-company-files\Mydoc.pptx

By default, command-line arguments are not enabled for RemoteApp programs because
no arguments are universally appropriate. By allowing users to specify their own arguments,
you expose the RD Session Host server to attack, for example, through rogue websites. If you
must enable arguments, select one of the following choices.
■ Allow Any Command-Line Arguments  Choose this option to allow users to assign
parameters to a RemoteApp. Users can then open the RDP file in a text editor and
add the arguments that they want to use for that connection, as shown in Figure 9-23.
Users cannot add arguments to RemoteApps that they access via RD Web Access. But
they can edit RemoteApps distributed by RemoteApp And Desktop Connections or by
RDP or MSI file distribution by right-clicking the RemoteApp and opening it in a text
editor.

NOTE  If you digitally sign your RDP files, don’t allow users to specify command-line
arguments. If users edit the arguments, they’ll corrupt the file.

466 chapter 9  Multi Server Deployments

FIGURE 9-23  Add a command-line parameter to a RemoteApp RDP file.

■ Always Use The Following Command-Line Arguments  If you choose this option and specify arguments, they'll be applied when that RemoteApp is started.

NOTE  For best performance, it’s always best to disable unnecessary images. For example,
to remove the splash screen from the opening of any Microsoft Office application, add the
/q switch to the list of required command-line arguments. See the Additional Resources
at the end of this chapter for pointers to command-line arguments for some sample
applications.

The settings that you pick will always apply to that RemoteApp when it's started because they're defined on the server.

Editing the Application Icon


Applications come with a default icon, but you can change this. For example, if you edit the RemoteApp to open a document, you can change its icon to one that represents a document (Word has many alternate icons), not the application.
To change the icon that will represent the application, click the Change Icon button in the lower-right corner of the screen and choose a different icon. The path to the icon file must be a Universal Naming Convention (UNC) path so that the path will remain valid if you export the RemoteApp to another server.

Assigning Applications to Users
In Windows Server 2008, all users accessing the same RD Web Access site would see the same application set—you couldn't filter according to user identity. Although the default setting still allows all authenticated domain users (who are in the Remote Desktop Users group on the RD Session Host server) to run the applications, you can also allow only certain users to see applications. To configure this, turn to the User Assignment tab when configuring the RemoteApp properties, as shown in Figure 9-24.

FIGURE 9-24  You can filter the contents of RD Web Access or RemoteApp And Desktop Connections by user identity.

To assign applications, just select the option for Specified Domain Users And Domain Groups and click Add. This will open the familiar search tool for finding users and groups in AD DS. Find the appropriate user or group and click OK, and then click OK again to confirm your selection when you see the user or group name in the list.

CAUTION  If you opt to assign the application to specified domain users and domain groups but don't add a user or group name to the input box, then the application will not be visible to anyone.

When assigning applications, keep the following in mind:

■ The user or group accounts you assign them to must be domain accounts. You can't, for example, assign applications to a local user on the RD Web Access computer.
■ The RD Web Access computer and RD Session Host server hosting the RemoteApp must both be domain-joined. They must be either in the domain for the user accounts or a trusted domain.
■ You can only choose users or groups of users; there is no option to filter according to which computer the application set is viewed from.
■ If someone can see an application and you don't think he or she should be able to, check the groups that have access to the application and the group memberships of the user who can unexpectedly see the application.
■ The RD Web Access server must be a member of the Windows Authorization Access Group in the domain, so it has permission to check the group memberships for a user account. You can confirm this membership on a domain controller—to do this, open Active Directory Users And Computers and look in the Builtin folder to list all the built-in groups. Check the Members tab for the Windows Authorization Access Group. The RD Web Access server, or a group of which it is a member, must appear in this list.
Save the settings that you've adjusted. The application is now added to the allow list and can be displayed with the settings that you specified.

Maintaining Allow List Consistency Across the Farm


You can configure RemoteApp programs manually on each server in your farm. However, doing so is extra work and prone to error. Even if you manage to create exactly the same allow list on each RD Session Host server (which is required for RemoteApp to execute against that server), the chances are good that you won't edit all properties and icon settings correctly if you attempt to set up all the servers manually. If the properties are inconsistent across servers, then you might end up with odd behavior, such as an application starting a file when run on one server but not on another.
There are two ways you can deal with this: publish the RemoteApp programs programmatically on all RD Session Host servers, or export the allow list from one server and import it on the other servers in the farm.

Editing Properties via Windows PowerShell


You can publish RemoteApp programs (add them to the allow list and configure display properties) from Windows PowerShell. This example publishes MSPaint.exe with an application name of MSPaint, and it is set to appear in the RD Web Access portal:

Import-Module RemoteDesktopServices
Set-Location RDS:
cd RemoteApp\RemoteAppPrograms
New-Item -ApplicationPath "c:\windows\system32\mspaint.exe" -ApplicationName "MSPaint" -ShowInPortal 1
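The following script, an added example that is not from the book, applies the publishing command above to every RD Session Host server in a farm and then compares the resulting allow lists, which addresses the consistency problem described in the previous section. It assumes PowerShell remoting to each farm member, that the RDS provider lists published programs as child items of RDS:\RemoteApp\RemoteAppPrograms named by alias, and uses constructed server names.

```powershell
# Added example (not from the book): publish one allow list on every farm member, then
# check that the servers agree. Assumptions: PowerShell remoting is enabled and the
# caller is an administrator on each server; the RDS provider exposes published
# programs as child items of RDS:\RemoteApp\RemoteAppPrograms whose Name is the alias.

$FarmServers = 'RDSH1', 'RDSH2', 'RDSH3', 'RDSH4'   # constructed server names

# A single definition of the allow list, applied identically to every server.
$AllowList = @(
    @{ Path = 'c:\windows\system32\mspaint.exe'; Name = 'MSPaint';    ShowInPortal = 1 },
    @{ Path = 'c:\windows\system32\calc.exe';    Name = 'Calculator'; ShowInPortal = 1 },
    @{ Path = 'c:\windows\system32\notepad.exe'; Name = 'Notepad';    ShowInPortal = 0 }
)

$PublishBlock = {
    param($Apps)
    Import-Module RemoteDesktopServices
    Set-Location RDS:\RemoteApp\RemoteAppPrograms
    foreach ($app in $Apps) {
        # Skip programs that are already published so the script is safe to re-run.
        if (-not (Test-Path -Path $app.Name)) {
            New-Item -ApplicationPath $app.Path -ApplicationName $app.Name `
                     -ShowInPortal $app.ShowInPortal | Out-Null
        }
    }
    # Return the aliases this server now publishes, for the comparison below.
    Get-ChildItem -Path . | Select-Object -ExpandProperty Name
}

# Publish on each server and collect what each one reports back.
$Results = @{}
foreach ($server in $FarmServers) {
    $Results[$server] = Invoke-Command -ComputerName $server `
                                       -ScriptBlock $PublishBlock `
                                       -ArgumentList (,$AllowList)
}

# Consistency check: every server must publish exactly the same set of aliases.
$Reference = @($Results[$FarmServers[0]] | Sort-Object)
foreach ($server in $FarmServers) {
    $current = @($Results[$server] | Sort-Object)
    $diff = Compare-Object -ReferenceObject $Reference -DifferenceObject $current
    if ($diff) {
        # SideIndicator => means the alias is only on this server, <= only on the reference.
        $detail = ($diff | ForEach-Object { "$($_.InputObject) $($_.SideIndicator)" }) -join ', '
        Write-Warning "${server}: allow list differs from $($FarmServers[0]): $detail"
    } else {
        Write-Host "${server}: allow list matches ($($Reference.Count) RemoteApp programs)"
    }
}
```

The alias comparison catches missing or extra programs; property drift (icon paths, command-line settings) between servers still needs the export/import approach described next.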

Exporting and Importing the Allow List
To export the allow list and associated settings, click the Export RemoteApp Settings link in the Actions pane of the RemoteApp Manager to open the dialog box shown in Figure 9-25.

FIGURE 9-25  Export RemoteApp settings to a file or to other RD Session Host servers.

To export to single RD Session Host servers on the same network, choose the first option and provide the server's DNS name. Click OK and the settings will appear in the RemoteApp Manager of the specified server. Import the programs and settings to a server by clicking the Import RemoteApp Settings link in the Action pane of the RemoteApp Manager, and specifying the DNS name of the server from which to import the settings.
If you're configuring more than one server or the other server isn't yet online, choose Export The RemoteApp Programs List And Settings To A File and then choose the name and location to store the file. The created file will have an extension of .pub. On another RD Session Host server, open RemoteApp Manager and click the Import RemoteApp Settings link in the Actions pane. Locate the .pub file and click Open.

ON THE COMPANION MEDIA  See the companion media for a link to http://blog.powershell.no/category/remote-desktop-services/, where you can find a new Windows PowerShell module for RDS that includes cmdlets for importing and exporting allow lists.

One caution about importing and exporting the allow list: If you are signing the files digitally, you won't be able to create RDP or MSI files from a secondary server. Although it will appear that the signing settings have been exported for you to use when creating RDP files, this is incorrect. The required certificate will not be stored in the secondary server's certificate store. For this reason, it's best to designate one server as a management server. Create the RDP and MSI files from the designated management server and just import the allow list to the secondary servers. You can also install the signing certificate on each of the other RD Session Host servers and manually edit the RemoteApp digital certificate settings on each server to reflect the correct certificate.

Configuring Timeouts for RemoteApp Sessions
All RemoteApp programs for the same user that are run from the same server are run in the same session for greater efficiency. Therefore, when a user closes one RemoteApp, this doesn't close the entire session if other RemoteApp programs are still running. There is no option to log off or close a session from a RemoteApp. Doing so would terminate all RemoteApp programs the user started from that server simultaneously because all RemoteApp programs run in the same session.
Second, with RemoteApp programs, users are no longer starting and using applications from within another desktop. Instead, they open and close RemoteApp programs from their own desktop, and they no longer make a definitive decision about the state of their session by either disconnecting or logging off. Rather, they open and close RemoteApp programs as needed and do not have to think about the session. This is good from a user perspective, but it makes knowing when to disconnect a session a bit more complicated.
Because a RemoteApp session depends on the presence or absence of its RemoteApp programs, the logic for determining when the session should end is different from that of a desktop. The section entitled "RemoteApp Internals" earlier in this chapter explained the communication paths between the client-side application and the remote session. When the very last RemoteApp in a session is closed (signaled through a windowing event showing that the window is closed), and key processes are no longer running in the remote session, the connection determines that the session is complete and can be disconnected. The time that the session remains in a disconnected state depends on how you configure the Group Policy setting Set Time Limit For Logoff Of RemoteApp Sessions, located in Computer (or User) Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits.

NOTE  RemoteApp programs and system tray icons that the user starts indirectly are
included in this determination. As an example, let’s assume a user opens a Microsoft Word
document with a Word RemoteApp and the document contains a link to a Microsoft Excel
spreadsheet. If the user also uses Excel as a RemoteApp, then clicking on the link indirectly
opens the Excel RemoteApp. Both of these RemoteApp programs need to be closed for the
session to be disconnected.

You don't necessarily want to terminate a session as soon as the last RemoteApp is closed. It's much faster to reconnect to an existing session than to re-create a new one (the process of loading all the processes to support the session is expensive). Therefore, you might want to edit the user or computer Group Policy to prolong the interval between disconnection and termination of RemoteApp sessions. This gives users a little time to realize that they have one more email to send and start Microsoft Outlook from the existing remote session, rather than waiting for a new session. To do so, when you enable the GPO setting Set Time Limit For Logoff Of RemoteApp Sessions, select the Enabled radio button and choose a time setting from the RemoteApp Session Logoff Delay drop-down menu, as shown in Figure 9-26.

FIGURE 9-26  Use Group Policy to set a time limit for logoff of RemoteApp sessions.

NOTE  If you also enable the GPO setting Set Time Limit For Disconnected Session, then
choose a time for that GPO that is longer than the time specified for RemoteApp Session
Logoff Delay. Otherwise, sessions will always be terminated before the RemoteApp Session
Logoff Delay Time limit is reached, thus rendering that GPO irrelevant.

There's a tradeoff between keeping responsive sessions and not overloading the RD Session Host server. If you choose to retain sessions for a long time, you might affect the RD Session Host server because the disconnected sessions remain active. Be sure that you have sufficient page file space to accommodate the disconnected sessions when they're not in use.
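The check implied by the note above (the disconnected-session limit must be longer than the RemoteApp logoff delay) can be scripted on an RD Session Host server. This is an added example, not from the book; it assumes that the two policies are delivered to the registry as millisecond DWORD values named RemoteAppLogoffTimeLimit and MaxDisconnectionTime under the Terminal Services policy key, and that a missing value means the policy is not configured.

```powershell
# Added example (not from the book): verify that Set Time Limit For Disconnected Session
# does not cut sessions off before the RemoteApp Session Logoff Delay expires.
# Assumption: both GPO settings land in the registry as millisecond DWORD values
# (RemoteAppLogoffTimeLimit, MaxDisconnectionTime) under the key below; an absent
# value means "Not Configured" and 0 for MaxDisconnectionTime means "Never".

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-PolicyMilliseconds {
    param([string]$Name)
    # Returns $null when the value (or the whole key) does not exist.
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int64]$item.$Name
}

function Format-Minutes {
    param([int64]$Milliseconds)
    return ('{0:N0} min' -f ($Milliseconds / 60000))
}

function Test-RemoteAppTimeoutPolicy {
    # Returns a short status string; a leading "WARNING" marks the misconfiguration.
    $logoffDelay   = Get-PolicyMilliseconds -Name 'RemoteAppLogoffTimeLimit'
    $disconnectMax = Get-PolicyMilliseconds -Name 'MaxDisconnectionTime'

    if ($null -eq $logoffDelay) {
        return 'Set Time Limit For Logoff Of RemoteApp Sessions is not configured; ' +
               'sessions end as soon as the last RemoteApp closes.'
    }
    if ($null -eq $disconnectMax -or $disconnectMax -eq 0) {
        # No disconnected-session limit, so the RemoteApp logoff delay alone governs cleanup.
        return "OK: RemoteApp logoff delay $(Format-Minutes $logoffDelay); no disconnected-session limit."
    }
    if ($disconnectMax -le $logoffDelay) {
        return ('WARNING: disconnected-session limit {0} is not longer than the RemoteApp logoff ' +
                'delay {1}; sessions are terminated before the delay expires.') -f
               (Format-Minutes $disconnectMax), (Format-Minutes $logoffDelay)
    }
    return "OK: disconnected-session limit $(Format-Minutes $disconnectMax) exceeds the RemoteApp " +
           "logoff delay $(Format-Minutes $logoffDelay)."
}

$status = Test-RemoteAppTimeoutPolicy
if ($status -like 'WARNING*') { Write-Warning $status } else { Write-Host $status }
```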

Signing Already-Created RDP Files


But what about RDP files that you have already created? To sign them, you can re-create them using the RemoteApp Manager or you can use the RDPsign.exe command-line tool to sign RDP files. To sign an RDP file using RDPSign, you need to retrieve the thumbprint from the signing certificate; this thumbprint is also known as the certificate hash. Certificates are located in the Certificate Store on the computer. To open the Certificate Store, start a Microsoft Management Console (MMC) and open the Certificates snap-in. Add the local computer store, not the user store. The SSL or code signing certificate will be located in the Personal Store folder. Find and double-click the certificate that you want to use to sign the RDP file. Select the certificate's Details tab and scroll down to the Thumbprint value, as shown in Figure 9-27.

FIGURE 9-27  The certificate thumbprint is revealed in the Details tab of the certificate.

Highlight and copy the thumbprint to a text editor and remove the spaces so that you end up with 40 characters, such as 0d1f0dbf0a8accc4fbd80e2f087fc40b4d4aefed. You are now ready to sign an RDP file. RDPsign.exe is a command-line tool and contains a few parameters to note. Table 9-2 explains the parameters.

TABLE 9-2  RDPSign.exe Parameters

PARAMETER      DESCRIPTION
/sha1 <hash>   Replace <hash> with the thumbprint of the certificate that you want to use to sign the RDP file.
/q             Quiet Mode—You will receive no output if the command is successful and very little if it fails.
/v             Verbose Mode—The opposite of Quiet Mode. It shows you all messages related to the execution.
/l             Tests signing the RDP file and tells you the results of the test, but does not actually sign the file.
/?             Typical command prompt for displaying help for the command. You can also type rdpsign and get the help information.

Open a command prompt, type rdpsign, add the hash, select a result display mode if you want, and then provide the location of the RDP file. The following example shows an Rdpsign command successfully executed:

C:\Users\admin>rdpsign /sha1 0d1f0dbf0a8accc4fbd80e2f087fc40b4d4aefed /v c:\Olympus.rdp

All rdp file(s) have been successfully signed.

You can also sign multiple files by adding them to the command line like this:

C:\Users\admin>rdpsign /sha1 0d1f0dbf0a8accc4fbd80e2f087fc40b4d4aefed /v c:\rdpfile1.rdp c:\rdpfile2.rdp c:\rdpfile3.rdp c:\rdpfile4.rdp

Users that start a signed RDP file will get an uneditable user interface, as shown in Figure 9-28.

FIGURE 9-28  Signed RDP files are preconfigured and not editable.

Only if certain redirection was allowed at the time of creation will the user have the opportunity to disable it. If redirection is disabled, the user will not be given the opportunity to enable it.
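The manual procedure above (open the MMC, copy the thumbprint, strip the spaces, run rdpsign) can be scripted so the hash never has to be retyped. This is an added example, not from the book; it assumes the signing certificate is selected by its subject name (a constructed value), that rdpsign.exe is on the PATH, and that a signed file carries signscope:s: and signature:s: settings.

```powershell
# Added example (not from the book): sign existing RDP files with rdpsign.exe using the
# thumbprint read from the local computer's Personal certificate store.
# Assumptions: the certificate is located by subject (constructed value below),
# rdpsign.exe is on the PATH, and signed files contain signscope:s: and signature:s: lines.

$SignerSubject = 'CN=rdp-signing.ash.example'           # constructed; replace with your subject
$RdpFiles      = 'C:\Olympus.rdp', 'C:\rdpfile1.rdp'     # file names taken from the book's examples

function Get-SigningThumbprint {
    param([string]$Subject)
    # Cert:\LocalMachine\My is the local computer's Personal store, as described above.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if ($null -eq $cert) {
        throw "No unexpired certificate with a private key for '$Subject' in LocalMachine\My"
    }
    # The provider returns the thumbprint without spaces; still enforce the 40-hex-character form.
    $hash = $cert.Thumbprint -replace '\s', ''
    if ($hash -notmatch '^[0-9A-Fa-f]{40}$') { throw "Unexpected thumbprint format: $hash" }
    return $hash
}

function Invoke-RdpSign {
    param([string]$Hash, [string[]]$Files, [switch]$TestOnly)
    # /l only tests the signing; /v signs verbosely so the success message is visible.
    $mode   = if ($TestOnly) { '/l' } else { '/v' }
    $output = & rdpsign.exe /sha1 $Hash $mode @Files 2>&1
    # The tool reports success in text (see the command output shown in the book).
    $ok = ($output -join "`n") -match 'successfully signed'
    return [pscustomobject]@{ Succeeded = $ok; Output = $output }
}

function Test-RdpFileSigned {
    param([string]$Path)
    # Assumed: rdpsign appends signscope:s: and signature:s: settings to the file.
    $lines = Get-Content -Path $Path
    return [bool](($lines -match '^signscope:s:') -and ($lines -match '^signature:s:'))
}

$hash = Get-SigningThumbprint -Subject $SignerSubject

# Dry run first; its output is shown for review rather than parsed.
$dryRun = Invoke-RdpSign -Hash $hash -Files $RdpFiles -TestOnly
$dryRun.Output | ForEach-Object { Write-Host "rdpsign /l: $_" }

$result = Invoke-RdpSign -Hash $hash -Files $RdpFiles
if (-not $result.Succeeded) {
    Write-Warning "rdpsign did not report success:`n$($result.Output -join "`n")"
    return
}
foreach ($file in $RdpFiles) {
    if (Test-RdpFileSigned -Path $file) { Write-Host "$file signed with $hash" }
    else { Write-Warning "$file does not contain a signature block" }
}
```

Re-run the script after any edit to a signed file, because changing a signed setting invalidates the signature and the client will treat the file as unsigned.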

Setting Signature Policies


Now you have a signed file, but what is to stop a user from tampering with the file, removing the signature in a text editor, making changes to the file, and then running it? By default, the answer is "Nothing." What you can do is allow users to run only RDP files that are signed. You control this in Group Policy with the Allow .rdp Files From Unknown Publishers policy; by default, this setting allows users to run unsigned RDP files. Disable this policy to stop users from running RDP files from unknown publishers.
You can also specify a list of trusted certificate thumbprints so that when a user opens a signed RDP file that is signed by the trusted hash, users do not get the message asking them if they trust the file publisher. They will go straight to the login screen. This is true for RDP files signed via RemoteApp Manager or by RDPSign.exe. The setting to use is Specify SHA1 Thumbprints Of Certificates Representing Trusted .rdp Publishers.

Both settings are available in the same location. To set the policies for computers, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client. For users, go to User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client.
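To confirm that both policies have actually reached a client, the registry values they write can be audited. This is an added example, not from the book; it assumes that the two settings are delivered as AllowUnsignedFiles (DWORD, 1 = allow) and TrustedCertThumbprints (a comma-separated SHA1 list) under the Terminal Services policy key in HKLM for the computer policy and HKCU for the user policy, and uses the thumbprint from the book's rdpsign example as the expected signer.

```powershell
# Added example (not from the book): audit a client's RDP signature policies.
# Assumptions: the GPO settings are stored as AllowUnsignedFiles (DWORD, 1 = allow) and
# TrustedCertThumbprints (comma-separated SHA1 hashes) under the policy key below, in
# HKLM (computer policy) and HKCU (user policy).

$ExpectedThumbprint = '0d1f0dbf0a8accc4fbd80e2f087fc40b4d4aefed'   # thumbprint from the book's example

function Get-RdpSignaturePolicy {
    param([string]$Hive)   # 'HKLM' or 'HKCU'
    $key  = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    $allowUnsigned = $null
    if ($item -and $item.PSObject.Properties['AllowUnsignedFiles']) {
        $allowUnsigned = [int]$item.AllowUnsignedFiles
    }
    $trusted = @()
    if ($item -and $item.PSObject.Properties['TrustedCertThumbprints']) {
        # Normalise to lowercase hex without whitespace so comparisons are exact.
        $trusted = @($item.TrustedCertThumbprints -split ',' |
                     ForEach-Object { ($_ -replace '\s', '').ToLower() } |
                     Where-Object { $_ })
    }
    return [pscustomobject]@{
        Hive               = $Hive
        AllowUnsignedFiles = $allowUnsigned
        TrustedThumbprints = $trusted
    }
}

function Test-RdpSignaturePolicy {
    param($Policy, [string]$Thumbprint)
    $findings = @()
    # Both "Not Configured" ($null) and 1 leave the default: unsigned files run after a warning.
    if ($Policy.AllowUnsignedFiles -ne 0) {
        $findings += 'Allow .rdp Files From Unknown Publishers is not disabled (unsigned RDP files can run)'
    }
    if ($Policy.TrustedThumbprints -notcontains $Thumbprint.ToLower()) {
        $findings += "Trusted .rdp publisher list does not contain $Thumbprint (users will still be prompted)"
    }
    foreach ($t in $Policy.TrustedThumbprints) {
        # A mistyped entry silently trusts nothing, so flag anything that is not 40 hex characters.
        if ($t -notmatch '^[0-9a-f]{40}$') { $findings += "Malformed thumbprint in trusted list: '$t'" }
    }
    return $findings
}

foreach ($hive in 'HKLM', 'HKCU') {
    $policy   = Get-RdpSignaturePolicy -Hive $hive
    $findings = @(Test-RdpSignaturePolicy -Policy $policy -Thumbprint $ExpectedThumbprint)
    if ($findings.Count -eq 0) {
        Write-Host "${hive}: RDP signature policy OK ($($policy.TrustedThumbprints.Count) trusted publisher(s))"
    } else {
        $findings | ForEach-Object { Write-Warning "${hive}: $_" }
    }
}
```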

Distributing RemoteApp Programs


After publishing applications, you must get the RDP files to users so they can start those applications. You can do this in one of three ways:
■ Create RDP files and make them available to users from a file share or by sending them in email.
■ Create MSI files (which are installable versions of the same RDP files) and distribute them to users via Group Policy.
■ Enable the applications in the allow list for display via RD Web Access or RemoteApp And Desktop Connections, and create the RDP files on demand when users click the icons.
This section will discuss the first two options; the third will be discussed in the section entitled "Delivering RemoteApp Programs and VMs Through RD Web Access" later in this chapter.

Distributing RDP Files


RemoteApp RDP distribution files are self-contained—the user does not install them. The user double-clicks the file, provides valid user credentials, an RDP session starts, and the application opens. Because the files are self-contained, you can distribute them to users via network share, website, email, and so on.

NOTE  To use RDP files from computers outside the corporate local area network (LAN),
you need to deploy RD Gateway to provide secure access to RD Session Host servers in the
network. For information about RD Gateway, see Chapter 10.

When users double-click a RemoteApp RDP file, they see a connection screen that either reveals the software publisher identity (so users know they are executing code from a trusted source), as previously shown in Figure 9-20, or indicates that the publisher is unknown, as shown in Figure 9-21.
To create an RDP file for distribution, click the Create .rdp File link in RemoteApp Manager. Click Next on the Welcome screen. The Specify Package Settings page appears, as shown in Figure 9-29.

FIGURE 9-29  Specify RemoteApp MSI package settings, including a save location and any changes to server name, port, RD Gateway settings, or the default signing certificate.

Enter a location where you want to save the MSI package or browse to the location. RDP files (and MSI packages) are configured by default with the configuration settings that you set in RemoteApp Manager.
On this page, you can make any needed changes to the default RemoteApp settings for the MSI package by clicking the Change button next to the appropriate setting. Click Next, review your settings, and then click Finish. The created RDP file will be saved to the location you specified in the wizard.

Distributing MSI Files


You can also create MSI files and then distribute them via a file share, email, or Group Policy. An advantage of distributing MSI files is that you can configure the MSI install to place shortcuts on the user's desktop, the Start menu, or both. You can also associate file extensions with the RemoteApp program. The result is that the RemoteApp program will open when a user double-clicks a file with an associated extension. This is one of the main benefits for distributing RemoteApps this way because many users open applications and files by double-clicking the file.
To create an MSI file for distribution, perform the following steps:
1. Open RemoteApp Manager, click the Create Windows Installer Package link, and then click Next on the Welcome page of the RemoteApp Wizard. The Specify Package Settings page appears.

2. Enter a location where you want to save the MSI package, or browse to the location. Make any needed changes to the default RemoteApp settings for the MSI package by clicking the Change button next to the setting you want to change and entering the new setting. Click Next. The Configure Distribution Package page appears, as shown in Figure 9-30.

FIGURE 9-30  Associate file extensions and create shortcut icons for RemoteApp programs.

3. In the top section, choose to put a shortcut on a client's desktop, the Start menu, or both by selecting the corresponding check box. If you choose to put a shortcut icon on the Start menu, then enter the name of the folder in which the icon will reside.
4. In the bottom section, you can choose to associate file extensions with the RemoteApp program by selecting the corresponding check box. Click Next, and then click Finish on the Review Settings page.
Creating RDP files and MSI packages might seem very similar, but another main purpose of creating MSI packages is to deploy RemoteApp programs via Group Policy. To use Group Policy to deploy RemoteApp MSI files, create a GPO and link it to an OU for the users or clients for which the Group Policy should apply. Navigate to either Computer Configuration\Policies\Software Settings or User Configuration\Policies\Software Settings, as appropriate. Right-click Software Installation and choose New Software Package. If you deploy RemoteApp MSI files using a computer policy, the application is assigned and installed automatically when the user boots the computer. Only administrators can uninstall the application.

NOTE  You can choose to either assign applications (installing them automatically) or
publish applications (making them available for installation). It’s a best practice to assign
MSIs containing RDP files. Otherwise, the file associations linked with those RemoteApp
programs won’t work properly.

Delivering RemoteApp Programs and VMs Through RD Web Access
RD Web Access makes RemoteApp programs, remote desktops, and pooled and personal VMs available to users via the RD Web Access website or RemoteApp And Desktop Connections. When a user clicks an icon representing one of these resources, the RD Web Access role service creates a corresponding RDP file for that resource type, using the settings provided by the data source that offers the RemoteApp, remote desktop session, or the VM. The RDP file starts, and the user accesses the RemoteApp or remote desktop.

NOTE  RD Web Access also provides a way to connect remotely to other machines on the
network via the Remote Desktop tab on the website interface. This is covered later in this
chapter in the section entitled “Using the RD Web Access Website.”

RD Web Access Sources


The source(s) that the RD Web Access role service queries for the resource data is configured on the RD Web Access website. It can be one or more RD Session Host servers, an RD Session Host server farm, or RD Connection Broker, as shown in Figure 9-31.
RD Web Access communicates with RD Session Host server sources using Windows Management Instrumentation (WMI), while it communicates with RD Connection Broker over remote procedure call (RPC). The RD Web Access role service consumes the data that it receives from its source(s) and produces two data streams:
■ Hypertext Markup Language (HTML) data that the RD Web Access website displays as web pages
■ An Extensible Markup Language (XML) feed that is consumed by RemoteApp And Desktop Connections on clients running Windows 7 or Windows Server 2008 R2

[Diagram: an RD Session Host Server or Farm (queried over WMI) and an RD Connection Broker (queried over RPC) feed the RD Web Access Role Service, which produces HTML for the RD Web Access Website and an XML Feed for RemoteApp And Desktop Connections.]
FIGURE 9-31  The RD Web Access role service gets RemoteApp, desktop session, and pooled and personal VM information from RD Session Host servers or RD Connection Broker.

NOTE  It’s important to understand that the RD Web Access role service is more than just
a website. The role service is what polls the source(s) and gathers the data. The website is
merely a way of telling the role service what source(s) to poll and then also displaying that
data in a web browser.

The source dictates what kinds of resources are accessible via RD Web Access, as shown in Figure 9-32.

[Diagram: an RD Session Host Server or Farm supplies RemoteApp(s) and Full Desktop(s) to the RD Web Access Role Service over WMI; an RD Connection Broker, which receives Pooled VMs and Personal VMs from an RD Virtualization Host Server and RemoteApp(s) and Full Desktop(s) from an RD Session Host Server Farm, supplies them over RPC; the role service outputs HTML to the RD Web Access Website and an XML Feed to RemoteApp And Desktop Connections.]
FIGURE 9-32  The RD Web Access source dictates the types of resources available via RD Web Access.

RD Session Host servers provide access to RemoteApp and full desktop sessions. If this is all you need to make available, then you have two ways to configure the RD Web Access source. You can configure the RD Session Host servers or farms as the RD Web Access sources, or RD Connection Broker can be configured to attain this data from the RD Session Host servers and then pass it on to RD Web Access.
However, if you need to provide access to pooled and personal VMs, then you must use RD Connection Broker as the source, because only RD Connection Broker receives data from RD Virtualization Host servers regarding the VMs that they provide. Because RD Connection Broker can also be configured to consume resource data from RD Session Host servers and farms, it can act as an overall source for all available resources.

If you assign one or more RD Session Host servers or farm names as the source, the RD Web Access role service gets the resource data from this source by querying the WMI interfaces on the source to see what applications are on the allow list and are configured to be shown in the portal.
If you configure RD Connection Broker as the source, RD Web Access queries the RD Connection Broker using RPC. RD Connection Broker queries the RD Session Host servers and farms that it knows about, gets the resource data, and passes it to RD Web Access.
Like RDP files created using the RemoteApp Manager, the dynamically created RDP files on the RD Web Access RemoteApp Programs tab adhere to the configuration settings specified in RemoteApp Manager. For example, if RemoteApp Manager global settings specify connecting to an RD Session Host server farm, then the RDP files created by the RD Web Access RemoteApp Programs tab will also contain this setting. Likewise, if RemoteApp Manager contains RD Gateway settings, then RD Web Access RDP files are also set up to connect through RD Gateway.

Installing the RD Web Access Role Service


To install RD Web Access on a server running Windows Server 2008 R2, open Server Manager and follow these steps:
1. If the Remote Desktop Services role is not installed, right-click Roles, click Add Roles, and then choose the Remote Desktop Services role. Then add the RD Web Access role service.
2. If the server already has the Remote Desktop Services role installed, right-click the Remote Desktop Services role in Server Manager, click Add Role Service, and choose the RD Web Access role service.
3. Because this server acts as a web server, you must install Internet Information Services (IIS) 7.5 for it to work. If IIS 7.5 is not installed already, you will be prompted to add the role service. Click Add Required Role Services. You will see a screen with an introduction to IIS 7. Click Next, review the Web Server role services that will be installed for IIS, and click Next.
4. Confirm the installation instructions and then click Install.
5. When the installation completes, the installation results will show that the RD Web Access role service and the IIS role installed successfully. Click Close.
Alternatively, you can use Windows PowerShell to install RD Web Access like this:

Import-Module ServerManager
Add-WindowsFeature RDS-Web-Access -Restart

A successful install gives the following results:

WARNING: [Installation] Succeeded: [Remote Desktop Services] Remote Desktop Web Access.
RD Web Access requires additional configuration. On the Configuration page of the RD Web
Access website, you need to specify the source that will provide the RemoteApp programs
and desktops that will be displayed to users. For more information, see <a href="ts_
remoteprograms.chm::/html/e1e047ce-d080-4568-b987-378fef46bea2.htm">Configuring the RD
Web Access Server</a>.

Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True    No             Success   {Web Server (IIS) Tools, IIS Management Co...

NOTE  If you choose to install via the command line, then any needed components, such
as IIS 7.5, that are not installed already will be installed automatically and will appear in the
Feature Results section of the installation summary.

Implementing RD Web Access installs the RD Web Access website to the RDWeb virtual path of the IIS default website. The install directory is located at %WinDir%\Web\RDWeb.

Configuring RD Web Access


After you install the RD Web Access role service, there are two things you must do to configure it:
■ Give RD Web Access a source or sources to query
■ Allow the RD Web Access source or sources to communicate with RD Web Access
Access the RD Web Access website by opening Windows Internet Explorer and entering this URL: https://servername/rdweb, where servername is the name of the RD Web Access server. You can also access the RD Web Access website by clicking Start, Administrative Tools, Remote Desktop Services, Remote Desktop Web Access Configuration on the RD Web Access server. The site is made up of three tabbed pages, as shown in Figure 9-33:
■ The RemoteApp Programs tab  Provides users with links to RemoteApp programs and their pooled and personal VMs. The contents of this page are filtered to show only those resources that the logged-in user is allowed to use.
■ The Remote Desktop tab  Provides users with a way to connect remotely to other desktops located on the network that allow incoming RDP connections.
■ The Configuration tab  Used to configure the sources that RD Web Access queries for RemoteApp programs, remote desktops, and pooled and personal VMs. You have to be a member of the TS Web Access Administrators local group or the Administrators local group on the RD Web Access server to see and edit the sources on this tab.

FIGURE 9-33  When you log in to the RD Web Access website, you have access to a tabbed interface.

Configuring the RD Web Access Source


To create the association between RD Web Access and its source or sources, perform the following steps:
1. Access RD Web Access by opening Internet Explorer and connecting to https://servername/rdweb, or go to Start, Administrative Tools, Remote Desktop Services, RD Web Access Administration.
2. On the login page, enter a user name (in the form of domain\username) and password of an account that is a member of the TS Web Access Administrators group (domain administrators have this right).
3. Navigate to the configuration section of the website by clicking the Configuration tab, as shown in Figure 9-34. This tab is available only to members of the TS Web Access Administrators group.

FIGURE 9-34  Click the Configuration tab to access the RD Web Access configuration area.

4. Select the radio button corresponding to the type of sources that will provide the RemoteApp and desktop information to RD Web Access.
5. Enter the name of the sources you want in the Source Name input box. If you chose the option One Or More RemoteApp Sources, separate each RD Session Host server or RD Session Host farm name source with a comma. When you are finished, click OK.
Each source that you choose for RD Web Access must be able to communicate with the role service. Grant this access by adding the RD Web Access computer account to the source's local TS Web Access Computers security group.

RD Web Access Source Is One or More RD Session Host Servers and Farms
If you specify one or more RD Session Host servers or one or more RD Session Host server farms as the RD Web Access source, then each of those servers needs to have the RD Web Access server added to its TS Web Access Computers security group, as shown in Figure 9-35.

[Figure 9-35 diagram: Initial Load Balancing (NLB or RR DNS) in front of the RD Web Access source, RD Session Host Server(s) and/or Farm(s): RDSH1, RDSH2, RDSH3, RDSH4. The RD Web Access server is added to the TS Web Access Computers group on each RD Session Host server.]

FIGURE 9-35  Give RD Web Access permission to query every RD Session Host server that is an RD Web Access source.

RD Web Access will query every individual RD Session Host server for its allow list and RemoteApp configuration. For farms, RD Web Access will choose one of the servers in each farm to query, but should that server become unavailable, it will query another farm member instead.

RD Web Access Source Is RD Connection Broker

For farm scenarios, if you specify an RD Connection Broker as the RD Web Access source, add the RD Connection Broker server to the TS Web Access Computers group on each farm member. Then add the RD Web Access computer account to the TS Web Access Computers group on the RD Connection Broker, as shown in Figure 9-36.

[Figure 9-36 diagram: Initial Load Balancing (NLB or RR DNS) in front of the RD Web Access source, RD Connection Broker; farm members RDSH1, RDSH2, RDSH3, RDSH4. The RD Connection Broker server is added to the TS Web Access Computers group on each RD Session Host server; the RD Web Access server is added to the TS Web Access Computers group on the RD Connection Broker.]

FIGURE 9-36  If RD Connection Broker is the RD Web Access source, RD Web Access gets allow list and RemoteApp configuration data from RD Connection Broker.

RD Web Access gets allow list and RemoteApp configuration data from RD Connection Broker, which gets the data from an RD Session Host server in each farm.

How a Dedicated Redirector Affects the RD Web Access Configuration

Using a dedicated redirector as your initial load balancer in a farm scenario also affects your RD Web Access configuration, because the redirector will act as the leader for the farm. Instead of querying a farm member for its allow list and configuration data, RD Web Access (or RD Connection Broker) will query the redirector.
In this scenario, if you use farm names as the RD Web Access source, you need to add the RD Web Access server computer account to the TS Web Access Computers group on the farm redirector or redirectors, as shown in Figure 9-37.

[Figure 9-37 diagram: Initial Load Balancing by a Dedicated Redirector in front of the RD Web Access source, RD Session Host Server Farm(s): a Redirector with RDSH1 and RDSH2, and a Redirector with RDSH3 and RDSH4. The RD Web Access server is added to the TS Web Access Computers group on each RD Session Host server farm redirector.]

FIGURE 9-37  Add the RD Web Access server account to the TS Web Access Computers group on the redirector.

If you use RD Connection Broker as the RD Web Access source, you need to add the RD Connection Broker server computer account to the TS Web Access Computers group on the farm redirector or redirectors, and then add the RD Web Access server computer account to the TS Web Access Computers group on the RD Connection Broker, as shown in Figure 9-38.

[Figure 9-38 diagram: Initial Load Balancing by a Dedicated Redirector in front of the RD Web Access source, RD Connection Broker: a Redirector with RDSH1 and RDSH2, a Redirector with RDSH1 and RDSH2, and the RD Connection Broker. The RD Connection Broker server is added to the TS Web Access Computers group on each RD Session Host server farm redirector; the RD Web Access server is added to the TS Web Access Computers group on the RD Connection Broker.]

FIGURE 9-38  Add the RD Connection Broker server account to the TS Web Access Computers group on the redirector and add the RD Web Access server account to the TS Web Access Computers group on the RD Connection Broker.

Also, although the redirector is not accepting connections, it is a farm member in all other respects, and because RD Connection Broker or RD Web Access queries the redirector for allow list and RemoteApp configuration data, the redirector has to be configured identically to other farm members. This includes having the exact same RemoteApp settings. For example, if you do not add the farm certificate to a redirector, then when a RemoteApp is started from the website, it will be trying to reach the farm name, so it will show a certificate error when the name on the redirector certificate does not match the farm name, as shown in Figure 9-39.

FIGURE 9-39  Avoid getting an error by adding the certificate containing the farm name to the RDP-Tcp Properties General tab of RD Session Host Configuration.

Configuring Web SSO
To minimize the number of times users must present credentials, enable Web SSO. Web SSO stores the credentials that a user uses to log on to the RD Web Access website and then uses them to authenticate the user when he or she opens a RemoteApp program via the website (or via RemoteApp And Desktop Connections on a client running Windows 7). The user does not receive any more login prompts when the user starts a RemoteApp.

NOTE  Web SSO works only for authentication to RemoteApp programs. There is no way
to use Web SSO to pass credentials to a full desktop connection or VM connection.

To take advantage of Web SSO, the following must be in place:
■ Clients must run Remote Desktop Connection (RDC) 7.0. Windows 7 comes with RDC 7.0. As discussed in Chapter 6, RDC 7.0 is available as an update for Windows XP SP3 and Windows Vista SP1 and SP2.
■ RemoteApp programs must be signed with an SSL certificate or code signing certificate. If you are distributing applications from more than one farm or server, all RemoteApp programs must be signed with the same certificate. This is because Web SSO looks at the hash, or thumbprint, of the certificate. If you use different certificates for different farms, SSO will work only on a per-farm basis.
■ Clients must trust the certificate used to sign the RemoteApp programs, meaning that the certificate that signed the SSL certificate must be located in the client's Computer Trusted Root Certification Authorities certificate store.

Customizing RD Web Access

RD Web Access lends itself to customization. Although a complete description of how to create a custom portal is outside the scope of this book, let's take a look at some of the options.

Configuring RD Web Access Remote Desktop Connection Options

Whereas with RemoteApps you'll configure settings from the RemoteApp Manager, the settings for Remote Desktops made available through RD Web Access are configured using settings on the IIS server hosting the website. We recommend using RD Gateway (described in Chapter 7) to provide secure access to desktops from the Internet.
To use RD Gateway with the RD Web Access Remote Desktops tab, you will need to provide the name of the RD Gateway server in IIS on the server that hosts the RD Web Access website.
On the RD Web Access server, open IIS. Expand the default website (or the website where you installed RD Web Access), expand the RDWeb folder, select the Pages folder, and in the pane on the right, double-click Application Settings. Double-click DefaultTSGateway, add the name of your RD Gateway server, and click OK. Then choose the TS Gateway authentication method by double-clicking GatewayCredentialsSource and specifying the corresponding number value as follows:
■ 0  NTLM (password)
■ 1  Smart Card
■ 4  User Chooses Later (the default)
External users will access the Remote Desktops tab of the RD Web Access website and type in the name of the computer to which they want to connect. The connection will be made securely through RD Gateway.
If you do not want users to be able to use the Remote Desktop capabilities from the RD Web Access website, double-click ShowDesktops and change the default entry (True) to False. This will hide the Remote Desktops tab. The changes take place immediately, so if the web page is open, refresh the page to see those changes. Allow or disallow the following resource redirection options by double-clicking each option and changing the value for the entry to True (enable) or False (disable):
■ xClipboard
■ xDriveRedirection
■ xPnPRedirection
■ xPortRedirection
■ xPrinterRedirection
Alternatively, you can use a text editor such as Notepad to modify the Web.config file for the RD Web Access website located at %WinDir%\Web\RDWeb\Pages\Web.config. Locate these entries (under the heading <!-- Devices And Resources Preset The Checkbox Values To Either True Or False -->) and change the value to "true" or "false" as needed, as follows:

<add key="xPrinterRedirection" value="true" />
<add key="xClipboard" value="true" />
<add key="xDriveRedirection" value="true" />
<add key="xPnPRedirection" value="true" />
<add key="xPortRedirection" value="true" />

NOTE  If PnP, Port, and Drive redirection options are shaded and unavailable, add the
website to the web browser’s Trusted Sites list and they will become available.

When you allow other redirection capabilities (clipboard and printer redirection is enabled by default), they will not actually be enabled. However, by allowing other types of redirection you give users the option to enable that type of redirection when they initiate a connection via the Remote Desktops tab. When a user inputs a computer name and clicks Connect, the RDP file starts. The user can now click the Details button and enable the types of redirection that you have allowed by selecting the box next to the type of redirection that he or she wants to enable and then clicking Connect.

DIRECT FROM THE SOURCE

Why Do I See "Unknown Publisher" When Connecting to Remote Desktops?
Janani Venkateswaran
Program Manager

RDP file signing lets you put some user protection in place by allowing an RDP file's publisher to sign the file with a digital certificate. So, if you trust the publisher, you know you can trust the RDP connection. Unsigned files will show a warning label when they are started.

If you’re using RD Web Access to make both RemoteApps and full remote desktops
available, you might notice something odd if you’re using RDP file signing. When
you start RemoteApps, the dialog box will indicate that the files are signed (that is,
they will identify the publisher of the file). When you start a connection from the
Remote Desktops page, the dialog box will warn that the Publisher is not known,
meaning that the file is unsigned.

Whether you click an icon on the RemoteApp Programs page or the Connect button
on the Remote Desktops page, doing so creates an RDP file. There’s one important
difference between these approaches, however: When you click an icon on the
RemoteApp Programs page, an RDP file that has been created from settings on the
RD Session Host server is channeled to the client. When you click Connect on the
Remote Desktops page, the client creates the RDP file. The following illustrations
show this.

[Illustration: RDP file invoked from the RD Web Access RemoteApp Programs page. A signed RDP file is channeled from the RD Session Host server to the client.]

[Illustration: RDP file invoked from the RD Web Access Remote Desktop page. Web.config settings are sent from the RD Web Access server to the client, and the RDP file is created on the client.]

RDP signing is available for RemoteApps but not for connections to full desktops. Here's why: The RDP file created when you start a RemoteApp from RD Web Access is created on the RD Session Host server using the configuration settings set in RemoteApp Manager. You can specify a digital certificate in RemoteApp Manager with which to sign RemoteApps. If you have specified a digital certificate, the RDP file will be signed when it's created and then channeled to the client. Thus, the publisher of the RDP file will be identified to the client.

In contrast, an RDP file is created on the client when you click the Connect button on the Remote Desktops page, combining the settings specified in the Web.config file and Desktop.aspx on the RD Web Access server, along with any input from the user. There's no setting on the client to specify a digital certificate to use to sign RDP files that it creates. The client does not sign the file, and the publisher is shown as unidentifiable.

Customizing the RDC Client Update Settings

So far, the assumption is that the client already has RDC 6.1 or later installed, so it can start RemoteApps from RD Web Access. But what if the correct version isn't installed? To make it easier for users to get the correct version of the client, you can customize the link to point to an internal page hosting the required clients and service packs. This allows you to support users connecting to RD Web Access from an intranet with no Internet access or to standardize on a version of the client that you think appropriate.
To modify the target URL, log on to the RD Web Access server as an administrator and follow these steps.
1. Open IIS Manager by clicking Start, Administrative Tools, Internet Information Services (IIS) Manager.
2. In the navigation pane of IIS Manager, expand the server name, expand Sites, expand Default Web Site, and then click RDWeb. (By default, RD Web Access is installed to this location. If you installed RD Web Access to a different site, locate it and then click the site name.)
3. Under ASP.NET, double-click Application Settings. In the Actions pane, click Add, and then, in the Add Application Setting dialog box, do the following:
a. In the Name text box, type rdcInstallUrl.
b. In the Value text box, enter the target URL for the link.

NOTE  To restore the link to point to the default URL, right-click the rdcInstallUrl application setting and then click Remove.

Alternatively, you can use a text editor such as Notepad to modify the Web.config file for the RD Web Access website directly. By default, the path of the configuration file is %WinDir%\Web\RDWeb\Web.config. To modify the file, under the <appSettings> section of the file, add an entry like this one, where URL is the target URL for the link:

<add key="rdcInstallUrl" value="http://URL" />

This will update the page to the new location.

Changing RD Web Access RemoteApp Display

The default RD Web Access RemoteApp Programs web page is pretty basic: it shows the application icons, and that's about it. However, you can customize it to suit your needs. For instance, you might want to provide other links to web-based applications, documents, websites, or any other web-based content. RD Web Access doesn't have any easy way to add more data, but other frameworks, such as Microsoft SharePoint, do.
For example, you can integrate the Web Part that makes RemoteApp programs available on the RD Web Access website into a SharePoint website, as shown in Figure 9-40. The details of how to do this are outside the scope of this book, but there is a link to the step-by-step guide on the companion media.

ON THE COMPANION MEDIA  A link to "Customizing Remote Desktop Web Access by Using Windows SharePoint Services Step-by-Step Guide" is available on the companion media, or you can download it from http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=eb2b786f-2a70-4045-a899-6d7c9a794fbc.

FIGURE 9-40  Add RD Web Access support to SharePoint.

Customizing Titles and Subtitles
There are three main pages of the RD Web Access website: RemoteApp Programs, Remote Desktop, and Configuration. Each page contains two lines in the upper-left portion of the page:
■ The Page Title (the default is "Remote Desktop Services Default Connection")
■ A page description or Subtitle area (the default is "Remote Desktop Services Default Connection")
Here is how to rename each page.
■ All Page Titles are changed by editing the %WinDir%\Web\RDWeb\App_Data\RDWebAccess.config file line

<WorkspaceSettings Name="YOUR TEXT HERE" ID="servername.domain.suffix" Description="" />

■ However, if you set the Connection Settings on an RD Connection Broker server, these will show up as the Display name for all RD Web Access website pages.
■ To change the Subtitle area of the Login page, open Login.aspx in a text editor and find and edit this string:

const string L_ApplicationName_Text = "YOUR TEXT HERE";

■ To change the "Subtitle area" of the RemoteApp Programs page, edit the %WinDir%\Web\RDWeb\Pages\en-US\Default.aspx page line

const string L_ApplicationName_Text = "YOUR TEXT HERE";

■ To change the "Subtitle area" of the Remote Desktops page, edit the %WinDir%\Web\RDWeb\Pages\en-US\Desktops.aspx page line

const string L_ApplicationName_Text = "YOUR TEXT HERE";

■ To change the "Subtitle area" of the Configuration page, edit the %WinDir%\Web\RDWeb\Pages\en-US\Config.aspx page line

const string L_ApplicationName_Text = "YOUR TEXT HERE";

Adding a Domain Name When Users Forget To

Users might forget to add the domain name as part of their login credentials. You can edit the website code to check this and, if the domain name is not present, add it to the login user name. To do this, open the Renderscript.js file located in the %WinDir%\Web\RDWeb\Pages folder, find the following code block, and change it from this:

if ( objForm != null )
{
    strDomainUserName = objForm.elements("DomainUserName").value;
    strPassword = objForm.elements("UserPass").value;
    strWorkspaceId = objForm.elements("WorkSpaceID").value;
    strRDPCertificates = objForm.elements("RDPCertificates").value;

to this:

if ( objForm != null )
{
    strDomainUserName = objForm.elements("DomainUserName").value;

    // add the default domain when the user typed a bare user name
    if ( strDomainUserName.indexOf("\\") == -1 )
    {
        strDomainUserName = "YOUR-DOMAIN-HERE\\" + strDomainUserName;
        objForm.elements("DomainUserName").value = strDomainUserName;
    }
    strPassword = objForm.elements("UserPass").value;
    strWorkspaceId = objForm.elements("WorkSpaceID").value;
    strRDPCertificates = objForm.elements("RDPCertificates").value;

Substitute your domain NetBIOS name in the code where it says "YOUR-DOMAIN-HERE".
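The check above only looks for a backslash. As an added example that is not part of the book or of Renderscript.js, the following is a stand-alone version of the same logic that also leaves UPN-style names (user@domain.suffix) alone instead of prefixing them, which the one-line check would otherwise do. The form object and field name follow the snippet above; YOUR-DOMAIN-HERE remains a placeholder for your NetBIOS domain name.

```javascript
// Added example, not code from the book or from the RD Web Access site.
// Normalizes the logon name entered on the RD Web Access login page so that
// a bare user name gets the default domain prepended, while names that
// already carry a domain (DOMAIN\user or user@domain.suffix) are left as-is.

// Placeholder for your domain's NetBIOS name (assumed value, replace it).
var DEFAULT_DOMAIN = "YOUR-DOMAIN-HERE";

// Returns the logon name to submit. Written in ES3 style (no trim())
// so it also runs in the Internet Explorer versions the chapter targets.
function ensureDomainPrefix(userName, defaultDomain) {
  var name = (userName || "").replace(/^\s+|\s+$/g, ""); // trim whitespace
  if (name === "") {
    return name;                        // nothing to prefix
  }
  if (name.indexOf("\\") !== -1) {
    return name;                        // already DOMAIN\user
  }
  if (name.indexOf("@") !== -1) {
    return name;                        // UPN form: user@domain.suffix
  }
  return defaultDomain + "\\" + name;   // bare user name: add the domain
}

// Mirrors the edit to the form handler: read the DomainUserName field,
// normalize it, and write the value back so the post carries the fixed
// name. objForm is assumed to expose its fields through elements[...].
function fixDomainUserNameField(objForm, defaultDomain) {
  if (objForm == null) {
    return null;
  }
  var field = objForm.elements["DomainUserName"];
  var fixed = ensureDomainPrefix(field.value, defaultDomain);
  field.value = fixed;
  return fixed;
}
```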

Force RDC Connections Through RD Gateway via RD Web Access

By design, if you connect to a Remote Desktop through RD Web Access, the RDP file will bypass RD Gateway if the RD Session Host server and client are on the same network. RD Web Access uses Web.config to provide RDP settings to the client so the client can create its own RDP file for connecting to the RD Session Host server. None of those settings force the use of RD Gateway.
You can force the use of RD Gateway if appropriate by editing the web page presenting Remote Desktops. The GatewayUsageMethod property of the IMsRdpClientTransportSettings interface has five possible values. To force clients connecting to Remote Desktops via RD Web Access to use RD Gateway, change the value of this property from 2 (which selects the check box for the Bypass RD Gateway Server For Local Addresses option in the Remote Desktop Connection user interface) to 1 (which clears the check box for the Bypass RD Gateway Server For Local Addresses option in the Remote Desktop Connection user interface). See the following "Direct from the Source" sidebar for more details.

DIRECT FROM THE SOURCE

Forcing the Use of RD Gateway for Remote Desktops
Rob Leitman
Senior Software Development Engineer

Let's say that you're attempting to access a Remote Desktop via RD Web Access.
Although the clients attempting to access the RD Web Access page are all on the
same subnet as the RD Web Access server, you’ve configured the network so that
they’re actually connecting via the Internet, not the intranet. Therefore, you’d like
to require that these clients use RD Gateway.

There’s no check box on the Remote Desktops page to force the use of RD Gateway,
but you can make it happen by editing Desktop.aspx from this

if ((DefaultTSGateway != null) && (DefaultTSGateway.length > 0)) {
    RDPstr += "gatewayusagemethod:i:2\n";

to this

if ((DefaultTSGateway != null) && (DefaultTSGateway.length > 0)) {
    RDPstr += "gatewayusagemethod:i:1\n";

All Remote Desktop connections initiated from that RD Web Access site should now
go through RD Gateway.
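Both the Web.config redirection entries (xClipboard, xDriveRedirection, and so on) in "Configuring RD Web Access Remote Desktop Connection Options" and the gatewayusagemethod edit above end up as key:type:value lines in the RDP file the client builds. As an added example, not code from the book or from Desktop.aspx, the following parses such a file and reports the settings an administrator would check: whether RD Gateway is forced (value 1) or bypassed for local addresses (value 2), and which device redirections are enabled. The RDP key names are the standard ones used in .rdp files; the sample RDP text is constructed.

```javascript
// Added example, not code from the book or from the RD Web Access site.
// An .rdp file is a list of key:type:value lines, where type is i (integer)
// or s (string). Desktop.aspx builds such text one line at a time
// (RDPstr += "gatewayusagemethod:i:2\n"); this reads one back and checks
// the settings discussed in this chapter.

// gatewayusagemethod values referred to in the chapter's edit.
var GATEWAY_ALWAYS = 1;        // gateway used for every connection
var GATEWAY_BYPASS_LOCAL = 2;  // "Bypass RD Gateway Server For Local Addresses"

// RDP keys for device redirection, mapped to the Web.config entry that
// presets the matching check box on the Remote Desktops tab.
var REDIRECTION_KEYS = {
  "redirectclipboard": "xClipboard",
  "redirectprinters": "xPrinterRedirection",
  "redirectcomports": "xPortRedirection",
  "drivestoredirect": "xDriveRedirection",
  "devicestoredirect": "xPnPRedirection"
};

// Parse RDP text into an object keyed by lower-cased setting name.
// Integer settings become numbers; string settings stay strings.
// Lines that do not match key:type:value are ignored.
function parseRdpFile(text) {
  var settings = {};
  var lines = text.split(/\r?\n/);
  for (var i = 0; i < lines.length; i++) {
    var m = /^([^:]+):([is]):(.*)$/.exec(lines[i]);
    if (!m) { continue; }
    var key = m[1].toLowerCase();
    settings[key] = (m[2] === "i") ? parseInt(m[3], 10) : m[3];
  }
  return settings;
}

// Return a list of findings; an empty list means RD Gateway is forced
// and no device redirection is enabled.
function auditRdpSettings(settings) {
  var findings = [];
  var method = settings["gatewayusagemethod"];
  var host = settings["gatewayhostname"];
  if (method === GATEWAY_BYPASS_LOCAL) {
    findings.push("RD Gateway bypassed for local addresses (gatewayusagemethod:i:2)");
  } else if (method !== GATEWAY_ALWAYS) {
    findings.push("RD Gateway not forced (gatewayusagemethod is " + method + ")");
  }
  if (method === GATEWAY_ALWAYS && !host) {
    findings.push("gatewayusagemethod:i:1 set but gatewayhostname is empty");
  }
  for (var key in REDIRECTION_KEYS) {
    var v = settings[key];
    // integer keys enable with 1; string keys (drives, PnP devices) enable
    // with any non-empty value such as "*"
    var enabled = (typeof v === "number") ? (v === 1) : !!v;
    if (enabled) {
      findings.push(key + " enabled (preset by " + REDIRECTION_KEYS[key] + ")");
    }
  }
  return findings;
}

// Constructed sample of what the client writes for a Remote Desktops tab
// connection with the default gatewayusagemethod of 2, where the user
// ticked clipboard and drive redirection.
var SAMPLE_RDP =
  "full address:s:rdsh1.contoso.com\n" +
  "gatewayhostname:s:rdg.contoso.com\n" +
  "gatewayusagemethod:i:2\n" +
  "gatewaycredentialssource:i:4\n" +
  "redirectclipboard:i:1\n" +
  "redirectprinters:i:0\n" +
  "redirectcomports:i:0\n" +
  "drivestoredirect:s:*\n" +
  "devicestoredirect:s:\n";

// Audits the sample; yields three findings (gateway bypass, clipboard, drives).
function auditSample() {
  return auditRdpSettings(parseRdpFile(SAMPLE_RDP));
}
```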

RDWA Customization: This Is A Private Computer Selected by Default

To preselect This Is A Private Computer on the RD Web Access login page, open the Login.aspx page located at %WinDir%\Web\RDWeb\Pages\en-US\ using a text editor and make the following changes.
Remove the word "checked" from this code snippet:

<label><input id="rdoPblc" type="radio" name="MachineType" value="public" class="rdo" onclick="onClickSecurity()" checked /></label>

Then add the word "checked" to the following code snippet:

<label><input id="rdoPrvt" type="radio" name="MachineType" value="private" class="rdo" onclick="onClickSecurity()" checked /></label>

Finally, save the file.

Troubleshooting RD Web Access Permissions
If you run into problems implementing RD Web Access, it's sometimes a permissions problem. Here are some general troubleshooting tips.
■ Make sure that the correct computer accounts are added to the needed security groups on RD Session Host servers and RD Connection Broker.
■ The Windows Authorization Access Group located in Active Directory Users And Computers needs to have the RD Connection Broker server in it if it is used in RD Web Access to check access control lists (ACLs) and do the filtering.
■ If you have verified that the pertinent permissions have been given to the appropriate servers and you still receive Event ID 1011 on the RD Connection Broker:
● Look in the Event Viewer under Applications and Services Logs/Microsoft/Windows/RemoteApp and Desktop Connection Management and see if any errors exist there that will lead you to how to fix your issue.
● Check to see that WMI security and COM security are correct on each RD Session Host server. This is normally taken care of for you, but it is worth checking if you are having problems adding an RD Web Access source to the website. On each RD Session Host server, check the following.
WMI Security Settings:
1. Start the WMI Control MMC snap-in.
2. Right-click the WMI Control node and select Properties.
3. Go to the Security tab and navigate to Root, CIMV2, TerminalServices.
4. Highlight TerminalServices and click Security.
5. Confirm that localserver\TS Web Access Computers is listed with Execute Methods, Enable Account, and Remote Enable set to Allow.
DCOM Security Settings:
1. Start the Component Services MMC snap-in and navigate to Component Services, Computers, My Computer.
2. Right-click My Computer and select Properties.
3. Go to the COM Security tab, and under Access Permissions, click Edit Limits.
4. Make sure the TS Web Access Computers have all the permissions set to Allow.
5. Under Launch And Activation Permissions, click Edit Limits and confirm that localserver\TS Web Access Computers is listed, with all the permissions set to Allow.

Using the RD Web Access Website
The RD Web Access role service supports two ways of presenting applications to users: the RD Web Access website and the RemoteApp And Desktop Connections tool in Windows 7. In this section, you'll learn how to use the RD Web Access website.

NOTE  To use RD Web Access, the clients must have RDC 6.1 or later installed. RDC 7.0 or
later is recommended for the best user experience. See Chapter 6 for more information
about RDC and where to get updated versions of the client.

Users access the RD Web Access website by browsing to https://servername/rdweb using Internet Explorer. The user will be presented with a login screen.
For these pages to work, the Microsoft Remote Desktop Services Web Access ActiveX control must be enabled. Clients logging onto the website for the first time should see a pop-up message that asks for permission to install the ActiveX control, as shown in Figure 9-41.

FIGURE 9-41  The RD Web Access website requires the Microsoft Remote Desktop Services ActiveX control to be enabled.

Right-click the Information Bar (a yellow bar) and choose Run Add-on to install the control. Users running Windows XP SP3 might not see this pop-up message. Instead, the user might log in and get the message shown in Figure 9-42.

FIGURE 9-42  Users of Windows XP might receive a message telling them that the Remote Desktop Services ActiveX client is not available.

To install the control, click Tools/Internet Options, select the Programs tab, and click the Manage Add-ons button at the bottom of the dialog box. Select Show All Add-ons from the drop-down menu on the right side of the page. Then find the Microsoft RDP Client Control in the left pane, select it, and click the Enable button at the lower-right side of the page. Then click Close.
To log onto the website, enter a user name in the form of domain\username, such as ASH\kristin.griffin. Enter the user's password. Choose a security mode that describes the computer that you are using, and then click Sign In.

Logging In
The RD Web Access login page has an option that specifies whether the computer used to access RD Web Access is a private computer, meaning you are the only one that uses the computer, or a public computer. If you pick the Private option, then the session will stay active longer if there is a period of inactivity.

NOTE  If you have enabled Computer Configuration Policies Administrative Templates Security Credentials Delegation Allow Delegating Default Credentials and applied it to your pooled or personal VMs, you may notice one other effect of choosing Public or Private mode for RD Web Access. When this GPO is enabled and applied to VMs and you have set the RD Web Access page to Private Mode, you will not be prompted for credentials when you click the icon for the VM pool or personal VM. Instead, you will be logged in using the credentials you logged onto the computer with. This is great if those are the credentials you need to log into VMs, but if the credentials used for local logins differ from the credentials used to log into VMs, you might want to avoid this GPO for VMs since it will present the wrong credentials and the login will fail.

When you have logged on to the website, you will be taken to the RemoteApps page shown in Figure 9-43.

FIGURE 9-43  The RD Web Access RemoteApp Programs page offers a number of options.

When users open the RD Web Access website, they are provided with a web page with two tabs, the RemoteApp Programs tab and the Remote Desktops tab. The RemoteApp Programs tab contains links to available RemoteApps and VMs and also links to full desktop sessions for RD Session Host servers or farms as permitted in RemoteApp Manager. The Remote Desktops tab provides access to other remote desktops on the network.
When a user clicks a RemoteApp icon in RD Web Access (or chooses a desktop to connect to, as discussed in the next section, "Connecting to Resources"), the ActiveX control in the browser creates a temporary RDP file in the user's Temp folder on the client. The RDP file will have a randomly generated name that begins with TSPORTAL and includes a five-digit number. Next, the ActiveX control calls Mstsc.exe and points it to the path of the new RDP file, as in this example for an RDP file named TSPORTAL#12345:

mstsc.exe /web/ webfilename:%userprofile%\AppData\Local\Temp\TSPORTAL#12345.rdp

This command starts Mstsc.exe exactly as if you had pointed it to any other RDP file, creating the connection.

Connecting to Resources
You can use the RD Web Access website to connect to RemoteApp programs, VMs, full desktops on an RD Session Host server, or even your personal computer.
The resources that a user sees are based on his or her access rights; that is, users see only resources that they in fact have permission to access. When a user clicks an application icon, this will start an RDP file and the RemoteApp executes. If you remove an application from the allow list on the RD Session Host server(s), the application is no longer displayed in the web part.
One of the biggest advantages of deploying RemoteApps using RD Web Access is that the RDP files created through the website use the settings specified in the RemoteApp Manager of the associated RD Session Host server. Therefore, they are always up to date. You don't need to redistribute RDP files to users whenever a change occurs in the RemoteApp Manager.

NOTE  You might notice that some settings do not change immediately in RD Web
Access when you make a change to an RD Web Access source and you use RD Connection
Broker as the source. This is because the RD Web Access service caches settings from RD
Connection Broker for three minutes at a time for performance reasons.

A popular feature of RD Web Access (especially when combined with RD Gateway, as discussed in Chapter 10) has nothing to do with RemoteApp programs at all. Rather, it's the ability to connect to a computer desktop (such as your company computer desktop located in your office) from the Internet. This is useful for users who need access to their desktop computers from other locations (telecommuting), or for users who need access to more than one computer on the corporate network.

NOTE  The user needs to be a member of the Remote Desktop Users group of the
specified computer to connect remotely to that computer.

From the Remote Desktops tab, a user provides the name of the computer to connect with, and an RDP file is created and opened. The user provides proper credentials, and the remote desktop session starts.

NOTE  The connection options used when RDP files are created from the Remote Desktops tab do not adhere to RemoteApp Manager. Instead, the options are set in IIS. This is discussed in the section entitled "Configuring RD Web Access Remote Desktop Connection Options" earlier in this chapter.

To get to your desktop, first make sure that the RD Web Access site is one of your Trusted websites. Then click the Remote Desktop link to open the Remote Desktop page shown in Figure 9-44.

FIGURE 9-44  Access other desktops from the Remote Desktop webpage.

From here, users can connect to servers (and other computers that have Remote Desktop enabled) by typing in the name of the computer, selecting the screen size, and clicking Connect. When a user clicks Connect, an RDP file pointing to the computer specified is created on the user's computer, using the settings defined in Web.config on the RD Web Access server.

NOTE  A user must be a member of the computer’s Remote Desktop Users security group
to log on remotely.

The Options button provides a set of RDP settings that the user can adjust, including device and resource redirection, whether to allow keyboard shortcuts in the remote desktop session, and the speed of the connection. However, if these options are specified using Group Policy or RD Configuration, then the settings specified by the user are ignored.

Using RemoteApp And Desktop Connections

RD Web Access is both a role service and a website. The role service supplies the website with the RemoteApp programs and VMs provided for the users, but it also supplies RemoteApp And Desktop Connections, a Control Panel setting on computers running Windows 7 and Windows Server 2008 R2. RemoteApp And Desktop Connections connects to a URL that you provide and populates the Start menu of the client with a new folder called RemoteApp And Desktop Connections.
The RD Web Access website is built with HTML generated from the RD Web Access server, but the RemoteApp And Desktop Connections application on the client is fed with an XML feed from the RD Web Access server. This XML feed works like an RSS feed, and like an RSS feed, it will be updated regularly as the contents of the data source are updated. If the administrator adds a RemoteApp or removes a VM pool, the change will appear in RemoteApp And Desktop Connections; there's no need for the user to log out and log back in again. Because the feed aggregator is built into the operating system, this feature is available only on Windows 7 and Windows Server 2008 R2. It's not part of the RDC 7 client; it just works with it. You can't add it to Windows XP or Windows Vista.

HOW IT WORKS

The Publishing Feed

The publishing feed populating RemoteApp And Desktop Connections on
Windows 7 is essentially a Really Simple Syndication (RSS) feed from RD Web
Access. Rather than being a list of new blog entries or news articles, like most com-
mon feeds, this one is a compilation of all the RemoteApp programs and VMs on
the desktop, filtered according to the security credentials the user entered when
logging on. The RSS feed aggregator is desktop-based, so the contents are visible—
even though not accessible—even when the user is not logged on. If the user clicks
a link, he or she will be prompted for credentials.

Configuring RemoteApp And Desktop Connections on Unmanaged
Computers
One advantage to using RD Web Access to display RDS resources is that the computer the
user connects from doesn’t have to be a work computer. As long as users know which URL
to connect to and the computer meets the minimum requirements for connecting (RDC 6.1
to use the RD Web Access website, or Windows 7 to connect to RemoteApp And Desktop
Connections), then they can log on from anywhere they can connect. The computer they use
does not have to be joined to the domain or have ever been connected to it.
To set up RemoteApp And Desktop Connections manually, follow these steps.
1. Open the Control Panel and click the icon for RemoteApp And Desktop Connections to
open the initial screen. If no RemoteApp And Desktop Connections exist now, the right
pane will be blank.
2. Click the link to add a new RemoteApp And Desktop Connection.
3. Type the URL the administrator provided in the text box. This URL will look something
like this: https://servername/rdweb/feed/webfeed.aspx, where servername is the name
of the RD Web Access server. Click Next.
4. You’ll see a warning that you’re connecting to the feed and this will download content
to your computer. Click Next again to agree to this.
5. You’ll see a progress bar as the connection is made, and then you’ll see a display screen
showing that the connection was made successfully (see Figure 9-45). This page will
show the name of the resource and the RemoteApp programs and VMs assigned to
you.

FIGURE 9-45  When you connect successfully to a RemoteApp and Desktop Connection feed, the
number of resources at the time of connection will appear in the feed.

After you’ve connected to the feed, the contents will appear on the Start menu, as shown
in Figure 9-46. It’s possible to connect to more than one feed; the contents of each will ap-
pear as nested folders.

FIGURE 9-46  All RemoteApp And Desktop Connections appear on the Start menu.

Configuring RemoteApp And Desktop Connections on Managed
Computers
The simplest way to set up RemoteApp And Desktop Connections is using a script and Group
Policy. The RDS team has created a Windows PowerShell script that you can run at user logon
time to set up the connection on a computer—just configure the script to run at logon in
Group Policy, as discussed in Chapter 5. The script is called Configure RemoteApp and Desk-
top Connection on Windows 7 Clients, and you will find a link to it on the companion media.

ON THE COMPANION MEDIA  You can download the Configure RemoteApp and
Desktop Connection on Windows 7 Clients script located at http://gallery.technet.
microsoft.com/ScriptCenter/en-us/313a95b3-a698-4bb0-9ed6-d89a47eacc72 on the
companion media.
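As an added example, which is neither the RDS team's script from the companion media nor any other code from this book, the following Windows PowerShell logon script does the same job in a form you can assign under Group Policy. It assumes the .wcx workspace-file layout and the rundll32 tsworkspace,WorkspaceSilentSetup entry point (which is how I recall the published script registering a feed; verify both against that script before relying on them), and the feed URL and workspace name are placeholders. Because the feed delivers RDP files that the client will run, the script refuses a plain-HTTP URL and a server certificate this client does not trust, instead of registering the feed anyway.

```powershell
# Added example (not the RDS team's script): register a RemoteApp And Desktop
# Connections feed on a Windows 7 / Windows Server 2008 R2 client at logon.
# ASSUMPTIONS: the .wcx layout and the "tsworkspace,WorkspaceSilentSetup"
# rundll32 entry point below are as I recall them from the published script.
param(
    [string]$FeedUrl       = 'https://rdweb.example.invalid/RDWeb/Feed/webfeed.aspx',  # placeholder
    [string]$WorkspaceName = 'Company Resources'                                      # placeholder
)
$ErrorActionPreference = 'Stop'

# The feed carries RDP files the client will execute, so never accept it over plain HTTP.
$uri = [System.Uri]$FeedUrl
if ($uri.Scheme -ne 'https') {
    throw "Refusing to configure feed '$FeedUrl': the feed URL must use https."
}

# Require the RD Web Access certificate to chain to a root this client trusts (the same
# check RDC makes). A 401 from the feed is expected here; a trust failure is not.
$req = [System.Net.HttpWebRequest]::Create($uri)
$req.Method = 'HEAD'
$req.UseDefaultCredentials = $true
try {
    $resp = $req.GetResponse()
    $resp.Close()
} catch [System.Net.WebException] {
    if ($_.Exception.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
        throw "Certificate presented by $($uri.Host) is not trusted on this client; feed not configured."
    }
}

# Write the workspace (.wcx) file that names the feed (assumed layout, see above).
$wcxPath = Join-Path $env:TEMP 'RemoteAppFeed.wcx'
$wcx = @"
<?xml version="1.0" encoding="utf-8"?>
<workspace name="$WorkspaceName" xmlns="http://schemas.microsoft.com/ts/2008/09/tswcx" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <defaultFeed url="$FeedUrl" />
</workspace>
"@
Set-Content -Path $wcxPath -Value $wcx -Encoding UTF8

# Silent setup for the current user; the exit code is returned to the logon-script engine.
$proc = Start-Process -FilePath "$env:SystemRoot\System32\rundll32.exe" `
    -ArgumentList "tsworkspace,WorkspaceSilentSetup `"$wcxPath`"" -Wait -PassThru
Remove-Item $wcxPath -ErrorAction SilentlyContinue
exit $proc.ExitCode
```

Assign the script as a user logon script (Chapter 5 covers the Group Policy side) and set the feed URL to your RD Web Access server's webfeed.aspx address; the trust check means a test server with a self-signed certificate will fail closed until its root certificate is in the client's trusted store.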

Connecting to a RemoteApp from the Start Menu

Connecting to a RemoteApp in the feed is very simple. Click its icon on the Start menu to
start the connection. At this point, one of two things will happen:
■ If you’ve already logged into the RD Web Access website and Web SSO is enabled,
you’ll be able to start any RemoteApp in any farm without providing credentials again.
■ If you have not already logged into RD Web Access or Web SSO is not enabled, you’ll
be prompted for your credentials to start the first RemoteApp in a farm.
If you click an icon for a VM pool or personal VM, you’ll always need to provide your cre-
dentials because Web SSO does not work for VMs, just for RemoteApp programs.

Updating a RemoteApp and Desktop Connection
The feed will update regularly (refreshing itself every 24 hours; this doesn’t mean you will nec-
essarily wait 24 hours to see changes you made), but you can also force updates if required.
To do so, open RemoteApp And Desktop Connections in the Control Panel and choose the
connection, click Properties, and then click Update. Then click OK.

Removing a RemoteApp and Desktop Connection

Removing a connection is extremely simple. After you’ve connected the client to a feed, this
connection will appear every time that you open RemoteApp And Desktop Connections. To
remove it, click the Remove link. You’ll be prompted to confirm that you want to remove the
connection. Click Yes, and the connection is gone.

CAUTION  The URL isn’t cached anywhere, so don’t break a connection that you
might want to return to without having the URL available.

Summary
One of the best things about RDS is that it reduces the cost of adding one more user to the
company or department. Rather than setting up a computer for each person, you just give
access to the VM pool or to the RD Session Host server. To really take advantage of this flex-
ibility, you’ll need to deploy more than one server to build a farm.
At this point, you should know:
■ How to load-balance initial connections to a farm
■ How you can display remote resources for users
■ How to configure RD Web Access server to display RemoteApp programs and VMs and
how to filter their display according to user identity
■ How the roles supporting farm access work together
■ Methods of customizing the resource display
So far, this book has focused on accessing VMs and RemoteApp programs from the LAN.
In Chapter 10, you’ll move on to information about supporting WAN scenarios with RD
Gateway.

Additional Resources
These resources contain additional information and tools related to this chapter.
■ For information on creating a Kerberos identity for an RD Session Host server farm, see
the article on the team blog located at http://blogs.msdn.com/b/rds/archive/2009/05/20/creating-kerberos-identity-for-rd-session-host-farms-part-i-using-the-remote-desktop-services-provider-for-windows-powershell.aspx.
■ See the companion media for a link to http://blog.powershell.no/category/remote-desktop-services/,
where you can find a new Windows PowerShell module for RDS that
includes cmdlets for importing and exporting allow lists.
■ A link to “Customizing Remote Desktop Web Access by Using Windows SharePoint
Services Step-by-Step Guide” is available on the companion media, or you can
download it from http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=eb2b786f-2a70-4045-a899-6d7c9a794fbc.
■ Download the Configure RemoteApp and Desktop Connection on Windows 7 Clients
script from http://gallery.technet.microsoft.com/ScriptCenter/en-us/313a95b3-a698-4bb0-9ed6-d89a47eacc72.
(The link is also available on the companion media.)
■ You can add command-line switches when starting Office applications. For example,
see http://office.microsoft.com/en-us/excel-help/command-line-switches-for-excel-HA010158030.aspx#BM4
to open Excel with custom options. Also, see http://partners.adobe.com/public/developer/en/acrobat/PDFOpenParameters.pdf#page=5
to learn how to open Adobe Acrobat files with custom options.

CHAPTER 10

Making Remote Desktop
Services Available from the
Internet
■ How RD Gateway Works  507

■ Installing RD Gateway  512

■ Configuring RD Gateway Options  521

■ Creating a Redundant RD Gateway Configuration  537

■ Placing RD Web Access and RD Gateway  576

So far in this book, you have learned how to access RemoteApp programs, virtual
machines (VMs), and Remote Desktop (RD) Session Host sessions when your users are
located on your internal network. But what if they want to access these resources from
home, from an Internet café, or another public place? The RD Gateway role service allows
secure Remote Desktop Protocol (RDP) access from clients located outside the corporate
network to resources located inside the corporate network, without needing any special
software on the client, as long as it supports connecting via RD Gateway.

How RD Gateway Works

RD Gateway is an RDS role service that acts as an intermediary between the external client
and the internal resource that the user wants to use. It governs who is allowed to connect
via RD Gateway (Connection Access Policies, or CAPs) and what resources (VMs, sessions,
even physical computers) the people who are allowed to connect can use (Resource Ac-
cess Policies, or RAPs). This is how it works:
1. A user wanting access to an internal RDP resource runs the RDP file pointing to
that resource, whether from a saved RDP file, from RemoteApp and Desktop
Connections, from RD Web Access, or by starting a Remote Desktop Connection
(RDC) and typing in the needed information to make the connection.
2. The RDP file is configured with the RD Gateway information defined locally, or
when the resource was published, and the connection request goes to RD Gateway.

3. RD Gateway first authenticates the client and verifies that the client is authorized to
make this connection by checking the user credentials against its RD Connection Ac-
cess Policies (RD CAPs).
4. If the client is authenticated and authorized, RD Gateway then verifies that the client is
allowed to connect to the requested resource by checking its RD Resource Access Poli-
cies (RD RAPs).
5. If the client is allowed access to the requested resource, RD Gateway establishes an
RDP connection to the resource. Thereafter, all traffic for this connection is proxied
through RD Gateway, as shown in Figure 10-1. RD Gateway forwards packets back and
forth from the RD Session Host server and the remote client, sending RDP packets over
port 3389 to the internal RDP resource, and Secure Sockets Layer (SSL)–encapsulated
packets over port 443 to the remote client.

[Figure 10-1 diagram: the remote client reaches RD Gateway through an SSL tunnel on port 443.
RD Gateway checks that the user is authorized to (1) connect to RD Gateway and (2) access the
requested resource, then opens RDP sessions on port 3389 into the internal network: RD
Virtualization Host servers (pooled VMs, personal VMs), the RD Session Host server farm
(RemoteApp, full desktop session), and desktop computers.]

FIGURE 10-1  RD Gateway acts as the middleman for connections to RDP resources.

Understanding RD Gateway Authorization Policies
RD Gateway uses two distinct types of authorization policies, in consecutive order, to control
connections to internal RDP resources. First, the connecting client’s user, and optionally com-
puter credentials, are checked against RD CAPs to see that the connecting client is allowed to
access RD Gateway. Specifically, RD CAPs define:
■ Which users (specified by user group membership) can connect to RD Gateway
■ From which computers (specified by computer group membership) users can connect
(optional)
■ Supported authentication methods (smart card or password)
■ Which client devices will be redirected to the remote session
■ Optional timeouts for active and idle sessions
RD CAPs are stored in a Network Policy Server (NPS), part of the Network Policy and Ac-
cess Services role in Windows Server 2008 R2. The Network Policy and Access Services role is
installed automatically when you install RD Gateway; if you like, you can elect to store the RD
CAPs on a central NPS to allow multiple RD Gateway servers to draw their RD CAPs from the
same server. (This also makes sense if you’re using NPS for other reasons.)

NOTE  The section entitled “Using a Central NPS to Store RD CAPs” later in this chapter
provides more information about how to set up centralized RD CAPs.

After the RD Gateway has established that its RD CAPs allow the user to connect, it checks
the resource requested against its RD RAPs. RD RAPs specify which internal resources (speci-
fied by computer groups) a user is allowed to access via RD Gateway. This two-tiered system
makes it possible to specify, for example, that a user can connect via the Internet but cannot
connect to his or her desktop computer via RD Gateway, even though he or she can do so
when connecting from the local area network (LAN).
Think of RD CAPs and RD RAPs as specifying who can get to what. RD CAPs define who can
connect to RD Gateway, and RD RAPs define what internal resources user groups can connect
to after they connect to RD Gateway. You can have multiple RD CAPs and RD RAPs in use at
the same time. A user must meet the requirements specified on at least one RD CAP and one
RD RAP to connect to RD Gateway and then to do anything after that.
To use RD Gateway, you must create at least one RD CAP and one RD RAP. But you might
need more than one of each to control access to RD Gateway and to network resources more
explicitly. Defining multiple RD CAPs and RD RAPs allows you to be very specific when grant-
ing network access instead of giving clients full access to every RDP-enabled device on the
network that they could get to while on the LAN.
It’s easiest if you group RD CAPs and RD RAPs conceptually. For instance, you can use two
RD CAPs and two RD RAPs to specify the following connection requirements:
■ Company Accounting Team Remote Access Authorization Policies

• RD CAP: Accounting user group members can establish a connection to RD Gate-
way, but only when they are using computers that belong to the Accounting com-
puter group. These users can connect only using smart cards, and device redirection
will be disabled.

• RD RAP: Accounting group users can then connect only to Accounting computers
as well as the company RDS farm.
■ Company Sales Team Remote Access Authorization Policies

• RD CAP: Sales user group members can connect to RD Gateway from any computer.
They can use password authentication, and clipboard and printer redirection are
allowed.

• RD RAP: Sales user group members can connect to computers that are members of
the Sales computer group.

NOTE  The next section will show you how to create an RD CAP and RD RAP as part of the
RD Gateway installation procedures. For information on creating RD CAPs and RD RAPs
post-installation, see the section entitled “Creating and Maintaining RD Gateway Authori-
zation Policies” later in this chapter.

RD Gateway Requirements
RD Gateway is an RDS role service and therefore runs on Windows Server 2008 R2. Hardware
requirements can vary, depending on the load the role service will accommodate. But in gen-
eral, RD Gateway can accommodate a large number of concurrent connections on standard
server hardware. For example, RD Gateway capacity planning information provided in the
Windows Server 2008 R2 guide shows that a dual processor server with 4 GB of RAM can ac-
commodate more than 1200 connections.

ON THE COMPANION MEDIA  Get the RD Gateway Capacity Planning in
Windows Server 2008 R2 guide at http://www.microsoft.com/downloads/en/
details.aspx?displaylang=en&FamilyID=d31ac8fd-6ad8-4c5e-8dc3-a93fb55abc76.
This link is also available on the companion media.

It’s also worth noting that RD Gateway can be virtualized. RD Gateway can also be limited
as to the number of simultaneous connections it can accommodate, depending on the ver-
sion of Windows Server 2008 R2 you are using. See the section entitled “Limiting Simultane-
ous Connections to RD Gateway” later in this chapter for more information on this limitation.
Windows Server 2008 R2 Standard edition can accommodate a maximum of 256 connections.
Foundation edition can accommodate a maximum of 50 simultaneous connections. Windows
Server 2008 R2 Enterprise and Datacenter editions are unlimited.

To implement RD Gateway, you’ll need certificates that allow the client and RD Gateway to
set up a trusted communications channel, and the clients will need to use a supported oper-
ating system and RDP client.
First, you’ll need a certificate for RD Gateway to use. For RD Gateway and remote clients
to establish an encrypted connection to one another, you must install a server authentica-
tion certificate (an SSL certificate) in the RD Gateway server certificate store. You can get the
certificate from a public certificate authority (CA), or if you maintain your own Public Key
Infrastructure (PKI), you can generate your own server authentication certificate.

NOTE  For testing purposes, you can create a self-signed certificate using RD Gateway
Manager, but it is not recommended to use self-signed certificates in a production
environment.

Regardless of where you get the certificate, remote computers connecting to the RD
Gateway server will attempt to verify the validity of the RD Gateway certificate. They do this
by searching their own trusted root certificate store for the root CA certificate of the CA that
signed the RD Gateway certificate. If the root CA certificate is there, the client trusts the root
CA and therefore can trust the RD Gateway server (this is called the chain of trust). If not, then
the connection will not be established.
It’s often easiest if you use public certificates or have your own certificates signed by a
public CA. You might not have control over the remote computers used to connect to RD
Gateway if they’re not company assets or computers belonging to the users connecting via
the Internet. Therefore, either purchase an SSL certificate from a public CA that is part of the
Microsoft Root Certificate Program or have your root CA certificate cosigned by a public CA
that is part of this program. Members of this program have their root CA certificates already
installed on Windows operating systems (and they can be updated by Windows Update), so
you will decrease the chance of user connections failing due to certificate validation issues.
If you use certificates that aren’t already in the client’s trusted store, users will need to install
them before they can connect to RD Gateway.

NOTE  For more information on the Microsoft Root Certificate Program and certificates in
general, see Chapter 9, “Multi-Server Deployments.”

To work with RD Gateway, the SSL certificate must have the following attributes:
■ The certificate must be a computer certificate because users will be authenticating with
a server, not a person.
■ The extended key usage for the certificate must be Server Authentication (OID
1.3.6.1.5.5.7.3.1).
■ The certificate Subject name should match the Domain Name System (DNS) name
that the client will use to connect. For instance, if remote users will connect to the RD
Gateway name of rdgateway.ilove2ski.net, this needs to be the subject on the certifi-
cate. You can also use a wildcard certificate to work for all subdomains (for example,
*.ilove2ski.net).
NOTE  To specify multiple alternative names for a certificate, use a certificate that uses
the Subject Alternative Name (SAN) attribute. For example, if you use both the .com
and .net variations of your domain, you can specify both rdgateway.ilove2ski.net and
rdgateway.ilove2ski.com. If the certificate uses the SAN attributes, then users can con-
nect only using RDP 6.1 (available in Windows Vista SP1, Windows XP SP3, or Windows
Server 2008) and later.
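To check a candidate certificate against these attributes before you point RD Gateway at it, here is an added Windows PowerShell function that is not part of the book. It reads the computer's Personal store, verifies the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1), matches the Subject CN or any DNS entry in the Subject Alternative Name against the name clients will use (including a single-label wildcard such as *.ilove2ski.net), confirms a private key is present, and builds the chain the way a connecting client would. The gateway name in the call is the book's example name; the regular expression for the SAN text assumes the English "DNS Name=" label that .NET prints on Windows.

```powershell
# Added example (not from the book): audit certificates in the computer store against
# the RD Gateway certificate requirements. ASSUMPTION: X509Extension.Format() emits
# English "DNS Name=" labels for SAN entries on this system.
function Test-RDGatewayCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$GatewayFqdn,   # DNS name clients connect to
        [string]$StorePath = 'Cert:\LocalMachine\My'           # computer certificate store
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $sanOid        = '2.5.29.17'

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Names the certificate claims: the Subject CN plus any DNS names in the SAN.
        $names = @()
        if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
        if ($san) {
            $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value }
        }

        # Exact match, or a wildcard that covers exactly one label to the left.
        $nameOk = $false
        foreach ($n in $names) {
            if ($n -eq $GatewayFqdn) { $nameOk = $true; break }
            if ($n.StartsWith('*.')) {
                $suffix = $n.Substring(1)                       # ".ilove2ski.net"
                if ($GatewayFqdn.EndsWith($suffix)) {
                    $left = $GatewayFqdn.Substring(0, $GatewayFqdn.Length - $suffix.Length)
                    if ($left.Length -gt 0 -and -not $left.Contains('.')) { $nameOk = $true; break }
                }
            }
        }

        # Extended key usage must include Server Authentication.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekuOk = ($eku -ne $null) -and
                 ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })

        # Build the chain as a client would; a self-signed test certificate fails here
        # unless its root has been imported into the trusted root store.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'       # revocation is a separate check
        $chainOk = $chain.Build($cert)

        New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            NameMatches   = $nameOk
            ServerAuth    = [bool]$ekuOk
            HasPrivateKey = $cert.HasPrivateKey
            ChainTrusted  = $chainOk
            NotAfter      = $cert.NotAfter
            Usable        = ($nameOk -and [bool]$ekuOk -and $cert.HasPrivateKey -and
                             $chainOk -and ($cert.NotAfter -gt (Get-Date)))
        }
    }
}

# Example call using the book's sample gateway name.
Test-RDGatewayCertificate -GatewayFqdn 'rdgateway.ilove2ski.net' |
    Format-Table Usable, NameMatches, ServerAuth, HasPrivateKey, ChainTrusted, NotAfter, Subject -AutoSize
```

A certificate that shows Usable False tells you which requirement it misses before any user sees a connection failure; ChainTrusted is evaluated on the server, so a client outside the domain can still distrust a private CA that this machine trusts, which is the point the text makes about public CAs.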

Second, you’ll need to ensure that the clients can use RD Gateway. RD Gateway has the
following client requirements:
■ The clients must be running Windows XP (With Service Pack 2) or later. Windows CE
and non-Windows clients don’t work with RD Gateway natively.
■ The clients must have RDC 6.0 or later installed, or RDC 7 to support all the features of
RD Gateway in Windows Server 2008 R2.

NOTE  Although you can technically connect to RD Gateway using RDC 6.0, we recom-
mend using RDC 6.1 or later. RDC 6.0 lacks some important features such as the ability
to access RD Web Access and the ability to use SAN certificates on RD Gateway. And
remember, you need RDC 7.0 or later to get the latest feature set.

Installing RD Gateway
To install the RD Gateway Role Service, log on with an Administrator account and proceed
through the wizard as described in the following steps.
1. Open Server Manager, add the Remote Desktop Services role, and choose the RD
Gateway Role Service when prompted. If the Remote Desktop Services role is already
installed, then select the Remote Desktop Services Role, click Add Role Service in the
right pane, choose RD Gateway, and click Next.
2. You will be prompted to install any required role services required for RD Gateway,
as shown in Figure 10-2. RD Gateway requires Internet Information Services (IIS) 7.5,
which includes the required RPC over HTTP Proxy feature, RSAT Role Administration
Tools, and Network Policy and Access Services, which is used to store RD CAPs. Click
Add Required Role Services and then click Next.

FIGURE 10-2  Install any required role services and features for RD Gateway.

3. You will be prompted to provide a server authentication certificate to use for establish-
ing SSL connections. If you have already installed the required server authentication
certificate in the server’s Computer certificate store, it will appear in the list of certifi-
cates to choose from, as shown in Figure 10-3.
Otherwise, you can create a self-signed certificate (you should use this type of cer-
tificate only for testing in a nonproduction environment). If you don’t currently have
a certificate installed, you can skip this step by selecting Choose A Certificate For SSL
Encryption Later. Click Next.

CAUTION  If the RD Gateway server has more than one server authentication
certificate installed, the wizard will preselect the first one that it finds. This might
not be the one that you intend to use, and if it does not meet the requirements and
the user does not trust it, the connections won’t work. If you have more than one
server authentication certificate installed on the server, check to make sure that RD
Gateway is configured with the right certificate.

FIGURE 10-3  Choose an SSL certificate to use with RD Gateway.

4. On the next page, you’ll be prompted to create the required RD CAP and authorization
policies; do so by selecting the option Now and then clicking Next. (You can also opt
to do this later using the RD Gateway Management Console, but remember that you
must have at least one RD CAP specified before users can be authorized to connect to
RD Gateway and at least one RD RAP to enable users to get to resources.)
5. Add the local or domain user groups that will be associated with both the RD CAP and
the RD RAP. First, you will create an RD CAP. By default, the local Administrators group
is already added to the input box. Members of the user groups added here are allowed
to connect to RD Gateway. To add multiple user groups, type them and separate them
with a semicolon, or click the Add button to pick a group from Active Directory Do-
main Services (AD DS). If the user groups that you want to add are located in different
domains, you must use the Add button to add each one. Click Next.
6. Specify the name for the RD CAP (the default when you do this during installation is
TS CAP 01, but you can change it) and choose the Windows authentication method by
which users specified in this RD CAP can connect to RD Gateway by selecting the check
box next to Password or Smart Cards, or both boxes. Click Next.
7. Now you will create an RD RAP. Enter the name of the RD RAP (the default when you
do this during installation is TS RAP 01) and add a domain computer group that con-
tains the resources to which user groups will connect. Alternatively, you can give users
full access to internal RD Session Host servers and computers with Remote Desktop
enabled by choosing Allow Users To Connect to Any Computer On The Network. Click
Next.

NOTE  If you choose to create an initial RD RAP while installing RD Gateway, remember
that the wizard associated the same user group(s) with both the RD CAP and RD RAP.
You will need to edit the policies later if this is not specifically what you want.

8. If you are installing NPS, the Network Policy and Access Services introduction page
appears. Click Next, and then click Next to install NPS.
9. If you previously chose to install IIS, then the Internet Information Services (IIS) intro-
duction page appears. Click Next, and then click Next again to install the selected IIS
role services.
10. Confirm the installation selections and click Install. When the installation is complete,
you will see an Installation Results page showing that the installation is successful. Click
Close.

Installing RD Gateway Using Windows PowerShell

You can install RD Gateway via Windows PowerShell by opening a command prompt and typ-
ing the following commands:

PS C:\Users\admin> import-module servermanager

PS C:\Users\admin> add-windowsfeature RDS-Gateway

A successful result will return the following information:

Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True    No             Success   {Network Policy Server, Web Server (IIS) T...

If you use Windows PowerShell to install RD Gateway, you are not prompted to install any
dependent components; they are installed automatically as needed. Also, an RD CAP and RD
RAP are not created, so you must configure the policies manually before users can use RD
Gateway. Finally, RD Gateway will not be configured to use an SSL certificate. You will need to
install an appropriate certificate if you have not done so already, and manually configure RD
Gateway to use it.

NOTE  To see how to add an SSL certificate to an RD Gateway server, see the section en-
titled “Choosing an SSL Certificate to Use with RD Gateway” later in this chapter.
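As an added example that is not from the book, here is a script that completes the three things the cmdlet leaves undone: choosing the certificate, creating an RD CAP, and creating an RD RAP. It uses the Remote Desktop Services provider for Windows PowerShell (the RDS: drive that Chapter 9's Additional Resources point to). The RDS:\GatewayServer paths, the New-Item parameter names (-UserGroups, -AuthMethod, -ComputerGroupType, -ComputerGroupName), the SSLCertificate\Thumbprint item, and the meaning of the numeric codes are given as I recall the provider's documentation and are assumptions to verify on your own server with Get-Help and Get-ChildItem; the group names and the gateway FQDN are placeholders. The policies follow the Accounting example from the previous section: smart card only, and access limited to one computer group rather than every RDP-enabled machine.

```powershell
# Added example (not from the book): scripted RD Gateway setup after add-windowsfeature.
# ASSUMPTIONS: RDS:\GatewayServer item paths, New-Item parameter names and the
# numeric codes below are as I recall from the RDS provider docs; verify with
#   Get-Help New-Item -Path RDS:\GatewayServer\CAP ; Get-ChildItem RDS:\GatewayServer
# Group names and the FQDN are placeholders.
$ErrorActionPreference = 'Stop'
Import-Module ServerManager
$result = Add-WindowsFeature RDS-Gateway
if (-not $result.Success) { throw "RDS-Gateway installation failed: $($result.ExitCode)" }

Import-Module RemoteDesktopServices

# 1. Certificate: choose the server-authentication certificate issued for the public
#    gateway name yourself, rather than accepting whichever one a wizard finds first.
$gatewayFqdn = 'rdgateway.ilove2ski.net'        # placeholder (the book's sample name)
$serverAuth  = '1.3.6.1.5.5.7.3.1'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and $_.Subject -like "CN=$gatewayFqdn*" -and
        ($_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $serverAuth })
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No server-authentication certificate for $gatewayFqdn in LocalMachine\My" }
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $cert.Thumbprint   # assumed item path

# 2. RD CAP: who may reach the gateway. Smart card only for this group.
#    -AuthMethod code assumed: 1 = password, 2 = smart card, 3 = either.
New-Item -Path RDS:\GatewayServer\CAP -Name 'Accounting-CAP' `
    -UserGroups 'Accounting@CONTOSO' -AuthMethod 2

# 3. RD RAP: what they may reach. Scope it to an AD DS computer group instead of
#    "any computer". -ComputerGroupType code assumed: 1 = AD DS network resource group.
New-Item -Path RDS:\GatewayServer\RAP -Name 'Accounting-RAP' `
    -UserGroups 'Accounting@CONTOSO' -ComputerGroupType 1 -ComputerGroupName 'AccountingPCs@CONTOSO'

# Show what was created so the result can be checked against the intended policy.
Get-ChildItem RDS:\GatewayServer\CAP, RDS:\GatewayServer\RAP
```

Run it in an elevated Windows PowerShell session on the gateway after the certificate has been installed in the computer's Personal store; if the provider rejects a parameter name or code, the property names listed by Get-ChildItem under RDS:\GatewayServer\CAP and RAP are the ones to use.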

Creating and Maintaining RD Gateway Authorization
Policies
Post-installation, the first thing that you want to do to configure RD Gateway is to establish
an RD CAP and RD RAP. You have the option of configuring an RD CAP and RD RAP when
you install RD Gateway from the wizard, so you might have already configured one of each.

However, you can skip this step and configure them post-installation; you might not want to
link the RD CAP and RD RAP as closely as the installation wizard does, and if you install via
Windows PowerShell, you can’t install an RD CAP or RD RAP while installing the role service.
You’ll need to know how to configure RD CAPs and RD RAPs post-installation and as your ac-
cess strategy develops over time.
RD CAPs and RD RAPs work together to give remote users access to internal resources.
Although the result relies on both of these items being configured, RD CAPs and RD RAPs are
not necessarily tied to each other. That said, if you allow a user access to RD Gateway but do
not give permission to connect to any resources, the connection will fail. Make sure that the
RD CAPs and RD RAPs, although independent, complement each other.

NOTE  Using the installation wizard to create RD CAPs and RD RAPs makes it appear that
the two are more linked than they are. The user groups that you specify in the RD CAP are
merely supplied in the corresponding user group entry box for both RD CAPs and RD RAPs,
but a user group can be associated with more than one RD RAP.

Creating an RD CAP
Creating an RD CAP after installation is similar to doing it using the installation routine de-
scribed in the section entitled “Installing RD Gateway” earlier in this chapter. However, there
are some differences that are pointed out in the following steps.
1. From RD Gateway Manager (located in the Remote Desktop Services tools), expand the
Policies folder in RD Gateway Manager, right-click the Connection Authorization Poli-
cies folder, and choose Create New Policy, then choose Wizard to start the Create New
Authorization Policies Wizard.
2. You still have the option to create both an RD CAP and an RD RAP, or to create only
one or the other. If you choose to create both, the wizard will run through both the RD
CAP and RD RAP wizards consecutively. This time, choose Create Only A RD CAP and
click Next.

NOTE  If you configure RD Gateway to use a centralized NPS, then RD CAPs are not
locally managed and stored. When RD CAPs are stored on a centralized NPS, you can
create only an RD RAP instead of both an RD RAP and RD CAP. You will instead see a
Central Network Policy Servers folder. If you right-click the folder and choose Configure
Central RD CAP, this will actually take you to RD Gateway Properties, where you can
adjust the settings for the centralized store. You have to create centralized RD CAPs on
the centralized NPS server instead. For more information on centralized RD CAPs see
the section entitled “Using a Central NPS to Store RD CAPs” later in this chapter.

3. Enter a name for the RD CAP (to help you distinguish RD CAPs, use a specific naming
convention for your authorization policies, perhaps related to what user group it will
apply) and click Next.
4. Specify the Windows authentication method (password, smart card, or both) that is
required, and then add the user groups and the computer groups that are authorized
to connect to RD Gateway, as shown in Figure 10-4. For example, you could choose to
require smart-card authorization when using RD Gateway, even if users can log on with
passwords while on the LAN.

FIGURE 10-4  Select a supported Windows authentication method and add user and computer
groups to which the RD CAP applies.

NOTE  If you add both users and computer requirements to the RD CAP, then the two
are cumulative; a user who is allowed to access RD Gateway must also be using a com-
puter that is allowed to connect to RD Gateway.

Notice that this step differs from the RD Gateway installation wizard. The installation
wizard asks you to supply local or domain user groups that will be associated with both
the RD CAP and RD RAP. This wizard does not do this. Instead, it asks you to supply
user groups for only the connection authorization policy. Click Next.
5. In Windows Server 2008 R2, RD Gateway can enforce device redirection; this is a
change from Windows Server 2008, which did not enforce it. By default, the RD CAP
allows all device redirection—the policies applying to the endpoint can limit further,
but you can use RD Gateway to limit device redirection even more over the wide area
network (WAN) than is commonly done on the LAN. Disable device redirection for
clients by selecting Disable Device Redirection For The Following Client Device Types
and then selecting the boxes next to the devices that should not be redirected.

This differs from the RD Gateway installation wizard, which does not give you the op-
tion to disable or limit device redirection at all. Instead, the initial RD CAPs created with
the installation wizard will have device redirection enabled for all client devices.
You can also deny client connections to RD Session Host servers that do not enforce
RD Gateway device redirection. If you choose this option, you will limit connections to
Windows Server 2008 R2 and Windows 7 endpoints, because older operating systems
do not enforce RD Gateway secure device redirection. Click Next.

6. On the next page, you can set timeouts for active and idle sessions.
To reclaim unused resources on RD Gateway, you can configure the gateway to disconnect idle sessions after a specified time period (defined in minutes). This will prevent users from walking away and leaving sessions open.
You can also set a timeout for active sessions (in minutes). The session can be just disconnected; this forces the user to reinitiate the session and log on again. You can also choose to silently reauthenticate the user to the session. Choosing this option means that the user and session are reauthenticated and reauthorized, but without any impact on the user or session. However, if policies have changed, then the user would have to reauthenticate when the session timeout limit is reached, and the new policies would then take effect, thus keeping sessions consistently conforming to the most up-to-date policies.
7. Review the Summary page to make sure that you chose the right settings, and then click Finish.

HOW IT WORKS

Using RD Gateway to Restrict Device Redirection By User Group

In Windows Server 2008, disabling drive redirection from the RD CAP would have no effect if drive redirection was enabled on the client and the destination computers were protected via RD Gateway.

In Windows Server 2008 R2, this has changed. If drive redirection is disabled in RD Gateway, then it will be disabled no matter what the client and server have configured. If RD Gateway enables drive redirection, but the client or server disables it, then redirection is likewise disabled. This is great for restricting resources based on user group (remember that only printer redirection can be restricted in the user account in Active Directory Users And Computers). For instance, you could use precreated, signed RDP files to give users access to resources, and the RDP file would be configured to use RD Gateway for every connection. Then the policies on the RD Gateway would be configured to restrict certain device redirection based on user group membership. The file is read-only by the nature of it being signed, so tampering with it would break it.

This new RD CAP defines what combination of users (and optionally computers) are allowed to access RD Gateway, but it doesn't get users any farther than the RD Gateway because you haven't yet defined any resources that they are allowed to access. To define what resources users can access after they are allowed to connect to RD Gateway, you'll need to create an RD RAP, which is discussed next.

Creating an RD RAP
Creating an RD RAP using RD Gateway Manager is very similar to creating one using the installation wizard except that you are asked to associate user groups with the RD RAP. You can also create and use RD Gateway–specified computer groups in the RD RAP, which isn't an option when using the installation wizard. To do this, perform the following steps.
1. Expand the Policies folder in RD Gateway Manager, right-click the Resource Authorization Policies folder, choose Create New Policy, and then choose Wizard to start the Create Authorization Policies For RD Gateway Wizard.

NOTE  Even if you’re using a centralized NPS to store RD CAPs, you still create RD RAPs
on the local RD Gateway. RD RAPs are not stored by NPS.

2. Again, you can choose to create both an RD CAP and an RD RAP or to create only one or the other. If you choose to create both, then the wizard will run through both the RD CAP and RD RAP wizards consecutively. Choose Create Only A RD RAP and click Next.
3. Enter a name for the RD RAP (again, choose something descriptive) and click Next.
4. Add local or domain user groups associated with this RD RAP that can access the resources specified in it. To specify multiple user groups, separate them with a semicolon or click Add again to add another group. If the groups that you want to add are in different domains, you must use the Add Group button to add the user groups from each domain. Click Next.
5. Now, choose the resources that the specified user group(s) can connect to. You can allow users to connect to any network resource, specify one domain computer group, or specify one RD Gateway–managed computer group. If you are allowing access to an RD Session Host server farm, you must choose the Select An Existing RD Gateway–Managed Computer Group Or Create A New One option. The details of this option are discussed in the section entitled "Using RD Gateway Computer Groups to Enable Access to a Server Farm" later in this chapter. For now, choose Allow Users To Connect To Any Network Resources. Click Next.

NOTE  If you create an RD RAP during the initial installation, you won’t have the option
of choosing an RD Gateway–managed group.

6. Remember that RD Gateway acts as a proxy for the network resources to which users will remote. On the next page, specify the port that people are able to use via RD Gateway. By default, the gateway will allow connections only via port 3389, which is the default port for RDP. You can opt to configure another port (or ports separated with a semicolon), for example, if you've edited the port that RDP uses. You can also choose to allow connections through any port. Most of the time, you'll use 3389 for RDP traffic, so choose that option now. Click Next.
7. In the final page of the wizard, you'll see a summary of the settings that you've configured. Click Finish and the new RD RAP will be visible in the Resource Authorization Policies folder.

NOTE  If you are familiar with the process of creating an RD RAP, you can skip the wizard and just fill in the requirements for the authorization by right-clicking the Resource Authorization Policies folder in RD Gateway and then choosing Create New Policy, Custom. This opens a tabbed New RD RAP dialog box, which you can use to fill in the same settings for which you're prompted in the wizard.

Modifying an Existing Authorization Policy
To modify an existing RD CAP or RD RAP in RD Gateway Manager, select the Connection Authorization Policies folder or the Resource Authorization Policies folder, respectively. You'll see the related authorization policies in the center pane. Double-click the policy that you want to edit. Edit the policy properties on each of the tabs as appropriate and then click OK to save and close the policy.
You also have the option to disable or enable a policy (for example, you might need to test the impact of a particular authorization policy). By default, all created policies are enabled. Disable a policy by clearing the Enable This Policy check box on the General tab of the policy.

Configuring RD Gateway Options

After you have installed RD Gateway and put the right RD CAPs and RD RAPs in place, you can tweak the configuration to suit your needs. The RD Gateway configuration options are contained in the Properties pane of the RD Gateway server. To manage RD Gateway, open the RD Gateway Management Console by going to Start/Administrative Tools/Remote Desktop Services/RD Gateway Manager. The RD Gateway Manager opens, as shown in Figure 10-5.

FIGURE 10-5  Manage RD Gateway via the RD Gateway Management console.

Click the server in the left pane to view the Connection Status and Configuration Status details in the middle pane. This pane contains three sections, each of which contains information and links to configuration pages in RD Gateway. The three sections are
■ The Connection Status, which shows you how many connections are currently established with RD Gateway and how many resources users are connected to. When people are using RD Gateway, you can monitor and disconnect active connections here. Open the Monitor Active Connections page by clicking the corresponding link.
■ The Configuration Status section, which tells you how many RD CAPs and RD RAPs are presently configured. If you have set up an RD Gateway farm, this section indicates how many servers are in that farm.

NOTE  RD Gateway farms are discussed in the section entitled “Creating a Redundant
RD Gateway Configuration” later in this chapter.

You can also create or modify RD CAPs and RD RAPs here by clicking the View Connection Authorization Policies link and the View Resource Authorization Policies link, respectively.
Create or modify an RD Gateway farm by clicking the Add RD Gateway Server Farm Members link.
■ The Related Documentation section, which provides links to RD Gateway configuration Help files.
RD Gateway lets you know if you skipped vital settings by displaying a red circle with an X or a yellow triangle with an exclamation point next to the settings that need further configuration. For example, recall that an installation using Windows PowerShell isn't complete. The RD Gateway Management Console will display the warnings shown in Figure 10-4 if you install RD Gateway using Windows PowerShell.

NOTE  You can edit specific settings by clicking the link next to the green arrows in the
middle pane of RD Gateway Manager.

Tuning RD Gateway Properties

After you have installed RD Gateway, it's time to configure it to suit your needs. Configure or edit RD Gateway settings by right-clicking the RD Gateway server in the left pane and choosing Properties. The server Properties dialog box appears, as shown in Figure 10-6.

FIGURE 10-6  Configure or edit RD Gateway settings using the RD Gateway Properties dialog box.

From here, you can edit the settings as described in the following sections.

Limiting Simultaneous Connections to RD Gateway

The General tab of the RD Gateway Properties dialog box is where you specify the number of simultaneous connections that you will allow RD Gateway to handle. The maximum depends on the version of Windows that's installed. Windows Server 2008 R2 Standard Edition supports a maximum of 250 simultaneous connections through RD Gateway, and it is set by default to allow this maximum. (Windows Server 2008 R2 Enterprise and Datacenter editions have no limit, and the Foundation edition supports a maximum of 50 simultaneous connections.)
Instead of using the default setting, you can set a specific number of simultaneous connections (for performance reasons, for example). To do so, choose Limit Maximum Allowed Simultaneous Connections To. Then specify a number in the corresponding selection box.
To drain connections from this server (for maintenance), select the Disable New Connections option button. Doing this does not allow any more new connections to RD Gateway, but it leaves the existing ones undisturbed until the user disconnects or ends the session.

Choosing an SSL Certificate to Use with RD Gateway
If you didn't define a certificate while installing RD Gateway, you'll need to do so afterwards, or when you're moving from a self-signed certificate to one signed by a trusted CA. Go to the SSL Certificate tab on the RD Gateway Properties dialog box to select an SSL certificate to use with RD Gateway.

NOTE  TLS is based on SSL, so the process to create an encrypted communication tunnel is the same for both. Refer to the section entitled "Transport Layer Security" in Chapter 8, "Securing Remote Desktop Protocol Connections," to see how SSL encryption works.

If you have already configured RD Gateway to use a certificate, the certificate information is displayed on this tab and the Select An Existing Certificate From The RD Gateway <SERVERNAME> Certificates (Local Computer)/Personal Store option button is selected. You can choose another certificate that is already installed on the server by clicking the Import Certificate button and choosing from the certificates listed. Valid SSL certificates that are installed to the server's Computer Certificate Store Personal folder will be available in the Import Certificate pop-up dialog box. Choose a certificate and click Import.
If you do not have an SSL certificate installed on this server, you can create a self-signed certificate to use with RD Gateway. Use this certificate for testing purposes only; if it's used in a production environment, you could have issues with users who are not able to validate the certificate because it's not in their trusted root certificate store. A self-signed certificate also isn't verified by any authority.
To create a self-signed certificate, choose the Create A Self-Signed Certificate option and click the Create And Import Certificate button. The Create Self-Signed Certificate dialog box will appear, as shown in Figure 10-7.

FIGURE 10-7  Create a self-signed certificate for RD Gateway.

Enter the fully qualified domain name (FQDN) of the RD Gateway into the Certificate Name input box; this is the FQDN that is resolvable to external users. Because the certificate is self-signed, it will also act as its own root certificate. Clients must also have this certificate installed in their computers' certificate store in order to validate this same certificate used by RD Gateway. Therefore, the Store The Root Certificate check box is selected by default; this allows you to save the certificate to a file so that you can import it to the Trusted Root Certification Authorities certificate store on your test client. Click Browse, navigate to the chosen save location, and type a file name, or type the location and file name in the File Name box, and then click OK.

NOTE  To install the certificate on your test clients, open a Microsoft Management Console (MMC) on the client and add the Certificates snap-in. Expand the Certificates store tree and then right-click the Trusted Root Certification Authorities folder. Choose All Tasks, Import and follow the steps in the wizard to import the self-signed certificate file that you created from RD Gateway Manager.

You can also import a certificate to the server's certificate store and configure RD Gateway to use this certificate. To do so, select the Import A Certificate Into The RD Gateway <SERVERNAME> Certificates (Local Computer)/Personal Store option button. Then click the Browse And Import Certificate button. Browse to the certificate file that you want to import, select the file, and click Open.

Choosing an RD CAP Store

RD Gateway stores RD CAPs in an NPS store, which is why you had to install NPS when installing RD Gateway. The RD Gateway default installation uses a local NPS server to store RD CAPs, but you can use another NPS server for this purpose instead. This comes in handy when you have more than one RD Gateway server but both use the same RD CAPs (multiple RD Gateway servers act as a farm). Each RD Gateway server can be set to use a central NPS storage location and one set of RD CAPs instead of each maintaining its own RD CAPs. You might also opt for this setup if you already maintain an NPS server and want to use it to store RD CAPs instead of using NPS on the RD Gateway server. Use this tab to configure RD Gateway to use a central NPS store. To use a central server, select the Central Server Running NPS option, enter the central server's name or IP address into the input box, and click Add.

RD Gateway Server Farms

Select the Server Farm tab. This tab allows you to specify an RD Gateway server farm. If you load-balance RD Gateway servers but your inbound connections are seen as all coming from the firewall Internet Protocol (IP) address, then you need to add each RD Gateway server that is part of the fault-tolerant solution to an RD Gateway farm on this tab. This makes sure that the two connections that occur per SSL connection (one inbound and one outbound connection) get sent to one RD Gateway server instead of being split between multiple RD Gateway servers.

NOTE  To load-balance RD Gateway servers, see the section entitled "Creating a Redundant RD Gateway Configuration" later in this chapter.

Auditing RD Gateway Events
For troubleshooting and planning purposes, auditing connection events is a good idea. The RD Gateway Auditing tab, shown in Figure 10-8, allows you to specify the RD Gateway events that you want to log.

FIGURE 10-8  Logging RD Gateway events is enabled by default.

These events are logged in the Event Viewer under Applications And Services Logs/Microsoft/Windows/TerminalServices-Gateway. By default, all available RD Gateway connection and authorization events are logged (the options are all checked on this tab). To modify which connection and authorization events are audited, select or clear the boxes corresponding to the available events in the Select Events To Log dialog box. Generally, failed events are more significant than successful ones because they can signal unauthorized attempts or annoyed users.

Using RD Gateway with SSL Bridging

Select the SSL Bridging tab. Positioning options for RD Gateway are covered in the section entitled "Placing RD Web Access and RD Gateway" later in this chapter. One option is to use Microsoft Forefront Threat Management Gateway (TMG) 2010 (the rebranded Microsoft Internet Security and Acceleration Server) or another SSL bridging device to bridge incoming SSL connections in the perimeter network to RD Gateway on the internal network.

If you do this, then you need to set up SSL bridging on this tab. SSL bridging means that SSL requests coming from the remote client are terminated at the bridging appliance and new requests are then initiated by the bridging appliance to RD Gateway. Enable SSL bridging by selecting the Use SSL Bridging check box. Next, you need to choose a bridging method.
The first bridging method is called HTTPS-HTTPS bridging. By bridging SSL traffic, you gain further control of the communication to and from RD Gateway. The bridging product acts as a policeman by decrypting SSL connections coming from outside the network, inspecting them for malicious code, and then re-establishing the SSL session with RD Gateway if the packets pass inspection. All traffic flowing to and from RD Gateway goes through the bridging appliance. To enable HTTPS-HTTPS bridging, select the HTTPS-HTTPS Bridging (Terminate SSL Requests And Initiate New HTTPS Requests) option button.
You can also bridge HTTPS-HTTP communications between the bridging device and RD Gateway, called SSL offloading and termination. HTTPS-HTTP bridging saves processor cycles. SSL packet processing generally takes more processor cycles than regular Hypertext Transfer Protocol (HTTP) traffic. By offloading the SSL communication to TMG or another bridging device, you save processing power.
Enable HTTPS-HTTP bridging by selecting the Use HTTPS-HTTP Bridging (Terminate SSL Requests And Initiate New HTTP Requests) option button. Click OK to save your selected settings.

HOW IT WORKS

Does SSL Bridging Offer Performance Benefits?

The short answer to this question is that it depends on what kind of bridging you're doing.

When deployed with a simple firewall, the RD Gateway server is still processing all the incoming SSL traffic. During SSL communication, there is a lot of back-and-forth to establish a secure communication between client and server. The client must initiate the connection, and the server's digital certificate must be validated by the client. Then a secret session key must be established to encrypt the communications. While all this communication is going on, the RD Gateway server must still act as a proxy for the incoming connection requests. On a busy server, this can consume a lot of processor cycles.

HTTPS-HTTPS SSL bridging adds an additional layer of security to the SSL communication by examining the contents of the SSL traffic and ensuring that it contains no malicious packets before sending it to the RD Gateway. However, HTTPS-HTTPS bridging does not offload the SSL processing; it only decrypts the Hypertext Transfer Protocol Secure (HTTPS) traffic to examine it before encrypting it again to send to the RD Gateway. The RD Gateway must still do all the SSL communication processing, but now it is just safer to do so. For any performance benefit, you must implement SSL offloading and termination with HTTPS-HTTP bridging. The catch is that you must balance the performance benefit of not processing the SSL traffic with the fact that, after it leaves the bridging device, the traffic is no longer encrypted. The traffic should be passing over the private network at this point, but for some implementations, this might still be a consideration.

RD Gateway Messaging
In RD Gateway for Windows Server 2008 R2, you now can send messages to users when they request access to resources via RD Gateway. (Use these messages to educate people on company policies, warn them of service outages, and the like.) To do so, you configure the settings on the RD Gateway Messaging tab, shown in Figure 10-9.

FIGURE 10-9  Enable system and logon messaging from RD Gateway.

You can configure two types of messages:
■ Logon Message  This message displays before a user is logged onto the requested session; for example, it could be a legal notice or company remote access policy.
■ System Message  This message is displayed to users after they log on to a system, and only for a specified time period. System messages are good for notifying users of some future event, like a maintenance window, other planned downtime, or a pending change in access policies.
Logon messages are displayed each time that a user requests access to a resource via RD Gateway, but before they are logged onto the session. Configure a logon message by selecting the Enable Logon Message check box. Then click the Browse button and choose a text file that contains the logon message.
When a user requests a resource via RD Gateway before he or she is logged onto that resource, the user will see a logon message window like the one shown in Figure 10-10.

FIGURE 10-10  A user will see a logon message when attempting to access a resource via RD Gateway and RD Gateway logon messaging is enabled.

To log onto the remote desktop session, users must signify that they agree to the terms of the message by selecting the I Understand And Agree To The Terms Of This Policy check box. After users check the box and click OK, they are logged onto the remote session. If users do not agree to the terms of the message, then their only option is to click Close and cancel the request. If users agree to the message terms, then they can also select the Do Not Ask Again Unless Changes To The Policy Occur check box to suppress the logon message until the policy changes.
System messages are displayed right after a user logs onto a system, but only during the time period that you specify in the RD Gateway Messaging interface. To configure a system message, select the Enable System Message check box on the Messaging tab of the RD Gateway Properties dialog box. Type the message that you want to send into the system message input box. Finally, adjust the start and end time to reflect the time period during which users will see the message. Unlike logon messages, users cannot opt to suppress system messages. They will display every time that users invoke a new remote session during the specified time window, as shown in Figure 10-11.

FIGURE 10-11  Users will receive a system message after they log on to the requested remote session.

Because system messages display only once per session, if a user opens multiple RemoteApp programs on the same RD Session Host server, the message will display only once. All RemoteApp programs run in the same session.

CAUTION  If you use round robin DNS (RR DNS) or a dedicated redirector for RD
Session Host farm initial load balancing RD Gateway, system messages will appear
twice. This is because RD Gateway sees both the initial connection to the RD Session
Host server and also the final connection to the determined destination server. Use
network load balancing (NLB) to avoid double messaging.

Messages only display for connections made from RDC 7 or later. To prevent people from circumventing logon or system messages, you can deny RD Gateway connections from clients not running RDC 7.0 by selecting the Only Allow Connections From Remote Desktop Services Clients That Support RD Gateway Messaging check box.

Using RD Gateway Computer Groups to Enable Access to a Server Farm
As explained in the section entitled "Creating and Maintaining RD Gateway Authorization Policies" earlier in this chapter, RD RAPs define which resources a user can access via RD Gateway. However, AD DS does not have any way to represent an RD Session Host server farm. To enable people to use a farm, you must either allow access to any network resource or create an RD Gateway–managed group that maps to the farm.
You can create an RD Gateway–managed computer group when creating an RD RAP using the Create Authorization Policies For RD Gateway wizard. When creating the RD RAP, you'll be prompted to determine whether the access should extend to the following:
■ A specific domain computer group
■ All computers with the specified port (normally 3389) open
■ Members of an RD Gateway–managed computer group

If you opt to enable access to a computer group, you'll open a new page in the Authorization Policies Wizard, where you can create a new RD Gateway–managed computer group or select an existing one.

NOTE  You can also create or manage RD Gateway–managed computer groups by selecting the Resource Authorization Policies folder and then clicking the Manage Local Computer Groups link in the Actions panel on the right side of the RD Gateway Manager.

Associating RD RAPs with Computer Groups

To create a new RD Gateway–managed computer group, select Create A New RD Gateway–Managed Computer Group, enter a descriptive name for the group, and add the NetBIOS and FQDN names of each farm, as well as each farm member. If you want users to be able to connect to the farm by IP address, you can enter the IP address of the farm.
You must add all farm members to the group to enable access to the individual RD Session Host servers in the farm. The name of the farm must also be part of the managed computer group. For example, if your farm ("FarmName") includes two RD Session Host servers named RDSH1 and RDSH2 that belong to the domain called mydomain.local, you must add the following names to the RD Gateway computer group mapping to FarmName:
■ RDSH1 and RDSH1.mydomain.local
■ RDSH2 and RDSH2.mydomain.local
■ FarmName and FarmName.mydomain.local
If you change farm membership or add new servers, you will need to update the computer group to match. Each RD Gateway–managed computer group should include servers from only one farm. This will allow you to keep your resource permissions specifically defined.

NOTE  The names of RD Gateway–managed computer group members have to be resolvable in DNS or a hosts file, or you will see the error message shown in Figure 10-12 and you will not be allowed to add the entry.

FIGURE 10-12  RD Gateway–managed computer group member names must be resolvable.
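The list of six entries for the FarmName example, and the resolvability requirement in the note above, are easy to get wrong by hand when a farm has more than two members. The following is an added example, not code from the book; it generates the NetBIOS and FQDN entries for the farm and each member and checks that every one resolves before you type them into RD Gateway Manager. The farm, domain, and server names are the text's example values, and the function name and parameters are mine.

```powershell
# Added example (not from the book): build the entry list an RD Gateway–managed computer
# group needs for a farm and confirm each entry resolves, since RD Gateway Manager
# rejects names it cannot resolve (Figure 10-12).
function Get-RdGatewayFarmGroupEntries {
    param(
        [string]$FarmName,      # the farm name clients connect to
        [string]$DnsDomain,     # DNS suffix that turns a NetBIOS name into an FQDN
        [string[]]$Members      # RD Session Host servers in the farm (NetBIOS names)
    )
    # Every member and the farm itself need both a short name and an FQDN in the group
    $hosts = @($Members) + $FarmName
    foreach ($h in $hosts) {
        foreach ($name in @($h, "$h.$DnsDomain")) {
            $addresses = @(); $resolvable = $false
            try {
                # Same resolution path RD Gateway Manager uses: DNS, then the hosts file
                $addresses = @([System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString })
                $resolvable = ($addresses.Count -gt 0)
            } catch {
                # Unresolvable: adding this entry in RD Gateway Manager would fail
            }
            New-Object PSObject -Property @{
                Entry      = $name
                IsFarm     = ($h -eq $FarmName)
                Resolvable = $resolvable
                Addresses  = ($addresses -join ', ')
            }
        }
    }
}

# The text's example: farm "FarmName" with RDSH1 and RDSH2 in mydomain.local
$entries = Get-RdGatewayFarmGroupEntries -FarmName 'FarmName' -DnsDomain 'mydomain.local' -Members 'RDSH1', 'RDSH2'
$entries | Format-Table Entry, IsFarm, Resolvable, Addresses -AutoSize

# Fix name resolution first; none of the unresolvable entries can be added to the group
$missing = @($entries | Where-Object { -not $_.Resolvable })
if ($missing.Count -gt 0) {
    Write-Warning ('Not resolvable: ' + (($missing | ForEach-Object { $_.Entry }) -join ', '))
}
```

Rerun it whenever farm membership changes, since the text requires the group to be updated to match and a server that has left DNS will show up here before it shows up as a failed connection.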

If you have already created an RD Gateway–managed computer group, then choose the Select An Existing RD Gateway–Managed Computer Group option and then highlight the group in the Existing Computer Groups box.

You can also edit an existing RD RAP to enable access to an RD Gateway–managed computer group. In RD Gateway, click the Resource Authorization Policies folder, then double-click the RD RAP that you want to edit. Select the Network Resource tab and then choose the Select An Existing RD Gateway–Managed Computer Group Or Create A New One option. From here, you can create a new group or select an existing one as described previously.

Managing Computer Group Membership

To create, modify, or delete RD Gateway–managed computer groups, click the Resource Authorization Policies folder in RD Gateway. Choose Manage Local Computer Groups from the Actions menu in the right pane to open the dialog box shown in Figure 10-13.

FIGURE 10-13  Edit or create RD Gateway–managed computer groups using the Manage Locally Stored Computer Groups dialog box.

Clicking existing computer groups reveals the RD RAPs that they are associated with in the lower section of the left pane and the computer group members in the lower section of the right pane. (In Figure 10-13, for example, the group contains members of an RD Session Host server farm, so the farm FQDN and NetBIOS name are listed, along with all farm members and all NetBIOS names and IP addresses of the individual servers.)
To create a new computer group, click Create Group. On the General tab, enter a name for the computer group. On the Network Resources tab, enter the names and optionally the IP addresses of the RD Session Host servers or computers that you want to add to the group. Click OK.
To edit an existing group, select the group and then click Properties and adjust the computer group name or the servers in the group as necessary. To delete an RD Gateway–managed computer group, click the group and click Remove.

Bypassing RD Gateway for Internal Connections
It's understandable that you want remote users to establish secure encrypted connections to desktops and servers located on the internal network. But for local users accessing resources on the same internal network, you can choose to bypass RD Gateway and allow them to connect directly to the resource. There are two places to do this: RDC on the client and RemoteApp Manager on the server, as follows.
■ Remote Desktop Client  Open the RDC and click Options. Click the Advanced tab and then click the Settings button in the Connect From Anywhere section. Select Use These RD Gateway Server Settings, supply the server name, and then select the box next to Bypass RD Gateway Server For Local Addresses.
■ RemoteApp Manager  Use this setting to bypass RD Gateway for RemoteApp programs and for RDP files created by RD Web Access. Open RemoteApp Manager, click the RD Gateway Settings link, select Use These RD Gateway Server Settings, supply the server name, and then select the box next to Bypass RD Gateway Server For Local Addresses.

NOTE  To see how to force RDC connections initiated from RD Web Access to use RD
Gateway, see the section entitled “Force RDC Connections Through RD Gateway via RD
Web Access” in Chapter 9.

Using Group Policy to Control RD Gateway Authentication Settings
Three user Group Policy settings will help you control when clients use RD Gateway to connect to RDP resources, what authentication method(s) can be used to connect, and which RD Gateway server they use. The policies are located at User Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Services/RD Gateway and include the following options.
■ Set RD Gateway Authentication Method  This policy specifies the authentication method that clients must use to connect to RD Gateway, as specified in the RemoteApp program settings on the RD Session Host server, in saved RDP files, or from the RDC. The choices are
• Ask For Credentials, Use NTLM Protocol  Secure credential passing using a hash

NOTE  For more information on NTLM, see http://msdn.microsoft.com/en-us/library/aa378749(VS.85).aspx.

• Ask For Credentials, Use Basic Protocol  This option is only available using Group Policy; it is not available via RemoteApp Manager. Credentials are sent in cleartext and therefore are not secure.
• Use Locally Logged-On Credentials  (enables single sign-on with RD Gateway)
• Use Smart Card
You can allow users to change the authentication method by selecting the Allow Users To Change This Setting check box, or you can enforce the setting you choose by clearing this box. If users cannot change this setting, it will be in effect for all connections through RD Gateway. If this policy is not configured and no option is specifically selected by the user, then NTLM and smart cards can be used.
■ Enable Connection Through RD Gateway  Enabling this setting means that when users cannot create an RDP connection to a computer, they will attempt to connect via an RD Gateway that you specify in the Set RD Gateway Server Address policy described next.
You can enforce this setting by clearing the Allow Users To Change This Setting check box. If the policy is enforced, then users will attempt to connect through the RD Gateway address given in the Set RD Gateway Server Address policy described next. Clearing the check box means users will not use the address specified in the Set RD Gateway Server Address policy; instead, they are allowed to specify the RD Gateway that they wish to use.
■ Set RD Gateway Server Address  Specifies the RD Gateway address that users will attempt to connect to if they are unable to connect directly to an RDP resource. To enforce this setting, check the Allow Users To Change This Setting check box in the left pane.

CAUTION  If you enable the Enable Connection Through RD Gateway policy, you
also must enable Set RD Gateway Server Address and provide the address. If you en-
able that policy but do not specify the address here, then user connections will fail.

Monitoring and Managing Active RD Gateway Connections

RD Gateway connections are monitored and managed from the Monitoring folder in RD Gateway Manager. The monitoring feature gathers data points about each active session and reports them in a table in the monitoring window. You can see all active RD Gateway connections by selecting the Monitoring folder of RD Gateway Manager, as shown in Figure 10-14.

FIGURE 10-14  View all RD Gateway active session information from the Monitoring folder.

The specific data reported for each connection includes the following:
■ Connection ID  The Connection ID is formatted as <A:B>, where A is the Tunnel ID and B is the Channel ID. The Tunnel ID represents the client's connection to the RD Gateway, while the Channel ID represents the client's connection to the requested resource. The Tunnel ID is incremented each time a new connection is made to RD Gateway; if you restart the Remote Desktop Services Gateway service, the Tunnel ID count restarts at 1.
■ User ID  The User ID shows the domain and user name of the user who established the session, taking the form domain\username.
■ User Name  The session user's full name as specified in AD DS.
■ Connection On  States when a session was established.
■ Connection Duration  States how long a session has been active.
■ Idle Time  States how long a session has been idle.
■ Target Computer  The computer that the session is connected to.

NOTE  If there is no redirection, then RD Gateway monitoring displays the farm name
(for example, Farm.ash.local). If there is redirection, RD Gateway monitoring displays
the “host name” (for example, Fuji.ash.local).

■ Client IP Address  The IP address of the client that is connecting. If you are connecting to RD Gateway from the other side of a firewall, the IP address listed will be the address of the firewall.
■ Target Port  The port to which the user is connected.

Clicking any of the active sessions shows the information about the selected session in the bottom pane, and also reveals the total kilobytes sent and received in that session.
By default, RD Gateway updates the connection data every 30 minutes. To change this interval, right-click the Monitoring folder, choose Set Automatic Refresh Options from the context menu, and specify the new interval. Don't refresh too often; sampling takes processor cycles, so a high refresh rate can affect server performance. You can also disable automatic data refreshing by choosing the Do Not Refresh Automatically option. Click OK for the settings to take effect.
You can use this data to analyze the connections and tweak policy accordingly. For example, if your analysis indicates that a lot of connections go idle after 30 minutes, you could configure RD CAP timeouts to disconnect connections that are idle for more than 30 minutes and free resources for other users.
From the Monitoring folder, not only can you view connection data but you also can perform some tasks, such as disconnecting connections and changing the number of simultaneous connections allowed to RD Gateway. Disconnect connections from this folder according to the following rules:
■ To disconnect a single session, right-click the session and choose Disconnect This Connection.
■ A user can establish more than one RD Gateway session. To disconnect all of a user's sessions, right-click a user's connection and choose Disconnect This User.
■ To disconnect all RD Gateway sessions at once, right-click the Monitoring folder, choose Select All, and then right-click any of the highlighted sessions and choose Disconnect These Connections.
■ To disconnect multiple connections at once, press Ctrl-click or Shift-click to select multiple connections, then right-click and choose Disconnect These Connections.

You can also edit the RD Gateway connection limit from the Monitoring folder. Right-click the Monitoring folder and choose Edit Connection Limit from the context menu. This brings up the General tab of the RD Gateway server Properties dialog box. Limit the sessions to a specific number, or put the RD Gateway into drain mode, and click OK.

Creating a Redundant RD Gateway Configuration

For the most part, previous sections have tacitly assumed that you have one RD Gateway server. As with RD Session Host and RD Virtualization Host servers, however, one is not enough. The trouble isn't the number of simultaneous connections (the RD Gateway job isn't very taxing; one server can handle hundreds of simultaneous connections), but rather that a single RD Gateway server means a single point of failure. The job that RD Gateway performs is critical. Lose the gateway and you lose remote access to your corporate network, exclusive of other virtual private network (VPN) or DirectAccess solutions.
Therefore, it's best to have two (or more) RD Gateway servers. This section discusses how to make this as easy as possible, including:
■ Configuring RD Gateway to work with NLB for load balancing and failover
■ Centralizing the connection authorization policies
■ Centralizing the resource authorization policies

Using NLB to Load-Balance RD Gateway Servers

RD Gateway doesn't have any load-balancing logic; a load balancer like NLB must provide this functionality, and it allows you to group multiple servers into a logical cluster. If one RD Gateway goes offline, any connections for which it was acting as a proxy will be disconnected. However, when the users automatically reconnect, they are sent to the working RD Gateway server and will be reconnected to their previous sessions. In the absence of the load-balanced farm, those connections would be severed completely.
NLB load-balances based on incoming network traffic to a virtual IP address, or cluster IP address, as shown in Figure 10-15.

[Figure 10-15 diagram: a Remote Client connects over an SSL tunnel on port 443 to the Cluster IP (X.X.X.X) on the Internal Network; the cluster fronts two RD Gateway servers (IP Y.Y.Y.Y and IP Z.Z.Z.Z), each of which makes RDP connections to resources: RD Virtualization Host servers (Pooled VMs, Personal VMs), the RD Session Host server farm (RemoteApp, Full Desktop Session), and Desktop Computers.]
FIGURE 10-15  For redundancy, load balance incoming connections to RD Gateway among multiple servers.

NOTE  Figure 10-15 does not include the RD Connection Broker because, although the
broker plays a part in choosing which resource ultimately gets a connection, the final con-
nection does not go through RD Connection Broker.

When you cluster RD Gateway servers, network traffic over port 443 isn't directed to a specific RD Gateway server. Instead, it goes to the cluster IP address representing the collection of RD Gateway servers. Then the load-balancing mechanism determines to which RD Gateway server the connection should be sent, generally based on the current load.

In this example, NLB is used as the load-balancing mechanism, and two network interface cards (NICs) are installed on each RD Gateway computer. One NIC will support incoming connections for management purposes, and NLB will use the other for load balancing. We recommend using static addressing for the management NIC; the NIC used for load balancing must be configured with a static IP address, subnet mask, and gateway address. When you have installed the NICs on the RD Gateway servers, install NLB on each RD Gateway server that will become part of the cluster. Either use Server Manager or install using Windows PowerShell using the following code:

Import-Module Servermanager
Add-WindowsFeature NLB

After installing NLB, create a server cluster and add the RD Gateway servers as members. Open the Network Load Balancing Manager by clicking Start, Programs, Administrative Tools, Network Load Balancing Manager, or by typing nlbmgr in the Start, Run box. Complete the following steps to create a server cluster:
1. Click Cluster and select New.
2. In the Host input box, enter the name of one of the RD Gateway servers and click Connect. NICs available to use with NLB will appear in the lower text box. Select the dedicated NIC that you have configured to use with load balancing (remember, it must have a static IP address) and click Next.
3. The IP addresses assigned to the NIC will appear. The priority number is a unique number that differentiates the servers. Accept the default value. The IP address in the lower text box will be dedicated to load balancing. It's possible that both NICs will show up in the text box (assuming that you have dual NICs); use the Edit and Remove buttons to adjust the dedicated IP address settings as needed. Leave the Initial Host State as Started and click Next.
4. Specify the cluster IP address by clicking Add and specifying the IPv4 address and subnet mask or IPv6 address. When users request access to RD Gateway, they will be sent to this cluster address instead of a specific RD Gateway server address. Then the connection is sent by the load balancer to the appropriate RD Gateway server. Click Next.
5. Enter the public FQDN name that remote users use to access RD Gateway (for example, rdgateway.love2sk.net) and choose the cluster operation mode (Unicast or Multicast). All host adapters must use the same operation mode or NLB will not function. In this example, choose Unicast. Click Next.
6. For NLB to do its job, you need to indicate the ports that it should listen on for traffic. By default, it listens on ports 0 to 65535, and it load-balances the connections if the traffic appears on one of those ports. However, to accept incoming SSL connections, it needs to listen only on port 443. Edit the default rule to change the range From and To fields to 443.
7. Under Filtering Mode, choose Multiple Hosts to allow multiple hosts to handle traffic for this port rule. Now you have three Affinity choices:

• None  Choosing this option means that multiple connections coming from the same IP address can be spread among the farm members.

• Single  Choosing this option gives affinity to connections coming from the same IP address; they will be terminated on the same RD Gateway farm member.

• Network  Choosing this option means that client connections within the same Class C address space are terminated on the same RD Gateway server.
Single is almost always the best choice. First, this will prevent RemoteApp connections in a single RDP session from being distributed across more than one RD Gateway server. Second, troubleshooting connection problems is easier when the connections for each session are coming through one RD Gateway server. Most important, each session connection requires two SSL connections: one from the client to the RD Gateway server, and one from RD Gateway to the client. Without server affinity, it's possible for a session's two needed SSL connections to get split between two servers. Because both the incoming and the outgoing connections are necessary to support the session, splitting the session between two servers doubles the chances that the session will be lost due to a downed RD Gateway server.
8. Choose the appropriate affinity setting and click OK. Then click Finish.

DIRECT FROM THE FIELD

Why You Should Use Single Affinity


Bohdan Velushchak
Operations Engineer

If SSL connections of a session get split between two servers, it actually reduces the
resilience of the RD Gateway farm for failover. Here’s how it happens. Imagine that
you have many clients connecting to RD Gateway server A and also to RD Gateway
server B. If either of the servers fails, clients connected through the failing server
need to reconnect, but so do all those who have the split connections between
servers A and B. The only circumstance under which you should not set affinity is if
many clients are coming in from one IP address (for example, are working through a
proxy server).

Not setting affinity adds complexity to the environment in several ways. You can
have SSL connections split up and redirected to different servers, and as the admin-
istrator, you have no control over this. Second, in case of a failed server, more clients
suffer (those who go through this server plus those who have a single SSL session
served on the failed server). Third, in general, it reduces the predictability.

When you have any IP-based affinity on the NLB, the Server Farm feature is not
used. There will be no situation when different SSL connections from the single cli-
ent (so, from the same IP) will be sent to different RD Gateway servers, as IP
affinity is set on NLB. So it doesn't matter if the Server Farm setting in RD Gateway
is configured or not.

Don’t use the affinity option included with some hardware load balancers. It does
not provide any additional benefits to RD Gateway as opposed to using IP affinity,
and it still requires the Server Farm setting to be configured.

CAUTION  Don’t enable Single if all connections are proxied and appear to be
coming from the same IP address (the address of the proxy server or firewall). In
that situation, the Single option will direct all connections to the same RD Gateway
server. When using a proxy server or firewall, choose None.

Next, you will need to add the other RD Gateway farm members by right-clicking the cluster and choosing Add Host To Cluster. Give the name of the server and then choose the dedicated IP address that you will use for this host, just as you did when setting up the first host. Because this server will be joining this cluster, you do not get to choose any other settings. Do this for each cluster member.
After you've created the cluster and added all RD Gateway cluster hosts, the Network Load Balancing Manager should look similar to Figure 10-16.

FIGURE 10-16  Network Load Balancing Manager has a cluster created and hosts converged.

All hosts should converge (note that hosts appear with a green square around the computer icons). If NLB can't hear a server heartbeat, the server state will display as "unreachable" with a red X on the computer icon. When the heartbeat resumes, the server reconverges. The details of changes in the environment show in the bottom pane.
To use RD Gateway, you will need to map the external DNS name (rdgateway.love2sk.net, the same name that you specified for the NLB cluster) to the external IP address you designate that comes to your firewall, and then map that IP address to the internal cluster IP address. NLB will take care of passing the connection to the proper RD Gateway machine. This is shown earlier in Figure 10-15.
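The cluster described in steps 1 through 8 can also be built from Windows PowerShell with the NetworkLoadBalancingClusters module that the NLB feature installs. The following is an added example, not code from the book or its companion media; the host names, interface name and cluster IP address are constructed placeholders, and the FQDN is the one used in the steps above.

```powershell
# Added example: create an RD Gateway NLB cluster with a TCP 443 port rule and the
# affinity setting the chapter recommends. Assumes the NLB feature (and with it the
# NetworkLoadBalancingClusters module) is installed on every node.
Import-Module NetworkLoadBalancingClusters

$ClusterName      = 'rdgateway.love2sk.net'   # public FQDN from the chapter
$ClusterIP        = '192.0.2.10'              # constructed cluster (virtual) IP
$SubnetMask       = '255.255.255.0'           # constructed
$NlbInterface     = 'NLB'                     # constructed name of the dedicated load-balancing NIC
$FirstHost        = 'RDG01'                   # constructed host names
$OtherHosts       = @('RDG02')
$UsersBehindProxy = $false                    # $true when most clients share one source IP

# Steps 1-5: create the cluster on the first host, Unicast mode as in the walkthrough.
$clusterParams = @{
    HostName         = $FirstHost
    InterfaceName    = $NlbInterface
    ClusterName      = $ClusterName
    ClusterPrimaryIP = $ClusterIP
    SubnetMask       = $SubnetMask
    OperationMode    = 'Unicast'
}
$cluster = New-NlbCluster @clusterParams

# Step 6: the default rule balances ports 0-65535; RD Gateway only needs TCP 443,
# so drop the default rule rather than leaving every port load-balanced.
Get-NlbClusterPortRule -HostName $FirstHost | Remove-NlbClusterPortRule -Force

# Step 7: Multiple-host filtering. Single affinity keeps both SSL channels of a
# session on one gateway; None only when clients arrive through a shared proxy IP
# (the caution in the chapter), in which case the Server Farm tab must be configured.
$affinity = if ($UsersBehindProxy) { 'None' } else { 'Single' }
Add-NlbClusterPortRule -HostName $FirstHost -Protocol Tcp -StartPort 443 -EndPort 443 `
    -Mode Multiple -Affinity $affinity | Out-Null

# Add the remaining farm members; they inherit the cluster's port rules.
foreach ($h in $OtherHosts) {
    Add-NlbClusterNode -HostName $FirstHost -NewNodeName $h -NewNodeInterface $NlbInterface | Out-Null
}

# Verify: exactly one rule, limited to TCP 443, with the affinity we chose.
$rules = @(Get-NlbClusterPortRule -HostName $FirstHost)
if ($rules.Count -ne 1 -or $rules[0].StartPort -ne 443 -or $rules[0].EndPort -ne 443 -or
    $rules[0].Affinity -ne $affinity) {
    throw "Port rule is not the expected single TCP 443 rule with $affinity affinity"
}

# Convergence state per node, the same information the manager shows in Figure 10-16.
Get-NlbClusterNode -HostName $FirstHost | Format-Table Name, State, HostPriority -AutoSize
```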

Preventing Split SSL Connections on RD Gateway
Setting affinity in a load balancer to a single server is the ideal, but it won't always work. For instance, if a large number of the RD Gateway connections will be coming from users behind a proxy, their IP addresses will all appear to be the same, and they will all get routed to one RD Gateway farm member. If you can't use IP affinity, then you must set up an RD Gateway farm on each RD Gateway farm member to avoid splitting up incoming and outgoing SSL connections for each session.

NOTE  Every SSL connection to RD Gateway actually consists of two SSL channels
(RPC IN DATA and RPC OUT DATA).

By setting up the farm on each RD Gateway server, you're telling all the RD Gateway servers about each other. Doing so ensures that the SSL channels that are supporting the same connection will be routed through the same RD Gateway.
To set up an RD Gateway farm, follow these steps:
1. Open RD Gateway Manager, right-click the server, and choose Properties from the context menu to open the server Properties dialog box. Click the Server Farm tab, shown in Figure 10-17.

FIGURE 10-17  Add RD Gateway servers to the Server Farm tab if you don't use IP affinity in your load-balancing mechanism.

2. Add a server farm member to the RD Gateway Server Farm Member text box and click Add.
3. Do this for all server farm members and then click OK.
4. Repeat this process for each RD Gateway server farm member. Connections supporting the same session should now be sent through the same RD Gateway server.

Maintaining Identical Settings Across an RD Gateway Farm

All RD Gateway servers in the server farm need to be configured identically or you'll get inconsistent experiences depending on which gateway server you connect to. You can make sure of this by exporting settings from a "master" server or by configuring all servers at the same time using Windows PowerShell.

Exporting and Importing Settings

One way to ensure that the server settings match is to export the settings from one RD Gateway server to a file and then import those settings to the other farm members. To export RD Gateway policy and configuration settings, open RD Gateway Manager, right-click the server, and choose Export Policy And Configuration Settings. Specify a name for the XML file in which the settings will be stored, point to a storage location, and then click OK.
To import RD Gateway server settings, right-click the RD Gateway server and choose Import Policy And Configuration Settings. Then specify the file that you want to import by typing the location or browsing to the file and then clicking OK.
Importing the settings is technically simple, but it does have a couple of potential "gotchas." To import settings from one RD Gateway server to another, the importing server must have an SSL certificate specified for the RD Gateway Properties, even if it is a self-signed certificate and not the ultimate certificate that you will use. If you do not specify a certificate and you try to import policy and configuration settings, you will see the following error:

The file cannot be imported because it might have been modified or corrupted.

If you cannot import policies from one RD Gateway server to another, it's possible that the exported settings refer to local security groups that don't exist on the server you're importing them to.

NOTE  You will also get this error if RD RAPs are centrally stored. See the section entitled
“Configuring a Central RD RAP Store” later in this chapter for more details.

Configuring the RD Gateway Farm Using Windows PowerShell

If you have more than one RD Gateway server, editing RD Gateway settings programmatically can help you to keep the RD Gateway configuration consistent across all RD Gateway farm members. You can use Windows PowerShell to make configuration changes on multiple RD Gateway servers. In fact, you could create one script containing all RD Gateway configuration settings and run it against the organizational unit (OU) that contains the RD Gateway servers anytime you needed to make a change. For example, if you want to add the ASH-RDS-Users user group to an RD RAP called RD-RAP-01 on all RD Gateway machines in an OU called ASH_RDG_Farm, you would run the following script:

# Bind to the OU that holds the RD Gateway computer objects.
$objOU = "ASH_RDG_Farm"
$Domain = "ash"
$Suffix = "local"
$OU = [ADSI] "LDAP://OU=$objOU,DC=$Domain,DC=$Suffix"
# Apply the same change on every computer in the OU.
foreach ($child in $OU.psbase.children)
{
    Invoke-Command -ComputerName $child.name -ScriptBlock {
        $RDRAPName = "RDS-RAP-01"
        $UserGroup = "ASH-RDS-Users@ASH"
        # The RemoteDesktopServices module exposes RD Gateway settings as the RDS: drive.
        Import-Module RemoteDesktopServices
        Set-Location rds:
        cd gatewayserver\rap\$RDRAPName\
        # Add the group to the RAP's UserGroups container.
        New-Item usergroups -Name $UserGroup
    }
}

To help you understand the RD Gateway folder structure in Windows PowerShell, run the following commands to navigate to the RD Gateway container, as shown in Figure 10-18:

PS C:\Users\admin> import-module remotedesktopservices
PS C:\Users\admin> set-location rds:
PS RDS:\> cd gatewayserver
PS RDS:\gatewayserver> dir

FIGURE 10-18  Manage RD Gateway settings programmatically using Windows PowerShell.

All RD Gateway configurable settings are located in the root or in containers in the gatewayserver directory. Use the dir and cd commands to enter subcontainers to get a full understanding of setting names and permissible operations.

ON THE COMPANION MEDIA  The script shown in this example is located on the
companion media as the Add-RDRAP-UserGroup.ps1 file.
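The same RDS: provider can be used to check that the farm members really are configured identically, as the section above requires. The following is an added example, not the companion media script; it reuses the chapter's OU, domain and suffix values, and assumes that setting items under RDS:\GatewayServer expose their value through a CurrentValue property, as the provider's default listing shows.

```powershell
# Added example: snapshot the RD Gateway settings tree on every farm member found in
# the OU and report drift against the first server. Assumes WinRM is enabled on the
# gateways and the RemoteDesktopServices module is installed on each of them.
$objOU  = 'ASH_RDG_Farm'
$Domain = 'ash'
$Suffix = 'local'
$OU = [ADSI]"LDAP://OU=$objOU,DC=$Domain,DC=$Suffix"
$servers = @($OU.psbase.children | ForEach-Object { $_.name })
if ($servers.Count -lt 2) { throw "Need at least two RD Gateway servers in OU $objOU" }

# One sorted "path=value" line per leaf setting; CurrentValue is the assumed value
# property of RDS: provider items. Containers without a value are skipped.
$snapshots = @{}
foreach ($s in $servers) {
    $snapshots[$s] = Invoke-Command -ComputerName $s -ScriptBlock {
        Import-Module RemoteDesktopServices
        Get-ChildItem -Path RDS:\GatewayServer -Recurse |
            Where-Object { $_.PSObject.Properties['CurrentValue'] } |
            ForEach-Object { '{0}={1}' -f ($_.PSPath -replace '^.*::', ''), $_.CurrentValue } |
            Sort-Object
    }
}

# Treat the first server as the reference and list every line present on only one side.
# Expect legitimate per-server differences (for example a per-host SSL certificate);
# everything else is configuration drift that export/import or a script should fix.
$ref   = $servers[0]
$drift = $false
foreach ($s in ($servers | Where-Object { $_ -ne $ref })) {
    $diff = Compare-Object -ReferenceObject @($snapshots[$ref]) -DifferenceObject @($snapshots[$s])
    foreach ($d in $diff) {
        $drift = $true
        $where = if ($d.SideIndicator -eq '<=') { $ref } else { $s }
        Write-Warning ('Only on {0}: {1}' -f $where, $d.InputObject)
    }
}
if (-not $drift) { Write-Host ("All {0} RD Gateway servers match {1}" -f $servers.Count, $ref) }
```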

Using a Central NPS to Store RD CAPs

Maintaining identical settings gets you one-third of the way toward keeping the farm consistent. The second third is to provide a central storage location for the authorization policies. To create a single store for RD CAPs, you can create a central NPS, either on one of the RD Gateway servers or on a different server altogether, and set all RD Gateway servers to use the central NPS. You might also do this if you already have an NPS running in your environment for other reasons and you decide to consolidate NPS functions onto one server.
The RD CAP Store tab in the RD Gateway Properties dialog box, shown in Figure 10-19, allows you to choose where to store RD CAPs.

FIGURE 10-19  The RD Gateway Properties RD CAP Store tab shows you options for storing RD CAPs.

If you choose to use a central NPS, the new NPS will act as a Remote Authentication Dial-In User Service (RADIUS) server to the RD Gateway servers, and the RD Gateway servers will act as RADIUS clients to the NPS, as shown in Figure 10-20.

[Figure 10-20 diagram: a Remote Client connects over an SSL tunnel on port 443 to the Cluster IP (X.X.X.X) on the Internal Network. The RD Gateway servers act as RADIUS clients: they forward the RD CAP and NAP check to the NPS, which acts as the RADIUS server and checks the RD CAP and optionally NAP policies, and they check the RD RAP if needed. The gateways then make RDP connections to resources: RD Virtualization Host servers (Pooled VMs, Personal VMs), the RD Session Host server farm (RemoteApp, Full Desktop Session), and Desktop Computers.]

FIGURE 10-20  RD Gateway servers act as RADIUS clients when you store RD CAPs on a central NPS.

If you set up a central NPS for storing RD CAPs, the process to connect via RD Gateway will work like this:
1. A remote user requests connection to a resource via RD Gateway.
2. The RD Gateway server forwards the request to the centralized NPS, which checks the RD CAPs (and possibly other network access policies, too) and either allows or denies access based on whether the requester meets policy criteria.

NOTE  NPS can be used to check computer system health and uses network policies to
accomplish this. You will learn more about this in the section entitled “Using NAP with
RD Gateway” later in this chapter.

3. If the requestor meets policy requirements as defined in the connection and resource authorization policies, then the user is allowed to connect to RD Gateway.
4. RD Gateway does an RD RAP check and the connection is established or denied based on the results.
To configure RD Gateway to use a centralized NPS, you need to do the following:
1. Install the Network Policy and Access Services role on a server (or use an existing one).
2. Configure RD Gateway servers to use the new NPS location.
3. Configure the RD Gateway servers to forward network access requests to the new NPS.
4. Manually create new RD CAPs on the designated NPS.
These steps are described in the next sections.

INSTALL NETWORK POLICY AND ACCESS SERVICES (NPS)

First, install the Network Policy and Access Services role via Server Manager, or use Windows PowerShell to install NPS by running these commands:

Import-module servermanager
add-WindowsFeature NPAS

DIRECT THE RD GATEWAY SERVERS TO THE NPS

When the NPS server is ready, point the RD Gateway servers to the centralized RD CAP storage location. Perform the following steps on each RD Gateway server:
1. Open RD Gateway Manager, right-click the server, and click Properties. Select the RD CAP Store tab and choose Central NPS Server. Type the name or IP address for the NPS and click Add.
2. The NPS must trust the RD Gateway to allow it to use its authorization policy store. Enter a shared secret password to use in validating the connection to the new NPS and click OK.

NOTE  After you point an RD Gateway server to another NPS, you can no longer create
RD CAPs using RD Gateway Manager. The tools to create RD CAPs are disabled, and the
RD CAP folder is replaced with a Central Network Policies folder that shows which NPS RD
Gateway now uses to store RD CAPs, which are really Network Policies in NPS. In this case,
you create and edit RD CAPs on the centralized NPS server instead.

CONFIGURE RD GATEWAY SERVERS AS RADIUS CLIENTS

Next, configure each RD Gateway server as a RADIUS client and point each server to the RADIUS server. By doing this, you are specifying where to forward NPS requests. On each RD Gateway server, do the following:
1. Open Network Policy Server (by clicking Start, Programs, Administrative Tools, and finally Network Policy Server).
2. Expand RADIUS Clients And Servers and select Remote RADIUS Server Groups.
3. In the right pane, double-click TS GATEWAY SERVER GROUP. The name of the central NPS server should be visible here. If it is not, add it by clicking Add and filling in the server name, then click OK. If there are any other servers listed, remove them by selecting them and clicking Remove, then click OK.

ENABLE ACCESS REQUEST FORWARDING

Next, make sure the NPS installed on each RD Gateway computer (the RADIUS client) forwards network access requests to the new centralized NPS (the RADIUS server). On each RD Gateway server, open NPS and complete these steps:
1. Expand the Policies folder. Click the Connection Request Policies folder, right-click TS GATEWAY AUTHORIZATION POLICY, and click Properties.
2. On the Overview tab, make sure that the policy is enabled and that the Type Of Network Access Server setting is Remote Desktop Gateway.
3. On the Conditions tab, make sure that NAS Port Type with a value of Virtual (VPN) is added. If it is not, click Add and then scroll down and select NAS Port Type. Click Add and then select the check box next to Virtual (VPN) in the Common Dial-Up And VPN Types box. Click OK.
4. On the Settings tab, click Authentication and confirm that the Forward Requests To The Following RADIUS Server Group For Authentication check box is selected, and that the TS GATEWAY SERVER GROUP is selected from the drop-down list.
5. Click Accounting. Confirm that the check box next to Forward Accounting Requests To This Remote RADIUS Server Group is selected and that TS GATEWAY SERVER GROUP is selected from the drop-down list.

ENABLE NPS TO TRUST THE RD GATEWAY SERVERS
To respond to requests from the RD Gateway servers, the central NPS server must trust them.
1. On the designated NPS, open the Network Policy Server management console, expand the RADIUS Clients And Servers folder, right-click RADIUS Clients, and choose New from the context menu.
2. Enter the name of an RD Gateway server in the Friendly Name input box, and its DNS name or IP address in the Address input box.

NOTE  If you are using NLB with multiple NICs installed on your RD Gateway servers, be
sure to input the NLB IP address when creating RADIUS clients.

3. Next, accept the default Shared Secret Template (None), make sure the Manual option is selected, and enter the shared secret that you specified on the RD Gateway server RADIUS client. On the Advanced tab, accept the default configuration, and then click OK.
4. Repeat this for each RD Gateway server that will act as a RADIUS client.
The RADIUS clients will show up in the right pane, as shown in Figure 10-21.

FIGURE 10-21  Add each RD Gateway server as a RADIUS client on the NPS.
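Steps 1 through 4 above can be scripted on the central NPS with the netsh nps context, which is useful when the farm has more than a couple of members. This is an added example, not from the book; it uses the chapter's two example gateways, Cowboy.ash.local (10.10.10.120) and Pike.ash.local (10.10.10.119), and reads the shared secret at run time instead of storing it in the script.

```powershell
# Added example: register each RD Gateway farm member as a RADIUS client on the
# central NPS. Run on the NPS server as an administrator.
$gateways = @(
    @{ Name = 'Cowboy.ash.local'; Address = '10.10.10.120' },
    @{ Name = 'Pike.ash.local';   Address = '10.10.10.119' }
)

# Prompt for the secret so it never sits in the script file or the console history.
# It must match what was entered on each gateway's RD CAP Store tab.
$secure = Read-Host -Prompt 'Shared secret entered on the RD Gateway servers' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$secret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

foreach ($gw in $gateways) {
    # The address must be the one NPS actually sees; with NLB and dual NICs that is
    # the NLB address (see the note above), not the management NIC.
    # netsh takes the secret as an argument, so it is briefly visible to local
    # administrators in the process list; run this from the console, not a job log.
    & netsh nps add client name="$($gw.Name)" address="$($gw.Address)" state="ENABLE" sharedsecret="$secret"
    if ($LASTEXITCODE -ne 0) { throw "Failed to add RADIUS client $($gw.Name)" }
}
Remove-Variable secret

# Confirm the clients exist before pointing the gateways at this NPS.
& netsh nps show client
```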

Next, create a Connection Request Policy to allow RD Gateway servers to establish a connection to the NPS, as follows:
1. Expand the Policies folder, right-click Connection Request Policies, and choose New.
2. Give the policy a descriptive name, select Remote Desktop Gateway from the Type Of Network Access Server drop-down list, and click Next.
3. On the Conditions tab, click Add and select a condition for which the Connection Request Policy will be evaluated (and for which RD Gateway will pass). Click Add and enter the needed value for the condition. For example, add the Client IPv4 Address of the RD Gateway server. Leave the Settings tab settings as they are by default. Click OK. An RD Gateway server must pass at least one Connection Request Policy, and it must also pass every condition within the policy. Therefore, you need to create a Connection Request Policy for each RD Gateway server in your farm, each containing only conditions relevant to the individual RD Gateway server. For example, say that you have two RD Gateway servers with the following names and IP addresses:

• Cowboy.ash.local, 10.10.10.120

• Pike.ash.local, 10.10.10.119
4. Click Next through the rest of the Wizard screens and at the last screen click Finish.
To enable connections from both RD Gateway servers with these settings, set up two Connection Request Policies, one for each server, with the following conditions and values to allow connections from either of these two servers, as shown in Table 10-1.

TABLE 10-1  Create Connection Policies for Each RD Gateway Server Separately

CONNECTION POLICY NAME | CONDITION            | VALUE
Cowboy                 | Client Friendly Name | Cowboy.ash.local
Cowboy                 | Client IPv4 Address  | 10.10.10.120
Pike                   | Client Friendly Name | Pike.ash.local
Pike                   | Client IPv4 Address  | 10.10.10.119

RECREATE RD CAPS ON THE NETWORK POLICY AND ACCESS SERVER

RD CAPs do not get transferred to the NPS when you choose to use a central NPS for storing them, so your next step is to re-create any existing RD CAP(s) on the new NPS.
An RD CAP is really a Network Access Policy; RD Gateway just makes it easier to create a policy with the settings that will work with RD Gateway. If you create an RD CAP on RD Gateway and then open the Network Policy Server console on the RD Gateway server, you will find that the RD CAP is created and stored under the Network Policies folder. Creating a network policy can accomplish the same thing as an RD CAP, and more. For example, a network policy can restrict access to RD Gateway based on the time of day or limit connecting clients to only those running a certain version of Windows or later. It's also important to know that a connection request must meet all settings and constraints configured in the network policy for the client to be allowed to access RD Gateway. Of course, just like local RD CAPs, you can create more than one network policy to accommodate different clients.
It's helpful to look at local NPS policies created by RD Gateway. Table 10-2 describes network policy settings and constraints, their values, and what RD CAP setting they correspond to when making a local RD CAP with the RD Gateway Wizard.

550 Chapter 10  Mak ng Remote Desktop Serv ces Ava ab e from the nternet

www.it-ebooks.info
TABLE 10-2  Network Policy Conditions and Values That Correspond to Specific RD CAP Settings

| NETWORK POLICY PROPERTIES TAB | NETWORK POLICY SETTING | NETWORK POLICY VALUE | CORRESPONDS TO RD CAP SETTING | RD CAP VALUE |
| Conditions tab  | Machine Groups            | A local or AD DS group | Client Computer Group Membership | A local or AD DS group |
| Conditions tab  | Called Station ID         | PW | Supported Windows Authentication Methods | Password |
| Conditions tab  | Called Station ID         | SC | Supported Windows Authentication Methods | Smart card |
| Constraints tab | Idle Timeout              | Number of minutes | Enable Idle Timeout | Default = 120 minutes |
| Constraints tab | Session Timeout           | Number of minutes | Enable Session Timeout | Default = 480 minutes |
| Settings tab    | Vendor Specific Attribute | Vendor = Microsoft, Attribute = TSG-Device-Redirection, Attribute Value = 1073741824 | Device Redirection | Enable all device redirection |
| Settings tab    | Vendor Specific Attribute | Vendor = Microsoft, Attribute = TSG-Device-Redirection, Attribute Value = 1207959552 | Device Redirection | Enable all device redirection, plus the setting Only Allow Connections To RDSH That Enforce RDG Device Redirection |
| Settings tab    | Vendor Specific Attribute | Vendor = Microsoft, Attribute = TSG-Device-Redirection, Attribute Value = 1 | Device Redirection | Disable drive redirection |
| Settings tab    | Vendor Specific Attribute | Vendor = Microsoft, Attribute = TSG-Device-Redirection, Attribute Value = 9 | Device Redirection | Disable drive and clipboard redirection |
| Settings tab    | Vendor Specific Attribute | Vendor = Microsoft, Attribute = TSG-Device-Redirection, Attribute Value = 11 | Device Redirection | Disable drive, clipboard, and printer redirection |
| Settings tab    | Vendor Specific Attribute | Vendor = Microsoft, Attribute = TSG-Device-Redirection, Attribute Value = 15 | Device Redirection | Disable drive, clipboard, printer, and ports redirection |
| Settings tab    | Vendor Specific Attribute | Vendor = Microsoft, Attribute = TSG-Device-Redirection, Attribute Value = 31 | Device Redirection | Disable drive, clipboard, printer, ports, and PnP redirection |
| Settings tab    | Vendor Specific Attribute | Vendor = Microsoft, Attribute = TSG-Device-Redirection, Attribute Value = 134217759 | Device Redirection | Disable redirection for all devices, plus the setting Only Allow Connections To RDSH That Enforce RDG Device Redirection |
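The TSG-Device-Redirection values in Table 10-2 are a bit mask, so a value you meet in an exported network policy can be decoded rather than looked up. The following PowerShell is an added example, not code from the book or from Microsoft. The bit assignments are derived from the table's own values (1, 9, 11, 15, 31, 1073741824, 1207959552, and 134217759); the flag names are this example's own.

```powershell
# Added example (not from the book): compose and decode the TSG-Device-Redirection value.
# Bit assignments are derived from the values in Table 10-2; the flag names are our own.
$TsgRedirectionFlags = [ordered]@{
    DisableDrive      = 0x1          # 1
    DisablePrinter    = 0x2          # 11 - 9
    DisablePorts      = 0x4          # 15 - 11
    DisableClipboard  = 0x8          # 9 - 1
    DisablePnP        = 0x10         # 31 - 15
    OnlyEnforcingRdsh = 0x8000000    # 134217728: only RDSH that enforce RDG device redirection
    EnableAllDevices  = 0x40000000   # 1073741824: enable all device redirection
}

function Get-TsgRedirectionValue {
    # Build the attribute value from flag names, e.g. 'DisableDrive','DisableClipboard'.
    param([Parameter(Mandatory)][string[]]$Flags)
    $value = 0
    foreach ($flag in $Flags) {
        if (-not $TsgRedirectionFlags.Contains($flag)) { throw "Unknown flag '$flag'" }
        $value = $value -bor $TsgRedirectionFlags[$flag]
    }
    return $value
}

function ConvertFrom-TsgRedirectionValue {
    # Explain an attribute value found in a network policy or an NPS export.
    param([Parameter(Mandatory)][long]$Value)
    $names = @()
    $known = 0
    foreach ($entry in $TsgRedirectionFlags.GetEnumerator()) {
        $known = $known -bor $entry.Value
        if ($Value -band $entry.Value) { $names += $entry.Key }
    }
    # Bits the table does not account for are reported rather than silently dropped.
    $unknown = $Value -band (-bnot [long]$known)
    if ($unknown) { $names += ('UnknownBits=0x{0:X}' -f $unknown) }
    if ($names.Count -eq 0) { return 'NoFlagsSet' }
    return ($names -join ', ')
}

# The "enable all plus enforce" and "disable all plus enforce" rows of Table 10-2,
# rebuilt from their flags:
Get-TsgRedirectionValue 'EnableAllDevices', 'OnlyEnforcingRdsh'
Get-TsgRedirectionValue 'DisableDrive', 'DisablePrinter', 'DisablePorts', 'DisableClipboard', 'DisablePnP', 'OnlyEnforcingRdsh'
# And a value taken from a policy, explained:
ConvertFrom-TsgRedirectionValue 1207959552
```

The OnlyEnforcingRdsh bit is worth keeping in any policy that restricts redirection: the redirection restrictions RD Gateway hands out are enforced by the RD Session Host, so a host that does not enforce the gateway's policy leaves redirection up to the client.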
Although the intricacies of network policy creation on an NPS are outside the scope of this
book, here is an example of how to create a simple policy that allows access to RD Gateway
based on user group membership.
1. In the Network Policy Server Management Console, expand the Policies folder,
right-click Network Policies, and choose New.
2. Give the policy a name, and for Type Of Network Access Server, choose Remote Desktop
Gateway from the drop-down list. This specifies the type of network access server
that will send connection requests to the NPS. Click Next.
3. At least one condition is required for this policy to be evaluated when a connection
request is sent to NPS. Click Add and then choose a condition category. For example,
choose Windows Groups. Click Add and then click Add Groups to add the group(s),
one of which a user must be a member of to access the RD Gateway server. Click OK a
couple of times to return to the main dialog box and then click Next.
4. On the Specify Access Permission page, choose the Access Granted option and click
Next.
5. On the Configure Authentication Methods page, clear all the check boxes and then
select the Allow Clients To Connect Without Negotiating An Authentication Method
check box. Click No on the information pop-up window. Then click Next. (RD Gateway
has already authenticated the user before it sends the request; NPS is only authorizing
the connection, which is why no RADIUS authentication method is negotiated here.)
6. Accept the defaults on the Configure Constraints page and click Next.
7. On the Configure Settings page, select the RADIUS Attributes Standard option and
then remove the default Framed-Protocol and Service-Type attributes. Click Next.
8. On the Completing New Network Policy page, click Finish.

NOTE  To save the NPS configuration to an XML file, run netsh nps export. For example,
export the NPS configuration from a server named COWBOY to a network share with the
following command. Because exportPSK = YES writes the RADIUS shared secrets into the
file in clear text, protect the exported file as you would the secrets themselves.

netsh nps export filename = "\\colfax\ash-company-files\IT\Cowboy-NPS-Export.xml" exportPSK = YES

Run the netsh nps import command to import an NPS configuration file.

netsh nps import filename = "\\colfax\ash-company-files\IT\Cowboy-NPS-Export.xml"
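Putting those two commands together, the following PowerShell is an added example (not from the book) that replicates the NPS configuration from the gateway you maintain to the other farm members. Run it on the source server (COWBOY in the book's example); PIKE.ash.local as the target, the temp paths, and an account that is a local administrator on both servers are assumptions. The file travels over the C$ administrative share and netsh nps import runs against a local path on the target, so the remote session never has to reach a file share with delegated credentials.

```powershell
# Added example (not from the book): replicate the NPS configuration across an RD Gateway
# farm with netsh nps export / import. Run on the source gateway (COWBOY).
# Target names, temp paths, and the administrative account are assumptions.
$TargetServers = @('PIKE.ash.local')
$LocalExport   = Join-Path $env:TEMP 'nps-export.xml'
$RemoteImport  = 'C:\Windows\Temp\nps-import.xml'

# exportPSK = YES puts every RADIUS shared secret into the XML in clear text, so the file
# stays on local disks for the duration of the copy only and both copies are removed below.
netsh nps export filename = "$LocalExport" exportPSK = YES
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $LocalExport)) { throw 'netsh nps export failed' }

foreach ($server in $TargetServers) {
    # \\PIKE.ash.local\C$\Windows\Temp\nps-import.xml
    $adminShare = "\\$server\" + $RemoteImport.Replace(':', '$')
    Copy-Item -Path $LocalExport -Destination $adminShare -Force

    Invoke-Command -ComputerName $server -ScriptBlock {
        param($Path)
        # import replaces the target's NPS configuration with the exported one
        netsh nps import filename = "$Path"
        $rc = $LASTEXITCODE
        Remove-Item -Path $Path -Force              # the secrets were in this file
        if ($rc -ne 0) { throw "netsh nps import failed on $env:COMPUTERNAME" }
    } -ArgumentList $RemoteImport
}
Remove-Item -Path $LocalExport -Force
```

This moves only what NPS owns: connection request policies, network policies (the RD CAPs), RADIUS clients, and remote RADIUS server groups. RD RAPs live in Authorization Manager, not NPS, and are handled separately in the next section.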

Configuring a Central RD RAP Store

Unlike RD CAPs, RD RAPs can't be managed by NPS; they're actually implemented through
Authorization Manager. Authorization Manager supports role-based access, so it's a
good fit for RD RAPs. There is one failing from the point of view of creating a load-balanced
farm: it does not support remote connections.
By default, RD RAP configurations are stored in an XML file located at
%SystemRoot%\System32\Tsgateway\Rap.xml. However, you can tweak RD Gateway to get its RD RAPs from a
central location so that all RD Gateway servers in the same load-balanced farm can have the
same resource authorization policies without making you regularly export and import the RD
RAPs. There's no user interface in RD Gateway Manager to do this, but you can change
the location of the Rap.xml file by editing the registry.
First, copy the existing Rap.xml to the network share. (If you don't, then when you update
the storage location, RD Gateway will create a new Rap.xml there instead of using your
existing RD RAPs.) Next, open Registry Editor and go to
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core\RAPStore.
Edit this value to point to a network location. For example, change the value from

msxml://%SystemRoot%\System32\tsgateway\rap.xml

to this:

msxml://\\colfax\ash-company-files\IT\rap.xml

Be sure to set the permissions on the network share that contains the Rap.xml file properly,
so that only the RD Gateway servers (and the administrators who maintain the file) are allowed
read/write access. Otherwise, anyone who can edit the file can circumvent the RD RAPs:
whatever that file says is the resource authorization policy for the whole farm.
Also, if you do not configure your RAP share with the correct permissions to allow the RD
Gateway servers to access the XML file, then NPS quarantines the user. The RDC connection
that the client initiated will stop responding, and you will have to use Task Manager to kill the
attempted connection. The server will log Event ID 6276 in the Security event log, as
follows:

Network Policy Server quarantined a user.

On the RD Gateway server, you will see the following (error 5 is access denied):

Event ID 642: The RD Gateway server cannot open the resource authorization policy store
on Authorization Manager (Azman). The following error occurred: "5".

There are a few issues with centrally stored RAPs that you should be aware of. First, making
changes to centrally located RD RAPs takes some work, because you cannot edit the centrally
located file from RD Gateway Manager. You have to repoint the store to the local location,
modify the RD RAPs, and then re-copy the Rap.xml file to the central location and repoint
the registry value to the central location. Also, to successfully export and import RD Gateway
settings from one server to another, you have to repoint RD RAPs to be stored locally,
do the export and import, and then repoint the RD RAP storage location registry value to
the central location. For these reasons, if you make changes to your RD Gateway configuration
frequently, centrally stored RD RAPs might not work for you, due to the effort involved in
keeping them centrally located.
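The registry change, the share permissions, and the event check described above can be scripted. The following PowerShell is an added example, not code from the book. It is written to run on one gateway; steps 1 and 2 are done once for the farm, steps 3 and 4 on each member. It assumes that RAPStore is a string value under the Core key named in the text, that the RD Gateway service is named TSGateway and runs as Network Service (so it reaches the share as the computer account), that the domain's NetBIOS name is ASH, that a group ASH\RDG-Admins maintains the file, and that RD Gateway writes event 642 to the Microsoft-Windows-TerminalServices-Gateway/Operational log.

```powershell
# Added example (not from the book): centralize the RD RAP store for one farm member.
# Assumptions: RAPStore is a string value under the Core key; the RD Gateway service is
# TSGateway and runs as Network Service (so it reaches the share as the computer account);
# the domain NetBIOS name is ASH; ASH\RDG-Admins maintains the file; event 642 is written
# to the Microsoft-Windows-TerminalServices-Gateway/Operational log.
$ShareFolder      = '\\colfax\ash-company-files\IT'
$CentralRap       = Join-Path $ShareFolder 'rap.xml'
$LocalRap         = Join-Path $env:SystemRoot 'System32\tsgateway\rap.xml'
$CoreKey          = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core'
$GatewayComputers = @('ASH\Cowboy$', 'ASH\Pike$')
$GatewayAdmins    = 'ASH\RDG-Admins'

# 1. Seed the share with the existing RD RAPs before repointing anything (once per farm).
#    If rap.xml is missing when the store is repointed, the gateway creates a new one there.
if (-not (Test-Path $CentralRap)) { Copy-Item -Path $LocalRap -Destination $CentralRap }

# 2. Replace the inherited ACL with an explicit one (once per farm): each gateway computer
#    account gets Read and Write, the admin group gets Full Control, nobody else gets in.
#    Whoever can write this file can rewrite the farm's resource authorization policy.
$acl = Get-Acl -Path $ShareFolder
$acl.SetAccessRuleProtection($true, $false)            # stop inheriting; drop inherited ACEs
foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
foreach ($identity in ($GatewayComputers + $GatewayAdmins)) {
    $rights = if ($identity -eq $GatewayAdmins) { 'FullControl' } else { 'Read, Write' }
    $ace = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $identity, $rights, $inherit, 'None', 'Allow'
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $ShareFolder -AclObject $acl

# 3. Repoint this gateway's RAP store and restart the service so it re-opens the store.
Set-ItemProperty -Path $CoreKey -Name 'RAPStore' -Value "msxml://$CentralRap"
Restart-Service -Name TSGateway

# 4. Event 642 right after the restart means the store could not be opened; error "5" is
#    ERROR_ACCESS_DENIED, so re-check step 2 and the account the service runs as.
Start-Sleep -Seconds 10
$log    = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
$failed = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 642; StartTime = (Get-Date).AddMinutes(-1) } -ErrorAction SilentlyContinue
if ($failed) { $failed | Select-Object TimeCreated, Message }
else { "RAP store now: $((Get-ItemProperty -Path $CoreKey).RAPStore)" }
```

Run step 3 under a maintenance window: between the registry write and the service coming back, no new connections are authorized by this gateway, and with a load balancer in front the other farm member picks up the load.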

Using NAP with RD Gateway

RD Gateway makes it easy to enable people to connect to internal network resources securely
via the Internet. One trouble with allowing computers outside the network into the network
to connect to RD Session Host servers is that you don't know where those computers have
been. More to the point, you don't know what they bring with them.
It's easy to enforce certain policies on computers that are attached to the corporate
network: you can update virus signatures, check for application updates, and so forth. But
computers connecting to RD Session Host servers from outside the network, not updated
according to the policies of that network, pose a different problem. How do you keep
computers that you don't control from infecting the network?
One way is to check those computers before they connect to the network, make sure they
conform to your organization's health policies, and permit access only if they do. The
Microsoft technology that makes this possible is Network Access Protection (NAP). Using NAP,
you can define a minimum set of policies to which a computer must conform before it can
connect to a server via RD Gateway, and even help the computer become compliant if it isn't
already. Keep in mind that the statement of health is produced by an agent on the client
itself, so NAP establishes what a cooperating client reports about its own state; it is not a
defense against a client that lies. These health requirements can include policies such as the
following:

■ The computer must have an active firewall.
■ The computer must have current antivirus signatures.
■ Spyware protection must be enabled.

Basic NAP Concepts

NAP is a very big topic that covers a lot more than working with RD Gateway; it can also
control access to other network resources like the wireless network and even getting an IP
address from a Dynamic Host Configuration Protocol (DHCP) server.
Basically, when used with RD Gateway, NAP works like this. The client reports on its statement
of health (SoH). NPS (on the RD Gateway server or on a centrally managed server) reads
the reports and checks its network policies to determine whether the client complies with
network and health policy requirements. If the client complies with policy, then RD Gateway
checks its RD RAPs for a match. If the client matches an RD RAP, the client can connect to the
requested resource.
As discussed in the section entitled "Using a Central NPS to Store RD CAPs" earlier in this
chapter, the RD Gateway installation installs and uses a local NPS, but it can also access a
central NPS. The configuration mainly depends on two factors: (1) whether you're clustering the
RD Gateway servers and don't want to maintain CAPs on both servers; and (2) whether you're
planning to use NAP for controlling access to any other network resources. For example, if
you also use it to govern access to the wireless network, you'll most likely set up a central NPS
to handle both cases.
To use NAP, a client must be running Windows XP SP3 or later.

How NAP Supports RD Gateway

To understand NAP, you must be familiar with the following NAP server and client
components.
■ NPS  The Network Policy Server role service of the Network Policy And Access Services
role installed on a Windows Server 2008 R2 server. NPS is a RADIUS server and proxy. It also
acts as a NAP network policy and health policy server, evaluating clients and determining
their health compliance with company policies.
■ System Health Validators (SHVs)  Specify the settings that define what the
organization considers a "health-compliant system." Each SHV interprets the health report
sent from the client and creates a response report called the Statement of Health
Response.
■ Statement of Health Response (SoHR)  A report from an SHV stating whether the
client's SoH met that SHV's requirements.
■ System SoHR (SSoHR)  A combination of all SoHRs from all SHVs, together with the
network policy the client matched and its resulting level of access. This is sent from
NPS to the client.
■ NPS Administration Server (NPS AS)  Passes SoHs to the SHVs and passes SoH
responses (SoHRs) to the NPS Service.
■ NPS Service  Evaluates SoHRs and determines whether the NAP client is Compliant,
Noncompliant, or Non-NAP-Capable, and packages the SoHRs into a System
SoHR (SSoHR) report.
■ NAP Enforcement Server (NAP ES)  Communicates with the client-side NAP
Enforcement Client (NAP EC) component.
NAP client components include the following:
■ NAP Enforcement Client (NAP EC)  The NAP client component that communicates
with the NAP ES component.
■ System Health Agent (SHA)  The client-side agent that monitors and creates a
report of the client health as regards various system health elements (for example,
antivirus, antispyware, Windows Updates, and so on). The SHA gives this report to the
NAP Agent. The SHA also performs system health updates as set forth by the
remediation process. Every SHA has a corresponding SHV on the NPS.
■ Statement of Health (SoH)  The report that the SHA creates. Each SHA creates its
own SoH with data on the elements that the SHA reports on (for example, Windows
Security elements, third-party antivirus, and so on).
■ System Statement of Health (SSoH)  A report that contains all SHA reports.
■ NAP Agent  This is a client-side agent that is built into Windows XP SP3 and later. It
unpacks SSoHRs and distributes the resulting SoHRs to the SHAs. It also packages SoHs
into one SSoH that is sent to the server.
These components work together as shown in Figure 10-22.

[Figure 10-22 diagram: on the client, the SHAs hand their SoHs to the NAP Agent, which builds the SSoH and passes it to the NAP EC; on the server, the NAP ES passes the SSoH to the NPS Service, which hands each SoH to the NPS Administration Server and its SHVs, consults the Network Policies, Health Policies, and RD CAPs, and returns the SSoHR down the same path; RD Gateway checks its RD RAPs after access is granted. The numbered arrows 1 through 10 correspond to the steps that follow.]

FIGURE 10-22  A client sends an SSoH, and the NPS responds with an SSoHR.
1. When a client requests remote access to a resource (a remote desktop session,
RemoteApp, or a VM), the client must send an SoH report to the NPS. The client SHAs
create the SoH report(s), and each SHA passes its SoH to the NAP Agent.

NOTE  There can be more than one active SHA and corresponding SHV at a time. For
example, you can implement third-party antivirus or antispyware SHAs and SHVs. For
the purposes of this chapter, use the built-in client-side Windows SHA (WSHA) and
server-side Windows SHV (WSHV), which monitor and report on the Windows Security
Center settings (Windows Firewall, Windows Updates, and so on).

2. The NAP Agent combines the SoHs into the SSoH and passes the SSoH to the NAP EC.
3. The NAP EC passes the SSoH, via RD Gateway, to the NAP ES, which hands it to the NPS.
4. The NAP ES passes the SSoH to the NPS Service, which unpacks the SSoH and passes
each resulting SoH to the NPS Administration Server (NPS AS) component.
5. NPS AS passes each SoH made by a client-side SHA to its corresponding SHV.
6. The SHV checks the SoH against its requirements and sends the resulting SoHR to the
NPS AS. The NPS AS passes the SoHR to the NPS Service.
7. The NPS Service compares the SoHR(s) against its network and health policies. It
locates the network policy (which also references a health policy) that best matches the
client health state. Health policies might look like the examples in Table 10-3.

TABLE 10-3  Example Health Policies That Describe the State of Connecting Clients

| HEALTH POLICY NAME | HEALTH POLICY DEFINITION            |
| Health-Policy-Pass | Client passes all SHV checks        |
| Health-Policy-Fail | Client fails one or more SHV checks |

NOTE  NPS needs access to AD DS to perform health validation for domain-joined
clients.

Each network policy not only references a health policy, it contains access restrictions
and remediation instructions as needed. Because of this, a client computer will always
match a network policy (pass, fail, or not capable of using NAP). For example,
Table 10-4 shows network policies referencing health policies and
dictating access and remediation accordingly.

TABLE 10-4  Example Network Policies That Reference Health Policies and Determine the Level of
Client Access

| NETWORK POLICY NAME         | HEALTH POLICY NAME          | NAP ENFORCEMENT |
| NAP-RD-Gateway-Pass         | Health-Policy-Pass          | Allow full access |
| NAP-RD-Gateway-Fail         | Health-Policy-Fail          | Limited access: auto-remediation, and access with device redirection disabled |
| NAP-RD-Gateway-NonNAPClient | Health-Policy-NonNAPCapable | Deny access |

The NPS Service creates an SSoHR that contains both its findings and the resultant
level of access (and, if you want, remediation instructions) and sends it to the NAP ES.
8. The NAP ES passes the report to the NAP EC on the client via RD Gateway.
9. The NAP EC sends the SSoHR to the NAP Agent.
10. The NAP Agent unpacks it and sends each SoHR made by a specific SHV to the
corresponding SHA.

If the policy and the client's health status are such that the client is allowed access to RD
Gateway, then access to RD Gateway is granted. RD Gateway then checks its RD RAPs. If an RD
RAP grants the client access to the requested resource, then the client is allowed to connect.
The network policy that the client matched also determines the type of device redirection
allowed.
NPS supports independent software vendors (ISVs) creating SHAs and corresponding
SHVs. The native Windows SHV (WSHV) contains settings concerning the status of the
categories shown in Table 10-5.

TABLE 10-5  Contents of the Windows Statement of Health

| SYSTEM HEALTH AGENT | EXAMPLE OF WSHV SETTINGS WITH WHICH THE CLIENT MUST COMPLY |
| Firewall Status     | The firewall must be enabled and currently running on all connections |
| Antispyware         | An antispyware application must be enabled and up to date |
| Antivirus           | An antivirus application must be enabled |
| Automatic Updates   | Auto-updating must be enabled |
| Security Updates    | The client must have checked for updates in the last 24 hours and must have Important and Critical updates installed |

The corresponding WSHA (remember, every SHV has a corresponding SHA), native to
clients running Windows XP SP3 and later, monitors the Windows Security Center settings.

NOTE  The NPS does not save any SoH client data, so every time that the client reports on
its state of health, the NPS will be looking only at the latest information. There's no cache
to go out of date.

RD Gateway and NAP Remediation

In Windows Server 2008, if a client did not comply with enforced network policy, the client
was locked out: the remediation that NAP supported was not available to RD Gateway
clients. In Windows Server 2008 R2, noncompliant clients can take advantage of NAP
remediation. When a client does not pass a health check and Auto-Remediation is enabled in the
matching network policy, the NAP Agent on the client will be instructed to make the necessary
changes to the client to make it compliant. For example, if the network policy requires that a
firewall be enabled, and the client uses Windows Firewall but it is turned off, the NAP Agent
on the client will attempt to turn it on. With the firewall now enabled, the next time the client
tries to connect, it will comply with the health policy and access will be granted to RD
Gateway. Windows Update can be instructed to get the latest updates from Windows Update
servers or from a Windows Server Update Services server. Windows Defender can be enabled
if the health policy requires an antispyware program be enabled and the client uses Windows
Defender. This is true for third-party software too, as long as it is registered with Windows
Security Center on the client.
If the clients to be auto-remediated need access to other servers to update themselves,
then those servers need to be accessible from outside the corporate network. For example,
if you specify that Windows Updates need to be current and a client needs to get some
updates to be compliant, and the way the client gets the updates is through Windows Server
Update Services (WSUS), then the WSUS server must be accessible from the Internet so the
remote client can get the updates. The same is true for third-party products. If your clients
have a third-party firewall that they use, and it is registered with Windows Security Center,
then the NAP Agent can report on its status.

CAUTION  If you use a third-party tool with a Windows equivalent and auto-
remediation cannot update the state of the third-party tool, then it will attempt to
update the state of the Windows equivalent. For example, if you have a third-party
firewall installed (but disabled) and auto-remediation cannot enable it, it will enable
Windows Firewall instead. This could lead to unexpected results.

That is how NAP works. The next section explains configuring RD Gateway and NPS to
use NAP to keep clients that don't meet system health policies away from RD Session Host
servers, VMs, and other computers with Remote Desktop enabled. A full discussion of NAP is
outside the scope of this book, so the information here concentrates on using NAP with RD
Gateway only.

NOTE  For a broader discussion of NAP, see Windows Server 2008 Networking and Network
Access Protection (NAP) (Microsoft Press, 2008), by Joseph Davies and Tony Northrup
with the Microsoft Networking Team.

Configuring NAP for Use with RD Gateway

In the following example, you will see how to make RD Gateway farm servers and a
centralized NPS server work together to store and enforce RD CAPs and to perform client system
health checks. To implement NAP with an RD Gateway farm and a centralized NPS, you need
to do the following:
■ Configure RD Gateway to work with NAP on the centralized NPS. This is the same setup
you go through when configuring RD Gateway to use a centralized RD CAP storage
location.
■ Configure the NPS server to accept connections from RD Gateway and to evaluate
incoming health reports.
■ Configure clients as NAP clients.
This example assumes an RD Gateway farm and a centralized NPS server. If you have only
one RD Gateway server and no separate NPS server, all setup will take place on the RD
Gateway server.

CONFIGURING RD GATEWAY TO WORK WITH CENTRAL NAP

To configure RD Gateway to work with central NAP, you need to do the following:
■ Configure each RD Gateway server's local NPS with a Remote RADIUS Server Group to
which the local NPS will forward requests.
■ Configure each RD Gateway server's local NPS with a Connection Request Policy to
forward connection requests to the Remote RADIUS Server Group.
■ Enable health policy checking on each RD Gateway server.
■ Note the RD Gateway SSL certificate Issued To name (shown on the SSL certificate) for
future use in NAP client setup.
First, set up each RD Gateway server to forward connection requests to the centralized
NPS. It will act as a RADIUS client, and the central NPS will act as the RADIUS server. Do this
by creating a remote RADIUS server group on each RD Gateway server, as follows.
1. Open NPS, right-click Remote RADIUS Server Groups, and choose New.
2. Enter a name for the group and add the central NPS server by clicking Add and
entering the central NPS server's FQDN into the Server input box.
3. Select the Authentication/Accounting tab and enter the shared secret that the RD
Gateway servers and the central NPS use to communicate. Use a long, random secret;
the integrity of the RADIUS traffic between the gateway and the NPS depends on it.
Then click OK.

NOTE  By default, when you set an RD Gateway server to store its RD CAPs on a
centralized NPS, it creates a remote RADIUS server group named TS GATEWAY SERVER GROUP.
If you have this group, then just edit it by double-clicking it and adding the FQDN of the
central NPS and the shared secret. Then click OK.

Next, make sure you have a Connection Request Policy configured in each RD Gateway
server's local NPS. This policy will forward connection requests to the remote RADIUS server
group that you configured in the previous step, as follows.
1. In the NPS Management Console, right-click the Connection Request Policies folder
and select New. Enter a policy name, and from the Type Of Network Access Server
drop-down box, choose Remote Desktop Gateway. Click Next.
2. Add the NAS Port Type condition by clicking Add and choosing NAS Port Type from the
bottom of the list. Click Add and then select the check box next to Virtual (VPN) and
click OK. Then click Next.
3. On the Specify Connection Request Forwarding page, select Authentication and then
select the Forward Requests To The Following Remote RADIUS Server Group For
Authentication option.
4. In the drop-down box, make sure the remote RADIUS server group that you created
earlier is selected. Click Next twice and click Finish.

NOTE  If you first installed RD Gateway and created RD CAPs using the wizard, then you
will already have a policy created for you called TS GATEWAY AUTHORIZATION POLICY.
You can just double-click the policy and change the Authentication setting to forward
requests to the remote RADIUS server group.

Next, enable health policy checking on RD Gateway. To do this, perform the following
steps.
1. Open RD Gateway Manager, right-click the server, and choose Properties.
2. On the RD CAP Store tab, select the Request Clients To Send A Statement Of Health
(SoH) check box. Click OK.

CAUTION  If you are using a single RD Gateway server instead of a central NPS
server, delete or disable any existing RD CAPs. During this process, you will create new ones
that will include health checking, and you don't want new policies conflicting with
old policies.

Note the Issued To name on the SSL certificate that you configured the RD Gateway server
to use. You will use this name in the NAP client configuration. The name is located on the SSL
Certificate tab in the RD Gateway Properties.

CONFIGURING THE CENTRALIZED NPS TO WORK WITH RD GATEWAY

To configure the centralized NPS to work with the RD Gateway servers and to provide health
checking, you need to do the following:
■ Configure WSHV settings to reflect the organization's definition of a healthy machine.
■ Add the RADIUS clients to NPS.
■ Add connection, network, and health policies to NPS.
First, configure the WSHV to reflect the health requirements you want computers to meet,
as follows.
1. To edit the WSHV in the NPS console, expand Network Access Protection, expand
System Health Validators, expand Windows Security Health Validator, and then highlight
Settings.
2. You can create a new WSHV settings configuration by right-clicking Settings and
choosing New. You can also edit the Default Configuration by double-clicking Default
Configuration in the right pane. Doing so opens the WSHV shown in Figure 10-23.

FIGURE 10-23  Windows Security Health Validator contains settings applying to Windows 7,
Windows Vista, and Windows XP clients.

3. WSHV includes tabs that pertain to configurations for Windows XP, Windows 7, and
Windows Vista clients. Select the boxes next to items you want to include as
requirements for clients to gain access to RD Gateway. If your company uses Windows XP,
Windows 7, and Windows Vista clients, then you need to set requirements on each of
the appropriate tabs. When you're done, click OK.
Next, configure the central NPS with RADIUS client information so that connection
requests can be received from the RD Gateway servers. You also need to configure the
connection, network, and health policies required for RD Gateway to use NAP.
Fortunately, there is a wizard that will perform these duties. The NAP Wizard will do the
following:
■ Add specified RD Gateway servers as RADIUS clients.
■ Create a Connection Request Policy that tells the NPS to process connection requests.
■ Create three network policies (RD CAPs): one for compliant computers, one for
noncompliant computers, and one for non-NAP-capable computers.
■ Create two health policies that will be referenced by the compliant and noncompliant
network policies.
Run the NAP Wizard and do the following.
1. On the central NPS, open the Network Policy Server console and select NPS (Local).
From the Standard Configuration section in the middle pane, choose Network Access
Protection (NAP) from the drop-down list and click the Configure NAP hyperlink to
open the Configure NAP Wizard shown in Figure 10-24.

FIGURE 10-24  Choose the type of connection for which you're configuring NAP.

2. From the drop-down list, choose Remote Desktop Services Gateway (RD Gateway).
Name your policy and click Next.
3. In the dialog box shown in Figure 10-25, add the RD Gateway servers that will act as
NAP RADIUS clients. You should add all RD Gateway servers in the farm, as shown in
Figure 10-25.

FIGURE 10-25  Add RD Gateway servers as NAP RADIUS clients.

Add RD Gateway servers by clicking Add and entering the information for an RD
Gateway server, as shown in Figure 10-26.

FIGURE 10-26  Add each RD Gateway as a NAP enforcement server.

Input a friendly name (for example, the FQDN of the RD Gateway server), enter and
verify each server's IP address, and type in the shared secret that will be used to join
the RADIUS client with the RADIUS server. Click OK. Do this for each RD Gateway server
in the RD Gateway farm. Click Next.

NOTE  The shared secret that you input here must match the shared secret that you
entered when you configured each RD Gateway server's remote RADIUS server group.

From here, the process is much like creating an RD CAP, with the addition of selecting
a WSHV.
4. Next, choose the device redirection settings to apply to the RD Gateway connecting
clients and select the authentication methods that they're allowed to use. For example,
the dialog box shown in Figure 10-27 is configured to allow password authentication
and device redirection, and to allow only clients supporting the redirection policies to use
RD Gateway. Click Next.

FIGURE 10-27  Configure the client device redirection and authentication methods.

5. On the next page, you can enable idle session timeouts and active session timeouts;
this mimics the same settings that are set when creating an RD CAP. Configure these
settings to your liking and then click Next.
6. On the next page, configure the user or computer group(s) that you want to allow to
use RD Gateway. Click Add User or Add Machine to choose user or computer groups.
Click Next.
7. Now, choose the System Health Validator to use with this configuration. In this
example, we edited the default Windows Security Health Validator (WSHV), so this is the
only one available. It is also selected by default.

NOTE  Although Windows Server 2008 R2 comes with only one SHV, the NAP model is
extensible. ISVs can write their own sets of rules to cover conditions not accounted for
in the default health validator.

Also on this page, choose what should happen when computers that are NAP-ineligible
attempt to connect. By default, they're denied access, but you can also permit
access and log the connection. Permitting them means that any client without a working
NAP Agent, including one whose agent has simply been stopped, skips the health check
entirely; if you allow it, at least log it. Click Next to move to the review page.
8. Finally, the wizard will show your options for your review, as shown in Figure 10-28. If
the RADIUS clients and policies are what you intended, click Finish.

FIGURE 10-28  Review your NAP enforcement policy settings and RADIUS client configuration
settings.

After the Configure NAP Wizard finishes, you will find that it created one connection
request policy, three network policies, and two health policies. These policies work together,
first to accept connection information from RD Gateway, and then to evaluate whether clients
requesting a connection to RD Gateway should be allowed or denied based on the health of
the computer from which they are connecting, as well as the computer account and user
account from which the client initiates the connection.
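Once the wizard's policies are live, the Security log on the central NPS is where you see which network policy each gateway request matched. The following PowerShell is an added example (not from the book) that summarizes those decisions. It reads the NPS audit events 6272 (access granted), 6273 (access denied), 6276 (user quarantined, the event cited earlier for the RAP store), 6277 (access granted on probation because the host did not meet health policy), and 6278 (access granted, health policy met), which the Network Policy Server audit subcategory records by default. The EventData field names it picks out (SubjectUserName, ClientName, NetworkPolicyName, Reason) are assumptions and are read defensively, so an absent field simply shows as empty.

```powershell
# Added example (not from the book): summarize NPS policy decisions on the central NPS.
function Get-NpsDecisionSummary {
    param([int]$Hours = 24)
    # 6272 granted, 6273 denied, 6276 quarantined, 6277 granted on probation, 6278 granted (healthy)
    $filter = @{ LogName   = 'Security'
                 Id        = 6272, 6273, 6276, 6277, 6278
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read every <Data Name="..."> element of the event into a hashtable. The field names
        # are an assumption, so they are looked up by name rather than by position.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $name = $d.GetAttribute('Name')
            if ($name) { $data[$name] = $d.InnerText }
        }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            Id            = $_.Id
            User          = $data['SubjectUserName']
            RadiusClient  = $data['ClientName']          # the RD Gateway's friendly name
            NetworkPolicy = $data['NetworkPolicyName']   # e.g. the Compliant / Non-Compliant policy
            Reason        = $data['Reason']
        }
    }
}

# Decisions grouped by outcome and policy; the 6273 and 6276 groups show who is kept out and why.
Get-NpsDecisionSummary -Hours 24 |
    Group-Object Id, NetworkPolicy |
    Select-Object Count, Name |
    Sort-Object Count -Descending

# A gateway whose shared secret does not match the central NPS never gets this far: the
# request is discarded before any policy is evaluated, so no 627x event is written for it.
# Users refused at the gateway with nothing here points at the shared secret, not the policies.
```

Run it after the first test connections from each gateway: every farm member should appear as a RadiusClient, and a healthy test client should land in the Compliant policy rather than the Non-NAP-Capable one.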
F gure 10-29 shows the re at onsh ps among these po c es Th s s what each type of po cy
does
■ The Connect on Request po cy a ows RD Gateway to send connect on requests to
NPS

Creat ng a Redundant RD Gateway Configurat on CHAPTER 10 567

www.it-ebooks.info
■ Each of the three Network Po c es conta ns nformat on on the computer accounts and
user accounts from wh ch t accepts connect ons, as we as spec fics on sess on t meout
dev ce red rect on In other words, a network po cy shou d be very fam ar to you— t
s what an RD CAP rea y s
■ The two hea th po c es—one a “pass ng” po cy, the other a “fa ng” po cy—
determ ne the hea th of a computer request ng connect on to RD Gateway Us ng
spec ficat ons that are set n the WSHV, the connect ng c ent’s SoH s eva uated It w
a ways meet the requ rements of one of these po c es (that s, t w e ther pass or fa )

[Figure 10-29 diagram. Connection Request Policy: allows connection request information to be sent from RD Gateway to NPS. It feeds three Network Policies: Compliant (client meets condition Health Policy Compliant and is given full access to the network), Non-Compliant (client meets condition Health Policy Non-Compliant and is given limited access to the network), and Non NAP Capable (client meets condition NAP Non Capable and is given limited access to the network). Health Policy Compliant: client passes all requirements specified in the Windows Security Health Validator (WSHV). Health Policy Non-Compliant: client does not pass all requirements specified in the WSHV.]

FIGURE 10-29  The relationships of policies created by the NAP Wizard make sure that a remote client will
always meet the requirements of one network policy.

NAP clients will always fall into one of three scenarios shown in Figure 10-29. The client
will meet the conditions specified in the Compliant or Non-Compliant network policy, or they
will not be NAP-capable and therefore meet the condition of the Non-NAP-Capable network
policy. The computers that meet the requirements for the Compliant network policy will be
given full access to RD Gateway. Those computers that meet the requirements for either of
the other two policies will be given the amount of access specified by the NAP Enforcement
settings in each network policy respectively. NAP Enforcement settings were configured by
the wizard, but you can tweak them as you see fit. They are located in each network policy on
the Settings tab. Select NAP Enforcement.

CONFIGURING REMEDIATION SETTINGS


When you’re trying to connect to the network through RD Gateway, it’s helpful if a computer
that doesn’t meet the health policy can be fixed so that it does rather than the user just being
told that it can’t connect. NAP-enabled clients running RDC 7.0 and later can take advantage
of auto-remediation. Clients running older versions of RDC cannot take advantage of auto-
remediation, but they can still have their SoH evaluated.
NAP auto-remediation settings are configured automatically when you run the NAP Wiz-
ard and you create the three network policies. To see them, open the Network Policy Server
Management tool on the NPS server, expand Policies, select Network Policies, and double-
click the NAP RD Gateway Noncompliant policy. Select the Settings tab, and in the left pane,
click NAP Enforcement. You will see that the Allow Limited Access option is selected, along
with the Enable Auto-Remediation Of Client Computers check box. You can turn auto-
remediation on for other policies as well by checking the Enable Auto-Remediation Of Client
Computers check box.
Your clients need access to other services from other servers to become compliant—for
example, they could be noncompliant because their virus signatures are out of date or they
need Windows Updates. A server used for NAP remediation is called a remediation server. A
remediation server must be available independently of RD Gateway for obvious reasons, and
you’ll need to tell clients about them. Create a remediation server group in NPS and then add
the group to your NAP Non-Compliant policy so that clients that match this policy will know
where to go for remediation.
To configure remediation groups from the NPS Management console, follow these steps.
1. Expand Network Access Protection, right-click Remediation Server Group, and choose
New.
2. Enter a name for the group. Add the remediation servers by clicking Add and entering
a descriptive name for the server and its publicly available FQDN or IP address (re-
member that you can’t use RD Gateway to get to a remediation server). Then click OK.

NOTE  You can also create Remediation Server Groups by clicking New Group on this
same screen.

After you create a remediation server group, add it to the NAP RD Gateway Non-Compli-
ant policy by following these steps.
1. Double-click the network policy, select the Settings tab, and select NAP Enforcement.
2. In the Remediation Server Group And Troubleshooting URL section, click Configure.
3. In the resulting dialog box, select the remediation server group from the drop-down
list and click OK.
On the network policy Settings NAP Enforcement panel, notice that you can also enter a
Troubleshooting URL when you click the Configure button in the Remediation Server Group
And Troubleshooting URL section. Add a URL to a website that tells users how to update their
machines to come into compliance with the corporate system health policies.

CAUTION  If you enable auto-remediation, do not add a troubleshooting URL to
your noncompliant policy. This might look helpful, but if you do, auto-remediation is
not performed on the client; instead, the client is just denied access.

CONFIGURING NAP ENFORCEMENT CLIENTS


For clients to be checked against NAP policies, you must perform the following steps:
■ Enable the NAP client.
■ Enable the RD Gateway Quarantine enforcement client (which tells the client to com-
municate the computer health status to the NPS).
■ Add the RD Gateway to the Trusted Gateways list on the client.
■ Add the RD Gateway certificate in Trusted Root Certification Authorities of the local
computer certificate store.

NOTE  Although online documentation on whether Windows Server 2008 can be a NAP
client is conflicting, it cannot be a NAP client for RD Gateway using only components that
come with the operating system. This is because the WSHA is not supported on Windows
Server 2008. It is possible that you could integrate a third-party SHV and SHA and then use
Windows Server 2008 as a NAP client for RD Gateway.

NOTE  Windows Vista has the NAP client enabled by default. Windows XP SP3 and
Windows 7 do not. Enable it by starting the Network Access Protection Agent service and
then restarting the computer.

Enable the RD Gateway Quarantine enforcement client by adding the NAP Client Configu-
ration snap-in to an MMC. Click Enforcement Agents, right-click the RD Gateway Quarantine
enforcement client, and click Enable. An easier way to do this is to open an elevated com-
mand prompt and run this command:

netsh nap client set enforcement ID = "79621" Admin = "Enable"

NOTE  There is no NAP Client Configuration snap-in for Windows XP, so enable the RD
Gateway Quarantine enforcement client by using the command line.

Add the RD Gateway to the Trusted Gateways list by opening Regedit.exe and navigating
to HKLM\SOFTWARE\Microsoft\Terminal Server Client\TrustedGateways. Add a new string
value called GatewayFQDN. Then double-click GatewayFQDN and enter the FQDN name of
the RD Gateway.
Easier yet, Microsoft provides a script that performs all these tasks. Download the text file
Tsgqecclientconfig.txt (http://www.microsoft.com/downloads/details.aspx?familyid=cb986639-20e5-4f16-8e48-be68d23dc888&displaylang=en) and rename
it Tsgqecclientconfig.cmd. You will need to run the script with elevated privileges. Open an
elevated command prompt, navigate to the directory where the script resides, and type
tsgqecclientconfig <RD Gateway FQDN>. Successful results look like this:

tsgqecclientconfig.cmd rdgateway.ilove2ski.net
Setting the list of trusted TS Gateway servers to rdgateway.ilove2ski.net ...
The operation completed successfully.
Enabling the TS Gateway Quarantine Enforcement Client
The operation completed successfully.
Setting the Network Access Protection service startup type to Automatic...
[SC] ChangeServiceConfig SUCCESS
Starting the Network Access Protection service...
The Network Access Protection Agent service is starting.
The Network Access Protection Agent service was started successfully.

Restart the computer, and you’re done.

ON THE COMPANION MEDIA  The link to the Tsgqecclientconfig file is also located
on the companion media.
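The same three client-side settings (Trusted Gateways registry value, enforcement client 79621, and the NAP Agent service) can be applied from PowerShell. The following function is an added example, not the book's script and not Microsoft's Tsgqecclientconfig.cmd; it assumes an elevated PowerShell prompt on the client, the registry path and enforcement-client ID given in this section, and the service name napagent for the Network Access Protection Agent.

```powershell
# Added example (not from the book or Microsoft): make a client report its
# Statement of Health to RD Gateway. Run from an elevated PowerShell prompt.
# Assumptions: registry path and enforcement-client ID 79621 as in the chapter;
# the Network Access Protection Agent service is named napagent.

function Set-RdGatewayNapClient {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$GatewayFqdn
    )

    # 1. Trusted Gateways list: a REG_SZ value GatewayFQDN under the Terminal Server Client key.
    $trustedKey = 'HKLM:\SOFTWARE\Microsoft\Terminal Server Client\TrustedGateways'
    if (-not (Test-Path $trustedKey)) {
        New-Item -Path $trustedKey -Force | Out-Null
    }
    New-ItemProperty -Path $trustedKey -Name 'GatewayFQDN' -Value $GatewayFqdn -PropertyType String -Force | Out-Null

    # 2. Enable the RD Gateway Quarantine Enforcement Client (ID 79621) through netsh.
    & netsh nap client set enforcement ID=79621 Admin=Enable | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh could not enable enforcement client 79621 (exit code $LASTEXITCODE)"
    }

    # 3. Make the NAP Agent service start automatically and make sure it is running now.
    Set-Service -Name 'napagent' -StartupType Automatic
    $svc = Get-Service -Name 'napagent'
    if ($svc.Status -ne 'Running') {
        Start-Service -Name 'napagent'
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    }

    # Report what is now configured so the caller can check it before rebooting.
    New-Object PSObject -Property @{
        GatewayFqdn       = (Get-ItemProperty -Path $trustedKey -Name 'GatewayFQDN').GatewayFQDN
        NapAgentStatus    = (Get-Service -Name 'napagent').Status
        NapAgentStartMode = (Get-WmiObject Win32_Service -Filter "Name='napagent'").StartMode
    }
}

# Usage; the gateway name is the chapter's sample name, substitute your own.
Set-RdGatewayNapClient -GatewayFqdn 'rdgateway.ilove2ski.net'
# Restart the computer afterwards, as the chapter says.
```

The function is idempotent, so it can be re-run on a client whose state is unknown; the returned object shows the three settings the later netsh checks and Napstat.exe will be looking at. Adding the RD Gateway certificate to the local computer's Trusted Root store is deliberately not automated here, because that step should only be done for a certificate you have verified out of band.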

Testing NAP with RD Gateway


To test NAP with RD Gateway, configure a client to match each of the three network policies
(Compliant, Noncompliant, and Non-NAP-capable) and then try to connect to an RDS re-
source through RD Gateway. When testing each client configuration, check the system event
logs on the NPS. Each connection should log successes or failures with details about what
NAP network policy the client matched and why they denied access (if that is the case). Secu-
rity Event IDs to look for are Event ID 6276 and Event ID 6272. Security Event IDs will show the
status of Audit Success even if the client is denied access to RD Gateway because, technically,
a noncompliant client matched a network policy. You will need to look at the details of these
event logs to see which policy the client matched, what connection authentication they used,
and other connection details.
NOTE  Some NPS-related events are listed in the System Event log, but most connection-
related event logs are located in the Security Event log.

AUTO-REMEDIATING NON-COMPLIANT CLIENTS


Clients that match the NAP RD Gateway Noncompliant policy will not be able to connect ini-
tially, even if configured as NAP Enforcement. They must first be brought into compliance. As
shown in Figure 10-30, the client receives a message telling them that the computer did not
meet the NAP health requirements.

FIGURE 10-30  If your computer does not comply with NAP health policies, you will see this error message
when attempting to connect.

If you have kept the default configuration of this network policy and auto-remediation is
enabled, then the NAP Agent will display a message telling you that it is trying to bring your
computer into compliance. For example, if your WSHV requires that the firewall on the client be
enabled and it is not, then the NAP Agent will attempt to turn it on, as shown in Figure 10-31.

FIGURE 10-31  The WSHV will send instructions to the NAP Agent to get it to enable the Windows
Firewall.

NOTE  If you do not see this message on the client, open a command prompt and run
Napstat.exe to invoke the NAP Agent.

If the NAP Agent is successful, it will report that it has updated the computer and that the
computer is now NAP-compliant, as shown in Figure 10-32.

FIGURE 10-32  After the client is updated and is NAP compliant, the user can try the connection request
again.

After the client has been updated and made compliant with the health policies, then the
user can retry the connection. This time, the computer will match the NAP-Compliant net-
work policy and the client will be able to connect to RD Gateway. Because the health policy
is part of the connection policy, the RD Gateway will just have to check its RD RAPs before
permitting the final connection.

Troubleshooting Declined Connections


You’ve set up the RD CAPs, RD RAPs, and network policies, but people still can’t connect. Why
not?
All too often, the error messages for a denied logon are cryptic. You know that a user was
denied a connection to RD Gateway, but you don’t know why. The Event Logs on both the RD
Gateway server(s) and the NPS can help you find the source of the problem.

Identifying RADIUS Errors


For instance, if you have a fundamental problem between the RADIUS client (RD Gateway)
and the NPS (if run on a separate computer), you will receive an error telling you that the
connection was denied because the client did not meet the connection authorization require-
ments. Naturally, you will suspect that an RD CAP is blocking access. But in some cases, a
problem between the RADIUS client and server might exist. To determine the real reason for
a blocked connection, correlate the event logs in these three Event Viewer log places:
■ In the RD Gateway server log located at Applications and Services Logs/Microsoft/
Windows/Terminal Services-Gateway/Operational. The denied connection will show
up in this log as Event ID 201. You can see who tried to log on and generally why they
were denied. Correlate this with the following Security log located at Windows Logs/
Security. Look for Audit Failure log entries (event IDs 6273 and 6274) that correspond
to the attempted logon time. Scroll to the bottom of these logs to find a reason code
and a reason for the blocked connection.
■ In the NPS Event Viewer. Check the System log for events with a source of NPS. For
instance, if your RADIUS clients have dual NICs and they start communicating with the
NPS from the wrong one (meaning that they are using an IP address not specified in
the RADIUS Client field in the NPS Console), you will see Event ID 13 in your event logs.

Identifying RD RAP Errors


Connections that are blocked due to RD RAP policies are often simple. If a user is blocked
by an RD RAP, he or she simply doesn’t belong to a group that has access to the requested
resource. The event is logged on the RD Gateway server at Applications and Services Logs/Mi-
crosoft/Windows/Remote Desktop Services-Gateway/Operational.
RD RAPs can be tricky, though. You need to make sure that people connecting to resources
can get to the resources along the way that the user might encounter before they reach their
ultimate destination.
For example, if publishing pooled VMs, you must add not only the VMs to the RD RAP but
also the redirector because the connection goes to the redirector first. If you don’t add the
redirector, the connection can’t be redirected. The errors will be subtly different depending
on the operating system on the client.
Connecting from a Windows 7 client will result in Event 301 being logged in the Operational
log:

The user "ASH\kristin.griffin", on client computer "10.10.10.1", did not meet resource
authorization policy requirements and was therefore not authorized to resource
"humpback.ash.local". The following error occurred: "23002".

Connecting from a Windows XP client will also result in Event 301 being logged in the Op-
erational log, but notice that the resource name is the downlevel DNS name of the redirector:

The user "ASH\hao.chen", on client computer "10.10.10.1", did not meet resource
authorization policy requirements and was therefore not authorized to resource
"humpback-vmredir". The following error occurred: "23002".

To do this in the easiest way, create an RD Gateway-managed group to accommodate
both DNS names (the regular one and the one used for clients running Windows XP) for the
purposes of redirection and then add the group to an RD RAP.
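The three logs named in the preceding sections (the RD Gateway operational log for events 201 and 301, the Security log for NPS events 6273 and 6274, and the System log for NPS event 13, plus the 6272/6276 audit events from the NAP testing section) can be pulled together in one query. The following script is an added example, not code from the book; it assumes it runs with administrative rights on the RD Gateway host (or on the NPS for the Security and System parts), uses the Windows Server 2008 R2 log name Microsoft-Windows-TerminalServices-Gateway/Operational, and parses the Event 301 message wording shown above with a regular expression.

```powershell
# Added example (not from the book): collect the denial-related events the chapter
# names and break the Event 301 message text into fields for correlation.
# Assumptions: administrative rights; Windows Server 2008 R2 log and provider names.

function ConvertFrom-RdGatewayDenialMessage {
    # Extracts user, client IP, resource and error code from an RD Gateway
    # authorization-failure message (the wording shown in the chapter).
    param([string]$Message)
    $pattern = '(?s)The user "(?<User>[^"]+)", on client computer "(?<Client>[^"]+)".*?' +
               'not authorized to resource "(?<Resource>[^"]+)"\..*?' +
               'error occurred: "(?<Error>\d+)"'
    if ($Message -match $pattern) {
        return New-Object PSObject -Property @{
            User      = $matches.User
            Client    = $matches.Client
            Resource  = $matches.Resource
            ErrorCode = $matches.Error
        }
    }
    return $null
}

function Get-RdGatewayConnectionEvents {
    # Correlates the logs the chapter points to, newest first.
    param([datetime]$Since = (Get-Date).AddHours(-24))
    $queries = @(
        # RD Gateway: 201 = CAP denial, 301 = RAP denial
        @{ LogName = 'Microsoft-Windows-TerminalServices-Gateway/Operational'; Id = 201, 301; StartTime = $Since },
        # NPS Security audits: 6272/6276 granted or quarantined, 6273 denied, 6274 discarded
        @{ LogName = 'Security'; Id = 6272, 6273, 6274, 6276; StartTime = $Since },
        # NPS System log: 13 = request from an IP that is not a registered RADIUS client
        @{ LogName = 'System'; ProviderName = 'NPS'; Id = 13; StartTime = $Since }
    )
    $queries | ForEach-Object {
        $q = $_
        # Get-WinEvent throws when nothing matches; treat that as "no events".
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue | ForEach-Object {
            $parsed = ConvertFrom-RdGatewayDenialMessage -Message $_.Message
            if (-not $parsed) {
                $parsed = New-Object PSObject -Property @{ User = $null; Client = $null; Resource = $null; ErrorCode = $null }
            }
            New-Object PSObject -Property @{
                TimeCreated = $_.TimeCreated
                Log         = $q.LogName
                Id          = $_.Id
                User        = $parsed.User
                Client      = $parsed.Client
                Resource    = $parsed.Resource
                ErrorCode   = $parsed.ErrorCode
                Message     = $_.Message
            }
        }
    } | Sort-Object TimeCreated -Descending
}

# Parsing check on a constructed copy of the Event 301 text shown in the chapter.
$sampleMessage = 'The user "ASH\kristin.griffin", on client computer "10.10.10.1", did not meet resource ' +
                 'authorization policy requirements and was therefore not authorized to resource ' +
                 '"humpback.ash.local". The following error occurred: "23002".'
ConvertFrom-RdGatewayDenialMessage -Message $sampleMessage

# Live correlation over the last day, grouped by the client that was refused:
Get-RdGatewayConnectionEvents | Select-Object TimeCreated, Log, Id, User, Client, Resource, ErrorCode |
    Sort-Object Client, TimeCreated | Format-Table -AutoSize
```

Sorting the merged output by client address and time puts an RD Gateway 201 next to the NPS 6273 (or a System 13) that was raised for the same attempt, which is the correlation the text asks you to do by hand in Event Viewer; an Event 301 whose Resource is the redirector's name rather than the VM is the pooled-VM case described above.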

Identifying NAP Errors
Connections that are blocked due to NAP policies are fairly straightforward. The log files are
found in two places:
■ On the NPS, open Event Viewer, expand Custom Views/Server Roles, and click Network
Policy And Access Services. This custom event log view contains all the event logs per-
taining to NPS, including accounting events that occur on this server.
■ By default, NPS logs accounting and authentication requests to a log file located at
%SystemRoot%\System32\LogFiles. To adjust which events are logged or other settings
such as the log location, open the Network Policy Server console, click Accounting, and
then click the Configure Local File Logging link.
If you are having problems with your NAP health policy setup or remediation, the follow-
ing troubleshooting tips can help:
■ If your clients match only the NAP-Non-Capable network policy and they are really
NAP-Capable clients, and your NAP client setup is correct, then you might have missed
configuring each RD Gateway to request clients to send an SoH. Because no SoH is
sent, the client is seen as Non-NAP-Capable. To fix this, on each RD Gateway server,
in the RD Gateway Manager, right-click the server and select Properties. Navigate to
the RD CAP Store tab and make sure that the Request Clients To Send A Statement of
Health check box is selected.
■ Running the Napstat.exe command at a command prompt shows the current NAP
Agent status on the client. You can use this to see exactly what the NAP Agent is ac-
complishing when the client attempts to connect to a remote desktop resource.
■ Use the following commands on each client to make sure that the NAP client configu-
ration is correct:

• netsh NAP client show state  Tells you if the NAP agent service is running. It
should be. If it is not, then enable the service.

• netsh NAP client show group  If you used Group Policy to set up the NAP client
configuration, verify that the enforcement client is enabled via Group Policy by run-
ning this command. The enforcement client should return the following data:

Name = RD Gateway Quarantine Enforcement Client
ID = 79621
Admin = Enabled

• netsh nap client show config  If you manually set up the NAP client configura-
tion, verify that the enforcement client is enabled via the local policy by running this
command. The enforcement client should return the following data:

Name = RD Gateway Quarantine Enforcement Client
ID = 79621
Admin = Enabled

■ NAP client event logs could show you errors to help you correct client-side NAP issues.
The NAP client event logs are located at Application and Services Logs/Microsoft/Win-
dows/Network Access Protection/Operational.
■ If the client NAP Agent is configured correctly and your network policies are working
except for auto-remediation, check to see if you have both enabled auto-remediation
and set a remediation server group and troubleshooting URL in the noncompliant
policy. You cannot have a URL set and have auto-remediation work at the same time.
■ Look in the System and Security Event Logs on the NPS for events pertaining to suc-
cessful and declined connections.
■ For auto-remediation to work, the client must be able to modify the firewall and other
security settings. Make sure that Group Policy is not blocking the client from taking
remediation action.
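The netsh checks in the list above can be scripted so that a help desk can run one command on a client and get a yes/no answer. The following is an added example, not code from the book; it parses the Name/ID/Admin stanzas that netsh nap client show config (and show group) print for each enforcement client, looks for ID 79621 from this section, and reports the NAP Agent service state. The sample netsh output embedded in it is constructed and abbreviated; a real listing contains more sections, which the parser ignores because it only keeps stanzas that carry an ID line.

```powershell
# Added example (not from the book): verify the RD Gateway NAP client state.
# Assumptions: netsh output uses "Name = / ID = / Admin =" stanzas separated by
# blank lines (as in the chapter's excerpt); the NAP Agent service is napagent.

function ConvertFrom-NetshEnforcementList {
    # Turns the Name/ID/Admin stanzas of netsh output into objects. Only stanzas
    # that contain an ID line are kept, so unrelated "Name =" lines are ignored.
    param([string[]]$Lines)
    $result  = @()
    $current = @{}
    foreach ($line in ($Lines + '')) {          # trailing '' flushes the last stanza
        if ($line -match '^\s*(Name|ID|Admin)\s*=\s*(.+?)\s*$') {
            $current[$matches[1]] = $matches[2]
        } elseif ($line.Trim() -eq '') {
            if ($current.ContainsKey('ID')) {
                $result += New-Object PSObject -Property $current
            }
            $current = @{}
        }
    }
    return ,$result
}

function Test-RdGatewayEnforcementClient {
    # Returns 'Enabled', 'Disabled' or 'Missing' for enforcement client 79621.
    param([string[]]$NetshOutput)
    $client = ConvertFrom-NetshEnforcementList -Lines $NetshOutput |
        Where-Object { $_.ID -eq '79621' } | Select-Object -First 1
    if (-not $client) { return 'Missing' }
    if ($client.Admin -eq 'Enabled') { return 'Enabled' }
    return 'Disabled'
}

function Get-RdGatewayNapClientStatus {
    # Live check: combines the netsh result with the service state.
    $config = & netsh nap client show config
    New-Object PSObject -Property @{
        EnforcementClient79621 = Test-RdGatewayEnforcementClient -NetshOutput $config
        NapAgentService        = (Get-Service -Name 'napagent').Status
    }
}

# Constructed, abbreviated sample of "netsh nap client show config" output,
# written so that the RD Gateway client shows as enabled.
$sample = @'
Enforcement clients:
----------------------------------------------------
Name                   = DHCP Quarantine Enforcement Client
ID                     = 79617
Admin                  = Disabled

Name                   = RD Gateway Quarantine Enforcement Client
ID                     = 79621
Admin                  = Enabled
'@ -split "`r?`n"

Test-RdGatewayEnforcementClient -NetshOutput $sample

# On a real client:
Get-RdGatewayNapClientStatus
```

If the function answers Missing on a client where Group Policy manages NAP, run the same parser over netsh nap client show group instead, which is the distinction the two bullets above draw between local and Group Policy configuration.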

Placing RD Web Access and RD Gateway


RD Web Access is a good way to make RemoteApp programs available to users when it is
impractical to distribute RDP files. To provide secure Internet access to RemoteApp programs
through RD Web Access, you can publish RemoteApp programs to use RD Gateway. This sec-
tion will focus on the placement of both RD Web Access and RD Gateway in your network.

NOTE  Regardless of whether you place the RD Web Access server in a perimeter network
or on the internal network, it’s a good idea to replace the self-signed SSL certificate on the
RD Web Access server with one signed by a public CA so that users can continue to have an
encrypted session with the website and also be able to trust the certificate without having
to manually add the website SSL cert to their trusted root store. As explained in Chapter 4,
“Deploying a Single Remote Desktop Virtualization Host Server,” a fresh install of the RD
Web Access website will configure the site as a secured site, using a self-signed SSL certifi-
cate. Although this is fine for testing, using self-signed certificates is not recommended in
production environments.

RD Gateway also uses SSL certificates to encrypt communication. We recommend SSL
certificate options for both RD Gateway and RD Web Access, depending on their location in
the network.

RD Web Access for External Access


One popular use of RD Web Access is to make RemoteApp programs easily available to users
outside your network.
If you have a perimeter network, then it is wise to place the RD Web Access server in the
perimeter to minimize your attack surface. That way, if your web server is compromised, your
internal network will not be. You can also put RD Web Access in the internal network and
publish the website through ISA/TMG or another firewall appliance. You can configure the RD
Web Access website to have the same URL for both internal and external access, or create a
separate URL for internal and external use.
If both internal and external users get RemoteApp programs from RD Web Access, you can
provide the same external URL to people connecting from inside and outside the network.
External users will resolve the URL through public DNS servers. For internal users to resolve
this external URL, you will need to take one of the following approaches, split DNS or DNS
doctoring, as follows:
■ Split DNS creates a zone in your internal DNS servers for the external domain. You add
an entry that maps the external DNS name to the internal IP address of the RD Web
Access site.
■ At a high level, DNS doctoring maps internal and external addresses (you’ll need to make
sure your firewall supports this). An internal network client connects to an external DNS server
for DNS resolution, and the external DNS server responds to the query. The firewall sees that
the external DNS resolution IP address really translates to an IP address on the internal net-
work. The firewall intercepts the DNS resolution response from the external DNS server and
replaces it with the internal address.
The common name of your SSL certificate should reflect the external name of the website as follows:
■ Obtain a regular SSL certificate with the common name in the form <external-DNS-
hostname>.<external-domain-name>.<top-level-domain-name>. For example,
rdweb.ilove2ski.net.
■ You could also use a wildcard SSL certificate with a common name reflecting the exter-
nal domain space, such as *.ilove2ski.net.

NOTE  To save money, you can get a wildcard certificate that references the external
domain name space and use it for both RD Gateway and RD Web Access, as well as to sign
RemoteApps.

Alternatively, you could set up the RD Web Access server to use one URL for internal use
and one for external use. To accomplish this, you can obtain a Subject Alternative Name (SAN)
certificate. A SAN certificate (also known as a Unified Communications Certificate, or UCC
certificate) contains multiple subjects. When you apply the SAN certificate to the website, the
certificate will match both internal and external URLs, so a user won’t get warning messages
when trying to connect. For instance, in this example, the test environment internal domain
name is Ash.local, but for users outside the internal network, the domain name Ilove2ski.net is
used. So you would use a SAN SSL certificate on the RD Web Access website with the follow-
ing two subjects: Apps.ash.local and Rdweb.ilove2ski.net.
SAN certificates are more expensive. If your budget will not accommodate a SAN cer-
tificate, you could use a standard SSL certificate (with one common name), allow HTTP and
HTTPS access to the website, and then block port 80 at the firewall. This means that internal
users could access an internal unencrypted HTTP address (no SSL certificate needed), and
external users would still have to use an encrypted HTTPS address. Of course, this assumes
that your company security policy allows unencrypted access to intranet sites from inside the
corporate network.

NOTE  See the Additional Resources at the end of this chapter for links to information on
DNS doctoring and SAN/UCC certificates.
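Whichever certificate option you pick (single common name, wildcard, or SAN/UCC), the failure mode is the same: a name that users type is not covered, and they get a warning. The following script is an added example, not code from the book; it reads the subject CN and the Subject Alternative Name extension of each certificate in the local machine store and reports which required names are not covered. The two required names are the chapter's sample names, apps.ash.local and rdweb.ilove2ski.net, and the wildcard rule (one label only, so *.ilove2ski.net covers rdweb.ilove2ski.net but not a.b.ilove2ski.net) is the standard browser behaviour. The parsing of the SAN extension assumes the Windows rendering "DNS Name=..." that X509Extension.Format produces.

```powershell
# Added example (not from the book): does a certificate cover every hostname
# users will use for RD Web Access (internal and external)?
# Assumptions: required names are the chapter's sample names; SAN text format is
# the Windows one ("DNS Name=apps.ash.local, DNS Name=rdweb.ilove2ski.net").

function Test-DnsNameMatch {
    # Does $Pattern (a CN or SAN entry, possibly "*.example.net") cover $Name?
    param([string]$Name, [string]$Pattern)
    if ($Pattern.StartsWith('*.')) {
        $suffix = $Pattern.Substring(1)                                    # ".example.net"
        if (-not $Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
        $label = $Name.Substring(0, $Name.Length - $suffix.Length)
        return ($label.Length -gt 0 -and -not $label.Contains('.'))       # exactly one label
    }
    return [string]::Equals($Name, $Pattern, [StringComparison]::OrdinalIgnoreCase)
}

function Get-CertificateDnsNames {
    # Subject CN plus every "DNS Name=" entry of the SAN extension (OID 2.5.29.17).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = @()
    $cn = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    return ,@($names | Select-Object -Unique)
}

function Test-CertificateCoversNames {
    # Returns the required names the certificate does NOT cover (empty = suitable).
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string[]]$RequiredNames
    )
    $present = Get-CertificateDnsNames -Certificate $Certificate
    $missing = @()
    foreach ($req in $RequiredNames) {
        $covered = $false
        foreach ($p in $present) {
            if (Test-DnsNameMatch -Name $req -Pattern $p) { $covered = $true }
        }
        if (-not $covered) { $missing += $req }
    }
    return ,$missing
}

# Usage on the RD Web Access server: list every machine certificate and whether it
# would satisfy both the internal and the external URL without a warning.
$required = 'apps.ash.local', 'rdweb.ilove2ski.net'
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $missing = Test-CertificateCoversNames -Certificate $_ -RequiredNames $required
    New-Object PSObject -Property @{
        Thumbprint = $_.Thumbprint
        Subject    = $_.Subject
        Missing    = ($missing -join ', ')
        Suitable   = ($missing.Count -eq 0)
    }
} | Format-Table Suitable, Missing, Subject, Thumbprint -AutoSize
```

A wildcard certificate for *.ilove2ski.net will show apps.ash.local as missing, which is exactly why the text reaches for a SAN certificate (or for the split HTTP/HTTPS arrangement) when internal and external URLs live in different domains; the same check can be run against the RD Gateway certificate with the gateway FQDN as the required name.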

RD Gateway Inside the Private Network


If you do not have a perimeter network, you can put RD Gateway in the internal network, as
shown in Figure 10-33, with only port 443 opened in the firewall. The firewall permits incom-
ing traffic to the RD Gateway on port 443 (SSL), and the gateway processes the incoming
connections to make sure that they’re permitted to access the network. When complete, the
RD Gateway routes the connections to the resource via port 3389 (RDP).
Putting RD Gateway inside the network enables RD Gateway to communicate directly
with AD DS so that it can pull its user and computer groups from a central location. (Without
this ability, you’ll need to set up local user groups and can’t use domain computer groups to
create RD CAPs and RD RAPs.) However, it also means that when an incoming connection is
permitted, the network is wide open. You can restrict incoming connections to port 3389, and
you can restrict the list of servers that the incoming connections can use. However, you can’t
easily define a set of permitted ports to use after the connection makes it inside the network.
More important, if malicious code could reach RD Gateway and RD Gateway is compro-
mised, the private network is vulnerable.

NOTE  See the Direct from the Source sidebar entitled “TMG and RD Gateway Topology
Scenarios” later in this chapter for information on protecting RD Gateway positioned in the
internal network.

[Figure 10-33 diagram. Remote Client, SSL tunnel on port 443, enters the Internal Network through a firewall with port 443 open. Inside: AD DS and RD Gateway. RD Gateway opens RDP sessions on port 3389 to RD Virtualization Host servers (Pooled VMs, Personal VMs), an RD Session Host server farm (RemoteApp, Full Desktop Session), and Desktop Computers.]

FIGURE 10-33  RD Gateway is placed in the private network.

RD Gateway in the Perimeter Network


To have a bit more control over which ports are open, you can use an additional firewall, as
shown in Figure 10-34. This way, you can be sure that only port 3389 is open. Alternatively,
you have the option of not limiting the ports that RD Gateway will permit and using the fire-
wall to control the kinds of traffic that are available. The first firewall will have port 443 open.
The second will have port 3389 open to permit RDP traffic to pass to the private network.

[Figure 10-34 diagram. Remote Client, SSL tunnel on port 443, enters the Perimeter Network through a firewall with port 443 open; RD Gateway sits in the perimeter. RDP sessions on port 3389 pass through a second firewall with port 3389 open into the Internal Network, reaching RD Virtualization Host servers (Pooled VMs, Personal VMs), an RD Session Host server farm (RemoteApp, Full Desktop Session), and Desktop Computers.]

FIGURE 10-34  RD Gateway can be positioned in the perimeter network.

If you decide to position RD Gateway in the perimeter network, bear in mind that for RD
Gateway to create RD CAPs that refer to domain accounts, it has to be able to communicate
with AD DS. Otherwise, your users will have to present their credentials more often. They’ll
have to authenticate once to RD Gateway (placed in a workgroup with local accounts) and
then again when RD Gateway allows the user to access an internal resource.
If you decide to provide RD Gateway in the perimeter network with access to AD DS, it’s
possible to do this without directly exposing AD DS to threats. For example, you can create a
separate forest in the perimeter network, and create a one-way trust between the perimeter
network AD DS and the internal corporate AD DS. You can also place a read-only domain
controller in the perimeter network.
In these scenarios, you need to open specific ports to allow the needed traffic to pass
between the perimeter network and the internal network. Refer to the following blog post
(also included on the companion media) for information on firewall rules and port access
needs with regards to RD Gateway in the perimeter network: http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx

RD Gateway in the Internal Network and Bridged


To allow you to connect RD Gateway to AD DS while protecting the internal network, you can
also use Microsoft Forefront Threat Management Gateway (TMG) 2010 (the new release of
Microsoft ISA Server) or another SSL bridging device. Using SSL bridging is safer because TMG
will first be decrypting the SSL traffic, inspecting packets, and denying packets with malicious
code before traffic ever reaches RD Gateway.

DIRECT FROM THE SOURCE

TMG and RD Gateway Network Topology Scenarios


Tom Shinder
Microsoft DAIP

UAG Direct Access/Anywhere Access Team

There are several network topologies that work for using TMG or ISA as an HTTP/
HTTPS bridge for RD Gateway.

Model 1: TMG in the Perimeter Network


In Model 1, TMG is located in the perimeter network between two other firewalls,
and RD Gateway is located in the internal network. This scenario is popular with
companies that already have a perimeter network in place. TMG, located in the
perimeter network, receives the incoming packets destined for RD Gateway. TMG
performs stateful and application-layer inspection of incoming packets for malware
or exploits, denies any packets containing malicious code, and then repackages and
forwards all good packets. One of the benefits of this model is that because TMG
does not do any preauthentication of SSL traffic, there is no need for TMG to be
part of the domain and there is no need to expose AD DS in the perimeter network.
RD Gateway is located in the internal network and can therefore use domain user
and computer groups in its RD CAPs and RD RAPs (see Figure 10-35).

Model 2: TMG as Back-end Firewall
In this model, TMG is the back-end firewall. This scenario is more popular in small to
mid-sized companies. TMG performs the role of internal network edge firewall and
also bridges incoming SSL traffic destined for RD Gateway on the internal network
(see Figure 10-36). The benefit of this model is that companies don’t have to invest
in an extra firewall to create a perimeter network. It’s also worth mentioning that
ISA/TMG has had no documented exploits and has had fewer than 10 fixes in the
history of the product’s existence, so TMG is a good firewall solution.

Model 3: TMG in the Internal Network


In this model (shown in Figure 10-37), TMG is placed inside the internal network.
Some might think that this poses security risks, but it really does not. First, consider
that TMG is a firewall. So traffic coming in destined for RD Gateway must first pass
through one or more edge firewalls and is then passed to another firewall, TMG.
The benefit here is that no perimeter network is needed. Because of the way TMG
publishes RD Gateway access, only the folder of the RPC directory is exposed.
Further, TMG can be locked down further to provide access only to a particular file
as well. TMG in this scenario can be a domain member or part of a workgroup—
neither way poses an AD DS security risk because the TMG firewall protects itself
from network attack—no traffic other than that enabled by System Policy is allowed
to the firewall itself. And because of the design of the TMG firewall architecture,
there is no practical mechanism that can be used to exploit the firewall itself
for traffic that is exposed to the stateful packet and application layer inspection
engines. In practice, the threat profile exposed by the workgroup TMG firewall
is little different than that exposed by the domain member TMG firewall. And in
fact, because of the increased number of security options available with a domain
member TMG firewall, the overall security posture of the domain member firewall is
better than the workgroup firewall (assuming that you are using the TMG firewall
for something other than publishing Remote Desktop Gateway).

For more information on TMG network topology, see http://technet.microsoft.com/en-us/library/dd896975.aspx.

582 Chapter 10  Mak ng Remote Desktop Serv ces Ava ab e from the nternet

www.it-ebooks.info
[Figure 10-35 diagram. Labels: Remote Client; SSL tunnel, port 443; Perimeter Network (port 443 open; X.X.X.1; DMZ switch; Microsoft Threat Management Gateway 2010, X.X.X.100; X.X.X.2); Internal Network (port 443 or 80 open; Y.Y.Y.1; HTTPS or HTTP traffic bridged from TMG to RD Gateway); AD DS; RD Gateway; RDP session, port 3389; RD Virtualization Host servers (pooled VMs, personal VMs); RD Session Host server farm (RemoteApp, full desktop session); desktop computers.]

FIGURE 10-35  TMG can be positioned in the perimeter network.

[Figure 10-36 diagram. Labels: Remote Client; SSL tunnel, port 443; Perimeter Network (port 443 open; X.X.X.1; DMZ switch; Microsoft Threat Management Gateway 2010, X.X.X.2); Internal Network (Y.Y.Y.1; port 443 or 80 open; SSL tunnel, port 443, or HTTP, port 80); Y.Y.Y.100; RD Gateway; RDP session, port 3389; RD Virtualization Host servers (pooled VMs, personal VMs); RD Session Host server farm (RemoteApp, full desktop session); desktop computers.]

FIGURE 10-36  TMG can act as the internal network edge firewall and can also bridge RD
Gateway traffic.

[Figure 10-37 diagram. Labels: Remote Client; SSL tunnel, port 443; Internal Network (port 443 open); Microsoft Threat Management Gateway 2010; HTTPS or HTTP traffic bridged to RD Gateway; AD DS; RD Gateway; RDP session, port 3389; RD Virtualization Host servers (pooled VMs, personal VMs); RD Session Host server farm (RemoteApp, full desktop session); desktop computers.]

FIGURE 10-37  TMG can be positioned in the internal network and still inspect and bridge
traffic to RD Gateway.

For more information on configuring RD Gateway with TMG/ISA Server, see
http://technet.microsoft.com/en-us/library/cc731353(WS.10).aspx. Microsoft has also made a script
available to help configure ISA Server for use with RD Gateway. Information about this script
can be found at http://blogs.msdn.com/b/rds/archive/2010/01/08/publish-rd-gateway-on-an-isa-server-using-a-script.aspx.

ON THE COMPANION MEDIA  These links are also available on the companion
media.

Summary
One of the great values of RDS is that it enables people to work normally over the Internet.
RD Gateway is an RDS role service that makes it possible to do this securely. This chapter has
introduced you to a number of best practices for implementing RD Gateway:
■ Load-balance RD Gateway servers to increase gateway uptime.
■ When using an RD Gateway farm, centralize the RD CAP and RD RAP sources to simplify
configuration. If centralizing isn't possible for some reason, use the export and import
capabilities on the RD Gateway servers to maintain servers with identical settings.
■ Enable server affinity to keep all SSL connections for a single session on the same RD
Gateway server and to reduce the risk that a downed server will take down the session.
■ Use NAP to conduct client system health checks and to determine if a client is compliant
with company system health standards before it connects to the network using RD
Gateway.

Additional Resources
The following resources are related to topics covered in this chapter. You can find the links
and scripts on this book's companion media. A lot of the information in this chapter has
focused on the various conditions under which connections are made, and you'll see resources
here related to that as well.
■ For more information on RD Gateway availability, configuration, and connection Event
ID codes and possible resolutions, see http://technet.microsoft.com/en-us/library/ee891285%28WS.10%29.aspx.
■ For more information on TMG network topology, see http://technet.microsoft.com/en-us/library/dd896975.aspx.
■ For more information on configuring RD Gateway with TMG/ISA Server, see
http://technet.microsoft.com/en-us/library/cc731353(WS.10).aspx.
■ Microsoft has made a script available to help configure ISA Server for use with RD
Gateway. Information about this script can be found at http://blogs.msdn.com/b/rds/archive/2010/01/08/publish-rd-gateway-on-an-isa-server-using-a-script.aspx.
■ To learn more about NAP, see Windows Server 2008 Networking and Network Access
Protection (NAP), by Joseph Davies and Tony Northrup with the Microsoft Networking
Team, available at http://www.microsoft.com/mspress/books/11160.aspx.

■ For the NAP client configuration tool (Tsgqecclientconfig.cmd), go to
http://www.microsoft.com/downloads/details.aspx?familyid=cb986639-20e5-4f16-8e48-be68d23dc888&displaylang=en.
■ "Remote Desktop Services Gateway Server Protocol Routing Specification" is available
for download from http://msdn.microsoft.com/en-us/library/cc248485.aspx.
■ "Windows Security Health Agent (WSHA) and Windows Security Health Validator
(WSHV) Protocol Specification" is available for download from
http://msdn.microsoft.com/en-us/library/cc215773.aspx.
■ "Statement of Health for Network Access Protection (NAP) Protocol Specification" is
available for download from http://msdn.microsoft.com/en-us/library/cc212976.aspx.
■ For more information on the Microsoft Root Certificate Program and certificates in
general, see Chapter 9, "Multi-Server Deployments."
■ Refer to the section entitled "Transport Layer Security" in Chapter 8, "Securing Remote
Desktop Protocol Connections," to see how SSL encryption works.
■ To see how to force RDCs initiated from RD Web Access to use RD Gateway, see the
section entitled "Force RDC Connections Through RD Gateway via RD Web Access" in
Chapter 9.
■ Refer to the companion media for a script to add RD RAP user groups called
Add-RDRAP-UserGroup.ps1.
■ To understand RD Gateway deployment in a perimeter network and what firewall rules
you will need to implement, see http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx.
■ For an introduction to Network Access Protection, see http://technet.microsoft.com/en-us/network/cc984252.aspx.
■ For information on NAP server side architecture, go to http://msdn.microsoft.com/en-us/library/cc895519(v=VS.85).aspx.
■ For information on NAP client architecture, go to http://msdn.microsoft.com/en-us/library/aa369702(VS.85).aspx.
■ For more information on deploying RD Gateway with NAP, see http://blogs.msdn.com/b/rds/archive/2009/08/17/deploying-rd-gateway-r2-server-with-nap.aspx# Steps to
configure 2.
■ More information on configuring the RD Gateway NAP scenario is provided at
http://technet.microsoft.com/en-us/library/cc732172(WS.10).aspx.
■ Information on NAP Client Configuration can be found at http://technet.microsoft.com/en-us/library/cc754803.aspx.
■ Quick fixes for NAP can be found at http://technet.microsoft.com/ru-ru/library/dd348494%28WS.10%29.aspx.

■ For a description of the Remote Desktop Connection 7.0 client update for Remote
Desktop Services (RDS) for Windows XP SP3, Windows Vista SP1, and Windows Vista
SP2, as well as download links, see http://support.microsoft.com/kb/969084.
■ Information on improving RD Gateway availability using NLB can be found at
http://blogs.msdn.com/b/rds/archive/2009/03/24/improving-ts-gateway-availability-using-nlb.aspx.
■ For information on customizing RD Gateway authentication and authorization
schemes, see http://blogs.msdn.com/b/rds/archive/2010/01/06/customizing-rd-gateway-authentication-and-authorization-schemes.aspx.

CHAPTER 11

Managing Remote Desktop Sessions
■ Introducing RD Session Host Management Tools 590
■ Organizing Servers and VMs in the Remote Desktop Services Manager 600
■ Monitoring and Terminating Processes 602
■ Monitoring and Ending User Sessions 605
■ Providing Help with Remote Control 610
■ Preparing for Server Maintenance 619
■ Applying RDS Management Tools 631

Previous chapters in this book explored how to set up and configure a Remote
Desktop (RD) Session Host server and the supporting roles. Setting up the RD Session
Host server puts users in a position to log on and use it, but administrators need a
tool to keep track of what those users are doing and to help them, if necessary. That tool
is the Remote Desktop Services Manager.
This chapter will explore how to use the session management tools—both command-
line and graphical—to view and interact with running sessions. This chapter discusses:
■ The tools available in Windows Server 2008 R2 to help you manage sessions
■ How to find and manage sessions on an RD Session Host server
■ How to find and manage processes on an RD Session Host server
■ How to get remote control of user sessions
■ How to create custom server management groups in the Remote Desktop Services
Manager
■ How to use the command-line tools, scriptable interfaces, and Windows
PowerShell to get information the graphical user interface (GUI) doesn't offer

Introducing RD Session Host Management Tools
Windows Server 2008 R2 has a set of tools for managing user sessions: the Remote Desktop
Services Manager GUI and command-line tools to supplement it and enable scripting. Before
delving into their usage, let's take a quick tour so that you can see what's possible.

HOW IT WORKS

Differences in Managing VMs and Sessions

The RDS session management tools work—with some limitations—for virtual
machines (VMs), but fundamentally they're more designed for sessions than
VMs. This means that you will work differently with sessions than with VMs.

Many people can use an RD Session Host server at the same time and can all be
logged onto the same computer. Therefore, it’s possible to aggregate information
about processes and logons to individual sessions on a per-user basis. But while one
RD Virtualization Host supports multiple VMs, the RD Virtualization Host does not
see processes in each VM. You have to go to each VM for this information. If you
know the server name and user name, you can control VMs remotely, disconnect or
log off VM sessions, and even terminate processes in individual VMs, but you can’t,
say, terminate every instance of Sol.exe that’s running on an RD Virtualization Host
just by choosing to kill the process on that server.

Similarly, one VM has only one session so you might as well address users by name
as by session ID. A user could have more than one session on an RD Session Host,
but there’s always a 1:1 mapping of users to sessions on a pooled or personal VM.

In short, most tools work for managing pooled and personal VMs as long as you're logged
on to a session on an RD Session Host server to use the management tools. This chapter
covers these tools in terms of managing RD Session Host sessions, but understand that these
processes will work for pooled and personal VMs, too, and the chapter will note explicitly
when they do not. However, be aware that the way you'll interact with a VM differs from how
you'll interact with a session. For example, you might be checking an RD Session Host server
to figure out if the number of user sessions is causing a slowdown in user experience, but this
would not be an issue for a pooled or personal VM.

The Remote Desktop Services Manager
Let's start by getting oriented. After you install the RDS role, the Remote Desktop Services
Manager tool in Figure 11-1 is accessible by browsing to Start, All Programs, Administrative
Tools, Remote Desktop Services, and finally Remote Desktop Services Manager. Using this
tool, you can
■ Display real-time data about current users, sessions, and processes
■ Monitor, disconnect, and reset sessions
■ View or interact with a user's session
■ Send messages to users
■ Terminate sessions and log off users

FIGURE 11-1  Use the Remote Desktop Services Manager to manage sessions on RD Session Host servers
and pooled and personal VMs.

The left pane displays the available RD Session Host servers; by default, it will display only
the server that you're currently logged on to, but you can add more. Although you can manage
only one server at a time (you can't, for example, kill all instances of Sol.exe running in
the farm from this tool), you can add more servers and even pooled and personal VMs. You'll
learn about how to do this later in this chapter, in the section entitled "Organizing Servers and
VMs in the Remote Desktop Services Manager."
The center pane displays the information for the currently selected server, including connected
users, the sessions on the server, and the processes running on the server. Some of
this data is redundant: the tabs are different ways of displaying the same data about the people
logged on to the RD Session Host server, what they're doing there, and which sessions are
open.
The right pane displays the context-sensitive actions that you can take depending on the
item you've selected in the left or center panes.
The Users tab contains current data pertaining to the users connected to the RD Session
Host server and the associated sessions, as shown in Table 11-1.

TABLE 11-1  Data on the Users Tab of the Remote Desktop Services Manager

DATA        DESCRIPTION
Server      The server that the user is logged onto
User        The account name of the user who started the session
Session     The session associated with the user
ID          The Session ID that the RD Session Host server uses to identify sessions; each
            Session ID is unique on its server
State       The current state of the session (active, disconnected, reset, or idle)
Idle Time   The number of minutes since the last keyboard stroke or mouse movement
            in the session
LogOnTime   The date and time the user logged on

Much of the data located on the Sessions tab (see Table 11-2) mimics the data on the Users
tab. However, the Sessions tab displays a few more session details, allowing you to view the
protocol used to connect to the RD Session Host server (if applicable) and the names of the
computers that users connect from (if the session is active).

TABLE 11-2  Data on the Sessions Tab of the Remote Desktop Services Manager

DATA         DESCRIPTION
Server       The RD Session Host server on which the session is running
Session      The session type
User         The user name associated with the session
ID           The number that identifies the session to the RD Session Host server
State        The current state of the session (active, disconnected, reset, or idle)
Type         The type of client used in the session (that is, RDP client or console
             connection)
Client Name  The name of the client that established the session
IdleTime     The number of minutes since the last keyboard stroke or mouse movement
             in the session
LogonTime    The date and time the user logged on
Comment      An optional field that isn't generally applicable because a user can't add a
             comment when connecting

The Processes tab (see Table 11-3) displays details about the processes currently running
on each server, the associated sessions, and the users who invoked them.

TABLE 11-3  Data on the Processes Tab of the Remote Desktop Services Manager

DATA     DESCRIPTION
Server   The server on which the process is running
User     The user account that started the process
Session  The session number associated with the process
ID       The ID that identifies the session to the RD Session Host server
PID      The ID that identifies the process to the RD Session Host server
Image    The executable associated with the process

The Remote Desktop Services Manager displays similar information in many different ways
to support various starting points that you might take to gather needed information. For
example, if user Kim Akers has a problem with a program freezing or otherwise misbehaving
in her session, you can use the Processes tab to stop the process and be sure that you picked
the instance that belongs to her. If Kim needs help with her session, you can highlight the root
of the Remote Desktop Services Manager to find out which server she is logged on to, shadow
her session, and assist her. Fundamentally, though, the information that you can get about
sessions is pretty straightforward: which users are logged on, whether they're using their session,
which applications they're running, and which RD Session Host server they're connected to.
When you understand what information you can get from the Remote Desktop Services
Manager, you can answer many questions even if the GUI doesn't anticipate them. For
example, you can find out how many users are logging on during a particular interval in the
morning or how many people are using a particular application. Knowing either of these
pieces of information, you can take appropriate action: end processes, terminate sessions,
or connect to a user's session to help him or her out. Going outside the Remote Desktop
Services Manager, you could even use the information you get here to prompt you to
purchase more licenses or add more servers, just to meet increasing demand.
This chapter will cover all the actions that you can perform using the Remote Desktop
Services Manager. However, when you automate queries or changes, you'll want to know
about the command-line tools and sometimes combine them with scripting such as Windows
PowerShell or VBScript. Unfortunately, the GUI does not always refresh well, even in a small
farm, so for the most reliable information about session status, the command-line tools
are often the better source.

ON THE COMPANION MEDIA  You can run the Remote Desktop Services
Manager tool from Windows 7 (Professional, Enterprise, or Ultimate editions only)
with the Remote Server Administration Tools (RSAT), which includes both the
Remote Desktop Services Manager and Remote Desktops. Download RSAT for
Windows 7 from the Microsoft website at http://www.microsoft.com/downloads
/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en.

DIRECT FROM THE SOURCE

Using the Status Dialog Box in the Remote Desktop Services Manager
James Baker
Program Manager II

If you right-click an active remote connection in the Sessions or Users tab, you'll
see a Status option in the context-sensitive menu. Click it, and you’ll see a dialog
box like the one shown in Figure 11-2.

FIGURE 11-2  Examine a session's status to expose more details about a remote session, such as
client color depth.

You can learn the following information from this dialog box.

● The User Name field, populated only when you open the Status dialog box
from the Sessions tab, shows the name of the currently logged in user.

● Network Adapter tells you the name of the network adapter the user is
connected to on the RD Session Host server. The information here will match
what’s in the Remote Desktop Session Host Configuration/RDP-Tcp/Network
Adapter tab.
● Client Address tells you the client’s Internet Protocol (IP) address for local
connections. If the connection was started through RD Gateway, this address
will not display.
● Client Build Number tells you the build number of the client operating
system.
● Client Directory points you to the location on the client where the dynamic-
link library (DLL) supporting the RDP client is stored.
● Client Color Depth indicates the color depth used in the RDP session.
● Encryption Level shows you the encryption setting managed through Group
Policy or in RD Session Host Configuration, showing not the actual encryption
setting but the option that the client sets as the encryption level.
● Client Resolution shows the resolution of the remote session.
● The Input/Output Status section shows the traffic passing between the remote
session and the client.
Notice that a couple of the settings that you can see in the dialog box were left out
of this list. Both the Client Hardware ID and the Client Product ID are hard-wired
fields that will be the same for all clients. (They’re here for legacy reasons.) There-
fore, they don’t give you any useful information.

Apart from those two fields, however, this dialog box shows you some information
about the client experience that you can’t get anywhere else. Want to understand
why users are saying that their application looks grainy? Check the screen resolu-
tion here. Need to know the IP address that a client is using to connect to the RD
Session Host server? Check it here. Beta-testing a new version of the client operat-
ing system? You can tell who’s using the beta version by checking the build number.
You can even use the Input/Output Status data to confirm that a session is not
frozen; when the user moves the mouse, the number of incoming and outgoing
bytes should update.

Command-Line Tools
In addition to the graphical tools, Windows Server 2008 R2, like previous versions of Windows
Server, has command-line tools that you can use to view session information, manage a
session's contents, control a user's session remotely, and so forth. These command-line tools are
built on the same interfaces as the graphical tools, so any information you get from one (for
example, Process ID) can be used in another.

Both Windows Server 2008 R2 and Windows 7 support the Remote Desktop Services
command-line tools; these tools are part of the operating system. Table 11-4 lists the available
command-line tools.

TABLE 11-4  Remote Desktop Services Command-Line Tools

COMMAND                      DESCRIPTION
change logon or chglogon     Enable, disable, drain, or query information about logons
                             from sessions on an RD Session Host server
change port or chgport       List or change the COM port mappings to be compatible
                             with MS-DOS applications
logoff                       Log off users and delete their session from the RD Session
                             Host server
msg                          Send a message to a user or multiple users on an RD
                             Session Host server
query process or qprocess    Display information about all the processes currently
                             running on an RD Session Host server
query session or qwinsta     Display information about sessions on an RD Session Host
                             server
query termserver or qappsrv  List all the RD Session Host servers on a network
query user or quser          Display information about the users connected to an RD
                             Session Host server
reset session or rwinsta     Terminate a session on an RD Session Host server
shadow                       Enable an administrator to view or interact with an active
                             session of another user remotely on an RD Session Host
                             server. You must run this command from within an RDP
                             session on an RD Session Host for it to work.
tscon                        Connect to another session on an RD Session Host server
                             (you have to be in a remote session to connect to another
                             remote session)
tsdiscon                     Disconnect a session from a server
tskill                       Terminate a process running on an RD Session Host
                             server. You can identify the process by image name or
                             Process ID.
tsprof                       Copies the Remote Desktop Services user profile from
                             one user to another. This command-line tool is not
                             available for Windows 7, and although it is available for
                             Windows Server 2008 R2, it does not work. It was used in
                             previous versions of Terminal Services.

The following command-line tools were removed in Windows Server 2008:
■ tsshutdn  This command was used to shut down a terminal server. Use the shutdown
command instead.
■ register  This command was used to register a program.
■ cprofile  This command was used to remove wasted space in a user profile and to
delete file associations from the registry that were made to certain applications.
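The quser (query user) tool in Table 11-4 prints the same fields as the Users tab in Table 11-1, but as fixed-width text, and parsing that text by hand is the error-prone step whenever you script with these tools. The following PowerShell is an added example, not code from the book or from Microsoft: it slices quser output at the header's column positions into objects with a real TimeSpan for idle time, and then, under -WhatIf, reports which disconnected sessions idle for more than an hour would be logged off. The function names, the constructed quser sample, and PowerShell 3.0 or later are assumptions.

```powershell
# Added example, not from the book: turn "quser /server:<name>" text into objects and act on them.
# Function names are mine; the column layout is the fixed-width form the quser tool prints.

function ConvertFrom-QuserIdleTime {
    # quser prints idle time as "none", ".", minutes ("37"), h:mm ("1:02") or d+h:mm ("1+02:15")
    param([string]$Text)
    switch -Regex ($Text.Trim()) {
        '^(none|\.)?$'         { return [TimeSpan]::Zero }
        '^(\d+)$'              { return New-TimeSpan -Minutes ([int]$Matches[1]) }
        '^(\d+):(\d+)$'        { return New-TimeSpan -Hours ([int]$Matches[1]) -Minutes ([int]$Matches[2]) }
        '^(\d+)\+(\d+):(\d+)$' { return New-TimeSpan -Days ([int]$Matches[1]) -Hours ([int]$Matches[2]) -Minutes ([int]$Matches[3]) }
        default                { throw "Unrecognized quser idle time '$Text'" }
    }
}

function ConvertFrom-QuserOutput {
    # Slice each line at the header's column positions instead of splitting on whitespace, so a
    # blank SESSIONNAME (disconnected session) or the space inside a logon time cannot shift fields.
    param(
        [Parameter(Mandatory=$true)][string[]]$Lines,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $header = $Lines | Where-Object { $_ -match '^\s*USERNAME\s+SESSIONNAME' } | Select-Object -First 1
    if (-not $header) { throw 'quser header line not found' }
    $sess    = $header.IndexOf('SESSIONNAME')
    $idEnd   = $header.IndexOf('ID') + 2          # ID values are right-aligned under "ID"
    $state   = $header.IndexOf('STATE')
    $idleEnd = $header.IndexOf('IDLE TIME') + 9   # idle values are right-aligned under "IDLE TIME"
    $logon   = $header.IndexOf('LOGON TIME')

    foreach ($line in $Lines) {
        if ($line -eq $header -or $line.Trim().Length -eq 0) { continue }
        $line = $line.PadRight($logon + 1)
        # ">" in column 0 marks the session quser itself was run from
        $user = $line.Substring(0, $sess).Trim().TrimStart('>')
        # SESSIONNAME and the right-aligned ID share one slice; the ID is the trailing digits
        if ($line.Substring($sess, $idEnd - $sess) -notmatch '^\s*(?:(\S+)\s+)?(\d+)\s*$') { continue }
        $sessionName = [string]$Matches[1]; $id = [int]$Matches[2]
        if ($line.Substring($state, $idleEnd - $state) -notmatch '^\s*(\S+)\s+(\S+)\s*$') { continue }
        $sessionState = $Matches[1]; $idle = ConvertFrom-QuserIdleTime $Matches[2]
        # quser formats the logon time in the server's locale; try that first, then invariant
        $raw = $line.Substring($logon).Trim(); $logonTime = [datetime]::MinValue
        foreach ($culture in @([cultureinfo]::CurrentCulture, [cultureinfo]::InvariantCulture)) {
            if ([datetime]::TryParse($raw, $culture, [System.Globalization.DateTimeStyles]::None, [ref]$logonTime)) { break }
        }
        [pscustomobject]@{
            Server = $ComputerName; User = $user; Session = $sessionName; ID = $id
            State = $sessionState; IdleTime = $idle; LogonTime = $logonTime
        }
    }
}

function Remove-StaleRdsSession {
    # Logs off the sessions piped in; -WhatIf/-Confirm make a dry run the natural way to check the selection
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)]$Session)
    process {
        $target = "$($Session.User) (session $($Session.ID)) on $($Session.Server)"
        if ($PSCmdlet.ShouldProcess($target, 'logoff')) {
            & logoff.exe $Session.ID /server:$($Session.Server)
        }
    }
}

function Get-StaleRdsSession {
    # Live version: run the real quser tool against one server and keep disconnected sessions past the threshold
    param([string]$ComputerName = $env:COMPUTERNAME, [TimeSpan]$IdleLongerThan = (New-TimeSpan -Hours 1))
    $lines = & quser.exe /server:$ComputerName 2>$null
    ConvertFrom-QuserOutput -Lines $lines -ComputerName $ComputerName |
        Where-Object { $_.State -eq 'Disc' -and $_.IdleTime -gt $IdleLongerThan }
}

# Constructed sample of quser output (not captured from a real server); john.doe has a blank SESSIONNAME
$sample = @'
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>admin                 console             1  Active       none  1/5/2010 8:00 AM
 kim.akers             rdp-tcp#0           2  Active          5  1/5/2010 9:12 AM
 john.doe                                  3  Disc      1+02:15  1/4/2010 3:30 PM
 mary.jones                                4  Disc         0:40  1/5/2010 7:55 AM
'@ -split "`r?`n"

$sessions = ConvertFrom-QuserOutput -Lines $sample -ComputerName 'RDSH1'
$sessions | Format-Table User, Session, ID, State, IdleTime, LogonTime -AutoSize
# Only john.doe is disconnected and idle for more than an hour; -WhatIf prints the logoff it would run
$sessions | Where-Object { $_.State -eq 'Disc' -and $_.IdleTime -gt (New-TimeSpan -Hours 1) } |
    Remove-StaleRdsSession -WhatIf
```

Against a real server, replace the sample with Get-StaleRdsSession -ComputerName <server> and drop -WhatIf only after the dry run lists the sessions you expect.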

NOTE  For those who like working in Windows PowerShell, Shay Levy, a Windows
PowerShell MVP, built a Terminal Services PowerShell Module to help manage and monitor
RDS sessions and processes. Download the module at http://code.msdn.microsoft.com
/PSTerminalServices. The Uniform Resource Locator (URL) is located on the companion
media. This tool is good for programmatically interacting with sessions or gathering
information from multiple machines.

DIRECT FROM THE FIELD

A Custom PowerShell Module for RDS Session Management


Shay Levy
Windows PowerShell MVP

There are many command-line utilities to manage Remote Desktop Services from
the command line. The major drawback of these utilities is that they output
the result in text; you’ll run a command, such as query.exe, against a server, get the
result on screen, find a session ID or any other information you’re looking for, and
then execute a second command to manage that session. From an automation per-
spective, text output is not ideal, because you need to further parse the result and
extract the information you need. In addition, text parsing is not always the safest
method, because it is prone to errors and can lead to incorrect results.

To make the process of managing Remote Desktop Session Host servers more
robust and accurate, I wrote the PSTerminalServices PowerShell module. Unlike
command-line utilities, the functions of the module gives you back rich .NET objects
that you can use to manage Remote Desktop users, sessions, and processes.

NOTE  Rich .NET objects are not just a string of characters from a command-
line tool. Each object implements a set of methods and properties. For
example, a session object you get with the Get-TSSession function has an
IdleTime property or a Logoff method.


One advantage of the functions is the ability to pipe the output of one command
to another. For example, you can get all session objects from each RD Session Host
server in a farm that have been idle for a certain length of time and pipe them to
another command that disconnects them. Another advantage is the support of the
risk mitigation common parameters: WhatIf and Confirm. The first parameter dis-
plays a message that describes the effect of the command instead of executing it,
and the second one prompts you for confirmation before executing the command.

For example, this script finds sessions on domain-joined RD Session Host servers
that have been idle for over an hour and disconnects the sessions.

"Server1","Server2" | Foreach-Object{
    Get-TSSession -ComputerName $_ -Filter {$_.IdleTime -gt (New-TimeSpan -Hours 1) }
} | Disconnect-TSSession -WhatIf

The example script shown here and other examples are available at
http://blogs.microsoft.co.il/blogs/scriptfanatic/archive/2010/09/16/remote-desktop-
services-r2-resource-kit.aspx. The link is also available on the companion media. For
information on installing the module, please refer to the module project Web page
at http://code.msdn.microsoft.com/PSTerminalServices.

Connecting Remotely to Servers for Administrative Purposes
Chapter 4, "Deploying a Single Remote Desktop Virtualization Host Server," and Chapter 9,
"Multi-Server Deployments," explained how connection brokering works. When you want to
connect to a specific RD Session Host server to change its settings or manage a user session,
you want to reach that particular server. You don't want to go to a random server in a farm, and
you don't want to pay an RDS client access license (CAL) when you aren't using the server, just
managing it.
Prior to Windows Server 2008, to make an administrative connection, you'd use the
/console switch with the server name. Beginning in Windows Server 2008, this changed to the
/admin switch, which does not connect you to the console but does allow you to administer
the server. Functionally, /admin is equivalent to /console.
Although the /admin switch is functionally equivalent, it is not syntactically equivalent. If
you use the /console switch from Remote Desktop Connection (RDC) 6 or later, you might not
notice that it doesn't work. The /console switch is ignored—you still log on, but you will use
up an RDS CAL. To start a remote session for administrative purposes, start RDC from the Run
dialog box or command prompt and add the /admin switch like this:

mstsc /admin

You can also specify the /admin switch when adding connections to the RSAT. The /console
switch creates an admin connection when connecting from an older RDP client to a Windows
Server 2008 R2 RD Session Host server. Plug in /admin when working from RDC 5.2 and
Mstsc.exe will open a dialog box that explains the proper syntax for the command, because
that version of the RDC client is not aware of the /admin switch. Unfortunately, this means
that you'll need to change the connection syntax depending on whether you're connecting
from a current or older version of Mstsc.exe.

HOW IT WORKS

Avoiding Administrative Lockouts

In Windows Server 2003, you could make two remote administrative connections
and one console connection from the physical console, all without using a
Terminal Services client access license (TS CAL). Windows Server 2008 and later
permit two simultaneous administrative connections. This might look like a
reduction in licensed connections, but the previous model was also a convenience.
It was possible for two administrators to make connections, leave them connected,
and effectively block anyone else from making an administrative connection to the
terminal server because the remote logon count was at capacity. You had to have
the console connection just to reset one of those remote connections.

Beginning in Windows Server 2008, you could choose to disconnect an administrative
connection if you needed to make one and the number of admin connections
was already at capacity. The other administrator will find his or her session as it was
left, and you are not forced to log on from the console to disconnect the session.

Managing RD Session Host Servers from Windows 7

If you have only one RD Session Host server, you can probably do everything you need to do
with the Remote Desktop Services Manager from the console. If you have multiple servers,
you can even add them to one instance of the tool so that you can do everything from one
place. But if you don't have physical access to an RD Session Host server, you can still get the
same functionality to work from a Windows 7 laptop or workstation. The RSAT is a collection
of tools used to manage Windows Server 2008 R2 (and Windows Server 2008) servers.

NOTE  For those who have worked with Windows Server 2003, RSAT is equivalent to the
Windows 2003 Server Administration Tools Pack (Adminpak.exe). There’s also a version of
RSAT for Windows Vista SP1 that allows management of Windows Server 2008 terminal
servers.

RSAT is compatible with 32-bit and 64-bit Windows Server 2008 and 32-bit and 64-bit
Windows Vista SP1 clients running Windows Vista Business, Enterprise, or Ultimate editions.
RSAT for Windows 7 is not compatible with previous versions of Windows.
RSAT contains many more tools than are discussed in this chapter, as it encompasses
tools to manage other Windows Server 2008 R2 roles. The information in this chapter
concentrates on the following RDS-specific RSAT tools:
■ Remote Desktop Services Manager  Used to manage RD Session Host servers
■ Remote Desktops  Used to connect to remote desktops from one window

Both of these tools get installed on Windows Server 2008 R2 when you install the Remote
Desktop Services role. They work more or less the same way when installed on a computer
running Windows 7.
To install RSAT on a Windows 7 client, download RSAT for Windows 7 from
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d.

NOTE  RSAT for Windows Vista SP1 is located at http://support.microsoft.com/kb/941314.

Be sure to download the correct version (32-bit or 64-bit) of the RSAT MSU file. Install the
tool by double-clicking the Microsoft Update Standalone Package (MSU) file and clicking OK
to install the Update For Windows (KB958830).
After you've installed RSAT, you will need to enable it, because the installer does not
enable all the tools by default. Open Control Panel and double-click Programs And Features.
Then click Turn Windows Features On Or Off. Select the Remote Server Administration Tools
check box, expand Role Administration Tools, and then expand this selection and select the
check boxes next to Remote Desktop Services Tools. Then click OK.
When you have enabled the tools, you will find that a Remote Desktop Services folder is
now visible in Administrative Tools. This folder contains links to the Remote Desktop Services
Manager and Remote Desktops tools.

Organizing Servers and VMs in the Remote Desktop Services Manager
When you first start the Remote Desktop Services Manager, it will show you only the local server—not very useful if you’re managing a server farm. You can add more servers to the console view in a couple of ways: by creating a custom group (or populating an existing group) or by importing all known farms and pools from an RD Connection Broker.

NOTE  After you add servers to a particular group, they’re there unless you manually
delete them. You can’t drag RD Session Host servers or VMs to a new group, although you
can add one server to multiple groups if you wish.

To create a new group, right-click the Remote Desktop Services Manager icon in the left pane and choose New Group from the context menu. In the dialog box that appears, type the name of the new group and click OK. This group will now appear in the left pane.
The Remote Desktop Services Manager starts with one default—and empty—group named My Group. To populate an existing group, right-click its icon in the left pane of the Remote Desktop Services Manager and choose Add Computer from the context menu. This will open the Select Computer dialog box, which you might have seen before when working with the Microsoft Management Console (MMC). From here, you can add computers to the group in one of three ways:
■ If you know the name of the server or VM that you want to add to the console, select Another Computer, type the name into the text box, and then click OK. The server will appear in My Group.
■ If you don’t know the full name but know the letters that it begins with, click Browse. In the dialog box that opens, type the name or partial name of the server or VM and click Check Names. The name will appear in the Enter The Object Name To Select text box with an underline. If you typed the prefix and there’s more than one match, then you can pick the right name from a list. (You can’t add more than one name at a time.)
■ If you have no idea of the name of the server, you’ll need to search Active Directory Domain Services (AD DS) for it. From the second Select Computer dialog box, click Advanced to search AD DS. Click Locations to specify the organizational unit (OU) that the RD Session Host servers are in and then click Find Now to list all servers in that OU. From there, you can select servers one at a time to appear in the Select Computer dialog box.
Manually populating groups is time-consuming. Operating on the principle that you’d like to manage all the RD Session Host servers and VMs in one or more farms, regardless of their names, you can import server information from the RD Connection Broker. To do this, right-click the Remote Desktop Services Manager and choose Import From RD Connection Broker. Enter the name or IP address of the RD Connection Broker server from which you want to import and click OK. A new server management group will be created named RD Connection Broker(servername), and groups will be created beneath it named after your farm name(s) or VM pools, as shown in Figure 11-3.

FIGURE 11-3  Import RD Session Host farms and VM pools from the RD Connection Broker into the Remote Desktop Services Manager.

NOTE  When you import VM farms from the RD Connection Broker, it will import the VMs
according to their VM names in Hyper-V Manager, not according to their computer names.
Because the application programming interface (API) that the Remote Desktop Services
Manager and the command-line tools are built on uses the computer name, you must
make the VM name listed in Hyper-V Manager and the computer name match to manage
VM sessions at all. If you don’t, you won’t see any activity inside the VMs from the Remote
Desktop Services Manager (all tabs will be blank), and you won’t be able to connect to the
VMs using the Query command-line tools.

After importing the pools and farms into the Remote Desktop Services Manager, you must connect to each server to glean any useful data. This is a one-time process; after this, they will be connected when you open this tool on this particular server or workstation. Right-click each server and choose Connect. After all servers in each farm or all VMs in the pool are connected, you can highlight the group, and the user, session, and process data for all servers in the group appear together in the middle console pane. You can also click each server in the group and view just the data for that server.

Monitoring and Terminating Processes


One of the basic questions about remote sessions is what processes are executing inside those sessions. As discussed in previous chapters, some processes are common to all sessions, but other processes tell you what users are doing in their remote sessions. You can even use processes to determine whether a user is connected to a full desktop or to a RemoteApp program. In addition, you might need to terminate a stalled process in a session or terminate all instances of a specific application.

Monitoring Application Use
You can monitor processes on an RD Session Host server or VM from the Remote Desktop Services Manager or by using the query command-line tool with the process parameter, as shown here:

query process

From the Remote Desktop Services Manager, connect to the server or VM that you want to monitor and then select the Processes tab in the middle pane to display all processes running on that server. You can then sort the table by clicking the column heading you want to sort by (Server, User, Session, ID, PID, or Image).
You can accomplish the same thing at the command prompt by running the query process or qprocess command against an RD Session Host server or a VM. The syntax for both of these commands follows:

QUERY PROCESS [* | processid | username | sessionname | /ID:nn | programname]
              [/SERVER:servername]

  *                    Display all visible processes.
  processid            Display process specified by processid.
  username             Display all processes belonging to username.
  sessionname          Display all processes running at sessionname.
  /ID:nn               Display all processes running at session nn.
  programname          Display all processes associated with programname.
  /SERVER:servername   The RD Session Host server or VM to be queried.

You can get a list of all processes running on an RD Session Host server. For example, the following command returns all processes running on the RD Session Host server FUJI:

query process * /server:fuji

You can also get more detailed information by specifying different parameters. For instance, to find all the processes running under sessions started by the user nancy.anderson on server FUJI, the command and data returned would look like this:

query process nancy.anderson /server:fuji

 USERNAME              SESSIONNAME         ID    PID  IMAGE
 nancy.anderson        rdp-tcp#2            4   3296  taskeng.exe
 nancy.anderson        rdp-tcp#2            4   3736  rdpclip.exe
 nancy.anderson        rdp-tcp#2            4   2680  dwm.exe
 nancy.anderson        rdp-tcp#2            4   3700  explorer.exe

Another example of getting specific process-related information from the command line is to find all instances of a particular application running on an RD Session Host server. For instance, to find all sessions in which users are running Excel.exe on server FUJI, the command and results would look like this:

query process excel.exe /server:fuji

 USERNAME              SESSIONNAME         ID    PID  IMAGE
 adam.barr             rdp-tcp#1            2   3156  excel.exe
 nancy.anderson        rdp-tcp#2            4   3044  excel.exe
 kristin.griffin       rdp-tcp#3            5   4088  excel.exe
 christa.anderson      rdp-tcp#4            6   3176  excel.exe

If you’ve used Windows PowerShell, you might be familiar with the Get-Process cmdlet. It’s a useful tool that tells you a lot about the processes running on a computer, including working set, CPU time, and more information than qprocess can convey. Unfortunately, Get-Process is not multi-user-aware and reports only on the processes running in the current session. Similarly, you can’t use the Stop-Process cmdlet very well on an RD Session Host server, because it is only aware of the processes running in the same session that it is.
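Because query process reports per session but returns plain text, it helps to turn its output into objects that can be filtered and grouped the way Get-Process output can. The following is an added example written for this section (Windows PowerShell 3.0 or later syntax); it is not code from the book or from Microsoft. The function names, the -RawOutput parameter, and the sample listing are constructed for the illustration; the sample is modelled on the excel.exe listing above with one session 0 row added.

```powershell
# Added example: parse "query process" output into objects so that the per-session view
# the book describes can be filtered, sorted and grouped. Not code from the book.

function ConvertFrom-QueryProcess {
    # Uses the header line to find where the SESSIONNAME column starts, because USERNAME
    # is blank for session 0 rows and SESSIONNAME is blank for disconnected sessions, so
    # splitting on whitespace alone would misalign the columns. A leading '>' marks the
    # session the query was run from.
    param([string[]]$Lines, [string]$Server)
    $sessCol = -1
    foreach ($line in $Lines) {
        if ($line -match '^\s*USERNAME\s+SESSIONNAME') { $sessCol = $line.IndexOf('SESSIONNAME'); continue }
        if ($sessCol -lt 0 -or $line.Length -le $sessCol) { continue }
        $user = $line.Substring(0, $sessCol).Trim()
        $own  = $user.StartsWith('>')
        $user = $user.TrimStart('>')
        # Remaining columns: SESSIONNAME (may be empty), ID, PID, IMAGE
        if ($line.Substring($sessCol) -notmatch '^(?<sess>\S*)\s+(?<id>\d+)\s+(?<pid>\d+)\s+(?<image>\S+)') { continue }
        [pscustomobject]@{
            Server      = $Server
            UserName    = $user
            SessionName = $Matches.sess
            SessionId   = [int]$Matches.id
            ProcessId   = [int]$Matches.pid
            Image       = $Matches.image
            OwnSession  = $own
        }
    }
}

function Get-RdsProcess {
    # Runs "query process * /server:<name>" (or parses pre-captured output) and optionally
    # keeps only one image name. -eq on strings is case-insensitive in PowerShell.
    [CmdletBinding()]
    param(
        [string]$Server = $env:COMPUTERNAME,
        [string]$Image,                 # e.g. excel.exe; omit to return every process
        [string[]]$RawOutput            # constructed parameter: pre-captured output, for offline use
    )
    if (-not $RawOutput) { $RawOutput = & query.exe process '*' "/server:$Server" 2>&1 }
    $procs = ConvertFrom-QueryProcess -Lines $RawOutput -Server $Server
    if ($Image) { $procs = $procs | Where-Object { $_.Image -eq $Image } }
    $procs
}

# Constructed sample, modelled on the book's "query process excel.exe /server:fuji" listing.
$sample = @'
 USERNAME              SESSIONNAME         ID    PID  IMAGE
 adam.barr             rdp-tcp#1            2   3156  excel.exe
 nancy.anderson        rdp-tcp#2            4   3044  excel.exe
 kristin.griffin       rdp-tcp#3            5   4088  excel.exe
 christa.anderson      rdp-tcp#4            6   3176  excel.exe
                       services             0    612  svchost.exe
'@ -split "`r?`n"

# Which sessions are running Excel (four rows: sessions 2, 4, 5 and 6)
Get-RdsProcess -Server FUJI -Image excel.exe -RawOutput $sample |
    Select-Object UserName, SessionId, ProcessId

# Instances per image across all sessions (excel.exe 4, svchost.exe 1)
Get-RdsProcess -Server FUJI -RawOutput $sample |
    Group-Object Image | Select-Object Name, Count
```

Against a live server, drop -RawOutput and the function runs query.exe itself; since the parser works from the header line, it copes with the blank USERNAME and SESSIONNAME cells that a whitespace split would mangle.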

Terminating Applications
When you know where an application is running, you can terminate it if you need to. A user’s application might be unresponsive or a user might get past your lockdown schemes (for more information, see Chapter 7, “Molding and Securing the User Environment”). It’s even possible to terminate a process for one user so that another user can use it without violating your application licensing. To terminate a process from the Remote Desktop Services Manager, connect to the server or VM where the process is running, select the Processes tab, right-click the process, and choose End Process.
You also can end a process from the command line by running the tskill command. The syntax is:

TSKILL processid | processname [/SERVER:servername] [/ID:sessionid | /A] [/V]

  processid            Process ID for the process to be terminated.
  processname          Process name to be terminated.
  /SERVER:servername   The RD Session Host server or VM where the process is running (if
                       not specified, the local machine is the default).
                       /ID or /A must be specified when using processname and /SERVER.
  /ID:sessionid        End process running under the specified session.
  /A                   End process running under ALL sessions.
  /V                   Display information about actions being performed.

Notice that you can kill either a specific instance of an application on a server or all instances. To terminate an application running in a specific session, use the /ID:sessionid parameter to specify that session. You need to know the session ID where the process is running, so you must first run the query session command to find out what the session ID is.

To illustrate, let’s combine these two commands to effectively shut down one instance of an application. This example will terminate the Excel.exe process running in the session for user adam.barr on server FUJI. First, run the query session command to find the correct session ID:

C:\windows\system32>query session /server:FUJI

 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console           Administrator             1  Active
 rdp-tcp#1         adam.barr                 2  Active  rdpwd
 rdp-tcp#0         administrator             3  Active  rdpwd
                   nancy.anderson            4  Disc
                   kristin.griffin           5  Disc
                   christa.anderson          6  Disc
 rdp-tcp                               65536  Listen

Then terminate Microsoft Excel by specifying the process name, the server, and the session ID:

C:\windows\system32>tskill excel /server:FUJI /ID:2

What if you forget to disable installations and discover a mahjong tournament taking place among the users on an RD Session Host server? You can also terminate a process (in this example, mahjong) running in all sessions on an RD Session Host server by using the /A switch in this way:

tskill mahjong /server:FUJI /A
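The two-step procedure above (query session to find the ID, then tskill with /ID) is easy to get wrong by hand when several sessions are listed, so here it is as a script. This is an added example for this section (Windows PowerShell 3.0 or later syntax), not code from the book or from Microsoft; the function names, the -RawSessionOutput parameter and the sample listing are constructed, and the sample follows the query session output shown above. -WhatIf shows which session would be hit before anything is terminated.

```powershell
# Added example: resolve a user's session ID from "query session" and run tskill against
# that session only. Not code from the book.

function ConvertFrom-QuerySession {
    # Parse "query session" output by header column position: SESSIONNAME is blank for
    # disconnected sessions and USERNAME is blank for the services and listener rows, so
    # a plain whitespace split would shift columns. '>' marks the caller's own session.
    param([string[]]$Lines, [string]$Server)
    $userCol = -1
    foreach ($line in $Lines) {
        if ($line -match '^\s*SESSIONNAME\s+USERNAME') { $userCol = $line.IndexOf('USERNAME'); continue }
        if ($userCol -lt 0 -or $line.Length -le $userCol) { continue }
        $sess = $line.Substring(0, $userCol).Trim().TrimStart('>')
        # Remaining columns: USERNAME (may be empty), ID (right-aligned), STATE, TYPE, DEVICE
        if ($line.Substring($userCol) -notmatch '^(?<user>\S*)\s+(?<id>\d+)\s+(?<state>\S+)') { continue }
        [pscustomobject]@{
            Server      = $Server
            SessionName = $sess
            UserName    = $Matches.user
            Id          = [int]$Matches.id
            State       = $Matches.state
        }
    }
}

function Stop-RdsUserProcess {
    # Terminates one image in every session belonging to one user on one server.
    # Supports -WhatIf / -Confirm through ShouldProcess.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$Server,
        [Parameter(Mandatory)] [string]$UserName,
        [Parameter(Mandatory)] [string]$ProcessName,   # image name without .exe, as tskill expects
        [string[]]$RawSessionOutput                     # constructed parameter: pre-captured output
    )
    if (-not $RawSessionOutput) { $RawSessionOutput = & query.exe session "/server:$Server" 2>&1 }
    $targets = ConvertFrom-QuerySession -Lines $RawSessionOutput -Server $Server |
        Where-Object { $_.UserName -eq $UserName }
    if (-not $targets) { Write-Warning "No session for $UserName on $Server"; return }
    foreach ($s in $targets) {
        # /ID scopes tskill to one session; a name plus /SERVER requires /ID or /A (see syntax above)
        $what = "$ProcessName in session $($s.Id) ($($s.UserName), $($s.State)) on $Server"
        if ($PSCmdlet.ShouldProcess($what, 'tskill')) {
            & tskill.exe $ProcessName "/server:$Server" "/id:$($s.Id)" /v
        }
    }
}

# Constructed sample, following the "query session /server:FUJI" listing above.
$sample = @'
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console           Administrator             1  Active
 rdp-tcp#1         adam.barr                 2  Active  rdpwd
 rdp-tcp#0         administrator             3  Active  rdpwd
                   nancy.anderson            4  Disc
 rdp-tcp                               65536  Listen
'@ -split "`r?`n"

# Prints: What if: Performing the operation "tskill" on target "excel in session 2 (adam.barr, Active) on FUJI".
Stop-RdsUserProcess -Server FUJI -UserName adam.barr -ProcessName excel -RawSessionOutput $sample -WhatIf
```

Omit -WhatIf (and -RawSessionOutput) to run it for real; because the session list is re-read from the server each time, the command still follows the right session even after the user has reconnected and received a new ID.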

Monitoring and Ending User Sessions


Before you start monitoring and ending sessions in the Remote Desktop Services Manager, you should recognize the different session types that you will see and what they are for. Four types of sessions appear in the Remote Desktop Services Manager:
■ Console  Session supports someone logged on locally (at the physical console). This session is not accessible via RDP.
■ RDP-Tcp  Remote RDP session.
■ Services  Session used by server services.
■ Listener  Session listens for incoming connection requests.
For our purposes, you’re going to work most often with the RDP-Tcp sessions.

Switching Between Sessions
Let’s say that you have logged on to your Windows 7 desktop via RDP with your domain credentials so that you can work on that computer from a remote location. When you do so, the console session switches to the RDP session and the console goes back to the logon screen. The same functionality is behind the ability to move between sessions on an RD Session Host server, using the Remote Desktop Services Manager or the tscon command. You can switch between your own sessions if you have more than one, or (if you know the password) you can connect to another user’s session and disconnect your own. Connecting to a session using this functionality automatically disconnects the session you started from.
There are a few caveats to using the Connect functionality:
■ It works only to connect to an RDP-Tcp session from another RDP-Tcp connection on the same server. You can connect to an active or a disconnected session.
■ You cannot connect to a RemoteApp session, only a full desktop.
■ Although you can connect to another session from an administrative (/admin) connection, you can’t connect to an administrative connection from another RDP-Tcp connection.
■ When you are prompted for a password while connecting to a session from the Remote Desktop Services Manager, the password is obscured on the screen. When you supply the password to the command-line tool, the password might be displayed on the screen, in cleartext, if you want. Therefore, be careful how you use tscon when anyone is standing behind you!

NOTE  If you attempt to connect to a local logon session from tscon, you’ll see error code
31, telling you, “A device attached to the system is not functioning.” If you attempt to con-
nect to an /admin remote connection, you’ll get an error message that access is denied.

DIRECT FROM THE SOURCE

What Happens to the Password I Type into tscon?


Al Henriquez
Software Development Engineer II

Meher Malakapalli
Senior Development Lead

The Connect tool (whether implemented from the command line or the GUI) implements this functionality through the WTSConnectSession function described
on MSDN at http://msdn.microsoft.com/en-us/library/bb394782(VS.85).aspx. For
the purposes of the IT pro, this function takes three important parameters: logonID,
targetlogonID, and password.

Basically, this function accepts the domain name and user name of the person
initiating the request. If these do not match, then the person initiating the request
must type in the password of the account that owns the target session. One key fact
to note is that Connect works only on the same RD Session Host server—you can’t
connect to a session on another server. Therefore, the credentials don’t go over
the network except when you type them into the RDP window, and then they’re
protected by RDP encryption.

The bottom line is that when you connect to another session, the credentials that
you provide are protected. They never leave the RD Session Host server and they
are removed from memory as soon as the function is finished with them.

To use the Connect functionality from the Remote Desktop Services Manager or the tscon command, follow these steps:
1. Start an RDP session to the RD Session Host server hosting the session to which you want to connect.
2. Find the correct session. From the Remote Desktop Services Manager, find the correct session from the Users or Sessions tab in the center pane. If using the command prompt, find the session ID by typing query session.
3. Connect to the session. From the Remote Desktop Services Manager, right-click the session and choose Connect from the context menu. From the command prompt, type tscon sessionID /password:password to enter the password with the command, or /password:* to be prompted for the password. You’ll need to include all of this information in the command.

NOTE  You must supply the password when connecting from the command prompt or
the command will fail. When connecting from the Remote Desktop Services Manager,
you are prompted for the password if connecting to a session that is not your own.

4. Assuming that you provide the correct password and it’s possible to connect to the session, you will connect immediately to the new session and see any applications or files open in the other session. The person whose session that was will be disconnected. If the password isn’t valid, you’ll see an error message.
So why do this? The functionality is most useful if RemoteApp functionality isn’t in the picture. In Windows Server 2003 and earlier, the only way to publish individual applications was by limiting a session to a single application. By using Connect, it was possible (if awkward) for a user to move between individual applications on the same terminal server.
Today, this command isn’t applicable to most situations because the only sessions that you should be able to connect to (assuming reasonably secure domain password protection) are your own. One possible scenario for using Connect in this present version of RDS is if you were logged on to an RD Session Host server as both a user and an administrator, using two different accounts. You could switch to your administrator persona by connecting to the session, but you’d disconnect your user persona.

Closing Orphaned Sessions


An orphaned session is one that is no longer being used. An orphaned session can occur for a number of reasons. For example, if you do not limit users to one session and don’t set a time limit for resetting idle and disconnected sessions, you might encounter sessions that were left open by users. You might also find orphaned sessions if users get disconnected from their sessions and you are not using the RD Connection Broker (which will reconnect users to disconnected sessions). In this instance, when the users reconnect to the farm, they might open a new session and unknowingly abandon the other session.
There are several ways to decrease orphaned sessions. You can configure Group Policy objects (GPOs) to end idle and disconnected sessions automatically after a certain period of inactivity, or you can use the RD Connection Broker to reconnect users to their disconnected sessions. However, if these avenues are blocked for you, you should know how to terminate orphaned sessions.
First, you must determine which sessions are really abandoned. A good way to tell if a session is not being used is to look for active and disconnected sessions that have been idle for a certain period of time, such as if you have shift workers and a session is idle for longer than the normal daily shift hours. Check the Users or Sessions tab of the Remote Desktop Services Manager or use the query user command to figure out which sessions to terminate by finding out how long sessions have been idle. For example, to check the Idle Time setting for all sessions on server FUJI, you can run the following command:

C:\windows\system32>query user /server:FUJI

 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 administrator         console             1  Active  none       7/26/2010 6:51 PM
 adam.barr             rdp-tcp#1           2  Active  57         7/30/2010 4:55 PM
 administrator         rdp-tcp#0           3  Active  .          7/27/2010 6:37 PM
 nancy.anderson        rdp-tcp#2           4  Active  48         7/30/2010 4:55 PM
 kristin.griffin       rdp-tcp#3           5  Active  7          7/30/2010 4:56 PM

NOTE  See the section entitled “Auditing User Logons” later in this chapter for more ex-
amples of how to use the query user command.

The results will show the state, idle time (if applicable), and logon time of each session.

At this point, you have a couple of options: you can disconnect the session or terminate it. Disconnecting the session causes it to use fewer resources on the server while leaving open the applications and data in use in the session. Terminating the session (also called resetting the session) will end the session completely. Disconnecting is not invasive; users can get back to where they were by logging on again, but it does continue to use resources on the server. Terminating sessions frees resources, but it can lead to file locking issues because it’s an ungraceful exit and files might not close properly.

NOTE  RDS does not support concurrent user licensing, just per-user or per-device.
Therefore, if you’re using a native RDS environment (and aren’t running add-ons that are
licensed on a concurrent-user basis), it’s immaterial from a licensing perspective whether
you disconnect or terminate a session. Adding third-party software that does support con-
current user licensing can affect the best practices that apply to you.

Disconnecting Sessions
Disconnecting a session using the Remote Desktop Services Manager is easy. Find the session to disconnect, right-click it, and choose Disconnect from the context menu. You must be connected to the same server as the session you’re disconnecting.
To disconnect a session from the command prompt, use tsdiscon. The syntax is simple:

TSDISCON [sessionid | sessionname] [/SERVER:servername] [/V]

  sessionid            The ID of the session.
  sessionname          The name of the session.
  /SERVER:servername   Specifies the RD Session Host server (default is current).
  /V                   Displays information about the actions performed.

As you can see, when using the command-line tool, you can specify the server on which you want to disconnect a session.

CAUTION  If you run tsdiscon without arguments, you’ll disconnect your own ses-
sion even if you’re sitting at the console. You won’t lose any data because the session
will continue running and you can just reconnect, but disconnecting yourself is
disconcerting and should be avoided.

Terminating Sessions
You can terminate a session easily from the Remote Desktop Services Manager or the command prompt.
To terminate a session from the Remote Desktop Services Manager, highlight the session on the Users or Sessions tab, right-click, and choose Reset. You’ll see a dialog box telling you that you’re resetting this user’s session. Click OK, and then the session will reset. All processes belonging to that user will be terminated immediately.
You can also terminate active and disconnected sessions from the command line using one of these three utilities (their syntax is shown here):

RESET SESSION {sessionname | sessionid} [/SERVER:servername] [/V]
RWINSTA {sessionname | sessionid} [/SERVER:servername] [/V]
LOGOFF [sessionname | sessionid] [/SERVER:servername] [/V]

Reset session and rwinsta are functionally the same in that they terminate the connection ungracefully—the session never has a chance to close open files or save the profile changes. Logoff is a little different in that, although it won’t save open files, it will at least write back changes to the profile.
The syntax for all three commands requires that you use the session name or session ID to identify the session you want to close, so you will need to get this information from the Remote Desktop Services Manager or from the command line by using the query user command. The syntax is:

QUERY USER [username | sessionname | sessionid] [/SERVER:servername]

For instance, to reset a disconnected session for user paul.koch on server FUJI, run these commands. The following example checks for Paul’s session after resetting it just to make the point that this session no longer exists:

C:\Users\Administrator>query session paul.koch /server:FUJI

 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
                   paul.koch                 5  Disc
C:\Users\Administrator>reset session 5 /server:FUJI
C:\Users\Administrator>query session paul.koch /server:FUJI
No session exists for paul.koch
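The orphaned-session procedure above has two halves: read idle time from query user, then choose between disconnect, logoff and reset, which differ in what they preserve. The script below is an added example covering both halves (Windows PowerShell 3.0 or later syntax); it is not code from the book or from Microsoft. Function names, the -RawOutput parameter and the sample listing are constructed; the sample extends the query user /server:FUJI output shown earlier with one long-idle disconnected session so that the threshold has something to find. The IDLE TIME column is rendered by query user as none, ., minutes, h:mm or d+hh:mm, and the converter handles each form.

```powershell
# Added example: find sessions idle longer than a threshold with "query user", then
# disconnect, log off or reset them. Not code from the book.

function ConvertTo-IdleMinutes {
    # Translate the IDLE TIME column into minutes: "none"/"." = not idle (under a minute),
    # "57" = minutes, "1:05" = hours:minutes, "2+03:12" = days+hours:minutes.
    param([string]$Idle)
    switch -Regex ($Idle) {
        '^(none|\.)$'            { return 0 }
        '^\d+$'                  { return [int]$Idle }
        '^(\d+):(\d{2})$'        { return [int]$Matches[1] * 60 + [int]$Matches[2] }
        '^(\d+)\+(\d+):(\d{2})$' { return [int]$Matches[1] * 1440 + [int]$Matches[2] * 60 + [int]$Matches[3] }
        default                  { return $null }
    }
}

function ConvertFrom-QueryUser {
    # Data rows are matched from the right, where the columns are fixed; SESSIONNAME is
    # blank for disconnected sessions and '>' marks the caller's own session. The header
    # line never matches because ID is not numeric there.
    param([string[]]$Lines, [string]$Server)
    $row = '^\s*>?(?<user>\S+)\s+(?<sess>\S*)\s+(?<id>\d+)\s+(?<state>\S+)\s+(?<idle>\S+)\s+(?<logon>.+?)\s*$'
    foreach ($line in $Lines) {
        if ($line -notmatch $row) { continue }
        [pscustomobject]@{
            Server      = $Server
            UserName    = $Matches.user
            SessionName = $Matches.sess
            Id          = [int]$Matches.id
            State       = $Matches.state
            IdleMinutes = ConvertTo-IdleMinutes $Matches.idle
            LogonTime   = $Matches.logon
        }
    }
}

function Get-RdsIdleSession {
    [CmdletBinding()]
    param(
        [string]$Server = $env:COMPUTERNAME,
        [int]$IdleMinutes = 480,          # longer than an eight-hour shift
        [string[]]$RawOutput              # constructed parameter: pre-captured output, for offline use
    )
    if (-not $RawOutput) { $RawOutput = & query.exe user "/server:$Server" 2>&1 }
    ConvertFrom-QueryUser -Lines $RawOutput -Server $Server |
        Where-Object { ($null -ne $_.IdleMinutes) -and ($_.IdleMinutes -ge $IdleMinutes) }
}

function Close-RdsSession {
    # Disconnect keeps the session and its open files; Logoff writes the profile back but
    # does not save open files; Reset ends the session at once (see the text above).
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Session,
        [ValidateSet('Disconnect', 'Logoff', 'Reset')] [string]$Action = 'Disconnect'
    )
    process {
        switch ($Action) {
            'Disconnect' { $exe = 'tsdiscon.exe'; $argList = @($Session.Id) }
            'Logoff'     { $exe = 'logoff.exe';   $argList = @($Session.Id) }
            'Reset'      { $exe = 'reset.exe';    $argList = @('session', $Session.Id) }
        }
        $what = "$($Session.UserName) session $($Session.Id) ($($Session.State), idle $($Session.IdleMinutes) min) on $($Session.Server)"
        if ($PSCmdlet.ShouldProcess($what, $Action)) {
            & $exe $argList "/server:$($Session.Server)" /v
        }
    }
}

# Constructed sample: the book's "query user /server:FUJI" listing plus one stale session.
$sample = @'
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 administrator         console             1  Active  none       7/26/2010 6:51 PM
 adam.barr             rdp-tcp#1           2  Active  57         7/30/2010 4:55 PM
 administrator         rdp-tcp#0           3  Active  .          7/27/2010 6:37 PM
 nancy.anderson        rdp-tcp#2           4  Active  48         7/30/2010 4:55 PM
 kristin.griffin       rdp-tcp#3           5  Active  7          7/30/2010 4:56 PM
 paul.koch                                 6  Disc    1+09:12    7/29/2010 7:40 AM
'@ -split "`r?`n"

# Only paul.koch (idle 1992 minutes) passes the 480-minute threshold; -WhatIf shows
# the logoff that would run without performing it.
Get-RdsIdleSession -Server FUJI -IdleMinutes 480 -RawOutput $sample |
    Close-RdsSession -Action Logoff -WhatIf
```

Logoff is the default worth reaching for on a stale session because it writes the profile back; Reset (reset session or rwinsta) is the ungraceful path the text warns about, so keep it behind -Confirm when you run this unattended.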

Providing Help with Remote Control


In addition to the methods just described, another way to interact with user sessions is to shadow them. Inevitably, every user, at one time or another, calls the Help desk to get assistance from the IT staff. And as helpful as staff can be, and as willing to describe their unfortunate circumstances as users can be, it is sometimes best to experience the problem to solve it efficiently. Windows Server 2008 R2 (like its predecessors) gives you the ability to observe the user session or even take control of the session so that you can act as the user and experience the difficulties a user has. Hopefully, this experience provides a clearer picture of the situation and leads to a speedy resolution of the Help desk ticket.
You can control Remote Control settings from three locations:
■ Group Policy  Used to specify Remote Control settings for all RD Session Host servers in a farm.
■ Remote Desktop Session Host Configuration  Used to specify Remote Control settings on a per-server basis.
■ Active Directory Users And Computers  Used to specify Remote Control settings on a per-user basis.
The ability to control or shadow a user’s session remotely is enabled by default on the Remote Control tab of each user’s account Properties dialog box, as shown in Figure 11-4.

NOTE  Even though Remote Control is enabled by default in domain user account
properties, these settings are used only when you use Remote Desktop Session Host
Configuration (instead of Group Policy) to stipulate Remote Control settings, and only
when Remote Desktop Session Host Configuration is set to Use Remote Control With
Default User Settings. You will look at Remote Desktop Session Host Configuration Remote
Control settings later in this section.

FIGURE 11-4  Remote Control is enabled by default on AD DS user accounts.

If you do not want to be able to view or interact with sessions opened by the user, clear the Enable Remote Control check box.
By default, the user’s permission is required for an administrator to interact with the user’s session. When you invoke remote control of a user session, the user receives a prompt similar to Figure 11-5 requesting that he or she grant you permission to control the session. If the user clicks No or doesn’t respond, the person requesting remote control will see a message that access is denied.

FIGURE 11-5  If the user’s permission is required for shadowing the session, the user will see this notice.

Not everyone wants users to be aware that their sessions are being shadowed; some companies use this feature for auditing the work habits of their employees. If Require User’s Permission is not enabled, then you can gain remote control (for viewing or interacting, depending on the level of control option selected) of the user session without her knowledge or permission.
When you attach to the session in these circumstances, the user sees nothing and is not aware of your presence unless you interact with the session in some way.

CAUTION  If you decide to interact with user sessions without user knowledge or
permission, check with your company’s legal and human resources (HR) departments
first, to make sure that the company is legally protected and that HR policies reflect
this need.

By default, administrators have full control of the user session. This means you can manipulate the session (use the keyboard and mouse, and so on) as if you are the user. This level of control can be changed to allow only observation by selecting the option View The User’s Session. At this level, you can observe the user’s session, but you cannot control it in any way.
Remote Control settings can also be set using RD Session Host Configuration on each server or by using Group Policy. Group Policy settings take precedence over RD Session Host Configuration settings.

Enabling Remote Control via Group Policy

You can configure Remote Control settings with either a user Group Policy (to affect certain groups of users) or a computer Group Policy (to affect all users who log on to a server or server farm). These settings are located at:
■ Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Connections\Set Rules For Remote Control Of Remote Desktop Services User Sessions
■ User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Connections\Set Rules For Remote Control Of Remote Desktop Services User Sessions

NOTE  If both of these Group Policy settings are enabled and there is a conflict, the
computer policy settings will take precedence.

Opening either of these GPO settings reveals the screen shown in Figure 11-6.

FIGURE 11-6  The Set Rules For Remote Control Of Remote Desktop Services User Sessions GPO setting dialog box allows you to choose the settings you want for remote sessions.

Enable the GPO setting and then specify whether user permission is required for interaction with the user session and what level of control will be allowed. Do this by choosing the appropriate option from the Options drop-down menu. The options available are the following:
■ Full Control With User’s Permission  With the user’s permission, you can take action in the session just as if you were the user.
■ Full Control Without User’s Permission  Without the user’s permission and without the user receiving any notification beforehand, you can take action in the session just as if you were the user.
■ View Session With User’s Permission  With the user’s permission, you can view the session but cannot interact with it in any way.
■ View Session Without User’s Permission  Without the user’s permission and without the user receiving any notification, you can view the session but cannot interact with it in any way.
If these Group Policy settings are set to Not Configured, then Remote Control settings are controlled by RD Session Host Configuration. Enabling either of these Group Policy settings overrides Remote Control from the RD Session Host Configuration, and the setting options there will be disabled.
To disable remote control of user sessions, choose the No Remote Control Allowed option from the Options drop-down menu.

NOTE  Disabling the Set Rules For Remote Control Of Remote Desktop Services policy has
the same effect as not configuring it.

Enabling Remote Control via RD Session Host Configuration

RD Session Host Configuration is used to set Remote Control settings on a per-server basis. On a server, open RD Session Host Configuration, double-click the RDP-Tcp connection, and then click the Remote Control tab shown in Figure 11-7.

FIGURE 11-7  Configure Remote Control via the RD Session Host Configuration RDP-Tcp Properties dialog box.

There are two ways to enable remote control:
■ Enable remote control and specify whether user permissions are required to shadow the user session and the level of control (view only or interact) permitted when shadowing the session.
■ Enable remote control and use the Remote Control settings set in each user’s account properties to specify whether shadowing that user’s session is allowed, whether the user’s permission is required, and the level of control (view only or interact) permitted when shadowing the session.
You can disable remote control of user sessions created on the server by choosing Do Not Allow Remote Control.
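Because the same Remote Control setting can come from a computer GPO, a user GPO or RD Session Host Configuration, with the precedence described in the two sections above, an audit needs to say which source wins on a given server and whether it permits shadowing without the user's permission. The script below is an added example for those two sections (Windows PowerShell 3.0 or later syntax); it is not code from the book or from Microsoft. The function names are constructed. The registry locations and the 0 to 4 encoding of the Shadow value are the documented backing store for the GPO option list above and for the RDP-Tcp connection setting; they are not stated on this page, so verify them against the Group Policy reference before relying on the output. The user-policy line reflects only the account running the script.

```powershell
# Added example: report which Remote Control (shadow) source is in effect on this server
# and what it allows. Not code from the book; registry paths and value encoding are
# assumptions taken from Microsoft's policy documentation, not from this page.

# Encoding of the Shadow DWORD, in the order of the GPO Options drop-down described above.
$ShadowMeaning = @{
    0 = 'No Remote Control Allowed'
    1 = "Full Control With User's Permission"
    2 = "Full Control Without User's Permission"
    3 = "View Session With User's Permission"
    4 = "View Session Without User's Permission"
}

function Get-ShadowValue {
    # Returns the Shadow value at a registry path, or $null when the key or value is
    # absent (a Group Policy setting left Not Configured or Disabled writes nothing).
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -Name Shadow -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.Shadow
}

function Get-RdsShadowSetting {
    # One row per source, listed in precedence order: computer policy beats user policy,
    # and either policy beats RD Session Host Configuration. Effective marks the winner.
    [CmdletBinding()]
    param()
    $sources = @(
        @{ Name = 'Computer Group Policy';         Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' },
        @{ Name = 'User Group Policy (this user)'; Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' },
        @{ Name = 'RD Session Host Configuration'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' }
    )
    $decided = $false
    foreach ($src in $sources) {
        $value = Get-ShadowValue -Path $src.Path
        $wins = (-not $decided) -and ($null -ne $value)
        if ($wins) { $decided = $true }
        [pscustomobject]@{
            Source    = $src.Name
            Value     = $value
            Meaning   = if ($null -eq $value) { 'Not Configured' } else { $ShadowMeaning[$value] }
            Effective = $wins
        }
    }
}

function Test-RdsShadowWithoutConsent {
    # True when the winning setting is one of the "Without User's Permission" options
    # (values 2 and 4), the case the CAUTION above says to clear with legal and HR first.
    $effective = Get-RdsShadowSetting | Where-Object { $_.Effective }
    return ($null -ne $effective) -and (@(2, 4) -contains $effective.Value)
}

Get-RdsShadowSetting | Format-Table Source, Value, Meaning, Effective -AutoSize
if (Test-RdsShadowWithoutConsent) {
    Write-Warning 'Shadowing without the user''s permission is in effect on this host.'
}
```

One limit worth knowing: when RD Session Host Configuration is set to use each user's default settings, the decisive value lives on the AD DS user account (Figure 11-4), which this script does not read, so treat an RD Session Host Configuration row as "check the user accounts too" rather than as the final answer.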
By default, only administrators have the right to shadow sessions. To give another user or user group permissions to shadow sessions, follow these steps:
1. Open RD Session Host Configuration and double-click RDP-Tcp.
2. Navigate to the Security tab and click OK to the warning that pops up telling you to modify the Remote Desktop Sessions group. Then click Advanced.
3. Add the user account or the user group whose sessions you would like to be able to shadow by clicking Add and entering the name of the user or group. Then click OK.
4. In the Permissions Entry For RDP-Tcp dialog box, select the Remote Control check box.
5. Then click OK in each of the three dialog boxes that are open to save the changes.
The settings are applied at logon, so the users to whom you granted this right must log off and log back on before they can remote control others’ sessions.

Shadowing a User Session


Before you try to shadow a session, there are two things to keep in mind. First, you can shadow a session only from another RDP session because you’re basically intercepting the graphics output of the shadowed session and sending it to your own session. You can’t send RDP updates to a local logon, just as you can’t connect to an RDP session from a local logon. (You’ll see this when you start the Remote Desktop Services Manager from the console session; there’s a warning that these tools will be disabled.)
Somewhat more ns d ous y, you can’t shadow a remote sess ons To be prec se, you can
on y shadow sess ons connect ng to a fu desktop us ng a s ng e mon tor It w appear that
you can shadow other sess ons, because noth ng n the user nterface prevents you from con-
nect ng to a sess on host ng RemoteApp programs, and you won’t see any warn ngs However,
shadow ng RemoteApp programs sn’t supported and rea y doesn’t work we The prob em
s that enab ng RemoteApp programs requ res deta ed commun cat on between server
and c ent to pos t on the w ndow correct y Th s commun cat on doesn’t extend to both the
computer from wh ch the adm n strator s shadow ng the sess on and the or g na c ent If the
adm n strator shadow ng the sess on moves the app cat on w ndow, t m ght d sappear from
the sess on when the adm n strator restores contro , or t m ght just render the app cat on un-

Prov d ng He p w th Remote Contro   Chapter 11 615

www.it-ebooks.info
respons ve Therefore, a though t s techn ca y poss b e to shadow a RemoteApp sess on, t’s
pretty use ess Before shadow ng, be sure that you’re connect ng to a fu desktop sess on

NOTE  Neither the Remote Desktop Services Manager nor the command-line tools make it easy to distinguish between full desktops and RemoteApp sessions. To learn how to distinguish between sessions running RemoteApp programs and those running a full desktop, see the section entitled “Differentiating RemoteApp Sessions from Full Desktop Sessions” later in this chapter.

Shadowing a session is simple, and you can do it from the Remote Desktop Services Manager or from a command prompt.
To shadow from the GUI, create an RDP connection to a server or desktop and run the Remote Desktop Services Manager. On the Users tab in the middle pane, right-click the user whose session you want to shadow and select Remote Control. If the user's permission is required, the user will receive a remote control request and can accept or deny it.
On the server, you will see a dialog box asking you to specify a key sequence to end the shadow session (shown in Figure 11-8). Ctrl+Tab is the default choice, but you can choose other options if the default doesn't work for you.

FIGURE 11-8  Choose a hot key sequence to end a shadow session.

Your screen might freeze briefly while the user is alerted to your shadow request if shadowing is configured to notify the user (and the user's screen might blink once when you connect).
After the user grants you permission to shadow the session, your session will be replaced with the user's session desktop. If settings only permit you to view the session, then you will be able to see the user's actions, but you won't be able to interact with the session. Otherwise, you can take part in the session as if you were the user. To stop shadowing, simply press the hot key sequence that you selected when establishing the session; the shadow session will disappear and you will be back to your desktop. The user's session will continue as normal.
You can also start a shadow session from the command line. Again, you'll need to establish an RDP session first and run the command from it. To get remote control of a session from the command line, use the shadow command and provide the name or ID of the session to which you want to connect. To shadow a session on a remote computer, add the name of the server, as in this example of shadowing session 2 on server FLAPJACK:

shadow /SERVER:flapjack 2

When you start a shadow session from the command line, there is no prompt for you to choose a hot key sequence to end the shadow session. To end the shadow session, use the hot key sequence Ctrl+*.

NOTE  The asterisk above the number 8 does not work to stop shadowing. Use the
asterisk on your numeric keypad.

Troubleshooting Session Shadowing

If you try to shadow a user session and can't, there are a couple of steps you can take to troubleshoot the problem.
First, make sure that the user's session is allowed to be shadowed. This setting can be configured through Group Policy (for users or computers), the user account properties, or in RD Session Host Configuration. If you find that the settings in these areas are set correctly and you are still being denied, check with the user. It might be that the user is mistakenly answering “No” to the request to let you remote-control the session.
Second, use the error messages to help you diagnose the problem. Any error messages that you might receive when trying to shadow a session are most helpful when you're trying to shadow a session from the same server that the session you're trying to shadow is connected to. For instance, if you are trying to shadow a user session from the same server that the user is logged on to, and RD Session Host Configuration is set not to allow remote control, you will receive a message like this:

shadow 3
Your session may appear frozen while the remote control approval is being negotiated.
Please wait...
Remote control failed. Error code 7051
Error [7051]:The requested session is not configured to allow remote control.

However, if you are initiating the shadowing operation from a computer other than the one that hosts the session that you want to shadow, you will not get such a straightforward message. Instead, if there's a problem, you will receive a cryptic message like this:

shadow 3 /SERVER:FUJI
Your session may appear frozen while the remote control approval is being negotiated.
Please wait...
Remote control failed. Error code 2
Error [2]:The system cannot find the file specified.

Typically, if you see error code 2, it means either that the user denied your request to shadow the session or that shadowing the session is not allowed.
If you'd like to save yourself the trouble of trying three different tools to find the current Remote Control settings and where they're set, query the Win32_TSRemoteControlSetting Windows Management Instrumentation (WMI) class from Windows PowerShell.

NOTE  The methods and properties for this class can be found at http://msdn.microsoft.com
/en-us/library/aa383817(VS.85).aspx.

To view the Remote Control settings for a computer, open Windows PowerShell and enter the following command:

get-wmiobject -namespace "root\cimv2\terminalservices" -class Win32_TSRemoteControlSetting

The important part of the output is at the bottom, where you'll see values such as this:

Caption :
Description :
InstallDate :
LevelOfControl : 0
Name :
PolicySourceLevelOfControl : 0
RemoteControlPolicy : 1
Status :
TerminalName : RDP-Tcp

The key properties LevelOfControl, PolicySourceLevelOfControl, and RemoteControlPolicy provide answers to the following questions: Do you have permission to shadow this session? Where is this policy set?

ON THE COMPANION MEDIA  The Windows PowerShell script, Shadowcheck.ps1, helps automate the commands detailed here.

LevelOfControl can have values from 0 to 4, with the following meanings:
■ 0 = Remote control is disabled
■ 1 = Administrator has full control; user must grant permission to be shadowed
■ 2 = Administrator has full control; user permission is not required
■ 3 = Administrator can view the shadowed session; user must grant permission to be shadowed
■ 4 = Administrator can view the shadowed session; user permission is not required

The PolicySourceLevelOfControl shows where the value of LevelOfControl comes from. A value of 0 means that this value is set on a per-server basis, a value of 1 indicates that it's set by Group Policy, and a value of 2 means that it comes from the user account policies.
The value of the RemoteControlPolicy property indicates whether Remote Control settings are configured on a per-user basis (1) or a per-server basis (0).
You can observe the changes to these settings by editing the Remote Control settings from RD Session Host Configuration. Try editing the settings to see how the value of the LevelOfControl property changes when you disable remote control, and you'll see the value change when you run the script.
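The following Windows PowerShell script is an added example, not the book's Shadowcheck.ps1: it queries Win32_TSRemoteControlSetting and translates the three properties above into plain language, so one run tells you whether shadowing is permitted on the server and where that setting is coming from. The -ComputerName parameter is an assumed name for this script.

```powershell
# Added example (not the book's Shadowcheck.ps1): decode Win32_TSRemoteControlSetting into
# readable text. Run it on the RD Session Host, or pass -ComputerName for a remote server.
param([string]$ComputerName = ".")

# Value meanings as documented on this page
$levelText = @{
    0 = "Remote control is disabled"
    1 = "Administrator has full control; user must grant permission"
    2 = "Administrator has full control; user permission not required"
    3 = "Administrator can view only; user must grant permission"
    4 = "Administrator can view only; user permission not required"
}
$sourceText = @{
    0 = "per-server setting (RD Session Host Configuration)"
    1 = "Group Policy"
    2 = "user account properties"
}

$settings = Get-WmiObject -Namespace "root\cimv2\terminalservices" `
    -Class Win32_TSRemoteControlSetting -ComputerName $ComputerName

foreach ($s in $settings) {
    $level  = [int]$s.LevelOfControl
    $source = [int]$s.PolicySourceLevelOfControl
    $policy = if ($s.RemoteControlPolicy -eq 1) { "per-user" } else { "per-server" }

    # Look up with a fallback so an unexpected value is reported rather than hidden
    $levelMsg  = if ($levelText.ContainsKey($level))   { $levelText[$level] }   else { "unknown value $level" }
    $sourceMsg = if ($sourceText.ContainsKey($source)) { $sourceText[$source] } else { "unknown value $source" }

    Write-Output ("Connection {0} on {1}:" -f $s.TerminalName, $ComputerName)
    Write-Output ("  LevelOfControl {0}: {1}" -f $level, $levelMsg)
    Write-Output ("  Set by: {0}" -f $sourceMsg)
    Write-Output ("  Remote control policy: {0}" -f $policy)

    # When the policy is per-user, the effective answer also depends on the target user's
    # account properties, so a server-level value alone is not the last word.
    if ($level -eq 0 -and $policy -eq "per-server") {
        Write-Output "  Shadow attempts on this server will fail (error 7051 when run locally) until remote control is enabled."
    }
    elseif ($policy -eq "per-user") {
        Write-Output "  Check the Remote Control tab of the user's account properties as well."
    }
}
```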
Another reason you might see errors when trying to shadow sessions has to do with screen size. If you try to shadow a session that is using one monitor from another session that is spanning multiple monitors, you will not be able to shadow the session. Trying to shadow from a Windows 7 client using multiple monitors to a session using fewer monitors results in the session being disconnected, and you will get the following error:

Remote control failed. Error code 120
Error [120]:This function is not supported on this system.

NOTE  Shadowing from a Windows XP client to an RD Session Host server remote session
does not work. It results in the session being disconnected, and you will get this error.

Remote control failed. Error code 31
Error [31]:A device attached to the system is not functioning.

Preparing for Server Maintenance

When you need to update an application, you certainly don't want users to be connected to it at the time. Therefore, you'll need some method of keeping users off the server when necessary. This is generally known as putting the server into drain mode, where existing connections are allowed to continue but no new ones are allowed in (and the RD Connection Broker won't route any connections there).
When preparing for maintenance, there are three steps you should perform, in order:
1. Disable new logons.
2. Inform users of the planned downtime.
3. Shut down the RD Session Host server programmatically.

Disabling New Logons

You can put a server into drain mode via RD Session Host Configuration or the command line.
From RD Session Host Configuration, move to the Edit Settings area in the middle pane and double-click User Logon Mode. This will open a dialog box presenting three options:

■ Allow All Connections  This is the default user mode. All connections are allowed.
■ Allow Reconnections, But Prevent New Logons  This is drain mode. Users with existing sessions are allowed to reconnect or to stay connected to the server, but new connections are blocked.
■ Allow Reconnections, But Prevent New Logons Until The Server Is Restarted  This is temporary drain mode. The server will not accept new connections (and the RD Connection Broker will not route connections to it) until the server is rebooted. After the server has rebooted, this setting will revert to Allow All Connections.
Choose the option that suits your needs and click OK.
To change user logon mode from the command prompt, you'll use the change logon command. You must execute this command from the server whose user logon mode you're changing; the tool does not offer a remote option. The change logon syntax is pretty simple:
■ /query  Returns the state of the server
■ /enable  Enables logons that had been disabled
■ /disable  Disables all incoming connections, including reconnections
■ /drain  Puts the server into drain mode
■ /drainuntilrestart  Puts the server into temporary drain mode (until the system is restarted)
If you're familiar with this tool from previous versions of Windows Server, you might notice the new options for enabling drain mode and temporary drain mode. Otherwise, the syntax hasn't changed since Windows Server 2003.
Notice that change logon offers an option that RD Session Host Configuration does not: /disable. Drain mode prohibits new connections but does allow users to reconnect to existing sessions. If you're serious about removing users from the server, use change logon /disable to prevent any incoming connections, even reconnections. However, use this option with care. Disabling logons when users have existing sessions open can result in lost data or profile changes in the orphaned sessions. Drain mode, combined with reminders to users that you will be shutting down the server and requests to users to log off their sessions, is a safer option.
Each of these options allows you to configure only one server, though. To set the logon mode on more than one server at a time, use either Group Policy or script the logon mode via WMI. To edit the User Logon Mode via Group Policy, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow Users To Connect Remotely Using Remote Desktop Services.
Group Policy is most useful for longer-term changes affecting many servers (you wouldn't edit Group Policy for a temporary change to two servers), whereas WMI is better for faster or more directed changes. Group Policy isn't practical for, say, changing the logon mode for two RD Session Host servers in the farm while the other two keep accepting logons, but WMI works well for this.

One way to check the current logon mode via WMI on the local computer is to run the following Windows PowerShell script. (To run this script on a remote computer, replace the value of $strComputer with the name of the other computer.)

$strComputer = "."
# Query the Terminal Services settings of the target computer (a line-continuation
# backtick is needed where the command wraps)
$RDSH = get-wmiobject -class "Win32_TerminalServiceSetting" -namespace "root\CIMV2\terminalservices" `
    -computername $strComputer
# AllowTSConnections reflects change logon /enable and /disable
switch ($RDSH.AllowTSConnections)
{
    0 {"User logons are disabled."}
    1 {"User logons are enabled."}
    default {"The user logon state cannot be determined."}
}
# SessionBrokerDrainMode reflects change logon /drain and /drainuntilrestart
switch ($RDSH.SessionBrokerDrainMode)
{
    0 {"Allow all connections."}
    1 {"Allow incoming reconnections but prohibit new connections."}
    2 {"Allow incoming reconnections but until reboot prohibit new connections."}
    default {"The drain mode cannot be determined."}
}

For example, this script will return the following message if the server is in temporary drain mode:

User logons are enabled.
Allow incoming reconnections but until reboot prohibit new connections.

ON THE COMPANION MEDIA  This script is also available on the companion media
as CheckLogon.ps1.

Notice that this script has to query two properties to return all the information. The AllowTSConnections property corresponds to the /enable and /disable switches, and SessionBrokerDrainMode corresponds to the /drain and /drainuntilrestart switches. As before, you are using the switch statement to evaluate the actual values and make interpreting the output easier. The efficiency of running a script to get the information you need is somewhat reduced if you have to look up the return values on MSDN to know what they mean.
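The earlier point that WMI suits targeted changes (draining two servers in a farm while the others keep accepting logons) and the CheckLogon.ps1 query above can be combined into one script. What follows is an added example, not the book's companion-media code: it sets drain mode on a chosen list of servers and re-queries each one to confirm. It assumes you are an administrator on each server, that WMI is reachable over the network, and that Win32_TerminalServiceSetting exposes the SetSessionBrokerDrainMode method (treat that method name as an assumption and check it on your build); the server names are constructed samples.

```powershell
# Added example (not the book's CheckLogon.ps1): put a subset of RD Session Host servers
# into drain mode via WMI and report what each server says about itself afterwards.
# Drain mode values are the ones the book lists: 0 = allow all, 1 = drain, 2 = drain until restart.
param(
    [string[]]$Servers = @("FUJI", "FLAPJACK"),   # constructed sample server names
    [ValidateSet(0, 1, 2)][int]$DrainMode = 2
)

$drainText = @{
    0 = "Allow all connections."
    1 = "Allow incoming reconnections but prohibit new connections."
    2 = "Allow incoming reconnections but until reboot prohibit new connections."
}

foreach ($server in $Servers) {
    try {
        $rdsh = Get-WmiObject -Class Win32_TerminalServiceSetting `
            -Namespace "root\CIMV2\terminalservices" -ComputerName $server -ErrorAction Stop
    } catch {
        Write-Warning "${server}: WMI query failed ($($_.Exception.Message)); skipping."
        continue
    }

    # Leave alone any server where logons are fully disabled (change logon /disable):
    # switching it to drain mode would silently re-open reconnections.
    if ($rdsh.AllowTSConnections -eq 0) {
        Write-Warning "${server}: user logons are disabled; leaving it as is."
        continue
    }

    # Assumed method name: SetSessionBrokerDrainMode(DrainMode) on Win32_TerminalServiceSetting
    $result = $rdsh.SetSessionBrokerDrainMode($DrainMode)
    if ($result.ReturnValue -ne 0) {
        Write-Warning "${server}: SetSessionBrokerDrainMode returned $($result.ReturnValue)."
        continue
    }

    # Re-query rather than trusting the call, and translate the value as CheckLogon.ps1 does
    $rdsh = Get-WmiObject -Class Win32_TerminalServiceSetting `
        -Namespace "root\CIMV2\terminalservices" -ComputerName $server
    $mode = [int]$rdsh.SessionBrokerDrainMode
    $msg  = if ($drainText.ContainsKey($mode)) { $drainText[$mode] } else { "Unknown drain mode $mode." }
    Write-Output ("{0}: {1}" -f $server, $msg)
}
```

Run it again with -DrainMode 0 after maintenance to return the same servers to Allow All Connections.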

Sending Messages to Users

Shutting down an RD Session Host server or VM without telling users is apt to annoy them. Even if you plan to start maintenance after work hours, it's still a good idea to let users know that they should shut down their sessions completely, not just disconnect them. You can also send messages for less drastic reasons, such as telling a user to resend a print job or warning users to shut down an application.

One way to communicate with your user base is by sending messages from the Remote Desktop Services Manager or by using the msg command-line tool. Using these tools, you can communicate with individuals, selected groups, or everyone logged on to the server. You can even wait for acknowledgement of your message.

NOTE  Using the techniques described in the rest of this chapter, you can send messages to users logged on to VMs as well as users logged on to sessions. Only one person will be logged on to each VM, however, so the broadcast functionality won't work on VMs as it does for sessions. That is, you can't use it to send a message to all VMs on an RD Virtualization Host.

From the Remote Desktop Services Manager, right-click a session on an RD Session Host or VM and select Send Message. You will see a dialog box like the one in Figure 11-9.

FIGURE 11-9  Send a message to a user logged on to an RD Session Host server or a VM with the Send Message tool.

The message contains the sender's user name and the time that the message is sent. Type your message in the Send Message dialog box and click OK. The user will see a message box like the one in Figure 11-10.

FIGURE 11-10  Users get your messages in a pop-up window.

Unlike the shadowing feature, sending messages is supported for RemoteApp programs. Users running RemoteApp programs or full desktop sessions receive the same message box; the only difference is that RemoteApp program users get a message box on their local desktop, whereas users running a full desktop session receive the message in that session window.

You can also use the msg command-line utility to send a message to a session like this:

msg nancy.anderson /SERVER:FUJI Nancy, Tech Support has reviewed your case, and will be with you in 5 minutes.

If you are not running the msg command from the same RD Session Host server as the one where the session is hosted, then you must specify the server (or VM) as shown in the example. You can specify sessions based on user name, session ID, or session name. Use the query command or the Remote Desktop Services Manager to get any of these data points.
If you have not limited users to one session per server, then you might need to send a message to every session that user has open. If you provide the user name as an argument, the message will appear in all sessions belonging to that user. To send a message to all sessions on a server, use the * argument. For example, to send a message to every session on server FUJI, run this command:

msg * /SERVER:FUJI This server will be rebooted at 3pm. Please close your RemoteApp programs.

You can also send a message to all users on an RD Session Host server, session IDs, or session names contained in a file. Using a file to specify who should receive a message can be helpful if you need to communicate with a group of users, but not every single person using the server. For instance, maybe you need to tell all users from the accounting department on server FUJI to shut down the accounting application. To do this, first create a file containing the user names of the accounting department users. This is most easily done from Windows PowerShell with the following script, which gets the names of the users in the ASH Accounting Users OU and adds them to a file named c:\scripts\ash-acct-users.txt. Obviously, you'll need to modify the Lightweight Directory Access Protocol (LDAP) paths and file name for your purposes.

# Bind to the OU that holds the accounting users (adjust the LDAP path for your domain)
$OU = [ADSI] "LDAP://OU=ASH_Accounting_Users,DC=ASH,DC=local"
$UserList = "c:\scripts\ash-acct-users.txt"
# Write one logon name per line; msg matches on the logon name (sAMAccountName),
# not on the display name
foreach ($child in $OU.psbase.children)
{
    out-file -filepath $UserList -append -inputobject $child.sAMAccountName
}

When you have the names in the file, then you can run the msg command as shown here:

msg @c:\scripts\ash-acct-users.txt /SERVER:FUJI Please close the accounting application.

Shutting Down and Restarting RD Session Host Servers
When you've drained the server of users and notified anyone who is still connected to the server, you can shut it down. You've probably shut down a server from the GUI; shutting down an RD Session Host server is no different. However, because you might not have shut it down from the command prompt, the focus is on that option here.

NOTE  The tsshutdown command used in Windows Server 2003 was discontinued in
Windows Server 2008 and Windows Vista. Use the shutdown command instead. You must
be an administrator to shut down or reboot an RD Session Host server. Users do not get
access to the Shut Down, Restart, Hibernate, or Sleep option on the Start menu when
working in a session. Nor can they execute the shutdown command.

Shutting down and rebooting an RD Session Host server from the Start menu is no different from shutting down or rebooting a Windows Server 2008 R2 server (without RDS installed) or a Windows 7 client. Go to Start and then click the arrow to the right of the lock button on the lower right of the menu. A menu pops up; choose either Restart or Shut Down.
When you choose to shut down or restart a server, you will see a pop-up window in which you need to choose a reason for the shutdown/reboot from the Option drop-down menu. Also, indicate whether the action was planned or unplanned, type any comments that you want to add in the Comments window, and click OK. This information is recorded in the server System Event Log (Event ID 1074). This logging is helpful for keeping track of who rebooted or shut down a server, and why they did so. Giving detailed information in the Comments area can make it easier for another administrator to figure out the exact reason for a reboot. For instance, if you install an application update, you can add a comment in the Shut Down Windows dialog box indicating exactly which one it was, which saves time if someone else needs the details later.
You can also use the shutdown command to shut down or restart a server from the command line. This command can be run from a Windows Server 2008 R2 server or even a Windows 7 client. The command syntax is:

shutdown [/i | /l | /s | /r | /g | /a | /p | /h | /e] [/f] [/m \\computer] [/t xxx] [/d [p|u:]xx:yy] [/c "comment"]

NOTE  Typing shutdown at a command prompt gives you the same command syntax and
arguments as typing shutdown /?.

Table 11-5 shows a list of the command-line arguments available for the shutdown command.

TABLE 11-5  Arguments for the shutdown Command

ARGUMENT INPUT | DETAILS
No arguments | Displays the command syntax and arguments. This is the same as typing /?.
/? | Displays the command syntax and arguments.
/i | Displays the GUI Shutdown. This must be the first option if used with other options. Use this option to shut down or reboot more than one computer at a time.
/l | Logs off the computer. This cannot be used with the /m or /d option.
/s | Shuts down the computer.
/r | Restarts the computer.
/g | Restarts the computer and then starts registered applications.
/a | Aborts a system shutdown, but can be used only against a shutdown command given with a timeout period (/t xxx).
/p | Turns off the local computer with no timeout or warning. Can be used with the /d and /f options.
/h | Hibernates the local computer. Can be used with the /f option.
/e | Supposed to be used to document the reason for an unexpected shutdown of a computer, but it does nothing. Use the /c argument instead.
/m \\computername | Specifies the target computer to shut down or reboot.
/t xxx | Sets the timeout period before shutdown or reboot to xxx seconds. The valid range is 0–600, with a default of 30. Using /t xxx implies the /f option.
/c "comment" | Adds a comment about the reason for the restart or shutdown. Maximum of 512 characters allowed.
/f | Forces running applications to close without forewarning users; /f is automatically set when used in conjunction with /t xxx.
/d [p|u:]xx:yy | Indicates the reason for the restart or shutdown; p indicates that the restart or shutdown is planned; u indicates that the reason is user-defined. If neither p nor u is specified, the restart or shutdown is unplanned; xx is the major reason number (positive integer less than 256); yy is the minor reason number (positive integer less than 65536). (See Table 11-6 for a reason code reference.)

Instead of running through every option the shutdown command offers, the following information highlights some options applicable to an RDS environment.
Using the command-line utility means that you can shut down or reboot a server remotely. For instance, to shut down the server FUJI from a remote Windows 7 client, the command looks like this:

shutdown /s /m \\FUJI

Use the /r argument to reboot a server like this:

shutdown /r /m \\FUJI

As with shutting down or rebooting from the GUI, it's good to document why the event is occurring. Use the /c argument to add a comment to the event that gets recorded in the event log. For example, this command restarts FUJI and adds a comment to explain the reason for the restart:

shutdown /r /m \\FUJI /c "Installed accounting application update."

To document the planned reason for a shutdown or restart via the command-line interface (CLI), use codes that correspond to the Option drop-down menu in the Windows Shut Down dialog box. The syntax for choosing a reboot code is shutdown /d [p|u:]xx:yy. The letters p and u indicate a planned action or user-defined action, respectively. The letter combination xx indicates the major reason number code; yy indicates the minor reason number code. Table 11-6 shows the reasons and corresponding code numbers.

TABLE 11-6  Major and Minor Number Codes Corresponding to Reasons for a Server Shutdown or Reboot

TYPE (E = EXPECTED, U = UNEXPECTED, P = PLANNED) | MAJOR | MINOR | TITLE/EXPLANATION
U | 0 | 0 | Other (Unplanned)
E | 0 | 0 | Other (Unplanned)
EP | 0 | 0 | Other (Planned)
U | 0 | 5 | Other Failure: System Unresponsive
E | 1 | 1 | Hardware Maintenance (Unplanned)
EP | 1 | 1 | Hardware Maintenance (Planned)
E | 1 | 2 | Hardware Installation (Unplanned)
EP | 1 | 2 | Hardware Installation (Planned)
P | 2 | 3 | Operating System Upgrade (Planned)
E | 2 | 4 | Operating System Reconfiguration (Unplanned)
EP | 2 | 4 | Operating System Reconfiguration (Planned)
P | 2 | 16 | Operating System Service pack (Planned)
 | 2 | 17 | Operating System Hot fix (Unplanned)
P | 2 | 17 | Operating System Hot fix (Planned)
 | 2 | 18 | Operating System Security fix (Unplanned)
P | 2 | 18 | Operating System Security fix (Planned)
E | 4 | 1 | Application Maintenance (Unplanned)
EP | 4 | 1 | Application Maintenance (Planned)
EP | 4 | 2 | Application Installation (Planned)
E | 4 | 5 | Application Unresponsive
E | 4 | 6 | Application Unstable
U | 5 | 15 | System Failure: Stop error
E | 5 | 19 | Security issue
U | 5 | 19 | Security issue
EP | 5 | 19 | Security issue
E | 5 | 20 | Loss of network connectivity (Unplanned)
U | 6 | 11 | Power Failure: Cord Unplugged
U | 6 | 12 | Power Failure: Environment
P | 7 | 0 | Legacy API shutdown

For instance, to reboot the server FUJI and document the reboot as being due to application maintenance, the command is:

shutdown /r /m \\FUJI /d p:4:1

Running the preceding command remotely produces Event ID 1074 in the System Event Log on the server that is rebooted, with a description of the action that occurs. The data includes the user name that initiated the request, the IP address of the computer the request comes from, and the reason for the request:

The process wininit.exe (10.10.10.23) has initiated the restart of computer FUJI on
behalf of user ASH\Administrator for the following reason: Application: Maintenance
(Planned)

Shutdown.exe is also helpful if you need to reboot many servers. To do so, run the following command:

shutdown /i

This command brings up the dialog box named Remote Shutdown Dialog, shown in Figure 11-11, which gives you the ability to specify more than one computer to shut down or restart.

FIGURE 11-11  The Remote Shutdown dialog box allows you to shut down specific computers.

Click Add and type the name of the computer that you want to shut down or restart. Do this for all computers you want to shut down or restart and then choose the action you want to perform from the What Do You Want These Computers To Do drop-down menu:
■ Restart
■ Shutdown
■ Annotate Unexpected Shutdown

NOTE  The Annotate Unexpected Shutdown option works only if you previously had an
unexpected shutdown or restart.

Choose the reason for this action by selecting the appropriate choice from the Option drop-down menu and add any comments in the Comment text box. Then click OK.
As an example, if you perform scheduled server maintenance, such as running some updates every Sunday, and include a reboot, you can automate the reboot process by creating a scheduled task with the Windows Server 2008 Task Scheduler or by using the command-line tool schtasks. For example, to reboot the server FUJI every Sunday night at midnight, use the schtasks command as shown here:

schtasks.exe /create /SC WEEKLY /D SUN /RU admin@ash.local /RP "xxxxxxxx" /TN RebootFUJI /TR "C:\windows\system32\shutdown.exe /m \\FUJI /r /c FUJI-WindowsUpdates-Reboot" /ST 12:00

ON THE COMPANION MEDIA  This scheduled task is located on the companion media as Schedreboot.bat.

If a shutdown or reboot attempt fails, Event ID 1073 is logged in the System Event Log of the server that fails to reboot. The log won't tell you why the action failed, but it will at least let you know that it did fail and which user account issued the command. If you like, you can use Schtasks.exe to create a task that performs an action such as running a script that emails you every time the event ID appears. The details of Server-reboot-failed.vbs are in the next sidebar, “Direct from the Field: Email Yourself When a Reboot Fails.”

schtasks.exe /Create /TN EventLog-1073 /TR "cscript \\colfax\ash-company-files\IT\Scripts\server-reboot-failed.vbs" /SC ONEVENT /EC System /MO *[System/EventID=1073]

ON THE COMPANION MEDIA  This scheduled task is located on the companion media as Emailonfail.bat. The scheduled task executes Server-reboot-failed.vbs, which you can access from http://theessentialexchange.com/blogs/michael/default.aspx. This link is also on the companion media.
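Event IDs 1074 and 1073 are also worth reading back after a maintenance window, not just reacting to. The following Windows PowerShell script is an added example, not from the book or its companion media: it pulls both events from the System log, parses the 1074 message text into user, origin and reason (using the message shape shown above), and flags failed attempts and requests that came from an unexpected address. The -ComputerName and -Hours parameters and the admin subnet are assumptions of this script.

```powershell
# Added example (not from the book): audit shutdown/restart requests on a server.
# 1074 = who requested a shutdown or restart, from where, and why; 1073 = the attempt failed.
param(
    [string]$ComputerName = ".",
    [int]$Hours = 24
)

# Parse the 1074 message, which has the shape shown in the book:
# "The process wininit.exe (10.10.10.23) has initiated the restart of computer FUJI on
#  behalf of user ASH\Administrator for the following reason: Application: Maintenance (Planned)"
function ConvertFrom-ShutdownMessage([string]$Message) {
    $m = [regex]::Match($Message,
        'process (?<proc>\S+) \((?<origin>[^)]*)\) has initiated the (?<action>.+?) of computer (?<host>\S+) on behalf of user (?<user>\S+) for the following reason: (?<reason>.+)')
    if (-not $m.Success) { return $null }
    [pscustomobject]@{
        Process = $m.Groups['proc'].Value
        Origin  = $m.Groups['origin'].Value     # IP address (remote) or host name (local)
        Action  = $m.Groups['action'].Value     # restart, shutdown, power off
        Target  = $m.Groups['host'].Value
        User    = $m.Groups['user'].Value
        Reason  = ($m.Groups['reason'].Value -replace '\s+', ' ').Trim()
    }
}

$filter = @{ LogName = "System"; Id = 1074, 1073; StartTime = (Get-Date).AddHours(-$Hours) }
try {
    $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop)
} catch {
    $events = @()   # Get-WinEvent throws when nothing matches; treat that as an empty result
}

$rows = foreach ($e in $events) {
    $parsed = ConvertFrom-ShutdownMessage $e.Message
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Outcome = if ($e.Id -eq 1073) { "FAILED" } else { "requested" }
        User    = if ($parsed) { $parsed.User }   else { "(see message)" }
        Origin  = if ($parsed) { $parsed.Origin } else { "" }
        Reason  = if ($parsed) { $parsed.Reason } else { ($e.Message -split "`r?`n")[0] }
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize

# Two things to flag: attempts that failed (1073), and requests from outside the
# admin subnet. The subnet below is a constructed sample; substitute your own.
$failed = @($rows | Where-Object { $_.EventId -eq 1073 })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} shutdown/reboot request(s) failed on {1} in the last {2} hours." -f $failed.Count, $ComputerName, $Hours)
}
$adminSubnet = '^10\.10\.10\.'   # constructed: the management subnet you expect requests from
$rows | Where-Object { $_.Origin -match '^\d+\.' -and $_.Origin -notmatch $adminSubnet } |
    ForEach-Object { Write-Warning ("Shutdown of {0} requested from unexpected origin {1} by {2}" -f $ComputerName, $_.Origin, $_.User) }
```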

DIRECT FROM THE FIELD

Email Yourself When a Reboot Fails

Michael Smith
Exchange MVP, Smith Consulting

When performing remote reboots, you're not present to see whether the reboot works . . . and it can waste a lot of time if you think a server reboots when it doesn't. One solution is to email yourself when a shutdown or reboot fails. You'll need a Simple Mail Transfer Protocol (SMTP) server running in your domain (you can install the SMTP server feature built into Windows Server 2008 or you can use another SMTP server), the Microsoft Collaboration Data Objects (CDOs) installed on the computer creating the email, and a script to do the emailing. You can edit this sample script to conform to your needs.

Option Explicit
'''----- script configuration area
Const strSMTPServer = "arvon.ash.local"
Const strFrom = "alerts@ash.local"
Const strTo = "adam.barr@ash.local"
'''----- end configuration area

Dim objMail ' the CDO object
Dim objWSHNetwork ' windows-script-host network object
Dim strNetBIOSComputer ' the netbios name of our computer

''' get the NetBIOS computer name
Set objWSHNetwork = CreateObject ("WScript.Network")
strNetBIOSComputer = objWSHNetwork.ComputerName
Set objWSHNetwork = Nothing

''' do the real work to send the message
Set objMail = CreateObject ("CDO.Message")
' sendusing = 2 means send through the SMTP server named below rather than a local pickup directory
objMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = strSMTPServer
objMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objMail.Configuration.Fields.Update
objMail.From = strFrom
objMail.To = strTo
objMail.Subject = "Critical error!! " & strNetBIOSComputer & " failed to reboot " & Now
objMail.Textbody = "Critical error!! " & strNetBIOSComputer & " failed to reboot " & Now & vbCRLF
objMail.Send
Set objMail = Nothing

ON THE COMPANION MEDIA  A link to the preceding code is provided on this book's companion media. You can access it from the blog at http://theessentialexchange.com/blogs/michael/archive/2008/10/06/script-for-from-the-field.aspx. The CDO installer can be downloaded from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e17e7f31-079a-43a9-bff2-0a110307611e.

Applying RDS Management Tools

Thus far, the examples in this chapter have focused on the tools themselves. This section will show you how to combine these tools to get the information that you need when it's not supplied directly by the tools themselves.

Differentiating RemoteApp Sessions from Full Desktop Sessions

One good example of applying the RDS management tools is when you have to determine whether you can shadow a session. As explained earlier in this chapter, shadowing RemoteApp sessions isn’t supported and can lead to some very odd behavior. Therefore, it’s good to avoid shadowing a RemoteApp session. Unfortunately, this is easier said than done, because the Remote Desktop Services Manager doesn’t spell out the difference. You can find the RemoteApp sessions if you know that RemoteApp sessions use Rdpshell.exe and full desktops use Explorer.exe as the shell. You also have to know where to find this information.
Here’s how to find it. From the Remote Desktop Services Manager, the User tab and Session tab reveal no differences between desktop and RemoteApp sessions. Go to the Processes tab, however, and you can see one difference. The shell processes for the two types of sessions are different, as discussed in Chapter 2, “Key Architectural Concepts for Remote Desktop Services,” and Chapter 6, “Customizing the User Experience.” As you might remember, desktop sessions use Explorer.exe as a shell and Userinit.exe to start Windows Explorer; RemoteApp sessions use Rdpshell.exe and Rdpinit.exe, respectively. Therefore, if user Hao Chen calls you to ask for help with his application, you can check the Processes tab to determine if Hao is running a desktop session that you can shadow.

HOW IT WORKS

Identifying Full Desktop Sessions

You can find RemoteApp sessions from the command line using the query commands. The query session command will help you find the sessions hosting Rdpinit.exe and Rdpshell.exe, and query process will help you find out whether a user’s session contains those processes.

To find out which sessions on server FUJI are running Rdpshell.exe, run this command.

query process RDPshell.exe /SERVER:FUJI

The results show that Paul Koch is running a RemoteApp and therefore should not be shadowed.

USERNAME     SESSIONNAME   ID   PID    IMAGE
paul.koch    rdp-tcp#1     3    3132   rdpshell.exe

Let’s say that you know the user whose session you want to shadow. You can ask the user to describe the session’s appearance and figure out if he is running a RemoteApp, but that’s slow and unreliable. The better alternative is to query the Remote Desktop Services Manager for the processes that the user is running. To query the processes running for user Kim Akers on server FUJI, run this command.

query process kim.akers /SERVER:FUJI

In this example, Kim Akers is not running Rdpinit.exe or Rdpshell.exe, so shadowing the session is supported.

USERNAME     SESSIONNAME   ID   PID    IMAGE
kim.akers    rdp-tcp#1     3    2276   taskeng.exe
kim.akers    rdp-tcp#1     3    3480   rdpclip.exe
kim.akers    rdp-tcp#1     3    3884   dwm.exe
kim.akers    rdp-tcp#1     3    3560   explorer.exe
kim.akers    rdp-tcp#1     3    2660   winword.exe
kim.akers    rdp-tcp#1     3    3676   splwow64.exe
kim.akers    rdp-tcp#1     3    3880   powerpnt.exe
kim.akers    rdp-tcp#1     3    3436   excel.exe

The preceding command also reveals the session ID, which you need to shadow Kim’s session, like this.

shadow /SERVER:FUJI 3
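The shell-process rule described in this sidebar can be applied to the whole output of query process instead of one user at a time. The following Windows PowerShell script is an added example, not code from the book or its companion media: it parses query process output into objects, groups the processes by session, and marks each session as RemoteApp (Rdpshell.exe or Rdpinit.exe present, so it must not be shadowed) or Desktop (Explorer.exe present). The sample output embedded in the script is constructed for the example; FUJI is the book’s server name, and the user names, session IDs and PIDs are made up.

```powershell
# Added example (not code from the book or its companion media): classify the
# sessions listed by "query process" as RemoteApp or full desktop, using the
# shell-process rule from the text (Rdpshell.exe/Rdpinit.exe versus
# Explorer.exe). The sample output below is constructed; FUJI is the book's
# server name, the user names, session IDs and PIDs are made up.

$sampleOutput = @'
 USERNAME              SESSIONNAME         ID    PID  IMAGE
 paul.koch             rdp-tcp#1            3   3132  rdpshell.exe
 paul.koch             rdp-tcp#1            3   3200  excel.exe
 kim.akers             rdp-tcp#2            4   3560  explorer.exe
 kim.akers             rdp-tcp#2            4   2660  winword.exe
 hao.chen              rdp-tcp#3            5   2100  rdpinit.exe
'@

function ConvertFrom-QueryProcess {
    # Turns the text lines of "query process" into objects. The header line and
    # the "No Process exists ..." line printed when nothing matches are skipped;
    # a leading ">" (the tool's marker for the current session) is removed.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^No Process') { continue }
        $fields = ($line.Trim() -replace '^>', '') -split '\s+'
        if ($fields.Count -lt 5 -or $fields[0] -eq 'USERNAME') { continue }
        New-Object PSObject -Property @{
            UserName    = $fields[0]
            SessionName = $fields[1]
            SessionId   = [int]$fields[2]
            Pid         = [int]$fields[3]
            Image       = $fields[4]
        }
    }
}

function Get-SessionShadowability {
    # Groups processes by session and reports whether each session may be
    # shadowed: a session running Rdpshell.exe or Rdpinit.exe is a RemoteApp
    # session and must not be shadowed; one running Explorer.exe is a desktop.
    param([object[]]$Processes)
    foreach ($group in ($Processes | Group-Object SessionId)) {
        $images = @($group.Group | ForEach-Object { $_.Image.ToLower() })
        $isRemoteApp = ($images -contains 'rdpshell.exe') -or ($images -contains 'rdpinit.exe')
        if ($isRemoteApp) { $kind = 'RemoteApp' }
        elseif ($images -contains 'explorer.exe') { $kind = 'Desktop' }
        else { $kind = 'Unknown' }
        New-Object PSObject -Property @{
            SessionId = [int]$group.Name
            UserName  = $group.Group[0].UserName
            Kind      = $kind
            CanShadow = -not $isRemoteApp
        }
    }
}

# Offline run over the constructed sample; on a live server use
#   $lines = query process * /SERVER:FUJI
$lines = $sampleOutput -split "`r?`n"
Get-SessionShadowability (ConvertFrom-QueryProcess $lines) |
    Sort-Object SessionId | Format-Table SessionId, UserName, Kind, CanShadow -AutoSize
```

A session that shows neither shell (for example, one still logging on) is reported as Unknown rather than as shadowable, so the script errs on the side of not shadowing.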

Auditing Application Usage
Many administrators want to know if their company is compliant with their application licensing requirements. Unfortunately, this isn’t easy to determine at the best of times, and it gets harder when an RD Session Host deployment is involved. First, application licensing for an RD Session Host server can be tricky. You need to read the application’s fine print (the application vendor determines the licensing requirements, not Microsoft), and if you must be able to demonstrate compliance for legal reasons, you might need to clarify the details with the application’s vendor. (Not all license agreements are written with virtualization in mind.) Second, Windows Performance Monitor doesn’t offer a way to keep track of how many instances of a process are open on a server, other than adding a process counter and manually counting how many processes have the same name.
You could count application instances from the Remote Desktop Services Manager by counting processes on each RD Session Host server and adding up the results of each count, but why would you? The query process or qprocess command provides a way to do the same thing programmatically. With a little help from some other scripting objects, the query process command can be the basis of a rudimentary application metering tool.

NOTE  The Get-Process Windows PowerShell cmdlet isn’t session-aware, so it will return only processes in the current session.

This series of scripts will do the following:

■ Find all RD Session Host servers in an OU
■ Query all servers to get a list of the processes running on each one
■ Ignore all processes that aren’t the application that the script is designed to count
■ Email you if more people are using the application than you have licenses
■ Keep a log file of this data for trending

ON THE COMPANION MEDIA  Some of these tasks also apply to other inventory tasks. To make it easier for you to reuse the code, they are included on the companion media as RDSHServerFarmNames.vbs, RDSHNames.bat, QueryRDSH.vbs, ProcCleanup.vbs, CheckFile.vbs, and Count-Email.vbs. Appaudit.vbs is the combination of these scripts into one application metering script, and it is also available on the companion media.

Use this tool not only to keep track of your licensing, but also to let you know if an application’s usage is decreasing. If you’re considering retiring an application, recording how many instances are running over time can give you the data you need to know about how many people are still using it.

NOTE  The code snippets in the following sections are not full working scripts. For the
sake of space, the script lines that define variables have been removed. The full working
scripts are located on the companion media.

Get the Server Names

First, you’ll need the names of all the RD Session Host servers. How you do this depends on whether the servers are in a domain or a workgroup. (The workgroup mode will support both domains and workgroups, but the domain mode doesn’t work for workgroups because it depends on reading OU memberships.) In both cases, you’ll collect the names of the RD Session Host servers and put them into a file.
Assuming that all identically configured RD Session Host servers are in the same OU, one way to do this is to query that OU and return its members, writing the names to a file. The companion media contains a Windows PowerShell script that does this (called Getservers.ps1), but you can also do this with VBScript (RDSHServerFarmNames.vbs on the companion media), as shown in the following code snippet.

' =====Configuration Area================
strRDSTextFile = "FarmServers.txt"
strRDSLDAPPath = "LDAP://OU=ASH_RD_Farm1, DC=ash, DC=local"
sScriptDirPath = "\\colfax\ash-company-files\IT\AUDIT\"
' =====End Configuration Area============
Const ForWriting = 2   ' TextStream open mode (declared with the other variables in the full script)
Set objRDSOU = GetObject(strRDSLDAPPath)
objRDSOU.Filter = Array("Computer")
' ===================================
' Create the file if it doesn't exist; it is then overwritten with the current list
Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.FileExists(sScriptDirPath & strRDSTextFile) Then
    ' do nothing
Else
    Set objRDSTextFile = objFSO.CreateTextFile(sScriptDirPath & strRDSTextFile)
    objRDSTextFile.Close
End If
Set objRDSTextFile = objFSO.OpenTextFile(sScriptDirPath & strRDSTextFile, ForWriting)
' Write the common name of every computer object in the OU, one per line
For Each objRDSItem In objRDSOU
    strRDSComputer = objRDSItem.CN
    objRDSTextFile.WriteLine strRDSComputer
Next
objRDSTextFile.Close
WScript.Quit

This won’t work in the workgroup scenario, because workgroups don’t have OUs. In that case, you’ll need to rely on the query termserver command, as in the following example. This is a bit more complicated, because the command-line tool returns some extra data and you’ll need to remove it from the file. This section relies on both RDSHNames.bat and QueryRDSH.vbs on the companion media.

' =====Configuration Area================
objRDSBATFile = "\\colfax\ash-company-files\IT\scripts\RDSHNames.bat"
' =====End Configuration Area============
' Run batch file query termserv
' requires batch file
' batch file code is: query termserv>\\colfax\ash-company-files\IT\scripts\RDSHNames.txt
Set WSHShell = CreateObject("Wscript.Shell")
WSHShell.Run objRDSBATFile, 0, True   ' hidden window, wait for the batch file to finish
' Query termserv command adds two lines of header info to file
' This removes this extraneous information
' =====Configuration Area================
strRDSFile = "\\colfax\ash-company-files\IT\scripts\RDSHNames.txt"
' =====End Configuration Area============
Const ForReading = 1, ForWriting = 2   ' TextStream open modes
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objRDSFile = objFSO.OpenTextFile(strRDSFile, ForReading)
strRDSLines = ""
Do Until objRDSFile.AtEndOfStream
    objRDSFile.SkipLine
    objRDSFile.SkipLine
    strRDSLines = objRDSFile.ReadAll   ' everything after the two header lines
Loop
objRDSFile.Close
' Remove the carriage return at the end of the file so that the last server name
' is not followed by an empty line, then write the server names back
If Right(strRDSLines, 2) = vbCrLf Then
    strRDSLines = Left(strRDSLines, Len(strRDSLines) - 2)
End If
Set objNewRDSFile = objFSO.OpenTextFile(strRDSFile, ForWriting)
objNewRDSFile.Write strRDSLines
objNewRDSFile.Close
Set objRDSFile = Nothing
Set objNewRDSFile = Nothing
WScript.Quit

List Processes on the RD Session Host Servers
When you know the names of the RD Session Host servers in an OU, query each server by typing query process <executable> /server:<server name>. To make it easy, automate this process by running a batch file that runs the query process command against the saved server list and pipes that data to a file, as shown here.

FOR /F %%G IN (\\colfax\ash-company-files\IT\AUDIT\FarmServers.txt) DO query process * /server:%%G >>\\colfax\ash-company-files\IT\AUDIT\Processes\processes.txt

Why use a batch file? Mostly because it’s easy. There’s no reason to reinvent the wheel and try to pull all the process data from all the servers when query process does the same thing so succinctly. This batch file is on the companion media as Processes.bat.

Extract the Application Name

When you have saved to a file the list of all processes running on all servers in an OU, you will need to focus on the particular process for which you need a usage count. Run this script to keep only the lines in the text file that contain the application name. In this script, you are looking for Excel.exe, but you can edit the script to adjust the application name as required. The script is on the companion media as ProcCleanup.vbs.

' =====Configuration Area================
sScriptDirPath = "\\colfax\ash-company-files\IT\AUDIT\"
sFldrProcesses = "Processes"
sProcDirectoryPath = sScriptDirPath & "\" & sFldrProcesses
sProcessesTxt = "processes.txt"
strProcessesFile = sProcDirectoryPath & "\" & sProcessesTxt
strAppPattern = "excel\.exe"   ' regular expression; the dot is escaped so it matches literally
' =====End Configuration Area============
Const ForReading = 1, ForWriting = 2   ' TextStream open modes
Set objFindApp = CreateObject("VBScript.RegExp")
objFindApp.Pattern = strAppPattern     ' the pattern can only be set after the RegExp object exists
objFindApp.IgnoreCase = True
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile(strProcessesFile, ForReading)
strNewContents = ""
Do Until objTextFile.AtEndOfStream
    strSearchString = objTextFile.ReadLine
    ' Keep only the lines that mention the application
    If objFindApp.Test(strSearchString) Then
        strNewContents = strNewContents & strSearchString & vbCrLf
    End If
Loop
objTextFile.Close
Set objTextFile = objFSO.OpenTextFile(strProcessesFile, ForWriting)
objTextFile.Write strNewContents
objTextFile.Close
WScript.Quit

ON THE COMPANION MEDIA  The text file produced by the preceding script ends with a carriage return, which for line-counting purposes will increase the count by 1. This carriage return has been deleted in CheckFile.vbs, which is located on the companion media.

Record Application Instances and Email Alerts

Now run Count-Email.vbs (on the companion media) to count the lines left in Processes.txt (the file produced by the preceding scripts) and send an email to a specified address if the count is higher than the number of licenses that you own. This section will also record the count to a text file each time that you run the script so that you can tell how application usage changes over time.

' =====Configuration Area================
sScriptDirPath = "\\colfax\ash-company-files\IT\AUDIT\"
sFldrProcesses = "Processes"
sProcDirectoryPath = sScriptDirPath & "\" & sFldrProcesses
sProcessesTxt = "processes.txt"
strProcessesFile = sProcDirectoryPath & "\" & sProcessesTxt
' =====End Configuration Area============
Const ForReading = 1, ForAppending = 8   ' TextStream open modes
Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.FileExists(strProcessesFile) Then
    ' do nothing
Else
    WScript.Echo "Error - Processes file missing."
    WScript.Quit
End If
' Count the lines in the file processes.txt: after ReadAll, the stream's Line
' property holds the line count (one more if the file ends with a carriage return)
Set objProcessesFile = objFSO.OpenTextFile(strProcessesFile, ForReading)
objProcessesFile.ReadAll
' If the count > licenses owned then email alert
Dim objLicensesOwned 'The number of application licenses owned
' =====Configuration Area================
objLicensesOwned = 0
' =====End Configuration Area============
' WScript.Echo objProcessesFile.Line & " " & "objects still counted"
If objProcessesFile.Line > objLicensesOwned Then
    ' =====Configuration Area================
    Const strSMTPServer = "cathedral.ash.local"
    Const strFrom = "admin@ash.local"
    Const strTo = "kristin@ash.local"
    ' =====End Configuration Area============
    ' get the NetBIOS computer name
    Set objWSHNetwork = CreateObject("WScript.Network")
    strNetBIOSComputer = objWSHNetwork.ComputerName
    Set objWSHNetwork = Nothing
    Set objMail = CreateObject("CDO.Message")
    objMail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
    objMail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = strSMTPServer
    objMail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
    objMail.Configuration.Fields.Update
    objMail.From = strFrom
    objMail.To = strTo
    objMail.Subject = "Licensing Check!! " & Now
    objMail.Textbody = "Licensing Check!! " & " The application count in use is " & _
        objProcessesFile.Line & " which is higher than number of licenses purchased " & Now
    objMail.Send
    Set objMail = Nothing
End If
' Create or append data to log file
' =====Configuration Area================
objApp = "excel.exe"
strProcLogDir = "\\colfax\ash-company-files\IT\Reports"
strProcLogFile = "processcountlog.txt"
' =====End Configuration Area============
Sub subAppend
    ' Append count to the log file processcountlog.txt
    Set objProcLogFile = objFSO.OpenTextFile(strProcLogDir & "\" & strProcLogFile, ForAppending, True)
    strProcLogText = Now & "/The # of instances of " & objApp & " running is " & objProcessesFile.Line
    ' Writes strProcLogText to processcountlog.txt
    objProcLogFile.WriteLine strProcLogText
    objProcLogFile.Close
End Sub
' Check that the log directory exists; if not, create it
If objFSO.FolderExists(strProcLogDir) Then
    ' do nothing
Else
    objFSO.CreateFolder strProcLogDir   ' a Folder object has no Close method, so the result is not kept
End If
' If log file exists append data, if not, then create file and append data
If objFSO.FileExists(strProcLogDir & "\" & strProcLogFile) Then
    Call subAppend
Else
    Set objProcLogFile = objFSO.CreateTextFile(strProcLogDir & "\" & strProcLogFile)
    objProcLogFile.Close
    Call subAppend
End If
WScript.Quit

ON THE COMPANION MEDIA  The AppAudit.vbs script found on the companion media combines all the scripts in this section into one script. This sample is designed for our environment, so you’ll need to edit it to work for your specific situation. Areas to change are highlighted in the script as Configuration Areas. Any batch files referenced will need to be edited to suit your environment and put in appropriate path locations as specified in the script. Batch files are also located on this resource kit’s companion media.
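The five steps of this section (server list, per-server query, filtering to one image, comparing with the license count, logging and alerting) can also be carried out in a single Windows PowerShell run, which avoids the intermediate text files and the trailing-carriage-return problem noted above. The script below is an added example, not the book’s AppAudit.vbs or any other companion-media script. It counts by the IMAGE column of the query process output rather than by a substring match on each line, so a "No Process exists" line or an unrelated image whose name happens to contain the pattern is never counted. The UNC paths, mail host and addresses are the book’s ash.local placeholders; without -Live the constructed per-server output embedded in the script is used (server names BIGFROG and FUJI are the book’s, OLYMPUS and the license count are made up), so it runs offline; with -Live it queries the servers named in the list file.

```powershell
# Added example, not the book's AppAudit.vbs or any companion-media script: the
# steps of this section as one PowerShell run. For every RD Session Host server
# in a list it counts the instances of one image, compares the farm-wide total
# with the licenses owned, sends a mail alert when that number is exceeded and
# appends a line to a log file for trending. Paths, mail host and addresses are
# the book's ash.local placeholders; with -Live the real servers are queried,
# without it the constructed per-server output below is used so the script
# runs offline.

param(
    [string]$ServerListPath = '\\colfax\ash-company-files\IT\AUDIT\FarmServers.txt',
    [string]$LogPath        = '\\colfax\ash-company-files\IT\Reports\processcountlog.txt',
    [string]$Image          = 'excel.exe',
    [int]   $LicensesOwned  = 4,
    [switch]$Live
)

# Constructed "query process excel.exe /server:<name>" output, one entry per server
$sampleBigfrog = @'
 USERNAME              SESSIONNAME         ID    PID  IMAGE
 paul.koch             rdp-tcp#1            4   2720  excel.exe
 adam.barr             rdp-tcp#2            5   3228  excel.exe
'@
$sampleFuji = @'
 USERNAME              SESSIONNAME         ID    PID  IMAGE
 hao.chen              rdp-tcp#1            4   2776  excel.exe
 nancy.anderson        rdp-tcp#3            5   3392  excel.exe
 alex.robinson         rdp-tcp#4            6   3532  excel.exe
'@
$sampleOutput = @{ BIGFROG = $sampleBigfrog; FUJI = $sampleFuji; OLYMPUS = 'No Process exists for excel.exe' }

function Get-ImageCount {
    # Counts the output lines whose IMAGE column equals $Image. Testing the
    # column, not a substring of the line, keeps names such as "myexcel.exe"
    # and the header or "No Process exists" lines out of the count.
    param([string[]]$Lines, [string]$Image)
    $count = 0
    foreach ($line in $Lines) {
        if ($line -match '^No Process') { continue }
        $fields = ($line.Trim() -replace '^>', '') -split '\s+'
        if ($fields.Count -ge 5 -and $fields[0] -ne 'USERNAME' -and $fields[4] -eq $Image) { $count++ }
    }
    return $count
}

function Get-FarmImageCount {
    # Returns a hashtable of server name -> instance count.
    param([string[]]$Servers, [string]$Image, [switch]$Live)
    $perServer = @{}
    foreach ($server in $Servers) {
        if ($Live) {
            $lines = & query process $Image "/server:$server" 2>&1 | ForEach-Object { "$_" }
        } else {
            $lines = $sampleOutput[$server] -split "`r?`n"
        }
        $perServer[$server] = Get-ImageCount -Lines $lines -Image $Image
    }
    return $perServer
}

if ($Live) {
    $servers = @(Get-Content $ServerListPath | Where-Object { $_.Trim() -ne '' })
} else {
    $servers = @('BIGFROG', 'FUJI', 'OLYMPUS')
}

$counts = Get-FarmImageCount -Servers $servers -Image $Image -Live:$Live
$total  = 0
foreach ($c in $counts.Values) { $total += $c }
$detail  = ($counts.Keys | Sort-Object | ForEach-Object { '{0}={1}' -f $_, $counts[$_] }) -join ', '
$logLine = '{0}/The # of instances of {1} running is {2} ({3})' -f (Get-Date), $Image, $total, $detail

if ($total -gt $LicensesOwned) {
    $alert = "Licensing check: $total instances of $Image in use across $($servers.Count) servers, but only $LicensesOwned licenses owned. $detail"
    if ($Live) {
        Send-MailMessage -SmtpServer 'cathedral.ash.local' -From 'admin@ash.local' -To 'kristin@ash.local' `
            -Subject "Licensing Check!! $(Get-Date)" -Body $alert
    } else { Write-Warning $alert }
}
if ($Live) { Add-Content -Path $LogPath -Value $logLine } else { $logLine }
```

Run offline, the constructed sample gives a total of five instances against four licenses, so the warning fires and the log line lists the per-server breakdown; with -Live the same line is appended to the log file named in -LogPath, which keeps the trending data the section describes.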

Auditing User Logons

Like application usage auditing, you can use the built-in tools to get you some information to help with capacity planning. One part of capacity planning, after all, is knowing how many people are using an RD Session Host server and how these numbers are increasing over time. That way, you can scale the hardware before users start wondering why the server is slow.
It’s also helpful to review logon patterns. As discussed in Chapter 2, there is a great deal of process creation associated with establishing a user session. If many users log on to the server at the same time, you might need to adjust the amount of memory available to support this pattern. Starting a process requires two to three times the memory that it takes to keep it running.
It’s hard to plan for intense logon periods or increasing numbers of users if you don’t know about them. Using the query user command, you can create a rudimentary user auditing tool.
To find out how many users have a session open on an RD Session Host server, open the Remote Desktop Services Manager and select the Users tab. All users with sessions will be listed there. You can also get this information by running the following command from a Windows 7 client or a Windows Server 2008 R2 server.

query user /server:SERVERNAME

That approach is fine for getting real-time data to help you solve a real-time issue, such as determining if your server is overloaded with user connections and performing poorly. But to get a sense of the average number of users logging onto a server, you will need to compile a user count over time. To get this count over time, you can run query user and pipe the data to a file like this.

query user /server:SERVERNAME >> c:\userlogons.txt

NOTE  As demonstrated in the section entitled “Record Application Instances and Email
Alerts,” you can also count the entries in the text file and append the count to another file
so you can see the count increase over time. To see how to count lines in a file and append
this count to a log file, refer to the Check-email.vbs script on the companion media.
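Counting lines in the saved file gives the number of sessions, but the logon-burst pattern discussed above only shows up when the LOGON TIME column is read. The following Windows PowerShell script is an added example, not code from the book or its companion media: it parses query user output into objects, counts active and disconnected sessions, and groups sessions by the clock hour in which they logged on. The sample output is constructed (user names as in the book, times made up); the one assumption to check before using it on real output is the logon-time format, which the script takes to be the en-US "M/d/yyyy h:mm tt" form and which depends on the server’s locale.

```powershell
# Added example (not code from the book or its companion media): parse
# "query user" output, count active and disconnected sessions and group the
# sessions by logon hour so that logon bursts, the pattern the text warns
# about, stand out. The output below is constructed; the logon-time format
# assumed is the en-US "M/d/yyyy h:mm tt" form, which depends on the server's
# locale.

$sampleQueryUser = @'
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         rdp-tcp#1           2  Active          .  7/8/2010 8:58 AM
 kim.akers             rdp-tcp#2           3  Active         12  7/8/2010 9:01 AM
 hao.chen              rdp-tcp#3           4  Active          5  7/8/2010 9:03 AM
 paul.koch                                 5  Disc         1:05  7/8/2010 9:04 AM
 nancy.anderson        rdp-tcp#5           6  Active          .  7/8/2010 10:31 AM
'@

function ConvertFrom-QueryUser {
    param([string[]]$Lines)
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    foreach ($line in $Lines) {
        if ($line -notmatch '\S' -or $line -match '^\s*USERNAME') { continue }
        # Columns are separated by two or more spaces. A disconnected session
        # has an empty SESSIONNAME column, which leaves only five fields, so
        # an empty session name is put back in that case.
        $fields = ($line.Trim() -replace '^>', '') -split '\s{2,}'
        if ($fields.Count -eq 5) { $fields = @($fields[0], '') + $fields[1..4] }
        if ($fields.Count -ne 6) { continue }
        New-Object PSObject -Property @{
            UserName    = $fields[0]
            SessionName = $fields[1]
            SessionId   = [int]$fields[2]
            State       = $fields[3]
            IdleTime    = $fields[4]
            LogonTime   = [datetime]::ParseExact($fields[5], 'M/d/yyyy h:mm tt', $culture)
        }
    }
}

function Get-LogonHistogram {
    # Number of sessions that were started in each clock hour, oldest first.
    param([object[]]$Sessions)
    $Sessions | Group-Object { $_.LogonTime.ToString('yyyy-MM-dd HH:00') } | Sort-Object Name |
        ForEach-Object { New-Object PSObject -Property @{ Hour = $_.Name; Logons = $_.Count } }
}

$sessions = @(ConvertFrom-QueryUser ($sampleQueryUser -split "`r?`n"))
$active   = @($sessions | Where-Object { $_.State -eq 'Active' }).Count
$disc     = @($sessions | Where-Object { $_.State -eq 'Disc' }).Count
"{0} sessions ({1} active, {2} disconnected)" -f $sessions.Count, $active, $disc
Get-LogonHistogram $sessions | Format-Table Hour, Logons -AutoSize
# Live:  Get-LogonHistogram (ConvertFrom-QueryUser (query user /server:SERVERNAME))
```

Appending the per-hour counts to a log file each time the script runs, as the note above describes for the line count, gives the data needed to tell a steady load from a morning logon spike.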

Closing Unresponsive Applications

If a user’s application stalls, one way to handle the problem is to stop the process for that application. How you do this depends on whether you want to stop all instances of that process on the RD Session Host server or just the one that’s causing trouble.
In this scenario, the user’s application is not responding. You must terminate the process associated with the application. If you have a farm, first you will need to find out which server hosts the user session.
Do this by opening the Remote Desktop Services Manager and adding the servers for an RD Connection Broker farm. Then, for each server, click the Users tab and find the user. If you have not limited users to one session, then you will need to check all servers and find all sessions the user might have established. After you know all the places the user is connected, you must locate the stalled application.
How simple this is depends on your policies on having multiple sessions. If you support only one session per user, then all you need to do is click the Processes tab on the server that hosts the user session containing the stalled application, sort by Image, find the process associated with the user and the stalled application, right-click anywhere in the line entry, and choose End Process. If your user has multiple sessions, then you need to check the processes on each server, locate the specific server and user session in which the process is running, and terminate the process.
You can also accomplish all this from the command line. In this example, hao.chen, a user in the ash.local domain, has been running the Excel RemoteApp. It has become unresponsive and needs to be terminated. This domain has a server farm and limits users to one session at a time.
First, you need to locate the server that hosts hao.chen’s session. Run the qprocess command against every server in the farm until you find hao.chen.

C:\windows\system32>qprocess excel.exe /server:bigfrog

USERNAME          SESSIONNAME   ID   PID    IMAGE
paul.koch         rdp-tcp#1     4    2720   excel.exe
adam.barr         rdp-tcp#2     5    3228   excel.exe

C:\windows\system32>qprocess excel.exe /server:FUJI

USERNAME          SESSIONNAME   ID   PID    IMAGE
hao.chen          rdp-tcp#1     4    2776   excel.exe
nancy.anderson    rdp-tcp#3     5    3392   excel.exe
alex.robinson     rdp-tcp#4     6    3532   excel.exe

Now stop the Excel.exe process associated with hao.chen. Do this by specifying the PID associated with the process shown in the preceding query.

C:\windows\system32>tskill 2776 /server:FUJI

NOTE  You can also specify the process by using the session ID and process name switches.
Refer to the section entitled “Monitoring and Terminating Processes” earlier in this chapter
for other examples of terminating processes.

If other users also complain, and it is apparent that all instances of Excel are stalled, you can terminate them all by running tskill, but use the processname parameter (the image name minus the executable extension) and the switch /A (which tells tskill to kill all instances of the processname).

C:\windows\system32>tskill excel /server:FUJI /A

Then run qprocess again and see that there are no longer any instances of Excel.exe running.

C:\windows\system32>qprocess excel.exe /server:FUJI

No Process exists for excel.exe
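The farm search above, one qprocess call per server until the user turns up, is easy to script so that every server is checked and the matching PID is tied to the server it belongs to. The following Windows PowerShell script is an added example, not code from the book or its companion media: it locates every (server, session, PID) where the named user runs the named image and builds the tskill <PID> /server:<name> command used above. tskill is only run when -Execute is given; otherwise the command is reported, which is the safer default for a script that runs against a whole farm. Server and user names are the book’s; the per-server qprocess output is constructed so the script runs offline.

```powershell
# Added example (not code from the book or its companion media): check every
# server of a farm for the named user's instance of an image, then build the
# "tskill <PID> /server:<name>" command the text uses. tskill is only run when
# -Execute is given; otherwise the command is reported. Server and user names
# are the book's; the per-server qprocess output is constructed so the script
# runs offline.

$farmServers = @('bigfrog', 'FUJI')
$sampleBigfrog = @'
 USERNAME              SESSIONNAME         ID    PID  IMAGE
 paul.koch             rdp-tcp#1            4   2720  excel.exe
 adam.barr             rdp-tcp#2            5   3228  excel.exe
'@
$sampleFuji = @'
 USERNAME              SESSIONNAME         ID    PID  IMAGE
 hao.chen              rdp-tcp#1            4   2776  excel.exe
 nancy.anderson        rdp-tcp#3            5   3392  excel.exe
 alex.robinson         rdp-tcp#4            6   3532  excel.exe
'@
$sampleQProcess = @{ bigfrog = $sampleBigfrog; FUJI = $sampleFuji }

function Find-UserProcess {
    # Returns one object per (server, session, PID) where $UserName runs $Image.
    # When users may hold several sessions this can be more than one hit, which
    # is why every server is checked instead of stopping at the first match.
    param([string[]]$Servers, [string]$UserName, [string]$Image, [switch]$Live)
    foreach ($server in $Servers) {
        if ($Live) {
            $lines = & qprocess $Image "/server:$server" 2>&1 | ForEach-Object { "$_" }
        } else {
            $lines = $sampleQProcess[$server] -split "`r?`n"
        }
        foreach ($line in $lines) {
            if ($line -match '^No Process') { continue }
            $f = ($line.Trim() -replace '^>', '') -split '\s+'
            if ($f.Count -ge 5 -and $f[0] -eq $UserName -and $f[4] -eq $Image) {
                New-Object PSObject -Property @{ Server = $server; SessionId = [int]$f[2]; Pid = [int]$f[3]; Image = $f[4] }
            }
        }
    }
}

function Stop-UserProcess {
    # Terminates each located process by PID on its own server, or reports the
    # command it would run when -Execute is absent.
    param([object[]]$Targets, [switch]$Execute)
    foreach ($t in $Targets) {
        $command = "tskill $($t.Pid) /server:$($t.Server)"
        if ($Execute) { & tskill $t.Pid "/server:$($t.Server)" } else { "Would run: $command" }
    }
}

$hits = @(Find-UserProcess -Servers $farmServers -UserName 'hao.chen' -Image 'excel.exe')
if ($hits.Count -eq 0) {
    "No excel.exe found for hao.chen on $($farmServers -join ', ')"
} else {
    Stop-UserProcess -Targets $hits     # add -Execute to terminate for real
}
```

Because the PID is reported together with the server it was read from, the script never issues a tskill against a server other than the one that returned that PID, which is the mistake to avoid when PIDs repeat across servers in a farm.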

Summary
This chapter has explained how to manage current RDP sessions using the graphical and command-line tools. Some of the best practices covered include the following:
■ If you plan to import VM pools from RD Connection Broker to work in the Remote Desktop Services Manager, make sure the computer names match the VM names in Hyper-V. The importing function will report the VM names, not the computer names, and the management API uses the computer names.
■ For the most accurate information across multiple servers, use the command-line tools.
■ For best password security, do not use tscon from the command line, because it displays the password on the screen in cleartext.
■ If you must remove a session from an RD Session Host server forcibly, use the logoff command rather than resetting the session. Although logoff won’t save user data, it will write profile changes back to the profile server, whereas resetting the session does not.
■ Don’t try to shadow RemoteApp sessions. Use the Remote Desktop Services Manager or the query session or query process command to determine whether a session is displaying a full desktop or a RemoteApp.
■ When preparing for user maintenance, use the /drain switch with the change logon command to drain users slowly from the RD Session Host server rather than using the /disable switch.
■ You can use the command-line tools to help you learn patterns of application usage and user logons and save those inventories to a log file.

Additional Resources
This chapter includes a number of tools for checking settings and running inventory, all of which are on the companion media.
■ For more details about how there can be multiple instances of the same process on an RD Session Host server, see Chapter 2, “Key Architectural Concepts for Remote Desktop Services.”
■ For more details about the session startup process, see Chapter 3, “Deploying a Single Remote Desktop Session Host Server.”
■ To learn how to configure Remote Control settings via Group Policy, review the section entitled “Enabling Remote Control via Group Policy” in this chapter.
■ To download RSAT for Windows 7, go to http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en.
■ Microsoft MVP Shay Levy has created the Terminal Services PowerShell Module, which allows you to perform many Remote Desktop Services Manager tasks from Windows PowerShell. Get it here: http://code.msdn.microsoft.com/PSTerminalServices.
■ Information on the Win32_TSRemoteControlSetting class can be found at http://msdn.microsoft.com/en-us/library/aa383817(VS.85).aspx.
■ A Windows PowerShell module for monitoring VDI and RD Session Host server sessions is available at the Microsoft Script Center at http://gallery.technet.microsoft.com/ScriptCenter/en-us/e8c3af96-db10-45b0-88e3-328f087a8700.
■ Other scripts to accomplish other management tasks such as enabling or listing the remote control settings for a user account, farm and VDI usage reports, reporting session idle information, and more can be found at the Microsoft Script Center in the Remote Desktop Services section at http://gallery.technet.microsoft.com/ScriptCenter/en-us/.
■ Microsoft MVP Michael Smith created a script that sends an email when an event ID occurs. Get this script at http://theessentialexchange.com/blogs/michael/archive/2008/10/06/script-for-from-the-field.aspx.
■ The CDO installer can be downloaded from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e17e7f31-079a-43a9-bff2-0a110307611e.

CHAPTER 12

Licensing Remote Desktop Services

■ The RDS Licensing Model  644
■ RDS Licensing  644
■ VDI Licensing  646
■ License Tracking and Enforcement  648
■ How RD License Servers Assign RDS CALs  648
■ Setting Up the RDS Licensing Infrastructure  651
■ Migrating RDS CALs from One License Server to Another  663
■ Rebuilding the RD License Server Database  665
■ Backing Up an RD License Server and Creating Redundancy  665
■ Managing and Reporting License Usage  667
■ Preventing License Upgrades  673
■ Using the Licensing Diagnosis Tool  673

Remote Desktop Services (RDS) works only for a limited time without licensing, so to complete this book, you’ll learn more about that issue, including:
■ The licensing models for RDS
■ How to install the RDS Licensing role service
■ How to activate license servers
■ How to install and manage license packs
■ How to point an RD Session Host server to a license server
■ How RD Session Host assigns licenses
■ How to run usage reports
The RDS Licensing Model
As RDS gains more functionality, the licensing model has to adjust to include this new functionality. In Windows 2000 Server, the licensing model was entirely per-device (meaning that every device connecting to a terminal server needed a license). Windows Server 2003 introduced per-user licensing for terminal servers, giving companies a choice of how they wanted to license access. Windows Server 2008 introduced new roles like Terminal Services Gateway, which didn’t perform a license check but still required a license to use them.
The addition of native virtual machine (VM) support in Windows Server 2008 R2 introduced added complexity. First, remote access to client operating systems is governed by rules separate from those for remote access to a server operating system. Second, VM deployments are helped by some partner technologies (for example, System Center Virtual Machine Manager and App-V) that were not part of the former TS client access license (CAL). Third, some people want VMs only, and some people want all the functionality of RDS: VMs, RD Session Host sessions, remote access to RDS resources, and so forth.
The final version has worked out to a two-tier model.

NOTE  For answers to frequently asked questions about RDS licensing, see http://www.microsoft.com/windowsserver2008/en/us/rds-product-licensing.aspx.

■ RDS Licensing  Licensing to access RD Session Host sessions (including VMs) and to use other RDS role services (such as RD Gateway, RD Connection Broker, and RD Web Access).
■ VDI Licensing  Licensing to access pooled or personal VMs hosted on the RD Virtualization Host server and to use RD Connection Broker to provide access to pooled and personal VMs. This licensing model is intended for people who need only Virtual Desktop Infrastructure (VDI) and don’t need other RDS role services (for example, RD Gateway for WAN access).

RDS Licensing
RDS CALs give users or devices the right to access and use any of the RDS role services. This is why RDS CALs are part of the requirements for VDI access, as shown in the section entitled “VDI Licensing” later in this chapter. RDS CALs also include the rights to use App-V to deploy applications to RD Session Host servers. There are four RDS licensing options to choose from, and which option you choose depends on how your company operates. The four RDS licensing options are:
■ Per-User Licensing  Each user that will use RDS role service(s) needs to have an RDS User CAL. Purchase RDS User CALs when your users will access RDS role service(s) from multiple machines. This model allows users to access RDS resources from any computer because the license is tied to the user, not the device. RDS Device CALs, conversely, are tied to the accessing device.
■ Per-Device Licensing  Each device that will use RDS role service(s) needs to have an RDS Device CAL. Purchase RDS Device CALs when multiple users will access RDS role service(s) from a set number of client devices. A good example of when RDS Device CALs are the better choice is shift work—when multiple users at different times of the day will use one machine to access RDS resources. RDS Device CALs are also required to access pooled or personal VMs.
■ RDS External Connector  This license option allows multiple external users (users who are not part of your company and for whom you do not provide licensing) to access one specific server. Each server accessed would need a license. For example, if you were going to license access to an RD Session Host server on one server, via RD Gateway on another server, you would need a license for both servers.
■ Services Provider License Agreement (SPLA)  This licensing is specifically for hosting providers and independent service vendors (ISVs) that host RDS and provide RDS access rights as part of their offering.

NOTE  For more information on SPLA, see http://www.microsoft.com/hosting/en/us/licensing/splabenefits.aspx.

Of the four options, RDS (Per-User or Per-Device) CALs are most commonly used with RDS. RD Session Host servers can be configured only in Per-User or Per-Device mode, but not both. Most people purchase one type of RDS CAL. You might use both if providing both VMs and sessions: Per-User CALs to access RD Session Host servers and RDS Per-Device CALs to use pooled and personal VMs.

HOW IT WORKS

2008 TS CALs vs. 2008 R2 RDS CALs

Windows Server 2008 R2 is a minor release, not a major one. So Windows Server 2008 TS CALs can be used for licensing connections to both Windows Server 2008 terminal servers and Windows Server 2008 R2 RD Session Host servers. Older licenses would need to be replaced with Windows Server 2008 R2 RDS CALs. Windows Server 2008 TS CALs and Windows Server 2008 RDS CALs both include the right to use App-V to install applications on RD Session Host servers. Windows Server 2008 TS CALs are no longer offered for sale and have been replaced with RDS CALs.

VDI Licensing
The VDI cens ng mode s dev ce-based, mean ng that you buy a cense for each dev ce
that w access poo ed or persona VMs hosted on RD V rtua zat on Host servers It has three
components
■ L cens ng for the c ent dev ces that w access v rtua desktops
■ RDS CALs for each dev ce that w access RD V rtua zat on Host server and use RD
Connect on Broker to ga n access to the VMs
■ L cens ng for management components

Connection Licensing with and Without Software Assurance

Software Assurance (SA) simplifies VDI licensing. VDI licensing has changed a bit. Prior to July 2010, you needed to purchase a VECD license for each device that would access pooled or personal VMs. VECD rights are now included as part of SA.

NOTE  Non-SA customers will need to purchase Virtual Desktop Access (VDA) licensing, which is discussed in the next section.

Devices covered by SA can run up to four VMs locally on the desktop and access up to four VMs on servers in the datacenter. Devices covered by SA also include “roaming rights”—the single primary user of an SA-licensed device can access pooled or personal VMs from any PC without having to purchase any additional licenses.
Companies will need to purchase Virtual Desktop Access (VDA) licensing for devices not covered by SA that will be used to access pooled and personal VMs. You’ll need VDA for devices like thin clients, non-Windows-based devices, and devices that are not part of your organization (such as contractors’ computers). It also covers Windows devices for companies that don’t subscribe to SA. Each VDA license does the following:
■ Includes SA benefits for Windows such as 24x7 call and web support (how much depends on your investment in SA) and access to deployment planning services
■ Allows concurrent connections to up to four VMs
■ Includes primary user roaming rights
The primary user of a device that is covered by a VDA license can access his or her VDI desktop from non-corporate machines, such as personal laptops or hotel computers.

Licensing for Management Components

To manage a VDI implementation using more than just the tools in Remote Desktop Services, you need licensing for each management product that you want to use with your VDI and RDS implementation. These products include:

■ System Center Virtual Machine Manager (SCVMM)  To provision and manage VMs
■ Microsoft Desktop Optimization Pack (MDOP)  Includes use of App-V to deliver applications to virtual desktops
■ System Center Configuration Manager (SCCM)  To configure RD Virtualization Host servers
■ System Center Operations Manager (SCOM)  To manage RD Virtualization Host health and performance monitoring
The right to use these products to manage your VDI implementation is included in the VDI Suite licenses, discussed next.

VDI Suites
Instead of requiring the purchase of separate RDS licensing and management licensing, Microsoft provides two subscription-based VDI licensing bundles: VDI Standard Suite and VDI Premium Suite.
VDI Standard Suite includes:
■ Per-Device CAL for accessing VDI desktops only, not sessions
■ Use of management products to manage VMs and hosts (SCVMM, MDOP, SCCM, and SCOM)
■ Use of RD Connection Broker to provide access to pooled and personal VMs
VDI Premium Suite includes all the benefits of the VDI Standard Suite, as well as the following:
■ RDS CAL for accessing both virtual desktops and sessions
■ Use of App-V to deliver applications to RD Session Host servers
In certain circumstances, you will not need to purchase anything extra to have the right to access pooled or personal VMs. For example, if you don’t need to use extra management tools to manage VDI, your client devices are covered by SA, and you already own RDS Per-Device CALs, then you don’t need any further licensing to access pooled or personal VMs. However, if you want to use the management tools (SCVMM, SCCM, SCOM, and MDOP), then you have to either purchase VDI Suite CALs (which include the rights to these tools) or purchase individual licensing for the tools you want to use.

NOTE  A brochure with licensing examples to help you understand what VDI licenses you will need given different scenarios is available at http://download.microsoft.com/download/7/8/4/78480C7D-DC7E-492E-8567-F5DD5644774D/VDA Brochure.pdf. The link is available on the companion media.

License Tracking and Enforcement
Some RDS license options are enforced while others are not. The same is true for tracking license allocation. Table 12-1 shows which licenses are tracked, enforced, both, or neither.

TABLE 12-1  Tracking and Enforcement of RDS Licenses

RDS LICENSE TYPE               TRACKED   ENFORCED
RDS User CAL                   Yes       No
RDS Device CAL                 Yes       Yes
External Connector Licenses    No        No
VDI Standard Suite             No        No
VDI Premium Suite              No        No

NOTE  VDI Licensing will be tracked and enforced in Windows Server 2008 R2 SP1.

Per-User licensing is tracked but not enforced, whereas Per-Device licensing is tracked and enforced. This does not mean that you are not bound by your license agreement, however—you are required to purchase the proper amount of licenses for your environment whether or not the licensing mode is enforced. You can have up to two concurrent administrative connections to an RD Session Host server for administrative purposes. Administrative connections do not require an RDS CAL.

NOTE  Putting the RD Session Host servers into Per-User mode can help you avoid
outages because Per-User licensing isn’t enforced. It’s okay to run in Per-User mode, even
if you have purchased Per-Device RDS CALs. For that reason, in an emergency, flip the
switch. You won’t be able to use the License Server application to keep track of how many
RDS Per-Device CALs are used, but as long as you have enough licenses to accommodate
your connecting devices, this is in compliance with the End User License Agreement
(EULA). Then you can fix your downed license server. To be clear, this does not remove your
responsibility to be licensed according to EULA.
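As an added example (this is not code from the book), the following Windows PowerShell functions read an RD Session Host server's current licensing mode and switch it between Per-Device and Per-User, so the emergency change described in the note can be made and verified from a script rather than by hand. They use the Win32_TerminalServiceSetting WMI class (namespace root\cimv2\TerminalServices) and its ChangeMode method; the value mapping 2 = Per Device, 4 = Per User is the class's own. The function names and the assumption of Windows Server 2008 R2 with local administrator rights are mine.

```powershell
# Added example, not from the book. Read or change the RD Session Host licensing mode
# through the Win32_TerminalServiceSetting WMI class. Assumes Windows Server 2008 R2
# and a caller with local administrator rights on the target server.
# LicensingType values used here: 2 = Per Device, 4 = Per User. Other values denote
# administration-only or not-yet-configured modes and are reported as-is.

function Get-RdshTerminalServiceSetting {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # The TerminalServices namespace requires packet privacy for remote WMI calls.
    Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                  -Class Win32_TerminalServiceSetting `
                  -ComputerName $ComputerName -Authentication PacketPrivacy
}

function Get-RdshLicensingMode {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $ts = Get-RdshTerminalServiceSetting -ComputerName $ComputerName
    switch ($ts.LicensingType) {
        2       { 'Per Device' }
        4       { 'Per User' }
        default { "Other ($($ts.LicensingType))" }
    }
}

function Set-RdshLicensingMode {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('PerDevice', 'PerUser')]
        [string]$Mode,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $code = if ($Mode -eq 'PerDevice') { 2 } else { 4 }
    $ts = Get-RdshTerminalServiceSetting -ComputerName $ComputerName
    $result = $ts.ChangeMode($code)
    if ($result.ReturnValue -ne 0) {
        throw "ChangeMode failed on $ComputerName with return code $($result.ReturnValue)"
    }
    # Read the mode back so the caller sees the effective setting, not the request.
    Get-RdshLicensingMode -ComputerName $ComputerName
}

# Usage:
#   Get-RdshLicensingMode
#   Set-RdshLicensingMode -Mode PerUser
```

Because the mode is the only thing standing between a downed license server and refused Per-Device connections, record who changed it and when (the WMI call itself leaves no licensing-specific event), and switch back once the license server is repaired so that Per-Device CAL tracking resumes.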

How RD License Servers Assign RDS CALs

When a client connects to an RD Session Host server, the server requests the type of license from the client that the server is configured to understand. If the RD Session Host server is in Per-Device mode, it requests a Per-Device license. The client presents the license from its store in the registry. If the RD Session Host server is in Per-User mode, it requests a Per-User license. Per-User licenses are stored as a property on a user account object in Active Directory Domain Services (AD DS), so the RD Session Host server can check this when user credentials are presented. (If you use Per-User licensing in a workgroup, then Per-User licenses aren’t tracked.)
All licenses are assigned for a random period of 52 to 89 days so that unused licenses can return to the license pool automatically. Beginning seven days before the license expires, when that license is presented at logon, the RD Session Host server will try to renew it for another period of 52 to 89 days.

NOTE  It’s possible to revoke a Per-Device CAL manually if you don’t want to wait for
the automatic revocation to kick in. The section entitled “Revoking RDS CALs” later in this
chapter talks more about this.

If the client does not have a valid license or if the license it has is within seven days of expiring, then the RD Session Host server must attempt to obtain a license for the client at each login. If the server cannot find a license server to renew the license before it expires or no license is available, the license will expire. What happens then depends on the circumstances described in Table 12-2. Notice that there are circumstances in which an RD Session Host server in Per-User mode will permit the connection when an RD Session Host server in Per-Device mode will not.

TABLE 12-2  Processes When a Client Requests a License

Circumstance: The RD Session Host server has never found a license server but is in its grace period.
  Per-User: The RD Session Host server will issue a temporary license that lasts up to 90 days.
  Per-Device: The RD Session Host server will issue a temporary license that lasts up to 90 days.

Circumstance: The RD Session Host server has never found a license server and is out of the grace period.
  Per-User: The RD Session Host server will not permit the connection.
  Per-Device: The RD Session Host server will not permit the connection.

Circumstance: The RD Session Host server has found a license server, but the license server has no RDS CALs installed and is not activated. The license server is in the grace period.
  Per-User: The client will be allowed access for up to 120 days.
  Per-Device: The client will be allowed access for up to 120 days.

Circumstance: The RD Session Host server has found a license server, but the license server has no RDS CALs installed. The license server is out of its grace period.
  Per-User: The RD Session Host server will permit the connection.
  Per-Device: The RD Session Host server will not permit the connection.

Circumstance: The RD Session Host server has found a license server with RDS CALs available.
  Per-User: The RD Session Host server will give the license server the name of the user attempting to connect to the RD Session Host server. The license server will then contact AD DS to set a property on that user’s account object to show that the person has used a license.
  Per-Device: The RD Session Host server will contact the license server with the hardware ID (HWID) of the computer attempting to connect to the RD Session Host server. The license server will then assign an RDS CAL to that HWID and create a record of the assignment.

If you watch a license server when a user is logging onto an RD Session Host server in Per-Device mode, you might notice that before issuing a permanent license to the device, the license server will first issue a temporary license. This temporary license is given to the client device prior to the user logon. The reason is that you need a license to connect, but until the user who initiated the connection has presented credentials, the RD Session Host server can’t tell whether that user has permission to log on to the RD Session Host server and therefore will not allocate a license unnecessarily.

NOTE  Prior to Windows Server 2000 SP2, a terminal server issued a permanent RDS CAL when the connection was initiated. Unfortunately, this meant that it was very easy for a malicious person to drain TS CALs from a license server because the person didn’t even need a valid account to attempt the connection and have a TS CAL assigned to the connecting computer.

When the user logs on from a client device a second time, then the RD Session Host server will attempt to get a valid RDS Device CAL for the device. If the RD License server does not have any, then the client can continue to access the server for up to 90 days, or until the client is issued a real RDS Device CAL, whichever comes first.
What if a license server the RD Session Host server connects to doesn’t have any licenses of the right kind available? Prior to Windows Server 2008 R2, the license server would forward the request to another license server that it had discovered (the license servers would search for and discover other license servers), a feature called CAL Forwarding. Windows Server 2008 R2 no longer uses license server discovery (discovery could be interrupted by so many situations it wasn’t reliable), so CAL Forwarding has been removed. Instead, you must point each RD Session Host server to the license server(s) it should use. If one license server cannot fulfill the request, the RD Session Host server will proceed to the next one in the list until it finds one that can fulfill the request or until it runs out of license servers.

DIRECT FROM THE SOURCE

CAL Forwarding Deprecated in Windows Server 2008 R2


Silvia Doomra
Software Design Engineer, Test

Because CAL Forwarding is deprecated in Windows Server 2008 R2, how can you make sure that your RD Session Host server contacts the second license server in case the first one doesn’t have the requested type of CALs?

In Windows Server 2008 R2, the concept of auto-discovery of license servers doesn’t exist. Hence, you need to configure each RD Session Host server with the license server name to make sure that the RD Session Host server can contact the RD License server. If you have multiple license servers in your environment, to make sure that if all the CALs of one license server are consumed, your RD Session Host server will contact the next one in the list automatically, then specify all the license servers on the RD Session Host server. It will always contact the first license server specified in the list. If the first license server is out of CALs, the RD Session Host server will then contact the second license server in the list and so on.

In summary, to ensure that all the license servers can be contacted by RD Session
Host servers, specify their names on each RD Session Host server.

You will learn how to specify RD License servers in the Specified License Server List in the section entitled “Configuring RD Session Host Servers to Use License Servers” later in this chapter.

Setting Up the RDS Licensing Infrastructure

To set up the license server so that there is a source for RDS CALs, you’ll need to do the following:
1. Install the RD Licensing role service.
2. Activate the license server(s) to register it with the Microsoft Clearinghouse.
3. Add the RD License server(s) to AD DS.
4. Install RDS CALs on RD License server(s).
5. Configure RD Session Host server(s) to use the RD License server(s).
6. Allow RD Session Host server(s) to communicate with RD License server(s).
The next sections explain how to accomplish each of these steps.

Installing RD License Server
RDS Licensing can be installed on any Windows Server 2008 R2 server that supports RDS. You can install this role service on a domain controller or member server. To install the Remote Desktop Licensing role service, follow these steps:
1. If you haven’t previously installed any RDS roles on the computer, start Server Manager, right-click Roles in the tree view on the left, and choose Add Roles.

NOTE  If you are installing RDS Licensing on a computer that already has RDS installed,
then you’ll start from the Role Services section of Server Manager. In the Remote
Desktop Services section, the screen will show the installed role services. Click Add
Role Services to jump to the page in the wizard where you choose to add the licensing
service.

2. Click through the introduction to RDS and on the next page, select the check box next to the Remote Desktop Licensing role service. Click Next.
3. Do not set a discovery scope, as it does not apply to Windows 2008 R2 license servers. Click Next.

NOTE  Discovery settings apply only to terminal servers running Windows Server 2008
and earlier. RD Session Host servers cannot use discovery to find license servers; you
must explicitly specify the licensing server that an RD Session Host server will use.

If needed, you can change the default location of the licensing database by clicking the Browse button and choosing a different location. Click Next.
4. Click the Install button on the Confirm Installation Selections page.
5. After the installation is complete, you’ll see a confirmation message and a reminder to configure the RD Session Host servers to point to the license server. Click Close.

You can also install the Remote Desktop Licensing role service using Windows PowerShell, like this:

PS C:\Users\admin> import-module servermanager
PS C:\Users\admin> add-WindowsFeature RDS-Licensing

Installing using Windows PowerShell doesn’t give you the option of doing any configuration. When you install this way, the license server will be set up with all the default settings, will not be activated, and will have no RDS CAL packs installed. The licensing database will be installed to the default location.
To remove the RD Licensing role service using Windows PowerShell, run this command. You might need to restart the server to complete the removal.

Remove-WindowsFeature RDS-Licensing

RD License Server Connection Methods
RD License servers must communicate with the Clearinghouse when you add or migrate licenses, and activate or deactivate a license server.

NOTE  For details on how the communication with the Clearinghouse works, see the sec-
tion entitled “Background: How RDS CALs Are Tied to an RD License Server” later in this
chapter.

There are three methods that the RD License server can use to communicate with the Clearinghouse when performing these tasks:
■ Automatic Connection  With this method, you enter the needed information into the appropriate RD License server wizard interface and the RD License server contacts the Clearinghouse automatically to perform the chosen activity. When possible, this is the easiest method.
■ Web Browser  Use this method when the RD License server does not have Internet access but you can access the Internet from another computer. The RD License server directs you to a website (https://activate.microsoft.com/) to perform the chosen activity. The RD License server also gives you the information you will need.
■ Telephone  Use this method when you do not have Internet access. The RD License server will ask you for your country or region and then provide you with the appropriate phone number to call the Clearinghouse.
The method by which you will communicate with the Clearinghouse is specified in the RD License server’s Properties dialog box. When you install the RD License server, this is set to Automatic Connection, but you can change it when you activate RDS CALs. You can also change this method in the RD License Server Manager at any time. Change the connection method in the RD License Server Manager by right-clicking the server and choosing Properties. On the Connection Method tab, use the Connection Method drop-down box to choose a connection method and click OK. Again, however, the Automatic Connection method of communicating with the Clearinghouse is simplest.

Activating the License Server

You’re not quite ready to install license packs on the license server. The license server has not yet been activated and therefore cannot issue permanent RDS CALs. This is indicated in the RD Licensing Manager panel by a red X (see Figure 12-1).

FIGURE 12-1  Activate the RD License server to issue permanent RDS CALs.

Activating a license server registers it with the Clearinghouse so that any licenses that you install on it will be associated with that server.

NOTE  Beginning in Windows Server 2008 R2, RD Licensing allows you to move licenses
from one license server to another without having to call the Clearinghouse. For details
on this process, see the section entitled “Migrating RDS CALs from One License Server to
Another” later in this chapter.

To activate the license server, open the RD Licensing Manager. The interface here is pretty straightforward. Any license servers (locally installed, or to which you connected) will appear under All Servers. License servers that are marked with a red X are not yet activated and can only issue temporary RDS CALs. You can’t make RDS Per-User CAL reports yet because you have no RDS Per-User CALs installed for which to create reports.

NOTE  To manage more than one license server from RD Licensing, right-click All Servers
and choose Connect. When prompted, type the name of the license server to connect to.

Why Are There Windows 2000 TS CALs on My Windows 2008 R2 License Server?

Because you haven’t yet installed any RDS CALs on the license server, you may
wonder why the license server contains a reference to Windows 2000. That’s
the result of a decision made in the Windows 2000 era. At that time, any Windows
2000 Professional computer had a license to access a Windows 2000 Server terminal
server. Many people referred to this as a “built-in” license, but this is misleading.
There was no license built into Windows Server 2000 Professional, just the ability to
pull from the Unlimited pool on the license server.

Beginning with Windows XP and Windows Server 2003, no client operating system
has been able to draw from this Unlimited pool, but it’s still available if you have
(a) Windows 2000 Server terminal servers using the license server and (b) Windows
Server 2000 Professional clients that will be using those license servers. If you
don’t have both, this Unlimited license pool is totally irrelevant. Even if you have
Windows 2000 Professional clients, they cannot draw from the Unlimited pool to
access a Windows Server 2008 RD Session Host server or a Windows Server 2008 or
Windows Server 2003 terminal server.

To activate the license server, select it, choose Action, Activate Server, or right-click the license server and then choose Activate Server from the context list. This will start the Activate Server Wizard.

Click Next and then choose a method to contact the Clearinghouse to activate the server. If at all possible, use the Automatic Connection option, as it’s less prone to error than either the website or the telephone options. The Clearinghouse manages licensing for Microsoft, including activating license servers, issuing RDS CALs and associating them with a license server, and recovering licenses. When you contact the Clearinghouse to activate a server, you’ll receive an X.509 certificate to identify the server. Installing RDS CALs on the activated server associates them with that certificate and validates their authenticity.
Next, you’ll need to provide some basic company information to the Clearinghouse to associate you with the activated server. This information is required. Type in your first name, last name, and company name, and then select your country or region from the corresponding drop-down menu.

CAUTION  If you’re tempted to put in a false name, as some people do when asked
to provide contact information, be aware that this information is designed to allow
the Clearinghouse to find you in its system if you need to have licenses reissued or
need other support. We recommend using your real name. If you put in a false name,
remember it!

Next, the wizard will prompt you for some additional optional information that the Clearinghouse can use to contact you and further identify you: email address, organizational unit (OU), company address, city, state or province, and postal code.
Click Next, watch the status bar for a few seconds until you see the activation is complete, and you’re finished. The license server is now activated and ready for you to install RDS CALs. When you go back to the RD Licensing Server console, the server will now have a green icon with a check mark indicating that it is activated.

NOTE  Although the Activate Server Wizard will prompt you to install RDS CALs right
away, you can skip this step for now and the license server will allow access for up to 120
days (until the grace period expires). The grace period ends at 120 days or when you install
at least one license pack.

Activating an RD License Server Using Windows PowerShell

You can also activate an RD License server using Windows PowerShell. Activate the RD License server using the Automatic Connection method with the following command (Table 12-3 shows the activation reason codes, but most reason codes apply only to reactivation). If activating the server for the first time, always use code 5.

PS RDS:> Set-Item -path LicenseServer\ActivationStatus -Value 1 -ConnectionMethod AUTO -Reason <REASON FOR ACTIVATION GOES HERE>

TABLE 12-3  RD License Server Activation Reason Codes

CODE   REASON
0      The server was redeployed
1      The certificate was corrupt
2      The private key was compromised
3      The activation key expired
4      The server was upgraded
5      The server is being activated for the first time

After the License server is activated, you should note the License Server ID and the required and optional information that you used to activate the license server. If you ever need to contact the Clearinghouse (for example, to get your RDS CALs reissued), this is the information that they will use to verify who you are and to help you further. If your license server dies in the future and you cannot get to this information, then working with the Clearinghouse becomes much harder.
In the RD Licensing Manager, right-click the license server and choose Properties from the context menu. Write down the License Server ID located on the Connection Method tab and also all information on the Required Information and Optional Information tabs. We recommend that you keep all your original purchase information and receipts.

Background: How RDS CALs Are Tied to an RD License Server
When you activate an RD License server with the Clearinghouse, the Clearinghouse issues an X.509 digital certificate to the RD License server. This certificate is used to encrypt communications with the Clearinghouse. Figure 12-2 depicts the process of activating an RD License server and installing RDS CALs.

[Figure 12-2 diagram: (1) The RD License server sends Name, Company, Country, and License Server Product ID (LS-PID) to the Microsoft Clearinghouse. (2) The Clearinghouse sends an X.509 certificate and a unique License Server ID (LSID) to the RD License server. (3) RD CALs are created based on a 35-character representation of the certificate, which also contains the LSID.]

FIGURE 12-2  The Clearinghouse issues an LSID to the RD License server, which is matched to the LSID contained in the RDS CALs.

1. You activate the RD License server. The RD License server sends information to the Clearinghouse identifying the RD License server. This information includes:
■ First Name and Last Name
■ Company
■ Country
■ License Server Product ID (LS-PID)

The LS-PID is server-specific because it is created from the Windows Product ID (PID), a unique identifier created when you install the operating system. It contains the Microsoft Product Code (MPC) that identifies the operating system and the Channel ID that specifies the channel through which you purchased your operating system (Retail, Original Equipment Manufacturer [OEM], Volume Licensing Programs, Evaluation, or Checked Build).

2. The Clearinghouse issues an X.509 certificate to the RD License server. The certificate is used to establish secure communications between the RD License server and the Clearinghouse. The Clearinghouse also sends a unique License Server ID (LSID) to the server. This certificate is not stored in the regular computer certificate store on the server. Instead, it is stored in the registry at HKLM\SYSTEM\CurrentControlSet\Services\TermServLicensing\Parameters. The following four values exist here:
■ L$TermServLicensingSignKey-12d4b7c8-77d5-11d1-8c24-00c04fa3080d  This value is created from the license server’s certificate.
■ L$TermServLicensingExchKey-12d4b7c8-77d5-11d1-8c24-00c04fa3080d  This value is created from the license server’s certificate.
■ L$TermServLicensingServerId-12d4b7c8-77d5-11d1-8c24-00c04fa3080d  The unique LSID sent from the Clearinghouse.
■ L$TermServLicensingStatus-12d4b7c8-77d5-11d1-8c24-00c04fa3080d  The last run state of the license server database.
3. You install RDS CAL packs. RDS CALs are created based on a 35-character alphanumeric representation of the digital certificate that was issued to the RD License Server. This 35-character sequence contains the LSID. When RDS CALs are installed, the RD License server matches the LSID in the 35-character sequence with its own LSID, which was issued by the Clearinghouse. If they match, then the RDS CALs are installed. If they do not match, the server rejects the installation.

NOTE  If you see Event ID 17 logged and you find the license server is only issuing tem-
porary licenses, see http://support.microsoft.com/kb/2021885. You might have a corrupted
certificate. Reactivate the license server as described in the Knowledge Base article to
resolve the problem.
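The following Windows PowerShell is an added example, not code from the book or from Microsoft: it lists the four activation values under the TermServLicensing\Parameters key named in step 2, reports which are present and their type and size, and exports the key to a .reg file so that the existing certificate state is preserved before any reactivation is attempted. It assumes a local administrator session on the license server itself; the function names and the backup file location are mine.

```powershell
# Added example, not from the book. Check the RD License server's stored certificate
# state and back the registry key up before reactivating. Run locally as an administrator.

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermServLicensing\Parameters'
$suffix    = '12d4b7c8-77d5-11d1-8c24-00c04fa3080d'
# The four value names the license server writes after activation.
$expected  = 'SignKey', 'ExchKey', 'ServerId', 'Status' |
             ForEach-Object { "L`$TermServLicensing${_}-$suffix" }

function Test-RdLicenseServerCertState {
    # Returns one object per expected value, saying whether it exists and what it holds.
    if (-not (Test-Path $paramsKey)) { throw "Registry key not found: $paramsKey" }
    $key     = Get-Item $paramsKey
    $present = $key.GetValueNames()
    foreach ($name in $expected) {
        $value = $null
        if ($present -contains $name) { $value = $key.GetValue($name) }
        New-Object PSObject -Property @{
            Name    = $name
            Present = ($present -contains $name)
            Type    = if ($value -ne $null) { $value.GetType().Name } else { '' }
            Bytes   = if ($value -is [byte[]]) { $value.Length } else { 0 }
        }
    }
}

function Backup-RdLicenseServerParameters {
    # reg.exe export produces a restorable .reg file of the whole Parameters key.
    param(
        [string]$Path = (Join-Path $env:TEMP ("TermServLicensing-Parameters-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date)))
    )
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\TermServLicensing\Parameters' $Path /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }
    $Path
}

# Usage: report the state, then take a backup if anything looks wrong.
$state = Test-RdLicenseServerCertState
$state | Format-Table Name, Present, Type, Bytes -AutoSize
if ($state | Where-Object { -not $_.Present }) {
    Write-Warning 'One or more activation values are missing; the server may issue only temporary licenses (see Event ID 17).'
    Write-Host ("Registry backup written to " + (Backup-RdLicenseServerParameters))
}
```

A missing or zero-length value is the symptom to look for before following the Knowledge Base article; the exported .reg file lets you restore the previous state if reactivation does not go as planned.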

The key point is that the LSID issued to the RD License server is created from the LS-PID. The LS-PID is created from the unique operating system PID. This process ties the RDS CALs to the RD License server operating system installation.
Communication from the RD Session Host servers and the clients is encrypted based on the RD License server certificate, as shown in Figure 12-3.

[Figure 12-3 diagram: The RD License server gets an X.509 certificate from the Microsoft Clearinghouse and uses it as the root certificate for the certificates it creates. The RD License server creates and sends certificates to the RD Session Host servers. RD Session Host servers use their digital certificates to establish secure communications with clients.]

FIGURE 12-3  The RD License server issues certificates to the RD Session Host servers.

1. The license server gets an X.509 certificate from the Clearinghouse based on its PID.
2. The license server creates digital certificates signed with its own certificate and issues them to the RD Session Host servers. (RD Session Host servers request RDS CALs on behalf of the users or computers connecting to them.)
3. The RD Session Host servers use their digital certificates to establish secure communications with clients to check for and to issue RDS CALs.
The result is that to establish secure communication, the client verifies the RD Session Host server certificate by checking the signature on the certificate.
The RD Session Host server certificate is signed by the RD License server certificate. After it gets a certificate from a license server, it will never try to get another certificate, even if the license server is changed. This is because the certificate issued by one RD License server is valid for all other RD License servers. Communication happens using the original certificate only.

NOTE  For Per-User licensing, the RD Session Host server doesn’t have to send anything
to or get anything from the client because all the RDS CAL usage information is stored in
AD DS.

Adding License Servers to AD DS
After the initial installation and activation, the RD Licensing Manager will show a yellow warning sign next to the license server, as shown in Figure 12-4. This is because the license server has not yet been added to the Terminal Server License Servers group in AD DS. You must add the license server to this group for every domain for which the license server will allocate licenses.

FIGURE 12-4  Add the RD License server to the Terminal Server License Servers group in AD DS by selecting Review Configuration in the RD Licensing Manager.

To do so, select the server in RD Licensing Manager, right-click it, and select Review Configuration. Click Add To Group and then click Continue in the resulting pop-up box that tells you that you must have Domain Admins privileges to do this. Then click OK in the second pop-up box that tells you the account was added to the Terminal Services License Group in AD DS.

Installing RDS CALs

To install the RDS CAL license packs using the automatic connection method, perform the following steps:
1. Open RD Licensing Manager and choose Actions, Install Licenses or right-click the server and select Install Licenses. Click through the opening dialog box of the Install Licenses Wizard to get to the page shown in Figure 12-5.

FIGURE 12-5  Choose the type of license packs you install.

2. From the License Program drop-down menu, choose the license program that you used to purchase your RDS CALs (for this example, you will choose to install a retail license pack). The corresponding Format and Location information area will tell you what further information you will need to provide on the next page(s). Click Next.
3. The next page(s) can vary slightly, depending on which License Program you chose, because the information that you need to enter next is unique to the license program. However, the general step is the same: enter the license information that the interface prompts for. For example, for CALs purchased from the Retail Purchase program, type in the license code or key for your CAL purchase and click Add. The code will show up in the list of entered license codes. You can enter as many here as you have available. When you’re finished, click Next.

NOTE  The Microsoft RDS team has provided an example of how to use Windows
PowerShell to add a License Key Pack to an RD Licensing server (and how to perform
other license server management) online at http://blogs.msdn.com/b/rds/archive
/2010/04/07/manage-remote-desktop-licensing-by-using-windows-powershell.aspx.

4. After you have entered all the required information, the RD License server will contact the Clearinghouse, install the licenses, and then display them in the right pane of the RD Licensing Manager.

Configuring RD Session Host Servers to Use RD License Servers

Since Windows Server 2003 R2, it's been recommended that you point a terminal server to a particular license server to avoid the uncertainty that automatic discovery introduces. In Windows Server 2008 R2, this is the only option. License Server Discovery has been removed. CAL Forwarding (the ability of one license server to forward a request to another license server because a terminal server would find one license server and then stop looking, even if the license server had no licenses available) has also been removed. Now you must configure the RD Session Host server(s) to use specified RD License server(s), and an RD Session Host server can request licenses from more than one license server if it must.
An RD Session Host server can get licenses from any of the RD License servers it is configured to use. If the first license server that it queries does not have the requested RDS CAL, the RD Session Host server will continue querying RD License servers that it knows about until it either gets a CAL to issue to a client, or determines that no CALs are available from any of its known RD License servers.

NOTE  For more information on how this change replaces CAL Request Forwarding
in Windows 2008, see the sidebar entitled “Direct from the Source: CAL Forwarding
Deprecated In Windows Server 2008 R2” earlier in this chapter.

Make RD License servers known to RD Session Host servers by doing either of the following:
■ Add RD License servers to RD Session Host Configuration on a per-server basis.
■ Add RD License servers to RD Session Host Configuration via Group Policy.
To specify an RD Session Host server's known license server(s), do the following.
1. Open RD Session Host Configuration, and, in the middle pane, double-click Remote Desktop License Servers.
2. Select the licensing mode by selecting the Per Device or Per User option.
3. Click the Add button at the bottom of the page, highlight a license server located in the Known License Servers pane, and click the Add> button to add it to the Specified License Servers pane. Do this for every license server that you want to add to the RD Session Host server configuration.
Only local license servers and those registered as SCP entities in AD DS will appear in the Known License Servers pane. To add RD License servers that do not appear in the pane, type the server name or IP address in the lower-left input box and click the corresponding Add> button to add it to the Specified License Servers list. Then click OK.

To use Group Policy to configure RD Session Host servers with known RD License servers, do the following.
1. Create a Group Policy Object (GPO) and enable this policy: Computer Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Licensing/Use The Specified Remote Desktop License Servers.
2. Specify the RD License server or servers that you want the RD Session Host servers to use. Do this by name (NetBIOS or FQDN) or by server IP address, separated with a comma as shown here.

colfax.ash.local,blueridge.ash.local.

3. Apply the GPO to the OU where the RD Session Host servers reside.

NOTE  You can point an RD Session Host server to a license server in another domain, but
if the RD Session Host server is configured for Per-User licensing, a trust relationship must
exist between the domain where the license server is located and the AD DS for the user
accounts. This is because RDS Per-User CAL usage is stored in AD DS. When a user gets a
CAL, the RD License server updates their user account property to show that that user has
a CAL, so it must be able to write to the user account. It must also be able to query it to run
a report on Per-User CAL usage.

Configuring RD License Servers to Allow Communication From RD Session Host Servers

If you restrict RD License servers to only answering requests from specified RD Session Host servers, then you must add those servers to the Terminal Server Computers group on each RD License server.

NOTE  For more information on restricting RD License server responses to specific RD Session Host servers, see the section entitled "Restricting Access to RDS CALs" later in this chapter.

Migrating RDS CALs from One License Server to Another

In older versions of Terminal Services, if you lost your TS License server, or if you wanted to move your TS CALs to another TS License server, you had to call the Clearinghouse to get your TS CALs reissued. This process has been automated in Windows Server 2008 R2 so that migrating CALs from one RD License server to another is now easily done via the RD Licensing Manager. You can also migrate RDS CALs from offline RD License servers to online RD License servers. So if you only have one RD License Server and it dies, creating another RD License server and migrating the RDS CALs to the new location is simple. You just need to reenter your CAL License information to complete the process. To migrate RDS CALs from one license server to another, do the following.
1. Open the RD Licensing Manager on the RD License server to which you want to migrate licenses, expand All Servers, right-click the RD License Server, and choose Manage RDS CALs. This starts the Manage RDS CALs Wizard.
2. Click Next on the Welcome page and, on the next page, choose the Migrate RDS CALs From Another License Server To This License Server option. In the corresponding drop-down box, choose the reason for the migration. Then click Next.
3. Depending on the migration reason you chose in the previous step, the next screens will vary.
■ If you are replacing the source license server with this license server, then the following will happen:
a. You will be prompted for the source license server name or IP address.
b. Then you will reenter your license CAL program and code information as you did when you originally installed it.
■ If the source server is not online, then:
a. Select the check box for the option The Specified Source License Server Is Not Available On The Network. Doing so will then require you to choose the operating system of the source license server from the available drop-down box. You will also need to enter the source server License Server ID.
b. Reenter your license CAL program and code information as you did when you originally installed it.
■ If your source server is no longer functioning, select the check box for the option The Source Server Is No Longer Functioning. Then click Next.
4. If you indicated that your source license server was not available or not functioning, on the next page, you are required to agree not to use the licenses installed on the source server. Select the check box next to the agreement and click Next.
5. On the next pages, reenter your License Program information and corresponding license information as you did when you first installed the licenses on the source license server. Click Next and the licenses will be migrated to the destination server.

Rebuilding the RD License Server Database
You can also completely rebuild the licensing database using the Manage RDS CALs Wizard. You might do this if your license server database or license server certificate becomes corrupt or compromised, or if the license server is being redeployed. To do this, perform the following steps.
1. Open the RD Licensing Manager on the RD License server to which you want to migrate licenses, expand All Servers, right-click the RD License Server, and choose Manage RDS CALs. This starts the Manage RDS CALs Wizard.
2. Click Next on the Welcome page and, on the next page, choose the Rebuild The License Server Database option. In the corresponding drop-down box, choose the reason for the rebuild. Then click Next.
3. Rebuilding an RD License server database deletes any RDS CALs installed on it, so have your purchase agreement information on hand. The next page tells you this. Select the Confirm Deletion Of RDS CALs Currently Installed On This License Server check box. Then click Next.
4. The next page confirms that the RD Licensing database has been deleted. Click Next and then follow the prompts to reenter your RDS CAL purchase information as you did when you originally installed the RDS CALs.

Backing Up an RD License Server and Creating Redundancy

Before Windows Server 2008 R2, creating redundancy for your TS Licensing implementation meant creating multiple license servers, splitting TS CALs between them, and relying on the license servers to forward CAL requests to other license servers (CAL Forwarding). With Windows Server 2008 R2, this redundancy is done a little differently. Now the RD Session Host servers are responsible for checking with each license server that it knows about to satisfy a CAL request.
We recommend having more than one license server implemented in your environment. This way, you can split your RDS CALs among two (or more) license servers and configure the RD Session Host servers to use all the license servers. If one license server goes down, then there is another that continues to issue RDS CALs while you bring the downed server back online. And if one license server runs out of RDS CALs, the requests are re-sent to the next license server listed in the RD Session Host server's Known RD License Servers list. If you're completely out of licenses, then server redundancy won't help you (although Per-User licenses are not enforced).
This takes care of redundancy. But what about losing data if an RD License server dies? As explained in the following sidebar, what you lose depends on the circumstances.

HOW IT WORKS

Does Backing Up a Windows Server 2008 R2 License Server Help You?

In previous versions of Terminal Services, you had to contact the Clearinghouse if you wanted to rebuild a license server. Beginning in Windows Server 2008 R2, this became unnecessary, because you can now migrate RDS CALs to a new server. This is true even if the original server is out of commission.

If you don’t back up a license server and the server fails, what have you lost?

You haven’t lost the licenses. Using the RD Licensing tool, you can migrate them to a
new server. If the original license server has failed, you can still reinstall the licenses
on a new server by saying that the server is out of commission and agreeing not to
use the licenses twice.

You haven’t lost the ability for people or devices that already had licenses to con-
nect. An RD Session Host server does not check with the license server every time
someone connects. It checks only when a user or a device without a license or one
with a license that needs to be renewed connects. Anyone who still has a currently
working license will continue to be able to connect.

You don’t lose the ability for new devices to connect, because they would get a
temporary RDS CAL and would be able to use it until it expired or the device could
be issued a real RDS CAL.

Devices with expired licenses would not be able to get a license and so would
not be able to connect. But this is dealt with easily by running more than one RD
License server.

You might have lost your usage reports, depending on whether you were issuing
Per-Device or Per-User licenses. Per-User licensing records are stored in AD DS,
since the license usage is reported as a property set on a user’s account. Per-Device
license reports are stored on each license server. Therefore, losing a license server
would prevent you from reporting accurately on Per-Device RDS CALs already is-
sued. However over time, as client RDS Per-Device licenses expire and they get new
ones, your reporting will become accurate again.

Because installation of an RD License server and RDS CAL migration is an easy and quick process to accomplish, if you have redundancy built into your licensing implementation (meaning that you have implemented more than one license server and split the RDS CALs among them), you might not need to back up the individual license servers.

If your reporting is crucial to you, and you cannot wait for clients to be reissued licenses and for your count to become accurate over time once again, then you can maintain backups of your RD License servers so you can restore them if necessary and regain full functionality and reporting. An RD License server licensing database is stored as part of the system state data (it's in %SystemRoot%\Windows\System32\Lserver). As long as the system state is backed up, you can restore it to the same machine and get a full recovery of the RD License server.
Each operating system installation uses server-specific encryption that is unique to that installation. Every new installation of the operating system changes the crypto keys used in the server-specific encryption.
To be fully functional without having to migrate licenses, the RD License Server restore needs three things:
■ RD License Server database directory
■ Licensing registry keys
■ Crypto keys from the operating system (those that crypto application programming interfaces [APIs] use; these are machine-specific). This is required to prevent piracy.
If you back up the RD License server system state, then you can restore to the same hardware and you will have a fully functioning RD License server. Unissued RDS CALs will be restored and available.
Microsoft also supports restoring a system state backup to a different physical computer if the new computer has the same hardware and if you take bare metal restore (BMR) backups. Windows Server 2008 R2 Windows Backup can make BMR backups.
Situations in which you would need to do a new installation and then migrate the RDS CALs to the new installation are those in which you are unable to restore the system state and the LServer folder successfully. For instance, Microsoft does not support restoring the system state to dissimilar hardware. In this case, it's possible that you will need to start over with a new license server and then migrate the licenses.

ON THE COMPANION MEDIA  See http://support.microsoft.com/kb/249694 for more information on requirements for restoring a system state to different hardware. The link is also located on the companion media.

Managing and Reporting License Usage

When users log onto an RD Session Host server that is set to Per-User mode, the RD Session Host server checks to see if each user has the licensing property set in the user account properties in AD DS. If the licensing property is set, then a user can log on; if not, the licensing server will ask the domain controller to update the user account to show that it's using an RDS CAL. To track per-user licensing, you must have a domain.
You can't find evidence of this user CAL in the user account properties in AD DS; this is not exposed in the user interface. However, you can run a report on the license server to see how many user CALs have been allocated. To do so, open RD Licensing, right-click a server, and choose Create Report, Per User CAL Usage.

CAUTION  Only choose an activated server to create the report. The Create Report
command will function if the server has no CALs or hasn’t been activated, but it will
return an empty set.

Choosing this option will open the dialog box shown in Figure 12-6.

FIGURE 12-6  Choose a location for which to run the Per User RDS CAL Usage Report.

To generate the report, specify the part of AD DS to search for the data, as follows:
■ Entire Domain  The domain that the license server belongs to.
■ Organizational Unit  A particular OU where user accounts are stored that is also part of the domain where the license server resides. Choose this option to restrict a search to a particular OU, if you want to get usage for only a subset of users.
■ Entire Domain And All Trusted Domains  Includes domains in other forests in the search, but choosing this option will increase the time needed to generate the report.
For this example, choose Entire Domain (the default) and click Create Report. After RD Licensing Manager creates the report, it appears in the RD Licensing Manager, as shown in Figure 12-7.

FIGURE 12-7  Use an RDS CAL usage report to determine how many per user CALs you've consumed.

To view the report, save the data to a file. Right-click the report, select Save As from the context menu, and provide a location to save the report to create a comma-delimited file at that location. Open the file in Notepad (or any program that can open .csv files) to view a report like the one shown in Figure 12-8.

FIGURE 12-8  RDS UCAL usage report results can be seen.

Although Per-User RDS CAL usage is not enforced, the data gained from this reporting feature will help you to demonstrate compliance with the RDS EULA. The report contains the following data:
■ The license server the report was run on
■ The RDS CAL type (which will be always per-user; at this time, Windows Server does not create reports on Per-Device RDS CAL usage)
■ The Report date
■ The Report scope (domain, OU, and so on)
■ The number of CALs installed on the server, how many are currently in use, and how many are currently available
■ Which users have been issued a CAL, and when that CAL will expire and be returned to the pool
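As an added example (not code from the book or from Microsoft), the Windows PowerShell below turns a saved Per User CAL Usage report into the counts the report is meant to give you: installed, in use, available, and which CALs are about to expire and return to the pool. The column names, the rows, the installed count and the report date are all constructed for this example; the real export's header line may differ, so adjust the property names to match it.

```powershell
# Added example, not the book's code. Summarizes a saved Per User CAL Usage report.
# ASSUMPTION: the .csv has the columns User, CalVersion and ExpiresOn; the real
# export's header may differ, so adjust the property names if it does.
# Every row, the installed count and the report date below are constructed samples.
$reportCsv = @'
User,CalVersion,ExpiresOn
ASH\alice,Windows Server 2008 R2 Per User,2010-08-20
ASH\bob,Windows Server 2008 R2 Per User,2010-06-05
ASH\carol,Windows Server 2008 R2 Per User,2010-10-01
ASH\dave,Windows Server 2008 R2 Per User,2010-05-15
'@
$installedCals = 10
$reportDate    = [datetime]'2010-06-01'

function Import-PerUserCalReport {
    param([string]$CsvText)
    # ConvertFrom-Csv takes property names from the header line; the expiry column
    # is turned into a real date so it can be compared rather than only printed.
    $CsvText | ConvertFrom-Csv | ForEach-Object {
        New-Object psobject -Property @{
            User       = $_.User
            CalVersion = $_.CalVersion
            ExpiresOn  = [datetime]::ParseExact($_.ExpiresOn, 'yyyy-MM-dd', $null)
        }
    }
}

function Get-PerUserCalSummary {
    param([object[]]$Entries, [int]$Installed, [datetime]$AsOf, [int]$WarnDays = 30)
    # A Per-User CAL counts as in use until its expiry date, when it returns to the
    # pool; a row whose date has already passed (dave in the sample) is not counted.
    $inUse    = @($Entries | Where-Object { $_.ExpiresOn -gt $AsOf })
    $expiring = @($inUse | Where-Object { $_.ExpiresOn -le $AsOf.AddDays($WarnDays) })
    # Available can go below zero: Per-User usage is tracked, not enforced, so a
    # negative number is exactly the compliance gap the report exists to reveal.
    New-Object psobject -Property @{
        ReportDate   = $AsOf
        Installed    = $Installed
        InUse        = $inUse.Count
        Available    = $Installed - $inUse.Count
        ExpiringSoon = @($expiring | ForEach-Object { $_.User })
    }
}

$entries = Import-PerUserCalReport -CsvText $reportCsv
Get-PerUserCalSummary -Entries $entries -Installed $installedCals -AsOf $reportDate | Format-List
```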

NOTE  A script to generate RDS Per-User CAL usage across domains is available at
http://blogs.msdn.com/b/rds/archive/2009/11/09/per-user-cal-reporting-script.aspx.

RD Licensing Manager also shows you explicitly which machines have been allocated an RDS Per-Device CAL. In the RD Licensing Manager, expand the license server and select the Per Device License CALs group. Allocated licenses appear in the right pane.

ON THE COMPANION MEDIA  A script that counts allocated RDS Per-Device CALs
for servers in a named OU is available on the companion media. The script also sends
an email if the count is higher than the specified threshold value. The script is called
PerDeviceCAL-Count-Alert.vbs.

NOTE  A script for tracking Per-Device licensing on a per server basis is available at
http://blogs.msdn.com/b/rds/archive/2007/08/10/generating-per-device-license-usage-
reports-for-ts-license-servers-running-windows-server-2008.aspx.

Revoking RDS CALs

Unlike Per-User licensing, Per-Device licensing is enforced. When a user logs on to an RD Session Host server that is set to Per-Device licensing mode, the computer from which the user logged on is issued an RDS Per-Device CAL on its second logon (remember that the computer gets a temporary CAL on its first logon). The CAL is associated with a computer for an interval of 52 to 89 days. Either it must be renewed before it expires, or the CAL goes back into the pool so that the license server can allocate it to another client.
If you are replacing a few computers with new ones and have few enough CALs that you can't wait for the old allocations to expire, you might choose to revoke some RDS CALs to fill in the gap.
You can't revoke all RDS CALs at once. Microsoft has limited the ability to revoke RDS CALs to 20 percent of the Per-Device RDS CALs installed. For example, if your license server manages 100 RDS Per-Device CALs and 200 Windows Server 2003 Device CALs, you can revoke 20 and 40 CALs, respectively. Manual revocation is not intended to be used as concurrent-connection licensing by allowing you to revoke RDS CALs on devices not currently being used.
To revoke an RDS Per-Device CAL, in the RD Licensing Manager, right-click the CAL entry corresponding to the computer and select Revoke CAL from the context menu. The RD Licensing Manager will display a message confirming that the RDS CAL has been revoked, and the RDS CAL status in the Licensing Manager will be displayed with a status of Revoked. This CAL is then available immediately in the device CAL pool and can be assigned to another computer. When you reach your limit for revoking licenses, you cannot revoke a license again for two months.
You might notice that you can still log on to the RD Session Host server from a computer whose device CAL you have revoked, but its license will still be revoked in the Licensing Manager and the client device won't get a new one. The revocation worked; what you're seeing is the way the bookkeeping associated with revocation functions. If you revoke a client's RDS CAL, that computer can still connect until the RDS CAL that it was originally given expires. If you're following licensing guidelines, this should be a moot point, because the whole point of revoking licenses is to remove them from a computer that will no longer be used as an RD Session Host server client. Just don't be surprised if that client PC can still connect to the RD Session Host server for a while longer.
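As an added example (not the book's or Microsoft's code), the Windows PowerShell below models two of the Per-Device rules described in this section and the preceding one over constructed data: counting the allocated RDS Per-Device CALs against an alert threshold, as the companion PerDeviceCAL-Count-Alert.vbs script is described as doing (without the OU scoping or the e-mail), and checking the 20 percent revocation limit per CAL type before a revoke is attempted. The key packs, issued CALs, status values and dates are constructed samples; it assumes, without querying them, that on a real RD License server this data would come from the Win32_TSLicenseKeyPack and Win32_TSIssuedLicense WMI classes.

```powershell
# Added example, not the book's or Microsoft's code. All data below is constructed.
# ASSUMPTION: on a live RD License server the key packs would come from the
# Win32_TSLicenseKeyPack WMI class and the issued CALs from Win32_TSIssuedLicense;
# the property names used here (Product, Installed, Device, Status, ExpiresOn)
# are this example's own, not the WMI property names.

$asOf = [datetime]'2010-06-01'   # "today" for the sample data

# Installed Per-Device key packs, one per CAL type (same 100/200 figures as the text).
$keyPacks = @(
    (New-Object psobject -Property @{ Product = 'Windows Server 2008 R2'; Installed = 100 }),
    (New-Object psobject -Property @{ Product = 'Windows Server 2003';    Installed = 200 })
)

# Issued Per-Device CALs. Status is Temporary (first logon), Active (permanent) or Revoked.
$issued = @(
    (New-Object psobject -Property @{ Product = 'Windows Server 2008 R2'; Device = 'PC01'; Status = 'Active';    ExpiresOn = [datetime]'2010-08-01' }),
    (New-Object psobject -Property @{ Product = 'Windows Server 2008 R2'; Device = 'PC02'; Status = 'Active';    ExpiresOn = [datetime]'2010-05-20' }),
    (New-Object psobject -Property @{ Product = 'Windows Server 2008 R2'; Device = 'PC03'; Status = 'Temporary'; ExpiresOn = [datetime]'2010-08-15' }),
    (New-Object psobject -Property @{ Product = 'Windows Server 2003';    Device = 'PC04'; Status = 'Active';    ExpiresOn = [datetime]'2010-07-10' }),
    (New-Object psobject -Property @{ Product = 'Windows Server 2008 R2'; Device = 'PC05'; Status = 'Revoked';   ExpiresOn = [datetime]'2010-07-30' })
)

function Get-AllocatedPerDeviceCals {
    param([object[]]$Issued, [datetime]$AsOf)
    # Only permanent CALs that have not yet expired occupy a slot in the pool: an
    # expired CAL has already gone back to the pool, a temporary one never left it,
    # and a revoked one was returned to the pool immediately.
    @($Issued | Where-Object { $_.Status -eq 'Active' -and $_.ExpiresOn -gt $AsOf })
}

function Test-PerDeviceCalThreshold {
    param([object[]]$Issued, [datetime]$AsOf, [int]$Threshold)
    # Is the allocated count above the threshold you set? (PC01 and PC04 in the sample.)
    $allocated = Get-AllocatedPerDeviceCals -Issued $Issued -AsOf $AsOf
    New-Object psobject -Property @{
        Allocated = $allocated.Count
        Threshold = $Threshold
        Alert     = ($allocated.Count -gt $Threshold)
    }
}

function Get-RevokeBudget {
    param([object[]]$KeyPacks, [object[]]$Issued)
    # Manual revocation is capped at 20 percent of the installed CALs of each type.
    foreach ($pack in $KeyPacks) {
        $revoked = @($Issued | Where-Object { $_.Product -eq $pack.Product -and $_.Status -eq 'Revoked' }).Count
        $cap = [math]::Floor($pack.Installed * 0.20)
        New-Object psobject -Property @{
            Product   = $pack.Product
            Installed = $pack.Installed
            Cap       = $cap
            Revoked   = $revoked
            Remaining = [math]::Max(0, $cap - $revoked)
        }
    }
}

function Test-CanRevoke {
    param([string]$Product, [object[]]$KeyPacks, [object[]]$Issued)
    # Refuse before the wizard would: once the cap is reached the text says no further
    # revocation is possible for two months, so treat Remaining = 0 as a hard stop.
    $budget = Get-RevokeBudget -KeyPacks $KeyPacks -Issued $Issued |
        Where-Object { $_.Product -eq $Product }
    if (-not $budget) { return $false }
    return ($budget.Remaining -gt 0)
}

Test-PerDeviceCalThreshold -Issued $issued -AsOf $asOf -Threshold 1
Get-RevokeBudget -KeyPacks $keyPacks -Issued $issued |
    Format-Table Product, Installed, Cap, Revoked, Remaining -AutoSize
Test-CanRevoke -Product 'Windows Server 2008 R2' -KeyPacks $keyPacks -Issued $issued
```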

Restricting Access to RDS CALs

RDS CALs cost money. You probably want some control over who's able to use them. You might want to ensure that users don't set up RD Session Host servers to experiment and use the production RDS CALs, or that the department paying for the RDS CALs is the one using them. If other departments want to use RDS CALs, they can purchase their own.
If your license server is part of a workgroup, you probably don't have much to worry about, because only RD Session Host servers in the workgroup can use it. If the license server is in a domain, the license server is registered as a service connection point (SCP) in AD DS when the role service is installed. The license server will then show up as a "known license server" in RD Session Host Configuration when you begin adding license server(s). Because the license server is known, it's more easily accessible by RD Session Host servers in the same forest.

But there's also a way to ensure that only certain RD Session Host servers can allocate licenses from a particular RD License server. If your license server is part of a domain, then you can enable a group policy to limit RDS CAL disbursement to those RD Session Host servers that are part of the license server's Terminal Server Computers local computer group.

The Terminal Server Computers local computer group is created on the RD License server the first time the Remote Desktop Services Licensing Service starts. By default, this group is empty. To block rogue RD Session Host servers from stealing RDS CALs (or users in other departments from "borrowing" them), follow these steps.
1. Add RD Session Host servers to the Terminal Server Computers group on the RD License server.
2. Create a GPO and enable the Security Group setting of the RD License server.
3. Apply the GPO to the OU where the RD License server resides.
In Server Manager, expand Configuration/Local Users and Groups/Groups.

NOTE  If you install your license server on a domain controller, then the Terminal Server
Computers group is located in the AD DS/Users folder.

In the Terminal Server Computers group add the authorized RD Session Host server(s) to the group, and click OK. You must add the RD Session Host servers individually to this group—you can't group all the RD Session Host servers together and then add that group to the RD Session Host servers group.
You can also use Windows PowerShell to add RD Session Host server(s) to the Terminal Server Computers group with this command:

PS RDS:\> new-item -path licenseserver\terminalservercomputers -name <servername@domain>

Remove computers with this command:

PS RDS:\>remove-item -path licenseserver\terminalservercomputers\<servername@domain>

NOTE  Replace <servername@domain> with your server name and domain, such as
olympus@ash, for example.

On the domain controller, open the Group Policy Management console and create a new GPO named something descriptive, such as RD License Restrictions. Right-click the new GPO and choose Edit. Navigate to Computer Configuration/Administrative Templates/Windows Components/Remote Desktop Services/RDS Licensing. Locate the License Server Security group setting, double-click it, select Enable, and then click OK.
Apply this policy to the OU containing the RD License server and then reboot the license server.
If the License Server Security Group GPO is enabled and applied to the license server, the RD License server will show a message to that effect in the RD Licensing Configuration dialog box. To see the message, right-click the server and choose Review Configuration.

NOTE  If you want to specify that RD Session Host servers allocate CALs from different
license servers, then don’t add the RD License server role service to only servers that are
also DCs. If you do, then all license servers will allocate RDS CALs to servers added to the
Terminal Server Computers group in AD DS.

Preventing License Upgrades

An RD License server will always attempt to issue the most appropriate version of RDS CAL to an RD Session Host server that requests it on behalf of a connecting client. For example, if you have a license server with both Windows Server 2003 CALs and Windows Server 2008 R2 RDS CALs installed, and a client connects to a Windows Server 2003 terminal server, the RD Licensing server will attempt to issue a Windows Server 2003 CAL. But if the license server runs out of Windows Server 2003 CALs, it will issue an available RDS CAL instead. This is because RDS CALs can be used with the version of Windows for which they were made, as well as for any previous version back to Windows 2000.
It could be that you don't want your older systems to use RDS CALs when they run out of their own. You can choose to allow an RD License server to distribute only CALs that are made for the version of RD Session Host server or terminal server that the client accesses. Do this by enabling the following policy, either locally or via the Group Policy Management console:

Computer Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Services/RD Licensing/Prevent License Upgrade

If you enable this policy, then instead of distributing RDS CALs when lower version CALs would be more appropriate but are not available, the RD License server will issue temporary CALs, which will last 90 days. After 90 days, the client will be denied access if you are using Per-Device licensing.

Using the Licensing Diagnosis Tool

After setting up licensing so that your RD Session Host servers and RD License servers can find each other, you can double-check your work using the Licensing Diagnosis tool on the RD Session Host servers.
On the RD Session Host server, open the Remote Desktop Session Host Configuration console, and then click Licensing Diagnosis. The tool runs and produces a report like the one shown in Figure 12-9.

FIGURE 12-9  The Licensing Diagnosis tool gives RD Licensing specific information about problems.

The report shown in Figure 12-9 states that Licensing Diagnosis discovered that although this RD Session Host server is configured to use RDS Per-Device CALs, none are available. To get more details, click the entry for the license server located in the Summary window to show more details, like those shown in Figure 12-10.

FIGURE 12-10  Click on the discovered license server in the Licensing Diagnosis report summary section to get more RD Licensing information.

As you can see, Licensing Diagnosis reports on a few other items you might find useful for troubleshooting licensing issues or for getting quick RD Licensing information. The report also shows the following:
■ The version of the operating system that the RD License server is running
■ The Prevent License Upgrade Group Policy setting. If enabled, this GPO defines how RDS CALs are given to clients if no appropriate version of CAL is available for the client's operating system version. If no earlier version of RDS CAL is available for a pre-Windows Server 2008 R2 RD Session Host server connecting to your license server, by default the license server will issue an RDS CAL. If you don't want this to happen, then enable this GPO.
■ The License Server Security Group Policy setting. If this policy is enabled, then the RD Session Host server must be listed in the RD License server's Terminal Server Computers group to use the RD License server.
■ Which RDS CALs are installed and available. If you just want a quick glance at your RDS CAL availability, you can view it here instead of using the RDS Licensing Manager on the RD License server.

Summary
RDS licensing has changed in Windows Server 2008 R2, both to accommodate the addition of VMs (and the management tools many people want to support them) and to make the licensing more robust. This chapter has explained those changes and described best practices to keep licensing available, including the following:
■ Per-Device licensing for sessions is enforced, but Per-User licensing is tracked. VDI licensing is not enforced.
■ If you require VDI only, you might be able to use the VDI licensing CAL.
■ Discovery of other license servers is no longer an option. You must configure an RD Session Host server to use a license server or multiple license servers.
■ For maximum availability, we recommend having more than one license server, with the licenses split between them.
■ Use Group Policy to prevent unauthorized RD Session Host servers from consuming licenses.

Additional Resources
■ For more on SPLA, see http://www.microsoft.com/hosting/en/us/licensing/splabenefits.aspx.
■ For examples to help you understand VDA, see http://download.microsoft.com/download/7/8/4/78480C7D-DC7E-492E-8567-F5DD5644774D/VDA Brochure.pdf.

■ For an explanation of the licensing grace period, see http://technet.microsoft.com/en-us/library/cc738962(WS.10).aspx.
■ For more on RDS CALs, see http://technet.microsoft.com/en-us/library/cc753650.aspx.
■ Locate a number for the Microsoft Clearinghouse at http://support.microsoft.com/kb/291795.
■ For more information on backup and recovery in Windows Server 2008 R2, see http://technet.microsoft.com/en-us/library/dd979562(WS.10).aspx.
■ For information on how to move the system state to new hardware, see http://support.microsoft.com/kb/249694.

Index

A
access tokens, 43
Active Directory Users and Computers, 366, 611
AD DS (Active Directory Domain Services)
    creating test user accounts, 80
    personal virtual desktops, 214
    RDS Licensing and, 660
    RDS support, 35
    VDI support, 177
Add Features Wizard, 146
Add Roles Wizard, 135
Add-WindowsFeature cmdlet, 192, 194, 515
administrative lockouts, 599
Administrative Tools interface, 134–137
Aero Glass interface, 20, 22, 305
AES (Advanced Encryption Standard) algorithm, 409
Alias property, 466
allow list, 455–457, 469–470
applications
    adding to allow list, 455–457
    assigning to users, 468–469
    auditing usage, 633–637
    browser dependency, 165
    compatibility considerations, 21, 165, 218–222
    concurrent resource usage, 167
    delivering, 478–505
    device redirection and, 167
    distributing, 475–477
    editing icons, 467
    extracting names, 636
    installing, 166
    monitoring usage, 603–604
    MSI mode installation, 172–173
    overwriting user profile data, 170–171
    performance issues, 167
    populating shadow keys, 171–174
    pre-MSI mode installation, 172
    privacy issues, 167
    publishing and assigning, 454–475
    recording instances, 637
    restricting execution, 376–390
    storing data, 168
    terminating, 604–605, 640–641
AppLocker, 381–390
App-V, 176
Assign Personal Virtual Desktop Wizard, 213
audio redirection, 326–330
auditing
    application usage, 633–637
    AppLocker rules, 389–390
    logons, 639
    RD Gateway events, 526
authentication
    certificate considerations, 34
    Kerberos, 411
    NLA and, 136
    RD Gateway, 533–534
    server, 410–414, 418–419
authorization policies, 509–510, 515, 521
AWEs (Address Windowing Extensions), 41

B
backing up RD license servers, 665–667
Best Practices Analyzer, 162–164

677

www.it-ebooks.info
bidirectional audio

b d rect ona aud o, 329 command- ne too s, 595–597


branch offices, 18 nsta ng RD Sess on Host servers, 142–144
browsers prevent ng access, 372
app cat on dependency, 165 RDS support, 12
restr ct ng access to, 373–374 computer groups, 530–532
bus ness cont nu ty, 11 Configure V rtua Desktops W zard, 197
Contro Pane , restr ct ng access, 367
Copy To button, 254
C copy-on-wr te techn que, 54–56
cprofi e command, 597
cach ng CredSSP (Credent a Secur ty Serv ce Prov der),
graph cs remot ng and, 300 136, 405–408
Group Po cy, 269
user profi es, 231, 246–247, 269–275
CALs (c ent access censes)
confirm ng ava ab ty, 122–123
D
nsta ng, 660 data management See user accounts; user
m grat ng, 663–664 profi es
RDS L cens ng and, 31, 648–651, 657–659 ded cated red rectors, 446–447, 486–487, 530
restr ct ng access to, 671–672 dep oyments
revok ng, 670 configur ng sett ngs, 457–464
TS versus RDS, 645 de ver ng programs, 478–505
CD-ROMs, prevent ng access, 372 d str but ng programs, 475–477
cert ficates key concepts, 423–431
creat ng test, 411–414 pub sh ng and ass gn ng app cat ons,
d g ta , 459–464 454–475
RD Gateway and, 524 server farms, 431–454
RDS requ rements, 34 Desktop Exper ence, 142, 150
Change user command, 174 Desktop fo der, 245
ch d part t ons Desktop W ndow Manager Sess on Manager, 119
dev ce access, 64 desktops
memory management and, 61–62 AD DS schema requ rements, 214
processor a ocat on and, 61 ass gn ng, 212–214
C tr x Mu t W n, 2 connect ng to, 187
c ean rooms, 10 creat ng read-on y, 286
c ent, defined, 179 defined, 14
c ent-centr c remot ng, 301 d fferent at ng sess ons, 631
c ent/server arch tecture nam ng connect ons, 453–454
authent cat on cons derat ons, 410–416 poo ed, 14
dep oyment cons derat ons, 426–428 RemoteApp and Desktop Connect ons feature,
pass ng data, 128–131 20, 34, 502–505
c pboard red rect on, 316–318 remov ng cons, 372
command- ne management sav ng fi es to, 245
add ng arguments, 466–467 dev ce red rect on

678

www.it-ebooks.info
Group Policy

app cat ons and, 167 en ghtenments techno ogy, 64


c ent-s de ports and, 320–321 Event ID 1111, 358
configur ng ro e serv ce manua y, 200 extrapo at ng system requ rements, 91–93
enab ng for P ug and P ay, 150, 322–325
restr ct ng, 365–367
user exper ence and, 314–325
DFSS (Dynam c Fa r Share Schedu ng), 13, 24
F
DHCP (Dynam c Host Configurat on Protoco ), 156 farms See server farms
d g ta cert ficates, 459–464 fi e system red rect on, 318–319
D r cmd et, 152 F e System V rtua Channe Extens on, 318
d saster recovery, 11 fi es, sav ng to desktop, 245
d sk m rror ng, 58 fi ter ng GPOs, 266
d sk performance, app cat on de very and, 56–59 FIPS (Federa Informat on Process ng Standard),
DoS (den a -of-serv ce) attacks, 136 409
dra n mode, 619 firewa s, 205, 582
DVCs (dynam c v rtua channe s), 34, 296, 298 floppy dr ves, prevent ng access, 372
fo der red rect on
centra z ng persona data w th, 275–278

E enab ng, 269


troub eshoot ng t ps, 287
Easy Pr nt techno ogy user profi es and, 243
64-b t cons derat ons, 42 fo ders
arch tectura overv ew, 342–344 assoc at on w th profi es, 233–236
extend ng to c ent p atforms, 23 de et ng profi e, 273
Gener c Text On y mode, 359 nam ng for user profi es, 249
m tat ons, 350–354 Forefront Threat Management Gateway (TMG),
pr nter red rect on, 321 31, 526, 581
pr nt ng process, 347–350
remov ng dr vers, 350
requ rements, 344–347
troub eshoot ng ssues, 358–359
G
EFS (Encrypted F e System), 409 GDI pr nters, 335
ema a erts, 637 Get-Ch dItem cmd et, 452
encrypt on GPMC (Group Po cy Management conso e), 259
configur ng, 418–419 GPOs (Group Po cy objects)
RDP support, 409–410 b ock ng nher tance, 259
endpo nts creat ng, 260
configur ng, 220 secur ty fi ter ng, 266
contro ng pr nter red rect on, 355 graph cs remot ng, 299–305
defined, 179 green comput ng, 11
d sconnected sess on t me m ts, 222 Group Po cy
d str but ng dr vers to, 351–352 cach ng, 269
mapp ng dr ver names, 352–354 configur ng connect on secur ty, 419–420
RDP FAQs, 306 contro ng process ng, 258–261
defin ng roam ng profi es, 267–268

679

www.it-ebooks.info
Group Policy

jo n ng servers to farms, 450–451


m t ng profi e s ze, 246
K
oopback po cy process ng, 258, 262–264 Kerberos authent cat on, 411
manag ng pr nt sett ngs, 355–356 keys, defined, 229
manag ng roam ng profi es, 257–266
process ng asynchronous y, 247
RD Gateway authent cat on and, 533–534 L
Remote Contro sett ngs, 610, 612–614
restr ct ng dev ce/resource red rect on, anguage bar red rect on, 295
365–366 Last Wr te W ns prob em, 241
updat ng, 262 LDAP (L ghtwe ght D rectory Access Protoco ), 623
brar es, contro ng, 375–376
cens ng See RDS L cens ng

H L cens ng D agnos s too , 673–675


oca profi es
hard dr ves, restr ct ng access, 374–375 ba ance flex b ty and ockdown, 243
hard page fau ts, 52 convert ng to roam ng profi es, 254
HKCU (HKEY CURRENT USER) creat ng, 228
defined, 229 decreas ng ogon t mes, 286–287
env ronment changes and, 229 defined, 227
sess on data and, 231 stor ng, 243
subkeys sted, 229 troub eshoot ng prob ems, 243
HKLM (HKEY LOCAL MACHINE), 229 Loca Sess on Manager, 119
host-centr c remot ng, 302 Loca System Author ty, 119
HTTPS-HTTP br dg ng, 527 ogoff scr pts, 253
Huffman compress on, 303 ogons
Hyper-V aud t ng, 639
app cat on compat b ty and, 218–222 configur ng user ogon mode, 154–155
RD V rtua zat on Host and, 34, 59 d sab ng, 619–621
VDI support, 178 enab ng, 126–127
Hyper-V Manager, 184, 602 RD Web Access, 498–500
hyperv sors, 60 s ng e s gn-ons, 22, 416
speed ng up, 268–275, 286–287
oopback po cy process ng, 258, 262–264
I
IIS (Internet Informat on Serv ces), 26, 34
mpersonat on nformat on, 43
M
Import-Modu e cmd et, 192, 452, 469 mandatory profi es
nher tance, b ock ng for GPOs, 259 ba ance flex b ty and ockdown, 243
IP v rtua zat on, 13, 155–157 convert ng roam ng profi es to, 283
ISA (Internet Secur ty and Acce erat on) Server, 31 creat ng, 284–286
decreas ng ogon t mes, 286–287
defined, 228
fo der red rect on and, 237

680

www.it-ebooks.info
Performance Monitor

secur ty and, 282 enab ng Remote Desktop, 204


sett ng standards, 281 ogon process and, 124
MDOP (M crosoft Desktop Opt m zat on Pack), NLB (Network Load Ba anc ng)
647 choos ng affin ty sett ngs, 540
memory d str but ng connect ons, 432
ch d part t ons and, 61–62 funct ona ty, 441–445
RD Sess on Host requ rements, 67 RD Gateway support, 537–541
shar ng, 54–56 RR DNS compar son, 433
thrash ng and, 54 NLB Manager, 441
v rtua address space, 45–46 non-paged poo , 53
memory manager, 48, 54 NPS (Network Po cy Server), 509, 545–553
M crosoft RemoteFX, 301 NSCodec, 303
M crosoft Term na Serv ces See Term na Serv ces NTDLL d , 169
M crosoft W ndows Insta er, 13 NTUSER DAT fi e, 226, 239
mon tor spann ng, 21 NTUSER MAN fi e, 226
mon tor ng
app cat ons, 603–604
connect ons w th RD Gateway, 534–537
sess ons, 605–610
O
MPPC (M crosoft Po nt-to-Po nt Compress on), orchestrat on, 179, 184
304 orphaned sess ons, 608–610
MSI fi es, d str but ng, 476–477 OUs (organ zat ona un ts), 259
MTP (Med a Transfer Protoco ), 325 outsourc ng, 19
mu t med a, 22, 328–329
mu t -mon tor remot ng, 21, 292, 428–431
mu t p e user profi es, 241 P
PAEs (Phys ca Address Extens ons), 41
page fi es, 52–53
N page tab es, 49
NAP (Network Access Protect on) parent part t ons, 61
funct ona ty, 31 PDUs (protoco data un ts), 299
RD Gateway and, 554–573 performance
troub eshoot ng, 575–576 app cat on ssues, 167
NATs (Network Address Trans ators), 30 d sk, 56–59
network defau t profi es, 256 tun ng for RDP, 304
network requ rements, 68 VM cons derat ons, 65
network shares, roam ng profi es, 248 Performance Mon tor
NIST (Nat ona Inst tute of Standards and Techno - best pract ces, 72
ogy), 409 co ect ng data, 71–75
NLA (Network Leve Authent cat on) configur ng, 88
authent cat ng c ent dent ty, 415–416 rev ew ng data, 75–77
configur ng, 418 rev ew ng report, 90
DoS and, 136 start ng, 88
stopp ng, 90

681

www.it-ebooks.info
peripheral media

tak ng base ne capture, 88 RD Sess on Host and, 68


per phera med a, restr ct ng access, 372 profi e cach ng
perm ss ons manag ng, 270–275
configur ng, 206–208 profi e b oat and, 269
RD Web Access, 496 roam ng profi es and, 247
roam ng profi es, 248 speed ng up ogons and, 231, 246
phys ca memory, 45, 48–52 profi es See user profi es
PIDs, 43 PTE (page tab e entry), 49
p acement, defined, 179 PTP (P cture Transfer Protoco ), 325
P ug and P ay, 150, 322–325 pub c computers, 10, 17
poo ed desktops, 14 pub sh ng
poo ed VMs nfrastructure cons derat ons, 178
configur ng propert es, 216–218 v a RemoteApp Manager, 454–475
connect ng to, 185–186, 215
creat ng, 209–211
dep oy ng, 212
fo der red rect on and, 237
Q
organ z ng nto OUs, 259 query process command, 636
ro ng back, 208, 243 query sess on command, 632
troub eshoot ng connect ons, 223 quest, defined, 179
user profi es and, 251
Pr nter Dr ver Iso at on feature, 356–358
pr nt ng R
from RDS, 344–350
mapp ng dr ver names, 352–354 RADIUS errors, 573
pr nter red rect on, 321, 337–344, 354–358, RAID d sks, 58–59
366 RD CAPs
restr ct ng dr ver nsta at on, 368 choos ng NPS store, 525
to d rect y connected pr nters, 335–337 creat ng, 516–518
troub eshoot ng ssues, 358–359 stor ng, 509, 545–553
processes RD Connect on Broker
defined, 43 centra ro e, 179
dent fy ng, 129 configur ng, 197–203
mage names and, 43 funct ona ty, 18, 27–29, 182–184
key system, 125 mport ng VM farms, 602
st ng on servers, 636 nsta ng, 193–194
mon tor ng and term nat ng, 602–605 RD Sess on Host and, 440–447
PIDs and, 43 RD Web Access and, 485
support ng W ndows env ronment, 128 RDS support, 24
processor cyc es/t me rout ng speed, 438
a ocat ng, 145–162 server farms and, 433–439
ch d part t ons and, 61 s z ng cons derat ons, 96
HTTPS-HTTP br dg ng, 527 RD Gateway
overv ew, 43–44 aud t ng events, 526
bypass ng for nterna connect ons, 533

682

www.it-ebooks.info
RD Virtualization Host

configur ng sett ngs, 458, 521–537 Configure Later opt on, 138
forc ng RDC connect ons, 494 configur ng, 144–164, 458
funct ona ty, 16, 29–31, 507–512 configur ng Performance Mon tor, 88
IIS requ rements, 34 configur ng secur ty sett ngs, 417
nsta ng, 512–521 creat ng sess ons, 119–134
ma nta n ng dent ca sett ngs, 543–554 dep oyment cons derat ons, 424, 439
messag ng support, 528–530 determ n ng system requ rements, 66–99
mon tor ng connect ons, 534–537 enab ng Remote Contro , 614–615
NAP support, 554–573 extrapo at on as test ng a ternat ve, 91–93
NLB support, 537–541 funct ona ty, 24–25
p ac ng, 576–585 gett ng server names, 634
RDS support, 24 mproved funct ona ty, 13
requ rements, 510–512 nsta ng app cat ons, 164–174
server farms and, 510, 530–532 nsta ng servers, 134–144
s z ng cons derat ons, 96 jo n ng servers to farms, 447–454
sp t SSL connect ons, 542 keep ng ava ab e, 393–394
SSL br dg ng and, 526 st processes on servers, 636
troub eshoot ng connect ons, 573–576 ock ng down servers, 377
tun ng propert es, 522–530 management too s, 590–600
RD Gateway Manager, 31, 516, 534 manag ng profi e cache, 270–275
RD Load S mu at on Too (RDLST) manag ng servers, 599–600, 624–629
configur ng test parameters, 81–87 memory cons derat ons, 45–56
creat ng test accounts, 80 merger/outsourc ng support, 19
creat ng USER ACTIVITY scr pt, 81 poo ed desktops and, 14
funct ona ty, 77–79 processor cyc es, 43–44
nsta ng agents, 79 RD Connect on Broker and, 440–447
Performance Mon tor and, 88, 90–91 RD Web Access and, 484
s mu at ons and, 88–161 RDS L cens ng and, 662–663
start ng agents, 81 RDS support, 24
tak ng base ne capture, 88 restart ng servers, 624–629
RD RAPs roam ng profi es, 250
assoc at ng w th computer groups, 531–532 serv ces support ng, 117–119
configur ng store, 553–554 shutt ng down servers, 624–629
creat ng, 519–520 user exper ence, 332–334
troub eshoot ng, 574 RD V rtua zat on Host See also VDI (V rtua Desk-
RD Sess on Host See also VDI (V rtua Desktop top Infrastructure)
Infrastructure) 64-b t cons derat ons, 42
64-b t cons derat ons, 41–42 app cat on de very and, 40
app cat on de very and, 40 configur ng RDP perm ss ons, 206–208
app cat on support, 101–109 funct ona ty, 25–26
best pract ces, 25 Hyper-V and, 34, 59
cach ng Group Po cy, 269 nsta ng, 190–192
cert ficate cons derat ons, 34 nsta ng v a W ndows PowerShe , 192
c os ng server back doors, 369–375 RDS support, 24

683

www.it-ebooks.info
RD Web Access

s z ng cons derat ons, 95–96 protoco data un ts, 299


RD Web Access RD Gateway support, 30
chang ng d sp ay, 492 tun ng performance, 304
configur ng, 195–197, 482–488 v rtua channe s, 296–299
custom z ng, 488–495 W ndows 2000 and, 3
desktop connect ons, 502–505 RDP fi es
funct ona ty, 26–27 connect ng users v a, 13
IIS requ rements, 26, 34 creat ng, 215
nsta ng ro e serv ce, 481–482 d str but ng, 475
p ac ng, 576–578 ed t ng, 221
RDS support, 24 sett ng cons derat ons, 464
RemoteApp and Desktop Connect ons feature, shar ng, 182
502–505 s gn ng, 459–464, 472–474
RemoteApp support, 465, 502–505 unknown pub shers and, 490
secur ty and, 17 RDPs gn exe too , 472–474
s z ng cons derat ons, 96 RDS (Remote Desktop Serv ces)
sources for, 478–481 app y ng management too s, 631–641
troub eshoot ng perm ss ons, 496 dep oy ng roam ng profi es, 248–288
VDI support, 176 evo v ng remote c ent access, 6–7
webs te usage, 497–502 funct ona ty, 7–12
RDC (Remote Desktop Connect on) egacy pr nt ng mode , 338–342
c ent connect on, 33–34 new features, 12–32
configur ng opt ons, 488–489 or g ns, 2–7
connect ng for adm n strat on purposes, 598 pr nt ng from, 344–350
custom z ng sett ngs, 491 RDC support, 119
forc ng connect ons, 494 ro e support ng, 32–35
funct ona ty, 33 UserMode Port Red rector, 118
user exper ence and, 293–296, 330–334 RDS App cat on Ana yzer, 102–106
vers on cons derat ons, 109–113, 330–334 RDS L cens ng
RDP (Remote Desktop Protoco ) act vat ng server, 653–655
c ent connect on, 33–34 act vat ng w th W ndows PowerShe , 655–656
compress ng data, 302–303 add ng servers to AD DS, 660
configur ng perm ss ons, 206–208 ass gn ng RDS CALs, 648–651
creat ng firewa except ons, 205 back ng up servers, 665–667
defin ng c ent user exper ence, 293–296 configur ng sett ngs, 157–160
enab ng, 204–205 creat ng redundancy, 665–667
encrypt on support, 409–410 d agnost cs too , 673–675
FAQs, 306 funct ona ty, 31–32, 644–645
funct ona ty, 33 nsta ng server, 652
graph cs remot ng, 299–305 manag ng usage, 667–672
h gh-fide ty over, 18 m grat ng CALs, 663–664
network requ rements, 68 mode cons derat ons, 100–101, 644
new features, 292 prevent ng upgrades, 673
pr nt ng cons derat ons, 334–359 RD Sess on Host and, 662–663

684

www.it-ebooks.info
roaming profiles

RDS support, 24 RemoteApp and Desktop Connect ons feature, 20,


rebu d ng server database, 665 34, 502–505
report ng usage, 667–672 RemoteApp Manager
server connect on methods, 653 add ng app cat ons to a ow st, 455–457
sett ng up nfrastructure, 651–663 Common RDP Sett ngs tab, 464
spec fy ng servers, 159–160 configur ng dep oyment sett ngs, 457–464
track ng and enforc ng, 648 configur ng t meouts, 471–472
Recyc e B n, 237 Custom RDP Sett ngs tab, 464
refresh nterva , 262 d str but ng MSI fi es, 476–477
reg ster command, 597 d str but ng RDP fi es, 475
reg stry, system See system reg stry ed t ng propert es, 464–469
reg stry reflect on, 170 ma nta n ng a ow sts, 469–470
reg stry v rtua zat on, 107 sett ng s gnature po c es, 474
regu atory comp ance, 19 s gn ng RDP fi es, 472–474
Remote Contro too , 394–398, 610–619 RemoteApp techno ogy
Remote Desktop Connect on Manager, 212, 216 A as property, 466
Remote Desktop IP V rtua zat on feature, 13 configur ng dep oyment sett ngs, 457–464
Remote Desktop Protoco See RDP (Remote connect v ty exper ence, 331–332
Desktop Protoco ) de ver ng programs, 478–505
Remote Desktop Serv ces See RDS (Remote Desk- d fferent at ng sess ons, 631
top Serv ces) d str but ng programs, 475–477
Remote Desktop Serv ces Manager funct on, 424–425
funct ona ty, 591–593 funct ona ty, 15–16
organ z ng servers, 600–602 Hyper-V support, 218–222
send ng user messages, 622 ntegrat ng, 17, 20
Status d a og box, 594 ock ng down servers, 364
Remote Desktop Sess on Host Configurat on too mu t p e mon tors and, 428–431
check ng configurat on, 162–164 nam ng connect ons, 453–454
configur ng connect on secur ty, 417–420 poo ed desktops and, 15
configur ng IP v rtua zat on, 155–157 RD Web Access and, 500–502
genera sess on sett ngs, 153–155 sess on t meouts, 471–472
jo n ng servers to farms, 447–450 RemoteFX (M crosoft), 301
cens ng sett ngs, 157–160 report ng cense usage, 667–672
open ng, 150–153 resource usage
protoco -spec fic sett ngs, 160–162 concurrent, 167
Remote Contro sett ngs, 611 red rect on pros and cons, 313–314, 365–367
restr ct ng red rect on, 367 v rtua zat on and, 59–65
Remote Desktop Users group, 178, 204–205 RFC 2118, 304
Remote Serv ce Management, 205 roam ng profi es
remote sess ons ba ance flex b ty and ockdown, 243
add ng c ent dev ces, 307–313 cach ng, 246–247
enumerat ng pr nters, 338–341 centra z ng persona data, 275–278
pr nt ng from, 341–342 configur ng paths for VMs, 268
convert ng to, 254

685

www.it-ebooks.info
rolling back VMs

convert ng to mandatory profi es, 283 server farms


creat ng, 248–253 cach ng Group Po cy, 269
custom z ng, 255–257 connect on broker ng and, 433–439
defined, 228 creat ng test cert ficates, 411–414
defin ng w th Group Po cy, 267–268 dep oyment cons derat ons, 431–432
manag ng w th Group Po cy, 257–266 d str but ng n t a connect ons, 432–433
manag ng w thout adm n access, 253 ma nta n ng a ow sts, 469–470
read-on y desktops and, 286 ma nta n ng dent ca sett ngs, 543–554
sett ng standards, 281–283 organ z ng n OUs, 259
shar ng fo ders, 279–280 RD Gateway and, 525, 530–532
speed ng up ogons, 268–275 RD Web Access and, 484
ro ng back VMs, 186–187, 208, 243 RDS support, 18
RPCs (remote procedure ca s), 205 s ng e s gn-ons, 22, 416
RR DNS (round rob n DNS), 432–433, 440, 530 Server Manager, 190, 193, 305
RSAT (Remote Server Adm n strat on Too s), 593, Serv ces and Contro er App cat on, 119
599–600 Sess on Manager, 119
sess ons
adjust ng genera sett ngs, 153–154
S bas c graph cs remot ng and, 299
c os ng orphaned, 608–610
SA (Software Assurance), 646 commun cat ng w th servers, 130–131
SCCM (System Center Configurat on Manager), configur ng t me m ts, 222, 471–472
647 connect ng to d sconnected, 186
SCOM (System Center Operat ons Manager), 647 creat ng, 121–124
SCVMM (System Center V rtua Mach ne Man- creat ng base env ronments, 127–128
ager), 647 d fferent at ng, 631
secur ty See also authent cat on d sconnect ng, 609
app cat on execut on and, 376–378 enab ng user ogons, 126–127
core techno og es, 402–408 fo der red rect on and, 244
fi ter ng GPOs, 266 dent fy ng processes, 129
nformat on, 8 key processes oaded at boot t me, 119–121
ock ng down servers, 364–376 manag ng, 590, 631–641
mandatory profi es and, 282 mon tor ng and end ng, 605–610
RD Gateway and, 31 overv ew d agram, 132–134
RD Sess on Host and, 393–394, 417–420 RDP FAQs, 307
RD Web Access and, 17 reg stry data and, 231
RDP encrypt on, 409–410 remote contro of, 394–398, 610–619
RDS support, 8–9 ro e of serv ces n, 124–126
read-on y Start menu and, 391–392 send ng updates when act ve, 305
remote contro of sess ons, 394–398 server ma ntenance and, 619–629
Se fSSL exe too , 413–414 sett ng sess on count, 154
SendKeys method, 81 sett ng t me m ts, 394
Ser a and Para e Port V rtua Channe Extens on, shadow ng, 615–619
320 speed ng up ogons, 246

686

www.it-ebooks.info
thin clients

structure cons derat ons, 128–129 system arch tecture


sw tch ng between, 606–607 app cat on de very systems, 40–41
system support, 119 c ent use profi es, 99–114
term nat ng, 609–610 determ n ng system requ rements, 66–99
Set-Item cmd et, 453 pass ng data, 128–131
SHA-1 (Secure Hash ng A gor thm), 409 W ndows Server nterna s, 41–65
shadow keys system cache, 57
defined, 168 system processes, 125
d sab ng reg stry wr tes, 171 system reg stry
ed t ng t mestamps, 170 env ronment changes and, 229
popu at ng, 171–174 prevent ng access, 368–369
remov ng sect ons, 171 reg stry reflect on, 170
shadow ng sess ons reg stry v rtua zat on, 107
funct ona ty, 615–617 se ect ve y d sab ng wr tes, 171
troub eshoot ng, 617–619 up oad ng sett ngs n background, 246
shared fo ders, 278–280 user profi es and, 229–232
shared memory, 54–56 system requ rements
SIDs (secur ty dent fiers), 231 des gn ng ve test, 69–70
s mu at ons, 88–90 execut ng tests, 70–77
s ng e s gn-ons for server farms, 22, 416 extrapo at ng, 91–93
s z ng cons derat ons overv ew, 66
RD V rtua zat on Host, 95–96 RD Load S mu at on Too , 77–91
server s z ng, 93–95 s z ng cons derat ons, 93–99
user profi es, 236, 246, 270
SRPs (Software Restr ct on Po c es), 378–381
SSL (Secure Sockets Layer), 17, 402, 542
SSL br dg ng, 526
T
SSL cert ficates, 524 Task Manager, remov ng access, 373
SSL offload ng and term nat on, 527 te ecommut ng, 9–10, 16–17
Start menu Term na Serv ces
connect ng to RemoteApp, 504 evo ut on of, 1, 3–4
ntegrat ng RemoteApps nto, 20 mapp ng to RDS, 5
read-on y, 391–392 pr nter dr vers and, 23
restr ct ng access, 369–371 v rtua z ng, 34
stat c v rtua channe s, 296–299 term nat ng
Status of Te ework Report to the Congress, 9 app cat ons, 604–605, 640–641
stor ng sess ons, 609–610
app cat on data, 168 tests
oca profi es, 243 des gn ng, 69–70
RD CAPs, 509, 545–553 execut ng, 70–77
user profi es, 56, 237–241 extrapo at on as a ternat ve, 91–93
str pe sets w th par ty, 59 NAP w th RD Gateway, 571–573
swap fi es, 52–53 RD Load S mu at on Too , 77–91
Sysprep command, 256 th n c ents, 10, 99–100

687

www.it-ebooks.info
thrashing

thrash ng, 54 c ent hardware, 99–100


threads, processes and, 43 compartmenta z ng, 244
t me zone red rect on, 325 contents externa to reg stry, 233–239
t meouts, sess on, 222, 471–472 creat ng, 228–233
t mestamps, ed t ng for shadow keys, 170 creat ng mandatory, 284–286
TLS (Transport Layer Secur ty), 402–405 custom z ng, 255–257
Tr p e Data Encrypt on Standard (3DES), 409 decreas ng ogon t mes, 286–287
troub eshoot ng defined, 226
oca profi es, 243 des gn gu de nes, 242–248
poo ed VM connect ons, 223 fo der red rect on and, 243
pr nt ng ssues, 358–359 fo ders assoc ated w th, 233–236
RD Web Access perm ss ons, 496 funct ona ty, 226
shadow ng sess ons, 617–619 Last Wr te W ns prob em, 241
user profi es, 287 cense mode s, 100–101
TS Gateway (Term na Serv ces Gateway), 16 mu t p e, 241
TSAppCompat component, 173 nam ng fo ders, 249
tsshutdn command, 597 overwr t ng data, 170–171, 241
prov d ng cons stent env ronment, 241
read-on y desktops and, 286
U reg stry and, 229–232
sett ng standards, 281–283
UDP (User Datagram Protoco ), 326 shar ng fo ders, 278–280
Unattend xm fi e, 255 s ze cons derat ons, 236, 246, 270
user accounts stor ng, 56, 237–241
configur ng roam ng profi es, 250 troub eshoot ng t ps, 287
creat ng test accounts, 80 types of, 227–228
enab ng Remote Contro , 611 v rtua mach nes and, 237, 251
USER ACTIVITY scr pt, 81
user exper ence
add ng to remote sess ons, 307–313
defin ng for c ents, 293–296
V
dev ce and fi e system red rect on, 314–325 VDA cens ng, 646
graph cs remot ng and, 299–305 VDI (V rtua Desktop Infrastructure)
p ay ng aud o, 326–330 ass gn ng persona desktops, 212–214
pr nt ng w th RDP, 334–359 configur ng propert es, 216–218
RDC vers on and, 330–334 configur ng RD Connect on Broker, 197–203
RDP support, 296–299 configur ng RD Web Access, 195–197
red rect ng resources, 313–314 creat ng poo s, 209–211
User Profi e H ve C eanup Serv ce, 247 funct ona ty, 4–5, 175–212
user profi es See also roam ng profi es nsta ng RD Connect on Broker, 193–194
app cat on support, 101–109 nsta ng RD V rtua zat on Host, 190–192
cach ng, 231, 269–275 nsta ng support ng ro es, 188
caut ons de et ng, 247 cens ng cons derat ons, 646–647
change cons derat ons, 232–233 M crosoft supported, 178–188
sett ng up VMs, 203–209

688

www.it-ebooks.info
XPS printers

VDI L cens ng, 646–648


VECD cense, 646
W
v rtua address space, 45–46 WebSSO, 488
v rtua channe s W n32k sys dr ver, 132
defined, 34, 295–296 W ndows 2000 Server, 3
dynam c, 34, 296, 298 W ndows Automat c Updates, 369
F e System V rtua Channe Extens on, 318 W ndows Exp orer, 273
Ser a and Para e Port V rtua Channe Exten- W ndows Insta er, 13
s on, 320 W ndows PowerShe
stat c, 296–299 act vat ng RDS L cens ng, 655–656
V rtua Desktop Infrastructure See VDI (V rtua configur ng RD Gateway, 543–545
Desktop Infrastructure) ed t ng propert es, 469
v rtua mach nes See VMs (v rtua mach nes) nsta ng RD Gateway, 515
v rtua memory nsta ng RD V rtua zat on Host, 192
defined, 45 jo n ng servers to farms, 452–453
funct ona ty, 52–53 W ndows Server 2003, 3
mapp ng to phys ca memory, 48–52 W ndows Server 2008
v rtua zat on 64-b t cons derat ons, 41, 169
hyperv sor support, 60 nterna s overv ew, 41–65
IP, 13, 155–157 mapp ng TS names, 5
profi e storage and, 237–239 RDS and, 4–5
RDS support, 97–99 recommended nsta at on opt ons, 164
reg stry, 107 W ndows Startup Manager, 119
resource usage and, 59–65 W ndows System Resource Manager See WSRM
VMs (v rtua mach nes) See also poo ed VMs; VDI (W ndows System Resource Manager)
(V rtua Desktop Infrastructure) WMI (W ndows Management Instrumentat on), 12
ass gn ng persona desktops, 212–214 WMIC too , 208
configur ng propert es, 216–218 WSRM (W ndows System Resource Manager)
configur ng roam ng profi e paths, 268 a ocat ng processor t me, 145
de ver ng, 478–505 configur ng, 146–149
dep oy ng, 212 funct ona ty, 21
fo der red rect on and, 244 nsta ng, 146
h bernat ng, 28 WTS API, 184
host ng, 34
manag ng, 590
orchestrat ng, 184 X
organ z ng, 600–602
performance cons derat ons, 65 XP Mode feature, 219
RD V rtua zat on Host and, 40 XPS pr nters, 335
RDS support, 14–15, 97–99
resource usage and, 25
ro ng back, 186–187, 208, 243
sett ng up, 203
user profi es and, 237, 251

689

www.it-ebooks.info
www.it-ebooks.info
About the Authors

KRISTIN GRIFFIN was born in California and grew up a military brat, part of a loving and happy family. She has worked with Terminal Services/Remote Desktop Services since Windows 2000 and has implemented RDS for a diverse set of customers, including distributors, law offices, and commercial contracting firms. Formerly a senior IT consultant for a Virginia-based Internet and application service provider, she is now a Seattle-based independent consultant and author. Kristin was honored to receive the Microsoft MVP award for Remote Desktop Services beginning in 2009. You can find her answering questions on the Microsoft RDS Technet Forum (http://social.technet.microsoft.com/Forums/en/winserverTS/threads). She also keeps a blog concentrated on RDS tips, setup, and troubleshooting advice at blog.kristingriffin.com. In her spare time Kristin enjoys photography, computer graphics, camping, traveling, stained glass, woodworking, and buying more tools from the hardware store. Most of all she enjoys being with her family. She takes her German shepherd dog with her wherever she goes.

A former military brat, CHRISTA ANDERSON lived in various places in the western United States until a visit to Virginia ended in a 20-year stay on the East Coast. She returned to Seattle in 2007, where she enjoys the arts and outdoors in a city with a lot of both. Christa’s interest in travel and environmental issues contributed to her enthusiasm for presentation remoting, beginning with Citrix WinFrame in the middle 1990s. A former Terminal Services MVP and freelance technical author and speaker for over a decade, she is now a program manager on the Remote Desktop Virtualization team at Microsoft. She promises to talk about something other than the book now.

System Requirements

To use this book’s companion CD-ROM, you need a computer equipped with the following minimum configuration:
■ Microsoft Windows Server 2008 R2, Windows Server 2008, Windows 7, Windows Vista, Windows Server 2003, or Windows XP
■ An appropriate processor (depending on the minimum requirements of the operating system)
■ At least 2 GB of system memory (depending on the minimum requirements of the operating system)
■ A hard disk partition with at least 1 GB of available space
■ Appropriate video output device
■ Keyboard
■ Mouse or other pointing device
■ Optical drive capable of reading CD-ROMs
Some items on the companion media have specific requirements. The companion CD-ROM contains numerous links to scripts, tools, Knowledge Base articles, and other information. To view these links, you will need a Web browser and Internet access.
The companion CD-ROM also includes scripts that are written in VBScript (with a .vbs file extension), Windows PowerShell (with a .ps1 file extension) and a few batch files. The Windows PowerShell scripts require that you have Windows PowerShell 2.0 installed. To run these scripts, your system must meet the following additional requirements:
■ Windows Server 2008 R2 and Windows 7 include Windows PowerShell 2.0. For Windows XP SP3, Windows Vista SP1, and Windows Server 2003 you must download and install Windows PowerShell 2.0. The Windows PowerShell 2.0 download is located at http://support.microsoft.com/kb/968929.
■ Scripts intended for execution on the local server that depend on specific counters and interfaces will not execute correctly unless the appropriate Remote Desktop Services role service is installed. (For example, a script that queries RD Gateway interfaces will not return results unless the RD Gateway role service is installed.)
The scripts on the CD are not signed. To run them on your computer, we recommend setting the Windows PowerShell Execution Policy to “RemoteSigned.” To do this, start Windows PowerShell and type Set-ExecutionPolicy RemoteSigned.

This setting will allow you to run the scripts on the CD, and it is more secure than setting this policy to “Unrestricted.”

NOTE  For more information on using the Set-ExecutionPolicy cmdlet see: http://www.microsoft.com/technet/scriptcenter/topics/msh/cmdlets/set execution policy.mspx.

When you run a Windows PowerShell script, you need to provide the full path to the script. To use the VBScript scripts and batch files, double-click them, or execute them directly from a command prompt.
Finally, the CD contains a few files created in Visio 2010, so you will need to have the Visio 2010 viewer to view these files. It also contains a few PDF files, so you will need a PDF reader to view these files.
