PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
Copyright © 2010 by Christa Anderson
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.
Library of Congress Control Number: 2010934986
Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/mspress. Send comments to mspinput@microsoft.com.
Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
This book expresses the author’s views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.
I dedicate this book to my family, who has always been supportive, always pushes me to do my very best I can do, and always has a “Go team!” waiting when I really need one.
—Christa
I dedicate this book to Elizabeth Nelson Lyda and Michael B. Smith for taking me under your wing back in the day, and for always believing in me. You were great mentors and are great friends.
—Kristin
Contents at a Glance
Acknowledgments xv
Introduction xvii
Index 677
Contents
Acknowledgments xv
Introduction xvii
Chapter 2 Key Architectural Concepts for Remote Desktop Services 39
Know Your Application Delivery System . . . . . . . . . . . . . . . . . . . . . . . . 40
RD Session Host Servers 40
RD Virtualization Host Servers 40
Relevant Windows Server 2008 R2 Internals . . . . . . . . . . . . . . . . . . . . . . 41
Windows Server 2008 R2 Is 64 Bit Only 41
How Does an RD Session Host Server Dole Out Processor Cycles? 43
How Do RD Session Host Servers Use Memory More Efficiently? 45
How Does Disk Affect Application Delivery? 56
How Does Virtualization Affect Resource Usage? 59
Determining System Requirements for RD Session Host Servers . . . . . . . . . . . . 66
Designing a Live Test 69
Executing the Tests 70
Using the RD Load Simulation Tool 77
An Alternative to Full Testing: Extrapolation 91
Other Sizing Questions 95
Supporting Client Use Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Client Hardware: PC or Thin Client? 99
What Is the Best License Model? 100
What Applications Can Run on an RD Session Host Server? 101
What Version of Remote Desktop Connection Do I Need? 109
What Role Services Do I Need to Support My Business? 114
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Speed Up Logons 246
Deploying Roaming Profiles with Remote Desktop Services . . . . . . . . . . . . . . . . 248
Creating a New Roaming Profile 248
Converting an Existing Local Profile to a Roaming Profile 254
Customizing a Default Profile 255
Using Group Policy to Manage Roaming Profiles 257
Using Group Policy to Define the Roaming Profile Share 267
Speeding Up Logons 268
Centralizing Personal Data with Folder Redirection 275
Sharing Personal Folders Between Local and Remote Environments 278
Sharing Folders Between Windows Server 2003 and Windows Server 2008 R2 Roaming Profiles 279
Setting Standards with Mandatory Profiles 281
Converting Existing Roaming Profiles to Mandatory Profiles 283
Creating a Single Mandatory Profile 284
Creating a Safe Read-Only Desktop 286
Decrease Logon Times with Local Mandatory Profiles 286
Profile and Folder Redirection Troubleshooting Tips . . . . . . . . . . . . . . . . . . . 287
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Restricting Device and Resource Redirection 365
Preventing Users from Reconfiguring the Server 367
Preventing Access to the Registry 368
Closing Back Doors on RD Session Host Servers 369
Controlling Libraries 375
Preventing Users from Running Unwanted Applications . . . . . . . . . . . . . . . . . . 376
Using Software Restriction Policies 378
Using AppLocker 381
Creating a Read-Only Start Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Keeping the RD Session Host Server Available . . . . . . . . . . . . . . . . . . . . . . 393
Allowing or Denying Access to the RD Session Host Server 393
Limiting the Number of RD Session Host Server Connections 393
Setting Session Time Limits 394
Taking Remote Control of User Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Distributing Initial Farm Connections 432
Connection Brokering in a Farm Scenario 433
RDS Farm Connection Brokering in Action 434
Deploying RD Session Host Farms 439
Permit RD Session Host Servers to Join RD Connection Broker 440
Join RD Session Host Servers to a Farm 447
Publishing and Assigning Applications Using RemoteApp Manager . . . . . . . . . . . . . 454
Adding Applications to the Allow List 455
Configuring Global RemoteApp Deployment Settings 457
Editing RemoteApp Properties 464
Maintaining Allow List Consistency Across the Farm 469
Configuring Timeouts for RemoteApp Sessions 471
Signing Already Created RDP Files 472
Setting Signature Policies 474
Distributing RemoteApp Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Distributing RDP Files 475
Distributing MSI Files 476
Delivering RemoteApp Programs and VMs Through RD Web Access . . . . . . . . . . . . . 478
RD Web Access Sources 478
Installing the RD Web Access Role Service 481
Configuring RD Web Access 482
Customizing RD Web Access 488
Troubleshooting RD Web Access Permissions 496
Using the RD Web Access Website 497
Using RemoteApp And Desktop Connections 502
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
Creating a Redundant RD Gateway Configuration . . . . . . . . . . . . . . . . . . . . . . 537
Using NLB to Load Balance RD Gateway Servers 537
Preventing Split SSL Connections on RD Gateway 542
Maintaining Identical Settings Across an RD Gateway Farm 543
Using NAP with RD Gateway 554
Troubleshooting Declined Connections 573
Placing RD Web Access and RD Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . 576
RD Web Access for External Access 576
RD Gateway Inside the Private Network 578
RD Gateway in the Perimeter Network 579
RD Gateway in the Internal Network and Bridged 581
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
Chapter 12 Licensing Remote Desktop Services 643
The RDS Licensing Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
RDS Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
VDI Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646
License Tracking and Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
How RD License Servers Assign RDS CALs . . . . . . . . . . . . . . . . . . . . . . . . . 648
Setting Up the RDS Licensing Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . 651
Installing RD License Server 652
RD License Server Connection Methods 653
Activating the License Server 653
Background: How RDS CALs Are Tied to an RD License Server 657
Adding License Servers to AD DS 660
Installing RDS CALs 660
Configuring RD Session Host Servers to Use RD License Servers 662
Configuring RD License Servers to Allow Communication From RD Session Host Servers 663
Migrating RDS CALs from One License Server to Another . . . . . . . . . . . . . . . . . . 663
Rebuilding the RD License Server Database . . . . . . . . . . . . . . . . . . . . . . . . 665
Backing Up an RD License Server and Creating Redundancy . . . . . . . . . . . . . . . . . 665
Managing and Reporting License Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . 667
Revoking RDS CALs 670
Restricting Access to RDS CALs 671
Preventing License Upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673
Using the Licensing Diagnosis Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 675
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 675
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677
Acknowledgments
This book isn’t the work of just two people. We owe many thanks to the combined efforts of a lot of people at Microsoft, our terrific set of editors, and the greater community. (All this said, any errors in this book are the sole responsibility of the authors.)
One of the best things about working at Microsoft is that a lot of very smart (and very helpful) people work there, and we are grateful for the insights of these people. Throughout this book, you’ll find Direct from the Source sidebars contributed by members of the product team. We also extend our heartfelt thanks to the members of the product team who sat down with us to explain the finer details of how something worked. From the Remote Desktop Virtualization (RDV) team, we’d like to thank Niraj Agarwala, James Baker, Ara Bernardi, Tad Brockway, Vikash Bucha, Yuvraj Budhraja, Hammad Butt, Rommy Channe, Munindra Das, Silvia Doomra, Samim Erdogan, Rajesh Ganta, Costin Hagiu, Al Henriquez, Travis Howe, Olga Ivanova, Gopikrishna Kannan, Sergey Kuzin, Rob Leitman, Raghu Lingampally, Meher Malakapalli, Benjamin Meister, Ranjana Rathinam, Rajesh Ravindranath, Ray Reskusich, Sriram Sampath, Bhaskar Swarna, and Janani Venkateswaran. Even people from other teams got involved. Many thanks to Kyle Beck, Jeff Heatton, Michael Kleef, Timothy Newton, Mark Russinovich, Tom Shinder, Makarand Patwardhan, Bohdan Velushchak, Paul Volosen, and Jon Wojan for your invaluable assistance. We’d also like to thank Christa’s manager, Ashwin Palekar, for his support during this project.
RDS expertise isn’t limited to people at Microsoft, either. Remote Desktop Services MVPs as well as MVPs and experts from other disciplines also pitched in to contribute Direct from the Field sidebars and explain the intricacies of related technologies. Many thanks go to Janique Carbone, Brian Ehlert, Ross Harvey, Helge Klein, Russ Kaufmann, Shay Levy, Brian Madden, Patrick Rouse, Greg Shields, Michael Smith, and Mitch Tulloch.
The great team at Microsoft Press had a huge hand in turning this project from an idea into the book you hold in your hands. We’d like to thank Martin DelRe at Microsoft Press for asking us to write the first edition of the book in the first place, Megan Smith-Creed at Custom Editorial Productions, Inc., for great editing and project management on this edition, and Alex Juschin for tech editing the book. The rest of the editorial team at Custom Editorial Productions, Inc., did a terrific job of copyediting and proofing this text. Thank you all!
Finally, we’d like to thank our friends and families for their support during this big project. We couldn’t have done it without you. We promise to talk about something else now.
Introduction
Welcome to the Windows Server 2008 R2 Remote Desktop Services Resource Kit! This is a detailed technical resource for planning, deploying, and running Microsoft Remote Desktop Services (RDS). Because some features of RDS are brand new, this book is valuable both for those completely new to RDS and those who have used Terminal Services (its former name) in previous versions of Microsoft Windows.
Within this resource kit, you’ll find in-depth information about the improvements in RDS introduced in Windows Server 2008 R2. This book combines underlying architectural concepts with practical hands-on instructions that allow you to set up a working RDS ecosystem, understand why it’s working, and give you some guidance about how to fix it when it’s not. You’ll also find detailed information and task-based guidance on managing all aspects of RDS, including deploying RD Session Host servers, integrating RDS role services with other key parts of the Windows Server 2008 R2 operating system, and extending the reach of RDS to outside the corporate network. Finally, the companion media includes additional tools and documentation that you can use to manage and troubleshoot RDS role services. Although we mention some third-party tools in the course of this book, this book is fundamentally about running RDS using only the tools found in the operating system. You can do what we’ve done here using only Windows Server 2008 R2. Nor do we get into extensive discussion of any of the third-party tools that many people use with native Remote Desktop Services. For example, many people with high-complexity RDS deployments use management software from Citrix or Quest or other RDS partners, but we don’t discuss it here because it’s not included with the operating system.
fewer logons, security filtering, simplified discovery of available applications and virtual machines (VMs)? It’s in the new version of RD Web Access. Want to address problems discovered via Network Access Policies (NAP), not just shut people out of the network? It’s in the new edition of RD Gateway. Want improved application compatibility? See RD Session Host for IP address virtualization and dynamic fair share scheduling that proactively prevents one session from taking all the processor cycles. Want to stop installing printer drivers on both sessions and VMs? Easy Print now works for both virtualization options.
For those who went straight to Windows Server 2008 R2 from Windows Server 2003, let’s take a look at what the new features add to the former model of a terminal server and a license server.
Secure Internet Access
One of the key benefits of Remote Desktop Services is its ability to support mobile workers. We had a great (and extremely itinerant) tech editor, RDS MVP Alex Juschin, for this edition of the book. He’s got a great description of how he used Remote Desktop Services while completing his part.
In your book you can mention that I have been reviewing your book all over the world using the RDP protocol to connect to my home in Dublin via 3G or WiFi. I’ve worked while on a smelly Kebap Bus in Poland, in a freezing hotel in Latvia, while being driven in a high-end coach in Estonia, on the ferry to England, in a pub in Ireland, on a train going down the coast from Belfast, while tasting wine in France, sitting in a nice Brasserie on the island of Jersey, eating Belgian chocolate in Brussels, on a plane to Germany, on a bench with a beautiful view in Zurich, in a café near the Berlin Wall, in a prison in Finland (ok, hotel, but it used to be a prison), and on the highest point of Germany (Zugspitze).
In Windows Server 2003, Terminal Services didn’t support secure Internet access except across virtual private networks. In Windows Server 2008 R2, Remote Desktop Services supports connectivity over Secure Sockets Layer (SSL) via RD Gateway. RD Gateway allows you to set up different rules for local and remote access and does not require any client-side setup. Introduced in Windows Server 2008, in R2, RD Gateway now enforces device and resource redirection decisions made at the gateway and supports NAP remediation.
Part of the rich remote work experience is using local devices. Support for local devices has been expanded through the Plug and Play Device Redirection Framework, introduced in Windows Server 2008.
ON THE COMPANION MEDIA The authors will post data that is relevant to the Windows Server 2008 R2 Remote Desktop Services Resource Kit on the book’s blog, located at http://blog.kristinlgriffin.com/. You can find this link on the companion media.
■ Chapter 3, “Deploying a Single Remote Desktop Session Host Server,” shows you how RD Session Host servers work, and how to install and configure this role service.
■ Chapter 4, “Deploying a Single Remote Desktop Virtualization Host Server,” explains what VDI is, how Microsoft VDI works, and how to install and configure a RD Virtualization Host and the supporting roles.
■ Chapter 5, “Managing User Data in a Remote Desktop Services Deployment,” discusses the different types of profiles that work with RDS and how to deploy and troubleshoot user profile solutions and folder redirection.
■ Chapter 6, “Customizing the User Experience,” discusses how remoting works, promoting good client experience in the remote session, and how to print from RDS sessions.
■ Chapter 7, “Molding and Securing the User Environment,” explains why you should lock down the RDS environment and how you should do it, and describes how to provide remote assistance to users from within the user session.
■ Chapter 8, “Securing Remote Desktop Protocol Connections,” discusses RDP encryption, server and client authentication, and how to configure security settings on the RD Session Host server.
■ Chapter 9, “Multi-Server Deployments,” introduces key concepts for multi-server deployments, shows how to create RD Session Host farms, and explains how to publish applications and display resources through RD Web Access.
■ Chapter 10, “Making Remote Desktop Services Available from the Internet,” shows you how to install and configure RD Gateway to provide access to RemoteApps, desktop sessions, and pooled and personal VMs to users located outside the corporate network.
■ Chapter 11, “Managing Remote Desktop Sessions,” shows you how to monitor and terminate processes and user sessions running on an RD Session Host server, how to provide help with remote control, and how to drain RD Session Host servers for maintenance.
■ Chapter 12, “Licensing Remote Desktop Services,” discusses the new RDS licensing paradigm, including both RDS and VDI licensing. This chapter explains how licenses are tracked and enforced; how RD License servers assign RDS CALs; how to install, configure, and maintain RDS License servers; how to diagnose licensing issues with the Licensing Diagnosis tool; and how to migrate licenses from one server to another.
Document Conventions
The following conventions are used in this book to highlight special features or usage.
Reader Aids
The following reader aids are used throughout this book to point out useful details.
READER AID    MEANING
Caution    Warns you that failure to take or avoid a specified action can cause serious problems for users, systems, data integrity, and so on.
Note    Underscores the importance of a specific concept or highlights a special case that might not apply to every situation.
On the Companion Media    Calls attention to a related script, tool, template, job aid, or URL on the companion CD that helps you perform a task described in the text.
Sidebars
The following sidebars are used throughout this book to provide added insight, tips, and advice concerning different Remote Desktop Services features.
SIDEBAR    MEANING
Direct from the Source    Contributed by experts from the product group who provide “from-the-source” insight into how Remote Desktop Services works, best practices, and troubleshooting tips.
Direct from the Field    Contributed by experts external to the product group who have real-world experience working with Remote Desktop Services. Some experts are Microsoft field engineers; others are Microsoft MVPs or other experts.
How It Works    Provides unique glimpses of Remote Desktop Services features and how they work.
Command-Line Examples
The following style conventions are used in documenting command-line examples throughout this book.
STYLE    MEANING
Bold font    Used to indicate user input (characters that you type exactly as shown).
Italic font    Used to indicate variables for which you need to supply a specific value (for example, file name can refer to any valid file name).
Monospace font    Used for code samples and command-line output.
Companion Media
In addition to the book itself, you also get a CD that contains some great tools and other resources. System requirements for running the CD are at the back of this book. The CD includes the following resources.
Links
The companion media includes many links to URLs that lead to more information about Remote Desktop Services-related topics, Remote Desktop Services resources, partner websites, and more. Some of the URLs are referenced throughout the book and some are not.
Management Scripts
On the companion media, you will find a collection of scripts illustrating ways to work with Remote Desktop Services using Windows PowerShell and VBScript. We’ve also included listings in relevant locations in the book so that you can better understand how these scripts support the functionality you’re looking for. Although these scripts are intended as samples instead of finished products, they do useful work such as allowing you to easily determine the shadowing permissions on a server or providing application-usage metering not provided in the GUI.
Support for This Book
Every effort has been made to ensure the accuracy of this book. As corrections or changes are collected, they will be added to the O’Reilly Media website. To find Microsoft Press book and media corrections:
1. Go to http://microsoftpress.oreilly.com.
2. In the Search box, type the ISBN for the book, and click Search.
3. Select the book from the search results, which will take you to the book’s catalog page.
4. On the book’s catalog page, under the picture of the book cover, click View/Submit Errata.
If you have questions regarding the book or the companion content that are not answered by visiting the book’s catalog page, please send them to Microsoft Press by sending an email message to mspinput@microsoft.com.
http://www.microsoft.com/learning/booksurvey
Your participation will help Microsoft Press create books that better meet your needs and your standards.
NOTE We hope that you will give us detailed feedback via our survey. If you have questions about our publishing program, upcoming titles, or Microsoft Press in general, we encourage you to interact with us via Twitter at http://twitter.com/MicrosoftPress. For support issues, use only the email address shown above.
CHAPTER 1
Introducing Remote
Desktop Services
■ Where Did RDS Come From? 2
■ How RDS role services depend on other Windows Server roles
■ What application programming interfaces (APIs) exist for developers to use, and what are some examples of the kinds of features that developers can add to RDS
Citrix MultiWin
The original MultiWin architecture was designed not by Microsoft but by Citrix, who licensed the Microsoft Windows NT 3.51 source code from Microsoft to create multi-user Windows. [MultiWin was originally going to be based on IBM Operating System/2 (OS/2) when Microsoft was part of the OS/2 project, but Windows won.] Citrix created its own product called WinFrame, which was a multi-user version of Windows NT 3.51 and totally separate from the operating system that Microsoft produced.
Terminal Server Edition was very much a starting point. The operating system was pretty basic, to put it mildly. Almost every installation of Terminal Server Edition ran MetaFrame on top of it, because the base product did little more than provide a multi-user operating system. Even basic functionality such as clipboard mapping was not included. The fact that Terminal Server Edition and the core operating system were different products wasn’t great for either Microsoft or its customers. Microsoft had to deal with two sets of operating system service packs, and customers had to purchase a separate product to test server-based computing and juggle two different service packs that were not released at the same time. On the plus side, when there was a problem with Service Pack 6 (SP6) for Windows NT 4.0, it was solved by the time SP6 for Terminal Server Edition was released.
client experience. Let’s enable drive mapping, full color, sound, and other features that were previously possible only with third-party products, so that the remote experience can be a lot more like the local desktop experience.
Another big change to Windows Server 2003 was in management. Windows 2000 terminal servers could be managed only singly. You could configure them remotely, but not collectively. Windows Server 2003 introduced some Group Policy settings for configuring and managing terminal servers, and Terminal Server Manager supported management of remote servers.
NOTE Although Windows Server 2003 included the Session Directory Server for basic farm support, this role was available only in the Enterprise Edition and was not widely deployed.
If your needs extended beyond remote access to a full desktop on the local area network (LAN), then you needed third-party additions to the role to help you fulfill them. With Windows Server 2008, Terminal Services gained the following advantages:
■ Visual integration between locally and remotely running applications
■ A web interface for presenting applications on the terminal servers individually
■ A secure gateway to enable support for secure access via the Internet
■ A session broker to route incoming connections to the most appropriate terminal server
■ A printing subsystem that did not require print drivers to be installed on the terminal servers
■ Redirection of new types of devices
■ Improved application compatibility and resource management on RD Session Host
■ Support for Aero Glass remoting and other user experience improvements to RDP 7
■ Support for forms-based single sign-on through RD Web Access so that users need authenticate only once in the website to get to all the RemoteApp programs assigned to them
■ Improvements to Remote Desktop Gateway to enforce drive redirection policies and enable client remediation when clients do not conform to software rules
■ Improved discoverability for license servers for a more reliable connection
Why VDI?
Michael Kleef, Senior Product Manager
Windows Server Marketing
Most obviously, Terminal Services is now called Remote Desktop Services, and all subroles are renamed to go along with the change. The service was renamed to reflect the much broader scope of the server role, including sessions and the role services needed to get people connected to them, but also hosting of VMs and secure wide area network (WAN) access.
NOTE Because this book is about Windows Server 2008 R2, it uses the current names for the server role and its role services. See Table 1-1 for a list of some of the names you’ll come across most often. For a complete mapping of the old and new name for RDS, see http://technet.microsoft.com/en-us/library/dd560658(WS.10).aspx.
TABLE 1-1 Mapping TS Names to RDS Names
The pattern is pretty obvious; if any names you see don’t make sense, look at the list provided at the link.
NOTE Generally speaking, most 32-bit applications can run on a 64-bit platform as long as these applications don’t include drivers and don’t have a 16-bit installation routine. Web applications designed to run in Microsoft Internet Explorer 6 are one exception to this rule. Internet Explorer 6 is included with Windows Server 2003, but can’t be installed on Windows Server 2008 R2. Therefore, if you have Internet Explorer 6–dependent applications and want to display them as RemoteApp programs, you can host them in VMs using RemoteApp for Hyper-V.
RDS shows up in the client versions of Windows even when you don’t expect it. It’s the technology that enables Fast User Switching and Remote Assistance (to name just two), and a version of the RDP protocol is the basis of Live Mesh.
In short, the story of Remote Desktop Services is the story of how multi-user computing has become less of a niche technology and more of a Microsoft strategy for enabling various scenarios that blur the line between the PC and the data center. Even when they’re not called RDS, multi-user computing and the Remote Desktop Protocol have become crucial parts of the core Windows platform.
Improved Security for Remote Users
Totally PC-based computing has problems with data security. More and more people work on laptops, and laptops are meant to be taken places. But laptops with data stored on them are a security risk, even if you password-protect the laptop. Unless you take the laptop with you everywhere, including lugging it along to dinner instead of leaving it in the hotel room when you’re on the road, the data on your laptop is vulnerable to theft. And if someone really wants the laptop, it doesn’t matter if you take it with you. This doesn’t even address the dilemma of leaving the laptop in a taxi or on a train by accident. It happens. BitLocker technology on Windows 7 and Windows Vista protects against theft but does not protect against loss from a misplaced or broken laptop that wasn’t backed up.
If the data is on the laptop and you lose the laptop, the data’s gone. The obvious solution is not to keep the data on the laptop—store it in the data center instead. But if you’re accessing the data center from a remote location via a virtual private network (VPN) and working with large files (in this day of heavy-duty formatting, what file isn’t large?), it’s tempting to keep the file on the local drive while working on it remotely and then copy it back to the network when you’re done with it. However, if you work this way, you’re back where you started with the data on the local drive.
Information Insecurity
It’s not practical to make sensitive information accessible only to people within the four walls of the office, but it’s been shown again and again what happens when that information leaves the data center. In November 2009, the Army Corps of Engineers lost a hard drive containing the names and social security numbers of as many as 60,000 current and former Army service members and some civilians. As of this writing, the drive has not yet been recovered. This isn’t the first time that sensitive data has been lost to a misplaced laptop or other portable media.
It’s not always feasible to store sensitive information only in the data center, accessible solely via secure connection to a Remote Desktop Session Host server behind the perimeter network. Sometimes, the information must be available even when a network connection isn’t. But when it is feasible, it’s much more secure to keep information where it’s least likely to be compromised, stolen, or lost: in the data center.
One solution to the dilemma of how to secure data while keeping it accessible to the people who need it is to keep everything in the data center, including the applications required to edit the data. If both the applications and the confidential data are on the network, then it's either impossible to edit the data locally (because no application for doing the editing is installed locally) or not as desirable to do so because there's no reason to download the remote file to the local computer for a more responsive experience. No sensitive data ends up on the client computer; it all stays within the boundaries of the data center.
NOTE Given a sufficiently long distance or sufficiently slow Internet connection, the
remote connection will also be slow; and if the network connection isn’t totally reliable, it
can be frustrating as the session disconnects. As you know all too well, even high-speed
networks experience some latency when you’re working on one continent and the data
center is on another one. But these problems apply to any remote-access scenario and
have less chance of accidentally corrupting the original document by attempting to write
to it over a slow connection. A disconnected session doesn’t lead to data loss—it’s just
there waiting for its user to reconnect to it.
But working from home has its own set of challenges, not least being the question of how the company can support the desktop environment. Home-based computers can't be easily managed by Group Policy; they can break down with no IT staff immediately available to provide assistance, and people working from home can't always readily talk through a computer-based problem with help desk staff. And how do you update an application when it's time to move from, say, Microsoft Office 2007 to Office 2010? If you've worked remotely for even a brief span of time, you probably have experienced the advantages of mobility and the disadvantages of lack of local support. It's great being able to work from the coffee shop, hotel, or airport lobby; it's not so great acting as your own help desk.
Server-based computing helps enable remote scenarios in several ways. You don't have to worry about home users installing applications that they shouldn't run on the Remote Desktop Session Host servers if you follow basic security procedures (more later on this topic). Since the applications are stored on the RD Session Host servers, they're installed and updated there, not on the clients. And, as discussed in the previous section, "Provisioning New Users Rapidly," using RDS allows the administrator to determine the kind of resource sharing that the local and remote computers should do and which applications are available, depending on the location from which a user is connecting.
It has been said that there's no point to getting thin clients because if you buy PCs, you get more power for the same money. With thin clients, you're not paying for the computing power; you're using very little, comparatively speaking. You're paying for the reduced administration and smaller physical footprint and energy use. This solution is not for everyone, but sometimes thin clients are a better choice than PCs.
NOTE A December 2007 paper from McKinsey & Company, “Reducing U.S. Greenhouse
Gas Emissions: How Much at What Cost?” (http://www.mckinsey.com/clientservice/ccsi/pdf
/US ghg final report.pdf ), shows the marginal costs of reducing carbon dioxide emissions.
The cost of reducing the carbon emissions for combined heat and power in commercial
buildings is negative. That is, it pays companies to go green.
Improved Command-Line Support
Windows Server 2008 had a wide array of programmable interfaces that duplicated—and even extended—the capabilities of the GUI. What it didn't have was the best way to get at them. Windows PowerShell supported Windows Management Instrumentation (WMI) but had no remote access capabilities (and finding the right WMI object isn't trivial unless you already know what you're looking for), so you couldn't use Windows PowerShell to manage settings on a server farm. VBScript did support remote access and WMI, but it required knowing how to script. (You also need to learn to use Windows PowerShell to use it, but it's simpler and a lot of basic tasks have cmdlets already prepared.)
Command-line management is simpler in Windows Server 2008 R2 for two reasons. First, the Windows PowerShell team introduced remote access support in Windows PowerShell 2.0. Second, the RDS team created Windows PowerShell objects to map to its WMI structure. It's now possible to easily find the capability that you want according to server role, and the objects are fully supported by standard Windows PowerShell cmdlets. You'll be reviewing throughout this book how to use Windows PowerShell to manage the RDS farms.
For example, did you know that its Dynamic Fair Share Scheduling ensures that each user on the same server gets an equal amount of processor attention? With it, a lightweight user running Microsoft Word can collocate with a heavyweight user performing a software build, or crunching a database query, or any other CPU-intensive activity. Neither session is impacted by the actions of the other.
Remote Desktop IP Virtualization is also new for those finicky applications that require unique IP addresses to function. Without it, all applications running from the same RD Session Host will appear to have the same IP address. With it, an RDS server can virtualize a set of IP addresses so that those applications execute without problems.
Even Windows Installer gets improved with Windows Server 2008 R2. In previous operating system versions, Windows Installer wasn't fully Terminal Services–aware. This limitation made the installation of some applications very difficult as concurrent installs would block each other. That awareness is finally present in R2, improving the success rate of installing applications to RDS. Installing MSI packages on an RD Session Host server is the same as installing them on a client computer—they serialize and don't block.
With R2, your options for connecting users to applications become as important as the application delivery itself. This "feature" isn't so much a feature as a completely new way of thinking about application delivery. The incorporation of RemoteApp and Desktop Connection in Windows 7 with the RD Web Access in Windows Server 2008 R2 gives you more options for how you connect users to their applications. Depending on your needs, you can deliver RemoteApp programs and VMs via a web page in Internet Explorer, through an .RDP file delivered to the user, or, for those using Windows 7, you can simply populate your users' Start menu.
■ Users are more likely to use a PC (with some locally installed applications) than a terminal device.
■ Users might work from a branch office but still are connected to the domain.
■ Some users will run very demanding applications from the data center.
■ Applications will be served from a farm of identical servers more often than a single server.
■ Some users will be allowed to install applications even in a hosted workspace.
■ Some applications should be isolated for best compatibility.
You will learn about some RDS role services here, but a technical walkthrough of these features is less important right now than understanding the business problems that they're designed to solve. The rest of this book will provide design, deployment, and operations guidance.
Supporting VM Users
Sessions are a good way to let a lot of people use the same physical hardware. However, sessions don't work for everyone, especially not if desktop replacement is the goal. A session can't permit its users full administrative access to tweak settings through the Control Panel, isn't always friendly to resource-hungry applications (at least, the resource-hungry applications are not always friendly to the other sessions), and doesn't permit users to install applications to use later in exactly the same environment. Nor can you hibernate a session to easily save not just data, but also the work that you were in the middle of completing when you dropped everything and ran to catch the bus. Using a VM, it is literally possible to save your work state.
One new feature in Windows Server 2008 R2 is native support for Virtual Desktop Infrastructure (VDI), which is a short name for "managed virtual machines." Microsoft VDI supports two kinds of VMs. Personal desktops are assigned to an individual and can be customized according to whatever rules are in place in the organization. Pooled desktops are generally available to anyone with access to the pool. Although it is possible in some cases to make changes to them, there is no guarantee that a user changing a pooled desktop will get the same one the next time they log in—rolling back changes is often normal, to avoid people contaminating the desktop pool with applications and settings they will never reuse.
Each kind of desktop is designed for a different purpose. Personal desktops are for full desktop replacement. Although accessible only via RDP, a personal desktop is controlled by the user it is assigned to, and if a person has a personal desktop, the RD Connection Broker will always attempt to connect them to it first. A personal desktop can replace a physical computer and even has the advantage of making the machine state easy to back up, so moving to a new physical platform doesn't mean losing all settings.
Pooled desktops are more for supporting people who need to run applications that aren't well hosted on an RD Session Host server, even with the new support for fair share processing that prevents a single session from using all the processor power. They can be preinstalled with any applications that the people who need the pool will need.
Pooled desktops can also support an application-compatibility feature released after Windows Server 2008 R2 shipped: RemoteApp on Hyper-V. This feature allows you to run RemoteApp programs from a VM rather than from an RD Session Host server. It's designed to let computers running Windows 7 run an application that can't run on Windows 7 (for example, a web application based on Internet Explorer 6) from a computer running Windows XP located in the data center. Although each VM can still only support one incoming connection at a time, RemoteApp for Hyper-V makes it possible to support these older applications while retaining the features of Windows 7 on the desktop.
Remoting technology is great for displaying applications that can't run on the client. For example, you can run really demanding applications from a session or a VM to integrate with an older operating system or on hardware that won't support them.
Supporting older applications that won't run on an operating system later than Windows Server 2003 and Windows XP is a bit more problematic. Windows Server 2003 didn't include support for RemoteApp technology, so to run the older applications there would mean publishing only from a full desktop. And up until now, Windows XP didn't support RemoteApp connections (although some companies had solutions that did something functionally similar).
Microsoft has several different technologies that support RemoteApp from client operating systems such as Windows XP. They're all intended for different user scenarios.
The catch to XP Mode is that it requires the RemoteApp VM to run locally. Not all computers have the hardware to run two full machines at the same time (required with Type 2 hypervisors like Virtual PC). To make it possible to support RemoteApp from Windows XP, there's RemoteApp for Hyper-V. This model runs the Windows XP guest VMs hosting the RemoteApp programs in a data center and uses RDP to display them on a computer running Windows 7. To get the updates required to use RemoteApp for Hyper-V, go to http://support.microsoft.com/kb/961742.
MED-V and XP Mode are outside the scope of this book because they do not use the RDS infrastructure, but RemoteApp for Hyper-V is discussed in more detail in Chapter 3, "Deploying a Single Remote Desktop Session Host Server."
RD Gateway enables users to access the corporate network—and the centralized data pool—securely via SSL from the hotel or airport or even the beach (if you can keep sand out of your laptop). When combined with RDP file signing and server authentication, RD Gateway provides secure Internet access, giving users some assurance that the RDP file that they launch is a legitimate resource and not a spoofed server set up to capture their logon credentials. RD Gateway can also set policy to protect the data center, controlling which people and computers are allowed to access the data center via this path and letting administrators control what resources they have access to once they get there.
NOTE RD Gateway and SSL aren’t the only ways to create a secure connection to the data
center from a remote location—VPNs and Direct Access are other access options. But RD
Gateway has some advantages, including controlled access to specific resources, which is
discussed in detail in Chapter 10, “Making Remote Desktop Services Available from the
Internet.”
One feature of RDS depends on a capability in the client operating system and is available only to clients running Windows 7: RemoteApp and Desktop Connections. (For those using Windows Server 2008 R2 as a client, it's also possible to set up this feature from this operating system.) You will learn about this feature in detail in Chapter 9, "Multi-Server Deployments," but in short, it allows users to add icons automatically from applications running in the data center to their Start menu.
NOTE For the best user experience, you should use the latest version of RDP (7, as of
this writing) but many features are available even to older versions of the RDP client. See
Chapter 6, “Customizing the User Experience,” for more details.
Other Business Cases for RDS
Complex Applications
In an environment with complex applications such as line-of-business (LOB) or
customized older software, or in situations in which large and complex applications
are frequently updated but are difficult to automate, RDS can help simplify the
process by reducing the burden of managing multiple applications across the entire
environment. The client machines can access the applications they require from a
central source, rather than requiring applications to be installed locally.
Integration of RemoteApp Programs and Desktops into the Start Menu
Technically, it was possible to integrate RemoteApp icons with the Start menu in Windows Server 2008. To do so, you had to:
1. Package the RemoteApp from the RD Session Host server as a Microsoft Windows Installer (MSI) file.
2. Publish this MSI file through Group Policy.
3. Repackage and republish manually as required when the RemoteApp settings changed.
It's not a bad system, and MSI publishing is still the only way that you can support file associations with RemoteApp programs. (It's also the only way you can integrate RemoteApp programs with the Start menu on Windows XP and Windows Vista.) However, it doesn't update automatically, and you can't add more RemoteApp programs to the Start menu without editing Group Policy. Finally, since it requires Group Policy, you can't use this method to publish applications to computers outside the domain.
A new feature called RemoteApp and Desktop Connections avoids these drawbacks. A new application Control Panel item in Windows 7 (and Windows Server 2008 R2) called RemoteApp and Desktop Connections can accept a Uniform Resource Locator (URL) for the publishing feed created from the farm. This feed aggregates all the RemoteApp programs, VM pools, and personal desktops available. When a user connects to the URL for the feed and presents their credentials, RD Web Access filters the display so that they get links only to resources that they are permitted to use. These links then populate the client's Start menu.
Using RemoteApp and Desktop Connections has the following advantages:
■ It allows users to start locally installed applications and RemoteApp programs in the same way through the Start menu.
■ It does not require the computer running Windows 7 to be connected to the domain.
■ It updates automatically whenever RemoteApp programs or VMs are added to or removed from the feed, or when permissions change.
■ Users have to log on only once to create the connection.
■ Finally, this feed is written in XML, an industry standard, and is available to developers to consume in other ways.
NOTE Although you can get Aero remoting from Windows Vista to Windows Vista, Aero remoting from Windows 7 or Windows Server 2008 R2 requires the Windows 7 client operating system.
RDS replaces monitor spanning with true multi-monitor support. With multi-monitor support, each monitor on the client machine is redirected individually, so that each monitor (up to 16) is seen as a separate monitor to the remote session. (Group Policy limits it to 10, but it's technically possible up to 16 if you set this value programmatically.) Therefore:
■ The monitors can be arranged in any configuration that makes sense to the user: a row, a box, an L, and so forth.
■ Individual applications will maximize to the size of the monitor they're currently displayed in, not the entire row of monitors.
■ Each monitor can have a maximum resolution of up to 4096 × 2048.
True multi-monitor is not supported with Aero Glass remoting. If multi-monitor and Aero Glass remoting are both configured, multi-monitor will take precedence.
Remoting huge and high-resolution displays can take a toll on server performance, so you might want to tweak the maximum supported resolution and maximum supported monitors. For more details, see Chapter 6.
go for coffee and forget about working, since productivity clearly isn't happening if you have to log on every time you start an application.
Single sign-on was introduced in Windows Server 2008, but it was improved in Windows Server 2008 R2 with forms-based authentication. Whereas the previous version allowed you to continue to work without re-presenting your credentials when logging into the same server, the current iteration caches your credentials in a secure web form to present any time you attempt to connect to a RemoteApp program.
operating system to work. In Windows Server 2008 R2, both those limitations are addressed. Whereas .NET is required to convert the XPS of the data stream to the GDI commands required to print, in Windows Server 2008 R2 and Windows 7, the operating system does this. To learn more about Easy Print, see Chapter 6.
RD Session Host
The RD Session Host (known as the terminal server in Windows Server 2008) remains the core piece of the Remote Desktop Services architecture for delivering individual applications and for getting the highest user density for full desktops. An RD Session Host server is different from other types of Windows servers in several ways. Fundamentally, a server with this role installed works a lot more like a workstation than a server.
For example, other server roles are designed to serve one general purpose, such as handling email or database queries. Their priorities are clear. Whatever is at the foreground of that server's purpose gets the lion's share of the processor. A shared server is different. Many people are using it at the same time, so it can't just assume that whichever application is in the foreground is the one that should get all the processing time—which foreground of the 40 or so sessions should it pick? Therefore, all user processes on a Remote Desktop Session Host server have the same priority so that they share the processor more or less evenly among all remote users.
NOTE In Windows Server 2008 R2, a new feature called Dynamic Fair Share Scheduling
(DFSS) proactively ensures that the scheduler doesn’t allocate too much processor time to
any single session. This feature is on by default.
Users connect to an RD Session Host server via the RDP. They make this connection by starting an RDP file that details all the settings for the connection. Users can get to this file from a network share or in email, and it can be automatically generated from a browser or (for clients running Windows 7) the Start menu through RemoteApp and Desktop Connections. When a user starts a remote session, it's protected from other remote sessions running on that computer. Users can't see each other's sessions, and the applications running in those sessions don't share read/write memory. They can have an impact on each other inadvertently (for example, by using demanding applications that take memory away from other users) but there's minimal security risk in having multiple people running sessions on the same RD Session Host server. To say "no security risk" is, of course, not possible, because there are some exceptional cases that could be exploited by an expert with the right tools, but this is generally true.
BEST PRACTICE RD Session Host servers have a heavy workload supporting all the remote client sessions, so it's generally best to reserve them only for that use.
Chapter 2, "Key Architectural Concepts for Remote Desktop Services," talks about how to size an RD Session Host server; information about how to install and set up the role is included in Chapter 3; and how to set up server farms with the RD Connection Broker is covered in Chapter 9.
RD Virtualization Host
Windows Server 2008 R2 introduces a new kind of supported resource: VMs. (VMs, of course, are not new with Windows Server 2008 R2, but support for them within the RDS infrastructure is.) This role service uses Hyper-V to host VMs. VMs can be pooled (generally available to anyone with access to the VM pool) or personal (assigned to a particular user in AD DS).
Why support VMs as well as sessions? The answer is simple: both are valid means of virtualizing the desktop. For higher density, you want sessions. Many more people can run sessions on a single computer than can run VMs, because sessions share a lot of basic infrastructure in the operating system (even though they can't see each other). VMs are a virtual manifestation of a physical machine and thus completely separate from each other. This takes many more resources to support. You can run a dozen sessions on a server with 4 GB of RAM and a modern processor, but this same server would have a hard time supporting more than a couple of VMs running at the same time.
NOTE True story: At one virtualization event, some people said they had heard about
virtualized desktops through VMs first. They’d never heard of sessions and were excited by
the possibilities of “lightweight VDI.”
The reason why VMs are valuable is related to why they're so resource-intensive: they're a completely isolated environment. A VM is configured with a certain amount of memory and a certain number of processors, reserved for it and not available to other VMs. The operating system is entirely reserved for the use of the VM. That means that whatever happens within the VM does not affect other VMs running on the same physical server. Users can install applications and they will be installed only on that VM. Users can run the most processor-intensive CAD (computer-aided design) software around and they won't drain resources from other VMs. Users can completely misconfigure a VM and cause it to crash, and this will affect only the person currently using it.
In RDS, VMs are often assigned to power users. Those with personal desktops are those who need a complete desktop replacement (albeit one that can be backed up and has all the protection of the data center): those who need to be able to install applications and configure their computers. Personal desktops are also good candidates for applications that require a persistent local data source (that is, they can't store all their data on a network share). Those using pooled desktops are often those who need to run applications that aren't good candidates for virtualization on an RD Session Host for one reason or another—they require a previous version of the browser, are 16-bit (Windows Server 2008 R2 is 64-bit only, and 16-bit applications won't run on that platform), or otherwise just don't fit but will work on a pooled VM.
Chapter 2 covers how to size an RD Virtualization Host server; Chapter 4, "Deploying a Single Remote Desktop Virtualization Host Server," discusses how to set up the role for a single-server installation; Chapter 9 teaches you how to deploy the role in a farm; and Chapter 10 details how to manage larger deployments.
RD Web Access
Remote Desktop Web Access (RD Web Access) integrates with Microsoft Internet Information Services (IIS) to display the icons of authorized RemoteApp programs and VMs in a portal displayed in Internet Explorer and launch the connections. A user authenticates to the portal and can see the icons for all the remote resources allocated to them by the administrator. When he or she clicks an icon, it creates and starts a RemoteApp program in much the same way it would if the RDP file were stored on the user's computer. Using the new forms-based authentication in RDS, after a user authenticates to a portal once, his or her credentials can be used for any resource the user is authorized to access.
When a user starts a RemoteApp program, a session is started on the RD Session Host server that hosts the RemoteApp program, or the VM backing the VM icon. The RD Web Access server does not start the application. As shown in Figure 1-1, it just displays the application icon, creates the RDP file for that application when the user double-clicks that icon (1), and then passes the RDP file to the user to start the application from the RD Session Host (2). RemoteApp programs and desktops started via RD Web Access do not display in the browser but in their own windows (3) and are independent of the browser window. Closing the browser won't disconnect or terminate the connections to the RD Session Host or VM.
FIGURE 1-1 RD Web Access displays application icons in a browser for the convenience of users.
RD Web Access has many benefits, including the following:
■ Users can access RemoteApp programs from a website over the Internet or from an intranet. To start a RemoteApp program, they just double-click the program icon.
■ With the new Web SSO feature, after the user authenticates to the website, those credentials are stored and provided for any other connections they initiate—even connections on other servers or other farms.
■ RD Web Access can display resources from more than one farm and aggregate them into a single window.
■ RD Web Access will display only the resources assigned to a particular person.
■ By using RD Web Access, there is much less administrative overhead than that required to maintain and distribute RDP files for connecting to an RD Session Host farm. You can easily deploy programs from a central location and don't have to worry about ensuring that RDP files containing connection information are up to date.
■ RD Web Access includes Remote Desktop Web Connection, which enables users to connect remotely to the desktop of any computer where they have Remote Desktop access from the RD Web Access portal.
■ RD Web Access works with minimal configuration, but the RD Web Access web page includes a customizable Web Part, which can be incorporated into a customized web page or a Microsoft SharePoint site.
That's how RD Web Access benefits people using a browser, but in Windows Server 2008 R2, this role service supports even people connecting without a browser. RemoteApp and Desktop Connections is a new feature in Windows 7 (it's part of the operating system, not the RDP client, so it is not available in previous versions of Windows) that allows RemoteApp and VM icons to be added to a client's Start menu and started from there. The trick is that RD Web Access gets its information about which RemoteApp programs and desktops are available to which users from the publishing service on the RD Connection Broker and makes those resources available through a URL. One URL supports the website you see with a browser, and another supports connections delivered to RemoteApp and Desktop Connections.
Chapter 9 explains how to configure and use RD Web Access and RemoteApp and Desktop Connections.
RD Connection Broker
For the sake of redundancy, it's good practice to have more than one RD Session Host server hosting your remote application set and to load-balance your servers. And it's essentially a given that there will be more than one VM in any deployment using VDI—there might even quite possibly be more than one RD Virtualization Host to run those VMs.
Having multiple endpoints and servers supporting those endpoints allows you to spread out the user load and eliminates the possibility that one server could go down and take out your ability to serve centralized applications. The trouble is that connections are fundamentally made to individual RD Session Host servers, not to groups of them. That is, the final connection is made to the RD Session Host server named RDSH01 (or whatever other name you've given it).
But if your RDP files include the names of individual RD Session Host servers, the connections won't be load-balanced. Nor will they be flexible enough to determine that a user really should be connecting to another RD Session Host server when starting a new application, because he or she already has an application open there. If you've deployed VMs, it's possible to point an RDP file to a particular VM without making any assignments in Active Directory Domain Services—it's essentially the same thing as using RDP to connect to a physical machine identified by name. But assigning VMs by name doesn't allow you to use pooled VMs. Nor can RDP files automatically wake up a VM that's hibernating and prepare it for the connection. If you attempt to make a direct connection to a hibernating VM, the connection will fail.
HOW IT WORKS
[Figure 1-2 diagram: RDSH Farm 1 and RDSH Farm 2 reached through the RD Connection Broker]
FIGURE 1-2 The RD Connection Broker routes incoming connections to the appropriate RD Session Host server.
For VM connections (see Figure 1-3), the RD Connection Broker makes its decision
based on similar criteria.
[Figure 1-3 diagram: the RD Connection Broker in front of Pooled VMs on RDVH1 and Personal VMs on RDVH2]
FIGURE 1-3 The RD Connection Broker also brokers connections to VMs on RD Virtualization Host servers.
Chapter 9 explains how to use RD Connection Broker to support RD Session Host farms and pooled and personal VMs.
RD Gateway
In the dark days before Windows Server 2008, if you wanted to connect to a terminal server from the outside world using only the tools in the box, you might have considered opening port 3389 (the port that RDP listens on by default) so that the terminal server could accept incoming connections. Most people didn't do this, however, because of the security hole it opened.
One of the role services of RDS in Windows Server 2008 R2 is Remote Desktop Gateway (RD Gateway). RD Gateway enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device, whether originally part of the domain or a public computer or kiosk. As shown in Figure 1-4, the network resources can be RD Session Host servers supporting full desktops or RemoteApp programs, VMs, or computers with Remote Desktop enabled. In other words, people accessing the corporate network from the Internet can use RDP to connect to full desktops, individual applications, or even their own desktop computers—it all depends on what the administrator has set up.
FIGURE 1-4 RD Gateway provides secure access to the corporate network from other networks such as the Internet. (Diagram labels: Perimeter Network, Network PC, Mobile User, Pooled VMs, RemoteApp, RPC over HTTPS.)
RD Gateway uses RDP over HTTPS to establish a secure encrypted connection between remote users on the Internet and the internal network on which their applications run; this requires only port 443 to be open (which it probably is already for secure Internet connectivity). By doing this, RD Gateway does the following:
■ Enables remote users to connect to internal network resources over the Internet by using an encrypted connection, without needing to configure VPN connections
■ Provides a comprehensive security configuration model that enables you to control access to specific internal network resources
■ Provides a point-to-point RDP connection that can be limited, rather than allowing remote users access to all internal network resources
■ Enables most remote users to connect to internal network resources that are hosted behind firewalls in private networks and across Network Address Translators (NATs). With RD Gateway, you do not need to perform additional configuration for the RD Gateway server or clients for this scenario (aside from opening port 443 in the firewall).
The RD Gateway Manager console enables you to configure authorization policies to define conditions that must be met for remote users to connect to internal network resources. For example, you can specify:
■ Who can connect to RD Gateway (in other words, the users and computers who can connect)
■ Which network resources (computers or computer groups) users can connect to
■ Whether device and disk redirection is allowed
■ Whether clients must use smart card authentication or password authentication, or either one
To enhance security further, you can configure RD Gateway servers and RDC clients to use Network Access Protection (NAP). NAP is a health policy creation, enforcement, and remediation technology included in Windows XP Service Pack 3 (Windows XP SP3), Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. Using NAP, system administrators can enforce client computer health requirements, which can include software requirements, security update requirements, required computer configurations, and other settings to connect to RD Gateway.
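As an added illustration of the two policy layers just described (example code, not from the book and not Microsoft’s RD Gateway implementation), the following Python model evaluates a connection request first against a connection-authorization layer (who may connect, from which client computers, with password or smart card, optionally only from a NAP-healthy client, and whether redirection is permitted) and then against a resource-authorization layer (which internal computers may be reached), recording every refused attempt as the kind of event the chapter suggests monitoring. All user, group and host names in it are constructed.

```python
"""Model of RD Gateway-style connection and resource authorization (added example; not the
book's code or Microsoft's implementation). It mirrors what the chapter says RD Gateway
Manager lets you specify: who may connect (users and client computers), which internal
computers they may reach, whether device and disk redirection is allowed, and whether smart
card or password authentication is required. Group, user and host names are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass(frozen=True)
class ConnectionPolicy:
    """Who may connect through the gateway, how they must authenticate, what they get."""
    name: str
    user_groups: Set[str]            # matches if the user is in any of these groups
    computer_groups: Set[str]        # empty = no restriction on the client computer
    auth_methods: Set[str]           # subset of {"password", "smartcard"}
    allow_device_redirection: bool
    require_healthy_client: bool = False   # NAP-style client health requirement

@dataclass(frozen=True)
class ResourcePolicy:
    """Which internal computers (a flattened computer group) a user group may reach."""
    name: str
    user_groups: Set[str]
    allowed_hosts: Set[str]
    allowed_ports: Set[int] = field(default_factory=lambda: {3389})

@dataclass(frozen=True)
class ConnectionRequest:
    user: str
    user_groups: Set[str]
    client_computer_groups: Set[str]
    auth_method: str
    wants_device_redirection: bool
    client_healthy: bool
    target_host: str
    target_port: int = 3389

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    device_redirection: bool = False   # on only if the client asks and the policy allows


class GatewayAuthorizer:
    def __init__(self, connection_policies, resource_policies):
        self.caps: List[ConnectionPolicy] = list(connection_policies)
        self.raps: List[ResourcePolicy] = list(resource_policies)
        self.audit: List[str] = []     # refused attempts: events an administrator monitors

    def _matching_cap(self, req: ConnectionRequest) -> Optional[ConnectionPolicy]:
        for cap in self.caps:
            if not (req.user_groups & cap.user_groups):
                continue
            if cap.computer_groups and not (req.client_computer_groups & cap.computer_groups):
                continue
            if req.auth_method not in cap.auth_methods:
                continue
            if cap.require_healthy_client and not req.client_healthy:
                continue
            return cap
        return None

    def _matching_rap(self, req: ConnectionRequest) -> Optional[ResourcePolicy]:
        for rap in self.raps:
            if (req.user_groups & rap.user_groups and req.target_host in rap.allowed_hosts
                    and req.target_port in rap.allowed_ports):
                return rap
        return None

    def evaluate(self, req: ConnectionRequest) -> Decision:
        # Step 1: may this user, from this client, with this credential type, connect at all?
        cap = self._matching_cap(req)
        if cap is None:
            return self._deny(req, "no connection policy matches user, client or authentication")
        # Step 2: is the requested internal computer one this user may reach (point-to-point)?
        rap = self._matching_rap(req)
        if rap is None:
            return self._deny(req, f"{req.target_host}:{req.target_port} is not an authorized resource")
        # Redirection is switched off, not refused, when the connection policy forbids it.
        return Decision(True, f"{cap.name} + {rap.name}",
                        req.wants_device_redirection and cap.allow_device_redirection)

    def _deny(self, req: ConnectionRequest, reason: str) -> Decision:
        self.audit.append(f"DENY user={req.user} target={req.target_host}:{req.target_port} {reason}")
        return Decision(False, reason)


# Constructed sample policies: staff connect with a password from any device but get no
# redirection; administrators need a smart card from a managed, healthy client and keep it.
SAMPLE_GATEWAY = GatewayAuthorizer(
    [ConnectionPolicy("CAP-Admins", {"RDG-Admins"}, {"Managed-Laptops"}, {"smartcard"}, True, True),
     ConnectionPolicy("CAP-Staff", {"RDG-Users"}, set(), {"password", "smartcard"}, False)],
    [ResourcePolicy("RAP-Admins", {"RDG-Admins"}, {"rdsh01.corp.example", "dc01.corp.example"}),
     ResourcePolicy("RAP-Staff", {"RDG-Users"}, {"rdsh01.corp.example", "rdsh02.corp.example"})],
)
```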
You can also use RD Gateway server with Microsoft Internet Security and Acceleration (ISA) Server or Forefront Threat Management Gateway (TMG) to enhance security. In this scenario, you can host RD Gateway servers in a private network rather than a perimeter network and host ISA or TMG in the perimeter network. The SSL connection between the RDC client and ISA or TMG Server can be terminated at the Internet-facing server.
The RD Gateway Manager console provides tools to help you monitor RD Gateway connection status, health, and events. With RD Gateway Manager, you can specify events (such as unsuccessful connection attempts to the RD Gateway server) that you want to monitor.
RD Gateway can be used with RDP files stored on clients, with RD Web Access, or with RemoteApp and Desktop Connections. Combined with RD Web Access or RemoteApp and Desktop Connections, you can set up a remote workspace that presents a website with the appropriate application icons and then makes sure that the person connecting or the computer he’s connecting from meets the RD Gateway rules.
RD Gateway uses few resources and if sized properly can support hundreds of incoming users, so it can safely be combined with other roles that might be in the perimeter network.
RDS Licensing
The RDS Licensing role service is responsible for keeping track of who has a license to use the RD Session Host servers. Not who’s authorized to use the RD Session Host server—AD DS user rights or RD Gateway makes that call, depending on what level the administrator is authorizing this connection. RDS Licensing is the license management system that enables RD Session Host servers to obtain and manage RDS client access licenses (RDS CALs) for devices and users that are connecting to an RD Session Host server.
NOTE RDS Licensing supports previous versions of terminal servers as far back as
Windows 2000 Server. Also, the operating system supports two concurrent connections to
administer a computer remotely, so you do not need a license server for these connections.
RD Session Host servers can be configured to require either per-user or per-device RDS CALs. You’ll learn more about the details of RDS Licensing in Chapter 12, “Licensing Remote Desktop Services,” but the basic story is this. Each RD Session Host server determines if the user or the computer connecting to it has a valid license. If it does (and the user has permission to log on), then the RD Session Host server grants the connection. If it does not, then the RD Session Host server attempts to contact a license server to see if a license for that device or user is available. The license server then either allocates a license to the device (per-device RDS CAL) or edits the properties of the user’s account in AD DS to show that a license has been used (per-user RDS CAL). If the RD Session Host server cannot connect to an RDS Licensing server, it will issue a temporary license if the RD Session Host server is within its grace period. Access will be granted for up to 120 days.
Servers supporting the RDS Licensing role maintain a database that tracks how RDS CALs have been issued. For per-device RDS CALs, the license is assigned to a computer. For per-user RDS CALs, the license is not actually assigned but its usage is registered in AD DS and can be tracked.
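The following Python simulation, added here and not taken from the book or from Microsoft’s licensing code, walks through the decision procedure just described: a CAL already seen as valid is honoured, a missing CAL is requested from the license server (per-device CALs bound to a computer, per-user CALs merely recorded), and an unreachable license server yields a temporary license only while the host is still inside its 120-day grace period. Days are counted as integers from the start of the grace period; all identities are constructed, and what happens when the CAL pool is empty is an assumption of this model that the chapter does not cover.

```python
"""Simulation of the RDS CAL grant procedure the chapter describes (added example; not the
book's code or Microsoft's implementation). One RD Session Host checks whether the connecting
device or user already holds an RDS CAL, asks the RDS Licensing server for one if not, and
falls back to a temporary license while the server is unreachable but the host is still inside
its 120-day grace period. Days are counted from the start of the grace period; all identities
are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Set

GRACE_PERIOD_DAYS = 120   # from the chapter: temporary access for up to 120 days


class LicenseServer:
    """Holds the CAL database: per-device CALs are bound to a computer, per-user CALs are
    only recorded against the account (standing in for the AD DS account property)."""

    def __init__(self, per_device_cals: int, per_user_cals: int):
        self.free = {"per-device": per_device_cals, "per-user": per_user_cals}
        self.records: Dict[str, Set[str]] = {"per-device": set(), "per-user": set()}
        self.reachable = True   # set to False to simulate the license server being down

    def request(self, mode: str, identity: str) -> bool:
        """True if a CAL is, or now is, recorded for this device or user.
        The chapter does not say what happens when the pool is empty; returning False is
        this model's assumption."""
        if not self.reachable:
            raise ConnectionError("RDS Licensing server unreachable")
        if mode not in self.free:
            raise ValueError(f"unknown licensing mode {mode!r}")
        if identity in self.records[mode]:
            return True
        if self.free[mode] == 0:
            return False
        self.free[mode] -= 1
        self.records[mode].add(identity)
        return True


@dataclass
class SessionHost:
    licensing_mode: str            # "per-device" or "per-user"
    license_server: LicenseServer
    grace_start_day: int           # day on which the grace period began
    licensed: Set[str] = field(default_factory=set)          # identities seen with a valid CAL
    temporary: Dict[str, int] = field(default_factory=dict)  # temporary licenses by issue day

    def connect(self, identity: str, has_logon_permission: bool, today: int) -> str:
        """Decide one connection attempt; returns a short outcome string."""
        # Licensing never substitutes for authorization: AD DS rights or RD Gateway decide that.
        if not has_logon_permission:
            return "denied: no permission to log on"
        if identity in self.licensed:
            return "granted: valid RDS CAL"
        try:
            if self.license_server.request(self.licensing_mode, identity):
                self.licensed.add(identity)
                return "granted: RDS CAL issued"
            return "denied: no RDS CAL available"
        except ConnectionError:
            # No reachable license server: the host may still issue a temporary license,
            # but only while it is inside its grace period.
            if today - self.grace_start_day <= GRACE_PERIOD_DAYS:
                self.temporary[identity] = today
                return "granted: temporary license (grace period)"
            return "denied: license server unreachable and grace period expired"
```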
RD Licensing is a low-impact service, requiring very little processor time or memory for regular operations. Memory usage is less than 10 MB. Its hard disk requirements are small, even for a significant number of clients. The license database grows in increments of 5 MB for every 6,000 RDS CALs issued. The license server is active only when an RD Session Host server is requesting an RDS CAL, and its impact on server performance is very low, even in high-load scenarios. Therefore, in smaller deployments, the RDS Licensing role service can be installed on the same computer as the RD Session Host role service. In larger deployments, the RD Licensing role will often be on a separate computer.
Although only accessing the RD Session Host role will trigger the consumption of an RDS CAL, using any part of the RDS infrastructure requires an RDS CAL (or, for VDI-only deployments, a VDI CAL).
The Client Connection
Yes, it might be obvious, but it’s still worth looking at. The way the client interacts with the role services of RDS defines what the user experience to a particular endpoint will be. Whether the endpoint is a session on an RD Session Host server, a VM hosted on RD Virtualization Host, or even a physical machine, the fundamental relationship between client and endpoint has three parts: the RDC client, the RDP connection, and the endpoint.
■ The RDC client component initiates the connection to the endpoint and receives the data that the server sends to it.
■ The server component on the endpoint interacts with the core operating system and takes the information received (for example, sounds being produced, bitmaps being displayed), converts it to RDP commands, and serializes it to be passed to the client.
■ The protocol enables the connection between the client and the endpoint; it defines the kind of information that is passed between them via virtual channels.
NOTE Why the distinction between RDP and RDC? RDP is the Remote Desktop Protocol,
the protocol that passes user input and application output between client and server. RDC
is the Remote Desktop Connection, the client component that initiates and manages the
RDP connection.
In short, the client requests the connection, the endpoint formats the calls to the applications and operating system in a way that the client (or server, depending on which way the information flow is going for a particular transaction) can understand, and RDP passes the right information that lets the user communicate with the applications on the server as though they were running locally.
This communication relies on virtual channels, bi-directional connection streams provided through RDP. They establish a data pipe between the RDC client and the endpoint to pass specific kinds of information, such as device redirection or sound, between client and server. Virtual channels are a way to extend the functionality of RDP that’s been available since Windows 2000 Server, and they are also used by some features of RDS, such as device and sound redirection.
But a lot has changed since Windows 2000 Server, and one of the components that’s changed is that the 32 static virtual channels originally made available with RDP 5.1 aren’t enough anymore. More kinds of data are now available, and it’s clear that there might be more not yet considered. In addition, static virtual channels had a problem. They were created at the beginning of the connection and torn down at the end. If you added a device during the session, it couldn’t use virtual channels unless you terminated the connection and then reconnected.
Therefore, RDS supports dynamic virtual channels, virtual channels that the client creates on demand and then shuts down when it’s done with them. If you’re curious about the interfaces to make dynamic virtual channels work for you (or how they work at all), see the PDF titled “Functionality for RDS Scripters and Developers” on the companion CD.
Hosting VMs
For some time, it has been possible to virtualize Terminal Services roles, but Hyper-V was not a required component of a Terminal Services deployment. In RDS, Hyper-V is required to use the VM hosting feature.
Hyper-V is installed automatically if you choose to install the RD Virtualization Host role service. Because RD Virtualization Host requires Hyper-V, it is the only RDS role service that cannot be virtualized.
IMPORTANT All RD Session Host servers in the same farm must use the same certificate
for certificate-based authentication.
IIS is also required for RD Gateway. RD Gateway encapsulates RDP traffic over HTTPS, so it requires certain components of IIS.
IIS is installed automatically when you install an RDS role service that requires it.
ON THE COMPANION MEDIA For a detailed description of the RDS API, please see “Functionality for RDS Scripters and Developers” on the companion media. Detailed instructions for using this API are on MSDN.
NOTE Public interfaces (also known as APIs) are interfaces that are, well, publicly available
and documented on MSDN so that developers can use them. Private interfaces are not
documented. The main difference is supportability. A private interface might change at
any time if required by the people who developed it (in this case, Microsoft). An API won’t
change without notice. Even if you had the option to build solutions based on private
interfaces, it would be better to build on the public APIs than on private ones.
Summary
This chapter introduced you to RDS in Windows Server 2008 R2. At this point, you should understand:
■ How this role has developed since it became part of Windows 10 years ago
Summary Chapter 1 35
■ What RDS is used for
■ The new business cases that Windows Server 2008 R2 RDS now supports
■ The RDS roles that support these new business cases and how they interact
■ How other Windows roles (and the client) support RDS functionality
■ How RDS is a development platform and some of the functionality that scripters and developers can add to it
In Chapter 2, you’ll find out how Windows architecture supports RDS.
Additional Resources
These resources contain additional information and tools related to this chapter.
■ To learn more about some fundamental concepts of the operating system that affect RD Session Host and RD Virtualization Host functionality (and sizing), see Chapter 2, “Key Architectural Concepts for Remote Desktop Services.”
■ To learn how to set up an RD Session Host server, see Chapter 3, “Deploying a Single Remote Desktop Session Host Server.”
■ To learn how to set up an RD Virtualization Host server to support pooled VMs and personal desktops, see Chapter 4, “Deploying a Single Remote Desktop Virtualization Host Server.”
■ To learn how to set up user profiles with RDS, see Chapter 5, “Managing User Data in a Remote Desktop Services Deployment.”
■ To understand how RDP integrates the client and server operating systems for display, printing, and audio and device redirection, see Chapter 6, “Customizing the User Experience.”
■ To learn how to lock down the user environment with Group Policy, see Chapter 7, “Molding and Securing the User Environment.”
■ To learn how RDP connections are secured for LAN connections, see Chapter 8, “Securing Remote Desktop Protocol Connections.”
■ To learn how to use RD Connection Broker to deploy a farm of RD Session Host servers or a pool of RD Virtualization Host VMs, see Chapter 9, “Multi-Server Deployments.”
■ To learn how to publish resources to RD Web Access and RemoteApp and Desktop Connections, see Chapter 10, “Making Remote Desktop Services Available from the Internet.”
■ To learn how to use RDS on the Internet, see Chapter 10, “Making Remote Desktop Services Available from the Internet.”
■ To learn how to manage sessions on an RD Session Host server, see Chapter 11, “Managing Remote Desktop Session Host Sessions.”
■ To learn how RDS licensing works and how to use an RD License server, see Chapter 12, “Licensing Remote Desktop Services.”
■ To learn about RDS life-cycle management, see Chapter 13, “Life-Cycle Management for Remote Desktop Services.”
■ For more details on the APIs available to developers, see the RDS Reference at http://msdn.microsoft.com/en-us/library/aa383494(VS.85).aspx or, for longer documents and source code, see the RDS Code Gallery site at http://code.msdn.microsoft.com/rdsdev
■ For in-depth developer resources (including code samples and detailed documents), see the RDS team Code Gallery site at http://code.msdn.microsoft.com/rdsdev
CHAPTER 2 Key Architectural Concepts for Remote Desktop Services
Before you start installing Remote Desktop Services (RDS) role services, you must understand the business and technical decisions you’ll need to make. This chapter addresses those questions, including both the details of the system architecture that are essential to supporting the two models of application delivery that RDS supports and some of the business decisions that you’ll need to make before implementing the technology. Both will help you better plan for the resources required to support what you want to do. The chapter covers such topics as:
■ Windows Server 2008 R2 internals particularly relevant to sizing RDS roles
■ How to size Remote Desktop (RD) Session Host and RD Virtualization servers
■ The client requirements for using some new features of RDS
■ Characteristics of an application that will run properly on an RD Session Host server
■ Technology decisions rooted in business needs, such as the licensing model or the kinds of client hardware that make the best business sense for your company
NOTE In parts of this chapter, you’ll learn about how to do performance scaling on
an existing RD Session Host server. When determining how to order the chapters in
this book, the decision was made to put planning before installing. For details of the
installation process, see Chapter 3, “Deploying a Single Remote Desktop Session Host
Server,” or Chapter 4, “Deploying a Single Remote Desktop Virtualization Host Server.”
Know Your Application Delivery System
Before getting too deeply into the question of the internals of memory architecture or tips for server sizing, you need to know what an RD Session Host server and an RD Virtualization Host server do. Understanding how each application delivery platform works is essential to understanding sizing guidelines.
RDS supports two application delivery platforms: sessions on an RD Session Host and VMs on an RD Virtualization Host.
40 Chapter 2 Key Architectural Concepts for Remote Desktop Services
Each model for application delivery works a bit differently, but they’re fundamentally doing the same thing: letting a large number of people use the same hardware at the same time. Both models require a bit of juggling on the part of the operating system. Your job is to give each type of server enough resources to juggle as efficiently as possible. To do your job, it’s helpful to know how the RD Session Host does all these things.
NOTE The Windows Server 2008 edition of this book discussed Physical Address Exten-
sions (PAEs) and Address Windowing Extensions (AWEs). However, neither is supported—or
necessary—on a 64-bit operating system, so neither has been included in this edition.
For RD Session Host servers, the move to 64-bit is almost entirely good news. (You’ll learn why it’s an “almost” in just a moment.) On 32-bit operating systems, the biggest bottleneck for terminal servers has generally been memory, with disk reads and writes coming a close second. A 32-bit operating system can’t address more than 4 GB of virtual memory, no matter how much physical memory you install on the server. Windows Server Standard Edition didn’t even support the installation of more than 4 GB of physical memory, so it could not take advantage of such workarounds as PAEs and AWEs that let the operating system store and refer to data in more than 4 GB of physical memory even if it couldn’t “see” it all at one time. Now, 64-bit Windows can “see” up to 44 exabytes of virtual memory addresses, so it can use all the memory it could ever need without the memory tricks that the 32-bit version of the operating system would have to use.
The reason why 64-bit Windows is almost entirely good news involves the support for older device drivers and older applications. You’ll find that 32-bit applications will generally run on a 64-bit operating system without issues. In most cases, an application that can run successfully on a 32-bit terminal server should run on a 64-bit RD Session Host. However, a 64-bit operating system requires 64-bit drivers. Older client printers that you’re still attempting to support, for example, might not have 64-bit drivers.
However, even recalcitrant printer drivers don’t have to crush your plans to virtualize application delivery. First, if you can use Easy Print (discussed in Chapter 6, “Customizing the User Experience”) for your printers, then you won’t need printer drivers on the RD Session Host servers and can just use the drivers installed on the client. Second, if Easy Print isn’t an option, you can use RD Virtualization Host to support the users who need the old print devices.
For RD Virtualization Host, having the host run a 64-bit operating system is an unmitigated win—the reason why Hyper-V has always been 64-bit. The guest VMs on the host don’t have to run a 64-bit operating system, so they really don’t have any application or driver issues as long as the user environment will work in Windows XP SP2 or later. Having 64-bit operating systems just means that you can install as much memory as you need to support all your VMs.
We have recently moved to 64-bit on many of our servers. We see that the
same physical server that could support, say, 55 users in 32-bit mode with
4 GB of RAM, can support 150 users with little stress on 64-bit with 8 GB of RAM.
The 64-bit solution seems to work extremely well, and I suspect that in our environ-
ment, we could scale up further just by adding more RAM. Some servers have seen
more than 300 sessions with no performance issues.
We find that with our application the workload is variable by region for the same
application, because users have different work patterns in the different regions. The
European folks are heavy hitters, whereas the folks in the United States and Asia
give the RDS farms an easier time.
How Does an RD Session Host Server Dole Out Processor Cycles?
Nothing happens on a computer without a processor. When a computer serves dozens of users, there’s a lot of competition for any available processor cycles. Here, you’ll learn about how the RD Session Host server decides who’s going to get processor time.
Users run applications, but operating systems don’t know anything about applications. The operating system deals with processes and threads that support the application executable. A process defines the working environment for an application, including its priority when it comes to being allocated processor time, the image name of the application associated with the process (for example, Winword.exe), the process identifier (process ID, or PID) that the operating system uses to uniquely identify the process, the memory regions allocated to this process by the memory manager, links to parent processes that spawned this new process, and anything else the application would have to know to run and cooperate with other running applications.
HOW IT WORKS
Why does a process need both an image name (this is the same as the executable name) and a PID? The reason is that image names are not necessarily unique on a server. Particularly on an RD Session Host, it’s highly likely that more than one instance of the same application will be running, and it is guaranteed that more than one instance of required system processes will be running (see Chapter 3 for more information about the processes common to all sessions).
Since more than one instance could be running in the same session, you can’t identify the processes by session. To give Windows and the administrator more control over individual processes, the process manager creates new processes with a PID. You’ll often work with PIDs when using the Remote Desktop Manager and query process command-line tools, both discussed in Chapter 11, “Managing Remote Desktop Sessions.”
Processes don’t do anything themselves. Rather, they define the execution environment and relationships that the executable part of a process, the thread, must know about. Threads know details such as the process they’re associated with, and their security information, such as their access token (the record of the rights the thread has, given the identity of the account who started it) and impersonation information (the security credentials being used). They also keep track of their pending input/output (I/O) requests. Like processes, threads have a priority. They inherit their priority range from their process but can adjust their own priority within that range.
One key property of a process or thread is its priority, since that determines how often a thread gets some processor cycles. As you might guess, the higher the priority, the more often a thread gets processor time. Since nothing happens on a computer without processor time to execute instructions, this is critical.
NOTE If you’re curious to see how a processor thread priority compares to that of other
types of processes, use the Process: Priority Current or Thread: Priority Current perfor-
mance counters in the Performance Monitor. For example, the Win32 Subsystem process
(which has the image name Csrss.exe) has a higher base priority than user applications, so
it will get more processor time. This is intentional, as it doesn’t matter if an application is
responsive if Windows isn’t.
One way in which RD Session Host servers differ from other types of servers is in their use of process priority. Other types of servers are generally designed to do one thing really well. They search databases, or manage email, or support websites. Their priorities are clear: the application in the foreground is the one to support. Therefore, the processes and threads belonging to the application in the foreground have a higher priority than those in the background.
NOTE Just because the application in the foreground is the main one supported doesn’t
mean that the foreground application processes have the highest priority. See Microsoft
Windows Internals, Fifth Edition, by Mark E. Russinovich and David A. Solomon, with Alex
Ionescu (Microsoft Press, 2009), for more background on the relative priority of various
types of processes.
Unlike other servers, RD Session Host servers don’t have one clear priority (in contrast to a server running Microsoft Exchange Server, for example, which focuses on one task: “I must get the mail through!”). They have dozens of users to support, all of whom are doing different things and all of whom are expecting a responsive work environment. Because of its conflicting priorities, the only way for a server with the RD Session Host role installed to cope is to prioritize all user application processes and threads equally. Because the processes backing user applications have the same priority, you can approximate the load a server can take by determining how much of the total processor time a user session will require. You’ll find out more about how to do this with the Performance Monitor later in this chapter in the section called “Using Performance Monitor.” But a key point to remember is that the action of installing the RD Session Host role optimizes the operating system for playing this role in your network. An RD Session Host server does not prioritize processes in the same way as a database server or mail server, because the needs of this server are different.
If one session were running a large number of demanding applications, it could potentially affect the performance of other sessions, even though the user applications all have the same priority. Windows Server 2008 addressed this with the Windows System Resource Manager (WSRM), which would reduce a thread’s priority if other user threads in other sessions were being starved for processor cycles. WSRM made sure that processor time was divided evenly among sessions, but it engaged only if a session was being affected. Windows Server 2008 R2 adds a new feature called Dynamic Fair Share Scheduling (DFSS), which changes the way that the scheduler works in the kernel. With DFSS engaged—as it is by default—the scheduler will make sure that the processor time is scheduled evenly among sessions from the beginning. You’ll learn more about how DFSS works in Chapter 3.
physical storage places: the physical memory of RAM and an area on the hard disk called the page file or swap file. Therefore, even if a computer running a 64-bit operating system has only 8 GB of RAM installed, it still has an 8-terabyte range of virtual addresses for data storage.
NOTE If you’ve done the math, you’ll notice that 2 to the 64th power is more than 16 terabytes—it’s actually 16 exabytes. Windows (and currently available processors) don’t currently support 2^64 bytes, however—they support only up to 2^44, or 16 terabytes split evenly between kernel mode and user mode.
This 16 terabytes of virtual memory address space is divided into two regions: kernel space and user space, and the processes that store data in each region are called user-mode or kernel-mode processes. Kernel space, the upper 8 terabytes, is shared by all processes that store data here. User space is specific to each user-mode process. Conceptually, the memory layout looks like that shown in Figure 2-1. All kernel-mode processes know they must share a memory region, but all user-mode processes—not just all sessions, but all processes—think they have their own personal 8 terabytes of user-mode storage. Because this means that virtual memory addresses are duplicated from process to process, one key job of the memory manager is to make sure that user-mode processes don’t affect each other when storing memory in their view of user-mode memory.
FIGURE 2-1 Kernel mode memory is common to all processes that store information there; user mode memory appears specific to each process. (Diagram: one 8 TB KERNEL MODE region of virtual memory above separate 8 TB USER MODE regions for Winword.exe, Outlook.exe, Taskmgr.exe, Explorer.exe, iexplore.exe, Excel.exe, and Visio.exe.)
HOW IT WORKS
Think of the memory structures as a set of interoffice mailboxes. The kernel-
mode components have access to the mailboxes themselves—the physical bins
that line the wall. User-mode components don’t have access to the boxes; instead
they indicate that a piece of data should go into the box belonging to, say, Kim
Abercrombie or to Michael Pfeiffer. The kernel-mode component creates the
mapping that identifies which physical location is associated with Kim Abercrombie
and routes the data there, so that even if the boxes are shuffled or Kim gets a new
mailbox, the data ends up in the right place. Similarly, if a user-mode component
needs data from a location, that component doesn’t know the physical location
of the data, but calls on it according to its virtual data—“I need the data stored
in Kim Abercrombie’s mailbox.” The kernel-mode component then maps Kim
Abercrombie’s name to a mailbox location and retrieves the data. The area of
memory that a component is designed to use depends on what that component
needs to do, how quickly it needs to do it, and how likely it is to have a problem
doing it. Almost everything that you see happening on a computer occurs in user
mode: applications open, windows move, characters appear on the screen as you
type, and so forth. Operations running in user mode are protected from each
other because they write to virtual locations, not to physical ones. Kernel-mode
components ensure that these operations don’t write to the same physical locations.
For this reason, user mode is also called protected mode. If an application running in
user mode crashes, it does not affect other applications.
structures shared among all components on the same computer, so it’s possible that
two applications could attempt to store information in the same memory space.
When this happens, the components crash and it might crash the entire operating
system. Printer drivers running in kernel mode on a shared server, therefore, put not
just one person’s workspace at risk but that of everyone using that same computer.
Although printer drivers are more reliable on shared servers than they used to be,
it’s best to use only user-mode drivers. If you absolutely must use kernel-mode driv-
ers, you must test them before putting them into production.
TABLE 2-1 Physical Memory Limits by SKU (Editions Supporting RDS Only)
Not only does the amount of virtual memory exceed the installed RAM, but each user-mode process thinks that it has a dedicated 8 terabytes of storage. Something has to sort out where the data that a process thinks it stored at a particular location is really located. That function is handled by the memory manager.
The way the memory manager keeps track of how virtual addresses correspond to physical locations is much the way you’d do it if someone gave you the same job. It maintains lists mapping each virtual address to a physical location. These lists are called page tables. The collection of page tables is organized in the page table directory. (A page is a contiguous block of memory and the smallest unit of data that the memory manager can work with.) An individual entry on the page table is called a page table entry (PTE). A PTE contains the pointer to an area of physical memory. If you find page directories and PTEs confusing, think of it this way: The page table directory is like a telephone book for each process. Within the telephone book are the pages of listings—the pages are the page tables. Individual addresses on the page tables are the page table entries. With any one of the addresses, you can find a physical location for the information (the page).
Page tables and page table directories are stored in an area of kernel-mode memory reserved for this memory mapping information. The relationship between virtual memory, PTEs, and physical storage is shown in Figure 2-2.
FIGURE 2-2 Virtual addresses get mapped to physical locations with PTEs.
Windows maintains a two-level page table structure of page table directories and page tables. Each process has its own page table directory. Within that page directory are the page tables listing the pages. (A process has to have more than one page table—and hence the page table directory—because the page tables are limited in size.) Within the page tables, the entries are indexed according to where they are on the page. The value of the index tells the memory manager which area of physical storage a virtual memory address points to. A virtual address contains a pointer to the correct page table directory, indexing information that points to the correct page table, and indexing information pointing to the correct PTE, as shown in Figure 2-3.
FIGURE 2-3 Virtual memory addresses store indexing information that points to the page table directory, the page table, and the PTE.
One of the limitations of Terminal Services on 32-bit Windows is that the telephone book can be only so big because there’s a limited amount of space to store the pages. It’s as if the size of a community were limited by the size of the telephone book that would fit in each mailbox. No more space available indicates there can be no additional pages in the telephone book. This means that you’ll never be able to visit the new family in the neighborhood because they have no entry in the telephone book and you can’t find them. In the same way, the size of the space available to store PTE records limits the number of processes that can run even if you have all the RAM in the world available. The number of virtual memory addresses available to user-mode processes appears enormous because each process sees the entire 8-terabyte area. But for this area to be useful, the memory manager must be able to map the virtual address to a physical location, which means creating a page directory, page tables, and PTEs for each process. If the memory manager can’t do the mapping, then the process can’t start.
Before Windows Server 2008, the area of kernel-mode memory dedicated to PTEs was fixed in size. In Windows Server 2008 and later, kernel-mode memory for these storage structures is allocated dynamically, so that if the memory isn’t needed for one structure, it might be available to another. Windows Server 2008 R2 uses more memory than Windows Server 2003, due in part to some changes in the user shell. But if Windows Server 2003 Terminal Server was constrained by the amount of space available for PTEs, it’s possible that on the same hardware, the Windows Server 2008 R2 RD Session Host Server could support more users.
Note that 64-bit Windows has another advantage: It’s got a lot more room to store System PTEs (the PTEs used to map the location of memory the system is using). The amount of storage in 32-bit Windows is 660 MB; 64-bit Windows has 128 GB.
BEST PRACTICES Microsoft’s best practices for RD Session Host servers suggest that your page file should be two to three times the size of the installed RAM to support all the individual user-mode memory areas for each process. The reasoning is that process creation is expensive—two or three times more so than maintaining the process in memory. Because many people are using the same computer, it’s likely that the computer will be creating a lot of processes for all those people. Therefore, every time users start an application, they’re engaging in this expensive activity. To keep the RD Session Host server running smoothly, you need more memory than just enough to keep the processes running.
Like other key structures, the page file is larger in 64-bit Windows than 32-bit Windows; 64-bit Windows supports a 256-terabyte page file, and for 32-bit Windows, the maximum size is 16 terabytes.
HOW IT WORKS

First, the fewer write actions the operating system has to take, the better, because every action has a cost. To reduce the number of necessary write operations in Windows Server 2003, the memory manager could write only up to 64 KB of data in a single action. Today, that limit has been removed so the memory manager can write data in larger chunks. Most write operations now are approximately 1 MB. Another improvement to the page file beginning in Windows Server 2008 is that it takes the amount of free physical memory into account before writing to the page file. In previous versions of Windows, the decision to write to the page file was based on the number of dirty pages in RAM, or areas where data had been modified. Now, if there’s no shortage of RAM, the memory manager will leave the modified data in RAM.
Not all data can be paged to disk. Some important data (important to the functioning of the operating system, not important to a user) must be maintained in RAM at all times. Data that never gets paged is stored in an area of kernel-mode memory called the non-paged pool. Kernel-mode processes that store data that can be paged to disk store it in the paged pool. In previous versions of Windows, paged pools and non-paged pools had fixed sizes depending on the amount of RAM installed on the server; beginning with Windows Server 2008, these memory areas had no fixed size but could fluctuate depending on the needs of the operating system (see Figure 2-4).
FIGURE 2-4 Kernel-mode memory areas supporting important system structures are sized dynamically in Windows Server 2008.
On 64-bit Windows, the maximum size of the non-paged pool is 128 GB, as opposed to 256 MB for 32-bit Windows.
Not all page faults are hard page faults. Sometimes, the data is still stored in RAM, but not in the process working set. For example, it’s possible another process might be using the data (see the next section, “Memory Sharing and Copy-on-Write”). Soft page faults cost little in terms of time or system resources, so you don’t need to worry about them. Hard page faults, in which the memory manager has to initiate a process to retrieve the data from disk, are much more expensive. When a computer is very low on available RAM and must store a lot of data in the page file, the constant reads and writes are called thrashing.
The following points sum up this section:
■ A user process expects to find the data it’s looking for in its working set.
■ If the data is not in the working set, then the memory manager will check to see if it’s stored anywhere else in RAM and add it to the process working set (a soft page fault).
■ If the data is not in memory, then the memory manager prompts the I/O manager to find the data in the page file on hard disk so it can be added to the process working set (a hard page fault).
load of many modern applications is quite large. On an RD Session Host server supporting dozens or hundreds of sessions, each running memory-hungry applications that are not designed to be efficient with memory (because applications are still typically designed for a single-user computer), how do you avoid running out of page file as well as RAM?
One way, of course, is to ensure that you’ve got enough page file. Another way that doesn’t require any work on your part is a memory-sharing technique implemented in Windows that allows processes to share memory space—sometimes. This technique is called copy-on-write and is related to shared memory.
At the basis of copy-on-write is the fact that there’s a lot of redundancy in a computer. If two processes need to use the same dynamic-link library (DLL), for example, it is better if they can use the same one—if one can “read over the shoulder” of the other. So long as neither process is modifying the data, this works fine, and it decreases the amount of data that a process must store in memory to support all its threads.
The tricky bit comes when a piece of data that two processes are using needs to be changed by one of them. There are two ways you can avoid having a change by Process B make an impact on Process A. One way is to make a copy of the data for Process B as soon as Process B accesses the shared memory area. This can be wasted effort, though—what if the second process won’t change the shared data?
Another way that avoids this wasted effort is the approach that Windows takes. When Process B needs to change the data at the shared location, the memory manager copies the edited data to a new location. The original data is not affected, and the process that must change the data can continue, now using its own copy, as shown in Figure 2-5. Windows works like this; other operating systems might make a copy of the page at the time the second process must access the same data as the first process.
FIGURE 2-5 Copy on write allows for more efficient use of physical memory.
The catch to copy-on-write is that applications must be written in a way that allows them to take advantage of it. The Windows operating system can use copy-on-write for itself, but developers must plan for its use in user applications.
IMPORTANT User profiles should not be stored on an RD Session Host server, but rather
on a central file share so that there’s only one copy of the profile. However, the profile will
be cached on the RD Session Host server for the duration of the session it’s supporting.
See Chapter 5, “Managing User Data in a Remote Desktop Services Deployment,” for more
details about combining profiles and RDS.
You not only need to think about where you’re storing data to facilitate backups and provide a consistent user experience, you need to take disk performance into account. One approach to storing all the data that should be on the RD Session Host or the VMs is to get one big hard disk and keep all the data on it. That way, you can mirror the hard disk and have a backup configuration. For small environments or pilot programs, this might work fine.
For larger deployments, best practice is generally to divide up the three types of data (page file, user profile cache, and the operating system and applications) among three separate hard disks, to avoid waits for disk I/O requests. The problem is that all user activity requires a lot of disk reads and writes. Beginning a user connection, loading a user profile, starting an application, paging some data in memory to disk (or reading data previously paged to disk back into memory)—these are just some of the events that generate disk I/O requests. If these requests begin to stack up, users will see delayed response times. Paging data back into memory from disk, for example, is already relatively slow compared to accessing the same data from physical memory.
Processors and memory are extremely fast. Disks, although fast, are much slower than either RAM or processors. (If you’ll recall from the section titled “How Virtual Memory Is Supported” earlier in this chapter, this is why it’s good to minimize use of the page file, even though it’s critical to your server functioning well.) Ideally, try to have one hard disk spindle for every 20 to 30 users on a given RD Session Host or RD Virtualization Host server. That way, the users’ disk requests will be less likely to delay each other.
How Does RAID Affect Disk Performance?
What about RAID? RAID (which stands for “redundant array of independent disks”) is one way to increase the uptime of your servers by decreasing the likelihood of a disk failure. The basic idea of RAID is that, rather than using a monolithic disk for all your storage, you combine partitions on multiple disks into a single logical unit. The partition can encompass the entire physical disk or only part of it.
The purpose for combining the multiple disks depends on the scenario. Some forms of RAID are intended for data security by linking two or more disks in a way that maintains a copy of your data. Some increase disk throughput by letting you use two or more I/O paths to support a single logical disk (one spanning multiple physical disks).
NOTE Not all forms of RAID increase server reliability. Some even reduce it by linking
two physical disks and making a volume spanning both, so that if one disk fails the entire
volume is inaccessible. For the purposes of this book, assume that references are only to
the fault-tolerant forms of RAID.
There are two basic kinds of fault-tolerant RAID: disk mirroring (RAID 1) and stripe sets with parity (RAID 5). (RAID 10 is fault-tolerant, but essentially combines 5 and 1.) Mirroring is the obvious winner when it comes to RD Session Host servers, but we’ll review both to make it clear why it is a better choice.
DISK MIRRORING
Disk mirroring is the preferred configuration for an RD Session Host server. In this RAID configuration, you have two disks backing a single logical volume. One disk contains the primary partition, and one contains the mirror partition. Each time you write data to the primary partition, it’s also written to the mirror partition. When you read data from the primary partition, it can be read simultaneously, on some implementations, from the mirror partition. This means that reads from a RAID 1 configuration could theoretically be twice as fast as reading from a volume encompassing only a single physical disk. Writes do not take twice as long because they can happen asynchronously.
If one disk of a mirror set fails, then a perfect and always up-to-date copy remains on the other disk. If one disk fails, you can restore redundancy easily by breaking the mirror set and replacing the failed disk, then adding the new disk to the mirror set. The disks will re-create the information on the existing disk onto the one you’ve just added to the mirror set.
RAID 1 reduces the time required to read from disk while not really affecting the write time. It also makes it easy to recover from a disk failure since the data is already fully assembled. About the only disadvantage is that it does not make very efficient use of space because there are two full copies of all data.
STRIPE SETS WITH PARITY
Another contender for a fault-tolerant system is RAID 5, or stripe sets with parity. RAID 5 works differently from RAID 1. Whereas RAID 1 maintains a perfect copy of all the data on a partition on a second disk partition, RAID 5 takes a more space-efficient approach. It writes a slice of data to each disk in the array (a minimum of three disks), but only once across the entire array. Each physical partition then contains both actual data and parity information for data stored on another drive. Therefore, so long as no more than one disk fails, you have either the original data or the parity information required to create the original data.
CAUTION Be aware that if a second disk fails before you replace one failed disk in a
stripe set, you will lose data. This is why some people choose RAID 10, which mirrors
striped volumes.
RAID 5 has its advantages. It can use many more disks than RAID 1, and it is more efficient in the way that it stores data because it’s not maintaining duplicates of all data—just some of it, plus parity information needed to re-create it in case of disk failure. It can also be more efficient for reads because more than one I/O path can be used. But writing data takes more time with RAID 5 because every time you write data, you must also calculate and write its parity information. Given the large number of reads and writes that an RD Session Host or RD Virtualization Host server will necessarily do, this isn’t a good RAID model.
One caution about using RAID on an RD Session Host server: Don’t use software RAID. In particular, don’t use software RAID 5 (stripe sets with parity), because the calculations required will utilize processor cycles that could be used more profitably elsewhere. Hardware RAID systems have their own processor and will increase disk performance.
HOW IT WORKS
The main reason to choose each right now depends on where you’re planning on running the VM: the data center or the desktop. Since RDS is a data-centric computing model, you’d expect that this model would prefer running the VMs from the data center on a Type 1 hypervisor, and you’d be right. However, if there is a valid reason to use a VM on a desktop computer (for example, to run a demo), as of 2010, it will most likely be on a Type 2 hypervisor. (Type 1 client hypervisors aren’t a trivial problem, in part due to the wide variety of client hardware; servers are certified for Hyper-V support.) Because RDS uses Hyper-V, a Type 1 hypervisor, you’ll focus on that model in our discussion of virtualization.
You’ve learned a lot in this chapter about how virtual memory, disk, and processor work in Windows Server 2008 R2. As you’d expect, when VMs are involved, the story gets a bit more complicated. To understand it, you’ll walk quickly through the architecture of a Type 1 hypervisor, including:
■ The role of the parent partition
■ How child partitions use memory and processor cycles
■ How child partitions access other hardware
■ Why you will get better performance using a virtualization-aware guest operating system
If you’d like more details on how hypervisors work, the additional resources at the end of this chapter point you to some sources to learn more about hypervisor architecture.
PROCESSOR TIME
Child partitions don’t directly access the processor scheduler; if they did, they’d interfere with each other and it would be impossible to coordinate all the requests. A logical processor (a core in a physical processor is referred to as a logical processor) might be used by more than one VM (and likely is), and a VM might be using more than one logical processor. To manage all the processor time requests, the hypervisor represents processors in a child partition as virtual processors (VPs). A child partition can have zero (although you won’t get a lot done like that) or more VPs. The number of VPs is not related to the number of logical processors—again, a processor might be accessed by more than one child partition or not accessed at all by some. A virtual processor can be:
■ Running, when it’s actively executing instructions
■ Ready, when it’s not executing instructions but is ready to
■ Waiting, when the VP is waiting for instructions that tell it what to do next
■ Suspended, when it’s temporarily disabled and won’t execute instructions again until taken out of the suspended state
The hypervisor keeps track of the state of each VP and which logical processor a VP is using. The root partition can access this information.
MEMORY MANAGEMENT
Memory management is also more complex on a VM host than on a physical machine. The VMs themselves can’t share memory for many reasons, including security isolation, and the memory manager has three areas of memory to manage, not just two (see Figure 2-7). These three areas are:
■ The system physical address (SPA) space
■ The guest physical address (GPA) space
■ The guest virtual address (GVA) space
The GPA is the representation of physical memory from the perspective of the guest. Operating systems expect their memory addresses to be numbered beginning at 0 and expect some structures to be in memory at a certain address range, so guests can’t really share a view of physical memory without getting confused. The GPA is mapped to the SPA more or less in the same way that the memory manager maps virtual memory addresses to physical memory addresses, as discussed in the section titled “How Do RD Session Host Servers Use Memory More Efficiently?” earlier in this chapter. When a guest operating system accesses memory in the GVA, the request is mapped to the GPA, and from there mapped to the actual physical address of the SPA.
All this memory management can use up processor cycles, so VMs—especially those with a lot of memory reads and writes, like RD Session Host servers—will benefit from Second-Level Address Translation (SLAT) technology, as discussed in the section “Can I Run RDS in a VM?” later in this chapter.
FIGURE 2-7 Memory management with a hypervisor, from “Second Level Address Translation Benefits in Hyper-V R2,” by Janique Carbone. Used with permission.
Device Access from Child Partitions
Devices other than processors and RAM are managed separately. Rather than being managed directly by the hypervisor, other types of devices (like network cards and hard disks) use VM worker processes that control the virtual devices (VDs) and give the VMs a way to interact with the devices indirectly. VDs can be emulated or synthetic.
Emulated devices are accessible to all guest VMs. They’re basically a set of I/O ports, memory ranges, and interrupts (all representing device access) that the guest can access and which the hypervisor controls. When a guest tries to use an emulated device (for example, a Legacy Network Card), then the VM worker process is notified. The worker process basically emulates the action requested (for example, a disk read). While the guest VM is distracted, the worker process sends the request to the hypervisor to be executed by the actual disk, then works the results back up the chain to the guest VM.
Emulation is slow but simple, and it works even if the operating system isn’t virtualization-aware. It’s also available during installation (which is why, after it is installed, you need to install a tool set onto the guest operating system to improve the VM performance and display). But it’s not really up to the demands of modern hardware. For better performance, you’ll use synthetic devices.
Synthetic devices are supported by VSPs, virtualization service clients (VSCs), and the VMBus. VSPs run in the parent partition. When a child partition attempts to use a synthetic device (for example, to read a file from a virtual disk), the VSC in charge of that particular device sends the request to the VMBus. The VMBus links the child partition and the parent partition. The VMBus then sends the request to the VSP for disk, and this travels via the miniport driver to the hardware. The hypervisor doesn’t get involved at all, and this model is much faster.
that cache. Enlightenments allow the guest operating system to let the processor know that it should flush this cache only for the child partition doing the requesting. Other parts of the kernel operate with the same intelligence. When possible, they ask the hypervisor to pass on instructions to carry out only for the child partition requesting them, not the entire host and every guest running on it.
Windows 7 and Windows Vista were designed with virtualization in mind. Windows XP, however, was built before Hyper-V. Therefore, you might discover that you can host more Windows 7 VMs than Windows XP VMs per RD Virtualization Host for VMs with the same resource profile. Since Windows 7 guest VMs will also give the best user experience due to their full support for RDP 7 features and Windows XP endpoints can only display RDP 5.2 features, in most cases Windows 7 VMs will be the best choice.
For example, a guest operating system that does not implement enlightenments
for spinlocks, which execute low-level multiprocessor synchronization, would
simply spin in a tight loop waiting for a spinlock to be released by another virtual
processor. The spinning might tie up one of the hardware CPUs until the hypervisor
scheduled the second virtual processor. On enlightened operating systems, the
spinlock code notifies the hypervisor via a hypercall when it would otherwise spin
so that the hypervisor can immediately schedule another virtual processor and
reduce wasted CPU usage.
hardware resource to inform the root partition, which performs device I/O using
standard Windows device drivers on behalf of the child VM’s operating system.
Since a single high-level I/O operation, such as a read from a disk, might involve
many discrete hardware accesses, it can cause many transitions, called intercepts,
into the hypervisor and the root partition.
Baseline RD Session Host Requirements
Saying that you can’t know how many people can use an RD Session Host server at the same time given a certain hardware profile isn’t to say that there are no guidelines at all. Before getting into some procedures for load testing, let’s look at some basic recommendations for RD Session Host hardware.
Memory
Load up on memory. This is always true for an RD Session Host server, because many people will be using applications and loading data into memory at the same time, all in parallel. One person working on eight Microsoft PowerPoint presentations at the same time is bad enough, but 50 individuals doing the same thing can take quite a toll on a server.
Memory was an issue with terminal servers running Windows Server 2003, but it will
be more of an issue for RD Session Host servers running Windows Server 2008 R2.
The base operating system uses more memory now, for reasons that have nothing
to do with RDS. First, the server operating system runs Windows Internet Explorer
8, which uses more memory than Microsoft Internet Explorer 6. Any scenarios that
require the Microsoft native browser will be affected by this. Second, the shell
in Windows Server 2008 R2 and Windows 7 is more memory-intensive than that
in Windows Server 2003 and Windows XP. And with Windows Server 2008, these
additional memory consumers will affect an RD Session Host server in particular,
because these programs are all about the user experience.
Remember that 64-bit Windows uses more memory than 32-bit; a lot of the standard processes use more memory in the 64-bit version than they do in the 32-bit version. You need about 8 GB of RAM in an RD Session Host Server to bring it to parity with a 32-bit terminal server with 4 GB. However, at 16 GB, the RD Session Host server will start being able to support more users than the 32-bit server can.
Disk
As you saw previously, you must be sure to pay attention to your physical hard
disk layout. Everyone thinks about memory when sizing an RD Session server, with
processor power another obvious consideration. Not everyone takes disk I/O into
consideration, but a server supporting reads and writes for many users needs a wide
and unobstructed I/O path. Split data among multiple hard disks (20 to 30 users to a
disk spindle, as a guideline) for best performance and use hardware RAID 1 for disk
fault tolerance.
Network
Of course, network speed is important to a centralized computing environment. In-house, bandwidth should not be a problem, although you might consider a multihomed server so you can dedicate one network card to Remote Desktop Protocol (RDP) traffic and one to serving file and print requests. Out of the corporate network, you’re dependent on networks you might not be able to control. To support remote users, consider a test run to determine the usability via the networks your users have available. What works well on the LAN might be difficult over a digital subscriber line (DSL); what works well via DSL is likely to be difficult over dial-up. Disable any features that use a large amount of bandwidth but aren’t required and be sure to set the RDP clients’ network hint appropriately for their connection type (see Chapter 6 for more about RDP).
Processor
Processor speed was unlikely to be your biggest bottleneck when running the 32-bit
version of Windows Server 2008, but it’s more important in 64-bit Windows where
memory is no longer constrained. Quad-core processors are common these days;
get a motherboard that has additional sockets. The amount of cache is more critical
to processor responsiveness than the processor’s speed. More cache provides more
space to store instructions that are quickly available to the processor to execute.
Incremental changes in megahertz (MHz) made a lot more difference when you
were moving from 66 MHz to 100 MHz. DFSS, introduced in Windows Server 2008
R2, automatically apportions processor time evenly among sessions.
Timothy Newton
Support Escalation Engineer

Defining Acceptable Performance
Due to the number of factors involved, any estimate would likely be wrong for
more than 90 percent of all scenarios. However, if you want to do some testing on
your own, you can use a third-party application that measures network traffic. One
option Tim uses is a tool called NetMeter, which shows a little graph of upload and
download in real time. Using a tool like this, you can easily see how much is going
up and coming down from a given client (or you could run it on the server and see
the overall load).
Your goal is to create an efficient and effective user experience. That user experience will be defined subjectively by three main criteria:
■ The logon process, including both how long it takes to log on, whether the server seems unresponsive or gives some feedback data, and how many times the user needs to supply credentials. Although the ideal user experience is to avoid logons totally—just sitting down and having applications open is easiest—you can create a reasonable experience if the wait isn’t unacceptably long and the process is fairly transparent.
■ Application responsiveness is crucial. Users must feel as though applications are responsive from the RD Session Host server or VM. A little lag might be acceptable, but not much, and if the delay is so great that users are typing ahead of the display, the IT department will likely receive complaints.
■ Files should load quickly when requested, and print jobs should print. When using the centralized application model, you might get better response times than are possible with desktop-based applications.
NOTE Consider each of these criteria separately when designing a live test. That is, don’t try to measure performance data at the same time you’re measuring the number of simultaneous logons the server can support. If you mix scenarios, the two tests will interfere with each other. How can you tell how a server will perform on a daily basis if it’s stressed out at that moment from too many logons? Sort out the logon bottleneck, and then look to see how the servers will respond to day-to-day usage requirements.
applications you expect to be running, not with a random or invented scenario that does not apply to your real-life expectations. If the server isn’t doing the work under normal circumstances, then your test results will be meaningless.
NOTE Because of the memory sharing discussed earlier, the first RD Session Host server
session might use more memory than that of subsequent consecutive sessions—it depends
on the application usage profile. This is why running the live test helps: It shows the effect
of multiple instances running.
NOTE You might see references to knowledge workers and task-based workers when
researching RD Session Host server sizing. Knowledge workers conform to the profile that
was described in Chapter 1, “Introducing Remote Desktop Services”; they need access to
the data stored in the data center to do their job. Knowledge workers use many business
applications such as Office. Task-based workers generally input or review discrete chunks
of data, such as working a cash register displayed as a Windows application. Each profile
can involve light, medium, or heavy usage. Someone who’s using an RD Session Host server
to check their email a few times a day is a knowledge worker, but a light one.
If your final environment will be running a mix of users, try to get that mix represented in your live test. Does your work group include 75 knowledge workers and 25 task-based workers? If so, select three knowledge workers for every task-based worker for your test run. Ideally, get real workers to participate in this test so that you can receive usage data that accurately depicts typical user actions and needs throughout your workday. For instance, you might know that users typically open files located on a file server from their RD Session Host sessions. You might not know that these files are typically 100 MB each. It would be best if this is discovered during your test phase and not during rollout.
70 Chapter 2 Key Architectural Concepts for Remote Desktop Services
1. Start an instance of the Performance Monitor, the Windows Server 2008 R2 performance monitoring tool. Begin monitoring the counters that are not session-specific.
2. Have the users log on.
3. Tune the Performance Monitor to record performance data for the activity in each of the user sessions for session-specific counters.
4. Ask logged-on users to start applications, load files, check email (if that’s a part of your test), surf the Web—in short, have them work as they would normally.
5. Let the test continue for a reasonable amount of time—perhaps an hour, or even longer.
6. Review the results and see the strain on the RD Session Host server as recorded by Performance Monitor.
NOTE The process name for this tool hasn’t changed from previous versions of Windows
Server. You can also start it by selecting Start, Run, Perfmon.exe.
First, build a data collector set. Browse to Data Collector Sets. Right-click User Defined and select New, Data Collector Set, as shown in Figure 2-8.
BEST PRACTICES Although you can monitor the counters from the Performance Monitor,
creating a data collector set makes it easier for you to reproduce your results.
Name your data collector set using a description of what you are collecting, such as “RDS User Test 1.” As shown in Figure 2-9, choose Create Manually (Advanced) and click Next. The goal is to log data, not initiate alerts for error conditions, so choose to create data logs based on performance counters, as shown in Figure 2-10. Click Next.
Next, you need to add performance counters to the collection set. What counters should you include as part of a full test pass? Since you’re loading the server with many users, you can take a holistic view of the server rather than just focusing on what’s happening within a single session. See Table 2-2 for an example of counters that can tell you about the strain on the server.
COUNTER DESCRIPTION
To add a counter, find the appropriate object in the list, as shown in Figure 2-11. Click the icon to expand the list of counters for that object. If you’re choosing a session-specific counter, choose the sessions to add it to; to choose all of them, choose <All Instances>.
FIGURE 2-11 Choose counters for each object that you want to monitor.
FIGURE 2-12 Specify the location to save your data collection set.
You can either save the data collector set to be initiated manually or edit the properties to set a schedule of when it should start and how long it should last. For the moment, assume that you’re going to start it manually, so choose that option from the list shown in Figure 2-13 and click Finish.
FIGURE 2-13 Save the data collector set to start it later.
When you’re ready to begin testing, return to the main screen of Performance Monitor and choose the saved set from the folder of user-defined data collector sets. Right-click to open the context-sensitive menu and choose Start, or click the green Start button, as shown in Figure 2-14.
When you have finished with the test, go back to Performance Monitor, right-click the collector set, and choose Stop, or click the square-shaped Stop button located to the right of the green Start button.
FIGURE 2-15 Find your report.
A report doesn’t have to show all the counters that you included in the original data collector set, but by default it does. To remove a counter that you don’t need, highlight it in the bottom section on the right pane and click the red X button at the top of the pane (or press the Delete key on your keyboard). Conversely, to add counters you want to show, click the green plus sign at the top of the pane on the right to open the dialog box shown in Figure 2-16. Only the objects for which you selected counters for the specified report will be available.
FIGURE 2-16 Choose the counters and specific object instances to display in your report.
Choose the object and the counters that you want to include, and because you are measuring the total user load, make sure that <All Instances> is selected in the Instances Of Selected Object list. <All Instances> is represented by the asterisk (*) symbol in the pane at right. Click OK when you’ve chosen all the counters.
NOTE The Total option makes a total count for all selected instances; <All instances> tabs
each instance individually but monitors all of them.
Finally, click the Change Graph Type drop-down menu to the left of the green plus sign and choose to display the information as a report (or press Ctrl+G twice), as shown in Figure 2-17.
You should see data similar to Figure 2-18, displaying the results of your tests.
One way to do this is to go through a testing phase, where you have test users log in and use the system while you take readings with Performance Monitor. This is fine if you have those test users and they can spare the time to do this kind of testing.
Another way to understand what your RD Session Host can and can’t handle is to simulate user sessions and user activity and monitor the server’s performance while it’s being taxed. The RD Load Simulation Tool (RDLST) does just that. It simulates user sessions and individual user activity on an RD Session Host server, given a set of parameters. You specify how many users you want to simulate, and what you want these users to do (for example, open a document, type some text, create a graphic image, or save the document). The tool will programmatically start remote desktop sessions to the specified RD Session Host from the designated clients and execute specified actions within each session. Based on how the server reacts to the load you put on it, you can get an idea of whether your server hardware is adequate for your needs, exceeds your needs (so you could add more users), or about right. By reviewing the performance data, you can also see which counters are showing strain.
RDLST includes a controller component, a client agent, and a server agent, as shown in Figure 2-19.
[Figure 2-19 diagram labels: Simulation Script; Simulation Configuration File (contains simulation configuration parameters); Controller (starts, controls, and ends the simulation); Switch; RD Session Host (hosts client sessions); Client Machines 1...n (initiates a remote desktop connection for each test user)]
FIGURE 2-19 The RDLST consists of the controller, server agent, and client agent.
The controller is responsible for configuring the test parameters. The test clients and RD Session Host agents connect to the controller. The controller starts the test, monitors its progress, and ends the test.
The clients are used to start remote desktop sessions on the RD Session Host. Then the RD Session Host hosts the remote desktop sessions started from the clients.
The RDLST is not a solution on its own. It requires scripts to perform the actions it is built to run, like starting user sessions, running applications, and performing activities in each user session (such as opening an application and doing some work). Scripts also perform other pre-test and post-test functions, like starting and stopping Performance Monitor on the RD Session Host server and ending user sessions.
The RDLST comes with installation instructions, guidance on how to build scripts to perform tasks specific to your environment, and a reference guide, so there’s no need to duplicate that effort. However, this section walks you through an example of how to set up and run a simple test against an RD Session Host server using the following basic steps.
1. Install the agents on the designated test servers and clients.
2. Create test user accounts in Active Directory Domain Services (AD DS).
3. Create the script that will automate the user activities inside the user remote desktop session.
4. Start the server and client agents.
5. Configure Performance Monitor on the RD Session Host.
6. Take a baseline Performance Monitor capture on the RD Session Host.
7. Configure the controller test parameters.
8. Start a Performance Monitor capture on the RD Session Host.
9. Start the simulation from the controller.
10. Run the simulation.
11. Stop the simulation.
12. Stop Performance Monitor data collection on the RD Session Host.
13. Review the Performance Monitor report.
In the next sections, you’ll go through these steps in more detail.
■ To set up the server, run RDLoadSimulationTools.MSI on the RD Session Host server and choose the Server Tools option. Take care to run the 32- or 64-bit version of the MSI that matches your operating system version.
NOTE This simulation tool example assumes the availability of basic networking services
(AD DS, Domain Name System, Dynamic Host Configuration Protocol) and that all test
servers and clients can communicate with the other test machines.
# Create 30 test user accounts, ASHTEST1 through ASHTEST30, matching the
# UserPrefix and UserPadCount used in the controller configuration later.
# The parent container is given in canonical form and the UPN suffix uses
# the chapter's example domain, ash.local; adjust both for your test domain.
1..30 | ForEach-Object {
    New-QADUser `
        -ParentContainer "ash.local/ASH_Users" `
        -Name "ASHTEST$_" `
        -UserPassword "P@ssword" `
        -UserPrincipalName "ASHTEST$($_)@ash.local" `
        -DisplayName "ASHTEST$_" `
        -SamAccountName "ASHTEST$_"
}
NOTE This script uses Quest Software’s free Windows PowerShell commands for AD DS,
which you can download at http://www.quest.com/powershell/activeroles-server.aspx (the
link is also provided on the CD).
Create the USER ACTIVITY Script
As noted earlier, the RDLST doesn’t run any applications on its own—it’s the engine that makes it possible. You’ll need to create scripts to execute the applications and simulate user activity. The RDLST guides tell you how to create these scripts, but they also include one example to get you started. For the purpose of demonstrating how to use the tool, you’ll use the sample included in the box melded into a single script and included on the CD as Notepad.vbs. This script starts a remote desktop session, logs in a user, opens Notepad, writes some text, and saves the text file. It is started for each of the user sessions invoked by the controller.
NOTE The SendKeys method will be very helpful to you in developing an interactive
script. See http://msdn.microsoft.com/en-us/library/8c6yea83(VS.85).aspx.
This starts the Remote Desktop Load Simulation Controller, shown in Figure 2-20. The controller shows the machines that connect successfully in the Status Events section.
FIGURE 2-20 The Remote Desktop Load Controller shows the test progression and active test users.
In the Target Server input box, type the name of the RD Session Host server. Then click Configure to open the Configuration dialog box shown in Figure 2-21.
FIGURE 2-21 Configure the General tab to dictate events that should occur on the RD Session Host server before and after the simulation runs.
Manipulate the data on each tab to create the details of how the simulation will work. In the upper section of the General tab, dictate events that should occur on the RD Session Host server before and after the simulation has run its course. For instance, to reboot the server before the test (one way to start the server agent and to end any pre-existing user sessions), select the Reboot Server Before Test check box. The three input boxes in this section are for inputting paths to optional scripts that can be run before or after a simulation to prepare or clean up the RD Session Host server. For instance, at the end of a simulation, you might want to stop the Performance Monitor capture and log off the test users. The second section performs similar tasks for the clients.
ON THE COMPANION MEDIA Note that the first two sections in this simulation
example are not used here, but you might need to use them in your testing. A script
to log off the test users is located on the CD in the LogOffUsers.cmd file. A script to
stop the Performance Monitor capture is on the CD in the StopPerfMon.cmd file.
The Test End Mode drop-down box provides four choices that govern when the controller will conclude that the test is ended.
■ Stay Alive The test does not end.
■ Users Finished The test ends when all users tell the controller that they are finished using the EndScript function.
■ Users Launched The test ends as soon as the controller starts the last user script.
■ Users Launched –Timeout The controller will wait for the specified timeout after launching the last user before the test ends.
This example uses the Users Launched option.
First, configure the user accounts. On the User section of the General tab, specify the user names of your test user accounts, the password for these accounts (now you see why they should all have the same password), the name of the server running Exchange Server (if needed), and the domain name. Test user account names in AD DS should match the settings here. User Name Pad Count is the number of digits that will be added to the user name prefix to reference the user names in the simulation. For instance, if the User Prefix is TEST and the User Name Pad Count is 3, then the test will reference the user names TEST001, TEST002, and TEST003.
Next, click the Clients tab and check that the right clients are selected and that each is running the right number of sessions. All clients currently communicating with the controller will be added automatically as test subjects on this tab. Select the Run Test Only On Selected Clients option to modify the participating client list. At the bottom of the page, enter the number of user sessions that you will run from each client. This example specifies that 20 user sessions will be run per client. (Microsoft has tested the tool with up to 50 users per client, but the number that will be able to run ultimately depends on the client hardware.)
Next, design how the load builds from the Test Progression tab. Enter the following numbers according to the simulation needs and then click Add to add the data to the simulation configuration.
■ User range Specifies how many users you will activate with this simulation.
■ User Group Size Specifies how many users in a group.
■ Interval between users (sec) Specifies the number of seconds that the controller waits before starting the next user within the group.
■ Interval Between Groups (sec) Specifies how many seconds will pass in between the ending of one group’s sessions starting and the beginning of the next user group’s sessions starting.
■ Speed Factor Specifies how fast the scripts will be run. The scripts will run at the normal speed when the speed factor is set to 1. They will run at double speed when speed factor is 2, and so on.
Figure 2-22 shows the numbers used in this example simulation.
FIGURE 2-22 Add a list entry on the Test Progression tab.
Next, click the Scripts tab to pick the script or scripts that you’ll use for the simulation. Click Add Script to open the Add Script dialog box, shown in Figure 2-23.
FIGURE 2-23 Enter the full file path to the script to be used in the simulation.
Enter the full path or browse to each script that the RDLST tool will call to start the user sessions on the clients, open remote desktop sessions on the test server, and do some work. Enter a friendly name of each script. The friendly name will be used as the name of the configuration INI file created next. Enter any optional parameters to be passed to the script in the Parameters input box. This can be left empty if no optional parameters are required. In this example, none are needed. Ignore the Script type pull-down menu because it is disabled in this version of the tool. Click OK. Now highlight the script in the Available Scripts pane and click the Add>> button in the middle pane to add the script to the Selected Scripts list, as shown in Figure 2-24.
Click the Custom Command Schedule tab. This example does not use any extra added commands, but this tab allows for custom commands that will be run on servers based on user events. For example, you could configure the test to run a script on the servers when 50 user sessions are started and again when 100 user sessions are started. After you have configured the controller parameters, click OK in the bottom-right corner. Then click the Save Configuration button on the General tab of the controller. This saves the configuration to an INI file that can be used to populate the controller configuration for future tests. Call the configuration file when starting the program to autopopulate the controller configuration with the parameters from the INI file. The example’s INI file looks like this:
[SCALCONTROLLER]
UserIndexMode=0
ServerAgentMode=1
TClientMode=0
RebootServerMode=0
RebootClientMode=0
UserPadCount=1
UsersPerMachine=20
TestEndMode=2
CommandTimeout=25
TestEndTimeout=0
UserPrefix=ASHTEST
UserPassword=P@ssword
DomainName=ash.local
ExchangeServer=
ServerName=LOGAN
ServerPreRebootCommand=
ServerPreTestCommand=
ServerTestCleanupCommand=
ClientPreRebootCommand=
ClientPreTestCommand=
ClientTestCleanupCommand=
TestDescription=Test to launch 30 user sessions, open Notepad, type some text and
;save the file...;
ProgressionListCount=1
Progression1=1-30-5-5-10-1
CommandListCount=0
ScriptListCount=1
ScriptName1=test.vbs - Notepad Test
[AVAILABLESCRIPTS]
ScriptsCount=1
ScriptName1=test.vbs - Notepad Test
[test.vbs - Notepad Test]
filepath=C:\test.vbs
parameters=
type=3
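The Progression1 line above is the Test Progression tab entry packed into one dash-separated string. The following added example (not part of the RDLST or of this book’s CD) reads the [SCALCONTROLLER] section of such a file and works out when each test user is launched, how many groups there are, how many clients the run needs at the configured UsersPerMachine, and how long the ramp-up lasts, which with Test End Mode Users Launched is the length of the test. The field order firstUser-lastUser-groupSize-secondsBetweenUsers-secondsBetweenGroups-speedFactor is an assumption taken from the order of the tab’s inputs, and the INI text is a constructed excerpt of the file above.

```powershell
# Added example: compute the launch schedule encoded by a Progression line.
# Assumed field order, taken from the order of the Test Progression tab's inputs:
#   firstUser-lastUser-groupSize-secondsBetweenUsers-secondsBetweenGroups-speedFactor
# Assumed timing model: within a group each user starts secondsBetweenUsers after the
# previous one; after a group's last user starts, the controller waits
# secondsBetweenGroups before starting the next group's first user. The speed factor
# changes how fast the scripts run, not when users are launched, so it is not used here.

# Constructed excerpt of the controller INI file shown above.
$SampleIni = @'
[SCALCONTROLLER]
UserPrefix=ASHTEST
UserPadCount=1
UsersPerMachine=20
TestEndMode=2
ProgressionListCount=1
Progression1=1-30-5-5-10-1
;lines starting with a semicolon are comments
'@

function Read-IniSection {
    param([string]$IniText, [string]$Section)
    # Returns a hashtable of the key=value pairs found in one [Section].
    $values = @{}
    $inSection = $false
    foreach ($raw in ($IniText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq $Section); continue }
        if ($inSection -and $line -match '^([^=]+)=(.*)$') {
            $values[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $values
}

function Get-ProgressionSchedule {
    param([string]$Progression, [string]$UserPrefix, [int]$PadCount)
    $fields = $Progression -split '-' | ForEach-Object { [int]$_ }
    if ($fields.Count -ne 6) { throw "Progression '$Progression' does not have six fields" }
    $first, $last, $groupSize, $userGap, $groupGap, $speed = $fields
    if ($groupSize -lt 1 -or $last -lt $first) { throw "Progression '$Progression' is not valid" }

    $schedule = @()
    $t = 0    # seconds since the first user was launched
    $i = 0    # zero-based position of the user in the run
    foreach ($n in $first..$last) {
        if ($i -gt 0) {
            # The first user of a new group waits the group gap; the others wait the user gap.
            if ($i % $groupSize -eq 0) { $t += $groupGap } else { $t += $userGap }
        }
        $schedule += New-Object psobject -Property @{
            User         = $UserPrefix + ([string]$n).PadLeft($PadCount, '0')
            Group        = [int][math]::Floor($i / $groupSize) + 1
            StartSeconds = $t
        }
        $i++
    }
    return $schedule
}

function Get-RunSummary {
    param([string]$IniText)
    $cfg = Read-IniSection -IniText $IniText -Section 'SCALCONTROLLER'
    $sched = Get-ProgressionSchedule -Progression $cfg['Progression1'] `
                 -UserPrefix $cfg['UserPrefix'] -PadCount ([int]$cfg['UserPadCount'])
    $perClient = [int]$cfg['UsersPerMachine']
    New-Object psobject -Property @{
        Users         = $sched.Count
        Groups        = ($sched | ForEach-Object { $_.Group } | Sort-Object -Unique).Count
        RampUpSeconds = ($sched | Select-Object -Last 1).StartSeconds
        ClientsNeeded = [int][math]::Ceiling($sched.Count / $perClient)
    }
}

# Summarize the chapter's example entry and list the per-user launch times.
Get-RunSummary -IniText $SampleIni
Get-ProgressionSchedule -Progression '1-30-5-5-10-1' -UserPrefix 'ASHTEST' -PadCount 1 |
    Format-Table User, Group, StartSeconds -AutoSize
```

Comparing ClientsNeeded with the number of machines on the Clients tab before you click Start catches a run that cannot launch all of its users.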
If you’re running the 32-bit version, the INI file will be saved by default to the c:\Program Files (x86)\TSPerfTools\ folder. The name of the file is the same name as the friendly name of the script input on the Scripts tab. To call it in the future, open a Run box on the Start menu and type
Configure Performance Monitor on the RD Session Host
Configure Performance Monitor on the RD Session Host server to capture data that shows the load that the user sessions place on the server. Refer to the section titled “Using Performance Monitor” earlier in this chapter for how to set up a data collection set. This example uses a data collector set containing the counters listed in Table 2-2.
FIGURE 2-25 The RD Session Host server’s baseline Performance Monitor results show little activity.
NOTE You can only start Performance Monitor manually if you are not choosing the
Reboot Server Before Test option on the General tab. Otherwise the perfmon log will stop
when the server reboots. In the reboot case, you need to set the Perfmonstart.cmd script
to run by adding it to the Server Setup Before Test box on the General tab of the controller.
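The data collector set built through the Performance Monitor GUI earlier in this chapter can also be created, started, and stopped from a script, which is what lets the controller’s Server Setup Before Test and cleanup boxes drive the capture. The following is an added example written for this chapter, not the Perfmonstart.cmd or StopPerfMon.cmd script from the CD: it uses the built-in logman.exe with the Terminal Services Session counters for Working Set Peak and % Processor Time (that is the performance object’s name on Windows Server 2008 R2) plus two server-wide counters, and assumes the collector set name, the output folder, and the sample interval.

```powershell
# Added example (not the CD's Perfmonstart.cmd or StopPerfMon.cmd): manage the
# Performance Monitor data collector set with logman.exe so the RDLST controller can
# start the capture from its Server Setup Before Test box and stop it from the server
# cleanup box, instead of someone clicking Start and Stop in the GUI.
# Assumed values: the collector set name, the output folder, and the sample interval.

$SetName    = 'RDS User Test 1'           # same name used in the GUI walkthrough
$OutputDir  = 'C:\PerfLogs\RDSUserTest1'  # assumed location for the .csv logs
$SampleSecs = 15                          # seconds between samples

# Session-specific counters for every session instance (*), plus two server-wide ones.
# "Terminal Services Session" is the performance object name on Windows Server 2008 R2.
$Counters = @(
    '\Terminal Services Session(*)\% Processor Time',
    '\Terminal Services Session(*)\Working Set Peak',
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes'
)

function New-RdsCollectorSet {
    # Define the set once. logman returns a non-zero exit code if a set with this
    # name already exists, so the return value tells the caller whether it was created.
    if (-not (Test-Path $OutputDir)) {
        New-Item -ItemType Directory -Path $OutputDir | Out-Null
    }
    # PowerShell expands the $Counters array into one argument per counter path.
    & logman.exe create counter $SetName -c $Counters -f csv -si "00:00:$SampleSecs" -o (Join-Path $OutputDir 'rds')
    return $LASTEXITCODE
}

function Start-RdsCapture {
    & logman.exe start $SetName
    return $LASTEXITCODE
}

function Stop-RdsCapture {
    & logman.exe stop $SetName
    return $LASTEXITCODE
}

# Typical sequence on the RD Session Host, from an elevated prompt:
#   New-RdsCollectorSet    # once, before taking the baseline capture
#   Start-RdsCapture       # just before starting the simulation on the controller
#   Stop-RdsCapture        # after the Test Completed event appears in Status Events
```

Because the set is defined with logman, the counters it records are the same ones you would otherwise pick in the Figure 2-11 dialog box, and the .csv files in the output folder can be opened in Performance Monitor as a report.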
Run The Simulation
After you start the simulation, the first thing you’ll see is the user sessions starting on the clients. The active test users will begin appearing in the Active Test Users box on the Controller graphic user interface (GUI). The user sessions will also start appearing in the RD Session Host’s Users tab in Task Manager, as well as in the Simulation agent on the client.
As the simulation progresses, the controller logs status events; you can also view them in real time on the controller’s GUI, as shown in Figure 2-26.
FIGURE 2-26 The Remote Desktop Load Simulation Controller shows user session activity and logs simulation status events.
Stop the Simulation and Performance Monitor
The simulation is considered over when the Test End Mode specified on the controller’s configuration General tab occurs. This example specifies Test End Mode Users Launched. This means that when all the users have been started, the controller considers the test complete. When the specified Test End Mode is reached, a Test Completed event will be logged on the controller in the Status Events window.
At this time, the user sessions need to be logged off from the RD Session Host either manually using Task Manager or the Remote Desktop Manager or programmatically using a script that is specified in the simulation configuration.
Next, stop the Performance Monitor capture; again, you can either do this manually by clicking Stop or programmatically by using a script specified in the simulation configuration. Figure 2-27 shows the activity in this example simulation from beginning to end.
FIGURE 2-27 The Task Manager on the RD Session Host shows the activity throughout the simulation.
Where the peak starts to drop on the Physical Memory usage history is where the simulation ends. The very next plateau shows the user sessions disconnecting. Then the final drop shows the user sessions logging off.
FIGURE 2-28 The report contains data captured when monitoring an RD Session Host baseline configuration.
FIGURE 2-29 The report contains data captured when monitoring an RD Load Simulation test running on an RD Session Host server.
In short, using the RDLST will help you determine how many users can work simultaneously on your RD Session Host servers and how well the load corresponds to the hardware you have.
ON THE COMPANION MEDIA See the book’s CD for a link to the RDLST to help
you programmatically determine how many people can use an RD Session Host
server based on your application set.
record the results with the Performance Monitor, and extrapolate the number of users that the server can handle from the results.
You will still need to set up your RD Session Host server and load the applications that you will host. (To learn how to set up an RD Session Host server, see Chapter 3.) Where you can save time is in user testing. Instead of mimicking your user environment with multiple user sessions and with real user help, you can make some estimates by testing with one representative user session and doing some math.
In this test model, most of the counters checked for the full test pass will not help you. You can’t really tell much about page file usage with only one user, and with only one session you’re not likely to be putting much strain on disk I/O. You can, however, tell what’s going on within the session itself.
To find out, create a data collector as discussed earlier in this chapter, including only the Terminal Server Session counters for Working Set Peak and % Processor Time.
NOTE Because your report doesn’t have to include every counter you collect data for, you
can reuse the one from the earlier walkthrough if you created it as you read.
Run the test as described previously, trying to mimic a user session (that is, open programs your users will open, do some work, print pages, save files, and so on). When you’ve finished collecting data, select the counters to view, as described previously in this chapter, and choose to show a report of what’s happening in that session (as opposed to choosing counter data for <All instances> as in the test pass). View this step in Figure 2-30.
Now that you have this report, what does it mean and how can you use it? You can view the data in several ways.
The data shows that the % Processor Time is approximately 10 percent. To determine the maximum users that can be supported with this processor, divide 100 percent by 10 percent; the result is 10 users.
NOTE You might have multiple processors in your RD Session Host server. Be aware that
two processors don’t render twice the power of one. Instead, there is a sliding scale.
■ Approximately 1.8:1 when going from one to two processors
■ Approximately 1.65:1 when going from two to four processors
Therefore, if you have four processors in your RD Session Host server, you would use the following calculations to compute Max Users.
100 percent divided by 5 percent = 10 users. Now take into account the other three processors: 10*1.8*1.65 = 30 users at full load.
The processor in this example would be the bottleneck, but that might not always be the case. You must look at the peak working set for the session and weigh that against the amount of RAM in the computer. In this example, the peak working set was about 179 MB. Discounting for the requirements of the operating system, take the remainder and divide it by 250. As you can see, if the RD Session Host has 4 GB of RAM (a very low number for a production RD Session Host server), the RAM should be able to support 16 users running the applications that you ran in your test.
So can this server support 30 users or 16 users? For best results, it pays to be conservative. You should always use the lower number. On a server with this processor, with this amount of RAM, it’s safe to guess that you can reasonably support roughly 16 concurrent users.
Hammad Butt
Software Development Engineer II (Test), Microsoft
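The sizing arithmetic from the sidebar above, as an added example that is not the sidebar author’s code: it takes the single-session measurements and returns the processor-bound estimate, the RAM-bound estimate, and the lower of the two. The 1.8 and 1.65 scaling factors and the 250 MB per-user RAM budget are the sidebar’s figures. The operating-system reserve is a parameter you supply (the sidebar gives no figure, so the default is 0), processor counts the sidebar gives no factor for are rejected rather than extrapolated, and a measured peak working set larger than the budget replaces it.

```powershell
# Added example: the sidebar's sizing arithmetic as reusable functions.
# Figures from the sidebar: 100 / (session % Processor Time) users per processor,
# 1.8x going from one to two processors, 1.65x going from two to four, and a
# 250 MB RAM budget per user after discounting the operating system.
# Assumption: the OS reserve is supplied by the caller (default 0, as the sidebar
# gives no figure); the sidebar's factors stop at four processors, so other counts
# are rejected rather than extrapolated.

function Get-ProcessorBoundUsers {
    param([double]$SessionCpuPercent, [int]$ProcessorCount)
    if ($SessionCpuPercent -le 0 -or $SessionCpuPercent -gt 100) {
        throw 'Session % Processor Time must be greater than 0 and at most 100'
    }
    $perProcessor = 100 / $SessionCpuPercent
    $scale = switch ($ProcessorCount) {
        1       { 1.0 }
        2       { 1.8 }
        4       { 1.8 * 1.65 }
        default { throw "The sidebar gives no scaling factor for $ProcessorCount processors" }
    }
    # Rounded to the nearest whole user, as the sidebar does with its 30-user figure.
    return [int][math]::Round($perProcessor * $scale)
}

function Get-RamBoundUsers {
    param([int]$TotalRamMB, [int]$OsReserveMB = 0, [int]$PerUserMB = 250)
    $remaining = $TotalRamMB - $OsReserveMB
    if ($remaining -le 0) { return 0 }
    # Floor, not round: a partial user's worth of RAM supports no extra user.
    return [int][math]::Floor($remaining / $PerUserMB)
}

function Get-EstimatedUserCapacity {
    param(
        [double]$SessionCpuPercent,   # % Processor Time measured for the one test session
        [int]$PeakWorkingSetMB,       # Working Set Peak measured for that session
        [int]$ProcessorCount,
        [int]$TotalRamMB,
        [int]$OsReserveMB = 0         # assumed default; pass your own measured figure
    )
    $cpuUsers = Get-ProcessorBoundUsers -SessionCpuPercent $SessionCpuPercent -ProcessorCount $ProcessorCount

    # Check the measured session against the 250 MB budget. If one session already
    # peaks above it, the budget is too small, so size on the measured figure instead.
    $perUser = 250
    if ($PeakWorkingSetMB -gt $perUser) {
        Write-Warning "Peak working set $PeakWorkingSetMB MB exceeds the $perUser MB budget; using the measured value"
        $perUser = $PeakWorkingSetMB
    }
    $ramUsers = Get-RamBoundUsers -TotalRamMB $TotalRamMB -OsReserveMB $OsReserveMB -PerUserMB $perUser

    if ($cpuUsers -le $ramUsers) { $bottleneck = 'Processor' } else { $bottleneck = 'RAM' }
    New-Object psobject -Property @{
        ProcessorBound = $cpuUsers
        RamBound       = $ramUsers
        Recommended    = [math]::Min($cpuUsers, $ramUsers)   # always take the lower number
        Bottleneck     = $bottleneck
    }
}

# The sidebar's measurements: 10 percent CPU and a 179 MB peak working set for one
# session, on a four-processor server with 4 GB of RAM.
Get-EstimatedUserCapacity -SessionCpuPercent 10 -PeakWorkingSetMB 179 -ProcessorCount 4 -TotalRamMB 4096
```

Rerun the estimate with the OsReserveMB you observe on an idle server (Figure 2-25 is where that baseline comes from) rather than the default, since the reserve reduces the RAM-bound figure directly.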
■ You will have to buy RD Session Host servers. This is especially true if you
propose to virtualize the RD Session Host servers and want to get the benefits
of Second-Level Address Translation (SLAT). Older servers won’t have this
technology.
■ You will have to buy RDS client access licenses (RDS CALs) for users to connect
to those servers, regardless of how many servers they’re connecting to. If
you’re using any additional management software on those RD Session Host
servers, you’ll need to purchase those components as well. For example, if
you install Citrix XenApp on your RD Session Host servers, you’ll also need to
purchase both RDS CALs and per-connection licenses from Citrix.
People use RDS for many, many reasons and frequently discover that it’s possible
to reduce long-term costs and increase productivity. Upfront costs aren’t the best
way to determine how to build a sustainable platform, however. Reducing capital
expenditure isn’t generally the goal; reducing operations cost is.
Going back to the original question: Should you have one large server or two (or
more) smaller ones? Most often, you’ll find more servers—scaling out, not up—to
be the more cost-effective and fault-tolerant option. The larger the dual inline
memory modules (DIMMs), the more they’ll cost. More servers also means more
disk I/O paths. In addition, even in a small deployment, with a second or third
server, you create some redundancy in your environment by not relying solely on
one RD Session Host server.
One consideration you might not think of is the operating system that you’re using in the guest VMs. Counterintuitive as it might seem, Windows 7 might scale better than Windows XP even though the Windows XP shell uses less memory. The reason, as discussed earlier in this chapter, is that Windows 7 was designed to take advantage of virtualization and Windows XP was not. Therefore, Windows XP is less efficient when it comes to memory management and processor requests—or any kernel activity, really. Although you might need to run Windows XP for application compatibility reasons in some cases, it might be better to use Windows 7. Again, try it and see.
Can I Run RDS in a VM?
Virtualization is one of the hot topics today. Does virtualization mix with RDS?
The answer to the question is, of course, that it depends.
Part of the answer depends on what roles you want to virtualize. Obviously, RD Virtualization Host requires you to use Hyper-V to host the VMs. For many other role services (for example, RD Gateway, RD Connection Broker, RD Web Access or RD Licensing), running in a VM will probably work fine, although you might be able to support fewer simultaneous connections in a VM than you can in a physical machine. In fact, for years, Terminal Services administrators have run license servers in virtual computers to make it easier to maintain a backup. (This isn’t necessarily supported by Microsoft, depending on the VM platform used, but it is done.)
Virtualizing RD Session Host servers on Hyper-V is supported, but the performance will depend on a few factors. The biggest factor is whether the hardware platform supports SLAT. As was discussed earlier in this chapter, virtualizing complicates memory management. Any operating system has to map virtual memory addresses to physical RAM to retrieve data. Hypervisors have a harder job in that they must keep track of three things:
■ Physical memory
■ The physical memory each VM guest is using
■ The virtual memory each VM guest is using
Remember the page table that the memory manager uses to map virtual memory addresses to RAM? The hypervisor maintains a shadow page table for every guest VM. On a memory-intensive server like an RD Session Host, that’s a lot of memory mapping for the hypervisor to keep track of. Every time the guest VM updates the page table, the hypervisor has to update its shadow page table. Although these tables have to be stored in memory, the problem isn’t really running out of memory addresses—on a 64-bit operating system like Windows Server 2008 R2, that’s not likely to be an issue. It’s actually a problem of processor cycles, because the processor has to chew up cycles updating the shadow page tables.
SLAT-enabled processors improve the situation by maintaining the address mappings in hardware, not software. In other words, on a SLAT-enabled server, the hypervisor does not need to maintain the shadow page tables, because the hardware does that work. The result is that a virtualized RD Session Host server on SLAT hardware can support more sessions than a virtualized RD Session Host running on non-SLAT hardware. Both memory usage and processor overhead will drop.
DIRECT FROM THE FIELD
If you’re running the RD Session Host servers on older Hyper-V hosts that don’t support SLAT, then it’s still supported if you’re using Hyper-V, but your results will depend on how heavily used the RD Session Host servers are. If the load is very light—say only a few users per server—then this might be practical and allow you to avoid dedicating a physical server to an undemanding role. For RD Session Host servers with heavier usage, however, this isn’t likely to be a good fit for several reasons.
■ Disk I/O bottlenecks You’ve learned about how best practices for RD Session Host servers recommend that you have one disk spindle—one physical disk, usually—for each 20 to 30 users.
■ Memory constraints RD Session Host and RD Virtualization Host servers are memory-hungry. A VM host must have a lot of RAM to support many RD Session Host servers. This VM host could also end up being very expensive. Most servers top out at eight slots for RAM. As of this writing, 8-GB DIMMs cost three to four times as much as 4-GB DIMMs. Financially, you’re better off with a second server than one server with twice as much RAM—just using smaller DIMMs.
There is a place for hosting RDS role services (such as a license server) on VMs, however—even if the host does not support SLAT. Connection brokers and license servers don’t need a lot of resources to keep running.
NOTE For those new to RDS, a thin client is a simple computer that is intended to act
entirely or almost entirely as a client to a remote endpoint (for example, RD Session Host
or VM on an RD Virtualization Host). Clients supporting RDP connections typically run
Microsoft Windows CE or an embedded version of Windows. (You’ll see some Linux-based
thin clients, but the RDP clients on Linux are neither developed by nor supported by
Microsoft.)
PCs with local processing power have become so inexpensive that they’re a commodity item in many places—look at netbooks for one example. Purchasing thin clients won’t generally save you money on hardware. The reasons why you’d choose thin clients are different, as follows:
■ When or where PCs won’t work well because of space, vibration, and other environmental issues.
■ When the cost of maintaining individual, personalized computers is very high because of frequent user turnover.
■ When client lockdown is vital. Since thin clients don’t generally run applications locally and don’t have access to data unless they’re connected to the remote endpoint, it’s easier to secure them—all security is on the endpoint.
■ When a user desktop needs to be extremely replaceable. If a PC stops working and you need to replace it, a full replacement is bulky and, if the PC is customized at all for the user, time-consuming. Replacing a thin client means unplugging one terminal and plugging in the new one.
Thin clients generally work best when it’s acceptable for all applications to execute on the remote endpoint (session or VM). It is technically possible to preload a thin client running a full Windows operating system such as Windows XP Embedded with applications, but this would be extremely expensive because of the amount of flash memory and RAM required to store and run those applications locally.
NOTE As of this writing, thin clients running Windows CE Embedded do not support
RemoteApp programs, discussed in Chapter 3 and Chapter 9, “Multi-Server Deployments.”
Outside of those specialized settings where terminals shine, PCs (whether desktops, netbooks, or laptops) are generally the preferred option for one or more of the following reasons:
■ Not all applications might be running remotely. If some applications don’t remote well, they might need to be installed on the client.
■ The user needs access to the applications when disconnected. Mobile workers often do well with RDS, as discussed in Chapter 1, but travelers also go offline at times, such as when they are on airplanes.
■ You plan to use secure access from the Internet via RD Gateway. At this time, RD Gateway does not work with Windows CE, so the lightest-weight thin clients won’t work.
■ You need local processing power to optimize the remote experience. RDP 7 sends Windows Media Player content from the remote endpoint to the client for processing, which looks terrific. However, this requires being able to process the content locally.
In short, you’re most likely to use thin clients to support task-based workers running applications on a LAN, and PCs for users with more complex usage scenarios (offline access, WAN access, and/or a mix of locally executing applications and RemoteApp programs).
are associated with a particular user. An RD Session Host knows which type of licenses to ask for based on whether you’ve configured it to be in per-user or per-device mode. RDS does not have concurrent-user licensing.
The answer to “Which license mode is better?” can best be answered by “Which will cost the least amount of money while still allowing us to comply with the End User License Agreement (EULA)?” To calculate the answer, just consider whether you have more computers or more users. Organizations doing shift work, where three people might use the same computer, will benefit from the per-device mode. Organizations in which the ratio is one user to every computer, or even two computers to every user (for example, if many users have both a desktop computer and a laptop), will benefit from the per-user mode.
Each licensing mode has a limitation, or at least a consideration. Per-user licensing works only with Windows Server 2003 or later and requires Active Directory/AD DS; you cannot use it in a workgroup or within a domain prior to Windows Server 2003. This is because the license usage is stored as a property of the user’s account object. In addition, the license server must be able to update the domain controller to write this property. Although per-device licensing does not have this limitation, the license is associated with a particular device. This can sometimes lead to complications when you retire a PC or are using a thin client that does not store the per-device RDS CALs properly and keeps requesting a new one whenever it connects (not often a problem anymore, but it used to be with some models).
There is one other major difference between per-user and per-device licensing in Windows Server 2008 R2: per-device licensing is enforced, whereas per-user licensing is only tracked. This does not mean it is okay to break the EULA. You still need to buy a per-user license for each person accessing one of your RD Session Host servers.
NOTE Only RD Session Host enforces or even tracks licensing, but using any RDS role
service (RD Gateway, RD Connection Broker, etc.) requires an RDS CAL. To learn more about
how licensing works, see Chapter 12.
NOTE Although application vendors might not test on RD Session Host servers, if an ap-
plication is certified to run on Windows 7, it should run on an RD Session Host server. Not
all features might work as well as they would if the application was installed locally (it de-
pends on what you want the application to do and whether that strains what can be done
on a shared server displaying the application on a remote client), but the main features
of most applications certified to run on Windows 7 should work on Windows Server 2008
R2 RD Session Host servers.
There are three main ways that you can find out if an application will work on an RD Session Host server (or what you’ll need to do to it to make it work well) before actually installing it:
■ Ask if the vendor supports the application on an RD Session Host server, and ask about the recommended configuration. If the vendor has not tested the application on a shared server, you might need to get into some details about the application design. Table 2-3 includes some of the details that you should learn about an application before attempting to run it on an RD Session Host server. This is especially applicable to older or proprietary applications; most applications certified to run on Windows 7 should not have any problems running on a Windows Server 2008 R2 RD Session Host server. They might be resource-intensive, depending on the application (few application developers design with a shared computer in mind), but they will avoid the design flaws that prevent an application from running properly.
■ Check to see if anyone else has successfully run the application on an RD Session Host server. This can be as simple as doing a web search for the name of the application plus “RD Session Host server” (“terminal server” should also work and might generate more hits, because that name has been around longer) or going to the website of an independent software vendor (ISV) who packages applications for automatic deployment on an RD Session Host server. Knowing that it’s been done might not tell you how to tweak the application to make it work on an RD Session Host server, but it will at least inform you that it’s been done.
NOTE See the Remote Desktop Services Community Verified Compatibility Center for a list of applications that have been tested on RDS. The site is at http://www.microsoft.com/rds/compatibility/Default.aspx.
■ Use the RDS Application Analyzer to examine how the tool operates and whether it’s doing anything that will cause problems in a multi-user environment in which a user does not have administrative privileges.
TABLE 2-3 Application Design Questions

Characteristic: Will the application setup automatically begin Add/Remove Programs? (Applies to non-MSI programs only.)
Background: An RD Session Host server has a special mode called Install Mode for installing applications properly for multiple users, which the administrator can set from the command line or by using Add/Remove Programs. If the setup routine is started from Windows Explorer or the command line, the server should change modes.
Implications: If an application does not install in Install Mode, it will not support personalization for each person using it.

Characteristic: Will the application permit multiple versions to be run on the same RD Session Host server?
Background: Different versions of an application might use identically named but different DLLs.
Implications: If more than one version of an application is running on the same RD Session Host server, the applications might have a DLL conflict and not run properly. This issue often can be avoided by creating a server farm to deploy applications or by using App-V.

Characteristic: Does the application separate per-user and per-machine registry data, or does it assume that one user equates to one computer?
Background: Applications might store configuration data in HKEY_LOCAL_MACHINE (the registry hive relating to the computer) or in HKEY_CURRENT_USER (the registry hive relating to the currently logged-in user). RD Session Host servers will have one instance of HKCU for each logged-in user.
Implications: Since many people are running applications on the same RD Session Host server, for personalization to be supported, the application must separate per-machine and per-user data.

Characteristic: Does the application separate per-user and per-machine configuration data, or does it assume that one user equates to one computer?
Background: Applications might store configuration data in the system files, but these might not be (and should not be) available to everyone logged on to the shared server. Applications should store personalized data structures by user.
Implications: Since many people are running applications on the same RD Session Host server, for personalization to be supported, the application must separate per-machine and per-user data.

Characteristic: Does the application allow (or disallow) multiple instances of itself to run as appropriate?
Background: Some administrative applications should only be started once to work best. (A disk-management utility that can mount or format disks is one good example.) Business applications on an RD Session Host server should start more than once, but older apps might permit only one instance of themselves.
Implications: More than one instance of a management application could end up in inconsistencies in user or machine configuration that might result in serious problems. For business applications, if it will run only one instance, it’s useless on an RD Session Host server. It might still run in a VM, however.

Characteristic: Does the application separate computer and user identities?
Background: Some older network applications identify themselves by computer name (or IP address), but on a shared computer, this doesn’t work properly. Applications that have a network presence should be user-specific (like MSN Messenger, for example), not computer-specific (like the old WinChat used to be).
Implications: If an application identifies itself by the computer it’s running on, then it can’t map to a specific user running that application on a shared computer. IP virtualization in Windows Server 2008 R2 does not enable static mappings of user identity to IP addresses.

Characteristic: Does the application assume that the Windows Explorer shell is always present?
Background: Applications should not assume that the Windows Explorer shell will be available—especially now that RemoteApp programs are used. (In addition, your user configuration for File-Save Locations should not assume that the Desktop is available.)
Implications: If an application assumes the Windows Explorer shell is being used, then it might not work properly with RemoteApps.

Characteristic: How does the application communicate with any external hardware resources?
Background: If the application needs to communicate with any external hardware resources, then it should use ports that are supported for redirection.
Implications: Hardware requiring ports that are not supported for redirection won’t work from within an RD Session Host server session.

Characteristic: Does the application assume that the TEMP directory is persistent?
Background: A user’s TEMP directory will be cleaned up when the user logs off a session.
Implications: If the application stores data in Temp files, then that data will be deleted with the TEMP directory when the user logs off.

Characteristic: Does the application rely on a particular version of Internet Explorer?
Background: You can’t install Internet Explorer 6 (for example) on an RD Session Host server, which comes with Windows Internet Explorer 8.
Implications: If a web application requires a previous version of Internet Explorer, then you’ll need to run it on an operating system that supports it. This might be worked around by using Windows XP in a VM as a host.

Characteristic: The application is available in 16-bit only.
Background: Windows Server 2008 R2 is a 64-bit operating system. It can run both 32-bit and 64-bit applications, but not 16-bit.
Implications: A 16-bit application will not run on Windows Server 2008 R2.
If an application won’t work on RD Session Host for one of the reasons listed earlier, that doesn’t necessarily mean that you must install it on the client, as shown in the following examples:
■ If the application requires a previous version of Internet Explorer and won’t work with Internet Explorer 8, then you can run the application on a VM running Windows XP. As Chapter 4 will discuss, you can run it either from a desktop or as a RemoteApp program from the client operating system.
■ If an application stores data in Temp files, you might be able to keep it working using the Flattemp command to keep all temporary data in one folder instead of dividing it during each session.
■ If an application assumes that the shell will be Explorer.exe, then you can run it from a full desktop.
■ If you need to support multiple versions of an application, then you can deploy the application using a server farm or isolate it with App-V.
■ If an application requires administrative privileges to run, you might be able to host it in a VM on RD Virtualization Host.
■ You might be able to run 16-bit applications on 32-bit guest VMs running Windows 7 or (if required) Windows XP.
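The first row of Table 2-3 says that non-MSI setups must run while the server is in Install Mode. The following Windows PowerShell wrapper is an added example, not code from the book: it switches an RD Session Host server into Install Mode with the built-in change user command, runs the setup program you pass in, and always returns the server to Execute Mode afterwards. The function names and the expected wording of the change user /query output are assumptions.

```powershell
# Added example (not from the book). Assumes the built-in change.exe is on the
# PATH (it is on an RD Session Host server) and that 'change user /query'
# reports either "...INSTALL mode..." or "...EXECUTE mode..." (assumption).

function Get-RdsInstallMode {
    # Returns 'Install' or 'Execute' based on the current application mode.
    $text = (& change.exe user /query 2>&1 | Out-String)
    if ($text -match 'INSTALL') { return 'Install' }
    if ($text -match 'EXECUTE') { return 'Execute' }
    throw "Could not determine the application mode from: $text"
}

function Invoke-SetupInInstallMode {
    param(
        [Parameter(Mandatory=$true)][string]$SetupPath,   # path to a non-MSI setup program
        [string[]]$SetupArguments = @()                    # optional installer switches
    )
    if (-not (Test-Path -LiteralPath $SetupPath)) {
        throw "Setup program not found: $SetupPath"
    }

    $originalMode = Get-RdsInstallMode
    if ($originalMode -ne 'Install') {
        # Switch to Install Mode so per-user registry and INI data written by
        # the installer is shadowed for every user, as Table 2-3 describes.
        & change.exe user /install | Out-Null
        if ((Get-RdsInstallMode) -ne 'Install') {
            throw 'Failed to switch the server to Install Mode.'
        }
    }

    try {
        # Run the installer synchronously so the mode is not switched back
        # while it is still writing.
        $startArgs = @{ FilePath = $SetupPath; Wait = $true; PassThru = $true }
        if ($SetupArguments.Count -gt 0) { $startArgs['ArgumentList'] = $SetupArguments }
        $proc = Start-Process @startArgs
        return $proc.ExitCode
    }
    finally {
        # Leaving a server in Install Mode affects every user who logs on
        # afterwards, so restore Execute Mode even if the installer failed.
        if ($originalMode -ne 'Install') {
            & change.exe user /execute | Out-Null
        }
    }
}

# Usage (constructed path, not a real product):
# $exitCode = Invoke-SetupInInstallMode -SetupPath 'C:\Installers\LegacyApp\setup.exe' -SetupArguments '/quiet'
# if ($exitCode -ne 0) { Write-Warning "Installer returned $exitCode" }
```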
Using the tool is fairly straightforward. To begin, download and install the tool and make sure that the RDS Analyzer Service is running (although the tool does not require a reboot, the service won’t start just by being installed). When the service is running, start the tool. You should see a screen like the one shown in Figure 2-31.
FIGURE 2-31 Start the RDS Application Analyzer by clicking the Launch button.
Don’t worry about the Log File section; that’s used only if you’re loading a log file from memory. To test an application, click Browse to locate the program executable file or type the path to the executable. You don’t need to change the symbols path. Before clicking Launch, look at the Launch Options list and choose the right option depending on what you want to test, as follows:
■ To run the application with administrative privileges, select Elevate. Users won’t generally have these privileges, but selecting this option will allow you to get past any initial privilege issues that might normally shut the application down. For initial testing, don’t select this box.
■ To run the application as a normal user, clear the Elevate option and leave Disable Virtualization cleared as well.
■ To really check an application’s compatibility, select Disable Virtualization. This will turn off the registry virtualization enabled in Windows Vista and later to work around application compatibility issues (see the How It Works sidebar here for more details).
HOW IT WORKS
Registry Virtualization
The goal of this feature is to enable support for applications that write to areas of
the registry that the user doesn’t have permission to edit or view.
When you’ve configured the Launch Settings options appropriately, type the path or browse to the executable file to test and click Launch. From here, use the application normally for a while—open and close files, import images, whatever you might do—so you can get a good sense of what file locations and registry keys it’s touching. You might see some Debug information updating in the background, but this is only a small part of the results. When you’re done, close the application. This will prompt the RDS Application Analyzer to log all the data it collected and display the results, as in Figure 2-32 (showing saved log data and obscuring the name of the application being tested, which is not important to understanding the results).
FIGURE 2-32 The Compatibility Summary contains the results of running the RDS Application Analyzer.
As you read this, you can see that only members of the BuiltIn\Administrators group can delete folders in this location, so the action failed.
■ INI Writes Few modern applications still reference INI files, but if you run one that does, you’ll see it here.
■ Token The Token section notes permissions again. If the token required for this application to run is BuiltIn\Administrators, then that application is unlikely to work well on an RD Session Host, where users do not have administrative privileges. An application might use the Administrator rights to do cleanup without assuming that it has them to do the main functions of the application, though.
■ Privilege This tab tells you more about the level of access that the application demands. If it requires SeDebugPrivilege, then it won’t run properly without elevated privileges; it’s running as a service. SeAuditPrivilege is not a problem, though—that just allows the process to generate security audit data.
■ Name Space Name space issues refer to applications attempting to create system objects in a protected namespace. Applications that try to do this will need too many privileges to work without administrative rights.
■ Other Objects This tab includes issues involving object access that aren’t related to the file system or registry entries. Anything listed here is a failed access attempt. The application might still work, but it wasn’t able to do something it was attempting to do.
■ Process This tab lists any issues with process elevation. Again, this will point to an application attempting to elevate its privileges beyond those of a normal user account. Problems here will generally lead to an application failing on an RD Session Host server.
IMPORTANT Both the client and server pieces of RDP determine the user experience,
and the earlier version will always take precedence if there is a conflict. For example, if you
are connecting to Windows XP from an RDC 7 connection, you’ll get the remote experience
of RDP 5.2, because Windows XP does not have the RDP 7 server component. If connecting
to Windows Server 2008 from RDC 7, you’ll get the RDC 6 user experience.
TABLE 2-4 The RDC Connectivity Experience
Columns: Connecting from | Windows 7/Windows Server 2008 R2 | Windows Vista SP+ | Windows Vista SP+ | Windows XP SP3 | Windows XP SP3 | Windows XP SP2 | Windows XP SP2 | Discussed in
Access to virtual desktop pools by using RD Connection Broker | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Chapter 9
(A preceding row, “…sonal desktop by using RD Connection Broker”, and the other rows of this table and of the following RDC feature table, survived extraction only as fragments; the recoverable rows are listed below.)
Enhanced Bitmap Acceleration | Yes | Yes | No | Yes | No | No | No | Chapter 6
Language Bar Docking | Yes | No | No | No | No | No | No | Chapter 6
Easy Print | Yes | Yes | Yes | Yes | Yes | Yes | No | Chapter 6

TABLE 2-6 The RDC Security Feature Experience
Columns: Connecting from | Win7/R2 | Vista SP1 | Vista SP1 | XP SP3 | XP SP3 | XP SP2 | XP SP2 | Discussed in
(A row on background authorization and authentication survived only as its label; its values are not recoverable.)
Gateway Idle & Session Timeouts | Yes | Yes | No | Yes | No | No | No | Chapter 10
NAP remediation with RD Gateway | Yes | Yes | No | Yes | No | No | No | Chapter 10
Summary
After reading this chapter, you should have a good understanding of the internal workings of Windows Server 2008 R2 and how they apply to the RDS roles. You should also have some notion of how to design a test program, how to use the Performance Monitor to estimate the number of users that a server can support, and how to use the Load Simulator. You’ve covered the client requirements and discussed what server roles you’ll need to support different business needs (for example, remote workers).
Best practices for planning a Windows Server 2008 RDS deployment include the following:
■ Try to have one disk spindle for each 20 to 30 simultaneous users of the terminal server to avoid I/O bottlenecks.
■ Don’t install the RD Session Host role service on a VM unless the host supports SLAT. VMs aren’t well suited to the disk I/O and memory demands of terminal servers.
■ Choose applications wisely. Applications certified for Windows 7 should generally run without problems on an RD Session Host server (aside from any issues relating to resource-intensive applications). A proven track record or official support for execution on an RD Session Host server is ideal.
■ Use real-world testing to understand the system and network requirements for the applications and usage profiles you want to support. Estimates based on theory are less useful than experience.
Now that you understand the basic operations of your RD Session Host and RD Virtualization Host servers, the next step is to start setting them up. In Chapter 3, you’ll go through the process of setting up your basic RD Session Host environment, and in Chapter 4, you’ll do the same for an RD Virtualization Host for a very simple deployment.
Additional Resources
A lot of information is covered in this chapter, and even more background is available. If you’d like more details about Windows internals that are relevant to planning RDS deployments, these resources contain additional information:
■ For some tips on capacity planning, see the “Remote Desktop Session Host Capacity Planning in Windows Server 2008 R2” white paper posted at http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=ca837962-4128-4680-b1c0-ad0985939063.
■ You’ve scratched the surface of RDS internals here. For more information about Windows Server internals, see Microsoft Windows Internals, 5th ed., by David Solomon and Mark Russinovich, with Alex Ionescu (Microsoft Press, 2009).
■ See the CD for a link to the RD Load Simulation and RDS Application Analyzer tools.
■ The RDS Team Blog, located at http://blogs.msdn.com/rds.
■ Janique Carbone’s article “Second Level Address Translation Benefits in Hyper-V R2” can be found at http://www.virtualizationadmin.com/articles-tutorials/microsoft-hyper-v-articles/general/second-level-address-translation-benefits-hyper-v-r2.html.
■ To learn what applications others have tested on RD Session Host servers, see http://www.microsoft.com/rds/compatibility/Default.aspx.
CHAPTER 3
You don’t need a complex deployment to test Remote Desktop (RD) Session Host server capabilities. To begin, it is more important that you understand what the RD Session Host (and the RD Virtualization Host, but that will be covered in Chapter 4, “Deploying a Single Remote Desktop Virtualization Host Server”) are doing and how to get them set up properly. Doing this well on a single server will serve you well as you expand and add other roles to your deployment. Therefore, in this chapter, you’ll learn about the basics of this role:
■ How RD Session Host servers work
■ How to install the RD Session Host role service
■ Configuring an RD Session Host server for the best user experience
NOTE All three services run on computers running both Windows Server 2008 R2 and
Windows 7 because both can accept remote interactive connections. You’ll use these
services on the client if you deploy the RD Virtualization Host. A major difference between
the two is licensing. A computer running Windows Server 2008 R2 can run multiple active
connections; a computer running Windows 7 can have only one active connection at any
given time. Even if the computer running Windows Server 2008 isn’t an RD Session Host
server, it can still accept multiple connections for remote administration: two remote and
one local.
The Remote Desktop Services service enables a computer to accept an interactive logon from another computer. Remote Desktop Configuration enables system configuration that needs to happen in the System context (meaning that it’s highly privileged, even more so than the administrative context). The Remote Desktop Services UserMode Port Redirector enables remote device mapping (used for printers, MP3 players, or client-side drives).
To see the impact of these three services, try stopping them.
CAUTION Before Windows Server 2008, the Remote Desktop Services service
(known as the Terminal Services service) could not be stopped; if you tried, you’d
get an error message. Today, you can stop it, even from a remote session. However,
unless you’re prepared to either restart the service remotely using VBScript or
Windows PowerShell, or you can get to the console physically to restart the service,
you might want to skip the first experiment!
If you stop Remote Desktop Services, all remote connections to the computer—including the one you’re using (if you stop the service from a remote connection)—will disconnect immediately. That is, any applications open in a remote session will still run on the RD Session Host server, but the remote connection is ended and anyone using that connection will need to log in again to reconnect. If you need to disconnect everyone from the RD Session Host server immediately, stopping this service will make that happen. It will also only disconnect their sessions, not log them off, so their applications will remain open.
If you stop the Remote Desktop Services UserMode Port Redirector, any client-side devices or drives that you have in the remote session will disappear instantly from My Computer in the remote session. Restarting the service will not bring the redirected resources back after stopping the service deletes them. If you restart this service, anyone who has client-side devices redirected to their terminal session must disconnect from and reconnect to their session to remap those resources to the remote session. This is because when you stop the service, you’re closing down the virtual channels in the Remote Desktop Protocol (RDP) that support device redirection. To bring them back, simply restart the connection.
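The Caution above points out that once Remote Desktop Services is stopped you need a way to start it again without an RDP session. The following Windows PowerShell script is an added example (not the book’s code) that checks the three services discussed here on a remote server through WMI and starts any that are stopped; it assumes the short service names TermService, SessionEnv and UmRdpService, a server name you supply, and administrative rights on that server.

```powershell
# Added example (not from the book). Uses WMI (Win32_Service) rather than an
# RDP session, so it still works after TermService has been stopped.
# Short service names are assumed from the display names in the text.

$RdsServiceNames = @('TermService', 'SessionEnv', 'UmRdpService')
$RdsDisplayNames = @{
    'TermService'  = 'Remote Desktop Services'
    'SessionEnv'   = 'Remote Desktop Configuration'
    'UmRdpService' = 'Remote Desktop Services UserMode Port Redirector'
}

function Get-RdsService {
    param([string]$ComputerName, [string]$Name)
    # One WMI query per service; returns $null if the service is not installed.
    Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter "Name='$Name'"
}

function Get-RdsServiceState {
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    # Returns a hashtable: short service name -> WMI state (Running, Stopped, ...).
    $states = @{}
    foreach ($name in $RdsServiceNames) {
        $svc = Get-RdsService -ComputerName $ComputerName -Name $name
        if ($svc -eq $null) { $states[$name] = 'NotInstalled' } else { $states[$name] = $svc.State }
    }
    return $states
}

function Start-RdsServiceIfStopped {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][string]$Name
    )
    $svc = Get-RdsService -ComputerName $ComputerName -Name $Name
    if ($svc -eq $null) { throw "$Name is not installed on $ComputerName" }
    if ($svc.State -eq 'Running') { return $false }   # nothing to do

    # Win32_Service.StartService() returns 0 on success.
    $result = $svc.StartService()
    if ($result.ReturnValue -ne 0) {
        throw "StartService for $Name on $ComputerName returned $($result.ReturnValue)"
    }
    return $true
}

function Restore-RdsServices {
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    foreach ($name in $RdsServiceNames) {
        $started = Start-RdsServiceIfStopped -ComputerName $ComputerName -Name $name
        if ($started) {
            Write-Host ("Started {0} ({1}) on {2}" -f $name, $RdsDisplayNames[$name], $ComputerName)
            if ($name -eq 'UmRdpService') {
                # As the text explains, restarting the port redirector does not
                # bring redirected devices back; users must disconnect and reconnect.
                Write-Warning 'Redirected client devices return only after users reconnect their sessions.'
            }
        }
    }
    return Get-RdsServiceState -ComputerName $ComputerName
}

# Usage (constructed server name):
# Restore-RdsServices -ComputerName 'RDSH01'
```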
NOTE For more about virtual channels, see Chapter 6, “Customizing the User Experience.”
The Remote Desktop Configuration service is responsible for all Remote Desktop Services and Remote Desktop–related configuration and session maintenance activities that require the SYSTEM context. These include per-session temporary folders, themes, and certificates.
• Windows user interface and application screens (from endpoint to client)
• Mouse clicks and keystrokes (from client to endpoint)
• Sound (both directions)
• Redirected devices such as printers and drives
• Multimedia display (endpoint to client)
■ Package the RDP data for transport over the network protocol [Transmission Control Protocol (TCP/IP), in this case]
At boot time, the server completes a series of steps to enable RD Session Host functionality:
1. The System process loads the Session Manager.
NOTE The System process is different from other processes (described in Chapter 2,
“Key Architectural Concepts for Remote Desktop Services”). It does not host an execut-
able image but exists solely to host operating system threads for the memory manager,
cache manager, and other subsystems, as well as device driver threads. See Chapter 2
for more on what these subsystems do.
ON THE COMPANION MEDIA Download Process Monitor from the following link,
available on this book’s companion media: http://technet.microsoft.com/en-us
/sysinternals/bb896645.aspx.
Getting the services running in Session 0 sets the stage for the RD Session Host server to begin accepting incoming sessions. The following sections will explain the roles these services play in setting up the user environment for each session.
NOTE To see which processes run in Session 0, run Task Manager. From the Process tab,
choose View, Select Columns to open the Select Process Page Columns dialog box. From
the list, make sure that the box is selected for Session ID. On the Process tab, you’ll now be
able to see which processes run in Session 0.
[Figure 3-1 labels: Connection request → RDP Listener; (3) Creates connection object; Connection data (color depth, redirection settings, etc.)]
FIGURE 3-1 The connection object prepares the computer to accept a connection.
[Figure 3-2 labels: Connection request → RDP Listener; (1) Opens communications; License info: includes name of the client]
FIGURE 3-2 The Remote Desktop Services service handles connection licensing needs.
Here are the steps in this process:
1. The Remote Desktop Services service tells the connection object the Session ID and its globally unique identifier (GUID) for the new session.
2. Set up the video and mouse/keyboard connections for base connectivity between the client and the session. At this point, the session is initialized. The user is not connected to the session at this point; the session is just prepared for the connection.
3. At this point, the RD Session Host does one final check. Given the user’s name and domain (and their security token) and the session ID to which they’re attempting to connect, are they allowed to log onto this session? If so, the connection continues; if not, the connection ends.
4. Is the user allowed to have more than one session? If so, what are the session IDs for the sessions that they have available?
At this point, the user logs on and the Group Policy settings corresponding to the user (recall that the computer policies were applied earlier) are applied to the session.
Those are the steps to set up a functioning connection. Let’s look a little more at how the services on the RD Session Host support this process.
NOTE If you’re using Network Level Authentication (NLA) for pre-authentication, the
logon process works a little differently. NLA and securing RDP connections are covered in
Chapter 8, “Securing Remote Desktop Protocol Connections.”
[Figure 3-4 labels: Session 0 holds the Session Manager (SMSS.EXE) and the Local Session Manager (LSM.EXE); User 1, User 2, … User n connect to Session 1, Session 2, … Session n, each containing its own SMSS.EXE, CSRSS.EXE, and WINLOGON.EXE]
FIGURE 3-4 The Session Manager in Windows Server 2008 R2 can start multiple sessions at once by loading multiple copies of itself.
When the child instance of the Session Manager starts, it starts the Windows subsystem (Csrss.exe and Winlogon.exe) and then exits.
When Smss.exe enables new sessions, it does so with the help of several other services. The Local Session Manager accepts the incoming connections and helps determine whether a computer can connect to the server. The Remote Desktop Services service allows a server to interact with incoming connections. All these services are managed by the Service Control Manager. To recap, see Table 3-1.
Columns: Function | Supporting component | File name
Create, destroy, enumerate, and manipulate sessions. Prior to Windows Server 2008, it was incorporated into the Terminal Services service. It is now an independent process. | Local Session Manager | Lsm.exe
Check credentials collected by the credential provider and create a token identifying the user | Local Security Authority | Lsass.exe
Start, stop, restart, and pause Windows services | Service Control Manager | Services.exe
Create new sessions | Session Manager | Smss.exe
Enable multiple sessions on a server and provide the run-time interfaces for communication between client session and the operating system. Also known as the Remote Connection Manager | RDS | Termsrv.dll
Want to learn more about what happens within that new session? Read on.
NOTE In versions of Windows prior to Windows Vista, Winlogon.exe started the Graphical Identification and Authentication (GINA) dynamic-link library (DLL) specified in the registry. Windows Vista and Windows Server 2008 (as well as Windows Server 2008 R2 and Windows 7) replaced the GINA with a credential provider, identified (if not the default) in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers. It has a different name, but plays the same basic role for storing credentials. (It doesn't do some other things that a custom GINA could do, however.)
4. The credential provider passes the credentials to the Local System Authority, which checks them against the security database, which is Active Directory Domain Services (AD DS) for a domain account or the local computer's security account manager for a local account.
Figure 3-5 illustrates how these components work together to allow you to log onto the RD Session Host server.
[Figure 3-5: diagram of the user session showing the Windows Subsystem (CSRSS.EXE) and the Credential Provider collecting the user name and password.]
Table 3-2 shows the user-mode processes that create the common user environment (minus the applications that you'd also expect to see running). You won't actually see all these from Task Manager.
TABLE 3-2 User-Mode Processes That Support Each Session's Windows Environment
FUNCTION | SUPPORTING COMPONENT | FILE NAME
Create graphical effects used in Aero Glass (for example, Flip and transparent thumbnail views of minimized applications) in video memory, then send them to the screen when composed | Desktop Window Manager | Dwm.exe
Display the Windows Shell for desktops | Windows Explorer | Explorer.exe
Enable clipboard redirection between the session and the client | Clipboard redirection tool | Rdpclip.exe
Display RemoteApp programs | The Windows shell for RemoteApp programs | RDPShell.exe
Supply information to management interfaces on the RD Session Host server | Windows Remote Desktop Services API | Wtsapi.dll
Remote sessions aren't interesting without interaction, however. That's where the last step of passing data between client and server comes in.
SESSION STRUCTURE
One connection to an RD Session Host server is normally equivalent to one session. In other words, there's never any question on the client as to which session some input should go to, because each session's communication with the RD Session Host server will be handled separately from within the session. Even RemoteApp programs will all run within the same session as long as they're on the same server. The only time you'd have more than one session on the same server is if you deliberately connected to a second desktop and the RD Session Host server was configured to permit more than one session on the same server.
Session isolation has evolved over the years. As you can see from Figure 3-6, the operating system can be session-aware in various areas. At the kernel level, the memory manager (for example) must be session-aware so it can map data to the right set of user-mode addresses (as discussed in Chapter 2). New kernel-mode awareness of sessions was introduced in Windows Server 2008 R2 with Dynamic Fair Share Scheduler (DFSS), which allocates processor time evenly among sessions. (DFSS is part of the Process Scheduler component in Figure 3-6.)
At the service level, all services run in Session 0 and are session-aware to the extent that they are not mapped to any single user identity. In Windows Server 2008 and later, even system administrators don't interact with Session 0 anymore.
At the session level, there's a separate instance of the Windows subsystem, Windows Logon, Win32k.sys (to prevent one session from being able to manipulate windows in another session), and now in Windows Server 2008 R2, even Internet Protocol (IP) virtualization for WinSock applications (any application written to use the Windows Socket API for communicating with TCP/IP).
[Figure 3-6: per-session components for Session 1, Session 2 ... Session n, each with its own WINLOGON, CSRSS and Win32K Subsystem; IP Virtualization is marked as new in Windows Server 2008 R2.]
IDENTIFYING PROCESSES
If you're in a single session, how do you get the right data to the right instance of an application and send the feedback to the correct session? One way is that each session has a unique identifier on the RD Session Host server (the Session ID that you can see in the Remote Desktop Services Manager discussed in Chapter 11, "Managing Remote Desktop Sessions"). Activity within a session is identified to the RD Session Host server by its Session ID, not by the name of the person logged on to the session. Therefore, even if one person has more than one session open on the same server, the server won't confuse the sessions.
The RD Session Host server also avoids confusion through the way the operating system identifies processes. Windows Server 2008 R2 identifies processes running on an RD Session Host server not only by their names but by their Process IDs. (This is true on any Windows operating system, but on an RD Session Host server, it's even more important because of the likelihood that many processes will be duplicated.) A Process ID is also unique on an RD Session Host server. Process IDs are covered in more detail in Chapter 11, as part of the discussion about managing user sessions and processes.
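To see this identification scheme in practice, here is an added Windows PowerShell example (not code from the book) that lists every process on the RD Session Host with its Session ID, Process ID and owning account, then reports which image names are running in more than one session. It assumes it is run in an elevated PowerShell session on the RD Session Host so that other users' processes are visible.

```powershell
# Added example, not the book's code. Run elevated on the RD Session Host.
# Win32_Process exposes SessionId and ProcessId; GetOwner() resolves the account.

function Get-SessionProcessMap {
    Get-WmiObject -Class Win32_Process | ForEach-Object {
        $owner = $_.GetOwner()                       # ReturnValue 0 = owner resolved
        $user = '(not available)'                    # e.g. the Idle or System process
        if ($owner.ReturnValue -eq 0) { $user = '{0}\{1}' -f $owner.Domain, $owner.User }
        New-Object PSObject -Property @{
            SessionId = $_.SessionId
            ProcessId = $_.ProcessId
            Name      = $_.Name
            Owner     = $user
        }
    } | Sort-Object SessionId, Name, ProcessId
}

# Per-session summary: Session 0 holds the services; each user session holds its own
# Csrss.exe, Winlogon.exe, Explorer.exe and so on under the logged-on user's account.
function Get-SessionSummary {
    param([Parameter(Mandatory = $true)] [object[]] $Map)
    $Map | Group-Object SessionId | ForEach-Object {
        New-Object PSObject -Property @{
            SessionId    = [int] $_.Name
            ProcessCount = $_.Count
            Owners       = ($_.Group | Select-Object -ExpandProperty Owner -Unique) -join '; '
        }
    } | Sort-Object SessionId
}

# Image names present in more than one session: only the (SessionId, ProcessId) pair
# tells these instances apart, which is the point made in the text above.
function Get-DuplicatedImages {
    param([Parameter(Mandatory = $true)] [object[]] $Map)
    $Map | Group-Object Name | ForEach-Object {
        $sessions = @($_.Group | Select-Object -ExpandProperty SessionId -Unique)
        if ($sessions.Count -gt 1) {
            New-Object PSObject -Property @{
                Name     = $_.Name
                Sessions = ($sessions | Sort-Object) -join ','
                Pids     = ($_.Group | Sort-Object SessionId |
                            ForEach-Object { '{0}:{1}' -f $_.SessionId, $_.ProcessId }) -join ' '
            }
        }
    }
}

$map = Get-SessionProcessMap
Get-SessionSummary -Map $map | Format-Table SessionId, ProcessCount, Owners -AutoSize
Get-DuplicatedImages -Map $map | Format-Table Name, Sessions, Pids -AutoSize
```

Pids are shown as SessionId:ProcessId pairs, so the same image name in two sessions is listed with two distinct identifiers.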
• The Multipoint Communication Service (MCS), which assigns data to virtual channels and sets the priority of each so that GCC can work with all the virtual channels as a single pipe
■ The RDP stack has three jobs:
• Rdpwd.sys transforms display data into RDP commands to be transmitted to the session
TABLE 3-3 Key Drivers and Services: Sessions or the Entire RD Session Host Server
FUNCTION SUPPORTING COMPONENT FILE NAME
The client also has some work to do to pass data between the session and the RD Session Host server for processing (see Table 3-4). Win32k.sys is the kernel-mode component of the Windows subsystem that manages mouse and keyboard input and sends it to the right application. Rdpdd.sys is the display driver that packages Windows neatly to be processed by the Remote Desktop Services Device Driver.
TABLE 3-4 Key Services and Drivers Running Within Sessions on the RD Session Host
FUNCTION | SUPPORTING COMPONENT | FILE NAME
Manage the Windows graphical user interface (GUI) environment by taking the mouse and keyboard inputs and sending them to the appropriate application | Kernel-mode component of the Windows subsystem | Win32k.sys
Capture the Windows user interface and translate it into a form that is readily converted by Rdpwd.sys into the RDP protocol | RDP display driver | Rdpdd.dll
The communication between each session and the client logged into it uses virtual channels. Each kind of data has its own virtual channel so that data transfer can be enabled or disabled selectively. For instance, it's possible to disable clipboard redirection while still allowing other types of data to pass between client and server.
Virtual channels can be static or dynamic. Static virtual channels are created at the beginning of a session and remain until that session is disconnected or terminated. You can't create new static channels during a session. Dynamic virtual channels are created and torn down on demand, such as when a new device is connected to a terminal session. For more information about virtual channels, see Chapter 6.
The Win32k.sys driver is also responsible for loading and managing the display driver associated with each session; this allows different display drivers to be loaded in different sessions. As an example, the NVIDIA driver can be loaded in the physical console session and the RD Session Host server display driver, RDPDD, can be loaded in a different session.
Some other subsystems of the operating system that are session-aware in this manner are
[Figure 3-7: architecture diagram divided into System Space and Session Space, and into User Mode and Kernel Mode. System Space, User Mode: SVCHOST.EXE hosting TERMSRV.DLL (Remote Connection Manager, running as Network Service) with the protocol-dependent components RDPWSX.DLL, GCC and MCSMUX; SMSS.EXE (Session Manager) and LSM.EXE (Local Session Manager, running as System), connected by LPC/RPC. Session Space, User Mode (Session 1, Session 2 ... Session n): WINLOGON.EXE (Windows Logon Process) with WINSTA.DLL, LogonUI and DWM; UserInit/RDPInit; Explorer/RDP Shell; CSRSS.EXE (Client-Server Runtime Subsystem); Application 1 ... Application n (user applications running in the session); RDPCLIP.EXE (Clipboard Redirector, static virtual channel); RDPENDP.DLL (Remote Audio Endpoint, static virtual channel); TSAppCompat; WTSAPI.DLL (Remote Desktop Services Client DLL for RDS administration, over RPC). System Space, Kernel Mode: TERMDD.SYS (Remote Desktop Services Driver, a protocol-agnostic device driver whose primary function is the Dynamic Virtual Channel Manager, with Stack Instance 1 and Stack Instance 2); RDPDR.SYS (RDP Device Redirection); RDPWD.SYS (RDP Winstation Driver); WDTSHARE.SYS; TDTCP.SYS (TCP/IP Device Driver). Session Space, Kernel Mode: WIN32K.SYS (GDI, Beep Channel, Keyboard Channel, Video Channel, BASEVIDEO) and RDPDD.DLL (RDP Display Driver).]
FIGURE 3-7 These are the components of Remote Desktop Services architecture in Windows Server 2008 R2.
This model has been discussed in the preceding pages, but there's a lot of data here. First, here is a quick description of what's happening in each quadrant of this illustration, which is broken out between system space (common to all sessions on the RD Session Host server) and session space (unique to each session), and between kernel mode and user mode.
In the upper-left quadrant (System Space, User Mode), the RD Session Host server is starting sessions, accepting incoming connections, and organizing virtual channels. In the upper-right quadrant (Session Space, User Mode), the session runs the following: its Windows logon processes, the Windows subsystem (CSRSS.exe) for presenting all aspects of the user interface, its shell, and its applications.
In the lower-left quadrant (System Space, Kernel Mode), the server is loading and managing the protocol-specific functionality of the session. That is, RDP is only one possible protocol that you can use to interact with an RD Session Host server. ICA, used for connecting to servers with Citrix's XenApp extensions to RD Session Host installed, is another.
In the lower-right quadrant (Session Space, Kernel Mode), the session packages the display data and input data to be processed by the display protocol when working in the Kernel Mode section of System Space.
NOTE There is a lot of time spent installing roles during the course of this book, and you
might notice some steps are skipped to avoid unnecessary repetition, but it’s worth going
into detail once so you understand the processes involved.
NOTE Do not install the RD Session Host role on a server that already has the Active
Directory Domain Services role installed. First, it’s not good security practice to allow users
to connect to a domain controller. Second, should some problem with a user or applica-
tion require you to bring down the RD Session Host server for maintenance, you’ll have a
domain controller offline.
FIGURE 3-8 Choose the Remote Desktop Services role from the list.
Now, you can see why the Add Roles Wizard offered only Remote Desktop Services on the Select Server Roles page; from here (see Figure 3-9), you can choose any of the related role services. For now, stick with adding RD Session Host and click Next.
FIGURE 3-9 Choose Remote Desktop Session Host from the list of RDS role services.
Next, you'll see the Application Compatibility page telling you that if you installed applications on the server prior to installing RDS, some of the existing applications might not work in a multiple user environment. (You'll learn more about the reasons for this later in this chapter.) Click Next.
Until now, most questions have been fairly self-explanatory. As shown in Figure 3-10, however, you need to make a decision about whether you want computers logging into the RD Session Host server to support NLA.
FIGURE 3-10 Choose NLA to protect the server from failed logon attacks or do not require it to support broader access to the RD Session Host server.
NLA requires users to be authenticated before they make a full connection to the RD Session Host server, thus protecting the server from denial-of-service (DoS) attacks using failed logon attempts to use up all the server's processor time.
NLA is supported only for RDC 6.x and later, but more importantly, it employs the Credential Security Provider (CredSSP) to authenticate the user early in the process. You'll find out more about the details in Chapter 8, but for now, you need to know three things:
■ Requiring NLA enables you to force users to authenticate themselves before they can create a connection to the RD Session Host server.
■ If you require NLA, only clients supporting CredSSP (at least those running Windows 7, Windows Vista SP1 or later, or Windows XP SP3) will be able to connect to the RD Session Host server.
■ NLA is not available with Windows Vista RTM or Windows XP SP2; it requires the service pack updates that add support for CredSSP. NLA is not a service of RDP.
NOTE The decision to require NLA isn’t final; as with many configuration settings, you can
change your mind later by reconfiguring the host.
Next, you can choose the license mode of the RD Session Host server (see Figure 3-11). An RD Session Host server can be in per-user or per-device mode—that is, it can accept either per-user licenses or per-device licenses—but not both at the same time. The incoming connection must present the kind of license that the server is expecting, if the machine or user making the connection already has one. It also means that if the incoming connection doesn't present a Remote Desktop Services client access license (RDS CAL) at connection time, and the RD Session Host server has to request one from the license server, then the licenses on the license server must be a type the RD Session Host server is able to accept. This is discussed in more depth in Chapter 12, "Licensing Remote Desktop Services."
NOTE In Windows Server 2003, you had to choose the license mode when installing a
terminal server. In Windows Server 2008 and later, you can delay this decision until you
are certain what types of licenses will be available. An RD Session Host server in Configure
Later mode will not ask incoming connections for a license, but an RD Session Host server
can be in this mode only during its grace period (120 days). After that, it will not accept
connections without a license server and a licensing mode.
FIGURE 3-11 Choose the appropriate license mode or delay the decision until you have more information.
HOW IT WORKS
So, why should people use the Configure Later option? Why not just require
people to choose a license mode when they install the server? After all, they can
change this mode later using the Remote Desktop Session Host Configuration tool.
The reason is simple: That’s the way it worked in Windows Server 2003 and it caused
some problems.
Before Windows Server 2003, there was only one license mode for terminal servers:
per-device. This model was enforced, meaning that a terminal server set up to ac-
cept per-device Terminal Services client access licenses (TS CALs) would eventually
stop accepting connections from computers unable to present one. This model was
also the default mode for terminal servers running Windows Server 2003, but Win-
dows Server 2003 introduced a new license mode for terminal servers: per-user.
The trouble started when people installed the terminal servers without really look-
ing at the license mode option, since this had not mattered before Windows Server
2003. They installed the terminal servers in per-device mode, because that was the
default, but often got per-user licenses, because that model fit their needs better.
Because the terminal servers weren’t set up to use or issue per-user TS CALs, the
terminal servers stopped accepting connections. Although the Event Log recorded
the problem and (with Service Pack 1 for Windows Server 2003) pop-up windows
warned administrators when they logged in, this didn’t entirely fix the problem.
Because RD Session Host servers must now be in one mode or the other, part of
the solution in Windows Server 2008 and later is a Configure Later option. The RD
Session Host licensing mode will eventually need to be configured, but at least the
administrator is making a conscious choice when configuring it.
Next, you'll choose who has access to the RD Session Host Server. Access is partially determined by user membership in the Remote Desktop Users group (see Figure 3-12). Only members of this group can connect to the RD Session Host server.
FIGURE 3-12 Add groups to the Remote Desktop Users group to enable user connections.
By default, the local Administrator's group is added already. To add more people to the Remote Desktop Users group, click Add to open the Select Users dialog box. Enter the security group or users to add, click Check Names to validate the name of the accounts, and then click OK. For example, you might add the Domain Users group to the Remote Desktop Users group. (You can do this because Domain Users is a global group and Remote Desktop Users is a local group; global groups can be members of local groups.) Then, you can deny access to groups or users selectively.
Why would you limit who is allowed to use the server? Three reasons, as follows:
■ You have a limited number of RDS CALs available, and you don't want to give them to users who don't really need them.
■ You have a limited number of application user licenses available for applications on the RD Session Host server, and you don't want to use them unnecessarily.
■ You sized the server for a certain number of users, and you want to limit the number allowed to log on to your size limit.
NOTE You can deny even members of the Remote Desktop Users group the right to log
on by editing their user account properties in Active Directory Users And Computers, or
through Group Policy. They just can’t log on if they’re not members of the Remote Desktop
Users group.
Another option to limit user access is to create a security group called, for example, Company RDS Users. Add only users that need access to the RD Session Host server to this group, and then add the Company RDS Users group to the Remote Desktop Users group.
NOTE If you’re not sure of the name of the group or user accounts you want to add, click
Advanced, choose the proper domain or computer, and click Find Now to populate the
Search Results area. Then you can select the users or groups to add.
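The dedicated-group approach just described, done from Windows PowerShell, as an added example that is not code from the book: it adds a domain global group to the local Remote Desktop Users group through the ADSI WinNT provider, lists the resulting members, and flags members that would open the server to far more accounts than a dedicated group does. CONTOSO and Company RDS Users are placeholder names; run it elevated on the RD Session Host.

```powershell
# Added example, not the book's code. CONTOSO and 'Company RDS Users' are placeholders.
# The ADSI WinNT provider reaches the local group database on the RD Session Host.
$RdpGroup = [ADSI] 'WinNT://./Remote Desktop Users,group'

function Get-RemoteDesktopUsersMembers {
    # Each member comes back as a COM object; ADsPath reads as WinNT://DOMAIN/Name.
    $RdpGroup.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
    }
}

function Add-RemoteDesktopUsersMember {
    param([Parameter(Mandatory = $true)] [string] $Domain,
          [Parameter(Mandatory = $true)] [string] $GroupName)
    # A domain global group can be a member of this local group, as the text notes.
    $RdpGroup.Add("WinNT://$Domain/$GroupName,group")
}

# Members that grant Remote Desktop access to a very wide population rather than to the
# people who actually need the server (and its RDS CALs and application licenses).
function Test-BroadMembership {
    param([string[]] $Members)
    $broad = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users')
    $Members | Where-Object { $m = $_; $broad | Where-Object { $m -like "*/$_" } }
}

Add-RemoteDesktopUsersMember -Domain 'CONTOSO' -GroupName 'Company RDS Users'
$members = Get-RemoteDesktopUsersMembers
$members
Test-BroadMembership -Members $members | ForEach-Object {
    Write-Warning ("'{0}' grants Remote Desktop access to a very wide population" -f $_)
}
```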
After you have added the appropriate users and groups, click Next. On the next page (shown in Figure 3-13), you have a few options available to make the user experience on the RD Session Host include some functionalities users would experience using Windows 7. This screen is new to Windows Server 2008 R2.
FIGURE 3-13 Options are available to enhance the user experience on the RD Session Host server.
NOTE The Desktop Experience feature (which includes features included in the typi-
cal Windows 7 experience such as Windows Calendar, Desktop Themes, Windows Media
Player, and Snipping Tool) will be installed automatically if you select either the Audio And
Video playback or Desktop Composition options.
One thing to consider when enabling these options is the potential impact on the bandwidth provided for the session connections. A user playing back audio and video files will take up more bandwidth than a user editing spreadsheets. How much more depends on how the users work, so if you are enabling these features, it's a good idea to make sure your RD Session Host server load testing includes representative data of these activities. (See Chapter 2 for more information on load testing.)
The last stage is confirming the settings that you specified during the wizard, as shown in Figure 3-14.
FIGURE 3-14 Confirm the settings in your setup before installing.
After you click Install, the server will take some time installing the service. When it's finished, you'll be prompted to restart the server and get a second chance at printing or saving the configuration report. When you click Close, you will be prompted to restart the server. After rebooting, as you start up again, the RD Session Host server will spend a few minutes processing and making final recommendations, as shown in Figure 3-15.
You might have already installed Desktop Experience if you chose to enable audio and video playback and/or Desktop Composition features. Desktop Experience is important. As you'll learn in Chapter 6, it's required to enable the Plug and Play framework for automatically detecting client-side plug-and-play devices such as cameras. If you don't install Desktop Experience, you won't be able to redirect these devices seamlessly to the remote connection. You'll also need it for audio and multimedia redirection.
NOTE To install Windows roles, role services, and features via Windows PowerShell, you
must run Windows PowerShell with elevated privileges.
To run Server Manager cmdlets in Windows PowerShell, first import the Servermanager module like this:
Import-Module servermanager
To see which commands are available for this module, assign the result of getting the Servermanager module to a variable, as shown here:
$sm
ModuleType Name ExportedCommands
---------- ---- ----------------
Manifest servermanager {Remove-WindowsFeature, Get-WindowsFeat...
You can see from the resulting text that there are multiple ExportedCommands available with this module, but they are not all listed here (some are hidden by the ellipsis). To see clearly all the commands offered by this module, type the following command:
$sm.exportedcommands
Name Value
---- -----
Remove-WindowsFeature Remove-WindowsFeature
Get-WindowsFeature Get-WindowsFeature
Add-WindowsFeature Add-WindowsFeature
You want to add the RD Session Host server role service, so type Add-WindowsFeature to get a long list of all the features you could install on this server. The Remote Desktop Services role services that you can install are shown here:
From the resulting list, you now know both the display name (Remote Desktop Session Host) and its corresponding "name" (RDS-RD-Server). Install the Remote Desktop Session Host role by referencing the server role name like this:
Add-WindowsFeature RDS-RD-Server
A successful install returns the following:
Reboot the server to finish the installation process, as instructed. To reboot from Windows PowerShell, type:
Shutdown /r
Installing RD Session Host via Windows PowerShell doesn't give you the option of configuring any options. When you install this way, the RD Session Host server will be set up with all the default settings. The Remote Desktop Users group will be empty. In addition, the server will not prompt you for NLA options or the enhanced user experience options (enabling desktop composition, and so on).
NOTE If you have installed and removed this role service in the past, take care to double-check your settings, because some settings (NLA, users added to the Remote Desktop Users group, and so on) will retain the information from the previous install, and if Desktop Experience was installed before, it is likely to be installed now unless you specifically removed it.
To remove the role service, type the following command and then reboot the server as specified by the resulting instructions:
remove-windowsfeature RDS-RD-Server
WARNING: [Removal] Succeeded: [Remote Desktop Services] Remote Desktop Session
Host. You must restart this server to finish the removal process.
Allocating Processor Time
One of the nightmare scenarios for a shared computer is that of the user who is such a heavy user of RAM and processor time that he or she affects even light users. This is sometimes a reason for organizing users based on how much they will stress a server, and sometimes a reason for not putting heavy users onto the shared server at all.
Isolating users on their own computers isn't always ideal (or even possible), and what do you do if people's use patterns change over time? A better answer is to do what you can to even out resource usage automatically.
In Windows Server 2008, to make sure that processor time would be fairly allocated among sessions, you'd configure the Windows System Resource Manager (WSRM). This tool evens out processor time by monitoring processes and lowering their priority if they start affecting the performance of the processes running in other sessions. When a process receives more processor time than others, WSRM lowers its priority for a while so that it waits for threads in other processes to execute. (It's similar to the way in which a process that isn't getting enough time can have its priority temporarily boosted to get its threads through some processor cycles.) WSRM is reactive; for it to get involved, a process must take too many processor cycles.
NOTE A bug in Windows Server 2008 made WSRM very resource-intensive. If you had
this problem on Windows Server 2008, see http://support.microsoft.com/kb/970067 for a
solution. This issue was fixed in Windows Server 2008 R2.
The catch with WSRM is that it is reactive. Not only that, but it's not enabled by default. In other words, you have to configure it properly, and even if you do, there has to be a problem before WSRM can respond (the delay wouldn't normally be more than a few seconds, but it's worth mentioning). In Windows Server 2008 R2, Windows Server added DFSS, a new feature that operates in the kernel and makes sure that each session is using no more than its fair share of processor time. That is, if a server has five sessions running, then each session should get no more than 20 percent of processor time, but a session does not have to use that much. This feature is enabled by default. You can disable this feature by setting the value of the following registry entry to 0, as follows:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SessionManager\DFSS\EnableDFSS
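As an added Windows PowerShell example (not code from the book), the following reads the EnableDFSS policy value named above, reports whether fair-share scheduling is at its default or has been switched off, and can restore it; it also reports whether the WSRM service is even present, since the text contrasts the two mechanisms. The service name WSRM is an assumption; run it elevated on the RD Session Host.

```powershell
# Added example, not the book's code. Reads and sets the DFSS policy value named above.
# When the value is absent, DFSS runs at its default, which is enabled.
$DfssPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SessionManager\DFSS'

function Get-DfssPolicyState {
    $props = Get-ItemProperty -Path $DfssPolicyKey -Name EnableDFSS -ErrorAction SilentlyContinue
    if ($props -eq $null) { return 'Enabled (default; no EnableDFSS policy value present)' }
    if ($props.EnableDFSS -eq 0) { return 'Disabled by policy (EnableDFSS = 0)' }
    return ('Enabled by policy (EnableDFSS = {0})' -f $props.EnableDFSS)
}

function Set-DfssPolicyState {
    param([Parameter(Mandatory = $true)] [bool] $Enabled)
    if (-not (Test-Path -Path $DfssPolicyKey)) {
        New-Item -Path $DfssPolicyKey -Force | Out-Null   # creates SessionManager\DFSS if missing
    }
    $value = 0
    if ($Enabled) { $value = 1 }
    Set-ItemProperty -Path $DfssPolicyKey -Name EnableDFSS -Value $value -Type DWord
}

# WSRM is a separately installed, reactive service; report whether it is present so the
# two mechanisms are not confused. 'WSRM' as the service name is an assumption.
function Get-WsrmServiceState {
    $svc = Get-Service -Name WSRM -ErrorAction SilentlyContinue
    if ($svc -eq $null) { return 'Not installed' }
    return $svc.Status.ToString()
}

'DFSS: ' + (Get-DfssPolicyState)
'WSRM service: ' + (Get-WsrmServiceState)
# To put fair-share scheduling back explicitly after someone has set EnableDFSS to 0:
# Set-DfssPolicyState -Enabled $true
```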
If allocating processor time evenly across all sessions works for you, then you're done. If you're interested in weighting sessions—perhaps to let the people facing a tight deadline crunch numbers in their spreadsheets faster—then you can set up weighted sessions using WSRM, as described in the following sections.
CAUTION WSRM has a memory management feature that can limit the size of a
process’s working set or committed memory. Do not use this feature on an RD Ses-
sion Host server. First, it is not session-aware; it just limits the memory available to
a particular process regardless of where it’s running. Second, starving a process of
memory will make it run more slowly, which is very frustrating in an interactive ap-
plication (less so for an application running in the background). If a process is taking
up too much memory, then add more memory to the RD Session Host server or (as a
last resort) remove the application in question from the farm.
Installing WSRM
To install WSRM, start Server Manager. Right-click Features and click Add Features to start the Add Features Wizard. Scroll down the list to select Windows Server Resource Manager. When you select it, you might be prompted to install an additional component. WSRM requires that you have a database to store historical data, so if the Windows Internal Database isn't already installed (and it could be; it's also used by several other features), you'll be prompted to add that feature. Go ahead and install it if prompted to do so by clicking Add Required Features.
When you click Next, you'll see a confirmation page showing the features that you will install. Click Install to perform the installation.
When the installation is finished, Server Manager will show you that the two features are fully installed. Close the dialog box; you don't need to reboot.
To install WSRM from Windows PowerShell, use the following code to import the module and then start the service:
Import-Module servermanager
add-WindowsFeature WSRM
Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True No Success {Windows Internal Database, Windows System...
CAUTION If you have not already configured Weighted Remote Sessions as the
managing policy, then first make sure that no one is logged into the RD Session Host
server that you’re configuring and then put it into drain mode from RD Session Host
Configuration. Changing the managing policy requires a reboot.
Right-click the Weighted Remote Sessions policy and choose Properties from the menu to open the dialog box in Figure 3-17. This dialog box shows all the groups for which you've configured this policy, so it should be empty.
To add a group, click Add to open the dialog box in Figure 3-18. The Priority options in the drop-down list are Premium, Standard, and Basic. They're in descending order of their priority for getting processor time.
Click Add to add a new user or group to the list. This will open the dialog box shown in Figure 3-19. This is the standard dialog box for picking users or groups; use it as you normally would for choosing user groups.
When you've chosen the right users, they'll appear in the Add Users Or Groups dialog box, shown in Figure 3-20. Choose the right priority and click OK. To add more users, click Add.
FIGURE 3-20 Set user or group priority.
When you click OK, all the users you've configured so far will be in the Weighted Remote Sessions Properties dialog box, as shown in Figure 3-21. As you can see, the priority of each is listed here. If you need to change a priority, click Edit to return to the Add Users Or Groups dialog box and change the priority as needed. Click OK when you're done.
To finish, click Set As Managing Policy in the right pane to change the default policy to Weighted Remote Sessions; doing this makes it possible to give some groups or users more weight. This will require a reboot to start working. (You can also take this step before configuring the policy, but one way or another, you'll need to reboot the server after changing the default policy in WSRM.)
Enabling Plug and Play Redirection with the Desktop Experience
To enable Plug and Play redirection on the RD Session Host server, install Desktop Experience. This feature requires no configuration and little setup. To install it, simply open the Server Manager and migrate to the list of features. Click the link to add a new feature and then walk through the wizard to select and install Desktop Experience.
You can also enable this feature from Windows PowerShell in Windows Server 2008 R2, using the following code:
You will not need to reboot the RD Session Host server after installing or uninstalling Desktop Experience.
NOTE Not all settings are relevant to a single-server RD Session Host deployment like the
one discussed here. For more information about farm and RD Connection Broker settings,
see Chapter 9, “Multi-Server Deployments.”
Open the Remote Desktop Session Host Configuration tool by clicking Start, Administrative Tools, Remote Desktop Services, Remote Desktop Session Host Configuration. To change a setting (or settings), double-click any single entry in the Edit Settings section to open the Properties dialog box shown in Figure 3-23.
FIGURE 3-22 Use Remote Desktop Session Host Configuration to edit each RD Session Host server's configuration.
FIGURE 3-23 Clicking any setting in the Remote Desktop Session Host Configuration Edit Settings section opens this tabbed Properties dialog box.
You can also configure all these settings through Windows PowerShell, using the new Remote Desktop Services provider, installed along with the RDS role service. To use it, first load the module using the import-module command from within Windows PowerShell, as follows:
Next, navigate to the RDS provider by issuing either the Set-Location rds: or Cd rds: cmdlet (they're the same; Cd is just an alias for Set-Location to make it easier for those accustomed to using the command-line interface), as shown here:
To list the contents of the RDS container, use the Dir cmdlet as follows:
PS RDS:\> dir
Directory: RDS:
The configurat on opt ons for an RD Sess on Host server are n the RDSConfigurat on con-
ta ner Nav gate to the RDSConfigurat on conta ner ke th s
PS RDS:\> cd rdsconfiguration
PS RDS:\rdsconfiguration> dir

    Directory: RDS:\rdsconfiguration

Name                      Type       CurrentValue  GP   PermissibleValues  PermissibleOperations
----                      ----       ------------  --   -----------------  ---------------------
Connections               Container                -                       Get-Item, Get-ChildItem, New-Item
LicensingSettings         Container                -                       Get-Item, Get-ChildItem
ConnectionBrokerSettings  Container                -                       Get-Item, Get-ChildItem
TempFolderSettings        Container                -                       Get-Item, Get-ChildItem
ProfileSettings           Container                -                       Get-Item, Get-ChildItem
SessionSettings           Container                -                       Get-Item, Get-ChildItem
VirtualIPSettings         Container                -                       Get-Item, Get-ChildItem
UserLogonMode             Integer    0             -    0, 1, 2            Get-Item, Set-Item
RDSessionHostServerMode   Integer    1             -    0, 1               Get-Item
TimeZoneRedirection       Integer    0             No   0, 1               Get-Item, Set-Item
Now that you’ve got the tools to edit the configuration from the GUI or command prompt, the following sections explain the settings found in Remote Desktop Session Host Configuration. You’ll come back to some of these settings throughout this book.
Configure the Use Temporary Folders Per Session option like this:
SESSION COUNT
With RemoteApp programs, there is also generally no reason to allow users to maintain more than one session on the same RD Session Host server. All RemoteApp programs started from the same server run in the same session, so they can all use the core processes needed to support the session (for example, Csrss.exe, Winlogon.exe, and Win32k.sys) and save memory. Running in the same session also allows all those applications to use the same instance of the user profile. (Profile issues are discussed in Chapter 5, “Managing User Data in a Remote Desktop Services Deployment,” but for now, understand that it’s good to have only one copy of your profile open.)
To configure logon restrictions using Group Policy, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections. The setting in question is Restrict Remote Desktop Services Users To A Single Remote Session.
Configure the option to restrict users to a single user session using Windows PowerShell like this:
until you’re done. If you’re taking an RD Session Host server offline, then it’s much easier and faster to adjust this setting using the configuration tools on the server.
Configure the user logon mode from Windows PowerShell like this (replace X with one of the permissible values, 0, 1, or 2):
PS RDS:\RDSConfiguration\SessionSettings> Set-Item UserLogonMode X
Configuring IP Virtualization
When multiple people are all working from the same server, they’re all using the same IP address. For most applications, this is acceptable. Some applications, however, don’t work properly unless they have a unique IP address for every connection. Some client/server applications, for example, require this. To allow applications like this to be used on RD Session Host, Windows Server 2008 R2 added IP virtualization to assign a single IP address to each session or to certain applications within a session.
To configure IP virtualization, open RD Session Host Configuration and choose IP Virtualization (or, if you have the server’s Properties dialog box already open, turn to the appropriate tab) to show the settings in Figure 3-24.
Most of the steps here are pretty intuitive. First, enable IP virtualization. You will need a Dynamic Host Configuration Protocol (DHCP) server available for this, but you won’t need to do any configuration on the DHCP server; it’s not aware of this feature but just assigns IP addresses as it would normally.
Enable or disable IP Virtualization from Windows PowerShell using this code:
NOTE When using Windows PowerShell, you must specify the Network Adapter by the
adapter media access control (MAC) address, not name.
Next, change the virtualization mode if needed. Generally, per-program is the best choice if you can use it. You probably know which applications require unique IP addresses, and a session won’t use a virtual IP address if that application is not running. In addition, per-session IP virtualization won’t work on multihomed RD Session Host servers, even if you only pick one NIC. Per-program works on multihomed servers.
Set the Virtual IP mode using Windows PowerShell using this command:
PS RDS:\RDSConfiguration\VirtualIPSettings\applications>
New-Item -Name 'Notepad' -AppPath 'c:\windows\system32\Notepad.exe'
Setting the exact path is optional. Add the application name without the exact path to assign a virtual IP address to any program running inside a user session that has the specified application name. The following is an example:
PS RDS:\RDSConfiguration\VirtualIPSettings\applications>
New-Item -Name 'Notepad' -AppName 'Notepad.exe'
Two Group Policy settings control this feature. First, you can enable the feature from Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Application Compatibility. The setting in question is Turn On Remote Desktop IP Virtualization. Second, you can prevent a session from using the RD Session Host server’s IP address if no IP address is available for the session by enabling the Do Not Use Remote Desktop Session Host IP Address When Virtual IP Address Is Not Available setting.
One point to be aware of with IP virtualization is that using it can double the IP addresses that your organization will need. Everyone’s client will have a unique IP address, and everyone’s session will have its own IP address (albeit only for the duration of the session). There is no way to configure DHCP to limit the number of addresses in a particular range that should be allocated to sessions. In addition, IP virtualization is enabled on the server, not on a per-user basis, so you can’t pick and choose which people should use it. The best way to use it is to limit it to certain applications. Many applications don’t need it; use this feature only for applications that do.
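Because per-program virtualization is the recommended mode, here is an added example (not the book’s own code) that registers a list of applications in the applications container shown above, skipping any that are already present so the script can be rerun safely. The container path and the New-Item -Name/-AppPath parameters are the ones the chapter shows; the module name RemoteDesktopServices and the application list are assumptions of this example.

```powershell
# Added example, not from the book: register applications for per-program
# IP virtualization, skipping any already present. The container path and the
# New-Item -Name/-AppPath parameters are the ones the chapter shows; the
# module name RemoteDesktopServices and the application list are assumptions.
Import-Module RemoteDesktopServices

$container = 'RDS:\RDSConfiguration\VirtualIPSettings\applications'

# Constructed list: only programs that actually need their own address belong
# here, since every session that runs one consumes a DHCP lease.
$apps = @(
    @{ Name = 'Notepad';      Path = 'c:\windows\system32\Notepad.exe' },
    @{ Name = 'LegacyClient'; Path = 'c:\apps\LegacyClient\client.exe' }   # placeholder path
)

function Get-VirtualIPApps {
    # Names of the entries currently registered in the applications container.
    Get-ChildItem -Path $container | ForEach-Object { $_.Name }
}

function Register-VirtualIPApp {
    param([string]$Name, [string]$Path)
    if (@(Get-VirtualIPApps) -contains $Name) {
        "Skipping $Name: already registered"
        return
    }
    # As in the chapter, New-Item is run from inside the applications container.
    # -AppPath ties the virtual IP to this executable only; -AppName would match
    # any process with that image name.
    Push-Location $container
    try {
        New-Item -Name $Name -AppPath $Path | Out-Null
        "Registered $Name -> $Path"
    } finally {
        Pop-Location
    }
}

foreach ($app in $apps) {
    Register-VirtualIPApp -Name $app.Name -Path $app.Path
}
'Per-program IP virtualization entries now present: ' + ((Get-VirtualIPApps) -join ', ')
```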
FIGURE 3-25 Remote Desktop Services Licensing settings are critical to RD Session Host availability.
You can change the licensing mode, but whichever mode you pick, you must be sure that the matching license types are installed on the license server that you’re using. Otherwise, even if the RD Session Host server can find a license server, it will not be able to allocate licenses to users or computers.
To configure the licensing mode using Group Policy, select Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing. The setting in question is Set The Remote Desktop Services Licensing Mode. This is an excellent setting to edit using Group Policy, as all RD Session Host servers in a farm are likely to have the same licensing mode. Using this setting avoids accidental errors.
Set the license server mode from Windows PowerShell like this:
SPECIFYING A LICENSE SERVER
Previous versions of Terminal Services supported license server discovery, but this method had so many conditions that could cause it not to work properly that RDS removed this feature. You must now specify a license server. Do this in the GUI by clicking Add on the Licensing tab of the Properties dialog box. Then either select a license server from the list of known license servers or add a license server by name or IP address and then click Add. Then click OK.
To add a license server using Windows PowerShell, use the following command and fill in the requested parameters:
PS RDS:\RDSConfiguration\LicensingSettings\SpecifiedLicenseServers> New-Item
cmdlet New-Item at command pipeline position 1
Supply values for the following parameters:
Path[0]: Liberty.ash.local
Path[1]:
PS RDS:\RDSConfiguration\LicensingSettings\SpecifiedLicenseServers> dir
Directory: RDS:\RDSConfiguration\LicensingSettings\SpecifiedLicenseServers
PS RDS:\RDSConfiguration\LicensingSettings\SpecifiedLicenseServers>
Remove-Item LIBERTY.ash.local -Force
NOTE You have to use the -Force parameter if the license server you are removing is the last or only license server listed.
Specifying a license server isn’t always as easy as just typing in a server name, for the following reasons:
■ The license servers that you specify must be running Windows Server 2008 or later. It is not possible for a license server running Windows Server 2003 to issue Windows Server 2008 R2 RDS CALs. (A license server running Windows Server 2008 R2 can issue TS CALs for terminal servers running Windows Server 2003, however.)
■ You can point to a license server outside the forest. However, if this license server will be issuing per-user RDS CALs, there must be a trust relationship between the two domains. When issuing per-user RDS CALs, the license server needs to be able to contact AD DS on behalf of the person requesting an RDS CAL.
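Putting the RDS provider walkthrough and the licensing section together, this added example (not the book’s own code) audits a single RD Session Host from PowerShell: it reads settings from the RDSConfiguration listing, compares them with a baseline, and checks that at least one license server is specified, since discovery no longer exists. The module name RemoteDesktopServices, the CurrentValue property name, and the baseline values are assumptions of this example.

```powershell
# Added example, not from the book: audit an RD Session Host through the RDS
# PowerShell provider. Assumed: the provider module is named
# RemoteDesktopServices, and Get-Item on a setting exposes the CurrentValue
# column shown in the chapter's dir listing.
Import-Module RemoteDesktopServices

# Constructed baseline for this example: the setting paths come from the
# RDSConfiguration listing; the expected values are ones this example picks.
$baseline = @{
    'RDS:\RDSConfiguration\UserLogonMode'       = 0
    'RDS:\RDSConfiguration\TimeZoneRedirection' = 0
}

function Get-RdsSettingValue {
    param([string]$Path)
    (Get-Item -Path $Path).CurrentValue
}

function Test-RdsBaseline {
    param([hashtable]$Baseline)
    foreach ($path in $Baseline.Keys) {
        $actual = Get-RdsSettingValue -Path $path
        New-Object PSObject -Property @{
            Setting  = ($path -split '\\')[-1]
            Expected = $Baseline[$path]
            Actual   = $actual
            InSync   = ($actual -eq $Baseline[$path])
        }
    }
}

function Get-RdsLicenseServers {
    # License server discovery was removed, so an empty list here means the
    # server cannot allocate RDS CALs at all.
    Get-ChildItem -Path 'RDS:\RDSConfiguration\LicensingSettings\SpecifiedLicenseServers' |
        ForEach-Object { $_.Name }
}

$results = @(Test-RdsBaseline -Baseline $baseline)
$results | Format-Table Setting, Expected, Actual, InSync -AutoSize
$drift = @($results | Where-Object { -not $_.InSync })
if ($drift.Count -gt 0) {
    Write-Warning ("{0} setting(s) differ from the baseline" -f $drift.Count)
}

$licenseServers = @(Get-RdsLicenseServers)
if ($licenseServers.Count -eq 0) {
    Write-Warning 'No license server is specified; RDS CALs cannot be issued'
} else {
    'License servers: ' + ($licenseServers -join ', ')
}
```

Run the same script on every server in a farm to spot the per-server inconsistencies the chapter warns about.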
Protocol-Specific Settings
The Connections portion of Remote Desktop Configuration contains information about any protocols supported on the server (double-click RDP-Tcp to see them). In this example, you’ll see only Remote Desktop Protocol because that’s the native protocol used by Remote Desktop Services and the only one that is installed. Were Citrix XenApp extensions to Remote Desktop Services installed, for example, there’d be another entry here for ICA, the default protocol for user sessions when XenApp is installed.
Most protocol-specific settings are controlled from the user account properties visible from Active Directory Users and Computers, and the settings that aren’t there are included in Group Policy. (If they are set using Active Directory Users and Computers, Group Policy can still override them.) The settings in Remote Desktop Configuration (see Table 3-5) are mainly advisory. In this section, you’ll learn what the settings mean and how you might use them.
TABLE 3-5 Protocol Configuration Settings in Remote Desktop Configuration
TAB: Sessions
SETTINGS CONTAINED: Settings determining behavior when a session has been active, disconnected, or idle for a certain length of time.
WHEN YOU WOULD EDIT: Rarely. These settings can be set from Group Policy or Active Directory Users and Computers, and both will override the settings here. Use Group Policy to set consistent connection policies across all terminal servers; Active Directory Users and Computers to set connection policies for individuals.

TAB: Logon Settings
SETTINGS CONTAINED: Whether to use the client logon information or generic logon credentials.
WHEN YOU WOULD EDIT: Rarely. You might use this setting for a special-use RD Session Host server supporting anonymous connections, but generally you’ll want to use the user logon credentials.

TAB: Remote Control
SETTINGS CONTAINED: The rules governing remote control of a user’s session.
WHEN YOU WOULD EDIT: Rarely. These settings can also be set in Active Directory Users and Computers and Group Policy, and by default those settings take precedence. Remote Control settings can also be defined on a per-machine basis through Group Policy.

TAB: Client Settings
SETTINGS CONTAINED: Maximum color depth and device redirection rules. Most supported devices are enabled by default.
WHEN YOU WOULD EDIT: Occasionally, to override client-side settings.

TAB: Network Adapter
SETTINGS CONTAINED: Chooses the network adapters to support RDP traffic and limits the number of connections that the terminal server will support.
WHEN YOU WOULD EDIT: Occasionally, to limit the network adapters being used for RDP connections or to keep connections to the RD Session Host server within the bounds of what it can support.

TAB: Security
SETTINGS CONTAINED: Users and groups permitted access to the terminal server.
WHEN YOU WOULD EDIT: Rarely. As Help will remind you when you switch to this tab, it is best practice to control access via controlling the membership of the Remote Desktop Users group because the results are more predictable.
NOTE There are some discrepancies between the user account properties visible in Active Directory Users and Computers and the settings visible in Server Configuration on the Environment and Sessions tabs. The corresponding tab in Active Directory Users and Computers shows settings that don’t apply to RDP; the Remote Desktop Session Host Configuration console settings and Group Policy settings are current. (The option on the Sessions tab of the Active Directory Users and Computers user Properties dialog box to Allow Reconnections From Any Client Or Originating Client Only does not apply to RDP.)
You can also configure most of these settings using Group Policy. Some of the more useful ones are described in the rest of this chapter; you’ll learn more about what these settings are for throughout the book. The Network Adapter and Security tabs do not have related Group Policy settings.
To configure connection security (including enabling server authentication and network-level authentication and client encryption level), select Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security. Chapter 7 will discuss the settings in more detail, but the policies in question are as follows:
■ Set Client Connection Encryption Level
■ Require Use Of Specific Security Layer For Remote (RDP) Connections
■ Require User Authentication For Remote Connections By Using Network Level Authentication
To configure device redirection and environment settings, select Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device And Resource Redirection. The Printer Redirection and Remote Session Environment subkeys in this same path also include policies to control the user environment, which is discussed in more detail in Chapter 5.
To configure the rules for remote control of a user’s session by an administrator, select Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections. The setting in question is Set Rules For Remote Control Of Remote Desktop Services User Sessions. You’ll find out more about the use of remote control in Chapter 11.
Best Practices Analyzer (BPA) is a server management tool in Windows Server 2008 R2. BPA can help you conform to recommended best practices by scanning installed roles on a server and reporting any violations. (Some violations will require immediate action and some are advisory, but all are intended to highlight any potential problems with the server configuration.) You can run the BPA for the local computer or remotely, and because it’s built on Windows PowerShell, it also works from the command line so that you can run reports on an entire farm programmatically.
In this example, we’ll show you how to run the BPA for Remote Desktop Services. The product group can update BPA as part of recommended updates, so you might have additional options by the time you read this book.
The BPA works by identifying certain best practices for a role and then programmatically checking the configuration to make sure that the settings support the best practices. [All configuration is stored in Windows Management Instrumentation (WMI).] If a setting does not support a recommended best practice, then the report gives feedback about the issue and a recommended fix.
To start using the BPA, open the Server Manager and scroll down to the Remote Desktop Services role, as shown in Figure 3-26. You’ll see a link that says Scan This Role (circled here). Click the link to display the page shown in Figure 3-27. You’ll see a progress bar as the scan continues. When it’s done, you’ll see a report. In this case, it’s showing that the Remote Desktop Users Group is not populated.
FIGURE 3-27 The BPA Report on RD Session Host
Again, additional rules will be added to the BPA as you add Windows updates, so you might see other rules to check. Other roles have rules, too, so the results of the scan will depend on what roles are installed.
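The section notes that the BPA is built on Windows PowerShell and can be run across a farm programmatically. This added example (not the book’s own code) does exactly that: it scans several RD Session Host servers remotely and keeps only the findings that need action. Invoke-BpaModel and Get-BpaResult are the cmdlets of the BestPractices module in Windows Server 2008 R2; the model ID string, the server names, and the helper names are assumptions of this example.

```powershell
# Added example, not from the book: run the Remote Desktop Services BPA on
# several RD Session Host servers at once and keep only findings that need
# action. Invoke-BpaModel and Get-BpaResult belong to the BestPractices
# module that ships with Windows Server 2008 R2; the model ID string, the
# server names and the helper names are assumptions of this example.
$servers = @('RDSH1', 'RDSH2')                       # constructed names
$modelId = 'Microsoft/Windows/TerminalServices'     # assumed RDS BPA model ID

function Invoke-RdsBpaScan {
    param([string[]]$ComputerName, [string]$ModelId)
    # Same scan as clicking Scan This Role in Server Manager, run remotely on
    # each server; Invoke-Command tags every result with PSComputerName.
    Invoke-Command -ComputerName $ComputerName -ArgumentList $ModelId -ScriptBlock {
        param($id)
        Import-Module BestPractices
        Invoke-BpaModel $id | Out-Null
        # Information-level results are the compliant ones; keep Error/Warning.
        Get-BpaResult $id | Where-Object { $_.Severity -ne 'Information' } |
            Select-Object Severity, Title, Problem, Resolution
    }
}

function Get-BpaSummary {
    param($Findings)
    # One line per server: how many errors (act now) and warnings (advisory).
    $Findings | Group-Object PSComputerName | ForEach-Object {
        $errors = @($_.Group | Where-Object { $_.Severity -eq 'Error' }).Count
        New-Object PSObject -Property @{
            Server   = $_.Name
            Errors   = $errors
            Warnings = $_.Count - $errors
        }
    }
}

$findings = @(Invoke-RdsBpaScan -ComputerName $servers -ModelId $modelId)
Get-BpaSummary -Findings $findings | Format-Table Server, Errors, Warnings -AutoSize
# Full detail, e.g. the unpopulated Remote Desktop Users group with its fix.
$findings | Format-List PSComputerName, Severity, Title, Problem, Resolution
```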
OPTION COMMON SETTINGS CURRENT USER
There are few surprises here: the per-user installation stores all relevant data in the user’s profile. An all-users installation stores the relevant data on a per-computer basis (or in the Public folder so that the RD Session Host server is ready to add more users to the application).
Application Installation
Many application installations are designed for a single-user computer. This means that such an application was created with certain assumptions—for example, that it’s acceptable to store personal settings in HKLM (which would mean that the application doesn’t customize properly; machine-wide means all settings apply to all users), or to store settings in INI files in the Windows directory (which causes all users to have the same application settings).
One application-compatibility setting that is available to developers to avoid these kinds of problems is the /TSAWARE option, which is in a program’s header file. For example, applications designed to be multi-user-aware should not use INI files to store settings. The /TSAWARE switch provides a workaround for applications that were not necessarily designed for a multi-user environment so that if an application does use INI files, the RD Session Host server will accommodate this during installation by creating virtual Windows directories for each user in which to store the INI files. Without this option, applications using INI files will have a single configuration file, and everyone using the application will have the same settings.
Unfortunately, there’s no way for an administrator to check to see if the /TSAWARE option has been set in an application. If you have a homegrown application that depends on INI files, however, you can check with the developer to see if it is TS-aware so that INI files will be stored on a per-user basis.
Another potential installation issue introduced with Windows Server 2008 R2 is that of 16-bit installers, specifically the stub component some applications use to check the machine type before the 32-bit installation engine runs. 32-bit applications can run on a 64-bit platform; the 64-bit Windows Installer can handle them. 16-bit applications cannot. That said, Microsoft realized that this could be an issue and addressed it for certain installers. If an application uses any of the following installers (listed in HKLM\Software\Microsoft\Windows NT\CurrentVersion\NtVdm64):
■ Microsoft Setup for Windows 1.2
■ Microsoft Setup for Windows 2.6
■ Microsoft Setup for Windows 3.0
■ Microsoft Setup for Windows 3.01
■ InstallShield 5.x
then, when you start the installation, Windows will remove the 16-bit installer that starts the 32-bit installation engine and replace it with a 32-bit version. This list can’t be extended. If your application uses another installation engine, you will need to convert it to use a 32-bit installer to make it work on Windows Server 2008 R2.
Concurrent Resource Usage
Many instances of the same application run concurrently on an RD Session Host server. If the applications want to use the same physical port, write to the same files, or write to the same portions of the registry, they won’t work on an RD Session Host server. If two applications attempt to write to the same file at the same time, this can lead to data corruption; if they write to the same file at different times (perhaps to the same INI file, as discussed in the previous section), then this can lead to unexpected behavior.
Privacy Issues
Although the architecture of an RD Session Host server session is designed to keep session memory areas separate, applications also must honor this in the way they share files. If those files store any private data (for example, the web pages that a user has viewed), then the applications can’t use the same files.
Performance Issues
By definition, applications running on an RD Session Host server must share hardware resources, including disk input/output (I/O), processor time, and physical memory. If an application needs a lot of any of those, then it’s probably not a good fit for an RD Session Host server. (Even the DFSS mechanism only divides processor time more evenly—it doesn’t make more of it.) Similarly, some applications don’t remote well over high-latency networks. As you’ll see in Chapter 6, RDP 7 has continued the trend of more efficient usage of resources to better display high-quality multimedia in Windows Media Player, but some Flash and Silverlight applications might not display well over a wide area network (WAN).
Device Redirection
As discussed in Chapter 5, Windows Server 2008 R2 RD Session Host servers can redirect new kinds of resources. They can’t, however, redirect everything—or at least, they can’t support all features (for example, ActiveSync) if they do. Devices that need but don’t get this redirection will not work in a remote session.
What can you do about these limitations of applications and device redirection? First, you can do some checking ahead of time so that you will know which applications will work and which will not. One option is to search some websites to find out what applications have been packaged to work on a shared server, because if someone else has been able to make the application work, then at least you know that it can be done. (The software provider visionapp, for example, maintains a list of this kind at http://visionapp.com/1701.0.html?&ftu=7074772b28.) Another option is to analyze the applications themselves, using the Application Analyzer tool available on the companion CD and described in Chapter 2.
Storing Application-Specific Data
Installing applications on a shared server is somewhat different from both the per-user or all-users installation option performed on a single-user operating system. The situation is different; in this case, you want all users who access the RD Session Host server to be able to use the application, but you also want them to be able to maintain their settings in their profiles so those settings will follow them between servers. Therefore, when you install applications on an RD Session Host server, the operating system combines the two approaches. Application binaries are stored to be accessible to anyone connected to the server, but the operating system stores some settings in a particular part of HKLM called the shadow key. The location of this key will vary with the operating system and application type, as follows:
■ 64-bit versions of Windows Server 2008 R2 store shadow key information for 32-bit applications in HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software.
■ 64-bit versions of Windows Server 2008 R2 store shadow key information for 64-bit applications in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software.
NOTE Like APIs, registry key names didn’t change when Terminal Services became
Remote Desktop Services in Windows Server 2008 R2. That would have broken applications
that relied on the Terminal Server name.
The shadow key stores configuration settings for all the applications installed on the RD Session Host server, divided by publisher. When a user logs on, the contents of this key are copied to her profile, so long as the contents of the key are newer than the contents in the profile. The operating system determines the relative age of the configuration data in the user profile and in the shadow key by comparing timestamp values of two registry keys, both of which have recorded last write-time in seconds since 1970. The key in the user profile is LastUserIniSyncTime, stored in HKCU\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server; the date of the shadow key is stored in LatestRegistryKey in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\IniFileTimes.
NOTE The iniFileTimes key is hidden, so don’t expect to see it in the registry if you look
for it.
If the profile is newer, the settings aren’t copied; if the configuration in the shadow key is newer, the user profile is updated with the data in the shadow key. You don’t want to update the central data source, so the user profile will never update the shadow key.
HOW IT WORKS
Windows Server 2008 R2 is only 64-bit, but it’s not practical to assume that 64-bit versions of all applications will be available. To work around this problem, 64-bit Windows implements the WOW64 emulator. This user-mode emulator loads a 32-bit version of NTDLL.dll, used by applications to make system calls. When a 32-bit application calls on NTDLL.dll to interact with the operating system in some way (for example, to read from or write to disk), WOW64 intercepts the call (this is not an expensive operation because it, like the application it’s working with, runs in user mode) and sends the request to the 64-bit operating system. In other words, the 32-bit application and the 64-bit operating system don’t have to know about each other.
In addition to needing some way to communicate with the operating system, it’s important to separate registry data for 32-bit and 64-bit applications so that they don’t load the wrong DLLs or overwrite each other’s configuration data. Therefore, 64-bit applications on a 64-bit server use the keys and values stored in HKLM\Software, and the 32-bit applications use the keys and values stored in HKLM\Software\Wow6432Node. Under each key, the structure is approximately the same.
Sometimes both 32-bit and 64-bit applications need the same data, but they must read it from their own section of the registry. For data that both versions need, the operating system employs registry reflection. Registry reflection updates both the 32-bit section and the 64-bit section. This is done mainly for operations such as file association (HKLM\Software\Classes) to ensure that the same application always opens a file with a particular extension. Registry reflection ensures that the contents of the Classes key are maintained in parallel for both the 32-bit and 64-bit sections of the registry.
For our purposes here, the implications of this are that 64-bit versions of Windows maintain two areas for shadow keys: one for 32-bit applications and one for 64-bit applications.
Removing Sections from Shadow Keys
Another way to prevent the keys from being updated in the user profile is to delete them from the shadow key. If you do so, of course they won’t be added to the user profile, and you’ll need to apply them with logon scripts.
The advantage to this approach is that it ensures that the keys won’t overwrite the user profile. The disadvantage is that it takes some work to set this up, and more to maintain it. You need to delete the contents of the shadow key on all RD Session Host servers, and you must ensure that all users get the keys added to their session. In addition, if you add more applications, you must update the logon scripts.
NOTE For 32-bit applications on a 64-bit operating system, edit the path to HKLM\
Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\
Compatibility\RegistryEntries\PathName.
The tricky part here lies in the value assigned to this key to control propagation. By default, Microsoft\Windows\CurrentVersion\Explorer\Shell Folders has a value of 108 hexadecimal. This value is actually the result of compatibility bits. A value of 8 hex means that the path points to a 32-bit application. The 100 hex comes from the configuration of registry mapping. If this bit is set (which means it has a value of 100), then new entries from the system master registry image will be added to the user profile when the application is started, but no existing data in the profile will be deleted or changed. If this bit is not set (has a value of 0, or isn’t present), the operating system deletes and overwrites the user’s registry data if it is older than the system master registry data.
Therefore, to prevent Win32 application registry settings from being updated in the user profile, provide the path to the key in HKEY_USERS where that application data is stored and give it a value here of 108 in hex.
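Before changing propagation behavior it helps to see what the shadow key mechanism would currently do. This added example (not the book’s own code) lists the publishers in both shadow key areas, converts the profile-side LastUserIniSyncTime from seconds since 1970, and decodes the compatibility bits (8 hex and 100 hex) of every RegistryEntries path in the way the two preceding sections describe. Registry paths and value names come from the chapter; the helper names and the assumption that each RegistryEntries key stores its flags as a DWORD on the key are this example’s own.

```powershell
# Added example, not from the book: inspect the shadow key machinery the
# chapter describes. Registry paths and value names (Install\Software,
# LastUserIniSyncTime, Compatibility\RegistryEntries) are the chapter's; the
# bit meanings follow its description of the 0x108 value. The helper names and
# the way the flag value is read from each RegistryEntries key are this
# example's assumptions.
$tsRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server'
$wowRoot = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server'

function Get-ShadowKeyPublishers {
    # The shadow key is divided by publisher; 64-bit Windows keeps one area for
    # 64-bit applications and one (Wow6432Node) for 32-bit applications.
    foreach ($root in @($tsRoot, $wowRoot)) {
        $path = Join-Path $root 'Install\Software'
        if (-not (Test-Path $path)) { continue }
        $area = if ($root -eq $wowRoot) { '32-bit' } else { '64-bit' }
        Get-ChildItem -Path $path | ForEach-Object {
            New-Object PSObject -Property @{ Area = $area; Publisher = $_.PSChildName }
        }
    }
}

function ConvertFrom-UnixSeconds {
    param([long]$Seconds)
    # Both sync timestamps are last write-time in seconds since 1970.
    $epoch = New-Object DateTime 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    $epoch.AddSeconds($Seconds).ToLocalTime()
}

function Get-UserIniSyncTime {
    # Profile-side timestamp compared at logon against the shadow key's
    # LatestRegistryKey (the IniFileTimes key itself is hidden, as the chapter notes).
    $key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['LastUserIniSyncTime']) {
        ConvertFrom-UnixSeconds -Seconds $props.LastUserIniSyncTime
    }
}

function ConvertFrom-CompatibilityBits {
    param([int]$Value)
    # 0x8   = the path points to a 32-bit application
    # 0x100 = registry mapping adds new entries only; profile data is never
    #         deleted or overwritten. Unset means older profile data is replaced.
    New-Object PSObject -Property @{
        Hex          = ('0x{0:X}' -f $Value)
        Is32BitApp   = [bool]($Value -band 0x8)
        AddOnly      = [bool]($Value -band 0x100)
        MayOverwrite = -not [bool]($Value -band 0x100)
    }
}

function Get-RegistryEntryPolicies {
    # Walks Compatibility\RegistryEntries in both areas and decodes every DWORD
    # found on each key (assumption: the flags are stored as the key's value).
    foreach ($root in @($tsRoot, $wowRoot)) {
        $base = Join-Path $root 'Compatibility\RegistryEntries'
        if (-not (Test-Path $base)) { continue }
        Get-ChildItem -Path $base -Recurse | ForEach-Object {
            $relative = $_.Name -replace '^.*\\RegistryEntries\\', ''
            $props = Get-ItemProperty -Path $_.PSPath
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Value -is [int]) {
                    $bits = ConvertFrom-CompatibilityBits -Value $p.Value
                    Add-Member -InputObject $bits -MemberType NoteProperty -Name PathName -Value $relative
                    $bits
                }
            }
        }
    }
}

'Shadow key publishers:'
Get-ShadowKeyPublishers | Format-Table Area, Publisher -AutoSize
'Last profile sync: ' + (Get-UserIniSyncTime)
'Registry mapping policy per path:'
Get-RegistryEntryPolicies | Format-Table PathName, Hex, Is32BitApp, AddOnly, MayOverwrite -AutoSize
```

Paths reported with MayOverwrite set to True are the ones whose older profile data the system will replace at logon; those are the candidates for the 108 hex treatment described above.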
DIRECT FROM THE SOURCE
Not all applications install in exactly the same way. The following information describes how MSIs differ from applications that do not install from MSIs.
The related commands are Change user /install and Change user /execute.
The “recording” of registry key changes is saved in the registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software.
While in Install Mode, changes to the Start menu are also tracked, and then those changes are moved to the public menu so that shortcuts are visible to all users.
When a user logs on, Userinit.exe checks to see if the user’s hive under HKCU\Software has or is missing keys from the equivalent path above. If anything is added, or changed, it compares the two paths and takes appropriate action by adding keys/values from the HKLM path.
When you run an MSI file to install an application, this action sends a message to the TSAppCompat component to prepare for installation. This component then creates a snapshot of HKCU\.Default\Software and saves it.
Now, the TSAppCompat component checks the contents of HKCU\.Default\Software to compare the before and after versions, including all insertions, deletions, and changes. Having done so, it creates a delta of all the changes. This delta is what now populates the shadow key.
Only the contents of HKCU\.Default\Software are monitored. If the MSI starts another DLL (an infrequently used option), then the effects of that DLL will be ignored.
The Change user command that comes with RDS and used when you run an installation routine such as Setup.exe is another matter. When you put the RD Session Host server session into Install Mode with the command Change user /install, a different component named Advapi32 monitors all registry changes—all changes, not just the changes that have anything to do with installing the application. So long as the server is in Install mode, then the changes are recorded and copied to the user profile when they log on. For example, if you change the home page for Internet Explorer, you’ll be recording this data and changing it for everybody.
Summary
This chapter has discussed the essentials of setting up a Remote Desktop Session Host server infrastructure. By now, you should be familiar with how RD Session Host servers create sessions, validate user logons, and issue licenses to authorized users or computers.
Best practices for RD Session Host server configuration include the following:
■ When configuring more than one server, use Group Policy, not the RD Session Host Configuration tool. When adjusting settings on a per-server basis, it’s too easy to introduce inconsistencies among servers, and inconsistencies now can lead to a lot of troubleshooting later.
■ DFSS evenly distributes processor time across user sessions; you need to use WSRM only if giving some users greater priority than others.
■ Do not use the memory management features of WSRM on an RD Session Host server.
■ Install the Desktop Experience feature to enable Plug and Play redirection.
■ Use the BPA to check RD Session Host settings.
Additional Resources
The following resources contain additional information and tools related to this chapter:
■ To learn more about setting up Group Policy objects for managing user settings, see Chapter 6, “Customizing the User Experience.”
■ To learn more about how to manage RD Session Host servers as a group, see Chapter 9, “Multi-Server Deployments.”
■ For more details about related Windows Server 2008 R2 architecture, see Chapter 2, “Key Architectural Concepts for Remote Desktop Services.”
CHAPTER 4
Prior to Windows Server 2008 R2, Virtual Desktop Infrastructure (VDI) was not part of Microsoft’s presentation remoting package [even though Microsoft technology in the form of Remote Desktop Protocol (RDP) and the Windows operating system was used to enable another company’s VDI solution]. In this chapter, you will learn about this new role, how it works, and how to set it up for a single-server deployment. (Deploying multiple RD Virtualization Host servers works the same way as deploying one. Although SCVMM is out of scope for this book, it will help you manage VMs across multiple hosts. See http://www.microsoft.com/systemcenter/en/us/virtual-machine-manager.aspx for more information on SCVMM.)
What Is VDI?
But first, what is VDI?
At its most basic, Virtual Desktop Infrastructure (VDI) is a deployment design that puts the user desktop on a virtual machine (VM) in the datacenter, rather than on the physical computer at someone’s desk. Some degree of connection and image management is usually implied in VDI.
Speaking generally, VDI can range in complexity, as follows:
■ Example 1 One VM assigned to each person with a virtual desktop, with that person connecting to that desktop via the Remote Desktop Connection (RDC) client, specifying the desktop’s name or Internet Protocol (IP) address.
175
www.it-ebooks.info
■ Examp e 2 A persona desktop ass gned to a user, but the user doesn’t have to know
what the VM’s name s—just that he or she wants to connect to the mach ne
■ Examp e 3 A poo of desktops ava ab e to a set of users on a temporary bas s
A few things vary with the different kinds of complexity.
■ The discovery process
■ The user control over the VM
■ The ease of delivery
First, there’s the process of discovering and connecting to the right VM. In the first example, it’s obvious. You go to the desktop that you have specified by name in the RDP file and hope that the VM is turned on. In the second and third examples, there must be some intelligence somewhere to get you to the right endpoint and make sure the VM is ready to accept connections.
The degree of administrative control also varies with the type of VDI. In the first two examples, one user will always use the same VM. As the IT manager, you can allow that user whatever degree of control over this virtual desktop that you see fit. In the pooled case, users can’t alter the shared pool of desktops. If they did, they’d either lose whatever changes they made (if you’d configured the VM to discard changes and roll back to its saved state at logoff) or they’d be messing up the VM for the next user (if you hadn’t).
Finally, the VDI delivery models differ in how easy it is to personalize the VM and the applications installed on it. Again, the first two models make it easy. Even if you don’t allow users to install their own applications, the VMs can still have a specific set of applications designed for a specific user’s needs. The pooled model makes it difficult to support much personalization because all VMs in the pool must have the right applications for all people who use them, and personal installs don’t work in this model.
NOTE App-V can offer some degree of personalization. For more information on App-V,
see http://www.microsoft.com/systemcenter/appv/default.mspx.
If the VMs in a pool are assumed to be homogeneous, personal changes will lead to user confusion.
In the end, though, it’s all VDI: putting a client operating system on a VM to be accessed remotely. The steps required for the user to find the VM, the degree of customization the user can make, and the level of user control over this VM are the variables.
One more thing about Microsoft VDI: It’s not just about a single role service. Although the Remote Desktop Virtualization Host (RD Virtualization Host) role service is essential to enabling this VDI model, it’s complemented by two other role services. As shown in Figure 4-1, RD Web Access displays the VM icons for users to discover, and RD Connection Broker gets a user to the right endpoint based on the kind of connection requested and the load balancing rules in place. Even the RD Session Host gets involved in a small way. This role service supports the redirector, an essential piece required for sending connection requests to RD Connection Broker.
Active Directory Domain Services (AD DS) also plays a key part in supporting VDI. AD DS stores the user account objects that the RDS roles can use to see what the user should see when they log into RD Web Access (since not all users might have access to all pools). The user account objects also store the mappings for personal desktops to users, as applicable.
FIGURE 4-1 [diagram not reproduced: User 1 through User n connect through the RD Session Host in redirection mode to the RD Connection Broker, which consults AD DS and returns the IP address of a personal desktop; RDVH1 through RDVH n host the personal VMs (VM_User1 through VM_User6) and the pooled VMs (Pooled VM 1 through Pooled VM 6) of DesktopPool1]
NOTE The information in the rest of this chapter explains exactly how a user ends up con-
nected to their requested VM. For now, the key take-away is that all of the role services in
Figure 4-1 play a part in the process.
What isn’t VDI? VDI isn’t just about virtualizing existing desktops, or using a tool such as System Center Virtual Machine Manager (SCVMM) to image a desktop computer and move it into the data center. It’s true that there is a small amount of benefit in running a desktop from a VM. It’s easy to back up and therefore to restore, so a crashed desktop computer doesn’t block a user from working. Fundamentally, though, there’s a lot more benefit in viewing VDI as part of a strategy for reducing management costs than in just putting desktops in the data center. Done well, VDI can reduce some operating costs; but done poorly, it becomes a somewhat more expensive way of having physical desktops with a good local backup.
The terminology can get a little tricky. For example, when you’re talking about connecting to a client operating system running in a VM, which one is the client? When discussing VDI, use the following terms to explain what’s happening.
■ The computer that is running the RDC client and that someone sits in front of is called the client. This is consistent with terminology when connecting to a session.
■ The VM that this person is connecting to is the endpoint, or the guest (a guest of the RD Virtualization Host it’s running on). A session on an RD Session Host can also be an endpoint.
■ Preparing a VM to be used (for example, bringing it out of hibernation) is called orchestration.
■ Moving a VM to a new RD Virtualization Host is called placement. Placement is not part of the basic RDS VDI solution but might be supported via a filter plug-in.
The rest of this chapter covers the mechanics of how you install and configure the RDS roles required to support VDI. For now, the focus is on the mechanics of how people discover personal desktops and pooled VMs, and how the connections they make get to the appropriate endpoints.
FIGURE 4-2 RD Connection Broker is in charge of connecting users to personal and pooled VMs. [diagram not reproduced: Windows 7 clients reach the RD Connection Broker through an RDP file, RD Web Access (RDWA feed), Remote Desktop Connection, or RemoteApp and Desktop Connection (RADC); with the RD Session Host in redirection mode, the broker directs them to personal VMs or virtual desktop pools on the RD Virtualization Host]
Discovering a VM
The first step of using a VM is discovering that a VM exists. To allow users to discover VMs, the administrator assigns a personal desktop or creates a VM pool from the RemoteApp and Desktop Connections Manager on the RD Connection Broker. When an administrator assigns a personal VM, this assignment is recorded in the user account properties in AD DS. (Active Directory in both Windows Server 2008 and Windows Server 2008 R2 supports this user account property.) Both personal and pooled VMs are added to the publishing feed that populates both Remote Desktop Web Access and RemoteApp and Desktop Connections on clients running Windows 7. This publishing feed is customized for each user’s security credentials, so that one user does not see another’s personal desktop. RemoteApp program display is also filtered according to which users have permission to use which applications. That said, all VM pools are visible to all consumers of the feed.
When a user—let’s call her Kim Akers—navigates to the RD Web Access page, she’s prompted for her credentials. Those credentials go to the publishing service on RD Connection Broker, which then looks them up in AD DS to determine what resources—RemoteApp programs and VMs—have been assigned to those credentials. The browser will then display a filtered look of the RemoteApp programs and VMs to which Kim has access. Again, Kim will see all the pools.
If Kim were connecting to the feed through RemoteApp and Desktop Connections on the client running Windows 7, the process would be pretty similar. The main difference is that Kim would see the VM (as well as RemoteApp icons to which she has access) in a folder on her Start menu. Conceptually, her connection process looks like Figure 4-3.
FIGURE 4-3 [diagram not reproduced: (1) Kim Akers sends her user credentials to TScPubRPC (the RemoteApp and Desktop Connection Management Service) on the RD Connection Broker; (2) the broker performs a user SID check against AD DS; (3) the filtered user resources come back: kim.akers Personal VM, RemoteApp 1, RemoteApp 3, RemoteApp 6, and VM Pool X]
NOTE It’s also possible to save an RDP file that points to a personal VM or pool and
email that file to someone or put it on a network share. If you do that, the connection
process will be the same, but users can skip the discovery step (the process of finding
out what VMs are available to you). Distributing RDP files manually saves a few steps in
publishing but complicates the process of updating available resources, especially in large
environments.
Brokering a Connection
Kim initiates the brokering phase by clicking the personal desktop or pooled VM icon. At this point, she’s requested a type of resource, like access to a VM pool, and the brokering must get her to the most appropriate location based on the server load and what she’s asked for. The RD Connection Broker is built to be flexible both in terms of determining what kind of resource Kim wants to connect to (a VM or a session) and the rules governing which connection is most appropriate. It does this by using a couple of different kinds of plug-ins: resource plug-ins, which are used for a specific kind of resource, and filter plug-ins, which are used in combination with a particular resource plug-in to tweak the rules governing which resource is chosen and what happens to prepare it for a connection. The brokering service communicates with the resource plug-ins to engage them as appropriate for the type of connection. It also gets the VM IP address back from the VM resource plug-in to inform the client of its final endpoint. See Figure 4-4 for a diagram of the relationship between the component parts.
FIGURE 4-4 The Brokering service on the RD Connection Broker engages with the appropriate resource plug-in. [diagram not reproduced: the Brokering Service backed by the Connection Broker Database, with resource plug-ins and their Load Balancing, Placement, and Orchestration rules]
RD Connection Broker comes with two resource plug-ins: a session plug-in used for connecting to RD Session Host servers and a VM plug-in used to connect to personal and pooled VMs. Each of these resource plug-ins comes with built-in internal logic that the RD Connection Broker uses to determine where a connection should go and how it’s made ready to accept connections. By default, the VM plug-in will distribute VM requests evenly among all RD Virtualization Host servers available. Because our basic scenario includes only a single server, all connections will go there, but if more were available, then it would use a round-robin technique to distribute the VM requests. Resource plug-ins are stored on the RD Connection Broker in HKLM/System/CurrentControlSet/Services/Tssdis/Parameters/Resource. Figure 4-5 shows the settings for the VM resource plug-in. (This RD Connection Broker has only the VM Resource plug-in because there are currently no RD Session Host farms configured on it.) The value for IsEnabled must be 1 for the plug-in to function, and the system must be able to identify the plug-in by name, class ID (the unique identifier for a COM object), and provider.
Although RDS comes with only two plug-ins (again, the RD Session Host plug-in doesn’t show here because this RD Connection Broker is not connected to an RD Session Host farm), independent software vendors (ISVs) can implement resource plug-ins for other kinds of endpoints as well, such as blade PCs or physical desktops. The brokering logic used to connect to and prepare those resources would depend on how the ISV had implemented the resource plug-in and the rules that were included. These rules could be built into the resource plug-ins or implemented as filter plug-ins to the main resource plug-in, as the ISV saw fit.
To change the default behavior of the resource plug-in, you’d add a new filter plug-in and associate it with that resource plug-in. For example, you might want to change the way that load balancing works. Rather than sending VM requests to each RD Virtualization Host in turn, an ISV might create a product to send them to the host server with the lowest processor stress, or the lowest number of currently running VMs. In that case, the ISV doesn’t have to change the underlying logic to connect to a VM—just the rules by which it happens. Filter plug-ins can control behavior for load balancing (picking the right endpoint), orchestration (readying a VM for a connection), or placement (putting a VM on a host). Filter plug-ins are stored on the RD Connection Broker in HKLM/System/CurrentControlSet/Services/Tssdis/Parameters/Filter.
Each filter plug-in is associated with a single resource plug-in, and more than one filter plug-in can be active at one time. To determine which filter plug-in’s rules will prevail in case of a conflict, you can set priority when implementing the filter plug-in. Filter priority is set in HKLM/System/CurrentControlSet/Services/Tssdis/Parameters/Filter/n, where n is a whole number greater than 0.
Orchestrating a VM
Discovery and brokering get a user 95 percent of the way to a working VM, but not 100 percent. The final stage is orchestration, which means to make the VM ready for connections. Orchestration is an important step. Without it, the VM would have to be constantly on, waiting for a connection. Orchestration makes it possible to put a VM to sleep and wake it up on demand, saving hardware resources on the host.
NOTE Although the Microsoft VDI model also supports placement, RDS alone doesn’t
implement placement; add-ons might. If you’re using RDS only, then the VMs you run will
need to be on the hosts where they will be running.
As shown in Figure 4-6, during orchestration, the VM Host Agent finds a VM on the RD Virtualization Host that doesn’t already have a connection and wakes it. You can watch this from Hyper-V Manager. A sleeping VM will wake up and be ready to accept incoming connections. The key part of this is the VM Host agent—without that, the hypervisor has no way to know that it needs to wake up the VM. The WTS application programming interface (API) shown here is for managing the VM sessions. In Chapter 11, “Managing Remote Desktop Sessions,” you will learn more about how you can use tools built on this API to interact with sessions and VMs.
FIGURE 4-6 The VM Host Agent wakes up and monitors the VMs on the RD Virtualization Host.
Connecting to a VM Pool
When Kim gets the icon representing the VM pool or personal desktop, she can click it to initiate the connection process. Let’s start with the pooled VM case (shown in Figure 4-7) and assume that she is making a new connection and does not have any disconnected sessions available. Kim would proceed with the following steps.
1. Kim clicks the icon representing the VM pool. Doing so opens the RDP file associated with that icon, which then populates the fields of MSTSC.DLL with the information in the RDP file. MSTSC.DLL sends this connection request to the redirector. (The redirector is an RD Session Host server that has been configured not to accept incoming connections, but only to forward requests to the RD Connection Broker.)
2. The redirector sends the request to the RD Connection Broker. Although broken out as separate machines in Figure 4-7, to better illustrate the connection process, the RD Connection Broker can be on the same server as the redirector, and this is in fact recommended.
3. The RD Connection Broker inspects the information that MSTSC.DLL sent and learns that Kim is attempting to connect to a VM and the VM is a pooled VM. The RD Connection Broker activates the VM resource plug-in. Knowing that Kim requested a VM pool, the RD Connection Broker checks its connection database to see whether Kim already has a disconnected session on a VM in the pool. It knows this because the VM Host Agent on each RD Virtualization Host updates the RD Connection Broker when a VM’s state changes.
4. Having found a VM Host, the VM plug-in sends a request to the VM Host agent on the RD Virtualization Host server and asks that the VM be prepared for Kim’s connection.
5. The VM Host agent orchestrates the VM (and restores it to a ready state if it is hibernating) and, when it’s ready, gets its IP address.
6. The VM Host agent passes the IP address to the RD Connection Broker.
7. The RD Connection Broker sends the IP address to the redirector.
8. The redirector sends the IP address to the client from which Kim made the original request.
9. Kim is seamlessly disconnected from the RDP connection to the redirector and reconnected to the VM using the IP address that the redirector sent to her computer.
FIGURE 4-7 [diagram not reproduced: steps 1 through 9 flow between Kim.Akers, the RD Session Host in redirection mode, the RD Connection Broker with its Session Plug-in and VM Plug-in, and the RDVH server hosting Pooled VM 1 through Pooled VM 3]
loadbalanceinfo:s:tsv://vmresource.1.VM-POOL-ID-GOES-HERE
If the code included a 2 instead of a 1 and no Pool ID, that would have indicated a personal VM. However, because the default load balancing sends a user to a personal VM if he or she has one, this line isn’t really required for connecting to personal VMs.
Rolling Back a VM
Rolling back a VM means reverting a VM’s state to a prior point in time. This is done by taking a “snapshot” of the VM and then using it to return to the state the VM was in when the snapshot was taken. Think of a snapshot as a static picture of a VM. When a VM is rolled back, any changes made to the VM beyond the point when the snapshot was taken are reversed.
CAUTION It’s best to snapshot a VM when it’s turned off, so that the VM doesn’t
preserve any temporary data that you don’t want to be part of the pooled VM. Do
ensure that the VMs are gracefully powered down; if you just turn the VM off in
Hyper-V instead of gracefully shutting down, then the VM will not start normally
and will show the boot menu to choose normal or safe mode.
Those who’ve used Terminal Services in the past to access sessions might wonder why rollback is an issue. When you’re done with a session, you just log off and, except for changes written to your profile, any changes that you made while the session was active are gone. This is because an RD Session Host server is, in best practice, properly locked down to avoid user changes to the system itself.
VMs in a pool are different, however. Each user who logs on to a particular VM will see the same VM that the previous user had, not a unique session on a server. So the changes made by one user (new application installs, and so on) will still be there when one user finishes and logs off and the next user connects to that VM. Therefore, the user experience over time could vary considerably from VM to VM because changes made (by each user) to the VMs in the pool would be retained. Troubleshooting would become more complicated, because a VM’s configuration would no longer be predictable. Enabling rollback on all the VMs in a pool ensures that any changes made to these VMs while a user was logged in will be discarded, thus maintaining a consistent environment for all users each time they connect to a VM in the pool.
CAUTION Because any changes made while a user is logged on to the VM will be
discarded, it is very important to update VMs while they are not in use and to then
take another snapshot after this maintenance. Otherwise, those updates will also be
discarded.
loadbalanceinfo:s:tsv://vmresource.2
VMResource shows that she’s asking for a VM, and 2 indicates that a personal VM is requested. (A 1 signifies a pool.)
When Kim clicks the icon to connect to her personal desktop, she’s prompted for her credentials. When she provides her credentials to log on, she’s passing them to the RD Connection Broker. RD Connection Broker checks those credentials against Active Directory and finds the name of her personal VM, stored in her user account properties. After the personal VM is located, the VM plug-in on the RD Connection Broker will contact the VM Host where her personal desktop is located and prompt the VM Host Agent there to orchestrate the VM and return the VM’s IP address. The redirector returns the IP address to Kim, and the RDP client on her computer will silently disconnect from the redirector and reconnect to the personal VM.
NOTE This implementation assumes that machines are domain joined and AD DS is avail-
able for user SID checks and RemoteApp and VM filtering.
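The two loadbalanceinfo forms above, the pooled-VM brokering steps (connection database check, default round-robin across RD Virtualization Hosts, orchestration, IP address returned) and the personal-VM lookup in the AD DS account property, as an added Python model. This is example code written for this section, not the book’s or Microsoft’s; the host names, VM names, IP addresses and user names are constructed, and the filter plug-in hook stands in for the ISV rule the text describes.

```python
"""Model of the RD Connection Broker's VM resource plug-in resolving a request.

Constructed example, not the book's or Microsoft's code: the loadbalanceinfo line,
the pooled-VM steps 3 to 6, the personal-VM lookup and a load-balancing filter rule.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# loadbalanceinfo:s:tsv://vmresource.1.<pool id>  -> pooled VM request
# loadbalanceinfo:s:tsv://vmresource.2             -> personal VM request
_LBI = re.compile(
    r"^loadbalanceinfo:s:tsv://vmresource\.(?P<kind>[12])(?:\.(?P<pool>\S+))?$"
)


def parse_loadbalanceinfo(line: str) -> Tuple[str, Optional[str]]:
    """Return ("pool", pool_id) or ("personal", None); reject malformed lines."""
    m = _LBI.match(line.strip())
    if m is None:
        raise ValueError(f"not a VM resource request: {line!r}")
    if m.group("kind") == "1":
        if not m.group("pool"):
            raise ValueError("a pooled VM request must carry a pool ID")
        return "pool", m.group("pool")
    if m.group("pool"):
        raise ValueError("a personal VM request carries no pool ID")
    return "personal", None


@dataclass
class Vm:
    name: str
    ip: str
    pool: Optional[str] = None   # None for a personal VM
    awake: bool = False          # saved/hibernated until orchestrated
    user: Optional[str] = None   # holder of a connected or disconnected session


@dataclass
class Host:
    """An RD Virtualization Host; its VM Host Agent reports VM state to the broker."""
    name: str
    vms: List[Vm] = field(default_factory=list)

    def running_count(self) -> int:
        return sum(1 for v in self.vms if v.awake)


class ConnectionBroker:
    def __init__(self, hosts: List[Host], personal_vms: Dict[str, str]):
        self.hosts = hosts
        self.personal_vms = personal_vms  # AD DS account property: user -> VM name
        self._cursor = 0                  # round-robin state of the default VM plug-in rule
        # Optional load-balancing filter plug-in: reorders hosts by preference.
        self.lb_filter: Optional[Callable[[List[Host]], List[Host]]] = None

    def _host_order(self) -> List[Host]:
        if self.lb_filter is not None:    # a filter plug-in rule replaces round-robin
            return self.lb_filter(self.hosts)
        order = self.hosts[self._cursor:] + self.hosts[:self._cursor]
        self._cursor = (self._cursor + 1) % len(self.hosts)
        return order

    @staticmethod
    def _orchestrate(vm: Vm) -> str:
        """VM Host Agent wakes the VM and reports its IP address back."""
        vm.awake = True
        return vm.ip

    def broker(self, user: str, lbi_line: str) -> str:
        """Return the endpoint IP that the redirector hands back to the client."""
        kind, pool = parse_loadbalanceinfo(lbi_line)
        all_vms = [v for h in self.hosts for v in h.vms]
        if kind == "personal":
            name = self.personal_vms.get(user)
            vm = next((v for v in all_vms if v.name == name), None)
            if name is None or vm is None:
                raise LookupError(f"no personal VM assigned to {user} in AD DS")
        else:
            # Connection database: a disconnected session in this pool wins.
            vm = next((v for v in all_vms if v.pool == pool and v.user == user), None)
            if vm is None:
                vm = next((v for h in self._host_order() for v in h.vms
                           if v.pool == pool and v.user is None), None)
            if vm is None:
                raise RuntimeError(f"no free VM in pool {pool}")
        vm.user = user
        return self._orchestrate(vm)


def build_demo_broker() -> ConnectionBroker:
    """Constructed lab: two hosts, one pool, one personal VM (names and IPs made up)."""
    rdvh1 = Host("RDVH1", [Vm("Pooled VM 1", "10.0.0.11", pool="DesktopPool1"),
                           Vm("Pooled VM 2", "10.0.0.12", pool="DesktopPool1"),
                           Vm("VM_User1", "10.0.0.21")])
    rdvh2 = Host("RDVH2", [Vm("Pooled VM 3", "10.0.0.13", pool="DesktopPool1"),
                           Vm("Pooled VM 4", "10.0.0.14", pool="DesktopPool1")])
    return ConnectionBroker([rdvh1, rdvh2], {"kim.akers": "VM_User1"})


def fewest_running_vms(hosts: List[Host]) -> List[Host]:
    """Filter plug-in rule from the text: prefer the host with the fewest running VMs."""
    return sorted(hosts, key=Host.running_count)


if __name__ == "__main__":
    b = build_demo_broker()
    pool_line = "loadbalanceinfo:s:tsv://vmresource.1.DesktopPool1"
    print(b.broker("kim.akers", pool_line))    # 10.0.0.11 (RDVH1, first in round-robin)
    print(b.broker("user.two", pool_line))     # 10.0.0.13 (RDVH2, next in round-robin)
    print(b.broker("kim.akers", pool_line))    # 10.0.0.11 (reconnect to her session)
    print(b.broker("kim.akers", "loadbalanceinfo:s:tsv://vmresource.2"))  # 10.0.0.21
```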
Figure 4-8 shows a bird’s-eye view of what must happen to each role service and to the VMs to support Microsoft VDI. It is also available in the files Microsoft-VDI-Setup-Steps.vsd and Microsoft-VDI-Setup-Steps.xps on the companion media.
To support Microsoft VDI, you’ll need to do the following.
■ Install the RD Virtualization Host.
■ Install and configure the RD Connection Broker (including the redirector on the same computer).
■ Install and configure RD Web Access to allow users to discover the VMs.
■ Configure the VMs to work with VDI.
■ Create pools and assign personal desktops as required.
The next sections explain how to accomplish each of these steps.
FIGURE 4-8 [diagram not reproduced; the setup checklist it shows for the RD Virtualization Host and its VMs is:]
On RDVH1:
• Install RDVH Role Service
• Rename Personal VMs to match the VM computer name!
• Snapshot each pooled VM
• Rename each snapshot: RDV_Rollback
For every pooled or personal VM:
• Enable Remote Desktop and add users to Remote Desktop Users group
• HKLM/System/CurrentControlSet/Control/TerminalServer/AllowRemoteRPC = 1
• For RemoteApp for HyperV: HKLM/System/CurrentControlSet/Control/TerminalServer/fDenyTSConnections = 0
• Make Firewall Exception for Remote Service Management
• Set RDP Protocol Permissions
Installing the RD Virtualization Host
Installing the RD Virtualization Host role service is simple. This feature depends on Hyper-V, so RD Virtualization Host is the only RDS role service that cannot be virtualized itself.
Assuming that no RDS roles are installed on the server, you will begin to install RD Virtualization Host by opening Administrative Tools/Server Manager and choosing Roles from the menu in the left pane. Click the Add Roles link. You’ll see the Before You Begin page; click Next when you are sure that you have met the recommendations to have a strong administrator password, have configured required Static IPs, and have installed the latest updates.
From the Select Server Roles page, choose Remote Desktop Services from the list. You should see the Hyper-V role service already installed as shown in Figure 4-9 (if you don’t, you’ll be prompted to install it when you select the role service).
NOTE If you have installed RDS on this server already, begin the process from the Add
Role Services link in the Role Status section of the Roles page in Server Manager. This will
skip the first couple of steps and take you directly to the Select Role Services page.
FIGURE 4-9 Hyper-V is a requirement for the RD Virtualization role service.
Click Next to open the Introduction To Remote Desktop Services page and then click Next again to open the Select Role Services page.
On the Select Role Services page, select the check box next to the Remote Desktop Virtualization Host role service and click Next, as shown in Figure 4-10.
FIGURE 4-10 Select the Remote Desktop Virtualization Host role service.
Confirm your installation selections on the next page and click Install. When the installation is complete, the Installation Results screen should indicate that the installation succeeded. Click Close.
Back in the Server Manager, browse to the Roles selection and highlight Remote Desktop Services, and you will see the Remote Desktop Virtualization Host Agent running in the System Services section, as shown in Figure 4-11. This agent is responsible for orchestrating VMs, so it’s essential to this role service’s function.
FIGURE 4-11 After the RD Virtualization Role Service is installed, the Remote Desktop Virtualization Host Agent service appears in the Server Manager.
At this point, the RD Virtualization Host is ready to support virtual desktop pools and personal desktops. Before setting those up, let’s continue by installing the broker.
Import-Module servermanager
Then run the Add-WindowsFeature command and reference the RD Virtualization Host role service as follows.
Add-WindowsFeature RDS-Virtualization
The RD Virtualization Host role requires the Hyper-V role, and it will be installed during this installation procedure if it is not already present. If your machine does not meet the requirements for Hyper-V, the installation of the RD Virtualization Host role service will fail and show you this message.
Add-WindowsFeature : Hyper-V cannot be installed. The processor on this computer is
not compatible with Hyper-V. To install this role, the processor must have a supported
version of hardware-assisted virtualization, and that feature must be turned on in the
BIOS…
Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
False No Failed {}
NOTE If you have installed RDS on this server already, begin the process from the Add
Role Services Link in the Role Status section of the Roles page in Server Manager. This will
skip the first couple of steps and bring you directly to the Select Role Services page.
Click Next to open the Introduction To Remote Desktop Services page and then click Next again to open the Select Role Services page.
On the Select Role Services page, select the check box next to Remote Desktop Connection Broker and click Next, as shown in Figure 4-12.
The RD Connection Broker requires an RD Session Host server configured in redirection mode (for the sake of convenience, we’ll call that server the redirector because that’s its job) to pass it incoming RDP connections. As discussed earlier, the RDP requests don’t go directly to the RD Connection Broker but to the redirector. For simplicity, set up the redirector on the same computer as the RD Connection Broker. To do this, also choose RD Session Host from the list shown in Figure 4-12.
FIGURE 4-12 The RD Connection Broker is a role service of RDS.
Confirm your installation selections on the next page and click Install. When the installation is finished, the Installation Results screen should indicate that the installation succeeded. Click Close. The RD Connection Broker is now installed and ready to be configured for pooled and personal VMs.
To install RD Connection Broker via Windows PowerShell, first import the Servermanager module as follows.
Import-Module servermanager
Then run the Add-WindowsFeature command and reference the RD Connection Broker role service as follows.
Add-WindowsFeature RDS-Connection-Broker
Remove-WindowsFeature RDS-Connection-Broker
Configuring RD Web Access
RD Web Access is instrumental to discovering VMs, but its scope goes beyond that to include RemoteApp programs, VMs, full desktop sessions, and even physical desktops. For more information on how to install and configure this role service for different scenarios, see Chapter 9. For this circumstance, we will assume that you have installed the role service and want to configure it to serve VMs only.
To publish pooled and personal VMs via RD Web Access, the role service needs to be configured with a source from which the website will display personal and pooled VMs. For this scenario, you need to configure RD Web Access to pull information from RD Connection Broker, so the first thing that you need to do is add the RD Web Access server to the TS Web Access Computers group on the RD Connection Broker server. After you have done this, it’s time to configure RD Web Access from the website itself. Access it by doing either of the following.
■ Select the Remote Desktop Web Access Configuration tool listed in the Remote Desktop Services folder in Administration Tools.
■ Open Windows Internet Explorer and type the following URL
https://servername/RDWeb
where servername is the name of your RD Web Access server. You can also substitute localhost for the server name if you are accessing the website from the server itself.
A fresh install of the RD Web Access website will configure the site as a secured site using Hypertext Transfer Protocol Secure (HTTPS), and it will have a Secure Sockets Layer (SSL) certificate assigned to it automatically. The certificate will be a self-signed certificate, with the server FQDN representing the certificate common name. For example, if you were to install RD Web Access on a server called Colfax.ash.local, the self-signed certificate assigned to the site is made for Colfax.ash.local and signed by Colfax.ash.local. However, accessing the site by either of these methods will produce an error page that says the following.
The security certificate presented by this website was not issued by a trusted
certificate authority.
The security certificate presented by this website was issued for a different website's
address.
Security certificate problems may indicate an attempt to fool you or intercept any data
you send to the server.
This is expected behavior; the certificate assigned does not have a common name that is referenced in the URL opened by the RD Web Access Configuration tool (it uses localhost instead of the server FQDN), nor is the certificate trusted by default. Click the Continue To This Website link and you will get a logon screen.
NOTE Chapter 10, “Making Remote Desktop Services Available from the Internet,” explains how to avoid this error.
Members of the local administrators group are allowed to configure RD Web Access by default, so log on with an administrator account, as shown in Figure 4-13.
Enter your user name in the form of domain/user name, enter your password, and click Sign in.
NOTE In the security section of this page, you have the option of selecting whether you
are accessing this website from a public or private computer. If you choose the option This
Is A Public Or Shared Computer, then the timeout for the website login is shorter than if
you choose the option This Is A Private Computer.
Next, you will be taken to the Configuration tab of the website, as shown in Figure 4-14.
FIGURE 4-14 Add a source for RemoteApp programs and desktops to RD Web Access.
When you access personal and pooled VMs, you must specify an RD Connection Broker server as the source because this is the server that is aware of those personal VM assignments and VM pools. Select the An RD Connection Broker Server option and enter the fully qualified domain name (FQDN) of the RD Connection Broker server. Click OK.
■ The name of the RDSH redirector from which it will be receiving incoming requests, and to whom it will be sending fulfilled request information.
■ If you need to provide redirection for clients using RDC 6.1 or earlier, then you will provide the alternative server name, which basically is the same redirector server, but uses a different issued Domain Name System (DNS) host record.
■ If you will require connections to go through RD Gateway, then you will provide this RD gateway information (you’ll find out more about this in Chapter 11).
■ If you will sign the RDP files created for pooled and private desktop connections, you will provide the digital certificate used to sign these files (discussed in more detail in Chapter 8, “Securing Remote Desktop Protocol Connections”).
Start the wizard by clicking the Configure Virtual Desktops link in the Actions pane of the Remote Desktop Connection Manager. As shown in Figure 4-15, this will open the wizard’s Before You Begin page.
FIGURE 4-15 The Before You Begin page tells you the information that you will be providing in the following pages.
Click Next to select the RD Virtualization server(s) that will support your VM pools and personal desktops, as shown in Figure 4-16. You can use one or more RD Virtualization Host servers to support the pool.
FIGURE 4-16 Provide the names of the RD Virtualization servers that will provide personal and pooled VMs.
After choosing the RD Virtualization Host server, click Next to configure the redirection settings, as shown in Figure 4-17.
FIGURE 4-17 Provide the name (and the alternative name, if you want) of the RD Session Host redirector.
Add the name of the redirector (this can be the same machine as the RD Connection Broker if you chose to install the two role services on the same machine). If you need to support clients using RDC 6.1 or earlier, add an “alternative server name” to make this work. You create an alternative name by adding another Host record (an A or AAAA record) to DNS with a unique name that points to the IP address of the RD Session Host server that is in redirection mode. For example, Figure 4-17 shows that the alternative name for the redirector server is pyramid-vmredir, so the DNS entry added to DNS would be pyramid-vmredir.ash.local and would map to the same IP address as the DNS entry that is already created for this server, namely, pyramid.ash.local.
You don't have to let the wizard automatically configure the RD Session Host server appropriately for its redirection duties. If you don't, however, you will need to do this manually on the server. Here's how.
1. Add the RD Session Host server name to the Session Broker Computers group on
the RD Connection Broker server.
2. On the RD Session Host server, open the RD Session Host Configuration tool, and
in the middle pane, double-click Member Of Farm In RD Connection Broker.
4. In the Remote Desktop Virtualization section, select the Virtual Machine Redi-
rection option.
5. At the bottom of the RD Connection Broker Settings screen, enter the name of
the RD Connection Broker server and click OK.
You will see a warning dialog box that tells you the changes that will be made to the
RD Session Host if you put it in redirection mode. In short, those changes mean that
people will not be able to use the RD Session Host to run RemoteApp programs or
full desktops. Click Yes and then click OK on the Properties dialog box that appears.
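The two prerequisites that are easy to get wrong when you configure the redirector by hand are the alternative DNS record (it must resolve to exactly the same addresses as the redirector's primary name) and the redirector's computer account being in the Session Broker Computers group on the broker. The following PowerShell script, an added example rather than code from the book or its companion media, checks both and optionally fixes them. It is meant to run on the RD Connection Broker; the host and domain names (ash.local, pyramid, pyramid-vmredir, dc1.ash.local) are assumed placeholders based on the chapter's example names, and it assumes the domain's NetBIOS name is the first label of the DNS name.

```powershell
# Added example (not from the book): verify the manual prerequisites for an
# RD Session Host redirector. Run on the RD Connection Broker with rights to
# read/write the DNS zone and the local Session Broker Computers group.
param(
    [string]$Domain     = 'ash.local',
    [string]$Redirector = 'pyramid',          # RDSH in redirection mode
    [string]$AltName    = 'pyramid-vmredir',  # alternative name for RDC 6.1 clients
    [string]$DnsServer  = 'dc1.ash.local',    # assumed: a DNS server hosting the zone
    [switch]$Fix                              # create the record / add the member
)

function Get-HostIPs([string]$Name) {
    try {
        [System.Net.Dns]::GetHostAddresses($Name) |
            ForEach-Object { $_.IPAddressToString } | Sort-Object
    } catch { @() }
}

# 1. The alternative name must resolve to the same addresses as the primary
#    name, because it is the same server. A mismatch silently sends RDC 6.1
#    clients to whatever host owns the other address.
$primary = @(Get-HostIPs "$Redirector.$Domain")
$alt     = @(Get-HostIPs "$AltName.$Domain")
if (-not $primary) { throw "$Redirector.$Domain does not resolve; fix DNS first." }

if (-not $alt) {
    Write-Warning "$AltName.$Domain has no DNS record."
    if ($Fix) {
        foreach ($ip in $primary) {
            # dnscmd.exe comes with the DNS Server tools (RSAT).
            & dnscmd.exe $DnsServer /RecordAdd $Domain $AltName A $ip
        }
    }
} elseif (Compare-Object $primary $alt) {
    Write-Warning ("$AltName.$Domain resolves to {0} but $Redirector.$Domain resolves to {1}." -f ($alt -join ','), ($primary -join ','))
} else {
    Write-Host "OK: $AltName.$Domain -> $($alt -join ',') (matches $Redirector.$Domain)"
}

# 2. The redirector's computer account must be in the broker's local
#    Session Broker Computers group, or the broker rejects its requests.
#    Assumption: NetBIOS domain name == first DNS label.
$netbios = ($Domain -split '\.')[0].ToUpper()
$account = "$netbios\$($Redirector.ToUpper())`$"
$members = & net.exe localgroup "Session Broker Computers"
if ($members -match [regex]::Escape($account)) {
    Write-Host "OK: $account is a member of Session Broker Computers"
} else {
    Write-Warning "$account is not in Session Broker Computers."
    if ($Fix) { & net.exe localgroup "Session Broker Computers" $account /add }
}
```

Run it without -Fix first to see what it would change; the group check reads the broker's own local group, so it must run on the broker rather than on the redirector.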
When you're finished, click Next to indicate the RD Web Access server that will enable discovery, as shown in Figure 4-18.
FIGURE 4-18 Provide the name of the RD Web Access server.
Specify the RD Web Access server that will provide access to pooled and personal VMs to users. In this example, the RD Web Access server and the RD Connection Broker are the same server, but they do not have to be. When you've chosen the server, click Next to review the changes, as in Figure 4-19.
FIGURE 4-19 Review and confirm your selections and then apply them.
When you're sure that you have set up the RD Connection Broker server correctly, click Apply to finish and view a summary of the settings (shown in Figure 4-20).
Notice that no personal VMs are yet assigned; hence the yellow warning symbol. This isn't necessary to configure a VM pool, though.
These settings can be adjusted at any time. To access the configuration pages, in Remote Desktop Connection Manager, select RD Virtualization Host and then right-click and choose Properties to view or edit the settings on the Redirection Settings tab. These settings should be familiar to you because you configured them using the wizard previously.
NOTE Because we haven’t yet discussed the roles of the RD Gateway or digital signature,
we won’t discuss those tabs of the Properties dialog box until Chapter 10 and Chapter 8,
respectively.
If you use a text editor to open a pooled or personal VM RDP file that RD Web Access created (for example, one that was provided in RemoteApp and Desktop Connections on clients running Windows 7), you'll notice something a bit odd: the primary full address setting value will be that of the alternate server name, and the alternate full address setting will have the primary server name as its value, like this:
This is more of a curiosity than anything else; don't edit the RDP file to reverse the settings, and do not change the settings in the Remote Desktop Connection Manager to reflect the settings in the RDP file.
Setting Up VMs
VDI is built for delivering client operating systems, and the in-box solution supports Windows XP SP3, Windows Vista SP1, and Windows 7. To prepare a VM to be used as a pooled or personal VM, you need to make a few adjustments to the operating system. On each VM, you must do the following:
1. Enable Remote Desktop.
2. Add the people who will be using the VM to the Remote Desktop Users group.
3. Enable RemoteRPC on the VM.
4. Give the RD Virtualization Host server the required permissions to orchestrate the VM.
5. Create firewall exceptions for Remote Desktop Protocol and Remote Service Management.
6. Reboot to restart the Terminal Services service and use the new permissions (required for Windows XP VMs only).
We will go through each of these steps in detail, but if this looks like a lot of work to do on every VM, you'll be glad to know that you don't have to. Microsoft has provided a script to do this prep work. Download the script from http://gallery.technet.microsoft.com/ScriptCenter/en-us/68462b23-0890-4dbd-95b6-8de5763e4f68. The script works on VMs running Windows 7, Windows Vista, and Windows XP operating systems.
When you run the script, you might see two more command-line boxes appear and then disappear. This is expected; the script calls Netsh.exe to make firewall exceptions, and you are seeing Netsh running in a command prompt.
Both personal and pooled VMs must be in a domain. All members of a pool must be in the same domain, but there are no specific requirements for the AD DS schema. All personal desktops must be in a native-mode domain; you can use the additional functionality in the User Account Properties tab to assign a personal VM if you use Windows Server 2008 R2. (Windows Server 2008 doesn't have the graphical user interface for this, so you will need at least one domain controller running Windows Server 2008 R2 or a computer running Windows 7 with the Remote Server Administration Tools installed to make the assignment.)
Enable Remote Desktop and Add Users to the Remote Desktop Users Group
Remote Desktop is not enabled by default on client operating systems. To permit incoming RDP connections to a client, you must enable them. To do so, go to the Control Panel and open System. Click the Remote Settings link on the left side of the dialog box to open the tabbed dialog box shown in Figure 4-21.
To enable connections, choose one of the two options. If the computers that you'll be using to connect to this VM are running Windows Vista or later, you can choose the option requiring Network Level Authentication (NLA), which requires that a user provide credentials before establishing a session with the endpoint. If they'll be running other operating systems (for example, earlier versions of Microsoft Windows CE), allow connections from any version of Remote Desktop. Be aware that the second option turns NLA off, so any client that can reach the VM over the network gets a full Windows logon screen before authenticating; prefer the NLA option wherever your clients support it.
FIGURE 4-22 Add users to the Remote Desktop Users group.
If you click Add, you'll open the Select Users dialog box. Browse to the desired user group (or individuals, as required) and add them.
Enable RemoteRPC
Remote Procedure Calls (RPCs) allow other processes to connect with the operating system. They're required to allow the VM Host Agent to wake up the VM. To allow RPC connectivity, set the value of AllowRemoteRPC to 1 in the location HKLM\System\CurrentControlSet\Control\Terminal Server, as shown in Figure 4-23.
FIGURE 4-24 Enable Remote Desktop through the firewall.
Select the check boxes for both services to enable this traffic through the machine firewall and then click OK.
For Windows XP, you will not see these options in Firewall. Run these commands at a command prompt to accomplish these configuration changes:
TABLE 4-1 Available and Required Permissions for the RD Virtualization Host Server to Manage VMs
We've included the programmatic values in this table to make it easier to follow what the next commands (and the script that you saw a link to earlier) are doing. Essentially, it's allowing the RD Virtualization Host server to query the VM status via RDP, log off the connection, and disconnect a session.
To allow the RD Virtualization Host to manage the VM, you'll need to edit these settings on each VM. Because the client operating system does not have the RD Session Host UI, you'll need to execute the following commands at a command prompt:
ON THE COMPANION MEDIA This code is contained in batch files on the
companion media called RDP-Permissions.bat (for Windows Vista and Windows 7)
and RDP-Permissions-XP.bat (for Windows XP). To use these files, edit the variables
DOMAINAME and RDVH-SERVERNAME to reflect your domain name and RD
Virtualization Host server name.
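The six preparation steps above, as one PowerShell script for Windows Vista and Windows 7 VMs. This is an added example, not the book's batch files or Microsoft's script; the domain, group and host names (ASH, ASH\VDI Users, PYRAMID-VH1) are assumed placeholders. It grants the RD Virtualization Host's computer account only the three RDP-Tcp permissions the text describes (query, log off, disconnect) instead of Full Control, which is the least-privilege choice for an orchestration account. Windows XP is not covered: it uses the older netsh firewall syntax and needs the reboot noted above.

```powershell
# Added example (not from the book or its companion media): prepare a
# Windows Vista / Windows 7 VM for use as a pooled or personal desktop.
# Run elevated inside the VM.
param(
    [string]$Domain     = 'ASH',             # NetBIOS domain name (assumed)
    [string]$RdvhName   = 'PYRAMID-VH1',     # RD Virtualization Host computer name (assumed)
    [string]$UserGroup  = 'ASH\VDI Users',   # who may log on to this VM (assumed)
    [switch]$RequireNla = $true              # credentials before a session exists
)
$ErrorActionPreference = 'Stop'
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Enable Remote Desktop and Network Level Authentication.
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication `
    -Value $(if ($RequireNla) { 1 } else { 0 }) -Type DWord

# 2. Add the users of this VM to Remote Desktop Users.
& net.exe localgroup "Remote Desktop Users" $UserGroup /add

# 3. Let the VM Host Agent on the RDVH reach the VM through RPC.
Set-ItemProperty -Path $ts -Name AllowRemoteRPC -Value 1 -Type DWord

# 4. Grant the RDVH computer account the RDP-Tcp permissions it needs:
#    Query = 0, Reset (log off) = 2, Disconnect = 9 in the Win32_TSAccount
#    ModifyPermissions mask. AddAccount's second argument 1 = user-type entry.
$acct = "$Domain\$RdvhName`$"
$ns   = 'root\CIMV2\TerminalServices'
$perm = Get-WmiObject -Namespace $ns -Class Win32_TSPermissionsSetting -Filter "TerminalName='RDP-Tcp'"
$null = $perm.AddAccount($acct, 1)
# WQL needs backslashes doubled inside the filter string.
$tsAcct = Get-WmiObject -Namespace $ns -Class Win32_TSAccount `
    -Filter "TerminalName='RDP-Tcp' AND AccountName='$($acct.Replace('\','\\'))'"
foreach ($mask in 0, 2, 9) { $null = $tsAcct.ModifyPermissions($mask, $true) }

# 5. Open the firewall for Remote Desktop and Remote Service Management (RPC).
& netsh.exe advfirewall firewall set rule group="Remote Desktop" new enable=yes
& netsh.exe advfirewall firewall set rule group="Remote Service Management" new enable=yes

# Show what was applied so the result can be checked before the VM is
# snapshotted for rollback.
Get-ItemProperty -Path $ts -Name fDenyTSConnections, AllowRemoteRPC
Get-WmiObject -Namespace $ns -Class Win32_TSAccount -Filter "TerminalName='RDP-Tcp'" |
    Select-Object AccountName, PermissionsAllowed
```

Run the script before you take the RDV Rollback snapshot described next; the troubleshooting sidebar at the end of the chapter explains why a snapshot taken before these changes leaves the VM unable to accept broker connections.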
To enable rollback on a VM, perform the following steps:
1. Log on to the RD Virtualization Host server using an Administrator account.
2. In Administrative Tools, open Hyper-V Manager.
3. Under Virtual Machines, right-click a running VM and then click Snapshot. Wait while the system creates the snapshot.
4. When the snapshot is complete, rename it to RDV Rollback.
Rollback occurs when the user logs off the VM. The VM is saved and then immediately reverted to the state captured in the RDV Rollback snapshot. Make sure that the VM is in the state you want it to be in when you're rolling back before making the snapshot: the preparation steps above must be complete and any updates applied, because whatever the snapshot captures is what every user will get after each logoff.
Creating Pools
There's really no relationship between a VM pool and the server on which it's located; the pool boundaries are not driven by the hosts' capacity. A VM pool can be on a single server, or it can be spread across multiple servers. An RD Virtualization Host server can have one pool's VMs on it or more than one. Because a pool does not have to be located on a single server, you can add capacity just by adding new servers and adding the VMs from those servers to the pool.
To create a VM pool, go to Administrative Tools/Remote Desktop Services/Remote Desktop Connection Manager on the RD Connection Broker. From the left pane, right-click RD Virtualization Host Servers and choose Create A Virtual Desktop Pool to start the wizard, as shown in Figure 4-25.
FIGURE 4-25 Review settings for the pool before beginning.
The advice that the wizard gives here is important. First, the VMs in a pool should all be identical, or else the user's experience will change depending on which VM he or she connects to. This pertains to operating systems too: Windows 7 VMs should be in one farm, and any Windows XP VMs should be in another. In addition, make sure that the RD Connection Broker already is aware of the RD Virtualization Host where you've set up the VMs to populate the pool. When you're sure of both of these items, click Next to select VMs to add to the pool.
Choose the VMs by highlighting them (to select more than one, hold down the Ctrl key and click each VM that you want to add), as shown in Figure 4-26. Notice that it is much simpler to choose the right VMs if you are very explicit about the VM configuration (defining the operating system, whether it's 32-bit or 64-bit, and so forth). All VMs on the RD Virtualization Host will be displayed here, whether they are running client or server operating systems. The VMs selected in this example will back a pool of Windows XP SP3 VMs.
NOTE Microsoft VDI is for supporting client operating systems, but, especially in small
deployments where one piece of hardware supports many roles, it’s possible that an RD
Virtualization Host server could have VMs running a server operating system.
When you've selected all the VMs, click Next to continue to the Set Pool Properties page shown in Figure 4-27.
FIGURE 4-27 Configure the display name for the pool.
Type a display name for the pool (notice that, to make it easier to determine the pool's contents, we named it according to the operating system of the VMs in it). Then enter a Pool ID for the pool. The Pool ID is used by the RDP file to identify the pool. When you are done, click Next to review the settings, as shown in Figure 4-28.
FIGURE 4-28 Review the farm settings for the VM pool.
In this example, the VMs are actually located on two different RD Virtualization Host servers, so both are listed here. Click Finish to close the wizard.
Should You Deploy Pooled or Personal VMs?
Microsoft VDI supports both pooled and personal desktops. Which should you use?
Personal VMs are best if you’re looking to create an experience very like that of a
desktop computer in a company where users have administrative control over the
computer and will customize it.
Pooled VMs are better for a more generic user experience because they really can’t
be customized. They’re similar to sessions in that way, except that they run in a VM
and are therefore fully protected from affecting people using other machines in the
VM pool. Pooled VMs can be cheaper to manage because they are more generic,
too—if one VM starts being a problem, a user can log out and log back in again and
get a new VM when the other is taken offline. In addition, it’s easier to troubleshoot
issues on a pooled VM because it should be identical to other members of the pool.
The more consistent a set of machines is, the easier it is to update them, as well.
You might end up with a mix, but those who need to give their user base more con-
trol will likely deploy personal desktops for at least those users. Bear in mind that it
might be most appropriate to give pooled VM users sessions on an RD Session Host
server, if their applications will run there. Sessions scale much more than pooled
VMs on the same computer, so this option is more economical.
FIGURE 4-29 Assign personal desktops to individual users.
Clicking the link will start the Assign Personal Virtual Desktop Wizard shown in Figure 4-30. The first page of the wizard offers general guidelines about personal desktops. They can be assigned to only one user at a time, each person can have only one desktop at a time, both user and VM must be domain members, and the name of the VM must match the name in the Hyper-V Manager. (For more specifics about the domain requirements for personal desktops, see the following sidebar.)
DIRECT FROM THE SOURCE
Microsoft's VDI solution offers two deployment scenarios: virtual desktop pools
and personal virtual desktops. Virtual desktop pools do not depend on a
specific AD DS schema level; however, personal virtual desktops do need a Windows
Server 2008 or Windows Server 2008 R2 schema.
■ To deploy personal virtual desktops, your schema for the AD DS forest must
be at least Windows Server 2008. To use the added functionality provided by
the Personal Virtual Desktop tab in the User Account Properties dialog box in
Active Directory Users And Computers, you must run Active Directory Users
And Computers from a computer running Windows Server 2008 R2 or from
a computer running Windows 7 that has Remote Server Administration Tools
(RSAT) installed.
■ You must use a domain functional level of at least Windows 2000 Server
native mode. The functional levels Windows 2000 Server mixed mode and
Windows Server 2003 interim mode are not supported.
Next to the User Name input box, click Select User and choose a user from AD DS to whom you want to assign the VM. When you've done so, the Virtual Machine drop-down menu will become active. From the drop-down menu, select the VM to be assigned to this user. All available VMs on all RD Virtualization Host servers that are added to RD Connection Broker will be listed in the Virtual Machine drop-down menu. When you've chosen the VM, click Next. Confirm the assignment as shown in Figure 4-31 and then click Assign.
Finally, on the Assignment Summary page, either click Finish or select the check box to assign more VMs. Selecting the check box will enable the Continue button, allowing you to assign more VMs to users. Then, when you click Continue, the wizard will restart, and you will go through the same procedures for each VM that you want to assign.
When you are finished assigning VMs to users, clear the Assign Another VM To Another User check box. The Continue button will change to a Finish button. Click Finish, and you are done.
FIGURE 4-31 Confirm the VM assignment.
HOW IT WORKS
If you'd like to experiment with personal VMs without needing to use discovery, here's how. Creating an RDP file to give to users to connect to their personal VMs is a matter of adding a few extra settings to a saved RDP file.
username:s:kristin
full address:s:humpback.ash.local
Save the file and then open it in a text editor (like Notepad.exe). Now add the fol-
lowing line (and, of course, save the file once more).
If any consumers of this RDP file will be using RDC 6.1 client or earlier, then you also
need to add the alternative name of the RD Session Host server in redirection mode
that is specified on the Redirection Settings tab of the RD Connection Broker Virtual
Desktop Properties dialog box. The example line of code here specifies the server
name humpback-vmredir.
Creating an RDP file used to connect to the VM pool is the same process as creating an RDP file to connect to a personal VM, with one difference. You must specify the VM Pool ID, so that the redirector knows that the user needs to connect to the VM pool, instead of a personal VM. To do so, add the following line to the RDP file.
loadbalanceinfo:s:tsv://vmresource.1.VM-POOL-ID-GOES-HERE
The VM Pool ID is located on the General tab of the VM Pool Properties dialog box
in the RD Connection Broker. The 1 in the previous line signifies that a pooled VM is
requested. A 2 indicates a personal VM, but if a personal VM exists for a user, then
the RD Connection Broker will send them there automatically, even without the 2
specified; that’s how load balancing works for VMs. It’s similar to the way that the
broker will always reconnect a user to a disconnected session instead of starting a
VM.
FIGURE 4-32 Configure personal VM RDP settings via the Personal Virtual Desktops Properties tabbed dialog box.
On the General tab, enable users to see their personal virtual desktop (should they be assigned one) in RD Web Access and in their Start menu by selecting the check box next to the option Show In RemoteApp And Desktop Connection.
NOTE You can also toggle showing and hiding personal VMs in RADC and RD Web
Access by right-clicking Personal Virtual Desktops and then choosing the setting from the
shortcut menu.
To save power on your RD Virtualization Host servers, set your personal VMs to go into a saved state when a certain amount of time has passed after a user logs off or is disconnected. Machines are saved in the state they are in at that time, and they are restored to this state when needed again. To set this option, select the Automatically Save Virtual Machines check box and then choose a time in minutes (with a minimum of 5) to wait before the VM is put into a saved state.
Next, select the Common RDP Settings tab. Here you can control device and resource redirection by selecting the check boxes next to the resources you want the user to have access to in the remote session. By default, all redirection is allowed. Because drive and clipboard redirection move data between the client and the VM in both directions, clear those check boxes for pools that handle sensitive data unless there is a clear business need for them. You can also control the following display settings:
■ Allow Font Smoothing Font smoothing is allowed by default. To disable it, clear the check box next to Allow Font Smoothing.
■ Multiple Monitor Use By default, the session will use all client monitors when connecting to the personal VM remote session. To use only one monitor, clear the check box next to Use All Client Monitors When Connecting To A Remote Desktop.
■ Color Depth By default, this is set to high quality (32 bit). Change the session color depth by opening the corresponding drop-down menu and choosing 15, 16, or 24 bit.
To specify custom RDP settings (settings that are configurable in an RDP file but not set on the preceding two tabs), click the Custom RDP Settings tab. Here you can input RDP settings including audio redirection settings, custom desktop height and width, and whether Windows key combinations are applied to the local or remote computer.
NOTE For details on RDP settings you can customize, see http://technet.microsoft.com
/en-us/library/ff393699(WS.10).aspx. The link is also available on the companion media.
For a full list of RDP settings, see Appendix A.
Custom settings you input cannot overwrite settings already configured in Remote Desktop Connection Manager. If a setting is invalid or tries to overwrite a setting that is already configured, you will get an error and you will need to remove the custom setting.
To configure RDP settings on a per-VM-pool basis, right-click the VM pool you want to configure and choose Properties. The pool's Properties dialog box will appear. These settings are identical to the settings available to personal VMs, except that on the General tab you can also edit the pool display name (the name that appears in RD Web Access and RADC) as well as the Pool ID (the ID that RD Connection Broker uses to identify the pool). Change these settings by editing the text in the corresponding text boxes. When you are done editing RDP settings for pools or personal VMs, click OK to save the changes.
Personal and pooled VM RDP settings are also configurable via PowerShell. To get to these settings, import the RDS module and change to the RDS: drive that it provides:
Import-Module RemoteDesktopServices
cd RDS:
cd connectionbroker\virtualdesktops\pools\
Then navigate further to Personal Virtual Desktops or to a named pool and edit settings using the Set-Item cmdlet.
that require Windows XP. One obvious example of this would be a web application requiring Microsoft Internet Explorer 6. That version of Internet Explorer doesn't come with Windows 7, and you can't virtualize it using App-V. Windows Server 2003 Terminal Services doesn't support RemoteApp programs, either. Without this feature, you'd have one option: set up a Windows Server 2003 terminal server and run the application from there on a full desktop.
RemoteApp for Hyper-V makes this unnecessary. This feature enables a client running Windows XP SP3 (or Windows Vista, or Windows 7) to serve RemoteApp programs to a computer running Windows 7 (or technically, to any computer running the RDC 7 client). The endpoint can still support only a single connection; that's how an RDP connection to a client operating system works. But this feature can enable you to use Windows 7 on the desktop while exporting older applications to the newer platform.
One connection doesn't mean one RemoteApp. If a VM is providing more than one RemoteApp program, then a user can run as many as required; all will run on the same VM, in the same session.
NOTE This feature also allows Windows 7 and Windows Vista to serve RemoteApp
programs. However, most applications that run on either of those platforms will run on
Windows Server 2008 or Windows Server 2008 R2. Rather than using RemoteApp for
Hyper-V, it might be more cost-effective to run RemoteApp programs that don’t require
Windows XP from a terminal server/RD Session Host. This is because a client operating
system can support only a single active remote connection.
When you run a RemoteApp from a guest operating system, it will retain the look and feel of the operating system that it's running on. That is, if the endpoint is running Windows XP, the RemoteApp will have the Windows XP title bar and controls.
If you've heard of a feature called XP Mode, you might have noticed that this sounds extremely similar. For those who haven't, when running a computer in XP Mode, you use Microsoft Virtual PC to run a guest VM of Windows XP on the local computer and run applications from there. This works well in many cases. RemoteApp for Hyper-V differs from XP Mode in being appropriate in the following cases:
■ When the client can't run Virtual XP or can't support two operating systems running at the same time Netbook computers are one good example of this situation. They can run Windows 7, but you're not likely to be happy running Windows 7, Virtual PC, and Windows XP at the same time on a low-power computer.
■ When the user needs the application only occasionally, or only for a few minutes at a time If someone's using an application for 5 minutes an hour, it's either a waste of computing resources to keep the Windows XP VM running or a waste of time to keep starting it whenever you need the application.
Using RemoteApp for Hyper-V for Application Compatibility Chapter 4 219
Configuring RemoteApp on Hyper-V
To use RemoteApp on Hyper-V, you must configure both the client and the endpoint, as follows:
■ The VM must be running Windows XP SP3 (Professional Edition), Windows Vista SP1 (Enterprise or Ultimate Edition), or Windows 7 (Enterprise or Ultimate Edition).
■ The VM must have the update to enable RemoteApp delivery (Windows XP and Windows Vista only), and you must edit the registry to allow the RemoteApp program to start.
■ The client must have the RDC 7 client installed and an RDP file configured to connect to a RemoteApp.
■ Set Group Policy to disconnect sessions on the endpoint after a certain amount of time.
Let's start with the endpoint.
Configuring the VM
To configure the VM, first install the update that enables this feature. Again, this is not required for Windows 7, but it is required for Windows Vista SP1 and Windows XP SP3. The update is available only for 32-bit operating systems.
To install the hotfix for Windows XP, navigate to http://www.microsoft.com/downloads/details.aspx?FamilyID=2f376f53-83cf-4e5b-9515-2cb70662a81b&displaylang=en and choose to download the hotfix.
When it's downloaded and you run it on Windows XP, you'll be prompted to install KB961742-v3.exe. Click Run to unpack the installation and begin. The steps are simple:
1. Review the opening page and note that you might need to restart the computer after installing the hotfix.
2. Agree to the license terms.
3. Let Setup check the current configuration.
4. When prompted, click Finish to end the installation and prompt the reboot.
When the application is installed, you'll need to permit people to initiate a connection to the VM by starting that application. To use the Microsoft terminology, you're adding it to the allow list. To do so, you'll be editing the Registry.
On the VM, enable RemoteApp for Hyper-V by changing the following value from 0 to 1:
Readying the Client
The client must have RDP 7 installed. RDP 7 is preinstalled on Windows 7; you can download it to install on 32-bit Windows XP or Windows Vista as well (see the section entitled "Additional Resources" later in this chapter for the location of the download).
remoteapplicationmode:i:1
alternate shell:s:rdpinit.exe
Those settings will work if you have just one machine. But most likely you will have multiple computers providing these RemoteApp programs, configured as a VM pool. If so, then the RDP file needs adjusting to connect to the pool. The computer name that you enter will need to be the name of the RD Session Host server redirector, and you need to add this line to the RDP file:
loadbalanceinfo:s:tsv://vmresource.1.POOL-ID-GOES-HERE
After you've configured the RDP file appropriately, anyone attempting to use the RemoteApp VM pool will be routed to the most appropriate endpoint for their session, just as they would for a full desktop. If a user attempts to start a second RemoteApp program that is provided by VMs in the pool, then the RD Connection Broker will route their connection request to the VM where they're already running a RemoteApp. This is because the first step of brokering is to see if the person attempting to connect already has a session running.
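The hand-built RDP files in the "How It Works" sidebar earlier and in the RemoteApp for Hyper-V section above differ only in a few name:type:value lines, so it is worth generating them rather than typing them. The following PowerShell is an added example (not code from the book): one function writes a personal-VM, pooled-VM or RemoteApp-for-Hyper-V RDP file from the settings the chapter describes, and a second parses an RDP file back into a hashtable, which is also a quick way to confirm the swapped primary/alternate names in the files RD Web Access generates. The server names (humpback.ash.local, humpback-vmredir.ash.local) are the chapter's example names and the pool ID is a placeholder. Files produced this way are unsigned; Chapter 8 covers signing, which is what stops a user from being redirected by an RDP file someone else edited.

```powershell
# Added example (not from the book): build and parse the RDP files used to
# reach pooled VMs, personal VMs and RemoteApp for Hyper-V endpoints.
function New-VdiRdpFile {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$Redirector,  # RDSH in redirection mode
        [string]$AlternateName,                           # for RDC 6.1 and earlier clients
        [string]$UserName,
        [string]$PoolId,                                  # omit for a personal VM
        [switch]$RemoteApp                                # RemoteApp for Hyper-V endpoint
    )
    $lines = New-Object System.Collections.Generic.List[string]
    $lines.Add("full address:s:$Redirector")
    if ($AlternateName) { $lines.Add("alternate full address:s:$AlternateName") }
    if ($UserName)      { $lines.Add("username:s:$UserName") }
    if ($PoolId) {
        # tsv://vmresource.<type>.<id>: type 1 = pooled VM, type 2 = personal VM.
        # A user with a personal assignment is sent there by the broker without
        # this line, so only the pooled form is emitted here.
        $lines.Add("loadbalanceinfo:s:tsv://vmresource.1.$PoolId")
    }
    if ($RemoteApp) {
        $lines.Add('remoteapplicationmode:i:1')
        $lines.Add('alternate shell:s:rdpinit.exe')
    }
    # The client reads name:type:value lines; write plain ASCII with CRLF.
    [System.IO.File]::WriteAllLines($Path, $lines.ToArray(), [System.Text.Encoding]::ASCII)
    return $lines
}

# Parse an RDP file (hand-made or generated by RD Web Access) into a hashtable.
function Read-RdpFile([string]$Path) {
    $settings = @{}
    foreach ($line in Get-Content $Path) {
        # type is s (string), i (integer) or b (binary)
        if ($line -match '^([^:]+):([isb]):(.*)$') { $settings[$matches[1]] = $matches[3] }
    }
    return $settings
}

# Personal VM: no loadbalanceinfo, the broker redirects kristin to her VM.
New-VdiRdpFile -Path "$env:TEMP\kristin-personal.rdp" -Redirector 'humpback.ash.local' `
    -AlternateName 'humpback-vmredir.ash.local' -UserName 'kristin'

# Pooled VM: pool ID from the General tab of the pool's Properties dialog box.
New-VdiRdpFile -Path "$env:TEMP\winxp-pool.rdp" -Redirector 'humpback.ash.local' `
    -AlternateName 'humpback-vmredir.ash.local' -PoolId 'WINXP-POOL'

# RemoteApp for Hyper-V served by the same pool of Windows XP VMs.
New-VdiRdpFile -Path "$env:TEMP\ie6-remoteapp.rdp" -Redirector 'humpback.ash.local' `
    -PoolId 'WINXP-POOL' -RemoteApp

# Inspect the generated or an RD Web Access-created file.
$parsed = Read-RdpFile "$env:TEMP\winxp-pool.rdp"
$parsed['full address']
$parsed['alternate full address']
$parsed['loadbalanceinfo']
```

Read-RdpFile applied to a file from RD Web Access will show the alternate name under full address and the primary name under alternate full address, the curiosity noted earlier in the chapter; leave those files as they are.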
Configuring a Time Limit for Disconnected Sessions on the Endpoint
When a user starts a RemoteApp program on a VM running RemoteApp for Hyper-V and then closes the application, their session on that VM remains active, and stays active even if the VM is put into a saved state. When the VM is restored, the last user who had started the RemoteApp will still be logged on to that machine. In addition, because clients can have only one session going at a time, this computer is now effectively usable only by that user. That is, no other users will be able to start a RemoteApp on this machine.
Fortunately, you can set a time limit for disconnected sessions on the endpoint via a Group Policy object (GPO). Here's how:
1. Create an organizational unit (OU) for your endpoint(s), add the endpoint computers to this OU, and then in Group Policy Management create a GPO and enable this setting.
2. When you have enabled the setting, choose a time period after which a disconnected session will be ended.
3. Apply the GPO to the Endpoint OU that you just created and reboot the endpoints (because computer policies are applied at startup).
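For a VM template that is not yet in the endpoint OU, or to confirm what policy actually applied inside a VM, the same limit can be written and read directly in the policy registry key that the "Set time limit for disconnected sessions" setting uses. The following PowerShell is an added example, not from the book; it assumes the value name MaxDisconnectionTime (stored in milliseconds) under the Terminal Services policies key. It also shows the RemoteApp allow-list registry key for the step above; the book does not name that value, so the names used here (fDisabledAllowList and the per-application Path value under TSAppAllowList\Applications) are this example's assumptions to verify against your own copy. A GPO that applies to the VM will overwrite the policy value at the next refresh, which is the intended order of precedence.

```powershell
# Added example (not from the book): disconnected-session limit and RemoteApp
# allow list on a RemoteApp for Hyper-V endpoint. Run elevated inside the VM.
param([int]$DisconnectMinutes = 15)
$ErrorActionPreference = 'Stop'

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$allowKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList'

function Set-DisconnectedSessionLimit([int]$Minutes) {
    # 0 means "never"; refuse it here, because a session that never ends pins
    # the endpoint's single RDP slot to the last user who closed the app.
    if ($Minutes -le 0) { throw 'Minutes must be positive' }
    if (-not (Test-Path $policyKey)) { $null = New-Item -Path $policyKey -Force }
    Set-ItemProperty -Path $policyKey -Name MaxDisconnectionTime `
        -Value ($Minutes * 60000) -Type DWord
}

function Get-DisconnectedSessionLimit {
    $v = (Get-ItemProperty -Path $policyKey -Name MaxDisconnectionTime `
            -ErrorAction SilentlyContinue).MaxDisconnectionTime
    if ($v) { [int]($v / 60000) } else { 0 }   # 0 = not set (never)
}

function Add-RemoteAppAllowListEntry([string]$Name, [string]$ExePath) {
    # Assumed layout: one subkey per permitted program with its full path.
    # Listing programs individually keeps the allow list enforced, rather than
    # setting fDisabledAllowList = 1, which lets any program be started.
    if (-not (Test-Path $ExePath)) { throw "Not found: $ExePath" }
    $appKey = Join-Path $allowKey "Applications\$Name"
    if (-not (Test-Path $appKey)) { $null = New-Item -Path $appKey -Force }
    Set-ItemProperty -Path $appKey -Name Name -Value $Name
    Set-ItemProperty -Path $appKey -Name Path -Value $ExePath
    Set-ItemProperty -Path $allowKey -Name fDisabledAllowList -Value 0 -Type DWord
}

Set-DisconnectedSessionLimit -Minutes $DisconnectMinutes
"Disconnected sessions end after $(Get-DisconnectedSessionLimit) minute(s)"
# Example entry for the Internet Explorer 6 scenario described above.
Add-RemoteAppAllowListEntry -Name 'IE6' -ExePath "$env:ProgramFiles\Internet Explorer\iexplore.exe"
```

The allow-list function is the least-privilege version of the registry step in the previous section: it names the one program users may launch instead of opening the endpoint to every executable.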
Troubleshooting: Why Did a Pooled VM Connection Fail?
A user clicked an icon to connect to a pooled VM, and the connection didn’t
work. Why not? Here are two things that can go wrong during the connec-
tion, aside from the standard “you didn’t configure this properly” errors reported at
http://technet.microsoft.com/en-us/library/ee891400(WS.10).aspx.
Waking the VM . . .
This is about the elusive "Waking the VM…" message and eventual timeout. There
are a few reasons for this, all of which have to do with not having the VM config-
ured correctly. You will receive this error for the following reasons.
■ The VM has not been prepared properly. You will experience this situation
when any of the preparation was not done, including the exceptions in the
firewall, the registry entry adjustments, or the WMIC commands.
■ The VM was prepared properly, but the Rollback snapshot was taken
before the preparation was finished, and as a result, the VM can't accept
connections.
Event ID 1296:
Remote Desktop Connection Broker Client failed while getting redirection
packet from Connection Broker.
User : ASH/kristin
HRESULT = 0x80070490
followed by
Remedy this situation by re-running the Configure Virtual Desktops Wizard on the
RD Connection Broker server. You do not need to change any of the settings (unless
they are wrong, of course). Just re-run the wizard with the same settings as you had
before, and the RD Connection Broker will resume working properly.
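To tell the broker-side failure above from a client problem, look for the event rather than waiting for users to report it. The following PowerShell is an added example (not from the book): it pulls Event ID 1296 from the Session Broker Client operational log on the redirector and decodes the HRESULT into its Win32 error text, so 0x80070490 reads as "Element not found" (Win32 error 1168) rather than a number. The log name is assumed to be the Windows Server 2008 R2 channel name; check Event Viewer if your server lists it differently. The user and HRESULT fields are parsed out of the message text shown above.

```powershell
# Added example (not from the book): find and decode RD Connection Broker
# redirection failures (Event ID 1296) on the redirector.
$logName = 'Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational'  # assumed

function ConvertFrom-HResult([uint32]$HResult) {
    # FACILITY_WIN32 (7) HRESULTs carry a Win32 error code in the low 16 bits.
    $facility = [int][math]::Floor(($HResult -band 0x0FFF0000) / 65536)
    $code     = [int]($HResult -band 0xFFFF)
    if ($facility -eq 7) {
        $text = (New-Object System.ComponentModel.Win32Exception($code)).Message
    } else {
        $text = "facility $facility, code $code"
    }
    New-Object PSObject -Property @{
        HResult   = ('0x{0:X8}' -f $HResult)
        Win32Code = $code
        Message   = $text
    }
}

function Get-BrokerRedirectionFailures([int]$Hours = 24) {
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 1296; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ev   = $_
        $user = ''
        $err  = ''
        # Message text looks like "User : ASH/kristin" and "HRESULT = 0x80070490"
        if ($ev.Message -match 'User\s*:\s*(\S+)') { $user = $matches[1] }
        if ($ev.Message -match 'HRESULT\s*=\s*0x([0-9A-Fa-f]{8})') {
            $err = (ConvertFrom-HResult ([Convert]::ToUInt32($matches[1], 16))).Message
        }
        New-Object PSObject -Property @{ Time = $ev.TimeCreated; User = $user; Error = $err }
    }
}

# Decode the HRESULT quoted in the sidebar, then list recent failures.
ConvertFrom-HResult 0x80070490 | Format-List
Get-BrokerRedirectionFailures -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

If the listing shows the same "Element not found" result for every user over a short period, the broker has lost its redirection configuration and the fix is the one described above (re-run the Configure Virtual Desktops Wizard); a single user failing with a different error is more likely a VM or client issue.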
Summary
Adding VM support to RDS increases the number of scenarios that RDS can support. Although sessions still allow you to get more people per server, VMs have their own advantages. Personal desktops enable complete desktop replacement, moving the personal computers into the data center and providing more central management. Pooled VMs allow a set of people to share a more isolated environment than a session can provide. RemoteApp for Hyper-V allows you to serve applications from a client running Windows XP to a Windows 7 desktop, even if the client running Windows 7 can't run a local hypervisor.
After reading this chapter, you should know the following:
■ When to use VMs instead of sessions
■ When to use personal and pooled VMs
■ How to set up VM pools and personal desktops
■ How discovery, brokering, and orchestration work
■ How to use RemoteApp for Hyper-V to publish applications from a Windows XP VM
Additional Resources
The following resources contain additional information and tools related to this chapter:
■ The hotfixes to enable RemoteApp display on Windows XP SP3 are online at http://www.microsoft.com/downloads/details.aspx?FamilyID=2f376f53-83cf-4e5b-9515-2cb70662a81b&displaylang=en.
■ The hotfix to enable RemoteApp display on Windows Vista SP1 is available from http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=26a2de17-8355-4e8d-8f33-9211e48651fb.
■ Error messages relating to RD Connection Broker are documented at http://technet.microsoft.com/en-us/library/ee891400(WS.10).aspx.
■ For information on customizing the RDP settings used in personal and pooled VMs, see Chapter 6, "Customizing the User Experience."
■ For instructions on installing RD Web Access, and for configuring RD Web Access to provide access to RD Session Host desktops and RemoteApps, see Chapter 9, "Multi-Server Deployments."
■ For information on using RD Gateway to access pooled and personal VMs, as well as other RDS resources from outside your corporate network, see Chapter 10, "Making Remote Desktop Services Available from the Internet."
CHAPTER 5
Thus far in this book, you have learned how to set up a single Remote Desktop (RD) Session Host server or a simple Microsoft Virtual Desktop Infrastructure (VDI) deployment. Those deployments aren't yet production-ready, though. No applications are available, the connections aren't secured, you haven't yet defined the devices and experience to redirect, and the profiles and Folder Redirection aren't yet set up.
Properly configured profiles and Folder Redirection go a long way toward a good user experience for users working via remote connection to the data center. Because profiles weren't originally designed for remote work environments, this can sometimes be tricky. Remote Desktop Services (RDS) independent software vendor (ISV) partners have developed some products to help make a highly flexible system for complex environments. This chapter, however, shows you how best to configure profiles and Folder Redirection using the tools that come with Windows.
The basic elements of a user workspace are the configuration settings in the user's profile and the default locations to save data. After reading this chapter, you will understand the following:
■ How roaming, local, and mandatory profiles work
■ Why virtualization can complicate implementing profile strategies
■ Best practices for storing and managing profiles
■ How to use Folder Redirection to unify user default locations between local and remote applications
■ The benefits and drawbacks of using mandatory profiles to maintain a consistent look and feel
■ How to secure the desktop to prevent users from saving files to it and why this is important
■ How to support profiles across servers running both Windows Server 2008 R2 and Windows Server 2003, or Windows 7 and Windows XP virtual machines (VMs)
NOTE Super-mandatory profiles label the folder where they’re stored with the .man
suffix, like this: //servername/sharename/mandatoryprofile.man/. Super-mandatory user
profiles are similar to normal mandatory profiles except that users with super-mandatory
profiles cannot log on when the server that stores the mandatory profile is unavailable.
Users with normal mandatory profiles can log on with the locally cached copy of the
mandatory profile. Use super-mandatory profiles only when you want to have absolute
control of the user profile—so much so that you can’t take the chance that a cached copy
might be out of date.
While a user is logged in, the NTUSER.DAT file is loaded temporarily into HKEY_CURRENT_USER (HKCU) in the registry of the computer that user is logged on to; the documents are stored in the subfolders within the profile folder, as shown in Figure 5-1. You will find out in detail about the parts of a profile—both the registry and the data folders—later in this chapter. But first let’s examine the different types of profiles.
226 Chapter 5 Managing User Data in a Remote Desktop Services Deployment
FIGURE 5-1 The user profile contains personal settings and data such as folders and the user-specific registry settings. (Figure labels: Profile Folders with Data; NTUSER.dat Loaded in HKCU.)
Types of Profiles
As alluded to in the previous section, there are three types of profiles: local, roaming, and mandatory. Local profiles are stored on and used from a single computer and store data in NTUSER.DAT. Roaming profiles are stored on and used from a network share, so they’re available to any computer that can access that particular network share. They also store data in NTUSER.DAT. Mandatory profiles are often centrally located like roaming profiles, but whereas local profiles and roaming profiles are read-write, mandatory profiles are read-only. They store their settings in NTUSER.MAN.
Local profiles are usually fast to load because they are stored on the computer the user is using. When a user logs on, the local profile will load from its local location on the hard drive and populate HKCU. When the user logs off, the contents of HKCU (including any changes that the user made) will be written back to the local hard disk and overwrite the previous version of the file.
NOTE Local profiles aren’t a good fit for most remoting scenarios because they’re stored
on a single computer. Personal desktops and single RD Session Host server deployments are
possible exceptions to this, but pooled VMs and RD Session Host sessions in a farm larger
than one server will quickly find that local profiles lead to an inconsistent user experience.
This is because the user would have a unique local profile on each machine she logs onto.
Roaming profiles afford the most flexibility in a remoting environment because they’re stored in a central location accessible to all VMs and RD Session Host servers. They’re also read-write, so users can adjust their settings. When a user logs onto a session or VM (or a computer, for that matter), the roaming profile will load from its network location and populate HKCU in the registry. When the user logs off, the contents of HKCU (including any changes that the user made) will be written back to the network location and overwrite the previous version of the file.
Mandatory profiles are loaded to HKCU when a user logs on, just like a roaming profile, but they aren’t written back to their storage location at logoff—all changes to the profile are just discarded.
User Profile and the Registry
The registry is organized into sections called keys, which align with a particular configuration option. For example, computer-wide settings are stored in HKEY_LOCAL_MACHINE (HKLM), whereas user-specific settings are stored in HKEY_CURRENT_USER (HKCU). As with all versions of Microsoft Windows NT since it was first released, Windows Server 2008 R2 and Windows 7 maintain user-specific settings in HKCU for each user logged on to the computer.
You can see how HKCU works and reflects changes to the user environment by following the process outlined in the following How It Works sidebar, “Observe How Changes to the Environment Are Reflected in the Registry.”
HOW IT WORKS
One easy way to watch how HKCU changes as you customize your environment is to make a change and watch the contents of the registry, as follows.
1. Run Regedit.exe and confirm that you want to run it when prompted.
3. Right-click the Desktop and choose Personalize from the context menu to open
the Personalization window.
4. Click Window Color And Appearance. In the Appearance Settings dialog box,
click Advanced to open the aptly named Advanced Appearance dialog box. From
here, select Window from the Item drop-down list. Change Color 1 to light gray
and click OK.
5. Click OK in the Appearance Settings dialog box. The screen will adjust for a mo-
ment, and then the background color of windows will turn light gray.
In Windows Server 2008 R2 and Windows 7, HKCU contains the subkeys described in Table 5-1. Even if you’re logging on to a Windows Server 2008 R2 RD Session Host server from an earlier operating system such as Windows XP, the profile in the RD Session Host session corresponds to the server platform. These are still the registry keys that apply to the session, not the client computer operating system. There might be additional subkeys in this section; it depends on which applications you have installed. For example, if you install Microsoft Outlook, you’ll see an Identities key.
TABLE 5-1 Subkeys of HKCU in Windows 7 and Windows Server 2008 R2
Data is stored in HKCU only for the duration of the session, while data stored in HKLM persists until the reboot. Most pieces of the registry are saved in files called hives and are loaded as necessary. When a hive file is opened, it’s reloaded into the registry. Therefore, HKCU is stored as a hive in a file called NTUSER.DAT that is loaded at user logon. Each user logged on to an RD Session Host server sees his or her own version of HKCU.
How does this data get loaded? When you log on to a computer, the User Profile Service loads the hive file from the location specified in your user account properties and populates HKCU for that session. When you log off the computer, the hive file is written back to its storage location as NTUSER.DAT. If you happen to be logged on to more than one computer at a time, two copies of your profile will be open, populating the contents of HKCU on each computer.
NOTE Profiles can be cached on the server to speed up logons if you set the correspond-
ing Group Policy. However, even if you enable caching, when a user logs off the RD Session
Host server, the corresponding branch of HKCU is cleared. You’ll find out more about cach-
ing user profiles in the section entitled “Caching Roaming Profiles” later in this chapter.
FIGURE 5-2 Loading a profile into a remote desktop session updates the Profile List key for the entire RD Session Host server.
When you log off an RD Session Host server, the two keys with your SID are locked. They don’t actually go away, but if you attempt to open the key associated with a user who is currently logged off, you’ll get an error message telling you that the system cannot find the file specified. Log on again, and the key with the same SID will be repopulated.
Although loading a profile adds two keys to the registry that never go away, most of the time it doesn’t matter. As discussed in the section entitled “The Consequences of Deleting a Profile Folder from Windows Explorer” later in this chapter, it does matter should you choose to delete a profile. Deleting the file doesn’t delete the registry keys associated with it. Therefore, always use the correct tools to delete profiles; otherwise those users won’t be able to load their profiles properly when they log on again.
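As an added check (an example script written for this chapter, not code from the book or from Windows), the following PowerShell lists every entry under the standard ProfileList key on the local server, shows whether the matching HKEY_USERS\&lt;SID&gt; hive is loaded right now (the user is logged on), and whether the profile folder still exists; an entry whose folder is gone but whose key remains is exactly the orphan left behind when a profile is deleted with Windows Explorer. The function name and the output column names are mine.

```powershell
# Added example (not from the book): audit ProfileList entries on an RD Session Host.
# Assumes it is run elevated on the server itself. The key path below is the standard
# location Windows uses for the profile list; nothing else is assumed.
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileRegistryState {
    # HKEY_USERS has no PowerShell drive by default; map one so Test-Path can look at HKU\<SID>.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        $null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -Scope Global
    }

    foreach ($key in Get-ChildItem -Path $ProfileListKey) {
        $sid  = $key.PSChildName
        $path = (Get-ItemProperty -Path $key.PSPath -Name ProfileImagePath `
                    -ErrorAction SilentlyContinue).ProfileImagePath

        [pscustomobject]@{
            SID              = $sid
            ProfileImagePath = $path
            # True only while that user is logged on: NTUSER.DAT is then loaded under HKU\<SID>.
            HiveLoaded       = Test-Path -Path "HKU:\$sid"
            # False while the key survives means the folder was removed without the proper tools,
            # which is the state that breaks the user's next logon.
            FolderExists     = [bool]$path -and (Test-Path -LiteralPath $path)
        }
    }
}

# Logged-on users first, then intact cached profiles, then the stale entries to clean up.
Get-ProfileRegistryState |
    Sort-Object -Property HiveLoaded, FolderExists -Descending |
    Format-Table -AutoSize
```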
CAUTION One implication of the way profiles work is that you shouldn’t use the
same profile for local sessions and remote sessions. If you do, then by definition, ev-
ery time you log on to your computer and then log on to an RD Session Host server,
you will be opening two copies of your profile. You will almost certainly lose profile
data this way.
You might be wondering whether opening two RemoteApp programs from a single RD Session Host server opens one or two copies of your profile. The answer depends on the version of Windows Server hosting the session, and how you’re starting the applications. On a terminal server running Windows Server 2003, you could create a Remote Desktop Protocol (RDP) session that would open a single application instead of displaying the entire desktop. (As noted in Chapter 1, “Introducing Remote Desktop Services,” not many people did this because the experience wasn’t very user-friendly, but it was possible.) If you presented individual applications this way, then each time a user opened an application on the same server, he would open a separate session and therefore a separate copy of the profile.
Windows Server 2008 improved on this design in two ways. First, it introduced RemoteApp programs. All RemoteApp programs started from the same server by the same user account run in the same session, so they open only a single copy of your profile. Second, when deciding where to route incoming connections to an RD Session Host server farm, the RD Connection Broker will check to see if a user already has an open session on an RD Session Host server in the farm. If so, then the user will be routed to the same session to start the application. So, what is the result? You have preference to the server where you already have an open connection, and, so long as you’re connecting to only a single server, only one copy of the profile will be open because all RemoteApp programs will run in the same session.
TABLE 5-2
FOLDER      DESCRIPTION
AppData     Default root location for user application data and binaries
Contacts    Used to store contact information and is also the address book for Windows Mail, the successor to Microsoft Outlook Express (Windows Mail is not included in Windows 7 or Windows Server 2008 R2)
Desktop     All items stored on the desktop, including files and shortcuts
Documents   Default root location for all user-created files (spreadsheets, text documents, and so on)
Downloads   Default location for all files downloaded using Windows Internet Explorer
Favorites   Bookmarked Uniform Resource Locators (URLs) in Internet Explorer
Links       File and folder shortcuts; these show up under the Favorites menu on the left side of an Explorer window
Music       Default root location for all music files
Beginning in Windows Vista and Windows Server 2008, the profile structure changed from Windows XP and Windows Server 2003. (Windows 7 and Windows 2008 R2 retain this new profile structure.) The new structure uses more folders to organize the data.
Notice that Windows XP and Windows 2003 were not mentioned in Table 5-2. This is because profiles have evolved over time and the structure of profiles has changed. Windows XP and Windows Server 2003 profiles are called version 1 (V1) profiles; profiles using the structure of Windows Vista and Windows Server 2008 and later are called version 2 (V2) profiles. A V2 user profile folder is distinguished from its predecessors by an added .V2 extension.
Version 2 profiles generally use more folders than those of Windows XP, but V1 top-level folders such as NetHood and PrintHood were moved inside the AppData folder beginning in Windows Vista. Table 5-3 (adapted from the Microsoft document “Managing Roaming User Data Deployment Guide” located at http://technet.microsoft.com/en-us/library/cc766489(WS.10).aspx) shows the differences in the default root profile folder structure between V1 and V2 profiles.
V2 PROFILE FOLDERS (WINDOWS VISTA AND LATER)    V1 PROFILE FOLDERS (WINDOWS XP AND WINDOWS SERVER 2003)
As you might have noticed in Table 5-3, the Local Settings folder from V1 profiles does not exist in V2 profiles, and many V1 profile folders are now consolidated under the AppData folder in V2 profiles. Why does this reorganization of data matter?
One big accomplishment of the V2 profile reorganization is that machine-specific data is now separated from user-specific data. V1 profiles kept machine-specific and user-specific data scattered through the profile. V2 profiles sort this data and do a better job of separating user-specific data from data that is either too large to roam with the user or is specific to a particular machine and therefore should not roam.
In V2 profiles, the AppData folder now has three subfolders that separate this kind of data:
■ AppData\Roaming Data that is user-specific and should roam with the user profile
■ AppData\Local Data that is either machine-specific or too large to roam with a user’s profile folder, for example, an Outlook OST file
■ AppData\LocalLow Data for “low-integrity” apps (such as browser-based apps) to store data
Table 5-4 (which was adapted from the Microsoft “Managing Roaming User Data Deployment Guide”) shows where certain V1 profile data is stored in the V2 profile structure.
V2 PROFILE DATA LOCATIONS V1 PROFILE DATA LOCATIONS
Because V1 profiles and V2 profiles are so different, you can’t use the same profiles for Windows Server 2008 R2 RD Session Host servers that you did for terminal servers running Windows Server 2003 or Windows XP VMs. The structures of the profiles don’t match.
You’ll learn later in this chapter how to allow Windows Server 2003 and Windows Server 2008 profiles to coexist. (See the section entitled “Sharing Folders Between Windows Server 2003 and Windows Server 2008 Roaming Profiles” later in this chapter.) This is important both for supporting mixed deployments of terminal servers running Windows Server 2003 and Windows Server 2008 R2 RD Session Hosts, and for supporting Windows 7 VM pools and Windows XP VM pools. (The changes to the profile structure between the operating systems are one reason why you should not combine Windows 7 and Windows XP VMs in the same pool.)
Second, if you’re using mandatory profiles and you don’t redirect folders outside the profile folder, users will not be able to save files to the standard personal folders such as Documents. The files will look like they’re saving, but they won’t be retained. This will cause users a great deal of grief and bring you many unsolvable calls to the Help desk.
NOTE The Recycle Bin is a hidden file in the root of the profile folder. You can’t redi-
rect it, and even if you’re using mandatory profiles, you will still be able to send files to
the Recycle Bin.
The third reason applies to VMs, whether pooled or personal. In the case of a personal desktop, saving files locally preserves them, but it complicates file restore because the files are stored in the VM. To restore the files saved on the local VM, you’d need to restore the VM from backup. Saving the files separately makes it easier to restore them, and the easiest way to do that is to enable Folder Redirection. In the case of pooled VMs, Folder Redirection is essential. As with mandatory profiles, saving files to local folders on a pooled VM can lead to lost data. As discussed in Chapter 4, “Deploying a Single Remote Desktop Virtualization Host Server,” the most common configuration for pooled VMs is to roll back changes at user logout so the VM remains pristine. That rollback means that any documents saved to the VM would be lost. (Some ISV solutions actually delete the VM on each use and re-create it, which has the same effect.)
For these reasons, it’s good practice to use Folder Redirection with RDS, whether connecting to VMs or sessions. You’ll learn how to do this in the section entitled “Centralizing Personal Data with Folder Redirection” later in this chapter. For now, just know that redirecting profile folders means just that: storing profile subfolders and the data within them, outside the main root profile folder.
Figure 5-3 shows the intricate matrix of user profiles and redirected folders for users who access multiple desktop and RDS environments.
FIGURE 5-3 Providing a consistent environment for RDS environments becomes more complicated with virtualization. (Figure labels: Personal VMs; Windows 7 Virtual Desktop Pools; Windows XP Virtual Desktop Pools; Desktops; File Server; Personal VM Roaming Profiles; Redirected Folders.)
So what does it mean to have all these virtualization environments available?
Using more than one or two types of virtualization can lead to profile proliferation. It’s relatively simple if you use one type of virtualization. For example, if you normally work from a desktop running Windows 7 and use RemoteApp for Hyper-V to run a couple of Windows XP applications as RemoteApp programs, then you will have two profiles—one for the RemoteApp session and one for local use. Add a session to that and you could potentially have three profiles to manage. Similarly, the more server farms that a person will need to access to run RemoteApp programs, the more likely that she will have multiple copies of her profile open at once. This is a good argument against farm proliferation.
Operating systems that use V1 profiles can technically use the same V1 profile (and the same goes for operating systems that use V2 profiles). Whether this is a good idea depends on whether the settings in the profiles are appropriate to both local and remote sessions. Also, keep in mind that if you have a copy of your profile open in two sessions, then you might lose changes if you edit both copies.
Storing Profiles
By default, when you log on to a computer running Windows 7 for the first time (unless you’ve set up roaming profiles), you’ll create a new profile in its local profile directory (%SystemRoot%\Users). This profile directory will have your name as a logon alias; it will contain your folders and NTUSER.DAT (which is a hidden file, so you won’t see it unless you’ve enabled viewing hidden files). If left alone, thereafter you’ll store everything in that location. Documents will default to Documents, images will default to Pictures, and where music is stored by default is left as an exercise for the reader. All will be well so long as that’s the only computer you use. If it’s not the only computer you use, however, life gets somewhat more complicated.
Thus far, you have learned how to set up only a single RD Session Host server. However, to provide redundancy and better scale, you’ll need to have multiple RD Session Host servers organized into a farm. When a user logs on to an RD Session Host server farm, the connection is passed from an RD Session Host server to the RD Connection Broker. If the user trying to connect has no current sessions, the RD Connection Broker picks the RD Session Host server with the lowest number of active sessions and sends the user there, as shown in Figure 5-4. Each time a user connects, the RD Connection Broker decides anew which server the user should connect to, based on the number of connections that each server is actively supporting and whether the user already has a session open somewhere. The user connects to the server with the fewest active connections or the one where the user already has an open session. It is likely (and highly recommended) that users will log off when not using their RD Session Host server session, so if you use local profiles for RD Session Host server sessions, then over time, a user will have a local profile on all the servers in the farm.
FIGURE 5-4 If you use local profiles with RD Session Host or pooled VMs, a user could eventually have local profiles on every server in the farm or every VM. (Figure labels: RD Session Host Farm; RD Connection Broker; RD Session Host Server 1; RD Session Host Server 2; User logs on Monday; User logs on Tuesday; User Local Profile created Monday; User Local Profile created Tuesday; User Local Profile created Wednesday.)
This might not sound so bad. The user’s logons will occur quickly because the profile isn’t loaded from the network but rather from the local computer. But when the user makes a change here and there, over time, her desktop will look completely different depending on which RD Session Host server (or pooled VM) she logs on to. (If user data is part of the profile—if you haven’t redirected profile folders—the user will be even more confused because the data that she saved in one local My Documents folder won’t be in another one.) If she makes a bad change, that change could well lead to a Help desk call that can be tricky to figure out until you determine to which RD Session Host server she is connected. This is especially true because the problem might vanish if the user logs off and then logs back on and the RD Connection Broker sends her to a different RD Session Host server.
To avoid this scenario, all the RD Session Host servers should use the same copy of the profile, which means that you need to use roaming (or mandatory) profiles stored on a network share. When a user logs on, the User Profile Service looks at the user account properties to see where the profile reserved for RD Session Host server sessions is kept and loads it from there.
When a user logs off, the profile is either deleted from the RD Session Host server or retained in the local cache, depending on the Group Policy settings applied to the RD Session Host servers. For faster logons, cache the profile. Just ensure that there’s enough space on the hard disk holding the cache to support everyone who might need to cache their profile there.
FIGURE Last Write Wins! (Figure labels: File Server; Adam Barr Roaming Profile; Documents: Document X, Document Y; ..\Appdata\Application X; ..\Appdata\Application Y; NTUser.dat; Adam logs off RDS Farm1 first: the whole NTUSER.DAT file gets overwritten; Adam logs off RDS Farm1 second: the whole NTUSER.DAT file gets overwritten again = Last Write Wins!)
■ Local profiles generally aren’t suited to deployments of more than one RD Session Host server because the user experience will be different on every RD Session Host server.
■ Large roaming profiles can increase logon and logoff times. The User Profile Service must copy the files to the endpoint and then copy them back to the profile when the user logs off.
■ Storing files on a personal VM can complicate backups and restoring data.
■ Rollback reverts all changes to a pooled VM to the state when you took the snapshot.
■ Profile settings are stored as a flat file written back to the profile storage location at logoff.
The following sections explain how these facts affect your design.
CAUTION If you use mandatory profiles or pooled VMs with rollback enabled, you
must configure Folder Redirection to allow users to save files to their personal fold-
ers that are part of their profiles.
The core choice between mandatory and roaming profiles is the tradeoff of flexibility versus control. Mandatory profiles eliminate the chance of a user making a bad change that can’t be fixed by logging off and logging back on again. Mandatory profiles also speed logoff times because they don’t need to be written back to the share.
However, mandatory profiles don’t allow users the degree of personalization that many people have come to expect from Windows. In addition, mandatory profiles don’t allow other applications to save data to the profile either. This means that some security applications that require giving users a private key [such as the encrypted file system (EFS)] don’t work with mandatory profiles. The choice will depend on your corporate culture, your need to use applications that require private keys, and the ability of the IT department to control the desktop.
ON THE COMPANION MEDIA One solution to the choice between roaming pro-
files and mandatory profiles is not to choose. Use mandatory profiles and combine
them with a mechanism that allows users to save selected settings and have them
applied at logon. Windows Server 2008 does not include this functionality, but
several RDS ISVs or consulting partners do. You can find an example of this function-
ality—a tool named Flex Profiles—from the following link on the companion media:
http://www.immidio.com/flexprofiles.
■ You might need V1 profiles to access terminal servers running versions of Windows earlier than Windows Server 2008, and V2 profiles to access RD Session Host servers.
■ Implement roaming profiles for use with VM pools to keep the user experience consistent and avoid losing profile changes to rollback.
■ Personal VMs can use a local profile for faster logons.
■ To avoid the Last Write Wins problem, avoid users opening the same profile on multiple machines at the same time.
NOTE For instructions on how to create a read-only desktop, read the section entitled “Creating a Safe Read-Only Desktop” later in this chapter.
If you keep the Desktop folder in the profile folder and use mandatory profiles, then people can save files to the desktop as long as they are logged on. When the user logs off, however, no changes are saved, including saved files on the desktop. The same thing will happen to users of VM pools with rollback enabled; anything saved by the user to the VM during each session will be discarded once the VM snapshot is invoked.
In both cases, redirect the desktop to a folder so users can save data there without it being discarded at logoff.
NOTE For instructions on implementing Folder Redirection, see the section “Centralizing
Personal Data with Folder Redirection” later in this chapter.
Upload Profile Registry Settings in the Background
NTUSER.DAT is updated only when a user logs off. A user who does not log off isn’t saving changes. This can lead to data loss. A new policy in Windows Server 2008 R2 enables this file to be uploaded while the user is logged on, as follows:
Computer Configuration\Administrative Templates\System\User Profiles\Background upload of a roaming user profile’s registry file while user is logged on
Configure the setting to upload NTUSER.DAT on a set schedule (at a certain time of day) or at a set interval, designated in hours.
NOTE This setting does not upload any other profile data, just the contents of HKCU.
Speed Up Logons
People are sensitive to the amount of time it takes to log on to a session. If it takes too long, you’ll have problems with people leaving their sessions open rather than logging off. This is a security risk, has the potential to lock files that more than one person might need to edit, and keeps processes open on the RD Session Host server. You can disconnect and terminate sessions forcibly using Group Policy, but this has other drawbacks.
To encourage people to log off, make the logon process as painless as possible. You’ve already learned about using Folder Redirection to minimize the size of a profile. To speed things up, you can also employ Group Policies to do the following:
■ Cache roaming profiles
■ Limit the amount of time an RD Session Host server or VM will try to load the user profile before using a temporary profile
■ Set an upper limit on the size of a user profile
■ Process group policies asynchronously
Speeding up logons is important, but when it’s Friday afternoon and you want to get out of the office, logoffs are just as important. There are two ways in which Windows Server 2008 and later help logoffs take less time.
You can limit the size of a profile using Group Policy (and help this limit by redirecting the folders out of the profile). This policy, Limit Profile Size, is set per user and is located in User Configuration\Policies\Administrative Templates\System\User Profiles.
Prior to Windows Server 2008, there was a nasty catch when it came to profile
quotas: Windows was serious about enforcing this limit. If you made your roaming
profile larger than Group Policy allowed, Windows would prevent you from logging
off until you made the profile smaller. In Windows Vista and later, you can log
off, but if the profile is larger than the size permitted by Group Policy, the profile
changes won’t get written back to the roaming profile storage area.
Before Windows Server 2008, another issue that could delay logoffs (or prevent you
from unloading your roaming profile altogether) was applications or drivers that
left handles to the registry open (in other words, they started to use it but never
broke the connection). Microsoft had a separate tool called the User Profile Hive
Cleanup Service (in an application called UPHClean) that checked for these open
handles and closed them so users could log off. In Windows Server 2008 and later,
UPHClean functionality is handled by the User Profile Service.
CAUTION Don’t delete user profiles from the RD Session Host server using
Windows Explorer or the delete command-line tools, because this does not clean
up the registry entries associated with the profile and can affect the user’s ability to
log on again. Configure the RD Session Host servers with Group Policy to delete any
profiles unused for a given period.
you apply Group Policy asynchronously (the default action for a desktop), the user can log on while Group Policy is being applied. Asynchronous processing can lead to changes in the user environment after users have logged on but will speed up logon times if Group Policy processing is slowing things down. For a review of the connection process, see Chapter 3, “Deploying a Single Remote Desktop Session Host Server.”
Allow asynchronous Group Policy processing by enabling the following Group Policy setting:
This policy works only when logging on to an RDS session host. It’s not needed when logging on to desktop pools, because a desktop operating system already processes Group Policy asynchronously by default.
TABLE 5-5 Recommended Share and NTFS Permissions for an RDS Roaming Profiles Storage Folder
The best case is to add the domain name to the profile path; this disambiguates
the path when there are two (or more) users with the same name living in different
domains. For example, in a large corporate network, you might have Domain1\
Myname (that’s me) and Domain2\Myname (some other user). When Domain1\
Myname logs on to a legacy terminal server the profile created for him will be
…\Myname. If Domain2\Myname later wants to store his profile on the same server,
he will have a problem. That’s why you add .domain to the profile path, so that users
with the same name but from different domains would have different profiles. So
ideally, you always want to add .domain to the profile path.
But then, what do you do with profiles that were created before you made this
change and don’t have .domain in the name? Leave them as is. But in this case, how
do you know which user this particular profile belongs to? You use permissions to
determine that. When the User Profile Service creates a new profile, it gives full
control to the user whom this profile is created for. So, if Domain1\Myname has
explicit full control permission to the …\Myname folder, then this profile belongs
to me and not to Domain2\Myname. That’s why you have this logic when creating
profile names.
1. Attempt to locate the …\username.domain path. If it exists and the user has
explicit permissions to it, then use it.
2. If the user does not have explicit Full Control access to …\username.domain or
this folder does not exist, then try to access …\username.
3. If …\username exists and the user has explicit permissions to it, then use it.
4. If the user does not have explicit Full Control access to …\username or the folder
does not exist, then use …\username.domain.
As you can see, by default you always create the folder with …\username.domain.
Only when the …\username folder exists and the user has explicit Full Control access
to it do you use it. Again, it’s always best to include the domain name in the
profile path so that two people with the same user name with accounts in different
domains can store their profiles in the same central share.
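As an added example that is not from the book, the following PowerShell function implements the four-step folder selection above against a profile share, treating only an explicit (non-inherited) Full Control ACE for the user as proof of ownership. The share path, account names, and the handling of the .V2 suffix used by Windows Vista/Server 2008 and later profiles are assumptions.

```powershell
# Added example (not the book's code): model of the four-step profile folder
# selection. Assumes a share such as \\fileserver\Profiles (hypothetical) and
# a DOMAIN\username identity; the .V2 suffix applies to Vista/2008+ profiles.
function Test-ExplicitFullControl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity   # e.g. 'Domain1\Myname'
    )
    # An ACE counts only if it is explicit (not inherited), an Allow, and grants Full Control.
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl  = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ine $Identity) { continue }
        if (($ace.FileSystemRights -band $full) -eq $full) { return $true }
    }
    return $false
}

function Resolve-RdsProfileFolder {
    param(
        [Parameter(Mandatory)] [string] $ProfileShare,   # e.g. '\\fileserver\Profiles' (hypothetical)
        [Parameter(Mandatory)] [string] $UserName,       # e.g. 'Myname'
        [Parameter(Mandatory)] [string] $Domain,         # e.g. 'Domain1'
        [string] $Suffix = '.V2'                         # use '' for legacy V1 profiles
    )
    $identity   = "${Domain}\${UserName}"
    $withDomain = Join-Path $ProfileShare "${UserName}.${Domain}${Suffix}"
    $legacy     = Join-Path $ProfileShare "${UserName}${Suffix}"

    # Steps 1-2: prefer username.domain when it exists and this user has explicit Full Control.
    if ((Test-Path -LiteralPath $withDomain) -and (Test-ExplicitFullControl $withDomain $identity)) {
        return [pscustomobject]@{ Path = $withDomain; Reason = 'username.domain exists with explicit Full Control' }
    }
    # Step 3: fall back to the legacy username folder only when this user provably owns it,
    # so Domain2\Myname never picks up Domain1\Myname's folder.
    if ((Test-Path -LiteralPath $legacy) -and (Test-ExplicitFullControl $legacy $identity)) {
        return [pscustomobject]@{ Path = $legacy; Reason = 'legacy username folder with explicit Full Control' }
    }
    # Step 4: otherwise use (and, at first logon, create) username.domain.
    return [pscustomobject]@{ Path = $withDomain; Reason = 'default: username.domain' }
}

# Example call with a hypothetical share and account:
# Resolve-RdsProfileFolder -ProfileShare '\\fileserver\Profiles' -UserName 'Myname' -Domain 'Domain1'
```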
When you’ve set up the profile location, configure the user account to use roaming profiles. This process varies slightly for profiles used with RD Session Host servers and for profiles used with pooled and personal VMs. You will see these differences as you step through this process. It’s easiest if you configure this via Group Policy, but you will also see how to do it on a per-user basis.
FIGURE 5-6 Enter the Remote Desktop Services profile path.
NOTE Windows Server 2008 and later and Windows Vista profiles have a .V2 extension.
Older operating systems use V1 profiles, which have no extension associated with the
profile folder name.
Virtual Machines
Pooled and personal VMs do not use Remote Desktop Services profiles. A pooled or personal VM is really a virtualized client desktop and acts accordingly—that is, it uses regular profiles. For these VM scenarios, enter the profile share’s UNC path on the Profiles tab of the user account Properties dialog box, shown in Figure 5-7.
FIGURE 5-7 Specify the profile used for pooled and personal VMs on the Profile tab, not the Remote Desktop Services Profile tab.
When the user is configured to use roaming profiles, it’s time to create the profile. This happens when the user first logs on to the RD Session Host server (or the pooled/personal VM). When the user first logs on, the following happens:
1. The User Profile Service creates a profile folder for the user in the specified path.
2. The User Profile Service copies the default profile on the RD Session Host server or VM to give the user a profile.
3. When the user logs off, the User Profile Service copies the profile to its storage location in the specified network share. The user will be the owner of the folder and therefore will be the only one to have access to the folder and its contents.
Although a user profile folder is for the user, if Administrators also have permissions they can delete a corrupted profile or perform other maintenance easily. To permit this, give the Domain Admins group Full Control NTFS rights to the parent folder, and pre-create roaming profile folders for each user in the roaming profiles share. Make sure that the user has full control of his profile folder, subfolders, and files and that the user is also the owner of the folder. The simplest way to do this is to use Group Policy; if you keep your RD Session Host servers or pooled VMs in their own organizational unit (OU), you can also create a computer Group Policy object (GPO) with Loopback Processing enabled and give administrators access to profile contents by enabling the following GPO setting:
Computer Configuration\Policies\Administrative Templates\System\User Profiles\Add The Administrators Security Group To The Roaming User Profile Share
For more information on Loopback Processing and using Group Policy to create and manage RDS roaming profiles, see the section entitled “Using Group Policy to Manage Roaming Profiles” later in this chapter.
To use roaming profiles, you need a file server to store them on. In a smaller
deployment, you can have administrative rights to the file server as well as the
terminal servers, but enterprise deployments often segregate ownership. If you
aren’t an administrator of the file server, you can’t manage the folders directly—
you’ll need to ask the file server administrator. Even the Group Policy setting Add
The Administrators Security Group To Roaming User Profiles will not help if the RDS
administrator is not a member of the Administrators group on the file server. You
could lobby to become a member of the Administrators group on the file server,
but this is counter to Least Privilege Access principles.
You can resolve this situation with a logoff script. Use Icacls.exe to add RDS
administrators to the user profile’s permissions during logoff, from the user’s security
context. This works because the user has full access permissions to her profile, so
she can add the necessary permissions for RDS Administrators. For example, the Logoff
script might look like this.
Add this script to each user through Group Policy: User Configuration\Windows
Settings\Scripts\Logoff Script. Now you can manage that profile folder.
There are two reasons to do this at logoff, not logon. First, if the user is logging
on for the first time, the profile folder might not yet exist, so the settings wouldn’t
apply until the second time. If the user never logged in again, you couldn’t delete
her profile without the help of the file server administrators. Second, if the profile
is large, it takes some time for Icacls.exe to go through the whole tree. Users do not
like long logon times, so why make them wait to start working? Let the script
process permissions when they’re done working and are less concerned about time.
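As an added example that is not the sidebar’s own script, here is one way to write such a logoff script in PowerShell: it runs in the user’s security context and uses Icacls.exe to grant an RDS administrators group Full Control over the user’s roaming profile folder, skipping the slow recursive pass once the ACE is already in place. The share path, group name, and username.domain.V2 folder naming are assumptions.

```powershell
# Added example (not the book's script): logoff script that grants an RDS
# administrators group rights on the user's own roaming profile folder with
# Icacls.exe. Share path, group name, and folder naming are hypothetical.
param(
    [string] $ProfileShare = '\\fileserver\Profiles',   # hypothetical profile share
    [string] $AdminGroup   = 'CONTOSO\RDS Admins',      # hypothetical RDS admin group
    [string] $Suffix       = '.V2'                      # Vista/2008+ profile suffix
)

# Roaming profile folder in the username.domain.V2 form; the user owns it and
# holds Full Control, so the user can change its ACL without file-server admin rights.
$profileFolder = Join-Path $ProfileShare "${env:USERNAME}.${env:USERDOMAIN}${Suffix}"
if (-not (Test-Path -LiteralPath $profileFolder)) {
    # First logoff before the User Profile Service has created the folder: nothing to do yet.
    exit 0
}

# Skip the recursive pass when the group already has an explicit ACE on the
# folder root; (OI)(CI) inheritance covers files written back later.
$alreadyGranted = (Get-Acl -LiteralPath $profileFolder).Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -ieq $AdminGroup }
if ($alreadyGranted) { exit 0 }

# (OI)(CI)F = Full Control, inherited by subfolders and files; /T walks the
# existing tree, /C continues past per-file errors, /Q suppresses success output.
$grant = '{0}:(OI)(CI)F' -f $AdminGroup
& icacls.exe $profileFolder /grant $grant /T /C /Q
exit $LASTEXITCODE
```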
Converting an Existing Local Profile to a Roaming Profile
Sometimes you will want to convert existing local profiles to roaming profiles. This can apply if you are converting a traditional desktop deployment to an all-RDS deployment, and you are willing to risk that the local profile settings are appropriate for the remote work environment.
NOTE It’s often unwise to convert a local profile that a user has been using on a personal
desktop to a Remote Desktop Services roaming profile. The user might have administrative
access to her personal computer and could have installed numerous applications and made
many customizations that don’t apply to the shared (and more locked-down) world of RD
Session Host servers.
The Copy To button is now disabled, because even though this button was used to
overwrite a profile with another profile, it was unsupported to use it to edit the
default profile. It was unsupported because the source profile was just copied
wholesale into the default profile—the Copy To button performed a complete copy of
everything in the source profile over the default profile. This could lead to errors in the
registry because references to the source user would persist on any new user created
from the new default profile. Because it was an unsupported method, its behavior was
updated; the default profile is now the only one that is copyable using this button.
The removal of this functionality doesn’t prevent you from converting local profiles to roaming profiles or even overwriting one user’s profile with another’s. Removing the functionality prevents you from overwriting the default user profile with another user profile. People often overwrote the default user profile with a customized one from another user to deploy customized profiles to new users. As described in the Direct from the Source sidebar entitled “Why the Copy To Button Is Disabled,” doing this was unsupported (although popular) as far back as Windows XP, because although this “worked” for many people, it actually was not a clean process. It could lead to problems if that profile had been used at all, and it would also “tattoo” the profile with inappropriate settings and naming, such as the following:
■ A list of that user’s frequently run programs
■ The user’s documents folders will be incorrectly called Administrator’s Documents
■ The user might have access to Administrative Tools (this is incorrect for regular users)
■ Windows 7 libraries will be broken
3. Save this Unattend.xml file to C:\Windows\System32\Sysprep.
4. After you have the Unattend.xml file in place, open a command prompt and type the following command:
After you run this command, the server will reboot. When it comes back up, the default profile will be overwritten with the one that was logged in when you ran Sysprep. Now you can highlight the default profile and use the Copy To button to copy the profile to a network share to be used for roaming profiles.
Creating a network default profile can work well to deploy customized profiles in
a low-complexity environment. But it’s not always the best solution.
First, there is no way to distinguish when a network default profile should be used
to create a new roaming user profile. As discussed earlier in this chapter, in complex
remoting scenarios, it’s possible for people to have more than one remoting profile,
and if you point them to the same starting point, they will start with the same
profile in all scenarios. For example, a new profile created when the user logs on to a
Windows 7 pooled VM would stem from the same network default user profile that
is used to create a new user roaming user profile for use in an RD session host server
environment. Depending on how you implement profiles, this might or might not
be acceptable.
In short, Windows doesn’t allow you to specify more than one default profile
location. So unless it’s okay to use the same default profile to build all roaming profiles,
we recommend applying customizations through Group Policy or scripting.
Assuming that you can use a network default profile for all your scenarios, on Windows 2008 (and Windows 7) you can copy a local default profile to the NETLOGON share on a domain controller, following these steps:
1. Log on to the server with an admin account.
2. From the Run box, browse to the domain controller: \\DOMAIN CONTROLLER\NETLOGON.
3. Create a folder in the NETLOGON share and name it Default User.v2.
4. From Server Manager, click Change System Properties, navigate to the Advanced tab, and then click the Settings button in the User Profiles section.
5. Select the Default Profile from the list of profiles stored on the server and click Copy To.
6. Browse to or type the network path \\DOMAIN CONTROLLER\NETLOGON\Default User.v2.
BEST PRACTICE Ensure that the profile doesn’t contain any unnecessary data. A large
default network profile will slow down the initial profile creation process because new
profiles have to pull this large amount of data across the network.
to the session. Because settings are applied to users at logon, they don’t have to be saved as part of a user’s account properties. Because they’re applied second, settings applied to a user will control when there’s a conflict.
Because of the order in which user and computer Group Policy is applied, when managing RD Session Host server settings, you’ll almost always use an additional GPO to enforce loopback policy processing. In short, loopback policy reapplies the user-specific settings that are placed on the OU where Loopback Processing is enabled after the normal user GPOs are applied. The result is that settings placed on the RD Session Host server OU will always take precedence in case of a conflict. If you have blocked GPO inheritance on the RDS OU, then only the user policies that you place on the OU will be implemented for your users. You’ll find out more about loopback policies in the section entitled “The Ins and Outs and Ins of Loopback Policy Processing” later in this chapter.
There’s some overlap between the computer- and user-specific settings in Group Policy, but you’ll generally find that you’ll need both to configure the users’ working environment. When setting up an RD Session Host server environment, where it’s important not just that you are logging on but that you’re using an RD Session Host server, you’ll definitely need both.
ON THE COMPANION MEDIA The following explanations assume that you have
permission to manage Group Policy for your RD Session Host servers. If this is not
the case, you’ll need to provide the instructions to the administrator controlling
Group Policy for your organization and let him or her fit them into corporate
management policy. This is one way to organize your RD Session Host server GPOs,
but it is not the only possible model. GPO architecture is unique to the particular
situation. For example, for some organizations, blocking inheritance might not be an
option for business policy reasons. For more information on Group Policy modeling,
see “Design Considerations for Organizational Unit Structure and Use of Group
Policy Objects,” located at http://technet2.microsoft.com/windowsserver/en
/library/2f8f18cf-a685-48db-a7be-c6401a8fb6341033.mspx?mfr=true. (This article
was written for Windows Server 2003, but it still applies.) You can also find the link
on this book’s companion media.
ORGANIZE FARMS AND POOLS INTO OUS
First, create an OU for each RD Session Host farm or VM pool. (Because all members of a farm or pool are homogenous, they should all be in the same OU.) Open Active Directory Users And Computers, right-click the domain, and choose New, Organizational Unit. Name it after the farm (for example, RDSH Farm1) and then drag all computer objects in the farm or pool into the OU (see Figure 5-8).
FIGURE 5-8 Create OUs for your RD Session Host server farms and VM pools.
IMPORTANT Company policy might prevent you from blocking inheritance. You can
still know exactly what policies are going to be applied to the users and computers in your
OUs; it will just take more effort because you will have to know about all Group Policies
applied at higher levels.
[Figure 5-9 callouts: “The computer policy will affect all users who log on to any RD Session Host server or VM in the OU.” “Create different GPOs for different terminal server user groups based on group needs.”]
FIGURE 5-9 Create separate user and computer GPOs for the RDS environment.
To create the GPOs, open the GPMC (by clicking Start, Programs, and Administrative Tools). Right-click the Group Policy Objects folder in the left pane, found under your domain folder, and choose New to open the dialog box shown in Figure 5-10.
Name the computer policy something descriptive, such as RDS Computer GPO, and then click OK.
Next, create another policy that will hold user-specific settings, naming it something like RDS User GPO. Click OK, and you will be back in the GPMC, with a list of available policy objects that includes the ones you just created, as shown in Figure 5-11.
Next, ensure that each GPO is specific to one type of settings—computer or user. This is optional, but this will give you more control over your RDS environment.
Click the Details tab in the upper portion of the right pane. Here, there’s a GPO Status drop-down list with four options: All Settings Disabled, Computer Configuration Settings Disabled, Enabled, and User Configuration Settings Disabled. For your computer-specific GPOs, make sure that no user-specific settings will be applied by setting the Status to User Configuration Settings Disabled. Follow the same process to create a new user-specific GPO. For the User GPO, navigate to the drop-down menu on the Details tab and set the GPO Status to Computer Configuration Settings Disabled.
Updating Group Policy
Active Directory Domain Services (AD DS) does not immediately send user
Group Policy changes down to the computers to which they apply. The Group
Policy engine on the computer actually pulls the GPO changes from AD DS at
specific intervals, called the refresh interval. By default, the refresh interval is 90
minutes (plus a random time ranging from 0 to 30 minutes). To immediately see
the effects of changes that you make to GPOs, you can force this refresh. Open a
command prompt on your RD Session Host server and type gpupdate /force. Most
computer policies can be updated just by doing this; a few (like Folder Redirection)
will require a reboot.
[Figure labels: Group Policy processing order without loopback: Local, Site, Domain, Computer OU, User OU.]
On a personal computer, it’s perfectly acceptable to have the identity of the person logging on define the final settings for Group Policy. But RD Session Host server farms and pooled VMs are location-specific or context-specific situations in which where you are matters even more than who you are. For example, you might decide that it’s acceptable for users to use clipboard redirection when connecting to personal VMs, but for security reasons, you don’t want them using clipboard redirection when connecting to an RDS server farm hosting sensitive data. You need policies applied based on which computer you are logged on to. In this case, you will apply loopback policy processing to tell the Group Policy engine to apply the user GPOs that are applied to a computer OU (for example, to an RDS farm OU) after applying the user GPOs that are normally applied during logon. With loopback policy processing enabled, GPO processing will now work as shown in Figure 5-13.
FIGURE 5-13 Loopback Processing changes the effective Group Policy results. (Figure labels: Local, Site, Domain, User OU.)
When the RD Session Host server starts, computer GPOs are applied. When the user logs on to the RD Session Host server, the User GPOs are applied to the session. Then, because loopback policy processing is enabled, User GPOs that are applied to the RD Session Host server OU are applied last. In addition, if you have blocked inheritance, it’s possible that the only GPOs that will be applied are computer and user GPOs that are placed specifically on the OU.
To enable Loopback Processing, right-click the Computer GPO applied to the RD Session Host server OU and choose Edit. The Group Policy Management Editor opens the GPO. Go to Computer Configuration, Policies, Administrative Templates, System, and Group Policy and find the User Group Policy Loopback Policy Processing Mode node in the pane on the right. Double-click it and you will see the dialog box shown in Figure 5-14.
FIGURE 5-14 Enable loopback policy processing from the User Group Policy Loopback Processing Mode Properties dialog box.
HOW IT WORKS
Loopback policy can apply to users in one of two ways: Merge Mode and Replace
Mode.
■ In Merge Mode, loopback policy processing will apply the user GPOs placed
on the RD Session Host server OU along with the other normal user GPOs
applied from the OU where the user account resides. If there is a conflict,
then the user GPOs applied to the RD Session Host server OU will prevail.
■ In Replace Mode, the Group Policy engine ignores all other user GPOs from
the User OU and applies only the user GPOs applied to the RD Session Host
server OU.
Merge Mode and Replace Mode affect only GPOs placed on the OU where the user
account resides. User GPOs placed at higher levels (for example, at the domain
level) will still be applied unless you have specifically blocked inheritance on the OU
where the computers reside.
Whether you choose Merge Mode or Replace Mode depends on your goals and
how you’ve set up the rest of your environment. If users are using the same GPOs to
log on to the RD Session Host servers and to their local desktops, their user settings
might not mesh well with a shared environment. If that’s the case, then you’d pick
Replace Mode. If you want the user experience to be as similar as possible for both
local and remote logons, then Merge Mode might be more appropriate because
it will preserve user-specific policies. The main thing you’ll need to watch out for
is that GPO settings from the GPOs applied to the user do not cause problems for
your user when she is logged on to an RD Session Host server (or pooled VM). Using
Merge Mode is more work because it requires a lot of considering of individual
policies and their effect on a remote workspace.
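As an added example that is not from the book, this PowerShell model applies the processing order described above (Local, Site, Domain, User OU, then the user GPOs linked to the RD Session Host OU) and shows how Merge Mode, Replace Mode, and blocked inheritance change the effective user settings. The setting names and values are constructed for illustration.

```powershell
# Added example (not the book's code): model of loopback Merge/Replace processing.
# Each layer is a hashtable of setting -> value; later layers win on conflict.
function Get-EffectiveUserSettings {
    param(
        [Parameter(Mandatory)] [ValidateSet('None', 'Merge', 'Replace')] [string] $LoopbackMode,
        [switch] $BlockInheritanceOnComputerOU,
        [hashtable] $Local = @{}, [hashtable] $Site = @{}, [hashtable] $Domain = @{},
        [hashtable] $UserOU = @{}, [hashtable] $ComputerOU = @{}
    )
    # Normal user pass: GPOs in the user account's scope, Local through the User OU.
    $userScope = @($Local, $Site, $Domain, $UserOU)
    # Loopback pass: user GPOs in the computer's scope. Blocking inheritance on the
    # RD Session Host OU leaves only GPOs linked directly to that OU (Local GPO still applies).
    $computerScope = if ($BlockInheritanceOnComputerOU) { @($Local, $ComputerOU) }
                     else { @($Local, $Site, $Domain, $ComputerOU) }
    $order = switch ($LoopbackMode) {
        'None'    { $userScope }
        'Merge'   { $userScope + $computerScope }   # computer-OU user GPOs applied last, so they win
        'Replace' { $computerScope }                # user-scope GPOs ignored entirely
    }
    $effective = @{}
    foreach ($layer in $order) {
        foreach ($name in $layer.Keys) { $effective[$name] = $layer[$name] }
    }
    return $effective
}

# Constructed GPO contents (illustrative names and values only).
$domainGpo        = @{ ScreenSaverTimeoutSec = 900 }
$userOuGpo        = @{ AllowClipboardRedirection = $true; Wallpaper = 'corp-desktop.jpg' }
$rdsFarmOuUserGpo = @{ AllowClipboardRedirection = $false }   # user GPO linked to the RDS farm OU

$common  = @{ Domain = $domainGpo; UserOU = $userOuGpo; ComputerOU = $rdsFarmOuUserGpo }
$merge   = Get-EffectiveUserSettings -LoopbackMode Merge   @common
$replace = Get-EffectiveUserSettings -LoopbackMode Replace @common
$blocked = Get-EffectiveUserSettings -LoopbackMode Replace -BlockInheritanceOnComputerOU @common

# Merge keeps Wallpaper and the domain timeout, but clipboard redirection becomes $false.
# Replace drops Wallpaper (a User OU setting) yet still applies the domain-level timeout.
# Replace with blocked inheritance leaves only AllowClipboardRedirection = $false.
'Merge:';                          $merge   | Format-Table -AutoSize
'Replace:';                        $replace | Format-Table -AutoSize
'Replace + blocked inheritance:';  $blocked | Format-Table -AutoSize
```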
FIGURE 5-15 Add users to the GPO Security Filtering section of the ASH TS Users Policy.
Using Group Policy to Define the Roaming Profile Share
After you have a Group Policy infrastructure set up, you can create a policy to create roaming profile folders in the proper folder share location automatically.
The Group Policy setting to set the path for RDS roaming profiles is a computer setting. Right-click your Computer Policy GPO and choose Edit. Expand the GPO to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles. In the pane at right, double-click Set Path For Remote Desktop Services Roaming User Profile, shown in Figure 5-16.
FIGURE 5-16 Set the path for Remote Desktop Services Roaming User Profile storage.
Select the Enabled option and type the RDS roaming profile share location in the Profile Path text box. If you use Group Policy to set the RDS roaming profile path, then the profile folders that are created take the form of username.domainname.V2; you do not need to add the %username% variable, the domain name, or the .V2 extension. This is in contrast to defining the path to the Remote Desktop Services profile folder by editing the user account properties through scripting or through Active Directory Users And Computers, where you must specify the username and domainname variables to create the folder properly.
NOTE If you already have profiles stored in the profile path and the profile folders do not
include the domain name (perhaps they take the form of username.V2), change the names
to include the domain name. Otherwise, the server will not see the existing profile, and the
service will create a new one in the format username.domainname.V2.
If the profile folders are created automatically when the user logs on, then the user gets sole access to the profile and is also set as the owner of the profile folder. To permit administrators to access the profile, enable the following GPO setting: Computer Configuration\Policies\Administrative Templates\System\User Profiles\Add The Administrators Security Group To Roaming User Profiles. With this GPO setting enabled, the following permissions are placed on newly created user folders:
■ User: Full Control, owner of folder
■ SYSTEM: Full Control
■ Administrators: Full Control (This is the local administrators group of the server where the profiles are stored, which also contains the Domain Admins group.)
You can also pre-create user profile folders and set permissions as required. For more information about profile folder permissions, see the section entitled “Converting an Existing Local Profile to a Roaming Profile” earlier in this chapter.
With this GPO setting configured, users accessing the RD Session Host servers in this OU now have a roaming profile created and stored in the designated share:
\\servername\sharename\%username%
Speeding Up Logons
One of the biggest challenges that IT professionals face in an RDS environment is to provide a user experience that feels as much like a local computer as possible. Users want to log on quickly, work steadily, get their job done, and get out. If they find that they have to wait longer to log on than they like, the Help desk will hear about it, or people will look for ways to circumvent the data center.
Roaming profiles are usually the best choice for RDS. Centralizing the profile on a network share makes it possible to always have the same experience no matter what RD Session Host server or VM a user is logged into—even new ones that were just added. Centralizing also simplifies backups. However, if you don’t take steps to avoid it, profiles grow over time. By default, a profile contains not only configuration data but also user documents. Assuming that a user saves files to the folders there for that purpose, the profile will grow. Big profiles slow down logons and logoffs due to the massive amounts of data that must be copied to the remote location.
There are several things you can do to speed logons:
■ Take advantage of the new behavior of Group Policy caching among servers in a farm to reduce the time needed for the first login
■ Enable Folder Redirection
■ Manage policy caching
■ Limit profile size
Let’s start with the one that requires no configuration.
allowed to log on because there’s no room to store their profiles. There are Group Policies to remove older data in the cache if room runs out, but it’s better if you can avoid this problem entirely.
The simplest step that you can take to avoid profile bloat is to enable Folder Redirection. Folder Redirection has two advantages: it keeps user data out of the profile to keep the profile smaller, and it allows differential synching (so that if only part of a file is changed, that part will be saved to the central location, rather than copying the entire file). You’ll learn how to set up Folder Redirection in the section “Centralizing Personal Data with Folder Redirection” later in this chapter.
below the quota. The policy setting is found in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles\Limit The Size Of The Entire Roaming User Profile Cache.
NOTE Although you can apply the Delete Cached Copies Of Roaming Profiles GPO set-
ting to pooled and personal VMs, it doesn’t accomplish anything useful. Pooled VMs get
rolled back (if set up to do so) when a user logs off, so the user profile cache is cleared
as part of the rollback function. And personal VMs are, well, personal. They will have one
profile cached on the machine. You will have enough room for one user profile cache in
this instance. Deleting the profile cache on a personal desktop will just increase logon time
and has no advantages.
Another way to make sure that your servers do not run out of disk space due to an overgrown profile cache is to put a cap on the cache size. If the size of the entire cache exceeds the limit set by this policy, the server will delete the oldest profile in the cache until the overall size drops below the threshold you set. The GPO setting is located at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Profiles\Limit The Size Of The Entire Roaming User Profile Cache.
Enable this setting and enter the following numbers:
■ A monitoring Interval (in minutes) The interval at which the profile cache size is checked
■ Maximum cache size (in GB) This is the threshold. If the cache grows beyond this number, the oldest profiles start getting deleted.
FIGURE 5-17 When you cache a profile on a server, it automatically creates a corresponding registry entry.
NOTE Examining this key can also help you troubleshoot profile problems. If a user seems
to be getting his standard profile to log on to the RD Session Host server, check the con-
tents of CentralProfile (see Figure 5-17). If this entry is blank, that person is using a local
profile.
If you just delete the profile from Windows Explorer, the entries in the registry remain, which confuses the server, as explained in the next section.
The cleanest way to delete unused profiles is to let Group Policy delete the old and unused profiles. You can also delete cached roaming user profiles from the User Profiles section of System Properties on the RD Session Host server. Log on to the RD Session Host server as an administrator. Go to Start, Control Panel, System, and click Change Settings. The System Properties dialog box will appear. Select the Advanced tab. In the User Profiles section, click Settings… to open the User Profiles dialog box, shown in Figure 5-18.
FIGURE 5-18 The User Profiles dialog box displays the profiles stored on the computer.
Highlight the roaming profile that you want to delete and then click Delete. When you see a dialog box confirming that you want to delete the profile, click Yes and the roaming profile cache is deleted. Click OK.
FIGURE 5-19 The RDS roaming profile cache registry entry for user Adam Barr.
The ProfileImagePath key in this folder indicates the cache location, which by default is %SystemDrive%\Users\%UserName%. (The network location where the roaming profile is stored is in the CentralProfile key.)
If you delete the user’s locally cached profile folder and that user starts a session on that RD Session Host server, he will get a temporary profile. The registry entry corresponding to the user’s cached profile is renamed. The SID part stays the same, but it is given an extension of .bak, as shown in Figure 5-20.
FIGURE 5-20 The old registry key for the profile that was deleted incorrectly now has a .bak extension.
In addition, a new key is created in its place. The newly created registry entry is named after the user SID just as before. However, the ProfileImagePath key inside the new folder now points to %SystemDrive%\Users\TEMP, as shown in Figure 5-21.
FIGURE 5-21 A new registry entry is created, but the ProfileImagePath key points to %SystemDrive%\Users\TEMP.
Therefore, the entry that used to work now has a .bak extension and is not usable, and the profile actually being used is a temporary profile. When the user logs off, his temporary profile is not copied back to the central profile storage location on the fileserver.
Deleting the profile from the System Properties dialog box User Profiles section no longer works either. Most likely, the profile will not even be listed in the dialog box. If it is, it most likely means that the user has not logged off completely. If you do manage to select it and click Delete, you get an error message: “Profile not deleted completely. Error – The system cannot find the file specified.”
To rectify this, you must manually delete the abandoned registry entry that has the .bak extension. You might also need to reboot the server. Only then can the user log on to the RD Session Host server and have his roaming profile correctly cached once again on the server.
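As an added example that is not from the book, this PowerShell script inspects the ProfileList registry key where the entries shown in Figures 5-19 to 5-21 live (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList), flags the symptom described above (a SID key with a .bak twin whose live key points at %SystemDrive%\Users\TEMP), and, only when asked, removes the abandoned .bak keys. Run it as an administrator on the RD Session Host server; try -WhatIf with -RemoveStale first.

```powershell
# Added example (not the book's code): report, and optionally repair, abandoned
# ProfileList entries left behind by deleting a cached profile folder by hand.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch] $RemoveStale)

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

$report = foreach ($key in Get-ChildItem -LiteralPath $profileList) {
    $sid   = $key.PSChildName
    $props = Get-ItemProperty -LiteralPath $key.PSPath
    $image = [Environment]::ExpandEnvironmentVariables([string]$props.ProfileImagePath)
    [pscustomobject]@{
        Key              = $sid
        IsBak            = $sid -like '*.bak'
        ProfileImagePath = $image
        CentralProfile   = [string]$props.CentralProfile    # blank means a local, not a roaming, profile
        UsesTemp         = $image -like '*\Users\TEMP*'      # the temporary profile described in the text
        FolderExists     = ($image -ne '') -and (Test-Path -LiteralPath $image)
    }
}

# A .bak key whose live twin points at the TEMP folder is the broken state described above.
foreach ($bak in ($report | Where-Object IsBak)) {
    $liveSid = $bak.Key -replace '\.bak$', ''
    $live    = $report | Where-Object { $_.Key -eq $liveSid }
    if ($live -and $live.UsesTemp) {
        Write-Warning ('{0}: abandoned .bak entry; the live key points at {1}' -f $bak.Key, $live.ProfileImagePath)
    }
    # Manual repair step from the text: delete the abandoned .bak key (then reboot if needed).
    if ($RemoveStale -and $PSCmdlet.ShouldProcess("$profileList\$($bak.Key)", 'Remove abandoned .bak key')) {
        Remove-Item -LiteralPath (Join-Path $profileList $bak.Key) -Recurse
    }
}

$report | Format-Table Key, IsBak, UsesTemp, FolderExists, ProfileImagePath, CentralProfile -AutoSize
```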
FIGURE 5-22 Set the Folder Redirection policy.
Right-click the AppData(Roaming) folder and choose Properties to open the dialog box shown in Figure 5-23.
To specify the location of the AppData(Roaming) folder, choose between two options in the Setting drop-down menu:
■ Basic - Redirect Everyone’s Folder To The Same Location This means just what it says; all AppData(Roaming) folder data for every user will go to the same location.
■ Advanced - Specify Locations For Various User Groups To store user data in different locations based on user group membership, choose this option.
The menu contents will vary depending on the type of folder redirection you choose. If you choose Basic, then you get a Target folder location drop-down menu with three choices:
■ Create A Folder For Each User Under The Root Path Choose this option to put each user’s profile data into a folder under the root path named according to the user name. In the Root Path text box, specify the location of your designated Folder Redirection share. In most cases, this is the best option.
■ Redirect To The Following Location Choose this option to redirect all user data to the same location. You’d do this if you wanted all users to use the same Desktop or Start Menu folder. Choose this option only if you want everyone to write to the same user-specific folders.
■ Redirect To The Local Profile Location Don’t choose this option. Your profiles roam, and you want your profile folders redirected to the network share.
Click the Settings tab, as shown in Figure 5-24.
FIGURE 5-24 Grant The User Exclusive Rights To AppData(Roaming) is enabled by default. Clear this check box to let administrators manage the redirected folder.
By default, Grant The User Exclusive Rights To AppData(Roaming) is enabled. If you leave it this way, then the user will own this folder, and only she will be able to access this data. To enable managing this folder, clear this box so that the rights from the parent folder will be inherited. For example, if you give Domain Admins full control of the parent folder, then this group will have access to the redirected user folders as well.
If your users already have these folders before you set up Folder Redirection, then you must set up the existing folders in one of two ways (otherwise, Folder Redirection will fail):
■ The user needs to be the owner of the folder and can be granted exclusive rights to the folder.
■ If the user does not need to be the owner of the folder, clear this box.
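Added example (not the book’s own code): a PowerShell check for the first case above. It walks the per-user folders under an existing redirection root and reports whether each folder is owned by the user it is named after and whether that user already holds Full Control; the root path and domain are placeholders you supply, and the folder-per-user layout is assumed.

```powershell
# Added example (not from the book): check an existing Folder Redirection root
# before enabling the policy with "Grant the user exclusive rights" left on.
# Assumes the "Create a folder for each user under the root path" layout, so
# each folder name is a user name. RootPath is a constructed placeholder.
param(
    [string]$RootPath = '\\fileserver\Redirected$',   # placeholder, not from the book
    [string]$Domain   = $env:USERDOMAIN
)

function Test-RedirectionFolderOwner {
    param([string]$Root, [string]$Dom)
    foreach ($dir in Get-ChildItem -Path $Root -Directory) {
        $acl      = Get-Acl -Path $dir.FullName
        $expected = "$Dom\$($dir.Name)"              # e.g. CONTOSO\alice
        $ownedByUser = ($acl.Owner -eq $expected)

        # Does the user already hold an explicit Allow Full Control rule?
        $hasFullControl = [bool]($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $expected -and
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights -eq 'FullControl'
        })

        # A folder created by an administrator is usually owned by the
        # Administrators group; with exclusive rights enabled, redirection for
        # that user fails until ownership is fixed or the check box is cleared.
        $status = if ($ownedByUser) { 'OK' } else { 'Fix ownership or clear exclusive rights' }

        [pscustomobject]@{
            Folder         = $dir.FullName
            Owner          = $acl.Owner
            OwnedByUser    = $ownedByUser
            HasFullControl = $hasFullControl
            Status         = $status
        }
    }
}

Test-RedirectionFolderOwner -Root $RootPath -Dom $Domain | Format-Table -AutoSize
```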
All the folders listed in this GPO section have the same choices to pick from, except for the Pictures, Music, and Video folders. These folders have an extra setting that you can choose for the location of the folder: Follow The Documents Folder. This means that these folders will be stored in the user’s Documents folder, wherever that folder is redirected.
To move the contents of the existing folder to the new folder outside the profile, select the Move The Contents Of “The Name Of The Folder Being Redirected” To The New Location check box.
ON THE COMPANION MEDIA When redirecting a folder using Group Policy, one of the options is Move The Contents. Unless you select this option, a duplicate link will be left behind, even when that folder is completely empty, meaning that users will see two Documents folders, two Music folders, and so forth. For tips on how to avoid the “duplicate link” problem, see http://blogs.technet.com/deploymentguys/archive/2008/05/01/dealing-with-duplicate-user-profile-links-in-windows-vista.aspx. You can also find the link on this book’s companion media.
Sharing Folders Between Windows Server 2003 and Windows Server 2008 R2 Roaming Profiles
The easiest profile environment to manage is homogenous: All users work only in RD Session Host servers, and all session servers are running Windows Server 2008 R2. However, there are good reasons why you might need to support both V1 and V2 profile structures at the same time:
■ Some users work both on the RD Session Host server and on VMs running Windows XP (perhaps because they’re using RemoteApp on Hyper-V).
■ You’re migrating to Windows Server 2008 R2 RDS from Windows Server 2003 Terminal Services, and some of the older servers are still in use as you convert.
V1 profiles and V2 profiles are not compatible. Therefore, if you have some active 2003 RD Session Host servers, you will need to keep two sets of profiles for your users—one to log on to the 2003 servers and one to log on to the 2008 servers. And you might need even more profiles if users are also using pooled and personal VMs, and/or RemoteApp programs on Hyper-V. However, Folder Redirection can be used to bridge the gap.
Not all 13 folders that can be redirected in Windows Server 2008 R2 can be redirected in Windows Server 2003, but some can. You can share the data in these folders between the 2003 profiles and the 2008 profiles. On the Settings tab of each folder in the Folder Redirection container is an option called Also Apply Redirection Policy To Windows 2000, Windows 2000 Server, Windows XP And Windows Server 2003 Operating Systems. For some folders, this option is available, but on others (the ones that will not redirect for downlevel operating systems), it appears dimmed and is unavailable. Table 5-6 shows which of the folders can be redirected for Windows 2000, Windows XP, and Windows Server 2003.
TABLE 5-6 Profile Folder Redirection Capabilities for Various Versions of Windows
FOLDER | CAN THE FOLDER BE REDIRECTED FOR EARLIER OPERATING SYSTEMS? | DETAILS
ON THE COMPANION MEDIA For more information on Windows Server 2003 and Windows XP Profiles and Folder Redirection, see http://technet2.microsoft.com/windowsserver/en/library/06f7eebc-2ebb-47c5-8361-1958b58078cc1033.mspx?mfr=true. You can also find the link on this book’s companion media.
NOTE Some custom applications might not respond well to having the AppData folder redirected. But not redirecting AppData could lead to profile bloat, especially if your applications write a lot of data to this location. For situations like this, consider using App-V to deploy the problem application. For technical resources on sequencing with App-V, see http://www.microsoft.com/systemcenter/appv/dynamic.mspx.
DIRECT FROM THE FIELD
Mandatory profiles are generally considered fast and secure because they usually are small in size and cannot be modified by the user. Although that is true—mandatory profiles stay pristine indefinitely—there is more to security than read-only access.
Mandatory profiles are a variant of roaming profiles: A master copy on a file server is copied to the RDS session host during logon. The resulting local copy is secured with file system ACLs that grant full access to the user, but to no one else (except administrators and SYSTEM). All is safe and secure—except in the case of mandatory profiles.
A user profile consists not only of file system data, but also of a registry hive (stored in the file NTUSER.MAN) that is mounted to HKU\<SID> and accessible from within a session via the well-known name HKCU. In contrast to the file system, registry permissions are not changed during logon because that is not necessary—at least with roaming profiles where the master copy of each hive already has the correct permissions.
So on an RD Session Host server where mandatory profiles are used, a user can simply open Regedit (if not blocked from doing so), navigate to HKU\<Some other user’s SID>, and read/write at will.
Consequences
Users being able to read/write somebody else’s HKCU hive poses a potentially grave security problem. At least two types of attacks can be envisioned: eavesdropping and damaging. Here are some simple examples.
Many applications store a list of most recently used (MRU) files in HKCU (for example, Word: HKCU\Software\Microsoft\Office\12.0\Word\File MRU). By reading such lists, attackers can gain information about which documents another user is editing.
Applications and the operating system itself need and expect write access to HKCU. Because a user always has write access to HKCU, programs do not handle the absence of such permissions well. By changing permissions on another user’s hive (for example, removing write access), an attacker could effectively break another user’s session, making it impossible to start and use even the most trivial programs—most applications that store their settings in HKCU would be affected.
How to Fix
The following workarounds can help fix this security vulnerability.
2. Block access to the registry via software restriction policies. This includes, but is not limited to, Regedit.exe, Cmd.exe, Reg.exe, scripts and batch files, and other custom (downloaded) tools. In essence, in order to avoid this problem exclusive white-listing is required.
3. Re-ACL (change the security permissions on) each registry hive after it is loaded and replace “Everyone” with the current user.
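As an added example (not part of the sidebar), this PowerShell script audits the hives loaded under HKEY_USERS for the condition described above, reporting any Allow rule that gives write rights to a principal other than the hive’s own user, Administrators or SYSTEM, and implements workaround 3 by replacing Everyone with the hive owner (with -WhatIf support). The well-known SIDs used are standard Windows values; the script assumes it runs elevated on the RD Session Host.

```powershell
# Added example (not from the book): audit hives loaded under HKEY_USERS on an
# RD Session Host and, optionally, apply workaround 3 from the sidebar.
# Assumes an elevated session; the well-known SIDs below are standard values.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

$TrustedSids = @('S-1-5-18', 'S-1-5-32-544')   # NT AUTHORITY\SYSTEM, BUILTIN\Administrators
$EveryoneSid = 'S-1-1-0'
# Any of these rights lets a principal modify the hive rather than just read it.
$WriteRights = [RegistryRights]::SetValue -bor [RegistryRights]::CreateSubKey -bor
               [RegistryRights]::Delete -bor [RegistryRights]::ChangePermissions -bor
               [RegistryRights]::TakeOwnership

function Get-LoadedUserHive {
    # Interactive user hives only (S-1-5-21-...), skipping the service hives and
    # the <SID>_Classes keys that are loaded beside each user hive.
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
}

function Test-UserHiveAcl {
    # Returns one record per Allow rule that grants write rights to someone who
    # is not the hive owner, Administrators or SYSTEM. No output is the expected
    # result on a correctly secured server.
    [CmdletBinding()]
    param()
    foreach ($hive in Get-LoadedUserHive) {
        $ownerSid = $hive.PSChildName
        $acl = Get-Acl -Path $hive.PSPath
        # Ask for rules keyed by SID so domain and well-known accounts compare reliably.
        foreach ($rule in $acl.GetAccessRules($true, $true, [SecurityIdentifier])) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -ne [AccessControlType]::Allow) { continue }
            if ($sid -eq $ownerSid -or $TrustedSids -contains $sid) { continue }
            if (($rule.RegistryRights -band $WriteRights) -eq 0) { continue }
            $account = $sid
            try { $account = $rule.IdentityReference.Translate([NTAccount]).Value } catch { }
            [pscustomobject]@{
                Hive      = $ownerSid
                Principal = $account
                Rights    = $rule.RegistryRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

function Repair-UserHiveAcl {
    # Workaround 3: replace every explicit "Everyone" rule on a loaded hive with
    # the same rule granted to the hive's own user. Run with -WhatIf to preview.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($hive in Get-LoadedUserHive) {
        $owner = [SecurityIdentifier]::new($hive.PSChildName)
        $acl   = Get-Acl -Path $hive.PSPath
        $everyoneRules = @($acl.GetAccessRules($true, $false, [SecurityIdentifier]) |
            Where-Object { $_.IdentityReference.Value -eq $EveryoneSid })
        if ($everyoneRules.Count -eq 0) { continue }
        foreach ($rule in $everyoneRules) {
            $replacement = [RegistryAccessRule]::new($owner, $rule.RegistryRights,
                $rule.InheritanceFlags, $rule.PropagationFlags, $rule.AccessControlType)
            $null = $acl.RemoveAccessRule($rule)   # returns a bool we do not need
            $acl.AddAccessRule($replacement)
        }
        if ($PSCmdlet.ShouldProcess($hive.PSChildName, 'Replace Everyone with the hive owner')) {
            Set-Acl -Path $hive.PSPath -AclObject $acl
        }
    }
}

Test-UserHiveAcl | Format-Table -AutoSize
Repair-UserHiveAcl -WhatIf
```

Because hives are re-loaded from the master copy at every logon, the durable fix is to correct the master NTUSER.MAN permissions; this script shows what a logon script applying workaround 3 would have to do on each session host.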
FIGURE 5-25 To convert a roaming profile to a mandatory profile, change its extension.
No changes that the user makes to the profile will be saved. But combining mandatory profiles with Folder Redirection will give users some control over their session and allow them to change their Favorites, Documents, Desktop, and other settings without compromising the configuration data loaded in HKCU.
TABLE 5-7 Share Permissions for a Mandatory Profile Storage Folder
TABLE 5-8 NTFS Permissions for User Accounts for a Mandatory Profile Storage Folder
2. Create a folder within the folder created in Step 1, name it something appropriate to indicate it is a mandatory profile, and append the .V2 extension (for example, ASH RDS MAN.V2).
3. Because using the Copy To button now works only for the Default user profile, this is the profile you will copy to the share you created in Step 1. On the RD Session Host server, from Server Manager, click Change System Properties and select the Advanced tab. In the User Profiles section, click Settings. Highlight the Default User, and click Copy To. In the Copy To dialog box, type or browse to the shared folder location that you created in Step 1. Click Permitted To Use, add Everyone, and click OK.
NOTE If you choose to create a customized mandatory profile, use Sysprep to overwrite the Default User profile on the machine that you will copy from. For more on customizing the default user profile and using the Copy To button, and how to use Sysprep to customize the Default User Profile, see the sections earlier in this chapter entitled “Converting an Existing Local Profile to a Roaming Profile” and “Customizing a Default Profile.”
4. Rename NTUSER.DAT in the resulting profile (in the file share created in Step 1) to NTUSER.MAN. You will need to change the folder options to show hidden files and folders to see this file.
5. Create appropriate GPOs by doing the following:
■ Edit the Computer GPO setting as follows: Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles\Set Path For Remote Desktop Services Roaming User Profile to point to the share created in Step 2 (for example, //colfax/ash-rds-mandatory-profile/ASH RDS MAN). Do not include the .V2 extension.
■ Enable the Computer GPO policy setting as follows: Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles\Use Mandatory Profiles On The RD Session Host Server.
■ Enable the Computer GPO setting as follows: Computer Configuration\Policies\Administrative Templates\System\User Profiles\Add The Administrators Security Group To Roaming User Profiles.
6. Apply the GPOs to the RD Session Host Server OU (in Group Policy Manager on a domain controller).
7. Reboot the RD Session Host servers and test by logging in as a regular user.
4. Enable the GPO setting as follows: Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles\Use Mandatory Profiles On The RD Session Host Server.
5. Enable the Computer GPO setting as follows: Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles\Set Path For Remote Desktop Services Roaming User Profile. Point to the local mandatory profile location, such as C:\Mandatory Profile. Do not include the .V2 extension.
6. Do this on each machine in the farm or pool.
Profile and Folder Redirection Troubleshooting Tips
PROBLEM: Users cannot load their roaming profiles when they log on, and they see a message that they will be logged on with a temporary profile.
SOLUTION: You might have deleted the cached profile manually using Windows Explorer. Delete the old registry keys and use tools such as the profile management utility or Delprof to delete profiles.
ADDITIONAL INFORMATION IN THIS CHAPTER: See the section entitled “Deleting Cached Profiles Manually.”
PROBLEM: Testing Mandatory Profiles returns the error “Access is denied.”
SOLUTION: Make sure you set the Everyone group to be permitted to use the profile when you use the Copy To button to create the mandatory profile. If necessary, delete the profile that is not working and redo it.
Summary
Although roaming profiles (read-write or read-only) are often the best mode for storing user profiles in an RDS environment, the complications involved in making them work well can be daunting. This chapter has explained how profiles work, including how the User Profile Service loads and saves configuration data. You’ve learned about best practices, including how to keep profiles manageable in size to speed user logons and how Folder Redirection and profile caching also contribute to faster logons. You’ve seen how to set up Group Policy to enable automatic profile creation and how to use security filtering and loopback policy processing to ensure that the policies are applied correctly with RDS. Finally, you’ve learned how to set up and use mandatory profiles with RDS and how to prevent users from losing files when using mandatory profiles.
■ There are three types of profiles: local, roaming, and mandatory (including super-mandatory).
■ Combining roaming profiles with Folder Redirection is generally the best way to store user data in remote environments. Folder Redirection is very important for keeping logon times short and profile sizes small.
■ Mandatory profiles work best when you don’t want to save any changes to the profile and have prevented users from writing files to profile folders.
■ Profiles don’t merge—they overwrite. For best results, open only one copy of the user profile at a time. For this reason, you should generally not use the same roaming profile for both local logons and RD Session Host server logons.
■ Implementing Group Policy correctly from the beginning is key to making roaming profiles work.
■ Folder Redirection is very important to making profiles work properly, as follows:
• Using Folder Redirection, you can share folders between two profiles for better integration of local and remote user experiences.
• If using mandatory profiles, you must use Folder Redirection to allow users to save files to any of their normal document storage locations (for example, Documents and Favorites).
Additional Resources
The following resources will extend your knowledge of topics addressed in this chapter. All links are available to you on this book’s companion media.
■ For more information on user profile management (with or without RDS), read the following:
CHAPTER 6
■ Moving the Client Experience to the Remote Session 307
■ Printing with RDP 334
If you’re reading this book sequentially, by this point you have the basic virtual machine (VM) or session delivery system enabled, and you’ve configured profiles and folder redirection for your environment. At this stage, you’re ready to move on to what most users would consider the critical part: remoting the user experience. After reading this chapter, you’ll know more about the following points:
■ How the core features of Remote Desktop Protocol (RDP) 7.0 work
■ How the remote experience will vary depending on the version of RDP a user employs to get to Windows 7 or Windows Server 2008 R2
■ How RDP 7.0 and RemoteFX differ in their approaches to remoting
■ How to configure the remote experience so that client-side devices work in remote sessions
■ How to configure printing with and without RD Easy Print
New Features in RDP 7.0
Each version of RDP adds new features to improve the user experience. RDP 7.0 introduces a number of changes to the remoting protocol that are designed to make the remote session feel more like working on the local computer.
● Multimedia remoting
● True multi-monitor support
● Audio recording from the local session to the remote session
● Desktop composition (Aero Glass) remoting from a session
● Language bar redirection
All these features require having Windows 7 or Windows Server 2008 R2 on the endpoint, and they are not available for /admin connections to a server running Windows Server 2008 R2.
Multimedia Remoting
Using Remote Desktop Connection (RDC) 7 with Windows 7 and Windows Server 2008 R2, audio and video content, played back by using Windows Media Player, is redirected from the RD Session Host server to the client in its original format and rendered by using the client’s resources. Other multimedia content, such as Silverlight and Windows Presentation Foundation (WPF), is rendered as bitmaps on the server. The bitmaps are then compressed and sent over to the client.
Desktop Composition
RDC 7, with Windows 7 and Windows Server 2008 R2, supports Aero Glass remoting and display of other advanced graphics features within an RD Session Host session. Desktop composition works only with a single monitor.
What Defines the Remote Client Experience?
Distinguishing RDP 7.0, RDC 7, and the actual user experience can be confusing. There are three pieces that facilitate remoting (shown in Figure 6-1):
■ The RDC application on the client This application comes native to an operating system, but can be upgraded. You don’t have to upgrade the operating system.
■ The RDP listener on the endpoint The Winstation driver on the endpoint listens for incoming RDP connections and sends data to the client computer. The listener is built into the operating system, so to upgrade it, you have to upgrade the operating system.
■ The RDP The protocol that the RDC and the listener use to pass data between the local and remote computer.
Figure 6-1 (diagram): RDC Client, an application that can be upgraded without upgrading the operating system; RDP Listener; RD Session Host Farm.
FIGURE 6-1 The RDP client, listener, and protocol work together to facilitate remoting.
The three of these combined define the client experience. The protocol itself passes data, the RDC sends data from the client and handles it when received, and the Winstation driver on the remote computer sends data from the server and receives it.
The listener and the RDC client support versions of the RDP protocol. Table 6-1 describes the remoting experience attainable given different combinations of RDC and the RDP listener. (Although the user interface in the RD Session Host Configuration tool says RDP 6.1, the experience is RDP 7.0.) There is no user interface to display the version of the RDP listener on client operating systems, but this is the version built in to the operating system. (To see the version on client SKUs, go to HKLM\SYSTEM\ControlSet001\Control\Terminal Server\Wds\Rdpwd.)
NOTE It’s a bit confusing that the RDP listener name in RD Session Host Configuration
says “6.1” when the protocol experience is 7. It does this because, as you can see in
HKLM\SYSTEM\ControlSet001\Control\Terminal Server\Wds\Rdpwd, the name of the
Winstation driver (the session driver, and stored in WdName) is “Microsoft RDP 6.1.” It
could just have easily been “Fred.” Regardless of the name of the driver, the experience you
will get when connecting to a Windows Server 2008 R2 or Windows 7 endpoint with RDC 7
is that of RDP 7.0.
RDC 7.0 will appear in the Windows XP and Windows Vista RDC About dialog box as version 6.1.7600. “7600” is the RTM version number of the Windows 7 build. It will also say that RDP 7.0 is supported.
TABLE 6-1 Remoting experience for combinations of RDC and the RDP listener (columns: Windows Server 2008 R2; Windows Vista SP1, SP2; Windows 7)
NOTE Table 6-3 in the section entitled “How the RDC Version Affects the User Experience—or Doesn’t” later in this chapter further defines this matrix.
When connecting from a client to an endpoint, the remoting experience will be the lowest common denominator of what the RDC can support and what the RDP listener on the endpoint can support. For example, if you connect from a machine running Windows XP to another machine running Windows XP, even if you have installed RDC 7, the experience will be that of RDP 5.1, because the RDP listener on Windows XP supports only up to RDP 5.1. Another example: If you connect from a machine running Windows 7 to a machine running Windows Server 2008 R2, RDP 7.0 is supported by both the client and the listener, so that is the experience you will get.
The RDP protocol connecting the RDC and the endpoint is split into virtual channels. Virtual channels are dedicated paths that carry particular kinds of data. For example, different channels support print jobs, clipboard sharing, drive redirection, and so forth. In Windows Server 2008 R2, virtual channels operate in both user mode and kernel mode (see Chapter 2, “Key Architectural Concepts for Remote Desktop Services,” for a description of user mode and kernel mode). Remote audio and the clipboard redirector both have virtual channels in user mode, whereas plug and play devices communicate via kernel-mode virtual channels.
To pass data between client and server, both ends of the channel must exist and be enabled. That’s why it’s possible to turn off drive redirection on an RD Session Host server without having to override this setting on the client—the server just isn’t listening on that channel. It’s also why it’s not possible to use a given virtual channel unless it is supported by both client and server. You can’t, for example, use the RDP 7.0 client to enable Plug and Play (PnP) Device Redirection on a terminal server running Windows Server 2003. The client supports that channel, but the server does not.
HOW IT WORKS
When the product group blogged about RDP 7.0 on the RDS Team Blog, some people wanted to know if the new protocol would enable new features on earlier versions of Windows. For example, would someone using RDP 7.0 on the client get language bar support when connecting to Windows XP? Would they get any new functionality?
The short answer is “Not really.” This is because of the way that virtual channels work. Almost all features available with RDS rely on virtual channels. (One exception to this rule is the integration of RemoteApp and Desktop Connections in the Start menu of Windows 7. That feature actually depends on the client operating system itself.) If the virtual channel isn’t on both ends of the connection, then the feature doesn’t work.
Until Windows Server 2008, all virtual channels were created at the beginning of the session and severed when the session was ended by the client or the server—these are static channels. Windows Server 2008 introduced a new kind of virtual channel called a dynamic virtual channel (DVC) that an application can create after the session has begun, and which it can sever before the session ends. DVCs make it possible to add new redirected devices to a session after it’s started. If you relied on static channels entirely, then it would not be possible to plug in a camera (for example) to the client and have it show up in an active remote session. Instead, you’d have to plug the camera into the universal serial bus (USB) port before beginning the session.
Separating data into virtual channels is how this architecture allows you to selectively disable client-side redirection. It’s possible to enable printing but disable drive redirection, or to enable clipboard redirection but disable PnP devices. The following section explores in detail how virtual channels work.
2. The server and client exchange some basic information about the connection, including the following:
NOTE For details on licensing, see Chapter 12, “Licensing Remote Desktop Services.”
7. The server tells the client what capabilities it supports, and the client acknowledges this information. The server capabilities sent during this step include features such as the following:
• RemoteApp support
• Desktop composition support
• The level of compression supported
8. Finally, the client and server finalize the connection details. After the client has received this, it can start sending keyboard and mouse input to the session, and the server can begin sending graphical updates to the client.
The following features of RDP use static virtual channels:
■ Clipboard redirection
■ DVCs
■ RemoteApp programs
■ Audio output
■ Smart card redirection
■ File system redirection
■ Serial port redirection
■ Legacy printer redirection (not RD Easy Print)
■ Session shadowing
An RDP connection might not have all these static virtual channels in place. During the capability negotiations between client and server, policies applied to the endpoint (and client) will be taken into consideration. Therefore, even if the operating system could technically support, say, file system redirection, if file system redirection is turned off due to Group Policy or turned off on the RDC, then the feature won’t be supported and the static virtual channel won’t be created.
The following features of RDP use DVCs:
■ RD Easy Print
■ PnP Remoting
■ Multimedia Remoting
■ Audio Recording from client to session
■ Composited Remoting (required to enable effects like Aero Glass remoting)
process with the session. (Although a client operating system endpoint can support only a single interactive session at a time, Fast User Switching means that it might have more than one session logged on at once.)
DIRECT FROM THE SOURCE
I have been passionate about desktop centralization for many years, even before I joined the Microsoft Remote Desktop Virtualization team in 1998. Prior to joining Microsoft, I was a UNIX developer. (We didn’t call the scenario “desktop centralization” at that time. We called it “X Windows.”)
The promise of Virtual Desktop Infrastructure (VDI) is that user desktops can be centralized in such a way as to move complexity and state from the desktop into the datacenter. To execute on this promise, we needed to allow people to use a broad range of endpoint devices without compromising on the user experience. To this end, we are developing a remoting approach that complements traditional graphics remoting capabilities and works for endpoint devices ranging from PCs to the most lightweight of thin clients.
If you have a powerful client device with a rich software stack and your host has all the right graphics intercept points, a client-centric graphics remoting can give you a great user experience over a relatively low-bandwidth connection. But if you have a less complex client device, are missing some important graphics intercept points on the host, or both, client-centric remoting will result in gaps in the experience, such as choppy video or missing graphics.
Today, bandwidth is less expensive and more widely available, and Windows users want a wide array of graphics types (for example, Silverlight, Adobe Flash, DirectX, Aero Glass, Windows Media, and so on). These changing conditions call for the addition of a new model that can support all graphics types, including 3-D, by sending highly compressed bitmaps to the endpoint device in an adaptive manner. We call this host-centric remoting.
You can ensure a consistent user experience for a wide array of devices if you follow the VDI model and move a large portion of the client software and hardware into the datacenter. With host-centric remoting, all the graphics can be intercepted on the host at a very low layer in the software stack. All graphics are rendered on the host into a single frame buffer (a temporary holding station for graphical updates) that represents the user’s display. Changes to the frame buffer are sent to the client at a frame rate that dynamically adapts to network conditions and the client’s ability to consume the changes. The changes are sent to the client endpoint as highly compressed bitmaps by using an encoding scheme optimized for Windows desktop content. The basic graphics requirement for the client endpoint is that it supports the ability to decode and display the highly compressed bitmaps that it receives from the host. At a minimum, the client needs the decoder counterpart to the encoder that was used on the host, as well as a basic graphics display capability.
If you’re wondering which remoting model to choose, you don’t have to. If you have a client device with a rich software stack and advanced processing capabilities, client-centric remoting makes sense. But to deliver completely on the promise of VDI for less powerful client devices, you also need host-centric remoting. We are adding RemoteFX as a new capability or “payload” to the RDP platform, while continuing to support and enhance our existing client-centric model. Whichever remoting model you use, the fundamentals of RDP are unchanged. RDP includes the same authentication, encryption, device redirection, and transport capabilities, independent of the remoting model being used.
through RDP channels using a lossless technique known as Huffman compression. (Lossless compression doesn’t lose any data during the compression/decompression process.)
NOTE Huffman compression encodes data based on the frequency of symbols in the data stream. If a symbol appears more often, its representative code is shorter than a character that appears only once. For more information on Huffman compression, see http://www.huffmancoding.com/my-family/my-uncle/huffman-algorithm.
Windows Server 2008 added a new codec, called NSCodec, for improving graphics compression over the wide area network (WAN) for 32-bit and 24-bit graphics (used only with RDC 5.1). This lossy compression algorithm is controlled by the following Group Policy object (GPO):
This compression mode is off by default because it is more memory-intensive on the endpoint (which can reduce the number of sessions that an RD Session Host server can support). However, it allows RDP to perform better over slower networks. To the user, the images still look fine—your eye puts the images together in the same way it does for a newspaper image. The more data that is lost in the compression process—which generally correlates to a higher degree of compression—the grainier the connection will look.
NSCodec works by degrading the graphics slightly (almost imperceptibly to the user), using the following techniques:
■ Splitting and combining color planes, which basically means sending all the color information at once instead of treating two types of colors as different “layers” in the image and sending them separately
■ Color space conversion (required for chroma subsampling)
■ Chroma subsampling and super-sampling, which reduces the variation in colors between adjoining pixels (which the human eye is less sensitive to) while maintaining the intensity. Reducing the color fidelity significantly reduces the amount of data that needs to be sent.
■ Color loss reduction
When the client and endpoint are negotiating their mutual capabilities (see the section entitled “Static Virtual Channels” earlier in this chapter), they determine whether the client supports both lossy compression (and how much color loss the client will tolerate) and chroma subsampling. Both require at least RDP 6.1 on the client.
304 CHAPTER 6 Customizing the User Experience
received data. If it can’t, then it will need the endpoint to send the character again.
ClearType remoting is off by default and isn’t recommended for wide area network
(WAN) connections.
As you can see, the choices you could make depend on the amount of bandwidth
available and are computer-wide. If you need to support both local and remote
users, one option would be to define a parallel farm for use via RD Gateway only.
(For more about RD Gateway, see Chapter 10, “Making Remote Desktop Services
Available from the Internet.”) If you did this, then you could use the compression
algorithm optimized for low-bandwidth scenarios and limit the color depth, then
provide greater color depth and a memory-optimized compression algorithm on
the endpoints for local use.
The RDP 7.0 FAQ
When the product group posted the RDS Team Blog entry announcing RDP 7.0
for Windows XP SP3 and Windows Vista SP1, we got a lot of questions. For
easy reference, we’ve organized and answered them here.
A separate installation of RDP 7.0 is not supported on earlier server operating sys-
tems as a client, and if you hack the install to install RDP7 on a server SKU (there are
instructions floating around the web for this, but none are supported or endorsed
by Microsoft), then this will not enable the new features of RDP7 on the endpoint.
As of this writing, there is no RDP 7.0 for Apple Macintosh operating systems, just basic connectivity. Microsoft does not make or support an RDP client for Linux.
Can I Use RDP 7.0 to Make Windows 7 Support Multiple Sessions?
No. Client SKUs support only a single active session at a time. This is by design; mul-
tiple sessions aren’t covered by the End User License Agreement (EULA).
Can I Split the Remote Display to Show Both Local and Remote
Desktops?
If a monitor is connected to the client, it will be used to display the remote ses-
sion. Using the tools provided, it is not possible to specify that a particular monitor
should be used for displaying the remote session and another should be used for
displaying the local desktop. It’s also not possible to hook up an external display
tool (like a projector) and show the local window on the projected image and the
remote session on the client’s monitor (or the reverse).
Moving the Client Experience to the Remote Session CHAPTER 6 307
The priorities mean that although configuration at these levels will be merged for the connection, if device redirection is not allowed at any of these levels, the redirection will be disabled for the user or machine(s) the setting affects. For example, if drive redirection is left unconfigured in Group Policy but enabled in RDC, it will be enabled for the connection. But if you enable drive redirection in RDC, yet it is disabled at the server level (in Remote Desktop Session Host Configuration), drive redirection to that server will be disabled. A lower-priority setting might be able to disable a setting enabled at a higher priority, but it can never enable something disabled at a higher priority.
Not all policies are configurable through all tools. Group Policy exposes all policies (except for the drives and devices plugged in later settings); other tools expose a subset. Because of the different ways you can control device and resource redirection, the options can be confusing. Table 6-2 summarizes the types of devices and resources that can be redirected; whether they can be controlled by Active Directory Users And Computers, RDC, Remote Desktop Session Host Configuration, or Group Policy; and what that controlled state is set to by default.
TABLE 6-2 Default Drive and Resource Redirection Settings for Active Directory Users And Computers, RDC, Remote Desktop Session Host Configuration Tool, and Group Policy Settings
[Table 6-2 columns: Active Directory Users And Computers User Environment Tab; RDC 7; Remote Desktop Session Host Configuration; Group Policy]
*In Remote Desktop Session Host Configuration, LPT port redirection will be disabled and not able to be edited (the check box will be shaded and unavailable to check) if this Group Policy setting, Use Remote Desktop Services Easy Print Printer Driver First, is enabled. The setting is located at Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Printer Redirection.
**Although there is a setting on the Environment tab in the user account Properties dialog box available from Active Directory Users And Computers, this setting has no effect. It was originally designed to be used by the Citrix MetaFrame add on to Windows 2000 Remote Desktop Services (before RDP supported drive redirection), and it isn’t used by RDP.
By default, most device redirection is not specified at the Group Policy level (the policies are available but not configured). To control device redirection via Group Policy, the GPOs that you would modify (and apply to the OU where the endpoint resides) are located at Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection. They are:
■ Allow Audio And Video Playback Redirection Audio and video playback redirection is disabled by default when connecting to a Windows 2008 R2 RD Session Host server but enabled for Windows 7, Windows Vista, or Windows XP. If this setting is unconfigured, audio and video playback redirection can be controlled using the Remote Desktop Session Host Configuration on a per-server basis.
■ Allow Audio Recording Redirection Audio recording redirection is not allowed by default when connecting to a Windows 2008 R2 RD Session Host server, but it is allowed by default when connecting to a Windows 7 endpoint. To change this default behavior, toggle this GPO (to Enabled for RD Session Host servers, or Disabled for Windows 7 endpoints).
■ Limit Audio Playback Quality You can limit the quality of audio playback by enabling this setting. Limiting audio playback quality can help save bandwidth over slow WAN links. You can set the audio playback to High (no compression), Medium (some compression, latency determined by the codec used), or Dynamic, which determines the best choice of playback quality given the bandwidth available to the connection.
■ Do Not Allow Clipboard Redirection Enable this policy to disable clipboard redirection to an endpoint. Clipboard redirection can also be controlled on a user basis in Group Policy with this GPO: User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do Not Allow Clipboard Redirection.
■ Do Not Allow COM Port Redirection Enable this policy to disable COM Port redirection. By default, COM Port redirection is allowed for RDS sessions. If your users don’t need it, stop COM Port redirection by enabling this setting. If you disable this setting, then COM Port redirection is always allowed. If this setting is left unconfigured, COM port redirection is not specified by Group Policy but can be specified using RD Configuration Tool on a per-server basis.
■ Do Not Allow Drive Redirection Enable this policy to disable drive redirection to an endpoint.
■ Do Not Allow LPT Port Redirection This setting does affect LPT printers. However, it will have no effect if you’re using RD Easy Print because that’s not redirected—it’s just sent to the client for processing. This setting can also be configured from either Active Directory Users And Computers or the Client Settings tab for RDP in Remote Desktop Session Host Configuration. Enable this policy to disable LPT Port redirection to an endpoint.
■ Do Not Allow Supported Plug And Play Device Redirection By default, this is not controlled by Group Policy, and users can choose to enable Plug And Play Redirection in the RDC client. Enable this policy to disable Plug And Play Redirection. It can also be controlled on a per-server basis using RD Session Host Configuration.
■ Do Not Allow Smart Card Device Redirection By default, smart card redirection is enabled for RDP 6.1 and later. Enable this policy to disable smart card redirection to an endpoint.
■ Allow Time Zone Redirection Time zone redirection is not allowed by default, and it is configurable only by GPO. See the section entitled “Redirecting Time Zones” later in this chapter for more information. Time zone redirection also does not work for pooled and personal VMs running client operating systems.
NOTE Although these policies are listed in the Remote Desktop Services section of Group
Policy, they apply to pooled and personal VMs as well (except for time zone redirection).
You can also disable redirection of specific types of supported plug and play devices with GPOs located at Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions, but you need to know the Device IDs or Device globally unique identifiers (GUIDs) of the devices for which you want to disable redirection. For example, to block redirection of a camera, enable the GPO called Prevent Installation Of Devices Using Drivers That Match These Device Setup Classes and input the Device Class of the specific device for which you want to block redirection.
To find out what a device’s GUID is, open Computer Management, select Device Manager, right-click a device, select Properties, select the Details tab, and in the Properties drop-down box, choose Device Class GUID. Right-click the value and choose Copy.
You can also alert the user that the device redirection has been blocked by policy restrictions by sending a pop-up message to the remote session. Enable either of these two GPOs and add a text message:
■ Display A Custom Message When Installation Is Prevented By A Policy Setting
■ Display A Custom Message Title When Device Installation Is Prevented By A Policy Setting
By default, device redirection is allowed on a per-RD Session Host server basis (except for audio and video playback). To disable specific device redirections, open the Remote Desktop Session Host Configuration on the server, double-click RDP-Tcp, select the Client Settings tab, and select the check box next to any of the following devices that you do not want to redirect:
■ Drive
■ Windows Printer
■ LPT Port
■ COM Port
■ Clipboard
■ Audio And Video Playback (disabled in RD Configuration by default)
■ Audio Recording
■ Support Plug And Play Devices
■ Default To Main Client Printer
Note that Default To Main Client Printer is more of an option than a redirection, but it is located in this pane. This toggles whether or not to make the client default printer the default printer in the remote session.
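The precedence rule described earlier in this section (a lower-priority level can disable a redirection but never re-enable one disabled higher up) can be checked directly on an RD Session Host. The following PowerShell script is an added example, not code from the book: it reads the Group Policy level and the RDP-Tcp listener level from the registry and reports the effective state of each redirection type. The two key paths and the fDisable*/fEnableSmartCard value names are my assumptions about which registry values back the settings named in the text; the book gives none of them, so confirm them against the ADMX files for your build before relying on the report. The client level is not covered, because it lives in each user’s RDC settings rather than on the server.

```powershell
# Added example (not from the book). Reports the effective device-redirection
# state on an RD Session Host from the two server-side levels the text
# describes: Group Policy (highest priority) and the RDP-Tcp listener.
# ASSUMPTION: the key paths and value names below are what I believe backs
# each setting; they are not given in the book.

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Redirection named in the text -> (assumed registry value, value meaning "disabled")
$Settings = @(
    @{ Name = 'Drive redirection';                Value = 'fDisableCdm';          DisabledWhen = 1 }
    @{ Name = 'Clipboard redirection';            Value = 'fDisableClip';         DisabledWhen = 1 }
    @{ Name = 'COM port redirection';             Value = 'fDisableCcm';          DisabledWhen = 1 }
    @{ Name = 'LPT port redirection';             Value = 'fDisableLPT';          DisabledWhen = 1 }
    @{ Name = 'Plug and Play device redirection'; Value = 'fDisablePNPRedir';     DisabledWhen = 1 }
    @{ Name = 'Audio and video playback';         Value = 'fDisableCam';          DisabledWhen = 1 }
    @{ Name = 'Audio recording';                  Value = 'fDisableAudioCapture'; DisabledWhen = 1 }
    @{ Name = 'Smart card redirection';           Value = 'fEnableSmartCard';     DisabledWhen = 0 }
)

function Get-RegistryDword {
    param([string]$Key, [string]$Name)
    # $null means the value is absent, i.e. the policy is "Not Configured".
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Resolve-RedirectionState {
    param([object]$GpoValue, [object]$ListenerValue, [int]$DisabledWhen)
    # Book rule: configured levels are merged, and a redirection is off if
    # *any* configured level says it is off. A lower level cannot undo that.
    $gpoDisabled      = ($null -ne $GpoValue)      -and ($GpoValue -eq $DisabledWhen)
    $listenerDisabled = ($null -ne $ListenerValue) -and ($ListenerValue -eq $DisabledWhen)
    if ($gpoDisabled)      { return 'Disabled (Group Policy)' }
    if ($listenerDisabled) { return 'Disabled (RDP-Tcp listener)' }
    if ($null -eq $GpoValue -and $null -eq $ListenerValue) { return 'Allowed (client decides)' }
    return 'Allowed'
}

function Get-RdsRedirectionReport {
    foreach ($s in $Settings) {
        $gpo      = Get-RegistryDword -Key $PolicyKey   -Name $s.Value
        $listener = Get-RegistryDword -Key $ListenerKey -Name $s.Value
        [pscustomobject]@{
            Redirection = $s.Name
            GroupPolicy = $(if ($null -eq $gpo)      { 'Not configured' } else { $gpo })
            Listener    = $(if ($null -eq $listener) { 'Not configured' } else { $listener })
            Effective   = Resolve-RedirectionState -GpoValue $gpo -ListenerValue $listener -DisabledWhen $s.DisabledWhen
        }
    }
}

Get-RdsRedirectionReport | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the RD Session Host. A row reading “Disabled (Group Policy)” is the case the text warns about: nothing in Remote Desktop Session Host Configuration or in the RDC client will turn that redirection back on.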
Assuming that you’ve not disabled device redirection by GPO or at the server level, any remaining device redirection setup occurs on the client. (If you have disabled device redirection at the GPO or server level, then there’s nothing to be done on the client—nothing that you do on the client will override Group Policy or choices made at the server level.) Run the Remote Desktop Connection (RDC) client. To configure device redirection, click the Options button in the RDC dialog box and select the Local Resources tab. The Printers and the Clipboard options are on this tab, but to choose to redirect other devices, you’ll need to click More to open the dialog box shown in Figure 6-2.
FIGURE 6-2 You can choose to make plug and play devices available in the remote session.
If you use smart cards for user authentication in your environment, then smart cards must be redirected so users can use them to authenticate their remote sessions. As shown in Figure 6-2, smart cards are redirected by default.
Serial port devices are not remoted by default; not many devices use serial connections these days. Likewise, drives are not remoted by default. Expand the Drives option to select particular drives that you want to make accessible in the remote session. (One option is Drives That I Plug In Later, so you can opt to add USB drives to the remote session using DVCs.)
Plug and play devices are not remoted by default, so you’ll need to enable their redirection to use them in the session. In Figure 6-2, there is a camera plugged into the client. If you select the check box next to Other Supported Plug And Play (PnP) Devices, when you connect to the remote session, the RD Session Host server will install the redirector driver and then display the drive in My Computer as though it were locally attached, as shown in Figure 6-3.
FIGURE 6-3 Redirected devices appear in the remote instance of My Computer, just as they do in the local instance.
IMPORTANT If you don’t see the PnP device automatically in the remote session—if
instead the endpoint prompts you to install drivers—then you probably haven’t previously
installed the Desktop Experience, which is required to use the PnP Device Redirection
Framework.
Redirected devices, such as the camera in the example, will disappear when unplugged and then will reappear when you plug them in again. When the session ends, all redirected devices disappear from the endpoint.
Therefore, it’s necessary to make sure that you restrict remote user access to key drives from remote sessions.
Perhaps less obviously, redirecting devices to a remote session might affect the experience for the person who’s benefiting from the redirection. Those remote devices must pass data back and forth between client and endpoint. The more data you pass, the more competition there is for bandwidth between client and server. RDP compresses data well (see the How It Works sidebar entitled “Tuning RDP Performance for LANs and WANs” earlier in this chapter), and it is quite responsive for LAN connections, but it can still be affected by large file transfers, like any other network—it’s just that large file transfers don’t affect the user’s typing when working locally.
Redirecting print devices can also ease management at the expense of performance. Because printing to redirected printers is much easier with RD Easy Print, it might be tempting to always print to redirected printers. This can be a good policy, but keep in mind the physical location of the printers. Every time the print job has to travel across the network, that’s one hop across a relatively slow connection. (A LAN might be quite fast, but it’s still slower than passing data between components on the same computer.) So if a client has a locally installed printer, that’s one hop. If the client has a network connection to a TCP/IP printer, that’s two hops (one to get to the client and one to get to the printer). If the client is connecting to a print server with connections to other printers, that’s three hops: one to get to the client, one to get to the print server, and one to get to the printer.
Attaching the printers to the RD Session Host server works sometimes, but it doesn’t always work well. One disadvantage is that this puts you right back to installing all the printer drivers on the RD Session Host server, with the management overhead that entails. For another reason, clients might be nowhere near the RD Session Host server—perhaps not even in the same country. But it’s worth keeping the “hop” count in mind when designing the printer arrangement, balancing it against the management requirements.
The bottom line is that the decisions you make about device redirection will be based on the circumstances in which you’re deploying RDS and the scenarios that you’ll need to enable.
DIRECT FROM THE SOURCE
Beginning in Windows Server 2008 and Windows Vista, we fixed this problem by
allocating a fixed percentage of bandwidth to video updates to the client. The rest
goes to virtual channel traffic for redirected devices. By default, this allocation is 70
percent for video and 30 percent for virtual channel data. When bandwidth usage is
constrained, video data is guaranteed to get 70 percent of the available bandwidth,
so the session will remain responsive.
Although this scheme solves the problem effectively, there could be some scenarios
in which you might want to tweak it a bit. You can adjust these settings by editing
the registry. Please note that these edits are not supported, and you will need to
reboot the RD Session Host server to see the changes take effect.
View or add the following list of registry values that affect the bandwidth allocation behavior. These are all DWORD values under HKLM/SYSTEM/CurrentControlSet/Services/TermDD.
● FlowControlDisable When set to 1, this value will disable the new flow control
algorithm, making it first-in–first-out (FIFO) for all packet requests. This provides
results similar to Windows Server 2003. (Default for this value is 0).
● FlowControlDisplayBandwidth/FlowControlChannelBandwidth These two
values together determine the bandwidth distribution between display and virtual
channels (VCs). You can set these values in the range of 0–255. For example, setting
FlowControlDisplayBandwidth = 100 and FlowControlChannelBandwidth = 100 will
make the bandwidth distribution equal between video and VCs. The default settings
are 70 for FlowControlDisplayBandwidth and 30 for FlowControlChannelBandwidth,
thus making the default distribution equal to 70–30.
● FlowControlChargePostCompression This value, if set to 1, bases the bandwidth
allocation on post-compression bandwidth usage. The default for this value is 0,
meaning the bandwidth distribution is applied on precompressed data.
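As an added example (not part of the sidebar), the PowerShell below reads the TermDD values just listed, falls back to the defaults the sidebar states when a value is absent, and expresses the two bandwidth weights as the percentage split they produce. The key path and the four value names come from the text; Get-TermDDFlowControl, Get-BandwidthSplit and Set-TermDDFlowControl are helpers of my own.

```powershell
# Added example (not from the book). The key path and value names are the
# ones the sidebar lists; the functions are my own. Writing the values is
# the unsupported tweak the sidebar describes and needs a reboot of the
# RD Session Host before it takes effect.

$TermDDKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermDD'

# Defaults the sidebar states for each value when it is absent from the key.
$FlowControlDefaults = [ordered]@{
    FlowControlDisable               = 0
    FlowControlDisplayBandwidth      = 70
    FlowControlChannelBandwidth      = 30
    FlowControlChargePostCompression = 0
}

function Get-TermDDFlowControl {
    # Returns one object with all four values, substituting defaults for
    # values that have never been added to the key.
    $p = Get-ItemProperty -Path $TermDDKey -ErrorAction SilentlyContinue
    $result = [ordered]@{}
    foreach ($name in $FlowControlDefaults.Keys) {
        $value = if ($null -ne $p -and $null -ne $p.$name) { [int]$p.$name } else { $FlowControlDefaults[$name] }
        $result[$name] = $value
    }
    [pscustomobject]$result
}

function Get-BandwidthSplit {
    param([int]$Display, [int]$Channel, [int]$Disable = 0)
    # The two weights (0-255 each) are relative, so 100/100 and 70/30 both
    # describe a ratio; report it as percentages of a constrained link.
    if ($Disable -eq 1) { return 'Flow control disabled: FIFO, display updates get no guaranteed share' }
    $total = $Display + $Channel
    if ($total -eq 0) { throw 'Both weights are 0; the ratio is undefined' }
    $displayPct = [math]::Round(100.0 * $Display / $total, 1)
    '{0}% display / {1}% virtual channels' -f $displayPct, (100 - $displayPct)
}

function Set-TermDDFlowControl {
    param(
        [ValidateRange(0, 255)][int]$Display,
        [ValidateRange(0, 255)][int]$Channel,
        [ValidateRange(0, 1)][int]$ChargePostCompression = 0
    )
    # Creates or overwrites the DWORDs; the sidebar's stated range is 0-255.
    $values = [ordered]@{
        FlowControlDisplayBandwidth      = $Display
        FlowControlChannelBandwidth      = $Channel
        FlowControlChargePostCompression = $ChargePostCompression
    }
    foreach ($pair in $values.GetEnumerator()) {
        New-ItemProperty -Path $TermDDKey -Name $pair.Key -Value $pair.Value -PropertyType DWord -Force | Out-Null
    }
}

$current = Get-TermDDFlowControl
$current | Format-List
Get-BandwidthSplit -Display $current.FlowControlDisplayBandwidth -Channel $current.FlowControlChannelBandwidth -Disable $current.FlowControlDisable
```

With the defaults in place the last line prints “70% display / 30% virtual channels”; after Set-TermDDFlowControl -Display 100 -Channel 100 and a reboot it reports an even split, which is the example the sidebar gives.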
Clipboard Redirection
The system clipboard allows users to transfer data between applications that are running on the same computer. First, a user copies data from one application, which places that data on the clipboard. Next, the user pastes it in another application. Because the clipboard stores the data, it’s possible to paste multiple times. Because the clipboard will store data in multiple formats, it’s possible to share information between applications that support different formats—for example, you can paste data from Microsoft Word to Notepad, even though Notepad does not support the docx format. Any application that uses the clipboard can share data between the local and remote session.
Clipboard redirection allows you to share the following between local and remote applications:
■ Generic data
■ Palette data to preserve the color of the data on the clipboard
■ Metafile data for storing an image in an application-agnostic format
■ The list of files to be transferred
■ File Stream data for transmitting pieces of an image (instead of the whole file) or separating the copy action for multiple files
To set up redirection, the client and server go through the following steps to initialize the connection shown in Figure 6-4:
1. The server tells the client the capabilities that it supports.
2. The server tells the client that it is ready and waiting.
3. When it hears that the server is ready, the client transmits its capabilities to the server.
4. The client notifies the server of a location on the client file system that can be used to deposit files being copied to the client. To use this location, the server must be able to access it directly. At this point, the client and the server capability negotiation is complete.
5. The server and client synchronize the Clipboard Formats that each supports, by mimicking a copy operation on the client by forcing it to send a Format List PDU.
6. The server confirms the list of supported formats.
FIGURE 6-4 Here is the clipboard redirection connection initialization sequence.
Two sequences comprise the data transfer between the clipboards on each end of the virtual channel: the copy sequence and the paste sequence. These sequences together copy data on the server clipboard to the clipboard of a client.
The copy sequence synchronizes the list of available formats across the client and the server clipboards. The endpoint is notified when the user updates the contents of the clipboard so it doesn’t have to keep polling the keyboard to get updates. When the clipboard is updated on the server, it sends a Format List PDU to the client containing an updated list of formats that are available on the endpoint. The client updates its clipboard format list and sends a Format List Response PDU back to the server.
The paste sequence transfers data from the server to the client clipboard. It gets invoked when an application on the endpoint requests data from its clipboard. When an application on the server requests data from the clipboard, the endpoint sends a Format Data Request PDU. The Format Data Request PDU contains a format ID of the type of data requested. The client responds with a Format Data Response PDU containing the data requested from its local clipboard.
NOTE If the data requested is a file, a File Contents Request PDU and File Contents
Response PDU are used to implement the transfer of files.
Figure 6-5 depicts a clipboard copy/paste function over an RDP connection. In the following scenario, there is data on the client clipboard that is requested from within the RDP session hosted on the server. Here are the steps:
1. Data from a client application gets copied to the clipboard.
2. The clipboard notifies the virtual channel on the client.
3. The VC on the client sends an updated Format List to the server.
4. The server’s VC receives the Format List and updates the clipboard on the server.
5. The server’s VC acknowledges that the update happened successfully.
6. The application on the server requests data.
7. The server’s VC requests the data from the client.
8. The client’s VC gets the data or file from the client’s clipboard.
9. The client’s VC sends the requested data or file back to the endpoint.
10. The VC on the server sends the data or file to the clipboard.
11. The clipboard sends the data to the application.
[Figure 6-5: clipboard copy and paste over the clipboard virtual channel. CLIENT column: Application, Clipboard, VC endpoint; SERVER column: Application, Clipboard, VC endpoint. Numbered flows: 1 data copied to clipboard; 2 clipboard notifies VC; 3 Format List PDU; 4 clipboard updated; 5 Format List Response PDU; 6 application requests data; 7 Format Data / File Contents Request PDU; 8 VC gets data; 9 Format Data / File Contents Response PDU; 10 and 11 data passed to the server clipboard and application.]
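The copy and paste sequences just described can be recognized on the wire by the message type carried in each clipboard-channel PDU. The PowerShell below is an added example, not code from the book: it builds a constructed stream of PDUs for a text paste followed by a file paste, decodes it message by message, and counts File Contents PDUs, which mark a file moving through the clipboard rather than through a mapped drive and are the kind of event a session auditor might want to log. The 8-byte header layout (msgType, msgFlags, dataLen, all little-endian) and the message numbers are taken from the MS-RDPECLIP specification, which the book does not reproduce; the byte strings are constructed test input, not a capture.

```powershell
# Added example (not from the book). Header layout and message numbers are
# from MS-RDPECLIP (not given in the text); the sample stream is constructed.

$ClipMsgTypes = @{
    0x0001 = 'Monitor Ready PDU'           # server: "ready and waiting" (init step 2)
    0x0002 = 'Format List PDU'             # copy sequence
    0x0003 = 'Format List Response PDU'
    0x0004 = 'Format Data Request PDU'     # paste sequence
    0x0005 = 'Format Data Response PDU'
    0x0006 = 'Temporary Directory PDU'     # client-side drop location (init step 4)
    0x0007 = 'Clipboard Capabilities PDU'  # init steps 1 and 3
    0x0008 = 'File Contents Request PDU'
    0x0009 = 'File Contents Response PDU'
}

function New-ClipPdu {
    param([int]$MsgType, [int]$MsgFlags = 0, [byte[]]$Data = @())
    # Header (2 + 2 + 4 bytes, little-endian) followed by the payload;
    # dataLen counts only the payload.
    $buf = [System.Collections.Generic.List[byte]]::new()
    $buf.AddRange([BitConverter]::GetBytes([uint16]$MsgType))
    $buf.AddRange([BitConverter]::GetBytes([uint16]$MsgFlags))
    $buf.AddRange([BitConverter]::GetBytes([uint32]$Data.Length))
    $buf.AddRange($Data)
    return [byte[]]$buf.ToArray()
}

function Read-ClipPduStream {
    param([byte[]]$Bytes)
    # Walks consecutive PDUs; stops on a truncated header or payload instead
    # of reading past the buffer.
    $offset = 0
    while ($offset + 8 -le $Bytes.Length) {
        $type  = [BitConverter]::ToUInt16($Bytes, $offset)
        $flags = [BitConverter]::ToUInt16($Bytes, $offset + 2)
        $len   = [int][BitConverter]::ToUInt32($Bytes, $offset + 4)
        if ($offset + 8 + $len -gt $Bytes.Length) { Write-Warning "truncated PDU at offset $offset"; break }
        [pscustomobject]@{
            Offset  = $offset
            Type    = $(if ($ClipMsgTypes.ContainsKey([int]$type)) { $ClipMsgTypes[[int]$type] } else { 'Unknown (0x{0:X4})' -f $type })
            Flags   = $flags
            DataLen = $len
        }
        $offset += 8 + $len
    }
}

# Constructed sample: copy sequence, a text paste (CF_UNICODETEXT = 13),
# then a file paste, in the order the numbered steps describe.
$stream = [byte[]](
    (New-ClipPdu -MsgType 0x0002 -Data (New-Object byte[] 12)) +                          # Format List (step 3)
    (New-ClipPdu -MsgType 0x0003 -MsgFlags 0x0001) +                                     # Format List Response, CB_RESPONSE_OK (step 5)
    (New-ClipPdu -MsgType 0x0004 -Data ([BitConverter]::GetBytes([uint32]13))) +         # Format Data Request (step 7)
    (New-ClipPdu -MsgType 0x0005 -MsgFlags 0x0001 -Data ([Text.Encoding]::Unicode.GetBytes("hi`0"))) + # Format Data Response (step 9)
    (New-ClipPdu -MsgType 0x0008 -Data (New-Object byte[] 28)) +                          # File Contents Request
    (New-ClipPdu -MsgType 0x0009 -MsgFlags 0x0001 -Data ([Text.Encoding]::ASCII.GetBytes('PK..')))
)

$pdus = Read-ClipPduStream -Bytes $stream
$pdus | Format-Table -AutoSize
$fileTransfers = @($pdus | Where-Object Type -like 'File Contents *').Count
"File-transfer PDUs seen: $fileTransfers"
```

For the constructed stream the table lists six PDUs and the last line reports two file-transfer PDUs. Feeding the decoder real channel data requires capturing the decrypted clipboard virtual channel, which is outside what this snippet does; its value is in showing which message types the copy and paste sequences produce.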
NOTE Device redirection is called an extension to basic RDP because it enhances the core RDP capabilities of graphics remoting and enabling mouse and keyboard input. The extension is also used as a base by other RDP extensions for printers, ports, and smart cards.
First, the protocol has to be initiated. The initiation sequence consists of an “announce and reply” exchange, a capabilities exchange, and a device list exchange between the client and the server, as follows:
1. The server and client exchange version information, and the client sends a Client ID to the server.
2. The client sends its computer name to the server.
3. Then the server and client exchange their capabilities—the list of features that will be sent over the virtual channel. The capabilities list in these exchanges can include both file system capabilities and capabilities for other extensions that piggyback on the File System Virtual Channel extension (such as the Port Virtual Channel Extension and the Print Virtual Channel Extension). If the capability is not included in this exchange, then the feature will not be supported over the channel and the subsequent device will not be redirected.
4. The server confirms that it got the client ID.
5. The client sends a Client Device List Announcement Request to the server containing information on all the devices that will be redirected, including file system devices, printers, serial ports, parallel ports, and smart cards. The server sends a Server Devices Announce Response message to the client indicating the success or failure of each device initiation.
After a successful initiation sequence, local file system devices can be used in the remote session as if they were local. The file system VC extension takes care of forwarding various I/O requests and responses between the client and server (reads, writes and queries, control requests, and so on) to the redirected devices.
Even though file system redirection uses static virtual channels, devices (for instance, flash drives) can be attached to the client and to the existing remote session while the session is active. When a new device is added to the client, the client notifies the endpoint and the endpoint confirms the changes. When a device is removed from the client, the client notifies the server that the drive is no longer available. Figure 6-6 illustrates how these communications facilitate drive (and other resource) redirection.
[Figure 6-6: CLIENT / SERVER exchange for drive and resource redirection]
1. The port redirection extension enumerates the local serial and parallel ports that need to be redirected, and the File System Virtual Channel Extension sends the information (containing unique IDs for each device) to the server.
2. When the server receives this request, it creates a pseudo-port device that emulates the client device. The pseudo-device’s ID matches the port ID on the client.
3. When the server creates the pseudo-port, it sends a Server Create Request to the client to open an instance of the port device.
Now that the pseudo-port is created on the server, the session can start using the port. The pseudo-port acts as a sort of intermediary between the application and the client when the port is used, sharing information that it receives from one with the other. Whenever an application on the server opens the pseudo-device, the server sends a message to the client containing application request parameters, and the client processes the data. Whenever an application on the server requests a read, write, or control operation on the pseudo-device, the port sends a corresponding message to the client for processing. The client in return processes the requests and sends a corresponding message back to the port containing the results of the request. The port forwards the results to the application that made the initial request. For these transactions, the server must maintain an association between the I/O requests from the applications and the responses from the client. It does so by tagging them with a matching ID called a FileID.
When an application attempts to close the port instance to the pseudo-device, the endpoint sends the request to the client. The client processes the request and responds with a confirmation (or an error).
Printers
For older printing models (RD Easy Print runs in its own DVC, so it does not use this extension), the RDS Print Virtual channel extension allows redirection of client-side printers in a remote session running on a server. The RDS Print VC Extension is a subprotocol within the RDP File System VC Extension and will only operate when the File System VC extension is working.
As part of the File System VC Extension setup, the client prepares and sends a Client Device List to the server (see the section entitled “File System Redirection” earlier in this chapter for more information) containing information on all the devices that will be redirected. The Print VC Channel Extension helps to create this list by preparing the printer device data (enumerating the printer queues, determining what printers will be redirected, and so on) that goes into the Client Device List. When the server receives the list, it creates a pseudo-printer queue that represents the client-side printer.
NOTE For more details on configuring RD Easy Print and standard printer redirection, see
the section entitled “Printing with RDP” later in this chapter.
Plug and Play Devices
The Device Redirection Framework introduced in Windows Server 2008 and installed when you install the Desktop Experience uses DVCs to enable Plug and Play (PnP) Device Redirection. This framework makes it possible to redirect certain types of devices from a client to a remote session. (Right now, it works only for specific types of devices, but the framework is designed to support potentially any kind of plug and play device.) Both local and remote applications can use the redirected devices, and the devices are visible only to the session in which they are started. Here’s the really good part—this process works without installing drivers for those devices on the endpoint. The device redirection framework uses the client-side drivers to enable the devices.
As far as possible, you won’t want to install drivers on a server or VM. Device drivers are not always reliable. If a driver crashes, it can affect the person using it (a user-mode driver) or crash the endpoint (a kernel-mode driver). Unfortunately, device drivers enable the operating system to communicate with hardware, so you don’t have a choice about using them. Microsoft doesn’t make all Windows drivers, so its control over this problem is limited.
RD Session Host Server in Windows Server 2008 R2, as well as Windows 7, is designed to minimize the dependency on device drivers. As you’ll see in the section entitled “When You Cannot Use RD Easy Print” later in this chapter, it’s not always possible to avoid using device drivers to enable client-side devices, and you will learn how to support them when you can’t avoid using them. But PnP Device Redirection and RD Easy Print help reduce the problems associated with using drivers. They don’t eliminate drivers entirely—you still need device drivers on the client—but they do keep the drivers off the server, as long as the client-side drivers support the framework.
The PnP Device Redirection Framework uses the components shown in Figure 6-7.
[Figure 6-7 labels. CLIENT (user mode and kernel mode): MSTSC.exe, PnP Redirector, I/O Redirector, RDP Virtual Channel, PnP Events, I/O Replay. ENDPOINT (user mode and kernel mode): Application, UmRdpService, Host Process, Redirection Driver, Reflected I/O, RDP Virtual Channel, PnP Protocol.]
FIGURE 6-7 Architecture of the PnP Device Redirection Framework.
On the client side is the RDC (Mstsc.exe), with a PnP redirector and an I/O redirector. [You can see these two components on the client in the form of the Remote Desktop Device Redirector (RDDR) in the System Devices section of the Device Manager.] RDDR manages two aspects of communicating with client-side mobile devices:
■ Inventory of which devices are present, their capabilities, and the data on them, handled by the PnP manager and passed to the PnP redirector
■ Reads from and writes to those devices (I/O replay), handled by the input/output (I/O) manager and passed to the I/O redirector
The PnP manager and I/O redirector both communicate with the driver stacks for the devices they’re managing, which then communicate with the hardware. The RDDR sends this communication to the session on the server via two virtual channels: one each for PnP-related traffic and I/O-related traffic.
On the server, the two virtual channels backed by RDDR both communicate with the Rdpdr.sys device driver in the RDP stack, which handles device redirection for RDP sessions. The PnP protocol passes the device management and I/O data between the RDP stack in kernel mode and the Remote Desktop Services User Mode Port Redirector service (the UMRDP service), which makes device redirection work. By sending the data to the session, the PnP protocol and port redirection service allow the devices to show up in the session.
Commun cat on w th those dev ces s hand ed through the User-Mode Dr ver Framework
(UMDF) The UMDF s part of the standard W ndows operat ng system— t’s not spec fic to RD
Sess on Host servers—and was or g na y deve oped to support dev ces such as cameras and
portab e mus c p ayers The UMDF has three components
■ Dr ver manager (user mode) n the form of the UmRDP Serv ce
■ Reflector (kerne mode)
■ Host process (user mode)
The driver manager is a system-wide Windows service started when the first UMDF device is installed. It manages the host process and responds to messages from the reflector.
The reflector is the proxy for the kernel-mode stack for the drivers. It lives in the kernel, but it is not a driver—its role is to send messages to the correct driver running in user mode. Every time an application makes an I/O request that involves the UMDF, the request goes through standard security vetting and is then passed to the reflector.
The host process is a child process of the driver manager (so that if it crashes, it won't bring down the driver manager). The host process accepts messages from the driver manager (to load drivers) and from the reflector (to accept requests to those drivers).
The three components work together like this: An application makes an I/O request that requires a user-mode driver. (Which one isn't important for the general case described here.) The request goes to the reflector. The reflector passes this request to the UMDF framework within the host process. The framework either sends the job to the appropriate driver or sends it back to the reflector if no driver is available. Next, the reflector sends the request back to the driver manager to tell the host process to load an additional driver.
The UMDF host can manage any compatible user-mode driver. In this case, RDS has implemented a redirector driver whose job is to communicate with Rdpdr.sys in the RDP protocol stack. Therefore, the redirector driver's job is to accept the messages passed to it by the reflector, which receives those requests from the application running in the remote session that's trying to access the redirected device.
For example, the pieces can communicate something like this:
1. An application running in the remote session makes a request to copy a picture from a client-side media device.
2. The I/O request (to copy a file from the plug and play device) goes to the kernel-mode UMDF reflector.
3. The UMDF reflector passes the request to the UMDF host process, which determines that the request came from the remote desktop session and uses the UMDF driver manager to route it to the user-mode redirection driver.
4. The redirection driver sends the request to Rdpdr.sys, in the protocol stack.
5. Rdpdr.sys sends the request to the Terminal Server Device Redirector (TSDR) on the client via the VCs.
6. TSDR communicates with the I/O manager to satisfy the request.
Today, only devices supporting the Media Transfer Protocol (MTP) and Picture Transfer Protocol (PTP) can be redirected using the PnP Device Redirection Framework (and not all devices supporting those protocols are supported with RD Session Host Servers or pooled and personal VMs). However, the framework is designed to be extensible, so other types of devices can be redirected as well.
NOTE Although time zone redirection has been supported since Windows Server 2003, the user policy controlling it was introduced in Windows Server 2008. In Windows Server 2003, you could enable or disable this setting only on a computer-wide basis.
clients capable of returning the client computer's time zone (RDP 5.1 and later) will do so. To disable it, either don't configure the policy or disable it.
NOTE The time zone redirection GPOs work only on RD Session Host servers, not when
connecting to pooled or personal VMs.
Playing Audio
RDP 7.0 supports two kinds of audio redirection from endpoint to client: one using host-based rendering and one using client-based rendering. In the first, the audio is rendered on the server and sent to the client. In the second (introduced in RDP 7.0), the audio is sent from the endpoint to the client for rendering. The first version has great backward compatibility as this feature was introduced in Windows Server 2003. The second, available only with RDP 7.0 and when connecting to Windows 7 or Windows Server 2008 R2, has the advantage of perfectly synching audio and video playback because they're rendered on the client.
In addition to remoting audio from endpoint to client, RDS can remote audio from client to endpoint, enabling users to record themselves at their computers while working in a remote location.
FIGURE (client/server audio capability exchange; labels: Version, Formats, UDP YES/NO)
• The client can consume audio data. (If this flag isn't set, then the endpoint won't send audio data to the client.)
• The client can change the volume on the audio if it's changed in the session.
• The client can adjust the pitch if it's changed in the session.
3. The server and client sort out whether to use UDP to send the audio traffic to the server.
If the client is running Windows XP SP1 or later, then the client can accept the audio data sent to it via UDP. The fact that it can doesn't mean it will—the server might override the client and send the information via a static virtual channel. The decision process works like this:
• If the server is running Windows XP SP1 or earlier, it will always use UDP communications if the client supports them.
• If the endpoint is running Windows XP SP2 or SP3, then if the client version is greater than 5 (meaning that the client is running Windows XP SP2 or later) the server will send audio data to the client via UDP.
After the client and server have established how they can communicate, clients using UDP will work out with the server which port they're using and get the UDP communications set up.
NOTE Although audio traffic sent via UDP isn’t covered by RDP encryption, part of the
UDP configuration is setting up encryption between the client and server.
If the communication is happening on static virtual channels and both server and client are running Windows 7 or Windows Server 2008 R2, then they will work out how much control the session can have over the audio. There are three flags that the client can send to tell the server how it wants to adjust the audio quality:
■ For the lowest-quality audio, the server dynamically adjusts the audio format to best match network bandwidth (the size of the pipe) and latency (the speed of the pipe).
■ For medium quality, the server picks a format that the client supports that is also the best compromise between quality and available bandwidth.
■ For high quality, the server chooses the audio format the client supports that also will deliver the best audio, regardless of the bandwidth requirements.
That just set up the communications between client and server, but the actual data transfer is much simpler. In a nutshell, when communication happens along a static virtual channel, the server first tells the client what audio to expect next (with a short segment of the actual content), then sends the audio. After each transmission, the client sends an acknowledgment. To adjust the volume of the audio being sent to the client, the server will send a packet telling the client what the volume should be (in absolute terms, not relative to what it might have been previously).
Multimedia Redirection
Multimedia redirection, introduced with Windows 7 and Windows Server 2008 R2, is a bit different from standard audio redirection. In this feature, any content that can be played with Windows Media Player can be sent to the client to be rendered using the client's copy of Windows Media Player, as long as the following conditions apply:
■ The server is running Windows 7 Ultimate or Enterprise edition or is an RD Session Host server.
■ The user is not connecting with an /admin connection.
■ The client is connecting via RDC 7.
■ The client has Windows Media Player installed.
At a high level, in multimedia remoting, multimedia content is sent from client to server via a single DVC. Within the DVC are subchannels for sending the audio and video updates (see Figure 6-9).
To enable advanced graphics remoting, open Server Manager on the RD Session Host server. In the Client Experience section, make sure that you've checked the box for Audio recording redirection. Windows 7 Enterprise and Ultimate edition don't require additional configuration to support this feature.
To record from within a session, you'll need to enable this feature on the client. Open the RDC client and expand the options. Select the Local Resources tab and click the Settings button in the Remote Audio section. In the Remote Audio Recording section, make sure that Record From This Computer is selected.
NOTE For the sake of readability, this table will not attempt to show the myriad subcases (for example, the user experience when connecting to an RD Session Host server via an /admin connection). The most important thing to remember is that the full set of RDP 7.0 features is available only when connecting to a Windows Server 2008 R2 RD Session Host server or a Windows 7 Enterprise or Ultimate edition computer, and using the RDC 7 client.
TABLE 6-3 (columns: Client Operating System, Max Supported RDC, Server, RDP Experience)
As you can see from Table 6-3, the RDP experience is never greater than the lowest RDP version supported on the client and server (remember that an RDC client connects to an RDP listener version on the server). Installing RDC 7 on the endpoint does not update the listener; it just updates the client component. There is no way to upgrade the listener without upgrading the server's operating system. Therefore, whichever has the lowest version (client RDC or server listener) is the version that will determine the user experience.
For the specifics of the user experience when connecting to an RD Session Host server or Windows 7 Enterprise or Ultimate edition, see the following sections.
Connectivity Experience
Table 6-4 describes how users can connect to the RemoteApp programs and VMs assigned to them. For basic connectivity, the version of the server isn't critical; as long as users have permission to make the connection (and the server isn't running Windows 7 Premium, which does not allow incoming RDP connections), this will work.
TABLE 6-4 Client RDC Version Determines the Connectivity Experience
User Experience
Table 6-5 describes the features available to users when they are connected. This time, version matters. Assume here that the server is an RD Session Host server or Windows 7 Ultimate or Enterprise edition. Windows 7 Professional (for example) will not have the full complement of features.
In Table 6-5, the "true" and "spanning" descriptions for multi-monitor support detail the way the feature manifests. In true multi-monitor support, the video driver on the endpoint can distinguish between all the monitors connected to the display and treats them independently. In the spanning multi-monitor support available with RDP 6.0 and 6.1, the endpoint's display driver treats all client-connected monitors as a single device. There's one catch to true multi-monitor support: It does not work with Aero Glass. If you have more than one monitor, Aero Glass will be disabled.
TABLE 6-5 (columns: Connecting From, Description, RDC 7, RDC 6.1, RDC 6.1, RDC 5.2)
Printing to a Directly Connected Printer
The simplest way to provide printing capabilities from a server is to install the printer directly onto it. Every user logging onto the server will (given the proper permissions) have access to the printer, no matter where he or she is remoting from. The printer can be a network printer (perhaps shared from a print server), a directly connected printer (via USB or parallel port connection), or an IP-based printer located on the LAN.
Printing to directly connected printers on a high level works like this:
1. An application creates a print job and sends it to the print spooler.
2. The spooler does any conversion necessary and sends the resulting spool file to the printer driver (or to the spooler on another machine, for example, a print server, which will pass it to its printer driver).
3. The printer driver sends the file to either a GDI print device or an XML Print Specification (XPS) print device.
HOW IT WORKS
A GDI printer accepts enhanced metafile (EMF)–formatted files, and an XPS print
device accepts XPS formatted files, so depending on what type of initial file an
application creates (XPS or EMF), it might need to be converted to the format that is
accepted by the print device.
NOTE For more information on the GDI and XPS print paths, refer to MSDN
at http://msdn.microsoft.com/en-us/library/ms742418.aspx.
Figure 6-10 maps the different scenarios for printing to a GDI print device from different types of applications.
FIGURE 6-10 (diagram labels: Print Spooler; Win32 Application; EMF print job)
A .NET application will create a print job and send it to the print spooler, where it
goes through the .NET XPS to GDI conversion module (when native conversion is
not available). The print spooler processes the resulting EMF file and sends the print
job to the print driver, which sends the job to the print device.
Figure 6-11 maps out different scenarios for printing to a XPS print device from
various types of applications.
FIGURE 6-11 Files printed to an XPS print device might need conversion depending on the file type initially created. (Diagram labels: Print Spooler; WPF Application (.NET App); XPS print job.)
If an application creates an XPS file, it needs no conversion. The print spooler passes
the XPS file to the printer driver, and the printer driver sends the print job to the
XPS print device.
Installing the printer drivers on the endpoints works well in scenarios where the print devices, print servers, and endpoints are all located on the same LAN, preferably where workers can reach this printer easily on foot. It's easier to implement for RD Session Host servers than VMs—there's less installing because VMs are single-user—but it's technically possible on both.
Attaching a printer directly to the server is not such a good idea in highly distributed scenarios, especially if there's a WAN involved. Printing speeds can be dramatically affected by high-latency networks. Not only that, but you could have users walking a long way for a printed document—possibly to Germany from New York, if the printers are all clustered around the RD Session Host servers in the Frankfurt data center. Finally, installing printers on each pooled or personal VM is a hassle to manage. When it's not practical to attach the printers to the endpoints, the benefits of print redirection really stand out.
client (also used with Windows Server 2003) that uses drivers on the printer. The following sections explain how printer redirection works for RDP 6.0 clients and earlier, and how the RD Easy Print mode works; both might be applicable to Windows Server 2008 R2.
NOTE On the server side, you do not need a matching printer installed—just the printer driver. On a Windows Server 2008 R2 RD Session host server, you add print drivers by adding and then deleting a printer (leaving the driver behind) or by highlighting a printer that is already installed, clicking the Print Server Properties link, navigating to the Drivers tab, and clicking Add.
NOTE Wnotify.dll monitored system events in previous versions of Windows but was
replaced with SENS beginning in Windows Server 2008 and Windows Vista.
To redirect client-side printers to the remote desktop session automatically, these components cooperate in the following ways:
1. The client, Mstsc.exe, connects to a server and goes through the connection and logon sequence. Winlogon.exe remains loaded in the user session, as does Winsta.dll, used for configuring the terminal session.
2. Via Winsta.dll and the remote connection manager, Rdpwsx.dll is notified of the new connection and notifies Rdpdr.sys.
3. Rdpdr.sys sends a packet requesting that the printers for the new session be enumerated.
4. The client collects the following information from the client and sends it to the session, where it is passed by Rdpwsx.dll to Rdpdr.sys:
• Printer configuration data available, including name, driver name, paper orientation, default status, and so forth—everything standard for a Windows printer, but nothing contained outside the Windows printer configuration dialog boxes
FIGURE 6-12 Rdpdr.sys creates a corresponding print port for each queue that the client sends.
NOTE Group Policy controls whether all printers are redirected, or just the client
default printer. If it’s the latter, only the client default printer is created in the remote
session.
6. Rdpdr.sys also tells the PnP application programming interfaces (APIs) that new printers are available. These APIs notify the spooler (Spoolsv.exe) of the new printers for that connection. The spooler has Usbmon.dll enumerate the available ports, as copied from the client and renamed on the session. The spooler updates the client's registry to make the printers available to them.
NOTE In Windows Server 2003, the spooler service was not session-aware and updated HKCU for everyone logged on to the RD session host server, so that users ended up with printers in their profiles that belonged to other users. They couldn't use them, but they were recorded in the registry. The CPU cycles the spooler service used in order to write to all the copies of HKCU strained the RD Session Host server. This has been changed in Windows Server 2008 so that a user's printers are written only to the user's copy of HKCU.
7. Winlogon.exe notifies SENS that the session is created. SENS waits for disconnect or logoff events so that it can tell Rdpdr.sys when to tear down the mapped ports.
8. SENS does the following:
• Ensures that the printer has a corresponding driver available on the endpoint
• Sets the client's default printer to be the default printer in the session
• Adds the new printer queue to its list of devices
• Sets the default security for the printer so that the logged-on user has read/write/print permissions to the printer queue and the administrator has full control
The printers should now appear in the remote session as TS001 to TS00n. If the printers are not appearing, check the following:
■ The client and the server must have a matching driver installed for each printer that will be redirected. If there is no driver match, you will see event ID 1111 logged in the System Event Log on the endpoint.
■ Client printers are allowed to be redirected. This policy can be set in RD Session Host Configuration (in the RDP settings), in Active Directory Users And Computers, and in Group Policy. You'll find out more about how to do this in the section entitled "Controlling Printer Redirection" later in this chapter. Printer redirection abilities are also controlled by the Printers check box located on the Remote Desktop Connection client's Local Resources tab.
■ Rdpdr.sys must be functioning properly. If no devices are being redirected and policy permits redirection, open Device Manager and inspect the contents of System Devices to find the RD Session Host server Device Redirector and see if it's working properly.
■ The Remote Desktop Services UserMode Port Redirector service on the server must be running. If it's not, then start it and disconnect and reconnect all sessions. Because printer queues are built at the beginning of the connection, simply restarting this service won't restore printer queues.
■ The Print Spooler service on the server must be running.
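As an added example (not from the book), the following PowerShell script runs that checklist on the RD Session Host server and then lists the redirected queues with the port and driver each one resolved to. Names that do not appear in the text above are assumptions based on Windows Server 2008 R2: the service name UmRdpService, the fDisableCpm policy value under the Terminal Services policy key, and the Device Redirector display-name pattern used to find Rdpdr.sys in Device Manager.

```powershell
# Added diagnostic for the printer-redirection checklist; not part of the book.
# Run from an elevated PowerShell prompt on the RD Session Host server.
# Assumed names: service UmRdpService (Remote Desktop Services UserMode Port
# Redirector), policy value fDisableCpm ("Do not allow client printer redirection"),
# and the "*Device Redirector*" display-name pattern for the Rdpdr.sys device.

$checks = @()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:checks += New-Object PSObject -Property @{ Check = $Name; OK = $Ok; Detail = $Detail }
}

# 1. Both services must be running: the Print Spooler and the UserMode Port Redirector.
foreach ($svcName in 'Spooler', 'UmRdpService') {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if ($svc -eq $null) { Add-Check "Service $svcName" $false 'not installed' }
    else { Add-Check "Service $svcName" ($svc.Status -eq 'Running') "$($svc.Status)" }
}

# 2. Policy: fDisableCpm = 1 means Group Policy blocks client printer redirection.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$pol = Get-ItemProperty -Path $polKey -Name fDisableCpm -ErrorAction SilentlyContinue
$blocked = ($pol -ne $null -and $pol.fDisableCpm -eq 1)
Add-Check 'GPO allows client printer redirection' (-not $blocked) `
    $(if ($pol) { "fDisableCpm=$($pol.fDisableCpm)" } else { 'not configured' })

# 3. Rdpdr.sys: the Device Redirector should be listed with no Device Manager error code.
$rdpdr = @(Get-WmiObject Win32_PnPEntity | Where-Object { $_.Name -like '*Device Redirector*' })
if ($rdpdr.Count -eq 0) {
    Add-Check 'Device Redirector present' $false 'not found in Win32_PnPEntity'
} else {
    Add-Check 'Device Redirector present' ($rdpdr[0].ConfigManagerErrorCode -eq 0) `
        "$($rdpdr[0].Name), ConfigManagerErrorCode=$($rdpdr[0].ConfigManagerErrorCode)"
}

# 4. Driver mismatches: event ID 1111 in the System log means no matching driver on the server.
$mismatch = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1111 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue)
Add-Check 'No recent driver-mismatch events (ID 1111)' ($mismatch.Count -eq 0) "$($mismatch.Count) event(s)"

$checks | Format-Table Check, OK, Detail -AutoSize

# Redirected queues: name carries "(redirected N)", port is TSnnn, driver shows what was matched.
Get-WmiObject Win32_Printer |
    Where-Object { $_.Name -match '\(redirected \d+\)$' -or $_.PortName -like 'TS*' } |
    Select-Object Name, PortName, DriverName |
    Format-Table -AutoSize

# The 1111 event message names the printer and driver the client sent, which tells you
# which driver to add on the server (or which printer to move to RD Easy Print).
$mismatch | Select-Object TimeCreated, Message | Format-List
```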
4. Assuming that the print job is going to a redirected port (identified as TSXXX), the spooler sends the print job to the dynamic port monitor (Usbmon.dll).
5. The dynamic port monitor transfers the spool file to Rdpdr.sys, which sends the data to the appropriate RDS client, where it's sent to the appropriate printer.
To sum up, most of the processing is done on the server, the drivers must be present on the server (so that the GDI or XPS Print API can format the data stream appropriately for the selected printer), and there's a lot of data conversion (for example, EMF files actually get converted to RAW format when sent to a PostScript printer). Every time you convert data from one format to another, there's a risk of data loss.
RD Easy Print is supported by clients running RDP 6.1 or later. The older format described previously is still supported for older versions of RDP, but RD Easy Print is the preferred method because of its lower management and bandwidth overhead. As explained previously, Windows 7, Windows 2008 R2, and Windows Vista and Windows 2008 with a platform upgrade all support XPS natively. Windows 2003 and Windows XP require .NET Framework to do the conversion to XPS.
Like older printing methods, RD Easy Print must render data into a WYSIWYG format and pass that data from the endpoint to the client where the printer is located. Where Easy Print differs is in the rendering and spooling process. Basically, Easy Print takes a print job request and does only enough processing on the server to get the print job to the client, as illustrated in Figure 6-13.
FIGURE 6-13 (diagram labels. Server: Print Spooler; WPF Application (.NET App), XPS print job pass through; Win32 Application, GDI to XPS native conversion on Windows Vista (w/update), Windows 7/Windows Server 2008 R2; XPS spool file gets passed via RDP to the Remote Desktop Client. Client: Remote Desktop Client with RD Easy Print plug-in; Print Spooler; XPS print job pass through to XPS spool file, XPS printer driver, XPS print device; XPS to GDI conversion, native on Windows Vista (w/update), Windows 7/Windows Server 2008 R2, or via .NET Framework 3.0 SP1 on Windows XP/Windows Server 2003/Windows Vista (w/o update)/Windows Server 2008 RTM, to EMF spool file, GDI printer driver, GDI print device.)
The printing process works like this:
1. The user starts a print job from an application running in the remote session.
2. The print job is converted to an XPS file, natively (this step is skipped if the file is already in XPS format).
3. The XPS file is sent to the RD Easy Print plug-in in the RDC client.
4. XPS files destined for an XPS printer are passed to the XPS print driver. XPS files destined for a GDI printer are converted to EMF spool files and then passed to the GDI printer driver.
5. The print job goes to the printer.
The most important concept to remember in this process is that you don't have to install printer drivers on the server. RD Easy Print uses a proxy driver on the server to pass print jobs to the client for printing. Because of this, all client printers are available in the remote desktop session. By using RD Easy Print, you no longer have to match drivers on the endpoint with drivers on the client, and there is no risk of server crashes due to crashing kernel-mode print drivers or spooler crashes stemming from a problem driver.
Like other device redirection, RD Easy Print uses virtual channels to let you configure the printing properties application directly on the client. When a user clicks a printer's preferences from a session, the RD Easy Print driver on the endpoint intercepts this call and sends the request to the RD Easy Print plug-in on the RDC client. The client calls the client-side printer driver, which brings up the printing preferences dialog box on the client. Therefore, the preferences that you get when you print from a client are the same preferences that you get when printing from an RDS session.
NOTE Although the following discussions are about printing, they apply to faxing as well.
Faxing works just fine with RD Easy Print—simply set up the fax on the client. When the
client chooses to send a fax, the client-side dialog box opens to prompt the user for the
contact information. Scanning is not supported in native Windows Server 2008 R2, but it is
enabled by several third-party products.
endpoint. In the previous version of Terminal Services, the .NET Framework was also required to convert XPS to GDI for output on GDI printers and to convert XPS to GDI for output with XPS printers. One of the biggest improvements to RD Easy Print in Windows 7 and Windows Server 2008 R2 is that the .NET Framework is no longer needed to do this conversion—it's built into the operating system. In addition, with the right service pack and platform update installed, Windows Server 2008 and Windows Vista no longer require the .NET Framework either when acting as clients.
NOTE The platform update for Windows Vista and Windows Server 2008 is downloadable
from the Microsoft website at http://support.microsoft.com/kb/971644. Windows Server
2008 requires Windows Server 2008 Service Pack 2 in order to install the update, and
Windows Vista requires Windows Vista Service Pack 2.
Windows XP still requires the .NET Framework 3.0 SP1 or later be installed. Table 6-6 provides a list of situations in which the .NET Framework is no longer required to use RD Easy Print.
CLIENT                                                                               SERVER
Windows Vista SP2 with RDC 7 and KB971644 installed (http://support.microsoft.com/kb/971644)   Windows Server 2008 R2
Windows Vista SP2 with RDC 7 and KB971644 installed                                  Windows 7
Windows 7                                                                            Windows Server 2008 R2
Windows 7                                                                            Windows 7
Windows Server 2008 with SP2 and KB971644 installed                                  Windows 7
Windows Server 2008 R2                                                               Windows 7
Windows Server 2008 with SP2 and KB971644 installed                                  Windows Server 2008 R2
RD Easy Print is not meant for all situations. So it's not available, for example, from a Windows 7 client remoting to a Windows XP server. RD Easy Print is also not available in any session when you make an administrative connection (mstsc /admin). Table 6-7 and Table 6-8 show situations in which RD Easy Print will and will not work. This is helpful when you're trying to determine what's wrong, only to realize that the server that you attempted to use RD Easy Print on was a domain controller to which you had an administrative connection.
NOTE Some of these scenarios work or don't work depending on whether or not RD Session Host Server role service is installed on the server. These are noted by entries in the last column.
TABLE 6-7 Scenarios When RD Easy Print Will Work

CLIENT                                                  SERVER                                                  IF
Windows XP with SP3 and .NET Framework 3 SP1 and higher   Windows Server 2008                                     Terminal Services is not installed
Windows Server 2008 R2                                  Windows 7 Professional
Windows Server 2008                                     Windows 7 Professional
Windows XP with SP3 and .NET Framework 3 SP1 and higher   Windows 7 Professional
Windows Server 2008 R2                                  Windows XP SP3 and .NET Framework 3 SP1 and higher
Windows Server 2008                                     Windows XP SP3 and .NET Framework 3 SP1 and higher
Windows 7 Ultimate/Enterprise/Professional              Windows XP SP3 and .NET Framework 3 SP1 and higher
Windows XP SP3 and .NET Framework 3 SP1 and higher      Windows XP SP3 and .NET Framework 3 SP1 and higher
Windows Server 2008                                     Windows Server 2008                                     Terminal Services is not installed
NOTE In some instances (noted in Table 6-8), you can get RD Easy Print to work with
Windows 7 Professional, but it is not supported officially.
Let's review the scenario. A user logs on to ASHPersonalVM1. Some printers are available, as shown in Figure 6-14.
The user creates a session on Farm1.ash.local. Opening the Printers console in the session, you can see that all four printers have been redirected and are available in the remote desktop session. The redirected printers are designated by the name of the printer plus the redirected session ID number (which is redirected 3 in this example), as shown in Figure 6-15.
FIGURE 6-15 Redirected printers are designated by the session ID number.
NOTE In the older printing model, redirected printers were named according to this
format: Client Printer Name (from Client Computer Name) in session number X. In
Windows Server 2008 and Windows Server 2008 R2, redirected printer names now follow
this format: Client Printer Name (redirected session ID). This makes it easier to read the
names and distinguish them from other printers when many printers are available.
Highlighting the printer reveals the driver used for the printer in the lower section of the window (as the Model). As the highlighted printer in Figure 6-15 shows, the printer is using the Remote Desktop Easy Print Driver.
The user opens Notepad, creates a text file, and then chooses File, Print. The Print dialog box appears, and the user selects the default redirected printer and then clicks the Preferences button in the upper-right area of the printer dialog box. The printer Properties dialog box appears. If the RDP session is open in full-screen mode, the printer Properties dialog box appears to be part of the session. But if the RDS session is viewed in a smaller window, as shown in Figure 6-16, the user can actually drag the printer Properties dialog box out of the window. That is because this dialog box is running not in the remote desktop session but from the local computer, because it's using the local driver.
FIGURE 6-16 The Printing Preferences dialog box is superimposed over the session window.
When You Cannot Use RD Easy Print
RD Easy Print works a lot of the time, but it does not work all the time. With so many printers out today, you are bound to run into a few that just do not respond well to RD Easy Print (either they won't print or they print badly). In these cases, you will need to rely on the older printing method—installing drivers on the endpoint.
The RD Easy Print driver is installed by default on Windows XP SP3 and later, and using the RD Easy Print driver for printer redirection is also enabled by default. To make the server look for printer drivers instead of using the RD Easy Print driver, you must change the sequence in which the RD Easy Print driver will be used. The endpoint will try to use the RD Easy Print driver for printer redirection first and resort to other printer drivers only if the RD Easy Print driver is not available. Set one of the following GPOs to reverse this (make the endpoint use printer drivers first, and then RD Easy Print):
■ On a computer basis: Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection\Use Remote Desktop Easy Print Printer Driver First
■ On a user basis: User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection\Use Remote Desktop Easy Print Printer Driver First
If this policy is enabled or not configured, the server reflects its default behavior: RD Easy Print driver first, other drivers second. To make the server look for other printer drivers before it attempts to use RD Easy Print, set the policy to Disabled. This does not disable RD Easy Print, but the server will attempt to use the RD Easy Print driver only if a matching printer driver is not available.
HOW IT WORKS
The RD Easy Print driver is installed by default. You can delete it, but it will reinstall again when you reboot. It's also available for manual reinstallation as part of the Windows Server 2008 R2 driver set. If you do remove the RD Easy Print driver from the endpoint and your endpoint is running Windows 7 or has the RD Session Host role service installed, then no redirection will happen at all if the preceding GPO is enabled or not configured. The endpoint will attempt to use the RD Easy Print driver that is missing and will not look for other printer drivers to use; printer redirection simply fails. There is no supported method for removing the RD Easy Print driver permanently.
Distributing Drivers to Endpoints
If you have problems using RD Easy Print with certain printer models, you'll need to revert to the older printing model, which means installing printer drivers on the server. The challenge here is how to get the drivers onto the endpoints (and distribute them to other endpoints after they are tested).
If a printer driver is included with the operating system, the server will install the driver automatically if it's needed and the person attempting to use it has the right permissions. But what if the printer driver is not included in the operating system?
You can use Group Policy and the Print Management Console (PMC) to distribute the drivers without touching every server. You install the printers (so that the drivers are installed) but then you delete the printers. This second step is critical, because it keeps users from being confused by printers that they can see but don't have permission to print to or that do not actually connect to an actual print device.
In Windows Server 2008 R2 and Windows 7, you can use Group Policy to deploy the printers to each server. When you apply and then remove the GPO, the printers get removed, but the drivers remain. Here are the steps to perform:
1. First, add the printers by opening the PMC, right-click the printer server, and choose Add Printer to open the Network Printer Driver Wizard. The printers do not have to work because they are only temporary to facilitate distributing the printer drivers.
2. After your printers are installed, use the PMC to create the GPO for deploying printers. (PMC is installed as part of the Print Server role.) In the PMC, navigate to the Printers section, right-click each printer that you want to deploy, and choose Deploy With Group Policy, as shown in Figure 6-17.
FIGURE 6-17 Click Deploy With Group Policy to create a GPO to deploy printers to endpoints.
3. Browse and select the GPO that you want to use to contain the printers that you will distribute, or, if you want to use a new GPO, click the Create New Group Policy Object icon, as shown in Figure 6-18.
FIGURE 6-18 Create a new GPO to use to distribute printers.
4. Name the new GPO something descriptive, like “Deploy Printers To Endpoints,” and click OK. Select the check box next to the computers that this GPO applies to (per machine). Then click Add to add the printer to the list. Then click OK. Do this for every printer that you want to deploy.
NOTE If you look at this GPO in the Group Policy Management console (GPMC), you
will see the path for which the setting is located: Computer Configuration Policies
Windows Settings Printer Connections. But if you try to create a policy manually (not
using the PMC), you won’t be able to get to the Printer Connections GPO. It will not
show up in the GPMC.
5. When the GPO is complete, apply it to each OU where your servers reside. Next, forcibly update the policies on the endpoints by running gpupdate /force or rebooting. The printers will now be installed.
6. Finally, after you’ve ensured that the printers are deployed correctly to the servers, remove the printers by deleting the GPO and forcing the update. The printer is removed from the server, but the drivers are still available. (You can see this by opening the Print Server Properties tab on the Devices And Printers console; you must have a printer installed and selected for this button to be available.)
operating systems. Without going into detail, Windows 7 and Windows Server 2008 R2 are fundamentally very similar. Windows 98 and Windows Server 2003 were not—their architectures were entirely different. Because Windows 98 and Windows Server 2003 were so different, printer manufacturers did not always make sure the drivers had the same name. Name mismatches were (and occasionally still are) a problem when remoting using printer drivers because if the names don’t match exactly, the mapping does not occur. The workaround for this was to create an INF file on the endpoint that tells the endpoint that Driver X equaled Driver Y (in this example, HP LaserJet X = Hewlett Packard LaserJet X). The server would read this file and make the printer driver match, and then it could redirect the printer.
This driver name mismatch might not happen with newer operating systems, but the workaround has another use. Should you decide to implement the older printing model, you can use this technique to minimize the number of printer drivers that you have to install on your endpoint; you can create one-to-many mapping (one driver on the server to many printer drivers on the client). The server will use the one driver that you tell it to use whenever it encounters a need for any of the drivers that you map to that single driver. For instance:
■ Brother MFC-230C = Brother MFC-235C
■ Brother MFC-230C = Brother MFC-239C
■ Brother MFC-230C = Brother MFC-240C
NOTE Some printers might not work with specified drivers. Also, you might lose some
functionality when using one driver in place of another. For instance, one driver might
allow you to print in Booklet style, and another might not. You will need to test printer
driver mapping fully to see what printer drivers will map to certain printers, and also what
functionality you might lose by doing so.
To find the server driver name and the client driver name that you want to map, the driver name is specified in the printer properties of an installed printer. Right-click an installed printer and go to the Advanced tab of the Printer Properties dialog box. The printer driver name can also be found in the Print Server Properties dialog box. Do this by opening the Print Server Properties dialog box, selecting the Drivers tab, highlighting the driver, and clicking Properties.
Here is how to implement the mapping.
1. Create an INF file that contains the mappings (name it PRINTDRIVERMAP.inf). Store the file in C:\Windows\System32\ on the endpoint. The file should look like this (but containing your unique mappings):
[Printers]
;"Client Printer Driver Name" = "Server Printer Driver Name"
"Client Printer Driver W" = "Server Printer Driver X"
"Client Printer Driver X" = "Server Printer Driver X"
"Client Printer Driver Y" = "Server Printer Driver Y"
"Client Printer Driver Z" = "Server Printer Driver Z"
NOTE This INF example file shows mapping two client drivers to one server driver, and
then two more unique mappings.
The file needs to have the section title [Printers] because it gets referenced next in the registry keys that need to be put in place on the endpoint to invoke the mapping process.
2. Navigate to the Rdpwd folder and choose New, String Key. Name the keys PrinterMappingINFName and PrinterMappingINFSection, respectively. Creating the following registry keys will tell the endpoint to look for printer driver mappings in the Printers section of the PRINTDRIVERMAP.inf file.
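The mapping file and the two registry values above, as an added PowerShell example that is not from the book: it parses the [Printers] section of PRINTDRIVERMAP.inf, rejects a client driver name that is mapped to two different server drivers (the server can only resolve a name to one driver), warns when a mapped server driver is not actually installed, and then creates PrinterMappingINFName and PrinterMappingINFSection. It assumes the Rdpwd folder is HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd and that PrinterMappingINFName takes the full path of the file; run it as an administrator on the RD Session Host.

```powershell
# Added example (not from the book): validate a printer driver mapping INF and
# register it for RDP printer redirection on a Windows Server 2008 R2 RD Session Host.
# Assumptions: INF path and file name as in the chapter; the "Rdpwd folder" is the
# registry key below; PrinterMappingINFName holds the full path of the INF.
$InfPath    = 'C:\Windows\System32\PRINTDRIVERMAP.inf'
$InfSection = 'Printers'
$RdpwdKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd'

function Get-PrinterDriverMap {
    # Returns a hashtable of client driver name -> server driver name read from
    # one section of the INF; throws on an ambiguous or unparseable line.
    param([string]$Path, [string]$Section)
    $map = @{}
    $inSection = $false
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank or comment
        if ($line -match '^\[(.+)\]$') {                            # [Section] header
            $inSection = ($Matches[1] -eq $Section)
            continue
        }
        if (-not $inSection) { continue }
        # Expected shape: "Client Printer Driver Name" = "Server Printer Driver Name"
        if ($line -match '^"(?<client>[^"]+)"\s*=\s*"(?<server>[^"]+)"$') {
            $client = $Matches['client']
            $server = $Matches['server']
            if ($map.ContainsKey($client) -and $map[$client] -ne $server) {
                # Many client names may share one server driver (one-to-many), but a
                # single client name pointing at two server drivers is ambiguous.
                throw "Ambiguous mapping for '$client': '$($map[$client])' and '$server'"
            }
            $map[$client] = $server
        } else {
            throw "Unparseable line in [$Section]: $line"
        }
    }
    return $map
}

$map = Get-PrinterDriverMap -Path $InfPath -Section $InfSection

# Every server driver named in the INF must be installed here, or the mapping does
# nothing for that printer. Win32_PrinterDriver.Name is "Driver,Version,Environment".
$installed = Get-WmiObject -Class Win32_PrinterDriver |
    ForEach-Object { ($_.Name -split ',')[0] }
foreach ($server in ($map.Values | Sort-Object -Unique)) {
    if ($installed -notcontains $server) {
        Write-Warning "Server driver '$server' is referenced in the INF but is not installed"
    }
}

# Show the fan-in: how many client driver names resolve to each server driver.
$map.GetEnumerator() | Group-Object -Property Value |
    ForEach-Object { '{0} <= {1} client driver name(s)' -f $_.Name, $_.Count }

# Create the two string values the chapter has you add by hand under the Rdpwd key.
New-ItemProperty -Path $RdpwdKey -Name 'PrinterMappingINFName' `
    -Value $InfPath -PropertyType String -Force | Out-Null
New-ItemProperty -Path $RdpwdKey -Name 'PrinterMappingINFSection' `
    -Value $InfSection -PropertyType String -Force | Out-Null
```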
FIGURE (caption not on this page) The levels at which the printer redirection setting can be applied: Group of Machines, Machine, Connection.
If printer redirection is disabled at any of these levels, printer redirection will be disabled for the user or machines that the setting affects—and therefore, everything below that level. If you enable this policy, users will not be able to redirect print jobs to their local computer printers. If you do not configure or disable this policy, printer redirection is allowed.
Because this setting is not configured by default, printer redirection at this level is allowed but can still be affected at the other levels (by computer or by session). If this policy is enabled, it will take precedence over settings at the other levels.
The Group Policies are:
■ Use RD Easy Print Printer Driver First You encountered this setting earlier in this chapter. If this policy is enabled or not configured, the endpoint tries to use the Easy Print driver to redirect client printers first. Only if the Easy Print driver isn’t available will it look for a printer driver on the endpoint that matches the printer driver on the client. This does not disable Easy Print, but the endpoint will use Easy Print only if a printer driver is not available.
■ Specify RD Session Host Server Fallback Printer Driver Behavior Fallback printer driver behavior tells the endpoint that if it cannot find a printer driver match to a printer driver on a computer, then it should attempt to use an alternate printer driver. Fallback printer drivers are HP DeskJet 500, HP DeskJet 500C, HP LaserJet 4/4M PS, and HP Color LaserJet 5/5M PS. This setting is disabled by default.
■ Redirect Only The Default Client Printer Clients might have many printers installed on their client PCs; by default, all will be redirected to the session. To decrease resource usage on the endpoint, you can enable this policy such that only the default printer on the client PC will be redirected to the session.
■ Do Not Set A Default Client Printer To Be The Default Printer In A Session By default, the client’s default printer is the default printer for the remote session. If you enable this setting, there is no default printer for the remote session.
Like other printing settings, Printer Driver Isolation is controlled in a tiered fashion, by Group Policy, by the printer driver INI file, and by the Print Management Console. Here are the options:
■ If you want, you have the option of controlling overall Printer Driver Isolation on a computer by setting the following GPO:
Computer Configuration Administrative Templates Printers Execute Print Drivers In Isolated Processes
■ If this policy is disabled, then driver isolation is disabled for all drivers on the affected computers. If this policy is enabled or not configured, then it is allowed.
■ If Printer Driver Isolation is allowed (or not configured) by Group Policy, next the printer driver INI file is checked to see if the printer driver supports isolation. If the Printer Driver Isolation key DriverIsolation is missing or is set to 0, the driver does not support Printer Driver Isolation. If the DriverIsolation key is set to 2, the driver does support isolation.
■ If the driver supports Printer Driver Isolation, it is loaded by default into a separate process called PrintIsolationHost.exe (instead of being loaded into Spoolsv.exe) along with other printer drivers that are configured for shared isolation. If a driver does not support isolation, the driver will be loaded into Spoolsv.exe.
NOTE All native drivers for Windows 7 and Windows Server 2008 R2 support Printer
Driver Isolation, and by default, they will run in shared mode unless otherwise dictated.
This default functionality can be overridden by Group Policy and on each individual printer driver using the Print Management Console.
Printer drivers that are compatible by default run in shared mode. But you can override this on a per-driver basis in the Print Management Console. To do this, right-click each driver and choose Shared, Isolated, or None.
NOTE If GPO dictates that printer isolation is disabled, isolation mode settings from the
Print Management Console are ignored.
You can also force printer drivers that are not compatible with Printer Driver Isolation to run in shared mode or to adhere to the settings in the Print Management Console by enabling the following GPO:
Computer Configuration Administrative Templates Printers Override Print Driver Execution Compatibility Setting Reported By Print Driver
The options for this GPO are:
■ Enabled The printer driver will run in shared mode or as specified in the Print Management Console.
■ Disabled Or Not Configured The Printer Driver Isolation is determined by the key setting in the printer driver INI file.
■ http://support.microsoft.com/kb/959442 The edges of a document are truncated when you try to print the document by using Terminal Services Easy Print from a client that is running Windows XP SP3, Windows Vista SP1, or Windows Server 2008.
■ http://support.microsoft.com/kb/946411 When you print an XPS file on a computer running Windows XP SP2 or SP3, the characters in the XPS file print incorrectly.
Summary
From the user’s point of view, the remoting experience is the most important aspect of RDS. If the screen doesn’t look good, the audio doesn’t sound good, or the print jobs don’t print, the user has a bad experience.
After reading this chapter, you should have learned the following:
■ The relationship between the RDC client, the RDP protocol, and the RDP listener, and how the three elements define the user experience
■ The RDP features introduced with Windows 7 and Windows Server 2008 R2
■ How all features of RDP related to the remote experience work
■ How to enable and configure features of RDP
■ How to print via RDP, with and without Easy Print
Now that you know how RDP provides the “like being there, only better” experience for users, you will learn in the next chapters how you, the administrator, can lock down the user desktop (Chapter 7, “Molding and Securing the User Environment”) and protect the network connection (Chapter 8).
Additional Resources
This chapter examines in depth how RDP works. For more information, the following MSDN sites provide the original documents detailing how the protocol works:
■ Basic RDP Remoting http://msdn.microsoft.com/en-us/library/cc240445(v=PROT.10).aspx
■ Graphics Acceleration http://msdn.microsoft.com/en-us/library/cc241537(v=PROT.10).aspx
■ Graphics Compression http://msdn.microsoft.com/en-us/library/ff635378(v=PROT.10).aspx
■ Desktop Composition http://msdn.microsoft.com/en-us/library/cc216513(v=PROT.10).aspx and http://msdn.microsoft.com/en-us/library/dd358323(v=PROT.10).aspx
■ Dynamic Virtual Channels http://msdn.microsoft.com/en-us/library/cc241215(v=PROT.10).aspx
■ Basic Audio Remoting http://msdn.microsoft.com/en-us/library/cc240933(v=PROT.10).aspx
■ Clipboard Redirection http://msdn.microsoft.com/en-us/library/cc241066(v=PROT.10).aspx
■ Easy Print http://msdn.microsoft.com/en-us/library/cc242947(v=PROT.10).aspx
■ Printer Redirection http://msdn.microsoft.com/en-us/library/cc242116(v=PROT.10).aspx
■ Audio Input Redirection http://msdn.microsoft.com/en-us/library/dd342521(v=PROT.10).aspx
■ Multimedia Remoting http://msdn.microsoft.com/en-us/library/dd342975(v=PROT.10).aspx
■ Serial and Parallel Port Redirection http://msdn.microsoft.com/en-us/library/cc242856(v=PROT.10).aspx
■ File System Redirection http://msdn.microsoft.com/en-us/library/cc241305(v=PROT.10).aspx
■ Plug and Play Redirection http://msdn.microsoft.com/en-us/library/cc242231(v=PROT.10).aspx
The following resources contain additional information and tools related to this chapter:
■ Want more information about RDP performance? See the white paper linked at http://blogs.msdn.com/rds/archive/2010/02/05/announcing-the-remote-desktop-protocol-performance-improvements-in-windows-server-2008-r2-and-windows-7-white-paper.aspx.
■ Download RDC 7 for Windows Vista SP1+ and Windows XP SP3 at http://blogs.msdn.com/rds/archive/2009/10/28/announcing-the-availability-of-remote-desktop-connection-7-0-for-windows-xp-sp3-windows-vista-sp1-and-windows-vista-sp2.aspx.
■ You can download the Remote Desktop client for Macintosh at http://www.microsoft.com/mac/products/remote-desktop/default.mspx.
■ New Windows 7 printing architecture can be downloaded at http://download.microsoft.com/download/5/E/6/5E66B27B-988B-4F50-AF3A-C2FF1E62180F/CON-T572 WH08.pptx.
■ Microsoft Most Valuable Professional Emeritus Vera Noest has put together a great list of hotfixes and updates pertaining to printing, which can be found at http://ts.veranoest.net/ts printing.asp.
CHAPTER 7
If you’re reading this book in order, at this point, your users can use their virtual machines (VMs) or sessions. The servers are set up, the profiles and folder redirection are all configured, and user devices are redirected. The only catch is that now the user work environments are wide open.
Giving users non-secured work environments might be all right. As you’ll learn in this chapter, the rules for security will likely vary with the kind of work environment that you’re supporting. RD Session Host servers need to be locked down because the server hosting the sessions is persistent and the machine is shared, so one person’s error can have lasting impact on a lot of people. Pooled VMs using rollback—so the VM rolls back to a saved state each time a user logs off—need less security because you don’t want users running malware but don’t need to worry about permanent changes to the VMs. Also, personal desktops should be governed by the same rules that you’ve applied to physical desktops.
This chapter will show you how to enable and yet still control your users’ devices and desires, meaning that you’ll understand how to map the client-side experience to the remote environment but you’ll do so in a way that doesn’t negatively affect the servers or the end users. The following topics will be discussed:
■ Locking down the servers (and why you should do so)
■ Optimizing the user experience
■ Configuring remote control of a session
■ Securing access to the RD Session Host server
The primary focus of this chapter is RD Session Host server environments. This is because pooled VMs revert when a user logs off, and personal VMs should be handled the same way that you handle physical user desktops in your company. This doesn’t mean that you won’t tweak pooled or personal VMs. For instance, it’s possible that you will not want a user installing or running rogue software from a pooled machine, even if it will revert to its original state after logoff. Therefore, if a setting or procedure is specific, either only to RD Session Host servers or only to pooled or personal VMs, we will say so. Otherwise, assume that the tactic, setting, or procedure applies to both kinds of implementations.
Restricting Device and Resource Redirection
As was discussed in Chapter 6, “Customizing the User Experience,” device redirection is a big part of making a remote application feel like a local application. Device redirection allows users to open local files in remote sessions or save files to their local computers, copy data back and forth, play and record audio, and so forth.
Integration between local and remote computers sounds great until you really need to enforce security on corporate data. For example, by default, client drives and the clipboard are visible in a remote connection, but both open a security hole from the data center to a remote computer. Drive redirection allows users to copy or even save sensitive data from the corporate network to a possibly unsecured computer.
The rule of thumb for device and resource redirection is that more is not necessarily better. Disable redirection that you don’t need. As you can see from the descriptions in Chapter 6, disabling unnecessary devices both cuts down on bandwidth resources that might be used for other functions and can reduce server and sensitive data exposure.
NOTE For details on how device redirection works when applied at the user, machine, or
Group Policy level, see Chapter 6.
they can copy data to any drive to which they have access. To turn off drive redirection for users or computers, enable this policy.
■ Do Not Allow LPT Port Redirection LPT ports are used to access older printers. If you don’t have a need to redirect these devices, enable this policy.
■ Do Not Allow Supported Plug And Play Device Redirection Enable this policy to disable redirection for Plug and Play devices such as cameras.
■ Do Not Allow Smart Card Device Redirection Enable this policy to disable smart card redirection.
Drive redirection is an obvious security hole (it allows users to transfer files from their remote session to their local hard drive and vice versa), but printing can also create a security problem. To disable all printer redirection, enable this policy, found in the computer’s Group Policy settings: Computer Configuration Policies Administrative Templates Windows Components Remote Desktop Services Remote Desktop Session Host Server Printer Redirection Do Not Allow Client Printer Redirection. By default, it is not configured; if it is not configured, printer redirection can be controlled via Active Directory Users And Computers, Remote Desktop Connection (RDC), or the RD Configuration Tool.
You can also disable redirection of specific types of supported plug and play devices. For example, you might not want to block all plug and play device redirection, but you don’t want to allow floppy disk or CD-ROM drive redirection specifically. The Group Policy object (GPO) to do this is located at Computer Configuration Administrative Templates System Device Installation Device Installation Restrictions Prevent Installation Of Devices That Match Any of these Device IDs.
NOTE The redirection-oriented group policies mentioned in this section are covered in
more detail in Chapter 6.
NOTE There is also a Connect Client Drives At Logon option; it is checked by default.
However, this setting has no effect. It was originally designed to be used by the Citrix
MetaFrame add-on to Microsoft Windows 2000 Remote Desktop Services before the
Remote Desktop Protocol (RDP) supported drive redirection, and it isn’t used by RDP.
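An added PowerShell example, not from the book, that audits which of the redirection policies in this section are actually blocked by Group Policy on an RD Session Host. It assumes that enabling each setting writes the registry value named in the table below under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services (that table is this example’s, not the book’s); a missing value is reported as not configured, which is the case where the per-server RD Session Host Configuration and per-user settings decide.

```powershell
# Added example (not from the book): report the state of the device and resource
# redirection policies covered in this section on the local RD Session Host.
# Assumption: enabling each "Do Not Allow ... Redirection" GPO writes the value
# named below under the Terminal Services policy key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# One entry per policy: the value the GPO writes and the data that means "blocked".
# Smart card is the odd one out: enabling that policy clears an "enable" flag.
$RedirectionPolicies = @(
    @{ Setting = 'Do Not Allow Drive Redirection';          Value = 'fDisableCdm';      BlockedData = 1 },
    @{ Setting = 'Do Not Allow Clipboard Redirection';      Value = 'fDisableClip';     BlockedData = 1 },
    @{ Setting = 'Do Not Allow Client Printer Redirection'; Value = 'fDisableCpm';      BlockedData = 1 },
    @{ Setting = 'Do Not Allow LPT Port Redirection';       Value = 'fDisableLPT';      BlockedData = 1 },
    @{ Setting = 'Do Not Allow Supported Plug And Play Device Redirection'; Value = 'fDisablePNPRedir'; BlockedData = 1 },
    @{ Setting = 'Do Not Allow Smart Card Device Redirection'; Value = 'fEnableSmartCard'; BlockedData = 0 }
)

function Get-RedirectionPolicyState {
    # Emits one object per policy with the registry data found and a plain-language state.
    param([string]$Key = $PolicyKey)
    foreach ($p in $RedirectionPolicies) {
        $data = $null
        if (Test-Path -Path $Key) {
            $item = Get-ItemProperty -Path $Key -Name $p.Value -ErrorAction SilentlyContinue
            if ($item) { $data = $item.($p.Value) }
        }
        if ($null -eq $data) {
            # Not configured: the per-server RDP-Tcp Client Settings tab and per-user
            # settings govern, so this redirection may well be on.
            $state = 'Not configured by policy'
        } elseif ($data -eq $p.BlockedData) {
            $state = 'Blocked by policy'
        } else {
            $state = 'Explicitly allowed by policy'
        }
        New-Object -TypeName PSObject -Property @{
            Setting = $p.Setting; RegistryValue = $p.Value; Data = $data; State = $state
        }
    }
}

# A lockdown review needs the list of everything policy does NOT block.
Get-RedirectionPolicyState |
    Where-Object { $_.State -ne 'Blocked by policy' } |
    Format-Table -Property Setting, RegistryValue, Data, State -AutoSize
```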
Restricting Device and Resource Redirection Using the RD Session Host Configuration Tool
You can also disable device and resource redirection from Remote Desktop Session Host Configuration, but remember that this means configuring each server separately. You cannot configure device and resource redirection for pooled or personal VMs using RD Session Host Configuration.
To disable drive and resource redirection from Remote Desktop Session Host Configuration, open the RDP client Properties dialog box by double-clicking RDP-Tcp and then navigating to the Client Settings tab shown in Figure 7-1. Select the check boxes corresponding to the type of redirection that you want to disable. Click Apply and then click OK.
FIGURE 7-1 Restrict redirection by selecting the check boxes on the Client Settings tab of the RDP-Tcp Properties dialog box.
Restricting Access to the Control Panel
User Configuration Policies Administrative Templates Control Panel
■ Prohibit Access To Control Panel Users should have no need to access the Control Panel. Enabling this setting removes Control Panel from the Start menu and Windows Explorer, so users won’t have access to Control Panel, nor will they be able to run any of the Control Panel items.
NOTE When you enable this setting, you prevent administrators from installing any
Windows Installer (MSI) package onto the RD Session Host server, even if Deny is explicitly
set for the Administrator account. Therefore, to install applications, you’ll need to disable
this policy. While installing, disable remote logons.
■ Devices: Prevent Users From Installing Printer Drivers Enabling this setting prevents users from adding printer drivers to an RD Session Host server as part of adding a network printer. This policy does not affect administrators and does not pertain to adding a local printer.
■ Prevent Access To Registry Editing Tools By default, access to the registry (on a limited basis) is allowed. Enable this setting to prevent access to the registry.
■ Disable Regedit From Running Silently Enable this setting to prevent users from running regedit with the /s switch. For instance, a user could run regedit /s Filename.reg from a command prompt and import a file into the registry even though Prevent Access To Registry Editing Tools is enabled.
Preventing Access to Windows Automatic Updates
To prevent Windows updates from being applied automatically to production RD Session Host servers, disable Windows Automatic Updates. This lockdown isn’t about users as much as it is about making sure that changes aren’t made unintentionally and without full testing. These policies are:
■ Remove Access To All Windows Update Features Enabling this setting blocks access to the Windows Update website and removes the Windows Update link from the Start menu and from the Tools menu in Internet Explorer. Notifications about updates will cease and automatic updating is disabled.
FIGURE 7-2 The Start menu areas and their sources of data are shown here. (Areas labeled in the figure: Pinned programs list; User data; Computer, Network, Recent Items, Connect To, Games, Favorites; Recently used programs; Search Box.)
To lock down the Start menu and taskbar, use these Group Policy settings, which are accessed in the following location:
User Configuration Policies Administrative Templates Start Menu And Taskbar
■ Prevent Changes To Taskbar And Start Menu Settings Being able to make changes to the taskbar and the Start menu gives users the opportunity to access programs such as Internet Explorer, email programs, network shares, and Internet websites via the Address bar, Links, and so on. Enabling this setting blocks access to the Properties dialog box that users see when they right-click the taskbar. It also removes the Taskbar and Start menu items from the Taskbar And Settings Menu Properties dialog box. It does not stop users from turning on taskbar toolbars.
■ Show QuickLaunch On Taskbar By default, the QuickLaunch toolbar is shown on the taskbar when a user logs on. This can be helpful if you want to place application links for your users on this bar—for instance, by preconfiguring the default user profile. Just be aware that users can delete icons from the QuickLaunch toolbar, which might generate Help desk calls. Users can also turn this toolbar on and off. Hide the QuickLaunch toolbar and prevent users from turning it on by disabling this setting.
■ Remove Access To The Context Menus For The Taskbar Enabling this setting prevents users from turning taskbar toolbars on and off.
■ Remove Programs On Settings Menu Enabling this setting removes access to the Control Panel, Printers, and Network Connections folders from the Start menu.
■ Remove Common Program Groups From Start Menu Enabling this setting displays only items pulled from the user’s profile in the Start menu. Items from the Public User profile will not be merged and available on the user’s Start menu in the All Programs list or on the desktop.
■ Remove The Pinned Programs List From The Start Menu Enabling this setting removes the pinned programs list from the Start menu and prevents users from pinning programs to the Start menu. By default, Internet Explorer and an email client can be pinned to this menu; this setting removes their links by clearing the corresponding boxes on the Simple Start menu customization control panel.
■ Remove the All Programs List From The Start Menu All Programs is normally made of a combination of the public users’ programs and an individual user’s programs portion of the profile. Enabling this setting removes the All Programs menu from the Start menu. This includes links to Accessories, the Startup folder, and other program links that you might not want to be accessible.
■ Remove Network Connections From Start Menu Enabling this setting denies users access to the Manage Network Connection link in the Network And Sharing Center.
■ Remove Network Icon From Start Menu Enabling this setting removes the Network icon from the Start menu; however, it still appears and is accessible in the Control Panel and Windows Explorer.
■ Remove Favorites Menu From Start Menu Although the Favorites menu is not shown by default, enabling this setting prohibits users from displaying the Favorites menu via the Properties of the Start menu, thus prohibiting easy access to Uniform Resource Locators (URLs) from the Start menu.
■ Remove Run Menu From Start Menu Enabling this setting removes the Run option from the Start menu, Task Manager, and Windows Explorer. In addition, users will not be able to enter a local file path or a Universal Naming Convention (UNC) path into the Internet Explorer address bar. The key combination Windows Logo+R no longer brings up the Run box if this setting is enabled.
■ Remove Drag And Drop Context Menus On The Start Menu Enabling this setting prevents users from dragging links to the Start menu. However, it does not prevent access to the Start Menu Properties dialog box.
■ Do Not Search Internet Enabling this setting prevents the Windows Search box from searching Internet history or Favorites. This can decrease user access to URLs that could point to executables or other potentially harmful script files.
■ Do Not Search Programs and Control Panel Items Enabling this setting keeps users from using the Search box on the Start menu to search for programs or Control Panel items on the RD Session Host server. This will prevent searching the RD Session Host server for programs that users might not need to run or which might be harmful.
Removing Icons from the Desktop
Placing icons on the desktop is a very easy and direct way to access some information if you’re displaying full desktops instead of RemoteApp programs. However, you might not want users looking at the System properties of My Computer or mapping a drive so easily. You can remove icons from the desktop with these settings, accessible from the following location:
■ Hide And Disable All Items On The Desktop Enabling this setting hides and disables all items on the desktop, including the Recycle Bin and My Computer. Users will not be able to access My Computer from the desktop and gain access to unauthorized data and programs by mapping a network drive. (These programs are still available from other locations, such as the Desktop toolbar on the taskbar, however.)
■ Remove Computer Icon From The Desktop This policy removes the Computer icon from the desktop as well as within Windows Explorer, and from the Desktop toolbar on the taskbar, preventing users from right-clicking My Computer and mapping a drive.
■ Prevent Access To The Command Prompt Enable this setting to prevent users from using the command prompt.
Removing Access to Task Manager
The Task Manager is only one step removed from the command prompt, as it provides access to the Run button. Therefore, it’s good to remove this source of temptation in sessions. For VMs, you might want to leave it open so people can have more control over hanging applications or other Task Manager tools—it depends on whether you view access to Run as acceptable. This policy is available in the following location:
User Configuration Policies Administrative Templates System Ctrl+Alt+Del Options
■ Remove Task Manager Enable this setting to prevent users from executing new tasks (starting programs) or changing the priority of processes via the Task Manager.
User Configuration Policies Administrative Templates Start Menu And Taskbar
■ Remove Links And Access To Windows Update Although the Windows Update website is available only to administrators, users can use Windows Update from the Control Panel (if you have not blocked access to it) to open Internet Explorer. If you are not blocking Internet Explorer access, enable this setting.
■ Hide Internet Explorer Icon On Desktop This policy does not prevent users from starting Internet Explorer another way, but it removes the Internet Explorer icon from the desktop and from the QuickLaunch toolbar on the taskbar.
Sometimes blocking Internet Explorer is not practical. To limit access via Internet Explorer, you can configure a proxy setting on the browser to point to an internal web page telling users that Internet access has been blocked, and disable the ability to change the proxy settings. This will allow access to intranet sites while keeping users off the Internet. To do so, configure the following policies, found in these locations:
User Configuration Policies Windows Settings Internet Explorer Maintenance Connection
■ Proxy Settings Set the proxy settings to a false internal address or to an internal website that tells users that Internet access is forbidden from Remote Desktop Services (RDS). Select the Do Not Use Proxy Server For Local (Intranet) Addresses check box.
User Configuration Policies Administrative Templates Windows Components Internet Explorer
■ Disable The Advanced Page Enabling this setting blocks access to the Advanced page defining the security settings for Internet Explorer. (The Advanced page has other functions, but the security settings are most important to the safety of your RD Session Host servers.)
■ Disable The Connections Page Enabling this setting blocks access to the Connections page, where users can configure VPN and proxy settings.
■ Disable The Content Page Enabling this setting blocks access to the Content page, where ratings and certificates are managed.
■ Disable The General Page Enabling this setting blocks access to the General page, where the home page settings, display settings, and browsing history are managed.
■ Disable The Privacy Page Enabling this setting blocks access to the Privacy page, which defines settings for blocking pop-up windows and the security settings for pages.
■ Disable The Programs Page Enabling this setting blocks access to the Programs page, where email clients, default browser notifications, and browser add-ons are managed.
■ Disable The Security Page Enabling this setting blocks access to the Security page, where zone trust levels (and zone memberships) are set. This is another important page to lock down.
User Configuration\Policies\Administrative Templates\Windows Components\Windows Explorer

■ Remove Map Network Drive And Disconnect Network Drive  Enabling this setting removes the ability to map a network drive by right-clicking My Computer or from the Tools menu in Windows Explorer and Network Sharing Center.
■ Remove Windows Explorer's Default Context Menu  Enabling this setting removes the window that users get when they right-click an item in Windows Explorer; for instance, enabling this policy would disable right-clicking My Computer located on the desktop, which provides users with a menu with the option to map a network drive or manage the computer.
■ Hide These Specified Drives In My Computer  This setting does just what it says: it hides the drive letters that you specify. It does not block access to the drives via other methods such as Run. Limit this setting to specific drive letters if you have mapped drives that users must have readily available. To really prevent access, use it in combination with the Prevent Access To Drives From My Computer policy.
■ Prevent Access To Drives From My Computer  Enable this setting for drives A through D to prevent access to those drives, which are most likely the system drives, the floppy drive (if present—it's not likely), and the CD-ROM drive. Users will see the drives but cannot open or search them. Limit this setting to specific drive letters if you have mapped drives that users need to access. This setting is useful to prevent users adding local drives to libraries.

Controlling Libraries

Libraries, introduced with Windows 7 and Windows Server 2008 R2, don't fundamentally change the need to lock down the RD Session Host server or pooled VMs, but they do give you another reason to do it. Libraries are designed to encourage users to add more storage locations, and you really don't want users to add locations on the local hard disk. As discussed in Chapter 5, "Managing User Data in a Remote Desktop Services Deployment," storing files on the hard disk complicates backups (for RD Session Host servers) and can lead to destroyed data (for pooled VMs set to roll back at user logoff). Let's talk about how to configure libraries to prevent users from saving files locally.

First, you'll need a little background, because libraries are new. Libraries don't contain anything themselves—they are collections of associated folder locations. These collections are stored in Extensible Markup Language (XML) files (one for each library) with names like Music.library-ms. All libraries are stored in C:\Users\UserName\AppData\Roaming\Microsoft\Windows\Libraries, meaning that they can be part of the roaming user profile if you have one. (Even if you're using a local profile, the library data will still be stored in the same place.) If you're using roaming user profiles, users do not have to re-create their libraries every time they log on to a new RD Session Host server or pooled VM. There are four default libraries: Documents, Videos, Pictures, and Music.
The library description files include information like the Security ID of the owner, the folder type (different types of files use different types to display different kinds of data differently), and the default save location for the library. Although you can read this file in Notepad, it's not very informative, and it's not recommended that you edit it manually because it would be easy to mess up.
NOTE C++ developers can edit this file programmatically using the IShellLibrary interface documented on MSDN at http://msdn.microsoft.com/en-us/library/dd391719(v=VS.85).aspx. There is no Windows PowerShell or Windows Management Instrumentation (WMI) interface to manipulate libraries, unfortunately.
The main issue with libraries is that by default, the Documents library (for example) contains two folders: My Documents and Public Documents. If you have set up folder redirection, My Documents will be the path to the redirected folder, which is what you want. My Documents is the default save location, which is also what you want.

However, the library also surfaces the Public Documents folder on the C drive (in Users\Public\Documents), which is not what you want. It's possible that there could be some reason why you'd want to store documents there that all the users could see, but that's not a great plan most of the time, for reasons explained in the first paragraph. You also don't want people adding more locations on the C drive and scattering files randomly on the RD Session Host hard disk or on a pooled VM that will be overwritten when users are finished with it—annoyed users will be calling the Help desk looking for their missing files. To prevent users from storing files in Public Documents or anywhere else on the C drive, you should use NTFS permissions and the Hidden attribute to lock down the C:\Users\Public folder.
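Because the library description files are plain XML, an administrator can at least inspect them without an API. The following Windows PowerShell script is an added example, not code from the book or from Microsoft: it reads each *.library-ms file under the profile root, lists the included locations, and flags the ones that point at the local disk (the scenario the paragraph warns about). The file layout it assumes is the Windows 7 / Windows Server 2008 R2 library format with one searchConnectorDescription element per folder; the sample library at the end is constructed for the demonstration, and the file server path in it is invented.

```powershell
# Added example, not from the book: read library description files (*.library-ms) as XML
# and report each included location, flagging the ones that sit on the local disk.
# Assumes the Windows 7 / Windows Server 2008 R2 library format (a libraryDescription
# document with one searchConnectorDescription per folder). It reads the file directly;
# it does not use a shell API, and the sample file below is constructed for the demo.

function Get-LibraryLocation {
    param([Parameter(Mandatory = $true)][string]$LibraryFile)
    [xml]$lib = Get-Content -LiteralPath $LibraryFile
    $libraryName = [IO.Path]::GetFileNameWithoutExtension($LibraryFile)
    $entries = @($lib.libraryDescription.searchConnectorDescriptionList.searchConnectorDescription)
    foreach ($entry in $entries) {
        $url = [string]$entry.simpleLocation.url
        # knownfolder:{GUID} is a shell known folder (it may resolve to a redirected share),
        # \\server\share is a network location, a drive-letter path is on the local disk.
        if ($url -like 'knownfolder:*')      { $kind = 'KnownFolder' }
        elseif ($url -like '\\*')            { $kind = 'Network' }
        elseif ($url -match '^[A-Za-z]:\\')  { $kind = 'LocalDisk' }
        else                                 { $kind = 'Other' }
        New-Object PSObject -Property @{
            Library         = $libraryName
            Location        = $url
            Kind            = $kind
            DefaultSaveHere = ([string]$entry.isDefaultSaveLocation -eq 'true')
        }
    }
}

# Walk every profile under the profiles root and return only local-disk locations.
function Find-LocalLibraryLocation {
    param([string]$ProfilesRoot = 'C:\Users')
    $pattern = Join-Path $ProfilesRoot '*\AppData\Roaming\Microsoft\Windows\Libraries\*.library-ms'
    Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue |
        ForEach-Object { Get-LibraryLocation -LibraryFile $_.FullName } |
        Where-Object { $_.Kind -eq 'LocalDisk' }
}

# Constructed sample: a Documents library whose default save location is redirected but
# which still includes the local Public Documents folder.
$sample = @'
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <ownerSID>S-1-5-21-1-2-3-1001</ownerSID>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation><url>\\FILESERVER\ASH-user-folder-redirection\someuser\Documents</url></simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <isDefaultSaveLocation>false</isDefaultSaveLocation>
      <simpleLocation><url>C:\Users\Public\Documents</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
'@
$sampleFile = Join-Path $env:TEMP 'Documents.library-ms'
Set-Content -LiteralPath $sampleFile -Value $sample -Encoding UTF8
Get-LibraryLocation -LibraryFile $sampleFile | Format-Table Library, Kind, DefaultSaveHere, Location -AutoSize
```

Run Find-LocalLibraryLocation on an RD Session Host (or against a roaming-profile share by passing its root) to see which users have added local folders. Entries of kind KnownFolder, such as the Public Documents member of the default Documents library, are reported for manual review rather than classified, because whether a known folder resolves to the local disk or to a redirected share cannot be read from the file itself.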
DIRECT FROM THE FIELD

What's the simplest thing you can do to lock down an RD Session Host server?

Remove the Execute permissions from everywhere they don't need to be. Do users really need to be able to execute programs from their home drives, temporary Internet files, or the Outlook attachment cache folder? Of course not! By preventing them from doing so using this method, you remove about 99.99 percent of all possible ways to execute "rogue" software on your RD Session Host server.

Whether you remove these permissions via Group Policy (with a Software Restriction Policies disallowed path rule or by using AppLocker) or via good old-fashioned editing of NTFS permissions depends largely on your environment and what else you might be doing. But the bottom line is that there are only a few folders from which users actually must be able to run programs (such as the Windows and Program Files folders, for example). For everything else on a server (and the network), remove those permissions.
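A quick way to find the folders the sidebar is talking about is to look for locations where an ordinary user holds both Write and Execute. The script below is an added example (not the contributor's or the book's code): it walks the given roots, combines the Allow entries for the listed non-administrative principals, and reports folders where a user could both drop a file and run it. The default roots and principal names are illustrative assumptions; point it at the home-drive share, the temporary Internet files and the attachment cache locations in your environment.

```powershell
# Added example, not the book's or the contributor's code: list folders under the given
# roots where a non-administrative principal holds both Write and Execute, i.e. places a
# user can drop a file and run it. The roots and principal names are illustrative
# defaults; adjust them for your profile, home-drive and cache locations.

function Get-WriteExecuteFolder {
    param(
        [string[]]$Root = @("$env:SystemDrive\Users", "$env:SystemRoot\Temp"),
        [string[]]$Principal = @('Everyone', 'BUILTIN\Users',
                                 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    )
    $writeBit = [int][Security.AccessControl.FileSystemRights]::WriteData
    $execBit  = [int][Security.AccessControl.FileSystemRights]::ExecuteFile
    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        $folders = @(Get-Item -LiteralPath $r) +
                   @(Get-ChildItem -LiteralPath $r -Recurse -ErrorAction SilentlyContinue |
                     Where-Object { $_.PSIsContainer })
        foreach ($folder in $folders) {
            $acl = Get-Acl -Path $folder.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($id in $Principal) {
                # Combine every Allow ACE for this principal. Deny ACEs are not subtracted and
                # generic-right ACEs (GENERIC_ALL and friends) are not expanded, so treat hits as leads.
                $rights = 0
                $acl.Access |
                    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $id } |
                    ForEach-Object { $rights = $rights -bor [int]$_.FileSystemRights }
                if (($rights -band $writeBit) -and ($rights -band $execBit)) {
                    New-Object PSObject -Property @{
                        Folder    = $folder.FullName
                        Principal = $id
                        Rights    = [Security.AccessControl.FileSystemRights]$rights
                    }
                }
            }
        }
    }
}

Get-WriteExecuteFolder | Format-Table Principal, Rights, Folder -AutoSize
```

Each line of output is a candidate for either an NTFS change (remove Execute) or an SRP/AppLocker disallowed path rule, which is the choice the sidebar describes. Run it again after the change to confirm the list is empty for the principals you care about.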
● Don't Run Specified Windows Applications  This is the block list approach—starting with everything and then defining applications that are not allowed to run. Blacklists aren't the most effective way to manage applications because executable names change (or new executables are created) and block lists don't take changes into account.
  This policy does not stop users from copying the executable file from another computer, renaming it, and running the same application under another name. A better way to block application execution is to implement Software Restriction Policies.
● Run Only Specified Applications  This is a whitelist approach—starting from nothing and then adding programs that are allowed to run. This approach is more secure than the block list approach because it does restrict even new executables, but it can be difficult to implement because of unexpected application dependencies.
  Enabling this setting and adding executables to the corresponding list prevents all programs except the ones on the list from running. However, it does not stop users from copying an executable file from another computer, renaming it to match an application known to be exempt, and running it that way.
Preventing Users from Running Unwanted Applications  Chapter 7  377
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections
NOTE AppLocker, which is discussed next, supersedes SRP for Windows 7 and Windows Server 2008 R2. Although SRPs will work with Windows 7 and Windows Server 2008 R2, you will most likely use AppLocker instead because it's a lot simpler. For all other operating systems, you will continue to use SRP to restrict application access.
SRPs are implemented through Group Policy and checked every time a piece of software is run. An SRP can be set as a user policy or a computer policy (or both), which means that administrators have the flexibility to allow or deny software for groups of users or for everyone who logs on to the session or VM.

Depending on how you set up the policy, one of two things happens. Either the software is expressly denied (or not allowed) by the policy and it does not run, or the software is specifically allowed (or not denied) by the policy and it executes. The reason that software can be seen as either expressly allowed or not denied and vice versa is because there are three ways to set up the policy.

A Software Restriction Policy is made up of two parts: a security level and additional rules. The security level is an overall rule that reflects the method that you will use to restrict software access. Three security levels are available at the following location:
NOTE These GPO settings will be available after you create a policy.
■ Unrestricted  This is the least secure method. It allows all programs to be executed except those that you specifically deny. This is commonly called "blacklisting."
■ Basic User  This method is considered an intermediate level of security. Unless there is an exception found for this rule, software will run as a normal user (without administrative privileges).
■ Disallowed  This is the strictest, but also the most secure, method. It does not allow any programs to run except those that you specifically allow. If you choose to use this method, take care to test the policy fully before activating it on production computers, so you find all software dependencies. This approach is commonly called "whitelisting."

When you have chosen your security level, make exceptions to this overall rule for specific applications or for types of applications or code. You can do this by creating additional rules with a different default rule applied. There are four types of additional rules that you can create to make exceptions to the security level, at the following location:
NOTE The Basic User security level is not supported for certificate rules.
■ Path Rule  This rule identifies a specific path of an application and only the application in that path can be allowed or denied. A specific piece of code (such as Winword.exe) can be expressed in the path, or the path can point to a folder. If the latter, all code in the folder is allowed or denied. For example, if you host Microsoft Office 2010 applications on your RD Session Host server, you can point to the Microsoft Office installation directory. All code in that directory will be allowed or denied depending on the policy security level and additional rule settings. Environmental variables, UNC paths, registry paths, question marks, and asterisk wildcards can be used in path rules.
■ Network Zone Rule  This rule applies only to MSI files, so it is probably not very useful in locking down an RD Session Host server except when installing software. The network zone rule allows or denies software installation (for MSI files only) based on which Internet zone it was downloaded from.
These rules are applied from the most specific to the most general. Certificate rules are extremely specific about the software they represent, followed by hash rules, then path rules, and finally, Internet zone rules are the least specific. Any software not covered by one of these additional rules is controlled by the default security level (default rule).

For example, let's create an SRP that will affect domain users in the following ways when they log on to your RD Session Host server(s):

■ Domain users can run Office 2007 applications.
■ Domain users cannot run Internet Explorer.
■ Domain users cannot run Cmd.exe or Control.exe (Control Panel).
■ Domain users cannot run any software on the RD Session Host server that is not installed on the RD Session Host server. For instance, if a user copies Cmd.exe from her local computer to the roaming profile desktop and then tries to start this application from the RD Session Host server, you want the action to fail.

This example assumes you have your RD Session Host servers placed in their own organizational unit (OU), and if you have multiple RD Session Host servers in the same farm, that they are configured identically. See Chapter 9 for more about RD Session Host farms.

Because you want to affect the domain users group when they log on to the RD Session Host server, create a Software Restriction Policy in the user section of a GPO, located here: User Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies

NOTE The Software Restriction Policy setting for Computers is located at Computer Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies.
Open the Group Policy Management console (GPMC) and create a new GPO; in this example, it is named RD Software Restriction Policy. Then navigate to the Software Restriction Policies folder, right-click the folder, and choose New Software Restriction Policies.

To keep software that is not installed from running, you need to disallow all software from running and then make exceptions to this rule for software located in specific places on the server.

Click the Security Levels folder, and in the right pane, right-click Disallowed and choose Set As Default. Now you need to create the exceptions to this default rule. So you don't lock yourself out, and so you can run applications installed on the RD Session Host server, Microsoft creates two exceptions to the Disallowed security level and places them in the Additional Rules folder when you create a new SRP. They are:

■ %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%  The security level for this additional rule is set to Unrestricted; it allows access to items in the server system root folder (C:\Windows). Users need access to some items in the Windows folder to log on, so keep this setting.
■ %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%  The security level for this additional rule is set to Unrestricted and allows access to the items in the Program Files directory. Internet Explorer happens to be installed to this directory, so delete this rule, because one of the goals is to block access to Internet Explorer.

Users currently have unrestricted access to Cmd.exe and Control.exe because of the additional rule that allows unrestricted access to the Windows folder; Windows contains the System32 folder, which is where these applications reside. Therefore, you need to make additional rules to deny access for these specific applications. Right-click the Additional Rules folder and choose New Path Rule. Enter the path to Cmd.exe in the Path text box (C:\Windows\System32\Cmd.exe), change the security level to Disallowed, type a description of the rule, and click OK. Then do the same thing for Control.exe.

To allow Office software to run, create another path rule, type the path to Office (typically C:\Program Files\Microsoft Office), and change the security level to Unrestricted. Type a description of the rule and click OK. To apply this GPO to the Domain Users group, change the security filtering on the GPO by removing the Authenticated Users group and adding the Domain Users group. Apply the GPO to the OU where the RD Session Host server(s) reside, and then you are done.

Now, if you don't already have loopback policy processing enabled, create a computer GPO, apply loopback processing, and then apply the GPO to the RD Session Host server OU. This applies the user's SRP to the users specified in the user's SRP security filtering.

If you set SRPs using a computer GPO, you will likely want to forgo applying this policy to the local administrator account. To do this, click the Software Restriction Policies folder, double-click the Enforcement setting, and choose to Apply Software Restriction Policies To The Following Users: All Users Except Local Administrators. Click OK.

Using AppLocker

Although older operating systems will continue to rely on SRP to control software access, AppLocker, which is new to Windows Server 2008 R2 and Windows 7 (Ultimate and Enterprise editions), supersedes SRP for these new operating systems and provides an enhanced software restriction feature set. In fact, while AppLocker has some similarities to Software Restriction Policies, it is actually a completely new feature built using different technology.
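After the GPO has applied, it is worth confirming from the RD Session Host itself what Group Policy actually wrote, rather than trusting the GPMC view. The following Windows PowerShell script is an added example, not from the book or from Microsoft: it reads the Software Restriction Policy from the registry (the documented Safer\CodeIdentifiers layout, where path rules are grouped under the numeric security level they grant), reports the default level, the DLL-checking and local-administrator-exemption settings, lists every path rule, and checks the outcome of this walkthrough: no Unrestricted rule left for Program Files, and Disallowed rules present for Cmd.exe and Control.exe. Hash and certificate rules are not listed. A user-section SRP such as this one lands under HKCU for the logged-on user; a computer SRP lands under HKLM with the same layout.

```powershell
# Added example, not from the book: read the Software Restriction Policy that Group Policy
# wrote to the registry and list the default level, enforcement scope and every path rule
# with the level it grants. It uses the documented Safer\CodeIdentifiers layout; the
# computer policy is under HKLM and a user-section SRP (as in this chapter) lands under
# HKCU for the logged-on user, with the same layout. Hash and certificate rules are not listed.

$SrpLevelName = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpBase { param([string]$Hive) "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" }

function Get-SrpConfiguration {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM')
    $base = Get-SrpBase $Hive
    if (-not (Test-Path -Path $base)) { return $null }      # no SRP defined in this hive
    $ci = Get-ItemProperty -Path $base
    $level = if ($ci.DefaultLevel -ne $null) { $SrpLevelName[[int]$ci.DefaultLevel] } else { 'Not set' }
    New-Object PSObject -Property @{
        Hive            = $Hive
        DefaultLevel    = $level
        ChecksDlls      = ([int]$ci.TransparentEnabled -eq 2)   # 1 = all except DLLs, 2 = DLLs too
        SkipLocalAdmins = ([int]$ci.PolicyScope -eq 1)          # 1 = All Users Except Local Administrators
        ExecutableTypes = $ci.ExecutableTypes
    }
}

function Get-SrpPathRule {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM')
    $base = Get-SrpBase $Hive
    foreach ($level in $SrpLevelName.Keys) {
        $rulesKey = Join-Path $base "$level\Paths"          # rules are grouped under the level they grant
        if (-not (Test-Path -Path $rulesKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $rulesKey) {
            $p = Get-ItemProperty -Path $rule.PSPath
            New-Object PSObject -Property @{
                Level       = $SrpLevelName[$level]
                Path        = $p.ItemData
                Description = $p.Description
                RuleId      = $rule.PSChildName
            }
        }
    }
}

# Check the chapter's scenario: the Program Files default rule should be gone, and
# Cmd.exe and Control.exe should each carry a Disallowed rule.
function Test-ChapterSrp {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKCU')
    $rules = @(Get-SrpPathRule -Hive $Hive)
    $findings = @()
    if ($rules | Where-Object { $_.Level -eq 'Unrestricted' -and $_.Path -like '*ProgramFilesDir*' }) {
        $findings += 'Program Files is still Unrestricted (Internet Explorer would run)'
    }
    foreach ($exe in 'Cmd.exe', 'Control.exe') {
        if (-not ($rules | Where-Object { $_.Level -eq 'Disallowed' -and $_.Path -like "*\System32\$exe" })) {
            $findings += "No Disallowed rule for $exe"
        }
    }
    $findings
}

Get-SrpConfiguration -Hive HKCU | Format-List
Get-SrpPathRule -Hive HKCU | Sort-Object Level | Format-Table Level, Path, Description -AutoSize
Test-ChapterSrp -Hive HKCU
```

Run it in a session of a Domain Users member on a farm server after the GPO (and loopback processing) has applied; an empty result from Test-ChapterSrp means the rule set matches the walkthrough. If Get-SrpConfiguration returns nothing for HKCU, the user-section policy has not reached this session, which is the loopback or security-filtering problem the previous paragraphs describe.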
NOTE Windows 7 Professional can be used only to create AppLocker rules—the rules
cannot be enforced in this version.
■ Unlike hashes, AppLocker rules can survive version upgrades and location path changes because they can be based on digital signatures.
■ AppLocker policies can be run in audit-only mode, so you can determine the effect of a rule before you deploy it.
■ AppLocker rules are wizard-driven, so they're easy to set up. Because you can import and export them, it's also easy to move rules from a test to a production environment.
■ AppLocker organizes file formats into four collections [executables, installers, scripts, and dynamic-link libraries (DLLs)] to provide simple ways to build multiple rules that together can provide more detailed restrictions.
■ AppLocker has Windows PowerShell support via AppLocker cmdlets.

You can still use SRPs with Windows 7 and Windows Server 2008 R2, but if AppLocker rules and SRPs exist in the same GPO, the AppLocker policies will supersede any SRP policies for Windows 7 and Windows Server 2008 R2. Older operating systems will use only the Software Restriction Policies.
NOTE You don’t have to upgrade your infrastructure to support AppLocker. A computer
running Windows Server 2008 R2 or Windows 7 is needed to create the rules, but they can
be housed on a Windows Server 2003 or 2008 domain controller.
AppLocker is similar to SRP in that you create whitelists (rules that specifically allow access to files) and block lists (rules that specifically deny access to files) to control access to files and folders on computers. You create rules as needed, for four predefined file categories (collections): executables, scripts, installers, and DLLs.

NOTE DLL rules are turned off by default, because DLL rules can affect machine performance. Take caution when creating and enforcing DLL rules and test thoroughly before deployment.
To help you avoid this pitfall, when you first create a rule, AppLocker will prompt you to let it create a set of "default" rules to make sure that you don't lock people out of the machine. Of course, you can hone these rules to suit your needs.

■ Publisher  Example: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US

FIGURE 7-3 AppLocker Publisher rules are based on a combination of the extended attributes of the file's digital signature.
NOTE You can customize publisher rules by selecting the Use custom values check box
shown in Figure 7-3 and editing the attribute values as needed.
■ Path  The rule will affect a specific file or all files in a specific folder. Both of these options are set by specifying (by typing or browsing to) the path of the file or folder.
■ File Hash  File Hash rules are based on a digital fingerprint of a file. Using the file (an executable, script, installer, or DLL) as an input, an algorithm generates a representation (a hash) of the file. If you change anything about the file, its hash is no longer valid, and allow rules will no longer work.

AppLocker Exceptions

To facilitate even more detailed control over file access, you can also make exceptions to each rule. For example, you could allow access to all executables in the Programs folder for User Group A, except for certain applications within the Programs folder that you wish to deny to User Group A.
AppLocker Audit Mode

AppLocker is powerful. To help you determine the real effects of the rules that you make, AppLocker provides an "audit only" mode, in which you can log the effects of rules so that you can determine the overall results of rules before you put them into production. When AppLocker rule collections are set to Audit Only mode, actions that the rules would have affected (allowed or denied) will be logged in the Event Viewer of the machine where the action was committed. For example, if a user executes CMD.exe on an RD Session Host server where an AppLocker rule that was enforced would have denied the action, the following event would be logged in the RD Session Host server Event Log at Event Viewer/Application and Services logs/Microsoft/Windows/AppLocker/EXE and DLL/
Event Id 8003: %SYSTEM32%\CMD.EXE was allowed to run but would have been prevented from
running if the AppLocker policy were enforced.
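Reading those events one at a time in Event Viewer does not scale across a farm, so a summary per file is the practical way to decide whether a rule set is ready for enforcement. The script below is an added example, not code from the book: it queries the "EXE and DLL" AppLocker log on a farm member for event 8003 (the audit-mode "would have been prevented" record shown above) and event 8004 (a block under enforcement), extracts the file path from the message text, and groups the results by file and outcome with the set of user SIDs involved. The only sample input is the book's own event text, fed to the parser as a constructed string.

```powershell
# Added example, not from the book: summarize AppLocker audit events from the "EXE and DLL"
# log on a farm member. Event 8003 is the audit-mode "would have been prevented" record
# quoted above; 8004 is the enforced block. The parser pulls the file path out of the message
# text; the sample message at the end is the book's event text, used here as constructed input.

function Get-AppLockerEventPath {
    param([Parameter(Mandatory = $true)][string]$Message)
    # Message starts with the path, e.g. "%SYSTEM32%\CMD.EXE was allowed to run but would ..."
    if ($Message -match '^(?<path>.+?) was (allowed|prevented)') { return $Matches['path'] }
    return $Message
}

function Get-AppLockerAuditSummary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 2000
    )
    $events = Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 }
    $records = foreach ($e in $events) {
        if ($e.Id -eq 8003) { $outcome = 'WouldBlock' } else { $outcome = 'Blocked' }
        if ($e.UserId) { $sid = $e.UserId.Value } else { $sid = '' }
        New-Object PSObject -Property @{
            Time    = $e.TimeCreated
            UserSid = $sid
            File    = Get-AppLockerEventPath -Message $e.Message
            Outcome = $outcome
        }
    }
    # One line per file and outcome, most frequent first: the list to review before
    # switching the GPO from Audit Only to Enforce Rules.
    $records | Group-Object File, Outcome | Sort-Object Count -Descending | ForEach-Object {
        New-Object PSObject -Property @{
            Count   = $_.Count
            File    = $_.Group[0].File
            Outcome = $_.Group[0].Outcome
            Users   = (($_.Group | ForEach-Object { $_.UserSid } | Sort-Object -Unique) -join ',')
        }
    }
}

# Parser check on the book's sample event text (constructed input, no event log needed):
Get-AppLockerEventPath -Message ('%SYSTEM32%\CMD.EXE was allowed to run but would have been ' +
    'prevented from running if the AppLocker policy were enforced.')

Get-AppLockerAuditSummary | Format-Table Count, Outcome, File, Users -AutoSize
```

Run it against each farm member (the events are written on the server hosting the session, as the paragraph says), and treat any WouldBlock line for a file users legitimately need as a rule to fix before enforcement; a WouldBlock line for a file on your deny list confirms the exception is working.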
Implementing AppLocker

The following example shows how to implement AppLocker policies for an RD Session Host farm. This example shows how you can create, audit, and enforce AppLocker policies that will do the following:

■ Give administrators full access to the machine.
■ Enable access for the ASH Users group to the Microsoft Office folder on the RD Session Host server farm members, except for Microsoft Excel.
■ Provide the ASH Users group the ability to start a remote desktop session by granting access to files in the Windows folder, except CMD.exe, Powershell.exe, Regedit.exe, Wscript.exe, and Cscript.exe.
■ Block all users except administrators from running any scripts or installers on the machine.

First, for AppLocker rules to affect machines, those machines must be running the Application Identity Service. The service is not started by default, and the service setting is set to Manual. You might want to change the default service setting from manual to automatic, so that whenever you start the servers in the farm, AppLocker will work without you needing to turn the service on manually.
ON THE COMPANION MEDIA A script that starts the AppIDSvc service and also
sets the service startup parameter to Automatic for all computers in a specified OU is
located on the companion media as Start-AppIDSvc.ps1.
Also, be aware that users who have administrator rights on machines and VMs that are controlled by AppLocker policies can render the policies useless by simply disabling the AppIDSvc service. Make sure that users do not have this ability in any RDS session or pooled/personal VM scenario.
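The companion media script is not reproduced here; the following is an added example written for this passage (not the book's Start-AppIDSvc.ps1) that does the same job and adds a verification step. For every computer in an OU it sets AppIDSvc to Automatic, starts it, and then reports the start mode and state actually observed on each host, so a farm member where the service is stopped (and AppLocker therefore not enforcing) is visible in one table. It assumes the RSAT ActiveDirectory module and Windows PowerShell's -ComputerName support on the service cmdlets; the OU distinguished name is a placeholder built from the chapter's ASH RD Farm1 OU and an invented domain.

```powershell
# Added example (not the book's companion Start-AppIDSvc.ps1): set the Application Identity
# service to Automatic and start it on every computer in an OU, then report what each farm
# member is actually running, so a host where AppIDSvc is stopped (AppLocker silently not
# enforcing) stands out. Assumes the RSAT ActiveDirectory module and Windows PowerShell's
# -ComputerName support on Get-Service/Set-Service; the OU distinguished name is a placeholder.

Import-Module ActiveDirectory

function Enable-AppIdService {
    param([Parameter(Mandatory = $true)][string]$SearchBase)
    $names = Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object { $_.Name }
    foreach ($computer in $names) {
        $result = New-Object PSObject -Property @{
            Computer = $computer; StartMode = $null; Status = $null; Error = $null
        }
        try {
            # Change the startup type and start the service in one call, then read back the real state.
            Set-Service -ComputerName $computer -Name AppIDSvc -StartupType Automatic -Status Running -ErrorAction Stop
            $svc = Get-Service -ComputerName $computer -Name AppIDSvc -ErrorAction Stop
            $result.Status = [string]$svc.Status
            $result.StartMode = (Get-WmiObject -ComputerName $computer -Class Win32_Service `
                -Filter "Name='AppIDSvc'" -ErrorAction Stop).StartMode
        } catch {
            $result.Error = $_.Exception.Message
        }
        $result
    }
}

# Anything other than StartMode 'Auto' and Status 'Running' needs attention before relying on the rules.
Enable-AppIdService -SearchBase 'OU=ASH RD Farm1,DC=contoso,DC=com' |
    Format-Table Computer, StartMode, Status, Error -AutoSize
```

Schedule the same query (without the Set-Service call) as a periodic check: because an administrator on the host can stop the service, as the paragraph notes, the reported state is what tells you whether the AppLocker GPO is actually in effect on each server.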
AppLocker rules can be created from different sources:

■ Directly in the local policy of the machine on which the policies will apply
■ On another machine running Windows 7 or Windows Server 2008 R2 with the same software installed as the production environment, and also the Remote Server Administration Tools (RSAT) installed

Either way you create your rules, you should first implement them in a test environment and then audit them in a production environment before enforcing them. This two-step process will cut down on unforeseen consequences negatively affecting user access in an RDS environment.

In this example, you will see how to create policies directly on a farm member (the RD Session Host server's name is FUJI) that is currently not accepting connections. Then you will see how to export the rules to an XML file and import them into a GPO that will be applied to an RD Session Host farm in Audit mode. When it's clear that the AppLocker policies accomplish the intended goals but do not affect the users negatively, it's safe to change the GPO to Enforce mode.

First, create and export the AppLocker policies by completing these steps:

1. On RD Session Host server FUJI, open the Local Security Policy, browse to the Application Control Policies folder, and expand the AppLocker folder.
2. Right-click Executable Rules and choose Create Default Rules. Three executable rules will appear in the right pane, as shown in Figure 7-4. By creating the default rules, you have already given the BUILTIN/Administrators group full access to all files on the machine, because this is one of the default rules.
3. Adjust the first rule to allow a specific user group ASH Users (instead of Everyone) to access the Office executables, except for Excel, as follows:
   a. Double-click the first rule highlighted in Figure 7-4. On the General tab, select the user group that you want to affect (in our example, ASH Users). Keep the Allow option selected.
   b. On the Path tab, click Browse Folders and browse to the folder where the Office executables are located: %PROGRAMFILES%\Microsoft Office\*
   c. On the Exceptions tab, add a publisher exception by clicking Add, browsing to the Excel executable, and then clicking OK.
   d. Click OK again to apply the changes to the default rule.
4. Double-click the second default rule shown in Figure 7-4 [named (Default rule) All files located in the Windows folder] and adjust it to allow ASH Users to access all executables in the Windows folder. Then make an exception to the rule and deny access to CMD.exe, Powershell.exe, Regedit.exe, Wscript.exe, and Cscript.exe, as follows:
   a. Double-click the highlighted rule. On the General tab, replace the Everyone group by clicking Select and choosing the appropriate user group to whom you want this rule to apply (ASH Users). Leave the Allow option selected.
   b. Leave the %WINDIR% path on the Path tab as is.
   c. On the Exceptions tab, add five exceptions, one for each executable to which you want to deny this group access. Leave the Publisher exception type selected. Click Add, browse to cmd.exe, and click OK. Do the same for the other four executables. When the exceptions list is complete, as shown in Figure 7-5, click OK to apply the changes to the rule.
5. The easiest way to block all users except administrators from running any scripts on the machine is to create the "default script rules" and then delete the ones that you do not want to use.
   a. Select and right-click the Script rules node in the Local Security policy, and then choose Create Default Rules. Three default rules will be created, as shown in Figure 7-6.
   b. Select the first two rules and then right-click and choose Delete.
   You are left with one rule that allows the BUILTIN/Administrators group to run all scripts on the machine, but no one else will be allowed to do so because of the inherent Deny rule that is enforced.
6. To block all users except administrators from running any installers on the machine, follow the steps laid out in Step 5, but do so using the Windows Installer Rules node.
7. Now you will export the rules that you have created to an XML file and import them into a GPO. Right-click the AppLocker node and choose Export Policy. Choose a path to save the file, enter a file name (our file name is ASH Farm1 AppLocker Rules), and click Save.
8. When you export rules from the local security policy, they are not deleted. Delete them for now because they have not yet been tested in a non-production environment. Right-click the AppLocker node and choose Clear Policy. This reverts AppLocker to its original unconfigured state. If you need to adjust the rules in the future, you can do so by re-importing the policy XML file that you created and adjusting and re-exporting the policy; but for now, there is no reason to leave them in place.

After you have created the rules XML file, create a new GPO (using Group Policy Manager) and then import the XML file into the AppLocker node in the GPO, as shown in Figure 7-7.
FIGURE 7-8 Set the AppLocker rules to Audit Only mode.

Next, you apply the new GPO to the OU that contains the servers that you want to affect. In this example, you apply the rule to the ASH RD Farm1 OU, containing two RD Session Host servers (FUJI and GLACIER). Now, when users log on to the farm, AppLocker logs the actions the user takes that are allowed and the actions that would be denied had the AppLocker rules been enforced. These logs are in the Event Viewer\Applications and Services Logs\Microsoft\Windows\AppLocker folder on the RD Session Host server where the user session is running. In our example, Excel was blocked from starting. As you can see in Figure 7-9, the event log shows that had the AppLocker rule been enforced, the user would have been denied access.

After you have tested and adjusted the AppLocker rules fully to suit your needs, change the enforcement of the rules shown in Figure 7-8 from Audit Only to Enforce Rules and click OK to save the change. Your rules will now be enforced. Any changes that you need to make in the future can be made directly in the GPO (if you know the text you need to enter), or you can import the rules again to a machine that is not currently hosting or accepting connections, make changes to the rules there, export the new rule set, and re-import them into a GPO.
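The same rule set can be produced, checked and imported from Windows PowerShell using the AppLocker cmdlets mentioned earlier in this section, which also gives you a way to test decisions before any session is affected. The script below is an added example, not code from the book or from Microsoft: it builds the walkthrough's policy as AppLocker XML (administrators unrestricted; ASH Users allowed the Office folder except Excel and the Windows folder except the five named executables; scripts and installers for administrators only), every collection in Audit Only, then runs Test-AppLockerPolicy against a few paths and shows the Set-AppLockerPolicy call that imports it into the GPO. Two deliberate differences from the GUI steps above: the exceptions are path conditions rather than publisher conditions, which is why the script has to list every copy of each executable, and the group name, domain, test account, Excel path and GPO LDAP path are placeholders to replace.

```powershell
# Added example, not from the book: build the rule set of this walkthrough as AppLocker
# policy XML, check decisions with Test-AppLockerPolicy before any user is affected, and
# import it into the GPO with every collection in Audit Only. Two differences from the GUI
# steps: the exceptions are path conditions rather than publisher conditions, and the group,
# domain, Excel path and GPO LDAP path are placeholders to replace.

Import-Module AppLocker

function Get-AccountSid {
    param([Parameter(Mandatory = $true)][string]$Account)
    (New-Object Security.Principal.NTAccount($Account)).Translate([Security.Principal.SecurityIdentifier]).Value
}

# One FilePathRule element; $Exceptions are path conditions carved out of the allowed path.
function New-PathRuleXml {
    param([string]$Name, [string]$Sid, [string]$Path, [string[]]$Exceptions = @())
    $ex = ''
    if ($Exceptions.Count -gt 0) {
        $conds = $Exceptions | ForEach-Object { "<FilePathCondition Path=`"$_`"/>" }
        $ex = "<Exceptions>$($conds -join '')</Exceptions>"
    }
    "<FilePathRule Id=`"$([guid]::NewGuid())`" Name=`"$Name`" Description=`"`" UserOrGroupSid=`"$Sid`" Action=`"Allow`">" +
        "<Conditions><FilePathCondition Path=`"$Path`"/></Conditions>$ex</FilePathRule>"
}

function New-ChapterPolicyXml {
    param([string]$UserGroup = 'CONTOSO\ASH Users')        # placeholder domain
    $admins = 'S-1-5-32-544'                               # BUILTIN\Administrators, the default rule's subject
    $users  = Get-AccountSid $UserGroup
    # Path exceptions must name every copy of the file: the 64-bit server keeps a second
    # set under SysWOW64, and regedit.exe lives in %WINDIR% itself.
    $winExceptions = @(
        foreach ($rel in 'cmd.exe', 'WindowsPowerShell\v1.0\powershell.exe', 'wscript.exe', 'cscript.exe') {
            "%WINDIR%\System32\$rel"; "%WINDIR%\SysWOW64\$rel"
        }
        '%WINDIR%\regedit.exe'; '%WINDIR%\SysWOW64\regedit.exe'
    )
    $excel = '%PROGRAMFILES%\Microsoft Office\Office14\EXCEL.EXE'   # placeholder: adjust to the installed version
    $exe = (New-PathRuleXml 'Administrators: all files' $admins '*') +
           (New-PathRuleXml 'ASH Users: Office except Excel' $users '%PROGRAMFILES%\Microsoft Office\*' @($excel)) +
           (New-PathRuleXml 'ASH Users: Windows folder' $users '%WINDIR%\*' $winExceptions)
    $scriptRule = New-PathRuleXml 'Administrators: all scripts' $admins '*'
    $msiRule    = New-PathRuleXml 'Administrators: all installers' $admins '*'
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">$exe</RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">$scriptRule</RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="AuditOnly">$msiRule</RuleCollection>
</AppLockerPolicy>
"@
}

$policyFile = Join-Path $env:TEMP 'ASH Farm1 AppLocker Rules.xml'
New-ChapterPolicyXml | Set-Content -LiteralPath $policyFile -Encoding UTF8

# Decisions for a member of ASH Users (placeholder account): cmd.exe and Excel must not come
# back Allowed, explorer.exe must be Allowed by the Windows folder rule.
Test-AppLockerPolicy -XmlPolicy $policyFile -User 'CONTOSO\someuser' -Path @(
    "$env:WINDIR\System32\cmd.exe", "$env:WINDIR\explorer.exe",
    "${env:ProgramFiles}\Microsoft Office\Office14\EXCEL.EXE") |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Import into the GPO (placeholder LDAP path); collections stay in Audit Only until the
# 8003 events show only the intended blocks, then change EnforcementMode to Enabled.
# Set-AppLockerPolicy -XmlPolicy $policyFile -Ldap 'LDAP://DC1.contoso.com/CN={G
PO-GUID},CN=Policies,CN=System,DC=contoso,DC=com'
```

The generated file is the same kind of XML that step 7 exports from the Local Security Policy, so it can also be imported through the GPO editor exactly as Figure 7-7 shows. Keep using publisher exceptions in production where files are signed, as the GUI walkthrough does: a path exception covers only the listed path, so a copy of cmd.exe placed elsewhere under %WINDIR% by an administrator would not be excepted, whereas a publisher condition follows the file.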
FIGURE 7-9 AppLocker logs warnings and information regarding audited AppLocker rules in the Event Viewer of the server where the user session runs.
3. Create a GPO that redirects the Start menu for all users who log on to the machines in the OU to this one location and place the GPO on the appropriate OU.
4. Set the following GPOs (some of which were mentioned earlier in the section about locking down the Start menu and taskbar):
   User Configuration\Policies\Administrative Templates\Start Menu and Task Bar
   • Remove Common Groups From Start Menu  This does not place items from the All Users group in the user's Start menu located at C:\ProgramData\Microsoft\Windows\Start Menu\Programs.
   • Remove Pinned Programs List From The Start Menu  Enabling this setting removes the items stored in the QuickLaunch folder of the user profile. For example, you could use a roaming user profile with QuickLaunch items stored at \\FILESERVER\ASH-user-folder-redirection\kristin griffin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\Start Menu.
   • Remove The Network Icon From The Start Menu  This removes the network icon from the right side of the Start menu.
5. Remove the Control Panel icon from the Start menu by enabling the following GPO: User Configuration\Policies\Administrative Templates\Control Panel\Prohibit Access To The Control Panel
6. Provide administrative tools on the right side of the Start menu, while eliminating this for regular users (who should not have a need for these tools). On each RD Session Host server remove NTFS permissions for the Everyone group and the Users group from the following folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools

The result of these few steps is a consistent Start menu for users even if they are using roaming profiles and folder redirection. The same items will be available in the All Programs menu each time the user logs on, and to add or change this menu, you only have to maintain the one redirected Start Menu folder.

What's also nice about this arrangement is that different users can see different icons, effectively giving them a different Start menu depending on who they are. To do this, just change the NTFS permissions on each icon in the Start Menu redirected folder. Users who do not have NTFS permissions to the icon will not see the icon in their Start menu.

You can also redirect different user groups to different Start menus (that is, different Start Menu redirected folders) and achieve the same effect. This requires that you create and maintain multiple GPOs that redirect the Start menu to different folders, on a user-group basis. Just remember to set the appropriate NTFS permissions on the redirected folder and also to remove the Authenticated Users group from the GPO security filtering and add the specific users and user groups that you want to use the GPO.
Keeping the RD Session Host Server Available
You have seen how to secure the sessions and VMs and how to simplify the user's view of the desktop. Some Group Policy settings allow you to improve the user experience through limiting access or shortening logon times.
NOTE It's also possible to prevent logons to the RD Session Host server via Active Directory Users And Computers; one option in the user account Properties dialog box defines whether users are allowed to log on to the RD Session Host server (they are, by default). Although it might appear that Group Policy or Active Directory Users And Computers settings are good ways to prevent people from logging on during server maintenance, they're really not, because the policy might not apply in time and you might not have Active Directory Domain Services (AD DS) control anyway. To lock out users during maintenance, run the following command on the RD Session Host that you need to work on.
connect ons to approx mate y 100 and not nterfere w th user access Th s a so ensures
that you won’t a ow more connect ons than are needed
Setting session time limits can be a delicate balancing act. For example, the longer that disconnected sessions are available before being terminated, the more time users have to reconnect. Reconnecting to an existing session is faster than creating a new session, and reconnecting to an existing session keeps the user locked into a particular RD Session Host server. However, disconnected sessions still require some memory. Not much memory is needed, because when a session is disconnected, the data stored in physical memory is high on the list to be paged to disk, but it does require some. If the RD Session Host server is memory-constrained, disconnected sessions could affect performance. To set a time limit on disconnected sessions, enable and configure the following policy.
You can also set session limits defining how long sessions might be active or idle before they’re disconnected. However, you can’t set session time limits for individual RemoteApp programs. All RemoteApp programs using the same session will follow the same rules.
NOTE As discussed in Chapter 11, “Managing Remote Desktop Sessions,” although VMs
are not visible in the Remote Desktop Services Manager, you can shadow them from the
command prompt if you know the session ID for the VM. Chapter 11 discusses how to do
this in the explanation of how to use shadow for runtime management.
In brief, Remote Control works by intercepting the output of the RDP graphics driver. When a session is shadowed, rather than sending the output to only one session, the RDP graphics driver sends the screen updates and mouse and keyboard inputs to two sessions: the session being shadowed and the session doing the shadowing. This is why you can’t shadow a session unless you’re in an RDP session yourself.
Chapter 11 discusses how to use Remote Control, but for now, let’s focus on the permissions options and how to set them.
There are two levels of interaction with a Remote Control session. First, you can use it to view the user setting. This setting allows both the user and the administrator to see the session at the same time, but only permits the user to interact with it. The other option is to allow the administrator to interact with the user’s session.
There are three options for Remote Control:
■ You can disable it entirely. This setting will prevent administrators from using Remote Control on user sessions. This is the most secure option, but it’s also the least helpful.
■ You can enable it but require the user’s permission for an administrator to connect to the session.
■ You can enable it and not require any notification.
The option that you pick will obviously depend on the circumstances. Disabling shadowing might be necessary when privacy rules in your organization don’t permit it. Requiring notification allows you to use this capability but still reassure the users that no one can see their desktop without their knowledge or permission. Also, not requiring notification allows the administrator to audit user activity, which is a requirement in some organizations.
You can define the way Remote Control works on a per-server basis through RD Session Host Configuration, for specific users in AD DS user account properties, or by using Group Policy.
To configure Remote Control settings for individual RD Session Host servers, go to Start, Administrative Tools, Remote Desktop Services and open RD Session Host Configuration. In the Connections section at the top of the middle pane, double-click RDP-Tcp to open the RDP-Tcp Properties dialog box, and then go to the Remote Control tab shown in Figure 7-10.
FIGURE 7-10 Configure computer properties for Remote Control.
As you can see, the default settings allow the per-user settings to override. To configure Remote Control settings on a per-user basis, open Active Directory Users And Computers and open a user’s account Properties dialog box, as shown in Figure 7-11.
To set remote settings using Group Policy, configure Set Rules For Remote Control Of RD Session Host Server User Sessions. You can set the policy on a per-computer or per-user basis. For computers, the policy is located in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections. For users, it’s in User Configuration\Policies\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections. Enable the policy and then edit the settings to pick the appropriate option, as shown in Figure 7-12.
FIGURE 7-11 Configure user account properties for Remote Control.
FIGURE 7-12 You can edit the Remote Control Group Policy for users or for all RD Session Host servers.
If you don’t configure the policy or any remote control settings, then the settings in Active Directory Users And Computers will take effect by default, and Remote Control sessions will be allowed with the user’s permission, with administrators allowed to interact with the session. Unless there’s a really good reason to configure Remote Control settings differently for discrete sets of people, you should configure them for all RD Session Host servers in the same way. Having different policies for different people could easily confuse administrators and render the Remote Control option less useful.
Summary
Hosting shared desktops and applications in the datacenter is a delicate balance between providing a rich user experience (as discussed in Chapter 6) and locking down the server to avoid one user from affecting others, as discussed in this chapter. (Some lockdown can also apply to any desktop, whether it is in the datacenter or it is a physical desktop that you want to control.)
Here are some of the best practices covered in this chapter:
■ Use Group Policy to configure user settings if possible. All settings are in Group Policy, and some are represented in either Active Directory Users And Computers or the Remote Desktop Services Configuration Tool.
■ Lock down the RD Session Host server by removing the ability to browse the operating system and permitting only authorized executables to run.
■ Avoid confusing people who work in sessions and pooled VMs by hiding local files in libraries and preventing people from writing to those local locations.
■ On Windows 7 VMs and Windows Server 2008 R2 RD Session Host servers, use AppLocker to prevent unauthorized applications from running.
■ Creating a read-only Start menu can help simplify the experience for people who need a full desktop but shouldn’t be confused by too many options.
■ Limit usage of the RD Session Host servers and limit session counts to keep control of licensing for applications licensed on a per-connection basis and to optimize performance on the RD Session Host servers.
■ Configure Remote Control settings to enable session auditing as well as enable the Help Desk to assist users remotely.
Additional Resources
The following resources are related to topics covered in this chapter. You can also find the links on this book’s companion media.
■ For more information about Software Restriction Policies, see http://go.microsoft.com/fwlink/?LinkID=92567.
■ An introduction to AppLocker is located at http://technet.microsoft.com/en-us/library/dd560656(WS.10).aspx.
■ For some ideas of how to manage AppLocker via Windows PowerShell, see http://blogs.msdn.com/b/powershell/archive/2009/06/02/getting-started-with-applocker-management-using-powershell.aspx.
■ To download RDP 7 for Windows Vista SP1 and later, go to http://www.microsoft.com/downloads/details.aspx?familyid=AC7E58F3-2FD4-4FEC-ABFD-8002D34476F4&displaylang=en for 32-bit systems, and http://www.microsoft.com/downloads/details.aspx?familyid=11E7A081-22A8-4DA7-A6C5-CDC1AC51A1A4&displaylang=en for 64-bit systems.
■ To download RDP 7 for Windows XP SP3, go to http://www.microsoft.com/downloads/details.aspx?FamilyId=72158b4e-b527-45e4-af24-d02938a95683&displaylang=en.
■ To download RDP 6.1 for Windows XP SP2, go to http://www.microsoft.com/downloads/details.aspx?FamilyId=6E1EC93D-BDBD-4983-92F7-479E088570AD&displaylang=en.
■ For an introduction to libraries in Windows 7, see http://msdn.microsoft.com/en-us/magazine/dd861346.aspx.
CHAPTER 8
■ Authenticating Client Identity with Network Level Authentication (NLA) 415
■ Configuring the Security Settings on the RD Session Host Server 417
Chapter 7, “Molding and Securing the User Environment,” discussed some approaches to locking down the server or VM to protect them from malice or error. Isn’t that enough?
Locking down the server is important, but it assumes that you’ve already made a secure connection to the server. That assumption doesn’t consider the possibility of the connection—or the communication between the client and server—being compromised in some way. For example:
■ An existing connection could be intercepted and the data flow compromised.
■ The user could connect to a malicious server and type his or her logon credentials for the owner of the server to capture.
■ A client not authorized to connect to the Remote Desktop (RD) Session Host server could make repeated attempts to connect, tying up resources on the RD Session Host server as it tries to authorize the connection, thus preventing authorized users from connecting.
The catch to mitigating all these connection vulnerabilities is that the logon experience is a critical part of a successful RD Session Host server deployment. If the connection experience is bad, then the users accessing the RD Session Host server will be unhappy with the service. Therefore, you must keep the data stream secure but also make it as fast as possible. This chapter explains the key Windows components that tackle this problem, including the following:
■ Remote Desktop Protocol (RDP) encryption
■ Server authentication
■ Network Level Authentication (NLA)
■ Single sign-on (SSO)
Figure 8-1 shows the features that will be discussed and the technologies supporting each feature.
FIGURE 8-1 Key RDS communication security features and supporting technologies are presented here. (Labels in the figure: Network Level Authentication; Credential Security Provider (CredSSP); Single Sign On.)
in Chapter 7, in which client and server negotiate their mutual capabilities. There are two requirements for this to work properly:
■ The client must trust the server SSL certificate that is used to verify the server’s identity.
■ The connection between server and client must use High or FIPS encryption. Low encryption only encrypts the traffic from client to server, not server to client, so it’s not a secure way to send security capabilities or shared secrets.
If these two requirements are met, the client and server establish communication as follows:
1. The client sends a hello message along with a random fixed-length value. The server responds with a random fixed-length value. During this exchange, the client tells the server the compression methods, ciphers, and hashes that it supports. It also sends its protocol version and a session ID to the server. (The session ID identifies the communication channel; this is not the Session ID on an RD Session Host server.)
2. The server picks the highest compression method that they both support and the cipher and hash function from the client’s list, and tells the client which one it has chosen. If there’s a minimum set on the server and the client can’t meet this minimum, the connection will fail.
3. The server sends its digital certificate to the client. This certificate contains the server’s name, the trusted CA that signed the certificate, and the server’s public key.
4. The client verifies that the certificate is valid and trusted (the certificate used to sign the server certificate is located in the client’s Trusted Root Certification Authorities store). Then it creates a pre-master secret, encrypts it with the server’s public key, and sends it to the server.
5. The server receives and decrypts the pre-master secret with its private key. This server is the only one that can do this because it is the only server with the matching private key.
6. Now that both server and client have the pre-master secret and both random numbers exchanged at the beginning of the process, they use these values to generate the 48-byte master secret (also known as the shared secret). After the master secret is generated, they delete the pre-master secret.
7. Both client and server then hash the 48-byte master secret and use it to generate the MAC secret (the session key used for hashing) and the WRITE key (the session key used for encryption). The keys are used to encrypt and decrypt the communication for this session. After the session is over, the keys are discarded.
See Figure 8-2 for an overview of how TLS allows the client and server to set up a secure communication link.
(Figure 8-2 callouts:)
■ The client sends Hello plus a random number.
■ The client creates a pre-master secret, encrypts it using the public key from the endpoint’s certificate, and sends it to the endpoint.
■ The endpoint decrypts the pre-master key using its private key.
■ Both client and server use the pre-master secret plus the random values to generate the master secret, then use the master secret to generate the session keys used to encrypt and decrypt during the session.
If any step of this sequence doesn’t work, the connection has not been fully secured. What happens then depends on the settings on the Advanced tab of the Remote Desktop Connection (RDC) client. In the case of authentication failure, a user can choose to do any one of the following:
■ Connect anyway, without notifying the client that there was a problem authenticating the server.
■ Warn the client but still allow the connection (the default).
■ Deny the connection outright if it can’t be verified.
The exception is if the server requires a certain level of security (for example, High encryption). If the server has requirements and the client can’t meet them, the connection will fail. By default, the client and server will negotiate and use the most secure connection settings that they both support.
NOTE Because Microsoft Internet Information Services (IIS) doesn’t use CredSSP, you
can’t use CredSSP to pass credentials to RD Web Access. Users will need to authenticate
against RD Web Access to store their credentials in the site (see Chapter 9, “Multi-Server
Deployments”). After users are authenticated, they will not need to authenticate again
to start RemoteApp programs.
■ For reconnecting to a session within a farm, CredSSP speeds the process of passing the connection to the correct server by allowing the RD Session Host server to see who is logging on without having to create an entire session (using NLA in a slightly different scenario).
HOW IT WORKS
CredSSP enables mutual authentication of server and client, as shown in the following illustration.
(Illustration callouts: 3, +1; 4, User name; 5, Password.)
1. The client initiates a secure channel with the server using TLS, and the server
passes back its certificate with its name, CA, and public key. Only the server is
identified; the client remains anonymous at this point.
NOTE Although the client uses TLS to establish the secure connection, this
isn’t full server authentication. The client and server don’t need to have a
mutually trusted CA root.
2. When the session has been established and a session key is created, CredSSP uses
the Simple and Protected GSS-API Negotiation (SPNEGO) protocol to authenti-
cate the server and client mutually, so that they know they can trust each other.
Basically, this mechanism lets the client and server agree on an authentication
mechanism that they both support, such as Kerberos or NTLM.
3. After the mutual authentication finishes, CredSSP on the client encrypts the
server’s certificate with the session key created during Step 2 and sends it to the
server. The server receives the encrypted certificate, decrypts it using its private
key, and then adds 1 to the most significant bit of the certificate number. It then
encrypts the result and sends it back to the client.
4. The client reviews the encrypted certificate that it gets from the server and com-
pares it to the certificate it has.
5. Assuming the results match, CredSSP on the client sends the user credentials to
the server.
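Steps 3 through 5 as an added example, not code from the book or from Microsoft’s CredSSP implementation: a Python simulation of the public-key binding check. The session key from step 2 is the SPNEGO (Kerberos or NTLM) context key, which only the client and the genuine server hold; the encryption here is a constructed HMAC-keystream toy standing in for the real GSS-API wrap, and the “+1” is applied to the leading byte of the key, a simplification of the book’s description. The second scenario shows why the check matters: if the TLS channel the client sees was terminated by some other endpoint, the key the client encrypts is not the server’s own, the server refuses, and the credentials of step 5 are never sent.

```python
import hashlib
import hmac
import os


# Toy symmetric encryption standing in for the GSS-API wrap that real CredSSP uses:
# an HMAC-SHA256 counter keystream XORed with the data, prefixed by a fresh nonce.
# Constructed for illustration only; it is not the protocol's actual cipher.
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key, data):
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def toy_decrypt(key, blob):
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def plus_one_leading_byte(pubkey):
    """The book's '+1' step: the server increments the leading byte (mod 256) before echoing."""
    return bytes([(pubkey[0] + 1) % 256]) + pubkey[1:]


class Server:
    def __init__(self, pubkey):
        self.pubkey = pubkey              # the key in the TLS certificate this server really holds
        self.received_credentials = None

    def answer_pubkey_auth(self, session_key, blob):
        """Step 3 (server side): decrypt, check the key is ours, reply with key+1 encrypted."""
        seen_by_client = toy_decrypt(session_key, blob)
        if seen_by_client != self.pubkey:
            return None                   # the client was shown some other certificate: refuse
        return toy_encrypt(session_key, plus_one_leading_byte(self.pubkey))

    def accept_credentials(self, session_key, blob):
        self.received_credentials = toy_decrypt(session_key, blob)


def client_credssp(session_key, pubkey_from_tls, server, credentials):
    """Steps 3-5 (client side). Returns True only if the server proved it holds the key the
    client saw in the TLS certificate; the credentials are sent only in that case."""
    reply = server.answer_pubkey_auth(session_key, toy_encrypt(session_key, pubkey_from_tls))
    if reply is None:
        return False
    if toy_decrypt(session_key, reply) != plus_one_leading_byte(pubkey_from_tls):  # step 4
        return False
    server.accept_credentials(session_key, toy_encrypt(session_key, credentials))  # step 5
    return True


# Constructed sample values: the step-2 session key and two public keys.
SESSION_KEY = hashlib.sha256(b"constructed kerberos/ntlm session key").digest()
REAL_SERVER_KEY = hashlib.sha256(b"constructed rd session host public key").digest()
OTHER_KEY = hashlib.sha256(b"constructed key of some other endpoint").digest()


def legitimate_connection():
    """The client saw the genuine server certificate: binding succeeds, credentials arrive."""
    server = Server(REAL_SERVER_KEY)
    ok = client_credssp(SESSION_KEY, REAL_SERVER_KEY, server, b"CONTOSO\\alice:pw")
    return ok, server.received_credentials


def interposed_connection():
    """The client's TLS channel ended at an endpoint presenting OTHER_KEY, which can only relay
    the CredSSP blobs unchanged (it lacks the session key): the server refuses in step 3."""
    server = Server(REAL_SERVER_KEY)
    ok = client_credssp(SESSION_KEY, OTHER_KEY, server, b"CONTOSO\\alice:pw")
    return ok, server.received_credentials


if __name__ == "__main__":
    print("legitimate:", legitimate_connection())
    print("interposed:", interposed_connection())
```

The design point worth noticing is where the security comes from: the TLS certificate alone is not trusted (the sidebar’s note says the CA root need not be mutually trusted), so the protocol instead ties the certificate the client saw to the Kerberos or NTLM context that only the genuine server can complete. Any endpoint that terminated the client’s TLS session but cannot obtain that context key cannot read or forge the step-3 and step-4 messages, and the credentials of step 5 are only ever released after step 4 succeeds.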
After they’re saved and you have made an initial connection, you can edit them (for example, if you change your password, as CredSSP will not automatically update password changes) by clicking the Edit link in Figure 8-4.
FIGURE 8-4 You can edit or delete stored credentials.
If you choose to edit the saved credentials, you’ll see a dialog box like the one used to log on. Your domain and user name will be displayed and your password credentials will be left blank. If you choose to save credentials using another user name, you can also click Use Another Account to start over completely. Use this option to update a stored password after you’ve changed it.
If you click the Delete link, you’ll remove that stored credential from the CredSSP store. A dialog box will prompt you to confirm the action and then clear that saved user name and account information from the cache. Use this option to delete credentials you accidentally saved or which are no longer needed.
Using RDP Encryption
Because there’s a lot of open network between the user running the application on an RD Session Host server and the server running the application, it’s important to encrypt the traffic going between them so that it can’t be intercepted. By default, RDP traffic will be encrypted as strongly as the client can support it—128-bit, if you’re using RDP 5.2 or later. Both the RD Session Host server and the client are configured to let the client and the server negotiate the highest level of encryption that both can support.
determined to be compliant. On Windows Server 2008 R2, the Encrypted File System (EFS) behavior won’t change regardless of this setting; the default algorithm is the FIPS-compliant 256-bit Advanced Encryption Standard (AES) algorithm. On previous versions of Windows, requiring FIPS compliance would make EFS fall back to 3DES.
You can configure the RD Session Host server to use FIPS-compliant algorithms either from Group Policy or from RD Session Host Configuration. If you set Group Policy to require FIPS compliance, this will override the Remote Desktop Services–specific Group Policy that sets the RDP Encryption level to High.
NOTE Because NIST certification takes some time, it is possible that the FIPS-compliant
algorithm might not be the strongest one available. More recent algorithms might not
have been certified yet.
NOTE For more information on TLS, see the section entitled “Transport Layer Security”
earlier in this chapter.
Establishing a Kerberos Farm Identity
Prior to Windows Server 2008 R2, Kerberos authentication did not recognize farms—just individual servers. Therefore, to authenticate a server’s identity, you had to use certificates. Beginning in Windows Server 2008 R2, you could add server farms to AD DS and authenticate the farm. This allows you to save the time and expense required to install certificates on all servers, and it also makes it much easier to deploy new servers in the farm quickly, because you won’t need to install certificates on them. You still need to know how to use certificates, since Kerberos authentication still does not work over the Internet, but this feature can save you from needing to install certificates on all farm members if using a full RDS deployment on the LAN.
When the farm has a Kerberos identity, the farm’s account credentials are stored on the RD Connection Broker server. The broker then provides each server in the farm with the farm’s account credentials. RD Session Host servers use the farm’s account credentials as supplemental to the individual server credentials.
There is no user interface to add servers to a farm, but there are scripts for doing so. To see how to establish a Kerberos farm identity programmatically, see http://blogs.msdn.com/b/rds/archive/2009/05/20/creating-kerberos-identity-for-rd-session-host-farms-part-i-using-the-remote-desktop-services-provider-for-windows-powershell.aspx.
NOTE The following instructions are not intended for a production deployment; they are
for testing only. For production, we strongly recommend that you use certificates issued by
a trusted CA or create a Kerberos identity for the server farm.
Authenticating Server Identity (Server Authentication) Chapter 8 411
Server Authentication checks the name that you enter in Remote Desktop Client with the name issued in the certificate that is specified in RD Configuration Tool on the RD Session Host server that it connects to. However, this certificate was generated for a server, not a farm. Therefore, when you try to connect to the farm, you will get the error shown in Figure 8-5.
FIGURE 8-5 The certificate is not from a trusted CA, according to this dialog box.
This error is a bit misleading. The certificate will not be seen as trusted because the self-signed certificate is not located in the client’s trusted root store. Even if the self-signed certificate were located in the client’s trusted root store, however, the name on the certificate is wrong, and you would still get this error.
NOTE You could disregard the error and still connect. If the certificate was generated
from a CA (not self-signed), the inability to validate it would be severe enough to prevent
the user from connecting to the server.
To use a self-signed certificate to test farm access, you need the name specified on the certificate to be the name of the farm, and you need to install that certificate in the trusted root store on all clients so that the client trusts the certificate.
The trouble is, there’s no way to use any RDS tool to generate a self-signed certificate that meets those needs.
If you thought you’d be clever and use RD Gateway to generate a self-signed certificate (see Chapter 10, “Making Remote Desktop Services Available from the Internet,” to learn how), you might at first think that you are successful. It will generate a self-signed certificate, and the name will be whatever you specify, but you can’t export the private key. The result is that you will be able to import that certificate into the certificate store on the RD Session Host server, but it won’t be usable in RD Session Host Configuration because it’s missing the private key. If the RD Gateway and one RD Session Host server in the farm were on the same machine (which is a bad idea, for reasons that are covered in Chapter 10), this would work for that server, but you couldn’t use the farm certificate for any other servers in the farm, because when you imported the certificate, it would lack the private key.
Using SelfSSL.exe
RDS doesn’t have any tools to help you create a self-signed farm certificate. However, the IIS6 Resource Kit does have a tool that will do this. You can download the IIS6 Resource Kit from http://support.microsoft.com/kb/840671. You’re looking for the tool called SelfSSL.exe.
Here’s how to generate a self-signed farm certificate to test server authentication in a pilot deployment. Again, for production, you should get a certificate signed by a trusted CA. (You will get an error if you run SelfSSL on a machine that does not have IIS installed; however, the certificate will still be created and is usable.) There are three steps:
■ Generate the certificate using the farm name.
■ Export the certificate.
■ Import the certificate on each server in the farm.
2. Type the command to create the certificate, filling in the name of your farm for CN (for example, farm.ash.local).
3. When prompted to replace the SSL settings for site 1 (Y/N)? choose Y. You should get the following success message:
FIGURE 8-6 Use the Certificates MMC to export the certificate.
2. Click Next and then choose the option to export the private key and click Next again.
3. Choose the PFX format and click Next.
4. Add a password for the file and click Next.
5. Add a path and file name to export to, click Next, and then click Finish.
To use this certificate to test, it will need to be imported to the Personal Store on all RD Session Host servers in the farm, as well as to the Trusted Root Certification Authorities Store on the clients you use to test.
NOTE The certificate will contain the private key, and normally you would not add
this type of certificate to clients, which is another reason that this is for testing pur-
poses only. If you would rather add a certificate to clients that does not have the private
key, re-export the certificate without the private key and import that certificate to the
clients.
Authenticating Client Identity with Network Level
Authentication (NLA)
Authenticating the server protects the client from connecting to a malicious RD Session Host server masquerading as a legitimate one, but what about protecting the RD Session Host server from malicious connections? As discussed in Chapter 3, “Deploying a Single Remote Desktop Session Host Server,” the process of starting a connection—even just presenting a logon screen—requires the server to create many of the processes required to support a session (for example, Csrss.exe and Winlogon.exe). Session creation is expensive, so creating even this much of a session—only to be told that the user trying to access the RD Session Host server doesn’t have the required credentials—is both a security vulnerability and a performance hit.
One way to reduce both the security hit and the performance hit is to enable connections only from computers that support NLA. NLA uses CredSSP to present user credentials to the server before the server has to create a session.
You might have noticed that when you connect to an RD Session Host server with the RDC 6.x or later client, you don’t connect to the RD Session Host server logon screen to provide your credentials. Instead, a local dialog box pops up to take your credentials on the client (see Figure 8-7). This dialog box is the front end of CredSSP.
FIGURE 8-7 The Windows Security dialog box is the user interface for CredSSP.
When you type your credentials into this dialog box, even if you don’t choose to save them, they go to the CredSSP, which then passes the credentials to the RD Session Host server via a secure channel. Only if the RD Session Host server accepts the credentials will it begin building a session for this user.
NOTE You might also see NLA referred to as front-side authentication. It’s the same thing, but with a different name.
Authenticating Client Identity with Network Level Authentication (NLA) Chapter 8 415
On clients that support CredSSP and RDP 6.x and later, the clients will always use NLA if it’s available. You can also configure the RD Session Host server to permit connections only from computers that support NLA, using Group Policy or on a per-server basis using RD Session Host Configuration. Because CredSSP, the technology that supports NLA, is part of the operating system rather than part of RDP, the client operating system must support CredSSP for NLA to work. Therefore, although there is an RDC 6.0 client available for Windows XP SP2, this doesn’t enable Windows XP SP2 to use NLA. Clients running Windows XP SP3, Windows Vista, and Windows 7 all support CredSSP. Also, RDC will tell you if it supports NLA in the About screen. To see this, click the Computer icon in the upper-left corner of the RDC and choose About. The About screen will say if it supports NLA, as shown in Figure 8-8.
NOTE You can also restrict Windows Vista and Windows 7 to accept connection requests only from clients that support NLA. To do so, go to Control Panel\System\Remote Settings. From the Remote tab of the System Properties dialog box, select the option restricting incoming connections to those that can support NLA.
Configuring the Security Settings on the RD Session
Host Server
The section entitled “Core Security Technologies” earlier in this chapter explained the details of using various connection security mechanisms. This section explains how to configure those settings using the RD Session Host Configuration and Group Policy.
ON THE COMPANION MEDIA This resource kit also contains a script for config-
uring the security settings programmatically using Windows PowerShell. See the
companion media for the script called Set-RDP-Security.ps1.
FIGURE 8-9 Edit connection security from the General tab of the RDP-Tcp listener Properties dialog box.
Configuring the Security Settings on the RD Session Host Server Chapter 8 417
Configuring Encryption
All per-server connection security settings are configured from the General tab of the protocol listener Properties dialog box. To get here, go to Administrative Tools\Remote Desktop Services\Remote Desktop Session Host Configuration and then double-click RDP-Tcp in the Connections section of the middle pane. Set the encryption level. You must choose either High or FIPS-compliant encryption if you want to support server authentication. High encryption uses the strongest key strength of the server; FIPS-compliant encryption uses an encryption algorithm that has been tested by NIST.
NOTE FIPS-compliant algorithms are not necessarily stronger than High security on all
platforms; it depends on what’s installed and what’s been tested. The point of FIPS compli-
ance is to serve as a policy measure for networks that must conform to these guidelines.
To require NLA connections to VMs running client SKUs, open the System item in the Control Panel and go to the Remote tab. In the Remote Desktop section, ensure that the option Allow Connections Only From Computers Running Remote Desktop With NLA (more secure) is selected.
CAUTION Enabling this policy causes the RD Session Host servers to use FIPS-
compliant algorithms for everything, not just for RDP connections. Therefore, be
aware that requiring FIPS can cause problems with some websites and applications
that require inter-server communication.
NOTE This applies more to companies that maintain their own Public Key Infrastructure
(PKI) and can provide this certificate template name.
To do this, enable the Server Authentication Certificate Template GPO and provide the name of the template to use. If you do, then the server will choose only from among certificates using that template with a name matching the server name. If there’s more than one certificate to choose among, the server will choose the certificate with the latest expiration date. If you’ve already specified a certificate to use for server authentication, the RD Session Host server will ignore this setting. To configure NLA via Group Policy, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security.
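The certificate selection rules described above, as an added example that is not code from the book or from any Windows API: a Python function run over a constructed certificate store whose field names (thumbprint, subject, template, not_after) are this example’s own assumptions. It covers the three cases the text names: an explicitly configured certificate wins and the template setting is ignored; otherwise only certificates from the named template whose name matches the server are eligible; and among several eligible certificates the latest expiration date decides.

```python
from datetime import datetime

# Constructed sample certificates, as the server might see them in its Personal store.
# The field names are assumptions of this example, not a Windows or RDS API.
SAMPLE_STORE = [
    {"thumbprint": "AAAA", "subject": "rdsh01.contoso.local", "template": "RDSServerAuth",
     "not_after": datetime(2011, 6, 30)},
    {"thumbprint": "BBBB", "subject": "rdsh01.contoso.local", "template": "RDSServerAuth",
     "not_after": datetime(2012, 1, 15)},
    {"thumbprint": "CCCC", "subject": "rdsh01.contoso.local", "template": "WebServer",
     "not_after": datetime(2013, 1, 1)},
    {"thumbprint": "DDDD", "subject": "farm.contoso.local", "template": "RDSServerAuth",
     "not_after": datetime(2013, 1, 1)},
]


def choose_server_auth_cert(store, server_name, template_name, explicit_thumbprint=None):
    """Return the certificate the server would use for server authentication, or None.

    1. An explicitly configured certificate takes precedence; the template setting is ignored.
    2. Otherwise only certificates issued from template_name whose subject matches the
       server name are candidates, and the one with the latest expiration date is chosen.
    """
    if explicit_thumbprint is not None:
        for cert in store:
            if cert["thumbprint"] == explicit_thumbprint:
                return cert
        return None          # the configured certificate is not in the store: nothing usable
    candidates = [c for c in store
                  if c["template"] == template_name
                  and c["subject"].lower() == server_name.lower()]
    if not candidates:
        return None          # no certificate satisfies the policy; the setting has no effect
    return max(candidates, key=lambda c: c["not_after"])


if __name__ == "__main__":
    chosen = choose_server_auth_cert(SAMPLE_STORE, "rdsh01.contoso.local", "RDSServerAuth")
    print("policy choice:", chosen["thumbprint"], chosen["not_after"].date())
    chosen = choose_server_auth_cert(SAMPLE_STORE, "rdsh01.contoso.local", "RDSServerAuth",
                                     explicit_thumbprint="CCCC")
    print("explicit override:", chosen["thumbprint"])
```

The function deliberately does not check expiry against the current date or the chain of trust; those are separate checks the text does not attach to this setting, and a practitioner auditing a server should verify them independently rather than assume the template rule enforces them.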
To require NLA, enable the Require User Authentication For Remote Connections By Using Network Level Authentication policy. Disabling or not configuring this policy means that NLA is not required.
Summary
Securing the server is important when the client is connected, but securing the connection protects the communication between server and client. In this chapter, you’ve learned how to protect the connection from interception, spoofed servers, and denial of service (DoS) attacks using connection security.
Some best practices for RDS connection security include the following:
■ Use High or FIPS encryption if at all possible. Low encryption does not allow server authentication, so it should be used only when WAN accelerators require it.
■ If using RDS only on the LAN, create a Kerberos farm identity rather than relying on certificates. Doing this will make it easier to enlarge the farm while still allowing server authentication.
■ Use self-signed certificates only for testing, not in a production environment. Self-signed certificates, as the name indicates, are self-signed—they are not signed and validated by a trusted third party. Clients must have the same self-signed certificate placed in their Trusted Root Certification Authorities Store in order to trust the certificate.
■ Require NLA both to prevent DoS attacks on the servers and speed farm connections, because NLA prevents the need to create a full session on the redirecting RD Session Host server.
Additional Resources
These resources contain additional information related to this chapter:
■ If you need a refresher on Windows PowerShell support for Remote Desktop Services, see Chapter 1, “Introducing Remote Desktop Services.”
■ For more details on how client-server negotiations work, see Chapter 6, “Customizing the User Experience.”
■ For more information about CredSSP, see http://www.wipo.int/pctdb/en/wo.jsp?IA=WO2007033087&DISPLAY=DES or http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-CSSP%5D.pdf.
■ For the details of how TLS is implemented in Windows Server 2008 R2, see http://msdn.microsoft.com/en-us/library/dd207968(v=PROT.10).aspx.
■ For more about how the connection sequences work, see “Remote Desktop Protocol: Basic Connectivity and Graphics Remoting Specification,” available for download from http://msdn.microsoft.com/en-us/library/cc240445.aspx.
■ For a description of the Credential Security Support Provider (CredSSP) in Windows XP SP3, see http://support.microsoft.com/kb/951608/.
■ Although a comparison of NTLM and Kerberos is outside the scope of this book, you can find the specifications for NTLM and Microsoft’s implementation of Kerberos online at http://msdn.microsoft.com/en-us/library/cc236622(v=PROT.10).aspx (NTLM) and http://msdn.microsoft.com/en-us/library/cc233855(v=PROT.10).aspx (Kerberos).
CHAPTER 9
Multi-Server Deployments
■ Key Concepts for Multi-Server Deployments 423
Previous chapters in this book have covered how to set up individual servers for very simple deployments of full desktops on one server (in Chapter 3, "Deploying a Single Remote Desktop Session Host Server") and a Remote Desktop (RD) Virtualization Host server for providing virtual machines (VMs; in Chapter 4, "Deploying a Single Remote Desktop Virtualization Host Server"). However, you haven't spent all this time learning about profile management with Remote Desktop Services (RDS) and how to configure client experience and security settings via Group Policy just to set up a single server. You'll need multiple servers for scale and redundancy.
In this chapter, you'll learn how to deliver VMs and RemoteApp programs from more than one server, including the following topics:
■ Creating an RD Session Host farm
■ Publishing applications from RemoteApp Manager
■ Assigning applications to users
■ Displaying resources from multiple farms and RD Virtualization Host servers through RD Web Access
■ Enabling users to discover RemoteApp programs, RD Session Host full desktop sessions, and VMs through the RD Web Access website and RemoteApp And Desktop Connections
RD Session Host Farms
An RD Session Host farm is a group of RD Session Host servers that are all delivering the same application set and are associated under the same farm name. For best results, all servers in a farm are assumed to have the same software: the same version of the operating system, the same updates, and the same versions of applications. This is important because connections to a farm are load-balanced across the entire farm. If the servers are different, users' experience will vary depending on which server they connect to, and this will confuse users and lead to Help desk calls. It's acceptable if the hardware in the farm varies a bit, as long as you take this into account when weighing the servers. A server that has only 75 percent of the capacity of other servers should have only 75 percent of the weight in load-balancing.
If you need to deliver more than one application set, you can do this with more than one farm. In Windows Server 2008 R2, RD Web Access, as well as RemoteApp and Desktop Connections (a new feature in Windows 7 and Windows Server 2008 R2), can be supplied with resources from more than one farm, or even individual RD Session Host servers.
RemoteApp Internals
RemoteApp programs are applications that run on the endpoint and display on the client but are displayed alongside the client-side applications. All RemoteApp programs running on the same computer run in the same session, although the desktop is not visible. This reduces the overhead on the servers and minimizes the number of copies of the profile that are open. (See Chapter 5, "Managing User Data in a Remote Desktop Services Deployment," for an explanation of why this is important.)
RemoteApp programs work a little differently from applications displayed from a full remote desktop because they must integrate with the locally installed applications. In essence, the server sends the entire desktop to the client, but you can't see the desktop. The client-side components create their own application windows to mirror those in the remote session and display them on the client.
Chapter 3 explains the processes and startup mechanism for a remote session. With RemoteApp programs, the process is a little different; the client and server must be even more closely aligned. When a client starts its first RemoteApp, the process works as illustrated in Figure 9-1.
[Figure 9-1 diagram; labels: MSTSC.exe; Request: Launch RemoteApp (1, 2); UserInit.exe; RDPInit.exe; RDPShell.exe; RDPInit.exe checks the allow list (3, 4); Application starts, creates app window (5); RDPShell.exe intercepts application window opening instructions and sends them to the client (6); Virtual Channel; Client creates corresponding window (7)]
FIGURE 9-1 RemoteApp programs use a special shell to display application windows.
Server-Side Components
On the server, several components must cooperate to ensure the following:
■ Only applications currently in the allow list can be started as RemoteApp programs.
■ The client-side proxy window must open and close in sync with the invisible application window in the remote session.
The following components make this possible:
■ Rdpinit.exe
■ Rdpshell.exe
■ Rdpdd.dll
■ The application window
Figure 9-2 depicts how the RemoteApp components work together to create the user experience. For more information about the broader RD Session Host session architecture, see Chapter 3.
[Figure 9-2 diagram; labels: USER MODE: RDPSHELL.EXE, Window Display Info, Notify Icon Info, Virtual Channel Communication; KERNEL MODE: RDPWD.SYS, RDPDD.DLL, WINOBJ MANAGER, WINDOWS OBJECT, Callback]
FIGURE 9-2 Server-side components in user mode and kernel mode enable RemoteApp programs.
Rdpinit.exe is the RemoteApp equivalent of Userinit.exe, which starts logon scripts and starts the user shell. Rdpinit.exe starts the Rdpshell.exe and updates the client-side taskbar via Rdpdd.dll. Rdpinit.exe also handles the logoff logic. When no more RemoteApp program application windows are open and no processes are running in the user session that haven't yet exited, Rdpinit.exe disconnects or logs off the session in accordance with the rules set in Group Policy. (You can't configure this setting on the RD Session Host server.)
The Group Policy object (GPO) setting that controls when a RemoteApp is logged off is Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set Time Limit For Logoff Of RemoteApp Sessions. To set a time limit that RemoteApps will stay disconnected before they are logged off, enable this setting and then choose a time limit from the drop-down menu.
Rdpshell.exe is the shell, the RemoteApp equivalent of Explorer.exe. It keeps track of changes to application windows (for example, opening and closing) and sends them to the client-side components so that the application window visible to the client behaves exactly like the application window in the invisible shell. Rdpshell.exe also keeps track of any Connect/Disconnect/Reconnect events to the remote session, so the application window on the client side disappears or reappears as appropriate.
Rdpdd.dll is the kernel-mode Remote Display Protocol (RDP) display driver in the session. This component receives the Windowing and System Tray Icon notifications from Rdpinit.exe and Rdpshell.exe and updates the display accordingly. It also sends all display updates on the terminal server to the client.
Client-Side Components
On the client side, other components cooperate to make the RemoteApp visible on the desktop and update the application window in the remote session (see Figure 9-3). These components of the RDC client specific to RemoteApp programs include:
■ The RemoteApp plug-in
■ The Windowing plug-in
■ The input and drawing orders handlers
■ The RemoteApp proxy window
■ The Notify icon
[Figure 9-3 diagram; labels: MSTSC.EXE, RemoteApp Proxy Window, User Input]
These components have the following jobs:
■ The Windowing plug-in collects the window positioning information from the remote session and passes it to the RemoteApp plug-in.
■ The drawing orders handler collects the window appearance information and feeds it to the shadow bitmap.
■ The shadow bitmap sends bitmaps to the RemoteApp plug-in to draw the application window.
■ The RemoteApp plug-in receives all the drawing and positioning information and collects all the input for that window to send back to the RD Session Host server. It also collects user feedback on the window state and position and sends it to the remote session to update the application window there.
The RemoteApp proxy window is the window for the RemoteApp; the Windowing plug-in positions it correctly, and the shadow bitmap draws it. The Notify icon displays the RemoteApp program's icon in the taskbar.
NOTE Generating video display takes some processor power and memory on the RD Ses-
sion Host server; the larger the display, the more power it takes. If every person using the
RD Session host server uses lots of monitors, this could affect scale on the RD Session Host.
One of the new features of Windows Server 2008 was monitor spanning, wherein a session on a terminal server expanded to fit all the monitors connected to the client. When the client connects to the server using monitor spanning (for any monitor configuration), it tells the RDP display driver (Rdpdd.sys) the size of the monitor attached to it, adding the monitor resolutions together (see Figure 9-4). Rdpdd.sys accepts this and treats the multiple monitors as one big monitor. It isn't aware that multiple monitors are connected; it simply uses the size of the total display area, up to 4096 × 2048 pixels, to arrange windows. (If you exceed the total display area on your monitors, the display will only be up to 4096 × 2048.)
To enable monitor spanning, connect to the remote server by using the /span option with Mstsc.exe. Type mstsc.exe /span in the Run box of the Start Menu or add the entry span monitors:i:1 to the RDP connection file. In the absence of this entry, monitor spanning is disabled for desktop connections.
[Figure 9-4 diagram: three monitors of 800 pixels each side by side, origin 0,0 at the upper left, total width 2400 and height 600]
FIGURE 9-4 Individual monitors add up to a single large monitor sized 2400 × 600.
Because spanned monitors are seen by the RDP display driver as a single entity, there are some restrictions on configuration. First, all the monitors must be set to the same resolution, because to the server, they're all the same monitor. If you don't set all the monitors to the same resolution, then even if monitor spanning is enabled, the desktop will be confined to your primary monitor. Second, the monitors must be set up in a horizontal configuration, as in Figure 9-4; the spanning is intended to go from left to right. Third, the leftmost monitor must be the primary monitor so that both client and server start counting in the upper left as 0,0 when deciding how to arrange pixels on the screen.
One limitation of monitor spanning is that it really isn't a multi-monitor solution so much as a way to support a large display. The desktop extends across the entire space (meaning that you might want to use an odd number of monitors to avoid message boxes—which typically pop up in the middle of the screen—being split between two monitors). In addition, maximized applications maximize across the entire space, which can make them inconveniently wide. RemoteApp programs make monitor spanning more multi-monitor-like by exploiting what the client knows about the monitor window size to maximize applications to the monitor in which you've got them, and at the same time making it possible to move them around. For example, start Microsoft PowerPoint as a RemoteApp while two monitors are connected to your client. Both monitors are set to 1280 × 800. The newly started RemoteApp will appear maximized on Monitor 1. To move it, click the Restore Down button and drag the window to Monitor 2. When you maximize it again, the RemoteApp will appear in the confines of the second monitor instead of being spread across every monitor connected to the client. If you position a RemoteApp across two monitors, it will maximize to the one in which more of its window is displayed, as shown in Figure 9-5.
[Figure 9-5 diagram: a RemoteApp window straddling two spanned monitors, then maximized to the monitor holding more of it]
FIGURE 9-5 In a spanned session, a RemoteApp will maximize to the monitor on which more of its window is displayed.
How do RemoteApp programs know where to draw the application window? When running RemoteApp programs, as you modify the application window on the client (maximize it, minimize it, and so forth), these changes are sent to the application window on the RD Session Host server. Although the server doesn't know that there are multiple monitors, the client does. When you maximize a RemoteApp in a client-side monitor, it maximizes to the monitor on which you have it displayed. It then reports its new size to the remote application window. The result is that the application window is sized for a single monitor, not the entire spanned area.
If you are monitor spanning, before connecting to the RemoteApp, you have to configure the monitors on the client to the same resolution. If you don't, you will see some odd behavior. RemoteApp programs displayed on one monitor might "leak" into the display on another one. (For example, a File, Open menu might be partially displayed on Monitor 1 when the application's primary display is on Monitor 2.)
True multi-monitor support, introduced in Windows Server 2008 R2, doesn't have the limitations of spanning. The monitors are handled independently, so the arrangement doesn't matter to the display and the monitor resolutions don't have to match. RemoteApp programs display as though they're on a single monitor, but you can stretch them to fill all the monitors if you wish. Windows 7 has multiple monitor support, but Windows 7 does not support Aero when you are using multiple monitors in a remote session.
■ A way to take the initial connection requests and send them to a brokering mechanism designed to take into account variables specific to the farm environment
■ A brokering mechanism that determines which farm server is best suited to accommodate the session ultimately and then sends the connection to the chosen server
The initial connection is handled by a load balancer or redirector. The brokering is handled by an RDS role service called RD Connection Broker. Read on to learn more about each of these mechanisms.
NOTE Because hardware load balancers are not included with RDS, this chapter will not
cover them, but they are an option. Remember that a hardware load balancer is a single
point of failure unless you buy redundant hardware.
RR DNS creates multiple host records for the same host name. Each time a request for that host name is made, the Domain Name System (DNS) server returns the host records in consecutive order. It's easy to set this up. The catch to this method is that, if a host goes offline, DNS continues routing people to that server as long as the host record remains in its database.
NLB distributes incoming connections evenly across each load-balanced server on the principle that if the incoming requests are evenly distributed, the traffic should be, too. NLB is best for load-balancing servers when the connections are very short, like web servers, or in this case, the initial connection in a farm that is participating in RD Connection Broker load-balancing. NLB is more complicated to set up than RR DNS, but it's capable of detecting when a server is no longer available and will not attempt to send connections to it.
A dedicated redirector is an RD Session Host server whose sole role is to redirect initial connection requests to RD Connection Broker. To avoid asking working RD Session Host farm servers to handle incoming connections, you can dedicate a server to do this work. The only catch to using a dedicated redirector is that it represents a single point of failure.
HOW IT WORKS
Both RR DNS and NLB come with Windows Server 2008 R2. Which should you use?
RR DNS is very easy to set up, but it has two limitations: One is that client-side DNS
caching can result in clients resolving DNS requests with cached records instead
of receiving a reply from the DNS server. This means that RR DNS is bypassed
completely. Second, RR DNS does not know when a server goes offline, so it
will continue to reply to requests with the host record of the unavailable server,
resulting in 30-second delays for clients who receive this reply.
For these reasons, you might choose to use NLB, which distributes incoming con-
nections evenly across the load-balanced servers. Although NLB is not ideal for
load-balancing among RD Session Host servers, it’s fine for creating the initial
connections, because they don’t last long. NLB does not rely on DNS the way that
RR DNS does, so it does not have a problem with cached DNS entries. NLB also
detects when a server in the cluster goes offline and will stop sending requests to
the downed server.
You will learn how to implement the initial load-balancing options in the section entitled "Deploying RD Session Host Farms" later in this chapter.
■ Does the user attempting to make this connection already have a session open on an RD Session Host server in the farm?
■ If not, which server has the lowest number of sessions?
RD Connection Broker makes those decisions about how to distribute incoming connections to a farm.
You learned about RD Connection Broker with Virtual Desktop Infrastructure (VDI) in Chapter 4. In terms of pooled and personal VMs, RD Connection Broker communicates with VDI servers and with Active Directory Domain Services (AD DS) to collect data about pooled and personal VMs that are available for connection. RD Connection Broker determines the kind of connection a user is requesting, finds the right endpoint for the request, and keeps track of client connections to personal and pooled VMs. For RDS farm scenarios, RD Connection Broker provides:
■ Session-based load-balancing, which evenly distributes RDS sessions to servers in the farm according to the server capabilities and the number of connections it's hosting
■ Session reconnection, reconnecting users to their disconnected sessions
■ Session draining, slowly draining sessions from an RD Session Host server that must go offline (for example, due to maintenance needs) by not allowing new connections to the server
■ Access to multiple RemoteApp sources via RD Web Access
RD Connection Broker can run on any version of Windows Server 2008 R2 that supports RDS. The servers connected to it can run Windows Server 2003 or later. That said, servers running Windows Server 2003 can take advantage of the session reconnection feature, but cannot be part of a load-balanced farm. Clients need a minimum of RDC 5.2 to use RD Connection Broker Load Balancing.
As described in Chapter 4, the RD Connection Broker is made flexible through a model of plug-ins to the base brokering mechanism. Different types of resources have their own resource plug-ins that contain the logic required to find the most appropriate target for that type of connection and to prepare for connection. For example, the Session Plug-in load-balances based on the number of sessions on each RD Session Host server. Independent software vendors (ISVs) can change the logic for finding and preparing the endpoints by implementing filter plug-ins to the resource plug-ins, or they can make RD Connection Broker support entirely new types of resources by adding their own resource plug-ins.
2. The user authenticates to that RD Session Host server. If the client supports NLA (see Chapter 7, "Molding and Securing the User Environment"), this reduces the overhead on the RD Session Host server by authenticating the user without creating a session.
3. The RD Session Host server that received the incoming connection (henceforth called the redirector) passes the contents of the RDP file to the RD Connection Broker.
4. RD Connection Broker examines the RDP data to find the desired type of connection. If it's for a session, it activates the RD Session Host resource plug-in. This plug-in first determines whether there's already a session in the farm for this user. It does this by checking its database, which stores the information shown in Table 9-1. If so, the plug-in can tell which server it's on and what the Session ID is.
NOTE It can also tell whether the session is displaying a full desktop or RemoteApp
programs. This is important because the two sessions have different shells.
If the user does not already have an active session, the RD Connection Broker finds the server that contains the fewest active sessions. RD Connection Broker sends the result of its efforts (which includes the IP address of the RD Session Host server that the client should connect to) to the redirector.
5. The redirector sends the IP address to the client.
6. The client silently disconnects from the RD Session Host that redirected the connection and reconnects to the RD Session Host server using that IP address.
[Figure 9-6 diagram; labels: Farm1.ash.local; RDSH1, RDSH2, RDSH3, RDSH4; RD Connection Broker; steps 1 through 6, including "IP address of destination server" (5) and "Direct connection to destination server" (6)]
FIGURE 9-6 Connection requests get directed to RD Session Host servers using RD Connection Broker.
TABLE 9-1 Routing Information Stored by RD Connection Broker
HOW IT WORKS
IP address redirection, used when clients can connect directly to servers in the farm,
is the default for RD Connection Broker. It works like this.
1. The client connects to the initial load balancer and is routed to an RD Session
Host server, where the client is authenticated. If the client supports NLA, the
client doesn’t have to create a full session to be authenticated, speeding up the
process.
2. The RD Session Host server redirects the connection request to the RD Connec-
tion Broker.
3. The RD Connection Broker finds the most suitable endpoint for the connection
request and gets its IP address.
4. RD Connection Broker returns the answer to the RD Session Host server, which
passes the encrypted load-balance packet to the client. The packet contains the
IP address of the chosen RD Session Host server.
5. The client connects directly to the RD Session Host server IP address specified in
the load-balance packet.
When the load-balancing configuration requires that all initial traffic go through
the load balancer, clients can’t connect using IP addresses. In that case, the load
balancer must support RD Connection Broker routing tokens. Clients get routed to
the appropriate RD Session Host server like this.
1. The client connects to the initial load balancer and is routed to an RD Session
Host server, where the client is authenticated.
2. The RD Session Host server queries the RD Connection Broker for the RD Session
Host server to which this client should be redirected.
4. The RD Session Host server tells the client to connect again to the load balancer,
but this time, it gives the client a routing token to give to the load balancer.
5. The routing token contains the IP address of the chosen RD Session Host server.
6. The client connects directly to the RD Session Host server IP address specified in
the routing token.
You might be wondering how RD Connection Broker keeps track of the RD Session Host servers. What happens if one goes offline, and how will the RD Connection Broker know if it does? For that matter, what will it do if a server goes offline?
To keep track of RD Session Host server status, the RD Connection Broker keeps track of whether the connections that it redirects to the RD Session Host servers in the farm actually go through. If a redirection attempt succeeds, that's great—the RD Session Host server is available. If a redirection attempt fails, then there might be a problem with the RD Session Host server or the network—but it's not definite, because there was only one attempt. Therefore, 60 seconds after the initial redirection request, the RD Connection Broker starts pinging the RD Session Host server that didn't respond. If the RD Session Host server does not respond to a set number of pings (a default of 3, at a default interval of 10 seconds apart), then the RD Connection Broker removes that RD Session Host server from its database.
This back-and-forth means that, about two to three minutes from the time the RD Connection Broker attempts to send a connection to an unavailable RD Session Host server, the RD Connection Broker will stop looking for the server. Removing an RD Session Host server from the farm by deleting it from the TS Session Directory Computers group will not delete it from the RD Connection Broker's database.
NOTE An RD Session Host server gets re-added to the RD Connection Broker database
by re-adding it to the farm in RD Session Host Configuration and re-adding the RD Session
Host server to the Session Broker Computers group on the RD Connection Broker.
If you take a server offline, you can speed up the process of purging the database by shortening the intervals at which it looks for the RD Session Host server. These are controlled by three registry values located under HKLM\SYSTEM\CurrentControlSet\Services\Tssdis\Parameters in the RD Connection Broker's registry. Conveniently, all these values are in decimal, so they're easy to interpret. The three that you need to concern yourself with are the following:
■ TimeBetweenPings (default value of 78 hexadecimal, or 120 seconds)
■ NumberFailedPingsBeforePurge (default value is 3)
■ TimeServerSilentBeforePing (default value is 60; the value is in seconds)
To decrease or increase the interval between when RD Connection Broker attempts to connect and when it purges the RD Session Host server from the database, edit these settings. Just be aware that a connection problem or the server being offline isn't the only reason why an RD Session Host server might not respond.
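The script below is an added example, not code from the book: it reads the three Tssdis\Parameters values on an RD Connection Broker (falling back to the defaults listed above when a value is absent), computes the worst-case time an unresponsive RD Session Host stays in the broker database, and offers a function to shorten the window before planned maintenance. The registry path and value names are the ones the text gives; the maintenance values passed to Set-BrokerPurgeTiming are assumptions chosen for illustration.

```powershell
# Added example (not from the book): inspect and tune the RD Connection Broker's
# purge timing. Run on the broker with administrative rights.
# Assumption: the path and value names are as listed in the text above.

$BrokerParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tssdis\Parameters'

function Get-BrokerPurgeTiming {
    param([string]$Path = $BrokerParams)
    # Defaults from the text; all values are decimal seconds or counts.
    $defaults = @{
        TimeServerSilentBeforePing   = 60
        TimeBetweenPings             = 120   # 0x78
        NumberFailedPingsBeforePurge = 3
    }
    $props = $null
    if (Test-Path $Path) { $props = Get-ItemProperty -Path $Path }
    $values = @{}
    foreach ($name in $defaults.Keys) {
        $v = $null
        if ($props -ne $null) { $v = $props.$name }
        if ($v -eq $null) { $values[$name] = $defaults[$name] } else { $values[$name] = [int]$v }
    }
    # Worst case: the silent interval elapses, then every ping must fail before purge.
    $purgeAfter = $values.TimeServerSilentBeforePing +
                  $values.NumberFailedPingsBeforePurge * $values.TimeBetweenPings
    New-Object PSObject -Property @{
        TimeServerSilentBeforePing   = $values.TimeServerSilentBeforePing
        TimeBetweenPings             = $values.TimeBetweenPings
        NumberFailedPingsBeforePurge = $values.NumberFailedPingsBeforePurge
        SecondsUntilPurge            = $purgeAfter
    }
}

# Shorten the purge window before taking a farm member offline (values are assumptions).
function Set-BrokerPurgeTiming {
    param([int]$SilentBeforePing = 30, [int]$BetweenPings = 10, [int]$FailedPings = 3,
          [string]$Path = $BrokerParams)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name TimeServerSilentBeforePing   -Value $SilentBeforePing -Type DWord
    Set-ItemProperty -Path $Path -Name TimeBetweenPings             -Value $BetweenPings     -Type DWord
    Set-ItemProperty -Path $Path -Name NumberFailedPingsBeforePurge -Value $FailedPings      -Type DWord
}

Get-BrokerPurgeTiming
```

With the three defaults listed above, SecondsUntilPurge is 60 + 3 × 120 = 420 seconds; the narrative's "10 seconds apart" figure would give 90 seconds instead, so read the live values rather than assuming either. The page does not state whether the broker re-reads these values without a restart; restarting the Remote Desktop Connection Broker service after changing them is the safe assumption. Remember the caveat above: a server that does not answer pings may be filtering ICMP rather than being down, so shortening these intervals on a busy broker trades faster purging for a higher chance of dropping a healthy server.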
ON THE COMPANION MEDIA You can use the SBDatabaseDump.vbs script found
on the companion media to dump the contents of the RD Connection Broker data-
base. Just edit as needed for your deployment.
Before Windows Server 2008, when a terminal server in a farm received a connection request, it created a temporary session to authenticate the user and
load user policies. If no local disconnected session was present, it queried the TS
Session Directory to see if there was a disconnected session for the user on another
computer in the farm. If a disconnected session was found, a redirection request
was sent to the client to connect to the other server instead. The temporary session
was then discarded.
The temporary session creation resulted in significant delay in completing the con-
nection because a full logon occurs in the session. Also, the user experience was
unpleasant because the user saw two welcome screens, first for the temporary ses-
sion and then again for the redirected session. The new technique addresses these
drawbacks when a connection is made using the new RDC client with CredSSP.
Windows Server 2008 introduced a new technique to improve the redirection scenario. Clients that support NLA can pass their credentials to the terminal server (now the RD Session Host server). The RD Session Host server (acting as a redirector) hosting the temporary connection can use those credentials to authenticate that the user is allowed to log on to the farm and can pass those credentials to the RD Connection Broker to help it look for an existing connection associated with those credentials. If RD Connection Broker finds a disconnected session on another computer in the farm, it immediately sends a redirect packet to the client, and the client subsequently connects to the redirected server. Hence, no temporary session is created before the connection is redirected. This change improves security because the client must be authenticated even before it makes the connection, and it also improves performance because the first RD Session Host server doesn't have to create a temporary session.
It's also worth mentioning that users will get an error if they try to access individual farm members from a client computer by connecting to an individual server name. However, a client can still access individual farm servers by IP address (the client will get warnings about the IP address not being the name of the server, but eventually, the user would be allowed to connect). To stop this, enforce Server Authentication on the clients by using the following GPO:
Enable the policy and choose Do Not Connect If Authentication Fails from the drop-down menu. Then click OK to save the changes and apply the GPO to the organizational unit (OU) where client computers reside.
NOTE Administrators can access RD Session Host servers by server name even if they are
part of a farm.
Chapter 4 explains how to install the RD Connection Broker role service, which you need to do because you must have a connection broker to deliver pooled and personal VMs. To perform the additional setup, read on.
NOTE If the RD Connection Broker server is also a domain controller, you can’t use Server
Manager to add RD Session Host servers to the Session Directory Computers group; use
Active Directory Users And Computers to do this instead.
RR DNS
Setting up RR DNS is very easy. Just add a DNS host entry for the farm name that points to each server in the farm. For example, one of our farms consists of two servers, whose DNS entries map to the following IP addresses:
Fuji.ash.local = 10.10.10.110
Glacier.ash.local = 10.10.10.112
To implement RR DNS, add two more host entries pointing to the corresponding IP addresses as follows:
Farm1.ash.local = 10.10.10.110
Farm1.ash.local = 10.10.10.112
NOTE If you use RR DNS, you should also lower the Time To Live (TTL) of the DNS entries
so the DNS cache on the clients gets updated frequently. This will cut down on clients
bypassing RR DNS completely or possibly trying to access a dead server. To change the
TTL on DNS entries in DNS Manager click View, Advanced. Then right click the DNS entry,
select Properties, lower the TTL value, and click OK.
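The following script is an added example rather than the book's own procedure: it creates the two Farm1 host records from the RR DNS section with dnscmd.exe (the DNS Server role's command-line tool, which the DNS Manager steps above drive through the GUI), gives them the short TTL the note recommends, and checks that resolution returns every member's address. The zone, host names and addresses are the chapter's example values; the 30-second TTL and the assumption that dnscmd.exe is on the path (it ships with the DNS Server role and its management tools) are mine.

```powershell
# Added example (not from the book): register round-robin farm records with a
# short TTL and verify them. Run on the DNS server (or a host with the DNS Server
# tools) with administrative rights.

$Zone        = 'ash.local'
$FarmName    = 'Farm1'
$TtlSeconds  = 30            # assumption: short TTL so client caches refresh quickly
$FarmMembers = @{            # chapter's example members and addresses
    'Fuji'    = '10.10.10.110'
    'Glacier' = '10.10.10.112'
}

function Add-FarmRoundRobinRecords {
    param([string]$Zone, [string]$FarmName, [hashtable]$Members, [int]$Ttl)
    foreach ($member in $Members.Keys) {
        $ip = $Members[$member]
        # dnscmd /RecordAdd <zone> <node> [<ttl>] <type> <data>
        & dnscmd.exe /RecordAdd $Zone $FarmName $Ttl A $ip | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Failed to add $FarmName A $ip to $Zone" }
    }
}

# Confirm that every farm member's address comes back for the farm name.
function Test-FarmRoundRobin {
    param([string]$Fqdn, [string[]]$ExpectedIps)
    $answers = [System.Net.Dns]::GetHostAddresses($Fqdn) | ForEach-Object { $_.IPAddressToString }
    $missing = @($ExpectedIps | Where-Object { $answers -notcontains $_ })
    New-Object PSObject -Property @{
        Fqdn    = $Fqdn
        Answers = @($answers)
        Missing = $missing
        Healthy = ($missing.Count -eq 0)
    }
}

Add-FarmRoundRobinRecords -Zone $Zone -FarmName $FarmName -Members $FarmMembers -Ttl $TtlSeconds
Test-FarmRoundRobin -Fqdn "$FarmName.$Zone" -ExpectedIps @($FarmMembers.Values)
```

Because RR DNS has no health detection, taking a member out of the farm means deleting its Farm1 record yourself (dnscmd.exe /RecordDelete with the same zone, node, type and address), and clients keep the old answer until the TTL expires; the short TTL bounds that window but does not remove it, which is the limitation the HOW IT WORKS sidebar describes and the reason the next section turns to NLB.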
NLB
To avoid problems with stale DNS entries, you might decide to implement NLB. To configure an NLB cluster, you need to complete the following steps:
1. If you have a network adapter dedicated to NLB, you need to configure it.
2. Install the NLB Manager on a host node or other management machine.
3. Configure the NLB cluster.
4. Add a DNS entry mapping the farm name to the cluster IP address.
Before Windows Server 2008, it was advised to use two network adapters on each cluster member: one for NLB traffic and one for other traffic. If you used only one network adapter per host in Unicast mode, one host could not communicate with another—each server would see itself as both the initiating and destination computer. Beginning with Windows Server 2008, however, NLB was re-engineered so that implementing NLB in Unicast mode on one network adapter now allows for host-to-host communication. So now you have a choice. You can use one network adapter for all communication, or you can limit NLB traffic to its own network adapter. In our implementation example, you will use two network adapters: one reserved for NLB traffic and one for other traffic (like remote administration).
NOTE If your RD Session Host Servers are virtualized and you choose to operate in
Unicast mode, be sure to enable media access control (MAC) address spoofing on the NLB
network adapter or hosts will not converge. For more on MAC address spoofing on virtual
adapters, see “Configure MAC Address Spoofing for Virtual Network Adapters” at
http://technet.microsoft.com/en-us/magazine/ff458341.aspx.
www.it-ebooks.info
You can a so nsta the Network Load Ba anc ng feature us ng W ndows PowerShe us ng
th s command
Import-Module Servermanager
add-Windows FeatureNLB
2. In the Host nput box, enter the name of one of the NLB hosts (one of the RD Sess on
Host server farm members) and c ck Connect A ava ab e network adapters on that
server show up n the ower pane Se ect the NLB ded cated network adapter that you
have configured to use w th oad-ba anc ng and c ck Next
3. The IP address and subnet mask assigned to the network adapter will show up in the next window. The priority number is a unique number that differentiates the servers. Accept the default value. If you need to make any changes to the address, click Edit and make your changes. Leave the Initial Host State as Started, and click Next.
4. On the next screen, click Add and add a unique IP address and subnet mask that will be shared by all cluster members, and then click OK. When users request access to the farm, they will be sent to this address instead of a specific RD Session Host server address. The address will appear in the Cluster IP address window, as shown in Figure 9-8. Click Next.
5. On the Cluster Parameters page, accept the defaults, including Unicast for the Cluster Operation Mode setting, and click Next. All cluster host adapters must use the same operation mode or NLB will not function.
6. On the New Cluster Port Rules page, you need to make a few changes to the default settings. Click Edit, and then change the starting and ending port range to 3389 (in both the To and From fields) because you will be using this cluster to load-balance RDP traffic only. In the Protocols section, select TCP. In the Filtering Mode section, choose Multiple Hosts to allow multiple hosts to handle traffic for this port rule. For Affinity, you have three choices:
■ None  Multiple connections coming from the same IP address can be spread among the farm members.
■ Single  Choosing this option gives affinity to connections coming from the same IP address; they will be terminated on the same farm member.
■ Network  Choosing this option means that client connections within the same Class C address space are terminated on the same server.
Choose Affinity None so that incoming connections can be sent to any member of the farm. (There's no reason to set affinity when the connections are being redirected, and doing so could make your load-balancing efforts useless by sending repeated connection requests to the same server.) Then click OK. Figure 9-9 shows these changes.
FIGURE 9-9 Change the port range, protocol, and filtering mode.
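The same cluster that the wizard steps above build, scripted as an added example (not the book's own procedure) with the NetworkLoadBalancingClusters module that ships with Windows Server 2008 R2. The host names RDSH1 to RDSH3, the adapter name NLB, the cluster address and the farm name are constructed placeholders; the cmdlet parameters are those of the module as far as the author of this example knows them and should be confirmed with Get-Help before use.

```powershell
# Added example, not from the book: build the RD Session Host NLB cluster
# described in the wizard steps (Unicast, TCP 3389 only, Multiple Hosts,
# Affinity None) from a management host with the NLB feature installed.
Import-Module ServerManager
Add-WindowsFeature NLB | Out-Null          # installs NLB Manager and the cmdlets
Import-Module NetworkLoadBalancingClusters

$firstHost   = 'RDSH1'             # constructed host name of the first farm member
$nlbNic      = 'NLB'               # constructed name of the NLB-dedicated adapter
$clusterIp   = '192.168.10.50'     # constructed shared cluster address
$clusterMask = '255.255.255.0'
$clusterName = 'farm1.ash.local'   # the name the DNS entry (step 4) will point here

# Steps 3 to 5: create the cluster on the first host's NLB adapter in Unicast mode.
New-NlbCluster -HostName $firstHost -InterfaceName $nlbNic `
    -ClusterPrimaryIP $clusterIp -SubnetMask $clusterMask `
    -ClusterName $clusterName -OperationMode Unicast | Out-Null

# Step 6: the wizard edits the default all-ports rule; here it is replaced by
# a rule that balances only RDP (TCP 3389) across all hosts with no affinity.
Get-NlbClusterPortRule -HostName $firstHost | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -HostName $firstHost -StartPort 3389 -EndPort 3389 `
    -Protocol TCP -Mode Multiple -Affinity None | Out-Null

# Join the remaining farm members on their own NLB-dedicated adapters.
foreach ($node in 'RDSH2', 'RDSH3') {
    Add-NlbClusterNode -HostName $firstHost -NewNodeName $node `
        -NewNodeInterface $nlbNic | Out-Null
}

# Check: every node should reach the Converged state, and the only rule should
# be TCP/3389, Multiple, Affinity None. A node stuck converging after the
# change usually means a mismatched operation mode or, on virtual hosts in
# Unicast mode, MAC address spoofing left disabled (see the NOTE above).
Get-NlbClusterNode -HostName $firstHost | Format-Table Name, State -AutoSize
Get-NlbClusterPortRule -HostName $firstHost |
    Format-Table StartPort, EndPort, Protocol, Mode, Affinity -AutoSize
```

Removing and re-adding the rule rather than editing it keeps the script idempotent on a host that already has a default rule; run it once from one management host, not on each node.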
When configuring an NLB cluster, you will have several options, one of which is to choose Unicast or Multicast mode.
Unicast uses a virtual MAC address, which is used instead of the physical MAC address (which is hard-coded on the network adapter) for all traffic that is covered by the port rules in the NLB configuration. Multicast adds the virtual MAC address and the physical MAC address on the network adapter. Multicast uses both the virtual MAC and the physical MAC addresses. Using both the virtual and the physical MAC addresses allows NLB members to communicate with each other as well as clients.
In both Unicast and Multicast, the virtual MAC is being used by multiple computers. If there are multiple servers using the same MAC address, a switch is not able to learn the port for the virtual MAC and is forced to send the packets destined for the virtual MAC to all ports of a switch. This is called switch port flooding. To limit the impact of network switch port flooding, you can use the following solutions.
● Create a virtual local area network (VLAN) for all your NLB servers.
● Use a hub or dumb switch for all your NLB servers and then connect the device to the rest of the network.
● Use Multicast mode and configure static mapping for the NLB cluster nodes in the switch so that it floods only the mapped ports instead of the entire switch.
● Use port mirroring so that all ports involved in the NLB cluster mirror each other.
In earlier versions of Windows, Unicast required two network adapters per NLB
member so that one network adapter could be used for NLB traffic and the other
network adapter could be used to manage the servers and used for any intra-cluster
network needs, such as copying files between the nodes. Multicast mode was often
used when only a single network adapter was available, because it would allow
easier management of the servers and would also allow for intra-cluster communication by using the physical MAC. In Windows Server 2008 R2, Unicast mode no longer requires a second network adapter in each node.
Multicast mode can have some support issues, such as the following.
Configuring a Dedicated Redirector
If you have designated a dedicated redirector, you no longer need an initial load-balancing mechanism. The RDS farm connection brokering steps shown earlier in Figure 9-6 are slightly different in this scenario, as shown in Figure 9-10.
[Figure 9-10 diagram: Farm1.ash.local; a dedicated redirector; the RD Connection Broker; farm members RDSH2, RDSH3 and RDSH4; numbered steps 1 through 5, ending with the IP address of the destination server being returned and a direct connection to the destination server.]
FIGURE 9-10 If you use a dedicated redirector, you don't need an initial load balancing mechanism.
To configure a dedicated redirector for load-balancing initial RD Session Host server farm connections, you must do the following:
1. Give the RD Session Host server permission to join the RD Connection Broker.
2. Configure the RD Session Host server to become a dedicated redirector.
3. Add a DNS entry that maps the farm name to the IP address of the RD Session Host server that becomes a redirector.
First, add the RD Session Host server to the Session Broker Computers Group on the RD Connection Broker and then perform the following steps.
1. On the RD Session Broker computer, open RD Session Host Configuration. Open the RD Connection Broker Properties window by double-clicking the Member Of RD Connection Broker link located in the Edit Settings window.
2. Click Change Settings, and choose Dedicated Farm Redirection in the RD Connection Broker settings window.
3. Enter the FQDN of the RD Connection Broker Server, and the FQDN of the farm name in the corresponding input boxes at the bottom of the screen. Then click OK. You should get the pop-up message shown in Figure 9-11. (As the administrator, you can still connect to the server with a /admin connection.)
FIGURE 9-11 A dedicated redirector doesn't support user sessions, just incoming connection requests.
4. Add domain users to the Remote Desktop Users group on this server if they aren't already members. Even though people won't run sessions on this server, they must be able to connect to it.
5. On your DNS server, add a DNS host entry that maps the farm FQDN to the dedicated redirector's IP address.
FIGURE 9-12 You can join a server to a farm from the RD Connection Broker properties tab in RD Session Host Configuration.
2. Click Change Settings. In the resulting RD Connection Broker Settings window, you specify how this RD Session Host server will interact with RD Connection Broker; that is, what the relationship is. Choose Farm Member and then enter the RD Connection Broker server FQDN and the farm name in the input boxes, as shown in Figure 9-13. FQDN is a hierarchical naming format used with DNS to denote the location of a computer or resource in the DNS tree hierarchy. It's a good idea to use the DNS name for the farm, not its NetBIOS name, even though NetBIOS names will work for simple deployments. It's a form of planning ahead, because you must use the FQDN if any of the following conditions apply:
● You want to use DNS for name resolution (for example, if you're using IPv6, which WINS does not support).
● The farm certificate uses the FQDN in either the Subject or Subject Alternative Name fields.
● You want to use Kerberos authentication, not NTLM.
FIGURE 9-13 Add the RD Connection Broker server name and the farm name.
NOTE For information on creating a Kerberos identity for an RD Session Host server
farm, see http://blogs.msdn.com/b/rds/archive/2009/05/20/creating-kerberos-identity-
for-rd-session-host-farms-part-i-using-the-remote-desktop-services-provider-for-
windows-powershell.aspx.
3. Click OK and you will be back on the RD Connection Broker Properties tab. The check box next to Participate In Connection Broker Load Balancing is selected by default. Leave it selected.
4. Choose the relative weight of this farm server. The weight describes its capacity relative to the other RD Session Host servers in the farm. Although all RD Session Host servers should be configured identically, not all will necessarily have the same amount of memory or the same number of processor cores. For example, if a server is only 75 percent as powerful as other servers in the farm, then you can reduce its weight to allow it only 75 percent as many connections as the other servers. The default value is 100.
5. Also by default, the redirection method (how a client connects to the RD Session Host server once RD Connection Broker decides which server should accommodate the connection) is set to Use IP Address Redirection. If the initial load balancer allows clients to connect directly to RD Session Host servers in the farm, keep this default setting.
NOTE Unless you know otherwise, always use IP address redirection. Some initial load-balancing configurations require all RD Session Host server traffic to be routed through the initial load balancer. Therefore, clients do not communicate directly with RD Session Host servers in the farm because they won't know their IP addresses. Instead, they talk to the load balancer, and the load balancer passes the communication to the appropriate RD Session Host server. In these situations, the load balancer must use routing token redirection instead of IP address redirection.
6. In the bottom section of this page, select the IP address that will be used for reconnections to this server.
NOTE If you have more than one network adapter that you want to use, you can
choose them all by checking the box next to each network adapter.
■ Configure RD Connection Broker Farm Name  Enable this setting and specify a farm name. Because the GPO is applied to an OU holding the RD Session Host servers, all RD Session Host servers will know this farm name.
■ Configure RD Connection Broker Server Name  Enable this setting and type the IP address or the FQDN of the server where RD Connection Broker is installed. RD Session Host servers in the farm will be serviced by this RD Connection Broker. Again, the FQDN is recommended.
■ Use IP Address Redirection  Enable this setting unless your initial load balancer solution requires token-based redirection.
Any of these policy settings, if not configured or disabled, can be configured using RD Session Host Configuration on a per-service basis, although the settings in Group Policy take precedence if there is a conflict. One exception to this rule is the Join RD Connection Broker policy setting; if it is disabled in Group Policy, it cannot be configured via RD Session Host Configuration. If settings are configured via Group Policy, then the options to configure them in RD Session Host Configuration are dimmed, as shown in Figure 9-14.
FIGURE 9-14 Configuring the RD Session Host server to join a farm via Group Policy blocks the ability to edit these settings in RD Session Host Configuration.
Using Windows PowerShell to Join a Farm
On an RD Session Host server farm member, open an elevated Windows PowerShell prompt and then do the following.
1. First, import the Remote Desktop Services Module with the following command:
Import-Module RemoteDesktopServices
Set-Location RDS:
3. Navigate to the RD Connection Broker settings directory with the following command:
cd RDSConfiguration\ConnectionBrokerSettings
When you configure a server to join an RD Connection Broker server farm, all the settings to do so need to be run in one line of code. Therefore, you need to know what settings to specify beforehand. To know what items you will be setting and what the value options are for each setting, run this command:
Get-ChildItem | Format-List
These items in the resulting list correspond to the items that you would set in the RD Session Host Configuration had you done this via the graphical user interface (GUI).
Next, get the current redirectable address options that you have to choose from so that you can specify one or more IP addresses to use for IP address redirection later in the script:
PS RDS:\> cd RedirectableAddresses
PS RDS:\rdsconfiguration\ConnectionBrokerSettings\RedirectableAddresses> dir
Take a look at your redirectable address options; if you have more than one network adapter configured on the server, you will have multiple addresses to choose from. The results will look similar to this:
Directory: RDS:\rdsconfiguration\ConnectionBrokerSettings\RedirectableAddresses
Now you have all the data that you need to configure the RD Session Host server to join an RD Connection Broker farm. Do this by running the following code, inputting the value options that work with your environment.
NOTE To get help in setting the item ServerPurpose, run the following command.
To get help in understanding ServerPurpose parameters and their possible values, run this command:
Get-Help Set-Item -Path .\ServerPurpose -Parameter <the parameter for which you want possible values>
ON THE COMPANION MEDIA A script to perform this process for all servers in an
OU is included on the companion media in the JoinFarm.ps1 file. The script sets IP
address redirection to use the first available network adapter option.
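The join procedure above, collected into one script as an added example. This is not the book's companion JoinFarm.ps1; it only follows the same choice of using the first redirectable address. The broker and farm names are constructed placeholders, and the dynamic parameter names of Set-Item on the ServerPurpose item (-SessionBrokerName, -FarmName, -CurrentRedirectableAddresses), the value 1 for a farm member, and the Name and CurrentValue properties of the provider items are assumptions to confirm with the Get-Help command the NOTE shows.

```powershell
# Added example, not the book's JoinFarm.ps1: join this RD Session Host server
# to an RD Connection Broker farm through the RDS provider, using the first
# redirectable address for IP address redirection.
# ASSUMPTIONS (verify with Get-Help Set-Item -Path .\ServerPurpose -Parameter <name>):
#   -SessionBrokerName, -FarmName and -CurrentRedirectableAddresses are the
#   dynamic parameters of the ServerPurpose item, -Value 1 means "farm member",
#   and the items expose Name and CurrentValue properties.
function Join-RdsFarm {
    param(
        [Parameter(Mandatory = $true)][string]$BrokerFqdn,   # e.g. broker.ash.local (constructed)
        [Parameter(Mandatory = $true)][string]$FarmFqdn      # e.g. farm1.ash.local (constructed)
    )
    Import-Module RemoteDesktopServices
    Push-Location 'RDS:\RDSConfiguration\ConnectionBrokerSettings'
    try {
        # The addresses offered for IP address redirection; take the first one.
        $address = Get-ChildItem .\RedirectableAddresses |
            Select-Object -First 1 -ExpandProperty Name
        if (-not $address) {
            throw 'No redirectable address found; check the network adapters on this server.'
        }

        # Everything needed to join must be supplied in the single Set-Item call.
        Set-Item -Path .\ServerPurpose -Value 1 `
            -SessionBrokerName $BrokerFqdn -FarmName $FarmFqdn `
            -CurrentRedirectableAddresses $address

        # Read the settings back so the result can be checked against what
        # RD Session Host Configuration would show.
        Get-ChildItem . | Select-Object Name, CurrentValue
    }
    finally {
        Pop-Location
    }
}

Join-RdsFarm -BrokerFqdn 'broker.ash.local' -FarmFqdn 'farm1.ash.local'
```

Use the FQDN for both names for the reasons given in the farm member steps (DNS resolution, certificate subject names and Kerberos); the read-back at the end is the quickest way to see whether Group Policy is already controlling any of these items.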
FIGURE 9-15 The name that you choose here will be the Display name for RemoteApp And Desktop Connections on the client.
You've got a lot of latitude in choosing a name. Names can be long, contain spaces, and will show mixed case. There's one caveat to this. You can't end the Display name with any character that Windows sees as either part of a file name (.) or a wildcard character (* or ?). That's why, in Figure 9-15, the "Inc" has no period. You can include any of these characters elsewhere in the Display name, but you cannot use any of them as the last character in the name.
Adding Applications to the Allow List
Before adding applications to the allow list, it's important to understand what adding applications to the allow list is and isn't. It isn't a form of software restriction policy or a way to enable AppLocker, as discussed in Chapter 6, "Customizing the User Experience." Adding an application to the allow list only enables a user to open a session with that application; after the remote session has begun, it's possible to start any other application on the RD Session Host server to which you have access. Do not consider the allow list as a step toward locking down the server.
So what is the allow list? Adding an application to the allow list makes it possible to start that application in a session (as a RemoteApp) and also to package it as a RemoteApp program for distribution. If you add an application to the allow list, package it, give that RDP file to someone, and then remove the application from the allow list, that RemoteApp file will not work any longer. In addition, if you previously configured the application to work with RD Web Access and then remove it from the allow list, it will no longer appear in the portal after you remove it from the allow list.
To add applications to the allow list, open the RemoteApp Manager (see Figure 9-16) from Start, Administrative Tools, Remote Desktop Services, RemoteApp Manager. This tool controls which applications are available as RemoteApp programs and how users reach those programs.
Publishing and Assigning Applications Using RemoteApp Manager  Chapter 9  455
None of these settings apply, however, until you populate the allow list. To add an installed application to the allow list, you must add it to the RemoteApp Programs list located in the lower section of the middle pane (shown in Figure 9-16) by following the next set of steps.
NOTE You can add only applications on a terminal server running Windows Server 2008
or an RD Session Host server running Windows Server 2008 R2 to the allow list. Terminal
servers running Windows Server 2003 cannot run RemoteApp programs or back an RD
Web Access server, except to connect to a full desktop.
1. Click the Add RemoteApp Programs button in the Actions pane or right-click in the RemoteApp Programs section and choose Add RemoteApp Programs to start the RemoteApp Wizard. Click Next.
2. Choose the application(s) that you want to publish by selecting the corresponding check box in the RemoteApp Programs list (see Figure 9-17). If an installed application does not appear in the list, locate it by clicking Browse and navigating to the executable file.
FIGURE 9-17 Add one or more installed applications to the allow list.
NOTE Applications are listed in alphabetical order, taken from the Start menu of the
RD Session Host server on which you’re running Remote App Manager. Use Browse to
find applications that are not on the Start menu.
3. If adding a single application, you can edit the application settings by clicking Properties. The Properties section is discussed in the section entitled "Editing RemoteApp Properties" later in this chapter. If you've selected more than one application from the list, you can't edit the properties.
4. Click Next, review the settings that you have chosen, and click Finish. The application is now on the allow list.
FIGURE 9-18 Click a Change link in the RemoteApp Manager Overview section to open the RemoteApp Deployment Settings dialog box.
NOTE You can also click the corresponding RD Session Host Server Settings, RD Gateway Settings, or Digital Signature Settings options in the Actions pane to open the RemoteApp Deployment Settings tabbed dialog box.
Open the RemoteApp Deployment Settings dialog box to edit the global settings used to configure RemoteApp RDP and Windows Installer (MSI) distribution files. These settings also apply to RDP files created when a user clicks a RemoteApp icon in RD Web Access or RemoteApp and Desktop Connections.
NOTE If you change settings in the middle pane, RD Web Access and RemoteApp And Desktop Connections will use the updated settings. RDP files and .MSI files that you create from the RemoteApp Manager will not. You'll need to re-create them to make the new settings take effect.
RemoteApp deployment settings apply to all applications that you publish (unless you explicitly change the settings during creation) but will not affect applications you've already published. If you update these settings, any RDP or MSI files that you've already created will be out of date. You will need to recreate and redistribute them.
authentication that must be used when using RD Gateway. For example, for greater security, you could require smart card authentication. To use the same user credentials to access RD Gateway and the RD Session Host server, select the corresponding check box. Otherwise, users will be prompted for credentials twice.
NOTE Although Kerberos is the default authentication method for Windows Server 2008 R2, clients connecting via RD Gateway use NTLM (which validates the domain only), not Kerberos (which validates the full name of the server). This is because you can't use Kerberos over the Internet. Kerberos requires that both client and server be domain-joined so that they can contact the authentication service. Therefore, for RD Gateway, you'll rely on either NTLM or smart card access.
HOW IT WORKS
The digital certificate used to sign an RDP file (or any other file) contains proof that the subject of the certificate (the web server, the user, the application, the entity) is indeed who or what it claims to be. Digital certificates are used for a variety of purposes, like authenticating servers, signing email, or authenticating users on a network.
When used to sign RDP files generated by the RemoteApp Manager, the digital cer-
tificate provides the software publisher identity to users of the RDP files. This gives
users assurance that they will connect to a trusted RD Session Host server. It also
assures that the RDP file code has not been altered in any way after it was published
and signed using the certificate.
When purchasing a certificate, to prove that the subject of the certificate is real, the
issuer of the certificate (the certificate authority, or CA) must verify the subject’s
identity. The CA does a background check to be sure that the person requesting the
certificate is who he or she says. (The result is that you can’t get signing certificates
from a company that you don’t belong to, or even to a company that you do belong
to if you don’t have authority to get them.) After the CA has verified the requestor’s
identity, the CA signs the certificate with its digital signature to show that the appropriate checking has taken place and to verify that the certificate subject is valid.
You can obtain a digital certificate from a public company such as VeriSign or
Thawte. Alternatively, your company can maintain your own public key infrastructure (PKI), the system that maintains CAs and other systems related to digital
certificates, and can issue and maintain your own digital certificates. In either case, a
digital certificate is verified as legitimate by verifying the issuing CA signature used
to sign the certificate. To verify the issuing CA signature, that CA certificate—which
contains its digital signature—needs to be installed on the client in the Trusted Root
certificate store. Users can add CA certificates to this store for every source they
trust.
On Windows Vista and Windows 7, when an application needs to verify a certificate
that has been signed by a CA, and that CA is not directly trusted (its certificate is
not installed in the Trusted Root CA store on the computer), then the computer
checks with Windows Update to see if the CA has been added to the Microsoft list
of trusted authorities. If it has, then the certificate is automatically downloaded and
installed in the Trusted Root CA store on the computer.
Computers running Windows XP and earlier can update their trusted root certificates by downloading the latest root update package from the Microsoft Updates Catalog.
Companies that run their own PKI solution can choose to have their CA certificate
signed by a public CA that is part of the Microsoft Root Certificate Program. This
will save them from having to install their CA certificate on each of their clients,
because the public CA that signed the company’s CA root certificate would already
have its certificate placed in the Computer Certificates/Trusted Root Certification
Authorities folder.
NOTE If you need to distribute already created or manually created RDP files to users via
email or network share, you can use the RDPsign.exe command-line tool to sign the files.
See the section entitled “Signing Already-Created RDP Files” later in this chapter for more
details.
You can tell an RDP file is signed if you open it in a text editor. The signature will be included in the file, as shown in Figure 9-19.
FIGURE 9-19 A signed RDP file includes the encrypted signature.
If you try to execute a signed file that has been tampered with, the remote desktop client will open, but the settings once contained in the signed RDP file will no longer be preselected. Also, the publisher of the RDP file will be unknown because you are no longer running a preconfigured RDP file (it was broken when the file was changed after it was signed).
When a user opens a signed RDP file, he or she will be presented with the screen shown in Figure 9-20.
FIGURE 9-20 Signed RDP files show the user the publisher's identity before the code executes.
The user can then verify that he or she is executing the intended code from the correct source. The user can then execute the code by clicking Connect, or he or she can choose to click Cancel and not execute the file.
If you do not use digital signatures to sign RDP files, when users open a published RDP file, they will receive a warning (shown in Figure 9-21) stating that the publisher of the RDP file can't be identified.
FIGURE 9-21 If a digital signature is not used to sign an RDP file, the user receives a warning that the publisher of the Remote Connection can't be identified.
The user either connects anyway by clicking Connect or clicks Cancel to cancel the connection.
The RDP settings are passed to the endpoint when a user makes a connection.
Not all options for an RDP file are exposed through the GUI of Mstsc.exe. To
change the way a RemoteApp (or desktop) starts, you can edit the contents of the
RDP file from a text editor such as Notepad. Most of these are reasonably self-
explanatory, but it’s good to examine what you can and can’t control with an RDP
file. (Not all settings here will be present in all RDP files, and desktops might have
additional options.)
ON THE COMPANION MEDIA A link to a website that provides all of the RDP file
settings and their possible values is located on this book’s companion media. The
URL is http://blog.kristinlgriffin.com/2010/10/rdp-settings-for-rdc-7.html.
RDP file settings should not be changed if the RDP file is signed, because this will break the signature, corrupt the file, and render it unusable.
FIGURE 9-22 Edit RemoteApp settings in the RemoteApp Properties dialog box.
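A small inspection script for the two points above (a signed file carries its signature in the text, and the signed settings must not be edited), added here as an example and not taken from the book or from RDPsign.exe. It reads an .rdp file, reports whether it carries signscope and signature entries, and lists which settings in the file the signscope names and which it does not. The sample file content is constructed: the signature value is a dummy and the signscope list is deliberately short so that one setting falls outside it; the rule that signscope names match file keys once spaces and case are ignored is an assumption.

```powershell
# Added example, not from the book: report whether an .rdp file is signed and
# which of its settings the signature scope covers.
# ASSUMPTION: a signscope entry such as "Full Address" names the file key
# "full address" once spaces are dropped and case is ignored.
function Get-RdpSettings {
    param([string[]]$Lines)
    $settings = @{}
    foreach ($line in $Lines) {
        # Every RDP setting has the form name:type:value, with type s, i or b.
        if ($line -match '^([^:]+):([sib]):(.*)$') {
            $settings[$matches[1].Trim().ToLower()] = $matches[3]
        }
    }
    return $settings
}

function Get-RdpSignatureReport {
    param([string]$Path)
    $settings = Get-RdpSettings -Lines (Get-Content -Path $Path)
    $report = New-Object PSObject -Property @{
        Path = $Path; Signed = $false; InScope = @(); OutOfScope = @()
    }
    # Unsigned files have neither entry; the client then warns that the
    # publisher cannot be identified (Figure 9-21).
    if (-not ($settings.ContainsKey('signature') -and $settings.ContainsKey('signscope'))) {
        return $report
    }
    $report.Signed = $true
    $scope = @($settings['signscope'] -split ',' |
        ForEach-Object { $_.Trim().ToLower().Replace(' ', '') })
    foreach ($key in $settings.Keys) {
        if ($key -eq 'signature' -or $key -eq 'signscope') { continue }
        if ($scope -contains $key.Replace(' ', '')) { $report.InScope += $key }
        else { $report.OutOfScope += $key }
    }
    return $report
}

# Constructed sample of a signed RemoteApp file (dummy signature, short scope).
$sample = @'
full address:s:farm1.ash.local
server port:i:3389
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Calculator
remoteapplicationcmdline:s:
signscope:s:Full Address,Server Port,RemoteApplicationMode,RemoteApplicationProgram
signature:s:AQABAAEAAADUMMYSIGNATUREVALUE
'@
$samplePath = Join-Path $env:TEMP 'sample-signed.rdp'
Set-Content -Path $samplePath -Value $sample

$r = Get-RdpSignatureReport -Path $samplePath
'{0}: signed={1}' -f $r.Path, $r.Signed
'  named in signscope     : ' + ($r.InScope -join ', ')
'  not named in signscope : ' + ($r.OutOfScope -join ', ')   # remoteapplicationcmdline here
```

Run it against the RDP files you actually distribute rather than the constructed sample; a setting that the scope does not name is one the signature says nothing about, which is the practical reason behind the chapter's advice not to allow user-supplied command-line arguments on signed files.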
Don’t Change the Alias
The Alias property is a unique identifier for the application, defaulting to the application screen name. Although you can edit this property, it's best that you don't, because this is how the computer identifies each RemoteApp. The RemoteApp Manager uses Windows Management Instrumentation (WMI) interfaces that represent RemoteApp programs. The class Win32_TSPublishedApplicationList lists all RemoteApp programs in a list, identifying them by their aliases. If you change an alias, the class will not be able to find the RemoteApp in its list.
CAUTION The RD Web Access website populates its list of applications by querying
WMI, so editing the alias can cause a RemoteApp not to display in RD Web Access.
/S \\colfax\ash-company-files\Mydoc.pptx
By default, command-line arguments are not enabled for RemoteApp programs because no arguments are universally appropriate. By allowing users to specify their own arguments, you expose the RD Session Host server to attack, for example, through rogue websites. If you must enable arguments, select one of the following choices.
■ Allow Any Command-Line Arguments  Choose this option to allow users to assign parameters to a RemoteApp. Users can then open the RDP file in a text editor and add the arguments that they want to use for that connection, as shown in Figure 9-23. Users cannot add arguments to RemoteApps that they access via RD Web Access. But they can edit RemoteApps distributed by RemoteApp And Desktop Connections or by RDP or MSI file distribution by right-clicking the RemoteApp and opening it in a text editor.
NOTE If you digitally sign your RDP files, don’t allow users to specify command-line
arguments. If users edit the arguments, they’ll corrupt the file.
FIGURE 9-23 Add a command line parameter to a RemoteApp RDP file.
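An audit of the command-line setting on every published RemoteApp, added as an example (not the book's own code), using the Win32_TSPublishedApplication class in the root\cimv2\TerminalServices namespace, the same WMI family the chapter says RemoteApp Manager and RD Web Access read. The meaning of the CommandLineSetting values (0 not allowed, 1 any arguments, 2 fixed required arguments) is assumed from the three choices the chapter lists and should be checked against the class documentation before the report is relied on.

```powershell
# Added example, not from the book: list each RemoteApp on the allow list with
# its command-line argument setting so the ones accepting user-supplied
# arguments can be reviewed. Run on the RD Session Host server (or pass a
# remote -ComputerName).
# ASSUMPTION: CommandLineSetting 0 = arguments not allowed, 1 = any arguments,
# 2 = always use RequiredCommandLine; verify against the WMI class reference.
function Get-RemoteAppCommandLineAudit {
    param([string]$ComputerName = '.')
    $apps = Get-WmiObject -ComputerName $ComputerName `
        -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSPublishedApplication
    foreach ($app in $apps) {
        $verdict = switch ($app.CommandLineSetting) {
            0       { 'OK: arguments disabled' }
            1       { 'REVIEW: any user-supplied arguments accepted' }
            2       { "OK: fixed arguments '$($app.RequiredCommandLine)'" }
            default { "UNKNOWN: CommandLineSetting=$($app.CommandLineSetting)" }
        }
        New-Object PSObject -Property @{
            Alias        = $app.Alias        # the identifier the chapter says not to change
            Name         = $app.Name
            Path         = $app.Path
            ShowInPortal = $app.ShowInPortal
            CommandLine  = $verdict
        }
    }
}

Get-RemoteAppCommandLineAudit |
    Sort-Object CommandLine |
    Format-Table Alias, Name, ShowInPortal, CommandLine -AutoSize
```

Entries marked REVIEW are the ones to reconcile with the NOTE above: if those RemoteApps are distributed as signed RDP files, the setting should be moved to a fixed argument list or disabled.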
NOTE For best performance, it’s always best to disable unnecessary images. For example,
to remove the splash screen from the opening of any Microsoft Office application, add the
/q switch to the list of required command-line arguments. See the Additional Resources
at the end of this chapter for pointers to command-line arguments for some sample
applications.
The settings that you pick will always apply to that RemoteApp when it's started because they're defined on the server.
Assigning Applications to Users
In Windows Server 2008, all users accessing the same RD Web Access site would see the same application set; you couldn't filter according to user identity. Although the default setting still allows all authenticated domain users (who are in the Remote Desktop Users group on the RD Session Host server) to run the applications, you can also allow only certain users to see applications. To configure this, turn to the User Assignment tab when configuring the RemoteApp properties, as shown in Figure 9-24.
FIGURE 9-24 You can filter the contents of RD Web Access or RemoteApp And Desktop Connections by user identity.
To assign applications, just select the option for Specified Domain Users And Domain Groups and click Add. This will open the familiar search tool for finding users and groups in AD DS. Find the appropriate user or group and click OK, and then click OK again to confirm your selection when you see the user or group name in the list.
CAUTION If you opt to assign the application to specified domain users and do-
main groups but don’t add a user or group name to the input box, then the applica-
tion will not be visible to anyone.
■ The user or group accounts you assign them to must be domain accounts. You can't, for example, assign applications to a local user on the RD Web Access computer.
■ The RD Web Access computer and RD Session Host server hosting the RemoteApp must both be domain-joined. They must be either in the domain for the user accounts or a trusted domain.
■ You can only choose users or groups of users; there is no option to filter according to which computer the application set is viewed from.
■ If someone can see an application and you don't think he or she should be able to, check the groups that have access to the application and the group memberships of the user who can unexpectedly see the application.
■ The RD Web Access server must be a member of the Windows Authorization Access Group in the domain, so it has permission to check the group memberships for a user account. You can confirm this membership on a domain controller: open Active Directory Users And Computers and look in the Builtin folder to list all the built-in groups. Check the Members tab for the Windows Authorization Access Group. The RD Web Access server, or a group of which it is a member, must appear in this list.
Save the settings that you've adjusted. The application is now added to the allow list and can be displayed with the settings that you specified.
Import-Module RemoteDesktopServices
Set-Location RDS:
cd RemoteApp\RemoteAppPrograms
New-Item -ApplicationPath "c:\windows\system32\calc.exe" -ApplicationName "Calculator" -ShowInPortal 1
Exporting and Importing the Allow List
To export the allow list and associated settings, click the Export RemoteApp Settings link in the Actions pane of the RemoteApp Manager to open the dialog box shown in Figure 9-25.
FIGURE 9-25 Export RemoteApp settings to a file or to other RD Session Host servers.
To export to single RD Session Host servers on the same network, choose the first option and provide the server's DNS name. Click OK and the settings will appear in the RemoteApp Manager of the specified server. Import the programs and settings to a server by clicking the Import RemoteApp Settings link in the Action pane of the RemoteApp Manager, and specifying the DNS name of the server from which to import the settings.
If you're configuring more than one server or the other server isn't yet online, choose Export The RemoteApp Programs List And Settings To A File and then choose the name and location to store the file. The created file will have an extension of .pub. On another RD Session Host server, open RemoteApp Manager and click the Import RemoteApp Settings link in the Actions pane. Locate the .pub file and click Open.
One caution about importing and exporting the allow list. If you are signing the files digitally, you won't be able to create RDP or MSI files from a secondary server. Although it will appear that the signing settings have been exported for you to use when creating RDP files, this is incorrect. The required certificate will not be stored in the secondary server's certificate store. For this reason, it's best to designate one server as a management server. Create the RDP and MSI files from the designated management server and just import the allow list to the secondary servers. You can also install the signing certificate on each of the other RD Session Host servers and manually edit the RemoteApp digital certificate settings on each server to reflect the correct certificate.
Configuring Timeouts for RemoteApp Sessions
All RemoteApp programs for the same user that are run from the same server are run in
the same session for greater efficiency. Therefore, when a user closes one RemoteApp,
this doesn't close the entire session if other RemoteApp programs are still running. There
is no option to log off or close a session from a RemoteApp. Doing so would terminate
all RemoteApp programs the user started from that server simultaneously because all
RemoteApp programs run in the same session.
Second, with RemoteApp programs, users are no longer starting and using applications
from within another desktop. Instead, they open and close RemoteApp programs from their
own desktop, and they no longer make a definitive decision about the state of their session
by either disconnecting or logging off. Rather, they open and close RemoteApp programs as
needed and do not have to think about the session. This is good from a user perspective, but
it makes knowing when to disconnect a session a bit more complicated.
Because a RemoteApp session depends on the presence or absence of its RemoteApp
programs, the logic for determining when the session should end is different from that of
a desktop. The section entitled "RemoteApp Internals" earlier in this chapter explained the
communication paths between the client-side application and the remote session. When the
very last RemoteApp in a session is closed (signaled through a windowing event showing that
the window is closed), and key processes are no longer running in the remote session, the
connection determines that the session is complete and can be disconnected. The time that
the session remains in a disconnected state depends on how you configure the Group Policy
setting Set Time Limit For Logoff Of RemoteApp Sessions, located in Computer (or User)
Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop
Services\Remote Desktop Session Host\Session Time Limits.
NOTE RemoteApp programs and system tray icons that the user starts indirectly are
included in this determination. As an example, let’s assume a user opens a Microsoft Word
document with a Word RemoteApp and the document contains a link to a Microsoft Excel
spreadsheet. If the user also uses Excel as a RemoteApp, then clicking on the link indirectly
opens the Excel RemoteApp. Both of these RemoteApp programs need to be closed for the
session to be disconnected.
You don't necessarily want to terminate a session as soon as the last RemoteApp is closed.
It's much faster to reconnect to an existing session than to re-create a new one (the process
of loading all the processes to support the session is expensive). Therefore, you might want to
edit the user or computer Group Policy to prolong the interval between disconnection and
termination of RemoteApp sessions. This gives users a little time to realize that they have one
more email to send and start Microsoft Outlook from the existing remote session, rather than
waiting for a new session. To do so, when you enable the GPO setting Set Time Limit For Logoff
Of RemoteApp Sessions, select the Enabled radio button and choose a time setting from
the RemoteApp Session Logoff Delay drop-down menu, as shown in Figure 9-26.
FIGURE 9-26 Use Group Policy to set a time limit for logoff of RemoteApp sessions.
NOTE If you also enable the GPO setting Set Time Limit For Disconnected Session, then
choose a time for that GPO that is longer than the time specified for RemoteApp Session
Logoff Delay. Otherwise, sessions will always be terminated before the RemoteApp Session
Logoff Delay Time limit is reached, thus rendering that GPO irrelevant.
There's a tradeoff between keeping responsive sessions and not overloading the RD Session
Host server. If you choose to retain sessions for a long time, you might affect the RD
Session Host server because the disconnected sessions remain active. Be sure that you have
sufficient page file space to accommodate the disconnected sessions when they're not in use.
RDP file. Select the certificate's Details tab and scroll down to the Thumbprint value, as shown
in Figure 9-27.
FIGURE 9-27 The certificate thumbprint is revealed in the Details tab of the certificate.
Highlight and copy the thumbprint to a text editor and remove the spaces so that you end
up with 40 characters, such as 0d1f0dbf0a8accc4fbd80e2f087fc40b4d4aefed. You are now
ready to sign an RDP file. Rdpsign.exe is a command-line tool and contains a few parameters
to note. Table 9-2 explains the parameters.
PARAMETER      DESCRIPTION
/sha1 <hash>   Replace <hash> with the thumbprint of the certificate that you want to use to sign the RDP file.
/q             Quiet Mode—You will receive no output if the command is successful and very little if it fails.
/v             Verbose Mode—The opposite of Quiet Mode. It shows you all messages related to the execution.
/l             Tests signing the RDP file and tells you the results of the test, but does not actually sign the file.
/?             Typical command prompt for displaying help for the command. You can also type rdpsign and get the help information.
Open a command prompt, type rdpsign, add the hash, select a result display mode if you
want, and then provide the location of the RDP file. The following example shows an Rdpsign
command successfully executed:
Users that start a signed RDP file will get an uneditable user interface, as shown in
Figure 9-28.
FIGURE 9-28 Signed RDP files are preconfigured and not editable.
Only if certain redirection was allowed at the time of creation will the user have the
opportunity to disable it. If redirection is disabled, the user will not be given the opportunity to
enable it.
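As an added example (not from the book), the following PowerShell script takes the thumbprint from the local certificate store instead of retyping it, normalizes it to the 40 hexadecimal characters that rdpsign expects, test-signs each RDP file with /l, and only then signs it. The subject name and folder are placeholders.

```powershell
# Added example, not from the book: sign RemoteApp RDP files with rdpsign.exe
# using a thumbprint read from the local machine certificate store.
# Assumptions: the signing certificate (with its private key) has been imported
# into Cert:\LocalMachine\My, and rdpsign.exe is on the path.
param(
    [string]$SubjectName = "CN=rds.contoso.com",   # placeholder subject; change to yours
    [string]$RdpFolder   = "C:\RemoteAppFiles"     # placeholder folder holding .rdp files
)

# Normalize a thumbprint the way Table 9-2 requires: strip spaces and any
# non-hex debris copied from the Details tab, then insist on exactly 40 hex characters.
function ConvertTo-CleanThumbprint([string]$Raw) {
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($clean.Length -ne 40) {
        throw "Thumbprint must be 40 hex characters after removing spaces; got $($clean.Length)."
    }
    return $clean
}

# Prefer the certificate store over copy-and-paste: the Thumbprint property has no spaces,
# and the store also tells us whether the private key (required for signing) is present.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $SubjectName -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $SubjectName." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) has expired." }

$hash = ConvertTo-CleanThumbprint $cert.Thumbprint

foreach ($rdp in Get-ChildItem -Path $RdpFolder -Filter *.rdp) {
    # /l only tests the signing and reports the result; nothing is written to the file.
    & rdpsign.exe /sha1 $hash /l $rdp.FullName
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Test signing failed for $($rdp.Name); skipping it."
        continue
    }
    # Real signing, in verbose mode so every message about the run is shown.
    & rdpsign.exe /sha1 $hash /v $rdp.FullName
    if ($LASTEXITCODE -eq 0) { Write-Host "Signed $($rdp.Name) with thumbprint $hash" }
}
```

Run it on the designated management server described above, since that is the only server whose certificate store holds the signing certificate.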
Both settings are available in the same location. To set the policies for computers, go
to Computer Configuration\Policies\Administrative Templates\Windows Components\
Remote Desktop Services\Remote Desktop Connection Client. For users, go to User
Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop
Services\Remote Desktop Connection Client.
NOTE To use RDP files from computers outside the corporate local area network (LAN),
you need to deploy RD Gateway to provide secure access to RD Session Host servers in the
network. For information about RD Gateway, see Chapter 10.
When users double-click a RemoteApp RDP file, they see a connection screen that either
reveals the software publisher identity (so users know they are executing code from a trusted
source), as previously shown in Figure 9-20, or indicates that the publisher is unknown, as
shown in Figure 9-21.
To create an RDP file for distribution, click the Create .rdp File link in RemoteApp Manager.
Click Next on the Welcome screen. The Specify Package Settings page appears, as shown in
Figure 9-29.
FIGURE 9-29 Specify RemoteApp MSI package settings, including a save location and any changes to
server name, port, RD Gateway settings, or the default signing certificate.
Enter a location where you want to save the MSI package or browse to the location. RDP
files (and MSI packages) are configured by default with the configuration settings that you set
in RemoteApp Manager.
On this page, you can make any needed changes to the default RemoteApp settings for
the MSI package by clicking the Change button next to the appropriate setting. Click Next,
review your settings, and then click Finish. The created RDP file will be saved to the location
you specified in the wizard.
2. Enter a location where you want to save the MSI package, or browse to the location.
Make any needed changes to the default RemoteApp settings for the MSI package
by clicking the Change button next to the setting you want to change and entering
the new setting. Click Next. The Configure Distribution Package page appears, as shown in
Figure 9-30.
FIGURE 9-30 Associate file extensions and create shortcut icons for RemoteApp programs.
3. In the top section, choose to put a shortcut on a client's desktop, the Start menu, or
both by selecting the corresponding check box. If you choose to put a shortcut icon on
the Start menu, then enter the name of the folder in which the icon will reside.
4. In the bottom section, you can choose to associate file extensions with the RemoteApp
program by selecting the corresponding check box. Click Next, and then click Finish on
the Review Settings page.
Creating RDP files and MSI packages might seem very similar, but another main purpose
of creating MSI packages is to deploy RemoteApp programs via Group Policy. To use Group
Policy to deploy RemoteApp MSI files, create a GPO and link it to an OU for the users or
clients for which the Group Policy should apply. Navigate to either Computer Configuration\
Policies\Software Settings or User Configuration\Policies\Software Settings, as appropriate.
Right-click Software Installation and choose New Software Package. If you deploy RemoteApp
MSI files using a computer policy, the application is assigned and installed automatically when
the user boots the computer. Only administrators can uninstall the application.
NOTE You can choose to either assign applications (installing them automatically) or
publish applications (making them available for installation). It’s a best practice to assign
MSIs containing RDP files. Otherwise, the file associations linked with those RemoteApp
programs won’t work properly.
NOTE RD Web Access also provides a way to connect remotely to other machines on the
network via the Remote Desktop tab on the website interface. This is covered later in this
chapter in the section entitled “Using the RD Web Access Website.”
FIGURE 9-31 The RD Web Access role service gets RemoteApp, desktop session, and pooled and personal
VM information from RD Session Host servers or RD Connection Broker. (Diagram labels: RD Session Host
Server or Farm; RD Connection Broker; RD Web Access Role Service; WMI; RPC.)
NOTE It’s important to understand that the RD Web Access role service is more than just
a website. The role service is what polls the source(s) and gathers the data. The website is
merely a way of telling the role service what source(s) to poll and then also displaying that
data in a web browser.
The source dictates what kinds of resources are accessible via RD Web Access, as shown in
Figure 9-32.
Delivering RemoteApp Programs and VMs Through RD Web Access   chapter 9   479
FIGURE 9-32 The RD Web Access source dictates the types of resources available via RD Web Access.
(Diagram labels: RD Virtualization Host Server; Pooled VMs; Personal VMs; RemoteApp(s); Full Desktop(s);
RD Web Access Role Service; WMI; RPC.)
RD Session Host servers provide access to RemoteApp and full desktop sessions. If this
is all you need to make available, then you have two ways to configure the RD Web Access
source. You can configure the RD Session Host servers or farms as the RD Web Access sources,
or RD Connection Broker can be configured to attain this data from the RD Session Host servers
and then pass it on to RD Web Access.
However, if you need to provide access to pooled and personal VMs, then you must use
RD Connection Broker as the source, because only RD Connection Broker receives data from
RD Virtualization Host servers regarding the VMs that they provide. Because RD Connection
Broker can also be configured to consume resource data from RD Session Host servers and
farms, it can act as an overall source for all available resources.
If you assign one or more RD Session Host servers or farm names as the source, the RD
Web Access role service gets the resource data from this source by querying the WMI interfaces
on the source to see what applications are on the allow list and are configured to be
shown in the portal.
If you configure RD Connection Broker as the source, RD Web Access queries the RD Connection
Broker using RPC. RD Connection Broker queries the RD Session Host servers and
farms that it knows about, gets the resource data, and passes it to RD Web Access.
Like RDP files created using the RemoteApp Manager, the dynamically created RDP files
on the RD Web Access RemoteApp Programs tab adhere to the configuration settings specified
in RemoteApp Manager. For example, if RemoteApp Manager global settings specify
connecting to an RD Session Host server farm, then the RDP files created by the RD Web Access
RemoteApp Programs tab will also contain this setting. Likewise, if RemoteApp Manager contains
RD Gateway settings, then RD Web Access RDP files are also set up to connect through
RD Gateway.
Import-Module ServerManager
Add-WindowsFeature RDS-Web-Access -Restart
A successful install gives the following results:
WARNING: [Installation] Succeeded: [Remote Desktop Services] Remote Desktop Web Access.
RD Web Access requires additional configuration. On the Configuration page of the RD Web
Access website, you need to specify the source that will provide the RemoteApp programs
and desktops that will be displayed to users. For more information, see <a href="ts_
remoteprograms.chm::/html/e1e047ce-d080-4568-b987-378fef46bea2.htm">Configuring the RD
Web Access Server</a>.
NOTE If you choose to install via the command line, then any needed components, such
as IIS 7.5, that are not installed already will be installed automatically and will appear in the
Feature Results section of the installation summary.
Implementing RD Web Access installs the RD Web Access website to the RDWeb virtual
path of the IIS default website. The install directory is located at %WinDir%\Web\RDWeb.
FIGURE 9-33 When you log in to the RD Web Access website, you have access to a tabbed interface.
FIGURE 9-34 Click the Configuration tab to access the RD Web Access configuration area.
4. Select the radio button corresponding to the type of sources that will provide the
RemoteApp and desktop information to RD Web Access.
5. Enter the name of the sources you want in the Source Name input box. If you chose
the option One Or More RemoteApp Sources, separate each RD Session Host server or
RD Session Host farm name source with a comma. When you are finished, click OK.
Each source that you choose for RD Web Access must be able to communicate with the
role service. Grant this access by adding the RD Web Access computer account to the source's
local TS Web Access Computers security group.
FIGURE 9-35 Give RD Web Access permission to query every RD Session Host server that is an RD Web
Access source. (Diagram labels: Initial Load Balancing: NLB or RR DNS; RD Web Access; Source: RD Session
Host Server(s) and/or Farm(s).)
RD Web Access will query every individual RD Session Host server for its allow list and
RemoteApp configuration. For farms, RD Web Access will choose one of the servers in each
farm to query, but should that server become unavailable, it will query another farm member
instead.
FIGURE 9-36 If RD Connection Broker is the RD Web Access source, RD Web Access gets allow list and
RemoteApp configuration data from RD Connection Broker.
RD Web Access gets allow list and RemoteApp configuration data from RD Connection
Broker, which gets the data from an RD Session Host server in each farm.
FIGURE 9-37 Add the RD Web Access server account to the TS Web Access Computers group on the
redirector.
If you use RD Connection Broker as the RD Web Access source, you need to add the RD
Connection Broker server computer account to the TS Web Access Computers group on the
farm redirector or redirectors, and then add the RD Web Access server computer account to
the TS Web Access Computers group on the RD Connection Broker, as shown in Figure 9-38.
FIGURE 9-38 Add the RD Connection Broker server account to the TS Web Access Computers group on
the redirector and add the RD Web Access server account to the TS Web Access Computers group on the
RD Connection Broker. (Diagram labels: Initial Load Balancing: Dedicated Redirector; RD Web Access
Source: RD Connection Broker; the RD Connection Broker server is added to the TS Web Access Computers
group on each RD Session Host server farm redirector; the RD Web Access server is added to the TS Web
Access Computers group.)
Also, although the redirector is not accepting connections, it is a farm member in all other
respects, and because RD Connection Broker or RD Web Access queries the redirector for
allow list and RemoteApp configuration data, the redirector has to be configured identically
to other farm members. This includes having the exact same RemoteApp settings. For
example, if you do not add the farm certificate to a redirector, then when a RemoteApp is
started from the website, it will be trying to reach the farm name, so it will show a certificate
error when the name on the redirector certificate does not match the farm name, as shown in
Figure 9-39.
FIGURE 9-39 Avoid getting an error by adding the certificate containing the farm name to the RDP-Tcp
Properties General tab of RD Session Host Configuration.
Configuring WebSSO
To minimize the number of times users must present credentials, enable Web SSO. Web SSO
stores the credentials that a user uses to log on to the RD Web Access website and then uses
them to authenticate the user when he or she opens a RemoteApp program via the website
(or via RemoteApp And Desktop Connections on a client running Windows 7). The user does
not receive any more login prompts when the user starts a RemoteApp.
NOTE Web SSO works only for authentication to RemoteApp programs. There is no way
to use Web SSO to pass credentials to a full desktop connection or VM connection.
tion method by double-clicking GatewayCredentialsSource and specifying the corresponding
number value as follows:
■ 0 NTLM (password)
■ 1 Smart Card
■ 4 User Chooses Later (the default)
External users will access the Remote Desktops tab of the RD Web Access website and type
in the name of the computer to which they want to connect. The connection will be made
securely through RD Gateway.
If you do not want users to be able to use the Remote Desktop capabilities from the RD
Web Access website, double-click Show Desktops and change the default entry (True) to
False. This will hide the Remote Desktops tab. The changes take place immediately, so if the
web page is open, refresh the page to see those changes. Allow or disallow the following
resource redirection options by double-clicking each option and changing the value for the
entry to True (enable) or False (disable):
■ xClipboardRedirection
■ xDriveRedirection
■ xPnPRedirection
■ xPortRedirection
■ xPrinterRedirection
Alternatively, you can use a text editor such as Notepad to modify the Web.config file for
the RD Web Access website located at %WinDir%/Web/RDWeb/Pages/Web.config. Locate
these entries (under the heading <!-- Devices And Resources: Preset The Checkbox Values To
Either True Or False -->) and change the value to "true" or "false" as needed as follows:
NOTE If PnP, Port, and Drive redirection options are shaded and unavailable, add the
website to the web browser’s Trusted Sites list and they will become available.
When you allow other redirection capabilities (clipboard and printer redirection is enabled
by default), they will not actually be enabled. However, by allowing other types of redirection
you give users the option to enable that type of redirection when they initiate a connection
via the Remote Desktops tab. When a user inputs a computer name and clicks Connect, the
RDP file starts. The user can now click the Details button and enable the types of redirection
that you have allowed by selecting the box next to the type of redirection that he or she
wants to enable and then clicking Connect.
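As an added example (not from the book), the following PowerShell script applies the Web.config settings discussed above in one pass: it hides the Remote Desktops tab and leaves only clipboard redirection allowed, then re-reads the file to confirm the values stuck. It assumes the settings are stored as <add key="..." value="..."/> entries under <appSettings> in the Pages\Web.config path given above, and that the Show Desktops entry's key is spelled ShowDesktops.

```powershell
# Added example, not from the book: lock down the Remote Desktops tab settings that
# RD Web Access reads from Web.config, then verify the file after saving.
# Assumption: keys live as <appSettings><add key="..." value="..."/> entries in
# %WinDir%\Web\RDWeb\Pages\Web.config; the key name ShowDesktops is assumed.
$configPath = Join-Path $env:WinDir 'Web\RDWeb\Pages\Web.config'

# Desired state: no Remote Desktops tab, and no client-side redirection except the
# clipboard. A user can only turn on a redirection type that is allowed here.
$desired = @{
    'ShowDesktops'          = 'false'
    'xClipboardRedirection' = 'true'
    'xDriveRedirection'     = 'false'
    'xPnPRedirection'       = 'false'
    'xPortRedirection'      = 'false'
    'xPrinterRedirection'   = 'false'
}

# Read one appSettings value; returns $null when the key is absent.
function Get-RDWebAppSetting {
    param([xml]$Config, [string]$Key)
    $node = $Config.configuration.appSettings.add | Where-Object { $_.key -eq $Key }
    if ($node) { return $node.value } else { return $null }
}

# Write one appSettings value and return a one-line change record.
function Set-RDWebAppSetting {
    param([xml]$Config, [string]$Key, [string]$Value)
    $node = $Config.configuration.appSettings.add | Where-Object { $_.key -eq $Key }
    if (-not $node) {
        throw "appSettings key '$Key' not found; the file layout differs from the assumption."
    }
    $old = $node.value
    $node.value = $Value
    return "$Key : $old -> $Value"
}

Copy-Item $configPath "$configPath.bak" -Force      # keep a restore point before editing
[xml]$xml = Get-Content $configPath
foreach ($key in $desired.Keys) {
    Set-RDWebAppSetting -Config $xml -Key $key -Value $desired[$key]
}
$xml.Save($configPath)

# Verify by re-reading the saved file rather than trusting the in-memory object.
[xml]$check = Get-Content $configPath
$mismatches = @()
foreach ($key in $desired.Keys) {
    $actual = Get-RDWebAppSetting -Config $check -Key $key
    if ($actual -ne $desired[$key]) { $mismatches += "$key is '$actual', expected '$($desired[$key])'" }
}
if ($mismatches.Count -eq 0) {
    Write-Host "Web.config verified: Remote Desktops tab hidden, only clipboard redirection allowed."
} else {
    Write-Warning ("Verification failed:`n" + ($mismatches -join "`n"))
}
```

As the chapter notes, the change is picked up immediately; a browser already on the page needs a refresh to see it.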
DIRECT FROM THE SOURCE
RDP file signing lets you put some user protection in place by allowing an RDP
file’s publisher to sign the file with a digital certificate. So, if you trust the
publisher, you know you can trust the RDP connection. Unsigned files will show a
warning label when they are started.
If you’re using RD Web Access to make both RemoteApps and full remote desktops
available, you might notice something odd if you’re using RDP file signing. When
you start RemoteApps, the dialog box will indicate that the files are signed (that is,
they will identify the publisher of the file). When you start a connection from the
Remote Desktops page, the dialog box will warn that the Publisher is not known,
meaning that the file is unsigned.
Whether you click an icon on the RemoteApp Programs page or the Connect button
on the Remote Desktops page, doing so creates an RDP file. There’s one important
difference between these approaches, however: When you click an icon on the
RemoteApp Programs page, an RDP file that has been created from settings on the
RD Session Host server is channeled to the client. When you click Connect on the
Remote Desktops page, the client creates the RDP file. The following illustrations
show this.
(Illustration: Web.config settings are sent from the RD Web Access Server to the Client.)
RDP signing is available for RemoteApps but not for connections to full desktops.
Here’s why: The RDP file created when you start a RemoteApp from RD Web Access
is created on the RD Session Host server using the configuration settings set in
RemoteApp Manager. You can specify a digital certificate in RemoteApp Manager
with which to sign RemoteApps. If you have specified a digital certificate, the RDP
file will be signed when it’s created and then channeled to the client. Thus, the pub-
lisher of the RDP file will be identified to the client.
In contrast, an RDP file is created on the client when you click the Connect button
on the Remote Desktops page, combining the settings specified in the Web.config
file and Desktop.aspx on the RD Web Access server, along with any input from the
user. There’s no setting on the client to specify a digital certificate to use to sign
RDP files that it creates. The client does not sign the file, and the publisher is shown
as unidentifiable.
NOTE To restore the link to point to the default URL, right-click the rdcInstallUrl applica-
tion setting and then click Remove.
Alternatively, you can use a text editor such as Notepad to modify the Web.config file
for the RD Web Access website directly. By default, the path of the configuration file is
%WinDir%\Web\RDweb\Web.config. To modify the file, under the <appSettings> section of
the file, add an entry like this one, where URL is the target URL for the link:
Customizing Titles and Subtitles
There are three main pages of the RD Web Access website: RemoteApp Programs, Remote
Desktop, and Configuration. Each page contains two lines in the upper-left portion of the page:
■ The Page Title (the default is "Remote Desktop Services Default Connection")
■ A page description or Subtitle area (the default is "Remote Desktop Services Default
Connection")
Here is how to rename each page:
■ All Page Titles are changed by editing the %WinDir%\Web\RDWeb\App_Data\
RDWebAccess.Config file line:
■ However, if you set the Connection Settings on an RD Connection Broker server, these
will show up as the Display name for all RD Web Access website pages.
■ To change the Subtitle area of the Login page, open Login.aspx in a text editor and
find and edit this string:
if ( objForm != null )
{
strDomainUserName = objForm.elements("DomainUserName").value;
strPassword = objForm.elements("UserPass").value;
strWorkspaceId = objForm.elements("WorkSpaceID").value;
strRDPCertificates = objForm.elements("RDPCertificates").value;
to this:
if ( objForm != null )
{
strDomainUserName = objForm.elements("DomainUserName").value;
Substitute your domain NetBIOS name in the code where it says "YOUR-DOMAIN-HERE"
(in bold in the code shown here).
DIRECT FROM THE SOURCE
Let's say that you're attempting to access a Remote Desktop via RD Web Access.
Although the clients attempting to access the RD Web Access page are all on the
same subnet as the RD Web Access server, you’ve configured the network so that
they’re actually connecting via the Internet, not the intranet. Therefore, you’d like
to require that these clients use RD Gateway.
There’s no check box on the Remote Desktops page to force the use of RD Gateway,
but you can make it happen by editing Desktop.aspx from this
to this
All Remote Desktop connections initiated from that RD Web Access site should now
go through RD Gateway.
Finally, save the file.
Troubleshooting RD Web Access Permissions
If you run into problems implementing RD Web Access, it's sometimes a permissions problem.
Here are some general troubleshooting tips:
■ Make sure that the correct computer accounts are added to the needed security
groups on RD Session Host servers and RD Connection Broker.
■ The Windows Authorization Access Group located in Active Directory Users And
Computers needs to have the RD Connection Broker server in it if it is used in RD Web
Access to check access control lists (ACLs) and do the filtering.
■ If you have verified that the pertinent permissions have been given to the appropriate
servers and you still receive Event Id 1011 on the RD Connection Broker,
● Look in the Event Viewer under Applications and Services Logs/Microsoft/
Windows/RemoteApp and Desktop Connection Management and see if any
errors exist there that will lead you to how to fix your issue.
● Check to see that WMI Security and COM security are correct on each RD Session
Host server. This is normally taken care of for you, but it is worth checking if you
are having problems adding an RD Web Access source to the website. On each RD
Session Host server, check the following:
WMI Security Settings:
1. Start the WMI Control MMC snap-in.
2. Right-click the WMI Control node and select Properties.
3. Go to the Security tab and navigate to Root, CIMV2, TerminalServices.
4. Highlight TerminalServices and click Security.
5. Confirm that localserver\TS Web Access Computers is listed with Execute Methods,
Enable Account, and Remote Enable set to Allow.
DCOM Security Settings:
1. Start the Component Services MMC snap-in and navigate to Component Services,
Computers, My Computer.
2. Right-click My Computer and select Properties.
3. Go to the COM Security tab, and under Access Permissions, click Edit Limits.
4. Make sure the TS Web Access Computers have all the permissions set to Allow.
5. Under Launch And Activation Permissions, click Edit Limits and confirm that the
localserver\TS Web Access Computers is listed, with all the permissions set to
Allow.
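The WMI query that RD Web Access makes against each RD Session Host source (described earlier under the source discussion) can be reproduced by hand, which turns a vague Event Id 1011 into a per-server error message. The following PowerShell script is an added example, not from the book; it assumes the allow list is exposed through the Win32_TSPublishedApplication class in the root\cimv2\TerminalServices namespace with a ShowInPortal property, and the server names are placeholders.

```powershell
# Added example, not from the book: from the RD Web Access server, reproduce the WMI
# query the role service makes against each RD Session Host source, so a permissions
# problem (TS Web Access Computers group, WMI or DCOM security) surfaces per server.
# Assumptions: Win32_TSPublishedApplication in root\cimv2\TerminalServices lists the
# allow list and its ShowInPortal property marks apps shown in the portal; the script runs
# under an account permitted to query the sources.
param([string[]]$Sources = @('rdsh01.contoso.local', 'rdsh02.contoso.local'))  # placeholders

function Test-RDWebSource {
    param([string]$Server)
    $result = New-Object PSObject -Property @{
        Server = $Server; Reachable = $false; PortalApps = @(); Error = $null
    }
    try {
        $apps = Get-WmiObject -ComputerName $Server -Namespace 'root\cimv2\TerminalServices' `
                              -Class Win32_TSPublishedApplication -ErrorAction Stop
        $result.Reachable  = $true
        # Only ShowInPortal entries are what RD Web Access would display for this source.
        $result.PortalApps = @($apps | Where-Object { $_.ShowInPortal } |
                               Select-Object -ExpandProperty Name)
    } catch {
        # "Access denied" points at the security group, WMI or DCOM steps above;
        # "RPC server is unavailable" points at firewall or name resolution instead.
        $result.Error = $_.Exception.Message
    }
    return $result
}

foreach ($s in $Sources) {
    $r = Test-RDWebSource -Server $s
    if ($r.Reachable) {
        "{0}: {1} allow-list entries shown in the portal: {2}" -f $r.Server, $r.PortalApps.Count, ($r.PortalApps -join ', ')
    } else {
        "{0}: query failed - {1}" -f $r.Server, $r.Error
    }
}
```

Running this as the RD Web Access computer account (for example through a scheduled task running as SYSTEM) tests exactly the identity the role service uses.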
Using the RD Web Access Website
The RD Web Access role service supports two ways of presenting applications to users: the RD
Web Access website and the RemoteApp And Desktop Connections tool in Windows 7. In this
section, you'll learn how to use the RD Web Access website.
NOTE To use RD Web Access, the clients must have RDC 6.1 or later installed. RDC 7.0 or
later is recommended for the best user experience. See Chapter 6 for more information
about RDC and where to get updated versions of the client.
FIGURE 9-41 The RD Web Access website requires the Microsoft Remote Desktop Services ActiveX control
to be enabled.
Right-click the Information Bar (a yellow bar) and choose Run Add-on to install the control.
Users running Windows XP SP3 might not see this pop-up message. Instead, the user might
log in and get the message shown in Figure 9-42.
FIGURE 9-42 Users of Windows XP might receive a message telling them that the Remote Desktop
Services ActiveX client is not available.
To install the control, click Tools/Internet Options, select the Programs tab, and click the
Manage Add-ons button at the bottom of the dialog box. Select Show All Add-ons from the
drop-down menu on the right side of the page. Then find the Microsoft RDP Client Control in
the left pane, select it, and click the Enable button at the lower-right side of the page. Then
click Close.
To log onto the website, enter a user name in the form of domain\username, such as ASH\
kristin griffin. Enter the user's password. Choose a security mode that describes the computer
that you are using, and then click Sign in.
Logging In
The RD Web Access login page has an option that specifies whether the computer used to
access RD Web Access is a private computer, meaning you are the only one that uses the
computer, or a public computer. If you pick the Private option, then the session will stay active
longer if there is a period of inactivity.
NOTE If you have enabled Computer Configuration Policies Administrative Templates
Security Credentials Delegation Allow Delegating Default Credentials and applied it
to your pooled or personal VMs, you may notice one other effect of choosing Public or
Private mode for RD Web Access. When this GPO is enabled and applied to VMs and you
have set the RD Web Access page to Private Mode, you will not be prompted for creden-
tials when you click the icon for the VM pool or personal VM. Instead, you will be logged
in using the credentials you logged onto the computer with. This is great if those are the
credentials you need to log into VMs, but if the credentials used for local logins differ from
the credentials used to log into VMs, you might want to avoid this GPO for VMs since it will
present the wrong credentials and the login will fail.
When you have logged on to the website, you will be taken to the RemoteApps page
shown in Figure 9-43.
FIGURE 9-43 The RD Web Access RemoteApp Programs page offers a number of options.
When users open the RD Web Access website, they are provided with a web page with two
tabs, the RemoteApp Programs tab and the Remote Desktops tab. The RemoteApp Programs
tab contains links to available RemoteApps and VMs and also links to full desktop sessions for
RD Session Host servers or farms as permitted in RemoteApp Manager. The Remote Desktops
tab provides access to other remote desktops on the network.
When a user clicks a RemoteApp icon in RD Web Access (or chooses a desktop to connect
to, as discussed in the next section, "Connecting to Resources"), the ActiveX control in the
browser creates a temporary RDP file in the user's Temp folder on the client. The RDP file will
have a randomly generated name that begins with TSPORTAL and includes a five-digit number.
Next, the ActiveX control calls Mstsc.exe and points it to the path of the new RDP file, as
in this example for an RDP file named TSPORTAL#12345:
This command starts Mstsc.exe exactly as if you had pointed it to any other RDP file, creating
the connection.
Connecting to Resources
You can use the RD Web Access website to connect to RemoteApp programs, VMs, full desktops
on a RD Session Host server, or even your personal computer.
The resources that a user sees are based on his or her access rights—that is, users see only
resources that they in fact have permission to access. When a user clicks an application icon,
this will start an RDP file and the RemoteApp executes. If you remove an application from the
allow list on the RD Session Host server(s), the application is no longer displayed in the web
part.
One of the biggest advantages of deploying RemoteApps using RD Web Access is that the
RDP files created through the website use the settings specified in the RemoteApp Manager
of the associated RD Session Host server. Therefore, they are always up to date. You don't
need to redistribute RDP files to users whenever a change occurs in the RemoteApp Manager.
NOTE You might notice that some settings do not change immediately in RD Web
Access when you make a change to an RD Web Access source and you use RD Connection
Broker as the source. This is because the RD Web Access service caches settings from RD
Connection Broker for three minutes at a time for performance reasons.
NOTE The user needs to be a member of the Remote Desktop Users group of the
specified computer to connect remotely to that computer.
From the Remote Desktops tab, a user provides the name of the computer to connect with, and an RDP file is created and opened. The user provides proper credentials, and the remote desktop session starts.
NOTE The connection options used when RDP files are created from the Remote Desk-
tops tab do not adhere to RemoteApp Manager. Instead, the options are set in IIS. This is
discussed in the section entitled “Configuring RD Web Access Remote Desktop Connection
Options” earlier in this chapter.
To get to your desktop, first make sure that the RD Web Access site is one of your Trusted websites. Then click the Remote Desktop link to open the Remote Desktop page shown in Figure 9-44.
FIGURE 9-44 Access other desktops from the Remote Desktop webpage.
From here, users can connect to servers, and to other computers that have Remote Desktop enabled, by typing in the name of the computer, selecting the screen size, and clicking Connect. When a user clicks Connect, an RDP file pointing to the computer specified is created on the user's computer, using the settings defined in Web.config on the RD Web Access server.
NOTE A user must be a member of the computer’s Remote Desktop Users security group
to log on remotely.
The Options button provides a set of RDP settings that the user can adjust, including device and resource redirection, whether to allow keyboard shortcuts in the remote desktop session, and the speed of the connection. However, if these options are specified using Group Policy or RD Configuration, then the settings specified by the user are ignored.
HOW IT WORKS
Configuring RemoteApp And Desktop Connections on Unmanaged Computers
One advantage to using RD Web Access to display RDS resources is that the computer the user connects from doesn't have to be a work computer. As long as users know which URL to connect to and the computer meets the minimum requirements for connecting (RDC 6.1 to use the RD Web Access website, or Windows 7 to connect to RemoteApp And Desktop Connections), then they can log on from anywhere they can connect. The computer they use does not have to be joined to the domain or have ever been connected to it.
To set up RemoteApp And Desktop Connections manually, follow these steps:
1. Open the Control Panel and click the icon for RemoteApp And Desktop Connections to open the initial screen. If no RemoteApp And Desktop Connections exist now, the right pane will be blank.
2. Click the link to add a new RemoteApp And Desktop Connection.
3. Type the URL the administrator provided in the text box. This URL will look something like this: https://servername/rdweb/feed/webfeed.aspx, where servername is the name of the RD Web Access server. Click Next.
4. You'll see a warning that you're connecting to the feed and this will download content to your computer. Click Next again to agree to this.
5. You'll see a progress bar as the connection is made, and then you'll see a display screen showing that the connection was made successfully (see Figure 9-45). This page will show the name of the resource and the RemoteApp programs and VMs assigned to you.
FIGURE 9-45 When you connect successfully to a RemoteApp and Desktop Connection feed, the number of resources at the time of connection will appear in the feed.
After you've connected to the feed, the contents will appear on the Start menu, as shown in Figure 9-46. It's possible to connect to more than one feed; the contents of each will appear as nested folders.
FIGURE 9-46 All RemoteApp And Desktop Connections appear on the Start menu.
ON THE COMPANION MEDIA You can download the Configure RemoteApp and
Desktop Connection on Windows 7 Clients script located at http://gallery.technet.
microsoft.com/ScriptCenter/en-us/313a95b3-a698-4bb0-9ed6-d89a47eacc72 on the
companion media.
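The feed that the Control Panel applet subscribes to in step 3 is an XML document served over HTTPS with Windows authentication, and the client only accepts it if the server's certificate chains to a trusted root. The following PowerShell is an added example, not part of the book or of the companion script: it fetches such a feed the way the applet does and lists the resources it advertises. It assumes that resource entries in the feed are <Resource> elements carrying Title, Alias and Type attributes (verify this against your own server's output), and the server name in the usage line is hypothetical.

```powershell
# Added example (not from the book): fetch a RemoteApp and Desktop Connections
# feed over HTTPS with Windows credentials and list what it advertises.
# Assumption: resource entries are <Resource> elements with Title, Alias and
# Type attributes; adjust the XPath and attribute names if your feed differs.

function Get-RdWebFeed {
    param(
        [Parameter(Mandatory=$true)][string]$FeedUrl,
        [System.Management.Automation.PSCredential]$Credential
    )

    $uri = New-Object System.Uri $FeedUrl
    if ($uri.Scheme -ne 'https') {
        throw "Refusing to fetch the feed over $($uri.Scheme): credentials would be sent in the clear."
    }

    $client = New-Object System.Net.WebClient
    if ($Credential) {
        $client.Credentials = $Credential.GetNetworkCredential()
    } else {
        # Same behaviour as the Control Panel applet on a domain-joined machine:
        # authenticate with the logged-on user's Windows credentials.
        $client.UseDefaultCredentials = $true
    }

    # The .NET HTTPS stack validates the server certificate against this
    # machine's trusted root store. An untrusted (for example self-signed)
    # RD Web Access certificate fails here with a WebException instead of
    # being silently accepted.
    $raw = $client.DownloadString($uri)
    [xml]$raw
}

function Get-RdWebFeedResources {
    param([Parameter(Mandatory=$true)][xml]$Feed)
    # Assumption: resource entries are elements named "Resource" in any namespace.
    foreach ($node in $Feed.SelectNodes("//*[local-name()='Resource']")) {
        New-Object PSObject -Property @{
            Title = $node.GetAttribute('Title')
            Alias = $node.GetAttribute('Alias')
            Type  = $node.GetAttribute('Type')
        }
    }
}

# Usage (hypothetical RD Web Access server name):
# $feed = Get-RdWebFeed -FeedUrl 'https://rdweb.contoso.com/rdweb/feed/webfeed.aspx'
# Get-RdWebFeedResources -Feed $feed | Format-Table Title, Type, Alias -AutoSize
```

Because the function refuses plain http:// URLs and relies on the default certificate validation, a feed URL that "works" with this script is one that an unmanaged Windows 7 client will also accept without a certificate warning.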
Updating a RemoteApp and Desktop Connection
The feed will update regularly (refreshing itself every 24 hours; this doesn't mean you will necessarily wait 24 hours to see changes you made), but you can also force updates if required. To do so, open RemoteApp And Desktop Connections in the Control Panel and choose the connection, click Properties, and then click Update. Then click OK.
CAUTION The URL isn’t cached anywhere, so don’t break a connection that you
might want to return to without having the URL available.
Summary
One of the best things about RDS is that it reduces the cost of adding one more user to the company or department. Rather than setting up a computer for each person, you just give access to the VM pool or to the RD Session Host server. To really take advantage of this flexibility, you'll need to deploy more than one server to build a farm.
At this point, you should know:
■ How to load-balance initial connections to a farm
■ How you can display remote resources for users
■ How to configure RD Web Access server to display RemoteApp programs and VMs and how to filter their display according to user identity
■ How the roles supporting farm access work together
■ Methods of customizing the resource display
So far, this book has focused on accessing VMs and RemoteApp programs from the LAN. In Chapter 10, you'll move on to information about supporting WAN scenarios with RD Gateway.
Additional Resources
These resources contain additional information and tools related to this chapter.
■ For information on creating a Kerberos identity for an RD Session Host server farm, see the article on the team blog located at http://blogs.msdn.com/b/rds/archive/2009/05/20/creating-kerberos-identity-for-rd-session-host-farms-part-i-using-the-remote-desktop-services-provider-for-windows-powershell.aspx.
■ See the companion media for a link to http://blog.powershell.no/category/remote-desktop-services/, where you can find a new Windows PowerShell module for RDS that includes cmdlets for importing and exporting allow lists.
■ A link to "Customizing Remote Desktop Web Access by Using Windows SharePoint Services Step-by-Step Guide" is available on the companion media, or you can download it from http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=eb2b786f-2a70-4045-a899-6d7c9a794fbc.
■ Download the Configure RemoteApp and Desktop Connection on Windows 7 Clients script from http://gallery.technet.microsoft.com/ScriptCenter/en-us/313a95b3-a698-4bb0-9ed6-d89a47eacc72. (The link is also available on the companion media.)
■ You can add command-line switches when starting Office applications. For example, see http://office.microsoft.com/en-us/excel-help/command-line-switches-for-excel-HA010158030.aspx#BM4 to open Excel with custom options. Also, see http://partners.adobe.com/public/developer/en/acrobat/PDFOpenParameters.pdf#page=5 to learn how to open Adobe Acrobat files with custom options.
CHAPTER 10 Making Remote Desktop Services Available from the Internet
So far in this book, you have learned how to access RemoteApp programs, virtual machines (VMs), and Remote Desktop (RD) Session Host sessions when your users are located on your internal network. But what if they want to access these resources from home, from an Internet café, or another public place? The RD Gateway role service allows secure Remote Desktop Protocol (RDP) access from clients located outside the corporate network to resources located inside the corporate network, without needing any special software on the client, as long as it supports connecting via RD Gateway.
3. RD Gateway first authenticates the client and verifies that the client is authorized to make this connection by checking the user credentials against its RD Connection Authorization Policies (RD CAPs).
4. If the client is authenticated and authorized, RD Gateway then verifies that the client is allowed to connect to the requested resource by checking its RD Resource Authorization Policies (RD RAPs).
5. If the client is allowed access to the requested resource, RD Gateway establishes an RDP connection to the resource. Thereafter, all traffic for this connection is proxied through RD Gateway, as shown in Figure 10-1. RD Gateway forwards packets back and forth between the RD Session Host server and the remote client, sending RDP packets over port 3389 to the internal RDP resource, and Secure Sockets Layer (SSL)–encapsulated packets over port 443 to the remote client.
[Figure 10-1 diagram: Remote Client <-- SSL tunnel, port 443 --> RD Gateway <-- RDP session, port 3389 --> RDP resources on the internal network]
FIGURE 10-1 RD Gateway acts as the middleman for connections to RDP resources.
Understanding RD Gateway Authorization Policies
RD Gateway uses two distinct types of authorization policies, in consecutive order, to control connections to internal RDP resources. First, the connecting client's user, and optionally computer, credentials are checked against RD CAPs to see that the connecting client is allowed to access RD Gateway. Specifically, RD CAPs define:
■ Which users (specified by user group membership) can connect to RD Gateway
■ From which computers (specified by computer group membership) users can connect (optional)
■ Supported authentication methods (smart card or password)
■ Which client devices will be redirected to the remote session
■ Optional timeouts for active and idle sessions
RD CAPs are stored in a Network Policy Server (NPS), part of the Network Policy and Access Services role in Windows Server 2008 R2. The Network Policy and Access Services role is installed automatically when you install RD Gateway; if you like, you can elect to store the RD CAPs on a central NPS to allow multiple RD Gateway servers to draw their RD CAPs from the same server. (This also makes sense if you're using NPS for other reasons.)
NOTE The section entitled “Using a Central NPS to Store RD CAPs” later in this chapter
provides more information about how to set up centralized RD CAPs.
After the RD Gateway has established that its RD CAPs allow the user to connect, it checks the resource requested against its RD RAPs. RD RAPs specify which internal resources (specified by computer groups) a user is allowed to access via RD Gateway. This two-tiered system makes it possible to specify, for example, that a user can connect via the Internet but cannot connect to his or her desktop computer via RD Gateway, even though he or she can do so when connecting from the local area network (LAN).
Think of RD CAPs and RD RAPs as specifying who can get to what. RD CAPs define who can connect to RD Gateway, and RD RAPs define what internal resources user groups can connect to after they connect to RD Gateway. You can have multiple RD CAPs and RD RAPs in use at the same time. A user must meet the requirements specified on at least one RD CAP and one RD RAP to connect to RD Gateway and then to do anything after that.
To use RD Gateway, you must create at least one RD CAP and one RD RAP. But you might need more than one of each to control access to RD Gateway and to network resources more explicitly. Defining multiple RD CAPs and RD RAPs allows you to be very specific when granting network access instead of giving clients full access to every RDP-enabled device on the network that they could get to while on the LAN.
It's easiest if you group RD CAPs and RD RAPs conceptually. For instance, you can use two RD CAPs and two RD RAPs to specify the following connection requirements:
■ Company Accounting Team Remote Access Authorization Policies
• RD CAP: Accounting user group members can establish a connection to RD Gateway, but only when they are using computers that belong to the Accounting computer group. These users can connect only using smart cards, and device redirection will be disabled.
• RD CAP: Sales user group members can connect to RD Gateway from any computer. They can use password authentication, and clipboard and printer redirection are allowed.
• RD RAP: Sales user group members can connect to computers that are members of the Sales computer group.
NOTE The next section will show you how to create an RD CAP and RD RAP as part of the
RD Gateway installation procedures. For information on creating RD CAPs and RD RAPs
post-installation, see the section entitled “Creating and Maintaining RD Gateway Authori-
zation Policies” later in this chapter.
RD Gateway Requirements
RD Gateway is an RDS role service and therefore runs on Windows Server 2008 R2. Hardware requirements can vary, depending on the load the role service will accommodate. But in general, RD Gateway can accommodate a large number of concurrent connections on standard server hardware. For example, RD Gateway capacity planning information provided in the Windows Server 2008 R2 guide shows that a dual processor server with 4 GB of RAM can accommodate more than 1200 connections.
It's also worth noting that RD Gateway can be virtualized. RD Gateway can also be limited as to the number of simultaneous connections it can accommodate, depending on the version of Windows Server 2008 R2 you are using. See the section entitled "Limiting Simultaneous Connections to RD Gateway" later in this chapter for more information on this limitation. Windows Server 2008 R2 Standard edition can accommodate a maximum of 256 connections. Foundation edition can accommodate a maximum of 50 simultaneous connections. Windows Server 2008 R2 Enterprise and Datacenter editions are unlimited.
To implement RD Gateway, you'll need certificates that allow the client and RD Gateway to set up a trusted communications channel, and the clients will need to use a supported operating system and RDP client.
First, you'll need a certificate for RD Gateway to use. For RD Gateway and remote clients to establish an encrypted connection to one another, you must install a server authentication certificate (an SSL certificate) in the RD Gateway server certificate store. You can get the certificate from a public certificate authority (CA), or if you maintain your own Public Key Infrastructure (PKI), you can generate your own server authentication certificate.
NOTE For testing purposes, you can create a self-signed certificate using RD Gateway
Manager, but it is not recommended to use self-signed certificates in a production
environment.
Regardless of where you get the certificate, remote computers connecting to the RD Gateway server will attempt to verify the validity of the RD Gateway certificate. They do this by searching their own trusted root certificate store for the root CA certificate of the CA that signed the RD Gateway certificate (any intermediate CA certificates between the two are normally supplied by the server during the SSL handshake). If the root CA certificate is there, the client trusts the root CA and therefore can trust the RD Gateway server (this is called the chain of trust). If not, then the connection will not be established.
It's often easiest if you use public certificates or have your own certificates signed by a public CA. You might not have control over the remote computers used to connect to RD Gateway if they're not company assets or computers belonging to the users connecting via the Internet. Therefore, either purchase an SSL certificate from a public CA that is part of the Microsoft Root Certificate Program or have your root CA certificate cosigned by a public CA that is part of this program. Members of this program have their root CA certificates already installed on Windows operating systems (and they can be updated by Windows Update), so you will decrease the chance of user connections failing due to certificate validation issues. If you use certificates that aren't already in the client's trusted store, users will need to install them before they can connect to RD Gateway.
NOTE For more information on the Microsoft Root Certificate Program and certificates in
general, see Chapter 9, “Multi-Server Deployments.”
To work with RD Gateway, the SSL certificate must have the following attributes:
■ The certificate must be a computer certificate, because the client is authenticating a server, not a person.
■ The extended key usage for the certificate must be Server Authentication (OID 1.3.6.1.5.5.7.3.1).
■ The certificate Subject name should match the Domain Name System (DNS) name that the client will use to connect. For instance, if remote users will connect to the RD Gateway name of rdgateway.ilove2ski.net, this needs to be the subject on the certificate. You can also use a wildcard certificate to work for all subdomains (for example, *.ilove2ski.net).
NOTE To specify multiple alternative names for a certificate, use a certificate that uses
the Subject Alternative Name (SAN) attribute. For example, if you use both the .com
and .net variations of your domain, you can specify both rdgateway.ilove2ski.net and
rdgateway.ilove2ski.com. If the certificate uses the SAN attributes, then users can con-
nect only using RDP 6.1 (available in Windows Vista SP1, Windows XP SP3, or Windows
Server 2008) and later.
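The following PowerShell is an added example, not from the book, that checks a certificate in the computer store against the attributes just listed: a private key (a usable computer certificate), the Server Authentication EKU, a Subject or SAN DNS name matching the gateway's public name (with wildcard matching limited to a single label), the validity period, and a chain that builds to a root this machine trusts. The host name rdgateway.ilove2ski.net is the book's example name; everything else uses the standard .NET X509 classes.

```powershell
# Added example (not from the book): test whether a certificate in
# Cert:\LocalMachine\My meets the RD Gateway SSL certificate requirements.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($cn) { $names += $cn }
    # Subject Alternative Name extension (OID 2.5.29.17). On Windows, Format()
    # renders it as "DNS Name=a.example.com, DNS Name=b.example.com".
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    $names | Select-Object -Unique
}

function Test-DnsNameMatch {
    param([string]$Pattern, [string]$HostName)
    if ($Pattern.StartsWith('*.')) {
        # A wildcard covers exactly one label: *.ilove2ski.net matches
        # rdgateway.ilove2ski.net but not ilove2ski.net or a.b.ilove2ski.net.
        $suffix = $Pattern.Substring(1)
        return ($HostName.EndsWith($suffix, 'OrdinalIgnoreCase') -and
                ($HostName.Split('.').Count -eq $Pattern.Split('.').Count))
    }
    return [string]::Equals($Pattern, $HostName, 'OrdinalIgnoreCase')
}

function Test-RdGatewayCertificate {
    param(
        [Parameter(Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory=$true)][string]$HostName
    )
    $problems = @()

    if (-not $Cert.HasPrivateKey) {
        $problems += 'no private key in the store (not a usable computer certificate)'
    }

    # Extended key usage must include Server Authentication.
    $hasServerAuth = $false
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $ServerAuthOid) { $hasServerAuth = $true }
            }
        }
    }
    if (-not $hasServerAuth) { $problems += "EKU lacks Server Authentication ($ServerAuthOid)" }

    # Subject CN or a SAN entry must match the name clients will type.
    $names = @(Get-CertificateDnsNames $Cert)
    $matched = $false
    foreach ($n in $names) { if (Test-DnsNameMatch $n $HostName) { $matched = $true } }
    if (-not $matched) {
        $problems += "neither Subject CN nor SAN matches $HostName (names: $($names -join ', '))"
    }

    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) { $problems += 'outside validity period' }

    # Chain building uses this machine's trusted root store, which is the same
    # check a remote client performs against its own store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain does not build to a trusted root: $status"
    }

    New-Object PSObject -Property @{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Suitable   = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage: report every certificate in the computer store against the gateway's public name.
# Get-ChildItem Cert:\LocalMachine\My |
#     ForEach-Object { Test-RdGatewayCertificate -Cert $_ -HostName 'rdgateway.ilove2ski.net' } |
#     Format-List Subject, Suitable, Problems
```

Run it on the RD Gateway server before the role is configured; a certificate that passes here will also pass the "first server authentication certificate found" preselection trap described in the installation steps later in this chapter, because you will know its thumbprint and can confirm it is the one bound.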
Second, you'll need to ensure that the clients can use RD Gateway. RD Gateway has the following client requirements:
■ The clients must be running Windows XP (with Service Pack 2) or later. Windows CE and non-Windows clients don't work with RD Gateway natively.
■ The clients must have RDC 6.0 or later installed, or RDC 7 to support all the features of RD Gateway in Windows Server 2008 R2.
NOTE Although you can technically connect to RD Gateway using RDC 6.0, we recom-
mend using RDC 6.1 or later. RDC 6.0 lacks some important features such as the ability
to access RD Web Access and the ability to use SAN certificates on RD Gateway. And
remember, you need RDC 7.0 or later to get the latest feature set.
Installing RD Gateway
To install the RD Gateway Role Service, log on with an Administrator account and proceed through the wizard as described in the following steps:
1. Open Server Manager, add the Remote Desktop Services role, and choose the RD Gateway Role Service when prompted. If the Remote Desktop Services role is already installed, then select the Remote Desktop Services Role, click Add Role Service in the right pane, choose RD Gateway, and click Next.
2. You will be prompted to install any role services required for RD Gateway, as shown in Figure 10-2. RD Gateway requires Internet Information Services (IIS) 7.5, which includes the required RPC over HTTP Proxy feature, RSAT Role Administration Tools, and Network Policy and Access Services, which is used to store RD CAPs. Click Add Required Role Services and then click Next.
FIGURE 10-2 Install any required role services and features for RD Gateway.
3. You will be prompted to provide a server authentication certificate to use for establishing SSL connections. If you have already installed the required server authentication certificate in the server's Computer certificate store, it will appear in the list of certificates to choose from, as shown in Figure 10-3.
Otherwise, you can create a self-signed certificate (you should use this type of certificate only for testing in a nonproduction environment). If you don't currently have a certificate installed, you can skip this step by selecting Choose A Certificate For SSL Encryption Later. Click Next.
CAUTION If the RD Gateway server has more than one server authentication
certificate installed, the wizard will preselect the first one that it finds. This might
not be the one that you intend to use, and if it does not meet the requirements and
the user does not trust it, the connections won’t work. If you have more than one
server authentication certificate installed on the server, check to make sure that RD
Gateway is configured with the right certificate.
FIGURE 10-3 Choose an SSL certificate to use with RD Gateway.
4. On the next page, you'll be prompted to create the required RD CAP and RD RAP authorization policies; do so by selecting the option Now and then clicking Next. (You can also opt to do this later using the RD Gateway Management Console, but remember that you must have at least one RD CAP specified before users can be authorized to connect to RD Gateway and at least one RD RAP to enable users to get to resources.)
5. Add the local or domain user groups that will be associated with both the RD CAP and the RD RAP. First, you will create an RD CAP. By default, the local Administrators group is already added to the input box. Members of the user groups added here are allowed to connect to RD Gateway. To add multiple user groups, type them and separate them with a semicolon, or click the Add button to pick a group from Active Directory Domain Services (AD DS). If the user groups that you want to add are located in different domains, you must use the Add button to add each one. Click Next.
6. Specify the name for the RD CAP (the default when you do this during installation is TS CAP 01, but you can change it) and choose the Windows authentication method by which users specified in this RD CAP can connect to RD Gateway by selecting the check box next to Password or Smart Cards, or both boxes. Click Next.
7. Now you will create an RD RAP. Enter the name of the RD RAP (the default when you do this during installation is TS RAP 01) and add a domain computer group that contains the resources to which user groups will connect. Alternatively, you can give users full access to internal RD Session Host servers and computers with Remote Desktop enabled by choosing Allow Users To Connect To Any Computer On The Network. Click Next.
NOTE If you choose to create an initial RD RAP while installing RD Gateway, remember
that the wizard associated the same user group(s) with both the RD CAP and RD RAP.
You will need to edit the policies later if this is not specifically what you want.
8. If you are installing NPS, the Network Policy and Access Services introduction page appears. Click Next, and then click Next to install NPS.
9. If you previously chose to install IIS, then the Internet Information Services (IIS) introduction page appears. Click Next, and then click Next again to install the selected IIS role services.
10. Confirm the installation selections and click Install. When the installation is complete, you will see an Installation Results page showing that the installation is successful. Click Close.
If you use Windows PowerShell to install RD Gateway, you are not prompted to install any dependent components; they are installed automatically as needed. Also, an RD CAP and RD RAP are not created, so you must configure the policies manually before users can use RD Gateway. Finally, RD Gateway will not be configured to use an SSL certificate. You will need to install an appropriate certificate if you have not done so already, and manually configure RD Gateway to use it.
NOTE To see how to add an SSL certificate to an RD Gateway server, see the section en-
titled “Choosing an SSL Certificate to Use with RD Gateway” later in this chapter.
However, you can skip this step and configure them post-installation; you might not want to link the RD CAP and RD RAP as closely as the installation wizard does, and if you install via Windows PowerShell, you can't install an RD CAP or RD RAP while installing the role service. You'll need to know how to configure RD CAPs and RD RAPs post-installation and as your access strategy develops over time.
RD CAPs and RD RAPs work together to give remote users access to internal resources. Although the result relies on both of these items being configured, RD CAPs and RD RAPs are not necessarily tied to each other. That said, if you allow a user access to RD Gateway but do not give permission to connect to any resources, the connection will fail. Make sure that the RD CAPs and RD RAPs, although independent, complement each other.
NOTE Using the installation wizard to create RD CAPs and RD RAPs makes it appear that
the two are more linked than they are. The user groups that you specify in the RD CAP are
merely supplied in the corresponding user group entry box for both RD CAPs and RD RAPs,
but a user group can be associated with more than one RD RAP.
Creating an RD CAP
Creating an RD CAP after installation is similar to doing it using the installation routine described in the section entitled "Installing RD Gateway" earlier in this chapter. However, there are some differences that are pointed out in the following steps.
1. From RD Gateway Manager (located in the Remote Desktop Services tools), expand the Policies folder in RD Gateway Manager, right-click the Connection Authorization Policies folder, and choose Create New Policy, then choose Wizard to start the Create New Authorization Policies Wizard.
2. You still have the option to create both an RD CAP and an RD RAP, or to create only one or the other. If you choose to create both, the wizard will run through both the RD CAP and RD RAP wizards consecutively. This time, choose Create Only A RD CAP and click Next.
NOTE If you configure RD Gateway to use a centralized NPS, then RD CAPs are not
locally managed and stored. When RD CAPs are stored on a centralized NPS, you can
create only an RD RAP instead of both an RD RAP and RD CAP. You will instead see a
Central Network Policy Servers folder. If you right-click the folder and choose Configure
Central RD CAP, this will actually take you to RD Gateway Properties, where you can
adjust the settings for the centralized store. You have to create centralized RD CAPs on
the centralized NPS server instead. For more information on centralized RD CAPs see
the section entitled “Using a Central NPS to Store RD CAPs” later in this chapter.
3. Enter a name for the RD CAP (to help you distinguish RD CAPs, use a specific naming convention for your authorization policies, perhaps related to the user group it will apply to) and click Next.
4. Specify the Windows authentication method (password, smart card, or both) that is required, and then add the user groups and the computer groups that are authorized to connect to RD Gateway, as shown in Figure 10-4. For example, you could choose to require smart-card authentication when using RD Gateway, even if users can log on with passwords while on the LAN.
FIGURE 10-4 Select a supported Windows authentication method and add user and computer groups to which the RD CAP applies.
NOTE If you add both users and computer requirements to the RD CAP, then the two
are cumulative; a user who is allowed to access RD Gateway must also be using a com-
puter that is allowed to connect to RD Gateway.
Notice that this step differs from the RD Gateway installation wizard. The installation wizard asks you to supply local or domain user groups that will be associated with both the RD CAP and RD RAP. This wizard does not do this. Instead, it asks you to supply user groups for only the connection authorization policy. Click Next.
5. In Windows Server 2008 R2, RD Gateway can enforce device redirection; this is a change from Windows Server 2008, which did not enforce it. By default, the RD CAP allows all device redirection (the policies applying to the endpoint can limit it further), but you can use RD Gateway to limit device redirection even more over the wide area network (WAN) than is commonly done on the LAN. Disable device redirection for clients by selecting Disable Device Redirection For The Following Client Device Types and then selecting the boxes next to the devices that should not be redirected.
This differs from the RD Gateway installation wizard, which does not give you the option to disable or limit device redirection at all. Instead, the initial RD CAPs created with the installation wizard will have device redirection enabled for all client devices.
You can also deny client connections to RD Session Host servers that do not enforce RD Gateway device redirection. If you choose this option, you will limit connections to Windows Server 2008 R2 and Windows 7 endpoints, because older operating systems do not enforce RD Gateway secure device redirection. Click Next.
6. On the next page, you can set timeouts for active and idle sessions.
To reclaim unused resources on RD Gateway, you can configure the gateway to disconnect idle sessions after a specified time period (defined in minutes). This will prevent users from walking away and leaving sessions open.
You can also set a timeout for active sessions (in minutes). The session can be just disconnected; this forces the user to reinitiate the session and log on again. You can also choose to silently reauthenticate the user to the session. Choosing this option means that the user and session are reauthenticated and reauthorized, but without any impact on the user or session. However, if policies have changed, then the user would have to reauthenticate when the session timeout limit is reached, and the new policies would then take effect, thus keeping sessions consistently conforming to the most up-to-date policies.
7. Review the Summary page to make sure that you chose the right settings, and then click Finish.
HOW IT WORKS
In Windows Server 2008, disabling drive redirection from the RD CAP would have
no effect if drive redirection was enabled on the client and the destination com-
puters were protected via RD Gateway.
In Windows Server 2008 R2, this has changed. If drive redirection is disabled in RD
Gateway, then it will be disabled no matter what the client and server have con-
figured. If RD Gateway enables drive redirection, but the client or server disables
it, then redirection is likewise disabled. This is great for restricting resources based
on user group (remember that only printer redirection can be restricted in the
user account in Active Directory Users And Computers). For instance, you could
use precreated, signed RDP files to give users access to resources, and the RDP file
would be configured to use RD Gateway for every connection. Then the policies on
the RD Gateway would be configured to restrict certain device redirection based on
user group membership. The file is read-only by the nature of it being signed, so
tampering with it would break it.
This new RD CAP defines what combination of users (and optionally computers) are allowed to access RD Gateway, but it doesn't get users any farther than the RD Gateway because you haven't yet defined any resources that they are allowed to access. To define what resources users can access after they are allowed to connect to RD Gateway, you'll need to create an RD RAP, which is discussed next.
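The sidebar's approach of handing users a presigned RDP file that always goes through RD Gateway can be scripted. The following PowerShell is an added example, not the book's own code: it writes an RDP file with the gateway settings and a tightened redirection profile, then signs it with rdpsign.exe (which ships with Windows 7 and Windows Server 2008 R2) so that a client rejects the file if it is edited afterwards. The setting names are the standard mstsc.exe RDP file settings; the host names, RemoteApp alias and certificate thumbprint in the usage lines are hypothetical.

```powershell
# Added example (not from the book): build an RDP file that is forced through
# RD Gateway, then sign it with rdpsign.exe. Host names, RemoteApp alias and
# the signing certificate thumbprint below are placeholders.

function New-GatewayRdpFile {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$TargetHost,   # internal RD Session Host
        [Parameter(Mandatory=$true)][string]$GatewayHost,  # public RD Gateway FQDN
        [string]$RemoteApp                                 # optional RemoteApp alias, e.g. ||Excel
    )
    $settings = @(
        "full address:s:$TargetHost",
        "gatewayhostname:s:$GatewayHost",
        "gatewayusagemethod:i:1",          # 1 = always use the gateway, even on the LAN
        "gatewayprofileusagemethod:i:1",   # 1 = use the gateway settings in this file
        "gatewaycredentialssource:i:0",    # 0 = ask for a password (NTLM) for the gateway
        "authentication level:i:2",        # 2 = warn if server authentication fails
        "prompt for credentials:i:1",
        # Restrict redirection in the file. On Windows Server 2008 R2 the RD CAP
        # can disable more redirection than this, but cannot re-enable what the
        # file or the RD Session Host turns off.
        "drivestoredirect:s:",             # empty = no drives redirected
        "redirectclipboard:i:0",
        "redirectprinters:i:0",
        "redirectsmartcards:i:1"           # keep smart cards for authentication
    )
    if ($RemoteApp) {
        $settings += "remoteapplicationmode:i:1"
        $settings += "remoteapplicationprogram:s:$RemoteApp"
    }
    # RD Web Access and mstsc.exe write RDP files as UTF-16 (Unicode); match that.
    Set-Content -Path $Path -Value $settings -Encoding Unicode
    $Path
}

function Protect-RdpFile {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$Thumbprint   # SHA-1 hash of the signing certificate
    )
    # rdpsign.exe /sha1 <hash> <file.rdp> signs the file in place with the named
    # certificate from the local machine store; the client then rejects any
    # later edit to the signed settings.
    & rdpsign.exe /sha1 $Thumbprint $Path
    if ($LASTEXITCODE -ne 0) { throw "rdpsign.exe failed with exit code $LASTEXITCODE" }
    Get-Content -Path $Path | Where-Object { $_ -like 'signscope:*' -or $_ -like 'signature:*' }
}

# Usage (hypothetical names and thumbprint):
# $rdp = New-GatewayRdpFile -Path 'C:\Deploy\Accounting.rdp' `
#            -TargetHost 'rdsh01.corp.ilove2ski.net' `
#            -GatewayHost 'rdgateway.ilove2ski.net' -RemoteApp '||Excel'
# Protect-RdpFile -Path $rdp -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567'
```

The signing certificate's root must be trusted by the client, and the thumbprint should also be published to clients through the "Specify SHA1 thumbprints of certificates representing trusted .rdp publishers" Group Policy setting so that the file opens without a publisher warning; a signed file whose signer is unknown to the client is treated like an unsigned one.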
Creating an RD RAP
Creating an RD RAP using RD Gateway Manager is very similar to creating one using the installation wizard except that you are asked to associate user groups with the RD RAP. You can also create and use RD Gateway–specified computer groups in the RD RAP, which isn't an option when using the installation wizard. To do this, perform the following steps:
1. Expand the Policies folder in RD Gateway Manager, right-click the Resource Authorization Policies folder, choose Create New Policy, and then choose Wizard to start the Create Authorization Policies For RD Gateway Wizard.
NOTE Even if you’re using a centralized NPS to store RD CAPs, you still create RD RAPs
on the local RD Gateway. RD RAPs are not stored by NPS.
2. Again, you can choose to create both an RD CAP and an RD RAP or to create only one or the other. If you choose to create both, then the wizard will run through both the RD CAP and RD RAP wizards consecutively. Choose Create Only A RD RAP and click Next.
3. Enter a name for the RD RAP (again, choose something descriptive) and click Next.
4. Add local or domain user groups associated with this RD RAP that can access the resources specified in it. To specify multiple user groups, separate them with a semicolon or click Add again to add another group. If the groups that you want to add are in different domains, you must use the Add Group button to add the user groups from each domain. Click Next.
5. Now, choose the resources that the specified user group(s) can connect to. You can allow users to connect to any network resource, specify one domain computer group, or specify one RD Gateway–managed computer group. If you are allowing access to an RD Session Host server farm, you must choose the Select An Existing RD Gateway–Managed Computer Group Or Create A New One option. The details of this option are discussed in the section entitled "Using RD Gateway Computer Groups to Enable Access to a Server Farm" later in this chapter. For now, choose Allow Users To Connect To Any Network Resources. Click Next.
NOTE If you create an RD RAP during the initial installation, you won’t have the option
of choosing an RD Gateway–managed group.
6. Remember that RD Gateway acts as a proxy for the network resources to which users will remote. On the next page, specify the port that people are able to use via RD Gateway. By default, the gateway will allow connections only via port 3389, which is the default port for RDP. You can opt to configure another port (or ports separated with a semicolon), for example, if you've edited the port that RDP uses. You can also choose to allow connections through any port. Most of the time, you'll use 3389 for RDP traffic, so choose that option now. Click Next.
7. In the final page of the wizard, you'll see a summary of the settings that you've configured. Click Finish and the new RD RAP will be visible in the Resource Authorization Policies folder.
NOTE If you are familiar with the process of creating an RD RAP, you can skip the wizard
and just fill in the requirements for the authorization by right-clicking the Resource Autho-
rization Policies folder in RD Gateway and then choosing Create New Policy, Custom. This
opens a tabbed New RD RAP dialog box, which you can use to fill in the same settings for
which you’re prompted in the wizard.
520 Chapter 10 Making Remote Desktop Services Available from the Internet
Modifying an Existing Authorization Policy
To modify an existing RD CAP or RD RAP in RD Gateway Manager, select the Connection Authorization Policies folder or the Resource Authorization Policies folder, respectively. You'll see the related authorization policies in the center pane. Double-click the policy that you want to edit. Edit the policy properties on each of the tabs as appropriate and then click OK to save and close the policy.
You also have the option to disable or enable a policy (for example, you might need to test the impact of a particular authorization policy). By default, all created policies are enabled. Disable a policy by clearing the Enable This Policy check box on the General tab of the policy.
Click the server in the left pane to view the Connection Status and Configuration Status details in the middle pane. This pane contains three sections, each of which contains information and links to configuration pages in RD Gateway. The three sections are:
■ The Connection Status, which shows you how many connections are currently established with RD Gateway and how many resources users are connected to. When people are using RD Gateway, you can monitor and disconnect active connections here. Open the Monitor Active Connections page by clicking the corresponding link.
■ The Configuration Status section, which tells you how many RD CAPs and RD RAPs are presently configured. If you have set up an RD Gateway farm, this section indicates how many servers are in that farm.
NOTE RD Gateway farms are discussed in the section entitled “Creating a Redundant
RD Gateway Configuration” later in this chapter.
You can also create or modify RD CAPs and RD RAPs here by clicking the View Connection Authorization Policies link and View Resource Authorization Policies link, respectively.
Create or modify an RD Gateway farm by clicking the Add RD Gateway Server Farm Members link.
■ The Related Documentation section, which provides links to RD Gateway configuration Help files.
RD Gateway lets you know if you skipped vital settings by displaying a red circle with an X or a yellow triangle with an exclamation point next to the settings that need further configuration. For example, recall that an installation using Windows PowerShell isn't complete. The RD Gateway Management Console will display the warnings shown in Figure 10-4 if you install RD Gateway using Windows PowerShell.
NOTE You can edit specific settings by clicking the link next to the green arrows in the
middle pane of RD Gateway Manager.
FIGURE 10-6 Configure or edit RD Gateway settings using the RD Gateway Properties dialog box.
From here, you can edit the settings as described in the following sections.
Choosing an SSL Certificate to Use with RD Gateway
If you didn't define a certificate while installing RD Gateway, you'll need to do so afterwards, or when you're moving from a self-signed certificate to one signed by a trusted CA. Go to the SSL Certificate tab on the RD Gateway Properties dialog box to select an SSL certificate to use with RD Gateway.
If you have already configured RD Gateway to use a certificate, the certificate information is displayed on this tab and the Select An Existing Certificate From The RD Gateway <SERVERNAME> Certificates (Local Computer)/Personal Store option button is selected. You can choose another certificate that is already installed on the server by clicking the Import Certificate button and choosing from the certificates listed. Valid SSL certificates that are installed to the server's Computer Certificate Store Personal folder will be available in the Import Certificate pop-up dialog box. Choose a certificate and click Import.
If you do not have an SSL certificate installed on this server, you can create a self-signed certificate to use with RD Gateway. Use this certificate for testing purposes only; if it's used in a production environment, you could have issues with users who are not able to validate the certificate because it's not in their trusted root certificate store. A self-signed certificate also isn't verified by any authority.
To create a self-signed certificate, choose the Create A Self-Signed Certificate option and click the Create and Import Certificate button. The Create Self-Signed Certificate dialog box will appear, as shown in Figure 10-7.
Enter the fully qualified domain name (FQDN) of the RD Gateway into the Certificate name input box; this is the FQDN that is resolvable to external users. Because the certificate is self-signed, it will also act as its own root certificate. Clients must also have this certificate installed in their computers' certificate store in order to validate this same certificate used by RD Gateway. Therefore, the Store The Root Certificate check box is selected by default; this allows you to save the certificate to a file so that you can import it to the Trusted Root Certification Authorities certificate store on your test client. Click Browse, navigate to the chosen save location, and type a file name, or type the location and file name in the File Name box, and then click OK.
NOTE To install the certificate on your test clients, open a Microsoft Management Con-
sole (MMC) on the client and add the Certificates snap-in. Expand the Certificates store
tree and then right-click the Trusted Root Certification Authorities folder. Choose All Tasks,
Import and follow the steps in the wizard to import the self-signed certificate file that you
created from RD Gateway Manager.
You can also import a certificate to the server's certificate store and configure RD Gateway to use this certificate. To do so, select the Import A Certificate Into The RD Gateway <SERVERNAME> Certificates (Local Computer)/Personal Store option button. Then click the Browse and Import Certificate button. Browse to the certificate file that you want to import, select the file, and click Open.
NOTE To load-balance RD Gateway servers, see the section entitled “Creating a Redun-
dant RD Gateway Configuration” later in this chapter.
Auditing RD Gateway Events
For troubleshooting and planning purposes, auditing connection events is a good idea. The RD Gateway Auditing tab, shown in Figure 10-8, allows you to specify the RD Gateway events that you want to log.
These events are logged in the Event Viewer under Application And Services Logs/Microsoft/Windows/TerminalServices-Gateway. By default, all available RD Gateway connection and authorization events are logged (the options are all checked on this tab). To modify which connection and authorization events are audited, select or clear the boxes corresponding to the available events in the Select Events To Log dialog box. Generally, failed events are more significant than successful ones because they can signal unauthorized attempts or annoyed users.
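Because the failed events are the interesting ones, it helps to pull them out of the log the chapter names and count them per user and client address. The following script is an added example, not the book's code; it assumes the log name Microsoft-Windows-TerminalServices-Gateway/Operational, that authorization failures are logged at Warning or Error level, and that the event text has the shape `The user "DOMAIN\user", on client computer "a.b.c.d", ...` (all three are assumptions, and the sample events at the end are constructed).

```powershell
# Added example (not from the book): summarize failed RD Gateway authorization events
# per user/client pair. Assumptions: log name below, failures at Warning/Error level,
# message text of the form  The user "DOMAIN\user", on client computer "a.b.c.d", ...

function Get-RdgFailureSummary {
    [CmdletBinding()]
    param(
        # Event objects (from Get-WinEvent, or constructed) carrying Id, Level, TimeCreated, Message
        [Parameter(ValueFromPipeline = $true)] [object[]]$Event,
        # Flag a user/client pair with at least this many failures in the window examined
        [int]$Threshold = 5
    )
    begin { $rows = @() }
    process {
        foreach ($e in $Event) {
            # Level 2 = Error, 3 = Warning; successful CAP/RAP events are Informational (4)
            if ($e.Level -gt 3) { continue }
            $user   = '<unknown>'
            $client = '<unknown>'
            if ($e.Message -match 'user "([^"]+)"')            { $user   = $Matches[1] }
            if ($e.Message -match 'client computer "([^"]+)"') { $client = $Matches[1] }
            $rows += New-Object PSObject -Property @{
                Id = $e.Id; User = $user; Client = $client; Time = $e.TimeCreated
            }
        }
    }
    end {
        $rows | Group-Object User, Client | ForEach-Object {
            $ids  = $_.Group | ForEach-Object { $_.Id } | Sort-Object -Unique
            $flag = ''
            if ($_.Count -ge $Threshold) { $flag = 'REVIEW' }   # repeated failures from one source
            New-Object PSObject -Property @{
                User     = $_.Group[0].User
                Client   = $_.Group[0].Client
                Failures = $_.Count
                EventIds = ($ids -join ',')
                Flag     = $flag
            }
        } | Sort-Object Failures -Descending |
            Select-Object User, Client, Failures, EventIds, Flag
    }
}

# On the RD Gateway itself, feed the last 24 hours of warnings and errors from the log:
#   Get-WinEvent -FilterHashtable @{
#       LogName   = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
#       Level     = 2, 3
#       StartTime = (Get-Date).AddDays(-1)
#   } | Get-RdgFailureSummary -Threshold 5

# Constructed sample events so the function can be exercised offline
# (event IDs and wording are illustrative, not copied from a real log).
$now = Get-Date
$sample = @()
1..6 | ForEach-Object {
    $sample += New-Object PSObject -Property @{
        Id = 201; Level = 3; TimeCreated = $now.AddMinutes(-$_)
        Message = 'The user "CONTOSO\alice", on client computer "203.0.113.7", did not meet connection authorization policy requirements.'
    }
}
$sample += New-Object PSObject -Property @{
    Id = 202; Level = 3; TimeCreated = $now.AddMinutes(-10)
    Message = 'The user "CONTOSO\bob", on client computer "198.51.100.4", did not meet resource authorization policy requirements.'
}
$sample += New-Object PSObject -Property @{
    Id = 200; Level = 4; TimeCreated = $now.AddMinutes(-11)   # success: ignored by the summary
    Message = 'The user "CONTOSO\carol", on client computer "198.51.100.9", met connection authorization policy requirements.'
}

# alice/203.0.113.7 shows 6 failures and is flagged REVIEW; bob shows 1; carol does not appear
$sample | Get-RdgFailureSummary -Threshold 5 | Format-Table -AutoSize
```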
If you do this, then you need to set up SSL bridging on this tab. SSL bridging means that SSL requests coming from the remote client are terminated at the bridging appliance and new requests are then initiated by the bridging appliance to RD Gateway. Enable SSL bridging by selecting the Use SSL Bridging check box. Next, you need to choose a bridging method.
The first bridging method is called HTTPS-HTTPS bridging. By bridging SSL traffic, you gain further control of the communication to and from RD Gateway. The bridging product acts as a policeman by decrypting SSL connections coming from outside the network, inspecting them for malicious code, and then re-establishing the SSL session with RD Gateway if the packets pass inspection. All traffic flowing to and from RD Gateway goes through the bridging appliance. To enable HTTPS-HTTPS bridging, select the HTTPS-HTTPS Bridging (Terminate SSL Requests And Initiate New HTTPS Requests) option button.
You can also bridge HTTPS-HTTP communications between the bridging device and RD Gateway, called SSL offloading and termination. HTTPS–HTTP bridging saves processor cycles. SSL packet processing generally takes more processor cycles than regular Hypertext Transfer Protocol (HTTP) traffic. By offloading the SSL communication to TMG or another bridging device, you save processing power.
Enable HTTPS-HTTP bridging by selecting the Use HTTPS-HTTP Bridging (Terminate SSL Requests And Initiate New HTTP Requests) option button. Click OK to save your selected settings.
HOW IT WORKS
When deployed with a simple firewall, the RD Gateway server is still processing all
the incoming SSL traffic. During SSL communication, there is a lot of back-and-forth
to establish a secure communication between client and server. The client must ini-
tiate the connection, and the server’s digital certificate must be validated by the cli-
ent. Then a secret session key must be established to encrypt the communications.
While all this communication is going on, the RD Gateway server must still act as a
proxy for the incoming connection requests. On a busy server, this can consume a
lot of processor cycles.
HTTPS-HTTPS SSL bridging adds an additional layer of security to the SSL commu-
nication by examining the contents of the SSL traffic and ensuring that it contains
no malicious packets before sending it to the RD Gateway. However, HTTPS-HTTPS
bridging does not offload the SSL processing; it only decrypts the Hypertext
Transfer Protocol Secure (HTTPS) traffic to examine it before encrypting it again to
send to the RD Gateway. The RD Gateway must still do all the SSL communication
processing—but now it is just safer to do so. For any performance benefit, you
must implement SSL offloading and termination with HTTPS-HTTP bridging. The
catch is that you must balance the performance benefit of not processing the SSL
traffic with the fact that, after it leaves the bridging device, the traffic is no longer
encrypted. The traffic should be passing over the private network at this point, but
for some implementations, this might still be a consideration.
RD Gateway Messaging
In RD Gateway for Windows Server 2008 R2, you now can send messages to users when they request access to resources via RD Gateway. (Use these messages to educate people on company policies, warn them of service outages, and the like.) To do so, you configure the settings on the RD Gateway Messaging tab, shown in Figure 10-9.
■ System Message This message is displayed to users after they log on to a system, and only for a specified time period. System messages are good for notifying users of some future event, like a maintenance window, other planned downtime, or a pending change in access policies.
Logon messages are displayed each time that a user requests access to a resource via RD Gateway, but before they are logged onto the session. Configure a logon message by selecting the Enable Logon Message check box. Then click the Browse button and choose a text file that contains the logon message.
When a user requests a resource via RD Gateway before he or she is logged onto that resource, the user will see a logon message window like the one shown in Figure 10-10.
FIGURE 10-10 A user will see a logon message when attempting to access a resource via RD Gateway and RD Gateway logon messaging is enabled.
To log onto the remote desktop session, users must signify that they agree to the terms of the message by selecting the I Understand And Agree To The Terms Of This Policy check box. After users check the box and click OK, they are logged onto the remote session. If users do not agree to the terms of the message, then their only option is to click Close and cancel the request. If users agree to the message terms, then they can also select the Do Not Ask Again Unless Changes To The Policy Occur check box to suppress the logon message until the policy changes.
System messages are displayed right after a user logs onto a system, but only during the time period that you specify in the RD Gateway Messaging interface. To configure a system message, select the Enable System Message check box on the Messaging tab of the RD Gateway Properties dialog box. Type the message that you want to send into the system message input box. Finally, adjust the start and end time to reflect the time period during which users will see the message. Unlike logon messages, users cannot opt to suppress system messages. They will display every time that users invoke a new remote session during the specified time window, as shown in Figure 10-11.
FIGURE 10-11 Users will receive a system message after they log on to the requested remote session.
Because system messages display only once per session, if a user opens multiple RemoteApp programs on the same RD Session Host server, the message will display only once. All RemoteApp programs run in the same session.
CAUTION If you use round robin DNS (RR DNS) or a dedicated redirector for RD
Session Host farm initial load balancing RD Gateway, system messages will appear
twice. This is because RD Gateway sees both the initial connection to the RD Session
Host server and also the final connection to the determined destination server. Use
network load balancing (NLB) to avoid double messaging.
Messages only display for connections made from RDC 7 or later. To prevent people from circumventing logon or system messages, you can deny RD Gateway connections from clients not running RDC 7.0 by selecting the Only Allow Connections From Remote Desktop Services Clients That Support RD Gateway Messaging check box.
If you opt to enable access to a computer group, you'll open a new page in the Authorization Policies Wizard, where you can create a new RD Gateway–managed computer group or select an existing one.
NOTE You can also create or manage RD Gateway – managed computer groups by
selecting the Resource Authorization Policies folder and then clicking the Manage Local
Computer Groups link in the Actions panel on the right side of the RD Gateway Manager.
FIGURE 10-12 RD Gateway Managed Computer Group member names must be resolvable.
If you have already created an RD Gateway–managed computer group, then choose the Select An Existing RD Gateway–Managed Computer Group option and then highlight the group in the Existing Computer Groups box.
You can also edit an existing RD RAP to enable access to an RD Gateway–managed computer group. In RD Gateway, click the Resource Authorization Policies folder, then double-click the RD RAP that you want to edit. Select the Network Resource tab and then choose the Select An Existing RD Gateway-Managed Computer Group Or Create a New One option. From here, you can create a new group or select an existing one as described previously.
FIGURE 10-13 Edit or create RD Gateway managed computer groups using the Manage Locally Stored Computer Groups dialog box.
Clicking existing computer groups reveals the RD RAPs that they are associated with in the lower section of the left pane and the computer group members in the lower section of the right pane (in Figure 10-13, for example, the group contains members of an RD Session Host server farm, so the farm FQDN and NetBIOS name are listed, along with all farm members and all NetBIOS names and IP addresses of the individual servers).
To create a new computer group, click Create Group. On the General tab, enter a name for the computer group. On the Network Resources tab, enter the names and optionally the IP addresses of the RD Session Host servers or computers that you want to add to the group. Click OK.
To edit an existing group, select the group and then click Properties and adjust the computer group name or the servers in the group as necessary. To delete an RD Gateway–managed computer group, click the group and click Remove.
Bypassing RD Gateway for Internal Connections
It's understandable that you want remote users to establish secure encrypted connections to desktops and servers located on the internal network. But for local users accessing resources on the same internal network, you can choose to bypass RD Gateway and allow them to connect directly to the resource. There are two places to do this: RDC on the client and RemoteApp Manager on the server, as follows:
■ Remote Desktop Client Open the RDC and click Options. Click the Advanced tab and then click the Settings button in the Connect From Anywhere section. Select Use These RD Gateway Server Settings, supply the server name, and then select the box next to Bypass RD Gateway Server For Local Addresses.
■ RemoteApp Manager Use this setting to bypass RD Gateway for RemoteApp programs and for RDP files created by RD Web Access. Open RemoteApp Manager, click the RD Gateway Settings link, select Use These RD Gateway Server Settings, supply the server name, and then select the box next to Bypass RD Gateway Server For Local Addresses.
NOTE To see how to force RDC connections initiated from RD Web Access to use RD
Gateway, see the section entitled “Force RDC Connections Through RD Gateway via RD
Web Access” in Chapter 9.
• Ask For Credentials, Use Basic Protocol This option is only available using group policy—it is not available via RemoteApp Manager. Credentials are sent in cleartext and therefore are not secure.
• Use Smart-Card
You can allow users to change the authentication method by selecting the Allow Users To Change This Setting check box, or you can enforce the setting you choose by clearing this box. If users cannot change this setting, it will be in effect for all connections through RD Gateway. If this policy is not configured and no option is specifically selected by the user, then NTLM and smart cards can be used.
■ Enable Connection Through RD Gateway Enabling this setting means that when users cannot create an RDP connection to a computer, they will attempt to connect via an RD Gateway that you specify in the Set RD Gateway Server Address policy described next.
You can enforce this setting by clearing the Allow Users To Change This Setting check box. If the policy is enforced, then users will attempt to connect through the RD Gateway address given in the Set RD Gateway Server Address policy described next. Clearing the check box means users will not use the address specified in the Set RD Gateway Server Address policy; instead, they are allowed to specify the RD Gateway that they wish to use.
■ Set RD Gateway Server Address Specifies the RD Gateway address that users will attempt to connect to if they are unable to connect directly to an RDP resource. To enforce this setting, check the Allow Users To Change This Setting check box in the left pane.
CAUTION If you enable the Enable Connection Through RD Gateway policy, you
also must enable Set RD Gateway Server Address and provide the address. If you en-
able that policy but do not specify the address here, then user connections will fail.
FIGURE 10-14 View all RD Gateway active session information from the Monitoring folder.
The specific data reported for each connection includes the following:
■ Connection ID The Connection ID is formatted as <A:B>, where A is the Tunnel ID and B is the Channel ID. The Tunnel ID represents the client's connection to the RD Gateway, while the Channel ID represents the client's connection to the requested resource. The Tunnel ID is incremented each time a new connection is made to RD Gateway; if you restart the Remote Desktop Services Gateway service, the Tunnel ID count restarts at 1.
■ User ID The User ID shows the domain and user name of the user who established the session, taking the form domain\username.
■ User Name The session user's full name as specified in AD DS.
■ Connection On States when a session was established.
■ Connection Duration States how long a session has been active.
■ Idle Time States how long a session has been idle.
■ Target Computer The computer that the session is connected to.
NOTE If there is no redirection, then RD Gateway monitoring displays the farm name
(for example, Farm.ash.local). If there is redirection, RD Gateway monitoring displays
the “host name” (for example, Fuji.ash.local).
■ Client IP Address The IP address of the client that is connecting. If you are connecting to RD Gateway from the other side of a firewall, the IP address listed will be the address of the firewall.
■ Target Port The port to which the user is connected.
Clicking any of the active sessions also shows the information about the selected session in the bottom pane, but will also reveal the total kilobytes sent and received in that session.
By default, RD Gateway updates the connection data every 30 minutes. To change this interval, right-click the Monitoring folder, choose Set Automatic Refresh Options from the context menu, and specify the new interval. Don't refresh too often; sampling takes processor cycles, so a high refresh rate can affect server performance. You can also disable automatic data refreshing by choosing the Do Not Refresh Automatically option. Click OK for the settings to take effect.
You can use this data to analyze the connections and tweak policy accordingly. For example, if your analysis indicates that a lot of connections go idle after 30 minutes, you could configure RD CAP timeouts to disconnect connections that are idle for more than 30 minutes and free resources for other users.
From the Monitoring folder, not only can you view connection data but you also can perform some tasks, such as disconnecting connections and changing the number of simultaneous connections allowed to RD Gateway. Disconnect connections from this folder according to the following rules:
■ To disconnect a single session, right-click the session and choose Disconnect This Connection.
■ A user can establish more than one RD Gateway session. To disconnect all a user's sessions, right-click a user's connection and choose Disconnect This User.
■ To disconnect all RD Gateway sessions at once, right-click the Monitoring folder, choose Select All, and then right-click any of the highlighted sessions and choose Disconnect These Connections.
■ To disconnect multiple connections at once, press Ctrl-click or Shift-click to select multiple connections, then right-click and choose Disconnect These Connections.
You can also edit the RD Gateway connection limit from the Monitoring folder. Right-click the Monitoring folder and choose Edit Connection Limit from the context menu. This brings up the General tab of the RD Gateway server Properties dialog box. Limit the sessions to a specific number, or put the RD Gateway into drain mode and click OK.
[Figure 10-15 diagram: Remote Client, SSL tunnel on port 443, to the Internal Network; Cluster IP: X.X.X.X in front of two RD Gateway servers, IP: Y.Y.Y.Y and IP: Z.Z.Z.Z]
FIGURE 10-15 For redundancy, load balance incoming connections to RD Gateway among multiple servers.
NOTE Figure 10-15 does not include the RD Connection Broker because, although the
broker plays a part in choosing which resource ultimately gets a connection, the final con-
nection does not go through RD Connection Broker.
When you cluster RD Gateway servers, network traffic over port 443 isn't directed to a specific RD Gateway server. Instead, it goes to the cluster IP address representing the collection of RD Gateway servers. Then the load-balancing mechanism determines to which RD Gateway server the connection should be sent, generally based on the current load.
In this example, NLB is used as the load-balancing mechanism, and two network interface cards (NICs) are installed on each RD Gateway computer. One NIC will support incoming connections for management purposes, and NLB will use the other for load balancing. We recommend using static addressing for the management NIC; the NIC used for load balancing must be configured with a static IP address, subnet mask, and gateway address. When you have installed the NICs on the RD Gateway servers, install NLB on each RD Gateway server that will become part of the cluster. Either use Server Manager or install using Windows PowerShell using the following code:
Import-Module Servermanager
Add-WindowsFeature NLB
After installing NLB, create a server cluster and add the RD Gateway servers as members. Open the Network Load Balancing Manager by clicking Start, Programs, Administrative Tools, Network Load Balancing Manager, or by typing nlbmgr in the Start, Run box. Complete the following steps to create a server cluster:
1. Click Cluster and select New.
2. In the Host input box, enter the name of one of the RD Gateway servers and click Connect. NICs available to use with NLB will appear in the lower text box. Select the dedicated NIC that you have configured to use with load balancing (remember, it must have a static IP address) and click Next.
3. The IP addresses assigned to the NIC will appear. The priority number is a unique number that differentiates the servers. Accept the default value. The IP address in the lower text box will be dedicated to load balancing. It's possible that both NICs will show up in the text box (assuming that you have dual NICs); use the Edit and Remove buttons to adjust the dedicated IP address settings as needed. Leave the Initial Host State as Started and click Next.
4. Specify the cluster IP address by clicking Add and specifying the IPv4 address and subnet mask or IPv6 address. When users request access to RD Gateway, they will be sent to this cluster address instead of a specific RD Gateway server address. Then the connection is sent by the load balancer to the appropriate RD Gateway server. Click Next.
5. Enter the public FQDN name that remote users use to access RD Gateway (for example, rdgateway.love2sk.net) and choose the cluster operation mode (Unicast or Multicast). All host adapters must use the same operation mode or NLB will not function. In this example, choose Unicast. Click Next.
6. For NLB to do its job, you need to indicate the ports that it should listen on for traffic. By default, it listens on ports 0 to 65535, and it load-balances the connections if the traffic appears on one of those ports. However, to accept incoming SSL connections, it needs to listen only on port 443. Edit the default rule to change the range From and To fields to 443.
7. Under Filtering Mode, choose Multiple Hosts to allow multiple hosts to handle traffic for this port rule. Now you have three Affinity choices:
• None Choosing this option means that multiple connections coming from the same IP address can be spread among the farm members.
• Single Choosing this option gives affinity to connections coming from the same IP address; they will be terminated on the same RD Gateway farm member.
• Network Choosing this option means that client connections within the same Class C address space are terminated on the same RD Gateway server.
Single is almost always the best choice. First, this will prevent RemoteApp connections in a single RDP session from being distributed across more than one RD Gateway server. Second, troubleshooting connection problems is easier when the connections for each session are coming through one RD Gateway server. Most important, each session connection requires two SSL connections: one from the client to the RD Gateway server, and one from RD Gateway to the client. Without server affinity, it's possible for a session's two needed SSL connections to get split between two servers. Because both the incoming and the outgoing connections are necessary to support the session, splitting the session between two servers doubles the chances that the session will be lost due to a downed RD Gateway server.
8. Choose the appropriate affinity setting and click OK. Then click Finish.
If SSL connections of a session get split between two servers, it actually reduces the
resilience of the RD Gateway farm for failover. Here’s how it happens. Imagine that
you have many clients connecting to RD Gateway server A and also to RD Gateway
server B. If either of the servers fails, clients connected through the failing server
need to reconnect, but so do all those who have the split connections between
servers A and B. The only circumstance under which you should not set affinity is if
many clients are coming in from one IP address (for example, are working through a
proxy server).
Not setting affinity adds complexity to the environment in several ways. You can
have SSL connections split up and redirected to different servers, and as the admin-
istrator, you have no control over this. Second, in case of a failed server, more clients
suffer (those who go through this server plus those who have a single SSL session
served on the failed server). Third, in general, it reduces the predictability.
When you have any IP-based affinity on the NLB, the Server Farm feature is not
used. There will be no situation when different SSL connections from the single cli-
ent (so, from the same IP) will be sent to different RD Gateway servers, as IP
affinity is set on NLB. So it doesn’t matter if the Server Farm setting in RD Gateway
is configured or not.
Don’t use the affinity option included with some hardware load balancers. It does
not provide any additional benefits to RD Gateway as opposed to using IP affinity,
and it still requires the Server Farm setting to be configured.
CAUTION Don’t enable Single if all connections are proxied and appear to be
coming from the same IP address (the address of the proxy server or firewall). In
that situation, the Single option will direct all connections to the same RD Gateway
server. When using a proxy server or firewall, choose None.
Next, you will need to add the other RD Gateway farm members by right-clicking the cluster and choosing Add Host To Cluster. Give the name of the server and then choose the dedicated IP address that you will use for this host, just as you did when setting up the first host. Because this server will be joining this cluster, you do not get to choose any other settings. Do this for each cluster member.
After you've created the cluster and added all RD Gateway cluster hosts, the Network Load Balancing Manager should look similar to Figure 10-16.
FIGURE 10-16 Network Load Balancing Manager has a cluster created and hosts converged.
All hosts should converge (note that hosts appear with a green square around the computer icons). If NLB can't hear a server heartbeat, the server state will display as "unreachable" with a red X on the computer icon. When the heartbeat resumes, the server reconverges. The details of changes in the environment show in the bottom pane.
To use RD Gateway, you will need to map the external DNS name (rdgateway.ilove2ski.net, the same name that you specified as the NLB) to the external IP address you designate that comes to your firewall, and then map that IP address to the internal cluster IP address. NLB will take care of passing the connection to the proper RD Gateway machine. This is shown earlier in Figure 10-15.
Preventing Split SSL Connections on RD Gateway
Setting affinity in a load balancer to a single server is the ideal, but it won't always work. For instance, if a large number of the RD Gateway connections will be coming from users behind a proxy, their IP addresses will all appear to be the same, and they will all get routed to one RD Gateway farm member. If you can't use IP affinity, then you must set up an RD Gateway farm on each RD Gateway farm member to avoid splitting up incoming and outgoing SSL connections for each session.
NOTE Every SSL connection to RD Gateway actually consists of two SSL channels
(RPC IN DATA and RPC OUT DATA).
By setting up the farm on each RD Gateway server, you're telling all the RD Gateway servers about each other. Doing so ensures that the SSL channels that are supporting the same connection will be routed through the same RD Gateway.
To set up an RD Gateway farm, follow these steps.
1. Open RD Gateway Manager, right-click the server, and choose Properties from the context menu to open the server Properties dialog box. Click the Server Farm tab, shown in Figure 10-17.
FIGURE 10-17 Add RD Gateway servers to the Server Farm tab if you don't use IP affinity in your load balancing mechanism.
2. Add a server farm member to the RD Gateway Server Farm Member text box and click Add.
3. Do this for all server farm members and then click OK.
4. Repeat this process for each RD Gateway server farm member. Connections supporting the same session should now be sent through the same RD Gateway server.
The file cannot be imported because it might have been modified or corrupted.
If you cannot import policies from one RD Gateway server to another, it's possible that the exported settings refer to local security groups that don't exist on the server you're importing them to.
NOTE You will also get this error if RD RAPs are centrally stored. See the section entitled
“Configuring a Central RD RAP Store” later in this chapter for more details.
Gateway servers. In fact, you could create one script containing all RD Gateway configuration settings and run it against the organizational unit (OU) that contains the RD Gateway servers anytime you needed to make a change. For example, if you want to add the ASH-RDS-Users user group to an RD RAP called RD-RAP-01 on all RD Gateway machines in an OU called ASH RDG Farm, you would run the following script.
# Bind to the OU that holds the RD Gateway computer accounts
$objOU = "ASH_RDG_Farm"
$Domain = "ash"
$Suffix = "local"
$OU = [ADSI] "LDAP://OU=$objOU,DC=$Domain,DC=$Suffix"
foreach ($child in $OU.psbase.Children)
{
    # DirectoryEntry.Name returns the RDN ("CN=RDG1"), so use the cn attribute for the host name
    Invoke-Command -ComputerName ([string]$child.cn) -ScriptBlock {
        $RDRAPName = "RDS-RAP-01"
        $UserGroup = "ASH-RDS-Users@ASH"
        Import-Module RemoteDesktopServices
        # The RDS: drive exposes the RD Gateway settings as a folder tree
        Set-Location RDS:
        cd GatewayServer\RAP\$RDRAPName\
        # Add the group to this RAP's UserGroups container
        New-Item UserGroups -Name $UserGroup
    }
}
To help you understand the RD Gateway folder structure in Windows PowerShell, run the following commands to navigate to the RD Gateway container, as shown in Figure 10-18.
All RD Gateway configurable settings are located in the root or in containers in the gatewayserver directory. Use the dir and cd commands to enter subcontainers to get a full understanding of setting names and permissible operations.
ON THE COMPANION MEDIA The script shown in this example is located on the
companion media as the Add-RDRAP-UserGroup.ps1 file.
FIGURE 10-19 The RD Gateway Properties RD CAP Store tab shows you options for storing RD CAPs.
If you choose to use a central NPS, the new NPS will act as a Remote Authentication Dial-In User Service (RADIUS) server to the RD Gateway servers, and the RD Gateway servers will act as RADIUS clients to the NPS, as shown in Figure 10-20.
[Figure 10-20 diagram: a remote client reaches the RD Gateway servers on the internal network through an SSL tunnel on port 443. The RD Gateway servers act as RADIUS clients, forward the RD CAP and NAP check to the NPS, and check the RD RAP if needed; the NPS acts as a RADIUS server and checks the RD CAP and optionally NAP policies. RDP connections then go on to the resources.]
FIGURE 10-20 RD Gateway servers act as RADIUS clients when you store RD CAPs on a central NPS.
If you set up a central NPS for storing RD CAPs, the process to connect via RD Gateway will work like this.
1. A remote user requests connection to a resource via RD Gateway.
2. The RD Gateway server forwards the request to the centralized NPS, which checks the RD CAPs (and possibly other network access policies, too) and either allows or denies access based on whether the requester meets policy criteria.
NOTE NPS can be used to check computer system health and uses network policies to
accomplish this. You will learn more about this in the section entitled “Using NAP with
RD Gateway” later in this chapter.
3. If the requestor meets policy requirements as defined in the connection and resource authorization policies, then the user is allowed to connect to RD Gateway.
4. RD Gateway does an RD RAP check and the connection is established or denied based on the results.
To configure RD Gateway to use a centralized NPS, you need to do the following.
1. Install the Network Policy and Access Services role on a server (or use an existing one).
2. Configure RD Gateway servers to use the new NPS location.
3. Configure the RD Gateway servers to forward network access requests to the new NPS.
4. Manually create new RD CAPs on the designated NPS.
These steps are described in the next sections.
Import-module servermanager
add-WindowsFeature NPAS
NOTE After you point an RD Gateway server to another NPS, you can no longer create
RD CAPs using RD Gateway Manager. The tools to create RD CAPs are disabled, and the
RD CAP folder is replaced with a Central Network Policies folder that shows which NPS RD
Gateway now uses to store RD CAPs, which are really Network Policies in NPS. In this case,
you create and edit RD CAPs on the centralized NPS server instead.
ENABLE NPS TO TRUST THE RD GATEWAY SERVERS
To respond to requests from the RD Gateway servers, the central NPS server must trust them.
1. On the designated NPS, open the Network Policy Server management console, expand the RADIUS Clients and Servers folder, right-click RADIUS Clients, and choose New from the context menu.
2. Enter the name of an RD Gateway server in the Friendly Name input box, and its DNS name or IP address in the Address input box.
NOTE If you are using NLB with multiple NICs installed on your RD Gateway servers, be
sure to input the NLB IP address when creating RADIUS clients.
3. Next, accept the default Shared Secret Template (None), make sure the Manual option is selected, and enter the shared secret that you specified on the RD Gateway server RADIUS client. On the Advanced tab, accept the default configuration, and then click OK.
4. Repeat this for each RD Gateway server that will act as a RADIUS client.
The RADIUS clients will show up in the right pane, as shown in Figure 10-21.
FIGURE 10-21 Add each RD Gateway server as a RADIUS client on the NPS.
Request Policy for each RD Gateway server in your farm, each containing only conditions relevant to the individual RD Gateway server. For example, say that you have two RD Gateway servers with the following names and IP addresses.
TABLE 10-2 Network Policy Conditions and Values That Correspond to Specific RD CAP Settings
[Table 10-2 columns: Network Policy Properties Tab | Network Policy Setting | Network Policy Value | Corresponds to RD CAP Setting | RD CAP Value. Only one fragment of the table body survived extraction: "Attribute Value = 9".]
Although the intricacies of network policy creation on an NPS are outside the scope of this book, here is an example of how to create a simple policy that allows access to RD Gateway based on user group membership.
1. In the Network Policy Server Management Console, expand the Policies folder, right-click Network Policies, and choose New.
2. Give the policy a name, and for Type Of Network Access Server, choose Remote Desktop Gateway from the drop-down list. This specifies the type of network access server that will send connection requests to the NPS. Click Next.
3. At least one condition is required for this policy to be evaluated when a connection request is sent to NPS. Click Add and then choose a condition category. For example, choose Windows Groups. Click Add and then click Add Groups to add the group(s), one of which a user must be a member to access the RD Gateway server. Click OK a couple of times to return to the main dialog box and then click Next.
4. On the Specify Access Permission page, choose the Access Granted option and click Next.
5. On the Configure Authentication Methods page, clear all the check boxes and then select the Allow Clients To Connect Without Negotiating An Authentication Method check box. Click No on the information pop-up window. Then click Next.
6. Accept the defaults on the Configure Constraints page and click Next.
7. On the Configure Settings page, select the RADIUS Attributes Standard option and then remove the default Framed-Protocol and Service-Type attributes. Click Next.
8. On the Completing New Network Policy page, click Finish.
NOTE To save the NPS configuration to an XML file, run netsh nps export. For example,
export the NPS configuration from a server named COWBOY to a network share with the
following code.
Run the netsh nps import command to import an NPS configuration file.
msxml://%SystemRoot%\System32\tsgateway\rap.xml
to this
msxml://\\colfax\ash-company-files\IT\rap.xml
Be sure to set the permissions on the network share that contains the Rap.xml file properly so that only RD Gateways are allowed write/read access. Otherwise, someone can circumvent the RD RAPs easily by editing the file.
Also, if you do not configure your RAP share with the correct permissions to allow RD Gateway servers to access the XML file, then NPS quarantines the user. The RDC that the client initiated will stop responding. You will have to use Task Manager to kill the attempted connection. The server will show an error in the event ID 6276 in the Security Event Log as follows.
Event ID 642: The RD Gateway server cannot open the resource authorization policy store
on Authorization Manager (Azman).The following error occurred: "5".
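The two failure modes just described (anyone with write access can edit the RAPs; a gateway without read access cannot open the store) can be checked with one ACL audit. The following is an added example, not the book's code: it compares ACL entries as SIDs, the gateway SIDs and the sample ACL are constructed, and the function name is the author's own.

```powershell
# Added example, not the book's code: audit the ACL on a centrally stored RAP.xml so that only the
# RD Gateway computer accounts (plus SYSTEM and Administrators) can read or write it. Identities are
# compared as SIDs, so the same function runs offline against the constructed ACL at the bottom.

# Any of these rights lets a principal alter the file, and with it the RD RAPs themselves
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$ReadMask  = [System.Security.AccessControl.FileSystemRights]::ReadData

function Test-RapStoreAcl {
    param(
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemSecurity]$Acl,
        [Parameter(Mandatory)][string[]]$GatewaySids,          # SIDs of the RD Gateway computer accounts
        [string[]]$AdminSids = @('S-1-5-18', 'S-1-5-32-544')    # SYSTEM, BUILTIN\Administrators
    )
    $findings = New-Object System.Collections.Generic.List[object]
    $trusted  = $GatewaySids + $AdminSids
    # Explicit and inherited entries, with identities returned as SIDs (no name lookup needed)
    $rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid     = $rule.IdentityReference.Value
        $isAllow = $rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
        if ($isAllow -and (($rule.FileSystemRights -band $WriteMask) -ne 0) -and ($trusted -notcontains $sid)) {
            $findings.Add([pscustomobject]@{ Severity = 'High'; Sid = $sid; Rights = $rule.FileSystemRights
                Issue = 'Write access: this principal can edit RAP.xml and bypass the RD RAPs' })
        }
        if (-not $isAllow -and ($GatewaySids -contains $sid)) {
            $findings.Add([pscustomobject]@{ Severity = 'High'; Sid = $sid; Rights = $rule.FileSystemRights
                Issue = 'Deny entry: this RD Gateway cannot open the RAP store (Event ID 642, error 5)' })
        }
    }
    # Every gateway must still be able to read the file, or connections through it stop responding
    foreach ($gw in $GatewaySids) {
        $canRead = @($rules | Where-Object {
            $_.IdentityReference.Value -eq $gw -and
            $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            (($_.FileSystemRights -band $ReadMask) -ne 0) })
        if ($canRead.Count -eq 0) {
            $findings.Add([pscustomobject]@{ Severity = 'High'; Sid = $gw; Rights = 'None'
                Issue = 'No read access: this RD Gateway cannot load the RAP store and clients hang' })
        }
    }
    return $findings
}

# --- Constructed sample ACL (the SIDs standing in for ASH\RDG1$ and ASH\RDG2$ are made up) ---
$rdg1 = 'S-1-5-21-1111-2222-3333-1105'
$rdg2 = 'S-1-5-21-1111-2222-3333-1106'
$sampleAcl = New-Object System.Security.AccessControl.FileSecurity
$sampleAcl.SetAccessRuleProtection($true, $false)   # do not inherit the share folder's ACL
foreach ($entry in @(
        @{ Sid = $rdg1;      Rights = 'Modify';      Type = 'Allow' },   # gateway 1: correct
        @{ Sid = 'S-1-5-11'; Rights = 'Modify';      Type = 'Allow' },   # Authenticated Users: the weak setting
        @{ Sid = 'S-1-5-18'; Rights = 'FullControl'; Type = 'Allow' })) { # SYSTEM
    $id   = New-Object System.Security.Principal.SecurityIdentifier($entry.Sid)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $id,
                [System.Security.AccessControl.FileSystemRights]$entry.Rights,
                [System.Security.AccessControl.AccessControlType]$entry.Type
    $sampleAcl.AddAccessRule($rule)
}
# Gateway 2 has no entry at all, so it is reported as unable to read the store
Test-RapStoreAcl -Acl $sampleAcl -GatewaySids @($rdg1, $rdg2) | Format-Table -AutoSize
# Expected: two findings, S-1-5-11 (write access) and S-1-5-21-1111-2222-3333-1106 (no read access)

# Against the live store from the chapter's example, resolving the gateway accounts to SIDs first:
#   $sids = 'ASH\RDG1$', 'ASH\RDG2$' | ForEach-Object {
#       (New-Object System.Security.Principal.NTAccount($_)).Translate([System.Security.Principal.SecurityIdentifier]).Value }
#   Test-RapStoreAcl -Acl (Get-Acl '\\colfax\ash-company-files\IT\rap.xml') -GatewaySids $sids
```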
There are a few issues with centrally stored RAPs that you should be aware of. First, making changes to centrally located RD RAPs takes some work, because you cannot edit the centrally located file from RD Gateway Manager. You have to repoint them to the local store location, modify the RD RAPs, and then re-copy the RAP.xml file to the central location and repoint the registry key to the central location. Also, to successfully export and import RD Gateway settings from one server to another, you also have to repoint RD RAPs to be stored locally, do the export and import, and then repoint the RD RAPs storage location registry entry to the central location. For these reasons, if you make changes to your RD Gateway configuration frequently, centrally stored RD RAPs might not work for you, due to the effort involved in keeping them centrally located.
■ The computer must have an active firewall.
■ The computer must have current antivirus signatures.
■ Spyware protection must be enabled.
■ NPS Service Evaluates SoHRs and determines whether the NAP client is Compliant, Noncompliant, or Non-NAP-Capable, and packages SoHR responses into a System SoHR (SSoHR) report.
■ NAP Enforcement Server (NAP ES) Communicates with the client-side NAP Enforcement Client (NAP EC) component.
NAP client components include the following.
■ NAP Enforcement Client (NAP EC) The NAP client component that communicates with the NPS ES component.
■ System Health Agent (SHA) The client-side agent that monitors and creates a report of the client health as regards to various system health elements (for example, Antivirus, Antispyware, Windows Updates, and so on). The SHA gives this report to the NAP Agent. The SHA also performs system health updates as set forth by the remediation process. Every SHA has a corresponding SHV on the NPS.
■ Statement of Health (SoH) The report that the SHA creates. Each SHA creates its own SoH with data on the elements that the SHA reports on (for example, Windows Security elements, third-party antivirus, and so on).
■ System Statement of Health (SSoH) A report that contains all SHA reports.
■ NAP Agent This is a client-side agent that is built into Windows XP SP3 and later. It unpacks SSoHRs and distributes resulting SoHRs to the SHAs. It also packages SoHs into one SSoH that is sent to the server.
These components work together as shown in Figure 10-22.
[Figure 10-22 diagram: on the client, each SHA produces an SoH, the NAP Agent packages the SoHs into an SSoH, and the NAP EC sends it (steps 1 through 3); on the NPS, the NAP ES hands it to the NPS Service and NPS Administration Server, each SHV evaluates its SoH against the Health Policies, and the Network Policies and RD CAPs determine access (steps 4 through 7); the SSoHR returns through the NAP ES, NAP EC, and NAP Agent to the SHAs (steps 8 through 10). RD RAPs are checked afterward.]
FIGURE 10-22 A client sends an SSoH, and the NPS responds with an SoHR.
1. When a client requests remote access to a resource (a remote desktop session, RemoteApp, or a VM), the client must send an SoH report to the NPS. The client SHAs create the SoH report(s), and each SHA passes the SoH to the NAP Agent.
NOTE There can be more than one active SHA and corresponding SHV at a time. For
example, you can implement third-party antivirus or antispyware SHAs and SHVs. For
the purposes of this chapter, use the built-in client-side Windows SHA (WSHA) and
server-side Windows SHV (WSHV), which monitor and report on the Windows Security
Center settings (Windows Firewall, Windows Updates, and so on).
2. The NAP Agent combines the SHAs into the SSoH and passes this SoH to NAP EC.
3. The NAP EC passes the SSoH to the NPS ES on the NPS via RD Gateway.
4. The NPS ES passes the SSoH to the NPS Service, which unpacks the SSoH and passes each resulting SoH to the NPS Administration Server (NPS AS) component.
5. NPS AS passes each SoH made from the client-side SHA to its corresponding SHV.
6. The SHV checks the SoH against its requirements and sends the resulting SoHR to the NPS AS. The NPS AS passes the SoHR to the NPS Service.
7. The NPS Service compares the SoHR(s) against its network and health policies. It locates a network policy (which also references a health policy) that best matches the client health state. Health policies might look like the examples in Table 10-3.
Each network policy not only references a health policy, it contains access restrictions and remediation instructions as needed. Because of this, a computer client will always match a network policy (pass, fail, or not capable of using NAP). For example, Table 10-4 shows an example of Network Policies referencing Health Policies and dictating access and remediation accordingly.
TABLE 10-4 Example Network Policies That Reference Health Policies and Determine the Level of Client Access
The NPS Service creates an SSoHR that contains both its findings and the resultant level of access (and, if you want, remediation instructions) and sends it to the NAP ES.
8. The NAP ES passes the report to the NAP EC on the client via RD Gateway.
9. The NAP EC sends the SSoHR to the NAP Agent.
10. The NAP Agent unpacks it and sends each SoHR made from a specific SHV to the corresponding SHA.
If the policy and the client's health status are such that the client is allowed access to RD Gateway, then access to RD Gateway is granted. RD Gateway then checks its RD RAPs. If an RD RAP grants the client access to the requested resource, then the client is allowed to connect. The network policy that the client matched also determines the type of device redirection allowed.
NPS supports independent software vendors (ISVs) creating SHAs and corresponding SHVs. The native Windows SHVs (WSHVs) contain settings concerning the status of the categories shown in Table 10-5.
The corresponding WSHA (remember, every SHV has a corresponding SHA), native to clients running Windows XP SP3 and later, monitors the Windows Security Center settings.
NOTE The NPS does not save any SoH client data, so every time that the client reports on
its state of health, the NPS will be looking only at the latest information. There’s no cache
to go out of date.
CAUTION If you use a third-party tool with a Windows equivalent and auto-
remediation cannot update the state of the third-party tool, then it will attempt to
update the state of the Windows equivalent. For example, if you have a third-party
firewall installed (but disabled) and auto-remediation cannot enable it, it will enable
Windows Firewall instead. This could lead to unexpected results.
That is how NAP works. This next section explains configuring RD Gateway and NPS to use NAP to keep clients that don't meet system health policies away from RD Session Host servers, VMs, and other computers with remote desktop enabled. A full discussion of NAP is outside the scope of this book, so the information here concentrates on using NAP with RD Gateway only.
NOTE For a broader discussion of NAP, see Windows Server 2008 Networking and Net-
work Access Protection (NAP) (Microsoft Press, 2008), by Joseph Davies and Tony Northrup
with the Microsoft Networking Team.
NOTE By default, when you set an RD Gateway server to store its RD CAPs on a central-
ized NPS, it creates a remote RADIUS server group named TS GATEWAY SERVER GROUP.
If you have this group, then just edit it by double-clicking it and adding the FQDN of the
central NPS and the shared secret. Then click OK.
Next, make sure you have a Connection Request Policy configured in each RD Gateway server's local NPS. This policy will forward connection requests to the remote RADIUS server group that you configured in the previous step, as follows.
1. In the NPS Management Console, right-click the Connection Request Policies folder and select New. Enter a policy name, and from the Type Of Network Access Server drop-down box, choose Remote Desktop Gateway. Click Next.
2. Add the NAS Port Type condition by clicking Add, choosing NAS Port Type from the bottom of the list. Click Add and then select the check box next to Virtual (VPN) and click OK. Then click Next.
3. On the Specify Connection Request Forwarding page, select Authentication and then select the Forward Requests To The Following Remote RADIUS Server Group For Authentication option.
4. In the drop-down box, make sure the remote RADIUS server group that you created earlier is selected. Click Next twice and click Finish.
NOTE If you first installed RD Gateway and created RD CAPs using the wizard, then you
will already have a policy created for you called TS GATEWAY AUTHORIZATION POLICY.
You can just double-click the policy and change the Authentication to forward requests to
the remote RADIUS server group.
CAUTION If you are using a single RD Gateway server instead of a central NPS
server, delete or disable any RD CAPs. During this process, you will create new ones
that will include health checking, and you don’t want new policies conflicting with
old policies.
Note the Issued To name on the SSL certificate that you configured the RD Gateway server to use. You will use this name in the NAP client configuration. The name is located on the SSL certificate tab in the RD Gateway Properties.
FIGURE 10-23 Windows Security Health Validator contains settings applying to Windows 7, Windows Vista, and Windows XP clients.
3. WSHV includes tabs that pertain to configurations for Windows XP, Windows 7, and Windows Vista clients. Select the boxes next to items you want to include as requirements for clients to gain access to RD Gateway. If your company uses Windows XP, Windows 7, and Windows Vista clients, then you need to set requirements on each of the appropriate tabs. When you're done, click OK.
Next, configure the central NPS with RADIUS client information so that connection requests can be received from the RD Gateway servers. You also need to configure the connection, network, and health policies required for RD Gateway to use NAP.
Fortunately, there is a wizard that will perform these duties. The NAP Wizard will do the following.
■ Add specified RD Gateway servers as RADIUS clients.
■ Create a Connection Request Policy that tells the NPS to process connection requests.
■ Create three network policies (RD CAPs): one for compliant computers, one for noncompliant computers, and one for non-NAP-capable computers.
■ Create two health policies that will be referenced by the compliant and noncompliant network policies.
Run the NAP Wizard and do the following.
1. On the central NPS, open the Network Policy Server console and select NPS (Local). From the Standard Configuration section in the middle pane, choose Network Access Protection (NAP) from the drop-down list and click the Configure NAP hyperlink to open the Configure NAP wizard shown in Figure 10-24.
FIGURE 10-24 Choose the type of connection for which you're configuring NAP.
2. From the drop-down list, choose Remote Desktop Services Gateway (RD Gateway). Name your policy and click Next.
3. In the dialog box shown in Figure 10-25, add the RD Gateway servers that will act as NAP RADIUS clients. You should add all RD Gateway servers in the farm, as shown in Figure 10-25.
Add RD Gateway servers by clicking Add and entering the information for an RD Gateway server, as shown in Figure 10-26.
FIGURE 10-26 Add each RD Gateway as an NAP Enforcement server.
Input a friendly name (for example, the FQDN of the RD Gateway server), enter and verify each server's IP address, and type in the shared secret that will be used to join the RADIUS client with the RADIUS server. Click OK. Do this for each RD Gateway server in the RD Gateway farm. Click Next.
NOTE The shared secret that you input here must match the shared secret that you
entered when you configured each RD Gateway server’s remote RADIUS server.
From here, the process is much like creating an RD CAP, with the addition of selecting a WSHV.
4. Next, choose the device redirection settings to apply to the RD Gateway connecting clients and select the authorization methods that they're allowed to use. For example, the dialog box shown in Figure 10-27 is configured to allow password authentication and device redirection, and only allow clients supporting the redirection policies to use RD Gateway. Click Next.
FIGURE 10-27 Configure the client device redirection and authentication methods.
5. On the next page, you can enable idle session timeouts and active session timeouts; this mimics the same settings that are set when creating an RD CAP. Configure these settings to your liking and then click Next.
6. On the next page, configure the user or computer group(s) that you want to allow to use RD Gateway. Click Add User or Add Machine to choose user or computer groups. Click Next.
7. Now, choose the System Health Validator to use with this configuration. In this example, we edited the default Windows Security Health Validator (WSHV) so this is the only one available. It is also selected by default.
NOTE Although Windows Server 2008 R2 comes with only one SHV, the NAP model is
extensible. ISVs can write their own sets of rules to cover conditions not accounted for
in the default health validator.
Also on this page, choose what should happen when computers that are NAP-ineligible attempt to connect. By default, they're denied access, but you can also permit access and log the connection. Click Next to move to the review page.
8. Finally, the wizard will show your options for your review as shown in Figure 10-28. If the RADIUS clients and policies are what you intended, click Finish.
FIGURE 10-28 Review your NAP Enforcement policy settings and RADIUS client configuration settings.
After the NAP Creation Wizard finishes, you will find that it created one connection request policy, three network policies, and two health policies. These policies work together, first to accept connection information from RD Gateway, and then to evaluate whether clients requesting a connection to RD Gateway should be allowed or denied based on the health of the computer from which they are connecting, as well as the computer account and user account from which the client initiates the connection.
Figure 10-29 shows the relationships among these policies. This is what each type of policy does.
■ The Connection Request policy allows RD Gateway to send connection requests to NPS.
■ Each of the three Network Policies contains information on the computer accounts and user accounts from which it accepts connections, as well as specifics on session timeout and device redirection. In other words, a network policy should be very familiar to you—it is what an RD CAP really is.
■ The two health policies—one a “passing” policy, the other a “failing” policy—determine the health of a computer requesting connection to RD Gateway. Using specifications that are set in the WSHV, the connecting client's SoH is evaluated. It will always meet the requirements of one of these policies (that is, it will either pass or fail).
FIGURE 10-29 The relationships of policies created by the NAP Wizard make sure that a remote client will always meet the requirements of one network policy.
NAP clients will always fall into one of three scenarios shown in Figure 10-29. The client will meet the conditions specified in the Compliant or Non-Compliant network policy, or they will not be NAP-capable and therefore meet the condition of the Non-NAP-Capable network policy. The computers that meet the requirements for the Compliant network policy will be given full access to RD Gateway. Those computers that meet the requirements for either of the other two policies will be given the amount of access specified by the NAP Enforcement settings in each network policy respectively. NAP Enforcement settings were configured by
the wizard, but you can tweak them as you see fit. They are located in each network policy on the Settings tab. Select NAP Enforcement.
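The following added example (not the book's code) models in PowerShell the exchange described in steps 1 through 10 and the way the three network policies created by the wizard map a client's health to an access decision, including the remediate-and-retry path. The SoH field names, the "WSHA" labels, the client names, the remediation URL, and the Compliant and Non-NAP-Capable policy names are constructed; only the three WSHV requirements and the Non-Compliant policy name come from the chapter.

```powershell
# Added example, not the book's code: a PowerShell model of the NAP exchange (steps 1-10) and of
# the Compliant / Non-Compliant / Non-NAP-Capable network policies the wizard creates. SoH field
# names, the "WSHA" label, client names and the remediation URL are constructed for illustration.

# The WSHV requirements listed earlier in the chapter, keyed by the SoH field each one inspects
$WshvRequirements = @{
    FirewallEnabled    = 'The computer must have an active firewall'
    AntivirusCurrent   = 'The computer must have current antivirus signatures'
    AntispywareEnabled = 'Spyware protection must be enabled'
}

function New-Ssoh {
    # Client side, steps 1-2: each SHA hands its SoH to the NAP Agent, which packages them into one SSoH.
    # An empty $ShaReports list models a client with no NAP Agent running (non-NAP-capable).
    param([string]$Client, [hashtable[]]$ShaReports = @())
    [pscustomobject]@{ Client = $Client; SoHs = @($ShaReports) }
}

function Invoke-Wshv {
    # Server side, step 6: the SHV checks one SoH against its requirements and returns an SoHR
    param([hashtable]$SoH)
    $failed = @($WshvRequirements.Keys | Where-Object { -not $SoH[$_] } | Sort-Object)
    [pscustomobject]@{
        Sha          = $SoH.Sha
        Compliant    = ($failed.Count -eq 0)
        Failed       = $failed
        Instructions = @($failed | ForEach-Object { $WshvRequirements[$_] })
    }
}

function Invoke-NpsEvaluation {
    # Steps 4-7: unpack the SSoH, run every SoH through its SHV, match a health policy, then pick
    # the network policy (the RD CAP) that references it, and build the SSoHR returned in step 8
    param([pscustomobject]$Ssoh)
    $sohrs = @($Ssoh.SoHs | ForEach-Object { Invoke-Wshv $_ })
    if ($sohrs.Count -eq 0) { $healthPolicy = 'Non-NAP-Capable' }
    elseif (@($sohrs | Where-Object { -not $_.Compliant }).Count -eq 0) { $healthPolicy = 'Compliant' }
    else { $healthPolicy = 'Non-Compliant' }
    # Access and redirection come from the matched network policy's NAP Enforcement settings
    $policy = switch ($healthPolicy) {
        'Compliant'       { @{ Name = 'NAP RD Gateway Compliant';       Access = 'Full'; Redirection = 'All' } }
        'Non-Compliant'   { @{ Name = 'NAP RD Gateway Non-Compliant';   Access = 'Deny'; Redirection = 'None' } }
        'Non-NAP-Capable' { @{ Name = 'NAP RD Gateway Non-NAP-Capable'; Access = 'Deny'; Redirection = 'None' } }
    }
    [pscustomobject]@{
        Client             = $Ssoh.Client
        HealthPolicy       = $healthPolicy
        NetworkPolicy      = $policy.Name
        Access             = $policy.Access
        DeviceRedirection  = $policy.Redirection
        TroubleshootingUrl = if ($policy.Access -eq 'Deny') { 'http://help.ash.local/nap' } else { $null }  # constructed
        Sohrs              = $sohrs
    }
}

function Invoke-ClientRemediation {
    # Steps 9-10 on the client: the NAP Agent unpacks the SSoHR and hands each SoHR to its SHA,
    # which performs the updates the SoHR asks for. Returns the SSoH the client will resubmit.
    param([pscustomobject]$Ssoh, [pscustomobject]$Ssohr)
    foreach ($sohr in $Ssohr.Sohrs) {
        $soh = $Ssoh.SoHs | Where-Object { $_.Sha -eq $sohr.Sha }
        foreach ($field in $sohr.Failed) { $soh[$field] = $true }
    }
    New-Ssoh -Client $Ssoh.Client -ShaReports $Ssoh.SoHs
}

# --- Constructed clients ---
$clients = @(
    (New-Ssoh -Client 'WS01' -ShaReports @{ Sha = 'WSHA'; FirewallEnabled = $true;  AntivirusCurrent = $true; AntispywareEnabled = $true }),
    (New-Ssoh -Client 'WS02' -ShaReports @{ Sha = 'WSHA'; FirewallEnabled = $false; AntivirusCurrent = $true; AntispywareEnabled = $false }),
    (New-Ssoh -Client 'SRV01')   # no NAP Agent, so no SSoH content at all
)
foreach ($ssoh in $clients) {
    $ssohr = Invoke-NpsEvaluation -Ssoh $ssoh
    '{0}: {1} -> {2} (access: {3})' -f $ssohr.Client, $ssohr.HealthPolicy, $ssohr.NetworkPolicy, $ssohr.Access
    if ($ssohr.HealthPolicy -eq 'Non-Compliant') {
        $ssohr.Sohrs | ForEach-Object { $_.Instructions } | ForEach-Object { "  remediate: $_" }
        # Auto-remediation, then the retry described in the chapter: the client now matches Compliant
        $retry = Invoke-NpsEvaluation -Ssoh (Invoke-ClientRemediation -Ssoh $ssoh -Ssohr $ssohr)
        '  retry: {0} -> {1}' -f $retry.HealthPolicy, $retry.NetworkPolicy
    }
}
```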
NOTE You can also create Remediation Server Groups by clicking New Group on this
same screen.
After you create a remediation server group, add it to the NAP RD Gateway Non-Compliant policy by following these steps.
1. Double-click the network policy, select the Settings tab, and select NAP Enforcement.
2. In the Remediation Server Group And Troubleshooting URL section, click Configure.
3. In the resulting dialog box, select the remediation server group from the drop-down list and click OK.
On the network policy Settings NAP Enforcement panel, notice that you can also enter a Troubleshooting URL when you click the Configure button in the Remediation Server Group And Troubleshooting URL section. Add a URL to a website that tells users how to update their machines to come into compliance with the corporate system health policies.
NOTE Although online documentation on whether Windows Server 2008 can be a NAP
client is conflicting, it cannot be a NAP client for RD Gateway using only components that
come with the operating system. This is because the WSHA is not supported on Windows
Server 2008. It is possible that you could integrate a third-party SHV and SHA and then use
Windows Server 2008 as a NAP client for RD Gateway.
NOTE Windows Vista has the NAP client enabled by default. Windows XP SP3 and
Windows 7 do not. Enable it by starting the Network Access Protection Agent service and
then restarting the computer.
Enable the RD Gateway Quarantine enforcement client by adding the NAP Client Configuration snap-in to an MMC. Click Enforcement Agents, right-click the RD Gateway Quarantine enforcement client, and click Enable. An easier way to do this is to open an elevated command prompt and run this command.
NOTE There is no NAP Client Configuration snap-in for Windows XP, so enable the RD
Gateway Quarantine enforcement client by using the command line.
Add the RD Gateway to the Trusted Gateways list by opening Regedit.exe and navigating to HKLM/SOFTWARE/Microsoft/Terminal Server Client/TrustedGateways. Add a new string value called GatewayFQDN. Then double-click GatewayFQDN and enter the FQDN name of the RD Gateway.
Easier yet, Microsoft provides a script that performs all these tasks. Download the text file Tsgqecclientconfig.txt (http://www.microsoft.com/downloads/details.aspx?familyid=cb986639-20e5-4f16-8e48-be68d23dc888&displaylang=en) and rename it Tsgqecclientconfig.cmd. You will need to run the script with elevated privileges. Open an elevated command prompt, navigate to the directory where the script resides, and type tsgqecclientconfig <RD Gateway FQDN>. Successful results look like this.
tsgqecclientconfig.cmd rdgateway.ilove2ski.net
Setting the list of trusted TS Gateway servers to rdgateway.ilove2ski.net ...
The operation completed successfully.
Enabling the TS Gateway Quarantine Enforcement Client
The operation completed successfully.
Setting the Network Access Protection service startup type to Automatic...
[SC] ChangeServiceConfig SUCCESS
Starting the Network Access Protection service...
The Network Access Protection Agent service is starting.
The Network Access Protection Agent service was started successfully.
ON THE COMPANION MEDIA The link to the Tsgqecclientconfig file is also located
on the companion media.
NOTE Some NPS-related events are listed in the System Event log, but most connection-
related event logs are located in the Security Event log.
FIGURE 10-30 If your computer does not comply with NAP health policies, you will see this error message when attempting to connect.
FIGURE 10-31 The WSHV will send instructions to the NAP Agent to get it to enable the Windows Firewall.
NOTE If you do not see this message on the client, open a command prompt and run
Napstat.exe to invoke the NAP Agent.
If the NAP Agent is successful, it will report that it has updated the computer and that the computer is now NAP-compliant, as shown in Figure 10-32.
FIGURE 10-32 After the client is updated and is NAP compliant, the user can try the connection request again.
After the client has been updated and made compliant with the health policies, then the user can retry the connection. This time, the computer will match the NAP-Compliant network policy and the client will be able to connect to RD Gateway. Because the health policy is part of the connection policy, the RD Gateway will just have to check its RD RAPs before permitting the final connection.
problem between the RADIUS client and server might exist. To determine the real reason for
a blocked connection, correlate the event logs in these three Event Viewer log places:
■ In the RD Gateway server log located at Application Logs and Security/Microsoft/
Windows/Terminal Services-Gateway/Operational. The denied connection will show
up in this log as Event ID 201. You can see who tried to log on and generally why they
were denied. Correlate this with the following Security log located at Windows Logs/
Security. Look for Audit Failure log entries (event IDs 6273 and 6274) that correspond
to the attempted logon time. Scroll to the bottom of these logs to find a reason code
and a reason for the blocked connection.
■ In the NPS Event Viewer. Check the System log for events with a source of NPS. For
instance, if your RADIUS clients have dual NICs and they start communicating with the
NPS from the wrong one (meaning that they are using an IP address not specified in
the RADIUS Client field in the NPS Console), you will see Event ID 13 in your event logs.
The user "ASH\kristin.griffin", on client computer "10.10.10.1", did not meet resource
authorization policy requirements and was therefore not authorized to resource
"humpback.ash.local". The following error occurred: "23002".
Connecting from a Windows XP client will also result in Event 301 being logged in the
Operational log, but notice that the resource name is the downlevel DNS name of the redirector:
The user "ASH\hao.chen", on client computer "10.10.10.1", did not meet resource
authorization policy requirements and was therefore not authorized to resource
"humpback-vmredir". The following error occurred: "23002".
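The correlation described above (an Event ID 201 denial in the RD Gateway Operational log lined up against the NPS Audit Failure events 6273 and 6274 that were written around the same time) can be done from PowerShell instead of scrolling through Event Viewer. This is an added example, not code from the book: the log locations and event IDs are the ones the text names; the exact channel name string, the five-minute matching window and the "Reason Code:" pattern searched for in the NPS message are assumptions to confirm on your build. Run it as an administrator on the server that holds both logs.

```powershell
# Added example, not from the book. Log names/IDs are from the text; the
# channel string, time window and message pattern are assumptions.
function Get-RdGatewayDenial {
    param(
        [int]$Hours = 24,          # how far back to look
        [int]$WindowMinutes = 5    # how close an NPS event must be to a denial
    )
    $since = (Get-Date).AddHours(-$Hours)
    $gwLog = 'Microsoft-Windows-TerminalServices-Gateway/Operational'

    $denials = @(Get-WinEvent -FilterHashtable @{ LogName = $gwLog; Id = 201; StartTime = $since } `
                  -ErrorAction SilentlyContinue)
    $npsFail = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273, 6274; StartTime = $since } `
                  -ErrorAction SilentlyContinue)

    foreach ($d in $denials) {
        $lo = $d.TimeCreated.AddMinutes(-$WindowMinutes)
        $hi = $d.TimeCreated.AddMinutes($WindowMinutes)
        $nearby = $npsFail | Where-Object { $_.TimeCreated -ge $lo -and $_.TimeCreated -le $hi }

        # The reason code and reason text sit near the bottom of the NPS event
        # message, which is where the text tells you to look in Event Viewer.
        $reasons = foreach ($e in $nearby) {
            $code = ''; $text = ''
            if ($e.Message -match 'Reason Code:\s*(\d+)') { $code = $Matches[1] }
            if ($e.Message -match 'Reason:\s*(.+)')        { $text = $Matches[1].Trim() }
            "$($e.Id) code=$code $text"
        }

        New-Object PSObject -Property @{
            DeniedAt   = $d.TimeCreated
            Gateway    = ($d.Message -split "`r?`n")[0]   # first line: who was denied and why
            NpsReasons = ($reasons -join '; ')
        }
    }
}

Get-RdGatewayDenial -Hours 48 | Format-List
```

If the NPS role lives on a different server than RD Gateway, run the function twice with -ComputerName support added to the two Get-WinEvent calls, or export both logs and point the function at the files; the matching logic stays the same.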
Identifying NAP Errors
Connections that are blocked due to NAP policies are fairly straightforward. The log files are
found in two places:
■ On the NPS, open Event Viewer, expand Custom Views/Server Roles, and click Network
Policy And Access Services. This custom event log view contains all the event logs
pertaining to NPS, including accounting events that occur on this server.
■ By default, NPS logs accounting and authentication requests to a log file located at
%SystemRoot%\System32\LogFiles. To adjust which events are logged or other settings
such as the log location, open the Network Policy Server console, click Accounting, and
then click the Configure Local File Logging link.
If you are having problems with your NAP health policy setup or remediation, the following
troubleshooting tips can help:
■ If your clients match only the NAP-Non-Capable network policy and they are really
NAP-Capable clients, and your NAP client setup is correct, then you might have missed
configuring each RD Gateway to request clients to send an SoH. Because no SoH is
sent, the client is seen as Non-NAP-Capable. To fix this, on each RD Gateway server,
in the RD Gateway Manager, right-click the server and select Properties. Navigate to
the RD CAP Store tab and make sure that the Request Clients To Send A Statement of
Health check box is selected.
■ Running the Napstat.exe command at a command prompt shows the current NAP
Agent status on the client. You can use this to see exactly what the NAP Agent is
accomplishing when the client attempts to connect to a remote desktop resource.
■ Use the following commands on each client to make sure that the NAP client
configuration is correct:
• netsh NAP client show state Tells you if the NAP agent service is running. It
should be. If it is not, then enable the service.
• netsh NAP client show group If you used Group Policy to set up the NAP client
configuration, verify that the enforcement client is enabled via Group Policy by
running this command. The enforcement client should return the following data:
• netsh nap client show config If you manually set up the NAP client configuration,
verify that the enforcement client is enabled via the local policy by running this
command. The enforcement client should return the following data:
■ NAP client event logs could show you errors to help you correct client-side NAP issues.
The NAP client event logs are located at Application and Services Logs/Microsoft/
Windows/Network Access Protection/Operational.
■ If the client NAP Agent is configured correctly and your network policies are working
except for auto-remediation, check to see if you have both enabled auto-remediation
and set a remediation server group and troubleshooting URL in the noncompliant
policy. You cannot have a URL set and have auto-remediation work at the same time.
■ Look in the System and Security Event Logs on the NPS for events pertaining to
successful and declined connections.
■ For auto-remediation to work, the client must be able to modify the firewall and other
security settings. Make sure that Group Policy is not blocking the client from taking
remediation action.
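When a help desk has to walk through the client-side checks in the list above on many machines, it helps to collect them into one report: the NAP Agent service state, the three netsh views, and recent errors from the NAP client Operational log. The following is an added example, not code from the book. The commands and the log location are the ones listed above; the channel name string used for Get-WinEvent, the output file name and the error/warning level filter are assumptions. Run it from an elevated prompt on the client.

```powershell
# Added example, not from the book. Commands and log location are from the
# text; the channel string, output path and level filter are assumptions.
function Get-NapClientReport {
    param(
        [int]$Hours = 24,
        [string]$OutFile = "$env:TEMP\nap-client-report.txt"   # placeholder path
    )
    $lines = @()
    $lines += "NAP client report for $env:COMPUTERNAME at $(Get-Date)"

    # The NAP Agent service must be running for any enforcement client to work.
    $svc = Get-Service -Name 'napagent' -ErrorAction SilentlyContinue
    if ($svc) {
        $mode = (Get-WmiObject Win32_Service -Filter "Name='napagent'").StartMode
        $lines += "NAP Agent service: $($svc.Status), startup type $mode"
    } else {
        $lines += 'NAP Agent service: not installed'
    }

    # The three netsh views the text asks you to check, captured verbatim.
    foreach ($view in 'state', 'group', 'config') {
        $lines += ''
        $lines += "=== netsh nap client show $view ==="
        $lines += (netsh nap client show $view)
    }

    # Recent errors and warnings from the NAP client Operational log.
    $lines += ''
    $lines += '=== NAP client Operational log (errors and warnings) ==='
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NetworkAccessProtection/Operational'
        Level     = 2, 3          # 2 = Error, 3 = Warning
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    if ($events) {
        $lines += $events | ForEach-Object {
            '{0} [{1}] {2}' -f $_.TimeCreated, $_.Id, (($_.Message -split "`r?`n")[0])
        }
    } else {
        $lines += '(none)'
    }

    $lines | Set-Content -Path $OutFile
    return $OutFile
}

Get-NapClientReport
```

The report file is what a user can attach to a ticket; the person reading it checks that the service is Running and Automatic, that the enforcement client shows as enabled in the group or config view (whichever source you used to configure it), and that the log section does not show the client being evaluated as non-NAP-capable.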
NOTE Regardless of whether you place the RD Web Access server in a perimeter network
or on the internal network, it’s a good idea to replace the self-signed SSL certificate on the
RD Web Access server with one signed by a public CA so that users can continue to have an
encrypted session with the website and also be able to trust the certificate without having
to manually add the website SSL cert to their trusted root store. As explained in Chapter 4,
“Deploying a Single Remote Desktop Virtualization Host Server,” a fresh install of the RD
Web Access website will configure the site as a secured site, using a self-signed SSL certifi-
cate. Although this is fine for testing, using self-signed certificates is not recommended in
production environments.
RD Gateway also uses SSL certificates to encrypt communication. We recommend SSL
certificate options for both RD Gateway and RD Web Access, depending on their location in
the network.
If you have a perimeter network, then it is wise to place the RD Web Access server in the
perimeter to minimize your attack surface. That way, if your web server is compromised, your
internal network will not be. You can also put RD Web Access in the internal network and
publish the website through ISA/TMG or another firewall appliance. You can configure the RD
Web Access website to have the same URL for both internal and external access, or create a
separate URL for internal and external use.
If both internal and external users get RemoteApp programs from RD Web Access, you can
provide the same external URL to people connecting from inside and outside the network.
External users will resolve the URL through public DNS servers. For internal users to resolve
this external URL, you will need to take one of the following approaches, split DNS or DNS
doctoring, as follows:
■ Split DNS creates a zone in your internal DNS servers for the external domain. You add
an entry that maps the external DNS name to the internal IP address of the RD Web
Access site.
■ At a high level, DNS doctoring maps internal and external addresses (you’ll need to make
sure your firewall supports this). An internal network client connects to an external DNS server
for DNS resolution, and the external DNS server responds to the query. The firewall sees that
the external DNS resolution IP address really translates to an IP address on the internal network.
The firewall intercepts the DNS resolution response from the external DNS server and
replaces it with the internal address.
The common name of your SSL certificate should reflect the external name of the website as follows:
■ Obtain a regular SSL certificate with the common name in the form <external-DNS-
hostname>.<external-domain-name>.<top-level-domain-name>. For example,
rdweb.ilove2ski.net.
■ You could also use a wildcard SSL certificate with a common name reflecting the
external domain space, such as *.ilove2ski.net.
NOTE To save money, you can get a wildcard certificate that references the external
domain name space and use it for both RD Gateway and RD Web Access, as well as to sign
RemoteApps.
Alternatively, you could set up the RD Web Access server to use one URL for internal use
and one for external use. To accomplish this, you can obtain a Subject Alternative Name (SAN)
certificate. A SAN certificate (also known as a Unified Communications Certificate, or UCC
certificate) contains multiple subjects. When you apply the SAN certificate to the website, the
certificate will match both internal and external URLs, so a user won’t get warning messages
when trying to connect. For instance, in this example, the test environment internal domain
name is Ash.local, but for users outside the internal network, the domain name Ilove2ski.net is
used. So you would use a SAN SSL certificate on the RD Web Access website with the following
two subjects: Apps.ash.local and Rdweb.ilove2ski.net.
SAN certificates are more expensive. If your budget will not accommodate a SAN
certificate, you could use a standard SSL certificate (with one common name), allow HTTP and
HTTPS access to the website, and then block port 80 at the firewall. This means that internal
users could access an internal unencrypted HTTP address (no SSL certificate needed), and
external users would still have to use an encrypted HTTPS address. Of course, this assumes
that your company security policy allows unencrypted access to intranet sites from inside the
corporate network.
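Requesting the SAN certificate described above is a matter of building a certificate request whose Subject Alternative Name extension carries both the internal and the external name. The following is an added example, not code from the book: it writes a certreq .inf file for the two subjects the text uses (Apps.ash.local and Rdweb.ilove2ski.net), generates the request with certreq, and dumps the request so you can confirm both DNS names are present before sending it to a public CA. The INF layout follows certreq's documented format; the organization and country values and the file paths are placeholders to replace with your own. Run it elevated on the RD Web Access server, then complete the returned certificate with certreq -accept and bind it to the site in IIS.

```powershell
# Added example, not from the book. Subject names are the book's example
# names; O=/C= values and file paths are placeholders.
$internalName = 'apps.ash.local'
$externalName = 'rdweb.ilove2ski.net'
$infPath = "$env:TEMP\rdweb-san.inf"
$csrPath = "$env:TEMP\rdweb-san.req"

# certreq request template: 2048-bit RSA key in the machine store, server
# authentication EKU, and a SAN extension (OID 2.5.29.17) listing both names.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$externalName, O=Example Org, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$externalName&"
_continue_ = "dns=$internalName"
"@

Set-Content -Path $infPath -Value $inf -Encoding ASCII
certreq -new $infPath $csrPath

# Verify both names made it into the request before submitting it to the CA.
certutil -dump $csrPath | Select-String 'DNS Name='
```

The common name is set to the external name so that older clients that ignore the SAN extension still match the public URL; the internal name is carried only in the SAN list, which is where current RDP and browser clients look first. Because the key is generated with Exportable = FALSE, the private key stays on this server, which is the right default for a public-facing site.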
NOTE See the Additional Resources at the end of this chapter for links to information on
DNS doctoring and SAN/UCC certificates.
NOTE See the Direct from the Source sidebar entitled “TMG and RD Gateway Topology
Scenarios” later in this chapter for information on protecting RD Gateway positioned in the
internal network.
[Figure: a remote client reaches RD Gateway on the internal network through an SSL tunnel on port 443 (port 443 open); RD Gateway, alongside AD DS, opens RDP sessions on port 3389 to internal resources.]
[Figure: a remote client reaches RD Gateway in the perimeter network through an SSL tunnel on port 443, with port 443 open in the firewall.]
FIGURE 10-34 RD Gateway can be positioned in the perimeter network.
If you decide to position RD Gateway in the perimeter network, bear in mind that for RD
Gateway to create RD CAPs that refer to domain accounts, it has to be able to communicate
with AD DS. Otherwise, your users will have to present their credentials more often. They’ll
have to authenticate once to RD Gateway (placed in a workgroup with local accounts) and
then again when RD Gateway allows the user to access an internal resource.
If you decide to provide RD Gateway in the perimeter network with access to AD DS, it’s
possible to do this without directly exposing AD DS to threats. For example, you can create a
separate forest in the perimeter network, and create a one-way trust between the perimeter
network AD DS and the internal corporate AD DS. You can also place a read-only domain
controller in the perimeter network.
In these scenarios, you need to open specific ports to allow the needed traffic to pass
between the perimeter network and the internal network. Refer to the following blog post
(also included on the companion media) for information on firewall rules and port access
needs with regards to RD Gateway in the perimeter network: http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
There are several network topologies that work for using TMG or ISA as an HTTP/
HTTPS bridge for RD Gateway.
Model 2: TMG as Back-end Firewall
In this model, TMG is the back-end firewall. This scenario is more popular in small to
mid-sized companies. TMG performs the role of internal network edge firewall and
also bridges incoming SSL traffic destined for RD Gateway on the internal network
(see Figure 10-36). The benefit of this model is that companies don’t have to invest
in an extra firewall to create a perimeter network. It’s also worth mentioning that
ISA/TMG has had no documented exploits and has had fewer than 10 fixes in the
history of the product’s existence, so TMG is a good firewall solution.
[Figure: a remote client connects over an SSL tunnel on port 443 (port 443 open) to Microsoft Threat Management Gateway 2010 (X.X.X.100) on the DMZ switch in the perimeter network (X.X.X.1, X.X.X.2); TMG bridges the traffic to RD Gateway and AD DS on the internal network, where RDP sessions run on port 3389.]
FIGURE 10-35 TMG can be positioned in the perimeter network.
[Figure: a remote client connects over an SSL tunnel on port 443 (port 443 open) through the perimeter network DMZ switch (X.X.X.1, X.X.X.2) to Microsoft Threat Management Gateway 2010 acting as the internal edge; TMG bridges to RD Gateway (Y.Y.Y.100) on the internal network, where RDP sessions run on port 3389.]
FIGURE 10-36 TMG can act as the internal network edge firewall and can also bridge RD
Gateway traffic.
[Figure: a remote client connects over an SSL tunnel on port 443 (port 443 open) to Microsoft Threat Management Gateway 2010 on the internal network; TMG inspects the traffic and bridges it to RD Gateway, alongside AD DS, where RDP sessions run on port 3389.]
FIGURE 10-37 TMG can be positioned in the internal network and still inspect and bridge
traffic to RD Gateway.
ON THE COMPANION MEDIA These links are also available on the companion
media.
Summary
One of the great values of RDS is that it enables people to work normally over the Internet.
RD Gateway is an RDS role service that makes it possible to do this securely. This chapter has
introduced you to a number of best practices for implementing RD Gateway:
■ Load-balance RD Gateway servers to increase gateway uptime.
■ When using an RD Gateway farm, centralize the RD CAP and RD RAP sources to
simplify configuration. If centralizing isn’t possible for some reason, use the export and
import capabilities on the RD Gateway servers to maintain servers with identical
settings.
■ Enable server affinity to keep all SSL connections for a single session on the same RD
Gateway server and to reduce the risk that a downed server will take down the session.
■ Use NAP to conduct client system health checks and to determine if a client is
compliant with company system health standards before it connects to the network using RD
Gateway.
Additional Resources
The following resources are related to topics covered in this chapter. You can find the links
and scripts on this book’s companion media. A lot of the information in this chapter has
focused on the various conditions under which connections are made, and you’ll see resources
here related to that as well.
■ For more information on RD Gateway availability, configuration, and connection Event
ID codes and possible resolutions, see http://technet.microsoft.com/en-us/library
/ee891285%28WS.10%29.aspx.
■ For more information on TMG network topology, see http://technet.microsoft.com
/en-us/library/dd896975.aspx.
■ For more information on configuring RD Gateway with TMG/ISA Server, see
http://technet.microsoft.com/en-us/library/cc731353(WS.10).aspx.
■ Microsoft has made a script available to help configure ISA Server for use with RD
Gateway. Information about this script can be found at http://blogs.msdn.com/b/rds
/archive/2010/01/08/publish-rd-gateway-on-an-isa-server-using-a-script.aspx.
■ To learn more about NAP, see Windows Server 2008 Networking and Network Access
Protection (NAP), by Joseph Davies and Tony Northrup with the Microsoft Networking
Team, available at http://www.microsoft.com/mspress/books/11160.aspx.
■ For the NAP client configuration tool (Tsgqecclientconfig.cmd), go to
http://www.microsoft.com/downloads/details.aspx?familyid=cb986639-20e5-4f16-8e48-
be68d23dc888&displaylang=en.
■ “Remote Desktop Services Gateway Server Protocol Routing Specification” is available
for download from http://msdn.microsoft.com/en-us/library/cc248485.aspx.
■ “Windows Security Health Agent (WSHA) and Windows Security Health Validator
(WSHV) Protocol Specification” is available for download from
http://msdn.microsoft.com/en-us/library/cc215773.aspx.
■ “Statement of Health for Network Access Protection (NAP) Protocol Specification” is
available for download from http://msdn.microsoft.com/en-us/library/cc212976.aspx.
■ For more information on the Microsoft Root Certificate Program and certificates in
general, see Chapter 9, “Multi-Server Deployments.”
■ Refer to the section entitled “Transport Layer Security” in Chapter 8, “Securing Remote
Desktop Protocol Connections,” to see how SSL encryption works.
■ To see how to force RDCs initiated from RD Web Access to use RD Gateway, see the
section entitled “Force RDC Connections Through RD Gateway via RD Web Access” in
Chapter 9.
■ Refer to the companion media for a script to add RD RAP user groups called
Add-RDRAP-UserGroup.ps1.
■ To understand RD Gateway deployment in a perimeter network and what firewall rules
you will need to implement, see http://blogs.msdn.com/b/rds/archive/2009/07/31
/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx.
■ For an introduction to Network Access Protection, see http://technet.microsoft.com
/en-us/network/cc984252.aspx.
■ For information on NAP server side architecture, go to http://msdn.microsoft.com
/en-us/library/cc895519(v=VS.85).aspx.
■ For information on NAP client architecture, go to http://msdn.microsoft.com/en-us
/library/aa369702(VS.85).aspx.
■ For more information on deploying RD Gateway with NAP, see http://blogs.msdn.com
/b/rds/archive/2009/08/17/deploying-rd-gateway-r2-server-with-nap.aspx# Steps to
configure 2
■ More information on configuring the RD Gateway NAP scenario is provided at
http://technet.microsoft.com/en-us/library/cc732172(WS.10).aspx.
■ Information on NAP Client Configuration can be found at http://technet.microsoft.com
/en-us/library/cc754803.aspx.
■ Quick fixes for NAP can be found at http://technet.microsoft.com/ru-ru/library
/dd348494%28WS.10%29.aspx.
■ For a description of the Remote Desktop Connection 7.0 client update for Remote
Desktop Services (RDS) for Windows XP SP3, Windows Vista SP1, and Windows Vista
SP2, as well as download links, see http://support.microsoft.com/kb/969084.
■ Information on improving RD Gateway availability using NLB can be found at
http://blogs.msdn.com/b/rds/archive/2009/03/24/improving-ts-gateway-availability-
using-nlb.aspx.
■ For information on customizing RD Gateway authentication and authorization
schemes, see http://blogs.msdn.com/b/rds/archive/2010/01/06/customizing-rd-gate-
way-authentication-and-authorization-schemes.aspx.
CHAPTER 11
■ Organizing Servers and VMs in the Remote Desktop Services Manager 600
Previous chapters in this book explored how to set up and configure a Remote
Desktop (RD) Session Host server and the supporting roles. Setting up the RD Session
Host server puts users in a position to log on and use it, but administrators need a
tool to keep track of what those users are doing and to help them, if necessary. That tool
is the Remote Desktop Services Manager.
This chapter will explore how to use the session management tools, both command-
line and graphical, to view and interact with running sessions. This chapter discusses:
■ The tools available in Windows Server 2008 R2 to help you manage sessions
■ How to find and manage sessions on an RD Session Host server
■ How to find and manage processes on an RD Session Host server
■ How to get remote control of user sessions
■ How to create custom server management groups in the Remote Desktop Services
Manager
■ How to use the command-line tools, scriptable interfaces, and Windows
PowerShell to get information the graphical user interface (GUI) doesn’t offer
Introducing RD Session Host Management Tools
Windows Server 2008 R2 has a set of tools for managing user sessions: the Remote Desktop
Services Manager GUI and command-line tools to supplement it and enable scripting. Before
delving into their usage, let’s take a quick tour so that you can see what’s possible.
HOW IT WORKS
Many people can use an RD Session Host server at the same time and can all be
logged onto the same computer. Therefore, it’s possible to aggregate information
about processes and logons to individual sessions on a per-user basis. But while one
RD Virtualization Host supports multiple VMs, the RD Virtualization Host does not
see processes in each VM. You have to go to each VM for this information. If you
know the server name and user name, you can control VMs remotely, disconnect or
log off VM sessions, and even terminate processes in individual VMs, but you can’t,
say, terminate every instance of Sol.exe that’s running on an RD Virtualization Host
just by choosing to kill the process on that server.
Similarly, one VM has only one session so you might as well address users by name
as by session ID. A user could have more than one session on an RD Session Host,
but there’s always a 1:1 mapping of users to sessions on a pooled or personal VM.
In short, most tools work for managing pooled and personal VMs as long as you’re logged
on to a session on an RD Session Host server to use the management tools. This chapter
covers these tools in terms of managing RD Session Host sessions, but understand that these
processes will work for pooled and personal VMs, too, and the chapter will note explicitly
when they do not. However, be aware that the way you’ll interact with a VM differs from how
you’ll interact with a session. For example, you might be checking an RD Session Host server
to figure out if the amount of user sessions is causing a slowdown in user experience, but this
would not be an issue for a pooled or personal VM.
The Remote Desktop Services Manager
Let’s start by getting oriented. After you install the RDS role, the Remote Desktop Services
Manager tool in Figure 11-1 is accessible by browsing to Start, All Programs, Administrative
Tools, Remote Desktop Services, and finally Remote Desktop Services Manager. Using this
tool, you can:
■ Display real-time data about current users, sessions, and processes
■ Monitor, disconnect, and reset sessions
■ View or interact with a user’s session
■ Send messages to users
■ Terminate sessions and log off users
FIGURE 11-1 Use the Remote Desktop Services Manager to manage sessions on RD Session Host servers
and pooled and personal VMs.
The left pane displays the available RD Session Host servers; by default, it will display only
the server that you’re currently logged on to, but you can add more. Although you can
manage only one server at a time (you can’t, for example, kill all instances of Sol.exe running in
the farm from this tool), you can add more servers and even pooled and personal VMs. You’ll
learn about how to do this later in this chapter, in the section entitled “Organizing Servers and
VMs in the Remote Desktop Services Manager.”
The center pane displays the information for the currently selected server, including
connected users, the sessions on the server, and the processes running on the server. Some of
this data might be redundant, as it’s just different ways of displaying data about the people
logged on to the RD Session Host server, what they’re doing there, and which sessions are
open. It’s different ways of looking at the same data.
The right pane displays the context-sensitive actions that you can take depending on the
item you’ve selected in the left or center panes.
The Users tab contains current data pertaining to the users connected to the RD Session
Host server and the associated sessions, as shown in Table 11-1.
TABLE 11-1 Data on the Users Tab of the Remote Desktop Services Manager
DATA DESCRIPTION
Much of the data located on the Sessions tab (see Table 11-2) mimics the data on the Users
tab. However, the Sessions tab displays a few more session details, allowing you to view the
protocol used to connect to the RD Session Host server (if applicable) and the names of the
computers that users connect from (if the session is active).
TABLE 11-2 Data on the Sessions Tab of the Remote Desktop Services Manager
DATA DESCRIPTION
The Processes tab (see Table 11-3) displays details about the processes currently running
on each server, the associated sessions, and the users who invoked them.
TABLE 11-3 Data on the Processes Tab of the Remote Desktop Services Manager
DATA DESCRIPTION
The Remote Desktop Services Manager displays similar information in many different ways
to support various starting points that you might take to gather needed information. For
example, if user Kim Akers has a problem with a program freezing or otherwise misbehaving
in her session, you can use the Processes tab to stop the process and be sure that you picked
the instance that belongs to her. If Kim needs help with her session, you can highlight the root
of the Remote Desktop Services Manager to find out which server she is logged on to, shadow
her session, and assist her. Fundamentally, though, the information that you can get about
sessions is pretty straightforward: which users are logged on, whether they’re using their session,
which applications they’re running, and which RD Session Host server they’re connected to.
When you understand what information you can get from the Remote Desktop Services
Manager, you can answer many questions even if the GUI doesn’t anticipate them. For
example, you can find out how many users are logging on during a particular interval in the
morning or how many people are using a particular application. Knowing either of these
pieces of information, you can take appropriate action: end processes, terminate sessions,
or connect to a user’s session to help him or her out. Going outside the Remote Desktop
Services Manager, you could even use the information you get here to prompt you to
purchase more licenses or add more servers, just to meet increasing demand.
This chapter will cover all the actions that you can perform using the Remote Desktop
Services Manager. However, when you automate queries or changes, you’ll want to know
about the command-line tools and sometimes combine them with scripting such as Windows
PowerShell or VBScript. Unfortunately, the GUI does not always refresh well, even in a small
farm. To get the most reliable information about session status, the command-line tools
might be more reliable.
ON THE COMPANION MEDIA You can run the Remote Desktop Services
Manager tool from Windows 7 (Professional, Enterprise, or Ultimate editions only)
with the Remote Server Administration Tools (RSAT), which includes both the
Remote Desktop Services Manager and Remote Desktops. Download RSAT for
Windows 7 from the Microsoft website at http://www.microsoft.com/downloads
/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en.
DIRECT FROM THE SOURCE
If you right-click an active remote connection in the Sessions or Users tab, you’ll
see a Status option in the context-sensitive menu. Click it, and you’ll see a dialog
box like the one shown in Figure 11-2.
FIGURE 11-2 Examine a session’s status to expose more details about a remote session, such as
client color depth.
You can learn the following information from this dialog box.
● The User Name field, populated only when you open the Status dialog box
from the Sessions tab, shows the name of the currently logged in user.
● Network Adapter tells you the name of the network adapter the user is
connected to on the RD Session Host server. The information here will match
what’s in the Remote Desktop Session Host Configuration/RDP-Tcp/Network
Adapter tab.
● Client Address tells you the client’s Internet Protocol (IP) address for local
connections. If the connection was started through RD Gateway, this address
will not display.
● Client Build Number tells you the build number of the client operating
system.
● Client Directory points you to the location on the client where the dynamic-
link library (DLL) supporting the RDP client is stored.
● Client Color Depth indicates the color depth used in the RDP session.
● Encryption Level shows you the encryption setting managed through Group
Policy or in RD Session Host Configuration, showing not the actual encryption
setting but the option that the client sets as the encryption level.
● Client Resolution shows the resolution of the remote session.
● The Input/Output Status section shows the traffic passing between the remote
session and the client.
Notice that a couple of the settings that you can see in the dialog box were left out
of this list. Both the Client Hardware ID and the Client Product ID are hard-wired
fields that will be the same for all clients. (They’re here for legacy reasons.) There-
fore, they don’t give you any useful information.
Apart from those two fields, however, this dialog box shows you some information
about the client experience that you can’t get anywhere else. Want to understand
why users are saying that their application looks grainy? Check the screen resolu-
tion here. Need to know the IP address that a client is using to connect to the RD
Session Host server? Check it here. Beta-testing a new version of the client operat-
ing system? You can tell who’s using the beta version by checking the build number.
You can even use the Input/Output Status data to confirm that a session is not
frozen; when the user moves the mouse, the number of incoming and outgoing
bytes should update.
Command-Line Tools
In addition to the graphical tools, Windows Server 2008 R2, like previous versions of Windows
Server, has command-line tools that you can use to view session information, manage a
session’s contents, control a user’s session remotely, and so forth. These command-line tools are
built on the same interfaces as the graphical tools, so any information you get from one (for
example, Process ID) can be used in another.
Both Windows Server 2008 R2 and Windows 7 support the Remote Desktop Services
command-line tools; these tools are part of the operating system. Table 11-4 lists the
available command-line tools.
TABLE 11-4 Remote Desktop Services Command-Line Tools
COMMAND DESCRIPTION
change logon or chglogon    Enable, disable, drain, or query information about logons
from sessions on an RD Session Host server.
change port or chgport    List or change the COM port mappings to be compatible
with MS-DOS applications.
logoff    Log off users and delete their session from the RD Session
Host server.
msg    Send a message to a user or multiple users on an RD Session
Host server.
query process or qprocess    Display information about all the processes currently
running on an RD Session Host server.
query session or qwinsta    Display information about sessions on an RD Session Host
server.
query termserver or qappsrv    List all the RD Session Host servers on a network.
query user or quser    Display information about the users connected to an RD
Session Host server.
reset session or rwinsta    Terminate a session on an RD Session Host server.
shadow    Enable an administrator to view or interact with an active
session of another user remotely on an RD Session Host
server. You must run this command from within an RDP
session on an RD Session Host for it to work.
tscon    Connect to another session on an RD Session Host server
(you have to be in a remote session to connect to another
remote session).
tsdiscon    Disconnect a session from a server.
tskill    Terminate a process running on an RD Session Host
server. You can identify the process by image name or
Process ID.
tsprof    Copies the Remote Desktop Services user profile from
one user to another. This command-line tool is not
available for Windows 7, and although it is available for
Windows Server 2008 R2, it does not work. It was used in
previous versions of Terminal Services.
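Because these tools are built on the same interfaces, the session ID that query session prints is the value that logoff, tsdiscon, and reset session expect. The text output has to be parsed before a script can use it, and the following added example (not code from the book, and not part of any Microsoft tool) does that for the output of query session (qwinsta): it converts each line into an object with SessionName, UserName, Id, State, and Type properties so that the ID can be handed to the other tools without reading it off the screen. The column layout assumed is that of the Windows Server 2008 R2 tool; the sample output in the block is constructed for illustration and is not a real capture.

```powershell
# Added example, not from the book. Parses "query session" / qwinsta text
# output into objects. Column layout assumed from the 2008 R2 tool.
function ConvertFrom-QuerySession {
    param([string[]]$Text)
    # Column one is '>' for the caller's own session, otherwise a space.
    # SESSIONNAME and USERNAME may be blank (listeners, disconnected
    # sessions); ID is always numeric, STATE always present, TYPE/DEVICE optional.
    $pattern = '^(?<cur>[> ])(?<name>\S*)\s+(?<user>\S*?)\s*(?<id>\d+)\s+(?<state>\S+)(?:\s+(?<type>\S+))?(?:\s+(?<device>\S+))?\s*$'
    foreach ($line in $Text) {
        if ($line.Trim() -eq '' -or $line -match '^\s*SESSIONNAME') { continue }   # blank or header
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                SessionName = $Matches['name']
                UserName    = $Matches['user']
                Id          = [int]$Matches['id']
                State       = $Matches['state']
                Type        = $Matches['type']
                Current     = ($Matches['cur'] -eq '>')
            } | Select-Object SessionName, UserName, Id, State, Type, Current
        }
    }
}

# Constructed sample in the tool's layout (not a real capture).
$sample = @'
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
>console           administrator             1  Active
 rdp-tcp#0         kim.akers                 2  Active  rdpwd
                   hao.chen                  3  Disc
 rdp-tcp                                 65536  Listen
'@ -split "`r?`n"

$sessions = ConvertFrom-QuerySession -Text $sample

# Disconnected sessions that still belong to a user: the ones an administrator
# would review before passing their Id to logoff or reset session.
$sessions | Where-Object { $_.State -eq 'Disc' -and $_.UserName }

# On a live RD Session Host, feed the real tool's output instead of the sample:
#   ConvertFrom-QuerySession -Text (query session)
```

The regex takes the ID from the first run of digits that is followed by a state word, which is what keeps a blank user name (the services and listener rows) from shifting the columns. Once the rows are objects, the same Where-Object filter works against query session output from several servers, which is the kind of cross-server question the Remote Desktop Services Manager GUI cannot answer on its own.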
The following command-line tools were removed in Windows Server 2008:
■ tsshutdn This command was used to shut down a terminal server. Use the shutdown command instead.
■ register This command was used to register a program.
■ cprofile This command was used to remove wasted space in a user profile and to delete file associations from the registry that were made to certain applications.
NOTE For those who like working in Windows PowerShell, Shay Levy, a Windows
PowerShell MVP, built a Terminal Services PowerShell Module to help manage and monitor
RDS sessions and processes. Download the module at http://code.msdn.microsoft.com
/PSTerminalServices. The Uniform Resource Locator (URL) is located on the companion
media. This tool is good for programmatically interacting with sessions or gathering
information from multiple machines.
There are many command-line utilities to manage Remote Desktop Services from the command line. The major drawback of these utilities is that they output the result in text; you’ll run a command, such as query.exe, against a server, get the result on screen, find a session ID or any other information you’re looking for, and then execute a second command to manage that session. From an automation perspective, text output is not ideal, because you need to further parse the result and extract the information you need. In addition, text parsing is not always the safest method, because it is prone to errors and can lead to incorrect results.
To make the process of managing Remote Desktop Session Host servers more robust and accurate, I wrote the PSTerminalServices PowerShell module. Unlike command-line utilities, the functions of the module give you back rich .NET objects that you can use to manage Remote Desktop users, sessions, and processes.
NOTE Rich .NET objects are not just a string of characters from a command-
line tool. Each object implements a set of methods and properties. For
example, a session object you get with the Get-TSSession function has an
IdleTime property or a Logoff method.
One advantage of the functions is the ability to pipe the output of one command
to another. For example, you can get all session objects from each RD Session Host
server in a farm that have been idle for a certain length of time and pipe them to
another command that disconnects them. Another advantage is the support of the
risk mitigation common parameters: WhatIf and Confirm. The first parameter dis-
plays a message that describes the effect of the command instead of executing it,
and the second one prompts you for confirmation before executing the command.
For example, this script finds sessions on domain-joined RD Session Host servers
that have been idle for over an hour and disconnects the sessions.
# Query each RD Session Host, keep only sessions idle for more than one hour,
# and pipe them to Disconnect-TSSession; -WhatIf reports what would be
# disconnected without actually doing it.
"Server1","Server2" | ForEach-Object {
    Get-TSSession -ComputerName $_ -Filter { $_.IdleTime -gt (New-TimeSpan -Hours 1) }
} | Disconnect-TSSession -WhatIf
The example script shown here and other examples are available at
http://blogs.microsoft.co.il/blogs/scriptfanatic/archive/2010/09/16/remote-desktop-
services-r2-resource-kit.aspx. The link is also available on the companion media. For
information on installing the module, please refer to the module project Web page
at http://code.msdn.microsoft.com/PSTerminalServices.
mstsc /admin
You can also specify the /admin switch when adding connections to the RSAT. The /console switch creates an admin connection when connecting from an older RDP client to a Windows Server 2008 R2 RD Session Host server. Plug in /admin when working from RDC 5.2 and Mstsc.exe will open a dialog box that explains the proper syntax for the command, because that version of the RDC client is not aware of the /admin switch. Unfortunately, this means that you’ll need to change the connection syntax depending on whether you’re connecting from a current or older version of Mstsc.exe.
HOW IT WORKS
In Windows Server 2003, you could make two remote administrative connections
and one console connection from the physical console, all without using a
Terminal Services client access license (TS CAL). Windows Server 2008 and later
permit two simultaneous administrative connections. This might look like a
reduction in licensed connections, but the previous model was also a convenience.
It was possible for two administrators to make connections, leave them connected,
and effectively block anyone else from making an administrative connection to the
terminal server because the remote logon count was at capacity. You had to have
the console connection just to reset one of those remote connections.
NOTE For those who have worked with Windows Server 2003, RSAT is equivalent to the
Windows 2003 Server Administration Tools Pack (Adminpak.exe). There’s also a version of
RSAT for Windows Vista SP1 that allows management of Windows Server 2008 terminal
servers.
RSAT is compatible with 32-bit and 64-bit Windows Server 2008 and 32-bit and 64-bit Windows Vista SP1 clients running Windows Vista Business, Enterprise, or Ultimate editions. RSAT for Windows 7 is not compatible with previous versions of Windows.
RSAT contains many more tools than are discussed in this chapter, as it encompasses tools to manage other Windows Server 2008 R2 roles. The information in this chapter concentrates on the following RDS-specific RSAT tools:
■ Remote Desktop Services Manager Used to manage RD Session Host servers
■ Remote Desktops Used to connect to remote desktops from one window
Both of these tools get installed on Windows Server 2008 R2 when you install the Remote Desktop Services role. They work more or less the same way when installed on a computer running Windows 7.
To install RSAT on a Windows 7 client, download RSAT for Windows 7 from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d.
Be sure to download the correct version (32-bit or 64-bit) of the RSAT MSU file. Install the tool by double-clicking the Microsoft Update Standalone Package (MSU) file and clicking OK to install the Update For Windows (KB958830).
After you’ve installed RSAT, you will need to enable it, because the installer does not enable all the tools by default. Open Control Panel and double-click Programs And Features. Then click Turn Windows Features On Or Off. Select the Remote Server Administration Tools check box, expand Role Administration Tools, and then expand this selection and select the check boxes next to Remote Desktop Services Tools. Then click OK.
When you have enabled the tools, you will find that a Remote Desktop Services folder is now visible in Administrative Tools. This folder contains links to the Remote Desktop Services Manager and Remote Desktops tools.
NOTE After you add servers to a particular group, they’re there unless you manually
delete them. You can’t drag RD Session Host servers or VMs to a new group, although you
can add one server to multiple groups if you wish.
To create a new group, right-click the Remote Desktop Services Manager icon in the left pane and choose New Group from the context menu. In the dialog box that appears, type the name of the new group and click OK. This group will now appear in the left pane.
The Remote Desktop Services Manager starts with one default—and empty—group named My Group. To populate an existing group, right-click its icon in the left pane of the Remote Desktop Services Manager and choose Add Computer from the context menu. This will open the Select Computer dialog box, which you might have seen before when working with the Microsoft Management Console (MMC). From here, you can add computers to the group in one of three ways:
■ If you know the name of the server or VM that you want to add to the console, select Another Computer, type the name into the text box, and then click OK. The server will appear in My Group.
■ If you don’t know the full name but know the letters that it begins with, click Browse. In the dialog box that opens, type the name or partial name of the server or VM and click Check Names. The name will appear in the Enter The Object Name To Select text box with an underline. If you typed the prefix and there’s more than one match, then you can pick the right name from a list. (You can’t add more than one name at a time.)
■ If you have no idea of the name of the server, you’ll need to search Active Directory Domain Services (AD DS) for it. From the second Select Computer dialog box, click Advanced to search AD DS. Click Locations to specify the organizational unit (OU) that the RD Session Host servers are in and then click Find Now to list all servers in that OU. From there, you can select servers one at a time to appear in the Select Computer dialog box.
Manually populating groups is time-consuming. Operating on the principle that you’d like to manage all the RD Session Host servers and VMs in one or more farms, regardless of their names, you can import server information from the RD Connection Broker. To do this, right-click the Remote Desktop Services Manager and choose Import From RD Connection Broker. Enter the name or IP address of the RD Connection Broker server from which you want to import and click OK. A new server management group will be created named RD Connection Broker(servername), and groups will be created beneath it named after your farm name(s) or VM pools, as shown in Figure 11-3.
Organizing Servers and VMs in the Remote Desktop Services Manager Chapter 11 601
FIGURE 11-3 Import RD Session Host farms and VM pools from the RD Connection Broker into the Remote Desktop Services Manager.
NOTE When you import VM farms from the RD Connection Broker, it will import the VMs
according to their VM names in Hyper-V Manager, not according to their computer names.
Because the application programming interface (API) that the Remote Desktop Services
Manager and the command-line tools are built on uses the computer name, you must
make the VM name listed in Hyper-V Manager and the computer name match to manage
VM sessions at all. If you don’t, you won’t see any activity inside the VMs from the Remote
Desktop Services Manager (all tabs will be blank), and you won’t be able to connect to the
VMs using the Query command-line tools.
After importing the pools and farms into the Remote Desktop Services Manager, you must connect to each server to glean any useful data. This is a one-time process; after this, they will be connected when you open this tool on this particular server or workstation. Right-click each server and choose Connect. After all servers in each farm or all VMs in the pool are connected, you can highlight the group, and the user, session, and process data for all servers in the group appear together in the middle console pane. You can also click each server in the group and view just the data for that server.
Monitoring Application Use
You can monitor processes on an RD Session Host server or VM from the Remote Desktop Services Manager or by using the query command-line tool with the process parameter, as shown here:
query process
From the Remote Desktop Services Manager, connect to the server or VM that you want to monitor and then select the Processes tab in the middle pane to display all processes running on that server. You can then sort the table by clicking the column heading you want to sort by (Server, User, Session, ID, PID, or Image).
You can accomplish the same thing at the command prompt by running the query process or qprocess command against an RD Session Host server or a VM. The syntax for both of these commands follows.
You can get a list of all processes running on an RD Session Host server. For example, the following command returns all processes running on the RD Session Host server FUJI.
You can also get more detailed information by specifying different parameters. For instance, to find all the processes running under sessions started by the user nancy.anderson on server FUJI, the command and data returned would look like this:
Another example of getting specific process-related information from the command line is to find all instances of a particular application running on an RD Session Host server. For instance, to find all sessions in which users are running Excel.exe on server FUJI, the command and results would look like this:
If you’ve used Windows PowerShell, you might be familiar with the Get-Process cmdlet. It’s a useful tool that tells you a lot about the processes running on a computer, including working set, CPU time, and more information than qprocess can convey. Unfortunately, Get-Process is not multi-user-aware and reports only on the processes running in the current session. Similarly, you can’t use the Stop-Process cmdlet very well on an RD Session Host server, because it is only aware of the processes running in the same session that it is.
Terminating Applications
When you know where an application is running, you can terminate it if you need to. A user’s application might be unresponsive or a user might get past your lockdown schemes (for more information, see Chapter 7, “Molding and Securing the User Environment”). It’s even possible to terminate a process for one user so that another user can use it without violating your application licensing. To terminate a process from the Remote Desktop Services Manager, connect to the server or VM where the process is running, select the Processes tab, right-click the process, and choose End Process.
You also can end a process from the command line by running the tskill command. The syntax is:
Notice that you can kill either a specific instance of an application on a server or all instances. To terminate an application running in a specific session, use the /ID:sessionid parameter to specify that session. You need to know the session ID where the process is running, so you must first run the query session command to find out what the session ID is.
To illustrate, let’s combine these two commands to effectively shut down one instance of an application. This example will terminate the Excel.exe process running in the session for user adam.barr on server FUJI. First, run the query session command to find the correct session ID.
Then terminate Microsoft Excel by specifying the process name, the server, and the session ID.
What if you forget to disable installations and discover a mahjong tournament taking place among the users on an RD Session Host server? You can also terminate a process (in this example, mahjong) running in all sessions on an RD Session Host server by using the /A switch in this way:
Switching Between Sessions
Let’s say that you have logged on to your Windows 7 desktop via RDP with your domain credentials so that you can work on that computer from a remote location. When you do so, the console session switches to the RDP session and the console goes back to the logon screen. The same functionality is behind the ability to move between sessions on an RD Session Host server, using the Remote Desktop Services Manager or the tscon command. You can switch between your own sessions if you have more than one, or (if you know the password) you can connect to another user’s session and disconnect your own. Connecting to a session using this functionality automatically disconnects the session you started from.
There are a few caveats to using the Connect functionality:
■ It works only to connect to an RDP-Tcp session from another RDP-Tcp connection on the same server. You can connect to an active or a disconnected session.
■ You cannot connect to a RemoteApp session, only a full desktop.
■ Although you can connect to another session from an administrative (/admin) connection, you can’t connect to an administrative connection from another RDP-Tcp connection.
■ When you are prompted for a password while connecting to a session from the Remote Desktop Services Manager, the password is obscured on the screen. When you supply the password to the command-line tool, the password might be displayed on the screen, in cleartext, if you want. Therefore, be careful how you use tscon when anyone is standing behind you!
NOTE If you attempt to connect to a local logon session from tscon, you’ll see error code
31, telling you, “A device attached to the system is not functioning.” If you attempt to con-
nect to an /admin remote connection, you’ll get an error message that access is denied.
Meher Malakapalli
Senior Development Lead
The Connect tool (whether implemented from the command line or the GUI) implements this functionality through the WTSConnectSession function described
on MSDN at http://msdn.microsoft.com/en-us/library/bb394782(VS.85).aspx. For
the purposes of the IT pro, this function takes three important parameters: logonID,
targetlogonID, and password.
Basically, this function accepts the domain name and user name of the person
initiating the request. If these do not match, then the person initiating the request
must type in the password of the account that owns the target session. One key fact
to note is that Connect works only on the same RD Session Host server—you can’t
connect to a session on another server. Therefore, the credentials don’t go over
the network except when you type them into the RDP window, and then they’re
protected by RDP encryption.
The bottom line is that when you connect to another session, the credentials that
you provide are protected. They never leave the RD Session Host server and they
are removed from memory as soon as the function is finished with them.
To use the Connect functionality from the Remote Desktop Services Manager or the tscon command, follow these steps:
1. Start an RDP session to the RD Session Host server hosting the session to which you want to connect.
2. Find the correct session. From the Remote Desktop Services Manager, find the correct session from the Users or Sessions tab in the center pane. If using the command prompt, find the session ID by typing query session.
3. Connect to the session. From the Remote Desktop Services Manager, right-click the session and choose Connect from the context menu. From the command prompt, type tscon sessionID /password:password to enter the password with the command, or /password:* to be prompted for the password. You’ll need to include all of this information in the command.
NOTE You must supply the password when connecting from the command prompt or
the command will fail. When connecting from the Remote Desktop Services Manager,
you are prompted for the password if connecting to a session that is not your own.
4. Assuming that you provide the correct password and it’s possible to connect to the session, you will connect immediately to the new session and see any applications or files open in the other session. The person whose session that was will be disconnected. If the password isn’t valid, you’ll see an error message.
So why do this? The functionality is most useful if RemoteApp functionality isn’t in the picture. In Windows Server 2003 and earlier, the only way to publish individual applications was by limiting a session to a single application. By using Connect, it was possible (if awkward) for a user to move between individual applications on the same terminal server.
Today, this command isn’t applicable to most situations because the only sessions that you should be able to connect to (assuming reasonably secure domain password protection) are your own. One possible scenario for using Connect in this present version of RDS is if you were logged on to an RD Session Host server as both a user and an administrator, using two different accounts. You could switch to your administrator persona by connecting to the session, but you’d disconnect your user persona.
NOTE See the section entitled “Auditing User Logons” later in this chapter for more ex-
amples of how to use the query user command.
The results will show the state, idle time (if applicable), and logon time of each session.
At this point, you have a couple of options: you can disconnect the session or terminate it. Disconnecting the session causes it to use fewer resources on the server while leaving open the applications and data in use in the session. Terminating the session (also called resetting the session) will end the session completely. Disconnecting is not invasive; users can get back to where they were by logging on again, but it does continue to use resources on the server. Terminating sessions frees resources, but it can lead to file locking issues because it’s an ungraceful exit and files might not close properly.
NOTE RDS does not support concurrent user licensing, just per-user or per-device.
Therefore, if you’re using a native RDS environment (and aren’t running add-ons that are
licensed on a concurrent-user basis), it’s immaterial from a licensing perspective whether
you disconnect or terminate a session. Adding third-party software that does support con-
current user licensing can affect the best practices that apply to you.
Disconnecting Sessions
Disconnecting a session using the Remote Desktop Services Manager is easy. Find the session to disconnect, right-click it, and choose Disconnect from the context menu. You must be connected to the same server as the session you’re disconnecting.
To disconnect a session from the command prompt, use tsdiscon. The syntax is simple:
As you can see, when using the command-line tool, you can specify the server on which you want to disconnect a session.
CAUTION If you run tsdiscon without arguments, you’ll disconnect your own ses-
sion even if you’re sitting at the console. You won’t lose any data because the session
will continue running and you can just reconnect, but disconnecting yourself is
disconcerting and should be avoided.
Terminating Sessions
You can terminate a session easily from the Remote Desktop Services Manager or the command prompt.
To terminate a session from the Remote Desktop Services Manager, highlight the session on the Users or Sessions tab, right-click, and choose Reset. You’ll see a dialog box telling you that you’re resetting this user’s session. Click OK, and then the session will reset. All processes belonging to that user will be terminated immediately.
You can also terminate active and disconnected sessions from the command line using one of these three utilities (their syntax is shown here):
Reset session and rwinsta are functionally the same in that they terminate the connection ungracefully—the session never has a chance to close open files or save the profile changes. Logoff is a little different in that, although it won’t save open files, it will at least write back changes to the profile.
The syntax for all three commands requires that you use the session name or session ID to identify the session you want to close, so you will need to get this information from the Remote Desktop Services Manager or from the command line by using the query user command. The syntax is:
For instance, to reset a disconnected session for user paul.koch on server FUJI, run these commands. The following example checks for Paul’s session after resetting it just to make the point that this session no longer exists.
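The two procedures above, terminating one user’s process with tskill /ID:sessionid and resetting a disconnected session, both start by reading a session ID off the query session output. The script below is an added example, not the book’s own code: it parses that text output into objects so the ID can be passed on, and uses -WhatIf for a dry run. FUJI, nancy.anderson and paul.koch are the chapter’s sample names; the captured output is constructed to match the tool’s column layout and is not real server output. It assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the book). Parses "query session" text into objects
# so the session ID can be handed to tskill or "reset session" without
# reading it off the screen. Sample output below is constructed.
function ConvertFrom-QuerySessionOutput {
    param([Parameter(Mandatory)][string[]]$Lines)
    $header = $Lines | Where-Object { $_ -match 'SESSIONNAME' } | Select-Object -First 1
    if (-not $header) { throw 'No "query session" header line found' }
    # The USERNAME column offset tells us where the session name ends; this
    # matters because a disconnected session has an empty session name.
    $userCol = $header.IndexOf('USERNAME')
    foreach ($line in $Lines) {
        if ($line -eq $header -or $line.Trim().Length -eq 0) { continue }
        $cut  = [Math]::Min($userCol, $line.Length)
        # A leading '>' marks the session the command itself ran in
        $name = $line.Substring(0, $cut).Trim().TrimStart('>')
        $rest = $line.Substring($cut)
        # USERNAME may be empty (services, listener); ID is always numeric
        if ($rest -notmatch '^\s*(?<user>\S*)\s+(?<id>\d+)\s+(?<state>\S+)') { continue }
        [pscustomobject]@{
            SessionName = $name
            UserName    = $Matches['user']
            Id          = [int]$Matches['id']
            State       = $Matches['state']
        }
    }
}

function Get-RdsSessionId {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$Server,
        [string[]]$Output   # captured text; omit to run query.exe live
    )
    if (-not $Output) {
        $Output = if ($Server) { query session /server:$Server } else { query session }
    }
    ConvertFrom-QuerySessionOutput $Output |
        Where-Object { $_.UserName -eq $UserName } |
        Select-Object -ExpandProperty Id
}

# Terminate one user's instance of a process with tskill /ID:sessionid, as the
# chapter describes. SupportsShouldProcess gives the function -WhatIf/-Confirm.
function Stop-RdsUserProcess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$ProcessName,
        [Parameter(Mandatory)][string]$Server,
        [string[]]$Output
    )
    $ids = @(Get-RdsSessionId -UserName $UserName -Server $Server -Output $Output)
    if ($ids.Count -ne 1) {
        throw "Expected exactly one session for $UserName on $Server, found $($ids.Count)"
    }
    if ($PSCmdlet.ShouldProcess("$ProcessName in session $($ids[0]) on $Server", 'tskill')) {
        tskill $ProcessName /SERVER:$Server /ID:$($ids[0])
    }
}

# Constructed sample, laid out like "query session /server:FUJI" output
$sample = @'
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
>console           administrator             1  Active
 rdp-tcp#0         nancy.anderson            2  Active  rdpwd
                   paul.koch                 3  Disc    rdpwd
 rdp-tcp                                 65536  Listen
'@ -split "`r?`n"

ConvertFrom-QuerySessionOutput $sample | Format-Table -AutoSize

# Dry run of the chapter's Excel example; drop -WhatIf and -Output to run it for real
Stop-RdsUserProcess -UserName nancy.anderson -ProcessName excel -Server FUJI -Output $sample -WhatIf

# paul.koch's disconnected session is ID 3; this is the reset command to run on FUJI
$paulId = Get-RdsSessionId -UserName paul.koch -Output $sample
"reset session $paulId /SERVER:FUJI"
```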
■ Remote Desktop Session Host Configuration Used to specify Remote Control settings on a per-server basis
■ Active Directory Users And Computers Used to specify Remote Control settings on a per-user basis
The ability to control or shadow a user’s session remotely is enabled by default on the Remote Control tab of each user’s account Properties dialog box, as shown in Figure 11-4.
NOTE Even though Remote Control is enabled by default in domain user account
properties, these settings are used only when you use Remote Desktop Session Host
Configuration (instead of Group Policy) to stipulate Remote Control settings, and only
when Remote Desktop Session Host Configuration is set to Use Remote Control With
Default User Settings. You will look at Remote Desktop Session Host Configuration Remote
Control settings later in this section.
If you do not want to be able to view or interact with sessions opened by the user, clear the Enable Remote Control check box.
By default, the user’s permission is required for an administrator to interact with the user’s session. When you invoke remote control of a user session, the user receives a prompt similar to Figure 11-5 requesting that he or she grant you permission to control the session. If the user clicks No or doesn’t respond, the person requesting remote control will see a message that access is denied.
FIGURE 11-5 If the user’s permission is required for shadowing the session, the user will see this notice.
Not everyone wants users to be aware that their sessions are being shadowed; some companies use this feature for auditing the work habits of their employees. If Require User’s Permission is not enabled, then you can gain remote control (for viewing or interacting, depending on the level of control option selected) of the user session without her knowledge or permission.
When you attach to the session in these circumstances, the user sees nothing and is not aware of your presence unless you interact with the session in some way.
CAUTION If you decide to interact with user sessions without user knowledge or
permission, check with your company’s legal and human resources (HR) departments
first, to make sure that the company is legally protected and that HR policies reflect
this need.
By default, administrators have full control of the user session. This means you can manipulate the session (use the keyboard and mouse, and so on) as if you are the user. This level of control can be changed to allow only observation by selecting the option View The User’s Session. At this level, you can observe the user’s session, but you cannot control it in any way.
Remote Control settings can also be set using RD Session Host Configuration on each server or by using Group Policy. Group Policy settings take precedence over RD Session Host Configuration settings.
■ User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Connections\Set Rules For Remote Control Of Remote Desktop Services User Sessions
NOTE If both of these Group Policy settings are enabled and there is a conflict, the
computer policy settings will take precedence.
Opening either of these GPO settings reveals the screen shown in Figure 11-6.
FIGURE 11-6 The Set Rules For Remote Control Of Remote Desktop Services User Sessions GPO setting dialog box allows you to choose the settings you want for remote sessions.
Enable the GPO setting and then specify whether user permission is required for interaction with the user session and what level of control will be allowed. Do this by choosing the appropriate option from the Options drop-down menu. The options available are the following:
■ Full Control With User’s Permission With the user’s permission, you can take action in the session just as if you were the user.
■ Full Control Without User’s Permission Without the user’s permission and without the user receiving any notification beforehand, you can take action in the session just as if you were the user.
■ View Session With User’s Permission With the user’s permission, you can view the session but cannot interact with it in any way.
■ View Session Without User’s Permission Without the user’s permission and without the user receiving any notification, you can view the session but cannot interact with it in any way.
If these Group Policy settings are set to Not Configured, then Remote Control settings are controlled by RD Session Host Configuration. Enabling either of these Group Policy settings overrides Remote Control from the RD Session Host Configuration, and the setting options there will be disabled.
To disable remote control of user sessions, choose the No Remote Control Allowed option from the Options drop-down menu.
NOTE Disabling the Set Rules For Remote Control Of Remote Desktop Services policy has
the same effect as not configuring it.
FIGURE 11-7 Configure Remote Control via the RD Session Host Configuration RDP-Tcp Properties dialog box.
There are two ways to enable remote control:
■ Enable remote control and specify whether user permissions are required to shadow the user session and the level of control (view only or interact) permitted when shadowing the session.
■ Enable remote control and use the Remote Control settings set in each user’s account properties to specify whether shadowing that user’s session is allowed, whether the user’s permission is required, and the level of control (view only or interact) permitted when shadowing the session.
You can disable remote control of user sessions created on the server by choosing Do Not Allow Remote Control.
By default, only administrators have the right to shadow sessions. To give another user or user group permissions to shadow sessions, follow these steps:
1. Open RD Session Host Configuration and double-click RDP-Tcp.
2. Navigate to the Security tab and click OK to the warning that pops up telling you to modify the Remote Desktop Sessions group. Then click Advanced.
3. Add the user account or the user group whose sessions you would like to be able to shadow by clicking Add and entering the name of the user or group. Then click OK.
4. In the Permissions Entry For RDP-Tcp dialog box, select the Remote Control check box.
5. Then click OK in each of the three dialog boxes that are open to save the changes.
The settings are applied at logon, so the users to whom you granted this right must log off and log back on before they can remote control others’ sessions.
responsive. Therefore, although it is technically possible to shadow a RemoteApp session, it’s pretty useless. Before shadowing, be sure that you’re connecting to a full desktop session.
NOTE Neither the Remote Desktop Services Manager nor the command-line tools make
it easy to distinguish between full desktops and RemoteApp sessions. To learn how to dis-
tinguish between sessions running RemoteApp programs and those running a full desktop,
see the section entitled “Differentiating RemoteApp Sessions from Full Desktop Sessions”
later in this chapter.
Shadowing a session is simple, and you can do it from the Remote Desktop Services Manager or from a command prompt.
To shadow from the GUI, create an RDP connection to a server or desktop and run the Remote Desktop Services Manager. On the Users tab in the middle pane, right-click the user whose session you want to shadow and select Remote Control. If the user’s permission is required, the user will receive a remote control request and can accept or deny it.
On the server, you will see a dialog box asking you to specify a key sequence to end the shadow session (shown in Figure 11-8). Ctrl+Tab is the default choice, but you can choose other options if the default doesn’t work for you.
FIGURE 11-8 Choose a hot key sequence to end a shadow session.
Your screen might freeze briefly while the user is alerted to your shadow request if shadowing is configured to notify the user (and the user’s screen might blink once when you connect).
After the user grants you permission to shadow the session, your session will be replaced with the user’s session desktop. If settings only permit you to view the session, then you will be able to see the user’s actions, but you won’t be able to interact with the session. Otherwise, you can take part in the session as if you were the user. To stop shadowing, simply press the hot key sequence that you selected when establishing the session; the shadow session will disappear and you will be back to your desktop. The user’s session will continue as normal.
You can also start a shadow session from the command line. Again, you’ll need to establish an RDP session first and run the command from it. To get remote control of a session from the command line, use the shadow command and provide the ID of the session to which you want to connect. To shadow a session on a remote computer, add the name of the server, as in this example of shadowing session 2 on server FLAPJACK:
shadow /SERVER:flapjack 2
When you start a shadow session from the command line, there is no prompt for you to choose a hot key sequence to end the shadow session. To end the shadow session, use the hot key sequence Ctrl+*.
NOTE The asterisk above the number 8 does not work to stop shadowing. Use the
asterisk on your numeric keypad.
If you run the shadow command on the server that hosts the session and remote control is not permitted for that session, the error message is explicit.
shadow 3
Your session may appear frozen while the remote control approval is being negotiated.
Please wait...
Remote control failed. Error code 7051
Error [7051]:The requested session is not configured to allow remote control.
However, if you are initiating the shadowing operation from a computer other than the one that hosts the session that you want to shadow, you will not get such a straightforward message. Instead, if there's a problem, you will receive a cryptic message like this.
shadow 3 /SERVER:FUJI
Your session may appear frozen while the remote control approval is being negotiated.
Please wait...
Remote control failed. Error code 2
Error [2]:The system cannot find the file specified.
Typically, if you see error code 2, it means either that the user denied your request to shadow the session or that shadowing the session is not allowed.
If you'd like to save yourself the trouble of trying three different tools to find the current Remote Control settings and where they're set, query the Win32_TSRemoteControlSetting Windows Management Instrumentation (WMI) class from Windows PowerShell.
NOTE The methods and properties for this class can be found at http://msdn.microsoft.com
/en-us/library/aa383817(VS.85).aspx.
To view the Remote Control settings for a computer, open Windows PowerShell and enter the following command.
The important part of the output is at the bottom, where you'll see values such as this.
Caption :
Description :
InstallDate :
LevelOfControl : 0
Name :
PolicySourceLevelOfControl : 0
RemoteControlPolicy : 1
Status :
TerminalName : RDP-Tcp
The PolicySourceLevelOfControl shows where the value of LevelOfControl comes from. A value of 0 means that this value is set on a per-server basis, a value of 1 indicates that it's set by Group Policy, and a value of 2 means that it comes from the user account policies.
The value of the RemoteControlPolicy property indicates whether Remote Control settings are configured on a per-user basis (1) or a per-server basis (0).
You can observe the changes to these settings by editing the Remote Control settings from RD Session Host Configuration. Try editing the settings to see how the value of the LevelOfControl property changes when you disable remote control, and you'll see the value change when you run the script.
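The following Windows PowerShell function is an added example, not a script from the book or its companion media. It runs the Win32_TSRemoteControlSetting query that produces the output shown above against one or more servers and decodes the numeric properties into words, using the LevelOfControl values documented for the class (0 disabled, 1 full control with the user's permission, 2 full control without permission, 3 view with permission, 4 view without permission). The function name and the server names are this example's own.

```powershell
# Added example (not from the book): query Win32_TSRemoteControlSetting on one or
# more RD Session Host servers and decode the numeric properties.
# Value meanings follow the MSDN documentation for the class that the chapter cites;
# the function name Get-RDRemoteControlSetting and the server names are made up here.
function Get-RDRemoteControlSetting {
    param(
        [string[]]$ComputerName = @('.'),      # '.' = the local computer
        [string]$TerminalName   = 'RDP-Tcp'    # the listener shown in the output above
    )

    $levels = @{
        0 = 'Remote control disabled'
        1 = 'Full control, with the user''s permission'
        2 = 'Full control, without the user''s permission'
        3 = 'View session only, with the user''s permission'
        4 = 'View session only, without the user''s permission'
    }
    # PolicySourceLevelOfControl: where LevelOfControl is set (see the text above)
    $sources = @{ 0 = 'Server (RD Session Host Configuration)'; 1 = 'Group Policy'; 2 = 'User account' }

    foreach ($server in $ComputerName) {
        $setting = Get-WmiObject -Namespace 'root\CIMV2\terminalservices' `
            -Class Win32_TSRemoteControlSetting -ComputerName $server `
            -Filter "TerminalName='$TerminalName'"
        if (-not $setting) { Write-Warning "No $TerminalName listener found on $server"; continue }

        New-Object PSObject -Property @{
            Server         = $server
            TerminalName   = $setting.TerminalName
            LevelOfControl = $levels[[int]$setting.LevelOfControl]
            SetBy          = $sources[[int]$setting.PolicySourceLevelOfControl]
            PerUserPolicy  = ([int]$setting.RemoteControlPolicy -eq 1)   # 1 = per-user, 0 = per-server
            CanShadow      = ([int]$setting.LevelOfControl -ne 0)
        }
    }
}

# Usage: the local server plus two farm members in one table
Get-RDRemoteControlSetting -ComputerName '.', 'FUJI', 'FLAPJACK' |
    Format-Table Server, LevelOfControl, SetBy, PerUserPolicy, CanShadow -AutoSize
```

Run it before you try to shadow: a CanShadow value of False on the target server explains the error code 2 described earlier without a trip through three configuration tools.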
Another reason you might see errors when trying to shadow sessions has to do with screen size. If you try to shadow a session that is using one monitor from another session that is spanning multiple monitors, you will not be able to shadow the session. Trying to shadow from a Windows 7 client using multiple monitors to a session using fewer monitors results in the session being disconnected and you will get the following error.
NOTE Shadowing from a Windows XP client to an RD Session Host server remote session
does not work. It results in the session being disconnected, and you will get this error.
■ Allow All Connections This is the default user mode. All connections are allowed.
■ Allow Reconnections, But Prevent New Logons This is drain mode. Users with existing sessions are allowed to reconnect or to stay connected to the server, but new connections are blocked.
■ Allow Reconnections, But Prevent New Logons Until The Server Is Restarted This is temporary drain mode. The server will not accept new connections (and the RD Connection Broker will not route connections to it) until the server is rebooted. After the server has rebooted, this setting will revert to Allow All Connections.
Choose the option that suits your needs and click OK.
To change user logon mode from the command prompt, you'll use the change logon command. You must execute this command from the server whose user logon mode you're changing; the tool does not offer a remote option. The change logon syntax is pretty simple.
■ /query Returns the state of the server.
■ /enable Enables logons that had been disabled.
■ /disable Disables all incoming connections, including reconnections.
■ /drain Puts the server into drain mode.
■ /drainuntilrestart Puts the server into temporary drain mode (until the system is restarted).
If you're familiar with this tool from previous versions of Windows Server, you might notice the options for enabling drain mode and temporary drain mode. Otherwise, the syntax hasn't changed since Windows Server 2003.
Notice that change logon offers an option that RD Session Host Configuration does not: /disable. Drain mode prohibits new connections but does allow users to reconnect to existing sessions. If you're serious about removing users from the server, use change logon /disable to prevent any incoming connections, even reconnections. However, use this option with care. Disabling logons when users have existing sessions open can result in lost data or profile changes in the orphaned sessions. Drain mode, combined with reminders to users that you will be shutting down the server and requests to users to log off their sessions, is a safer option.
Each of these options allows you to configure only one server, though. To set the logon mode on more than one server at a time, use either Group Policy or script the logon mode via WMI. To edit the User Logon Mode via Group Policy, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow Users To Connect Remotely Using Remote Desktop Services.
Group Policy is most useful for longer-term changes affecting many servers (you wouldn't edit Group Policy for a temporary change to two servers), whereas WMI is better for faster or more directed changes. Group Policy isn't practical for, say, changing the logon mode for two RD Session Host servers in the farm while the other two keep accepting logons, but WMI works well for this.
One way to check for the current logon mode via WMI on the local computer is to run the following Windows PowerShell script. (To run this script on a remote computer, replace the value of $strComputer with the name of the other computer.)
$strComputer = "."
$RDSH = Get-WmiObject -Class "Win32_TerminalServiceSetting" `
    -Namespace "root\CIMV2\terminalservices" -ComputerName $strComputer
switch ($RDSH.AllowTSConnections)
{
    0 {"User logons are disabled."}
    1 {"User logons are enabled."}
    default {"The user logon state cannot be determined."}
}
switch ($RDSH.SessionBrokerDrainMode)
{
    0 {"Allow all connections."}
    1 {"Allow incoming reconnections but prohibit new connections."}
    2 {"Allow incoming reconnections but until reboot prohibit new connections."}
    default {"The drain mode state cannot be determined."}
}
For example, this script will return the following messages if the server is in temporary drain mode.
User logons are enabled.
Allow incoming reconnections but until reboot prohibit new connections.
ON THE COMPANION MEDIA This script is also available on the companion media
as CheckLogon.ps1.
Notice that this script has to query two properties to return all the information. The AllowTSConnections property corresponds to the /enable and /disable switches, and SessionBrokerDrainMode corresponds to the /drain and /drainuntilrestart switches. As before, you are using the switch statement to evaluate the actual values and make interpreting the output easier. The efficiency of running a script to get the information you need is somewhat reduced if you have to look up the return values on MSDN to know what they mean.
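The text above reads the logon mode; the case it makes for WMI is changing the mode on a subset of farm members. The following function is an added example, not a script from the book or its companion media, that does that. It assumes that SessionBrokerDrainMode on Win32_TerminalServiceSetting is writable through Put() with the same 0/1/2 values the CheckLogon.ps1 script decodes, and that the class's SetAllowTSConnections method (first argument 0 or 1, second argument 1 to adjust the firewall exception) is the WMI equivalent of change logon /disable and /enable. The function name, the mode names and the server names are this example's own.

```powershell
# Added example (not from the book): set the logon mode on selected RD Session Host
# servers via WMI while the rest of the farm keeps accepting logons, then read it back.
# Assumptions (not stated in the chapter): SessionBrokerDrainMode is read/write
# (0 = allow all, 1 = drain, 2 = drain until restart) and SetAllowTSConnections maps to
# change logon /enable and /disable. Function and server names are made up here.
function Set-RDLogonMode {
    param(
        [Parameter(Mandatory=$true)][string[]]$ComputerName,
        [Parameter(Mandatory=$true)]
        [ValidateSet('AllowAll', 'Drain', 'DrainUntilRestart', 'Disable', 'Enable')]
        [string]$Mode
    )
    $drainValue = @{ AllowAll = 0; Drain = 1; DrainUntilRestart = 2 }

    foreach ($server in $ComputerName) {
        $rdsh = Get-WmiObject -Class Win32_TerminalServiceSetting `
            -Namespace 'root\CIMV2\terminalservices' -ComputerName $server

        switch ($Mode) {
            'Disable' { [void]$rdsh.SetAllowTSConnections(0, 1) }   # like change logon /disable
            'Enable'  { [void]$rdsh.SetAllowTSConnections(1, 1) }   # like change logon /enable
            default   {
                $rdsh.SessionBrokerDrainMode = $drainValue[$Mode]   # like /drain, /drainuntilrestart
                [void]$rdsh.Put()
            }
        }

        # Read the settings back instead of trusting that the write took effect
        $check = Get-WmiObject -Class Win32_TerminalServiceSetting `
            -Namespace 'root\CIMV2\terminalservices' -ComputerName $server
        New-Object PSObject -Property @{
            Server             = $server
            AllowTSConnections = [int]$check.AllowTSConnections
            DrainMode          = [int]$check.SessionBrokerDrainMode
        }
    }
}

# Usage: take two of the four farm members out of rotation until their next reboot
Set-RDLogonMode -ComputerName 'FUJI', 'FLAPJACK' -Mode DrainUntilRestart |
    Format-Table Server, AllowTSConnections, DrainMode -AutoSize
```

Prefer Drain or DrainUntilRestart for maintenance; the Disable branch is there for the same reason change logon /disable is, and carries the same risk to users' open sessions.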
One way to communicate with your user base is by sending messages from the Remote Desktop Services Manager or by using the msg command-line tool. Using these tools, you can communicate with individuals, selected groups, or everyone logged on to the server. You can even wait for acknowledgement of your message.
NOTE Using the techniques described in the rest of this chapter, you can send messages
to users logged on to VMs as well as users logged on to sessions. Only one person will be
logged on to each VM, however, so the broadcast functionality won’t work on VMs as it
does for sessions. That is, you can’t use it to send a message to all VMs on an RD Virtualiza-
tion Host.
From the Remote Desktop Services Manager, right-click a session on an RD Session Host or VM and select Send Message. You will see a dialog box like the one in Figure 11-9.
FIGURE 11-9 Send a message to a user logged on to an RD Session Host server or a VM with the Send Message tool.
The message contains the sender's user name and the time that the message is sent. Type your message in the Send Message dialog box and click OK. The user will see a message box like the one in Figure 11-10.
You can also use the msg command-line utility to send a message to a session like this.
msg nancy.anderson /SERVER:FUJI Nancy, Tech Support has reviewed your case, and will be
with you in 5 minutes.
If you are not running the msg command from the same RD Session Host server as the one where the session is hosted, then you must specify the server (or VM) as shown in the example. You can specify sessions based on user name, session ID, or session name. Use the query command or the Remote Desktop Services Manager to get any of these data points.
If you have not limited users to one session per server, then you might need to send a message to every session that user has open. If you provide the user name as an argument, the message will appear in all sessions belonging to that user. To send a message to all sessions on a server, use the * argument. For example, to send a message to every session on server FUJI, run this command.
msg * /SERVER:FUJI This server will be rebooted at 3pm. Please close your RemoteApp programs.
You can also send a message to all users on an RD Session Host server, session IDs, or session names contained in a file. Using a file to specify who should receive a message can be helpful if you need to communicate with a group of users, but not every single person using the server. For instance, maybe you need to tell all users from the accounting department on server FUJI to shut down the accounting application. To do this, first create a file containing the user names of the accounting department users. This is most easily done from Windows PowerShell with the following script, which gets the names of the users in the ASH Accounting Users OU and adds them to a file named c:\scripts\ash-acct-users.txt. Obviously, you'll need to modify the Lightweight Directory Access Protocol (LDAP) paths and file name for your purposes.
When you have the names in the file, then you can run the msg command as shown here.
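The following script is an added example, not the companion-media script the text refers to. It reads the user objects under an OU with the ADSI type accelerator (no Active Directory module required on Windows Server 2008 R2), writes one logon name per line, and then hands the file to msg with the @file argument. The OU path, file name, server name and message text are placeholders in the chapter's fictitious ASH domain.

```powershell
# Added example (not from the book): build the user list for msg @file from an OU via
# ADSI/LDAP, then message every session of every listed user on server FUJI.
# The OU path, file name, server name and message are placeholders.
$ouPath   = 'LDAP://OU=ASH Accounting Users,DC=ash,DC=local'
$listFile = 'C:\scripts\ash-acct-users.txt'

$ou = [ADSI]$ouPath
$names = foreach ($child in $ou.Children) {
    # Keep only user objects (skip groups, contacts, nested OUs); msg wants logon names
    if ($child.SchemaClassName -eq 'user') { [string]$child.sAMAccountName }
}
if (-not $names) { throw "No user objects found under $ouPath" }

# One name per line, no trailing blank line: msg reads the file line by line and a blank
# line would be treated as an empty target name
[System.IO.File]::WriteAllLines($listFile, @($names), [System.Text.Encoding]::ASCII)
Write-Host "Wrote $(@($names).Count) user names to $listFile"

# /TIME:60 /W = wait up to 60 seconds for each recipient to acknowledge before moving on
msg "@$listFile" /SERVER:FUJI /TIME:60 /W "Accounting users: please close the accounting application. FUJI reboots at 3pm."
```

Because msg matches each line against user names, session names and session IDs alike, keep the file to logon names only; a stray numeric line would be read as a session ID.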
Shutting Down and Restarting RD Session Host Servers
When you've drained the server of users and notified anyone who is still connected to the server, you can shut it down. You've probably shut down a server from the GUI; shutting down an RD Session Host server is no different. However, because you might not have shut it down from the command prompt, the focus is on that option here.
NOTE The tsshutdown command used in Windows Server 2003 was discontinued in
Windows Server 2008 and Windows Vista. Use the shutdown command instead. You must
be an administrator to shut down or reboot an RD Session Host server. Users do not get
access to the Shut Down, Restart, Hibernate, or Sleep option on the Start menu when
working in a session. Nor can they execute the shutdown command.
Shutting down and rebooting an RD Session Host server from the Start menu is no different from shutting down or rebooting a Windows Server 2008 R2 server (without RDS installed) or a Windows 7 client. Go to Start and then click the arrow to the right of the lock button on the lower right of the menu. A menu pops up; choose either Restart or Shut Down.
When you choose to shut down or restart a server, you will see a pop-up window in which you need to choose a reason for the shutdown/reboot from the Option drop-down menu. Also, indicate whether the action was planned or unplanned, type any comments that you want to add in the Comments window, and click OK. This information is recorded in the server System Event Log (Event ID 1074). This logging is helpful for keeping track of who rebooted or shut down a server, and why they did so. Giving detailed information in the Comments area can make it easier for another administrator to figure out the exact reason for a reboot. For instance, if you install an application update, you can add a comment in the Shut Down Windows dialog box indicating exactly which one it was, which saves time if someone else needs the details later.
You can also use the shutdown command to shut down or restart a server from the command line. This command can be run from a Windows Server 2008 R2 server or even a Windows 7 client. The command syntax is
NOTE Typing shutdown at a command prompt gives you the same command syntax and
arguments as typing shutdown /?.
Table 11-5 shows a list of the command-line arguments available for the shutdown command.
TABLE 11-5 Arguments for the shutdown Command
ARGUMENT INPUT DETAILS
Instead of running through every option the shutdown command offers, the following information highlights some options applicable to an RDS environment.
Using the command-line utility means that you can shut down or reboot a server remotely. For instance, to shut down (/s) or restart (/r) the server FUJI from a remote Windows 7 client, the commands look like this.
shutdown /s /m \\FUJI
shutdown /r /m \\FUJI
As with shutting down or rebooting from the GUI, it's good to document why the event is occurring. Use the /c argument to add a comment to the event that gets recorded in the event log. For example, this command shuts down FUJI and adds a comment to explain the reason for the shutdown.
TABLE 11-6 Major and Minor Number Codes Corresponding to Reasons for a Server Shutdown or Reboot
TYPE (E = EXPECTED, U = UNEXPECTED, P = PLANNED) MAJOR MINOR TITLE/EXPLANATION
For instance, to reboot the server FUJI and document the reboot as being due to application maintenance, the command is
Running the preceding command remotely produces Event ID 1074 in the System Event Log on the server that is rebooted, with a description of the action that occurs. The data includes the user name that initiated the request, the IP address of the computer the request comes from, and the reason for the request.
The process wininit.exe (10.10.10.23) has initiated the restart of computer FUJI on behalf of user ASH\Administrator for the following reason: Application: Maintenance (Planned)
Shutdown.exe is also helpful if you need to reboot many servers. To do so, run the following command.
shutdown /i
FIGURE 11-11 The Remote Shutdown dialog box allows you to shut down specific computers.
Click Add and type the name of the computer that you want to shut down or restart. Do this for all computers you want to shut down or restart and then choose the action you want to perform from the What Do You Want These Computers To Do drop-down menu.
■ Restart
■ Shutdown
■ Annotate Unexpected Shutdown
NOTE The Annotate Unexpected Shutdown option works only if you previously had an
unexpected shutdown or restart.
Choose the reason for this action by selecting the appropriate choice from the Option drop-down menu and add any comments in the Comment text box. Then click OK.
As an example, if you perform scheduled server maintenance, such as running some updates every Sunday, and include a reboot, you can automate the reboot process by creating a scheduled task with the Windows Server 2008 Task Scheduler or by using the command-line tool schtasks. For example, to reboot the server FUJI every Sunday night at midnight (00:00 in the 24-hour format that /ST expects), use the schtasks command as shown here.
schtasks.exe /create /SC WEEKLY /D SUN /RU admin@ash.local /RP "xxxxxxxx" /TN RebootFUJI /TR "C:\windows\system32\shutdown.exe /m \\FUJI /r /c FUJI-WindowsUpdates-Reboot" /ST 00:00
Note that /RP puts the account's password on the command line, where it is visible in the console history and to anyone who can list process command lines. Omitting the value after /RP makes schtasks prompt for the password instead, which is the safer habit.
If a shutdown or reboot attempt fails, Event ID 1073 is logged in the System Event Log of the server that fails to reboot. The log won't tell you why the action failed, but it will at least let you know that it did fail and which user account issued the command. If you like, you can use Schtasks.exe to create a task that performs an action such as running a script that emails you every time the event ID appears. The details of Server-reboot-failed.vbs are in the next sidebar, "Direct from the Field: Email Yourself When a Reboot Fails."
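The following function is an added example, not a script from the book or its companion media. It ties together the pieces above: it issues the remote restart with a reason code and comment, and then checks the target's System log for the two User32 events the chapter describes, 1074 (restart initiated) and 1073 (restart failed). The reason code p:4:1 is the planned "Application: Maintenance" code that shutdown /? lists; the server name, comment text and function name are this example's own.

```powershell
# Added example (not from the book): reboot a server remotely with a documented reason
# code and comment, then check its System log for User32 Event ID 1074 (restart
# initiated) or 1073 (restart failed). p:4:1 = planned Application: Maintenance per
# shutdown /?. The server name, comment and function name are made up here.
function Restart-RDSHServer {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [string]$Comment = 'Planned reboot',
        [int]$WaitSeconds = 20
    )
    $started = (Get-Date).AddMinutes(-1)   # tolerate small clock skew between the hosts

    # /r restart, /m target, /t 0 no countdown, /d p:4:1 planned app maintenance, /c comment
    & shutdown.exe /r /m "\\$ComputerName" /t 0 /d p:4:1 /c $Comment
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "shutdown.exe exited with $LASTEXITCODE for $ComputerName (access denied, RPC blocked, or name not found)"
    }

    Start-Sleep -Seconds $WaitSeconds
    if (-not (Test-Connection -ComputerName $ComputerName -Count 1 -Quiet)) {
        # A server that has gone quiet is most likely rebooting; read 1074 once it is back
        return "$ComputerName is not responding to ping; the restart appears to be in progress"
    }

    # Still up: either the restart was refused (1073) or it has not started yet
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'System'; ProviderName = 'User32'; Id = 1073, 1074; StartTime = $started
    } -ErrorAction SilentlyContinue
    if (-not $events) { return "No 1073/1074 event logged on $ComputerName yet" }
    $events | Select-Object TimeCreated, Id,
        @{ n = 'Result'; e = { if ($_.Id -eq 1073) { 'restart FAILED' } else { 'restart initiated' } } },
        Message
}

# Usage: reboot FUJI after an application update and record why in its event log
Restart-RDSHServer -ComputerName 'FUJI' -Comment 'FUJI-AppUpdate-Reboot'
```

Reading the event log remotely needs the Remote Event Log Management firewall exception on the target and an account that can read its System log; the 1073 check is the part worth keeping, since that is the case where the server stays up and nothing else tells you the reboot never happened.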
DIRECT FROM THE FIELD
W hen performing remote reboots, you’re not present to see whether the
reboot works . . . and it can waste a lot of time if you think a server reboots
when it doesn’t. One solution is to email yourself when a shutdown or reboot fails.
You’ll need a Simple Mail Transfer Protocol (SMTP) server running in your domain
(you can install the SMTP server feature built into Windows Server 2008 or you
can use another SMTP server), the Microsoft Collaboration Data Objects (CDOs)
installed on the computer creating the email, and a script to do the emailing. You
can edit this sample script to conform to your needs.
Option Explicit
'''----- script configuration area
Const strSMTPServer = "arvon.ash.local"
Const strFrom = "alerts@ash.local"
Const strTo = "adam.barr@ash.local"
'''----- end configuration area
Dim objWSHNetwork, strNetBIOSComputer, objMail
' Name of the computer running this task (the one that failed to reboot)
Set objWSHNetwork = CreateObject("WScript.Network")
strNetBIOSComputer = objWSHNetwork.ComputerName
Set objWSHNetwork = Nothing
' Build the CDO message and send it through the SMTP server configured above
Set objMail = CreateObject("CDO.Message")
objMail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objMail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = strSMTPServer
objMail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objMail.Configuration.Fields.Update
objMail.From = strFrom
objMail.To = strTo
objMail.Subject = "Critical error!! " & strNetBIOSComputer & " failed to reboot"
objMail.Textbody = "Critical error!! " & strNetBIOSComputer & " failed to reboot " & Now & vbCRLF
objMail.Send
Set objMail = Nothing
HOW IT WORKS
Y ou can find RemoteApp sessions from the command line using the query com-
mands. The query session command will help you find the sessions hosting
Rdpinit.exe and Rdpshell.exe, and query process will help you find out whether a
user’s session contains those processes.
To find out which sessions on server FUJI are running Rdpshell.exe, run this
command.
The results show that Paul Koch is running a RemoteApp and therefore should not
be shadowed.
Let’s say that you know the user whose session you want to shadow. You can ask the
user to describe the session’s appearance and figure out if he is running a Remote-
App, but that’s slow and unreliable. The better alternative is to query the Remote
Desktop Services Manager for the processes that the user is running. To query the
processes running for user Kim Akers on server FUJI, run this command.
The preceding command also reveals the session ID, which you need to shadow
Kim’s session, like this.
shadow /SERVER:FUJI 3
Auditing Application Usage
Many administrators want to know if their company is compliant with their application licensing requirements. Unfortunately, this isn't easy to determine at the best of times, and it gets harder when an RD Session Host deployment is involved. First, application licensing for an RD Session Host server can be tricky. You need to read the application's fine print (the application vendor determines the licensing requirements, not Microsoft), and if you must be able to demonstrate compliance for legal reasons, you might need to clarify the details with the application's vendor. (Not all license agreements are written with virtualization in mind.) Second, Windows Performance Monitor doesn't offer a way to keep track of how many instances of a process are open on a server, other than adding a process counter and manually counting how many processes have the same name.
You could count application instances from the Remote Desktop Services Manager by counting processes on each RD Session Host server and adding up the results of each count, but why would you? The query process or qprocess command provides a way to do the same thing programmatically. With a little help from some other scripting objects, the query process command can be the basis of a rudimentary application metering tool.
NOTE The Get-Process Windows PowerShell cmdlet isn’t session-aware, so it will return
only processes in the current session.
Use this tool not only to keep track of your licensing, but also to let you know if an application's usage is decreasing. If you're considering retiring an application, recording how many instances are running over time can give you the data you need to know about how many people are still using it.
NOTE The code snippets in the following sections are not full working scripts. For the
sake of space, the script lines that define variables have been removed. The full working
scripts are located on the companion media.
This won't work in the workgroup scenario, because workgroups don't have OUs. In that case, you'll need to rely on the query termserver command, as in the following example. This is a bit more complicated, because the command-line tool returns some extra data and you'll need to remove it from the file. This section relies on both RDSHNames.bat and QueryRDSH.vbs on the companion media.
List Processes on the RD Session Host Servers
When you know the names of the RD Session Host servers in an OU, query each server by typing query process <executable> /server:<server name>. To make it easy, automate this process by running a batch file that runs the query process command against the saved server list and pipes that data to a file, as shown here.
Why use a batch file? Mostly because it's easy. There's no reason to reinvent the wheel and try to pull all the process data from all the servers when query process does the same thing so succinctly. This batch file is on the companion media as Processes.bat.
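Both of the jobs this chapter gives query process, spotting sessions that host a RemoteApp (the "How It Works" sidebar above, where Rdpinit.exe and Rdpshell.exe mark a session that should not be shadowed) and counting instances of an executable for the licensing log described here, start from the same parsing step. The following Windows PowerShell code is an added example, not the book's Processes.bat or any companion-media script. The function names are its own, and the sample output it parses is constructed for the example with the chapter's fictitious user and server names.

```powershell
# Added example (not from the book): parse "query process * /server:<name>" output once
# and use it for two jobs from this chapter: find sessions hosting a RemoteApp
# (rdpinit.exe / rdpshell.exe) and count instances of an executable per server.
# Function names are this example's own; the sample output below is constructed.
function ConvertFrom-QueryProcess {
    param([string[]]$Lines, [string]$Server)
    foreach ($line in $Lines) {
        # Columns: USERNAME SESSIONNAME ID PID IMAGE; a leading '>' marks the caller's
        # own session. Header and blank lines do not match the pattern and are skipped.
        if ($line -match '^\s*>?(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$' -and $matches[1] -ne 'USERNAME') {
            New-Object PSObject -Property @{
                Server = $Server; UserName = $matches[1]; SessionName = $matches[2]
                SessionId = [int]$matches[3]; ProcessId = [int]$matches[4]; Image = $matches[5].ToLower()
            }
        }
    }
}

# Sessions that should not be shadowed: any session running the RemoteApp host processes
function Get-RemoteAppSession {
    param($Processes)
    $Processes | Where-Object { @('rdpinit.exe', 'rdpshell.exe') -contains $_.Image } |
        Group-Object Server, SessionId |
        ForEach-Object { $_.Group[0] | Select-Object Server, SessionId, UserName }
}

# Instances of one executable per server, the number the licensing log needs
function Measure-ProcessInstances {
    param($Processes, [string]$Image)
    $Processes | Where-Object { $_.Image -eq $Image.ToLower() } |
        Group-Object Server | Select-Object @{ n = 'Server'; e = { $_.Name } }, Count
}

# Constructed sample of "query process * /server:FUJI" output (not captured from a real server)
$sampleFuji = @'
 USERNAME              SESSIONNAME         ID    PID  IMAGE
 >administrator        rdp-tcp#0            1    1856 rdpclip.exe
  paul.koch            rdp-tcp#2            2    2704 rdpinit.exe
  paul.koch            rdp-tcp#2            2    2780 rdpshell.exe
  paul.koch            rdp-tcp#2            2    3012 excel.exe
  kim.akers            rdp-tcp#3            3    3188 explorer.exe
  kim.akers            rdp-tcp#3            3    3300 excel.exe
  hao.chen             rdp-tcp#4            4    3520 excel.exe
'@ -split "`r?`n"

$procs = ConvertFrom-QueryProcess -Lines $sampleFuji -Server 'FUJI'
Get-RemoteAppSession -Processes $procs                          # paul.koch, session 2: do not shadow
Measure-ProcessInstances -Processes $procs -Image 'excel.exe'   # FUJI: 3 instances

# Live use against your saved server list (run on a machine with the RDS command-line tools):
# $procs = foreach ($s in 'FUJI', 'FLAPJACK') { ConvertFrom-QueryProcess -Lines (query process * /server:$s) -Server $s }
```

Because the parser keys on whitespace-separated columns, a disconnected session (empty SESSIONNAME) will not match the pattern; if those matter for your count, switch to fixed-column offsets taken from the header line.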
ON THE COMPANION MEDIA The text file contents produced by the preceding
script contains a carriage return at the end of the file, which for line-counting
purposes will increase the count by 1. This carriage return has been deleted in
CheckFile.vbs, which is located on the companion media.
Set objWSHNetwork = Nothing
Set objMail = CreateObject("CDO.Message")
objMail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objMail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = strSMTPServer
objMail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objMail.Configuration.Fields.Update
objMail.From = strFrom
objMail.To = strTo
objMail.Subject = "Licensing Check!! " & Now
objMail.Textbody = "Licensing Check!! The application count in use is " & objProcessesFile.Line & " which is higher than number of licenses purchased " & Now
objMail.Send
Set objMail = Nothing
End If
' Create or append data to log file
' =====Configuration Area================
objApp = "excel.exe"
strProcLogDir = "\\colfax\ash-company-files\IT\Reports"
strProcLogFile = "processcountlog.txt"
' =====End Configuration Area============
Sub subAppend
    ' Append the count to the log file processcountlog.txt
    Set objProcLogFile = objFSO.OpenTextFile(strProcLogDir & "\" & strProcLogFile, ForAppending, True)
    strProcLogText = Now & "/The # of instances of " & objApp & " running is " & objProcessesFile.Line
    ' Writes strProcLogText to processcountlog.txt
    objProcLogFile.WriteLine(strProcLogText)
    objProcLogFile.Close
End Sub
' Check that the log folder exists; if not, create it (a Folder object has no Close method)
If Not objFSO.FolderExists(strProcLogDir) Then
    Set objProcLogFolder = objFSO.CreateFolder(strProcLogDir)
End If
' If the log file exists, append data; if not, create the file and then append
If objFSO.FileExists(strProcLogDir & "\" & strProcLogFile) Then
    Call subAppend
Else
    Set objProcLogFile = objFSO.CreateTextFile(strProcLogDir & "\" & strProcLogFile)
    objProcLogFile.Close
    Call subAppend
End If
WScript.Quit
That approach is fine for getting real-time data to help you solve a real-time issue, such as determining if your server is overloaded with user connections and performing poorly. But to get a sense of the average number of users logging onto a server, you will need to compile a user count over time. To get this count over time, you can run query user and pipe the data to a file like this.
NOTE As demonstrated in the section entitled “Record Application Instances and Email
Alerts,” you can also count the entries in the text file and append the count to another file
so you can see the count increase over time. To see how to count lines in a file and append
this count to a log file, refer to the Check-email.vbs script on the companion media.
Now stop the Excel.exe process associated with hao.chen. Do this by specifying the PID associated with the process shown in the preceding query.
NOTE You can also specify the process by using the session ID and process name switches.
Refer to the section entitled “Monitoring and Terminating Processes” earlier in this chapter
for other examples of terminating processes.
If other users also complain, and it is apparent that all instances of Excel are stalled, you can terminate them all by running tskill, but use the processname parameter (the image name minus the executable extension) and the switch /A (which tells tskill to kill all instances of the processname).
Then run qprocess again and see that there are no longer any instances of Excel.exe running.
Summary
This chapter has explained how to manage current RDP sessions using the graphical and command-line tools. Some of the best practices covered include the following.
■ If you plan to import VM pools from RD Connection Broker to work in the Remote Desktop Services Manager, make sure the computer names match the VM names in Hyper-V. The importing function will report the VM names, not the computer names, and the management API uses the computer names.
■ For the most accurate information across multiple servers, use the command-line tools.
■ For best password security, do not use tscon from the command line, because it displays the password on the screen in cleartext.
■ If you must remove a session from an RD Session Host server forcibly, use the logoff command rather than resetting the session. Although logoff won't save user data, it will write profile changes back to the profile server, whereas resetting the session does not.
■ Don't try to shadow RemoteApp sessions. Use the Remote Desktop Services Manager or the query session or query process command to determine whether a session is displaying a full desktop or a RemoteApp.
■ When preparing for user maintenance, use the /drain switch with the change logon command to drain users slowly from the RD Session Host server rather than using the /disable switch.
■ You can use the command-line tools to help you learn patterns of application usage and user logons and save those inventories to a log file.
Additional Resources
This chapter includes a number of tools for checking settings and running inventory, all of which are on the companion media.
■ For more details about how there can be multiple instances of the same process on an RD Session Host server, see Chapter 2, "Key Architectural Concepts for Remote Desktop Services."
■ For more details about the session startup process, see Chapter 3, "Deploying a Single Remote Desktop Session Host Server."
■ To learn how to configure Remote Control settings via Group Policy, review the section entitled "Enabling Remote Control via Group Policy" in this chapter.
■ To download RSAT for Windows 7, go to http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en.
■ Microsoft MVP Shay Levy has created the Terminal Services PowerShell Module, which allows you to perform many Remote Desktop Services Manager tasks from Windows PowerShell. Get it here: http://code.msdn.microsoft.com/PSTerminalServices.
■ Information on the Win32_TSRemoteControlSetting class can be found at http://msdn.microsoft.com/en-us/library/aa383817(VS.85).aspx.
■ A Windows PowerShell module for monitoring VDI and RD Session Host server sessions is available at the Microsoft Script Center at http://gallery.technet.microsoft.com/ScriptCenter/en-us/e8c3af96-db10-45b0-88e3-328f087a8700.
■ Other scripts to accomplish other management tasks such as enabling or listing the remote control settings for a user account, farm and VDI usage reports, reporting session idle information, and more can be found at the Microsoft Script Center in the Remote Desktop Services section at http://gallery.technet.microsoft.com/ScriptCenter/en-us/.
■ Microsoft MVP Michael Smith created a script that sends an email when an event ID occurs. Get this script at http://theessentialexchange.com/blogs/michael/archive/2008/10/06/script-for-from-the-field.aspx.
■ The CDO installer can be downloaded from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e17e7f31-079a-43a9-bff2-0a110307611e.
CHAPTER 12
Remote Desktop Services (RDS) works only for a limited time without licensing, so to complete this book, you'll learn more about that issue, including
■ The licensing models for RDS
■ How to install the RDS Licensing role service
■ How to activate license servers
■ How to install and manage license packs
■ How to point an RD Session Host server to a license server
■ How RD Session Host assigns licenses
■ How to run usage reports
The RDS Licensing Model
As RDS gains more functionality, the licensing model has to adjust to include this new functionality. In Windows 2000 Server, the licensing model was entirely per-device (meaning that every device connecting to a terminal server needed a license). Windows Server 2003 introduced per-user licensing for terminal servers, giving companies a choice of how they wanted to license access. Windows Server 2008 introduced new roles like Terminal Services Gateway, which didn't perform a license check but still required a license to use them.
The addition of native virtual machine (VM) support in Windows Server 2008 R2 introduced added complexity. First, remote access to client operating systems is governed by rules separate from those for remote access to a server operating system. Second, VM deployments are helped by some partner technologies (for example, System Center Virtual Machine Manager and App-V) that were not part of the former TS client access license (CAL). Third, some people want VMs only, and some people want all the functionality of RDS: VMs, RD Session Host sessions, remote access to RDS resources, and so forth.
The final version has worked out to a two-tier model.
NOTE For answers to frequently asked questions about RDS licensing, see
http://www.microsoft.com/windowsserver2008/en/us/rds-product-licensing.aspx.
■ RDS Licensing Licensing to access RD Session Host sessions (including VMs) and to use other RDS role services (such as RD Gateway, RD Connection Broker, and RD Web Access).
■ VDI Licensing Licensing to access pooled or personal VMs hosted on the RD Virtualization Host server and to use RD Connection Broker to provide access to pooled and personal VMs. This licensing model is intended for people who need only Virtual Desktop Infrastructure (VDI) and don't need other RDS role services (for example, RD Gateway for WAN access).
RDS Licensing
RDS CALs g ve users or dev ces the r ght to access and use any of the RDS ro e serv ces Th s
s why RDS CALs are part of the requ rements for VDI access, as shown n the sect on ent t ed
“VDI L cens ng” ater n th s chapter RDS CALs a so nc ude the r ghts to use App-V to dep oy
app cat ons to RD Sess on Host servers There are four RDS cens ng opt ons to choose from,
and wh ch opt on you choose depends on how your company operates The four RDS cens-
ng opt ons are
■ Per-User Licensing Each user that w use RDS ro e serv ce(s) needs to have an RDS
User CAL Purchase RDS User CALs when your users w access RDS ro e serv ce(s) from
mu t p e mach nes Th s mode a ows users to access RDS resources from any computer
www.it-ebooks.info
because the cense s t ed to the user, not the dev ce RDS Dev ce CALs, converse y, are
t ed to the access ng dev ce
■ Per-Device Licensing Each dev ce that w use RDS ro e serv ce(s) needs to have an
RDS Dev ce CAL Purchase RDS Dev ce CALs when mu t p e users w access RDS ro e
serv ce(s) from a set number of c ent dev ces A good examp e of when RDS Dev ce
CALs are the better cho ce s sh ft work—when mu t p e users at d fferent t mes of the
day w use one mach ne to access RDS resources RDS Dev ce CALs are a so requ red
to access poo ed or persona VMs
■ RDS External Connector This license option allows multiple external users (users who are not part of your company and for whom you do not provide licensing) to access one specific server. Each server accessed would need a license. For example, if you were going to license access to an RD Session Host server on one server, via RD Gateway on another server, you would need a license for both servers.
■ Services Provider License Agreement (SPLA) This licensing is specifically for hosting providers and independent service vendors (ISVs) that host RDS and provide RDS access rights as part of their offering.
Of the four options, RDS (Per-User or Per-Device) CALs are most commonly used with RDS. RD Session Host servers can be configured only in Per-User or Per-Device mode, but not both. Most people purchase one type of RDS CAL. You might use both if providing both VMs and sessions: Per-User CALs to access RD Session Host servers and RDS Per-Device CALs to use pooled and personal VMs.
HOW IT WORKS
VDI Licensing
The VDI licensing model is device-based, meaning that you buy a license for each device that will access pooled or personal VMs hosted on RD Virtualization Host servers. It has three components:
■ Licensing for the client devices that will access virtual desktops
■ RDS CALs for each device that will access RD Virtualization Host server and use RD Connection Broker to gain access to the VMs
■ Licensing for management components
NOTE Non-SA customers will need to purchase Virtual Desktop Access (VDA) licensing,
which is discussed in the next section.
Devices covered by SA can run up to four VMs locally on the desktop and access up to four VMs on servers in the datacenter. Devices covered by SA also include “roaming rights”—the single primary user of an SA-licensed device can access pooled or personal VMs from any PC without having to purchase any additional licenses.
Companies will need to purchase Virtual Desktop Access (VDA) licensing for devices not covered by SA that will be used to access pooled and personal VMs. You’ll need VDA for devices like thin clients, non-Windows-based devices, and devices that are not part of your organization (such as contractors’ computers). It also covers Windows devices for companies that don’t subscribe to SA. Each VDA license does the following:
■ Includes SA benefits for Windows such as 24x7 call and web support (how much depends on your investment in SA) and access to deployment planning services
■ Allows concurrent connections to up to four VMs
■ Includes primary user roaming rights
The primary user of a device that is covered by a VDA license can access his or her VDI desktop from non-corporate machines, such as personal laptops or hotel computers.
■ System Center Virtual Machine Manager (SCVMM) To provision and manage VMs
■ Microsoft Desktop Optimization Pack (MDOP) Includes use of App-V to deliver applications to virtual desktops
■ System Center Configuration Manager (SCCM) To configure RD Virtualization Host servers
■ System Center Operations Manager (SCOM) To manage RD Virtualization Host health and performance monitoring
The right to use these products to manage your VDI implementation is included in the VDI Suite licenses, discussed next.
VDI Suites
Instead of requiring the purchase of separate RDS licensing and management licensing, Microsoft provides two subscription-based VDI licensing bundles: VDI Standard Suite and VDI Premium Suite.
VDI Standard Suite includes:
■ Per-Device CAL for accessing VDI desktops only, not sessions
■ Use of management products to manage VMs and hosts (SCVMM, MDOP, SCCM, and SCOM)
■ Use of RD Connection Broker to provide access to pooled and personal VMs
VDI Premium Suite includes all the benefits of the VDI Standard Suite, as well as the following:
■ RDS CAL for accessing both virtual desktops and sessions
■ Use of App-V to deliver applications to RD Session Host servers
In certain circumstances, you will not need to purchase anything extra to have the right to access pooled or personal VMs. For example, if you don’t need to use extra management tools to manage VDI, your client devices are covered by SA, and you already own RDS Per-Device CALs, then you don’t need any further licensing to access pooled or personal VMs. However, if you want to use the management tools (SCVMM, SCCM, SCOM, and MDOP), then you have to either purchase VDI Suite CALs (which include the rights to these tools) or purchase individual licensing for the tools you want to use.
NOTE A brochure with licensing examples to help you understand what VDI licenses you
will need given different scenarios is available at http://download.microsoft.com
/download/7/8/4/78480C7D-DC7E-492E-8567-F5DD5644774D/VDA Brochure.pdf. The
link is available on the companion media.
License Tracking and Enforcement
Some RDS license options are enforced while others are not. The same is true for tracking license allocation. Table 12-1 shows which licenses are tracked, enforced, both, or neither.
NOTE VDI Licensing will be tracked and enforced in Windows Server 2008 R2 SP1.
Per-User licensing is tracked but not enforced, whereas Per-Device licensing is tracked and enforced. This does not mean that you are not bound by your license agreement, however—you are required to purchase the proper amount of licenses for your environment whether or not the licensing model is enforced. You can have up to two concurrent administrative connections to an RD Session Host server for administrative purposes. Administrative connections do not require an RDS CAL.
NOTE Putting the RD Session Host servers into Per-User mode can help you avoid
outages because Per-User licensing isn’t enforced. It’s okay to run in Per-User mode, even
if you have purchased Per-Device RDS CALs. For that reason, in an emergency, flip the
switch. You won’t be able to use the License Server application to keep track of how many
RDS Per-Device CALs are used, but as long as you have enough licenses to accommodate
your connecting devices, this is in compliance with the End User License Agreement
(EULA). Then you can fix your downed license server. To be clear, this does not remove your
responsibility to be licensed according to EULA.
license. Per-User licenses are stored as a property on a user account object in Active Directory Domain Services (AD DS), so the RD Session Host server can check this when user credentials are presented. (If you use Per-User licensing in a workgroup, then Per-User licenses aren’t tracked.)
All licenses are assigned for a random period of 52 to 89 days so that unused licenses can return to the license pool automatically. Beginning seven days before the license expires, when that license is presented at logon, the RD Session Host server will try to renew it for another period of 52 to 89 days.
NOTE It’s possible to revoke a Per-Device CAL manually if you don’t want to wait for
the automatic revocation to kick in. The section entitled “Revoking RDS CALs” later in this
chapter talks more about this.
If the client does not have a valid license or if the license it has is within seven days of expiring, then the RD Session Host server must attempt to obtain a license for the client at each login. If the server cannot find a license server to renew the license before it expires or no license is available, the license will expire. What happens then depends on the circumstances described in Table 12-2. Notice that there are circumstances in which an RD Session Host server in Per-User mode will permit the connection when an RD Session Host server in Per-Device mode will not.
CIRCUMSTANCE | PER-USER | PER-DEVICE
--- | --- | ---
The RD Session Host server has never found a license server but is in its grace period | The RD Session Host server will issue a temporary license that lasts up to 90 days | The RD Session Host server will issue a temporary license that lasts up to 90 days
The RD Session Host server has never found a license server and is out of the grace period | The RD Session Host server will not permit the connection | The RD Session Host server will not permit the connection
The RD Session Host server has found a license server but the license server has no RDS CALs installed and is not activated. The license server is in the grace period | The client will be allowed access for up to 120 days | The client will be allowed access for up to 120 days
The RD Session Host server has found a license server but the license server has no RDS CALs installed. The license server is out of its grace period | The RD Session Host server will permit the connection | The RD Session Host server will not permit the connection
The RD Session Host server has found a license server with RDS CALs available | The RD Session Host server will give the license server the name of the user attempting to connect to the RD Session Host server. The license server will then contact AD DS to set a property on that user’s account object to show that the person has used a license | The RD Session Host server will contact the license server with the hardware ID (HWID) of the computer attempting to connect to the RD Session Host server. The license server will then assign an RDS CAL to that HWID and create a record of the assignment
If you watch a license server when a user is logging onto an RD Session Host server in Per-Device mode, you might notice that before issuing a permanent license to the device, the license server will first issue a temporary license. This temporary license is given to the client device prior to the user logon. The reason is that you need a license to connect, but until the user who initiated the connection has presented credentials, the RD Session Host server can’t tell whether that user has permission to log on to the RD Session Host server and therefore will not allocate a license unnecessarily.
NOTE Prior to Windows Server 2000 SP2, a terminal server issued a permanent RDS CAL
when the connection was initiated. Unfortunately, this meant that it was very easy for a
malicious person to drain TS CALs from a license server because the person didn’t even
need a valid account to attempt the connection and have TS CAL assigned to the connect-
ing computer.
When the user logs on from a client device a second time, then the RD Session Host server will attempt to get a valid RDS Device CAL for the device. If the RD License server does not have any, then the client can continue to access the server for up to 90 days, or until the client is issued a real RDS Device CAL, whichever comes first.
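To see this lifecycle on a live license server, here is an added example (not the book’s code) that reads the Win32_TSLicenseKeyPack and Win32_TSIssuedLicense WMI classes on a Windows Server 2008 R2 RD License server and reports pool capacity, temporary licenses still outstanding, and permanent CALs already inside the seven-day renewal window. It assumes you run it as an administrator of the license server; the LicenseStatus code meanings it uses are an assumption taken from the class documentation and should be verified for your version.

```powershell
# Added example, not the book's code: audit the RDS CALs an RD License server
# has issued, using the Win32_TSLicenseKeyPack and Win32_TSIssuedLicense WMI
# classes (namespace root\cimv2 on a Windows Server 2008 R2 RD License server).
# Assumes the caller is an administrator of the license server. The LicenseStatus
# code meanings below (1 = temporary, 2 = active, 4 = revoked) are an assumption
# taken from the class documentation; verify them for your version.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$RenewalWindowDays = 7     # the RD Session Host tries to renew in the last 7 days
)

$now = Get-Date
# WMI returns DMTF date strings; convert them to .NET DateTime values.
$toDateTime = { param($dmtf) [System.Management.ManagementDateTimeConverter]::ToDateTime($dmtf) }

# 1. Pool capacity per installed key pack. In Per-Device mode an exhausted
#    pool is what eventually turns into refused connections.
Write-Output 'Installed key packs:'
Get-WmiObject -ComputerName $ComputerName -Class Win32_TSLicenseKeyPack |
    Select-Object ProductVersion, TypeAndModel, TotalLicenses, IssuedLicenses, AvailableLicenses |
    Format-Table -AutoSize

# 2. Every license the server has handed out, with a readable status and
#    the days left before it expires.
$issued = Get-WmiObject -ComputerName $ComputerName -Class Win32_TSIssuedLicense
$report = foreach ($lic in $issued) {
    $status = switch ($lic.LicenseStatus) {
        1       { 'Temporary' }
        2       { 'Active' }
        4       { 'Revoked' }
        default { "Code $_" }
    }
    $expires = & $toDateTime $lic.ExpirationDate
    New-Object PSObject -Property @{
        Device     = $lic.sIssuedToComputer
        User       = $lic.sIssuedToUser
        HardwareId = $lic.sHardwareId
        Issued     = & $toDateTime $lic.IssueDate
        Expires    = $expires
        DaysLeft   = [int]($expires - $now).TotalDays
        Status     = $status
    }
}

# 3. Temporary licenses are what a device holds after its first connection.
#    A large count at steady state means devices are not being upgraded to
#    permanent RDS Device CALs, typically because the pool has none left.
$temporary = @($report | Where-Object { $_.Status -eq 'Temporary' })
Write-Output ("Temporary licenses outstanding: {0}" -f $temporary.Count)

# 4. Permanent CALs inside the renewal window. These are renewed at the next
#    logon only if a license server can be reached; otherwise they lapse and,
#    in Per-Device mode, the device is refused.
Write-Output ("Active CALs expiring within {0} days:" -f $RenewalWindowDays)
$report |
    Where-Object { $_.Status -eq 'Active' -and $_.DaysLeft -le $RenewalWindowDays } |
    Sort-Object DaysLeft |
    Format-Table Device, User, Issued, Expires, DaysLeft -AutoSize
```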
What if a license server the RD Session Host server connects to doesn’t have any licenses of the right kind available? Prior to Windows Server 2008 R2, the license server would forward the request to another license server that it had discovered (the license servers would search for and discover other license servers), a feature called CAL Forwarding. Windows Server 2008 R2 no longer uses license server discovery (discovery could be interrupted by so many situations it wasn’t reliable), so CAL Forwarding has been removed. Instead, you must point all RD Session Host servers to the license server(s) they should use. If one license server cannot fulfill the request, the RD Session Host server will proceed to the next one in the list until it finds one that can fulfill the request or until it runs out of license servers.
Because CAL Forwarding is deprecated in Windows Server 2008 R2, how can you
make sure that your RD Session Host server contacts the second license server in
case the first one doesn’t have the requested type of CALs?
In summary, to ensure that all the license servers can be contacted by RD Session
Host servers, specify their names on each RD Session Host server.
You will learn how to specify RD License servers in the Specified License Server List in the section entitled “Configuring RD Session Host Servers to Use License Servers” later in this chapter.
Installing RD License Server
RDS Licensing can be installed on any Windows Server 2008 R2 server that supports RDS. You can install this role service on a domain controller or member server. To install the Remote Desktop Licensing role service, follow these steps:
1. If you haven’t previously installed any RDS roles on the computer, start Server Manager, right-click Roles in the tree view on the left, and choose Add Roles.
NOTE If you are installing RDS Licensing on a computer that already has RDS installed,
then you’ll start from the Role Services section of Server Manager. In the Remote
Desktop Services section, the screen will show the installed role services. Click Add
Role Services to jump to the page in the wizard where you choose to add the licensing
service.
2. Click through the introduction to RDS and on the next page, select the check box next to the Remote Desktop Licensing role service. Click Next.
3. Do not set a discovery scope, as it does not apply to Windows 2008 R2 license servers. Click Next.
NOTE Discovery settings apply only to terminal servers running Windows Server 2008
and earlier. RD Session Host servers cannot use discovery to find license servers; you
must explicitly specify the licensing server that an RD Session Host server will use.
If needed, you can change the default location of the licensing database by clicking the Browse button and choosing a different location. Click Next.
4. Click the Install button on the Confirm Installation Selections page.
5. After the installation is complete, you’ll see a confirmation message and a reminder to configure the RD Session Host servers to point to the license server. Click Close.
You can also install the Remote Desktop Licensing role service using Windows PowerShell like this:
# Load the Server Manager cmdlets (required on Windows Server 2008 R2)
Import-Module ServerManager
# Install the Remote Desktop Licensing role service
Add-WindowsFeature RDS-Licensing
RD License Server Connection Methods
RD License servers must communicate with the Clearinghouse when you add or migrate licenses, and activate or deactivate a license server.
NOTE For details on how the communication with the Clearinghouse works, see the sec-
tion entitled “Background: How RDS CALs Are Tied to an RD License Server” later in this
chapter.
There are three methods that the RD License server can use to communicate with the Clearinghouse when performing these tasks:
■ Automatic Connection With this method, you enter the needed information into the appropriate RD License server wizard interface and the RD License server contacts the Clearinghouse automatically to perform the chosen activity. When possible, this is the easiest method.
■ Web Browser Use this method when the RD License server does not have Internet access but you can access the Internet from another computer. The RD License server directs you to a website (https://activate.microsoft.com/) to perform the chosen activity. The RD License server also gives you the information you will need.
■ Telephone Use this method when you do not have Internet access. The RD License server will ask you for your country or region and then provide you with the appropriate phone number to call the Clearinghouse.
The method by which you will communicate with the Clearinghouse is specified in the RD License server’s Properties dialog box. When you install the RD License server, this is set to Automatic Connection, but you can change it when you activate RDS CALs. You can also change this method in the RD License Server Manager at any time. Change the connection method in the RD License Server Manager by right-clicking the server and choosing Properties. On the Connection Method tab, use the Connection Method drop-down box to choose a connection method and click OK. Again, however, the Automatic Connection method of communicating with the Clearinghouse is simplest.
FIGURE 12-1 Activate the RD License server to issue permanent RDS CALs.
Activating a license server registers it with the Clearinghouse so that any licenses that you install on it will be associated with that server.
NOTE Beginning in Windows Server 2008 R2, RD Licensing allows you to move licenses
from one license server to another without having to call the Clearinghouse. For details
on this process, see the section entitled “Migrating RDS CALs from One License Server to
Another” later in this chapter.
To activate the license server, open the RD Licensing Manager. The interface here is pretty straightforward. Any license servers (locally installed, or to which you connected) will appear under All Servers. License servers that are marked with a red X are not yet activated and can only issue temporary RDS CALs. You can’t make RDS Per-User CAL reports yet because you have no RDS Per-User CALs installed for which to create reports.
NOTE To manage more than one license server from RD Licensing, right-click All Servers
and choose Connect. When prompted, type the name of the license server to connect to.
Because you haven’t yet installed any RDS CALs on the license server, you may
wonder why the license server contains a reference to Windows 2000. That’s
the result of a decision made in the Windows 2000 era. At that time, any Windows
2000 Professional computer had a license to access a Windows 2000 Server terminal
server. Many people referred to this as a “built-in” license, but this is misleading.
There was no license built into Windows Server 2000 Professional, just the ability to
pull from the Unlimited pool on the license server.
Beginning with Windows XP and Windows Server 2003, no client operating system
has been able to draw from this Unlimited pool, but it’s still available if you have
(a) Windows 2000 Server terminal servers using the license server and (b) Windows
Server 2000 Professional clients that will be using those license servers. If you
don’t have both, this Unlimited license pool is totally irrelevant. Even if you have
Windows 2000 Professional clients, they cannot draw from the Unlimited pool to
access a Windows Server 2008 RD Session Host server or a Windows Server 2008 or
Windows Server 2003 terminal server.
To activate the license server, select it, choose Action, Activate Server, or right-click the license server and then choose Activate Server from the context list. This will start the Activate Server Wizard.
Click Next and then choose a method to contact the Clearinghouse to activate the server. If at all possible, use the Automatic Connection option, as it’s less prone to error than either the website or the telephone options. The Clearinghouse manages licensing for Microsoft, including activating license servers, issuing RDS CALs and associating them with a license server, and recovering licenses. When you contact the Clearinghouse to activate a server, you’ll receive an X.509 certificate to identify the server. Installing RDS CALs on the activated server associates them with that certificate and validates their authenticity.
Next, you’ll need to provide some basic company information to the Clearinghouse to associate you with the activated server. This information is required. Type in your first name, last name, and company name, and then select your country or region from the corresponding drop-down menu.
CAUTION If you’re tempted to put in a false name, as some people do when asked
to provide contact information, be aware that this information is designed to allow
the Clearinghouse to find you in its system if you need to have licenses reissued or
need other support. We recommend using your real name. If you put in a false name,
remember it!
Next, the wizard will prompt you for some additional optional information that the Clearinghouse can use to contact you and further identify you: email address, organizational unit (OU), company address, city, state or province, and postal code.
Click Next, watch the status bar for a few seconds until you see the activation is complete, and you’re finished. The license server is now activated and ready for you to install RDS CALs. When you go back to the RD Licensing Server console, the server will now have a green icon with a check mark indicating that it is activated.
NOTE Although the Activate Server Wizard will prompt you to install RDS CALs right
away, you can skip this step for now and the license server will allow access for up to 120
days (until the grace period expires). The grace period ends at 120 days or when you install
at least one license pack.
TABLE 12-3 RD License Server Activation Reason Codes
CODE REASON
After the License server is activated, you should note the License Server ID and the required and optional information that you used to activate the license server. If you ever need to contact the Clearinghouse (for example, to get your RDS CALs reissued), this is the information that they will use to verify who you are and to help you further. If your license server dies in the future and you cannot get to this information, then working with the Clearinghouse becomes much harder.
In the RD Licensing Manager, right-click the license server and choose Properties from the context menu. Write down the License Server ID located on the Connection Method tab and also all information on the Required Information and Optional Information tabs. We recommend that you keep all your original purchase information and receipts.
Background: How RDS CALs Are Tied to an RD License Server
When you activate an RD License server with the Clearinghouse, the Clearinghouse issues an X.509 digital certificate to the RD License server. This certificate is used to encrypt communications with the Clearinghouse. Figure 12-2 depicts the process of activating an RD License server and installing RDS CALs.
[Figure 12-2 diagram: (1) The RD License server sends Name, Company, Country, and License Server Product ID (LS-PID) to the Microsoft Clearinghouse. (2) The Clearinghouse sends an X.509 certificate and a unique License Server ID (LSID) to the RD License server. (3) RD CALs are created based on a 35-character representation of the certificate, which also contains the LSID.]
FIGURE 12-2 The Clearinghouse issues an LSID to the RD License server, which is matched to the LSID contained in the RDS CALs.
1. You activate the RD License server. The RD License server sends information to the Clearinghouse identifying the RD License server. This information includes:
■ First Name and Last Name
■ Company
■ Country
■ License Server Product ID (LS-PID)
The LS-PID is server-specific because it is created from the Windows Product ID (PID), a unique identifier created when you install the operating system. It contains the Microsoft Product Code (MPC) that identifies the operating system and the Channel ID that specifies the channel through which you purchased your operating system (Retail, Original Equipment Manufacturer [OEM], Volume Licensing Programs, Evaluation, or Checked Build).
2. The Clearinghouse issues an X.509 certificate to the RD License server. The certificate is used to establish secure communications between the RD License server and the Clearinghouse. The Clearinghouse also sends a unique License Server ID (LSID) to the server. This certificate is not stored in the regular computer certificate store on the server. Instead, it is stored in the registry at HKLM\SYSTEM\CurrentControlSet\Services\TermServLicensing\Parameters. The following four keys exist here:
■ L$TermServLiceningSignKey-12d4b7c8-77d5-11d1-8c24-00c04fa3080d This key is created from the license server’s certificate.
■ L$TermServLicensingExchKey-12d4b7c8-77d5-11d1-8c24-00c04fa3080d This key is created from the license server’s certificate.
■ L$TermServLicensingServerId-12d4b7c8-77d5-11d1-8c24-00c04fa3080d The unique LSID sent from the Clearinghouse.
■ L$TermServLicensingStatus-12d4b7c8-77d5-11d1-8c24-00c04fa3080d The last run state of the license server database.
3. You install RDS CAL packs. RDS CALs are created based on a 35-character alphanumeric representation of the digital certificate that was issued to the RD License Server. This 35-character sequence contains the LSID. When RDS CALs are installed, the RD License server matches the LSID in the 35-character sequence with its own LSID, which was issued by the Clearinghouse. If they match, then the RDS CALs are installed. If they do not match, the server rejects the installation.
NOTE If you see Event ID 17 logged and you find the license server is only issuing tem-
porary licenses, see http://support.microsoft.com/kb/2021885. You might have a corrupted
certificate. Reactivate the license server as described in the Knowledge Base article to
resolve the problem.
The key point is that the LSID issued to the RD License server is created from the LS-PID. The LS-PID is created from the unique operating system PID. This process ties the RDS CALs to the RD License server operating system installation.
Communication from the RD Session Host servers and the clients is encrypted based on the RD License server certificate, as shown in Figure 12-3.
[Figure 12-3 diagram: The RD License server gets an X.509 certificate from the Microsoft Clearinghouse and uses it as the root certificate for the certificates it creates. The RD License server creates and sends certificates to the RD Session Host servers, which in turn communicate with the clients.]
FIGURE 12-3 The RD License server issues certificates to the RD Session Host servers.
1. The license server gets an X.509 certificate from the Clearinghouse based on its PID.
2. The license server creates digital certificates signed with its own certificate and issues them to the RD Session Host servers. (RD Session Host servers request RDS CALs on behalf of the users or computers connecting to them.)
3. The RD Session Host servers use their digital certificates to establish secure communications with clients to check for and to issue RDS CALs.
The result is that to establish secure communication, the client verifies the RD Session Host server certificate by checking the signature on the certificate.
The RD Session Host server certificate is signed by the RD License server certificate. After it gets a certificate from a license server, it will never try to get another certificate, even if the license server is changed. This is because the certificate issued by one RD License server is valid for all other RD License servers. Communication happens using the original certificate only.
NOTE For Per-User licensing, the RD Session Host server doesn’t have to send anything
to or get anything from the client because all the RDS CAL usage information is stored in
AD DS.
Adding License Servers to AD DS
After the initial installation and activation, the RD Licensing Manager will show a yellow warning sign next to the license server, as shown in Figure 12-4. This is because the license server has not yet been added to the Terminal Server License Servers group in AD DS. You must add the license server to this group for every domain for which the license server will allocate licenses.
FIGURE 12-4 Add the RD License server to the Terminal Server License Servers group in AD DS by selecting Review Configuration in the RD Licensing Manager.
To do so, select the server in RD Licensing Manager, right-click it, and select Review Configuration. Click Add To Group and then click Continue in the resulting pop-up box that tells you that you must have Domain Admins privileges to do this. Then click OK in the second pop-up box that tells you the account was added to the Terminal Services License Group in AD DS.
FIGURE 12-5 Choose the type of license packs you install.
2. From the License Program drop-down menu, choose the license program that you used to purchase your RDS CALs (for this example, you will choose to install a retail license pack). The corresponding Format and Location information area will tell you what further information you will need to provide on the next page(s). Click Next.
3. The next page(s) can vary slightly, depending on which License Program you chose, because the information that you need to enter next is unique to the license program. However, the general step is the same: enter the license information that the interface prompts for. For example, for CALs purchased from the Retail Purchase program, type in the license code or key for your CAL purchase and click Add. The code will show up in the list of entered license codes. You can enter as many here as you have available. When you’re finished, click Next.
NOTE The Microsoft RDS team has provided an example of how to use Windows
PowerShell to add a License Key Pack to an RD Licensing server (and how to perform
other license server management) online at http://blogs.msdn.com/b/rds/archive
/2010/04/07/manage-remote-desktop-licensing-by-using-windows-powershell.aspx.
4. After you have entered all the required information, the RD License server will contact the Clearinghouse, install the licenses, and then display them in the right pane of the RD Licensing Manager.
NOTE For more information on how this change replaces CAL Request Forwarding
in Windows 2008, see the sidebar entitled “Direct from the Source: CAL Forwarding
Deprecated In Windows Server 2008 R2” earlier in this chapter.
To use Group Policy to configure RD Session Host servers with known RD License servers, do the following:
1. Create a Group Policy Object (GPO) and enable this policy: Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing\Use The Specified Remote Desktop License Servers.
2. Specify the RD License server or servers that you want the RD Session Host servers to use. Do this by name (NetBIOS or FQDN) or by server IP address, separated with a comma as shown here:
colfax.ash.local,blueridge.ash.local
3. Apply the GPO to the OU where the RD Session Host servers reside.
NOTE You can point an RD Session Host server to a license server in another domain, but
if the RD Session Host server is configured for Per-User licensing, a trust relationship must
exist between the domain where the license server is located and the AD DS for the user
accounts. This is because RDS Per-User CAL usage is stored in AD DS. When a user gets a
CAL, the RD License server updates their user account property to show that that user has
a CAL, so it must be able to write to the user account. It must also be able to query it to run
a report on Per-User CAL usage.
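As an added example (not the book’s code), the same Specified License Server List and licensing mode can be set locally through the Win32_TerminalServiceSetting WMI class and then read back for verification, which is useful for an RD Session Host outside the GPO’s scope or for scripted configuration checks. It assumes Windows Server 2008 R2, an elevated PowerShell session on the RD Session Host, and uses the book’s example server names.

```powershell
# Added example, not the book's code: configure an RD Session Host server's
# Specified License Server List and licensing mode through the
# Win32_TerminalServiceSetting WMI class (namespace root\CIMV2\TerminalServices),
# then read the settings back to verify them.
# Assumes Windows Server 2008 R2 and an elevated PowerShell session on the
# RD Session Host. Example invocation (server names are the book's examples):
#   .\Set-RdsLicensing.ps1 -LicenseServers colfax.ash.local,blueridge.ash.local -Mode PerUser
param(
    [Parameter(Mandatory = $true)]
    [string[]]$LicenseServers,          # NetBIOS names, FQDNs, or IP addresses, in fallback order

    [Parameter(Mandatory = $true)]
    [ValidateSet('PerDevice', 'PerUser')]
    [string]$Mode                       # must match the type of RDS CAL you own
)

# LicensingType codes documented for Win32_TerminalServiceSetting:
# 2 = Per Device, 4 = Per User.
$modeCodes = @{ PerDevice = 2; PerUser = 4 }

$ts = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' `
                    -Class Win32_TerminalServiceSetting

# 1. Point the RD Session Host at its license servers. The order is the
#    order in which it will try them when one cannot fulfil a request.
$result = $ts.SetSpecifiedLicenseServerList($LicenseServers)
if ($result.ReturnValue -ne 0) {
    # A non-zero code commonly means a GPO already enforces this setting;
    # Group Policy takes precedence over local configuration.
    throw "SetSpecifiedLicenseServerList failed, return code $($result.ReturnValue)"
}

# 2. Set the licensing mode. An RD Session Host runs in one mode only.
$result = $ts.ChangeMode($modeCodes[$Mode])
if ($result.ReturnValue -ne 0) {
    throw "ChangeMode failed, return code $($result.ReturnValue)"
}

# 3. Re-read the instance and report what is actually configured, so the
#    change is verified rather than assumed.
$ts = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' `
                    -Class Win32_TerminalServiceSetting
$serverList = $ts.GetSpecifiedLicenseServerList().SpecifiedLSList

$modeName = switch ($ts.LicensingType) {
    2       { 'Per Device' }
    4       { 'Per User' }
    default { "Other ($_)" }
}

New-Object PSObject -Property @{
    LicensingMode  = $modeName
    LicenseServers = ($serverList -join ', ')
}
```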
Migrating RDS CALs from One License Server to Another
Manager. You can also migrate RDS CALs from offline RD License servers to online RD License servers. So if you only have one RD License Server and it dies, creating another RD License server and migrating the RDS CALs to the new location is simple. You just need to reenter your CAL License information to complete the process. To migrate RDS CALs from one license server to another, do the following:
1. Open the RD Licensing Manager on the RD License server to which you want to migrate licenses, expand All Servers, right-click the RD License Server, and choose Manage RDS CALs. This starts the Manage RDS CALs Wizard.
2. Click Next on the Welcome page and, on the next page, choose the Migrate RDS CALs From Another License Server To This License Server option. In the corresponding drop-down box, choose the reason for the migration. Then click Next.
3. Depending on the migration reason you chose in the previous step, the next screens will vary:
■ If you are replacing the source license server with this license server, then the following will happen:
a. You will be prompted for the source license server name or IP address.
b. Then you will reenter your license CAL program and code information as you did when you originally installed it.
■ If the source server is not online, then:
a. Select the check box for the option The Specified Source License Server Is Not Available On The Network. Doing so will then require you to choose the operating system of the source license server from the available drop-down box. You will also need to enter the source server License Server ID.
b. Reenter your license CAL program and code information as you did when you originally installed it.
■ If your source server is no longer functioning, select the check box for the option The Source Server Is No Longer Functioning. Then click Next.
4. If you indicated that your source license server was not available or not functioning, on the next page, you are required to agree not to use the licenses installed on the source server. Select the check box next to the agreement and click Next.
5. On the next pages, reenter your License Program information and corresponding license information as you did when you first installed the licenses on the source license server. Click Next and the licenses will be migrated to the destination server.
Rebuilding the RD License Server Database
You can also completely rebuild the licensing database using the Manage RDS CALs Wizard. You might do this if your license server database or license server certificate becomes corrupt or compromised, or if the license server is being redeployed. To do this, perform the following steps:
1. Open the RD Licensing Manager on the RD License server whose database you want to rebuild, expand All Servers, right-click the RD License Server, and choose Manage RDS CALs. This starts the Manage RDS CALs Wizard.
2. Click Next on the Welcome page and, on the next page, choose the Rebuild The License Server Database option. In the corresponding drop-down box, choose the reason for the rebuild. Then click Next.
3. Rebuilding an RD License server database deletes any RDS CALs installed on it, so have your purchase agreement information on hand. The next page tells you this. Select the Confirm Deletion Of RDS CALs Currently Installed On This License Server check box. Then click Next.
4. The next page confirms that the RD Licensing database has been deleted. Click Next and then follow the prompts to reenter your RDS CAL purchase information as you did when you originally installed the RDS CALs.
HOW IT WORKS
If you don’t back up a license server and the server fails, what have you lost?
You haven’t lost the licenses. Using the RD Licensing tool, you can migrate them to a
new server. If the original license server has failed, you can still reinstall the licenses
on a new server by saying that the server is out of commission and agreeing not to
use the licenses twice.
You haven’t lost the ability for people or devices that already had licenses to con-
nect. An RD Session Host server does not check with the license server every time
someone connects. It checks only when a user or a device without a license or one
with a license that needs to be renewed connects. Anyone who still has a currently
working license will continue to be able to connect.
You don’t lose the ability for new devices to connect, because they would get a
temporary RDS CAL and would be able to use it until it expired or the device could
be issued a real RDS CAL.
Devices with expired licenses would not be able to get a license and so would
not be able to connect. But this is dealt with easily by running more than one RD
License server.
You might have lost your usage reports, depending on whether you were issuing
Per-Device or Per-User licenses. Per-User licensing records are stored in AD DS,
since the license usage is reported as a property set on a user's account. Per-Device
license reports are stored on each license server. Therefore, losing a license server
would prevent you from reporting accurately on Per-Device RDS CALs already is-
sued. However, over time, as client RDS Per-Device licenses expire and they get new
ones, your reporting will become accurate again.
Because installation of an RD License server and RDS CAL migration is an easy and quick process to accomplish, if you have redundancy built into your licensing implementation (meaning that you have implemented more than one license server and split the RDS CALs among them), you might not need to back up the individual license servers.
If your reporting is crucial to you, and you cannot wait for clients to be reissued licenses and for your count to become accurate over time once again, then you can maintain backups of your RD License servers so you can restore them if necessary and regain full functionality and reporting. An RD License server licensing database is stored as part of the system state data (it's in %SystemRoot%\System32\LServer). As long as the system state is backed up, you can restore it to the same machine and get a full recovery of the RD License server.
Each operating system installation uses server-specific encryption that is unique to that installation. Every new installation of the operating system changes the crypto keys used in the server-specific encryption.
To be fully functional without having to migrate licenses, the RD License Server restore needs three things:
■ RD License Server database directory
■ Licensing registry keys
■ Crypto keys from the operating system (those that crypto application programming interfaces [APIs] use; these are machine-specific). This is required to prevent piracy.
If you back up the RD License server system state, then you can restore to the same hardware and you will have a fully functioning RD License server. Unissued RDS CALs will be restored and available.
Microsoft also supports restoring a system state backup to a different physical computer if the new computer has the same hardware and if you take bare metal restore (BMR) backups. Windows Server 2008 R2 Windows Backup can make BMR backups.
Situations in which you would need to do a new installation and then migrate the RDS CALs to the new installation are those in which you are unable to restore the system state and the LServer folder successfully. For instance, Microsoft does not support restoring the system state to dissimilar hardware. In this case, it's possible that you will need to start over with a new license server and then migrate the licenses.
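The following script is an added example, not part of the book or its companion media, showing how the system state backup described above can be taken from Windows PowerShell with the built-in wbadmin.exe tool after checking that the LServer folder and the Remote Desktop Licensing service are actually present on the machine. The backup target volume letter is an assumption; change it to fit your environment. Windows Server Backup must be installed for wbadmin.exe to exist.

```powershell
# Added example (not from the book): back up an RD License server's system state,
# which contains the LServer database folder, the licensing registry keys and the
# machine-specific crypto keys the database depends on.
# Assumptions: run in an elevated PowerShell session on the license server itself;
# $BackupTarget is an assumed dedicated backup volume and must be changed.
param(
    [string]$BackupTarget = 'E:'
)

$lserverPath = Join-Path $env:SystemRoot 'System32\LServer'
$serviceKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermServLicensing'

# Sanity checks first: a system state backup of a box without the role is useless here.
if (-not (Test-Path $lserverPath)) {
    throw "LServer database folder not found at $lserverPath; is the RD Licensing role service installed?"
}
if (-not (Test-Path $serviceKey)) {
    throw 'Remote Desktop Licensing service registry key not found; is the RD Licensing role service installed?'
}

$svc = Get-Service -Name TermServLicensing
Write-Host ('Remote Desktop Licensing service state: {0}' -f $svc.Status)

# Record what is in the database folder so a restore can later be compared against it.
Get-ChildItem -Path $lserverPath -Recurse |
    Where-Object { -not $_.PSIsContainer } |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize

# wbadmin.exe ships with the Windows Server Backup feature
# (Import-Module ServerManager; Add-WindowsFeature Backup-Features).
if (-not (Get-Command wbadmin.exe -ErrorAction SilentlyContinue)) {
    throw 'wbadmin.exe not found; install the Windows Server Backup feature first.'
}

# System state backup is the supported way to capture LServer plus the crypto keys
# together; copying the folder alone does not give a restorable license server.
& wbadmin.exe start systemstatebackup -backupTarget:$BackupTarget -quiet
if ($LASTEXITCODE -ne 0) {
    throw "wbadmin returned exit code $LASTEXITCODE; check the Microsoft-Windows-Backup event log."
}

# Confirm the new backup version is catalogued before trusting it.
& wbadmin.exe get versions -backupTarget:$BackupTarget
```

Run it from an elevated prompt with `.\Backup-RDLicenseServer.ps1 -BackupTarget 'F:'` (the file name is yours to choose). The restore side is the same tool (`wbadmin start systemstaterecovery`), and, as the text notes, it only yields a working license server on the same or identically configured hardware.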
server will ask the domain controller to update the user account to show that it's using an RDS CAL. To track per-user licensing, you must have a domain.
You can't find evidence of this user CAL in the user account properties in AD DS; this is not exposed in the user interface. However, you can run a report on the license server to see how many user CALs have been allocated. To do so, open RD Licensing, right-click a server, and choose Create Report, Per User CAL Usage.
CAUTION Only choose an activated server to create the report. The Create Report command will function if the server has no CALs or hasn't been activated, but it will return an empty set.
FIGURE 12-6 Choose a location for which to run the Per User RDS CAL Usage Report.
To generate the report, specify the part of AD DS to search for the data, as follows:
■ Entire Domain The domain that the license server belongs to.
■ Organizational Unit A particular OU where user accounts are stored that is also part of the domain where the license server resides. Choose this option to restrict a search to a particular OU, if you want to get usage for only a subset of users.
■ Entire Domain And All Trusted Domains Includes domains in other forests in the search, but choosing this option will increase the time needed to generate the report.
For this example, choose Entire Domain (the default) and click Create Report. After RD Licensing Manager creates the report, it appears in the RD Licensing Manager, as shown in Figure 12-7.
FIGURE 12-7 Use an RDS CAL usage report to determine how many per user CALs you've consumed.
To view the report, save the data to a file. Right-click the report, select Save As from the context menu, and provide a location to save the report to create a comma-delimited file at that location. Open the file in Notepad (or any program that can open .csv files) to view a report like the one shown in Figure 12-8.
Although Per-User RDS CAL usage is not enforced, the data gained from this reporting feature will help you to demonstrate compliance with the RDS EULA. The report contains the following data:
■ The license server the report was run on
■ The RDS CAL type (which will always be per-user; at this time, Windows Server does not create reports on Per-Device RDS CAL usage)
■ The report date
■ The report scope (domain, OU, and so on)
■ The number of CALs installed on the server, how many are currently in use, and how many are currently available
■ Which users have been issued a CAL, and when that CAL will expire and be returned to the pool
NOTE A script to generate RDS Per-User CAL usage across domains is available at
http://blogs.msdn.com/b/rds/archive/2009/11/09/per-user-cal-reporting-script.aspx.
RD Licensing Manager also shows you explicitly which machines have been allocated an RDS Per-Device CAL. In the RD Licensing Manager, expand the license server and select the Per Device License CALs group. Allocated licenses appear in the right pane.
ON THE COMPANION MEDIA A script that counts allocated RDS Per-Device CALs for servers in a named OU is available on the companion media. The script also sends an email if the count is higher than the specified threshold value. The script is called PerDeviceCAL-Count-Alert.vbs.
NOTE A script for tracking Per-Device licensing on a per server basis is available at
http://blogs.msdn.com/b/rds/archive/2007/08/10/generating-per-device-license-usage-reports-for-ts-license-servers-running-windows-server-2008.aspx.
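The script below is an added example, not the companion-media PerDeviceCAL-Count-Alert.vbs and not from the book, showing the same idea in Windows PowerShell: count the RDS Per-Device CALs a license server has issued, list the devices holding them with their expiry dates, and send a mail when consumption crosses a threshold. It reads the RD Licensing WMI classes Win32_TSLicenseKeyPack and Win32_TSIssuedLicense; the threshold, SMTP server and mail addresses are placeholders, and Per-Device key packs are recognised by the "Per Device" text in each pack's TypeAndModel display string, which you should confirm against your own server's output.

```powershell
# Added example (not from the book or its companion media): Per-Device CAL
# consumption report with a threshold alert, built on the RD Licensing WMI classes.
# Assumptions: admin rights on the license server; every value in param() is a placeholder.
param(
    [string]$LicenseServer   = $env:COMPUTERNAME,
    [int]$ThresholdPercent   = 90,                      # assumed: alert at 90% consumed
    [string]$SmtpServer      = 'smtp.example.com',      # assumed
    [string]$MailFrom        = 'rdlicensing@example.com', # assumed
    [string]$MailTo          = 'rds-admins@example.com'   # assumed
)

# One Win32_TSLicenseKeyPack instance per installed key pack; keep the Per-Device packs.
$packs = Get-WmiObject -ComputerName $LicenseServer -Class Win32_TSLicenseKeyPack |
         Where-Object { $_.TypeAndModel -match 'Per.?Device' }
if (-not $packs) { throw "No Per-Device key packs found on $LicenseServer." }
$packIds = @($packs | ForEach-Object { $_.KeyPackId })

# Every issued CAL on the server, restricted to those drawn from the Per-Device packs.
$issued = @(Get-WmiObject -ComputerName $LicenseServer -Class Win32_TSIssuedLicense |
            Where-Object { $packIds -contains $_.KeyPackId })

$total   = ($packs | Measure-Object -Property TotalLicenses -Sum).Sum
$count   = $issued.Count
$percent = if ($total -gt 0) { [int](100 * $count / $total) } else { 0 }

# Per-device detail; WMI returns DMTF date strings, so convert them to DateTime.
$detail = $issued | ForEach-Object {
    New-Object PSObject -Property @{
        Computer  = $_.sIssuedToComputer
        KeyPackId = $_.KeyPackId
        Expires   = [Management.ManagementDateTimeConverter]::ToDateTime($_.ExpirationDate)
    }
} | Sort-Object Expires

$detail | Format-Table Computer, KeyPackId, Expires -AutoSize
Write-Host ('{0}: {1} of {2} Per-Device CALs issued ({3}%)' -f $LicenseServer, $count, $total, $percent)

# Alert when consumption crosses the threshold. The soonest-expiring leases matter most:
# those are the devices that will be refused if no CAL is free when they try to renew.
if ($percent -ge $ThresholdPercent) {
    $soonest = ($detail | Select-Object -First 20 | Format-Table Computer, Expires -AutoSize | Out-String)
    Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $MailTo `
        -Subject ('RDS Per-Device CAL usage on {0} is {1}%' -f $LicenseServer, $percent) `
        -Body ("{0} of {1} Per-Device CALs issued.`n`nSoonest-expiring leases:`n{2}" -f $count, $total, $soonest)
}
```

Because Per-Device licensing is enforced, this is the number worth alerting on; the Per-User report in the previous section documents compliance but does not block anyone. Scheduling the script daily with Task Scheduler under an account that can query WMI on the license server gives you the same effect as the companion-media alert script.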
ager and the client device won't get a new one. The revocation worked; what you're seeing is the way the bookkeeping associated with revocation functions. If you revoke a client's RDS CAL, that computer can still connect until the RDS CAL that it was originally given expires. If you're following licensing guidelines, this should be a moot point, because the whole point of revoking licenses is to remove them from a computer that will no longer be used as an RD Session Host server client. Just don't be surprised if that client PC can still connect to the RD Session Host server for a while longer.
But there's also a way to ensure that only certain RD Session Host servers can allocate licenses from a particular RD License server. If your license server is part of a domain, then you can enable a group policy to limit RDS CAL disbursement to those RD Session Host servers that are part of the license server's Terminal Server Computers local computer group.
The Terminal Server Computers local computer group is created on the RD License server the first time the Remote Desktop Services Licensing Service starts. By default, this group is empty. To block rogue RD Session Host servers from stealing RDS CALs (or users in other departments from "borrowing" them), follow these steps:
1. Add RD Session Host servers to the Terminal Server Computers group on the RD License server.
2. Create a GPO and enable the License Server Security Group setting for the RD License server.
3. Apply the GPO to the OU where the RD License server resides.
In Server Manager, expand Configuration/Local Users and Groups/Groups.
NOTE If you install your license server on a domain controller, then the Terminal Server Computers group is located in the AD DS Users folder.
In the Terminal Server Computers group, add the authorized RD Session Host server(s) to the group, and click OK. You must add the RD Session Host servers individually to this group; you can't group all the RD Session Host servers together and then add that group to the Terminal Server Computers group.
You can also use Windows PowerShell to add RD Session Host server(s) to the Terminal Server Computers group with this command:
NOTE Replace <servername@domain> with your server name and domain, such as olympus@ash, for example.
On the domain controller, open the Group Policy Management console and create a new GPO named something descriptive, such as RD License Restrictions. Right-click the new GPO and choose Edit. Navigate to Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Licensing. Locate the License Server Security Group setting, double-click it, select Enabled, and then click OK.
Apply this policy to the OU containing the RD License server and then reboot the license server.
If the License Server Security Group GPO is enabled and applied to the license server, the RD License server will show a message to that effect in the RD Licensing Configuration dialog box. To see the message, right-click the server and choose Review Configuration.
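As an added example (not the book's own command, which is not reproduced on this page), the script below performs step 1 of the procedure from Windows PowerShell: it adds RD Session Host computer accounts, one at a time as the text requires, to the Terminal Server Computers local group on the license server through the ADSI WinNT provider, skipping accounts that are already members, and then re-reads the membership so you can see the result. The domain name ash and the host olympus come from the book's note; the second host, hermes, is invented for the example.

```powershell
# Added example (not from the book): populate the Terminal Server Computers
# local group on an RD License server with RD Session Host computer accounts.
# Assumptions: run in an elevated session on the license server (not a domain
# controller, where the group lives in AD DS instead); domain and host names are placeholders.
param(
    [string]$Domain  = 'ash',
    [string[]]$Hosts = @('olympus', 'hermes')
)

$groupPath = "WinNT://$env:COMPUTERNAME/Terminal Server Computers,group"

function Get-GroupMemberNames([string]$Path) {
    # IADsGroup::Members returns COM objects; pull each member's Name property.
    $g = [ADSI]$Path
    @($g.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
}

$group   = [ADSI]$groupPath
$members = Get-GroupMemberNames $groupPath
Write-Host ('Current members: {0}' -f ($(if ($members) { $members -join ', ' } else { '(none)' })))

foreach ($h in $Hosts) {
    $account = $h + '$'        # computer accounts carry a trailing $
    if ($members -contains $account) {
        Write-Host "$account is already a member"
        continue
    }
    # Each RD Session Host is added individually; RD Licensing does not honour
    # a nested domain group here, so do not try to add one.
    $group.Add("WinNT://$Domain/$account")
    Write-Host "Added $account"
}

# Confirm the change by reading the membership back.
Write-Host 'Members after update:'
Get-GroupMemberNames $groupPath | ForEach-Object { Write-Host "  $_" }
```

The group change takes effect for CAL allocation only once the License Server Security Group policy (steps 2 and 3) is applied to the license server and it has been rebooted; until then any RD Session Host can still draw CALs.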
NOTE If you want RD Session Host servers to allocate CALs from different license servers, don't install the RD Licensing role service only on servers that are also domain controllers. If you do, all of those license servers share the single Terminal Server Computers group in AD DS and will allocate RDS CALs to every server added to it.
If you enable the Prevent License Upgrade policy, then instead of distributing RDS CALs when lower version CALs would be more appropriate but are not available, the RD License server will issue temporary CALs, which will last 90 days. After 90 days, the client will be denied access if you are using Per-Device licensing.
FIGURE 12-9 The Licensing Diagnosis tool gives RD Licensing specific information about problems.
The report shown in Figure 12-9 states that Licensing Diagnosis discovered that although this RD Session Host server is configured to use RDS Per-Device CALs, none are available. To get more details, click the entry for the license server located in the Summary window to show more details, like those shown in Figure 12-10.
FIGURE 12-10 Click on the discovered license server in the Licensing Diagnosis report summary section to get more RD Licensing information.
As you can see, Licensing Diagnosis reports on a few other items you might find useful for troubleshooting licensing issues or for getting quick RD Licensing information. The report also shows the following:
■ The version of the operating system that the RD License server is running.
■ The Prevent License Upgrade Group Policy setting. If enabled, this GPO defines how RDS CALs are given to clients if no appropriate version of CAL is available for the client's operating system version. If no earlier version of RDS CAL is available for a pre-Windows Server 2008 R2 RD Session Host server connecting to your license server, by default the license server will issue an RDS CAL. If you don't want this to happen, then enable this GPO.
■ The License Server Security Group Policy setting. If this policy is enabled, then the RD Session Host server must be listed in the RD License server's Terminal Server Computers group to use the RD License server.
■ Which RDS CALs are installed and available. If you just want a quick glance at your RDS CAL availability, you can view it here instead of using the RDS Licensing Manager on the RD License server.
Summary
RDS licensing has changed in Windows Server 2008 R2, both to accommodate the addition of VMs (and the management tools many people want to support them) and to make the licensing more robust. This chapter has explained those changes and described best practices to keep licensing available, including the following:
■ Per-Device licensing for sessions is enforced, but Per-User licensing is tracked. VDI licensing is not enforced.
■ If you require VDI only, you might be able to use the VDI licensing CAL.
■ Discovery of other license servers is no longer an option. You must configure an RD Session Host server to use a license server or multiple license servers.
■ For maximum availability, we recommend having more than one license server, with the licenses split between them.
■ Use Group Policy to prevent unauthorized RD Session Host servers from consuming licenses.
Additional Resources
■ For more on SPLA, see http://www.microsoft.com/hosting/en/us/licensing/splabenefits.aspx.
■ For examples to help you understand VDA, see http://download.microsoft.com/download/7/8/4/78480C7D-DC7E-492E-8567-F5DD5644774D/VDA Brochure.pdf.
■ For an explanation of the licensing grace period, see http://technet.microsoft.com/en-us/library/cc738962(WS.10).aspx.
■ For more on RDS CALs, see http://technet.microsoft.com/en-us/library/cc753650.aspx.
■ Locate a number for the Microsoft Clearinghouse at http://support.microsoft.com/kb/291795.
■ For more information on backup and recovery in Windows Server 2008 R2, see http://technet.microsoft.com/en-us/library/dd979562(WS.10).aspx.
■ For information on how to move the system state to new hardware, see http://support.microsoft.com/kb/249694.
Index
RD Gateway (continued)
  configuring settings, 458, 521–537
  forcing RDC connections, 494
  functionality, 16, 29–31, 507–512
  IIS requirements, 34
  installing, 512–521
  maintaining identical settings, 543–554
  messaging support, 528–530
  monitoring connections, 534–537
  NAP support, 554–573
  NLB support, 537–541
  placing, 576–585
  RDS support, 24
  requirements, 510–512
  server farms and, 510, 530–532
  sizing considerations, 96
  split SSL connections, 542
  SSL bridging and, 526
  troubleshooting connections, 573–576
  tuning properties, 522–530
RD Gateway Manager, 31, 516, 534
RD Load Simulation Tool (RDLST)
  configuring test parameters, 81–87
  creating test accounts, 80
  creating USER ACTIVITY script, 81
  functionality, 77–79
  installing agents, 79
  Performance Monitor and, 88, 90–91
  simulations and, 88–161
  starting agents, 81
  taking baseline capture, 88
RD RAPs
  associating with computer groups, 531–532
  configuring store, 553–554
  creating, 519–520
  troubleshooting, 574
RD Session Host. See also VDI (Virtual Desktop Infrastructure)
  64-bit considerations, 41–42
  application delivery and, 40
  application support, 101–109
  best practices, 25
  caching Group Policy, 269
  certificate considerations, 34
  closing server back doors, 369–375
  Configure Later option, 138
  configuring, 144–164, 458
  configuring Performance Monitor, 88
  configuring security settings, 417
  creating sessions, 119–134
  deployment considerations, 424, 439
  determining system requirements, 66–99
  enabling Remote Control, 614–615
  extrapolation as testing alternative, 91–93
  functionality, 24–25
  getting server names, 634
  improved functionality, 13
  installing applications, 164–174
  installing servers, 134–144
  joining servers to farms, 447–454
  keeping available, 393–394
  list processes on servers, 636
  locking down servers, 377
  management tools, 590–600
  managing profile cache, 270–275
  managing servers, 599–600, 624–629
  memory considerations, 45–56
  merger/outsourcing support, 19
  pooled desktops and, 14
  processor cycles, 43–44
  RD Connection Broker and, 440–447
  RD Web Access and, 484
  RDS Licensing and, 662–663
  RDS support, 24
  restarting servers, 624–629
  roaming profiles, 250
  services supporting, 117–119
  shutting down servers, 624–629
  user experience, 332–334
RD Virtualization Host. See also VDI (Virtual Desktop Infrastructure)
  64-bit considerations, 42
  application delivery and, 40
  configuring RDP permissions, 206–208
  functionality, 25–26
  Hyper-V and, 34, 59
  installing, 190–192
  installing via Windows PowerShell, 192
  RDS support, 24
About the Authors
KRISTIN GRIFFIN was born in California and grew up a military brat, part of a loving and happy family. She has worked with Terminal Services/Remote Desktop Services since Windows 2000 and has implemented RDS for a diverse set of customers, including distributors, law offices, and commercial contracting firms. Formerly a senior IT consultant for a Virginia-based Internet and application service provider, she is now a Seattle-based independent consultant and author. Kristin was honored to receive the Microsoft MVP award for Remote Desktop Services beginning in 2009. You can find her answering questions on the Microsoft RDS TechNet Forum (http://social.technet.microsoft.com/Forums/en/winserverTS/threads). She also keeps a blog concentrated on RDS tips, setup, and troubleshooting advice at blog.kristingriffin.com. In her spare time Kristin enjoys photography, computer graphics, camping, traveling, stained glass, woodworking, and buying more tools from the hardware store. Most of all she enjoys being with her family. She takes her German shepherd dog with her wherever she goes.
A former military brat, CHRISTA ANDERSON lived in various places in the western United States until a visit to Virginia ended in a 20-year stay on the East Coast. She returned to Seattle in 2007, where she enjoys the arts and outdoors in a city with a lot of both. Christa's interest in travel and environmental issues contributed to her enthusiasm for presentation remoting, beginning with Citrix WinFrame in the middle 1990s. A former Terminal Services MVP and freelance technical author and speaker for over a decade, she is now a program manager on the Remote Desktop Virtualization team at Microsoft. She promises to talk about something other than the book now.
System Requirements
To use this book's companion CD-ROM, you need a computer equipped with the following minimum configuration:
■ Microsoft Windows Server 2008 R2, Windows Server 2008, Windows 7, Windows Vista, Windows Server 2003, or Windows XP
■ An appropriate processor (depending on the minimum requirements of the operating system)
■ At least 2 GB of system memory (depending on the minimum requirements of the operating system)
■ A hard disk partition with at least 1 GB of available space
■ Appropriate video output device
■ Keyboard
■ Mouse or other pointing device
■ Optical drive capable of reading CD-ROMs
Some items on the companion media have specific requirements. The companion CD-ROM contains numerous links to scripts, tools, Knowledge Base articles, and other information. To view these links, you will need a Web browser and Internet access.
The companion CD-ROM also includes scripts that are written in VBScript (with a .vbs file extension), Windows PowerShell (with a .ps1 file extension) and a few batch files. The Windows PowerShell scripts require that you have Windows PowerShell 2.0 installed. To run these scripts, your system must meet the following additional requirements:
■ Windows Server 2008 R2 and Windows 7 include Windows PowerShell 2.0. For Windows XP SP3, Windows Vista SP1, and Windows Server 2003 you must download and install Windows PowerShell 2.0. The Windows PowerShell 2.0 download is located at http://support.microsoft.com/kb/968929.
■ Scripts intended for execution on the local server that depend on specific counters and interfaces will not execute correctly unless the appropriate Remote Desktop Services role service is installed. (For example, a script that queries RD Gateway interfaces will not return results unless the RD Gateway role service is installed.)
The scripts on the CD are not signed. To run them on your computer, we recommend setting the Windows PowerShell Execution Policy to "RemoteSigned". To do this, start Windows PowerShell and type Set-ExecutionPolicy RemoteSigned.
This setting will allow you to run the scripts on the CD, and it is more secure than setting this policy to "Unrestricted".
When you run a Windows PowerShell script, you need to provide the full path to the script. To use the VBScript scripts and batch files, double-click them, or execute them directly from a command prompt.
Finally, the CD contains a few files created in Visio 2010, so you will need to have the Visio 2010 viewer to view these files. It also contains a few PDF files so you will need a PDF reader to view these files.
What do
you think of
this book?
We want to hear from you!
To participate in a brief online survey, please visit:
microsoft.com/learning/booksurvey
Tell us how well this book meets your needs—what works effectively, and what we can
do better. Your feedback will help us continually improve our books and learning
resources for you.
Stay in touch!
To subscribe to the Microsoft Press® Book Connection Newsletter—for news on upcoming
books, events, and special offers—please visit:
microsoft.com/learning/books/newsletter