Best Technology Articles


Can't Log On to Windows XP?

If that’s your only problem, then you probably have nothing to worry about. As long as you have your Windows XP CD, you can get back into your system using a simple but effective method made possible by a little-known access hole in Windows XP.

This method is easy enough for newbies to follow – it doesn’t require using the Recovery Console or any complicated commands. And it’s free - I mention that because you can pay two hundred dollars for an emergency download of Winternals ERD with Locksmith which is a utility for unlocking lost Windows passwords. See here http://www.winternals.com/products/repairandrecovery/locksmith.asp

ERD is an excellent multi-purpose product, but you should know it is not a necessary one if you have a healthy system and your sole problem is the inability to log on to Windows due to a forgotten password. It is not necessary because you can easily change or wipe out your Administrator password for free during a Windows XP Repair. Here’s how, with a step-by-step description of the initial Repair process included for newbies.

1. Place your Windows XP CD in your CD-ROM drive and start your computer (it’s assumed here that your XP CD is bootable, as it should be, and that you have your BIOS set to boot from CD).

2. Keep your eye on the screen messages for booting to your CD. Typically, it will be “Press any key to boot from CD”.

3. Once you get in, the first screen will indicate that Setup is inspecting your system and loading files.

4. When you get to the Welcome to Setup screen, press ENTER to Setup Windows now

5. The Licensing Agreement comes next - Press F8 to accept it.

6. The next screen is the Setup screen which gives you the option to do a Repair.

It should read something like “If one of the following Windows XP installations is damaged, Setup can try to repair it”

Use the up and down arrow keys to select your XP installation (if you only have one, it should already be selected) and press R to begin the Repair process.

7. Let the Repair run. Setup will now check your disks and then start copying files which can take several minutes.

8. Shortly after the Copying Files stage, you will be required to reboot. (This will happen automatically; you will see a progress bar stating “Your computer will reboot in 15 seconds”.)

9. During the reboot, do not make the mistake of “pressing any key” to boot from the CD again! Setup will resume automatically with the standard billboard screens and you will notice Installing Windows is highlighted.

10. Keep your eye on the lower left hand side of the screen and when you see the Installing Devices progress bar, press SHIFT + F10. This is the security hole! A command console will now open up giving you the potential for wide access to your system.

11. At the prompt, type NUSRMGR.CPL and press Enter. Voila! You have just gained graphical access to your User Accounts in the Control Panel.

12. Now simply pick the account you need to change and remove or change its password as you prefer. If you want to log on without having to enter your new password, you can type control userpasswords2 at the prompt and choose to log on without being asked for a password. Be aware that resetting a password this way, without supplying the old one, makes any EFS-encrypted files and saved credentials belonging to that account inaccessible; the Password Reset Disk described later in this article avoids that loss. After you’ve made your changes close the windows, exit the command box and continue on with the Repair (have your Product Key handy).

13. Once the Repair is done, you will be able to log on with your new password (or without a password if you chose not to use one or if you chose not to be asked for a password). Your programs and personalized settings should remain intact.

I tested the above on Windows XP Pro with and without SP1 and also used this method in a real situation where someone could not remember their password, and it worked like a charm to fix the problem. This security hole allows access to more than just user accounts: you can also open the Registry and Policy Editor, for example, and it is GUI access with mouse control. It works because the command console that Setup opens runs with full system privileges before anyone has logged on. Of course, a Product Key will be needed to continue with the Repair after making the changes, but for anyone intent on gaining access to your system, this would be no problem; the only real defence is to control who can boot the machine from removable media.

And in case you are wondering, NO, you cannot cancel install after making the changes and expect to logon with your new password.

Cancelling will just result in Setup resuming at bootup and your changes will be lost.

OK, now that your logon problem is fixed, you should make a point of preventing it from ever happening again by creating a Password Reset Disk. This is a floppy disk you can use in the event you ever forget your logon password. It allows you to set a new password.

Here's how to create one if your computer is NOT on a domain:

  • Go to the Control Panel and open up User Accounts.
  • Choose your account (under Pick An Account to Change) and under Related Tasks, click "Prevent a forgotten password".
  • This will initiate a wizard.
  • Click Next and then insert a blank formatted floppy disk into your A: drive.
  • Click Next and enter your logon password in the password box.
  • Click Next to begin the creation of your Password disk.
  • Once completed, label the disk and store it in a safe place.

How to Log on to your PC Using Your Password Reset Disk

Start your computer and at the logon screen, click your user name and leave the password box blank or just type in anything. This will bring up a Logon Failure box and you will then see the option to use your Password Reset disk to create a new password. Click it which will initiate the Password Reset wizard. Insert your password reset disk into your floppy drive and follow the wizard which will let you choose a new password to use for your account.

Note: If your computer is part of a domain, the procedure for creating a password disk is different.

What Is Terminal Services?

Updated: March 28, 2003



Terminal Services provides the ability to host multiple, simultaneous client sessions on Windows Server 2003. Terminal Services is capable of directly hosting compatible multi-user client desktops running on a variety of Windows-based and non-Windows-based computers. Standard Windows-based applications do not need modification to run on the terminal server, and all standard Windows Server 2003-based management infrastructure and technologies can be used to manage the client desktops. In this way, corporations can take advantage of the rich choice of applications and tools offered by today’s Windows operating system environment.

Reducing the Total Cost of Ownership

Organizations are always searching for ways to reduce the costs of ownership and this is one of the major goals of Terminal Services. Terminal Services lets enterprises more easily and cost-efficiently accomplish this goal by allowing organizations to:

  • Centrally deploy and manage Windows-based applications.
  • Remotely administer Windows Server 2003-based computers.

Centrally deploy and manage Windows-based applications.

Terminal Services provides centralized deployment and management of 32-bit Windows-based applications to Windows-based terminals, remote users, or local PC desktops. Using Terminal Services, companies can ensure that all clients are using the current version of an application because the software is installed once on a server computer, rather than on every desktop throughout the company. This model reduces the costs and challenge of updating desktop machines, especially for remotely located desktops or branch office environments. In addition, Terminal Services features such as Remote Control can simplify application support.

Organizations can use Terminal Server mode to deliver Windows-based applications to heterogeneous desktop environments, over local area network (LAN), wide area network (WAN) and dial-up connections. This is a cost-effective way to deploy line-of-business applications that are frequently updated, hard to install, or need to be accessed over low-bandwidth connections.

Terminal Services acts as a convenient bridging tool for earlier desktops migrating to Windows XP Professional. It allows the Windows XP desktop experience to be delivered “virtually” to non-PC desktops and PCs that need hardware upgrades before they can run a full Windows XP operating system locally. Terminal Services clients are available for many different desktop platforms including Microsoft MS-DOS, Windows-based PCs, Macintosh, UNIX and others. By letting users access current applications on hardware that might otherwise be of little use, Terminal Services can help companies that are gradually replacing older machines. (Connectivity to MS-DOS, Macintosh, and UNIX-based machines requires a third party add-on such as Citrix MetaFrame).

Remotely administer Windows Server 2003-based computers

Remote Desktop for Administration can greatly reduce the overhead associated with remote administration. Enabled by Terminal Services technology, Remote Desktop for Administration is specifically designed for server management. Therefore, it does not install the application-sharing and multi-user capabilities or the process scheduling of the full Terminal Server component (formerly called Terminal Services in Application Server mode). As a result, Remote Desktop for Administration can be used on an already busy server without noticeably affecting performance and CPU utilization, which makes it a convenient and efficient service for remote management.

Remote Desktop for Administration is used to remotely manage Windows Server 2003 servers. This mode is designed to provide operators and administrators with remote access to typical back-end servers and domain controllers. The administrator has access to the graphical user interface-based tools that are available in the Windows environment, even if he or she is not using a Windows-based computer to administer the server. Administrators can securely manage their Windows Server 2003-based computers over any network connection from any device using the Terminal Services Client software. This lets an administrator perform tasks such as directory maintenance, virus scans, backups, reboots and even promote a server to be a domain controller—all from a remote location.

Remote Desktop for Administration allows for the management of servers from any location without affecting server performance or application compatibility. In addition to the console session, up to two remote administration sessions are supported; since this is meant as a single-user remote access solution, no Terminal Server Client Access License (CAL) is required to use Remote Desktop for Administration.

Administrators can also fully administer computers running Windows Server 2003 family operating systems from computers running earlier versions of Windows by installing Remote Desktop Connection.

Note

  • Remote Desktop for Administration is disabled by default in Windows Server 2003 family operating systems.

Common Terminal Services Scenarios

The way in which you plan to use Terminal Server has an effect on how you deploy it. The following scenarios outline the various ways in which you might use Terminal Server in your organization. Use the information in these scenarios to clarify how you are going to use Terminal Server in your organization.

Hosting Line-of-Business Applications

If your organization or certain groups within your organization use specialized applications to do their work, it might be beneficial to host the applications with Terminal Server. For example, you might decide to use Terminal Server in the following situations:

  • Custom applications. If your line-of-business application is developed in-house or especially for your organization, and it tends to require frequent updating or repair, deploying the application once on a terminal server can simplify administration of the application. This is especially useful if your environment is geographically dispersed or if you are deploying Terminal Server to centrally serve your organization’s branch offices.
  • Large central data pool. Applications that rely on access to a single data source often run better on a terminal server because large amounts of data do not have to travel across the network to users. Instead, the data processing takes place on the server. Only the keystrokes and display information travel across the network, so you can use lower bandwidth connections. This is especially useful if the users of the data pool are located remotely, for example in a branch office with a slow connection to the database server.
  • Task workers. In environments where you want workers to access only the application that they need to perform their jobs, you can centralize the administration of these users by using Terminal Server.
  • IT Admin tools. System administrators can perform tasks that require Enterprise Administrator or Domain Administrator permissions on a terminal server that has the necessary tools installed on it. They can also run their desktop applications on their local computer without these permissions.
  • Upgrading operating systems. If your organization uses a line-of-business application that is not optimized for your desktop operating system, you can host the application with Terminal Server rather than change operating systems.

Hosting the Desktop

You can use Terminal Server to host users’ entire desktop environments, so that when users log on, they see their usual desktop environments or desktop environments especially designed for their remote use. In this situation, users can open and close the applications they choose in the same way that they access applications from the Windows desktop on the local computer. You can host the desktop in the situations discussed in the following sections.

Remote users

Hosting the desktop with Terminal Server can provide consistency and better performance for users in remote locations because large amounts of application data are not being transmitted over the connection. For example, you might use Terminal Server in the following situations:

  • Bandwidth-constrained locations. In areas where high bandwidth is not available or cost-effective, deploying applications on a terminal server can improve performance for users who are connecting to the network from a remote location.
  • Mobile users. For users who are traveling and tend to access the corporate network over connections of varying bandwidth, Terminal Server can provide a more consistent experience.

Client heterogeneity

If your organization is in the process of converting all users to the same platform or upgrading desktop hardware, you can use Terminal Server to quickly deliver the most up-to-date version of the operating system and applications to the user while enabling you to spread the desktop platform or hardware conversion over a longer period of time. You can also deliver a highly controlled standard desktop to users by using Terminal Server, as illustrated in more detail in the following list:

  • Mixed-platform environment. If you have users who require applications based on operating systems other than Windows to perform their jobs, but your organization is transitioning to or requires a Windows-based desktop, you can host the desktop with Terminal Server. This requires the use of third-party software in conjunction with Terminal Server.
  • Upgrading hardware. If your organization is planning to upgrade to Windows XP on the desktop, but not all of the desktop hardware is compatible, you can use Terminal Server to host the desktops of users who have older hardware while you are in the process of upgrading the hardware. All users can have the same desktop environment and run the latest versions of the applications designed for Windows XP regardless of their desktop hardware.
  • Highly controlled environments. In situations where you want to deliver a standardized and controlled environment to users, you can host the desktop with Terminal Server to centralize management.

Hardware Considerations

You can reduce hardware costs by hosting applications with Terminal Server and using thin client devices or older hardware on your users’ desktops.

  • Use of thin clients. Windows Powered thin clients (sometimes called Windows-based terminals) offer an alternative to personal computers and traditional “green screen” terminals by enabling easy remote access to productivity and line-of-business applications that are hosted on Windows-based terminal servers.
  • Extending the life of older hardware. Rather than replacing older hardware that is no longer capable of running new Windows-based applications, you can use that older hardware much like a thin client to access the desktop and applications on the server rather than on the local computer.

Using the Remote Desktop Web Connection

The Remote Desktop Web Connection is an ActiveX control that provides virtually the same functionality as the executable version of Remote Desktop Connection, but it delivers this functionality over the Web even if the executable version is not installed on the client computer. When hosted in a Web page, the ActiveX Client Control allows a user to log on to a terminal server through a TCP/IP Internet or intranet connection and view a Windows desktop inside Internet Explorer.

The Remote Desktop Web Connection provides an easy way to offer Terminal Server through a URL. Consider using the Remote Desktop Web Connection in the following situations:

  • Roaming users. Users who are away from their computers can use Remote Desktop Web Connection to gain secure access to their primary workstations from any computer running Windows and Internet Explorer, provided they can reach the target computers.
  • Delivery of extranet applications. You can use Remote Desktop Web Connection to allow business partners or customers access to internal applications over the Internet. Users who gain access in this manner do not need to reconfigure their computers, and they do not gain access to your internal network.
  • Deployment transition. You can deploy the Remote Desktop Web Connection quickly and use it while you are deploying your full Remote Desktop Connection infrastructure.

Interactions with Other Technologies

Terminal Services depends on, or interacts with, the following technologies:

  • RDP Protocol - On the server, RDP uses its own video driver to render display output by constructing the rendering information into network packets using RDP protocol and sending them over the network to the client. On the client, RDP receives rendering data and interprets the packets into corresponding Microsoft Win32 graphics device interface API calls. For the input path, client mouse and keyboard events are redirected from the client to the server. On the server, RDP uses its own virtual keyboard and mouse driver to receive these keyboard and mouse events.
  • Terminal Server Interactions with RDP (figure)

Terminal Services Tools and Settings


This section summarizes the tools and settings associated with Terminal Services.

Terminal Services Tools

The following tools are associated with Terminal Services.

Change.exe: Change logon

Category

This tool is included in all Microsoft Windows Server 2003 operating systems except the Web edition.

Version compatibility

This tool will run on all Windows Server 2003 operating systems except Windows Server 2003, Web edition.

Enables or disables session logons to a server that has Terminal Server enabled. The change logon command disables logons from client sessions other than the system console. Users that are currently logged on are not affected. Client sessions are always re-enabled when you restart the system. If you are connected to the terminal server from a remote location and disable client sessions, and if you log off before re-enabling client sessions, you will not be able to reconnect. You need to log on at the system console in order to re-enable sessions.
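The lockout described above is easy to guard against in a script. The following is an added example written for this page, not code from the Microsoft article; it assumes Windows PowerShell is installed on the server (a separate download for Windows Server 2003), that change.exe is on the PATH, and that the SESSIONNAME environment variable reads Console at the system console and RDP-Tcp#<n> in a remote session:

```powershell
# Added example (not from the Microsoft article): wrap 'change logon /disable'
# in a console-only guard so an operator working over RDP cannot lock
# themselves out. Assumption: on Windows XP / Server 2003 the SESSIONNAME
# environment variable is 'Console' at the console and 'RDP-Tcp#<n>' in a
# remote session, and change.exe is on the PATH.

function Disable-TSLogon {
    param([switch]$Force)   # -Force: accept the lockout risk from a remote session

    $session = $env:SESSIONNAME
    if (-not $session) { $session = '(unknown)' }

    if ($session -ne 'Console' -and -not $Force) {
        $msg = ("Refusing to run 'change logon /disable' from session '{0}': " +
                "if you log off you cannot reconnect until someone re-enables " +
                "logons at the console. Run this at the console or use -Force.") -f $session
        Write-Warning $msg
        return $false
    }

    & change logon /disable
    if ($LASTEXITCODE -ne 0) {
        Write-Error "change logon /disable failed (exit code $LASTEXITCODE)"
        return $false
    }
    & change logon /query      # prints the new state for the operator
    return $true
}

# Disable-TSLogon           refuses unless run from the console
# Disable-TSLogon -Force    operator accepts the lockout risk
```

The guard deliberately inspects the session type rather than the user: an administrator is just as locked out as anyone else once the remote session ends, and only a console logon can run change logon /enable again.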

Change.exe: Change port

Category

This tool is included in all Windows Server 2003 operating systems except Windows Server 2003, Web edition.

Version compatibility

This tool will run on all Windows Server 2003 operating systems except Windows Server 2003, Web edition.

Changes the COM port mappings for MS-DOS application compatibility. Most MS-DOS applications support only COM1 through COM4 serial ports. Change port maps a serial port to a different port number, allowing applications that cannot access high-numbered COM ports to access the serial port. For example, to map COM12 to COM1 for use by an MS-DOS application, type change port com12=com1. Remapping works only for the current session.

You can run Change port without any parameters to display the available COM ports and the current COM port mappings.

Change.exe: Change user

Category

This tool is included in all Windows Server 2003 operating systems except Windows Server 2003, Web edition.

Version compatibility

This tool will run on all Windows Server 2003 operating systems except Windows Server 2003, Web edition.

Changes the .ini file mapping for the current user. Use change user /install before installing an application to create .ini files for the application in the Terminal Server system directory. These files are used as master copies for the user-specific .ini files. After installing the application, use change user /execute to revert to normal .ini file mapping.

Cprofile.exe: Clean profile

Category

This tool is included in all Windows Server 2003 operating systems except Windows Server 2003, Web edition.

Version compatibility

This tool will run on all Windows Server 2003 operating systems except Windows Server 2003, Web edition.

Cleans the specified profiles of wasted space and removes user-specific file associations from the registry when disabled.

A terminal server uses file associations to determine which application to use to access files of various types. File types are registered using Windows Explorer.

Per-user file associations allow each user to have a different application associated with a specific file type. For example, one user could have .doc files associated with Microsoft Word and another user could have .doc files associated with Windows WordPad.

If user-specific file associations are enabled, Clean profile only removes the unused space from the user profile. If user-specific file associations are disabled, Clean profile also removes the corresponding registry entries.

Flattemp.exe: Flat Temp

Category

This tool is included in all Windows Server 2003 operating systems except Windows Server 2003, Web edition.

Version compatibility

This tool will run on all Windows Server 2003 operating systems except Windows Server 2003, Web edition.

Enables or disables flat temporary folders. After each user has a unique temporary directory, use flattemp /enable to enable flat temporary directories.

The default method for creating temporary folders for multiple users (usually pointed to by the TEMP and TMP environment variables) is to create subfolders in the \Temp folder, using the logonID as the subfolder name. For example, if the TEMP environment variable points to C:\Temp, the temporary folder assigned to the user logonID DonHall is C:\Temp\DonHall. Using flattemp, you can point directly to the \Temp folder and prevent subfolders from forming. This is useful when you want the user temporary folders to be contained in home directories, whether on a terminal server local drive or on a shared network drive. You should use this command only when each user has a separate temporary folder.

Logoff.exe: Logoff

Category

This tool is included in all Windows Server 2003 operating systems and in all Windows XP operating systems.

Version compatibility

This tool will run on all Windows Server 2003 operating systems and on all Windows XP operating systems.

Logs off a user from a session and deletes the session from the server. You can always log off from the session to which you are currently logged on. You must, however, have Full Control permission to log off users from other sessions.

Logging off a user from a session without warning can result in loss of data at the user’s session. You should send a message to the user using the msg command to warn the user before taking this action.

If no ID or name for the session is specified, logoff logs off the user from the current session. If you specify a session name, it must be an active one.

When you log off a user, all processes end and the session is deleted from the server.

You cannot log off a user from the console session.

Msg.exe: Msg

Category

This tool is included in all Windows Server 2003 operating systems and in all Windows XP operating systems.

Version compatibility

This tool will run on all Windows Server 2003 operating systems and on all Windows XP operating systems.

Sends a message to a user. If you do not specify a name for the user or session, msg displays an error message. When specifying the name of a session, it must be an active one.

The user must have send message access permission to send a message.

Mstsc.exe: Remote Desktop Connection

Category

This tool is included in all Windows Server 2003 operating systems and in all Windows XP operating systems.

Version compatibility

This tool will run on all Windows Server 2003 operating systems and on all Windows XP operating systems.

Mstsc.exe is the command-line tool that launches Remote Desktop Connection. Remote Desktop Connection (formerly known as the Terminal Services client) is installed by default on all Windows Server 2003 family operating systems. You can use Remote Desktop Connection to connect to terminal servers, or to the desktop of a computer running one of the Windows Server 2003 family operating systems or Windows XP for remote administration.

Remote Desktop Connection allows you to create and configure your connection, save your connection settings to a file, and open and edit your saved connection files, all in the same program.

Query.exe: Query process

Category

This tool is included in all Windows Server 2003 operating systems and in all Windows XP operating systems.

Version compatibility

This tool will run on all Windows Server 2003 operating systems and on all Windows XP operating systems.

Query process displays information about processes running on a terminal server. You can use this command to find out which programs a specific user is running, and also which users are running a specific program.

If you do not specify the user name, session name, or program name, query process displays only the processes belonging to the current user.

If a session is specified, it must identify an active session. You can use wildcards to identify the process.

Query process returns the following information:

  • The user who owns the process
  • The session that owns the process
  • The ID of the session
  • The name of the process
  • The state of the process
  • The ID of the process

Query.exe: Query session

Category

This tool is included in all Windows Server 2003 operating systems and in all Windows XP operating systems.

Version compatibility

This tool will run on all Windows Server 2003 operating systems and on all Windows XP operating systems.

Query session displays information about sessions on a terminal server. The list includes information not only about active sessions but about other sessions that the server runs.

A user can always query the session to which the user is currently logged on. To query other sessions, the user must have Query Information access permission.

If you do not specify a session using session name, user name, or session id, query session displays information about all active sessions in the system.

Query.exe: Query termserver

Category

This tool is included in all Windows Server 2003 operating systems and in all Windows XP operating systems.

Version compatibility

This tool will run on all Windows Server 2003 operating systems and on all Windows XP operating systems.

Query termserver displays a list of all terminal servers on the network.

Query termserver searches the network for all attached terminal servers and returns the following information:

  • The name of the server.
  • The network (and node address if the /address option is used).

Query.exe: Query user

Category

This tool is included in all Windows Server 2003 operating systems and in all Windows XP operating systems.

Version compatibility

This tool will run on all Windows Server 2003 operating systems and on all Windows XP operating systems.

Query user displays information about user sessions on a terminal server. You can use this command to find out if a specific user is logged on to a specific terminal server. Query user returns the following information:

  • The name of the user
  • The name of the session on the terminal server
  • The session ID
  • The state of the session (active or disconnected)
  • The idle time (the number of minutes since the last keystroke or mouse movement at the session)
  • The date and time the user logged on

If you use query user without specifying a user name, session name, or session ID, a list of all users who are logged on to the server is returned. Alternatively, you can also use query session to display a list of all sessions on a server.
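The query user, msg and logoff tools described above are usually combined in one housekeeping job. The following is an added example written for this page, not code from the Microsoft article: it parses the query user listing, warns active sessions that have been idle past one threshold with msg, and logs off sessions that have stayed disconnected past another. It assumes Windows PowerShell is installed; the sample lines it runs against are constructed to match the Windows Server 2003 query user column layout, and the idle-time formats it handles (none, minutes, h:mm, days+h:mm) are the ones that column prints:

```powershell
# Added example (not from the Microsoft article): parse the output of
# 'query user', warn long-idle active sessions with 'msg', and log off
# sessions that have been disconnected longer than a threshold. The console
# session is skipped because it cannot be logged off. The sample lines at the
# bottom are constructed to match the Windows Server 2003 'query user' layout.

function ConvertTo-IdleMinutes {
    param([string]$Idle)
    # IDLE TIME column formats: 'none', '.', '12' (minutes), '2:35' (h:mm), '1+02:35' (days+h:mm)
    if ($Idle -eq 'none' -or $Idle -eq '.') { return 0 }
    $days = 0
    if ($Idle -match '^(\d+)\+(.+)$') { $days = [int]$matches[1]; $Idle = $matches[2] }
    if ($Idle -match '^(\d+):(\d+)$') { return $days * 1440 + [int]$matches[1] * 60 + [int]$matches[2] }
    if ($Idle -match '^\d+$')          { return $days * 1440 + [int]$Idle }
    return -1   # unrecognised: never qualifies for any action
}

function ConvertFrom-QueryUser {
    param([string[]]$Lines)
    # SESSIONNAME is blank for disconnected sessions, so group 3 is optional.
    $re = [regex]'^\s*(>?)(\S+)\s+(\S+)?\s+(\d+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$'
    foreach ($line in $Lines) {
        if ($line -match '^\s*USERNAME\s+SESSIONNAME' -or $line.Trim() -eq '') { continue }
        $m = $re.Match($line)
        if (-not $m.Success) { Write-Warning "Unparsed line: $line"; continue }
        New-Object PSObject -Property @{
            UserName    = $m.Groups[2].Value
            SessionName = $m.Groups[3].Value
            Id          = [int]$m.Groups[4].Value
            State       = $m.Groups[5].Value
            IdleMinutes = ConvertTo-IdleMinutes $m.Groups[6].Value
            LogonTime   = $m.Groups[7].Value
        }
    }
}

function Invoke-IdleSessionSweep {
    param(
        [int]$DisconnectedMinutes = 120,    # log off sessions disconnected at least this long
        [int]$ActiveIdleMinutes   = 480,    # warn active sessions idle at least this long
        [string[]]$QueryOutput    = $null,  # pass captured lines to run offline
        [switch]$DryRun
    )
    if (-not $QueryOutput) { $QueryOutput = & query user }
    $actions = @()
    foreach ($s in (ConvertFrom-QueryUser $QueryOutput)) {
        if ($s.Id -eq 0 -or $s.SessionName -eq 'console') { continue }   # console cannot be logged off
        if ($s.State -eq 'Disc' -and $s.IdleMinutes -ge $DisconnectedMinutes) {
            # No warning is possible: a disconnected session has no display for msg to reach.
            $actions += "logoff $($s.Id)  ($($s.UserName), disconnected $($s.IdleMinutes) min)"
            if (-not $DryRun) { & logoff $s.Id }
        }
        elseif ($s.State -eq 'Active' -and $s.IdleMinutes -ge $ActiveIdleMinutes) {
            $actions += "msg $($s.Id)  ($($s.UserName), idle $($s.IdleMinutes) min)"
            if (-not $DryRun) {
                & msg $s.Id "Your session has been idle for $($s.IdleMinutes) minutes and will be logged off in 10 minutes."
            }
        }
    }
    return $actions
}

# Constructed sample output, used here so the sweep can be exercised offline.
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME',
    '>administrator         console             0  Active      none   3/28/2003 9:01 AM',
    ' donhall               rdp-tcp#3           2  Active      9:00   3/28/2003 9:15 AM',
    ' jsmith                                    3  Disc        2:35   3/28/2003 8:00 AM'
)
Invoke-IdleSessionSweep -QueryOutput $sample -DryRun
```

Run it with -DryRun first: the returned list shows which session IDs would be warned or logged off, so the thresholds can be checked against a real query user listing before logoff is ever invoked. Active sessions only get the msg warning here; a second pass after the grace period is where the actual logoff of those sessions belongs.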

Reset.exe: Reset session

Category

This tool is included in all Windows Server 2003 operating systems and in all Windows XP operating systems.

Version compatibility

This tool will run on all Windows Server 2003 operating systems and on all Windows XP operating systems.

Enables you to reset (delete) a session from the terminal server. You can always reset your own sessions, but you must have Full Control access permission to reset another user’s session.

Be aware that resetting a user’s session without warning can result in loss of data at the session.

You should reset a session only when it malfunctions or appears to have stopped responding.

Shadow.exe: Shadow

Category

This tool is included in all Windows Server 2003 operating systems and in all Windows XP operating systems.

Version compatibility

This tool will run on all Windows Server 2003 operating systems and on all Windows XP operating systems.

Shadow enables you to remotely control an active session of another user. You can either view or actively control the session. If you choose to actively control a user’s session, you will be able to input keyboard and mouse actions to the session.

You can always remotely control your own sessions (except the current session), but you must have Full Control access permission to remotely control another session. You can also initiate remote control using Terminal Services Manager.

Before monitoring begins, the server warns the user that the session is about to be remotely controlled, unless this warning is disabled. Your session might appear to be frozen for a few seconds while it waits for a response from the user.

Your session must be capable of supporting the video resolution used at the session you are remotely controlling or the operation fails.

The console session can neither remotely control another session nor can it be remotely controlled by another session.

Tscc.msc: Terminal Services Configuration snap-in

Category

This tool is included in all Windows Server 2003 operating systems.

Version compatibility

This tool will run on all Windows Server 2003 operating systems.

A Terminal Services connection provides the link clients use to log on to a session on the server. A TCP/IP connection is configured when Terminal Services is installed. Using Terminal Services Configuration, you can change the default properties of the connection or add new connections.

When you open Terminal Services Configuration you will see that a connection has already been configured. This is called the RDP-TCP connection. Typically, this is the only connection that needs to be configured for clients to connect to the server for Remote Desktop for Administration or application sharing with Terminal Server. Only one RDP (Remote Desktop Protocol) connection can be configured for each network adapter. If you want to configure additional RDP connections, you must install additional network adapters.

With Terminal Services Configuration, you can reconfigure the properties of the RDP-TCP connection, which includes limiting the amount of time client sessions can remain active on the server, setting protection levels for encryption, and selecting which permissions you want users and groups to have. Some connection properties can also be configured on a per-user basis using Terminal Services Group Policies or the Terminal Services extension to Local Users and Groups. For example, you can set different session time limits for each user when you use the Terminal Services extension to Local Users and Groups. Using Terminal Services Configuration, you can only set session time limits on a per-connection basis, which means the same time limit applies to all users who log on to the server using the connection.

Tscon.exe: Tscon

Category

This tool is included in all Windows Server 2003 operating systems and in all Windows XP operating systems.

Version compatibility

This tool will run on all Windows Server 2003 family operating systems and on all Windows XP operating systems.

Tscon allows you to connect to another session. You must have Full Control access permission or Connect special access permission to connect to another session. You cannot connect to the console session.

If you do not specify a password in the password parameter, and the target session belongs to a user other than the current one, tscon fails.

Tsdiscon.exe: Tsdiscon

Category

This tool is included in all Windows Server 2003 family operating systems and in all Windows XP operating systems.

Version compatibility

This tool will run on all Windows Server 2003 operating systems and on all Windows XP operating systems.

Tsdiscon disconnects a session from a terminal server. You must have Full Control permission to disconnect another user from a session.

If no session ID or session name is specified, tsdiscon disconnects the current session. The console session cannot be disconnected.

Any applications that were running when you disconnected the session are still running when you reconnect to that session, with no loss of data.

Tskill.exe: Tskill

Category

This tool is included in all Windows Server 2003 operating systems and in all Windows XP operating systems.

Version compatibility

This tool will run on all Windows Server 2003 operating systems and on all Windows XP operating systems.

Tskill ends a process. You can use tskill to end only those processes belonging to you, unless you are an administrator. Administrators have full access to all tskill functions and can end processes running in other user sessions.

When all processes running in a session end, the session also ends.
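The following Windows PowerShell script is an added example, not code from the original page or from Microsoft. It ties the tools above together: it parses the fixed-width output of query user, counts the processes carrying each SessionID, and then applies the order of operations the entries above describe, tsdiscon for a session that should survive and reset session only for a session that is already disconnected and stale. It assumes Windows PowerShell on the terminal server with the standard tools (query, msg, tsdiscon, reset) on the path; the query user output at the end is constructed so that the script can be dry-run offline with -WhatIf, and the 240-minute and 1440-minute thresholds are arbitrary defaults.

```powershell
# Added example, not code from the original page: triage sessions on a
# terminal server with the tools described above. Parses the fixed-width
# output of "query user", counts the processes tagged with each SessionID,
# and applies the safe order of operations the entries above describe:
# tsdiscon keeps a session and its data, "reset session" destroys it.
# Assumes Windows PowerShell on the server; the sample output is constructed.

function ConvertFrom-QueryUser {
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    $header = $Lines[0]
    # Column starts come from the header row, so the blank SESSIONNAME of a
    # disconnected session cannot shift the fields.
    $pUser  = $header.IndexOf('USERNAME')
    $pSess  = $header.IndexOf('SESSIONNAME')
    $pState = $header.IndexOf('STATE')
    $pIdle  = $header.IndexOf('IDLE TIME')
    $pLogon = $header.IndexOf('LOGON TIME')
    foreach ($raw in ($Lines | Select-Object -Skip 1)) {
        if (-not $raw.Trim()) { continue }
        $line = $raw.PadRight($pLogon + 1)
        # SESSIONNAME and the right-aligned ID share one span; the ID is its last token.
        $mid  = @($line.Substring($pSess, $pState - $pSess).Trim() -split '\s+')
        $name = if ($mid.Count -gt 1) { $mid[0] } else { '' }
        New-Object PSObject -Property @{
            Current     = $raw.StartsWith('>')      # the session this script runs in
            UserName    = $line.Substring($pUser, $pSess - $pUser).Trim()
            SessionName = $name
            Id          = [int]$mid[-1]
            State       = $line.Substring($pState, $pIdle - $pState).Trim()
            IdleTime    = $line.Substring($pIdle, $pLogon - $pIdle).Trim()
            LogonTime   = $line.Substring($pLogon).Trim()
        }
    }
}

function ConvertTo-IdleMinutes([string]$Idle) {
    # query user prints "none" or "." for no idle time, "35" for minutes,
    # "1:12" for hours:minutes and "2+03:15" for days+hours:minutes.
    if ($Idle -match '^(\d+)\+(\d+):(\d+)$') { return [int]$matches[1] * 1440 + [int]$matches[2] * 60 + [int]$matches[3] }
    if ($Idle -match '^(\d+):(\d+)$')        { return [int]$matches[1] * 60 + [int]$matches[2] }
    if ($Idle -match '^\d+$')                { return [int]$Idle }
    return 0
}

function Invoke-TSSessionTriage {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [string[]]$QueryOutput,                # lines from "query user"; runs it when omitted
        [int]$IdleActiveMinutes = 240,         # warn, then tsdiscon (keeps the session)
        [int]$StaleDisconnectedMinutes = 1440  # reset session (destroys it)
    )
    if (-not $QueryOutput) { $QueryOutput = query user }
    # Every process carries the SessionID of the session that created it.
    $bySession = Get-Process | Group-Object SessionId
    foreach ($s in ConvertFrom-QueryUser $QueryOutput) {
        $procs = @($bySession | Where-Object { [int]$_.Name -eq $s.Id } | ForEach-Object { $_.Count })
        '{0,3} {1,-16} {2,-7} idle {3,-8} processes {4}' -f $s.Id, $s.UserName, $s.State, $s.IdleTime, [int]($procs | Select-Object -First 1)
        # Session 0 is the console and cannot be disconnected or reset remotely;
        # the session this script runs in is left alone as well.
        if ($s.Id -eq 0 -or $s.Current) { continue }
        $idle = ConvertTo-IdleMinutes $s.IdleTime
        if ($s.State -eq 'Active' -and $idle -ge $IdleActiveMinutes) {
            if ($PSCmdlet.ShouldProcess("session $($s.Id) ($($s.UserName))", 'warn and tsdiscon')) {
                msg $s.Id /time:30 "Your idle session will be disconnected in 30 seconds; your programs keep running."
                Start-Sleep -Seconds 30
                tsdiscon $s.Id /v
            }
        }
        elseif ($s.State -eq 'Disc' -and $idle -ge $StaleDisconnectedMinutes) {
            # Nobody is attached to a disconnected session, so no warning can reach
            # the user: unsaved work in it is lost. Use -WhatIf to review first.
            if ($PSCmdlet.ShouldProcess("session $($s.Id) ($($s.UserName))", 'reset session')) {
                reset session $s.Id /v
            }
        }
    }
}

# Constructed sample of "query user" output for an offline dry run (-WhatIf only reports).
$sample = @'
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         console             0  Active       none  1/14/2009 9:02 AM
 alice                 rdp-tcp#1           1  Active          .  1/14/2009 9:15 AM
 bob                                       2  Disc      2+03:15  1/12/2009 4:40 PM
 carol                 rdp-tcp#3           3  Active       5:40  1/14/2009 7:00 AM
'@ -split "`r?`n"
Invoke-TSSessionTriage -QueryOutput $sample -WhatIf
```

Run it with -WhatIf first: ShouldProcess then only reports which sessions would be disconnected or reset. The console (SessionID 0) and the session the script itself runs in are never touched, matching the restrictions on tsdiscon and reset session described above, and an active session is always warned with msg and disconnected rather than reset, so its programs and data survive for the user to reconnect to.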

Tsmmc.msc: Remote Desktops snap-in

Category

This tool is included in all Windows Server 2003 operating systems. For Windows XP, this tool is available in the Windows Server 2003 Administration Tools Pack.

Version compatibility

This tool will run on all Windows Server 2003 and Windows XP operating systems.

Windows Server 2003 provides the ability to connect to the console (session 0) of a computer by using a Remote Desktops connection. Because of this, a Connect to Console check box is available in the user interface, but this feature only works when you connect to a Windows Server 2003-based computer.

It is still possible to use the Remote Desktops tool to connect to a computer that is running Microsoft Windows NT 4.0, Terminal Server Edition, or Windows 2000 Server with Terminal Services enabled, but this creates a regular Remote Desktop Protocol (RDP) session. The option to connect to the console session is ignored.

The Remote Desktops snap-in is ideal for administrators who are remotely administering multiple servers or terminal servers. You can create Remote Desktop connections to multiple terminal servers or to computers running Windows 2000 Server or Windows Server 2003 family operating systems with the Remote Desktops snap-in. A navigable tree display provides easy switching between connections.

By default, the Remote Desktops snap-in connects you to the console session of the computer you specify in the connection. To run a specific program on connection, create a new connection that specifies the program name, and ensure that the default behavior is not selected.

Tsprof.exe: Terminal Services profile

Category

This tool is included in all Windows Server 2003 operating systems except Windows Server 2003, Web edition.

Version compatibility

This tool will run on all Windows Server 2003 operating systems except Windows Server 2003, Web edition.

Copies the user configuration information, which is displayed in the Terminal Services extensions to Local Users and Groups and Active Directory Users and Computers, from one user to another. Terminal Services profile can also set the profile path for a user.

Tsadmin.exe: Terminal Server administration

Category

This tool is included in all Windows Server 2003 operating systems except Windows Server 2003, Web Edition.

Version compatibility

This tool will run on all Windows Server 2003 operating systems except Windows Server 2003, Web Edition.

Use Terminal Services Manager to view information about terminal servers that reside in trusted domains. Use this tool to monitor users, sessions, and applications on each terminal server, and to carry out assorted actions to manage the server.

When a user creates a session by connecting to a terminal server from a client computer, the session appears in the Session list in Terminal Services Manager. In addition, the name of the user who logs on by using the session appears in the Users list. Any applications run in the user’s session can be monitored on the Processes list. Therefore, you can oversee all users, sessions, and processes on a terminal server from one location.

Terminal Services Group Policy Settings

The following table lists and describes the Group Policy settings that are associated with Terminal Services.

Group Policy Settings Associated with Terminal Services

Group Policy Setting Description

Keep-Alive Connections

Specifies whether persistent connections are allowed.

Automatic reconnection

Specifies whether to allow Remote Desktop Connection clients to automatically reconnect to Terminal Services sessions if their network link is temporarily lost.

Restrict Terminal Services users to a single remote session

Specifies whether to restrict users to a single remote Terminal Services session.

Enforce Removal of Remote Desktop Wallpaper

Specifies whether desktop wallpaper is displayed to remote clients connecting via Terminal Services.

Deny log off of an administrator logged in to the console session

Specifies whether to allow an administrator attempting to connect to the console of a server to log off an administrator currently logged on to the console.

Allow Time Zone Redirection

Specifies whether to allow the client computer to redirect its time zone settings to the Terminal Services session.

Do not allow clipboard redirection

Specifies whether to prevent the sharing of clipboard contents (clipboard redirection) between a remote computer and a client computer during a Terminal Services session.

Do not allow smart card device redirection

Specifies whether to prevent the mapping of smart card devices in a Terminal Services session.

Allow audio redirection

Specifies whether users can choose where to play the remote computer’s audio output during a Terminal Services session.

Do not allow COM port redirection

Specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Terminal Services session.

Do not allow client printer redirection

Specifies whether to prevent the mapping of client printers in Terminal Services sessions.

Do not allow LPT port redirection

Specifies whether to prevent the redirection of data to client LPT ports during a Terminal Services session.

Do not allow drive redirection

Specifies whether to prevent the mapping of client drives in a Terminal Services session.

Do not set default client printer to be default printer in a session

Specifies whether the client default printer is automatically set as the default printer in a Terminal Services session.

Always prompt client for password upon connection

Specifies whether Terminal Services always prompts the client for a password upon connection.

Set client connection encryption level

Specifies whether to enforce an encryption level for all data sent between the client and the remote computer during a Terminal Services session.

Secure Server (Require Security)

Specifies whether a Terminal Server requires secure RPC communication with all clients or allows unsecured communication.

Limit number of connections

Specifies whether Terminal Services limits the number of simultaneous connections to the server.

Limit maximum color depth

Specifies the maximum color resolution (color depth) for Terminal Services connections.

Allow users to connect remotely using Terminal Services

Specifies whether to allow users to connect remotely using Terminal Services.

Do not allow local administrators to customize permissions

Specifies whether to disable the administrator rights to customize security permissions in the Terminal Services Configuration tool (tscc.msc).

Remove Windows Security item from Start menu

Specifies whether to remove the Windows Security item from the Settings menu on Terminal Services clients.

Remove Disconnect option from Shut Down dialog

Specifies whether to remove the Disconnect option from the Shut Down Windows dialog box on Terminal Services clients.

License Server Security Group

Specifies the terminal servers and license servers to which a Terminal Server License Server offers licenses.

Prevent License Upgrade

Specifies how a License Server distributes license upgrades to terminal servers running Windows 2000.

Do not use temp folders per session

Specifies whether to prevent Terminal Services from creating session-specific temporary folders.

Terminal Server IP Address Redirection

Specifies how client devices are directed when reconnecting to an existing terminal server session.

Join Session Directory

Specifies whether Terminal Services uses a Session Directory for tracking user sessions, allowing a group of terminal servers to locate and connect a user back to an existing session.

Session Directory Server

Specifies whether to configure a server as a Session Directory Server for Terminal Services sessions on your network.

Session Directory Cluster Name

Specifies the Cluster Name for the terminal server, associating it with other servers in the same logical group.

Set time limit for disconnected sessions

Specifies a time limit for disconnected Terminal Services sessions.

Set time limit for active Terminal Services sessions

Specifies a time limit for active Terminal Services sessions.

Set time limit for active but idle Terminal Services sessions

Specifies a time limit for active but idle Terminal Services sessions.

Allow reconnection from original client only

Specifies whether to allow users to reconnect to a disconnected Terminal Services session using a computer other than the original client computer.

Terminate session when time limits are reached

Specifies whether to terminate a timed-out Terminal Services session instead of disconnecting it.

Set path for TS Roaming Profiles

Specifies whether Terminal Services uses the specified network path for roaming user profiles.

TS User Home Directory

Specifies whether Terminal Services uses the specified network share or local directory path as the root of the user’s home directory for a Terminal Services session.

Set rules for remote control of Terminal Services user sessions

Specifies the level of remote control permitted in a Terminal Services session.

Start a program on connection

Configures Terminal Services to run a specified program automatically upon connection.

For more information about Group Policy settings, see the Group Policy Settings Reference for Windows Server 2003.

Terminal Services WMI Classes

The following table lists and describes the WMI classes that are associated with Terminal Services.

WMI Classes Associated with Terminal Services

Class Name                      Namespace      Version Compatibility

Win32_TerminalService           \\root\Cimv2   Windows Server 2003
Win32_TSSessionDirectory        \\root\Cimv2   Windows Server 2003
Win32_TerminalServiceSetting    \\root\Cimv2   Windows Server 2003
Win32_TSGeneralSetting          \\root\Cimv2   Windows Server 2003
Win32_TSLogonSetting            \\root\Cimv2   Windows Server 2003
Win32_TSSessionSetting          \\root\Cimv2   Windows Server 2003
Win32_TSEnvironmentSetting      \\root\Cimv2   Windows Server 2003
Win32_TSRemoteControlSetting    \\root\Cimv2   Windows Server 2003
Win32_TSClientSetting           \\root\Cimv2   Windows Server 2003
Win32_TSNetworkAdapterSetting   \\root\Cimv2   Windows Server 2003
Win32_TSPermissionsSetting      \\root\Cimv2   Windows Server 2003
Win32_TSAccount                 \\root\Cimv2   Windows Server 2003

For more information about these WMI classes, see the WMI SDK documentation on MSDN.
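As an added example (not from the original page or from Microsoft), the following Windows PowerShell script turns the classes in this table and the policy settings in the previous table into an audit of one listener: it reads the encryption level, the password prompt, the remote control level, the session time limits, the device redirection switches and the per-account permission mask of RDP-Tcp, reports weak values, and with -Fix raises the encryption level to High through Win32_TSGeneralSetting.SetEncryptionLevel. Assumptions: Windows PowerShell with Get-WmiObject, a listener named RDP-Tcp, that the Win32_TSClientSetting mapping properties mirror the listener's fDisable* registry values (1 = redirection disabled, 0 = allowed), that the PolicySource* properties report a Group Policy override, and the WinStation permission bit values from the Windows SDK header winsta.h. Check each of these against tscc.msc on your own build before acting on the output.

```powershell
# Added example, not Microsoft's code: audit one Terminal Services listener
# through the WMI classes listed above and, with -Fix, raise its encryption
# level to High via Win32_TSGeneralSetting.SetEncryptionLevel. Assumptions:
# Windows PowerShell with Get-WmiObject, a listener named RDP-Tcp, and the
# value semantics noted in the comments (check them against tscc.msc).
param(
    [string]$ComputerName = '.',
    [string]$TerminalName = 'RDP-Tcp',
    [switch]$Fix
)

function Get-TSSetting([string]$Class) {
    Get-WmiObject -ComputerName $ComputerName -Namespace 'root\cimv2' `
        -Class $Class -Filter "TerminalName='$TerminalName'"
}

$findings = New-Object System.Collections.ArrayList
function Add-Finding([string]$Severity, [string]$Text) {
    [void]$findings.Add(('[{0}] {1}' -f $Severity, $Text))
}

# Encryption (tscc.msc General tab / GPO "Set client connection encryption level").
# MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant.
$general    = Get-TSSetting Win32_TSGeneralSetting
$levelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$level      = [int]$general.MinEncryptionLevel
if ($level -lt 3) {
    Add-Finding 'HIGH' ("Encryption level is '{0}'; require High or FIPS Compliant." -f $levelNames[$level])
    if ($Fix) {
        # Assumption: PolicySource* = 1 means Group Policy owns the value and a listener change is overridden.
        if ($general.PolicySourceMinEncryptionLevel) {
            Add-Finding 'INFO' 'Encryption level is set by Group Policy; change the policy, not the listener.'
        } else {
            [void]$general.SetEncryptionLevel(3)
            Add-Finding 'FIXED' 'MinEncryptionLevel raised to High (3).'
        }
    }
}

# Logon (GPO "Always prompt client for password upon connection"): 1 = prompt.
$logon = Get-TSSetting Win32_TSLogonSetting
if ([int]$logon.PromptForPassword -ne 1) {
    Add-Finding 'MEDIUM' 'Saved client passwords are accepted; enable "Always prompt for password".'
}

# Remote control / shadow (GPO "Set rules for remote control ..."). LevelOfControl:
# 0 = disabled, 1 = full control with permission, 2 = full control without permission,
# 3 = view only with permission, 4 = view only without permission.
$rc = Get-TSSetting Win32_TSRemoteControlSetting
if (@(2, 4) -contains [int]$rc.LevelOfControl) {
    Add-Finding 'HIGH' ("LevelOfControl = {0}: sessions can be shadowed without the user's consent." -f $rc.LevelOfControl)
}

# Session limits (GPO "Set time limit for ..."); values are milliseconds, 0 = never.
$sess = Get-TSSetting Win32_TSSessionSetting
if ($sess.DisconnectedSessionLimit -eq 0) { Add-Finding 'LOW' 'Disconnected sessions never expire.' }
if ($sess.IdleSessionLimit -eq 0)         { Add-Finding 'LOW' 'Idle sessions never time out.' }

# Device redirection (GPO "Do not allow ... redirection"). Assumption: these
# Win32_TSClientSetting properties mirror the listener's fDisable* values,
# so 1 = redirection disabled and 0 = allowed; confirm on the Client Settings tab.
$client = Get-TSSetting Win32_TSClientSetting
foreach ($p in 'DriveMapping', 'ClipboardMapping', 'COMPortMapping', 'LPTPortMapping', 'AudioMapping') {
    if ([int]$client.$p -eq 0) {
        Add-Finding 'MEDIUM' ("{0} is allowed on {1}; disable it unless it is needed." -f $p, $TerminalName)
    }
}

# Permissions (tscc.msc Permissions tab). Win32_TSAccount.PermissionsAllowed is a
# WinStation access mask; bit values as in the Windows SDK winsta.h (assumption).
$bits = @{ QUERY = 0x1; SET = 0x2; RESET = 0x4; VIRTUAL = 0x8; SHADOW = 0x10;
           LOGON = 0x20; LOGOFF = 0x40; MSG = 0x80; CONNECT = 0x100; DISCONNECT = 0x200 }
foreach ($a in (Get-TSSetting Win32_TSAccount)) {
    $mask  = [int64]$a.PermissionsAllowed -band (-bnot [int64]$a.PermissionsDenied)
    $names = @($bits.Keys | Where-Object { $mask -band $bits[$_] } | Sort-Object)
    '{0,-40} {1}' -f $a.AccountName, ($names -join ',')
    # SHADOW is what Shadow.exe / Terminal Services Manager need to control another session.
    if (($mask -band $bits.SHADOW) -and $a.AccountName -notmatch 'Administrators$|SYSTEM$') {
        Add-Finding 'MEDIUM' ("{0} can shadow other users' sessions on {1}." -f $a.AccountName, $TerminalName)
    }
}

if ($findings.Count) { $findings } else { '[OK] No findings for {0} on {1}' -f $TerminalName, $ComputerName }
```

Run it as an administrator. The permissions section prints which principals hold SHADOW, RESET and CONNECT on the listener, which is the concrete meaning of the "Full Control" and "Connect special access" permissions the tool descriptions above refer to. When a PolicySource* property is set, the listener value is being supplied by one of the Group Policy settings listed earlier and has to be changed there rather than in tscc.msc or through WMI.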

Network Ports Used by Terminal Services

Terminal Server uses RDP to communicate between client and server computers. RDP works only across a TCP/IP connection, such as a local area network (LAN), wide area network (WAN), dial-up, Integrated Services Digital Network (ISDN), digital subscriber line (DSL), or virtual private network (VPN) connection. You can still use other protocols, such as Internetwork Packet Exchange (IPX) or NetBIOS Extended User Interface (NetBEUI), as the transport protocol for non-Terminal Server traffic, such as network file or printer sharing, or between the client portion of a client-server application and its server.

Port Assignments for Terminal Services

Service Name               UDP    TCP

Remote Desktop Protocol    none   3389

How Terminal Services Works

Terminal Services provides the ability to host multiple, simultaneous client sessions on Microsoft Windows Server 2003. Terminal Server is capable of directly hosting compatible multi-user client desktops running on a variety of Windows-based and non Windows-based hardware. Standard Windows-based applications do not need modification to run on the Terminal Server, and all standard Windows Server 2003-based management infrastructure and technologies can be used to manage the client desktops.

Terminal Services Architecture

Terminal Services consists of four components: the Windows Server 2003 multi-user kernel, the Remote Desktop client, the Terminal Services Licensing service, and Session Directory Services. Specifically:

Multi-user kernel: The multi-user kernel extensions, originally developed for Windows NT 4.0 Server, Terminal Server Edition, have been enhanced and fully integrated as a standard part of the Windows Server 2003 family kernel. These are resident on the server at all times, regardless of whether Terminal Services is enabled or not.

Remote Desktop client: The client software is an application that establishes and maintains the connection between a client and a server computer running Terminal Services.

Terminal Services Licensing service: This system allows terminal servers to obtain and manage terminal server client access license (TS CAL) tokens for devices and users connecting to a terminal server.

Session Directory Services: The session directory (SD) keeps a list of sessions indexed by user name, and allows a user to reconnect to the terminal server where the user’s disconnected session resides and resume that session.

Terminal Services Architecture

The following table describes the Terminal Services architecture components.

Terminal Services Components

Component Description

CSRSS.exe

The Client-Server Runtime Subsystem is the process and thread manager for all logon sessions.

RdpDD.sys

Captures the Windows user interface and translates it into a form that is readily converted by RDPWD into the RDP protocol.

RdpWD.sys

Unwraps the multi-channel data and then transfers it to the appropriate session.

SMSS.exe

Session Manager creates and manages all sessions.

Termsrv.exe

Manages client connections and initiates creation and shutdown of connection contexts.

Termdd.sys

The Terminal Services device driver. It hosts the RDP protocol stack and listens for RDP client connections on a TCP port.

Tdtcp.sys

Packages the RDP protocol onto the underlying network protocol, TCP/IP.

Wlnotify.dll

Runs in the session’s WinLogon process to create processes in the user session.

Win32k.sys

Manages the Windows GUI environment by taking the mouse and keyboard inputs and sending them to the appropriate application.

WinLogon.exe

This system service handles user logons and logoffs and processes the special Windows key combination Ctrl-Alt-Delete. WinLogon is responsible for starting the Windows shell (which is usually Windows Explorer).

Terminal Services Architecture

As the Windows Server 2003 Terminal Server boots and loads the core operating system, the Terminal Server service (termsrv.exe) is started and begins waiting for session connections. Each connection is given a unique session identifier or “SessionID” to represent an individual session to the Terminal Server, and each process created within a session is “tagged” with the associated SessionID to differentiate its namespace from any other session namespaces.

The console session (Terminal Server keyboard, mouse, and video) is always the first to load, is treated as a special-case client connection, and is assigned SessionID 0. The console session starts as a normal Windows Server 2003 session, with the configured Windows display, mouse, and keyboard drivers loaded.

After creating the console session, the Terminal Server service then calls the Windows Session Manager (SMSS.EXE) to create two idle client sessions, which then await client connections. To create the idle sessions, the Session Manager starts the Client-Server Run-time Subsystem (CSRSS.EXE), and a new SessionID is assigned to that process. The CSRSS process also invokes the WinLogon process (WINLOGON.EXE) and the Windows Manager and GDI kernel module (Win32k.sys) under the newly associated SessionID.

The Windows image loader recognizes this Win32k.sys as a SessionSpace loadable image by a predefined bit set in the image header. It then relocates the code portion of the image into physical memory with pointers from the virtual kernel address space for that session if Win32k.sys has not already been loaded. By design, it always attaches to a previously loaded image’s code (Win32k.sys) if one already exists in memory (that is, from any active application or session). The data (or non-shared) section of this image is then allocated to the new session from a newly created SessionSpace pageable kernel memory section.

Unlike the console session, Terminal Server client sessions are configured to load separate drivers for the display, keyboard, and mouse. The display driver is the Remote Desktop Protocol (RDP) display device driver (rdpdd.dll), and the mouse and keyboard drivers are replaced with the RDP driver Rdpwd.sys. These drivers allow the RDP client session to be both available and interactive, remotely. Finally, Terminal Server also invokes a connection listener thread for the RDP protocol (Termdd.sys), which listens for RDP client connections on a TCP port.

At this point, the CSRSS process exists under its own SessionID namespace, with its data instantiated per process as necessary. Any process created from within this SessionID automatically executes within the SessionSpace of that CSRSS process, which keeps processes with different SessionIDs from reaching another session's data. Note that this is a namespace separation, not a barrier against administrators: as the tskill and shadow entries above show, an account with the right Terminal Services permissions can still end processes in, or take control of, any session on the server.

Terminal Services Physical Structure

Terminal Services provides remote access to a Windows desktop through “thin client” software, allowing the client computer to serve as a terminal emulator. It provides an effective and reliable way to distribute Windows-based programs, providing a single point of installation with multiple users having access to the Windows Server 2003 operating system desktop, where they can run programs, save files, and use network resources as if they were sitting at that computer.

For computers running Windows Server 2003 operating systems, the Terminal Services client program (Remote Desktop Connection) is already installed. Windows Server 2003 operating systems also include Terminal Services Client software for computers running 16- and 32-bit operating systems.

A Terminal Services client can exist in a variety of forms. Thin-client hardware devices that run an embedded Windows-based operating system can run the Terminal Services client software to connect to a server computer running Terminal Services. Windows, Macintosh, or UNIX computers can run Terminal Services client software to connect to a Terminal Services server to display Windows-based applications. This combination of Terminal Services clients provides access to Windows-based applications from virtually any operating system.

Terminal Server Licensing

The Windows Server 2003 operating system family provides a client license management system known as Terminal Server Licensing. This system allows terminal servers to obtain and manage terminal server client access license (TS CAL) tokens for devices and users connecting to a terminal server. Terminal Server Licensing is a component service of Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition. It can manage unlicensed, temporarily licensed, and client-access licensed clients, and supports terminal servers that run Windows Server 2003 as well as the Windows 2000 Server operating system. This greatly simplifies the task of license management for the system administrator, while minimizing under- or over-purchasing of licenses for an organization. Terminal Server Licensing is used only with Terminal Server and not with Remote Desktop for Administration.

Session Directory

Terminal Services is a technology that lets users run Microsoft Windows-based applications on a remote Windows Server 2003-based computer. In a Terminal Server-based computing environment, all application execution and data processing occur on the server. In a load balanced environment, a farm of terminal servers has incoming session connections distributed in a balanced manner across the servers in the farm. The session directory (SD) keeps a list of sessions indexed by user name, and allows a user to reconnect to the terminal server where the user's disconnected session resides and resume that session.

Terminal Services Physical Structure

Terminal Services Components

Component Description

Terminal Server

Hosts applications for client computers.

Terminal Server Licensing Service

Issues TS Device CAL token to a requesting terminal server.

Session Directory

Maintains a list of the user names associated with the session IDs connected to the servers in a load balanced Terminal Server cluster.

Remote Desktop Connection

Client software that allows a connection to one remote computer.

Remote Desktops MMC Snap-in

Client software used by administrators to connect to multiple remote computers simultaneously.

Remote Desktop Web Connection

ActiveX RDP Web browser client.

Terminal Services Processes and Interactions

Terminal Services transmits only the user interface of the program to the client. The client computer connects through the network and sends keystroke and mouse-movement information to the Terminal Server over the Remote Desktop Protocol. The server returns screen updates in the form of simple (and bandwidth-friendly) GDI events, backed with bitmap information where required to display the desktop state properly.

Each user logs on and sees only their individual session, which is managed transparently by the server operating system and is independent of any other client session. The Terminal Server provides virtual Windows session management, so users can essentially treat that session as their own personal computer.

Remote Desktop Clients

There are three clients for Terminal Services: Remote Desktop Connection, Remote Desktops Snap-In, and Remote Desktop Web Connection. The client software is a very small application that establishes and maintains the connection between a client and a server computer running Terminal Services. Each client transmits all input from the user to the server, such as keystrokes and mouse movements, and receives all output from the server, such as application display information and print streams. Remote Desktop Web Connection provides most of the same functionality as the Remote Desktop Connection software but does not require the client to be on a private network or connected through a VPN; the ActiveX control it delivers still opens a direct RDP connection to the terminal server, so that server's TCP port 3389 must be reachable from the client. Remote Desktop Web Connection is covered in the next section.

Connection using Remote Desktop Connection

Remote Desktop Connection and Remote Desktops Snap-In

The Terminal Services client has a new name, Remote Desktop Connection. Remote Desktop Connection can be installed and run on any Windows 95, Windows 98, Windows Millennium Edition, or Win32 platform (non-Windows-based clients are supported by the Citrix Metaframe add-on).

The client initiates a connection to the Terminal Server through TCP port 3389. The Terminal Server RDP listener thread detects the session request and creates a new RDP stack instance to handle the new session request. The listener thread hands over the incoming session to the new RDP stack instance and continues listening on the TCP port for further connection attempts. Each RDP stack is created as the client sessions are connected to handle negotiation of session configuration details.

First, an encryption level is established for the session. The Terminal Server initially supports three encryption levels: low, medium, and high.

Low encryption encrypts only packets being sent from the client to the Terminal Server. This "input only" encryption is meant to protect the input of sensitive data such as a user's password. Medium encryption encrypts outgoing packets from the client the same as low-level encryption, but also encrypts all display packets being returned to the client from the Terminal Server, so that sensitive data is protected as it travels over the network to be displayed on a remote screen. Both low and medium encryption use the RC4 algorithm with a 40-bit key. High encryption encrypts packets in both directions, to and from the client, using the industry standard, non-exportable 128-bit key length. Note that a 40-bit RC4 key offers no meaningful protection against an attacker who can capture the traffic, and that low encryption sends everything the server draws on the user's screen in the clear; the High level is the one to require, through Terminal Services Configuration or the "Set client connection encryption level" policy listed earlier.

At this point, prior to any logon being presented to the end user, the licensing details are negotiated. First, the client secures a Windows Server 2003 Client access license. Second, a Windows Server 2003 desktop license is verified on the machine that is connecting, and if no license can be validated, a connectivity license is provided to a non-Windows client to allow connection to the Terminal Server.

After session details have been negotiated, the server RDP stack instance for this connection is mapped to an existing idle Win32k user session, and the user is prompted with the Windows Server 2003 logon screen. If autologon is configured, the encrypted user name and password are passed to the Terminal Server and logon proceeds. If no idle Win32k sessions currently exist, the Terminal Server service calls the Session Manager (SMSS) to create a new user space for the new session. Much of the Win32k user session code is shared, so a session loads noticeably faster once one instance has already been loaded.

After the user types a user name and password, encrypted packets are sent to the Terminal Server. The Winlogon process authenticates the account to ensure that the user has sufficient credentials to log on and then passes the user's domain and user name to the Terminal Server service, which maintains a list of domain/user name to SessionID mappings. If a SessionID is already associated with this user, the user is remapped into the existing namespace and the previous session stack is reloaded. Otherwise, the connection proceeds as normal and the Terminal Server service creates a new domain/user name to SessionID mapping. If more than one session is active for this user, the list of sessions is displayed and the user chooses which one to reconnect to.

The Remote Desktops snap-in is ideal for administrators who are remotely administering multiple servers or terminal servers. You can create Remote Desktop connections to multiple terminal servers or to computers running Windows 2000 Server or Windows Server 2003 family operating systems with the Remote Desktops MMC snap-in. A navigable tree display provides easy switching between connections.

Remote Desktop Web Connection

Remote Desktop Web Connection provides virtually the same functionality as Remote Desktop Connection, but delivers this functionality over the Web. When embedded in a Web page, Remote Desktop Web Connection can establish a Remote Desktop session with a remote computer, even if Remote Desktop Connection is not installed on the client computer. Remote Desktop Web Connection must be installed on a Web server with Internet Information Services (IIS) and Active Server Pages (ASP) enabled.

The Remote Desktop Web Connection is an ActiveX control that offers full feature parity with the standard Remote Desktop Connection client software offered in Windows XP and the Windows Server 2003 family of operating systems. The Remote Desktop Web Connection, like the Remote Desktop Connection which is installed by default, allows for connectivity to a Terminal Server. When installing the Remote Desktop Web connection on a specified computer the ActiveX control and sample ASP pages are installed. Internet Information Services is the delivery mechanism for the Remote Desktop Web Connection ActiveX control. This ActiveX control launches a Remote Desktop session to a Terminal Server computer from within Internet Explorer.

ActiveX control launches a remote session in IE

How Remote Desktop Web Connection works

Remote Desktop Web Connection connects to the Terminal Server as follows:

  1. The user opens a Web browser and requests the initial Remote Desktop Web Connection (DHTML) login page.
  2. The IIS server sends the page, and if this is the first time the client has connected, the user is also prompted to download the Remote Desktop ActiveX Control.
  3. The user populates the connection information which includes the Terminal Server name.
  4. The client computer creates a connection directly to the Terminal Server computer by using port 3389.

Connection Process

Remote Desktop Web Connection is a Web application that consists of an ActiveX control and DHTML pages. The DHTML pages provided only serve as a way to pass parameters to the Remote Desktop ActiveX control. Once the information is passed from the DHTML page to the ActiveX control, the Web page and the Web server no longer has a role in the process. Internet Information Services only serves as a mechanism for delivering the ActiveX control. When the user clicks Connect, the parameters from the DHTML page are passed to the control and a Remote Desktop connection to the Terminal Server is initiated.

When you connect to the IIS computer that is serving up the Remote Desktop Web Connection page, you are connecting over port 80. Upon connection to the Web page, the ActiveX control is downloaded to your client computer and stored in the default location for downloaded controls in Internet Explorer, %systemroot%\Downloaded Program Files. From the supplied sample Web page, the name of the Terminal Server and the display resolution are passed as parameters to the ActiveX control. After these parameters are passed, the connect method on the control is called, and then a session is launched to the Terminal Server computer. The ActiveX control on the client computer then creates a connection directly to the Terminal Server computer over TCP port 3389.

Note

  • The Web client is the same as the full Remote Desktop Connection client without the entire configuration interface. It obtains these properties from the Remote Desktop Web Connection page, and not by any communication with the IIS computer itself.

Session Disconnect

If a user decides to disconnect the session, the processes and all virtual memory space remain and are paged off to the physical disk if memory is required for other processes. Because the Terminal Server keeps a mapping of domain/user names and SessionIDs, when the same user reconnects, the existing session is loaded and made available again. An additional benefit of RDP is that of being able to change session screen resolutions, depending on what the user requests for the session. For example, let’s say a user had previously connected to a Terminal Server session at 800 x 600 resolution and disconnected. If the user then moves to a different computer that only supports 640 x 480 resolution and reconnects to the existing session, the desktop is redrawn to support the new resolution.

Automatic Reconnection

Automatic Reconnection adds resilience to the Remote Desktop Connection client in Windows Server 2003. It is designed to recover from temporary connection losses due to network problems. Automatic Reconnection enables disconnected Terminal Services sessions to automatically re-authenticate to a Terminal Server without prompting the user for credentials.

Mobile users can greatly benefit from this feature. For example, with the previous versions of Terminal Server client, a user working with a wireless laptop which momentarily loses connectivity would be disconnected from the session and greeted with the message “The connection was ended because of a network error. Please try connecting to the remote computer again.” Now with Automatic Reconnection, the user resumes the original session without needing to re-enter a password.

Reconnection Process

The Automatic Reconnection process is managed using a cookie that is sent to the client. When reconnection is initiated on the client, it sends this cookie to the server as a token for validating the connection. The auto reconnection cookie is generated at the server, and is flushed and regenerated any time a user logs in to a session or when a session is reset. This ensures that after the user connects to the session from a different computer, the original computer cannot reconnect. The server also invalidates and updates the cookie at hourly intervals, sending an updated cookie to the client as long as the session is active.
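As an added illustration (not Microsoft's code, and not real RDP), the following Python simulation applies the cookie rules this paragraph describes: a credential logon regenerates the cookie, a cookie-only reconnect is accepted only while the cookie still matches, the cookie rotates hourly for an attached client, and a session reset discards it. The TerminalServer and Session classes, the "laptop" and "desktop" client names, the mailbox that stands in for delivery to the client, and the simulated clock are all invented for this example.

```python
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass

ROTATION_SECONDS = 3600  # the server refreshes the cookie at hourly intervals


@dataclass
class Session:
    user: str
    cookie: bytes          # current auto-reconnect cookie for this session
    client: str | None     # computer currently attached; None once disconnected
    rotated_at: float      # simulated clock value of the last cookie refresh


class TerminalServer:
    """Server side of the reconnection handshake (simulation, not real RDP)."""

    def __init__(self) -> None:
        self.clock = 0.0
        self.sessions: dict[int, Session] = {}
        self._next_id = 1

    @staticmethod
    def _new_cookie() -> bytes:
        return secrets.token_bytes(16)  # opaque, unguessable token

    def logon(self, user: str, client: str) -> tuple[int, bytes]:
        """Credential logon: reuses the user's session, regenerates the cookie."""
        sid = next((i for i, s in self.sessions.items() if s.user == user), None)
        if sid is None:
            sid, self._next_id = self._next_id, self._next_id + 1
            self.sessions[sid] = Session(user, b"", None, self.clock)
        s = self.sessions[sid]
        s.cookie, s.client, s.rotated_at = self._new_cookie(), client, self.clock
        return sid, s.cookie

    def reset(self, sid: int) -> None:
        """Session reset: the session and its cookie are discarded."""
        self.sessions.pop(sid, None)

    def disconnect(self, sid: int) -> None:
        """Network loss or deliberate disconnect: session and cookie survive."""
        self.sessions[sid].client = None

    def auto_reconnect(self, sid: int, cookie: bytes, client: str) -> bool:
        """Cookie-only reconnect; no credentials are asked for, so the cookie is
        the only thing standing between a stale client and the session."""
        s = self.sessions.get(sid)
        if s is None or not hmac.compare_digest(s.cookie, cookie):
            return False
        s.client = client
        return True

    def advance(self, seconds: float, mailbox: dict[str, bytes]) -> None:
        """Move the clock; an attached client gets a fresh cookie every hour."""
        self.clock += seconds
        for s in self.sessions.values():
            if s.client and self.clock - s.rotated_at >= ROTATION_SECONDS:
                s.cookie, s.rotated_at = self._new_cookie(), self.clock
                mailbox[s.client] = s.cookie   # "sent" to the attached client


def walkthrough() -> dict[str, bool]:
    """Wireless drop, takeover from another computer, hourly rotation, reset."""
    ts, mailbox = TerminalServer(), {}
    sid, laptop_cookie = ts.logon("alice", "laptop")
    ts.disconnect(sid)                                   # momentary network loss
    out = {"laptop_reconnects": ts.auto_reconnect(sid, laptop_cookie, "laptop")}
    _, desktop_cookie = ts.logon("alice", "desktop")     # credential logon elsewhere
    out["laptop_after_takeover"] = ts.auto_reconnect(sid, laptop_cookie, "laptop")
    ts.advance(ROTATION_SECONDS, mailbox)                # an hour passes, desktop attached
    ts.disconnect(sid)
    out["desktop_stale_cookie"] = ts.auto_reconnect(sid, desktop_cookie, "desktop")
    out["desktop_fresh_cookie"] = ts.auto_reconnect(sid, mailbox["desktop"], "desktop")
    ts.reset(sid)
    out["after_reset"] = ts.auto_reconnect(sid, mailbox["desktop"], "desktop")
    return out
```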

User Logoff

Once a user logs off from the session, all processes associated with the SessionID are terminated and any memory allocated to the session is released. Of course, if the user was running a 32-bit application like Microsoft Word and logged off from the session, the application would remain in memory until the very last user exited from the application.

Terminal Services Licensing service

The Windows Server 2003 operating system family provides a client license management system known as Terminal Server Licensing. This system allows terminal servers to obtain and manage terminal server client access license (TS CAL) tokens for devices and users connecting to a terminal server. Terminal Server Licensing is a component service of Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition. It can manage unlicensed, temporarily licensed, and client-access licensed clients, and supports terminal servers that run Windows Server 2003 as well as the Windows 2000 Server operating system. This greatly simplifies the task of license management for the system administrator, while minimizing under- or over-purchasing of licenses for an organization. Terminal Server Licensing is used only with Terminal Server and not with Remote Desktop for Administration.

TS Licensing not used with Remote Desktop

Terminal Server Licensing

Terminal Server for Windows Server 2003 (known as Application Server mode in Windows 2000 Server) provides application deployment and management for users on a variety of devices through its application server mode. Each device or user who initiates a session on a terminal server running Windows Server 2003 must be licensed with one of the following:

  1. Windows Server 2003 Terminal Server Device Client Access License.
  2. Windows Server 2003 Terminal Server User Client Access License.
  3. Windows Server 2003 Terminal Server External Connector.

Note that additional licenses might be needed, such as Microsoft or other application, operating system, and Client Access licenses. The licenses in the preceding list are required even if other add-on products are used on top of Windows Server 2003.

The Terminal Services Licensing service is only associated with licensing for a terminal server client. It is not used to license any other application or service, and does not replace or interoperate with the licensing service for any other component, or alter your rights and obligations under any End User License Agreement (EULA). The Terminal Server Licensing service is not a replacement for purchasing a TS CAL.

TS CAL tokens are electronic representations of real licenses, but they are not actual licenses themselves. Therefore if a license token is lost, it does not mean that you have lost an actual license. If you have the documentation to prove that you have bought an actual license, the license token can be re-issued. Conversely, just because you have a license token does not mean that it necessarily maps to an actual legal license.

Terminal Services Licensing is designed to manage these license tokens to allow an administrator to more accurately assess an organization’s licensing requirements. However, there are a few situations in which a license token will not map to an actual license. The administrator should determine if this is the case, and if necessary, purchase extra licenses (but not install the corresponding license tokens) to account for this discrepancy.

How Terminal Services Licensing Works

All communication during the licensing process occurs between the client and the terminal server, and between the terminal server and the license server. The terminal server client never communicates directly with the license server.

When a client device attempts to connect to a terminal server in Per Device mode, the terminal server determines if the client has a license token. Terminal server clients store license tokens in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\MSLicensing

If a client has no license token, the terminal server attempts to contact a license server from its list of discovered license servers. If no contact is made, the terminal server restarts the discovery process. If no license server responds, the device cannot connect to the terminal server unless it is operating within the terminal server grace period.

When a license server responds, the terminal server requests a temporary token for the device because this is the first time the device has connected to a terminal server. The terminal server then pushes this temporary token to the device. After a user has provided valid credentials resulting in a successful logon, the terminal server instructs the license server to mark the issued temporary token as validated.

The next time a user attempts to connect to a terminal server in Per Device mode from this device, the terminal server requests a Windows Server 2003 TS Device CAL token for this device. If the license server has available TS Device CAL tokens, the license server removes one token from the available pool, marks it as issued to the device, logs the device name, the user name of the device, and the date issued, and then pushes this TS Device CAL token to the device.

If the license server has no TS Device CAL tokens, it will first look to any other license server in its domain, workgroup, or site. License servers maintain information about where other accessible license servers exist, and if they have license tokens. If another license server is accessible that does have inventory, the first license server will request a license token from the second license server and deliver it to the terminal server, which then passes the token to the client device. If there are no available TS Device CAL tokens, the device will continue to connect with the temporary token.

Temporary tokens allow devices to connect for 90 days, and will then expire. TS Device CALs, while representing perpetual licenses, are set to expire 52-89 days from the date they are issued. The terminal server always attempts to renew these tokens 7 days prior to their expiration. The purpose of this system is to recover TS Device CAL tokens that are lost due to events such as hardware failure or operating system reinstallation.
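The Per Device flow described above, worked through as an added Python simulation that is not part of the original article and not Terminal Server Licensing's own code. The LicenseServer and TerminalServer classes, the end date of the grace period, the device names and the treatment of an expired token as absent are assumptions of the example; it covers the temporary token, a TS Device CAL drawn from a peer license server's inventory, a device that stays on its temporary token when no inventory is left, renewal inside the 7-day window, and the grace period when no license server can be reached.

```python
import random
from dataclasses import dataclass
from datetime import date, timedelta

TEMP_TOKEN_DAYS = 90    # temporary tokens expire after 90 days
CAL_DAYS = (52, 89)     # TS Device CAL tokens expire 52-89 days after issue
RENEW_BEFORE_DAYS = 7   # renewal is attempted 7 days before expiry


@dataclass
class Token:
    kind: str            # "temporary" or "device_cal"
    device: str
    expires: date
    validated: bool = False


class LicenseServer:
    def __init__(self, cal_pool: int, peers=(), seed: int = 0):
        self.cal_pool, self.peers = cal_pool, list(peers)   # own inventory; other license servers
        self.reachable, self.rng = True, random.Random(seed)

    def lifetime(self) -> timedelta:
        return timedelta(days=self.rng.randint(*CAL_DAYS))

    def issue_device_cal(self, device: str, today: date):
        """Take one token from the own pool, or from the first peer that has inventory."""
        source = next((ls for ls in [self, *self.peers] if ls.cal_pool > 0), None)
        if source is None:
            return None          # no inventory anywhere: the device keeps its temporary token
        source.cal_pool -= 1
        return Token("device_cal", device, today + self.lifetime(), True)


class TerminalServer:
    def __init__(self, license_servers, grace_until: date):
        self.license_servers = list(license_servers)  # discovered license servers
        self.grace_until = grace_until                # assumed end of the grace period
        self.device_tokens: dict[str, Token] = {}     # stands in for each device's MSLicensing key

    def connect(self, device: str, today: date, credentials_ok: bool = True):
        """One Per Device connection. Returns (allowed, token now held by the device)."""
        token = self.device_tokens.get(device)
        if token is not None and token.expires <= today:
            token = None                   # assumption: an expired token counts as absent
        ls = next((s for s in self.license_servers if s.reachable), None)
        if token is None:
            if ls is None:                 # no license server: the grace period decides
                return today <= self.grace_until, None
            token = self.device_tokens[device] = Token("temporary", device, today + timedelta(days=TEMP_TOKEN_DAYS))
            token.validated = credentials_ok        # marked validated only after a good logon
            return credentials_ok, token
        if ls is None:
            return True, token             # keep using whatever the device already holds
        if token.kind == "temporary" and token.validated:
            cal = ls.issue_device_cal(device, today)
            if cal is not None:
                token = self.device_tokens[device] = cal
        elif token.kind == "device_cal" and (token.expires - today).days <= RENEW_BEFORE_DAYS:
            token.expires = today + ls.lifetime()   # renewal consumes no extra token
        return True, token


def walkthrough() -> dict:
    peer = LicenseServer(cal_pool=1, seed=1)                  # LS2: one CAL token in stock
    ls1 = LicenseServer(cal_pool=0, peers=[peer], seed=2)     # LS1: empty pool, knows LS2
    ts = TerminalServer([ls1], grace_until=date(2003, 9, 1))
    day1, day2 = date(2003, 6, 2), date(2003, 6, 3)
    first = ts.connect("pc1", day1)[1]          # temporary token, validated by the logon
    cal = ts.connect("pc1", day2)[1]            # TS Device CAL token drawn from LS2
    cal_expires = cal.expires
    ts.connect("pc2", day1)
    pc2 = ts.connect("pc2", day2)[1]            # inventory exhausted: stays temporary
    ts.connect("pc1", cal_expires - timedelta(days=5))   # inside the 7-day renewal window
    ls1.reachable = False                       # discovery fails from here on
    return {"first": (first.kind, first.validated, (first.expires - day1).days),
            "cal": (cal.kind, (cal_expires - day2).days, peer.cal_pool),
            "pc2_kind": pc2.kind, "renewed": cal.expires > cal_expires,
            "grace": ts.connect("pc3", day1)[0], "after_grace": ts.connect("pc3", date(2003, 10, 1))[0]}
```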

Client License Distribution Per User

When a terminal server is configured in Per User mode, the terminal server must be able to locate a license server after the grace period has expired. While it is possible to install TS Per User CAL tokens on a license server, there is currently no method of assigning a TS Per User CAL token to a particular user account.

Client License Distribution for External Connector

There is currently no support in Terminal Server Licensing or the Microsoft Clearinghouse for the External Connector. In order to use an External Connector license, you will need to configure your terminal server in Per User mode.

Terminal Server Licensing Model

Terminal Server Licensing operates between several components as shown in the previous figure, including the Terminal Server Licensing-enabled license server, the Microsoft Certificate Authority and License Clearinghouse, one or more terminal servers, and terminal server clients. A single license server can support multiple terminal servers. There can be one or more license servers in a domain, or throughout a site.

Microsoft Certificate Authority and License Clearinghouse

The Microsoft Clearinghouse is the facility Microsoft maintains to activate license servers and to issue client license key packs to license servers. A client license key pack is a digital representation of a group of client access license tokens. The Microsoft Clearinghouse is accessed through the Terminal Services Licensing administrative tool. It can be reached directly over the Internet, through a Web page, or by phone.

License Server

A license server is a computer on which Terminal Server Licensing is installed. A license server stores all TS CALs license tokens that have been installed for a group of terminal servers and tracks the license tokens that have been issued. One license server can serve many terminal servers simultaneously. A terminal server must be able to connect to an activated license server in order for permanent license tokens to be issued to client devices. A license server that has been installed but not activated will only issue temporary license tokens.

Terminal Server

A terminal server is a computer on which the Terminal Server service is installed. It provides clients access to Windows-based applications running entirely on the server and supports multiple client sessions on the server. As clients connect to a terminal server, the terminal server determines if the client needs a license token, requests a license token from a license server, and then delivers that license token to the client.

Terminal Services Session Directory Service

In a Terminal Server-based computing environment, all application execution and data processing occur on the server computer. In a load balanced environment, terminal servers are grouped into farms, with each farm being represented to client machines as a single computer name with one IP address. The device performing the load balancing redirects incoming session connections to each machine in the farm according to its load balancing algorithm. Using a load-balancing solution with Terminal Server distributes sessions across the servers in the farm for improved performance. Terminal Services Session Directory, which is available with Windows Server 2003, Enterprise Edition, works with your load-balancing solution.

Session Directory is a load balancing feature that enables users to easily reconnect to a disconnected session on a server farm running Terminal Services. The Session Directory is a database that tracks user sessions that are running on load-balanced terminal servers. It provides information when a user reconnects (after disconnecting intentionally or because of a network failure) to ensure that the user reconnects to the same session rather than starting a new session. Session Directory, which can support several thousand sessions, is also cluster-aware. Session Directory is compatible with the Windows Server 2003 load balancing service and is supported by third-party external load balancer products.

Session Directory and load balancing compatibility

Terminal Services Session Directory management works with a load balancing service to ensure that users are transparently reconnected to the original server hosting their disconnected Terminal Server session.

The components of Terminal Services Session Directory are:

  • A network load-balancing solution
  • Two or more Terminal Servers logically grouped into a Terminal Server cluster
  • A Session Directory server

Network Load Balancing, a clustering technology included in Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, enables servers to deliver high performance and failover protection. Network Load Balancing distributes IP traffic to multiple copies (or instances) of a TCP/IP service, such as Terminal Server or IIS, each running on an individual host within the cluster. Clients access the cluster using one or more virtual IP addresses; from there the NLB cluster evenly partitions the client requests among the hosts. From the client's point of view, the cluster appears to be a single server. As enterprise traffic needs increase, network administrators can simply add an additional server and incorporate it into the cluster.

In a load balanced environment, each Terminal Services cluster is represented to client machines as a single computer name with one IP address. The device or service performing the load balancing redirects connections to individual servers (nodes) in the cluster according to its load balancing algorithm.

Load balancing pools the processing resources of several servers using the TCP/IP networking protocol whereas Session Directory keeps track of the disconnected sessions on the cluster and ensures that users are reconnected to those same sessions.

Session Directory members can consist only of Enterprise and Datacenter Terminal Servers. Computers running Windows Server 2003, Standard Edition, are unable to join a Session Directory because they lack the required clustering technology; however, a computer running Windows Server 2003, Standard Edition, can operate as the Session Directory server.

How Session Directory Works

  1. An incoming connection to the cluster is load balanced to one node, which provides the logon prompt.
  2. When the user logs on to the Terminal Server cluster, the Terminal Server receiving the initial client logon request sends the user name to the Session Directory server.
  3. The Session Directory server checks the user name against its database and sends the result to the requesting server. The Session Directory database is a Jet database containing a list of sessions indexed by user name.
  4. If the user has no disconnected sessions, the logon process continues at the server hosting the initial connection.
  5. If the user has a disconnected session on another server, the initial hosting server sends the client the information necessary for the client to continue authentication against the server hosting the disconnected session. The transition from one server to the other is transparent to the user.
  6. When the user logs on to the disconnected session, the Session Directory is updated.

The Terminal Server Session Directory database is updated and queried by the Terminal Servers whenever users log on, log off, or disconnect from a session.
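The six steps above, together with the note that follows about clients that are not Session Directory-aware, as an added Python model that is not Microsoft's code: SessionDirectory stands in for the Jet database, Cluster for the load balancer, and the TS1/TS2 node names, the user names and the round-robin choice of node are invented for the example.

```python
class SessionDirectory:
    """Stands in for the Jet database: per user, the sessions and their state."""

    def __init__(self) -> None:
        self.by_user: dict[str, dict[tuple[str, int], str]] = {}   # user -> {(server, id): state}

    def disconnected_session(self, user: str):
        """Step 3: report the user's disconnected session as (server, id), or None."""
        return next((key for key, state in self.by_user.get(user, {}).items()
                     if state == "disconnected"), None)

    def record(self, user: str, server: str, session_id: int, state: str) -> None:
        self.by_user.setdefault(user, {})[(server, session_id)] = state

    def remove(self, user: str, server: str, session_id: int) -> None:
        self.by_user.get(user, {}).pop((server, session_id), None)


class TerminalServerNode:
    """One member of the Terminal Server cluster."""

    def __init__(self, name: str, directory: SessionDirectory) -> None:
        self.name, self.directory = name, directory
        self.sessions: dict[int, str] = {}      # session id -> user
        self._next_id = 1

    def logon(self, user: str, client_aware: bool = True):
        """Steps 2-6. Returns ('redirect', server), ('reconnected', id) or ('new', id)."""
        found = self.directory.disconnected_session(user)
        if found is not None and found[0] == self.name:
            self.directory.record(user, self.name, found[1], "active")
            return "reconnected", found[1]
        if found is not None and client_aware:
            return "redirect", found[0]          # step 5: hand the client to the real host
        sid, self._next_id = self._next_id, self._next_id + 1   # step 4, or a legacy client
        self.sessions[sid] = user
        self.directory.record(user, self.name, sid, "active")
        return "new", sid

    def disconnect(self, session_id: int) -> None:
        self.directory.record(self.sessions[session_id], self.name, session_id, "disconnected")

    def logoff(self, session_id: int) -> None:
        self.directory.remove(self.sessions.pop(session_id), self.name, session_id)


class Cluster:
    """Load balancer stand-in: one virtual name, round-robin choice of node (step 1)."""

    def __init__(self, directory: SessionDirectory, names) -> None:
        self.nodes = {n: TerminalServerNode(n, directory) for n in names}
        self._turn = 0

    def connect(self, user: str, client_aware: bool = True):
        """Returns (node that ends up hosting the session, logon result)."""
        names = list(self.nodes)
        node = self.nodes[names[self._turn % len(names)]]
        self._turn += 1
        result = node.logon(user, client_aware)
        if result[0] == "redirect":
            node = self.nodes[result[1]]
            result = node.logon(user, client_aware)  # client authenticates again at the real host
        return node.name, result


def walkthrough() -> dict:
    directory = SessionDirectory()
    cluster = Cluster(directory, ["TS1", "TS2"])
    out = {"alice_first": cluster.connect("alice")}          # new session on TS1
    cluster.nodes["TS1"].disconnect(1)
    out["alice_back"] = cluster.connect("alice")             # NLB picks TS2, directory sends her to TS1
    cluster.nodes["TS1"].logoff(1)
    out["alice_after_logoff"] = directory.disconnected_session("alice")
    out["bob_first"] = cluster.connect("bob")                # new session on TS1
    cluster.nodes["TS1"].disconnect(2)
    out["bob_legacy_client"] = cluster.connect("bob", client_aware=False)   # no redirection
    return out
```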

Note

  • The Session Directory redirection feature is dependent on the version of the Remote Desktop Connection client used. The Remote Desktop client released with Windows XP is the minimum level necessary to function properly with Session Directory. Windows 2000 and Windows NT 4.0 Terminal Server clients are not Session Directory-aware, so client sessions will not be redirected to a disconnected session when that session is on an alternate node.

Network Load Balancing

Session Directory exists to solve a problem for Terminal Server clusters. These clusters can be load balanced using various solutions. This section discusses some general practices for any solution in use for load balancing. Here are some general considerations for Terminal Server clusters:

Consider splitting network traffic between two network adapters: one for Terminal Services connections and the other for access to other network resources and infrastructure. This allows for network access to the server in case the adapter bound to the cluster becomes unavailable.

For easier administration, place all load-balanced Terminal Servers into an Organizational Unit (OU) and apply Group Policy settings to that OU.

Home directories and other user data storage will need to be configured in such a way that the users can easily access their data no matter which server they are logged into.

Network Load Balancing (NLB) was previously installed by adding it as a service to a network connection and then configuring that network component on each node individually. NLB Manager in Windows Server 2003 is a new centralized snap-in added to provide easier configuration and maintenance for NLB configurations.

Although it is still possible to configure an NLB cluster by modifying network connection properties directly, the best practice is to use NLB Manager. Mixing the two methods, using NLB Manager and modifying network properties directly on the same NLB cluster, is not recommended.

Remote Desktop for Administration

You can use Remote Desktop for Administration to manage a network remotely using a configuration similar to the one shown in the following illustration.

Using Remote Desktop for Administration

Remote Desktop for Administration provides remote access to the server desktop by using the Terminal Services Remote Desktop Protocol (RDP) on port 3389. RDP transmits the user interface to the client session, and also transmits keystrokes and mouse clicks from the client to the server. You can create up to two simultaneous remote connections. Each session you log on to is independent of other client sessions as well as the server console session. In essence, you can use Remote Desktop for Administration to log on to the server remotely as though you were logged on locally.

If you need to connect to the server console session remotely (for example, to access applications that direct only their user interface to the console), either use the Remote Desktops snap-in or use Remote Desktop Connection from the command line. When you attempt to connect to the console session, whether remotely or locally, you will be notified if there is already another user connected to the console session. The notification message will be shown after your logon credentials are validated, and will include information about the user who is logged on to the console session, including user name, location of logon (local or remote), and the state of the session (in use, locked, or idle).

Note

  • Be aware of the security implications of remote logons. Users who log on remotely can perform tasks as though they were sitting at the console. For this reason, you should ensure that the server is behind a firewall. You should require all users who make remote connections to use a strong password.

The connection to Remote Desktop for Administration uses TCP/IP, either over an existing network connection or by remote access. A remote access server running one of the Windows Server 2003 family of operating systems provides two different types of remote access connectivity:

  • Network and Dial-up Connections
  • Virtual private networking

The following illustration shows how you can connect to a computer running one of the Windows Server 2003 family of operating systems from a remote location using remote access.

Remote access to Windows Server 2003 computers

Administering Windows Server 2003 family operating systems remotely

After you are connected to a computer running a Windows Server 2003 family operating system, you can use Remote Desktop for Administration to remotely administer the server and its local computers. Remote Desktop for Administration gives you access to a variety of administrative tools used to configure and manage computers. Through a Terminal Services session, you can access Microsoft Management Console (MMC), Active Directory, Systems Management Server, network configuration tools, and most other administrative tools.

Remote Desktop for Administration is extremely useful because it provides remote access to most configuration settings, including Control Panel, which usually cannot be configured remotely. Also, using Remote Desktop for Administration can be particularly convenient for diagnosing a problem and testing multiple solutions quickly.

You can access the servers from anywhere in the world by using a wide-area network (WAN), a virtual private network (VPN), or a dial-up connection. You can start time-consuming batch administrative jobs (for example, tape backups), disconnect, and later reconnect to the corporate network to check progress.

Server application and operating system upgrades can be completed remotely as well as tasks that are not usually possible unless you are sitting at the console, such as domain controller promotion/demotion and disk defragmentation. Server file system tasks such as copying large files and virus scanning are much more efficient when performed within a Remote Desktop for Administration session, rather than using utilities that are executed from a client computer.

Administrative tasks are quicker and more intuitive than using command line utilities, although it is still possible to open a command shell.

Note

  • For some third-party applications, pop-up messages cannot be seen in a Terminal Services session. This is because there is a different security context or desktop for the connected session that does not display the application’s pop-up messages. The pop-up messages in these instances will go directly to the console. If you need to see these messages, connect to the console session using Remote Desktop Connection from the command line or the Remote Desktops snap-in.

Network Ports Used by Terminal Services

Terminal Server uses RDP to communicate between client and server. RDP works only across a TCP/IP connection, such as a local area network (LAN), wide area network (WAN), dial-up, Integrated Services Digital Network (ISDN), digital subscriber line (DSL), or virtual private network (VPN) connection. You can still use other protocols, such as Internetwork Packet Exchange (IPX) or NetBIOS Extended User Interface (NetBEUI), as the transport protocol for non–Terminal Server traffic, such as network file or printer sharing, or between the client portion of a client-server application and its server.

Port Assignments for Terminal Services

Service Name                     UDP      TCP
Remote Desktop Protocol (RDP)    (none)   3389