In-Depth

Windows Management from Afar

Windows Server 2003 offers significant upgrades over Windows 2000 in the area of remote connectivity.

One of the coolest new features introduced in Windows 2000 was Terminal Services Remote Admin mode. Thanks to Terminal Services’ integration into the base operating system, up to two administrators can remotely control any Win2K server in their enterprise, making single-seat administration more realistic and without the need for third-party utilities like pcAnywhere. Of course, there are some drawbacks. In particular is Terminal Services’ lack of support for file copying to and from the remote machine, a feature long available in Symantec’s pcAnywhere, Citrix WinFrame and other products.

Windows Server 2003 still includes the Terminal Services technologies but deploys them differently. You might be surprised, for example, to find that your newly installed Windows 2003 computers not only don’t have remote control as a default option, but that there doesn’t seem to be any way to install Terminal Services in Remote Admin mode! Don’t panic—Windows 2003 not only includes a replacement for Remote Admin mode but offers some much needed improvements.

Language Lesson
You’ll need to become accustomed to new terminology when it comes to Windows 2003 and Terminal Services. Remote Admin mode is gone, replaced with Remote Desktop. Functionally, this is a one-for-one replacement for Remote Admin mode. Remote Desktop is installed in the OS by default and can’t be removed. If you’ve used Windows XP’s Remote Desktop, then you’re familiar with Windows 2003’s Remote Desktop, because they work almost exactly the same.

Terminal Server is a new term that refers to a Windows 2003 computer with Terminal Services installed, in what was called Application Server mode. Making Windows 2003 into a Terminal Server is what allows multiple users to log in and remotely use the server. You’ll still need a Terminal Services Licensing server somewhere on your network in order to use a Terminal Server.

Remote Desktop Connection (RDC) is the new name for the Terminal Services client. It looks and feels pretty much the same and still uses Microsoft’s Remote Desktop Protocol (RDP) to connect to Terminal Services. Windows 2003 supports RDP 5.1, which enables some cool new features discussed later. The RDC clients included with Windows XP and with newer Windows CE-powered devices are RDP 5.1-compatible; older RDP 5.0 clients can still connect to Windows 2003 but can’t take advantage of the new features.

Terminal Services 2000 vs. 2003
While the functionality of Terminal Services hasn't changed a great deal in Windows Server 2003, the terminology has. Here's a summary of the new terms and new features, compared to Windows 2000 Terminal Services.

Windows 2000 Server                                                               | Windows Server 2003
----------------------------------------------------------------------------------|---------------------------------------------------------------------------------
Remote Admin Mode installation option                                             | Remote Desktop always installed
Application Mode installation option                                              | Terminal Server installation option
Web client (Terminal Services Advanced Client, or TSAC)                           | Web client included with IIS 6.09 but not installed by default
32-bit clients: Terminal Services client                                          | 32-bit clients: Remote Desktop Connection and Remote Desktops console
Resource map-back: mainly printers                                                | Resource map-back: sound, disk drives, printers
Server must have a copy of all printer drivers used by clients for map-back to work | Server uses Plug and Play to automatically get printer drivers from NT-based clients
Maximum of two admin connections in Remote Admin mode                             | Maximum of two admin connections to Remote Desktop
Only local admins have Remote Admin capability                                    | Remote Desktop access is configurable

Enabling Remote Desktop
For security reasons, Windows 2003 disables Remote Desktop by default. The software is completely installed by default—and, in fact, can’t be removed—but turned off in keeping with Windows 2003’s “more secure out of the box” philosophy. Turning it on is easy: Open the properties for My Computer, click the Remote tab, and select the checkbox to allow users to connect remotely (see Figure 1).

Figure 1. Remote Desktop is disabled by default. Enable it through this screen.

By default, all members of the local Administrators group will have the ability to connect to Remote Desktop, and Windows 2003 supports up to two simultaneous remote sessions. Before enabling Remote Desktop, review the membership of your server’s local Administrators group and any other user groups to which you choose to grant Remote Desktop access. Remote Desktop provides unrestricted access to the server’s desktop, so you don’t want any untrusted users accidentally finding their way in!

Note: You don’t need to enable Remote Assistance in order to use Remote Desktop. While the two features both use Terminal Services technology, they’re independent. I don’t generally recommend enabling Remote Assistance on a server, as it could lead to unauthorized users having access to the server’s desktop.
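As an added check before ticking that checkbox (this is my script, not the article’s), the following PowerShell reports whether Remote Desktop is currently off, what minimum encryption level the RDP listener enforces, and who is in the two local groups that can reach the desktop over RDP. It assumes it runs locally on the server with PowerShell installed; the registry value names and the Remote Desktop Users group name are standard Windows names I am supplying, not taken from the article.

```powershell
# Added example, not from the article: audit a server's Remote Desktop exposure
# before enabling it. Registry value names below are standard Windows names,
# supplied here as an assumption rather than taken from the article.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means Remote Desktop is disabled (the Windows 2003 default).
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($deny -eq 1) { "Remote Desktop: DISABLED (default)" } else { "Remote Desktop: ENABLED" }

# MinEncryptionLevel on the RDP-Tcp listener: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS.
$enc = (Get-ItemProperty -Path $rdpKey -Name MinEncryptionLevel -ErrorAction SilentlyContinue).MinEncryptionLevel
"RDP-Tcp minimum encryption level: $enc"

# Enumerate members of the local groups that get Remote Desktop access.
# The WinNT ADSI provider is available on Windows Server 2003 without extra modules.
function Get-LocalGroupMember([string]$GroupName) {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        # AdsPath shows whether the member is a local account or a domain account/group
        $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
    }
}

foreach ($g in 'Administrators', 'Remote Desktop Users') {
    "`n$g :"
    Get-LocalGroupMember $g | ForEach-Object { "  $_" }
}
```

Any domain group listed under Administrators deserves a second look, since every member of that group inherits desktop access once the checkbox is on.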

Utilizing RDP 5.1 Features
As mentioned earlier, RDP 5.1 has some cool new features that can make Remote Desktop a more effective administration tool. One of the biggest complaints about Win2K Terminal Services Remote Admin mode was that there was no way to easily copy files to and from the remote server over the RDP connection. RDP 5.1 corrects this problem by adding the ability to map client computer drives to the remote server to which you’re connected.

To enable this feature, open the RDC client software and configure a new connection. On the Resources tab (see Figure 2), check the Disk drives checkbox. Keep in mind that this feature is only available on RDP 5.1 clients—it won’t work with older RDP 5.0 servers like Win2K.

Figure 2. The ability to connect to disk drives on the remote server is available only to RDP 5.1 clients.

Once the connection’s activated, look at My Computer on the remote server. You’ll find several network drives, starting with drive Z: and working backward through the alphabet. These network drives represent the drives on your client computer, making it easy to copy files to and from the client and server without using additional protocols. This allows you to completely manage the server right over RDP’s TCP port 3389, without having to use Windows file sharing or FTP to move files back and forth. Bear in mind that the RDP traffic is encrypted, as it always has been, which helps to protect the confidentiality of any files you copy to and from the remote machine.

RDP: Under the Hood

Ever wonder how RDP and Terminal Services really work? You’re probably familiar with products like Symantec’s pcAnywhere, which essentially copy compressed bitmaps of the server’s screen back to your client computer. They detect screen changes and send back just the portion of the screen that’s been altered, which improves performance.

Terminal Services is quite different. Citrix, the company that originally created the Terminal Services technology that Microsoft now uses, was a licensee of the Windows NT 3.51 source code. That gave them the ability to integrate remote control with the operating system at a very deep level; Microsoft eventually licensed and added these enhancements to Windows NT Server 4.0 Terminal Services edition and then the Win2K base code.

In Windows, all screen drawing—windows, buttons, graphics, and whatever—is accomplished by the Graphical Device Interface (GDI), a special layer of the operating system. When an application needs a window or checkbox drawn, it asks GDI to do so. Terminal Services plugs into the GDI, intercepting the GDI commands directly. These commands are then retransmitted to the remote client, which “replays” them. GDI commands are pretty small, even though some of them—like redrawing the whole screen—can have a large effect. And GDI isn’t immune to having to copy bitmaps, such as desktop wallpaper, from time to time. Still, by transmitting the GDI commands, RDP is able to optimize performance over slower connections.

Although this explanation is a bit of an oversimplification, you can see how RDP’s technique is more efficient than bitmap-based products like pcAnywhere. And keep in mind that Microsoft didn’t invent this technique: Citrix’ ICA protocol does exactly the same thing.

—Don Jones

RDP 5.1’s resource redirection isn’t limited to disk drives. You can configure it to redirect sounds made on the remote computer to the client. RDP 5.0 allowed client printers to show up on the remote computer, which is a useful feature. RDP 5.1 extends resource redirection capability to serial ports and disk drives, allowing the client’s resources to appear on the remote computer. For example, a client’s C: drive might show up on a Terminal Server as the Z: drive, making it easy to copy files between the server and client.

Windows 2003 also extends printer Plug and Play capabilities to RDP 5.1 clients. Imagine that your users are running Windows XP and connecting to a Windows 2003 Terminal Server. Plug and Play allows the server to detect users’ locally connected printers and automatically set them up for use within the Terminal Services session. As with all things Plug and Play, however, you’ll need to test that behavior in your environment. If things don’t seem to be working correctly in your tests, check out the System and Application event logs on the server, as Terminal Services will usually add reasonably useful entries when printer mapping fails.

Remote Desktop Console: A Better RDP
Most RDC clients (including Windows XP’s) let you open multiple instances of the software, which makes it possible to open multiple RDP connections. I do that all the time in a busy environment; it’s not unusual for me to have four or five RDC windows open, each connected to a different remote server.

Keeping track of all those windows can be a pain, though, and Windows 2003 has a better solution: the Remote Desktops console (Figure 3). This is a standard MMC snap-in with a list of remote servers in the left-hand tree. The details pane on the right shows the selected server’s remote desktop. You can easily switch between remote servers in the left-hand list, effectively managing multiple remote connections from a single window.

To add a new server to the Remote Desktops console, right-click Remote Desktops and select Add Connection from the context menu. To connect to a remote server, just select its connection name in the console (or right-click and select Connect).

Figure 3. The Remote Desktops MMC snap-in can be used to track multiple open server sessions.

To configure advanced properties for a connection, right-click the connection name and select Properties from the context menu. You can configure the following options:

- Server’s name or IP address, and the connection name.

- Logon credentials.

- Size of the remote desktop window. By default, it will fill the right-hand pane of the MMC, but a custom size can be configured.

- Redirecting local drives to the remote server, provided the remote server supports RDP 5.1.

Keep in mind that the Remote Desktops console will connect not only to Windows 2003 servers, but also to Win2K servers and even Windows XP Professional clients that have Remote Desktop enabled. You can even connect to Windows NT 4.0 Terminal Servers. Remote Desktops is a full RDP 5.1 client, allowing mapping of client disk drives to the server for easier file management.

Making a Terminal Server
If you want to use Windows 2003 Terminal Services as a true Terminal Server (formerly called Application Mode), you’ll need to open the Control Panel, open Add/Remove Programs, and click the Add/Remove Windows Components button. Select the Terminal Server option (Figure 4). This installs Terminal Services’ application server capabilities.

Figure 4. To use Windows 2003 Terminal Services, you first have to install it.

Note: Don’t get confused and accidentally select the Application Server Windows component, as that installs IIS and some other bits unrelated to Terminal Services.

Terminal Services vs. MetaFrame

With the improvements in RDP 5.1—especially the drive map-back capability—you may wonder why anyone would buy Citrix MetaFrame, which adds capabilities and Citrix’ ICA protocol to Terminal Services. In fact, if you’re just using Terminal Services for remote administration, you probably don’t need MetaFrame. But that’s not why Citrix wants you to buy it, anyway!

MetaFrame’s ICA protocol opens Terminal Services to a wider array of clients, including Unix, handheld devices, Java clients, and more. For now, RDP is officially only available on Windows and Mac OS X, directly from Microsoft. Of course, open-source RDP clients are available for Unix, Linux, and the Palm OS, so the gap between RDP and ICA is closing on the client end. MetaFrame also offers load balancing and the ability for clients to reconnect a disconnected session back to the same server in a server farm. Terminal Services’ new session directory, along with Network Load Balancing, now provides a similar capability in Windows 2003.

The major features of Terminal Services and MetaFrame are becoming more parallel. MetaFrame still offers a variety of unique functionality, but it’s definitely worth your time to investigate those capabilities. Many environments are discovering that Windows 2003’s Terminal Services offer everything they need without the extra expense.

—Don Jones

As in Win2K, making a server into a Terminal Server changes its behavior a bit. First, you’ll still need a Terminal Server Licensing Server on your network somewhere. You’ll also need to take special steps to install applications on the Terminal Server so they’ll be available to multiple concurrent users. You’ll have the familiar Terminal Services Configuration and Terminal Services Manager MMC consoles available to configure and manage user connections, perform shadowing of user connections, and so on—see Windows 2003’s Online Help and Support Center for details.

A Better Way to Reach Out and Touch Someone
Windows 2003’s Remote Desktop feature provides all the features and functionality of Win2K Terminal Services Remote Admin mode—and then some! It’s installed by default and can’t be uninstalled. But it’s installed in a disabled configuration, making Windows 2003 more secure by default than previous versions of Windows. Windows 2003 also includes a new Remote Desktops console, an improved multi-connection RDP client that makes managing multiple remote servers a breeze. All in all, Windows 2003’s evolution of Terminal Services technology is a welcome addition to any administrator’s arsenal of management tools.
