Managing and Maintaining a Microsoft Windows Server 2003 Environment
Microsoft Exam 70-290
Terminal Services
Terminal Services allows client computers to access Windows Server 2003 and the latest Windows-based applications using thin-client technology, even if the client computers cannot run a 32-bit Windows operating system. Terminal Services also allows system administrators to remotely administer network clients, servers and resources. The terminal server operates in either Windows Server 2003 workgroups or domains. Users of thin clients must be authenticated, and their privileges can be defined by Windows Server 2003 group policies. Users of thin-client terminals are like their fat-client counterparts except for some differences in system configuration and hardware availability. Windows Server 2003 Terminal Services provides terminal clients for Microsoft Windows computers only.
Terminal Services Components
The Terminal Services service in Windows Server 2003 supports three separate components: Remote Desktop for Administration, Remote Assistance, and the terminal server role. Remote Desktop for Administration and Remote Assistance are installed by default with Windows XP Professional and Windows Server 2003, but in a disabled state, while the terminal server role is not installed by default on Windows Server 2003 and must be installed through Add/Remove Windows Components in the Add or Remove Programs application in Control Panel. Both Remote Desktop for Administration and Remote Assistance can be enabled on the Remote tab of the System Properties window in Control Panel.
Remote Desktop for Administration
Remote Desktop for Administration enables remote server administration over a TCP/IP network. It is installed with the operating system by default, but is disabled. Once Remote Desktop for Administration is enabled, members of the Administrators group can connect and use it by default, while non-administrators must be specifically granted access. You can accomplish this by adding the user accounts that require access to the Remote Desktop Users group on the server. This can be done through Computer Management in Administrative Tools, or through the System Properties window in Control Panel.
Remote Desktop for Administration allows a maximum of two concurrent connections for the purposes of remotely administering the server. By default, when a Terminal Services client connects to this component, a new session is created and a copy of the Windows Server 2003 desktop is displayed in a window on the client computer.
This copy of the desktop is not the actual server desktop, called the console session, that you would see at the server itself. Thus, when you connect to the server using Terminal Services you will not see the console by default, and will not see any popup messages from server-based applications that are capable of delivering messages only to the server’s primary console session. You also will not see any applications that might be running in the console session, unless you use a Terminal Services client that uses at least version 5.1 of the Remote Desktop Protocol (RDP) to run a remote console session. However, only a single console session can run at a time; therefore, the console screen on the actual server is locked when the remote console session is established.
Terminal Services allows a maximum of two concurrent Remote Desktop connections without requiring licensing for those connections.
Web-Based Administration
A new feature in Windows Server 2003 is the capability to perform remote administration from any Microsoft Internet Explorer 5.0 or later browser without a locally installed client. This allows you to connect to and remotely administer a server using Terminal Services from any client system that is capable of running Microsoft Internet Explorer 5.0 or later. This feature uses the Remote Desktop Web Connection utility, which consists of an ActiveX component that is downloaded to the client browser and sample Web pages that the client connects to. The Remote Desktop Web Connection utility, however, requires that Internet Information Services 6.0 be installed on the server.
Remote Assistance
Remote Assistance is installed with the operating system by default but is disabled. Thus, it must be enabled before it can be used. Remote Assistance allows a user at one computer to ask for assistance from a user at another computer, on the network or across the Internet. This request for assistance can be made through Windows Messenger, e-mail, or a transferred file. The assistant can also offer remote assistance without receiving an explicit request if Group Policy settings are configured to enable offering of remote assistance and the assistant is listed in the Offer Remote Assistance policy, or is a local administrator.
However, the user requiring assistance must grant the assistant permission to take over the user’s computer. When an assistant receives a request for assistance, he or she can initiate a connection to the requesting user’s computer. Once connected, the assistant is able to view the actual desktop and applications that are in use on the requesting user’s computer. In addition, a special application is launched on the requesting user’s computer that allows the user to chat with the assistant and control the session. Files can also be transferred easily between the two through the Remote Assistance interface. Remote Assistance on the requesting user’s computer can also be configured to allow the assistant to interact with the desktop and applications on the requesting user’s computer. This allows both the requesting user and the remote assistant to control the computer at the same time. The RDP protocol is used during this session, so that only screen updates are sent to the client, i.e. the assistant, while keystrokes and mouse movements are sent back to the server, i.e. the user requesting assistance.
Remote Assistance requires that both computers be running Windows XP Professional or Windows Server 2003. In addition, Remote Assistance invitations can require that the assistant provide a password, to prevent an impostor from connecting to the computer while pretending to be the assistant. You can also specify the amount of time for which a Remote Assistance invitation will remain valid. Users also have the option to turn off the Remote Assistance feature entirely.
Only one Remote Desktop session at a time can connect to a Windows XP Professional system. In addition, when you connect via Remote Desktop to a Windows XP Professional computer, you will see all the applications that are running on the desktop of that Windows XP computer.
Requesting Assistance
A user can use three methods to request assistance by sending an invitation using Remote Assistance: the invitation can be sent using Windows Messenger, e-mail, or a transferred file. To create an invitation, go to the HELP AND SUPPORT CENTER.
Using Windows Messenger to Request Assistance
Windows Messenger is installed in Windows XP by default, but not in Windows Server 2003. If you do not have Windows Messenger installed, you can begin the installation process from the Help and Support Center by clicking the DOWNLOAD WINDOWS MESSENGER link. This opens an Internet Explorer window with a Web page that offers the latest version of Windows Messenger for download. On the Web page, click the DOWNLOAD NOW button. Then, when the Save As dialog box opens, click the OPEN button. After the download has completed, click YES in the Security Warning dialog box that appears.
When installation has completed, the application will launch and ask you to sign in. If you have a username and password provided by your administrator, or a valid Microsoft .NET Passport account, click the CLICK HERE TO SIGN IN link in the Windows Messenger window. This link opens the .NET Passport Wizard, which associates a .NET Passport account with your Windows user account.
When you use Windows Messenger for Remote Assistance, the invitation travels through a messaging server infrastructure that can include the Internet, or can work with Microsoft Exchange Server within the LAN. After the invitation messages have been exchanged, the actual RDP connection attempt and subsequent session take place directly between the two computers.
If Messenger is installed, the user from whom you wish to solicit assistance must be on the network and logged on to his or her Windows Messenger client. If this is the case, you can click the name of the contact from whom you want to solicit assistance, followed by the INVITE THIS PERSON link. You can also request assistance from within the Windows Messenger application, by double-clicking a contact to establish a conversation with him or her and then selecting the ASK FOR REMOTE ASSISTANCE link. In either event, the user you sent the invitation to can then click the ACCEPT link in his or her Windows Messenger window to initiate the connection, or click the DECLINE link to reject it.
However, invitations for assistance do not stay valid indefinitely. They have an expiration time, which is set to one hour by default. If the user from whom you wish to solicit assistance neither accepts nor declines the invitation before it expires, he or she will be unable to establish a connection in response to the invitation. The user sending the request can alter the expiration time of the invitations he or she sends, from 1 minute to 99 days.
Using E-Mail to Request Assistance
You must first have a default mail client configured on the Windows Server 2003 computer before you can use e-mail to send a Remote Assistance invitation. To create a Remote Assistance invitation using e-mail, select the e-mail option after clicking the INVITE A FRIEND TO CONNECT TO YOUR COMPUTER USING REMOTE ASSISTANCE link and the INVITE SOMEONE TO HELP YOU link in HELP AND SUPPORT CENTER. This allows you to set the expiration time for the invitation, and to set a password that the recipient is required to use. The password is required by default but can be disabled by clearing the REQUIRE THE RECIPIENT TO USE A PASSWORD check box.
When the recipient receives an invitation for remote assistance, a short e-mail message entitled “YOU HAVE RECEIVED A REMOTE ASSISTANCE INVITATION” appears in his or her inbox. This message contains a link that the recipient must click. When the recipient clicks the link, his or her browser opens to a page on Microsoft’s Web site. The entire process of the two computers finding each other using this method takes place through Microsoft’s Web site. In addition, e-mail-based remote assistance depends on a Remote Assistance Server Control that is downloaded during the process. When the recipient visits the site, a Security Warning dialog box appears and he or she is prompted to specify whether he or she wants to install the Remote Assistance Server Control. If the recipient selects YES, the control downloads and the page loads. If the recipient is accessing the Web page from a Windows XP Professional or Windows Server 2003 computer, he or she will see a START REMOTE ASSISTANCE button in the middle of the Web page. When he or she clicks this button, a small Remote Assistance dialog box appears requesting the password associated with the invitation. After the recipient enters the password, he or she must click the YES button to begin the connection.
Using a Saved File to Request Assistance
The third method that you can use to request assistance is a saved file that is transferred to the user from whom you want to solicit assistance. To create a Remote Assistance invitation using a transferred file, select the SAVE INFORMATION AS A FILE (ADVANCED) option after clicking the INVITE A FRIEND TO CONNECT TO YOUR COMPUTER USING REMOTE ASSISTANCE link and the INVITE SOMEONE TO HELP YOU link in Help and Support Center. This opens a page which contains an ENTER YOUR NAME text box into which you type your name, and an option that allows you to set the expiration time for the invitation. This method also requires the recipient to use a password by default, but you can disable this requirement by clearing the REQUIRE THE RECIPIENT TO USE A PASSWORD check box.
Once you have entered all the required information, a SAVE INVITATION button is activated. Clicking this button brings up the Save As dialog box, in which you can specify a name and location for the file. The file is saved with an .msrcincident extension. The file can now be transferred to the user from whom you wish to solicit assistance.
When the user from whom you wish to solicit assistance receives the .msrcincident file, he or she can open it by double-clicking the file. This action opens a Remote Assistance dialog box requesting the password associated with the invitation. After the assistant enters the password, he or she must click the YES button to initiate the connection.
Terminal Server Role
The Terminal Server role involves the creation of several components that work together. These components include a presentation layer protocol called the Remote Desktop Protocol (RDP) and a core architectural component called Multi-Win.
The Multi-Win component enables more than one user to be logged on locally with separate user sessions. It is a core component of Terminal Services and is used in Remote Desktop for Administration, Remote Assistance, and the terminal server role. The creation of Multi-Win enabled remote users to log on and use the server as if they were local users. The Multi-Win component also keeps each user’s system and application settings separate, even when many users are logged on concurrently. This enables remote users to launch and use applications on the remote system. When you establish a terminal server session, by default you see a copy of the desktop of the server to which you have connected. When you double-click an icon within this session and launch an application, it launches in your session on the server. It uses the server’s processor and memory, and accesses the server’s hard disk. Only images of the screen are transferred to the local computer; the application files never leave the server.
Note: Each client computer that accesses a terminal server running in the terminal server role must have a Terminal Services Client Access License as well as a Windows Server 2003 Client Access License. You are, however, allowed to run Terminal Services in the terminal server role for 120 days without any license. Thereafter the service will fail.
The Remote Desktop Protocol (RDP) is responsible for transferring the screen information from the server to the client, and the cursor movements and keystrokes from the client to the client’s session on the server. Windows XP and Windows Server 2003 use RDP version 5.1, while Windows 2000 uses RDP 5.0 and Windows NT 4.0 uses RDP 4.0.
RDP uses encryption to protect the information that is sent between the terminal server and the client computer, and uses port 3389 to transfer this information.
Installing the Terminal Services Role
You can use Add/Remove Windows Components in the Add or Remove Programs application in Control Panel, or the Manage Your Server utility in Administrative Tools, to install Terminal Server on a Windows Server 2003 computer.
Installing Terminal Server Licensing
After you have installed the Terminal Server role, you must install Terminal Server Licensing. If you fail to do so, all Terminal Server connections will be rejected starting 120 days after the first client logs on. Microsoft recommends that you install Terminal Server Licensing on a server that does not host the terminal server role. The Terminal Server Licensing component must be added using Add or Remove Programs from Control Panel.
After you have installed the licensing component, you must add client license key packs and activate the license server. Client license key packs enable the license server to issue licenses to terminal server clients. Clients cannot connect to the terminal server without a license after the 120-day evaluation period.
Installing Applications for Terminal Services
Applications for use via Terminal Services should be installed after Terminal Server. This can be performed through the Add or Remove Programs wizard in Control Panel. When using the Add/Remove Programs wizard, select the Change User Option and click either All users with common application settings for universal access or Install application settings for this user only. Applications installed prior to Terminal Services need to be reinstalled or properly configured.
Client Software and Installation
The Terminal Services client is called Remote Desktop Connection. This software is automatically installed as an integral part of Windows XP. For earlier Windows operating system clients, 16-bit and 32-bit versions of the Terminal Services Client software are available in the \Windows\system32\clients\tsclient folder. For these earlier clients, the Terminal Services Client software must be made available for installation. This can be accomplished by placing the Terminal Services Client software on a network share or on a CD. The installation of the Terminal Services Client software is accomplished by double-clicking the Setup file.
Connecting to Terminal Services
A listener connection, called the RDP-TCP connection, must be configured and exist on the server for clients to successfully establish Terminal Services sessions to that server. RDP-TCP connections can be configured for RDP only over TCP/IP, and only one RDP-TCP connection can be configured for each network interface card in the Terminal Services computer. By default, an RDP-TCP connection is created that is bound to all the network interface cards in the server. If the server has more than one network interface card, an administrator can configure the default RDP-TCP connection to be associated with only one network interface card, and create new RDP-TCP connections for each of the other network interface cards.
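The Remote Desktop for Administration settings described earlier (enabled state, the Remote Desktop Users group, the two-session limit) and the RDP-TCP listener described above can be audited from PowerShell. This is an added example, not part of the study guide; it assumes PowerShell 2.0 or later run locally with administrative rights, and that fDenyTSConnections, fEnableWinStation, PortNumber and MinEncryptionLevel are the standard Terminal Services registry values.

```powershell
# Added example, not part of the study guide: audit Remote Desktop for
# Administration and the RDP-Tcp listener on a Windows Server 2003 computer.
# Assumptions: PowerShell 2.0 or later, run locally with administrative rights;
# the registry values used (fDenyTSConnections, fEnableWinStation, PortNumber,
# MinEncryptionLevel) are the standard Terminal Services locations.

$tsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$listenerKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RemoteDesktopState {
    # fDenyTSConnections = 1 is the installed-but-disabled default the guide
    # describes; 0 means Remote Desktop for Administration is enabled.
    $deny = (Get-ItemProperty -Path $tsKey).fDenyTSConnections
    return ($deny -eq 0)
}

function Get-RdpListenerSettings {
    # The default RDP-Tcp listener is bound to every NIC; extra listeners for
    # individual cards appear as additional keys under WinStations.
    $p = Get-ItemProperty -Path $listenerKey
    return @{
        Enabled            = ($p.fEnableWinStation -eq 1)
        Port               = $p.PortNumber          # 3389 by default
        MinEncryptionLevel = $p.MinEncryptionLevel  # 1 Low, 2 Client Compatible, 3 High, 4 FIPS
    }
}

function Get-RemoteDesktopUsers {
    # Non-administrators only get access through this local group, so its
    # membership is the access list to review. ADSI/WinNT needs no extra modules.
    $group   = [ADSI]'WinNT://./Remote Desktop Users,group'
    $members = @()
    foreach ($m in $group.psbase.Invoke('Members')) {
        $members += $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    }
    return $members
}

function Test-RdpPortListening([int]$port = 3389) {
    # Registry settings say what should happen; this confirms the listener
    # really accepts TCP connections on the local host.
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect('127.0.0.1', $port); return $client.Connected }
    catch   { return $false }
    finally { $client.Close() }
}

function Get-ActiveRdpSessionCount {
    # Remote Desktop for Administration allows at most two concurrent remote
    # sessions; they show up as rdp-tcp#N entries in the query session output.
    $lines = query session 2>$null
    return @($lines | Where-Object { $_ -match '^\s*>?rdp-tcp#\d+' }).Count
}

function Get-RemoteDesktopAudit {
    $listener = Get-RdpListenerSettings
    $report = @{
        RemoteDesktopEnabled = Get-RemoteDesktopState
        ListenerEnabled      = $listener.Enabled
        Port                 = $listener.Port
        MinEncryptionLevel   = $listener.MinEncryptionLevel
        PortListening        = Test-RdpPortListening $listener.Port
        RemoteDesktopUsers   = @(Get-RemoteDesktopUsers)
        ActiveRdpSessions    = Get-ActiveRdpSessionCount
        Findings             = @()
    }
    # Conditions worth flagging on a server that is only meant to be
    # administered remotely, not to run the terminal server role.
    if ($report.RemoteDesktopEnabled -and $report.MinEncryptionLevel -lt 3) {
        $report.Findings += 'RDP-Tcp encryption level is below High; raise it in Terminal Services Configuration or Group Policy.'
    }
    if ($report.ActiveRdpSessions -ge 2) {
        $report.Findings += 'Both administrative sessions are in use; a further connection will be refused.'
    }
    if ($report.RemoteDesktopUsers.Count -gt 0) {
        $report.Findings += 'Review Remote Desktop Users membership; only accounts that need remote administration belong here.'
    }
    return $report
}

$audit = Get-RemoteDesktopAudit
$audit.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize -Wrap
```

Servers with several network cards may carry additional listener keys beside RDP-Tcp under WinStations; point $listenerKey at each of them to audit them in turn.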
Windows Server 2003 provides two primary mechanisms that clients can use to connect to Terminal Services: the Remote Desktop Connection utility and the Remote Desktops snap-in.
The Remote Desktop Connection Utility
The Remote Desktop Connection utility is the standard client for connecting to Terminal Services, via Remote Desktop for Administration (RDA) on a server or Terminal Services on a terminal server. It can be used for remote administration or full terminal server client use. It enables a user to connect to a single server running Terminal Services using the RDP protocol over TCP/IP. The utility is installed by default with the operating system in Windows XP Professional and Windows Server 2003. It can also be installed and used on a number of older Windows operating systems, including Windows 2000, Windows NT, Windows ME, Windows 98, and Windows 95.
The Remote Desktop Connection utility is backward compatible and capable of communicating with Terminal Services in Windows 2000 and Windows NT 4.0, Terminal Server Edition.
The Remote Desktops Snap-In
The Remote Desktops snap-in is another utility that can be used to establish Terminal Services connections to Windows Server 2003 computers and terminal servers. The Remote Desktops snap-in has two important features:
• It can be used to connect to multiple Windows Server 2003 computers using Terminal Services; and
• It enables a remote connection to the console session.
The Remote Desktops snap-in is not available on Windows XP Professional computers, but you can use it on a Windows XP Professional computer to manage your servers by installing the Admin Pack (adminpak.msi) on the Windows XP Professional computer. The Admin Pack is located in the i386 folder on the Windows Server 2003 installation CD.
Administering Terminal Services
The terminal server allows the administrator to remotely monitor servers, sessions, users, and processes, and supports the centralized deployment of applications, disk management, and device access. It also allows the administrator to manage the applications available to users, logon privileges, and security. This can be accomplished using the various system administrative tools provided by Terminal Services. These tools include:
• The Remote Desktops snap-in, which allows you to host multiple Terminal Services connections in an easily navigable tree. It is also useful for managing many Windows Server 2003 or Windows 2000 servers. By right-clicking Remote Desktops, you can identify additional servers by selecting Add New Connection.
• Terminal Services Manager, which is available from Administrative Tools. It is the primary utility for managing existing Terminal Services sessions and can be used to view and administer users, active sessions, and processes on a single terminal server or on multiple terminal servers anywhere on the network.
• The Terminal Services Configuration tool, which can be used to create new RDP-TCP connections, or listener connections, and to configure the ones that currently exist. These RDP-TCP connections must be configured and exist on the server for clients to successfully establish Terminal Services sessions to that server. RDP-TCP connections can be configured for RDP only over TCP/IP, and only one RDP-TCP connection can be configured for each network interface card in the Terminal Services computer. By default, an RDP-TCP connection is created that is bound to all the network interface cards in the server. If the server has more than one network interface card, you can use Terminal Services Configuration to configure the default RDP-TCP connection to be associated with only one network interface card, and create new RDP-TCP connections for each of the other network interface cards. You must be a member of the Administrators group, or be delegated the authority, in order to create new RDP-TCP connections. The Terminal Services Configuration tool can also be used to configure connections for ICA (Citrix) clients using IPX, SPX, asynchronous, NetBIOS, or TCP.
• The Server Settings node in Terminal Services Configuration, which controls a number of server-wide settings that affect all sessions running on the server. In an Active Directory environment, these settings can also be configured using Group Policy. If a setting is configured both in Group Policy and within Terminal Services Configuration, the Group Policy setting takes precedence.
• The Active Directory Users And Computers snap-in or the Local Users And Groups snap-in, depending on the environment, which can be used to establish Terminal Services settings for individual users.
• Task Manager, which also monitors and administers Terminal Services. Once Terminal Services is installed, additional fields are added to Task Manager.
• Group Policies, which you can use to control Terminal Services users. Of the more than 900 group policy settings in Windows Server 2003, approximately 50 relate specifically to Terminal Services components. When the same setting is configured both in Group Policy and in one of the Terminal Services utilities or clients, the setting specified in Group Policy takes precedence.
• The Terminal Services command-line tools, which both administrators and end users can use to manage connections. These command-line tools can be used in scripts to automate Terminal Services tasks.
Here are some references from Microsoft on the command-line tools for clients and administrators:
Troubleshooting Terminal Services
The complexity of Terminal Services makes it difficult to troubleshoot Terminal Services problems. There are, however, a few common problems, which include problems related to automatic logon, launching an initial program, and licensing.
Automatic Logon
There are a number of possible causes and solutions for a common problem that occurs when you want to automatically log on to the server but are still prompted for your user credentials when you connect to the terminal server.
This problem is especially common if you are using a Windows NT 4.0 Terminal Services client, because these clients are not always able to detect and pass on the system logon credentials to the Windows Server 2003 terminal server. You should use the Windows NT 4.0 Client Connection Manager to configure Automatic logon on the General tab in the Properties box for the connection. Enter the appropriate logon credentials in the User name, Password and Domain text boxes.
If you are using a Windows 2000 Terminal Services client or the RDC client, it is possible that you entered incorrect credentials on the General tab. If you mistyped the user name or password, the terminal server will not be able to verify your credentials and will prompt you for the correct ones.
Another possible cause is that Group Policy is configured to require users to enter their credentials. Group Policy settings override client settings. The only way to correct this is to remove the Group Policy setting that is enforcing this restriction.
Initial Program Launching
At the client level, a user can specify that a program be launched when they connect to a server instead of receiving a desktop. Likewise, an administrator can specify this at the connection level for all users that connect to a specific listener connection. Finally, this can also be set in Group Policy. However, the client may receive a message stating, “This initial program cannot be started”.
This error may be caused by an input error or an incorrect path and executable file name. If you have entered an incorrect path or executable file name, they will point to a file that does not exist.
Another possible cause is that the correct permissions are not set on the executable file. If Windows Server 2003 cannot access the file, it will not be able to launch the program. You should verify that the appropriate read and execute permissions are applied to both the file and the working folder. If neither of these two possible solutions resolves the issue, the application itself may have become corrupt. Try to launch the application at the server. If it will not open, you may need to uninstall and reinstall the application.
License Problems
For remote administration, licenses are built in to Windows Server 2003. The terminal server role, however, requires the installation and proper configuration of the Terminal Server Licensing component.
Because of this, license problems typically relate only to the terminal server role. If you have license component problems you will receive one of the following error messages:
• The remote session was disconnected because there are no terminal server client access licenses available for this computer. Please contact the server administrator
• The remote session was disconnected because there are no Terminal Server License Servers available to provide a license. Please contact the server administrator
These error messages can indicate several issues, which must be resolved systematically. First, verify that the license server is online and able to communicate on the network. Also verify name resolution during this step. Next, ensure that the license server component has been activated. Check the event logs on the license server.
Verify that the license server has a sufficient number of client licenses for your network, and that the licenses are valid. The terminal server draws licenses from the license server, so you should also ensure that these two servers can communicate with each other.
Finally, check the clients. It is possible that the clients never received a valid license. By default, clients often receive temporary licenses that expire after 90 days and prevent further connections. If they did receive full licenses, the licenses may have become corrupt and need to be replaced or overwritten.
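The troubleshooting sequence above (name resolution and reachability of the license server, license-related events in the event logs, and whether the client ever received a license) as an added PowerShell check, not part of the study guide. It assumes PowerShell 2.0 or later; LICSERVER01 is a placeholder, and the event source names TermService and TermServLicensing and the MSLicensing\Store client key are assumptions to verify on your own systems.

```powershell
# Added example, not part of the study guide: walk the license-troubleshooting
# steps from a terminal server. Assumptions: PowerShell 2.0 or later; the
# license server name is a placeholder; the event source names and the
# MSLicensing\Store client key are assumed and should be verified locally.

$licenseServer = 'LICSERVER01'   # placeholder: replace with your license server name

function Test-NameResolution([string]$name) {
    # Step 1: the terminal server must be able to resolve the license server.
    try   { return (@([System.Net.Dns]::GetHostAddresses($name)).Count -gt 0) }
    catch { return $false }
}

function Test-HostReachable([string]$name) {
    # Still step 1: is the license server online and reachable on the network?
    $ping = New-Object System.Net.NetworkInformation.Ping
    try   { return ($ping.Send($name, 2000).Status -eq 'Success') }
    catch { return $false }
}

function Get-LicenseEvents([string]$computer, [int]$days = 7) {
    # Steps 2 and 3: license failures on the terminal server and activation
    # problems on the license server are written to the System log.
    $since = (Get-Date).AddDays(-$days)
    Get-EventLog -LogName System -ComputerName $computer -After $since -ErrorAction SilentlyContinue |
        Where-Object { ($_.Source -eq 'TermService' -or $_.Source -eq 'TermServLicensing') -and
                       $_.Message -match 'licens' } |
        Select-Object MachineName, TimeGenerated, Source, EventID, EntryType, Message
}

function Get-ClientLicenseState {
    # Final step: did this machine, acting as a client, ever receive a license?
    # The issued per-device license is kept under MSLicensing\Store (assumed key);
    # an empty or missing store means no license was ever issued.
    $store = 'HKLM:\SOFTWARE\Microsoft\MSLicensing\Store'
    if (-not (Test-Path $store)) { return 'No client license store present' }
    $entries = @(Get-ChildItem $store)
    if ($entries.Count -eq 0) { return 'Client license store is empty' }
    return "$($entries.Count) client license entry/entries present"
}

function Test-TsLicensing([string]$server) {
    $result = @{
        LicenseServer = $server
        NameResolves  = Test-NameResolution $server
        Reachable     = $false
        LicenseEvents = @()
        ClientLicense = Get-ClientLicenseState
    }
    if ($result.NameResolves) { $result.Reachable = Test-HostReachable $server }
    # The local System log is always read; the license server's log only once
    # we know it can be reached, which is itself one of the checks.
    $result.LicenseEvents = @(Get-LicenseEvents -computer 'localhost')
    if ($result.Reachable) { $result.LicenseEvents += @(Get-LicenseEvents -computer $server) }
    return $result
}

$r = Test-TsLicensing $licenseServer
$r.GetEnumerator() | Where-Object { $_.Name -ne 'LicenseEvents' } | Format-Table Name, Value -AutoSize
$r.LicenseEvents | Format-Table MachineName, TimeGenerated, Source, EventID, Message -AutoSize -Wrap
```

Reading the license server's log remotely requires administrative rights there; a clean local log together with "NameResolves" or "Reachable" reported as False points at the network step before any licensing step.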