Terminal services offers the ability to use thin clients. These thin clients contact the terminal server on which all programs are installed. The following points could be benefits when using terminal services :
| No heavy (expensive) clients needed. (reduced hardware and electricity cost) |
| Central system- and application management. -> Lower TCO for maintenance. |
| Faster application upgrades and deployments. |
| Better (less bandwidth) remote access options. |
| Increased security. (No local data on desktops or laptops. Note that this concentrates all user data and sessions on the terminal server, so the hardening and patch level of that one server become correspondingly more important.) |
Disadvantages could be :
| Higher initial deployment costs. (heavy servers, application research, etc.) |
| Fewer multimedia options. (RDP protocol limitations for sound and screen updates) |
| Every application must be installed on a terminal server, even if only one user needs it. |
| Limited personalization of the desktop. |
You can use terminal services in two ways :
| Remote administration mode. You can administer the server from any terminal client in the network. This mode is licensed for administration only and is not intended to serve applications to users. |
| Application server mode. Users run applications on the server as if they were on their own desktop. |
The main components of terminal services are :
| Terminal services server. This server maintains the connections with the clients and runs all the applications. A terminal server requires at least 128 MB of memory plus 10 to 20 MB extra memory per connected client. |
| Terminal services client. This software or hardware connects to the terminal server. |
| Remote desktop protocol. This protocol transfers the screen, mouse and keyboard data between the terminal services client and server. It only works over TCP/IP, not over IPX/SPX or NetBEUI. |
The following types of licenses could be needed when using a terminal server in application mode :
| Windows 2000 server license. |
| Windows 2000 server client access license or BackOffice 2000 client access license. This license is needed for all clients (terminal services or not) that access file, print and other network services on a Windows 2000 server. |
| Windows 2000 terminal services client access license or Windows 2000/XP Professional license. A Windows 2000 terminal services client access license gives the right to connect to a terminal server. This license is included in a Windows 2000 Professional and Windows XP Professional license. It is needed per device, not per concurrent user, and is required for all Windows 9x, ME and XP Home computers and other non-W2K/XP Professional devices. |
| Windows 2000 terminal services internet connector license. This license allows 200 anonymous clients to connect from the internet to a terminal server. |
| Work at home Windows 2000 terminal services client access license. Required when accessing the terminal server from home. |
To handle licensing, a terminal server license server must be installed within 90 days (120 days in Windows .NET server 2003). This service can be installed via Add/Remove Programs, Windows Components. In a Windows 2000 domain it should be installed on a domain controller. You can install the license server for the entire enterprise (Enterprise Admins membership required) or for the domain (Domain Admins membership required). After installing the license service, it must be activated by the Microsoft Clearinghouse. This can be done via www, email, phone or fax (Windows 2000) or via www or phone (Windows .NET server 2003).
When the terminal server is installed in remote administration mode, two concurrent connections are automatically available to remotely administer the server; no license server is needed for these. When using Windows .NET server 2003, installing terminal services for remote administration enables the Remote control option on the Remote tab of System Properties. This gives administrators and members of the Remote Desktop Users group the right to connect to the server via RDP.
Each terminal server client must receive a license from a terminal server license server. This server can be installed via Add/Remove Programs and must be available on the network within the grace period (90 days for Windows 2000, 120 days for Windows .NET server 2003). You can use two types of license servers :
| Enterprise license server. This server can serve every terminal server in any Windows 2000 domain, but it cannot serve workgroups or NT 4 domains. |
| Domain license server. On Windows 2000 this license server must be installed on a domain controller. In a workgroup or NT 4 domain it can be installed on a member server. A domain license server can serve any terminal server in the domain it is installed in. |
To install terminal services in remote administration mode :
| Select Terminal Services via Add/Remove Programs, Windows Components. (14.3 MB including client creation files) |
| Select Remote administration mode. |
| Restart the machine. |
This mode gives two concurrent sessions that can be used to connect to the server. You must be a member of the local Administrators group (or of Domain Admins on a domain controller) to use them.
Special issues apply when installing terminal services on a domain controller. (Q250776)
To install terminal services in application server mode :
| Select Terminal Services via Add/Remove Programs, Windows Components. (14.3 MB including client creation files in Windows 2000) |
| Select Application server mode. |
| Select the default permissions mode. Windows 2000 : permissions compatible with Windows 2000 users or with Terminal Server 4.0 users. Windows .NET server 2003 : Full security or Relaxed security. The Terminal Server 4.0 and Relaxed options give ordinary users write access to registry and file system locations that legacy applications expect, so choose them only when an application really needs it. This setting can be changed later via the Terminal services configuration mmc. |
| You will receive a warning that the currently installed applications may not work via terminal services and that they probably must be reinstalled. |
| Restart the machine. |
Before a user can log on to a Windows 2000 terminal server, the user needs the following permissions :
| Allow logon to terminal server check box. This setting is on the Terminal services profile tab of the user account in Active Directory Users and Computers. It is on by default. |
| Log on locally right. On the terminal server the user needs this right, which can be set via the policy Computer configuration - Windows settings - Security settings - Local policies - User rights assignment - (Allow) Log on locally. This right is granted by default on member servers, where the Users group is added during the installation of terminal services. This is not done on a domain controller. In Windows .NET server 2003 the separate right "Allow log on through Terminal Services" is used instead; by default it is granted to Administrators and Remote Desktop Users. |
| RDP permissions. Via the Terminal services configuration utility the Users group gets permission to use RDP by default (Security tab of the properties of the RDP protocol, Windows 2000). In Windows .NET server 2003 the local group Remote Desktop Users gives its members permission to use RDP. By default this group is empty and must be populated with the allowed terminal server users. |
More info :
| How to: Modify RDP Connection Permissions for Terminal Server (Q259129) |
User settings for terminal server are managed via the user account. You can specify various settings on the environment, sessions, remote control and terminal services profile tabs. These settings can be overridden by settings specified for a specific terminal server via the terminal server configuration utility or by group policies. To manage the terminal servers, the following tools can be used :
This management console (tsmmc.msc) can be used to connect to various terminal servers. In Windows 2000 it is called Terminal Server Connections and is only available as a download. In Windows server 2003 it is called Remote Desktops and is available by default.
If you put the terminal server in a special OU, you can use the loopback processing option to apply group policy user settings to everyone who logs on to the terminal server. See Q231287, Q253672 and Q260370. In Windows .NET server 2003 you can also use group policies to administer the terminal server settings that are otherwise available in the terminal server configuration utility. (Computer configuration\Administrative templates\Windows components\Terminal services)
This management console (tscc.msc) is used to manage the Remote Desktop Protocol - Transmission Control Protocol (RDP-TCP) connections. Most of the settings can also be set at user or client level. When they are set on multiple levels, the settings on the server overrule the settings on the user or client level. Within Windows .NET server 2003, it is also possible to manage these settings via group policies.
For each connection you can modify the following tabs :
| Comment. |
| Encryption level. Windows 2000 : at the Low level only data sent from the client to the server is encrypted, with a 56-bit key; at the Medium level (default) the communication is encrypted in both directions with a 56-bit key; at the High level communication in both directions is encrypted with a 128-bit key. RSA RC4 is used for encryption. Windows server 2003 : Low (56-bit, client to server only), Client compatible (default; negotiates the strongest level the client supports, up to 128-bit), High (128-bit) and FIPS compliant (Triple DES encryption algorithm for the TLS traffic encryption, RSA public key algorithm for the TLS key exchange and authentication, and SHA-1 hashing algorithm for the TLS hashing requirements). With Low, the screen data sent from server to client travels in the clear, so it should not be used over untrusted networks. |
| Use standard Windows authentication. Select this option if another authentication package is installed and you still want to use Windows authentication. |
| Use client provided logon information or always use the following logon information. Let the client provide a user-id and password, or use a fixed one. By default the client must provide a user-id and password. |
| Always prompt for password. (default on in W2K, off in Windows 2003) |
| Override user settings. You can override the user settings for when to end a disconnected session, the active session limit and the idle session limit. You can also set whether a session that reaches a limit is disconnected or ended. Finally you can set whether reconnection is allowed from any client or only from the previous client. |
| Override settings from user profile and client connection manager wizard. Define a specific program to run when the user logs on. |
| Disable wallpaper. (default on, not available in Windows server 2003) |
Set the remote control option to one of the following options :
| Use remote control with default user settings. Uses the settings as specified in the user's account. (Default option) |
| Do not allow remote control. |
| Use remote control with the following settings. You can set whether to require the user's permission and the level of control. (view or interact) |
| Connection. Set whether the settings specified in the user's account are used for the reconnection of client drives, client printers and the main client printer. |
| Disable the following. Set which kinds of mapping are not allowed during a session. |
| Limit maximum color depth. (Windows server 2003 only, default 16-bit) |
Set for each network adapter, or for all, the maximum number of connections. (default unlimited)
At this tab you can set the following permissions for users or groups (Q243554) :
| Query information. Query for information about sessions or servers. |
| Set information. Configure RDP settings and permissions. |
| Reset. End sessions. (Not available in Windows server 2003) |
| Remote control. View or interact with other sessions. |
| Logon. Log on to a terminal server session. |
| Logoff. Log another user off from a session. |
| Message. Send a message to another session via the terminal server manager or the msg command. |
| Connect. Allows a user to reconnect to a session. |
| Disconnect. Disconnect another session. |
| Virtual channels. Allows the client to establish additional virtual channels to the server. |
Remote control, Set information, Reset, Logoff and Disconnect let their holder act on other users' sessions (shadow them, end them, or reconfigure the listener), so keep them restricted to administrators.
By default the following permissions are set :
| Administrators -> Full control. |
| System -> Full control. |
| Users -> Query information, logon, message, connect. Windows server 2003 does not use the Users group but the group Remote Desktop Users. |
| Local service -> Special permissions. (Windows server 2003 only, query information and message) |
| Network service -> Special permissions. (Windows server 2003 only, query information and message) |
Standard permissions are :
| Full control -> All permissions. |
| User access -> Query information, logon, message and connect permissions. |
| Guest access -> Logon permission. |
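As an added illustration of this permission model (example code written for this page, not Microsoft's own tooling): the script below decodes an allow mask into the permission names listed above, recognises the three standard sets, and flags any principal other than Administrators and SYSTEM that holds a right allowing it to act on other users' sessions. The bit values are an assumption of the example: they follow the PermissionsAllowed mask of the Win32_TSAccount WMI class, and the sample entries are constructed.

```python
"""RDP-Tcp connection permission audit.

Added example, not from the original page. The permission names and the
three standard sets (Full control, User access, Guest access) are the ones
the page lists. The bit values are an assumption of this example: they
follow the PermissionsAllowed mask of the Win32_TSAccount WMI class; check
them against your platform before relying on the decoder.
"""

# Bit value per named permission (assumed layout, see module docstring).
PERMISSIONS = {
    "Query information": 0x001,
    "Set information":   0x002,
    "Reset":             0x004,
    "Virtual channels":  0x008,
    "Remote control":    0x010,
    "Logon":             0x020,
    "Logoff":            0x040,
    "Message":           0x080,
    "Connect":           0x100,
    "Disconnect":        0x200,
}

# The three standard permission sets described on the page.
FULL_CONTROL = sum(PERMISSIONS.values())
USER_ACCESS = (PERMISSIONS["Query information"] | PERMISSIONS["Logon"]
               | PERMISSIONS["Message"] | PERMISSIONS["Connect"])
GUEST_ACCESS = PERMISSIONS["Logon"]

STANDARD_SETS = {
    FULL_CONTROL: "Full control",
    USER_ACCESS: "User access",
    GUEST_ACCESS: "Guest access",
}

# Principals that legitimately hold Full control on the listener by default.
TRUSTED_FULL_CONTROL = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM"}

# Rights that let the holder take over, end or reconfigure other sessions.
SESSION_TAKEOVER = (PERMISSIONS["Remote control"] | PERMISSIONS["Set information"]
                    | PERMISSIONS["Reset"] | PERMISSIONS["Logoff"]
                    | PERMISSIONS["Disconnect"])


def decode(mask):
    """Return the sorted list of permission names set in a mask."""
    return sorted(name for name, bit in PERMISSIONS.items() if mask & bit)


def standard_name(mask):
    """Name of the standard set a mask equals, else 'Special permissions'."""
    return STANDARD_SETS.get(mask, "Special permissions")


def audit(entries):
    """entries: iterable of (account, allow_mask). Return a list of findings.

    A finding (account, standard set name, offending rights) is raised for
    any account outside TRUSTED_FULL_CONTROL that holds a session-takeover
    right, because with it the holder can shadow, end or reconfigure every
    other user's session on this server.
    """
    findings = []
    for account, mask in entries:
        extra = mask & SESSION_TAKEOVER
        if extra and account not in TRUSTED_FULL_CONTROL:
            findings.append((account, standard_name(mask), decode(extra)))
    return findings


if __name__ == "__main__":
    # Constructed sample: the page's defaults plus one over-privileged entry.
    sample = [
        ("BUILTIN\\Administrators", FULL_CONTROL),
        ("NT AUTHORITY\\SYSTEM", FULL_CONTROL),
        ("BUILTIN\\Remote Desktop Users", USER_ACCESS),
        ("BUILTIN\\Users", USER_ACCESS | PERMISSIONS["Remote control"]),
    ]
    for account, mask in sample:
        print(f"{account:32} {standard_name(mask):20} {', '.join(decode(mask))}")
    for account, kind, extra in audit(sample):
        print(f"FINDING: {account} ({kind}) also has {', '.join(extra)}")
```

Feed it the real entries from the Security tab of the RDP-Tcp connection (or from the Win32_TSAccount class) instead of the constructed sample. A Users group entry that carries Remote control, as in the sample, means any logged-on user can shadow any other user's session.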
For a server you can modify the following settings :
| Terminal server mode. Shows whether the server runs in remote administration mode or in application server mode. Use Add/Remove Programs in the control panel to change the mode. |
| Delete temporary folders on exit. (Default on) |
| Use temporary folders per session. Sets whether a temporary folder is created for each session. (Default on) See (Q272464) and (Q243555). |
| Internet connector licensing. Allows anonymous users to connect via the internet. (default disabled, only available on W2K) Requires a license server. |
| Licensing. Licensing per device (default) or per user. (Windows server 2003 only) |
| Active desktop. (Default enabled in W2K, off in Windows server 2003) |
| Permission compatibility. Sets the permission compatibility to Windows 2000 users or Terminal Server 4.0 users in W2K, or Full security or Relaxed security in Windows server 2003. (default based on installation settings) |
| Restrict each user to one session. Default on. Windows server 2003 only. |
| Session directory. Default off. Windows server 2003 only. See Session Directory and Load Balancing Using Terminal Server. |
This tool is not a management console snap-in but the program tsadmin.exe. When you select the domain you see three tabs with information :
| Users tab. Shows all connected users. (server, user, session, session id, state, idle time and logon time) You can log off a user at this tab. (Full control required) |
| Sessions tab. Shows all sessions. (server, session, user, session id, state, type, idle time, logon time, comment) For each session you can perform the actions corresponding to the permissions listed above (connect, disconnect, reset, remote control, send message, log off). |
| Processes tab. Shows all processes. (server, user, session, session id, process id, image) You can end each process. |
When you select a specific session you can view all processes on the processes tab and get all kinds of information about the connection on the information tab.
See Licensing.
The following command line tools are available on a terminal server :
| Change logon. Enables or disables logons. (Q186504) |
| Change port. Change port mappings. (Q186504 and Q320184) |
| Change user. Switch between install and execute mode. (Q186504) |
| Change client. View and change the redirected devices. |
| Cprofile. Remove user specific file associations from a profile. (Q186509) |
| Dbgtrace. Enable or disable debugging mode. |
| Flattemp. Enable or disable flat temporary directories. (Q186516) |
| Logoff. Log off a user/session. |
| Msg. Send a message. |
| Query process. Displays information about processes. (Q186592) |
| Query user. Displays information about the users logged on. (Q186592) |
| Query termserver. Displays information about terminal servers. (Q186592) |
| Query session. Displays session information about a terminal server. |
| Register. Register a program so that it has special execution characteristics. |
| Reset session. Reset a terminal server session. |
| Shadow. Run on a terminal server to remote control a session. |
| Tscon. Connect to an existing terminal server session. (Q243202) |
| Tsdiscon. Disconnects a client from a terminal server session. (Q243202) |
| Tskill. Kills a process. (Q243202, Q320052) |
| Tsprof. Copies a user configuration and changes the profile path. |
| Tsshutdn. Shuts down a terminal server. (Q320188, Q243202) |
| Rwinsta. Resets the session subsystem hardware and software to initial values. (Q243202) |
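To turn the information on the Users tab and the query user / logoff commands into a repeatable check, the following added example (not from the page or from Microsoft) parses the text output of query user, reports disconnected sessions that have been idle beyond a limit (each one still holds its memory on the server, see the session limits above) and users holding more than one session (the "restrict each user to one session" setting). The sample output is constructed for this example; the idle-time notations it handles ('.', 'none', minutes, h:mm and d+hh:mm) are the ones the command prints.

```python
"""Triage of 'query user' output from a terminal server.

Added example, not from the original page. It parses the text printed by
the 'query user' command (USERNAME, SESSIONNAME, ID, STATE, IDLE TIME,
LOGON TIME; SESSIONNAME is blank for a disconnected session) and reports
stale disconnected sessions and users with more than one session.
"""
import re
from collections import defaultdict

# Constructed sample output; '>' marks the session the command was run from.
SAMPLE_OUTPUT = """\
 USERNAME              SESSIONNAME         ID  STATE   IDLE TIME  LOGON TIME
>administrator         rdp-tcp#1            1  Active          .  2/19/2003 9:02 AM
 jdoe                  rdp-tcp#2            2  Active         12  2/19/2003 8:47 AM
 jdoe                                       3  Disc         1:23  2/18/2003 4:15 PM
 mbrown                                     4  Disc      2+03:45  2/16/2003 7:30 AM
 svc-backup            rdp-tcp#3            5  Active       none  2/19/2003 9:10 AM
"""

# One session line; the session name column may be empty (disconnected).
LINE_RE = re.compile(
    r"^\s*(?P<current>>?)(?P<user>\S+)\s+(?:(?P<session>\S+)\s+)?"
    r"(?P<id>\d+)\s+(?P<state>Active|Disc)\s+(?P<idle>\S+)\s+(?P<logon>.+?)\s*$"
)

# IDLE TIME cell: minutes, h:mm or d+hh:mm.
IDLE_RE = re.compile(r"^(?:(?P<days>\d+)\+)?(?:(?P<hours>\d+):)?(?P<minutes>\d+)$")


def idle_minutes(text):
    """Convert an IDLE TIME cell ('.', 'none', '45', '1:23', '2+03:45') to minutes."""
    if text in (".", "none"):
        return 0
    m = IDLE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised idle time: {text!r}")
    days = int(m.group("days") or 0)
    hours = int(m.group("hours") or 0)
    return days * 24 * 60 + hours * 60 + int(m.group("minutes"))


def parse_query_user(output):
    """Return a list of session dicts parsed from 'query user' output."""
    sessions = []
    for line in output.splitlines():
        if not line.strip() or line.lstrip().startswith("USERNAME"):
            continue  # blank line or column header
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse line: {line!r}")
        sessions.append({
            "user": m.group("user").lower(),
            "session": m.group("session") or "",
            "id": int(m.group("id")),
            "state": m.group("state"),
            "idle": idle_minutes(m.group("idle")),
            "logon": m.group("logon"),
            "current": m.group("current") == ">",
        })
    return sessions


def stale_disconnected(sessions, limit_minutes):
    """IDs of disconnected sessions idle for longer than limit_minutes."""
    return [s["id"] for s in sessions
            if s["state"] == "Disc" and s["idle"] > limit_minutes]


def users_with_multiple_sessions(sessions):
    """Users holding more than one session (violates one session per user)."""
    per_user = defaultdict(list)
    for s in sessions:
        per_user[s["user"]].append(s["id"])
    return {u: ids for u, ids in per_user.items() if len(ids) > 1}


if __name__ == "__main__":
    sessions = parse_query_user(SAMPLE_OUTPUT)
    for sid in stale_disconnected(sessions, limit_minutes=120):
        # Print the logoff command for each stale session (run it on the server).
        print(f"logoff {sid}")
    for user, ids in users_with_multiple_sessions(sessions).items():
        print(f"{user} holds sessions {ids}")
```

Pipe the real output into parse_query_user (for example the saved output of query user /server:name) instead of the constructed sample. The limit you choose should match the disconnected-session limit configured on the connection, so that the check tells you when that setting is not being enforced.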
If you want to install applications on a terminal server, use Add/Remove Programs to put the server in install mode. This ensures that ini-files and registry settings become available for each user. The ini-files are stored in the user's home directory or, if there is none, in the profile of the user. Registry settings are stored in hkey_current_user. The temporary files created by an application are stored in the temp\{session id} folder of the user profile, so each user has a separate temp folder. Install applications on NTFS partitions so you can set permissions on them. Some applications also need a compatibility script to make them run in a multi-user environment. These scripts are stored in \winnt\application compatibility scripts\install.
More info :
| Installing and Using Programs on Windows 2000 Terminal Services (Q248340) |
| How to: Switch Terminal Services to Install Mode (Q320185) |
A user can have its own terminal server profile, defined via Active Directory Users and Computers. (Terminal services profile tab) It is recommended to place it on a network share so that the profile is available regardless of which terminal server the user logs on to. If no terminal server profile is specified, or it is unavailable, the normal Windows profile is used. The tsprof.exe utility can be used to update the terminal server profile without using Active Directory Users and Computers.
A user can have its own terminal server home directory, defined via Active Directory Users and Computers. (Terminal services profile tab) This folder is used as the root drive to store the application compatibility files. (*.ini) If no terminal server home directory is specified, the home folder specified on the Profile tab is used.
If you put the terminal server in a special OU, you can use the loopback processing option to customize the terminal server environment for the users with group policy. By activating the loopback option in the group policy of the OU the terminal server is in, the user settings of that policy are applied to every user who logs on to the terminal server.
When logging on to a terminal server, the usrlogon.cmd script in the %systemroot%\system32 folder is run. This script calls the following scripts :
| Setpaths.cmd. Stored in the %systemroot%\Application compatibility scripts folder and used to read the registry keys for the user environment. |
| Usrlogn1.cmd. Only if present in the %systemroot%\system32 folder. If present it is used by application compatibility scripts. |
| Rootdrv.cmd. Stored in the %systemroot%\Application compatibility scripts folder and used to create a home drive via rootdrv2.cmd. (if present) |
| Usrlogn2.cmd. Only if present in the %systemroot%\system32 folder. This script creates application directories in the root drive as specified by the application compatibility scripts. |
For more info see :
| Q195461: How to Set Up a Logon Script Only for Terminal Server Users |
Older applications can require application compatibility scripts. Microsoft provides some during the installation of terminal services. There are three kinds of compatibility scripts :
| Install. Stored in the %systemroot%\Application compatibility scripts\Install folder. These scripts are run after the application is installed. They modify the usrlogn2.cmd file and use chkroot.cmd and rootdrv2.cmd to check whether a root drive is available. |
| Logon. Stored in the %systemroot%\Application compatibility scripts\Logon folder. These scripts are called from usrlogn2.cmd to copy files and/or modify hkey_current_user registry entries. |
| Uninstall. Stored in the %systemroot%\Application compatibility scripts\Uninstall folder. These scripts are called when the application is uninstalled, to remove the modifications in usrlogn2.cmd. |
More info :
| Terminal Services Compatibility Scripts Available (Q263458) |
A copy of system.ini, win.ini and the other .ini files in the system root is made in the Windows folder of the user's profile the first time the user accesses the file. When the user logs on, the system checks whether the copies are still up to date; if not, the updated files are copied to the profile. When the user accesses the ini-file, the access is redirected to the copy in the Windows folder of the profile instead of the system root folder.
When the terminal server is in install mode, it monitors every entry that is written to hkey_current_user. Each new entry is copied to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software. This makes the registry keys available to all users in execute mode: if in execute mode a key cannot be found in hkey_current_user, the system looks in that Install\Software key and copies it into the user's hive. This prevents problems with applications that don't use Windows Installer advertising to make the application available for all users. Because everything written to hkey_current_user while in install mode is replicated to every user, do not do ordinary work while the server is in install mode; switch back with change user /execute as soon as the installation is done.
A terminal server client can only print to local LPT printers or to network printers. In both situations the printer driver must be installed on the terminal server. With the default security settings this can only be done by administrators.
On a fresh installation the terminal client only sees its local LPT printers and not the printers installed on the terminal server. (unless the user has administrative privileges) New network printers can be added by connecting to the printer.
The printer control panel can be started via the explorer with the command
'explorer /n,/root,::{2227a280-3aea-1069-a2de-08002b30309d}'
If you have multiple terminal servers you can designate one terminal server as the trusted source on which all printer drivers are installed by the administrator :
| Share the folder %systemroot%\system32\spool\drivers\w32x86. |
| Create two values in the registry of the other terminal servers under HKLM\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers that point those servers at the trusted driver share. |
| Disable via group policy the security option 'Prevent users from installing printer drivers' on the terminal servers. (except on the trusted source) |
On a terminal server termsrv.exe instructs the session manager (smss.exe) to create the sessions. Each session contains the following user mode processes :
| CSRSS.exe -> Client server runtime subsystem. 1.5 MB in W2K, 2.6 MB in W2003. |
| Winlogon.exe -> Windows logon service. 1.7 MB in W2K, 2.4 MB in W2003. |
| Explorer.exe -> Explorer. 5 MB in W2K, 9 MB in W2003. |
| Rdpclip.exe -> Remote desktop protocol clipboard extension. 1 MB in W2K, 2.5 MB in W2003. |
| Ctfmon.exe -> Alternative user input text input processor. (optional) |
In kernel mode a separate, session-specific instance of win32k.sys (the window manager and GDI driver, not a process) is loaded to handle the keyboard and mouse input, together with a display and a printer driver. For more info see Inside Microsoft terminal server (Windows 2000 magazine). The WinObj tool of Sysinternals can be used to monitor the objects in use.
You can connect to the terminal services by using the RDP client that is included in Windows XP and Windows server 2003 or is available for download. Another option is to use the Terminal server client as it is offered on the terminal server. The terminal services clients are stored in the \winnt\system32\clients\tsclient\net folder. There is a folder for a 16-bit and a 32-bit client. These folders can be shared so that the client can be installed from them.
You can also use the Terminal services client creator console to create floppy disks of the installation files. The 16-bit client uses 4 disks, the 32-bit client 2 disks.
An MSI package of the terminal services client can be downloaded from Microsoft. This version of mstsc.exe can be started with parameters :
| -v: [Server name or ip address] |
| -f Enables full screen mode |
| -h: [height] -w: [width] Can be used to specify the screen resolution. |
The client connection manager (conman.exe) can be used to configure a connection with a terminal server. You can enter the following settings :
| Connection name |
| Host name or ip address of the terminal server |
| Logon information to automatically log on |
| Screen resolution |
| Data compression |
| Cache bitmaps |
| Program to start automatically. (folder and program name as on the terminal server) |
| Icon of the connection |
| Program group where the icon is created |
In Windows server 2003, the client is installed from the \windows\system32\clients\tsclient\win32 folder. It installs the Remote Desktop Connection client (mstsc.exe), in which the options are configured on the following tabs :
| General tab |
| Display tab |
| Local resources tab |
| Programs tab |
| Experience tab |
Other clients could be :
| Windows CE or Pocket PCs. |
| Windows based terminals. (WBT) For more info see www.thinplanet.com. |
| Microsoft terminal services advanced client. Enables access to the terminal services from a web browser via an IIS server. |
| Platform independent Java based access software to terminal server from Hobsoft. |
Terminal services uses the Remote Desktop Protocol (RDP) to communicate between the terminal server client and the terminal server. RDP is based on the T.120 protocol family and can only be used over TCP/IP. Windows 2000 uses RDP 5.0, Windows XP uses RDP 5.1 and Windows server 2003 uses RDP 5.2. The main new functions of RDP 5.1 are :
| Support for 24-bit color. RDP 5.0 supported up to 256 colors. |
| Improved performance over low speed connections. |
| Smart card authentication. |
| Keyboard hooking to direct Windows key combinations to the terminal server session. |
| Drive redirection. Terminal server users can access their local disks from the session. This was already possible via a workaround with the drmapsrv.exe resource kit utility. (Q244725) Note that every redirection (drives, ports, clipboard, printers) extends the session's reach to the client device; disable the mappings you do not need in the client settings of the connection. |
| Sound redirection. Sound on the terminal server can be redirected to the client. |
| Port redirection. |
| Local printer redirection improvements. This function was already available in RDP 5.0. |
Several options that should be considered when tuning the terminal services environment :
| Use Network Load Balancing with client affinity to create a high-availability environment. |
| Use roaming terminal server profiles. Disable storage of local profiles via group policies. |
| Use and tune NTFS. (Q150355, Q130694) |
| Use home folders. |
Use desktop policies like :
| Disable access to local drives. |
| Disable access to registry editors. |
| Disable offline files. |
| Use folder redirection to the home folder of the user. |
| Allow only specific applications to run. At least required are cmd.exe, cmstart.exe, explorer.exe, systray.exe, userinit.exe, usrlogon.cmd and updatdrv.exe. (Citrix only) |
| Session time-outs. |
| Increase idle sessions. |
| Increase the size of the event logs. |
| Increase the registry size. (Q124594) |
| Disable Dr. Watson. (Q188296) |
| Use multiple network adapters. |
| Minimize graphics usage on the terminal server. (Q226931) |
| Optimize performance for background services. |
| Stop the NT Executive from paging to disk when enough memory is available. (Q184419) |
If the standard Windows shortcuts are not passed through to the session, you can use the terminal server shortcuts :
| Alt+Home -> Display the Start menu. |
| Alt+Ins -> Switch between running tasks. |
| Alt+PgUp/PgDn -> Alt+Tab functionality. |
| Ctrl+Alt+Break -> Switch the client between window and full screen mode. |
| Ctrl+Alt+End -> Shows the Windows security dialog. (Ctrl+Alt+Del) |
| Ctrl+Alt+Minus (numeric keypad) -> Place a snapshot of the active window in the session on the terminal server clipboard. (like Alt+Print Screen locally) |
| Ctrl+Alt+Plus (numeric keypad) -> Place a snapshot of the entire session window on the terminal server clipboard. (like Print Screen locally) |
For more shortcuts see the terminal services help file.
By default RDP listens on TCP port 3389. The port can be changed via the PortNumber value under HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp (template for new connections) and under HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp (the existing RDP-Tcp connection), followed by a reboot of the server. On the client side, export the connection from Client Connection Manager to a .CNS file, change the port in it and import it again, or specify server:port in the Remote Desktop Connection client. Changing the port only hides the listener from casual scans; it is no substitute for restricting who may connect via the RDP permissions and firewall rules.
The Terminal Server Advanced Client can be used to make a terminal server available via an Internet Explorer web browser. Third-party browser-based clients include :
| HotLink jwt 2.1 (Windows 2000 magazine, January 2001) |
| Hobsoft jwt 2.1 |
Last update : 19 February 2003