In-Depth
Windows Management from Afar
Windows Server 2003 offers significant upgrades over Windows 2000 in the area of remote connectivity.
One of the coolest new features introduced in Windows 2000 was Terminal
Services Remote Admin mode. Thanks to Terminal Services’ integration into
the base operating system, up to two administrators can remotely control
any Win2K server in their enterprise, making single-seat administration
more realistic without the need for third-party utilities like pcAnywhere.
Of course, there are some drawbacks, in particular Terminal Services’
lack of support for file copying to and from the remote machine, a feature
long available in Symantec’s pcAnywhere, Citrix WinFrame and other products.
Windows Server 2003 still includes the Terminal Services
technologies but deploys them differently. You might be surprised, for
example, to find that your newly installed Windows 2003 computers not
only don’t have remote control as a default option, but that there doesn’t
seem to be any way to install Terminal Services in Remote Admin mode!
Don’t panic—Windows 2003 not only includes a replacement for Remote Admin
mode but offers some much needed improvements.
Language Lesson
You’ll need to become accustomed to new terminology when it comes to Windows
2003 and Terminal Services. Remote Admin mode is gone, replaced with Remote
Desktop. Functionally, this is a one-for-one replacement for Remote Admin
mode. Remote Desktop is installed in the OS by default and can’t be removed.
If you’ve used Windows XP’s Remote Desktop, then you’re familiar with
Windows 2003’s Remote Desktop, because they work almost exactly the same.
Terminal Server is a new term that refers to
a Windows 2003 computer with Terminal Services installed, in what was
called Application Server mode. Making Windows 2003 into a Terminal Server
is what allows multiple users to log in and remotely use the server. You’ll
still need a Terminal Services Licensing server somewhere on your network
in order to use a Terminal Server.
Remote Desktop Connection (RDC) is the new
name for the Terminal Services client. It looks and feels pretty much
the same and still uses Microsoft’s Remote Desktop Protocol (RDP) to connect
to Terminal Services. Windows 2003 supports RDP 5.1, which enables some
cool new features discussed later. The RDC clients included with Windows
XP and with newer Windows CE-powered devices are RDP 5.1-compatible;
older RDP 5.0 clients can still connect to Windows 2003 but can’t take
advantage of the new features.
Terminal Services 2000 vs. 2003
While the functionality of Terminal Services hasn't changed a great
deal in Windows Server 2003, the terminology has. Here's a summary
of the new terms and features, compared to Windows 2000 Terminal
Services.

| Windows 2000 Server | Windows Server 2003 |
| --- | --- |
| Remote Admin Mode installation option | Remote Desktop always installed |
| Application Mode installation option | Terminal Server installation option |
| Web client (Terminal Services Advanced Client, or TSAC) | Web client included with IIS 6.0 but not installed by default |
| 32-bit clients: Terminal Services client | 32-bit clients: Remote Desktop Connection and Remote Desktops console |
| Resource map-back: mainly printers | Resource map-back: sound, disk drives, printers |
| Server must have a copy of all printer drivers used by clients for map-back to work | Server uses Plug and Play to automatically get printer drivers from NT-based clients |
| Maximum of two admin connections in Remote Admin mode | Maximum of two admin connections to Remote Desktop |
| Only local admins have Remote Admin capability | Remote Desktop access is configurable |
Enabling Remote Desktop
For security reasons, Windows 2003 disables Remote Desktop by default.
The software is completely installed by default—and, in fact, can’t be
removed—but turned off in keeping with Windows 2003’s “more secure out
of the box” philosophy. Turning it on is easy: Open the properties for
My Computer, click the Remote tab, and select the checkbox to allow users
to connect remotely (see Figure 1).
Figure 1. Remote Desktop is disabled by default. Enable it through this screen.
By default, all members of the local Administrators group will have the
ability to connect to Remote Desktop, and Windows 2003 supports up to
two simultaneous remote sessions. Non-administrators can be let in by adding
them to the local Remote Desktop Users group (the Select Remote Users button
on the Remote tab does exactly that). Before enabling Remote Desktop, review
the membership of your server’s local Administrators group and any other
group to which you choose to grant Remote Desktop access. Remote
Desktop provides a full interactive session on the server’s desktop, so you don’t
want any untrusted users accidentally finding their way in!
Note: You don’t need to enable Remote Assistance
in order to use Remote Desktop. While the two features both use Terminal
Services technology, they’re independent. I don’t generally recommend
enabling Remote Assistance on a server, as it could lead to unauthorized
users having access to the server’s desktop.
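The review-then-enable sequence above, as an added PowerShell example (not code from the original article). It reads the same registry value the Remote tab toggles (fDenyTSConnections under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server), enumerates the two local groups that get Remote Desktop access, and only enables the feature if you uncomment the call. It assumes PowerShell is installed on the server and that it runs as a local administrator; the WinNT ADSI provider is used because it also works on Windows Server 2003, where Get-LocalGroupMember does not exist.

```powershell
# Added example: audit who can reach Remote Desktop, then enable it.
# Assumes: PowerShell available on the server, running as a local admin.

$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RemoteDesktopState {
    # fDenyTSConnections = 1 means Remote Desktop is off (the 2003 default);
    # 0 means the "Allow users to connect remotely" checkbox is ticked.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $port = (Get-ItemProperty -Path $rdpTcpKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    New-Object PSObject -Property @{
        Enabled = ($deny -eq 0)
        Port    = $port      # 3389 unless someone has moved the listener
    }
}

function Get-LocalGroupMembership {
    param([string]$GroupName)
    # The WinNT ADSI provider works on every Windows version, including 2003.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $name = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        # AdsPath shows whether this is a local account, a domain account or a domain group
        New-Object PSObject -Property @{ Group = $GroupName; Member = $name; Source = $path }
    }
}

function Enable-RemoteDesktop {
    # Same effect as ticking the checkbox on the Remote tab.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0 -Type DWord
}

# Review access *before* enabling: both of these groups can log on over RDP.
'Administrators', 'Remote Desktop Users' |
    ForEach-Object { Get-LocalGroupMembership $_ } |
    Format-Table Group, Member, Source -AutoSize

$state = Get-RemoteDesktopState
if (-not $state.Enabled) {
    Write-Host 'Remote Desktop is currently disabled (the default).'
    # Enable-RemoteDesktop   # uncomment once the membership listed above looks right
} else {
    Write-Host "Remote Desktop is enabled, listening on TCP $($state.Port)."
}
```

Pay particular attention to domain groups nested in the local Administrators group: a single nested group can silently grant Remote Desktop to far more people than the local membership list suggests.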
Utilizing RDP 5.1 Features
As mentioned earlier, RDP 5.1 has some cool new features that can make
Remote Desktop a more effective administration tool. One of the biggest
complaints about Win2K Terminal Services Remote Admin mode was that there
was no way to easily copy files to and from the remote server over the
RDP connection. RDP 5.1 corrects this problem by adding the ability to
map client computer drives to the remote server to which you’re connected.
To enable this feature, open the RDC client software and configure a
new connection. On the Resources tab (see Figure 2), check the Disk drives
checkbox. Keep in mind that this feature needs RDP 5.1 on both ends: an
RDP 5.1 client connecting to an older RDP 5.0 server such as Win2K won’t
get its drives mapped.
Figure 2. The ability to make the client’s disk drives available on the remote
server is only offered by RDP 5.1 clients.
Once the connection’s active, look at My Computer on the remote server.
You’ll find your client computer’s drives listed there as additional drives
(each is also reachable by the UNC path \\tsclient\<drive letter>), making
it easy to copy files between the client and server without using
additional protocols. This allows you to completely manage the server right
over RDP’s TCP port 3389, without having to use Windows file sharing or FTP
to move files back and forth. Bear in mind that RDP traffic is encrypted, as
it always has been, which helps to protect the confidentiality of any files
you copy to and from the remote machine. Two caveats apply, though. The
encryption level is a server-side setting (Terminal Services Configuration,
RDP-Tcp properties), so check that it is set to High rather than Low, and
the RDP 5.x handshake gives the client no reliable way to verify the server’s
identity, so the encryption protects against eavesdropping rather than
against an active man-in-the-middle. Drive mapping also cuts both ways:
anything running in your session on the server can read and write the
redirected drives, so only enable it toward servers you trust.
RDP: Under the Hood
Ever wonder how RDP and Terminal Services
really work? You’re probably familiar with products like
Symantec’s pcAnywhere, which essentially copy compressed
bitmaps of the server’s screen back to your client computer.
They detect screen changes and send back just the portion
of the screen that’s been altered, which improves performance.
Terminal Services is quite different. Citrix, the company
that originally created the Terminal Services technology
that Microsoft now uses, was a licensee of the Windows
NT 3.51 source code. That gave them the ability to integrate
remote control with the operating system at a very deep
level; Microsoft eventually licensed and added these
enhancements to Windows NT Server 4.0 Terminal Services
edition and then the Win2K base code.
In Windows, all screen drawing—windows, buttons, graphics,
and whatever—is accomplished by the Graphical Device
Interface (GDI), a special layer of the operating system.
When an application needs a window or checkbox drawn,
it asks GDI to do so. Terminal Services plugs into the
GDI, intercepting the GDI commands directly. These commands
are then retransmitted to the remote client, which “replays”
them. GDI commands are pretty small, even though some
of them—like redrawing the whole screen—can have a large
effect. And GDI isn’t immune to having to copy bitmaps,
such as desktop wallpaper, from time to time. Still,
by transmitting the GDI commands, RDP is able to optimize
performance over slower connections.
Although this explanation is a bit of an oversimplification,
you can see how RDP’s technique is more efficient than
bitmap-based products like pcAnywhere. And keep in mind
that Microsoft didn’t invent this technique: Citrix’
ICA protocol does exactly the same thing.
—Don Jones
RDP 5.1’s resource redirection isn’t limited to disk drives. You can
configure it to redirect sounds made on the remote computer to the client.
RDP 5.0 already allowed client printers to show up on the remote computer, which
is a useful feature; RDP 5.1 extends resource redirection to
serial ports and disk drives, allowing the client’s resources to appear
on the remote computer. For example, a client’s C: drive shows up
on a Terminal Server as “C on <client name>” in My Computer, making it easy
to copy files between the server and client.
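The Resources-tab settings described in the drive-mapping section and in the paragraph above, written out as an added PowerShell example (not code from the original article) that generates an .rdp connection file. Putting the redirection choices in a file makes them explicit and reviewable rather than clicked through each time. The setting names are the documented mstsc .rdp keys; the server names and file paths are placeholders, and the example assumes a PowerShell-equipped management workstation.

```powershell
# Added example: write an .rdp file with RDP 5.1 resource redirection spelled out.
# Assumes: mstsc on the client; server names and paths below are placeholders.

function New-RdpFile {
    param(
        [string]$Server,
        [string]$Path,
        [switch]$Drives,       # client drives appear on the server as "<letter> on <client>" / \\tsclient\<letter>
        [switch]$Printers,
        [switch]$Sound,
        [switch]$SerialPorts
    )
    $lines = @(
        "full address:s:$Server"
        'screen mode id:i:2'                                        # 2 = full screen
        "drivestoredirect:s:" + $(if ($Drives) { '*' } else { '' })  # '*' = all drives, empty = none
        "redirectprinters:i:" + [int][bool]$Printers
        "redirectcomports:i:" + [int][bool]$SerialPorts
        "audiomode:i:" + $(if ($Sound) { 0 } else { 2 })             # 0 = play on this computer, 2 = do not play
    )
    # mstsc writes its own .rdp files as Unicode, so match that.
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    $Path
}

# Management workstation -> trusted server: redirect everything for easy file copies.
New-RdpFile -Server 'srv2003.example.local' -Path "$env:TEMP\admin.rdp" -Drives -Printers -Sound

# A box you do not fully trust: leave drives off. Anything running in your
# session on that server can read and write every redirected drive, so drive
# redirection is only as safe as the server you connect to.
New-RdpFile -Server 'lab-box.example.local' -Path "$env:TEMP\lab.rdp" -Printers

# Launch with:   mstsc "$env:TEMP\admin.rdp"
# Inside the session, a file copy from the client's C: needs no SMB share or FTP:
#   copy \\tsclient\C\tools\procexp.exe C:\Tools\
```

Because the .rdp file is plain text, it is also easy to diff: a connection file that has quietly grown a `drivestoredirect:s:*` line is worth asking about.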
Windows 2003 also extends printer Plug and Play capabilities to RDP 5.1
clients. Imagine that your users are running Windows XP and connecting
to a Windows 2003 Terminal Server. Plug and Play allows the server to
detect users’ locally connected printers and automatically set them up
for use within the Terminal Services session. As with all things Plug
and Play, however, you’ll need to test that behavior in your environment.
If things don’t seem to be working correctly in your tests, check out
the System and Application event logs on the server, as Terminal Services
will usually add reasonably useful entries when printer mapping fails.
Remote Desktop Console: A Better RDP
Most RDC clients (including Windows XP’s) let you open multiple instances
of the software, which makes it possible to open multiple RDP connections.
I do that all the time in a busy environment; it’s not unusual for me
to have four or five RDC windows open, each connected to a different remote
server.
Keeping track of all those windows can be a pain, though, and Windows
2003 has a better solution: the Remote Desktops console (Figure 3). This
is a standard MMC snap-in with a list of remote servers in the left-hand
tree. The details pane on the right shows the selected server’s remote
desktop. You can easily switch between remote servers in the left-hand
list, effectively managing multiple remote connections from a single window.
To add a new server to the Remote Desktops console, right-click Remote
Desktops and select Add Connection from the context menu. To connect to
a remote server, just select its connection name in the console (or right-click
and select Connect).
Figure 3. The Remote Desktops MMC snap-in can be used to track multiple
open server sessions.
To configure advanced properties for a connection, right-click the connection
name and select Properties from the context menu. You can configure the
following options:
Server’s name or IP address or the connection name.
Logon credentials.
Size of the remote desktop window. By default, it will fill the right-hand
pane of the MMC, but a custom size can be configured.
Redirecting local drives to the remote server, provided the remote server
supports RDP 5.1.
Keep in mind that the Remote Desktops console will connect not only to
Windows 2003 servers, but also to Win2K servers and even Windows XP Professional
clients that have Remote Desktop enabled. You can even connect to Windows
NT 4.0 Terminal Servers. Remote Desktops is a full RDP 5.1 client, allowing
mapping of client disk drives to the server for easier file management.
Making a Terminal Server
If you want to use Windows 2003 Terminal Services as a true Terminal Server
(formerly called Application Mode), you’ll need to open the Control Panel,
open Add/Remove Programs, and click the Add/Remove Windows Components
button. Select the Terminal Server option (Figure 4). This installs Terminal
Services’ application server capabilities.
Figure 4. To use Windows 2003 Terminal Services as a Terminal Server,
you first have to install it.
Note: Don’t get confused and accidentally select
the Application Server Windows component, as that installs IIS and some
other bits unrelated to Terminal Services.
Terminal Services vs. MetaFrame
With the improvements in RDP 5.1—especially
the drive map-back capability—you may wonder why
anyone would buy Citrix MetaFrame, which adds capabilities
and Citrix’ ICA protocol to Terminal Services.
In fact, if you’re just using Terminal Services
for remote administration, you probably don’t
need MetaFrame. But that’s not why Citrix wants
you to buy it, anyway!
MetaFrame’s ICA protocol opens Terminal Services
to a wider array of clients, including Unix, handheld
devices, Java clients, and more. For now, RDP is officially
only available on Windows and Mac OS X, directly from
Microsoft. Of course, open-source RDP clients are available
for Unix, Linux, and the Palm OS, so the gap between
RDP and ICA is closing on the client end. MetaFrame
also offers load balancing and the ability for clients
to reconnect a disconnected session back to the same
server in a server farm. Terminal Services’ new
session directory, along with Network Load Balancing,
now provides a similar capability in Windows 2003.
The major features of Terminal Services and MetaFrame
are converging. MetaFrame still offers a
variety of unique functionality, and it’s definitely
worth your time to investigate those capabilities.
Many environments are discovering that Windows 2003’s
Terminal Services offer everything they need without
the extra expense.
—Don Jones
As in Win2K, making a server into a Terminal Server changes its behavior
a bit. First, you’ll still need a Terminal Services Licensing server on
your network somewhere. You’ll also need to take special steps to install
applications on the Terminal Server so they’ll be available to multiple
concurrent users. You’ll have the familiar Terminal Services Configuration
and Terminal Services Manager MMC consoles available to configure and
manage user connections, perform shadowing of user connections, and so
on—see Windows 2003’s Online Help and Support Center for details.
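The two procedures above, installing the Terminal Server component and then installing an application so that every user gets it, as an added PowerShell example (not code from the original article). It drives sysocmgr with an unattended answer file instead of the Add/Remove Windows Components wizard, and wraps the application install in the install/execute mode switch that Terminal Servers require. It assumes PowerShell on the Windows Server 2003 box, the `change` and `query` commands that Terminal Services provides, and that the component name matches the entry in %windir%\inf\sysoc.inf (verify it there); the MSI path is a placeholder.

```powershell
# Added example: unattended Terminal Server install plus install-mode application setup.
# Assumes: PowerShell on Windows Server 2003, run as an administrator;
# component name checked against %windir%\inf\sysoc.inf; MSI path is a placeholder.

function Install-TerminalServerRole {
    # sysocmgr installs optional components from an answer file, the same way
    # Add/Remove Windows Components does. Note the name: TerminalServer, not
    # "Application Server" (that component is IIS/COM+ and unrelated).
    $answer = "$env:TEMP\ts.txt"
    @(
        '[Components]'
        'TerminalServer = On'
    ) | Set-Content -Path $answer -Encoding ASCII
    & "$env:windir\system32\sysocmgr.exe" "/i:$env:windir\inf\sysoc.inf" "/u:$answer" '/q'
    # A reboot is required before multi-user (Terminal Server) mode takes effect.
}

function Install-TsApplication {
    param([string]$MsiPath)
    # change logon /disable : no new user sessions while setup runs.
    # change user /install  : per-user registry and INI writes made by setup are
    #   captured so every later user gets them. Skipping this is the classic
    #   "works for the admin, broken for everyone else" Terminal Server bug.
    & change logon /disable
    & change user /install
    try {
        $p = Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$MsiPath`" /qn" -Wait -PassThru
        if ($p.ExitCode -ne 0) { throw "msiexec failed with exit code $($p.ExitCode)" }
    } finally {
        & change user /execute    # back to normal mode even if the install failed
        & change logon /enable
    }
}

function Get-TsSessions {
    # Lists attached sessions; run it before disabling logons or rebooting.
    & query session
}

Get-TsSessions
Install-TerminalServerRole
# ... reboot here ...
Install-TsApplication -MsiPath 'C:\Installers\app.msi'
```

The `try`/`finally` matters: leaving a server in install mode, or with logons disabled, after a failed install is an easy way to lock every user out until someone notices.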
A Better Way to Reach Out and Touch Someone
Windows 2003’s Remote Desktop feature provides all the features and functionality
of Win2K Terminal Services Remote Admin mode—and then some! It’s installed
by default and can’t be uninstalled. But it’s installed in a disabled
configuration, making Windows 2003 more secure by default than previous
versions of Windows. Windows 2003 also includes a new Remote Desktops
console, an improved multi-connection RDP client that makes managing multiple
remote servers a breeze. All in all, Windows 2003’s evolution of Terminal
Services technology is a welcome addition to any administrator’s arsenal
of management tools.